Unveiling Insurance Fraud on the Dark Web

April 25, 2024

Cyber insurance has become a hot topic in recent years. As DarkOwl has previously documented, frequent attacks against organizations mean there is ever-increasing demand for coverage that helps reduce the financial impact and risk of conducting business on the internet.

One of the things that cyber insurance can cover is extortion payments associated with ransomware attacks. As ransomware attacks are expected to continue to increase during 2024, with more and more groups adopting double-extortion techniques, it is prudent for organizations to explore their insurance options.

However, insurance carriers are not immune from cyberattacks and can also fall victim to attacks and credential loss. As a third-party supplier, their data can also be exposed through the ransomware attacks of their customers. In this blog we explore this exposure.

The term “Insurance” appears in over 100,000 documents linked to ransomware activity in DarkOwl’s Vision platform. Ransomware groups such as CL0P, Medusa, BlackBasta and 0mega to name just a few have published documents from victims which include insurance information.

The Dunghill Leak group published on their leak site details of a UK-based transportation company, Go-Ahead Group, from which they alleged they had obtained data. They provided descriptions of the data as well as sample images of the documents, and claimed that these included details of insurance claims made by the company. One of the sample documents they provided appears to be related to medical insurance.

Figure 1: Stolen document from Go-Ahead Group

Insurance carriers and providers themselves are also not immune from ransomware attacks. The ransomware group BlackBasta posted information relating to LeClair, an insurance marketing firm that provides marketing services to insurance brokers. All of the data relating to this organization was published on the BlackBasta leak site and, according to the site, has been viewed over 3000 times.

Figure 2: LeClair sample data on BlackBasta leak site

Another insurance provider, Delaware Life Insurance Company, appeared to be a victim of the group RansomHouse. All data relating to this organization was disclosed, including a file tree of all documents obtained. The group claimed to have stolen 1.4TB of data from the organization. In addition to making the full dataset available for download, they also provided proof containing confidential documents, health records, and pricing information.

Figures 3 and 4: RansomHouse Leak site and proof of documents listed

The CL0P ransomware group, when posting data for one of their victims, a university, stated that the victim had used their insurance company to negotiate. They stated that they were cheap and the negotiator was bad. Despite the claim that the university offered to pay $950,000, the full data was still leaked. This illustrates how insurance providers interact with ransomware groups on a victim's behalf, and how the groups themselves comment on that involvement.

Figure 5: Post on CL0P leak site from DarkOwl Vision

Insurance companies can also appear in other types of data leaks, where information relating to the insurance provider is exposed. This can include email addresses, locations, passwords, and names of employees.

The leak of etenders.gov.za, a South African government service that documents tenders for government initiatives, included information relating to insurance providers, including their telephone numbers and email addresses.

Figure 6: etenders.gov.za leak

Data purported to be from Farm Bureau Insurance – Tennessee was posted on the Telegram channel BF Repo V3 Files, a backup repository for data leaks from BreachForums, on January 20, 2024. Data exposed included full names, email addresses, physical addresses, phone numbers, vehicle information, and dates of birth. The leak appeared to include customer information, the cars that had been insured, and the broker.

Figure 7: fbitn.com data leak

The naz.api dataset is reported to be one of the largest credential stuffing lists released and was originally posted on September 9, 2023 on the well-known darkweb forum BreachForums. According to that post, the database was created by extracting data from stealer logs, and contains over 1 billion unique records of logins and passwords saved in users' browsers. Infostealer logs are the files produced when a trojan installed on a system harvests information from that infected system.

Searching through this data, almost 700 results were identified which included the statefarm.com domain, indicating that these records likely belong to employees of State Farm. The data included the websites that the account holders had visited as well as the password associated with each account. Leaks of this kind could give threat actors access to accounts that may lead to a network intrusion, and highlight why it is so important for organizations and individuals to practice good password hygiene.
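A defender-side illustration of the search just described, added here as an example and not code from DarkOwl or its Vision platform: stealer-derived lists such as naz.api are commonly circulated as one `url:login:password` record per line, and a security team monitoring its own domain wants to know which accounts appear, on which sites, and whether a single password was reused across several of them. The records, the monitored domain `example.com` and the function names are all constructed for this example; passwords are reduced to a truncated SHA-256 digest so reuse can be detected without handling the secret in the clear.

```python
"""Scan a constructed credential-leak sample for accounts on a monitored domain.

Added example, not DarkOwl's code. Assumes the common "url:login:password"
line layout used by many infostealer-derived lists; lines that do not fit
that layout (or whose login is not an email address) are skipped.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records; example.com stands in for the monitored
# corporate domain and every login, password and site is fake.
SAMPLE_LEAK = """\
https://mail.example.com/owa/:alice@example.com:Summer2023!
https://vpn.example.com/:alice@example.com:Summer2023!
https://shop.test/login:alice@example.com:Summer2023!
https://crm.example.com/:bob@example.com:hunter2
https://forum.test/:carol@other.test:letmein
https://hr.example.com/:Bob@Example.com:hunter2
not a record at all
https://portal.example.com/:dave@example.com:
"""

# Greedy URL group so the login is the right-most email followed by ':',
# which keeps colons inside the URL (or the password) from splitting wrongly.
RECORD_RE = re.compile(r"^(?P<url>.+):(?P<login>[^:\s@]+@[^:\s@]+):(?P<password>.*)$")


def _digest(password: str) -> str:
    """Short SHA-256 of the password: enough to spot reuse, not to recover it."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def site_of(url: str) -> str:
    """Reduce a URL to its host so the same site is not counted twice."""
    host = urlparse(url).hostname
    return (host or url).lower()


def parse_records(text: str):
    """Yield (url, normalised login, password) for well-formed lines only."""
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if match:
            yield match["url"], match["login"].lower(), match["password"]


def exposures_for_domain(text: str, domain: str) -> dict:
    """Map each login on `domain` to {password_digest: {hosts it was used on}}."""
    suffix = "@" + domain.lower()
    found: dict = defaultdict(lambda: defaultdict(set))
    for url, login, password in parse_records(text):
        if not login.endswith(suffix):
            continue
        # An empty password still records the site, but contributes no digest.
        key = _digest(password) if password else None
        found[login][key].add(site_of(url))
    return found


def _is_corporate(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def summarize(text: str, domain: str) -> dict:
    """Per-login report: sites seen, whether one password spanned several
    sites, and which of those sites are outside the corporate domain."""
    report = {}
    for login, by_digest in sorted(exposures_for_domain(text, domain).items()):
        hosts = set().union(*by_digest.values())
        reused = any(key is not None and len(sites) > 1
                     for key, sites in by_digest.items())
        report[login] = {
            "hosts": sorted(hosts),
            "reused_password": reused,
            "external_hosts": sorted(h for h in hosts if not _is_corporate(h, domain)),
        }
    return report


if __name__ == "__main__":
    for login, info in summarize(SAMPLE_LEAK, "example.com").items():
        flag = " REUSED" if info["reused_password"] else ""
        print(f"{login}: {', '.join(info['hosts'])}{flag}")
```

The output is a reset list rather than a password list: an account whose single digest spans a corporate host and an external host is the one to rotate first, since the same credential saved in a browser for a third-party site is exactly what a stealer log exposes.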

It would be remiss to review insurance on the darknet and not touch on insurance fraud. Although we do not always see the fraud itself being carried out, we do see guides and tutorials being offered, as well as documentation being sold, that can assist an individual in conducting insurance fraud.

Figure 8: Guide for sale on the dark web

Posts on Telegram offer insurance documents for sale, likely to be used to conduct fraud operations.

Figure 9: Telegram channel Skimming Central

Other actors claim to be able to produce car insurance documents so that individuals do not need to insure their cars.

Figure 10: Post on Telegram channel Bazaar Lounge

A post on the dark web marketplace Nifheim.world offers insurance documents alongside other counterfeit documents.

Figure 11: Post on Nifheim.world

Although cyber security insurance is an ever-growing business, adopted to protect organizations from the financial and reputational damage a cyberattack can cause, insurance companies themselves are not immune from the threat of cyberattacks. Whether it be data leaks, ransomware attacks, or the continued threat of insurance fraud, insurance companies too need to be vigilant to ensure they protect themselves and their customers. Because insurance covers large swaths of our lives, from our vehicles and houses to sentimental items and health, insurers hold sensitive information on their customers, and it is therefore imperative that this data is secured.


Copyright © 2024 DarkOwl, LLC All rights reserved.