Understanding the Phishing Ecosystem: Using and Monetizing Victim Data

6 minute read

This blog is the fourth part in our series on understanding the phishing ecosystem. Make sure to check out the previous blogs at the links to the right.

For non-targeted phishing attacks, threat actors try to increase the impact of their campaign using the various TTPs and technologies covered within the previous advisories in this series. The main aim for any threat actor operating a phishing campaign is to ensure the maximum number of victims enter their sensitive data into their phishing pages. Once this information or “victim data” has been collected, the threat actor must then monetize this information, which can be achieved in multiple ways.

From simply using the data directly to make fraudulent purchases or cashing out accounts, to selling pre-packaged collections of data to others- there are many methods of seeing fiscal returns from phishing attacks, and defrauding companies and victims.

Details on How Victim Data is Used and Monetized Within the Phishing Ecosystem

Monetization will take different forms depending on the capabilities of the threat actor operating the phishing campaign, but is done swiftly. Victim data will quickly age out, as the likelihood increases over time that the victim will realize they have fallen for a phishing attack and update their credentials, freeze financial accounts, or replace credit cards.

In order to facilitate these transactions and buying and selling victim data, threat actors will join discussions across multiple dark web and covert channels. Many forums and marketplaces exist dedicated to selling victim data, from chat rooms or forum threads to search engines specifically designed to aid threat actors in locating credentials or accounts derived from phishing attacks.

Figure 1: Online search engine for finding stores, markets and covert channels selling access or credentials for specific platforms
Source: ZeroFox Threat Research

It is not uncommon to find legitimate commerce platforms– designed for small businesses to easily set up online stores– being abused in order to sell compromised accounts and victim data. These stores offer quick and easy access to victim data, with transactions being processed directly from within the platform under their own refund and payment protection policies. Many of these store fronts also support leaving reviews of sellers, allowing threat actors purchasing data to quickly see if a seller is potentially scamming others and either providing invalid credentials, none at all, or legitimate data.

Figure 2: Feedback section of online storefront allegedly selling compromised account details
Source: ZeroFox Threat Research

Another popular vector for buying and selling victim data is within encrypted messaging apps such as Telegram. Within these covert channels, data being sold is often referred to as “fullz” or “dumps,” a slang term meaning the package being sold contains complete credential and/or credit card information from a victim. Even packages which are no longer valid still fetch a price within these markets. This data is referred to as “dead fullz”, meaning it’s no longer “live”. These packages are commonly used by threat actors to commit identity theft, refund fraud, card cloning, credit fraud, opening mule accounts and many other forms of scams and fraud.

“Fullz” are sold either in bulk for a set cost, or on a per-account basis with varying cost based on the value or assets of the compromised account. This is standard for accounts with direct access to monetary funds such as banks. Alternatively some buyers and sellers offer instead to “cash out”, or withdraw funds from the account, in exchange for taking a percentage of the total amount obtained. This can range between 20-50% of the total amount “cashed out”.

Figure 3: Access to a compromised bank account being sold via Telegram bot (left), conversation between buyer/seller of cloned credit cards (right)
Source: ZeroFox Threat Research

More advanced threat actors take advantage of messaging app platforms capabilities, using publicly available APIs and automation frameworks to create closed access, fully automated channels to sell victim data. Many of these advanced channels integrate third-party services, in order to create unique accounts and crypto wallet addresses for each visitor, where they can top up with credits and use them to purchase victim data.

Figure 4: Telegram bot shop menu (left), dynamically generated cryptocurrency wallet address details to use within the store (right)
Source: ZeroFox Threat Research

Buying and selling account details for highstreet restaurant, grocery and food/drink delivery services has proved to be increasingly popular, with a large interest in this form of PII package growing during the pandemic. These packages are sold to be used in conjunction with what are referred to as “methods”- guides which the threat actor should follow in order to successfully perform fraudulent activities with the provided information. These guides will contain step by step instructions on how they take the stolen information, perform a fraudulent transaction, and then cover their tracks or bypass security controls and processes in order to avoid suspicion and subsequent investigation.

Many food delivery apps are targeted with this type of fraud. Threat actors can use the package and methods in order to place large orders for food, or purchase gift cards to redeem on another account. This effectively allows threat actors to convert a £5-£10 GBP “fullz” package to up to £100 GBP worth of consumable goods.

Figure 5: A screenshot shared within a covert channel dedicated to selling victim data, showing a successful transaction redeeming a gift card obtained by fraudulent means.
Source: ZeroFox Threat Research

Financial transactions between buyers and sellers of victim data can take place through the use of multiple platforms. Popular online payment systems and apps designed to transfer cash quickly are often used, alongside cryptocurrency platforms. Many marketplaces and commerce platforms abused for these types of transactions directly integrate with these payment platforms to automate transactions, allowing threat actors to simply list their information and send victim data to purchasers after the transaction has completed.


As almost all new businesses today have some form of online presence or interface with its customers, the potential targets for phishing and fraud will continue to increase. Businesses internal processes and checks are still vulnerable to social engineering or clever manipulation to take advantage and exploit potential weaknesses. ZeroFox assesses with a high likelihood that this will continue, however, by understanding the TTPs associated with this type of fraud, businesses can ensure their processes and procedures are robust enough to prevent this type of activity.

See ZeroFox in action