Many jobs in the cybersecurity industry require some sort of cybersecurity certification, such as one provided by CompTIA, ISC2, Cisco, Microsoft, or AWS. But earning one isn't easy. It requires coursework and study to pass a rigorous exam, costing upwards of $600.
However, individuals can find illegal shortcuts to certification on the dark web. The options include fake certificates, cheating services for exams, and leaked courses. Threat actors sell these services on underground forums, dedicated Telegram groups (figure 3), and the clear web (figure 1).
We must note that the number of sellers of fraudulent cybersecurity certification services is relatively small compared to other services sold on the dark web. The relatively low number is probably because exam providers do the utmost to uphold the exams' integrity and prevent cheating and because (we hope) most cybersecurity professionals would be opposed to insincere practices.
On underground sites, actors sell all sorts of fake certificates and diplomas, including those for cybersecurity certifications.
Figure 1: Fake CompTIA diploma
Figure 2: Fake CISSP certificate offered for sale
However, it is relatively easy to verify if a certificate is genuine; each one possesses a unique serial number that confirms that it is legitimate.
Generally, exams take place in vendor-supervised testing centers, where proctors monitor candidates under the watchful eye of security cameras. However, some exam providers also offer the option of remote testing. This practice allows a candidate to take the test at home while a proctor observes over a webcam.
Some actors allege to be able to bypass these security measures, offering to solve the exam questions during the exam for certifications such as CompTIA, Cisco, Microsoft, Google, and AWS.
Figure 3: An actor on a Telegram group offering certification services
While they don't explain how they do this, they guarantee their customers will receive the certification.
Figure 4: Certification service process description
Other actors claim to be able to act as a man-in-the-middle for remote testing. For example, in a post offering a cheating service (figure 4), an actor explains that during exams, test-takers audio and video streams are directed to them so they can listen to and watch exams in real-time, bypassing the proctor.
Figure 5: Certification exam cheating service for different vendors
Individuals on the dark web also offer leaked courses from various providers. In 2022, there was an approximately 73% increase in the number of leaked courses advertised on underground markets compared to 2021.
The prices for genuine cybersecurity training courses range from free to more than $5,000, depending on the provider. Unfortunately, the same courses are offered at cut-rate prices on the dark web. Some threat actors leak the courses via free downloads, while others charge for them.
The average price on the dark web for a leaked cybersecurity certification course ranges from $5 to $200, depending on the quality and quantity of course content. The price reflects the number of courses offered, course level (beginner to expert), and the course date (updated versions vs. older courses), as reflected in the examples below. Generally, sellers only offer refunds for technical issues.
Figure 6: Free download for an entire course leak
Figure 7: Package of various courses advertised for $140 on an underground market
Figure 8: Cybersecurity course (red team operator) advertised for $75
As stated, the underground market for these services appears relatively small. Even so, test and course providers ought to take measures to monitor cheating services, fake certifications, and leaked courses. By identifying how underground actors engage in these services, they can further clamp down on dishonest practices.
Fake cybersecurity certificates pose a significant risk to employers who accidentally hire unqualified candidates misrepresenting their training. Ultimately, the organizations that employ such individuals may discover their sensitive data in the wrong hands. Therefore, employers must take a few minutes to verify a prospective employee's certifications to prevent such circumstances.
Individuals who buy fake certificates or purchase cheating services must know that the credentials they acquire lack real value and risk being exposed and banned from working in the industry. Indeed, only those with high integrity should be entrusted with protecting an organization's data integrity.
Learn more about how Cybersixgill automatically aggregates data leaks and alerts customers in real time.