Showing posts with label Dark Web.

533 Million Facebook Users' Phone Numbers And Personal Data Leaked Online

 

On Saturday, a user on a low-level hacking forum leaked the personal information of hundreds of millions of Facebook users free of charge. The exposed data covers more than 533 million Facebook users from 106 countries, including around 32 million in the US, 11 million in the UK and roughly 6 million in India. The leaked records include users' full names, dates of birth, locations, phone numbers, Facebook IDs, bios and, in some cases, email addresses.

Alon Gal, CTO of the cybercrime intelligence firm Hudson Rock, analysed the leak on Saturday and reported it on Twitter. Gal had previously found that the same database was being queried through a Telegram bot in January.

Back then, the situation was different: the operator of the Telegram bot sold the records to clients willing to pay for them. This time, the data of more than 533 million people is available to anyone for free on a low-level hacking forum.

“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” Alon Gal stated. 

Facebook is no stranger to such incidents and remains a frequent target of cyberattacks; the platform had already suffered several notable data breaches before this one.

A vulnerability discovered in 2019 allowed the phone numbers and other sensitive information of millions of Facebook users to be scraped from Facebook's servers in violation of its terms of service. Facebook stated at the time that the flaw was patched in August 2019. Facebook had also vowed to stop mass data scraping after Cambridge Analytica harvested the data of over 80 million users, in breach of Facebook's terms of service, to target voters with political ads during the 2016 election.

Hacker Hacks Underground Covid Vaccine Market On Dark Web

 

In a recent incident, an attacker compromised a vaccine marketplace operating on the dark web, placed fake orders and cancelled them to trigger refunds in Bitcoin worth $752,000, according to a report released on Thursday. A post on the market's forum says the attacker found a way to place fake orders, cancel them immediately through the trader's seller account and issue refunds, which were withdrawn right away.

Check Point Research says the method netted the attacker 13 Bitcoin (BTC), worth about $752,000. The dark web marketplace that was selling these products is currently down because of the hack, but the attack has not stopped the sale of Covid-19 related products on the dark web: following the shutdown, another forum appeared at the same address, advertising various items including Covid-19 vaccines (documents included) at heavy promotional discounts.

Cybersecurity researchers recently found that fake Covid-19 vaccination certificates and forged Covid-19 test results were being sold on dark web and hacking platforms for as little as Rs 1,800 ($25) and up to Rs 18,000 ($250), aimed at people looking to book flights, cross borders, find a new job or attend events. A buyer simply sends their details and payment to the seller on the dark web, who then emails back the forged documents for $250.

Check Point's research shows that fake negative Covid-19 test results are available on the dark web for just $25, and that vaccine advertisements on the darknet have tripled over the last three months. The selling forums are based in European countries such as Spain, Russia, France and Germany. According to the researchers, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Check Point adds, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Here's How to Safeguard Against Mobikwik Data Breach

 

Cybersecurity researchers claim that the KYC data of as many as 11 crore Mobikwik users has been leaked and put up for sale on the dark web. The Gurugram-based digital wallet company denies the breach, stating that it has found no evidence of a data leak.

Rajshekhar Rajaharia, an independent cybersecurity researcher, was the first to disclose the leak in February. He said that bank details, email addresses and other sensitive data of nearly 11 crore Indians had been leaked on the dark web.

According to Rajaharia, roughly 8 terabytes (TB) of personal user data were stolen from Mobikwik's main server by a hacker using the alias 'Jordan Daven' and posted on dark web platforms on January 20. As evidence, Jordan Daven emailed a link to the stolen database to PTI, stated that they had no motive other than to have the company take the data back and delete it from their end, and shared the private details of Mobikwik founder Bipin Preet Singh and CEO Upasana Taku from the stolen database.

When approached, Mobikwik denied the claims and stated, "the company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications which includes annual security audits and quarterly penetration tests to ensure the security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of breach."

Precautionary measures for Mobikwik users 

To check whether your data has been compromised, you need to download the Tor browser, a free and open-source web browser that lets you browse anonymously. You should also secure your Mobikwik account by setting a new password and enabling two-factor authentication.

Open this link to access the leaked database that is now online and search for your data using your email ID or phone number. If nothing shows up, you are safe; if something does, contact your bank immediately and block your cards.

Threat Actor Targets Guns.com, Spills Sensitive Information on Dark Web

 

As the domain name suggests, Guns.com is a major Minnesota, US-based platform for buying and selling guns online, and it also hosts news and updates for firearm owners and enthusiasts around the globe. However, on March 9th, 2021, a database seemingly belonging to Guns.com was dumped on the popular dark web site 'Raid Forums'.

Earlier this week, a large cache of files allegedly stolen from Guns.com also appeared on Raid Forums. The hackers behind the dump claimed the files contain the complete Guns.com database along with its source code, and added that the breach took place around the end of 2020 and that the data had previously been sold privately, on Telegram channels or dark web forums.

According to Hackread.com's analysis, the dump contains substantial gun-buyer information, including user IDs, full names, nearly 400,000 email addresses, password hashes, physical addresses, zip codes, cities, states, Magento IDs, phone numbers and account creation dates.

One of the folders in the leaked database contains customers' bank account details, including full name, bank name, account type and Dwolla IDs. Credit card numbers and VCC numbers were not leaked.

The dump also contains Guns.com login credentials: an Excel file in the database appears to hold sensitive login details, including the administrator's WordPress, MySQL and cloud (Azure) credentials. It is unclear whether these credentials are current, outdated or have already been changed by the site's administrators since the breach.

This could have a devastating effect on the company, since all admin credentials, including admin emails, passwords, login links and server addresses, are stored in plain text. With this kind of information in hand, a skilled attacker could commit identity fraud or target victims with convincing phishing campaigns and other malicious activity.

Insider Trading Threats on Dark Web

 

Insider trading can now be carried out more effectively than ever before, due in large part to the continuing proliferation of encrypted and anonymous messaging services and the existence of dark web and underground networks that let threat actors find co-conspirators and communicate with them. Historically, a few dark web forums catered to the trafficking of non-public corporate data; today, newer technology allows these activities to be conducted with far better operational security.

Financially motivated threat actors or disgruntled employees can now trade data away from the prying eyes of law enforcement and security researchers, allowing only vetted individuals to access the sensitive information provided by insiders.

Moreover, the clearnet hosts many market trading enthusiast groups on platforms such as Reddit and Discord, ranging in size from thousands to millions of users. Insikt Group found "stock signals" services that give paying customers tips on which trades to make based on the recommendations of "analysts". Given that the origin of the data is unclear, the unregulated nature of these services and the use of anonymous messaging services are concerning.

One of the historically significant sites was The Stock Insiders, a Tor-based site active from April 2016 until August 2018. As the name suggests, the site was created to build a community of users with insider access at publicly traded companies who would share that information with other members to inform the trades of the larger group. The site has long been inactive, the administrator does not respond to private messages, and the main page has not been updated since early 2018. The reason operations stopped has not been explained, but it does not appear to be the result of a law enforcement takedown, since the website is still technically up.

While the site is no longer active, it still provides an instructive view of how its operations were run. The Stock Insiders has a few visible posts instructing users on how to register an account and listing the requirements for full membership.

What are Smishing Attacks? How to Prevent Them?

 

Smishing is a cyberattack that uses SMS text messages to trick victims into giving sensitive data to a cybercriminal. Sensitive data includes your account name and password, your name, and bank account or credit card numbers. The cybercriminal may also embed a short URL in the text message, inviting the recipient to tap on a link that in most cases redirects to a malicious site. Smishing is related to two other cyberattacks, phishing and vishing.

Cybercriminals today are primarily motivated by financial gain. They create code designed to harvest your sensitive data for profit, and once they have it, they may sell your compromised credit card or credentials on the dark web, use the information to open accounts in your name, or hold your data to ransom in exchange for a large payout.

In May 2018, Fifth Third Bank customers were targeted by a smishing attack. The attackers claimed to represent Fifth Third Bank and warned customers that their accounts had been locked. The text message included a link for customers to unlock their accounts, which led to a fake webpage resembling Fifth Third's genuine site. The phishing site prompted visitors to enter their username and password, a one-time code and their PIN to unlock the account. The cybercriminals then used the stolen account data to withdraw almost $68,000 from 17 ATMs across three states.

Some of the ways to prevent smishing attacks are: 

• Do not reply to text messages that ask you for private or financial information.

• If you receive a message that appears to come from your bank, financial institution or another business you deal with, contact that business directly to confirm whether the request is genuine. Check the organisation's policy on sending text messages to customers.

• If a text message urges you to act or respond quickly, stop and think; criminals use urgency as a tactic to make you do what they want.

• Never reply to a suspicious text message without doing your own research and verifying the source.

WeLeakInfo's Customer Records Leaked

 

WeLeakInfo.com was a data breach notification service that let its customers check whether their credentials had been compromised in data breaches. The service claimed a database of more than 12 billion records from over 10,000 data breaches. In mid-2020, a joint operation led by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.

The U.S. Department of Justice announced in January that it had seized weleakinfo.com, which had existed since 2017. The site sold various subscription tiers, making it possible for scammers to access and search the database. Two 22-year-old men, one in the Netherlands and the other in Northern Ireland, were arrested in connection with running the site, according to the Dutch news outlet Nu.nl.

The site also promised to alert members if their own data was stolen and uploaded to the database, through a feature called "Asset Monitoring." "Get notified when your information is detected in a data breach," the sales pitch read, according to an archived version of the homepage. "Stay one step ahead of hackers."

WeLeakInfo and similar sites essentially operate as a malicious variant of HaveIBeenPwned, a database where visitors can check whether their data has been compromised. HaveIBeenPwned lets users determine whether an email address has appeared in known data breaches.

Security researchers at Cyble observed that a member of a hacking forum claimed to have registered one of WeLeakInfo's former domains, wli.design, which was re-registered on March 11, 2021. The actor then created an email address on the domain and used it to access the cybercrime group's account on the payment service Stripe. Access to the Stripe account allowed the actor to retrieve customer details, including emails, addresses, partial card details and purchase history.

“The WeLeakInfo operators allegedly used the domain’s email address for payments via Stripe, the actor claimed. The actor claimed to have registered the domain and then created an email address on the registered domain used in their Stripe account gaining access to WeLeakInfo customers details.” reads the post published by Cyble.

Bug in Brave Browser Exposes Users' Dark Web History

 

Brave, the web browser that puts privacy first, was found to expose users' visits to Tor hidden services (the "dark web") to their Internet Service Providers. In its Tor mode, the browser sent queries for .onion domains to a regular DNS resolver instead of routing them through Tor nodes, so the dark web sites a user visited could be observed. The bug was addressed in a hotfix release.

Brave is an open-source web browser built on Chromium and developed by Brave Software, Inc. It blocks advertisements and website trackers and gives users a way to send cryptocurrency donations to websites and content creators in the form of tokens.

Introduced in June 2018, Brave's Tor mode has allowed Brave users to browse the internet anonymously and to reach the .onion versions of legitimate websites such as Facebook, Wikipedia and major news portals. However, an unnamed security researcher reported that Brave's Tor mode was sending queries to DNS resolvers on the open network rather than through Tor nodes. DNS requests are unencrypted, so attempts to access .onion sites through Brave's Tor functionality could be monitored, which directly contradicts the purpose of the feature.

The DNS leak is a serious risk because every leaked query leaves a footprint of the Brave user's Tor activity in the DNS server's logs. In some Western countries with stable democracies this may not be troublesome, but it is a real concern for users browsing .onion sites with Brave from under authoritarian regimes.

The problem appears to stem from the browser's CNAME-based ad-blocking feature, which detects third-party tracking scripts that are disguised as first-party scripts through CNAME DNS records in order to evade blockers. This cloaking technique lets a website serve third-party scripts from a subdomain of its primary domain that is then redirected to a tracking domain.
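As an added example, not Brave's own code or anything from the report above, the following Python script shows how a privacy auditor or defender would spot this kind of leak from the resolver side: it parses constructed dnsmasq-style query log lines and flags any query for a name under the .onion special-use domain, which per RFC 7686 should never reach a DNS resolver when Tor mode is working correctly. The log lines and the onion names in them are constructed, and the dnsmasq log format is an assumption; the same check applies to any resolver log that records the queried name.

```python
import re
from collections import Counter

# Constructed sample resolver log lines in dnsmasq's "query[TYPE] name from client"
# format. They are not real logs, and the .onion names are made up.
SAMPLE_LOG = """\
Feb 19 10:01:02 dnsmasq[812]: query[A] www.wikipedia.org from 192.168.1.23
Feb 19 10:01:05 dnsmasq[812]: query[A] exampleonionsitexxxxxxxxxxxxxxxx.onion from 192.168.1.23
Feb 19 10:01:09 dnsmasq[812]: query[AAAA] example.org from 192.168.1.40
Feb 19 10:01:10 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.40
Feb 19 10:02:11 dnsmasq[812]: query[A] www.anotherhiddenservicexxxxxx.onion. from 192.168.1.40
Feb 19 10:02:12 dnsmasq[812]: query[A] notreallyonion.example from 192.168.1.40
"""

# Matches the query type, the queried name and the client address in a dnsmasq line.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_onion_name(name: str) -> bool:
    """True if the name lies under the .onion special-use TLD (RFC 7686).

    Such names identify Tor hidden services and are resolved inside the Tor
    network; a conventional resolver should never receive them.
    """
    labels = name.lower().rstrip(".").split(".")
    return labels[-1] == "onion"


def find_onion_leaks(log_text: str) -> list[dict]:
    """Return every resolver query for a .onion name, with client and query type."""
    leaks = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and is_onion_name(match.group("name")):
            leaks.append({
                "client": match.group("client"),
                "name": match.group("name").rstrip("."),
                "qtype": match.group("qtype"),
            })
    return leaks


def leaks_per_client(log_text: str) -> Counter:
    """Count leaked .onion queries per client address, to find the leaking host."""
    return Counter(leak["client"] for leak in find_onion_leaks(log_text))


if __name__ == "__main__":
    for leak in find_onion_leaks(SAMPLE_LOG):
        print(f"{leak['client']} leaked {leak['name']} ({leak['qtype']})")
    print(leaks_per_client(SAMPLE_LOG))
```

Run against a real resolver log, a non-empty result means some client on the network is resolving hidden-service names outside Tor, which is exactly the footprint described above; the per-client count points at the machine whose browser or proxy configuration needs fixing.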

Over the last three years, the company has worked to make Brave one of the most privacy-focused web browsers available, second only to Tor Browser.

A Brave developer stated after the disclosure that the browser would receive a hotfix for the problem, and that it had already been fixed in the Nightly build of the browser.

“Since it’s now public we’re uplifting the fix to a stable hotfix. Root cause is regression from CNAME- based adblocking which used a separate DNS query.” He further added. 

Oxfam Australia: 1.7 Million Users Compromised in Data Breach

 

Recently, a hacking group has allegedly compromised the data of 1.7 million users of Oxfam Australia, a humanitarian non-profit organisation, which is now investigating the data breach and violation of privacy.

Oxfam Australia is a secular, independent development and aid organisation that operates within the broader Oxfam umbrella to eradicate poverty across Australia, Asia, Africa and the Middle East.

In a statement on Thursday 4 February, the organisation said it was informed of the data breach at the end of the previous week and immediately launched an investigation to establish the origins, motives and extent of the damage.

Oxfam Australia is investigating a possible privacy breach after a threat actor offered its database for sale on a hacker forum. The database sample posted on the dark web contains email addresses, names, physical addresses, telephone numbers and donation amounts, all of which appear to be genuine supporter data, and one record in the threat actor's sample has been matched to a legitimate donor. Although it is still unknown whether any data was actually compromised, it emerged earlier this week that a threat actor was trying to sell the charity's database. Forensic experts were engaged to help determine whether data was accessed and whether supporters were affected. Oxfam Australia said it is continuing to investigate and has reported the incident to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).

"Late last week, Oxfam Australia was alerted to a suspected data incident. Oxfam immediately launched an investigation and engaged market-leading experts to assist in identifying whether data may have been accessed and any impact on its supporters." 

Chief Executive Lyn Morgain said, “Oxfam Australia had reported the matter to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) while continuing to investigate the suspected incident.” 

Oxfam has contacted supporters and stakeholders to warn them of the alleged breach. Although no official confirmation of the attack has been issued, a data breach has probably occurred based on the details provided by the threat actor.

Accordingly, all donors and registered users of the Oxfam Australia platform should update their passwords, and change them anywhere else the same password is used. Threat actors may use the data in that database to conduct targeted phishing attacks, so donors should watch for phishing emails claiming to come from Oxfam that ask for additional personal details.

Morgain added that “We are committed to communicating quickly to our supporters once the facts have been established, and we will provide updates as we learn more.”

E-Commerce Theft: Dark Web Card Payment Store ValidCC Shut Down


Valid CC, a dark web marketplace run by a cybercrime group, had been hacking online merchants and stealing payment card data for more than six years. Last week it shut down abruptly; its owners say a law enforcement operation seized their servers and the store's infrastructure. Many online shops sell "card not present" (CNP) payment data. Such data is stolen from e-commerce stores, but most of these shops source it from other cybercriminals and threat actors.

In the case of Valid CC, however, experts believe the store's operators themselves attacked and hacked hundreds of e-commerce merchants, seeding websites with hidden card-skimming code that stole personal information and payment credentials when a customer reached the checkout stage. Group-IB, a Russia-based cybersecurity firm, published a report last year detailing the operations of Valid CC and noting that it was responsible for hacking around 700 e-commerce stores. Group-IB also identified another group, "UltraRank", responsible for attacking an additional 13 third-party suppliers that provided software components to online stores across Europe, America and Asia.

Experts believe UltraRank orchestrated a series of cyberattacks that cybersecurity firms had earlier attributed to three different cybercrime groups. "Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors," said Group-IB, adding, "UltraRank combined attacks on single targets with supply chain attacks." Valid CC's representative on various platforms, a hacker who goes by the handle SPR, notified customers that the shop would close from 28 January following a law enforcement operation that seized Valid CC's infrastructure.

According to SPR, Valid CC lost access to more than 600,000 unsold payment card accounts, a heavy blow to the store's inventory. Valid CC also lost its proxy and destination servers and can no longer open or decrypt its back end, SPR says. Group-IB reports, "the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English, however, SPR often switches to Russian, while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker."

Data Related to Thousands of Foxtons Clients Leaked Online

 

Estate agent Foxtons Group is under tremendous pressure after the i newspaper reported that sensitive information, including customers' card details and other personal data, had been uploaded to a dark web site. According to the i, on October 12 last year a customer discovered card details, addresses and personal messages belonging to over 16,000 individuals.

The breached data relates to customers from before 2010, but what is alarming is that nearly one-fifth of the cards are still active. Threat actors typically showcase their haul to buyers by publishing a small sample online before selling the rest privately. The amount of personal data published online is relatively small; the total number of affected customers remains the key open question.

Foxtons Group was notified of the published data three weeks ago by the customer who discovered it, but the agency had not yet taken any steps to inform customers or the authorities.

According to the reports, the leaked files have been viewed over 15,000 times in the last three months. Foxtons Group released a statement saying that its Alexander Hall mortgage broking business was hit by malware in October 2020 during an attack that affected many other firms.

“Some IT systems were affected for several days but were restored without significant disruption to customers. All necessary disclosures have been made and full details of the attack were provided to the FCA and ICO at the time. We are satisfied that the attack did not result in the loss of any data that could be damaging to customers and believe that the ICO and FCA are satisfied with our response”, Foxtons Group stated.

The CTO of Cortex Insight, Stephen Kapp stated that “it is safe to assume the worst, and Foxton customers should look to protect themselves from identity fraud and card fraud as a result of this breach. With both personal information and payment card information lost, Foxtons customers should take some time to validate payments and potential credit history interactions since October and flag anything suspicious to their bank”.

Indian Crypto Exchange BuyUcoin Hacked

 

In yet another data breach, sensitive information on almost 3.25 lakh customers of BuyUcoin, an India-based global cryptocurrency exchange and wallet, has been exposed on the dark web. The leaked information includes names, emails, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details (PAN numbers, passport numbers) and deposit history.

Established in July 2016 and based in Delhi-NCR, India, BuyUcoin is a crypto wallet and trading platform where buyers and sellers can transact in digital assets such as bitcoin, ethereum and ripple.

According to independent cybersecurity researcher Rajshekhar Rajaharia, the 6 GB MongoDB database dump contains three backup files of BuyUcoin data.

"This is a serious hack as key financial, banking and KYC details have been leaked on the Dark Web," Rajaharia said and shared some screenshots of the leaked information. 

The leaked information could be used by attackers to run fraudulent attacks against individuals, the researcher said, adding that the transaction details could let hackers infer victims' credit scores.

Researchers at the cybersecurity firm Kela Research and Strategy Ltd first found the stolen data, posted on the same forum alongside data from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which bears the hallmarks of the notorious hacking group ShinyHunters. "Over this past summer, ShinyHunters was seen publishing leaked information for free, uncovering a large number of individual records from all over the world," said Victoria Kivilevich, threat intelligence analyst at Kela Research.

According to Rajaharia, the hacker is the same one who earlier leaked BigBasket and JusPay data in India. In November last year, BigBasket, one of India's best-known online supermarkets, found that data on more than 20 million of its customers had been stolen and was on sale on the dark web for more than $40,000. More recently, the Bengaluru-based digital payments gateway JusPay said that about 3.5 crore records containing masked card data and card fingerprints had been compromised.

While denying the leak, BuyUcoin CEO and Co-founder Shivam Thakral said, “We would like to reiterate the fact that only dummy data of 200 entries were impacted which was immediately recovered and secured by our automated security systems.”

AnyVan: 4.1 Million Users Compromised in Data Breach

 

Headquartered in Hammersmith, London (UK), AnyVan is a European online platform through which customers can book consignment, transport and removal services from its network of transport partners. It focuses on European moves only and is one of the front runners in the European moving market, matching a customer's delivery route with those of its transport providers to reduce costs and cut CO2 emissions by optimising storage space and haulage. Recently, however, AnyVan informed its users of an unauthorised break-in and the theft of customers' personal details by hackers.

The company informed its customers by sending them a notice about the data breach it had suffered. AnyVan later disclosed that it had discovered the incident on 31 December 2020 and also explained why customers were being informed so late.

AnyVan in regards to the aforementioned incident stated that “This leaking of data came to our attention on the 31st December, but we understand the incident itself occurred at the end of September. As soon as the incident came to our attention, our specialist IT team investigated it and have since taken the following remedial action: all passwords have been changed."

According to the company's notice and statements, customers' names, email addresses and cryptographic hashes of their passwords were accessed and probably posted on the dark web. Apparently, no other sensitive information was compromised. The company added that the investigation continues; however, all of this came only after the attackers had had ample time to exploit users' data. An estimated 4.1 million users are affected by the breach. AnyVan did not even report the incident to the ICO (Information Commissioner's Office), an important step given that its users' confidential data was compromised.

As a precaution, the company advised customers to update the password and other personal details of their AnyVan accounts, and warned them not to share any other personal information with anyone unwittingly. The company also apologised for the breach of its users' personal information and said it was very sorry for the inconvenience caused.

DarkMarket Taken Down in an International Operation

 

DarkMarket, reportedly the world's largest dark web marketplace, has been taken down in an international operation coordinated by Europol, according to authorities. Europol supported the takedown with specialist operational analysis and coordinated the cross-border collaboration between the countries involved.

Over the weekend, the Central Criminal Investigation Department in the German city of Oldenburg arrested an Australian citizen, the alleged operator of DarkMarket, near the German-Danish border. The investigation, led by the cybercrime unit of the Koblenz Public Prosecutor's Office, allowed officials to locate and close the marketplace, switch off the servers and seize the criminal infrastructure, more than 20 servers in Moldova and Ukraine, with support from the German Federal Criminal Police Office (BKA). The stored data will give investigators new leads to pursue moderators, sellers and buyers.

Before its closure, DarkMarket hosted nearly 500,000 users and had facilitated more than 320,000 transactions, according to Europol. The marketplace traded everything from drugs and counterfeit money to stolen Mastercard details and malware. By Europol's estimate, the site moved the equivalent of €140 million in today’s money, in a mix of bitcoin and monero. European authorities intend to use the seized DarkMarket servers from Ukraine and Moldova to investigate the buyers and sellers who used the site for criminal transactions.

DarkMarket's bust was not the first for German authorities, who have discovered illegal platform operators on German soil before. In 2019, Koblenz prosecutors announced the discovery of darknet servers hosted in a former NATO bunker in a sleepy German town. Authorities say the probe that uncovered DarkMarket involved a months-long international law enforcement operation. US agencies including the FBI, the DEA narcotics enforcement agency and the IRS tax authority all contributed to the investigation, alongside police from Australia, Britain, Denmark, Switzerland, Ukraine and Moldova, with Europol playing a "coordinating role."

DarkMarket is the latest dark web marketplace taken down since the Silk Road bust back in 2015; in recent years, international law enforcement operations have also brought down AlphaBay and Wall Street Market, which were likewise used to sell drugs and other illegal goods.

Russian hackers selling program in darknet that bypasses spam protection

A Russian-language darknet site is selling a program that lets spammers distribute messages while bypassing traffic and email protection tools. The program abuses a feature of the IMAP protocol.

A new tool for spammers is actively being sold on the darknet that allows the standard protection of e-mail accounts to be bypassed. By exploiting a feature of the Internet Message Access Protocol (IMAP), attackers upload the messages they want directly into victims' mailboxes.

To carry out the attack, the attackers must already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.

The author offers the program on a subscription basis: $50 for one day, $300 for a week or $1000 per month. This is very expensive, but judging by the latest campaigns, demand for the service is very high.

Experts at the information security company Vade Secure indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims it received 300 thousand spam messages in a single day and was forced to spend substantial resources disabling compromised accounts or changing usernames and passwords.

Databases of email usernames and passwords are actively sold on hacker forums. According to Gemini Advisory, an attacker can load such a database into Email Appender, after which the program tries to connect over IMAP to every account whose username and password pair matches. It then only remains to use the IMAP function that allows ready-made mail messages to be uploaded into the mailbox.

"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or similar to it) more than once," said Alexey Vodiasov, technical director of the company SEC Consult Services.

In addition, according to Vodiasov, two-factor authentication is effective, since a compromised account can then no longer be accessed without drawing the attention of its rightful owner.

The expert added that it is also possible to enable notifications of logins to an account from unusual IP addresses; mail systems are quite capable of this.
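As an added example in the spirit of the advice above (this is not code from the original post, from Email Appender or from any of the firms quoted), the following Python check scans constructed IMAP server log lines and flags mailboxes that receive APPEND commands from an IP address not previously seen for that account, or an APPEND burst above a threshold. The log format, the mailbox names and the IP addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simplified, hypothetical IMAP server format
# ("<ISO time> <event> user=<mailbox> ip=<client ip>"), not any real server's output.
SAMPLE_LOG = """\
2021-02-01T09:00:00 login user=alice@example.com ip=203.0.113.10
2021-02-01T09:00:05 append user=alice@example.com ip=203.0.113.10
2021-02-01T09:30:00 login user=bob@example.com ip=198.51.100.7
2021-02-01T09:30:02 append user=bob@example.com ip=198.51.100.7
2021-02-01T09:30:03 append user=bob@example.com ip=198.51.100.7
2021-02-01T09:30:04 append user=bob@example.com ip=198.51.100.7
2021-02-01T09:30:05 append user=bob@example.com ip=198.51.100.7
2021-02-01T10:00:00 login user=carol@example.com ip=192.0.2.44
2021-02-01T10:00:01 append user=carol@example.com ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (login|append) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Yield (timestamp, event, user, ip) for each line that matches the format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_suspicious_appends(text, known_ips, max_appends=3, window=timedelta(minutes=5)):
    """Return sorted (user, reason) findings.

    known_ips maps a mailbox to the client IPs it has historically used.
    Flags an APPEND from an IP outside that set (the unusual-IP signal the
    article recommends alerting on) and more than max_appends APPENDs to one
    mailbox within `window` (a bulk upload of ready-made messages).
    """
    findings = set()
    recent = defaultdict(list)  # mailbox -> timestamps of APPENDs inside the window
    for ts, event, user, ip in parse_log(text):
        if event != "append":
            continue
        if ip not in known_ips.get(user, set()):
            findings.add((user, f"append from unknown ip {ip}"))
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) > max_appends:
            findings.add((user, "append burst"))
    return sorted(findings)
```

With the sample log, bob is flagged for an APPEND burst and carol for an APPEND from an IP outside her known set; the thresholds are illustrative and would be tuned to a real server's baseline.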

Massive Data Dump of 10 Crore Indian Card Holders Leaked on Dark Web


The data of 10 Crore Indian cardholders has been sold on the Dark Web for an unknown amount. The information has been disclosed by the independent cybersecurity researcher Rajshekhar Rajaharia who further stated that ‘hackers attacked the server of Bangalore-based digital payments portal Juspay and after the server was compromised they leaked the data of 10 Crore Indian debit and credit card holders on Dark Web’.

Juspay told IANS that media reports have been misinforming the public and urged users not to worry about their financial information: there has been no leak of card numbers, and the number of victims of the attack is much lower than the 10 Crore figure reported by the media.

Giving insights into the security incident, Juspay said, “on August 18, 2020, an unauthorized attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised; some data records containing non-anonymized, plain-text email and phone numbers were compromised, which form a fraction of the 10 Crore data records”.

However, Rajshekhar Rajaharia was of a different opinion: he said that the financial information of all 10 Crore cardholders is in jeopardy if the attackers can determine the hash algorithm used to derive the card fingerprint, since with that algorithm they could decrypt the concealed card number.

Juspay was launched by two former Amazon engineers, Ramanathan RV and Vimal Kumar, in August 2012 and was later joined by Bloomberg executive Sheetal Lalwani. The company has raised a total of $21.6M in funding; its last funding round was in March 2020.

The data revealed on the Dark Web contains ‘confidential information regarding debit and credit cards of cardholders including expiry date, card fingerprint, ISIN, the type of card, users' card brand (VISA/Rupay/Mastercard), the last four digits of the card, and user account ID’.

The company spokesperson acknowledged that only a few contact numbers and email addresses were leaked, which have little to no value; according to him, no sensitive information regarding card numbers was accessed. He further asserted that no transaction or order information was compromised.

Important Documents Related to the Covid-19 Vaccine Leaked on the Darkweb


As the pandemic continues to spread globally via a new Covid-19 variant, attacks on medical agencies surge likewise. Pharmaceutical companies and government organizations continue to face the onslaught. According to sources, the European Medicines Agency (EMA) became the victim of the latest attack; security experts said that “several documents related to the Covid-19 vaccine are allegedly stolen and are released in the Darkweb market”.

Security experts from threat intelligence firm Cyble also said, “during the evaluation of data, the experts have found that various confidential files, including MoMs, assessment reports, confidential emails, login portal links and images of its internal pages were accessed and leaked”. The illegal market for Covid-19 vaccines continues to expand in scope and reach, asserting its malicious influence even more.

In this regard, the European Medicines Agency said, “EMA has been the subject of a cyber attack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities”.

“EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course”, the agency further added.

The agency is investigating the security incident; however, there is no clarification yet regarding the source of the attack, and whether the hackers were successful in their attempt remains unclear as of now.

The European Medicines Agency has twice been the victim of cyber attacks in recent months. It is a target for attackers because it holds all the necessary and confidential information related to the Covid-19 vaccines, and it played a massive role in their assessment.

The leaked documents were already being shared on Russian-speaking forums when the threat intelligence firm Cyble started tracking them. During the investigation, the experts also found that the attackers had used the internal email in which the portal link was shared, as well as the login page of the portal used to access the reports, both of which were visible in the shared screenshots. Furthermore, the documents included the supposed evaluation reports of the Covid-19 vaccine, which also comprised the summary report of drug release.

Data Breach: Stolen User Records from 26 Companies Being Sold Online


A data broker has allegedly been selling stolen user data from twenty-six companies on a hacker forum. Reportedly, the hacker has put the stolen data of certain companies on sale at a set price and is yet to decide the pricing for the rest of the stolen databases.

The hacker behind the sale has amassed a whopping 368.8 million user records, mostly from companies that had previously reported a data breach; the seven new companies joining the list were Sitepoint.com, Anyvan.com, MyON.com, Teespring.com, Eventials.com, ClickIndia.com, and Wahoofitness.com.

Dark web and hacking forums keep making headlines for their notorious relationship with data brokers and hackers, who extensively use these platforms to leak or sell databases of user information, credentials and records acquired in breaches of companies worldwide, which later confirm the breaches. In this case, however, only MyON and Chqbook have addressed the claims; the other six companies have not issued any statement confirming that they experienced a data breach.

In a conversation with BleepingComputer, MyON.com confirmed that its networks were compromised, saying, "In July 2020 we were made aware of a bad actor trying to sell portions of our data on the dark web. We immediately began investigating to shut down any continued threats to our data or the data of our customers. We were then able to confirm that according to federal and state privacy laws, no confidential student or customer data was compromised, and this incident did not rise to the level of an actual breach of student private data."

Meanwhile, denying the claims of a data breach, Chqbook.com emailed BleepingComputer, saying, "There has been no data breach and no information belonging to our customers has been compromised. Data security is a key priority area for us and we conduct periodic security audits to ensure the safety of our customers’ information."

The companies that fell prey to the data breach are as follows: MyON.com (13 million), Singlesnet.com (16 million), Teespring.com (8.2 million), ModaOperandi.com (1.2 million), Chqbook.com (1 million), Pizap.com (60 million), Anyvan.com (4.1 million), Fotolog.com (33 million), Eventials.com (1.4 million), Wahoofitness.com (1.7 million), Reverbnation.com (7.8 million), Sitepoint.com (1 million), Netlog.com (53 million), Clickindia.com (8 million), Cermati.com (2.9 million), Juspay.in (100 million), Everything5pounds.com (2.9 million), Knockcrm.com (6 million), Accuradio.com (2.2 million), Mindful.org (1.7 million), Geekie.com.br (8.1 million), Bigbasket.com (20 million), Wognai.com (4.3 million), Reddoorz.com (5.8 million), Wedmegood.com (1.3 million), Hybris.com (4 million). 

Users who have accounts on any of the above websites are strongly advised to update their passwords, choosing something unusual and strong enough to thwart a brute-force attack.

179 Dark Net Vendors Arrested in a Massive International Sting; 500 kg Drugs Seized


Global police agencies have confiscated over $6.5m in cash and virtual currencies, 64 firearms and 1,100 pounds of drugs, arresting 179 vendors across 6 countries including the U.S. and Europe in one of the biggest raids on dark web marketplaces. The international sting operation saw considerable cooperation from law enforcement agencies all over the world, including the US, UK, Germany, Europe, Canada, Sweden, Austria, and the Netherlands.

The 500kg of drugs recovered by investigators during the operation included fentanyl, methamphetamine, oxycodone, ecstasy, cocaine, hydrocodone, MDMA, and several other medicines containing addictive substances, as per the findings.

The authorities dubbed the global sting operation as 'DisrupTor' and while announcing it, they claimed in a press release that the "golden age of the dark web marketplace is over." The roots of the operation go back to May 3, 2019; the day German authorities seized the dark web drug market, "Wallstreet market" and arrested its operators.

"Operations such as these highlight the capability of law enforcement to counter encryption and anonymity of dark web market places. Police no longer only take down such illegal marketplaces – they also chase down the criminals buying and selling illegal goods through such sites," the press release further read.

According to the Justice Department, it was the largest international law enforcement operation that targeted opioid traffickers on the dark web. The investigation witnessed an extensive range of investigators ranging from the FBI, ICE, DEA, Customs and Border Protection (CBP), to the Defense Department.

Commenting on the success of the operation, the head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris said, “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

“With the spike in opioid-related overdose deaths during the Covid-19 pandemic, we recognize that today’s announcement is important and timely,” said Christopher Wray, FBI director, adding: “The FBI wants to assure the American public, and the world, that we are committed to identifying dark net drug dealers and bringing them to justice.”

Client data of the Russian bank Alfa-Bank leaked online


On June 22, a message appeared on the darknet offering for sale a database of clients of the largest Russian banks. The seller did not specify how many records he has on hand, but assured buyers that he is ready to upload 5 thousand lines of information per week.

One Russian newspaper obtained a screenshot of a test fragment of the Alfa-Bank database containing 64 lines. Each line holds the citizen's full name, city of residence and mobile phone number, as well as the account balance and document renewal date.

The newspaper managed to reach six clients using these numbers. Two of them confirmed that they have an account with Alfa-Bank and that the balance shown was current.

Alfa-Bank confirmed that it is aware of a leak of data on several dozen clients.

The seller of Alfa-Bank's database said that he also has confidential information on clients of other credit organizations.

"I can sell a database of VTB clients with a balance of 500 thousand rubles or more with an update from July 17 for 100 rubles per entry," claimed the seller. However, the Russian newspaper was not able to obtain test fragments of these databases.

The newspaper also contacted two other sellers who offered information about customers of Gazprombank, VTB, Pochta Bank, Promsvyazbank and Home Credit Bank.

Information about account balances is classified as a bank secret. Knowing such confidential details makes it easier for attackers to steal money using social engineering techniques.

"There are two ways to get databases on the black market. One of them is the leak of data by an insider from a bank or company. The second option is through remote banking vulnerabilities," said Ashot Hovhannisyan, founder of the DLBI leak intelligence service.

According to him, the reason for the ongoing leaks is inefficient investment in security: companies often protect their systems from external hacking, but not from insiders.