This Aspiring Hacker was Caught in a Quite Embarrassing Manner

The US Department of Justice (DoJ) has arrested a Ukrainian citizen for using a botnet to hack people's passwords. He was caught by his alleged messages to vape shops in Ukraine, including an invoice with his home location. 

Glib Oleksandr Ivanov-Tolpintsev is accused by the Department of Justice of deploying a botnet to break passwords of targeted individuals, which he subsequently sold on the dark web. According to his indictment, Ivanov-Tolpintsev made over $80,000 from the operation. 

The press release from the DoJ reads, “During the course of the conspiracy, Ivanov-Tolpintsev stated that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week...Once sold [on the dark web], credentials were used to facilitate a wide range of illegal activity, including tax fraud and ransomware attacks.” 

On October 3, 2020, Polish police arrested Ivanov-Tolpintsev in Korczowa, Poland, and he was extradited to the United States to stand prosecution for these offenses. 

Amateur Blunders 

According to an IRS affidavit, investigators tracked down Ivanov-Tolpintsev by looking at the contents of the Gmail accounts he used to conduct his dark web activities. 

Many digital receipts from online vape shops were sent to one of these accounts, revealing Ivanov-Tolpintsev's name and contact information. 

Furthermore, Ivanov-Tolpintsev's regular, personal email account was set as the recovery address for these accounts. Exploring the contents of that personal account showed a plethora of personally identifying information, including passport scans and Google Photos pictures.

Because of his carelessness in separating his criminal digital identity from his physical one, the government was able to assemble enough evidence to convince a court to order Ivanov-Tolpintsev's arrest and extradition. 

Although the investigators haven't revealed much about Ivanov-Tolpintsev's botnet, the case highlights the dangers of depending solely on a password to protect an account. 

Since cracking passwords and auctioning them on the dark web may lead to significant attacks like the one on the United Nations, security experts have been urging organizations to implement multi-factor authentication (MFA).

1GB of Puma Data is Now Accessible on Marketo

Hackers have stolen data from Puma, a German sportswear firm, and are now attempting to extort money from the corporation by threatening to expose the stolen files on a dark web page specialized in the leaking and selling of stolen data. The Puma data was posted on the site more than two weeks ago, near the end of August. 

According to Security Affairs analysts, the threat actors took more than 1 GB of private information, which would be sold to the highest bidder on an unlawful marketplace. This operation appears to be devoted only to the theft and sale of private information, ruling out the possibility that it is a ransomware offshoot. 

To back up their claims, the threat actors released some sample files that, based on their structure, suggest the attackers got Puma's data from a Git source code repository. The information is now available on Marketo, a dark web platform. The platform, which was launched in April of this year, is quite simple to use. 

Users can register on the marketplace, and there is a section for victim and press inquiries. Victims are given a link to a private chat room where they can negotiate. In each individual posting, Marketo includes an overview of the company, screenshots of allegedly stolen data, and a link to an "evidence pack," also known as a proof. Sensitive data is auctioned through a blind bidding mechanism, a silent auction in which users place bids depending on how much they believe the data is worth. 

Site administrators first compile a list of potential victims, then provide proof (typically in the form of a small downloadable archive) that their network has been infiltrated. If the victimised firm refuses to cooperate with the hackers, their data is exposed on the web, either for free or for VIP members only. The website claims to compile data from a variety of hacking groups but does not cooperate with ransomware gangs.

“Right now, I can say that Puma haven’t contacted us yet,” the administrator of the dark web leak portal told The Record in a conversation last week. “The rest of the data would be released if Puma will decline the negotiations,” they added.

Data From Fujitsu is Being Sold on the Dark Web

An organisation called Marketo is selling data from Fujitsu on the dark web, although the firm claims the information "appears to be tied to customers" rather than their own systems. Marketo announced on its leak site on August 26 that it had 4 GB of stolen data and was selling it. They claimed to have private customer information, company data, budget data, reports, and other company papers, including project information, and gave samples of the data.

Fujitsu Limited, based in Tokyo, is a Japanese multinational information and communications technology equipment and services firm founded in 1935. After IBM, Accenture, and AWS, Fujitsu was the world's fourth-largest IT services company by yearly sales in 2018. Fujitsu's hardware portfolio consists mostly of personal and enterprise computing solutions, such as x86, SPARC, and mainframe compatible servers. 

Initially, the group's leak site stated that there were 280 bids on the data, but now it only shows 70 offers. A Fujitsu representative downplayed the event, saying there was no evidence it was linked to a case in May in which hackers used Fujitsu's ProjectWEB platform to steal data from Japanese government agencies. 

"We are aware that information has been uploaded to dark web auction site 'Marketo' that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown," a Fujitsu spokesperson said. 

Marketo is a reliable source, according to Ivan Righi, a cyber threat intelligence expert at Digital Shadows. The veracity of the material stolen, according to Righi, cannot be validated, but prior data leaks by the group have been found to be real. 

"Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5 MB 'evidence package,' which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack," Righi said.

The group has gone as far as sending samples of stolen data to a company's competitors, clients, and partners in the past to embarrass victims into paying for their data back. The group has listed hundreds of firms on their leak site, most notably Puma, and releases one every week, usually selling data from US and European corporations. At least seven industrial goods and services firms, as well as healthcare and technology firms, have been targeted. 

According to Brett Callow, a ransomware expert, and threat analyst at Emsisoft, it's unknown how Marketo gets the data it offers, but there's evidence that the data is frequently linked to ransomware attacks.

Phorpiex Malware has Shut Down their Botnet and Put its Source Code for Sale

The Phorpiex malware's creators have shut down their botnet and are selling the source code on a dark web cybercrime forum. The ad states that neither of the malware's two original authors is still participating in maintaining the botnet, which is why they opted to sell its source code. It was posted on 27 August by an individual previously associated with the botnet's operation. 

Phorpiex, a long-running botnet notorious for extortion schemes and old-school worms delivered via removable USB drives and instant messaging programmes, has been broadening its architecture in recent years in order to become more durable and deliver more deadly payloads. 

These operations, which previously consisted of extortion and spamming, had extended to encompass cryptocurrency mining. Researchers have noticed an upsurge in data exfiltration and ransomware delivery since 2018, with the bot installer dropping malware such as Avaddon, Knot, BitRansomware (DSoftCrypt/ReadMe), Nemty, GandCrab, and Pony, among others. 

“As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name fomr AV firms) source for sell [sic],” the individual said on Friday in a forum post spotted by British security firm Cyjax. 

The ad's legitimacy was confirmed by Alexey Bukhteyev, a malware reverse engineer for security firm Check Point. “The description of the malware is very similar to what we saw in the code,” Bukhteyev said. The malware's command and control (C&C) servers have been inactive for approximately two months, according to the researcher, who previously researched the Phorpiex virus in 2019. 

The last command the bot received from the Phorpiex C&C servers was on July 6, 2021, according to Bukhteyev, who has been running a phoney Phorpiex bot in order to spy on its operations. The command was a self-explanatory "SelfDeletion" instruction. The botnet appears to have vanished from open-source reports since then. 

"As we know, the source code is private and hasn’t been sold before. Therefore, this [forum ad] looks really believable,” Bukhteyev said. “However, we can be totally sure if we buy it. The binaries are quite straightforward, and we can easily confirm that the source code is for this bot indeed, if we get it."

Even if the botnet C&C servers are down, Bukhteyev warns that if someone buys the code, they can set up new ones and hijack all the already infected systems.

The average price of access to a hacked company in the darknet reached $5,400

Specialists of the Israeli company Kela analyzed more than 1 thousand ads for the sale of initial access to the internal computer networks of hacked organizations published on the darknet from July 2020 to June 2021. The average lot price is about $5.4 thousand.

Kela noted that pricing depends on the revenue of the hacked company: this indicator also determines the nominal value of the ransom that hackers can request. Therefore, access to small firms costs $100-200, and the most expensive lots are thousands of times more.

The highest price tag that the experts met was equal to 12 bitcoins (about $540 thousand at the exchange rate on August 18). That's how much the brokers asked for access to an unnamed Australian company with an annual income of $500 million. The second most expensive access cost 5 bitcoins (about $225 thousand). For this amount, an account was sold in the ConnectWise Control remote desktop access system from the network of one of the American IT companies. Another lot from the top three most expensive accesses was a lot for $100,000, which promised access to the network of some Mexican government agency.

Kela's specialists have also compiled a ranking of the countries whose companies most often appear in access listings on the darknet. The United States led the ranking by a large margin: 27.9% of ads concern American organizations. France is in second place with 6.1%. Next are the United Kingdom and Australia with shares of 4% each. Canada closes the top five with 3.8%. Then come Italy (3.5%), Brazil (3.2%), Spain and Germany (2.3% each), and the United Arab Emirates (2%).

The researchers noted that Russia and the CIS countries could not enter the top 10, since working with local companies on Russian-language hacker forums is not customary.

Hackers Publish Classified Documents Stolen from Lithuanian Ministry of Foreign Affairs

The Lithuanian Ministry of Foreign Affairs has refused to comment regarding the credibility of e-mail files allegedly stolen from its own system and offered for sale on the RaidForums hacking platform. The archive reportedly consists of 1.6 million emails, including discussions and documents classified as sensitive and highly sensitive.

To lure potential purchasers, the hacker published several documents and correspondence belonging to Lithuanian diplomats as proof of the authenticity of the data. In a forum post yesterday, the hacker shared two files, saying that they were email archives of conversations from top representatives of Lithuania's embassy in Georgia.

The hacker claims to have a 300GB cache of 102 Outlook Data File files (PST) with some discussions related to secret negotiations against U.S. President Biden, and preparation for the war with Belarus, including a “nuclear strike”.

The leaked documents are marked as secret, top-secret, and cosmic. The seller also shared a list with names that presumably work for the Lithuanian Ministry of Foreign Affairs.

The Lithuanian Ministry of Foreign Affairs on Thursday posted a short statement declining to comment about the potential leak or even if it is legitimate.

“The Ministry of Foreign Affairs is unable to confirm the veracity of the information disseminated to the public and will not comment. We see this as an information attack by unfriendly countries,” the Lithuanian Ministry of Foreign Affairs stated. 

The ministry was targeted in November 2020 and the attack was attributed to Russian actors, but the incident was not disclosed at the time. It remains unclear how much the vendor is asking for the cache, but some forum users expressed interest in purchasing the leak. According to them, some inboxes contain about 10 years of documents.

Gitanas Nausėda, the president of Lithuania said this week that there is proof suggesting that information was stolen in the November attack and that some of it is deemed classified.

"An investigation is ongoing; without doubt, we will assess the damage done during this cyber-attack. But there are certain signs showing that certain information leaked. And that information is deemed classified," the president said in an interview with the Delfi.lt news website.

Underground Criminals Selling Stolen Network Access to Third Parties for up to $10,000

Cybersecurity firm IntSights published a new report that highlights the vibrant marketplaces on the dark web where attackers can buy or sell what they need to target an organization. 

Paul Prudhomme, a cybersecurity advisor at IntSights, analyzed several underground exchanges on Russian and English-language platforms where stolen credentials and network compromises are traded. The underground criminals sell stolen network access to third parties for up to $10,000. The prices are also influenced by location and industry.

“Some cyber-criminals specialize in network compromises and sell the access that they have obtained to third parties, rather than exploiting the networks themselves,” researchers explained. “By the same token, many criminals that exploit compromised networks — particularly ransomware operators — do not compromise those networks themselves but instead buy their access from other attackers.”

According to researchers, cybercriminal groups rarely possess a team of attackers experienced in each stage of an attack, making dark web platforms ideal to sell or buy malware payloads, hosting infrastructure, and access to abused networks. 

“In September 2020, Russian-speaking username ‘hardknocklife’ auctioned off remote desktop protocol (RDP) access to a U.S. hospital. He mentioned as a selling point that this RDP access yielded patient records, in which he reportedly had no interest,” researchers added. 

“US patient records from healthcare organizations are a valuable resource for identity thieves and other fraudsters because they contain dates of birth, social security numbers, and other personal details that they can use for fraudulent credit applications and other malicious purposes,” they went on to say. “This seller could have mined or monetized that data himself but lacked interest in doing so, perhaps because he could be more productive as an intruder than a fraudster, or because he lacked the fraud or criminal business skills to do so.”

This access started at the low price of $500 in the auction but sold for ten times that, $5,000. Researchers examined a sample of 46 sales of network access on underground forums between September 2019 and May 2021. The sample included 30 offerings from Russian-language forums (65%) and 16 offerings from English-language forums (35%). 

The primary target of underground criminals is the tech and telecoms industry (22%), followed by financial services, healthcare and pharma, and energy and industrials, all at 19.5%. There is no surprise in these numbers; they match industry risk from other reports. What is perhaps a surprise is the emergence of automotive (9%) in fifth place.

In the majority of the 46 offers (40 out of 46), the victim's location was mentioned. North America, with 37.5%, was at the top of the list, followed by Europe, Asia Pacific and the Middle East/North Africa, which accounted for 17.5% each, with Latin America at just 10%. 

“Criminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative. Prices for access to healthcare organizations also trend lower due to the perception that they are easier to compromise,” researchers concluded.

3.8 Billion Phone Numbers of Clubhouse Users up for Sale on Dark Web

On a hacking forum, a threat actor has begun selling a purported confidential database of Clubhouse, which they claim contains 3.8 billion phone numbers. According to the threat actor, the company "saves/steals each user's phonebook" in a confidential database that they are now selling. According to the seller, the secret database has 3.8 billion phone numbers (cell phones, fixed, private, and professional numbers), each of which is given a score (the number of Clubhouse users who have this phone number in their phonebook). 

The threat actor shared a link to a sample of data from the database, which included phone numbers for approximately 83.5 million Japanese consumers. Separately, CyberNews researchers revealed in April 2021 that the personal data of 1.3 million Clubhouse users had been exposed online. 

Clubhouse refuted these charges in a statement to news agency IANS, saying, "There are a series of bots creating billions of random phone numbers." Speaking over the alleged "secret database of Clubhouse," the company clarified saying, “in the event that one of these random numbers happens to exist on our platform due to mathematical coincidence, Clubhouse’s API returns no user identifiable information." 

Several specialists have chimed in on the matter, dismissing the hacker's claims. According to security researcher Rajshekhar Rajaharia, a list of phone numbers such as the one in this case may be easily constructed, and the data leak claim appears to be false. Sunny Nehra, another researcher, pointed out that the threat actor is very new to that forum, is the least engaged, and is prone to making such "lame claims." 

"Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum," reported CyberNews.

Clubhouse is an iOS and Android social audio app that allows users to speak in voice chat rooms with thousands of people. Live talks are held on the audio-only app, and users can engage by speaking and listening. Conversations may not be recorded, transcribed, duplicated, or disseminated without prior consent, according to Clubhouse guidelines. In a funding round in April 2021, venture capitalists valued Clubhouse at roughly $4 billion. 

69K Users Affected in LimeVPN Data Breach

According to analysts, the VPN provider LimeVPN has been hacked, affecting 69,400 user records. A hacker claims to have taken the company's entire client database before taking down the company's website. According to PrivacySharks, the stolen details include user names, plaintext passwords, IP addresses, and billing information. The stolen data also contained the public and private keys of LimeVPN users, according to the researchers.

“The hacker informed us that they have the private keys of every user, which is a serious security issue as it means they can easily decrypt every LimeVPN user’s traffic,” the firm said in a posting. Experts are concerned about the possibility of decryption because VPNs tunnel all of their users' internet activity, which could be a gold mine of information for cybercriminals. 

The entire alleged stockpile has been listed for sale on the hacker forum RaidForums. The hacker, who goes by the handle "slashx," initially stated that the database included 10,000 documents for $400 (on Tuesday) before increasing the number (on Wednesday). According to Slashx, the heist was carried out through a security breach, rather than an internal threat or an older attack. The site then went offline on Thursday, presumably due to a virus intrusion. “Worryingly, our access was blocked by Malwarebytes [antivirus protection] due to a potential trojan found on the site,” PrivacySharks claimed. 

LimeVPN verified the data breach, according to a PrivacySharks spokesperson, and the hacker who took the database also claimed responsibility for the site's outage. LimeVPN alerted RestorePrivacy that "our backup server has been compromised" and that it had "reset our access passwords and initiated a system audit," according to RestorePrivacy, which confirmed the leak separately. Both groups of researchers made contact with the perpetrator and examined samples of the alleged data. 

While evaluating the sample data offered by slashx, RestorePrivacy researchers observed that transaction details for users buying the service were available (dollar amounts and payment method), but actual payment-card data or bank details were not included. “This is because the VPN uses a third-party payment processor called WHMCS,” the firm noted. “However, the hacker claims to have obtained the entire WHMCS database with the LimeVPN hack.”

“Even though LimeVPN is not a large provider like Surfshark or NordVPN, the fact that its entire database was scraped raises the question of security among VPN providers,” Cliff Durward, PrivacySharks’ head of security said. “Although most VPN companies, like LimeVPN, employ no-logs policies, identifiable data such as email addresses and payment information can still be stolen and sold if security breaches occur.”

Data of 700 Million LinkedIn Users Has Been Compromised

A massive breach has purportedly compromised the data of over 700 million LinkedIn users. LinkedIn has a total of 756 million users, which means that this new leak exposes the data of more than 92 percent of them. An anonymous hacker is reported to have obtained a fresh dataset of personal information about LinkedIn users. Reportedly, the exposed data includes phone numbers, physical addresses, geolocation data, and inferred salaries. 

The data advertised by the hacker is “both authentic and up-to-date,” according to a recent investigation by the publication, with data points ranging from 2020 to 2021. The article goes on to say that the leaked data comprises a large amount of information. In April, LinkedIn reported a data leak impacting 500 million users, in which personal information such as email addresses, phone numbers, workplace information, full names, account IDs, links to social network profiles, and gender was exposed online. 

According to LinkedIn, the information was obtained by scraping the network rather than through a data breach. In an emailed statement, LinkedIn said, "While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected." 

The hacker has also uploaded a sample set of 1 million users for purchasers on the Dark Web, where the new dataset of 700 million users is also on sale. RestorePrivacy was the first to notice this listing on the Dark Web, and 9to5Google double-checked the sample data. 

User information such as email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username, and profile URL, inferred salaries, personal and professional experience/background, gender, and social media accounts and usernames are included in the sample dataset that has been published on the Dark Web. 

9to5Google reached out to the hacker, who says that the data was obtained by abusing the LinkedIn API to gather the information that people upload to the site. Although the data does not include passwords, it is nevertheless extremely valuable and might be used in identity theft or phishing attempts.

Domino’s Data Leak Exposed Data of 18 Crore Orders

The famous pizza company Domino's suffered a data leak again this year, wherein the details of 18 crore orders were made accessible on the dark web, according to some security experts. 

A hacker alleged that earlier in April he had successfully gained access to 13 TB of Domino's data. The leak is said to include data belonging to more than 18 crore (180 million) purchase orders, containing telephone numbers, e-mail addresses, billing information, and user credit card details. 

Domino's Pizza, Inc., known as Domino's, is a multinational American pizza restaurant chain established in 1960. The F&B chain is particularly prominent in India, as can be seen in the smooth functioning of its operations despite the ongoing pandemic. 

Rajshekhar Rajaharia, a security expert, took to Twitter to announce that Domino's had been breached again, showing that the data of 18 crore orders had been made available after the hackers built a search engine on the dark web; regular Domino's customers will most probably find their personal information there. The leaked information comprises users' names, e-mail addresses, telephone numbers, and even their GPS locations. 

"Data of 18 crore orders of Domino's India have become public. Hacker created a search engine on Dark Web. If you have ever ordered @dominos_india online, your data might be leaked. Data include Name, Email, Mobile, GPS Location, etc," Rajaharia tweeted. 

The incident was brought to light before the beginning of April by Alon Gal, CTO of cybersecurity company Hudson Rock. He said that the users' data was being sold by the hackers for about ten BTC. The hackers wanted to create a search engine to enable the data to be queried, Gal further added. 

The compromised data reportedly includes 10 lakh credit card details and even the addresses of people who have purchased Domino's pizza. However, Domino's India denied any leakage of users' financial information in a statement given to Gadgets 360. 

When Jubilant Food Works, the master franchise holder for Domino's in India, Nepal, Sri Lanka, and Bangladesh, was approached, it was confirmed that the company recently had a security incident but no financial details were revealed. 

"Jubilant Food Works experienced an information security incident recently. No data about financial information of any person was accessed and the incident has not resulted in any operational or business impact.” 

"As a policy, we do not store financial details or credit card data of our customers, thus no such information has been compromised. Our team of experts is investigating the matter and we have taken necessary actions to contain the incident," the company spokesperson said.

Leaked Apple Schematics & Extortion Threats Removed From Dark Web

According to MacRumors, the ransomware group that stole schematics from Apple supplier Quanta Computer last week and threatened to release the trove of documents has mysteriously deleted all references to the extortion attempt from its dark web blog. 

Last Tuesday, the ransomware group REvil claimed that it had gained access to Quanta's internal computers and obtained some photographs and schematics of unreleased Apple products. The group requested $50 million from Quanta in order to retrieve the data. However, according to a statement posted on the hacker group's website on April 20, Quanta declined to pay the ransom, which led the criminals to turn their attention to Apple. 

To prove they had hacked into Quanta's servers and to increase the pressure on Apple, the hackers publicly posted a handful of images depicting unreleased product schematics: 21 images in total, showing different features of an alleged upcoming MacBook Pro, including an SD card slot, an HDMI port, and a MagSafe charger. 

Unless Apple paid the $50 million ransom demand in return for removing the files, the group threatened to publish new data every day leading up to May 1. The extortion attempt was timed to coincide with Apple's "Spring Loaded" digital event on April 20, at which the company unveiled AirTag item trackers, new iPad Pro models, and new iMacs. Despite the threat, after the original demand was made public, no further stolen documents have been leaked online. 

REvil isn't known for bluffing and regularly shares stolen documents if its victims don't pay up, so it's unclear why the group didn't follow through this time. According to MacRumors, the photos were mysteriously deleted from their dark web location. The group has not stated why the photos were deleted, and all references to the blackmail attempt have been removed. 

Apple has yet to comment on the breach, although it has a history of refusing to deal with hackers. When a hacker group tried to extort money from Apple in 2017 by holding consumer data hostage, Apple told the community, "We do not reward cybercriminals for violating the law." 

The group is still aggressively extorting other businesses, so it's unclear what caused it to delete all material related to the Quanta hack.

SOCTA: Here's a Quick Look into the Report by Europol

The Serious Organised Crime Threat Assessment (SOCTA) 2021 by Europol summarises the criminal threat from the last four years and offers insights into what can be expected in the following four years. Organised crime isn't just cybercrime, but cybercrime is now a big component of organised crime. Europol sees the transformation of businesses, growth in the digital lifestyle, and the rise of remote work as new vulnerabilities and opportunities for criminals to exploit. 

“Critical infrastructures will continue to be targeted by cybercriminals in the coming years, which poses significant risks,” cautions the published report. “Developments such as the expansion of the Internet of Things (IoT), the increased use of artificial intelligence (AI), applications for biometrics data, or the availability of autonomous vehicles will have a significant impact. These innovations will create criminal opportunities.” 

The interruption of Emotet Botnet in January 2021, with foreign activities organized by Europol, is highlighted in the report. This includes the international efforts concerning the authorities of the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. But the overall thought is that cybercrime is growing in sophisticated ways with criminal gangs being increasingly organized due to which the threat is multiplying at a fast rate. However, the Europol report does not comment on the usual cyber threats, apart from the fact that crime syndicates sell it 'as a service more and more. 

ENISA estimates that 230,000 new malware variants are detected each day, and Europol shows that the number and sophistication of attacks continue to increase: "The increase in the number of attacks on public institutions and large companies is particularly notable." Distributed denial of service (DDoS) is an expanding threat, frequently followed by extortion attempts. Attacks on government and critical infrastructure continue, but criminal groups increasingly target smaller organisations with weaker security.

“Last year saw a multitude of damaging consequences from ransomware, breaches, and targeted attacks against sensitive data,” comments Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. Attackers took full advantage of critical vulnerabilities to the detriment of organisations, in incidents ranging from theft of COVID-19 research data to attacks on critical networks and government agencies. Online child exploitation also increased, particularly what the report calls live distance child abuse, while children spent months at home during school closures. Europol states that it holds a database of over 40 million child sexual abuse images from around the globe.

Furthermore, the role of the dark web in illegal activity should not be underestimated; criminals use it to share knowledge on operational security. Use of the dark web for selling illicit drugs and weapons has increased over the past four years, but law enforcement action appears to have sown mistrust among buyers and may have slowed that growth. Trafficking in human beings (THB) is also conducted on the dark web and on surface web pages, with labour and sexual exploitation the main categories. Europol says THB is substantially underreported and that, within the EU, THB for labour exploitation is on the rise.

Fraud has also grown more technically complex, with investment fraud, BEC, non-delivery fraud, novelty fraud, fake invoice fraud, social benefit fraud, bank fraud, and so on; this is likely to continue. “The use of deep fakes will make it much more challenging to identify and counter fraud,” warns Europol. The organised crime ecosystem is marked by a networked environment with smooth, systemic, and profitable coordination among criminals.

OTP Generating Firm at a Risk, as Hacker Claims to have Sold its Sensitive Data

 

A hacker appears to be selling confidential information claimed to have been stolen from an OTP provider whose customer list reportedly includes some of the most prominent technology and business giants, among them Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter.

A one-time password (OTP), also called a one-time PIN or dynamic password, is a password that is valid for only a single login session or transaction on a computer system or other digital device. The same hacker also claims to have real-time access to the company's OTP system. Security researcher Rajshekhar Rajaharia, who flagged the suspected breach, is not yet convinced by the seller's claims.

“The seller was active on the dark web forum for a long time claiming to sell live access to OTP and 2FA but from what we have seen there are some chances that the data might be old as we have found some clues that changes have been made with dates. Nevertheless, we are still investigating because data seems real otherwise,” stated Rajaharia. 

Rajaharia also shared sample data confirming the presence of one-time codes; even if not all of them are still current or valid, a buyer could learn a great deal about the platform and its processes. The listing offered 50 GB of exfiltrated data, among other details, and the asking price was cut from $18,000 to an introductory $5,000. Although the company is named in the listing, it is not disclosed here for security reasons.

Other details included in the package are PII such as SMS logs, mobile numbers, e-mail addresses, SMPP details, customer documentation, and more; the data is said to go back to 2017. According to the latest reports the seller moved the listing from the dark web marketplace to Telegram, where sales continued, though the number of buyers is unknown. Some 10 million OTPs also appear in the data packs.

The company in question denied all claims of a data breach, stating that its systems were as secure as ever and that it could not verify the authenticity of the alleged data.

It also sent a letter to the National Stock Exchange of India, which reads, “We would like to highlight that unverified posts and claims are being circulated about an alleged data breach at [company’s name redacted]. Based on the evidence we have seen thus far, it is not from any of our current systems, and therefore we cannot verify the authenticity of the alleged data breach.”

The company added that it has engaged a third-party expert to support an audit of its systems, so that if a web shell were present it would be found and removed.

533 Million Facebook Users' Phone Numbers And Personal Data Leaked Online

 

On Saturday, a user on a low-level hacking forum leaked the personal information of hundreds of millions of Facebook users free of charge. The data covers over 533 million Facebook users from 106 countries, including around 32 million users in the US, 11 million in the UK, and around 6 million in India. Leaked fields include full names, dates of birth, locations, phone numbers, Facebook IDs, bios, and in some cases email addresses.

Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, analysed the leak on Saturday and reported it on Twitter. Gal had earlier found the same database being made accessible through a Telegram bot in January.

The situation was different then: the actor behind the Telegram bot sold the records to customers willing to pay for them, whereas this time the data of more than 533 million people is available to anyone for free on a low-level hacking forum.

“A database of that size containing the private information such as phone numbers of a lot of Facebook’s users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts,” Alon Gal stated. 

Incidents like this are nothing new for Facebook, a frequent target of attackers that has suffered several notable data breaches before.

A vulnerability spotted in 2019 allowed sensitive information of millions of Facebook users, including phone numbers, to be scraped from Facebook's servers in contravention of its terms of service; Facebook stated that the vulnerability was patched in August 2019. Facebook had also vowed to eliminate mass data scraping after Cambridge Analytica harvested over 80 million users' data in violation of Facebook's terms of service to target voters with political ads in the 2016 election.

Hacker Hacks Underground Covid Vaccine Market On Dark Web

 

In a recent incident, an attacker compromised a vaccine marketplace running on the dark web, placed fake orders and then cancelled them to trigger refunds, walking away with Bitcoin worth $752,000, according to a report released on Thursday. A post on the market's forum says the attacker found a way to place fake orders, cancel them immediately using the vendor account, and have the refunds paid out, after which the funds were withdrawn at once.

Check Point Research says the method netted the hacker 13 Bitcoin (BTC), worth about $752,000 at the time. The vaccine marketplace is currently down because of the hack, but the attack has not stopped the sale of Covid-19 related products on the dark web: following the marketplace shutdown, another forum was set up at the same address, offering a range of ads including Covid-19 vaccines (documents included) at heavy promotional discounts.

Researchers also recently found fake Covid-19 vaccination certificates and forged Covid-19 test results being sold on dark web and hacking platforms for as little as Rs 1,800 ($25) and up to Rs 18,000 ($250), aimed at people looking to book flights, cross borders, start a new job, or attend an event. A buyer simply sends their details and payment to the seller on the dark web, who e-mails back the forged documents.

Check Point's research shows fake negative Covid-19 test results available on the dark web for a mere $25, and that vaccine ads on the darknet have tripled over the last three months. The selling forums are based in European countries including Spain, Russia, France, and Germany. According to the researchers, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." On the hacked marketplace, Check Point adds, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Here's How to Safeguard Against Mobikwik Data Breach

 

Cybersecurity researchers claim that the KYC data of as many as 11 crore (110 million) Mobikwik users was leaked and put up for sale on the dark web. The Gurugram-based digital wallet company denies the breach, stating that it has found no evidence of a data leak.

Independent cyber-security researcher Rajshekhar Rajaharia first disclosed the leak in February, saying that bank details, email addresses, and other sensitive details of nearly 11 crore Indians had been leaked on the dark web.

Approximately 8 terabytes (TB) of personal user data were taken from Mobikwik's main server by a hacker going by 'Jordan Daven' and put on dark web platforms on January 20, Rajaharia stated. As evidence, Jordan Daven emailed a link to the stolen database to PTI, stated that they had no intention of using the data other than to sell it back to the company and then delete their copy, and shared private details of Mobikwik founder Bipin Preet Singh and CEO Upasana Taku taken from the stolen database.

When approached, Mobikwik denied the claims and stated, “the company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications which includes annual security audits and quarterly penetration tests to ensure the security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of breach.”

Precautionary measures for Mobikwik users 

To check whether your data is in the dump you need the Tor browser, free and open-source software for browsing the web anonymously, because the leak is hosted on the dark web. Whatever you find, update your Mobikwik account now: set a new password and enable two-factor authentication.

Open this link to access the leaked database that is now online, and search for your data using your email ID or phone number. If nothing comes up you are probably safe; if something does, contact your bank immediately and block your cards. Bear in mind that the search page is run by whoever published the dump, so anything you type into it, including your email address and phone number, is handed to them. If you would rather not do that, skip the lookup, change your credentials anyway, and watch your bank statements for unfamiliar transactions.

Threat Actor Targets Guns.com, Spills Sensitive Information on Dark Web

 

As the domain name suggests, Guns.com is a major Minnesota-based online platform for buying and selling guns, and also publishes news for firearm owners and enthusiasts around the globe. On March 9, 2021, a database seemingly belonging to Guns.com was dumped on the popular hacking forum RaidForums.

Earlier this week, a large cache of files allegedly stolen from Guns.com also appeared on RaidForums. The posters claim the files contain Guns.com's complete database along with its source code, that the breach took place around the end of 2020, and that the data was previously sold privately, meaning on Telegram channels or dark web forums.

According to Hackread.com's analysis, the dump contains substantial gun buyer information including user IDs, full names, nearly 400,000 email addresses, password hashes, physical addresses, zip codes, cities, states, Magento IDs, phone numbers, and account creation dates.

One folder in the leaked database holds customers' bank account details, including full name, bank name, account type, and Dwolla IDs. Credit card or VCC numbers were not leaked.

The dump also contains Guns.com's own login credentials: an Excel file appears to hold sensitive details including the administrator's WordPress, MySQL, and cloud (Azure) credentials. It is unclear whether these credentials are current, old, or have already been changed by the site's administrators since the breach.

This could be devastating for the company, since all the admin credentials, including admin emails, passwords, login URLs, and server addresses, are in plain text. With this kind of information, a skilled attacker could run identity fraud schemes, target customers with convincing phishing, or carry out other malicious activity.
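The customer records in this dump carry password hashes, while the admin credentials are plain text; how much that distinction is worth depends entirely on how the hashes were made, which the report does not say. The example below, written for this article and not taken from Guns.com or the dump, shows the two ends of that spectrum on a constructed three-account sample: an unsalted fast hash (SHA-1 here) falls to a dictionary attack at the cost of one hash per candidate word for the whole dump, whereas a per-user salt plus a memory-hard function (scrypt from Python's standard library, parameters chosen for this example) forces one slow computation per account per word. The sample accounts, wordlist and scrypt parameters are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data (not the real dump): a tiny wordlist and three accounts whose
# passwords were stored as unsalted SHA-1, the way a weak site might store them.
WORDLIST = ["password", "123456", "letmein", "guns2020", "Winter2021!"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


LEAKED_FAST_HASHES = {
    "alice@example.com": sha1_hex("guns2020"),
    "bob@example.com": sha1_hex("letmein"),
    "carol@example.com": sha1_hex("correct horse battery staple"),
}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted fast hashes.

    One hash per candidate word tests that word against *every* account at once, so the
    whole dump costs len(wordlist) SHA-1 computations however many users it holds.
    Returns (cracked {user: password}, hashes_computed).
    """
    table = {sha1_hex(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(table)


# scrypt parameters (assumption for this example; raise N as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, salt: bytes = None) -> str:
    """Per-user salted scrypt hash in a self-describing string: scrypt$N$r$p$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted scrypt hashes.

    Each (user, word) pair needs its own scrypt evaluation because the salt differs per
    user, so the cost is users x words slow hashes instead of one fast lookup table.
    Returns (cracked {user: password}, hashes_computed).
    """
    cracked, work = {}, 0
    for user, stored in dump.items():
        for word in wordlist:
            work += 1
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_FAST_HASHES, WORDLIST))
    salted = {"alice@example.com": hash_password("guns2020"),
              "bob@example.com": hash_password("letmein")}
    print(crack_salted(salted, WORDLIST))
```

Weak passwords are still recovered in both cases; what changes is the price per guess, which is why slow salted hashing buys time to force resets after a leak but does not rescue an admin whose password is in a spreadsheet in the clear.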

Insider Trading Threats on Dark Web

 

Insider trading can be conducted more effectively now than ever before, thanks largely to the continuing proliferation of encrypted and anonymous messaging services and to dark web and underground networks that let threat actors find co-conspirators and communicate with them. Historically, a few dark web forums catered to the trafficking of non-public corporate data; today, newer technology allows these activities to be conducted with far better operational security.

Financially motivated threat actors or disgruntled employees can now trade data away from the prying eyes of law enforcement and security researchers, giving only vetted individuals access to the sensitive information supplied by insiders.

Moreover, the clearnet hosts many stock-trading enthusiast groups on platforms like Reddit and Discord, ranging in size from thousands to millions of members. Insikt Group found "stock signals" services that give paying members tips on which trades to make based on the recommendations of “analysts”. Given that the origin of the information is murky, the unregulated nature of these services and their use of anonymous messaging services is concerning.

One historically significant site was The Stock Insiders, a Tor-based site active from April 2016 until August 2018. As the name suggests, it was created to build a community of users with insider access at publicly traded companies who would share that information to inform the stock trades of the larger group. The site has long been inactive, the administrator does not respond to private messages, and the main page has not been updated since early 2018. Why operations stopped has not been explained, but it does not appear to have been the result of a law enforcement takedown, since the site is still technically up.

While the site is no longer active, it still offers an instructive view of how such operations were run. The Stock Insiders has a few visible posts instructing users how to register an account and listing the requirements for full membership.

What are Smishing Attacks? How to Prevent Them?

 

Smishing is a cyber attack that uses SMS text messages to trick victims into handing sensitive data to a cybercriminal: account names and passwords, bank account numbers, or credit card numbers. The message typically embeds a shortened URL and invites the recipient to tap it, which in most cases leads to a malicious site. Smishing is the SMS form of two related attacks, phishing (by email) and vishing (by voice call).

Cybercriminals today are primarily motivated by financial gain. They craft messages and fake pages designed to capture your sensitive data for profit; once they have it, they may sell your compromised card details or credentials on the dark web, open accounts in your name, or hold your information for ransom in exchange for a large payout.

In May 2018, customers of Fifth Third Bank were targeted by a smishing attack. The attackers claimed to represent the bank and warned customers that their accounts were locked; the text message contained a link to "unlock" the account. The link led to a fake webpage resembling Fifth Third's genuine site, which prompted visitors to enter their username and password, one-time code, and PIN to unlock the account. The criminals then used the stolen account data to withdraw almost $68,000 from 17 ATMs across three states.

Some of the ways to prevent smishing attacks are: 

• Do not reply to text messages that ask you for personal or financial information. 

• If you receive a message that appears to be from your bank, financial institution, or another business you deal with, contact that business directly, using a phone number or website you already know, to find out whether it sent you a genuine request. Check the entity's policy on sending text messages to customers. 

• If a text message urges you to act or respond quickly, pause and think. Criminals rely on urgency to get you to do what they want. 

• Never reply to a suspicious text message without doing your research and checking the source.
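The advice above is for users; on the engineering side the same tells (a link, a shortener or lookalike domain that hides where the link goes, urgency language, a request for a PIN or one-time code) can be scored mechanically over SMS content, for example in a messaging gateway or a mobile security app. The following is an added example written for this article, not a product or code from the original post. The brand-to-domain table, shortener list, phrase lists, weights and threshold are all assumptions of the example (the Fifth Third entry, mapping to 53.com, is included only to mirror the case above), and the four messages are constructed, not real SMS captures.

```python
import re
from urllib.parse import urlparse

# Constructed lookup tables (assumptions for this example, not from the article).
BRANDS = {"fifththird": {"53.com"}, "examplebank": {"examplebank.com"}}  # keyword -> real domains
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
URGENCY = ["locked", "suspended", "suspension", "immediately", "within 24 hours",
           "act now", "unlock now", "verify now", "urgent"]
CREDENTIAL_ASKS = ["password", "pin", "one-time code", "otp", "passcode",
                   "social security", "card number"]

# Links in SMS often omit the scheme, so the scheme is optional here.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_hosts(text: str) -> list:
    """Return the lower-cased hostnames of every link in the message, without 'www.'."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts


def _has_phrase(text: str, phrase: str) -> bool:
    # Whole-word match so that "pin" does not fire on "shipping".
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def score_sms(text: str) -> tuple:
    """Return (score, reasons) for one message; higher is more smishing-like."""
    low = text.lower()
    score, reasons = 0, []
    hosts = extract_hosts(text)
    if hosts:
        score += 1
        reasons.append("contains a link")
    for host in hosts:
        if host in SHORTENERS:
            score += 2
            reasons.append("shortened link hides the destination: " + host)
        elif IP_RE.match(host):
            score += 2
            reasons.append("link points at a bare IP address: " + host)
        # Lookalike check: brand name embedded in a host the brand does not own.
        squashed = host.replace("-", "").replace(".", "")
        for brand, real_domains in BRANDS.items():
            legit = any(host == d or host.endswith("." + d) for d in real_domains)
            if brand in squashed and not legit:
                score += 3
                reasons.append("lookalike domain impersonating %s: %s" % (brand, host))
    urgency = [p for p in URGENCY if _has_phrase(low, p)]
    if urgency:
        score += 1
        reasons.append("urgency language: " + ", ".join(urgency))
    asks = [p for p in CREDENTIAL_ASKS if _has_phrase(low, p)]
    if asks:
        score += 2
        reasons.append("asks for credentials: " + ", ".join(asks))
    return score, reasons


def is_smishing(text: str, threshold: int = 3) -> bool:
    return score_sms(text)[0] >= threshold


# Constructed sample messages (not real SMS captures).
SAMPLES = [
    "Fifth Third Alert: Your account has been locked. Unlock now at http://fifththird-secure-login.com/unlock",
    "Verify your PIN and one-time code at https://bit.ly/3xyz to avoid account suspension",
    "ExampleBank: a new device signed in. If this wasn't you, visit https://examplebank.com/security",
    "Your package arrives tomorrow between 2-4pm. Reply STOP to opt out.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(is_smishing(msg), score_sms(msg))
```

The first two samples score well above the threshold (lookalike domain plus urgency; shortener plus a request for a PIN and one-time code), the genuine-looking bank alert scores only for containing a link, and the delivery notice scores zero. The weak point of any such filter is the brand table: a lookalike for a brand not in the table goes unflagged, so the table needs the same upkeep as a blocklist, and the score should feed a warning to the user rather than a silent drop.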