Search This Blog

Showing posts with label Darkweb. Show all posts

Users May Risk Losing their Passwords on Dark Web For Sale


In April, Zoom became one of the many victims of the companies that lost their user data to the hackers. Zoom, which is one of the top online video conference platforms, lost more than half a million of account logins on the dark web. The leaked passwords could be bought either for free or for a minimal amount of money. Understandably, the users are blaming the Zoom company for losing its accounts, and they have every right to do so. It is, however, a part of much bigger trouble that includes hackers, some criminal niches on the Internet, and the fault of our own to set very weak user passwords.


How passwords end up on the dark web? 

Every year, more than hundreds of millions of user accounts end up getting exposed to the dark web, either through malware or phishing attacks. According to a report by Privacy Rights Clearinghouse, a non for profit organization in California, around 11.6 Billion user accounts have been hacked since the year 2005. The hacked accounts are then either uploaded on hacker websites or posted on the dark web for sale.

These websites and dark web can be accessed only through a specific browser called Tor. "Then there's Tor, the darkest corner of the Internet. It's a collection of secret websites (ending in .onion) that require special software to access them. People use Tor so that their Web activity can't be traced -- it runs on a relay system that bounces signals among different Tor-enabled computers around the world," says Jose Pagliery from CNN Business.] The hackers use these purchased passwords and try logging in with them to several other websites until they are successful, a technique known as credential stuffing.

The hackers used credential stuffing to steal more than 500,000 Zoom user accounts and uploaded them later on the dark web. In response to this, Zoom spokesperson has confirmed that they suspect the hackers used credential stuffing to breach the accounts. "You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing," says Microsoft's security website on "how to prevent your company from web attacks."

Hackers sell data of 80 thousand cards of customers of the Bank of Kazakhstan


An announcement about the sale of an archive of stolen data from 80,000 Halyk Bank credit cards appeared on the Darknet's site Migalki.pw.

It should be noted that Halyk Bank of Kazakhstan is the first Bank in the country in terms of the number of clients and accumulated assets. This is not the first time for a Bank when data has been compromised.

The fact that the archive consists only of Halyk Bank cards suggests that the cards were stolen inside the structure.

Typically, identifiers of stolen cards are obtained using MitM attacks (Man in the middle). While the victim believes that he is working directly, for example, with the website of his Bank, the traffic passes through the smart host of the attacker, which thus receives all the data sent by the user (username, password, PIN, etc.).

It is possible that the archive is not real. This may be a bait for potential carders created by the Bank, the so-called honey pot. This trap for hackers creates an alleged vulnerability in the server which can attract the attention of attackers and inspire them to attack. And the honeypot will see how they work, write down the information and pass it to the cybersecurity department.

Although, such actions are risky for the image of a financial institution, as any Bank tries to avoid such negative publicity.

It is important to note that all data leaks from the Bank is the personal fault of the owners, managers of the Bank. In Russia and in Kazakhstan, in case of data leakage, the bank at best publishes a press release stating that "the situation is under control". However, banks in the US and Europe in the same situation receive a huge fine.

Data of Bank customers in Russia are becoming more expensive on the Darknet


In the first half of 2019, the price of banking customer data has rapidly increased on the Darknet. Thus, the cost of obtaining data on cards or statements of operations increased by 3-7 times. At the beginning of the year, the client's account statement could be purchased for 2 thousand rubles ($ 32), now its cost can reach 15 thousand rubles ($ 238).

According to the Positive Technologies analyst Vadim Solovyov, data on ATMs used by the client appeared on many sites, their price is from 8 thousand ($ 127) to 15 thousand rubles ($ 238). He noted, rather, this information can be used in traditional criminal schemes, for example, so that the fraudster's call to the client sounded more reliable.

"If the cost has increased, it means that the methods of countering leaks in banks have significantly complicated the business of attackers", the Central Bank believes.

The Head of the Information Security Department of the Open-Bank Vladimir Zhuravlev associated the price increase with a change in the type of attacks on customers. According to him, earlier fraudsters often used technical means, such as Trojans, phishing links or skimming. Now 90% of the theft occurs using social engineering methods, where the availability of personal customer data is very helpful to the fraudster.

The Central Bank does not disclose official statistics on the theft of funds of individuals in the first half of the year. However, law enforcement officers recorded an increase in successful thefts from bank accounts. For example, in the Kurgan region, the number of crimes has doubled, in the Smolensk region has grown five times.

According to Stanislav Pavlunin, the Vice-President of Post-Bank, the Bank uses different approaches and methods to combat internal fraud, for example, photo and video shooting of monitor screens, as well as official documents, presentations containing confidential information is prohibited.

It is interesting to note that Sixgill analysts have prepared a report, according to which Russia took the last place in the number of stolen bank cards. The researchers see two reasons for such low rates: the first is a large percentage of Russian cybercriminals, and the second is the economic situation in Russia.

Mylobot Turns your PC into a Zombie system



Tom Nipravsky, a security researcher at Deep Instinct, discovered another 'never seen before' malware that could transform a Windows PC into a botnet. Named as 'Mylobot', this malware has developed from the 'Dark Web'. It was finished up in the wake of following its server that was additionally utilized by other malware from the dark web.

The powerful botnet is said to consolidate various noxious systems, generally including:

·       Anti-VM techniques
·       Anti-sandbox techniques
·       Anti-debugging techniques
·       Wrapping internal parts with an encrypted resource file
·       Code injection
·       Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
·       Reflective EXE (executing EXE files directly from memory, without having them on disk)
·       A 14-day delay before accessing its C&C servers.

"On a daily basis we come across dozens of highly sophisticated samples, but this one is a unique collection of highly advanced techniques," says Arik Solomon, vice president of R&D at Deep Instinct. "Each of the techniques is known and used by a few malicious samples, but the combination is unique."

As indicated by the researcher, Mylobot likewise bears contrary to the botnet property. The reason, as indicated by the researcher, for this conduct being is, possibly to prevail upon the "opposition" on the dark web.

 “Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The researchers say it's vital to take note that Mylobot was found in the wild, at a Level 1 communication and telecommunication equipment manufacturer and not in a proof-of-idea show.

Also, in conclusion the one thing they are extremely sure about is the modernity of the malware's creators as, according to ZDNet, the real author(s) of this malware are yet obscure, be that as it may, the malware utilizes a similar server which is connected to the scandalous Locky ransomware, Ramdo, and DorkBot.