Search This Blog

Showing posts with label Dark Web. Show all posts

ACY Accidentally Exposes User Data On Web

Anurag Sen, a famous cybersecurity expert said that ACY Securities, an Australia-based trading company accidentally posted huge amounts of personal and financial data of unsuspected users and businesses on the web for public access. The incident happened because of misconfigured database that ACY Securities owns. Sadly, the data leak had over 60GB worth of data that was left in the open without any protection. 

It means that anyone with basic knowledge about obtaining unsafe databases from platforms like Shodan can gain full access to ACY's data. The data had logs from February 2020 to this date, getting updated regularly. The exposed data includes- full name, postal code, address, date of birth, email address, gender details, contact number, password, and banking, and financial information. The attack hit businesses in various countries including China, India, Spain, Russia, Brazil, Australia, Romania, Malaysia, the United States, the United Kingdom, Indonesia, and United Arab Emirates. 

The expose is very severe because, at the beginning of this year, Anonymous and affiliated hacker groups totaled 90% (estimated) of Russian cloud databases, leaked to the public. The exposed data in these leaks was without a password or authentication. 

In the ACY Securities incident, if we consider the extent and nature of leaked data, the case could've turned out to have the worst implication. For instance, threat actors could have downloaded tha data and performed phishing scams, identity thefts, marketing campaign scams, and microloans identity scams.

"misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. In 2021, the number increased to 399,200 exposed databases," read a post on HackRead.

Costa Rica's New Government is Under Attack by a Conti Ransomware Gang

 

The Conti ransomware organization, which has hacked some Costa Rican government computer systems, has increased its threat, claiming that its ultimate goal is to overthrow the government. The Russian-speaking Conti gang tried to intensify the pressure to pay a ransom by boosting its demand to $20 million, perhaps capitalizing on the fact that President Rodrigo Chaves had just been in office for a week. 

"We are aiming to overthrow the government by a cyber attack, and we have already demonstrated all of our strength and power," the group stated on its official website. "In your government, we have insiders. We're also attempting to obtain access to your other systems, and you have no choice but to pay us." Chaves said the organization had infiltrated up to 27 institutions at various levels of government, declaring that the country was "at war" with the Conti ransomware gang but giving no indication that the ransom would be paid. 

"I appeal to every Costa Rican to go to your government and organize rallies to demand that they pay us as soon as possible if your existing government is unable to fix the situation?" A different statement on Conti's dark web page stated, "Perhaps it's worth replacing." Over the weekend, the ransomware issued a warning that it will remove the decryption keys in a week, making it impossible for Costa Rica to restore access to the ransomware-encrypted files. 

The lethal April 19 attack prompted the new administration to proclaim a state of emergency, and the gang has exposed troves of data acquired from infected systems before encryption. Conti linked the attack to an affiliate actor nicknamed "UNC1756," a play on the name given to uncategorized threat groups by threat intelligence firm Mandiant. 

If it was any other ransomware gang, according to Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity firm, the threat would be unnoticeable. "However, because it's Conti, and Conti has publicly connected themselves with Putin's Russia's military activities, this threat should demand a second look," he said. 

He believes that if the US supports 'enemy' troops in Russia's neighborhood, there is a strong urge for retaliation. "Fortunately for Costa Rica, Conti isn't the most sophisticated gang of ransomware operators," he said. "Costa Rica is also lucky in that Russia's invasion of Ukraine went so badly that there are likely inadequate military forces on the other side of the planet to launch a combined cyberattack and conventional strike." While the prospect of overthrow is intriguing from an academic standpoint, Turner believes the chances of Conti orchestrating a coup are extremely remote. 

Affiliates are hacker organizations that rent access to pre-developed ransomware tools to coordinate assaults on corporate networks as part of the so-called ransomware-as-a-service (RaaS) gig economy, and then share the profits with the operators. Conti has continued to target companies all over the world after suffering a large data breach of its own earlier this year amid its public support for Russia in its current war against Ukraine. 

Conti is the "most prolific ransomware-associated cybercriminal activity organization operational today," according to Microsoft's security team, which records the cybercriminal gang under the cluster DEV-0193. "DEV-0193 has hired developers from other malware operations that have shut down for varied reasons, including legal actions. The addition of developers from Emotet, Qakbot, and IcedID to the DEV-0193 umbrella is very noteworthy." 

Conti is one of the most wanted cybercriminal gangs in the world, with the US State Department offering up to $10 million in incentives for any information leading to the identity of its senior members.

Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

T-Mobile Users Impacted by August Data Breach are at Risk of Identity Theft

 

A new warning was issued on Wednesday for T-Mobile data breach victims of potential identity theft risks. New York State Attorney General Letitia James warned victims affected by an August 2021 breach that their private details might be circulating for sale on the dark web. 
 
Last year in August 2021, T-Mobile reported a data breach that ended up compromising the private details of millions of T-Mobile users, including former clients and prospective buyers.  
 
Of the 53 million persons impacted by the data breach, more than 4 million were New Yorker residents who had their names, dates of birth, Social Security numbers, and driver’s license details were exposed, according to the press release issued by the Attorney General's office.   
 
Additionally, the attackers stole technical data — including international mobile equipment identities (IMEIs) and international mobile subscriber identities. IMEIs, which are often used for advertising purposes, are a unique fingerprint for a device that cannot be reset.  
 
“Recently, a large subset of the information compromised in the breach was discovered for sale on the dark web — a hidden portion of the Internet where cybercriminals buy, sell, and track personal information,” the warning reads.  
 
“Many individuals received alerts through various identity theft protection services informing them that their information was found online in connection with the breach, confirming that impacted individuals are at heightened risk for identity theft.” Officials from California, Florida, and several other states issued similar warnings. 
 
The state attorneys general noted that identity protection services already have alerted concerned individuals that their private details had been found online. Cybercrime forums have been under increased pressure by state, federal, and international law enforcement agencies, but the buying and selling of people’s personal data is still an increasingly active criminal act.  
 
Citizens who believe they were affected by the data breach are suggested to take the appropriate steps to protect their information from identity theft. This includes checking credit reports; considering contacting the Equifax, Experian, and TransUnion credit bureaus to place a free credit freeze on personal credit reports; and requesting credit reporting services to provide fraud warnings.

Europol Dismantles Criminal Network Distributing Forged EU Travel Documents on Dark Web

 

The Spanish National Police and the French Border Police, in a joint operation coordinated by Europol, have busted an organized cybercrime gang involved in the procurement and distribution of forged travel and ID documents for migrant smugglers. 

During the raids, in which three house searches were carried out and a total of 17 people were arrested, police seized computers, smartphones, storage devices, counterfeit and genuine ID documents and photocopies of ID documents, labor certificates, administrative documents, payment cards, and cash. 

According to a press release published by European Union’s law enforcement agency, the organized cybercrime gang network distributed forged ID and travel documents in France, Germany, Italy, and Spain. 

“The documents were used by other criminals involved in the smuggling of migrants to the US, the UK and Ireland and other criminal activities (such as property crimes, trafficking in human beings, drug trafficking),” the statement of Europol reads. The criminal network was directly involved in migrant smuggling activities and logistical arrangements in return for payments starting at €8000 ($9000) per person.” 

The members of the criminal gang, mainly originating from Eastern European countries, apparently also operated in Georgia and Lithuania. According to Europol, cybercriminals mainly used dark web channels to distribute forged documents, including residence permits, vehicle registration documents, driver’s licenses, and travel documents focusing on French, Romanian, Georgian, Lithuanian, and Polish IDs. 

Additionally, the suspects used instant messaging apps and postal services to send the documents to their intended recipients. Messaging apps, presumably encrypted ones, were used by the group to collaborate and exchange images of documents, vehicles, and money transfer slips. Europol analysts said they linked some of this information to other ongoing investigations. 

Last year witnessed a gradual shift in the methodology employed by migrant smugglers in the trafficking of human beings. Digital technology is playing a major role in the operations of migrant smugglers and they have expanded their use of social media platforms and mobile applications in order to offer their illegal services.  

Human traffickers have exploited the anonymity of the internet environment to target vulnerable individuals and then exploit them via both escort websites and even dating platforms. To counter this new threat, Europol signed a working agreement with the UK’s National Crime Agency (NCA) designed to formalize cooperation on this and other serious and organized crimes.

Russian Man and his Wife Arrested in U.S. for Stealing Record $4.5 billion in Bitcoins

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on bail of $8 million for two. However, the spouses were unable to leave federal prison as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Liechtenstein's computer. And a plastic container with disposable phones was found under the bed in the apartment of the defendants. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street", was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

Morley Businesses Provider Uncovered a Ransomware Attack

 

Morley, a business services company revealed this week , it had been the target of a ransomware assault which could have exposed the personal information of over 500,000 people. The incident was found in August 2021 when it observed certain files had become unavailable owing to a ransomware attack.

Morley Companies, Inc., based in Saginaw, Michigan, provides business operations to Fortune 500 and Global 100 companies, such as session management, back-office procedures, contact centers, and trade show showcases and displays. 

According to an investigation, for all individuals affected, Morley will cover the expenses of 2 years of IDX identity protection. Those who are affected will be alerted and given instructions on how to join IDX's program. The intruders may have had access to user and staff data, including confidential and sensitive health information. To be precise, the hack exposed the personal information of 521,046 people in total. The company did not explain why it took about 6 months after discovering the breach to begin alerting victims in its letters to victims. 

Morley's security incident notification noted, "As a result, Morley realized the data may have been stolen from its digital environment." "Morley then started collecting personal information needed to notify possibly affected persons, which he finished in early 2022." 

In order to determine why the files weren't accessible anymore, Morley said it had to engage a cybersecurity specialist. When the root of the incident was uncovered, which was revealed to have been a ransomware epidemic, the company engaged the assistance of local experts to analyze the information and identify all those who had been impacted. 

Although this looks to be optimistic, the cyber-intelligence platform claims to have only recently uncovered Morley's data on the dark web. This is often a caution, the data will be used in future attacks by other threat actors, such as specific phishing.

Exposed Corporate Credentials Endanger the Pharmaceutical Industry

 

Constella Intelligence published a report that includes fresh and additional information relevant to pharma sector exposures, breaches, and leakages, with a specific focus on employees and executives from the top twenty pharma firms on the Fortune Global 500 list. 

The report examined eighteen prominent pharmaceutical corporations and their nine hundred plus subsidiaries around the world to assess the presence of exposures of services, sensitive platforms, unpatched CVEs, and other security vulnerabilities. Among the major insights were some alarming numbers, such as 92% of pharmaceutical organisations having at least one exposed database with possible data leakage and 46% having an exposed SMB service. SMB flaws have already been used in prominent assaults such as WannaCry, NotPetya, Nachi, and Blaster worms. 

In 70% of the pharmaceutical M&A deals examined in 2020, the newly acquired subsidiary had a detrimental impact on the parent company's security posture, introducing tens, if not hundreds, of sensitive unprotected and unpatched services. 

The threat intelligence team identified 9,030 breaches/leakages and 4,549,871 exposed records—including attributes such as email addresses, passwords, phone numbers, addresses, and even credit card and banking information—related to employee corporate credentials from the companies examined by analysing identity records from data breaches and leakages discovered in open sources and on the surface, deep, and dark web. 

The proliferation and distribution of this sensitive employee data provides threat actors with the resources they need to carry out a wide range of cyberattacks, including impersonation, phishing, account takeover, and a variety of others that can lead to more sophisticated attacks like ransomware or coordinated disinformation campaigns. 

“The pharma sector’s role within the healthcare ecosystem, especially with today’s public health needs, only emphasizes how critically important it is that these companies protect themselves from cyber threat actors,” said Constella Intelligence CEO, Kailash Ambwani. “As we have seen before, only one exposed employee credential can lead to a company having their systems or supply chain shut down by a data breach leading to a ransomware attack, resulting in a shortage of life-saving supplies.”

Because of their intellectual property and confidential information, as well as their critical role in creating life-saving treatments, pharmaceutical firms are high-value targets for threat actors. The pandemic-driven shift toward remote workforces, combined with accelerating operational digitization, has increased the overall digital footprint of enterprises in this industry, resulting in more digital vulnerabilities and risk.

DeepDotWeb Operator Sentenced to Eight Years for Role in $8.4 million Kickback Scheme

 

An Israeli national was sentenced to 97 months in prison in connection with operating the DeepDotWeb (DDW), a website that connected internet users with darknet marketplaces.

From 2013, Prihar (37) and co-defendant Michael Phan (34), started operating DeepDotWeb and provided a platform for Dark Web news and links to marketplaces, redirecting visitors to their .onion addresses -- websites that are not available via standard search engines in the clear web.

The conviction of Tal Prihar, 37, was announced last week by the U.S. Department of Justice and U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania for money laundering and was ordered to forfeit $8,414,173, ASUS laptop, iPhone, and accounts at various cryptocurrency exchanges such as Kraken, Binance and OKCoin. 

Prihar had pleaded guilty to conspiracy to commit money laundering in March 2021, almost two years after his arrest and the site's seizure, while Phan remains in Israel and is currently undergoing extradition proceedings.

For linking users with the illegal darknet marketplaces, Prihar received a total of 8,155 bitcoins from his affiliate marketing deals with marketplace operators. To conceal the sources of these payments, Prihar converted them to fiat currency and laundered it through other Bitcoin and bank accounts he controlled in the name of shell companies. 

"To conceal the nature and source of these illegal kickback payments, Prihar transferred the payments from his DDW bitcoin wallet to other bitcoin accounts and to bank accounts he controlled in the names of shell companies." explains the DoJ announcement. 

The investigation into DDW involved the FBI's Pittsburgh Field Office, French authorities, Europol, the IRS, German law enforcement, the Israeli National Police, and the UK's National Crime Agency (NCA), among other organizations. 

Additionally, the DoJ also announced the sentencing of an associate of the Dark Overlord hacking group for his role in possessing and selling more than 1,700 stolen identities, including social security numbers, on the dark web marketplace AlphaBay. 

Slava Dmitriev, a 29-year-old Canadian citizen who was arrested in Greece in September 2020 and extradited to the U.S. in January 2021, was sentenced to a jail term of three years after he pleaded guilty in August 2021 to fraud charges.

CRTC Inquiry Targets Dark Web Marketplace Sellers and Administrator

 

Four Canadians have been fined a total of $300,000 by the CRTC's Chief Compliance and Enforcement Officer for their engagement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). Following the execution of warrants by CRTC employees, the marketplace was taken offline. 

CanadianHQ was one of the largest Dark Web marketplaces in the world before it was closed down, and it played a pivotal role in damaging cyber operations in Canada. It specializes in the selling of spamming services, phishing kits, stolen passwords, and accessibility to infected systems, which were utilized by buyers to carry out a variety of malicious activities. 

The CRTC's inquiry centered on four people who reportedly sent emails that looked like they came from well-known companies in order to gain personal information like credit card numbers and banking information. 

The following people have been fined for violating Canada's anti-spam legislation (CASL) by sending commercial electronic messages without consent: 

• $150,000 Chris Tyrone Dracos (a.k.a. Poseidon) 
• $50,000 Marc Anthony Younes (a.k.a. CASHOUT00 and Masteratm) 
• $50,000 - Souial Amarak (a.k.a. Wealtyman and Supreme) 
• $50,000 Moustapha Sabir (a.k.a. La3sa) 

Mr. Dracos faces a harsher sentence as the marketplace's inventor and administrator for allegedly assisting in the execution of multiple CASL violations by the platform's suppliers and customers. Several other suppliers have been uncovered as part of this investigation, and enforcement measures will be taken against them in the near future, as per the sources. The Spam Reporting Centre encourages Canadians to report spam, phishing, and other suspicious practices. 

Steven Harroun, Chief Compliance and Enforcement Officer, CRTC stated, “Some Canadians are being drawn into malicious cyber activity, lured by the potential for easy money and social recognition among their peers. This case shows that anonymity is not absolute online and there are real-world consequences when engaging in these activities. 

“Canadian Headquarters was one of the most complex cases our team has tackled since CASL came into force. I would like to thank the cyber-security firm Flare Systems, the Sûreté du Québec and the RCMP’s National Division for their invaluable assistance. Our team is committed to investigating CASL non-compliance on all fronts.”

Ransomware Groups are Enlisting Breached Individuals to Persuade Firms to Pay Up

 

According to recent reports, attackers are utilising stolen data to contact individuals who have been compromised in the attack (through social media, email, or phone). These direct contact strategies are being used by ransomware gangs as additional leverage to get victims to pay up. They call employees or customers whose data was compromised in the attack and urge them to persuade the victim to pay up, threatening them with the release of their personal information if they do not. 

NBC News featured a story on a parent whose child attended a school run by a district that was the target of a ransomware attack. The attackers emailed the parent, asking him to put pressure on the district to pay up, or else all of the exfiltrated materials, including information on him and his son, will be posted on the dark web. 

According to the person interviewed by NBC, the district did not notify parents or many staff members that they had been the victims of an attack, at least not before the assailants established contact with them. The attackers exploit whatever contact information they can obtain, such as employee directories or customer databases, to identify individuals to pressure. 

Allen ISD was the victim of a cyberattack in September 2021 and was afterward the target of attempted extortion by the perpetrators. Allen ISD, located roughly 30 miles north of Dallas, Texas, educates nearly 22,000 K-12 students. Following consultation with external cybersecurity experts, school administrators decided to refuse to pay the hackers' demands, even telling local media that there was no indication that data had been exfiltrated. Despite the fact that the ransomware gang claimed to have collected personal information from district children, families, and staff and sought to extort millions of dollars from Allen ISD. 

Another strategy used by ransomware attackers is to contact employees at a firm during the reconnaissance stages of an assault to see if they can bypass the infiltration stages by exploiting an insider threat. Insider threats are one of a few non-digital threats that have plagued businesses of all sizes to date. 

Insider threats represent a quarter of the eight main cybersecurity risks that significantly affect the corporate and public sectors, according to the Osterman Research white paper White Hat, Black Hat, and the Emergence of the Gray Hat: The True Costs of Cybercrime. 

According to a new survey conducted by identity protection firm Hitachi ID Systems, 65% of surveyed IT and security executives or their staff had been contacted to aid in ransomware cyberattacks. This marks a 17% increase over a similar survey conducted a year ago. The attackers used email and social media to contact employees in the majority of cases, while phone calls accounted for 27% of their approach efforts, a direct and brazen method of communication.

The Clop Ransomware Gang Leaked Sensitive Data from the UK Police

 

Clop ransomware operators seized confidential information held by the British police, according to the media, and the cybercriminal group targeted the IT firm Dacoll. According to the media, cybercriminals used a phishing attack to compromise the company's systems, which had access to the police national computer. The Mail reported the security breach on December 19, 2021, while the gang released the stolen material on its leak site on the dark web. 

Clop Ransomware, a member of the well-known Cryptomix ransomware family, is a nasty file-encrypting virus that deliberately avoids unprotected systems and encrypts saved files by planting the .Clop extension. It uses the AES cypher to encrypt images, videos, music, databases, papers, and attaches the .CLOP or.CIOP file extension which stops victims from accessing personal information. For instance, "sample.jpg" is renamed "sample.jpg.Clop." 

Clop virus gets its name from the Russian word "klop," which means "bed bug" — an insect of the genus Cimex that feeds on human blood at night. Clop ransomware is regarded as extremely severe malware due to the virus's ability to infect the majority of operating system versions, including Windows XP, Windows 7, Windows 8, Windows 8.1, and Windows 10. 

The security breach occurred in October, when Clop ransomware operators obtained access to Dacoll data, including that of the PNC, which contained personal information and records for 13 million people. Dacoll, while confirming the data breach said, “We can confirm we were the victims of a cyber incident on October 5.”  

“We were able to quickly return to our normal operational levels. The incident was limited to an internal network not linked to any of our clients’ networks or services.” 

“The cyber-criminal gang Clop has released some of the material it plundered from an IT firm that handles access to the police national computer (PNC) on the so-called ‘dark web’ – with the threat of more to follow.” reported the Daily Mail. “Clop is believed to have demanded a ransom from the company, Dacoll, after launching a ‘phishing’ attack in October." 

Dacoll declined to pay and did not reveal the sum of the ransomware gang's demand. Photographs of motorists exfiltrated from the National Automatic Number Plate Recognition (ANPR) system, footage, and close-up images of the faces of drivers who have committed traffic offenses are among the stolen information.

Three Men Arrested for Manipulating Competitive Exams

 

The Delhi Police Cyber Cell has arrested three men for allegedly helping over 200 students to clear competitive exams via fraudulent methods. Police identified the accused from Ahmedabad, Gujarat, and the technical expert, who used to work as a solver from Delhi. 

According to police, they received information reliable source that several services were available on the dark web in which some attackers claim to gain control of the examinee's device to get the desired score, and in return, the attackers were paid handsomely by the aspirants. 

“We received intel that several services are available on the dark web, in which hackers claim they can get the desired score by hacking into the device used by the examinee,” Deputy Commissioner of Police (DCP) K.P.S. Malhotra stated. 

To bust the syndicate, a fake candidate was arranged who generated the requirement for an examination. The hacker was contacted using VoIP communication and the desired sum of money was transferred to the account provided by the alleged person. The alleged person asked the candidate to download a Software Iperius Remote through which he secured control of the participant's laptop and attempted the exam on October 25 and the fake candidate was declared passed in the exam with a score of 736.

During the investigation, the phone number, bank account, and internet usage of the alleged person were tracked to Ahmedabad and he was identified as D. Shah, who was arrested from Ahmedabad, Gujarat on November 24. His mobile phone and laptop were seized. It was found that through the Training Center at Ahmedabad and Gujarat, they approached those applicants who want to get these certifications without having the required knowledge and skills for the domain. 

The modus operandi 

After detailed interrogation and analysis of the devices of the accused Shah, it was discovered that his father Rajesh was also involved and was giving potential clients a “100 per cent guarantee” of passing online certification exams. “Through their training center they approached applicants who didn’t have the required knowledge and skills and promised them the desired score. They also contacted candidates through WhatsApp and Telegram,” the DCP said. 

The online certification exams of the aspirants were cleared through this exam solver, A. Alam, who “hacked sites for various exams — WS (Amazon Web Services), Azure, CompTIA A+, PMP, CISM, CEH (Cyber Ethical Hacking), etc by getting remote access through apps”.

“These competitive examinations are recognized worldwide. The exams which were earlier organized offline, are now being conducted online through various software. For instance, Cisco offers certifications for beginners, associates, experts in technology. All of these exams require knowledge and a particular skill set, such as programming, to score,” the police source said.

Researchers Have Issued a Warning About Phishing Scams That Imitate Netflix

 

The tremendous shift of movie and television audiences to streaming services over the last year has offered scammers a golden opportunity to conduct phishing attacks in order to trick future customers into handing over their payment information. Cybercriminals will always follow payment data, according to Kaspersky's Leonid Grustniy, who warned of phishing attempts disguised as Netflix, Amazon Prime, and other streaming service offers. 

Depending on their current streaming subscription status, Kaspersky's researchers detected several lures aimed at targets. Fake sign-up pages for services like Netflix were used to obtain victims' email addresses and credit card information. “Armed with your info, they can withdraw or spend your money right away; your email address should come in handy for future attacks,” Grustniy wrote. 

Fans who did not have subscriptions were lured in by cybercriminals who offered them the chance to view popular series on a bogus website. They usually display a short clip as a teaser, which they try to pass off as a fresh, previously unaired episode. It's usually taken from trailers that have been in the public domain for a long time. Victims who are interested are then prompted to purchase a low-cost subscription in order to continue viewing. What happens next is a standard scenario: any payment information entered by users is sent directly to the fraudsters, and the never-before-seen episode continues. 

Account credentials for streaming services are also popular among cybercriminals, who are interested in more than just bank account information. Because hijacked accounts with paid subscriptions are sold on the dark web. 

Scammers are increasingly using the extensive cultural influence of video streaming platforms as a weapon. For example, the worldwide enthusiasm in Netflix's Squid Game has recently been used to scam crypto investors out of more than $3.3 million. Check Point Research identified a fraudulent Netflix application in the Google Play store last spring, which spread via WhatsApp chats.

Users should avoid clicking on any emails that appear to be affiliated with streaming services and be aware of obvious signals that it's a scam, such as misspellings in messages when payment information is requested. “Do not trust any person or site promising viewings of movies or shows before the official premiere,” Grustniy added.

Russian Cybercriminals Claim to have Hacked the National Rifle Association

 

On the dark web, a well-known Russian cybercriminal gang has posted files that claim to be from the National Rifle Association. Grief, a hacking group, posted 13 files to its website on Wednesday, claiming to have hacked the NRA. It has threatened to reveal more files if it is not paid, however it has not stated how much it will cost. 

The news of the incident swiftly circulated online, with dozens of Twitter accounts with no followers attempting to magnify the attack's content by retweeting it. The accounts were formed in the previous six months and followed no one, but they shared content regarding the cyberattack, including postings from The Washington Times linked to a news report and a screenshot of Grief's website from Brett Callow, an Emsisoft threat analyst. 

When asked about the new accounts' activity, Twitter stated it reviewed "many accounts violating our platform manipulation and spam policies" and then took action. Twitter could not say who was behind the manipulative activity, or whether the accounts were linked to the group that claimed responsibility for the attack on the NRA. 

Grief, according to most cybersecurity experts, is a renamed effort by a group of Russian cybercriminals known as Evil Corp, which is currently under sanctions by the US Treasury Department. "It's the same group," said Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future. 

When contacted for comment, the NRA did not react. It did, however, issue a tweet in which it stated that it "does not share anything relevant to its physical or electronic security," and that it "takes extreme efforts to secure information regarding its members, donors, and operations." Grief, although being a criminal organization, isn't renowned for faking when it says an organization has been hacked, according to Brett Callow. "I’m not aware of any incidents in which Grief/Evil Corp has attempted to take credit for other operations’ attacks," Callow said. 

Some experts speculated that the NRA paid a ransom to its attackers after Grief temporarily withdrew the NRA from its website. Grief deleting the NRA from its website, according to Jon DiMaggio, chief security strategist at cyber threat analysis firm Analyst1, could be evidence that the NRA paid up. 

According to a screenshot uploaded by Mr. Callow, the NRA entry on Grief's leak website was available Monday, along with a file titled "corporate insurance" and other data. “Insurance docs are useful to ransomware operators as they effectively specify how much orgs can afford to pay — no matter what their balance sheets look like,” Mr. Callow tweeted.

RedLine Stealer Identified as Major Source of Stolen Credentials on Dark Web Markets

 

A significant proportion of stolen credentials being traded on two dark web underground marketplaces were gathered via the RedLine Stealer malware, according to Insikt Group, Recorded Future's cybersecurity research arm. 

The RedLine Stealer, first discovered in March 2020, is a part of the info stealer family, a form of malware that once infects a computer and its primary goal is to capture as much user data as possible and then deliver it to the attackers, who often sell it online. 

The RedLine Stealer has data gathering features such as the ability to extract login credentials from web browsers, FTP applications, email apps, instant messaging clients, and VPNs. RedLine can also harvest authentication cookies and card numbers from browsers, chat logs, local files, and cryptocurrency wallet databases. 

Since March 2020, the malware has been sold on many underground hacking sites by a coder called REDGlade. After good feedback in a hacking forum thread, unauthorized versions of the RedLine Stealer were distributed on hacker forums a few months later, in August of this year, facilitating it to proliferate to even more threat actors who did not have to pay for it. 

But, even before the cracked version was released, RedLine had gained a devoted following. According to a report published last week by Insikt Group, the majority of stolen credentials available for sale on two underground marketplaces originate from computers infected with the RedLine Stealer. 

Insikt researchers stated, “Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs.” 

The results of the Insikt team follow similar research by threat intelligence firm KELA from February 2020, which discovered that around 90% of stolen credentials sold on the Genesis Market originated from infections with the AZORult infostealer. 

According to the two reports, underground cybercrime marketplaces are fragmented and often operate with their own independent suppliers, just as legal markets have their own choices for particular business partners. 

By going after the producers and dealers of these infostealers, this fragmentation opens the path to impairing the supply of multiple underground markets. In February 2020, a Chrome upgrade (which modified how credentials were saved inside the browser) halted the flow of newly stolen credentials on Genesis Market for months until the AZORult stealer was modified to assist the new format.

LockBit 2.0 Ransomware Hit Israeli Defense Firm E.M.I.T. Aviation Consulting

 

LockBit 2.0 ransomware operators have reportedly hit the Israeli aerospace and defense firm E.M.I.T. in a new campaign of attacks. According to Aviation Consulting Ltd, hackers claim to have accessed the internal system and also have stolen credential data from the company. 

Post attack, the group is threatening to publish the stolen data which includes sensitive information, invoices, employees, and possibly payment data, onto their dark web leak site in case the company is not ready to pay the ransom. Although the group of attackers is yet to leak the stolen data as proof of the attack, the countdown will end on 07 October 2021. 

Currently, it has not been disclosed how the attackers' group acquired access to the system of the company and when the incident took place. Similar to other ransomware attacks, LockBit 2.0 has also executed a ransomware-as-a-service model and maintains a network of affiliates. 

According to the technical data, the ransomware operation group LockBit ransomware has been in action since September 2019, in June the group announced the LockBit 2.0 RaaS. After ransomware ads were banned on the hacking forums, the group of LockBit operators came with their own leak site and also promoting the latest model and advertising the LockBit 2.0 affiliate program. 

At present, the LockBit gang is highly active targeting numerous organizations including Riviana, Anasia Group, Wormington & Bollinger, Vlastuin Group, DATA SPEED SRL, SCIS Air Security, Peabody Properties, Island independent buying group, Buffington Law Firm Day Lewis, and many others worldwide. 

A few months, the Australian Cyber Security Centre (ACSC) had warned its Australian organizations against LockBit 2.0 ransomware attacks. E.M.I.T. Aviation Consulting Ltd was established in 1986, the company is involved in designing and assembling complete aircraft, tactical and sub tactical UAV systems, and mobile integrated reconnaissance systems.

Mozilla: Maximum Breached Accounts had Superhero and Disney Princes Names as Passwords

 

The passwords that we make for our accounts are very similar to a house key used to lock the house. The password protects the online home (account) of personal information, thus possessing an extremely strong password is just like employing a superhero in a battle of heroes and villains. 

However, according to a new blog post by Mozilla, superhero-themed passwords are progressively popping up in data breaches. Though it may sound absurd - following the research done by Mozilla using the data from haveibeenpwned.com, it was evident that most frequent passwords discovered in data breaches were created on either the names of superheroes or Disney princesses. Such obvious passwords make it easier for hackers to attack and hijack any account or system. 

While analyzing the data it was seen that 368,397 breaches included Superman, 226,327 breaches included Batman, and 160,030 breaches had Spider-Man as their passwords. Further, thousands of breaches featured Wolverine and Ironman as well. And not only this research from 2019 showed that 192,023 breached included Jasmine and 49,763 breached included Aurora as their password.

There were 484,4765 breached that had password as ‘princess’ and some Disney + accounts had password as ‘Disney’. This is one of the biggest reasons that support data breaches by hackers and boost their confidence.

With the increasing frequency of compromised account credentials on the dark web, a growing number of businesses are turning to password-less solutions. Microsoft has expanded its password-less sign-in option from Azure Active Directory (AAD) commercial clients to use Microsoft accounts on Windows 10 and Windows 11 PCs. 

Almost all of Microsoft's employees are passwordless, according to Vasu Jakkal, corporate vice president of the Microsoft Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwords fewer customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," he further added. 

Though it's common to reuse passwords, it is highly dangerous, yet it's all too frequently because it's simple and people aren't aware of the consequences. Credential stuffing exploits take advantage of repeated passwords by automating login attempts targeting systems utilizing well-known email addresses and password pairings. One must keep changing their passwords from time to time and try to create a strong yet not so obvious password.

This Aspiring Hacker was Caught in a Quite Embarrassing Manner

 

The US Department of Justice (DoJ) has arrested a Ukrainian citizen for using a botnet to hack people's passwords. He was caught by his alleged messages to vape shops in Ukraine, including an invoice with his home location. 

Glib Oleksandr Ivanov-Tolpintsev is accused by the Department of Justice of deploying a botnet to break passwords of targeted individuals, which he subsequently sold on the dark web. According to his indictment, Ivanov-Tolpintsev made over $80,000 from the operation. 

The press release from the DoJ reads, “During the course of the conspiracy, Ivanov-Tolpintsev stated that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week...Once sold [on the dark web], credentials were used to facilitate a wide range of illegal activity, including tax fraud and ransomware attacks.” 

On October 3, 2020, Polish police arrested Ivanov-Tolpintsev in Korczowa, Poland, and he was extradited to the United States to stand prosecution for these offenses. 

Amateur Blunders 

According to an IRS affidavit, investigators tracked down Ivanov-Tolpintsev by looking at the contents of the Gmail accounts he used to conduct his dark web activities. 

Many digital receipts from online vape shops were sent to one of these accounts, revealing Ivanov Tolpintsev's name and contact information. 

Furthermore, Ivanov-normal Tolpintsev's email account was set as the recovery address for these accounts. Exploring the contents of his regular account showed a plethora of personally identifying information, including passport scans and Google Photos photos.

The government was able to assemble enough evidence to convince a court to order Ivanov Tolpintsev's arrest and extradition because of his carelessness in separating his criminal digital identity from his physical one. 

Although the investigators haven't revealed much about Ivanov Tolpintsev's botnet case but the case highlights the dangers of depending solely on a password to protect an account. 

Since breaking and auctioning passwords on the dark web may lead to significant attacks like the one on the United Nations, security experts have been urging to implement multi-factor authentication (MFA) systems.

1GB of Puma Data is Now Accessible on Marketo

 

Hackers have stolen data from Puma, a German sportswear firm, and are now attempting to extort money from the corporation by threatening to expose the stolen files on a dark web page specialized in the leaking and selling of stolen data. The Puma data was posted on the site more than two weeks ago, near the end of August. 

The publication claims that the threat actors took more than 1 GB of private information, which would be sold to the highest bidder on an unlawful marketplace, according to Security Affairs analysts. This operation appears to be devoted only to the theft and sale of private information, ruling out the possibility that it is a ransomware offshoot. 

To back up their claims, the threat actors released some sample files that, based on their structure, suggest the attackers got Puma's data from a Git source code repository. The information is now available on Marketo, a dark web platform. The platform, which was launched in April of this year, is quite simple to use. 

Users can register on the marketplace, and there is a section for victim and press inquiries. Victims are given a link to a private chat room where they can negotiate. Marketo includes an overview of the company, screenshots of allegedly stolen data, and a link to a "evidence pack," also known as a proof, in each of the individual postings. They utilise a blind bidding mechanism to auction sensitive data in the form of a silent auction. Users place bids depending on how much they believe the data is worth. 

Site administrators first compile a list of potential victims, then provide proof (typically in the form of a small downloadable archive) that their network has been infiltrated. If the victimised firm refuses to cooperate with the hackers, their data is exposed on the web, either for free or for VIP members only. The website claims to compile data from a variety of hacking groups but does not cooperate with ransomware gangs.

“Right now, I can say that Puma haven’t contacted us yet,” the administrator of the dark web leak portal told The Record in a conversation last week. “The rest of the data would be released if Puma will decline the negotiations,” they added.