Specialists at the Israeli company Kela analyzed more than 1,000 ads for the sale of initial access to the internal networks of hacked organizations, published on the darknet between July 2020 and June 2021. The average lot price is about $5,400.
Kela noted that pricing depends on the revenue of the hacked company, the same figure that determines the ransom the attackers can later demand. Access to small firms therefore costs $100-200, while the most expensive lots go for thousands of times more.
The highest price tag the experts encountered was 12 bitcoins (about $540,000 at the exchange rate on August 18). That is how much the brokers asked for access to an unnamed Australian company with annual revenue of $500 million. The second most expensive access cost 5 bitcoins (about $225,000): for this amount, an account for the ConnectWise Control remote-access system on the network of an American IT company was sold. The third of the three most expensive lots, at $100,000, promised access to the network of a Mexican government agency.
Kela's specialists also compiled a ranking of the countries whose companies' access is most often sold on the darknet. The United States leads by a large margin: 27.9% of ads concern American organizations. France is second with 6.1%, followed by the United Kingdom and Australia with 4% each. Canada rounds out the top five at 3.8%, followed by Italy (3.5%), Brazil (3.2%), Spain and Germany (2.3% each) and the United Arab Emirates (2%).
The researchers noted that Russia and the CIS countries did not make the top 10, since selling access to local companies is not customary on Russian-language hacker forums.
The administrator behind Joker's Stash claims to have formally shut down the operation on 15 February. Meanwhile, criminal gangs offering stolen payment cards for sale have stepped up their promotional efforts. Among the darknet marketplaces vying for former Joker's Stash customers are Brian's Club, Vclub, Yale Lodge and UniCC, Kela says. Joker's Stash customers were likely already searching for a new marketplace, says the threat research firm Digital Shadows, because of the site's declining customer service and the disruption of its service by law enforcement in December 2020.
The cybercriminal group known as Pysa/Mespinoza has leaked sensitive information stolen from Hackney Council on its darknet site. The group claims the documents were taken from Hackney Council in a ransomware attack last year. The East London council stated that it is working with the Ministry of Housing and the UK's National Cyber Security Centre (NCSC) to investigate and understand the impact of the incident.
A Russian-language darknet site is selling a program that distributes spam messages while bypassing network traffic and email protection tools. The program uses a function of the IMAP protocol.
A new tool for spammers is actively being sold on the darknet that allows the standard protections of email accounts to be bypassed. By exploiting a feature of the Internet Message Access Protocol (IMAP), attackers upload the messages they need directly into victims' mailboxes.
To carry out the attack, the attackers must already have access to the victim's account. The Email Appender malware has been actively promoted on Russian-language hacker forums since the fall of 2020.
The author offers the program by subscription: $50 for one day, $300 for a week or $1,000 per month. This is very expensive, but judging by the latest campaigns, demand for the service is very high.
Experts at the information security company Vade Security indicate that companies in Italy, France, Denmark and the United States have already been subjected to full-scale attacks by spammers using Email Appender. One of the affected organizations claims that it received 300,000 spam messages in a single day and was forced to spend very substantial resources disabling compromised accounts or changing usernames and passwords.
Databases of usernames and passwords for mail accounts are actively sold on hacker forums. According to Gemini Advisory, an attacker can load such a database into Email Appender, after which the program tries to connect over IMAP to every account whose username and password pair is valid. It then only remains to use the IMAP function that allows ready-made mail messages to be uploaded into the mailbox.
"There are a number of ways to block such spam campaigns, but the main one is to regularly change passwords and not use the same combination (or a similar one) more than once," said Alexey Vodiasov, technical director at SEC Consult Services.
In addition, according to Vodiasov, two-factor authorization is effective, so that even a compromised account cannot be connected to without attracting the attention of its rightful owner.
The expert added that it is also possible to enable notifications of logins to an account from unusual IP addresses. Mail systems are quite capable of doing this.
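As an added illustration, not taken from the article or from any of the firms it cites, the following Python sketch shows two detections a mail administrator could run over IMAP server logs to catch the pattern described above: a single source IP trying many different accounts in quick succession (the credential-stuffing step), and successful logins or APPEND commands (APPEND is the standard IMAP command that uploads a complete message into a mailbox, RFC 3501) coming from an IP address the account has never used before, which is the "unusual IP" signal the expert mentions. The log line format, the IP addresses, the accounts and the thresholds are all constructed for this example and do not correspond to any real server's log format.

```python
"""Detect IMAP credential stuffing and message injection from unusual IPs.

Added example. The log format below is constructed for illustration; real
servers (Dovecot, Exchange, etc.) log differently and the regex would need
adapting. Thresholds are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed line format:
#   <ISO-8601 timestamp> <event> user=<addr> ip=<addr> [result=ok|fail] [cmd=<IMAP command>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>imap-login|imap-cmd) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: result=(?P<result>ok|fail))?(?: cmd=(?P<cmd>\S+))?$"
)


@dataclass
class Event:
    ts: datetime
    event: str
    user: str
    ip: str
    result: Optional[str]
    cmd: Optional[str]


def parse(lines: List[str]) -> List[Event]:
    """Parse log lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(datetime.fromisoformat(d["ts"]), d["event"],
                            d["user"], d["ip"], d["result"], d["cmd"]))
    return events


def credential_stuffing_ips(events: List[Event], min_users: int = 3,
                            window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {ip: distinct accounts} for IPs that tried IMAP logins (success or
    failure) against at least `min_users` different accounts inside `window`."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event == "imap-login":
            by_ip[e.ip].append(e)
    flagged: Dict[str, int] = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(attempts):  # sliding window from each attempt
            users = {a.user for a in attempts[i:] if a.ts - start.ts <= window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def unusual_ip_activity(events: List[Event],
                        known_ips: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Alert on successful logins and APPEND commands from an IP not in the
    account's baseline. A message injected via APPEND never passes the MTA or
    its spam filter, so an APPEND from a new IP deserves the higher priority."""
    alerts = []
    for e in events:
        if e.ip in known_ips.get(e.user, set()):
            continue
        if e.event == "imap-login" and e.result == "ok":
            alerts.append((e.user, e.ip, "login from unusual IP"))
        elif e.event == "imap-cmd" and e.cmd == "APPEND":
            alerts.append((e.user, e.ip, "message injected via APPEND from unusual IP"))
    return alerts


# Constructed sample log and per-account baseline of known client IPs.
SAMPLE_LOG = """\
2021-02-15T10:00:01+00:00 imap-login user=alice@example.org ip=198.51.100.20 result=ok
2021-02-15T10:01:05+00:00 imap-login user=alice@example.org ip=203.0.113.5 result=fail
2021-02-15T10:01:06+00:00 imap-login user=bob@example.org ip=203.0.113.5 result=ok
2021-02-15T10:01:07+00:00 imap-login user=carol@example.org ip=203.0.113.5 result=fail
2021-02-15T10:01:08+00:00 imap-login user=dave@example.org ip=203.0.113.5 result=ok
2021-02-15T10:02:00+00:00 imap-cmd user=bob@example.org ip=203.0.113.5 cmd=APPEND
2021-02-15T10:02:01+00:00 imap-cmd user=dave@example.org ip=203.0.113.5 cmd=APPEND
2021-02-15T10:03:00+00:00 imap-cmd user=alice@example.org ip=198.51.100.20 cmd=FETCH
"""
KNOWN_IPS = {
    "alice@example.org": {"198.51.100.20"},
    "bob@example.org": {"192.0.2.10"},
    "dave@example.org": {"192.0.2.11"},
}

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print("credential stuffing sources:", credential_stuffing_ips(evs))
    for user, ip, why in unusual_ip_activity(evs, KNOWN_IPS):
        print(f"ALERT {user} from {ip}: {why}")
```

On the sample data the first check flags 203.0.113.5 (four accounts tried within two seconds) and the second produces four alerts for bob and dave, two for the logins and two for the injected messages, while alice's traffic from her usual address is left alone. In practice the baseline would be built from a trailing window of successful logins rather than a static dictionary, and the APPEND alert is the one to route to the account owner, since it is exactly the step at which Email Appender delivers its spam.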