Search This Blog

Showing posts with label Darkweb. Show all posts

Owner of CafePress Penalized $500,000 for Hiding a Data Breach

 

CafePress's past owner Residual Pumpkin firm has been fined $500,000 by U.S. Federal Trade Commission (FTC) in their final order over a 2019 data breach that impacted 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Social Security numbers and password recovery responses were kept in plain text and for a longer period by the Residual Pumpkin firm. Additionally, the organization did not implement existing safeguards and react to security vulnerabilities. After several attacks on its servers, it attempted to hide the significant data breach carried on by its inadequate security protocols. 

A unanimous 5-0 vote accepted the FTC's order. The FTC has mandated that the corporations immediately implement multi-factor authentication of stored data and set an encryption key for all social security numbers, in addition to imposing fines on the businesses. 

As a result, the company's current owner PlanetArt, who acquired CafePress in 2020, has set up an alert system to notify all customers and vendors whose private information has been compromised.

Unknown attackers acquired access to files stored as SHA-1 hashes during a February 2019 breach of CafePress' servers, exploited, and later sold 23,205,290 CafePress users' personal information on the dark web. However, after receiving notifications via Troy Hunt's Have I Been Pwned service, several users became aware of the situation. The fact the users seemed to reset their passwords on checking in without being informed of the data breach was the only indication that something was wrong. 

Since some of its merchants' accounts had been hacked since at least January 2018, as per FTC's claim, CafePress was aware that it had vulnerabilities even before the 2019 incident.

Instead of letting users acknowledge the instances, CafePress terminated their accounts and assessed a $25 account closure fee to each of them. Before the 2019 security breach, the company's network was again affected by several malware infestations, and CafePress once again neglected to look into the attacks.

T-Mobile Reveals its Security Systems were Hacked via Lapsus$ Hackers

 

T-Mobile acknowledged on Friday it had been the subject of a security compromise in March when the LAPSUS$ mercenary group gained access to its networks. The admission occurred after investigative journalist Brian Krebs published internal chats from LAPSUS$'s key members, revealing the group had infiltrated the company many times in March previous to the arrest of its seven members. 

After analyzing hacked Telegram chat conversations between Lapsus$ gang members, independent investigative journalist Brian Krebs first exposed the incident. T-Mobile said in a statement the breach happened "a few weeks ago" so the "bad actor" accessed internal networks using stolen credentials. "There was no customer or government information or any similarly sensitive information on the systems accessed, and the company has no evidence of the intruder being able to get anything of value," he added.

The initial VPN credentials were allegedly obtained from illegal websites such as Russian Market in order to get control of T-Mobile staff accounts, enabling the threat actor to conduct SIM switching assaults at anytime. 

The conversations suggest how LAPSUS$ had hacked T-Slack Mobile's and Bitbucket accounts, enabling the latter to obtain over 30,000 source code repositories, in addition to getting key to an internal customer account management application called Atlas. In the short time since it first appeared on the threat scene, LAPSUS$ has been known for hacking Impresa, NVIDIA, Samsung, Vodafone, Ubisoft, Microsoft, Okta, and Globant. 

T-Mobile has acknowledged six previous data breaches since 2018, including one in which hackers gained access to data linked to 3% of its members. T-Mobile acknowledged it had disclosed prepaid customers' data a year later, in 2019, and unknown threat actors had acquired access to T-Mobile workers' email accounts in March 2020. Hackers also acquired access to consumer private network information in December 2020, and attackers accessed an internal T-Mobile application without authorization in February 2021. 

According to a VICE investigation, T-Mobile, unsuccessfully, tried to prevent the stolen data from being posted online after paying the hackers $270,000 through a third-party firm in the aftermath of the August 2021 breach. After its stolen sensitive information turned up for sale on the dark web, the New York State Office of the Attorney General (NY OAG) alerted victims of T-August Mobile's data breach would face elevated identity theft risks. 

The City of London Police announced earlier this month as two of the seven adolescents arrested last month for alleged potential connections to the LAPSUS$ data extortion group, a 16-year-old, and a 17-year-old had been charged.

Russian hacker created the RedLine program, which steals passwords and bank card data in browsers

The RedLine malware attacks browsers based on the Chromium engine — Chrome, Edge, Yandex.Browser and Opera, as well as on the basis of the Gecko engine - Mozilla Firefox and Netscape. RedLine steals saved passwords, bank card data, information about cryptocurrency wallets, cookies, system information, and other information from browsers.

Further, experiments showed that the program collects any sensitive information stored in browsers, and in addition allows you to control the computers of victims via the SOAP remote access protocol and hypothetically create botnets from them. The problem affects not only companies but also ordinary users.

The RedLine program appeared on the Russian darknet in February 2020. The announcement of its sale was posted by a Russian-speaking user with the nickname REDGlade.

The AhnLab ASEC report calls RedLine a serious cyber threat. ASEC discovered the program in 2021 when they were investigating the hacking of the network of an unnamed company. It turned out that access was carried out through a VPN service from an employee's computer infected with RedLine.

Attackers sell malware on the darknet and telegram for an average of $150-200. RedLine is distributed using phishing mailings with attached files in the format .doc, .xls, .rar, .exe. It is also uploaded to domains that disguise themselves as an online casino or, for example, the website of the Krupskaya Confectionery Factory.

It is worth noting that in December 2021, RedLine became the most popular program used in cyber attacks. Since the beginning of the month, more than 22 thousand attacks have been carried out with the help of RedLine.

Experts urged not to store credentials in browsers, suggesting instead to use a password manager and enable two-factor authentication wherever possible.

Russian hackers have posted confidential British police data

The hacker group Clop, allegedly linked to Russia, put up for sale data stolen from the British police. This statement was made on Sunday by the Mail on Sunday newspaper.

According to the publication, information stolen by hackers can be bought on the darknet. The Mail on Sunday says that information from the Police national computer system (PNC), where information about 13 million British residents is stored, could have fallen into the hands of hackers.

"We are aware of the incident and we are working with our law enforcement partners to understand and limit the extent of its potential consequences," the Kingdom's National Cyber Security Center said.

The ransomware attack reportedly targeted the British IT company Dacoll, one of whose divisions provides remote access to PNC for 90% of UK police forces.

The company confirms that the incident happened on October 5, but claims that it was related only to the company's internal network and did not affect its clients or their systems. Meanwhile, the Mail on Sunday claims that information from Dacoll's customers was put up for sale after the company refused to pay a ransom to hackers, the amount of which was not disclosed.

British cybersecurity expert Philip Ingram said that the damage caused by such a data leak is immeasurable, as now there are serious questions about the security of solutions used by numerous public and private organizations.

It is worth noting that the Clop group has been actively using the malware family with the same name since the winter of 2019, demanding a ransom for the return of access to blocked data. Some companies specializing in protection against hackers have suggested that some of the members of the group live in Russia.

The number of Russian bank card sales on the darknet will decline, says Group-IB

Group-IB found out that carding is losing its appeal to cybercriminals. At the same time, sales of magnetic stripe content of bank cards and text data of bank cards decreased in Russia and the CIS, while the market for such data grew worldwide.

According to Hi-Tech Crime Trends Group-IB, the volume of the shadow carding market in Russia and the CIS has decreased by 77%. The number of bank card data posted for sale on the darknet and attributed to banks in Russia and the CIS decreased by 60%.

The market for text data of bank cards (number, expiration date, holder name, address, CVV) decreased by 44%.

A similar trend is typical for the global carding market: its volume decreased by 26%. Group-IB attributed this trend to a decrease in dump sales due to the closure of the largest cardshop Joker's Stash.

At the same time, in the global market, the amount of text data of bank cards in the shadow market increased by 36%.

Group-IB believes that the increase in the number of sold text data is associated with the increase in phishing during the pandemic. The company expects that the number of sales of bank cards will continue to gradually decline.

According to his experts, the activity of skimmers and online stores on the proliferation of these cards in Russia is declining. This is due to the development of banks, for example, introducing systems such as 3-D Secure. Moreover, such protection systems are not widespread in the world. This explains that the market for text data of bank cards has grown worldwide, while in Russia it has decreased.

Experts add that the share of Russian-language messages is growing on shadow forums: in order to minimize personal risks, hackers are trying to steal payment data from customers in other countries, which negatively affects global statistics.

Users May Risk Losing their Passwords on Dark Web For Sale


In April, Zoom became one of the many victims of the companies that lost their user data to the hackers. Zoom, which is one of the top online video conference platforms, lost more than half a million of account logins on the dark web. The leaked passwords could be bought either for free or for a minimal amount of money. Understandably, the users are blaming the Zoom company for losing its accounts, and they have every right to do so. It is, however, a part of much bigger trouble that includes hackers, some criminal niches on the Internet, and the fault of our own to set very weak user passwords.


How passwords end up on the dark web? 

Every year, more than hundreds of millions of user accounts end up getting exposed to the dark web, either through malware or phishing attacks. According to a report by Privacy Rights Clearinghouse, a non for profit organization in California, around 11.6 Billion user accounts have been hacked since the year 2005. The hacked accounts are then either uploaded on hacker websites or posted on the dark web for sale.

These websites and dark web can be accessed only through a specific browser called Tor. "Then there's Tor, the darkest corner of the Internet. It's a collection of secret websites (ending in .onion) that require special software to access them. People use Tor so that their Web activity can't be traced -- it runs on a relay system that bounces signals among different Tor-enabled computers around the world," says Jose Pagliery from CNN Business.] The hackers use these purchased passwords and try logging in with them to several other websites until they are successful, a technique known as credential stuffing.

The hackers used credential stuffing to steal more than 500,000 Zoom user accounts and uploaded them later on the dark web. In response to this, Zoom spokesperson has confirmed that they suspect the hackers used credential stuffing to breach the accounts. "You can help prevent some of these attacks by banning the use of bad passwords, blocking legacy authentication, and training employees on phishing," says Microsoft's security website on "how to prevent your company from web attacks."

Hackers sell data of 80 thousand cards of customers of the Bank of Kazakhstan


An announcement about the sale of an archive of stolen data from 80,000 Halyk Bank credit cards appeared on the Darknet's site Migalki.pw.

It should be noted that Halyk Bank of Kazakhstan is the first Bank in the country in terms of the number of clients and accumulated assets. This is not the first time for a Bank when data has been compromised.

The fact that the archive consists only of Halyk Bank cards suggests that the cards were stolen inside the structure.

Typically, identifiers of stolen cards are obtained using MitM attacks (Man in the middle). While the victim believes that he is working directly, for example, with the website of his Bank, the traffic passes through the smart host of the attacker, which thus receives all the data sent by the user (username, password, PIN, etc.).

It is possible that the archive is not real. This may be a bait for potential carders created by the Bank, the so-called honey pot. This trap for hackers creates an alleged vulnerability in the server which can attract the attention of attackers and inspire them to attack. And the honeypot will see how they work, write down the information and pass it to the cybersecurity department.

Although, such actions are risky for the image of a financial institution, as any Bank tries to avoid such negative publicity.

It is important to note that all data leaks from the Bank is the personal fault of the owners, managers of the Bank. In Russia and in Kazakhstan, in case of data leakage, the bank at best publishes a press release stating that "the situation is under control". However, banks in the US and Europe in the same situation receive a huge fine.

Data of Bank customers in Russia are becoming more expensive on the Darknet


In the first half of 2019, the price of banking customer data has rapidly increased on the Darknet. Thus, the cost of obtaining data on cards or statements of operations increased by 3-7 times. At the beginning of the year, the client's account statement could be purchased for 2 thousand rubles ($ 32), now its cost can reach 15 thousand rubles ($ 238).

According to the Positive Technologies analyst Vadim Solovyov, data on ATMs used by the client appeared on many sites, their price is from 8 thousand ($ 127) to 15 thousand rubles ($ 238). He noted, rather, this information can be used in traditional criminal schemes, for example, so that the fraudster's call to the client sounded more reliable.

"If the cost has increased, it means that the methods of countering leaks in banks have significantly complicated the business of attackers", the Central Bank believes.

The Head of the Information Security Department of the Open-Bank Vladimir Zhuravlev associated the price increase with a change in the type of attacks on customers. According to him, earlier fraudsters often used technical means, such as Trojans, phishing links or skimming. Now 90% of the theft occurs using social engineering methods, where the availability of personal customer data is very helpful to the fraudster.

The Central Bank does not disclose official statistics on the theft of funds of individuals in the first half of the year. However, law enforcement officers recorded an increase in successful thefts from bank accounts. For example, in the Kurgan region, the number of crimes has doubled, in the Smolensk region has grown five times.

According to Stanislav Pavlunin, the Vice-President of Post-Bank, the Bank uses different approaches and methods to combat internal fraud, for example, photo and video shooting of monitor screens, as well as official documents, presentations containing confidential information is prohibited.

It is interesting to note that Sixgill analysts have prepared a report, according to which Russia took the last place in the number of stolen bank cards. The researchers see two reasons for such low rates: the first is a large percentage of Russian cybercriminals, and the second is the economic situation in Russia.

Mylobot Turns your PC into a Zombie system



Tom Nipravsky, a security researcher at Deep Instinct, discovered another 'never seen before' malware that could transform a Windows PC into a botnet. Named as 'Mylobot', this malware has developed from the 'Dark Web'. It was finished up in the wake of following its server that was additionally utilized by other malware from the dark web.

The powerful botnet is said to consolidate various noxious systems, generally including:

·       Anti-VM techniques
·       Anti-sandbox techniques
·       Anti-debugging techniques
·       Wrapping internal parts with an encrypted resource file
·       Code injection
·       Process hollowing (a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden)
·       Reflective EXE (executing EXE files directly from memory, without having them on disk)
·       A 14-day delay before accessing its C&C servers.

"On a daily basis we come across dozens of highly sophisticated samples, but this one is a unique collection of highly advanced techniques," says Arik Solomon, vice president of R&D at Deep Instinct. "Each of the techniques is known and used by a few malicious samples, but the combination is unique."

As indicated by the researcher, Mylobot likewise bears contrary to the botnet property. The reason, as indicated by the researcher, for this conduct being is, possibly to prevail upon the "opposition" on the dark web.

 “Part of this malware process is terminating and deleting instances of other malware. It checks for known folders that malware “lives” in (“Application Data” folder), and if a certain file is running – it immediately terminates it and deletes its file. It even aims for specific folders of other botnets such as DorkBot.”

The researchers say it's vital to take note that Mylobot was found in the wild, at a Level 1 communication and telecommunication equipment manufacturer and not in a proof-of-idea show.

Also, in conclusion the one thing they are extremely sure about is the modernity of the malware's creators as, according to ZDNet, the real author(s) of this malware are yet obscure, be that as it may, the malware utilizes a similar server which is connected to the scandalous Locky ransomware, Ramdo, and DorkBot.