Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Domain. Show all posts

Breach Forums Plans Dark Web Return Despite FBI Crackdown

 

Breach Forums, the infamous cybercrime and hacker forum, is all set to return to the dark web under a new Onion label, Hackread reported. While the exact timing for the resuscitation of its clearnet domain is unknown, officials are trying to revive it this week. 

ShinyHunters, a hacker and Breach Forums administrator, confirmed the latest developments to a local media outlet . According to the hacker, the new Onion domain for Breach Forums is preparing for a comeback, which is scheduled for the following week. 

"The onion is ready, it's not public yet, but it will probably be launched this week." When asked about the status of the clearnet domain, the hacker just stated that "the clearnet will come back," without providing a specific timeline. 

Notably, on May 15th, 2024, the FBI seized Breach Forums V2, apparently after apprehending two admins, one known by the moniker Baphomet. ShinyHunters told Hackread.com that they believe Baphomet may have handed up backend credentials to the FBI, resulting in the entire seizure of the forum's Escrow, as well as its dark web and clearnet domains. 

However, recent developments have taken an unexpected turn, with ShinyHunters announcement last week that they had retrieved access to the seized clearnet domain for Breach Forums from the FBI using an unspecified technique. 

Interestingly, neither the FBI nor the Department of Justice has issued a statement on the seizure or any of the linked events. While the FBI has recognised the seizure and requested victims of data breaches on Breach Forums to come forward and fill out a form to help with further investigations, official statements from authorities are still waiting. 

With ShinyHunters' revelation that they had regained access to the confiscated clearnet domain, the narrative develops, leaving many doubts regarding the forum's future and the role of law enforcement authorities. However, it is clear that Breach Forums is undergoing a huge transition. From its confiscation by the FBI to its probable resurrection with a new Onion domain, the story depicts the dangerous and strange world of cybercrime.

PUMA Network: Unmasking a Cybercrime Empire

A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.

Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.

Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.

Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.

The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.

Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:

  • Be wary of clicking on links in emails, social media posts, and other messages from unknown senders.
  • If you are unsure whether a link is safe, hover over it with your mouse to see the full URL. If the URL looks suspicious, do not click on it.
  • Use a security solution that can detect and block malicious links.
  • Keep your web browser and operating system up to date with the latest security patches.

The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.

Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.

The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.

Proxyjacking Threat: Exploited SSH Servers for Sale on the Dark Web

A new attack targeting Secure Shell (SSH) servers has surfaced in the constantly changing world of cybersecurity. Concerningly, exploited SSH servers are now being provided as proxy pools on the dark web, which is a worrying trend. The integrity of global digital infrastructures as well as the security of sensitive data are seriously jeopardized by this trend.

The Proxyjacking Menace

Proxyjacking, as it is now termed, involves cybercriminals compromising SSH servers and selling them on the dark web as part of proxy pools. These servers are then used as a gateway for malicious activities, bypassing traditional security measures and gaining unauthorized access to networks. This technique allows attackers to conceal their true identity and location, making it difficult for cybersecurity professionals to trace and mitigate the threat.

Cloudflare, a prominent cybersecurity firm, highlights the significance of SSH in secure networking. SSH tunneling is a powerful tool for encrypting connections and safeguarding sensitive data during transmission. However, when these tunnels are breached, they become a potential point of vulnerability. Cloudflare emphasizes the need for robust security measures to protect against SSH-related threats.

SSH Tunneling and its Vulnerabilities

SSH tunneling is widely used to establish secure connections over untrusted networks. However, when improperly configured or outdated, SSH servers become susceptible to exploitation. Cybercriminals are quick to capitalize on these vulnerabilities, using compromised servers to launch attacks that can lead to data breaches, unauthorized access, and network compromise.

The exploitation of SSH servers for proxy jacking poses a significant risk to organizations and individuals alike. By leveraging these compromised servers, attackers can gain access to sensitive information, compromise critical systems, and disrupt operations. The consequences of such breaches can be severe, ranging from financial losses to reputational damage.

To defend against this emerging threat, organizations must prioritize the security of their SSH servers. Regularly updating and patching systems, implementing strong access controls, and employing advanced intrusion detection systems are essential to fortifying defenses against proxy jacking attacks. Furthermore, organizations should consider monitoring the dark web for any indications of compromised servers associated with their domains.

Proxyjacking has become more prevalent due to vulnerable SSH servers, which emphasizes the constant necessity for cybersecurity awareness. Being knowledgeable about new strategies and bolstering defenses are essential as cyber threats continue to change. Organizations may preserve their digital assets and shield themselves from the sneaky threat of proxyjacking by putting in place strong security measures and being diligent in monitoring for any breaches.



Cybercriminals Exploit SVB's Downfall for Phishing

The downfall of Silicon Valley Bank (SVB) on March 10, 2023, has caused instability all across the global financial system, but for hackers, scammers, and phishing schemes, it's evolving into a huge opportunity.

Security experts have already observed a variety of schemes that take advantage of the situation, which has severely hurt tech companies. Proofpoint researchers reported on Twitter that they have observed scammers sending fraudulent emails pertaining to a cryptocurrency company impacted by the failure of SVB.

On March 12, a considerable amount of domain names with the name SVB were registered. Threat actors are preparing for business email compromise (BEC) attacks by registering suspicious domains, creating phishing pages, and more. These operations seek to defraud targets by stealing money, account information, or malware.

A campaign using lures related to USDC, a digital stablecoin linked to the USD that was impacted by the SVB collapse, was found, as per Proofpoint. Fraudulent cryptocurrency businesses were defamed in messages sent through malicious SendGrid accounts that pointed users to URLs where they could claim their cryptocurrency.

A substantial KYC phishing campaign using SVB branding and a template with a DocuSign theme was found, as per Cloudflare. Within hours of the campaign's inception, 79 instances were where it was discovered. An assault that included HTML code with a first link that changed four times before linking to an attacker-controlled website was also intended at the company's CEO.

The HTML file used in the attack directs the user to a WordPress instance with the capacity to do the recursive redirection, however, it is unclear if this specific WordPress installation has been hijacked or if a plugin was set up to enable the redirect.







 Roaming Mantis Virus Features DNS Setups


Malicious actors linked to the Roaming Mantis attack group were seen distributing an updated variation of their patented mobile malware called Wroba to compromise Wi-Fi routers and perform Domain Name System (DNS) theft.

Kaspersky found that the threat actor behind Roaming Mantis only targets routers made by a well-known South Korean network equipment manufacturer that is situated in that country.

Researchers have been tracking the Roaming Mantis malware distribution and credential theft campaign since September 2022. This malware uses an updated version of the Android malware Wroba. o/XLoader to identify susceptible WiFi routers based on its model and modify their DNS.

All Android devices connected to the WiFi network will now experience a redirect to the malicious landing page and a request to install the malware as a result of the router's DNS settings having been altered. Consequently, there is a steady flow of infected devices that can penetrate secure WiFi routers on national public networks that serve a huge number of users.

The attacks use smishing messages as their primary intrusion vector to deliver a booby-trapped URL that, depending on the mobile device's operating system, either provides a malicious APK or directs the user to phishing URLs.

Even though there are no landing pages for American targets and Roaming Mantis does not seem to be specifically targeting American router models, Kaspersky's telemetry reveals that 10% of all XLoader victims are in the United States.

Additionally, the feature was set up to primarily target WiFi routers in South Korea, according to security researchers. Roaming Mantis victims have also been spotted in France, Japan, Germany, the US, Taiwan, Turkey, and other countries.

Kaspersky experts advise consulting one's router's user manual to ensure that its DNS settings have not been modified or contacting your ISP for assistance to safeguard the internet connection from such a virus. Furthermore, updating your router's firmware regularly from the official source is advised, as is changing the router's default login and password for the admin web interface. Avoid using a third-party repository and do not install router firmware from outside sources.

Snatch Ransomware Targets Volvo Cars 

 

Volvo revealed in a press release that some of its research and development assets were the target of a cyberattack.

The ransomware organization Snatch reportedly released pictures of stolen Volvo papers into the darknet on November 30, according to the Swiss tech news blog INSIDE IT.

As per the company, owned by Geely of China, "Volvo Cars have learned that one of the file sources has been unlawfully acquired by a third party. The limited amount of R&D assets stolen during the hack has been confirmed by investigations so far."

An effort to sell data seized from Volvo Cars was initially discovered by French cybersecurity expert Anis Haboubi on a popular phishing site. 

On December 31, 2022, a forum user going by the online alias IntelBroker reported that VOLVO CARS had been the target of a ransomware attack. He alleges that the Endurance Ransomware gang attacked the business and stole 200GB of private information that is now being peddled.

Database access, CICD access, Atlassian access, domain access, WiFi hotspots and logins, auth bearers, API access, PAC security access, employee lists, licenses, keys, and system files are all being offered  by IntelBroker for $2500 in Monero, who has also shared a number of screenshots as evidence of the hack.
 
Based on the currently available information, the business does not believe this will affect the safety or security of its customers' cars or their personal information. Volvo, situated in Goteborg, is now investing money to electrify every vehicle in its lineup by 2030.

However, Bleeping Computer stated that the Snatch ransomware gang was claiming responsibility for the attack. A spokesman earlier told AFP that the company had not been hit by ransomware and remained in full control of its data.

On November 30, the extortion gang published a new post on their data leak website detailing how they had broken into Volvo Car Corporation's servers and taken files during the incursion. The entry included screenshots of the taken files as evidence.

Since then, Snatch has also released 35.9 MB of just what it claim are papers that were taken during the hack from Volvo's systems. Volvo refused to respond when a cybersecurity firm emailed it to ask if the screenshots published by the Snatch extortion group were actually of files stolen from its systems.


Analysis on Agent Tesla's Successor

OriginLogger, a malware that has been hailed as the replacement for the well-known data theft and remote access trojan (RAT) noted as Agent Tesla, had its functioning dissected by Palo Alto Networks Unit 42

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the.NET platform, that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been in the public since 2014 and is promoted for sale on dark web forums. Typically, attackers send it as an attachment in harmful spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new versions of the common virus in February 2021, with the ability to steal login information from online browsers, email clients, and VPN clients as well as use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla version 3 is OriginLogger, which is alleged to have emerged to fill the gap left by the former after its operators shut down the business.

A YouTube video explaining its features served as the foundation for the cybersecurity company's study, which resulted in the detection of a malware sample "OriginLogger.exe" that was added to the VirusTotal malware archive on May 17, 2022.

The binary is a developer code that enables a purchased client to specify the kind of data to be acquired, including screenshots, the clipboard, and the list of services and programs from which the keys are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than any OriginLogger domains directly. Turning to this domain reveals that it has MX and TXT entries for mail. originlogger[.]com in the DNS.

Around March 7, 2022, the disputed domain started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which used 46. 

OrionLogger uses both Google Chrome and Microsoft Outlook, both of which were utilized by Unit 42 to locate a GitHub profile with the username 0xfd3 that had two source code repositories for obtaining credentials from those two applications.

Similar to Agent Tesla, OrionLogger is distributed via a fake Word file that, when viewed, is utilized to portray an image of a German passport, a credit card, and several Excel Worksheets that are embedded in it.

The files essentially include a VBA macro that uses MSHTA to call a remote server's HTML page, which contains obfuscated JavaScript code that allows it to access two encoded binaries stored on Bitbucket.

Advertisements from threat actors claim that the malware employs time-tested techniques and can keylog, steal credentials, and screenshots, download additional payloads, post your data in a variety of ways, and try to escape detection.

A corpus analysis of over 1,900 samples reveals that using 181 different bots and SMTP, FTP, web uploads to the OrionLogger panel, and Telegram are the most popular exfiltration methods for returning data to the attacker. The goal of this investigation was to automate and retrieve keylogger configuration-related information.





Global Scam Operation "Classiscam" Expanded to Singapore

 

Classiscam, a sophisticated scam-as-a-service business, has now entered Singapore, after more than 1.5 years  migrating to Europe. 

"Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News. 

The operators were described as a "well-coordinated and technologically advanced scammer criminal network" by the cybersecurity firm. Classiscam is a Russia-based cybercrime operation that was originally detected in the summer of 2019 but only came to light a year later, coinciding with an uptick in activity due to an increase in online buying following the COVID-19 epidemic. 

Classiscam, the pandemic's most commonly utilised fraud scheme, targets consumers who use marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. Users of major Russian ads and marketplaces were initially targeted, before spreading to Europe and the United States. 

Over 90 active organisations are said to be utilising Classiscam's services to target consumers in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States, and Uzbekistan. The fraudulent operation spans 64 countries in Europe, the Commonwealth of Independent States (CIS), and the Middle East, and employs 169 brands to carry out the assaults. Criminals using Classiscam are reported to have gained at least $29.5 million in unlawful earnings between April 2020 and February 2022. 

This campaign is remarkable for its dependence on Telegram bots and conversations to coordinate activities and generate phishing and scam pages. Here's how it all works: Scammers put bait advertising on famous marketplaces and classified websites, frequently promising game consoles, laptops, and cellphones at steep prices. When a potential victim contacts the seller (i.e., the threat actor) via the online storefront, the Classiscam operator dupes the target into continuing the conversation on a third-party messaging service like WhatsApp or Viber before sending a link to a rogue payment page to complete the transaction. 

The concept includes a hierarchy of administrators, workers, and callers. While administrators are in charge of recruiting new members, automating the building of scam pages, and registering new accounts, it is the employees that make accounts on free classifieds websites and submit the false advertising. 

"Workers are key participants of the Classiscam scam scheme: their goal is to attract traffic to phishing resources," the researchers said. 

In turn, the phishing URLs are produced by Telegram bots that replicate the payment pages of local classified websites but are housed on lookalike domains. This necessitates the workers to submit the URL containing the bait product to the bot. 

"After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller's offer and imitating the official classified's website and URL," the researchers said. 

"Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment." 

The phishing pages also offer the option of checking the victim's bank account balance in order to find the most "valuable" cards. Furthermore, some cases involve a second attempt to deceive the victims by phoning them and requesting a refund in order to collect their money back. 

These calls are made by assistant employees posing as platform tech support professionals.  In this scenario, the targets are sent to a fraudulent payment page where they must input their credit card information and confirm it with an SMS passcode. Instead of a refund, the victim's card is charged the same amount again.

While the aforementioned method is an example of seller scam, in which a buyer (i.e., victim) receives a phishing payment link and is cheated of their money, buyer scams also exist.

A fraudster contacts a legal vendor as a client and sends a bot-generated fraudulent payment form imitating a marketplace, ostensibly for verification purposes. However, after the seller inputs their bank card details, an amount equal to the cost of the goods is debited from their account.

Classiscammers' complete attack infrastructure consists of 200 domains, 18 of which were constructed to deceive visitors of an undisclosed Singaporean classified website. Other sites in the network masquerade as Singaporean movers, European, Asian, and Middle Eastern classified websites, banks, markets, food and cryptocurrency businesses, and delivery services.

"As it sounds, Classiscam is far more complex to tackle than the conventional types of scams," Group-IB's Ilia Rozhnov siad. "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly."

"To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform."