Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

User Data
Credit Card Credit Card Shop Data Breach Hacker Swarmshop User Data

The User Data of Swarmshop Card Shop has been Leaked Online

 

The details of the Swarmshop Darknet payment card market have been removed for the second time in two years and published on a competing underground website. The breach includes all of Swarmshop's records and all the data exchanged on the platform with the stolen credit card. 

Group-IB, the global threat chasing business, has detected that Swarmshop credit card shop consumer data was leaked on the internet on 17 March 2021. As per the Group IB, details of 623,036 bank cards provided by banks in the US, Canada, United Kingdom, China, Singapore, France, Brazil, Saudi Arabia, and Mexico have been dumped into the Swarmshop dump. 

Though recently, Swarmshop Carding Store seems to have been a common, illegal digital shopping market where cybercriminals were permitted to sell and buy stolen card and banking information. However, it remains unclear as to who has extracted this information, or how and when. The leak revealed massive amounts of data comprising data on four website operators, 90 sellers, and 12,250 purchasers. The researchers have written, "The dump included criminals' nicknames, hashed passwords and account balance and contact details for some entries.” 

The researchers also found that “498 sets of online banking account credentials and 69,592 sets of US Social Security Numbers and Canadian Social Insurance Numbers.” 

The one who breached Swarmshop did not warn the hacker and only sent a message with a connection to the database. At first, the administrators of the Card Shop claimed that the information was linked to a prior breach of the platform by a hacker in January 2020. However, their passwords were requested to be modified. Group-IB reviewed the current dump and found it fresh based on the most recent timestamps for user operation. 

“While underground forums get hacked from time to time, card shop breaches do not happen very often,” Dmitry Volkov, Group-IB’s CTO, said in a statement. “In addition to buyers’ and sellers’ data, such breaches expose massive amounts of compromised payment and personal information of regular users.” 

For decades, hackers have hacked other hackers. It seems quite simple for them to gain access to new hacking instruments, dumps, cards, PII, and value products than to hack people who steal them first of all. It is not surprising that Swarmshop has been successfully breached several times. Like everybody else, cybercriminals have security problems. It only shows that cybersecurity is a hard issue regardless of who you are. 

In Swarmshop's case, researchers seem to think that the attack is yet another criminal's business. About one year ago, a set of information has also been compromised. The site underwent a similar attack. No matter who is responsible, researchers believe that the breach would affect Swarmshop's position on cybercrime.
Read more »
Ryuk Ransomware
Blockchain Cyber Crime Maze Ransomware Ransomware group Ryuk Ransomware

Maze/Egregor Ransomware Earned over $75 Million

 

Researchers at Analyst1 have noticed that the Maze/Egregor ransomware cartel has made at least $75 million in ransom payments to date. This figure is the base of their estimations, as the maximum could be conceivably more since not every victim has disclosed paying to the threat actor. While the group is crippled presently, it is the one that began numerous innovations in the ransomware space. 

“We believe this figure to be much more significant, but we can only assess the publicly acknowledged ransom payments. Many victims never publicly report when they pay a ransom,” security firm Analyst1 said in a 58-page report published this week. 

Analyst1's discoveries are in accordance with a similar report from blockchain analysis firm Chainalysis, which listed the Maze group as the third most profitable ransomware operation — behind Ryuk and Doppelpaymer. 

The now-dead ransomware Maze group was a pioneer in its times. Started in mid-2019, the group was closed down for obscure reasons before the end of last year however resurrected as Egregor ransomware. The greater part of the code, working mechanism, and different clues call attention to that Egregor is the new Maze group. The group dealt with a purported RaaS (Ransomware-as-a-Service), permitting other cybercrime actors to lease admittance to their ransomware strain. These clients, likewise called affiliates, would penetrate organizations and send the Maze groups ransomware as an approach to encrypt files and extort payments.

But, while there were a lot of ransomware groups working on similar RaaS plans, the Maze group became famous by making a “leak site” where they'd regularly list organizations they infected, which was a novelty at that point, in December 2019. 

This branding change didn't influence the group's prosperity. Indeed, both Maze and Egregor positioned as the second and third most active RaaS services on the market, representing almost a fourth of all victims recorded on leak sites a year ago. As per Analyst1's report published for the current week, this heightened period of activity additionally converted into money-related benefits, based on transactions the company was able to track on public blockchains. 

However, this achievement additionally drew attention from law enforcement, which started putting hefty assets into researching and finding the group. Right now, the Maze/Egregor group is on a hiatus, having stopped activities after French and Ukrainian authorities captured three of their members in mid-February, including a member from its core team.
Read more »
United States
crime through technology Cyber Weapon security crime Technology United States

Man Sentenced To 12 Years For Attempting To Purchase Chemical Weapon On The Dark Web

 

A 46-year-old Missouri man has been sentenced to 12 years without parole in US federal prison today for trying to obtain a chemical weapon via an illicit Dark Website with Bitcoin currency; the weapon has the capacity to kill hundreds of people. 

According to the court, the man named Jason Siesser had admitted his cybercrime and accepted that he attempted to purchase a chemical weapon two times between 14 June and August 4, 2018. Additionally, the court document has also mentioned that he had provided the order shipping address in the name of a juvenile, whose name, address he used illegally to acquire this highly toxic weapon including five batches of cadmium arsenide, hydrochloric acid, and other chemical compounds. 

As per the information that the court has provided, three batches of this chemical concoction would be enough to kill more than 300 people at once. On August 4, 2020, Siesser has been to prison for attempting to obtain a chemical weapon. 

Jason had ordered chemical weapons on two different occasions, at first, he ordered two 10 milliliter units of chemical on 4th July of 2018 with the use of cryptocurrencies. When the seller did not ship the order, he contacted him continuously. Then it was on 9th July of 2018, when he contacted the seller and asked him to ship the order as early as possible because he planned to use it immediately after receiving it. 

Jason ordered his second chemical on 5th august of 2018 and again he made the payment with help of Bitcoin, worth roughly $150. Notably, what he ordered, was a very toxic chemical. 

During the investigating officers' raid at Siesser's home, they had found nearly 10 grams of the toxic chemical including cadmium arsenide, which can be deadly if it ingested or inhaled; approximately 100 grams of cadmium metal and more than 500 mL of hydrochloric acid had been found. 

"Writings located within the home articulated Siesser’s heartache, anger and resentment over a breakup, and a desire for the person who caused the heartache to die," said the Department of Justice.
Read more »
Web security
Cyber Security E Skimming Hacking Magecart Web security

Visa: Hackers Use Web Shells to Compromise Servers and Steal Credit Card Details

Visa, a global payment processor has warned that hackers are on the rise in deploying web shells in infected servers to steal credit card information from online customers. A kind of tools  (scripts or programs) Web Shells are used by hackers to infiltrate into compromised, deploy remote execute arbitrary commands or codes, traverse secretly within victim's compromised network, or attach extra payloads (malicious). Since last year, VISA has witnessed an increase in the use of web shells to deploy java-script-based files termed as credit card skimming into breached online platforms in digital skimming (also known as web skimming, e-skimming, or Magecart attacks).  

If successful, the skimmers allow the hackers to extradite payment information, and personal data posted by breached online platform customers and then transfer it to their controlled severs. According to VISA, "throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many e-skimming attacks used web shells to establish a command and control (C2)during the attacks. PFD confirmed at least 45 eskimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape."

As per VISA PFD findings, most Magecart hackers used web shells to plant backdoors in compromised online store servers and build a c2c (command and control) infrastructure which lets the hackers steal the credit card information. The hackers used various approaches to hack the online shops' servers, exploiting vulnerabilities in unsafe infrastructure (administrative), apps/website plugins related to e-commerce, and unpatched/out-of-date e-commerce websites. These Visa findings were confirmed earlier this February when Microsoft Defender Advanced Threat Protection (APT) team revealed that these web shells implanted on compromised servers have grown as much as twice since last year.  

"The company's security researchers discovered an average of 140,000 such malicious tools on hacked servers every month, between August 2020 to January 2021," reports Bleeping Computer.  "In comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices between July and December 2019," it further says.
Read more »
Vyveva
APT actors Lazarus Group malware North Korea North Korean Hackers South African Freight Vyveva

North Korean Lazarus Group Attacks South African Freight Via New Weapon

 

The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor malware, dubbed Vyveva is one of the latest tools discovered in the Lazarus armory. Vyveva has the capability of exfiltrating files, gathering data from an exploited machine and its drives, remotely connect to a command-and-control (C2) server and run arbitrary code. It also uses watchdogs to keep track of newly connected drives or the active user sessions to trigger new C2 connections on new sessions or drive events.

While ESET researchers have not gained much success in identifying the initial compromise vector but they have discovered three main components comprising Vyveva – its installer, loader and backdoor. Vyveva also consists a ‘timestomping’ option which allows its operators to manipulate any file’s data using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files. 

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, Lazarus group was formed in 2007 and since then, as per the researchers, the group has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The Lazarus Group’s activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on the countries including the US and Britain.
Read more »
Have I Been Pwned
Carding Mafia Credit Card Credit Card Hacking Forum Data Breach Have I Been Pwned

Credit Card Hacking Forum Compromised 300,000 User Accounts Due To A Data Breach

 

As per the information provided by the website ‘Have I Been Pwned’, Carding Mafia, a credit card stealing and trading platform that exposed nearly 300,000 user accounts, has indeed been compromised. However, Motherboard indicates that there was no indication that its consumers were warned on either the Carding Mafia Forum or its community telegram channel. According to forum data, Carding Mafia has more than 500,000 users. 

The breach potentially released 297,744 users' e-mail addresses, IP addresses, usernames, and hashed credentials. The authenticity of stolen data was verified by the founder of Have I Been Pwned, Troy Hunt. Hunt has stated that the carding site identifies e-mail addresses leaked through the 'forgot password' feature although it declined to identify and use any other random e-mail addresses. The carding website cautioned that when anonymous e-mails are submitted, a notification pops up which reads, “you have not entered an email address that we recognize” as per the Motherboard. 

The data reportedly hacked from this carding facility was 990 GB in the size of 660,000 artworks and 130,000 threads, according to the screenshots shared by Motherboard. The accused hacker presented the database through their inbox for free. Researchers noticed some months ago that too many cybercrime payments were being shifted to private message applications, to prevent alerting officials and security researchers that typically warn of compromised organizations. 

It is not unusual for hackers to post the stolen data publicly on popular hacking forums to gain "street cred" or a reputation. One can use this credibility to claim data or even request premium prices. Hackers find it harder to individually sell hacked information and use data brokers to divide over-generous fees. 

Hacker on hacker Cybercrime is a common way to stifle competitiveness by offering similar services to rival gangs. It may also be a simple way to get the gigabytes of compromised data free of charge or to boost the credibility of the hacker. Although IP information could encourage law enforcement agencies to identify the whereabouts of cybercriminals, as most criminals use VPN services to hide their real internet addresses. In order to register for hacking websites, hackers also use untraceable email addresses from vendors including Mailinator. However, new hackers are likely to be mistaken by logging into their actual IP addresses or by using real email addresses on the carding hacking pages. 

Meanwhile, Ilia Kolochenko, Founder and Chief Architect at ImmuniWeb, says: “Most of the compromised accounts have fake data and IPs from anonymous VPNs or proxies that are not likely to bring much actionable evidence to law enforcement agencies for investigation. Moreover, even the Western law enforcement agencies are currently underequipped to investigate and prosecute cybercrime on a large scale and will probably not initiate investigatory operations after the leak.”
Read more »
Technology
Blockchain Crypto Currency Data Leak Facebook Security Technology

Crypto at Risk After Facebook Leak: Here’s how Hackers Can Exploit Data

 

The tech giant Facebook has been hit with a new wave of data leaks, yet again but this time, the number of users whose records were exposed was not 50 million but a massive 500 million. 

According to a security analyst, sensitive personal information for over half a billion Facebook users was leaked on a well-trafficked hacking forum on April 3, posing a danger to millions of cryptocurrency traders who may now be susceptible to sim swapping and other identity-based attacks.

What should be done? 

In response to the question that how exactly does this most recent breach place at risk the crypto assets of individuals, Dave Jevans, CEO of blockchain security firm CipherTrace, told Cointelegraph that people who have had their phone numbers leaked need to be extra careful because a lot of fraud involving digital assets hinges on such details. 

He further added, “We’ve seen an increase in SIM swaps, phishing attacks, and other types of fraud involving cryptocurrencies that rely on acquiring the phone numbers of victims to execute. Leaked info about the identity of high-profile crypto users gave bad actors the ability to target them.” 

Ben Diggles, co-founder, and chief revenue officer at Constellation, told Cointelegraph that Facebook's latest security lapse is unsurprising, especially given that most Facebook users have a different approach, in which they prefer their world to be managed and structured for them. 

“Those that are crypto holders that were on the list have little to worry about unless they were storing descriptive details of their holdings and access on their Facebook account. However, these hackers have gotten really sophisticated, so I have no idea what tricks they may have [up] their sleeves with regards to scraping info specific to crypto wallets and exchanges.”, he added. 

However, he suggests that most users should update their passwords for all of their social media profiles, as well as all other sites that share their data with Facebook, as a precaution. 

Does decentralization matter? 

As more data leaks occur, a large majority of people around the world are understanding the value proposition that decentralized systems offer in terms of protection, particularly, since they do not feature a single point of failure. 

On the matter, Eli Arkush, a cloud solutions engineer at cybersecurity firm GlobalDots, suggests that having a platform's backend system distributed using blockchain technology could make it more difficult for hackers to obtain user information; however, once credentials fall into the wrong hands, password reuse may become a concern. 

However, Stephen Wilson, the CEO of Lockstep Group and a member of the Australian government's National Blockchain Roadmap Cybersecurity Working Group, believes that, contrary to popular belief, storing personal information on any blockchain ecosystem is never a good idea. He pointed out that the type of personal data breached by Facebook should never be stored in a blockchain, and even if it is, such data can never be completely protected by blockchain in the long run.

“Blockchain and DLTs usually only decentralize some aspects of data management. They don’t usually decentralize data storage in any relevant sense because they tend to duplicate ledger entries across multiple systems. The storage is distributed, but identical copies of information are available in multiple locations and can be vulnerable to attackers or thieves.”, he further added. 

Most hacking schemes in the past have primarily focused on stealing funds from cryptocurrency exchanges. For example, in 2014 and 2018, the total amount of money compromised as a result of exchanges being hacked was $483 million and $875 million, respectively. 

However, an increasing number of offenders are focusing their attention on stealing user data because it provides them with unique opportunities to obtain funds quickly. As a result, cryptocurrency owners must protect their assets.
Read more »
ransomware attacks
Cyber Attacks Fortinet FortiOS Kaspersky ransomware attacks

Cring Ransomware Attacks Exploited Fortinet Flaw

 

Ransomware operators shut down two production facilities having a place with a European manufacturer in the wake of conveying a relatively new strain that encrypted servers that control a manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday. Threat actors are abusing a Fortinet vulnerability flagged by the feds a week ago that conveys a new ransomware strain, named Cring, that is targeting industrial enterprises across Europe. 

Researchers say the attackers are misusing an unpatched path-reversal flaw, followed as CVE-2018-13379, in Fortinet's FortiOS. The objective is to access the victim's enterprise networks and eventually convey ransomware, as indicated by a report by Kaspersky Lab. “In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. 

Cring is relatively new to the ransomware threat scene—which as of now incorporates prevailing strains REvil, Ryuk, Maze, and Conti. Cring was first noticed and revealed by the analyst who goes by Amigo_A and Swisscom's CSIRT team in January. The ransomware is one of a kind in that it utilizes two types of encryption and annihilates backup files to threaten victims and keep them from retrieving backup files without paying the ransom. A week ago, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that nation-state advanced persistent threat (APT) groups were effectively abusing known security vulnerabilities in the Fortinet FortiOS operating system, influencing the organization's SSL VPN items. 

In its report, Kaspersky echoed the feds cautioning adding attackers are first scanning connections with Fortinet VPNs to check whether the software utilized on the gadget is the vulnerable version. The objective is to crack open affected hardware, give adversaries admittance to network credentials, and build up traction in the targeted network, Kopeytsev clarified. “A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”
Read more »
Russian Cyber Security
Cyber Fraud hacker news Russia Russian Cyber Security

Cyber Criminals began to use a new scheme to defraud Russians

The classic scheme to defraud Russian bank clients with the help of malicious emails is experiencing a second birth. Now the scammers, presenting themselves as Yandex.Money operators, demand to transfer funds to a bitcoin wallet under the threat of publishing compromising videos.

They are relying primarily on the fact that the potential victim will react to a familiar brand: the letters are sent from the email address inform@money.yandex.ru. Yandex.Money electronic payment service, which belongs to Sberbank, changed its name to YooMoney last year.

In the letter, the attacker, who calls himself a programmer, claims that he managed to hack into the user's computer and gain full access to it and related devices, including the camera. According to the scammer, he managed to make an intimate video of the victim, and if he doesn't get what he wants, he will send the video to his entire contact list.

"Transfer $650 to my bitcoin wallet. My bitcoin wallet (BTC Wallet): bc1qpg0uv2dcsjvpe9k2y7knxpzfdqu26tvydeu4pf. After receiving payment, I will delete the video and you will never hear from me again. I give you 50 hours (over two days) to pay. I have a notification of reading this email and a timer will go off when you see this email," the scammer intimidates the victim.

YooMoney's press office said they are aware of this technique by the scammers and have already taken appropriate action. "The information is sent from a domain that we no longer own. Yesterday we received information about this and passed it on to the domain owner's security service," the service stated.

Extortion of this kind is quite well known and has a long history, explained the agency executive director of the Association of participants in the market of electronic money and remittances Pavel Shust. Such messages can be sent in the thousands, hoping that someone will believe the threats and transfer money after all. The expert explained that in reality, of course, no one has hacked the computer and has no compromising materials, this letter should simply be deleted and forgotten about it.

Read more »
Ransomware
Cyber Attacks data security Ireland IT firms attacked IT Institution Ransomware

IT Services Remain Disrupted At Two Colleges Of Ireland After Ransomware Attacks

 

Two IT universities of Ireland the National College of Ireland (NCI) and the Technological University of Dublin have been hit by a cyber attack. 

Recently, both the aforementioned universities have reported ransomware attacks on their system. Currently, the National College of Ireland is working 24 hours to restore its IT services after suffering a massive cyber attack. Consequently, the institution is forced to go with an offline IT system. 

"NCI is currently experiencing a significant disruption to IT services that have impacted a number of college systems, including Moodle, the Library service, and the current students’ MyDetails service," the college reported on Saturday. 

An advisory that has been released by some press institutions said that two third-level institutions that are experiencing cyber-attacks, particularly ransomware attacks – in their regard, there is no definite timeline for when the IT services will be fully restored. 

In the wake of the attack, the two institutions have immediately notified the students, staff, and other employees, about the cyber attacks. Subsequently, NCI’s IT suspended access to the systems and the campus building was also shut down for staff as well as the students until the IT services are fully recovered from the attacks. 

NCI has also notified the important inquiries pertaining to the attack, to the authorities including the national police service of the Republic of Ireland and the Data Protection Commissioner. 

"Please note that all classes, assessments, and induction sessions planned from today Tuesday 6th until this Thursday 8th April inclusive have been postponed and will be rescheduled for a later date," NCI added in a statement issued today. 

"…The College will issue a further update on Thursday afternoon in relation to classes and other events for Friday and beyond. As well as, Students with assignments due this week were told that "no late penalties will be applied while the outage remains in place." 

Meanwhile, students were also told not to access any system of the campus until Monday, April 12. They were also advised to avoid contacting the IT staff that is at present working on restoring attacked IT systems.
Read more »
WhatsApp
German Germany Google Ads malware supply chain attacks WhatsApp

German Company Hit By Supply Chain Attack, Only Few Device Affected

Gigaset, a German device maker, was recently hit with a supply chain attack, the hackers breached a minimum of one company server to attach the malware. Earlier known as Siemens Home and Office Communication Devices, Gigaset is Germany based MNC. The company holds expertise in communication technology area, it also manufactures DECT telephones. Gigaset had around 800 employees, had operations across 70 countries and a revenue of 280 Million euros in the year 2018. 

The attack happened earlier this month, the malware was deployed in the android devices of the German company. According to experts, various users reported cases of malware infections, complaining the devices were attacked with adwares that showed unwanted and intrusive ads. Most of the users reported their complaints on Google support forums. A German website published a list of these package names (unwanted popups) which were installed on the android devices. 

Earlier complaints from the users are suggesting that data might've also been stolen from these devices. The foremost issue that these users faced was SMS texting and sending Whatsapp messages, the latter suspended few accounts on suspicion of malicious activity. The company has confirmed about the breach and said that the only the users who installed latest firmware updates from the infected devices were affected. The company is already set on providing immediate solutions to the affected customers. "It is also important to mention at this point that, according to current knowledge, the incident only affects older devices," said the company. 

The company during its routine investigation found that few of the old devices had malware problems. It was further confirmed by the customer complaints. Gigaset says it has taken the issue very seriously and is working continuously to provide short term solution to its customers. "In doing so, we are working closely with IT forensic experts and the relevant authorities. We will inform the affected users as quickly as possible and provide information on how to resolve the problem. We expect to be able to provide further information and a solution within 48 hours," said Gigaset.
Read more »
Subscribe to: Comments (Atom)