Banner Health Data Breach Leads to Series of Class Action Lawsuits

Earlier this month, Banner Health announced a data breach affecting approximately 3.7 million people. Since then, a series of class action lawsuits have been filed against the healthcare provider.

The breach involved two separate attacks, Banner Health said. The first targeted payment cards used at food and beverage outlets across some Banner Health locations. The second targeted patient, insurance, and provider information.

The sensitive healthcare information that was stolen is what sets this case apart from other recent data breach lawsuits, said Michella Kras, of counsel, Hagens Berman Sobol Shapiro. Kras is one of the attorneys working on the Banner data breach case filed by the firm, which she discussed on this week’s Cyber Chat podcast.

Hagens Berman Sobol Shapiro filed the class action lawsuit on behalf of Howard Chen, an Arizona doctor whose information was stolen in the breach.

“Dr. Chen’s personal information was compromised in three different ways: as an employee, insurance customer, and health provider,” the lawsuit states. “Dr. Chen is concerned that as a result of Banner’s conduct, his personal information, provider information, and health information is vulnerable to use by third parties.”

Banner Health has offered one-year of free credit monitoring to those affected by the breach, but that’s not enough, said Kras, who estimated Banner Health may pay $6 per person for the service.

“That’s not much of an incentive for them to change their practices because that’s such a small amount to a company that big,” Kras said. “It needs to be something greater than that to spur them to make changes.”

Listen to the podcast for more on Banner Health, class action lawsuits in general, and what companies can do to limit their liability.

 

After Slow Start in 2016, Point-of-Sale Breaches Surging

Last week Eddie Bauer became the latest in a growing string of companies to announce a major point-of-sale-related breach. All 350 North American stores were affected by malware that may have siphoned off customers’ payment card information between January and July of this year.

Not all cardholder transactions were impacted, the company said, and the breach does not include any online transactions; however, the announcement comes during the same month that Oracle MICROS, HEI Hotels & Resorts and several other companies posted similar breach announcements.

The recent surge follows a comparatively quiet period over the first half of 2016, as this chart from our Mid-Year 2016 Cyber Risk Report highlights.

POS
Compared to the large number of POS breaches and chatter in 2014, the past year and a half has been relatively quiet — other than a spike in late 2015 tied to several different hotel breaches, the report said.

“This dip in discussion is accentuated by the extreme number of high-profile organizations affected by POS breaches in 2014, perhaps skewing the perception for what ‘normal’ levels of activity should be,” the report noted. “Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.”

Revisiting that chart a month and a half later, it appears the activity level is now kicking up to match those high costs. SurfWatch Labs has collected more point-of-sale-related CyberFacts in August (through just 21 days) than any other month so far this year.

2016-08-22_POS_Chatter.png
The number of point-of sale CyberFacts collected by SurfWatch Labs has surged in recent months (data through August 21). HEI Hotels & Resorts is the highest trending POS-related target this month after announcing a data breach.

Oracle, Other Vendors Compromised

Adding to the concern around point-of-sale systems, Brain Krebs recently broke the news of a breach of hundreds of computer systems at Oracle, including a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Sources said the MICROS customer support portal has been observed communicating with a server known to be used by the Carbanak Gang. That’s alarming since the gang is suspected be behind the theft of more than $1 billion from financial institutions in recent years.

“This breach could be little more than a nasty malware outbreak at Oracle,” Krebs wrote. “However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.”

The investigation is ongoing, and Oracle so far has not provided customers or media outlets with many answers.

To make matters worse, Forbes’ Thomas Fox-Brewster reported that several other cash register suppliers besides MICROS have been breached recently.

“It now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell,” he wrote. “Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.”

Hotels Remain Top Trending POS Target

In our mid-year report, the “Hotels, Motels and Cruiselines” subgroup of Consumer Goods dominated the chatter around point-of-sale breaches, and not much has changed in the two months since that report. In fact, nearly 42% of all the point-of-sale CyberFacts collected by SurfWatch Labs so far this year have fallen into that group.

2016-08-22_POS_Groups
More than 60% of SurfWatch Labs’ point-of-sale related CyberFacts collected this year fall into either the Hotels, Motels and Cruiselines or Restaurants and Bars groups.

The top trending point-of-sale target this month is HEI Hotels & Resorts, which announced a breach involving 20 hotels on August 12. The malware was discovered in June on point-of-sale systems used at restaurants, bars, spas, lobby shops and other facilities, according to Reuters. Twelve Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel were impacted.

If those names sound familiar, it’s because several of them have already made news for data breaches of late, including Hyatt in December 2015 and Starwood in January 2016.

Other data breaches this year involving hotels include Kimpton Hotels, Hard Rock Hotel & Casino Las Vegas, Rosen Hotels & Resorts and the Trump Hotel Collection.

2016-08-22_POS_Groups_ITT

Although the various incidents that have been announced in recent weeks have not been explicitly connected by either researchers or law enforcement, the breach notice from Eddie Bauer did signify that other organizations have been targeted with a similar campaign.

“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” the company wrote. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer.”

Other experts such as Gartner fraud analyst Avivah Litan have speculated that the breach at Oracle “could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider.”

At the moment many questions remain, but if these investigations lead to the discovery of further compromises, expect to see more breach announcements and more payment card information being sold on Dark Web markets in the months to come.

Does Your Cyber Threat Intelligence Tell a Story?

I began at SurfWatch Labs several years ago with one primary directive: be a story teller. Cybercrime impacts everyone, I was told, yet many business owners, executives and employees know next to nothing about cybersecurity. 

For the most part those people were either unaware, assumed their business would never be a targeted by hackers, or put the onus on the tech guys to handle those threats. Those who did take cybersecurity seriously and wanted to learn — well, without a technical background cyber-related writing has a tendency to induce a mini-coma within the first three paragraphs.

Essentially, there was large disconnect between the numerous cyber-attacks and data breaches and everyone who was being impacted by those incidents. That gap has closed quite a bit the last few years, but a gap still remains. Unlike regular crime, which tends to evoke much a more visceral reaction, cybercrime and the reporting on it often feels one step removed from our daily lives. Even as we currently find ourselves speculating how cyber-issues could help decide a presidential election, people are still surprised when they become the target of a cyber-attack.  

Take Patrick Feng, an adjunct assistant professor who studies technology and sustainability policy at the University of Calgary in Canada. As Scientific American reported, on May 28 a ransomware attack left many of the university’s researches locked out of their own data and email, leading the university to make a ransom payment of $15,500 to ensure nothing was lost.

“Even though I teach technology policy, and am aware of these kinds of issues, I still thought it was never going to happen to me,” Feng said.

Yes, presidential candidates are targeted, but little ol’ me? C’mon.

That disconnect is why I wrote back in 2014 that the story of celebrity nude photos being stolen may have been the most important cybercrime event of that year:

For most of us, we are not celebrities, and it does not affect us. But when I read that story, or stories like that of [Miss Teen USA] Cassidy Wolf, who described her reaction to being sextorted by a similar creep – “I literally threw my phone across the room and started screaming. It did not feel real, it was like a horror movie.” – it stays with me in a way that a hundred stories of credit cards being stolen from Home Depot will never do.

We need stories to help spur action across all aspects of our lives, including cybersecurity. In a sense, that is what effective cyber threat intelligence is all about. Our goal here at SurfWatch Labs is to tell those stories, to help connect those dots so that everyone from the newly hired employee to the board of directors can understand the risks posed to them both individually and to their organization as a whole.

It’s also why charts like this are among my favorite ways to look at SurfWatch Labs’ cyber threat intelligence data — not because it’s a useful chart in any practical sense, but because of the way it highlights this year’s cybercrime events and shows the stories that collectively we are, and aren’t, paying attention to.

2016-08-05_firstseen.png
This chart shows the more than 1,000 industry targets SurfWatch Labs has collected data on this year (not including dark web data), as well as the date they first appeared in our data and how many CyberFacts we have collected pertaining to each organization.

In the cybersecurity space, we tend to define time by the major breaches — Target, Home Depot, Sony Pictures, Anthem, the U.S. Office of Personnel Management, Ashley Madison, LinkedIn, the Democratic National Committee — but doing so can negate the real story. As we noted in our recent cyber trends report, most attacks are not sophisticated. They are not high-profile incidents that garner national headlines. Rather, they are a steady wave of relatively simple and often automated attacks that continues to wash over those without proper awareness or understanding of their cyber risk.

Only a tiny fraction of cybercrime events cross over that gap and become part of the public consciousness. For the many more organizations that remain under the radar, cybercrime still has significant real-world consequences  — as well as for the employees, executives, shareholders and boards of directors that are tied to those various data breaches, denial-of-service attacks, extortion attempts, account takeovers, cyber-espionage, insider threats and other forms of cybercrime.

With cyber threat intelligence becoming one of the latest cybersecurity buzzwords, people are often trying to define what it is. What’s the proper balance between raw data and human analysis? Who is the target audience? How does that intelligence translate into specific action? In simpler terms, it is just telling the story of your organization’s cyber risk — with proper context and in a way that everyone can understand and take action on.

To continue to close that cybersecurity gap we need more training and more technological innovations and more smart leaders, but we also need to connect all of that together and drive progress forward somehow. That’s what cyber threat intelligence, and the stories it can tell, is all about.

Typosquatting: Easy Attack Vector That Produces Results

Every week here at SurfWatch Labs our team of threat analysts write about new vulnerabilities, malware developments and cyber-attacks.  One attack vector that is not mentioned very frequently but can be a significant threat for organizations and consumers alike is a technique called typosquatting.

Typosquatting is an attempt to trick users into thinking they have landed on their desired website, but in reality the user has landed on a website with a similar looking domain name that is controlled by cybercriminals. It’s an old technique, and security-conscious organizations often try to secure those domain variations that arise from typos.

However, a study last year described how companies remain vulnerable to typosquatting and found that most organizations do very little to protect their customers from the threat.

Key findings from the study:

  • Few trademark owners protect themselves against typosquatting by defensively registering typosquatting domains for their own domains.
  • The study found that 95% of the most popular 500 websites researched were targeted with typosquatting.
  • Hackers are increasingly targeting longer domains.
  • Some companies secure potential typosquatting domains but then choose not to renew them, leaving them vulnerable.

TypoSquatting Attack Example

A great example of a typosquatting attack was used against the popular online first-person shooter game Counter-Strike: Global Offensive. The hackers set up a convincing spoof, tricking gamers into believing they were on a legitimate site for the game. The fake site was listed as csgoloungcs.com, while the legitimate site is csgolounge.com.

Not only were visitors of the fake site tricked into sharing their login credentials, a Trojan downloader was pushed on them, leading to malware infections.

Another example found malicious actors taking advantage of the .om top level domain. Earlier this year, Netflix users who mistyped the address as netflix.om were redirected to a fake Flash update page.

Typosquatting is one example of the many opportunistic type of threats facing organizations. It doesn’t require sophisticated techniques, and it’s an easy way to leverage popular brands in order to entrap customers who aren’t aware of such scams.

Typosquatting scams can lead to a variety of consequences for users — from account takeover to identity theft — and those consequences can easily spill over to the organizations being impersonated in the form of disgruntled customers, bad press, or having to deny a breach when stolen credentials are put up for sale on the Dark Web.

All that trouble can be largely avoided by being vigilant about identifying common typographical mistakes related your organization’s domains and purchasing them to keep them out of malicious actors’ hands.

IcyEagle: A Look at the Arrest of an Alleged Dark Web Vendor

Last month Aaron James Glende, 35, was arraigned in U.S. District Court in Atlanta on charges related to selling stolen bank account information on the Dark Web market AlphaBay. According to the indictment, Glende operated under the alias “IcyEagle” and began advertising his criminal services in late 2015.

Although the exact picture of how law enforcement managed track down and identify Glende remains unclear, the details released so far provide an interesting behind the scenes view of the cybercrime-related postings we often highlight on this blog.

IcyEagle_SunTrust
IcyEagle listed these high-balance SunTrust Bank accounts for sale on AlphaBay in May 2016. He sold similar items to an undercover FBI agent in March and April 2016.

SurfWatch Labs has observed IcyEagle selling information related to a variety of companies over the past 10 months, but the June 28 indictment mentions only one company by name, SunTrust Bank.

On multiple dates in March and April 2016, a Federal Bureau of Investigations (“FBI”) agent in the Northern District of Georgia, acting in an undercover capacity, accessed the AlphaBay website. While on the website, the agent purchased SunTrust account information from Icy Eagle using Bitcoin. A review of the information purchased from IcyEagle confirmed that it contained usernames, passwords, physical addresses, email addresses, telephone numbers, and bank account numbers that belonged to five different SunTrust Bank customers.

IcyEagle has listed SunTrust Bank accounts with a variety of balances this year, ranging from $250,000-$500,000 (selling for $229.99), to $100-$500 (selling for $9.99).

He also sold a 6-page guide on how to best cash out SunTrust Bank accounts, which includes sections on routing numbers, background checks, Bitcoin, and other tips.

IcyEagle_SunTrustGuide
IcyEagle sold guides on how to cash out compromised accounts, including SunTrust Bank accounts. As with many listings on Dark Web markets, guides on using those items or services are readily available.

“I bring you freshly hacked Sun Trust Bank Account Logins,” read one posting for SunTrust Bank accounts with balances between $30,000 and $150,000. “The accounts are notorious for having weak security.”

According to postings viewed by the FBI, IcyEagle sold at least 11 of these high-balance SunTrust Bank accounts and 32 of the lower-balance accounts.

Dozens of other listings not-related to SunTrust Bank were also posted by IcyEagle and likely sold this year, although those were not listed in the recent indictment. 

IcyEagle_Amazon
Amazon is one of the most popular companies tied to IcyEagle in SurfWatch Labs’ data, based on the number of listings we have observed on AlphaBay.

IcyEagle sold hacked Amazon gift balances for around one-tenth of the total balance. Other accounts for sale generally ranged from $2.99 to $14.99, depending on the type of account. These included email logins, dating website logins, customer reward program logins, logins for various financial services and more.

How was IcyEagle Caught?

An undercover officer purchased stolen bank account information from IcyEagle in March and April 2016, according to the indictment. Interestingly, Glende was also arrested by local police for selling drugs around the same time. A tip from U.S. Postal Inspectors led to police officers finding a “trove” of drugs at his Minnesota home in March.

“According to police, Postal inspectors reported finding packages connected to Glende that contained prescription pills,” wrote the Winona Post. “Officers executed a search warrant of Glende’s home on Friday, March 11, and reportedly found two U.S. Postal Service packages ready to be sent that contained the prescription narcotics Valium, Xanax, and oxycodone. Officers reportedly found a trove of other drugs at Glende’s home: nearly 600 Xanax pills, more than a dozen dextroampethamine capsules, 138 oxycodone pills, nearly 50 Valium pills, marijuana, and marijuana wax.”

The indictment states that IcyEagle began advertising his criminal services by early November 2015. SurfWatch Labs’ data matches these allegations, with our threat intelligence analysts first observing several listings by IcyEagle in October 2015. New listings continued to be posted until the end of May, shortly before his arrest. 

2016-08-10_IcyEagleActivity.png
SurfWatch Labs has been observing IcyEagle listing cybercrime-related items on AlphaBay Market since October 2015.

It’s unclear how — or even if — those two events are linked, but shortly after that drug-related arrest the FBI appears to have begun targeting IcyEagle’s postings on AlphaBay. We can speculate that after U.S. Postal Inspectors tied Glende to selling prescription drugs, the search warrant and subsequent investigation may have revealed evidence leading law enforcement to AlphaBay and IcyEagle — or vice versa. Either way, Glende is charged with performing cybercrime-related activities including five counts of bank fraud, four counts of aggravated identity theft, and one count of access device fraud.

Law enforcement officials continue to tout the arrests of alleged cybercriminals such as Glende as a sign that they will hold bad actors accountable for their actions despite the difficulties associated with such a task.

“The threat posed by cyber criminals is a persistently increasing problem for everyday citizens here in the U.S. and abroad,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office, in a press release. “This investigation and resulting arrest clearly illustrates that the FBI, however, will not cease in its effort to identify, locate, arrest and seek prosecution of these criminals regardless of how deep in the digital underground they reside.” 

IcyEagle was just a drop in the bucket when compared to the thousands of pieces of Dark Web threat intelligence SurfWatch Labs analysts have recently observed. Nevertheless, cases like this serve as an important reminder of the insight that can be gained by watching these markets — not just for law enforcement, but for the companies that bear the brunt of this malicious cybercrime activity.

Payment Transactions Face New Data Breaches and Exploits

The last few weeks have not been kind to businesses and customers concerning payment transactions and digital currency. Several point-of-sale systems and digital wallet services have come under fire for data breaches and potential financial theft — not to mention the recent theft of $68 million worth of bitcoin.

The most wide-reaching event may be the breach at software company Oracle Corp, which was reported by Brian Krebs on Monday. A Russian cybercrime group appears to be behind an attack that saw the compromise of hundreds of computers system, including a customer support portal for Oracle’s MICROS point-of-sale credit card payment systems.

This could be a potentially huge breach, as more than 330,000 cash registers around the world utilize Oracle’s MICROS point-of-sale system. In 2014, the company said that about 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels used the software.

It is currently unknown how many organizations were affected by the breach or how long the breach took place. The investigation is ongoing, but potential ties to the Carbanak Gang have raised the level of concern. Oracle did tell Brian Krebs that the company “detected and addressed malicious code in certain legacy MICROS systems,” and that Oracle asked customers to reset their MICROS passwords.

Digital Wallets Face Scrutiny

At last week’s Black Hat conference, a security researcher presented on a flaw in the mobile payment system Samsung Pay. Samsung Pay allows customers to save payment cards on a digital wallet, providing users the option to select the payment card of their choice with the added security of a PIN or fingerprint scan to complete a purchase.

Security expert Salvador Mendoza discovered several problems with Samsung pay, including static passwords used to protect databases, weak obfuscation, and comments in the code. Mendoza also discovered issues with the tokens that are used to complete transactions. Cybercriminals could potentially predict future tokens from studying previous tokens used to make fraudulent transactions.

“Samsung Pay has to work harder on the token’s expiration date to suspend it as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase,” Mendoza explained. “Also, Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone will be able to reverse it.”

Samsung responded to Mendoza’s claims by saying “reports implying that Samsung Pay is flawed are simply not true.”

However, in a separate document Samsung did admit that “skimming” a token is possible, although extremely difficult.

“Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the company wrote. “This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.”

Samsung Pay isn’t the only digital wallet in the news for potential cybersecurity issues.  Venmo — a digital wallet service that allows users to interact with friends by sending money, making purchases, and sharing payments — made headlines recently for flaws that could potentially lead to malicious purchases.

A flaw in an optional SMS-based feature could allow a criminal to easily steal money from people’s accounts, according to researchers. Because Venmo allows users to charge friends through shared bill pay, that friend has to authorize the charge before payment is made. A hacker with physical access to a Venmo user’s phone could steal money from another user’s account by replying to a notification text message with a provided 6-digit code. A feature in Siri that allows users to reply to text messages from locked devices along with the iOS text message preview feature make this attack possible.

“A hacker could have sent a payment request to a targeted user, and if they had access to the victim’s locked device, they could have used Siri to send the approval code displayed on the screen, ” said Eduard Kovacs of SecurityWeek. “The maximum amount of money an attacker could have stolen from one user was $2,999.99 per week, which is the weekly limit set by the developer.”

Keeping Payments Safe

As we’ve highlighted on this blog and in recent threat intelligence reports, high-profile payment-related breaches aren’t at the forefront of cybercrime in the way they were several years ago. However, recent events prove that these payment systems — traditional point-of-sale systems, digital wallets and digital currencies — can lead to significant direct losses as well as brand damage and other consequences from the negative press generated by discovered vulnerabilities.

As SurfWatch Labs’ Chief Security Strategist Adam Meyer recently wrote, cybersecurity is largely about identifying and removing opportunity for malicious actors to do bad things — either directly or indirectly.  There are clear best practices that can be utilized by both businesses and customers to help protect sensitive payment data. Unfortunately, data is only as safe as the methods used to protect it.

Cybercriminals are constantly coming up with new methods and tricks to crack software and trick people into divulging their sensitive information. Cyber threat intelligence can help organizations remain mindful of the many new and evolving threats, identify their weaknesses, and deploy safeguards to protect data — whether that is payment-related data or other sensitive information.

 

Top Dark Web Markets: TheRealDeal, Paranoia and Zero-Day Exploits

In trying to demystify the Dark Web, we’ve talked about the customer-friendly features of markets, the hand-holding nature of cybercrime-as-a-service, and the secure payment options that can protect anonymous buyers.

As we turn our attention to the exploit-centric TheRealDeal Market, it gives us a chance to examine an aspect of the Dark Web that isn’t so rose-colored: the paranoia that runs deep for many buyers, sellers and market operators.

A Quick Look at TheRealDeal Market

Of the many Dark Web markets, TheRealDeal Market has perhaps the most interesting backstory. While other markets focus on things such as drugs and stolen payment card information, TheRealDeal Market launched in 2015 with a focus on code — from zero-day exploits to known vulnerabilities to source code. This led to stories in high-profile outlets such as Wired, which described TheRealDeal as “a new marketplace [that] hopes to formalize that digital arms trade.”

Shortly after making those headlines, several members were arrested, the site went offline, came back online for a short period, and then disappeared again. Finally, half a year later, it relaunched in December 2015.

TheRealDeal9
Exploits such as this alleged zero-day for ecommerce software are frequently listed on TheRealDeal Market.

The main reason for the long downtime was “paranoia,” as the site admin put it in an interview. That paranoia was grounded in real world events.

On July 13, 2015, the popular cybercrime forum Hell was shut down after its administrator, Ping, was arrested. A few days later — on July 15, 2015 — the FBI announced the dismantling of a dark web forum known as Darkode, which U.S. Attorney David J. Hickton described as “a cyber hornets’ nest of criminal hackers ” and “one of the gravest threats to the integrity of data on computers in the United States and around the world.” The coordinated law enforcement effort, known as Operation Shrouded Horizon, led to 70 Darkode members and associates across 20 countries being charged, arrested or searched.

As DeepDotWeb reported, those arrests tied up several members of TheRealDeal Market team.

“What I can say is that most of the original team is not with us at the moment,” TheRealDeal admin said in December. “Currently, at least for the time being, the market will be under the management of me (identified in support as admin S.P.), an old vendor that has stuck with us from the beginning, and a couple of trustworthy people from other darknet communities. I can also add that the main reason of the last down time was paranoia, if it turned out to be justifiable or not, I cannot say.”

That paranoia tends to run throughout all dark web markets — paranoia of law enforcement, paranoia of exit scams, paranoia of other users. As one drug vendor from the now-defunct Evolution Market said in a 2014 interview, “In this business it’s always better to be too paranoid than not paranoid enough.”

Feeding into that paranoia is the fact that the main administrator appears to have vanished recently and support has stopped replying to messages, at least according to one popular vendor.

“This [is] very strange by just leaving the market like this without any management or any notice for leaving,” the vendor told Motherboard in an online chat.

Yesterday, TheRealDeal Reddit account said the reason for the absence was an accident.

“Admin not dead, just almost,” the account wrote. “The only guy with the actual keys to the kingdom had a small accident. … More coming soon.”

What’s For Sale on TheRealDeal Market?

Since its December 2015 relaunch, TheRealDeal Market has once again been making national news. Most recently was a vendor selling a 200 million-strong database of alleged Yahoo user credentials, most likely stolen in 2012, for 3 bitcoin (around $1800). A Yahoo spokesperson said the company is aware of the listing and is investigating whether the data is legitimate.

The same vendor has recently sold massive databases of credentials from LinkedIn and MySpace.

TheRealDeal2
A posting from TheRealDeal Market claiming to contain 200 million user passwords for Yahoo.

TheRealDeal Market sparked another national story this summer when a different vendor began offering a series of healthcare databases for sale. That actor was able to use the media — along with initial price tags in the hundreds of thousands of dollars — to generate a significant amount of attention around the postings, his or her alias, and TheRealDeal Market. A half dozen databases have since been posted ranging from 23,000 records to 9.3 million records.

One of the more recent postings is from a healthcare organization in Fairview, Illinois.

TheRealDeal7.jpg
The seller claimed he or she was able to access various healthcare databases due to a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.”

“[The data] was retrieved from an accessible internal network using account credentials that were garnered through the token impersonation of an employee,” the listing reads. “First stage access was accomplished using RDP 0day.”

Although various stolen databases have generated most of the media attention around TheRealDeal Market, code-related items are a staple of the market — and one of the reasons it was founded.

“We actually tried selling such information and codes ourselves at some point [on established marketplaces] but it seems that all people want on those markets is credit cards and tutorials on how to make money with credit cards,” an admin said in an interview in April 2015. “The problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.”

The past month SurfWatch Labs has observed various alleged zero-day exploits for sale on TheRealDeal Market.

These include a listing claiming “a remote code execution that allows installation of any APK file on any Android phone that has [a certain gambling application] running.”

TheRealDeal4
The alleged zero-day exploit is selling for 12 bitcoin (around $7000).

There is also a posting claiming a local privilege escalation zero-day that will “go from user to SYSTEM in a few lines of code.”

TheRealDeal6
This alleged local privilege escalation zero-day is also selling for 12 bitcoin (around $7000).

Then there is an alleged zero-day in a popular messaging app, which can lead to denial of service.

TheRealDeal5
This denial-of-service exploit for a popular app is listed for 7.5 bitcoin (around $4,500).

In addition to zero-days and known exploits, there is also a variety of source code and other listings that can be found on the TheRealDeal Market.

For example, a recent listing claims to be selling information stolen from a large HL7 developer located in the United States.

“In addition to the source code for the HL7 Interface Engine software, the private keys for signing the code will also be included as well as the licensing database that entails a full record of all clients and their status information,” the listing reads. “There are many legitimate and nefarious uses for this exclusive package offer. You are only limited by your imagination.”

TheRealDeal1
This source code, signing keys and licensing database from a U.S. HL7 software developer comes with a hefty price tag of 40 bitcoin (around $23,000).

Another listing offers an enterprise code signing certificate.

“No timewasters please, if you don’t know why this is so expensive or what to do with it  — don’t bother,” the seller wrote.

TheRealDeal3.jpg
This enterprise code signing certificate is listed for 15 bitcoin (around $9,000).

These are just a sampling of the many recent listings on TheRealDeal Market.

Although TheRealDeal Market may not be as popular as AlphaBay or other markets that we’ve profiled over recent months — which tend to be dominated by things such as illegal drugs, hacking tutorials, payment card information and stolen credentials — TheRealDeal Market has managed to frequently make headlines for the types of information sold there, connections to other high-profile arrests, and now, the recent disappearance of the current admin.