Jeff Peters

Short Selling Vulnerabilities Latest in String of Stock Market Manipulation

Medical device company St. Jude filed a lawsuit yesterday against Muddy Waters and MedSec Holdings over a “false” report about cybersecurity issues in St. Jude’s cardiac devices. The August report caused the company’s stock to drop more than ten percent on the heels of those allegations and raised questions around a pending $25 billion deal to be acquired by Abbott Laboratories.

The heart of the issue is that MedSec Holdings, which discovered the alleged flaws, did not disclose them to St. Jude; rather, they took their findings to short-selling firm Muddy Waters in order to short St. Jude stock and turn a profit from the public disclosure.

MedSec contacted Muddy Waters with the proposal to short St. Jude stock after spending 18 months doing research and not generating any revenue, CEO Justine Bone said. Money made from shorting the stock will help finance development of secure medical device technology.

In its lawsuit, St. Jude said, “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”

The public battle has been at the center of an ongoing debate over the past two weeks — once again putting the issue of manipulating the stock market via cyber front and center.

Malicious Actors Profit From Stock Market

It’s no secret that malicious actors seek similar types of non-public information that can be used to leverage big profits in the stock market.

Perhaps the most famous recent case involves the theft of press releases from various newswire services. According to an August 2015 complaint filed by the Securities Exchange Commission (SEC), hackers gained access to the services, stole more than 100,000 press releases for publicly traded companies, and then used that information – often quarterly or annual earnings data – to reap over $100 million in unlawful profits.

As we noted in our 2015 Cyber Risk Report, the hackers worked with a network of traders to capitalize on the window between when a draft of a press release was provided and when it was made available to the public. In some instances that window was only a few minutes, but having that knowledge was extremely profitable, as the SEC complaint demonstrated.

2h2015_sec — By using non-public earnings information, the network of traders listed above were able to generate millions of dollars in profits through illegal trades.

Additionally, last summer reports of the hacking group Fin4 breaking into corporate email accounts to steal mergers and acquisitions data sparked the SEC to approach companies about possible breaches.

“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” John Reed Stark, a former head of Internet enforcement at the SEC, told Reuters.

Other cybercriminals have used less sophisticated methods to manipulate stock prices.

In July Gery Shalon, 32, and Ziv Orenstein, 41, were extradited from Israel and pled not guilty to charges that included a breach at JPMorgan Chase, which authorities described as the “largest theft of customer data from a U.S. financial institution in history.” The stolen contact information was used to send deceptive communications in order to inflate stock prices, a practice known as pump and dump.

First, they would execute prearranged manipulative trades to cause the stock’s price to rise small amounts on successive days. Then they would send spam emails — sometimes millions a day — touting the stock. Finally, after artificially pumping up the price, they would dump their shares of the stock for huge profits.

A New White-Hat Shorting Strategy

While cyber-experts have long-pointed to the massive profits criminals can make from combining cyber-attacks with strategies such as shorting, the move towards white-hat hackers doing the same thing has created some concern.

MedSec CEO Justine Bone said she knows the approach they used will lead to criticism, but that it was the most powerful way to inflict pain on St. Jude over the company’s “negligent level of attention to cybersecurity.”

Although many companies have implemented bug bounties in an effort to encourage researchers and other hackers to disclose vulnerabilities in a responsible manner, those programs often don’t come with big payouts or spur the change desired by the person who disclosed the bug. Those players may attempt to copy the MedSec strategy — resulting in more profits and more public pressure to respond to alleged vulnerabilities. That gives yet another reason for investors to be concerned over potential cyber issues.

Medical device consultants Billy Rios and Jonathan Butts told Bloomberg that traders were clearly blindsided and scrambling over this new idea, having been inundated with requests from hedge funds, short sellers and other investors about the Muddy Waters report.

“This is almost like The Big Short,” Butts said. “Someone saw something that nobody else did.”

POS Breaches: Bankrupting Small Businesses and Impacting the Supply Chain

There’s a popular cybercrime statistic that has been vexing me for years, and if you read cybersecurity news regularly, I’m sure you’ve seen it cited a few dozen times as well:

60% of small businesses close their doors within six months of a cyber-attack.

I’ve always been skeptical of that bold statistic. As Mark Twain wrote in his autobiography, attributing the now famous quote to British Prime Minister Benjamin Disraeli, “There are three kinds of lies: lies, damned lies and statistics.” Sixty percent is incredibly high (and what percent of these companies would have failed anyway, cyber-attack or not?); nevertheless, I’ve always wanted to find the source of that data and delve into the stories behind that number.

I’ve largely failed on both of those fronts over the past few years.

First, the statistic is most often attributed in some vague way to either the National Cyber Security Alliance or the U.S. House Small Business Subcommittee on Health and Technology. In fact, National Cyber Security Alliance executive director Michael Kaiser did quote that statistic before the House Small Business Subcommittee on Health and Technology in December 2011, but he was actually citing a Business Insider article from three months prior. The Business Insider article is similarly vague, saying only that “about 60 percent of small businesses will close shop within six months of an attack” — but providing no other context to back up that assertion.

Second, my repeated attempts to find small businesses that have failed due to cyber-attacks — and are willing talk publicly about those failures — have come up mostly empty.

When Breaches Lead to Bankruptcy

All of this serves as a backdrop to the recent conviction of Roman Valerevich Seleznev, aka Track2, 32, of Vladivostok, Russia. Seleznev was convicted on August 25 of 38 counts related to hacking point-of-sale systems and stealing payment card information. According to trial testimony, Seleznev’s scheme led to more than $169 million in losses across 3,700 financial institutions.

Perhaps most interesting — at least when it comes to my ongoing quest to chronicle small businesses being put out of business by cybercrime — was this tidbit from the Department of Justice press release:

Many of the businesses [targeted by Seleznev] were small businesses, some of which were restaurants in Western Washington, including the Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.

According to the indictment, Seleznev and others used automated techniques such as port scanning to identify vulnerable retail point-of-sale systems that were connected to the Internet and then infect those systems with malware.

“[Seleznev and others] hacked into, installed malware on, and stole credit card track data from, hundreds of retail businesses in the Western District of Washington and elsewhere,” the indictment stated. “[They] stole, in total, over two million credit card numbers, many of which they then sold through their dump shop websites … generating millions of dollars of illicit profits.”

Seattle’s iconic The Grill on Broadway was one of those small businesses to be hit by point-of-sale malware in 2010. The incident, along with other issues inherited from previous owners, led to the restaurant being closed in 2013.

“It became a target of a credit card number harvesting scheme that claimed a number of businesses on Broadway as victims,” the Seattle Gay Scene wrote at the time of the closing. “Several years of missed software updates played a significant role in the incident and [owner Matthew] Walsh and his team discovered this fact only a few months after purchasing the business. The effects were devastating to The Grill, generating massive amounts of negative publicity and drastically reduced revenue at the restaurant.”

The resources required to stay afloat were simply too much.

“In spite of what it may seem, we’re a very small business,” Walsh said. “We don’t have endless financial resources to keep us afloat like a chain restaurant or large corporation could.”

Recent Supply Chain Issues Affect POS Systems

The conviction of Seleznev over stolen payment card information and the re-emergence of The Grill on Broadway’s story comes during the same month that several point-of-sale vendors, including Oracle MICROS, have announced potential compromises — and a series of retailers and hotels have subsequently published data breach notifications.

Those breaches haven’t been explicitly connected, but several of the hotels to recently announce breaches have previously confirmed using MICROS products.

For example, Millennium Hotels & Resorts (MHR), which recently announced a data breach affecting food and beverage point-of-sale systems at 14 hotels, said it was notified by a third-party service provider about “malicious code in certain of its legacy point of sale systems, including those used by MHR.”

“The third party is a significant supplier of PoS systems to the hotel industry,” a spokesperson responded when SurfWatch Labs inquired about problems stemming from the supply chain. “It is aware of these issues. We are not disclosing the name.”

However, in 2008 MICROS Systems, now owned by Oracle, announced that Millennium Hotels & Resorts would be using MICROS “as the standard food and beverage point-of-sale solution for its 14 Millennium Hotel properties located in the United States” — so it’s possible there’s some connection between the breaches.

The same Russian group that hit MICROS has targeted at least five other cash-register providers, according to Forbes’ Thomas Fox-Brewster. Investigations are ongoing, but as we noted in our recent report, cybercrime is increasingly interconnected and compromises can quickly move down the supply chain, affecting everyone from small businesses to large enterprises.

If that 60% statistic is true, even partially, then it begs the question: will these recent breaches in the point-of-sale supply chain lead to more shuttered doors in the future?

And will we hear those businesses’ stories if it does happen? Or will they just become another vague statistic that we all continue to reference?

Banner Health Data Breach Leads to Series of Class Action Lawsuits

Earlier this month, Banner Health announced a data breach affecting approximately 3.7 million people. Since then, a series of class action lawsuits have been filed against the healthcare provider.

The breach involved two separate attacks, Banner Health said. The first targeted payment cards used at food and beverage outlets across some Banner Health locations. The second targeted patient, insurance, and provider information.

The sensitive healthcare information that was stolen is what sets this case apart from other recent data breach lawsuits, said Michella Kras, of counsel, Hagens Berman Sobol Shapiro. Kras is one of the attorneys working on the Banner data breach case filed by the firm, which she discussed on this week’s Cyber Chat podcast.

Hagens Berman Sobol Shapiro filed the class action lawsuit on behalf of Howard Chen, an Arizona doctor whose information was stolen in the breach.

“Dr. Chen’s personal information was compromised in three different ways: as an employee, insurance customer, and health provider,” the lawsuit states. “Dr. Chen is concerned that as a result of Banner’s conduct, his personal information, provider information, and health information is vulnerable to use by third parties.”

Banner Health has offered one-year of free credit monitoring to those affected by the breach, but that’s not enough, said Kras, who estimated Banner Health may pay $6 per person for the service.

“That’s not much of an incentive for them to change their practices because that’s such a small amount to a company that big,” Kras said. “It needs to be something greater than that to spur them to make changes.”

Listen to the podcast for more on Banner Health, class action lawsuits in general, and what companies can do to limit their liability.

After Slow Start in 2016, Point-of-Sale Breaches Surging

Last week Eddie Bauer became the latest in a growing string of companies to announce a major point-of-sale-related breach. All 350 North American stores were affected by malware that may have siphoned off customers’ payment card information between January and July of this year.

Not all cardholder transactions were impacted, the company said, and the breach does not include any online transactions; however, the announcement comes during the same month that Oracle MICROS, HEI Hotels & Resorts and several other companies posted similar breach announcements.

The recent surge follows a comparatively quiet period over the first half of 2016, as this chart from our Mid-Year 2016 Cyber Risk Report highlights.

Compared to the large number of POS breaches and chatter in 2014, the past year and a half has been relatively quiet — other than a spike in late 2015 tied to several different hotel breaches, the report said.

“This dip in discussion is accentuated by the extreme number of high-profile organizations affected by POS breaches in 2014, perhaps skewing the perception for what ‘normal’ levels of activity should be,” the report noted. “Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.”

Revisiting that chart a month and a half later, it appears the activity level is now kicking up to match those high costs. SurfWatch Labs has collected more point-of-sale-related CyberFacts in August (through just 21 days) than any other month so far this year.

The number of point-of sale CyberFacts collected by SurfWatch Labs has surged in recent months (data through August 21). HEI Hotels & Resorts is the highest trending POS-related target this month after announcing a data breach.

Oracle, Other Vendors Compromised

Adding to the concern around point-of-sale systems, Brain Krebs recently broke the news of a breach of hundreds of computer systems at Oracle, including a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Sources said the MICROS customer support portal has been observed communicating with a server known to be used by the Carbanak Gang. That’s alarming since the gang is suspected be behind the theft of more than $1 billion from financial institutions in recent years.

“This breach could be little more than a nasty malware outbreak at Oracle,” Krebs wrote. “However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.”

The investigation is ongoing, and Oracle so far has not provided customers or media outlets with many answers.

To make matters worse, Forbes’ Thomas Fox-Brewster reported that several other cash register suppliers besides MICROS have been breached recently.

“It now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell,” he wrote. “Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.”

Hotels Remain Top Trending POS Target

In our mid-year report, the “Hotels, Motels and Cruiselines” subgroup of Consumer Goods dominated the chatter around point-of-sale breaches, and not much has changed in the two months since that report. In fact, nearly 42% of all the point-of-sale CyberFacts collected by SurfWatch Labs so far this year have fallen into that group.

2016-08-22_POS_Groups — More than 60% of SurfWatch Labs’ point-of-sale related CyberFacts collected this year fall into either the Hotels, Motels and Cruiselines or Restaurants and Bars groups.

The top trending point-of-sale target this month is HEI Hotels & Resorts, which announced a breach involving 20 hotels on August 12. The malware was discovered in June on point-of-sale systems used at restaurants, bars, spas, lobby shops and other facilities, according to Reuters. Twelve Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel were impacted.

If those names sound familiar, it’s because several of them have already made news for data breaches of late, including Hyatt in December 2015 and Starwood in January 2016.

Other data breaches this year involving hotels include Kimpton Hotels, Hard Rock Hotel & Casino Las Vegas, Rosen Hotels & Resorts and the Trump Hotel Collection.

Although the various incidents that have been announced in recent weeks have not been explicitly connected by either researchers or law enforcement, the breach notice from Eddie Bauer did signify that other organizations have been targeted with a similar campaign.

“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” the company wrote. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer.”

Other experts such as Gartner fraud analyst Avivah Litan have speculated that the breach at Oracle “could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider.”

At the moment many questions remain, but if these investigations lead to the discovery of further compromises, expect to see more breach announcements and more payment card information being sold on Dark Web markets in the months to come.

Does Your Cyber Threat Intelligence Tell a Story?

I began at SurfWatch Labs several years ago with one primary directive: be a story teller. Cybercrime impacts everyone, I was told, yet many business owners, executives and employees know next to nothing about cybersecurity.

For the most part those people were either unaware, assumed their business would never be a targeted by hackers, or put the onus on the tech guys to handle those threats. Those who did take cybersecurity seriously and wanted to learn — well, without a technical background cyber-related writing has a tendency to induce a mini-coma within the first three paragraphs.

Essentially, there was large disconnect between the numerous cyber-attacks and data breaches and everyone who was being impacted by those incidents. That gap has closed quite a bit the last few years, but a gap still remains. Unlike regular crime, which tends to evoke much a more visceral reaction, cybercrime and the reporting on it often feels one step removed from our daily lives. Even as we currently find ourselves speculating how cyber-issues could help decide a presidential election, people are still surprised when they become the target of a cyber-attack.

Take Patrick Feng, an adjunct assistant professor who studies technology and sustainability policy at the University of Calgary in Canada. As Scientific American reported, on May 28 a ransomware attack left many of the university’s researches locked out of their own data and email, leading the university to make a ransom payment of $15,500 to ensure nothing was lost.

“Even though I teach technology policy, and am aware of these kinds of issues, I still thought it was never going to happen to me,” Feng said.

Yes, presidential candidates are targeted, but little ol’ me? C’mon.

That disconnect is why I wrote back in 2014 that the story of celebrity nude photos being stolen may have been the most important cybercrime event of that year:

For most of us, we are not celebrities, and it does not affect us. But when I read that story, or stories like that of [Miss Teen USA] Cassidy Wolf, who described her reaction to being sextorted by a similar creep – “I literally threw my phone across the room and started screaming. It did not feel real, it was like a horror movie.” – it stays with me in a way that a hundred stories of credit cards being stolen from Home Depot will never do.

We need stories to help spur action across all aspects of our lives, including cybersecurity. In a sense, that is what effective cyber threat intelligence is all about. Our goal here at SurfWatch Labs is to tell those stories, to help connect those dots so that everyone from the newly hired employee to the board of directors can understand the risks posed to them both individually and to their organization as a whole.

It’s also why charts like this are among my favorite ways to look at SurfWatch Labs’ cyber threat intelligence data — not because it’s a useful chart in any practical sense, but because of the way it highlights this year’s cybercrime events and shows the stories that collectively we are, and aren’t, paying attention to.

This chart shows the more than 1,000 industry targets SurfWatch Labs has collected data on this year (not including dark web data), as well as the date they first appeared in our data and how many CyberFacts we have collected pertaining to each organization.

In the cybersecurity space, we tend to define time by the major breaches — Target, Home Depot, Sony Pictures, Anthem, the U.S. Office of Personnel Management, Ashley Madison, LinkedIn, the Democratic National Committee — but doing so can negate the real story. As we noted in our recent cyber trends report, most attacks are not sophisticated. They are not high-profile incidents that garner national headlines. Rather, they are a steady wave of relatively simple and often automated attacks that continues to wash over those without proper awareness or understanding of their cyber risk.

Only a tiny fraction of cybercrime events cross over that gap and become part of the public consciousness. For the many more organizations that remain under the radar, cybercrime still has significant real-world consequences — as well as for the employees, executives, shareholders and boards of directors that are tied to those various data breaches, denial-of-service attacks, extortion attempts, account takeovers, cyber-espionage, insider threats and other forms of cybercrime.

With cyber threat intelligence becoming one of the latest cybersecurity buzzwords, people are often trying to define what it is. What’s the proper balance between raw data and human analysis? Who is the target audience? How does that intelligence translate into specific action? In simpler terms, it is just telling the story of your organization’s cyber risk — with proper context and in a way that everyone can understand and take action on.

To continue to close that cybersecurity gap we need more training and more technological innovations and more smart leaders, but we also need to connect all of that together and drive progress forward somehow. That’s what cyber threat intelligence, and the stories it can tell, is all about.

IcyEagle: A Look at the Arrest of an Alleged Dark Web Vendor

Last month Aaron James Glende, 35, was arraigned in U.S. District Court in Atlanta on charges related to selling stolen bank account information on the Dark Web market AlphaBay. According to the indictment, Glende operated under the alias “IcyEagle” and began advertising his criminal services in late 2015.

Although the exact picture of how law enforcement managed track down and identify Glende remains unclear, the details released so far provide an interesting behind the scenes view of the cybercrime-related postings we often highlight on this blog.

IcyEagle_SunTrust — IcyEagle listed these high-balance SunTrust Bank accounts for sale on AlphaBay in May 2016. He sold similar items to an undercover FBI agent in March and April 2016.

SurfWatch Labs has observed IcyEagle selling information related to a variety of companies over the past 10 months, but the June 28 indictment mentions only one company by name, SunTrust Bank.

On multiple dates in March and April 2016, a Federal Bureau of Investigations (“FBI”) agent in the Northern District of Georgia, acting in an undercover capacity, accessed the AlphaBay website. While on the website, the agent purchased SunTrust account information from Icy Eagle using Bitcoin. A review of the information purchased from IcyEagle confirmed that it contained usernames, passwords, physical addresses, email addresses, telephone numbers, and bank account numbers that belonged to five different SunTrust Bank customers.

IcyEagle has listed SunTrust Bank accounts with a variety of balances this year, ranging from $250,000-$500,000 (selling for $229.99), to $100-$500 (selling for $9.99).

He also sold a 6-page guide on how to best cash out SunTrust Bank accounts, which includes sections on routing numbers, background checks, Bitcoin, and other tips.

IcyEagle_SunTrustGuide — IcyEagle sold guides on how to cash out compromised accounts, including SunTrust Bank accounts. As with many listings on Dark Web markets, guides on using those items or services are readily available.

“I bring you freshly hacked Sun Trust Bank Account Logins,” read one posting for SunTrust Bank accounts with balances between $30,000 and $150,000. “The accounts are notorious for having weak security.”

According to postings viewed by the FBI, IcyEagle sold at least 11 of these high-balance SunTrust Bank accounts and 32 of the lower-balance accounts.

Dozens of other listings not-related to SunTrust Bank were also posted by IcyEagle and likely sold this year, although those were not listed in the recent indictment.

IcyEagle_Amazon — Amazon is one of the most popular companies tied to IcyEagle in SurfWatch Labs’ data, based on the number of listings we have observed on AlphaBay.

IcyEagle sold hacked Amazon gift balances for around one-tenth of the total balance. Other accounts for sale generally ranged from $2.99 to $14.99, depending on the type of account. These included email logins, dating website logins, customer reward program logins, logins for various financial services and more.

How was IcyEagle Caught?

An undercover officer purchased stolen bank account information from IcyEagle in March and April 2016, according to the indictment. Interestingly, Glende was also arrested by local police for selling drugs around the same time. A tip from U.S. Postal Inspectors led to police officers finding a “trove” of drugs at his Minnesota home in March.

“According to police, Postal inspectors reported finding packages connected to Glende that contained prescription pills,” wrote the Winona Post. “Officers executed a search warrant of Glende’s home on Friday, March 11, and reportedly found two U.S. Postal Service packages ready to be sent that contained the prescription narcotics Valium, Xanax, and oxycodone. Officers reportedly found a trove of other drugs at Glende’s home: nearly 600 Xanax pills, more than a dozen dextroampethamine capsules, 138 oxycodone pills, nearly 50 Valium pills, marijuana, and marijuana wax.”

The indictment states that IcyEagle began advertising his criminal services by early November 2015. SurfWatch Labs’ data matches these allegations, with our threat intelligence analysts first observing several listings by IcyEagle in October 2015. New listings continued to be posted until the end of May, shortly before his arrest.

SurfWatch Labs has been observing IcyEagle listing cybercrime-related items on AlphaBay Market since October 2015.

It’s unclear how — or even if — those two events are linked, but shortly after that drug-related arrest the FBI appears to have begun targeting IcyEagle’s postings on AlphaBay. We can speculate that after U.S. Postal Inspectors tied Glende to selling prescription drugs, the search warrant and subsequent investigation may have revealed evidence leading law enforcement to AlphaBay and IcyEagle — or vice versa. Either way, Glende is charged with performing cybercrime-related activities including five counts of bank fraud, four counts of aggravated identity theft, and one count of access device fraud.

Law enforcement officials continue to tout the arrests of alleged cybercriminals such as Glende as a sign that they will hold bad actors accountable for their actions despite the difficulties associated with such a task.

“The threat posed by cyber criminals is a persistently increasing problem for everyday citizens here in the U.S. and abroad,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office, in a press release. “This investigation and resulting arrest clearly illustrates that the FBI, however, will not cease in its effort to identify, locate, arrest and seek prosecution of these criminals regardless of how deep in the digital underground they reside.”

IcyEagle was just a drop in the bucket when compared to the thousands of pieces of Dark Web threat intelligence SurfWatch Labs analysts have recently observed. Nevertheless, cases like this serve as an important reminder of the insight that can be gained by watching these markets — not just for law enforcement, but for the companies that bear the brunt of this malicious cybercrime activity.

Top Dark Web Markets: TheRealDeal, Paranoia and Zero-Day Exploits

In trying to demystify the Dark Web, we’ve talked about the customer-friendly features of markets, the hand-holding nature of cybercrime-as-a-service, and the secure payment options that can protect anonymous buyers.

As we turn our attention to the exploit-centric TheRealDeal Market, it gives us a chance to examine an aspect of the Dark Web that isn’t so rose-colored: the paranoia that runs deep for many buyers, sellers and market operators.

A Quick Look at TheRealDeal Market

Of the many Dark Web markets, TheRealDeal Market has perhaps the most interesting backstory. While other markets focus on things such as drugs and stolen payment card information, TheRealDeal Market launched in 2015 with a focus on code — from zero-day exploits to known vulnerabilities to source code. This led to stories in high-profile outlets such as Wired, which described TheRealDeal as “a new marketplace [that] hopes to formalize that digital arms trade.”

Shortly after making those headlines, several members were arrested, the site went offline, came back online for a short period, and then disappeared again. Finally, half a year later, it relaunched in December 2015.

TheRealDeal9 — Exploits such as this alleged zero-day for ecommerce software are frequently listed on TheRealDeal Market.

The main reason for the long downtime was “paranoia,” as the site admin put it in an interview. That paranoia was grounded in real world events.

On July 13, 2015, the popular cybercrime forum Hell was shut down after its administrator, Ping, was arrested. A few days later — on July 15, 2015 — the FBI announced the dismantling of a dark web forum known as Darkode, which U.S. Attorney David J. Hickton described as “a cyber hornets’ nest of criminal hackers ” and “one of the gravest threats to the integrity of data on computers in the United States and around the world.” The coordinated law enforcement effort, known as Operation Shrouded Horizon, led to 70 Darkode members and associates across 20 countries being charged, arrested or searched.

As DeepDotWeb reported, those arrests tied up several members of TheRealDeal Market team.

“What I can say is that most of the original team is not with us at the moment,” TheRealDeal admin said in December. “Currently, at least for the time being, the market will be under the management of me (identified in support as admin S.P.), an old vendor that has stuck with us from the beginning, and a couple of trustworthy people from other darknet communities. I can also add that the main reason of the last down time was paranoia, if it turned out to be justifiable or not, I cannot say.”

That paranoia tends to run throughout all dark web markets — paranoia of law enforcement, paranoia of exit scams, paranoia of other users. As one drug vendor from the now-defunct Evolution Market said in a 2014 interview, “In this business it’s always better to be too paranoid than not paranoid enough.”

Feeding into that paranoia is the fact that the main administrator appears to have vanished recently and support has stopped replying to messages, at least according to one popular vendor.

“This [is] very strange by just leaving the market like this without any management or any notice for leaving,” the vendor told Motherboard in an online chat.

Yesterday, TheRealDeal Reddit account said the reason for the absence was an accident.

“Admin not dead, just almost,” the account wrote. “The only guy with the actual keys to the kingdom had a small accident. … More coming soon.”

What’s For Sale on TheRealDeal Market?

Since its December 2015 relaunch, TheRealDeal Market has once again been making national news. Most recently was a vendor selling a 200 million-strong database of alleged Yahoo user credentials, most likely stolen in 2012, for 3 bitcoin (around $1800). A Yahoo spokesperson said the company is aware of the listing and is investigating whether the data is legitimate.

The same vendor has recently sold massive databases of credentials from LinkedIn and MySpace.

TheRealDeal2 — A posting from TheRealDeal Market claiming to contain 200 million user passwords for Yahoo.

TheRealDeal Market sparked another national story this summer when a different vendor began offering a series of healthcare databases for sale. That actor was able to use the media — along with initial price tags in the hundreds of thousands of dollars — to generate a significant amount of attention around the postings, his or her alias, and TheRealDeal Market. A half dozen databases have since been posted ranging from 23,000 records to 9.3 million records.

One of the more recent postings is from a healthcare organization in Fairview, Illinois.

The seller claimed he or she was able to access various healthcare databases due to a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.”

“[The data] was retrieved from an accessible internal network using account credentials that were garnered through the token impersonation of an employee,” the listing reads. “First stage access was accomplished using RDP 0day.”

Although various stolen databases have generated most of the media attention around TheRealDeal Market, code-related items are a staple of the market — and one of the reasons it was founded.

“We actually tried selling such information and codes ourselves at some point [on established marketplaces] but it seems that all people want on those markets is credit cards and tutorials on how to make money with credit cards,” an admin said in an interview in April 2015. “The problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.”

The past month SurfWatch Labs has observed various alleged zero-day exploits for sale on TheRealDeal Market.

These include a listing claiming “a remote code execution that allows installation of any APK file on any Android phone that has [a certain gambling application] running.”

TheRealDeal4 — The alleged zero-day exploit is selling for 12 bitcoin (around $7000).

There is also a posting claiming a local privilege escalation zero-day that will “go from user to SYSTEM in a few lines of code.”

TheRealDeal6 — This alleged local privilege escalation zero-day is also selling for 12 bitcoin (around $7000).

Then there is an alleged zero-day in a popular messaging app, which can lead to denial of service.

TheRealDeal5 — This denial-of-service exploit for a popular app is listed for 7.5 bitcoin (around $4,500).

In addition to zero-days and known exploits, there is also a variety of source code and other listings that can be found on the TheRealDeal Market.

For example, a recent listing claims to be selling information stolen from a large HL7 developer located in the United States.

“In addition to the source code for the HL7 Interface Engine software, the private keys for signing the code will also be included as well as the licensing database that entails a full record of all clients and their status information,” the listing reads. “There are many legitimate and nefarious uses for this exclusive package offer. You are only limited by your imagination.”

TheRealDeal1 — This source code, signing keys and licensing database from a U.S. HL7 software developer comes with a hefty price tag of 40 bitcoin (around $23,000).

Another listing offers an enterprise code signing certificate.

“No timewasters please, if you don’t know why this is so expensive or what to do with it — don’t bother,” the seller wrote.

This enterprise code signing certificate is listed for 15 bitcoin (around $9,000).

These are just a sampling of the many recent listings on TheRealDeal Market.

Although TheRealDeal Market may not be as popular as AlphaBay or other markets that we’ve profiled over recent months — which tend to be dominated by things such as illegal drugs, hacking tutorials, payment card information and stolen credentials — TheRealDeal Market has managed to frequently make headlines for the types of information sold there, connections to other high-profile arrests, and now, the recent disappearance of the current admin.

Podcast: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 77: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money:

The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon’s Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders’ derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel on taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing” — where automated tools are used to exploit large batches of known user credentials to discover new accounts to take over.

SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year old credentials appears to be the cause of the current breach of O2 accounts — as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.

2016-07-27_thirdpartygroups — While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third-parties as a source of the compromise in their repsective statements.

Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.”

Podcast: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 76: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends:

The popular Pokemon Go was this week’s top trending cybercrime target following several incidents including DDoS attacks that disrupted service. DDoS attacks against the U.S. Congress, Philippines Government and WikiLeaks also made news. Data breach announcements include more than 130 stores being impacted by Cici’s Pizza’s point-of-sale breach, Asiana Airlines having 47,000 documents containing customer information stolen, and 2 million users being impacted by a hack at Ubuntu Forums. On the advisory front, SurfWatch Labs released its Mid-Year 2016 Cyber Trends report, Adobe Flash is back in the news, a Stagefright-like vulnerability is affecting Apple devices, and legitimate remote administration software is being used to spread banking malware. The GOP led the way on the legal side of cybercrime as the party unveiled its official platform, including cyber. Oregon Health & Science University was fined $2.7 million. The Department of Commerce will soon being accepting self-certifications for the EU-U.S. Privacy Shield. The St. Louis Cardinals hacking case wrapped up with a 46-month prison sentence. The alleged operator of Kickass Torrents was also arrested this week. Lastly, Pokemon Go is leading many people to get hurt in strange ways.

Download the Mid-Year 2016 Cyber Trends report from SurfWatch Labs: info.surfwatchlabs.com/cyber-threat-…eport-1h-2016

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.