AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals

On Thursday morning, the Department of Justice, Europol, and Dutch authorities announced a coordinated law enforcement takedown of AlphaBay and Hansa Market, two of the three largest dark web marketplaces used to buy and sell illicit goods and services.

AlphaBay has been offline since July 5, the same day that founder Alexander Cazes was arrested in Bangkok and a week before his apparent suicide. With the dark web’s most popular marketplace suddenly unavailable, many users turned to Hansa, a market that touted its security-focused approach. Unfortunately for those users, Dutch law enforcement had seized control of Hansa on June 20 following the arrest of two administrators in Germany, and law enforcement has been covertly monitoring the market’s activity over the past month.

2017-07-20_HansaSeized.png
The dark web markets AlphaBay and Hansa Market were both taken down in a coordinated law enforcement effort that was announced Thursday morning.

As Europol noted, this joint effort against the two markets helped to “magnify the disruptive impact” of the operation.

“It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform,” Europol wrote in its press release. “In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay.”

2017-07-20_HansaPractices.png
Database trade is the top trending cybercrime practice associated with Hansa Market over the past year, according to SurfWatch Labs’ data.

With both AlphaBay and Hansa Market now out of the picture, Dream Market is the reigning leader, according to SurfWatch Labs’ threat intelligence data.

How Cazes was Caught and AlphaBay Taken Down

Cazes, who was also known as “Alpha02” or “Admin” on the market, founded AlphaBay in 2014 and ran the site along with a team of eight to 10 individuals, according the unsealed indictment. Over the two-and-a-half-year period the site was operational, AlphaBay grew to become the largest dark web market in history and collected tens of millions of dollars in commissions.

2017-07-20_AlphaBayPractices.png
When AlphaBay was shuttered in early July, it had approximately 370,000 listings for sale across various categories such as fraud, drugs, counterfeit items, software and malware, and more.

However, Cazes made numerous mistakes while running AlphaBay that other malicious actors will be paying close attention to, said SurfWatch Labs chief security strategist Adam Meyer.

“As I read the indictment detailing the AlphaBay takedown in particular, I see a list of mistakes being disclosed by the operators of the market that will certainly be scrutinized by criminal elements in order to ensure they are not repeated in future efforts,” Meyer said. “In similar ways that malware instances are shared, tweaked and reused, those who operate illegal marketplaces — or have the desire to due to its profitability — are certainly taking detailed notes for future efforts.”

As the court documents noted:

  • Cazes’ personal email, “Pimp_Alex_91@hotmail.com,” was included in the header of an AlphaBay welcome email that was sent to new users in December 2014. The email was also included in the header of AlphaBay password recovery emails sent in late 2014.
  • Law enforcement then discovered the email address belonged to a Canadian-born man named Alexandre Cazes with a birthdate of October 19, 1991.
  • A December 2008 post on the online tech forum “http://www.commentcamarche.com” was subsequently found in which a user going by the name “Alpha02” posted information in French on how to properly remove a virus from a digital photo. That post included both the name “Alexandre Cazes” and the email “Pimp_Alex_91@hotmail.com.”
  • The email addresses was also tied to a PayPal account registered in Cazes’ name.
  • When Cazes was arrested, law enforcement discovered his laptop open and in an unencrypted state, as well as logged into the server that hosted the AlphaBay site. While searching the computer they found several open text files with passwords for the AlphaBay site and servers, which allowed law enforcement to seize all the information and cryptocurrency on those servers.

At the time of his arrest, a financial statement on Cazes’ computer put his net worth at $23,033,975. Cazes attempted to justify his wealth through a front company called EBX Technologies, but the indictment noted that the company’s website “is barely functional” and that the company’s bank records show “little to no business income or banking activity.”

What’s Next for the Dark Web?

Dark web market takedowns are significant, Meyer said, but they’re also a part of the now-established cycle of popular markets being disrupted by law enforcement or exit scams only to have new markets rise in their absence.

“While the law enforcement take down of AlphaBay and Hansa are certainly heavily impactful to underground merchants, rest assured new marketplaces will be established and new protocols will be implemented,” Meyer said.

It was just a little over a year ago that the then-number-two most popular market, Nucleus Market, suddenly went offline in an apparent exit scam, helping to bolster both AlphaBay’s and Hansa’s user base. With those two markets now gone, Dream Market has become the temporary king, but that will likely change in the coming months as new markets and new operators step in to fill the void — until the cycle repeats again.

TheDarkOverlord Targets Entertainment Sector with Leak of Unaired ABC Show

On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.

The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.

2017-06-07_TheDarkOverlordTweet.PNG

As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and The New York Times reported that the FBI began notifying the affected companies of the theft a month before that.

Who is TheDarkOverlord?

There isn’t much known about TheDarkOverlord as the group is very careful about exposing information that could relate to its members’ identities. This actor is smart and calculated but also has become bolder and more arrogant as evidenced in communication with recent victims — as well as very recently even setting up a help desk like hotline.

2017-06-07_TheDarkOverlordTargets
There have been dozens of targets publicly tied to data theft and extortion by TheDarkOverlord over the past year.

“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”

The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.

Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language utilized on the group’s accounts suggests that a single member is responsible for the managing the Twitter promotions as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured and TheDarkOverlord is taking full advantage.

How TheDarkOverlord Attacks Organizations

TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in these breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regards to the sensitive data of any organization that the group comes across and can and take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.

2017-06-07_TheDarkOverlordGroups
TheDarkOverlord initially appeared to to focus on targeting healthcare organizations, but the group has since targeted a variety of other industry groups.

In regards to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate numerous unreleased (still under production) media to use as leverage, although the group has only leaked two shows thus far.

As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving into demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere data, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.

Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the heathcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.

Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.

As WannaCry Spreads, Law Firm Reveals Separate Ransomware Cost Them $700,000

Businesses across the world are still recovering from last Friday’s outbreak of the WannaCry ransomware. On Monday, White House homeland security adviser Tom Bossert said that the ransomware had hit more than 300,000 computers, and security researchers have since detected several new versions of the malware — at least one of which doesn’t have the widely reported “kill switch” built in that has been used to slow the malware’s spread.

Much has been written about the effects of the ransomware on patients at NHS facilities, on downtime at factories, and on disrupted services at numerous other organizations. Various groups have estimated that the potential costs from the WannaCry outbreak may total between several hundred million and $4 billion.

The attention on WannaCry is deserved; however, there is a much smaller piece of ransomware news that emerged last month that highlights the devastating impact ransomware can have on a single organization. In a complaint filed in April against its insurer, the law firm Moses Afonso Ryan Ltd. (MAR) claims that a ransomware infection took more than three months to resolve, costing the firm more than $700,000 in lost billings.

“During the three months that the documents and information of MAR was held captive by the perpetrators of the ransomware attack, the attorneys of the firm were unproductive and unable to work at a reasonable efficiency,” the firm wrote in its complaint. “Year to year billing comparisons reveal a reduction of over $700,000 of billings for the three months of interruption.”

Dispute Over Insurance Policy Coverage

MAR is suing its insurer, Sentinel Insurance Company, claiming that the policy it purchased “is designed to protect MAR against precisely the type of loss it has now incurred as a result of the ransomware attack and interruption of its business.”  

Sentinel countered that it did, in fact, pay $20,000 in damages, but it denied the additional claim for the alleged lost “business income” as it exceeded what Sentinel believes are the limits of the policy.

Like the other insurance-related lawsuits — such as the Fourth Circuit ruling against Travelers Insurance in August 2016 — the dispute appears to revolve around the language of the policy and what specifically the policy covers when it comes to cybercrime.

“Sentinel admits that it has not paid for all of the losses MAR has claimed resulted from the ransomware attack it suffered, as certain of the losses claimed are not covered by the policy,” Sentinel argued in court documents. “The only coverage under the policy for loss or damage caused by a computer virus is under the Computers and Media Endorsement [section], which changes the policy to provide additional coverage [up to $20,000] for certain computer-related losses.”

Three Months to Resolve the Ransomware?

The lawsuit is yet another reminder that organizations need to ensure they know what their insurance policies cover in regards to cyber-attacks, but that is not the only cyber risk management lesson worth noting from the lawsuit. The court documents also revealed that it took several months for MAR to recover from the single ransomware incident — far more than the average of 42 hours that Ponemon found most ransomware victims spend.

2017-05-17_LawFirmRansomware.PNG
The process to recover encrypted documents and recreate lost ones took more than three months, MAR said.

The long recovery time was due to a variety of reasons, which the law firm outlined in its complaint:

  • In May 2016, a ransomware infection led to all of the documents and information stored on the MAR computer network being disabled and the computer network losing all functionality. MAR then hired security experts to fix the problem, but those experts were unable to gain access to the files.
  • In June 2016, the firm made contact with the attacker and negotiated a 13 bitcoin ransom. It took several days to purchase the bitcoins and pay the extortionist because the firm said they were unaware that new account holders could only purchase 2 bitcoins per day.
  • In July 2016, the firm had to re-establish communication with the attacker after discovering the decryption keys and tools it purchased did not work. A second bitcoin ransom was then negotiated and paid.
  • In August 2016, MAR had to recreate documents after discovering that it could not recover documents saved on a temporary server during the three months of business interruption.

All of this resulted due to a combination of events: an attorney at MAR clicking on an email attachment from an unknown source, a lack of proper backups and incident response plan to address a well-known security issue, and a malicious actor that took advantage of the situation by demanding multiple ransom payments.

MAR is just one example of a business that was unprepared for a ransomware attack, and numerous other organizations are likely experiencing similar issues this week. As Elliptic noted, WannaCry has generated over $80,000 in ransom payments since Friday.

2017-05-17_wannacry

However, organizations that decided to pay the WannaCry ransom were lucky that it only required a $300 or $600 payment depending on how quickly they acted. In addition, multiple researchers have reported that organizations were able to successfully restore their files after payment, even as law enforcement agencies have advised there are no guarantees when dealing with cybercriminals.

This is not the case for many ransomware victims. Some recent ransomware campaigns have been observed charging a full two bitcoin in ransom (around $3,700) for any infections, and some organizations have received targeted ransom demands totaling tens of thousands of dollars — and, in cases like MAR, the decryption keys purchased at those inflated prices may not even work.

Hopefully, WannaCry will help push organizations towards better understanding, preparation, and incident response around ransomware since the problem is not going away any time soon.

Behind the Scenes of a $170 Million Payment Card Fraud Operation

On Friday, 32-year-old Russian hacker Roman Seleznev was sentenced to 27 years in prison for running a cybercriminal operation that stole millions of payment cards, resulting in at least $169 million in damages to small business and financial institutions. It’s the longest sentence ever issued in the U.S. for cybercrime, and the court documents and testimony that led to the sentence revealed the inner workings of a decade-long operation that helped to grow and evolve payment card fraud into what it is today.

Earlier this month, in documents urging the judge to issue a lengthy sentence, the prosecution said Seleznev may have harmed more victims and caused more financial losses than any other defendant that ever appeared before the court:

“Seleznev is the highest profile long-term cybercriminal ever convicted by an American jury. His criminal conduct spanned over a decade and he became one of the most revered point-of-sale hackers in the criminal underworld. … Unlike smaller players in the carding community, Seleznev was a pioneer in the industry. He was not simply a market participant – he was a market maker whose automated vending sites and tutorials helped grow the market for stolen card data.”

In total, the government was able to identify 2,950,468 unique credit card numbers that Seleznev stole, possessed, or sold related to more than 500 U.S. business, subsequently affecting 3,700 financial institutions around the world. And — as the government pointed out — that is just the known losses.

Driving Small Businesses to Bankruptcy

2017-04-26_SeleznevMoneyiPhone.PNG
Photo of money taken from Seleznev’s iPhone, which was confiscated upon his arrest in July 2014. In addition, the laptop in his possession at that time contained more than 1.7 million stolen credit card numbers.

As we wrote when Seleznev was convicted on 38 of the 40 counts he faced last year, many of the organizations he targeted were small businesses, and the testimony of seven of those businesses were heard in the court case.

Seattle’s Broadway Grill has perhaps been the most publicized of the point-of-sale breaches. Owner CJ Saretto testified that bad publicity from the breach instantly reduced the restaurant’s revenue by 40 percent and eventually forced him to “walk away from the business, shutter the doors, [and file] personal bankruptcy.” Other owners testified that the effect on business was “horrendous,” that the breach forced them into heavy debt, and that business “has never been the same” since the incident.

It’s no coincidence those that testified in the case against Seleznev were small business owners. Seleznev tended to target small businesses in the restaurant and hospitality industry, particularly if they had poor password security around their point-of-sale devices.

Seleznev “developed and used automated techniques, such as port scanning, to identify retail point of sale computer systems … that were connected to the Internet, that were dedicated to or involved with credit card processing, and that would be vulnerable to criminal hacks,” the indictment stated.

“He quickly learned that many of these businesses’ point of sale systems were remotely maintained by vendors with poor password security,” the government said in its sentencing memorandum. “Because most of his victims were small businesses, they were unlikely to have in-house IT or security personnel. As a result, these companies made extremely attractive targets for someone with Seleznev’s skills as a hacker.”

Track2, Bulba, 2Pac, and POS Dumps

However, Seleznev went far beyond merely stealing payment card information, he also helped to develop and operate websites to market the stolen data and promote more individuals to get into payment card fraud. Seleznev was 18 years old when he began participating in the Russian underground “carding” community under the alias “nCuX,” and seven years later, in 2009 when the U.S. Secret Service tried and failed to coordinate his arrest, he had become a major provider of stolen credit card data, according to court documents.

Just three months after being tipped off to the potential arrest by contacts inside the FSB and retiring his “nCuX” alias, Seleznev was back in the game under the name “Track2.” He soon unveiled two new automated vending websites, “Track2” and “Bulba,” which allowed buyers to to automatically search and purchase his stolen credit card data by using filters such as a particular financial institution or card brand.

2017-04-26_SeleznevBulba
Screenshot of Bulba, an automated vending website used by Seleznev to buy and sell stolen payment card information.

Those features have become commonplace now, but as the prosecution noted, it was “a major innovation” at the time and the “Track2 and Bulba websites achieved instant success.”

“[The sites] made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon,” the prosecution wrote. “Automated vending sites increased the efficiency [of] credit card data trafficking, and remain the gold standard for credit card trafficking to this day.”

2017-04-26_AlphaBayCarding

The popular dark web marketplace AlphaBay adopted a similar automated shop for stolen payment card information in May 2015, but it includes more search options and a more user-friendly interface than Seleznev’s 2009 Bulba site.

In April 2011, Seleznev was injured in a terrorist bombing in Marrakesh, Morocco, and hospitalized for several months. His co-conspirators ran the Track2 and Bulba websites in his absence until they closed up shop in January 2012 citing no new dumps to sell.

Once again, Seleznev choose to return to cybercrime by innovating his operations. Switching monikers to “2Pac,” he launched a new automated vending site that would not only sell his stolen data but would offer stolen cards from “the best sellers in one place.” Seleznev would take a portion of the proceeds for each sale, and he used this model to resell credit data stolen in popular breaches such as Target, Michaels, and Nieman Marcus on the 2Pac site.

2017-04-26_SeleznevATMDump
Someone chatting with Seleznev trying to get payment card data stolen via ATM skimmers listed on the 2Pac site.

In addition, Seleznev needed a continuous stream of dumps and customers to fuel his 2Pac site, so he began teaching others the basics of payment card fraud via a sister site, called “POS Dumps.”

2017-04-26_Seleznev2PacTutorial
The POS Dumps site linked to the 2Pac site and walked wannabe fraudsters through the steps necessary to become a criminal.

The POS Dumps website contained four categories to teach amateurs how to successfully commit payment card fraud:

  1. Choosing and buying equipment
  2. Choosing and buying dumps
  3. How to generate Track1 and why it is needed
  4. Writing the dumps onto cards

The website even had links to eBay to purchase the necessary equipment (an MSR206 manual swipe magnetic card reader/writer) and custom malware to help write the stolen payment card data onto other cards.

2017-04-26_SeleznevTheJERM
POS Dumps provided a “comprehensive” program to interface with the MSR206 magnetic reader/writer to help wannabe cybercriminals commit fraud.

The prosecution wrote that the POS Dumps website “trained thousands of new criminals in the basics of how to use the data to commit fraud.” Similar types of tutorials related to fraud and cybercrime remain among the most commonly listed items on dark web markets today, according to SurfWatch Labs’ data.

A Record 27-Year Prison Sentence

2017-04-26_SeleznevGuidelines
The prosecution argued that the U.S. sentencing guidelines stated that “unauthorized charges … shall not be less than $500 per access device.” Therefore, Seleznev’s 2.9 million stolen credit cards equated to more than $1.4 billion in losses.

Court documents from the defense called the long prison sentence “draconian.” However, Seleznev clearly knew his actions could have serious consequences. He monitored the U.S. court’s PACER system for any criminal indictments against him, and when agents arrested him in the Maldives as he attempted to board a plane in 2014, he immediately asked if the U.S. had an extradition treaty. The U.S. did not have a formal treaty with the Maldives, but an agreement was obtained in the days prior to take custody of Seleznev.

The prosecution described Seleznev’s sentencing guideline calculation as “literally off the charts.” A score of 43 recommends a life sentence, and Seleznev scored 16 points above that — a 59.

The judge agreed with the prosecution and sentenced Seleznev to 27 years in prison last Friday.

“The notion that the Internet is a Wild West where anything goes is a thing of the past,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind.  Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”

Slew of Source Code and Malware Leaks Increases Risk for Organizations

Earlier this month, an undergraduate student in Korea apologized for creating and making public the joke ransomware “Resenware.” The malware didn’t ask for money to decrypt files; instead, it required victims to score more than 200 million points on the “lunatic” level of the shooting game Touhou Seirensen ~ Undefined Fantastic Object.

The student told Kotaku that he released the joke malware on Github before falling asleep and by the time he woke up it had spread and “become a huge accident.” The source code was quickly removed from Github and a tool was released allowing infected users to decrypt their files without having to play the game. The creator then apologized for making a “kind of highly-fatal malware.”

That’s all well and good, but as Will Rogers once said, “Letting the cat out of the bag is a whole lot easier than putting it back in.”

2017-04-18_Resenware.PNG
A warning from Resenware shared by Malware Hunter Team.

The story highlights how quickly publicly available source code can be spread, copied, and potentially repackaged by malicious actors. That isn’t as likely to happen with Resenware due to the lack of a financial component, though it could be utilized by actors looking to cause harm rather than turn a profit. Nevertheless, profit-driven actors have numerous other recent source code leaks they can pull from.

For example, in December 2016, the source code for a commercial Android banking Trojan, along with instructions on how to use it, was released on a cybercriminal forum. Malicious actors quickly used that code to create the BankBot Trojan, which Dr. Web researchers noted can steal login credentials and payment card details by loading phishing forms and dialogs on top of legitimate applications, as well as intercept and delete text messages sent to the infected device. Since then, BankBot has made several appearances in the Google Play store, confirming Dr. Web’s January conclusion that the leak “may lead to a significant increase in the number of attacks involving Android banking Trojans.” In fact, just last week two malicious applications utilizing BankBot, HappyTimes Videos and Funny Videos 2017, were removed from the Google Play store after receiving thousands of installs.

The BankBot Trojan is just one example of the continuing evolution of malware as the stockpile of effective cybercriminal tools continues to accumulate. The leak of these tools, whether made as a joke by amateurs or for malicious purposes by professional cybercriminals, means that more polished malware is now at the fingertips of malicious actors than ever before.

Even if an inexperienced actor is unable to take and modify public malware source code, they can simply turn to professionally run as-a-service malware options that are likely doing so.

Last week MalwareBytes released a report with an interesting chart on ransomware trends. It shows that the Cerber ransomware-as-a-service (RaaS) has come to dominate the ransomware market with a nearly 90% share as its main competitor, Locky, has declined.

2017-04-19_Cerber
Cerber is dominating the ransomware market as Locky fell off sharply, according to MalwareBytes’ honeypots.

“Cerber [has spread] largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features, but by also making it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report authors noted.

Those types of criminal operations can greatly benefit from the large amount of exploits and malware source code that has made its way into the public domain this year.

For example, since March 2017 we’ve seen:

  • The release of the source code for the NukeBot banking Trojan, a modular Trojan that comes with a web-based admin panel to control infected endpoints.
  • New allegedly NSA-developed exploits leaked by TheShadowBrokers, including last week’s release of a series of now-patched Windows exploits and a critical vulnerability that can hijack Solaris systems that was released a week prior (and patched today by Oracle).
  • More leaks of alleged CIA exploits and tools, some of which claim the CIA benefited by repackaging components of the Carberb malware source code, which was leaked in 2013, into CIA hacking tools.
  • A report last week claimed that the Callisto APT Group used tools leaked from the surveillance company HackingTeam, which was breached in 2015, in a series of targeted attacks last year.

Whether it’s nation-state actors, cybercriminal groups, or amateur hackers, they can all benefit by the leak of these tools over the past month. If past leaks are any indication, malicious actors will incorporate any effective tools and techniques from the recent leaks into their already-existing cyber arsenals.

As the collective knowledge grows on the cybercriminal side, it’s crucial that organizations harness their own threat intelligence in order to have their finger on the pulse of malicious actors. With that information they can more effectively counter the slew of new vulnerabilities, exploits, and as-a-service tools being used to infiltrate their networks and damage their organization.

New Cryptocurrencies Gain Traction, Spark Concern For Law Enforcement

Last month a new ransomware emerged known as “Kirk Ransomware.” The malware was interesting not just because of the Star Trek-themed imagery of James Kirk and Spock that it used, but also because it may be the first ransomware to demand payment via the cryptocurrency Monero.

2017-04-06_KirkRansomware.png
Victims of the Kirk Ransomware are walked through how to make their ransom payments using Monero.

There are literally hundreds of different types of existing cryptocurrencies like Monero that cybercriminals can choose from, but bitcoin is the most well known and has been the most widely used, by far, when it comes to ransomware. Bitcoin’s status as the reigning cryptocurrency king has been driven, in part, by the growth of cybercriminal markets and ransomware actors that greatly benefit by having a semi-anonymous payment option available. However, bitcoin is facing both growing pains and an expanding group of credible challengers that claim to have better answers to some of the current issues facing cryptocurrencies.

Cryptocurrencies are, for better or worse, intertwined with cybercrime, and dark web markets and malicious actors adopting new forms of payment such as Monero and Ethereum are helping push those currencies to new heights. With that growth comes new opportunities for cybercriminals as well as new concerns for law enforcement.

As we noted in a recent blog on AlphaBay’s plans to adopt Ethereum next month, the cryptocurrency has seen a dramatic increase in price on the heels of AlphaBay’s announcement and partnerships with legitimate financial institutions. Likewise, Monero was worth around $2.50 the day before AlphaBay announced plans to adopt the currency, and less than eight months later it has jumped to more than $26.

In December 2016 an AlphaBay support representative told Bitcoin Magazine that Monero accounted for about two percent of its sales, so bitcoin remains king. However,  one can assume that the actors behind AlphaBay have plenty to gain financially by riding the wave created by the largest dark web marketplace adopting new cryptocurrencies — besides simply appeasing their customers.

Monero — which advertises itself as a “secure, private, untraceable currency” — is perhaps the most praised among cybercriminals. Bitcoin was not designed to be anonymous, and every transaction is publicly visible on the distributed ledger known as the blockchain. That’s why malicious actors use third-party tools such as bitcoin tumblers to help hide the origins of bitcoins. It’s also why law enforcement officials and security researchers have been able to “follow” bitcoins to bust those buying and selling illicit goods and services.

Monero, on the other hand, allows users to send and receive funds without transactions being publicly visible on the blockchain, which is one of the reasons some malicious actors prefer it.

“Bitcoin is much more vulnerable to chain analysis,” advised one AlphaBay member in September 2016, when the dark web market adopted Monero. “I can’t stress strongly enough how much more secure it is for darknet transactions.”

2017-04-06_ABMonero
Monero is safer for both the buyer and seller, wrote one AlphaBay user.

Although cryptocurrencies such as Monero have not been as heavily scrutinized by law enforcement as the more popular bitcoin, their adoption among malicious actors is a concern — even if Monero is not perfect.

“There are obviously going to be issues if some of the more difficult to work with cryptocurrencies become popular,” Joseph Battaglia, a special agent working at the FBI’s Cyber Division in New York City, said at an event in January. “Monero is one that comes to mind, where it’s not very obvious what the transaction path is or what the actual value of the transaction is except to the end users.”

As a case in point, the dark web marketplace known as Oasis, which beat AlphaBay by two weeks to become the first market to accept Monero, suddenly went offline in late September 2016 in what may have been an exit scam. Various users quickly reported that at least 150 bitcoin was lost in the potential scam, but guessing how much Monero currency was stolen proved to be much more difficult.

“If we can’t find out, that’s a good thing,” wrote one redditor.

However, the FBI likely has a different view.

AlphaBay to Begin Accepting Ethereum as the Bitcoin Alternative Grows More Popular

Beginning next month, malicious actors using the dark web marketplace AlphaBay will be able to buy and sell their goods using the growing cryptocurrency platform Ethereum. Ethereum will become the third payment option available on the market, joining the longstanding cryptocurrency king bitcoin as well as the privacy-focused Monero, which was adopted by AlphaBay last September.

The announcement is good news for fans of Ethereum, whose Ether cryptocurrency has seen a continued surge of growth in 2017 and is the second most popular cryptocurrency after bitcoin.

2017-04-06_AlphaBayEthereum
AlphaBay will begin accepting Ethereum deposits and withdrawals on May 1, an administrator announced on the site’s forum in March.

Bitcoin is by far the most well-known cryptocurrency, and it has been widely adopted by malicious actors and dark web markets as a convenient and semi-anonymous form of digital payment. In fact, cryptocurrencies like bitcoin, dark web markets like AlphaBay, and extortion payments like ransomware are interconnected in that the growth of one has helped spur the growth of the others.

However, bitcoin is currently experiencing growing pains, and Ethereum has emerged over the past year as its main rival. Ethereum’s proponents claim that is it is a more versatile and scalable cryptocurrency. In fact, the idea of Ethereum goes beyond just currency, which is why it and other blockchain companies have been described as bitcoin 2.0. If bitcoin was about creating a decentralized payment system, Ethereum is about using that same concept to radically re-architect everything on the web — as Ethereum creator Vitalik Buterin describes it.

Fortune magazine explained in a September 2016 profile:

Ethereum’s power lies in its ability to automate complex relationships encoded in so-called smart contracts. The contracts function like software programs that encapsulate business logic — rules about money transfers, equity stake transfers, and other types of binding obligations — based on predetermined conditions. Ethereum also has a built-in programming language, called Solidity, which lets anyone build apps easily on top of it.

There’s ongoing debate over just how secure other cryptocurrencies are compared to bitcoin. For example, in June 2016 a hacker was able to exploit a flaw in the smart contract used by The DAO, a crowdsourced venture capital platform based on the Ethereum blockchain, in order to steal more than $50 million worth of Ether.

A controversial solution to address the theft was proposed, known as a “hard fork.” Cryptocurrencies use the concept of a blockchain, which is essentially a decentralized and agreed upon ledger of all the transactions that have occurred. The hard fork would change the agreed upon rules and create a new path forward for the currency — one that would invalidate the theft. However, some Ethereum users argued that the idea of hard fork went against the very principles of a decentralized network that was designed to combat a single authority. Those that eventually rejected the fork are now on a parallel version of the blockchain, Ethereum Classic, while the rest of the community moves forward on the other fork as Ethereum.

Despite the troubles, Ethereum continues to thrive. The concept of disrupting existing business models with decentralized blockchains has gained Ethereum interest not just from dark web markets, but from legitimate companies. In February it was announced that 30 organizations — including JPMorgan Chase, Microsoft, and Intel — would team up under the Enterprise Ethereum Alliance to enhance the privacy, security, and scalability of the Ethereum blockchain.

Ethereum’s Value: Past 90 Days

2017-04-06_EthereumMarketCap
Ethereum’s market cap has grown significantly on the heels of recent announcements, according to CoinMarketCap.

All of that news has helped to more than quadruple the market cap of Ethereum in 2017, from less a billion in January 2017 to around $4 billion on April 6.

It’s still nearly a month before the option goes live, so it is unclear how many security-obsessed cybercriminals on the dark web will actually use the payment option — or if they will stick with bitcoin. Nevertheless, being adopted by AlphaBay, which is by far the most popular dark web market according to SurfWatch Labs’ data, could potentially be a huge boost for Ethereum.

Ransomware Disrupting Business Operations and Demanding Higher Payouts

Malicious actors are continually fine-tuning their tactics, and one of the best examples of this is the evolution of ransomware. Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful.

As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious.

However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

A quick look at some of the ransomware mentioned in SurfWatch Labs new report.

It was just 13 months ago that Hollywood Presbyterian Medical Center made national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace.

For example:

  • On November 25, 2016, an HDDCryptor infection at the San Francisco Municipal Transportation Agency led to the temporary shutdown of ticketing machines and free rides for many passengers, costing an estimated $50,000 in lost fares.
  • On January 19, 2017, a ransomware infection of the St. Louis Public Library computer system temporarily halted checkouts across all 17 locations and led to a several-day outage of the library’s reservable computers. 
  • On January 31, 2017, a ransomware infection in Licking County, Ohio, led to the IT department shutting down more than a thousand computers and left a variety of departments – including the 911 call center – unable to use computers and perform services as normal for several days.
  • In February 2017 at the RSA Conference,  researchers from the Georgia Institute of Technology presented a proof-of-concept ransomware that targets the programmable logic controllers (PLCs) used in industrial control systems (ICS).

As the Georgia Institute of Technology researchers noted: “ICS networks usually have little valuable data, but instead place the highest value on downtime, equipment health, and safety to personnel. Therefore, ransomware authors can threaten all three to raise the value side of the tradeoff equation to make ICS ransomware profitable.”

In short, if actors understand what is most valuable to an organization and can find a way to effectively disrupt those goals, they can find success in yet-to-be targeted industries. It may require more legwork, but the higher potential payouts may make it worthwhile for some actors to engage in less widespread but potentially much more profitable attacks.

Government agencies, consumer services, educational institutions, healthcare organizations, and more have all had services disrupted by ransomware over the past six months.

In addition, just last week, researchers discovered a new ransomware family, dubbed “RanRan,” that doesn’t even ask for money. Instead, the ransomware attempts to force victims “to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” The malware is described by the researchers as “fairly rudimentary” and there are a number of mistakes in the encryption process, but it serves as an example of how malicious actors that are not financially motivated can nevertheless leverage ransomware to achieve their goals.

Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payouts. For more information on these evolving ransomware attacks, download SurfWatch Labs’ free report: Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

IRS and Cybercriminals Battle Over Billion Dollar Tax Fraud Industry

While new initiatives by the Internal Revenue Service (IRS) are making it harder for cybercriminals to successfully file fraudulent tax returns, those measures have not slowed down the theft of employee W-2 information this year.

The SurfWatch Labs analyst team has observed groups of malicious actors sharing concerns about government efforts to combat fraud, as well as tips on how those protections can be circumvented, in several discussion threads on popular dark web markets. Several of those actors suggested teaming up with other seasoned cybercriminals in order to share tactics and improve their success rates in the face of the new measures. “We’re gonna have to join forces if we are going to beat the odds this year,” wrote one actor on a now-deleted tax fraud discussion thread. Another actor in a separate thread echoed those sentiments: “The process has become much more difficult over the past couple of years, but [it’s] still doable to some extent. Not like in the good ‘ole days though.”

Another actor expressed concern over new verification codes to be included on 50 million W-2 forms during the 2017 tax season — up from two million forms using the codes last year. “My guess is if this is successful, then within 2 years it will be on every W2,” the actor wrote.

An actor in a tax fraud discussion thread speculating that the verification codes used on some W-2 forms may become more widespread in the future.

The IRS has partnered with certain Payroll Service Providers this tax season to provide a 16-digit code designed to help verify the accuracy of millions of W-2s. However, as the IRS noted in its announcement, the verification rollout is only a test and “omitted and incorrect W-2 Verification Codes will not delay the processing” of returns filed this year. Other more tangible efforts to combat tax fraud include the IRS holding any refunds claiming the Earned Income Tax Credit or the Additional Child Tax Credit until February 15 to provide more time to verify the accuracy of returns, and the requirement of an individual’s date of birth and previous-year’s adjusted gross income when using tax software for the first time. Some states also ask for additional identification information, such as driver’s license numbers, in order to file their returns.

Additional anti-fraud efforts have come largely because of the large volume of fraudulent tax returns filed each year. Over the first nine months of 2015, the IRS confirmed that 1.2 million fraudulent tax returns made it into the agency’s tax return processing systems. Attempts to combat the massive amount of fraud resulted in 787,000 fraudulent returns over the same period in 2016 — a nearly 50 percent drop. It’s too early to say how 2017 will fare in terms of the number of fraudulent returns and the total cost to the IRS. What is clear is that cybercriminals are continuing to target tax-related information such as W-2s despite those changes — and they’re having great success.

As I’ve noted in other articles, cybercriminals follow the path of of least resistance and most profit. While cybercriminals face more resistance than in the past, their motivation, opportunity and capability are clearly still there.

Tax-related cybercrime is cyclical, and cyber threat intelligence around the subject peaks around this time every year. However, this past February was the most active month in terms of the volume of data SurfWatch Labs has collected around tax fraud since May 2015, and that spike in 2015 was due to a large amount of threat intelligence data surrounding the theft of taxpayer information from the IRS’ “Get Transcript” service.

The amount of SurfWatch Labs’ tax-related cyber threat intelligence data peaked in February (data through March 6, 2017).

Much of the recent data directly relates to phishing incidents that have resulted in the theft of employee W-2 information. As we wrote in a blog early last month, malicious actors are using the same simple but effective phishing tactics that led to last year’s wave of successful W-2 thefts. This week we saw the number of organizations that have publicly confirmed breaches due to W-2 phishing surpass 100 for the year, and that number does not even include the numerous organizations that had W-2 information stolen through other means, such as data breaches or incidents at tax preparation firms or payroll providers.

That stolen W-2 information is then used to file fraudulent tax returns, commit other forms of identity theft, or sold on various dark web markets for around $10 each. That can translate into a decent profit for a cybercriminal actor who can successfully dupe a handful of payroll or human resource employees into handing over hundreds — or thousands — of W-2 forms at a time.

A vendor from AlphaBay says they have “tons” of stolen W-2 tax forms for sale for only $10 each.

But as we noted above, W-2 forms are now only part of the information needed to successfully dupe the IRS. Many returns will also need information such as the individual’s date of birth and previous year’s adjusted gross income. That information can be harder to come by, and how to best obtain that information is one of the key discussion points on the cybercriminal forums observed by our analysts.

“How do I get to know the AGI [Adjusted Gross Income]?” one actor asked the group in a discussion thread on a dark web forum. Another actor, who claims to have gone solo this year after previously being part of a group engaged in tax fraud, said information such as AGI generally requires other forms of data collection or social engineering. “You’ll have a tricky time getting it,” the actor warned. Later, the actor advised that AGI can often be found in an individual’s car note or home loan documentation.

An actor responding to previous posts about finding AGI figures, as well as the value of targeting 1120S corporate tax forms.

In a separate thread, the same actor wrote a long post that is part inspirational pep talk to wannabe fraudsters frustrated by the recent changes, part FAQ on how to best perform tax fraud. We won’t share the full details of that post here (including details such as which financial institutions and methods work best for receiving fraudulent tax return payments), as this post is meant to help illuminate the thought process of cybercriminals, not to serve as a walkthrough on how to successfully commit tax fraud. Nevertheless, the section on how to find an individual’s AGI is worth noting due to the lengths the actor claims to go — and may now need to go — in order to pull off a successful season of tax fraud.

The actor explained, “For everyone I targeted, I started researching them 6 months ago” by looking through public data for things like birth announcements (to “add that baby child credit”) or for minor offenses such as driving under the influence (to find people who have jobs “in the good bracket” that are also more likely to be “one of the last minute tax filers”).

“Lots of social engineering goes into this as well,” the actor wrote. “I have even been so bold to call some, pretending to solicit them into ‘free tax assistance’ [to] find out when they plan on filing.”

An actor offering advice on how to scout targets for tax fraud.

That extra legwork is why listings on dark web markets that include information such as AGI tend to sell at much higher prices than those without. For example, the listing below, which “contains all info needed for filing [a] tax refund,” was priced at $50, five times the price of a listing selling only stolen W-2 information.

A listing on the Hansa Market selling W-2 information along with the victim’s date of birth and the previous year’s adjusted gross income.

These discussions indicate that efforts made by the IRS, financial institutions, and others have made the practice of filing fraudulent tax returns more difficult for cybercriminal actors. Despite those efforts, a number of tax-related breaches continue to occur and a great deal of effort continues to be made by malicious actors to successfully bypass those protections and steal a slice of that lucrative tax pie.

As one actor reminded everyone: “Tax fraud is a billion dollar entity. Take your cut along with the others. Don’t be dissuaded.”

Fake Extortion Demands and Empty Threats on the Rise

I’ve previously written about the rise of extortion as an emerging trend for 2017, but if you didn’t want to take my word for it, you should have listened to the numerous warnings shared at this year’s RSA 2017. Cyber-extortion has become one of the primary cybersecurity-related issues facing organizations — and it appears to be here to stay.

My analyst team has researched cyber extortion and have found that malicious actors are not only engaging in these threat tactics, but they’re using the surging popularity of extortion and ransomware to target organizations with a variety of fake extortion demands and empty threats. We cover this topic in depth in our latest report, The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

In the graphic below I’ve noted some popular extortion threats, how actors carry out the threats and the impending results. Essentially they’re following the path of least resistance and most profit.

The Many Faces of Extortion: Popular Threats
extortion-only-breakdown

2017-02-28_extortionittbyyearupdated
The number of organizations publicly associated with ransom and extortion continues to grow, and 2017 is on pace to see the highest number yet, based on data from the first two months of the year.

The gist of it all is that organizations have real fear around these threats and trust that bad actors have the ability to carry out these threats. Putting trust in bad guys is a bad idea!

The fake ransoms are successful in large part because their real counterparts have impacted so many organizations. We’re already on pace to have more organizations publicly tied to ransoms and extortion in 2017 than any other year.

FBI officials have estimated the single subset of extortion known as ransomware to be a billion-dollar-a-year business, and fake ransomware threats have sprung up in the wake of that growth. A November 2016 survey of large UK businesses found that more than 40 percent had been contacted by cybercriminals claiming a fake ransomware infection. Surprisingly, two-thirds of those contacted reportedly paid the “bluff” ransom.

DDoS extortion threats are similarly low-effort cybercriminal campaigns, requiring only the sending of a threatening email. Earlier this month, Reuters reported that extortionists using the name “Armada Collective” had threatened Taiwanese brokerages with DDoS threats. Several of the brokerages experienced legitimate attacks following the threats; however, 2016 saw several campaigns leveraging the Armada Collective name where the threats were completely empty. One campaign generated over $100,000 in payments despite researchers not finding a single incident where a DDoS attack was actually made.

2017-01-30_armadaemail.png
A portion of the extortion email sent to the owner of Alpha Bookkeeping Services in Port Elizabeth, South Africa, in September 2016.

Extortion is also frequently tied to data breaches — both real and fake — as it is an another simple and direct avenue for cybercriminals to monetize stolen data. In January 2017 the E-Sports Entertainment Association (ESEA) was breached and the actor demanded a ransom payment of $100,000 to not release or sell the information on 1.5 million players.

ESEA said in its breach announcement that it did not pay the ransom because “paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data.”

That is what reportedly happened to many of the victims who paid ransoms to have their hijacked MongoDB and other databases restored: they found themselves out both the data and the ransom payment. As noted in our report, it’s hard to have faith in cybercriminals, and organizations who do pay ransoms should be aware that in many cases those actors may not follow through after receiving extortion payments.

For more information on extortion threats and how to keep your organization safe, download the free report: The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.