Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing” — where automated tools are used to exploit large batches of known user credentials to discover new accounts to take over.

SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.
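
Credential stuffing as described above leaves a recognizable trace in authentication logs: one source tries many different accounts, roughly once each, and most attempts fail. The following is an added example, not code from SurfWatch Labs or any company named here; the log format, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2016-07-26T10:00:01 203.0.113.7 alice@example.com FAIL
2016-07-26T10:00:03 203.0.113.7 bob@example.com FAIL
2016-07-26T10:00:04 198.51.100.20 heidi@example.com FAIL
2016-07-26T10:00:05 203.0.113.7 carol@example.com OK
2016-07-26T10:00:08 203.0.113.7 dave@example.com FAIL
2016-07-26T10:00:09 198.51.100.20 heidi@example.com OK
2016-07-26T10:00:10 203.0.113.7 erin@example.com FAIL
2016-07-26T10:00:12 203.0.113.7 frank@example.com FAIL
2016-07-26T10:01:00 192.0.2.50 ivan@example.com OK
2016-07-26T10:01:05 192.0.2.50 judy@example.com OK
2016-07-26T10:01:09 192.0.2.50 mallory@example.com FAIL
2016-07-26T10:01:15 192.0.2.50 niaj@example.com OK
2016-07-26T10:01:20 192.0.2.50 olivia@example.com OK
2016-07-26T10:01:31 192.0.2.50 peggy@example.com OK
2016-07-26T10:20:00 203.0.113.7 grace@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, user.lower(), result == "OK"


def detect_credential_stuffing(lines,
                               window=timedelta(minutes=5),
                               min_accounts=5,
                               max_attempts_per_account=2.0,
                               max_success_ratio=0.25):
    """Flag source IPs whose logins within `window` look like credential stuffing.

    Signature used (thresholds are illustrative assumptions):
      * many distinct accounts tried from one source,
      * only about one attempt per account (unlike brute force on one account),
      * a low success ratio (unlike a shared office or NAT address).
    Successful logins from a flagged source are returned as accounts to reset,
    including successes that arrive after the burst has ended.
    """
    recent = defaultdict(deque)   # ip -> events inside the sliding window
    findings = {}                 # ip -> {"peak_accounts", "accounts_to_reset"}

    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, success = parse_line(line)
        q = recent[ip]
        q.append((ts, user, success))
        # Drop events that have aged out of the window for this source.
        while q and ts - q[0][0] > window:
            q.popleft()

        accounts = {u for _, u, _ in q}
        successes = [u for _, u, s in q if s]
        attempts = len(q)

        looks_like_stuffing = (
            len(accounts) >= min_accounts
            and attempts / len(accounts) <= max_attempts_per_account
            and len(successes) / attempts <= max_success_ratio
        )
        if looks_like_stuffing:
            entry = findings.setdefault(
                ip, {"peak_accounts": 0, "accounts_to_reset": set()})
            entry["peak_accounts"] = max(entry["peak_accounts"], len(accounts))
            entry["accounts_to_reset"].update(successes)
        elif ip in findings and success:
            # Source was flagged earlier: treat any later success as suspect.
            findings[ip]["accounts_to_reset"].add(user)

    return {
        ip: {"peak_accounts": e["peak_accounts"],
             "accounts_to_reset": sorted(e["accounts_to_reset"])}
        for ip, e in findings.items()
    }


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

In the constructed log, the source with a single retried account and the shared address with mostly successful logins are not flagged; only the source that walks through six accounts is, and the two accounts it logged into are listed for reset.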

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year-old credentials appears to be the cause of the current breach of O2 accounts — as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.

While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third parties as a source of the compromise in their respective statements.

  • Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
  • Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.” 

DDoS Attacks Trending Over the Last 30 Days

DDoS attacks are growing in size and sophistication, says a new report from Arbor Networks, and those attacks have continued to impact a variety of organizations over the past few weeks.

According to Arbor Networks, a current average-sized DDoS attack, at about 1 Gbps, is capable of taking down almost any organization’s server. The average attack size in the first half of 2016 was 986 Mbps, which was a 30% increase over 2015. It is projected that the average size of a DDoS attack will reach 1.15 Gbps by the end of 2016.

Some highlights from the report include:

  • An average of 124,000 DDoS events per week over the last 18 months.
  • A 73% increase in peak attack size over 2015, to 579 Gbps.
  • 274 attacks over 100 Gbps monitored in the first half of 2016 compared to 223 throughout all of 2015.
  • 46 attacks over 200 Gbps monitored in the first half of 2016 compared to 16 throughout all of 2015.
  • The U.S., France and Great Britain are the top targets for attacks over 10 Gbps.

Lastly, reflection amplification attacks have continued to grow in popularity. The majority of larger DDoS attacks utilize this technique by using attack vectors such as DNS servers. Because of this, DNS was the most used protocol in 2016, taking over from NTP and SSDP in 2015, according to the report. The highest recorded reflection amplification attack size during the first half of 2016 was 480 Gbps.

DDoS attacks have been conducted for monetary gain, notoriety, retaliation, and even for personal pleasure.

Trending DDoS Attacks

Over the last couple weeks, many organizations have been targeted with DDoS attacks. The most talked about DDoS attack over the last 30 days is tied to the controversial and very popular Pokemon GO. A group called PoodleCorp claimed credit for the attack, with a motivation very similar to another infamous hacking group called Lizard Squad — they did it for the LULZ.


Not all the recent DDoS attacks were done for the LULZ, as many appear to be out of retaliation for past events. Here is a breakdown of some of the top trending DDoS attacks over the past 30 days.

Pokemon GO Server
On Saturday, July 16 a DDoS attack took down all Pokemon GO servers, which left many players unable to hunt for their Pokemon. The group behind the attack is a newer hacktivist group known as PoodleCorp. The servers were down for several hours before reestablishing a connection for players.

On July 18, the Pokemon servers were hit with another DDoS attack, this time from the group known as OurMine. The group said that “no one will be able to play this game till Pokemon Go contact us on our website to teach them how to protect it!”

On July 20, PoodleCorp announced plans for an upcoming attack against the Pokemon servers that is scheduled for August 1.

MIT
Security researchers have discovered more than 35 DDoS attacks targeting the Massachusetts Institute of Technology (MIT) so far in 2016. The attack vectors used in these campaigns involved devices vulnerable to reflection and amplification attacks and spoofed IP addresses. It appears the bulk of attacks were carried out using booter or stresser services. Stresser services are a concern for organizations and contribute to the proliferation of DDoS attacks, as the cost to utilize these services is often extremely low.

Philippines Government Websites
The Filipino government announced this week that 68 separate websites tied to the Philippines government were hit with DDoS attacks. The attacks started July 12 and carried over to the next few days.

It is believed that China is responsible for the attacks, as they correspond with a ruling by the Permanent Court of Arbitration at the Hague in the Netherlands that unanimously favored the Philippines over China. The ruling concerned newly created islands in the West Philippine Sea that China claimed even though those islands were in the Philippines’ maritime territories.

Some of the government websites affected by the DDoS attacks were also defaced, signed with the words “Chinese Government.” There is no actual evidence at this time that China was behind the attacks, but it appears this is likely the case due to the extremely tense international relationship between the two countries.

Steemit
The social network Steemit announced on July 14 that an unknown attacker was able to hack into user accounts and steal the crypto-currency known as Steem Power and Steem Dollars. More than 260 users were affected by the attack, and about $85,000 of the crypto-currency was obtained.

In response to the attacks, Steemit fixed the issue and restored all stolen funds to the users. As soon as the company made this announcement, it was targeted with a DDoS attack. The attack did little to affect the social network, as the company used the attack as an opportunity to take down its servers for maintenance and other upgrades.

WikiLeaks
WikiLeaks servers suffered a DDoS attack last Monday that lasted through Wednesday. The DDoS attack appears to be in response to WikiLeaks’ announcement of an upcoming data dump belonging to Turkey’s biggest political party — AKP (Justice and Development Party).

The cache of data contained 300,000 emails and 500,000 documents that belonged to the party. The announcement came three days after the failed military coup in Turkey which saw the deaths of 208 people.

The DDoS attack prevented WikiLeaks from posting the information. As of July 20, WikiLeaks servers were back online and the data was released.

U.S. Congress Websites
The U.S. Congress website along with two adjacent websites — the U.S. Library of Congress and the U.S. Copyright Office — were the victims of a DDoS attack that lasted for three days. The attack started with the Library of Congress website on the evening of July 17 and slowly enveloped the other websites over the next couple of days.

As of Wednesday the websites are up and running normally. It is not known who is behind the attack or what the motivation for the attack was.

Brazil
A Rio court in Brazil was the target of a DDoS attack perpetrated by Anonymous. The attack took place on Tuesday and only lasted a few hours. Anonymous attacked the Rio court for its decision to block the controversial WhatsApp throughout Brazil. The decision told ISPs to block the app, and Brazil’s five major ISP operators — Claro, Nextel, Oi, TIM, and Vivo — all complied with the order.

The tensions between WhatsApp and Brazil go back to February 2015, when WhatsApp was unable to help Brazilian law enforcement by decrypting messages sent over the social network. Brazilian courts have fined and temporarily banned WhatsApp, arrested a Vice President for Facebook Latin America for being linked with the social network, and have now put a permanent ban in place. However, due to the Anonymous DDoS attack the Brazil court lifted the ban on WhatsApp.

 

Cybercrime is Increasingly Interconnected, Says New SurfWatch Labs Report

The first half of 2016 is over, and SurfWatch Labs analysts have spent the past few weeks sifting through the huge amount of cybercrime data we collected — totaling tens of thousands of CyberFacts across more than 3,400 industry targets — in order to identify threat intelligence trends to include in our mid-year 2016 report.

“If anything,” the report notes, “the stories behind these breaches seem to contradict the increasingly familiar spin that follows most incidents: ‘We were the victim of a sophisticated attack. The incident has been contained.'”


To the contrary, the data behind the year’s many incidents indicates many cyber-attacks are neither sophisticated nor isolated.

For example, this year’s top trending cybercrime target was LinkedIn. In May 2016 LinkedIn announced that a 2012 breach, which was believed to have been contained four years ago by resetting passwords on impacted accounts, was much larger than originally thought. An additional 100 million members were affected. Since that announcement, reports continue to surface of secondary organizations having their data stolen due to a combination of those now exposed LinkedIn passwords, widespread password reuse among employees, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

To make matters worse, LinkedIn was just one of several massive credential dumps to make headlines — not to mention the numerous high-profile breaches affecting personal information or other sensitive data.

Trending Industry Targets Tied to Cybercrime in 1H 2016

SurfWatch Labs collected data on 3,488 industry targets tied to cybercrime in the first half of 2016. Of those, 1,934 industry targets were observed being discussed on the traditional web and 1,775 were observed on the dark web.

Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. As we noted in May, this has led to many companies making headlines for data breaches — even though a breach may not have occurred. For example:

  • Music service Spotify had a list of user credentials posted to Pastebin that were collected from other data breaches. This led to a series of articles about the company “denying” a data breach.
  • China’s online shopping site Taobao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts.
  • GitHub, Carbonite, Twitter, and more have all forced password resets for users after large-scale targeting of user accounts or lists of user credentials appeared on the dark web.
  • Other unnamed companies have confirmed to media outlets that sensitive information has been stolen recently due to password reuse attacks.

SurfWatch Labs’ data paints a picture of an increasingly connected cybercrime world where malicious actors leverage past successes to create new victims. The pool of compromised information widens; the effects of cybercrime ripple outwards.

However, those effects are largely dependent on industry sector and the types of information or resources that are attractive to different individuals, hacktivists, cybercriminal groups, and other malicious actors. SurfWatch Labs’ data so far this year reflects that fact.

Infected/exploited assets, service interruption and data stolen/leaked were the top trending effect categories overall in the first half of 2016, based on the percentage of CyberFacts that contained those tags.

For example, SurfWatch Labs’ report identifies infected/exploited assets as the top effect category overall, although it only appeared in 14% of entertainment and government-related CyberFacts. In those sectors, the majority of discussion was around account hijacks (37%) and service interruption (33%), respectively, as actors targeted social media accounts with large followings or hacktivists utilized defacement and DDoS attacks to spread their messages.

Similarly, the healthcare sector saw increased chatter around the financial loss and data altered/destroyed categories due to several high-profile ransomware attacks and warnings from various bodies about potential extortion attacks.

Other interesting data points and trends from the report include:

  • IT, global government, and consumer goods were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines. The consumer goods sector made up the largest share of industry targets with information bought, sold, or otherwise discussed on the dark web.
  • Employee data is being targeted more often. Some organizations reported falling victim to scams targeting data such as W-2 information even though they were able to successfully identify and avoid other more traditional wire fraud scams. Malicious actors may be trying to take advantage of these “softer” targets in the human resources, bookkeeping, or auditing departments by performing attacks that are not as easily recognizable as large-dollar wire fraud attempts.
  • Point-of-sale chatter remains relatively low. Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.
  • Ransomware and extortion threats continue to grow. The first half of 2016 saw a spike in ransomware and extortion-related tags as researchers, organizations, and government officials tried to deal with the growing and costly problem of data or services being held hostage for ransom.

For more threat intelligence trends, download the full Mid-Year 2016 Cyber Trends Report from SurfWatch Labs.

Top Dark Web Markets: HANSA, Piracy and Exit Scams

HANSA Market is the third most popular dark web market this year, according to data from SurfWatch Labs. It’s a new and growing market focused on the security of its users. Previously in this series we’ve talked about AlphaBay and the problem of stolen credentials and Dream Market and the cybercrime-as-a-service model. As we turn our attention to HANSA, it’s an opportunity to reflect on how these dark web markets work — and the reason there has been so much turnover the past few years.

Piracy is one of the top trending cybercrime categories on HANSA market. This includes pirated software, video games, movies, books and other media as well as credentials for related accounts. In the screenshot above a vendor is selling a collection of 21 ebooks by a popular author for just $4.99.

HANSA was created in response to the many exit scams that have occurred over the past few years. Most dark web markets require buyers to deposit money (bitcoins) before they can purchase. Once a market becomes popular, there can be a significant amount of bitcoins in limbo, and owners are often tempted to shut the market down and take all the money that has built up. HANSA created a system that they claim ensures that no exit scam is possible.

“After recent exit scams of various marketplaces (e.g. Evolution, BlackBank) we wanted to create a market where it is impossible for either admins or vendors to run away with your funds,” the admins wrote. “Most markets operate the same: Blindly deposit money into your account, wait for confirmations and then make the purchase. … On HANSA you do not have to deposit Bitcoins before your purchase. Every order is simply a Bitcoin transaction itself.”

How Do Exit Scams Work?

Not long ago — before the FBI took down Silk Road and creator Ross Ulbricht was sentenced to life in prison — there was a dream of a victimless black market where users could anonymously purchase illicit goods such as drugs beyond the reach of intrusive government laws. But as Wired’s Andy Greenberg wrote in January, that dream is now largely dead due to the many exit scams and the turnover in marketplace leaders over the past few years:

The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.

The most striking example of this is the Evolution Market exit scam. In March of 2015, the Evolution marketplace halted bitcoin withdrawals from the site for a week, using the excuse of technical difficulties as the owners, known as Verto and Kimble, let the virtual coffers build. Then they closed up shop and walked away with an estimated $12 million in bitcoin.

An admin for the market summed up the bad news to fellow users in a Reddit post, “I am so sorry, but Verto and Kimble have fucked us all.”

In April 2016, a year after the disappearance of Evolution, Nucleus Market, at the time the number two most popular dark web marketplace, suddenly vanished. Rumors of an exit scam abound.

However, not all exit scams are so high profile. Most exit scams are actually done by individual vendors, as Motherboard’s Jon Christian noted.

“It turns out that a logistical problem with darknet markets is that when a vendor throws in the towel, it’s very tempting for him or her to stop mailing drugs, but continue pocketing customers’ payments for as long as possible,” Christian wrote. “If you’ve built up a good reputation on a darknet market’s seller rating system — which, like eBay, is based on feedback from other users — why not keep pulling in cash until the review system catches up with you?”

Escrow Payments and Finalizing Early

Many markets offer protection to buyers against this type of scam in the form of escrow payments. A neutral third party such as the market holds the money until the buyer has received the goods. After the buyer receives the order, payment is released. In the case of disputes, marketplace admins often act as an arbiter. However, many buyers and sellers use something known as “Finalize Early.” Essentially, the buyer releases the funds from escrow before receiving the goods or services. Some vendors abuse this trust.

HANSA does not offer the option to Finalize Early, ensuring that extra layer of protection is behind all market transactions.

While this policy helps protect buyers from vendor exit scams, there is still the concern that the market itself may perform an exit scam. In fact, this is one reason why some vendors prefer Finalizing Early. With numerous transactions in escrow, the market can at any time be holding a significant amount of bitcoins, and that can be tempting to steal. Finalizing Early lets those vendors receive payment immediately.

Multisignature Transactions

This is where multisignature escrow applies. HANSA uses a 2-of-2 multisignature escrow process (vendor-HANSA). As they explain, “Funds can only be accessed by the vendor after the buyer finalizes a transaction and can never be accessed by the site staff. Theft from either party is impossible.”

In January HANSA announced that it now supports 2-of-3 multisig transactions (buyer-vendor-HANSA) as well.

“The only flaw our market had in the past was the loss of Bitcoins in cases like the vendor losing his/her Bitcoin private key or him/her refusing to refund buyers in cases of disputes,” HANSA announced. “Fortunately this has happened very rarely and we have reimbursed the buyer every time out of our own pocket. Still, this can be avoided.”

With 2-of-3 multisig transactions, money is transferred into an escrow fund shared by the buyer, the seller and HANSA. Once two out of those three parties approve the transaction, the funds are released.

This isn’t a new system. In fact, Evolution offered multisignature transactions designed to stop the exact kind of exit scam they eventually performed, but not many buyers used the feature.

As a moderator of the DarkNetMarket subreddit noted after the Evolution theft, “Maybe this will open more people’s eyes to the benefits of multisig.” Then he added, “Nah, who am I kidding? When has an event like this ever changed anything?”

The disadvantage is that the process can seem complicated and may turn away some users, which may be one of the reasons why HANSA is not quite as popular as AlphaBay and Dream Market — although at the moment it remains as one of the more trusted and stable dark web markets.

Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York Clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the healthcare-related information found for sale on the dark web are counterfeit documents and other identity information that can be used for different types of fraudulent purposes, including but not limited to medical. Although this information does not sell for hundreds of thousands of dollars and make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for approximately a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, non-state-sponsored health cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

“The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

This vendor is selling a wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that end, cyber threat intelligence and the dark web are vital.

BEC Scams Continue to Plague Businesses

In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion in losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.

The FBI is now saying that money lost from BEC scams is over $3 billion, with more than 22,000 victims falling prey to this attack.

“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”

The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.

“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.

In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate-looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.

Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.

Tax fraud was abundant in 2015. In many of these documented events, a BEC scam was used to compromise company W-2 information.

“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.

“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”

The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.

Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.
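The checkpoint idea above can be partly automated at the mail gateway. The following is an added example, not code from SurfWatch Labs or the FBI alert: it scores a message on the traits described in this post (executive impersonation, urgency, and a request for a wire transfer or W-2/PII data) and routes requests that arrive from a genuine internal address to out-of-band verification, since the alert notes that compromised executive mailboxes are used. The domain, executive name, keyword lists and sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # hypothetical corporate domain
EXECUTIVES = {"dana reyes"}     # hypothetical executive display names
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|bank details|beneficiary|invoice)\b", re.I)
PII = re.compile(r"\b(w-?2s?|payroll records|social security numbers?)\b", re.I)

# Constructed sample messages (single-part plain text, not real mail).
SAMPLES = {
    "lookalike_wire": """\
From: "Dana Reyes" <dana.reyes@examp1e.com>
Reply-To: dana.reyes.ceo@mail.test
To: ap@example.com
Subject: Urgent wire transfer

I need a wire transfer sent today. Keep this confidential until the deal closes.
""",
    "compromised_w2": """\
From: "Dana Reyes" <dana.reyes@example.com>
To: hr@example.com
Subject: W-2 copies

Please send me the W-2 forms for all employees as a PDF. I need them ASAP.
""",
    "benign": """\
From: "Sam Lee" <sam.lee@example.com>
To: team@example.com
Subject: Lunch menu

The cafeteria menu for next week is attached.
""",
}


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return the BEC signals found in one message and a routing decision."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    text = f'{msg.get("Subject", "")}\n{msg.get_payload()}'
    signals = {
        # Executive's name on an address outside the organisation.
        "exec_name_external": display.strip().lower() in EXECUTIVES
        and sender_domain != ORG_DOMAIN,
        # Sender domain is near, but not equal to, the real domain.
        "lookalike_domain": 0 < edit_distance(sender_domain, ORG_DOMAIN) <= 2,
        # Replies would go somewhere other than the apparent sender.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        "urgency": bool(URGENCY.search(text)),
        "payment_request": bool(PAYMENT.search(text)),
        "pii_request": bool(PII.search(text)),
    }
    impersonation = signals["exec_name_external"] or signals["lookalike_domain"]
    request = signals["payment_request"] or signals["pii_request"]
    if impersonation or (signals["reply_to_mismatch"] and request):
        action = "quarantine"
    elif request:
        # Headers look genuine (possibly a compromised mailbox): confirm the
        # request by phone or in person before any money or data moves.
        action = "verify_out_of_band"
    else:
        action = "deliver"
    return {"signals": signals, "action": action}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        fired = [k for k, v in result["signals"].items() if v]
        print(f"{name}: {result['action']} {fired}")
```

Keyword lists like these only narrow down what a person has to review; the out-of-band confirmation step is what stops a request sent from a compromised but genuine account.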

Cyber-Espionage Making Headlines Over Past Couple Weeks

Over the last week, at least five separate cyber-espionage-related news events have made headlines ranging from attacks against governments to company-related targets. The primary goal of cyber-espionage is to uncover company or government secrets, such as military plans, blueprints, or coveted intellectual property. SurfWatch Labs has collected CyberFacts on exactly 300 targets tied to espionage so far this year.

In 2016, central government is the top trending industry target of cyber-espionage.

Espionage Targets
In 2016, Central Government, which includes nation-state level government organizations, is the top trending target associated with espionage. 

Several groups have appeared in SurfWatch Labs’ data concerning espionage in 2016. Group 27 – a cyber-espionage group linked with the Seven Pointed Dagger malware campaign that utilizes a remote access Trojan known as Trochilus and has ties to Asia – is the top trending espionage actor in 2016.

Espionage Actors 2016
Group 27 is the top trending espionage actor so far in 2016. 

Recent Espionage Activity

As mentioned above, there have been five espionage-related events that have made headlines over the last week.

North Korea Hacks South Korea

In February 2014, North Korea began targeting about 140,000 computers throughout several South Korean defense contractor firms and government agencies. The attack was discovered back in February of 2016.

Companies that were not defense contractors were also targeted, such as SK Holdings group and Korean Air Lines, but it appears no data was actually obtained. According to researchers, about 95% of the data obtained in the attack by North Korea was defense related. One of the most coveted pieces of information obtained was the blueprints for the wings of F-15 fighter jets.

North Korea has denied any involvement concerning cyber-espionage attacks on South Korea. However, evidence obtained from these attacks has been traced back to the North Korean capital Pyongyang.

Russians Hack Network of Democratic National Committee

Two separate hacker groups with ties to the Russian government have infiltrated the network of the Democratic National Committee. The groups have been lovingly named “Cozy Bear” and “Fancy Bear.”

The attacks took place at different times. Cozy Bear first infiltrated the database in the summer of 2015 and was monitoring email and chat communications, while Fancy Bear appeared last April and targeted opposition research files. The Fancy Bear group was able to obtain information held on Donald Trump. Information held on Hillary Clinton and several other GOP political action committees were also targeted.

New Sofacy Campaign Targeting U.S. Government

A Russian-linked cyber-espionage group — known as Sofacy — sent a spear-phishing email to a U.S. government official from a compromised computer belonging to another country’s Ministry of Foreign Affairs. The email had a malicious attachment that, if opened, would have loaded two DLL files on the official’s computer.

One of the files contained a Carberp malware variant of the Sofacy Trojan, from which the group’s name is derived. The group has also been called Fancy Bear — which is tied to the Democratic National Committee hack — APT28, Sednit, Pawn Storm, and Strontium.

The good news in this attack is that it was full of mistakes. First of all, the RTF document attached to the email didn’t show any content, which immediately pointed to something being wrong. Also, old IP addresses and C&C server domains were used from past campaigns, which was another flag that this email was malicious.

Mofang Chinese APT Group

The Mofang Chinese APT cyber-espionage group has been around since 2012. The group is identified through its ShimRat malware and differs from other APT groups in that it exclusively uses social engineering tactics, not exploits, to target computer networks. More specifically, the group’s attack vector of choice is spear phishing.

The bulk of activity displayed from this group has been against the Myanmar government. The group has also been spotted targeting companies in the United States, Canada, Germany, India, and Singapore. Attacks from this group have continued throughout 2015.

Former IBM Employee Charged with Economic Espionage

On Tuesday, a former Chinese employee from the tech company IBM was charged by U.S. authorities with economic espionage for allegedly stealing source code from the company and handing it to the Chinese government.

Xu Jiaqiang, the defendant, offered the code to undercover U.S. FBI agents posing as tech company officials who were seeking software for their company. Jiaqiang was also intending to provide this source code to the Chinese National Health and Planning Commission where he was previously employed.

Jiaqiang’s indictment also brings with it three counts of economic espionage and three counts of trade secret theft. In total, he faces a maximum of 75 years in prison if convicted of all charges.

Despite Drop In Frequency, PoS Data Breaches are Still a Threat

In 2014, point-of-sale (PoS) data breaches against mainstream retail stores like Target and the Home Depot were primary talking points in cybersecurity. In 2016, PoS data breaches haven’t garnered as much attention, with threats like ransomware and more sophisticated phishing attacks taking up the mantle of the leading concerns in cybersecurity.

Over the last two years, the amount of chatter around PoS breaches has dropped dramatically.

Point of sale chatter
The chart above shows all PoS-related CyberFacts from June 2014 – May 2016. Outside of a rise in CyberFacts starting in October 2015, the amount of chatter concerning PoS breaches has remained low.

PoS breaches still occur, but the frequency of attacks, as well as the targets, have changed. In 2014, department stores were impacted the most by PoS data breaches. Since that time, cybercriminals have turned their attention towards hotels, restaurants and bars. In many instances, a hotel had an associated restaurant or bar’s payment system compromised. The payment card breach against Starwood properties is one example of this activity.

POS chatter by group
Cybercriminals have shifted to new targets with regards to PoS breaches. While Department Stores were a top trending target in 2014, since then, cybercriminals have shifted their efforts to breaching PoS systems at Hotels, Motels and Cruiselines. 

New EMV Standards Having an Impact on PoS Cybercrime

Back in October 2015, the United States implemented new EMV standards aimed at protecting against PoS cybercrime. Many big retail stores have adopted the technology, which has helped reduce the number of payment card cyber-attacks against them.

There have been well-documented problems so far with EMV, from customers not having access to chip-enabled cards to retailers offering customers the option to swipe their card rather than forcing them to use the Chip-and-PIN technology. Perhaps the biggest problem with the EMV shift is the number of retail companies that simply do not offer customers payment terminals that accept the new Chip-and-PIN cards.

Despite the problems, EMV has positively impacted PoS cybercrime. However, due to the increased security, cybercriminals are turning their attention to other, more lucrative attack vectors. In 2016, phishing and ransomware attacks have both trended highly.

Latest PoS Data Breaches and Malware

However, cybercriminals haven’t completely turned away from attacking payment terminals. To date, SurfWatch Labs has collected information on 23 industry targets related to PoS data breaches.

In what is probably the most recent of those breaches, security researcher Brian Krebs has reported fraudulent activity involving the Texas-based restaurant chain CiCi’s Pizza. In this event, a cybercriminal posed as a “technical support specialist” for the company’s PoS provider, which allowed access to payment card data. This social engineering technique is one way cybercriminals can circumvent EMV (assuming CiCi’s Pizza utilized these payment terminals).

The old-fashioned malware attack vector is still being utilized as well to conduct attacks on PoS systems. New variants are still being created and continue to evolve. Some of the latest PoS malware families to make headlines include:

  • TreasureHunt PoS
  • AbaddonPOS
  • Multigrain
  • FighterPOS
  • FastPOS

With EMV implementation taking place at new retail locations daily, the number of PoS-related data breaches is bound to decrease. Protecting customers at the point of physical payment is paramount to retail operations, but organizations can do more. Social engineering and phishing attempts are among the biggest threats facing organizations today, and Chip-and-PIN won’t protect against this threat. Deploying physical security features like firewalls is obviously important, but educating employees about phishing and social engineering tactics is arguably just as important a cybersecurity strategy.

Top 5 Items for Sale on the Dark Web, and What Businesses Can Learn From Them

In April 2016, the dark web market Nucleus went offline. Before its disappearance, Nucleus had become the number two most popular market on the dark web, hosting tens of thousands of listings for a variety of illicit goods and services. The debate continues around why Nucleus vanished; however, it was just one of the many different markets where users could go to anonymously purchase credentials to customer accounts, stolen payment card data, pirated software, counterfeit currency and goods, malware, hacking services and more.

Screenshot of Nucleus Market before it went offline in May.

Knowing this can be quite useful to businesses and threat researchers. It can be leveraged for valuable cyber threat intelligence including the kind of data being bought and sold by cybercriminals, tools and services that are commonly used, and vulnerabilities that are being actively exploited. Most importantly, the dark web provides much needed context. But with the huge number of threats out there, some legitimate and some not, where should organizations focus their resources? Threat intelligence from the dark web can help provide businesses with that important insight. With that in mind, here are five of the most common items for sale on the dark web, and how that information can help organizations combat cybercrime, according to SurfWatch Labs data.

1. Stolen Credentials

Although a wide variety of cybercrime-related items are for sale on the dark web, stolen credentials are among the most prevalent. When looking at the most popular dark web market in 2016, credentials trade accounts for nearly a quarter of the data collected by SurfWatch Labs. Cybercriminals initially get this information by using phishing messages, malicious applications, and other methods to get malware such as keyloggers installed on victims’ devices. These stolen usernames and passwords often end up for sale on the dark web where other malicious actors then use them for a variety of purposes. Although online banking accounts are a natural target, other types of credentials readily available for purchase include employee and personal email accounts, social media accounts, eBay and PayPal accounts, and other popular services such as Netflix, Uber, and more.

How this can help your organization: With the huge number of data breaches and stolen credentials out there, it is likely that some employees have had their usernames and passwords compromised, and in many instances those include work-related email addresses. Monitoring the dark web for stolen credentials related to your brand and your employees can allow you to educate users, prevent fraudulent logins and stop a future attack from spreading.
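One way to act on a credential dump once monitoring has surfaced it, shown as an added example that is not SurfWatch Labs code: keep only the entries for your own domain, test each leaked password against the stored salted hash, and decide per account whether to force a reset, notify the user, or investigate. The `email:password` dump layout, the PBKDF2 user store, the domain and every account below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ORG_DOMAIN = "example.com"   # hypothetical corporate domain
ITERATIONS = 100_000         # assumed PBKDF2 work factor of the user store
SEVERITY = {"investigate": 0, "notify_user": 1, "force_reset": 2}


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, standing in for the real password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store (an identity provider would hold this in practice).
USER_STORE = {
    "alice@example.com": make_user("Winter2016!"),
    "bob@example.com": make_user("c0rrect-horse-battery"),
}

# Constructed dump lines in an assumed "email:password" layout.
LEAK_LINES = [
    "alice@example.com:Winter2016!",    # leaked password is still in use
    "BOB@Example.com:oldpassword1",     # exposed, but password has changed
    "carol@example.com:hunter2",        # our domain, no matching account
    "dave@other.test:letmein",          # someone else's domain
    "garbage line without separator",   # malformed, must be skipped
    "eve@example.com:pa:ss:word",       # password that itself contains ':'
]


def parse_leak(lines):
    """Return (email, password) pairs, splitting on the first ':' only."""
    entries = []
    for line in lines:
        email, sep, password = line.strip().partition(":")
        email = email.strip().lower()
        if not sep or not password or email.count("@") != 1:
            continue
        entries.append((email, password))
    return entries


def triage_leak(lines, user_store, org_domain=ORG_DOMAIN):
    """Map each exposed corporate address to the most severe action needed.

    The result holds addresses and actions only; leaked passwords are never
    stored or returned.
    """
    actions = {}
    for email, password in parse_leak(lines):
        if email.rsplit("@", 1)[1] != org_domain:
            continue
        user = user_store.get(email)
        if user is None:
            # Former employee, alias or typo: worth a manual look.
            action = "investigate"
        elif hmac.compare_digest(hash_password(password, user["salt"]),
                                 user["hash"]):
            # The leaked password would still log in: reset it now.
            action = "force_reset"
        else:
            # Address is exposed but the password no longer matches.
            action = "notify_user"
        if SEVERITY[action] >= SEVERITY.get(actions.get(email), -1):
            actions[email] = action
    return actions


if __name__ == "__main__":
    for email, action in sorted(triage_leak(LEAK_LINES, USER_STORE).items()):
        print(f"{email}: {action}")
```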

 


2. Fraud and Stolen Identities

When a point-of-sale data breach occurs, that stolen payment card information often ends up for sale on various dark web markets. Cybercriminals act very quickly to monetize those accounts. The longer a stolen card is on the market, the less valuable it becomes due to the likelihood of it being tied to a data breach, theft, or other fraud — and cancelled by the bank or cardholder. Other items for sale related to fraud include counterfeit documents such as passports and driver’s licenses as well as personal information needed to open lines of credit such as Social Security numbers, dates of birth and other identifiers. Like traditional crime, cybercrime is largely driven by money, and fraud and stolen identities have traditionally been the go-to methods for turning a quick profit. However, it is not just the occasional thugs perpetrating these acts. It is often professional cybercrime rings run by gangs in other countries that have been perfecting their techniques for years.

How this can help your organization: Many point-of-sale data breaches aren’t discovered until the stolen payment card information shows up for sale or fraudulent charges begin occurring on enough cards to pinpoint a source of the compromise. By finding the stolen information sooner rather than later, retailers and financial institutions can shorten the shelf life of stolen cards and reduce potential losses.


3. Intellectual Property

Media piracy is a popular practice on the dark web. Stolen ebooks, music, movies and other forms of entertainment are sold at a fraction of the cost — with none of the profits going to the creators. In addition to piracy, even more damaging forms of intellectual property are bought and sold on the dark web. This may include source code, stolen customer lists, trade secrets and other sensitive data stolen from organizations. A report by the Commission on the Theft of Intellectual Property stated that stolen intellectual property costs the United States as much as $300 billion each year, and the Center for Responsible Enterprise and Trade estimates trade secret theft costs between one and three percent of the GDP of advanced economies. Not all of that is sold on the dark web — much of it is nation-state espionage — however, of all the items for sale on the dark web, intellectual property tends to be the most impactful and have the most long-term consequences for organizations.

How this can help your organization: Finding intellectual property such as source code for sale on the internet is a significant cause for concern. Unlike payment card information, which can be stolen from a variety of locations, intellectual property is a likely indicator of either an intruder gaining access or an insider selling valuable information. Media piracy, which is the most common form of intellectual property for sale, can lead to a significant loss of income, particularly if that item finds its way onto popular torrent sites where users freely share stolen material.


4. Supply Chain Threats

Effective threat intelligence should include all the cyber risks facing an organization, including risk faced by third-party partners and vendors. Vendors may have their own credentials or intellectual property for sale on the dark web, or there may be relevant vulnerabilities that are being actively exploited by malicious actors. Those potential issues may move down the supply chain and impact other organizations along the way. For example, in April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach into web hosting provider Invision Power Services, whose customers include professional sports leagues as well as major media and entertainment companies. A malicious actor indicated plans to infect those brands’ users with malware. Although these incidents are often not the direct fault of those companies, the fallout from customers, investors and regulators does tend to fall directly at the feet of those organizations.

How this can help your organization: Vendors and the supply chain are among the most common causes of data breaches, yet they’re often a blind spot when it comes to an organization’s cybersecurity practices. Having insight into potential issues not just within your organization, but with your partners can help to give a more complete picture of your organization’s risk and help alert you to any potential issues before they make their way down the supply chain and into your business.


5. Hacking Tools and Services

In addition to stolen items, malicious actors can purchase many different types of hacking tools and services. One popular market actually began by specializing in selling zero-days and other rare exploits. For example, one user was previously selling a new way to hack Apple iCloud accounts for $17,000. Other items for sale include exploit kits, keylogging malware, phishing pages, remote access Trojans, hacking guides and more. The cybercrime tools purchased may even come with subscription services, easy-to-use interfaces, technical support and other features often associated with legitimate software. In addition, cybercrime services are for sale including distributed denial-of-service attacks, doxing and help hacking accounts. The cybercrime-as-a-service model has segmented the market so that actors can specialize in their own field, whether that is running a botnet, creating exploit kits or stealing credentials. All types of cybercrime tools and services are available — for a price.

How this can help your organization: Knowing what tools are readily available and popular can help organizations defend against common attack methods. In addition, new exploits that are put up for sale or modifications to existing tools can provide insight into how cybercriminals are evolving their attacks in order to evade detection. This context, combined with other dark web threats, can help provide the necessary threat intelligence to help effectively guide your organization’s cyber risk management strategy.


Top Dark Web Markets: With Dream Market You Can Be a Criminal Too!

Two weeks ago we talked about the disappearance of Nucleus Market and how many of its former users have moved to AlphaBay, the unquestioned leader in terms of current dark web activity.

This week we turn our attention to Dream Market, the second most popular dark web market of 2016, according to SurfWatch Labs’ threat intelligence data.

A Quick Look at Dream Market

The places where cybercriminals go to sell their illicit goods and services are constantly changing. This is due to a combination of exit scams that rip off buyers, law enforcement disrupting operations, and a healthy paranoia that may lead those running certain markets to close up shop before getting caught. Dream Market has been around since November 2013 — a significant achievement in the ever-evolving cybercriminal scene. At two-and-a-half years of age, it is the oldest existing dark web marketplace, and that longevity has helped it to establish a certain level of trust among its users.

Although most dark web markets sell a wide variety of items, certain sites tend to attract specific types of listings over others. For example, when we wrote about AlphaBay, we focused on the problem of stolen credentials, the market’s most popular practice tag, according to SurfWatch Labs’ data.

When looking at Dream Market, credentials trade is much less popular. Instead, the most popular type of listing involves crimeware.

This heat map is colored by the most popular cybercrime practice tags found on each market, with red signifying a higher percentage of listings. Interestingly, the three most popular markets this year all have a different focus: carded account trade for the now-defunct Nucleus Market, credentials trade for AlphaBay, and crimeware trade for Dream Market.

Although Dream Market’s popularity is growing, some users have reported occasional issues accessing the market since Nucleus went offline. This may be due to the influx of former Nucleus users or — as has occurred in the past — DDoS attacks from competitors trying to disrupt the user base.

Crimeware Trade and “Sophisticated” Cybercriminals

There’s a perception that cybercriminals are growing increasingly sophisticated. This is driven home by the fact that nearly every company’s PR team rolls out the “we were victims of a sophisticated cyber-attack” line after each incident. It’s true; the cybercrime-as-a-service model has allowed for advanced techniques to be more readily available to the average hacker. However, the root causes of data breaches and other cyber incidents tend to remain relatively unsophisticated.

When looking at the many listings on Dream Market related to crimeware trade, it’s clear that not everyone is a criminal mastermind performing million-dollar wire fraud or business email compromise scams. In fact, many crimeware items for sale on Dream Market and elsewhere aren’t malware like remote access Trojans or keyloggers at all, but rather basic guides on how to perform simple, low-level thefts.

For example, there’s the below vendor who’s selling a guide on how to scam a major retailer for in-store credit. This “dead serious” scam has even been used to make money to take dates out for drinks and to get a tank of gas. Your satisfaction is guaranteed!


Are you hungry? You won’t be anymore if you follow this other vendor’s advice on scamming a popular pizza chain. Get unlimited free pizza.


Or are you an aspiring fraudster looking for someone to take you under their wing? For just the low price of $2.99, you can learn how to take advantage of this company’s obvious security flaws, handy smartphone application, and no-questions-asked refund policy. The vendor even claims it’s legal!


Or maybe you’ve hit hard times and need a few bucks. No worries! This vendor has a guide that’s “perfect for those in financial instability situations.” Just purchase some of the many bank account credentials that are advertised with enticing balances, and pair those with this handy step-by-step tutorial to cash them out — no knowledge necessary.


Or maybe you hear about all these tools used to discover vulnerabilities and hack businesses, but you don’t know how to use them. There are plenty of guides for those without technical knowledge.


Of course, real malware, tools and hacking services are for sale, along with stolen credentials, pirated media, counterfeit documents and more.

Cybercrime-as-a-Service

Although it’s fun to look at some of the over-the-top salesmanship and scams for sale on Dream Market and others, it is important to note that those low-dollar fraudulent charges, while not enough to make news headlines, do have a significant impact on the companies they’re targeting and the individuals they’re ripping off.

Also, the fact that potential criminals can have their hands held throughout the whole process of cybercrime — from phishing to malware to cashing out funds — is a growing concern. As we wrote in SurfWatch Labs’ 2015 Year in Review, “This separation of the technical aspect of cybercrime has widened the pool of potential hackers and lessened the knowledge gap that previously separated groups of malicious actors.”

There is no need to build an exploit kit or point-of-sale malware from scratch. Simply purchase the latest tools complete with customer service and technical support. Need a phishing page or information on a company’s employees? Buy one of the many guides on social engineering. No time for that? Simply hire one of the many services to do the technical legwork for you.

The good news? All of the information and tools available to those wannabe hackers can be leveraged by organizations as well. This dark web threat intelligence can help us better understand the relevant cyber threats facing organizations, their supply chain and their customers.

Next week we’ll look at another dark web market to see what intelligence we can learn.