DDoS Attacks Trending Over the Last 30 Days

DDoS attacks are growing in size and sophistication, says a new report from Arbor Networks, and those attacks have continued to impact a variety of organizations over the past few weeks.

According to Arbor Networks, a current average-sized DDoS attack, at about 1 Gbps, is capable of taking down almost any organization’s server. The average attack size in the first half of 2016 was 986 Mbps, a 30% increase over 2015. It is projected that the average size of a DDoS attack will reach 1.15 Gbps by the end of 2016.

Some highlights from the report include:

  • An average of 124,000 DDoS events per week over the last 18 months.
  • A 73% increase in peak attack size over 2015, to 579 Gbps.
  • 274 attacks over 100 Gbps monitored in the first half of 2016 compared to 223 throughout all of 2015.
  • 46 attacks over 200 Gbps monitored in the first half of 2016 compared to 16 throughout all of 2015.
  • The U.S., France and Great Britain are the top targets for attacks over 10 Gbps.

Lastly, reflection amplification attacks have continued to grow in popularity. The majority of larger DDoS attacks utilize this technique, using attack vectors such as DNS servers. Because of this, DNS was the most used protocol in 2016, taking over from NTP and SSDP in 2015, according to the report. The highest recorded reflection amplification attack size during the first half of 2016 was 480 Gbps.
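The reflection pattern described above has a recognizable shape on the victim’s side: replies from many distinct reflectors, all with the same well-known UDP source port (53 for DNS, 123 for NTP, 1900 for SSDP), converging on one address the victim never queried. The following detector is an added illustration written for this post; it is not code from Arbor Networks or SurfWatch Labs, the flow-record format it parses is an assumed, constructed one rather than any real exporter’s, and all addresses come from the RFC 5737 documentation ranges.

```python
"""Flag reflection/amplification floods in constructed flow records.

Added illustration, not code from the Arbor report or the original post.
Heuristic: reflected traffic arrives from many distinct reflector IPs that
all use the same well-known UDP source port (53 DNS, 123 NTP, 1900 SSDP),
aimed at a single victim address, carrying large packets.  Legitimate
DNS/NTP replies come from the handful of servers a host actually queried.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Reflection-prone UDP services named in the report summary above.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


class Flow(NamedTuple):
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    bytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow line.

    Assumed (constructed) format: ts src sport dst dport proto bytes packets
    """
    ts, src, sport, dst, dport, proto, nbytes, npkts = line.split()
    return Flow(float(ts), src, int(sport), dst, int(dport), proto,
                int(nbytes), int(npkts))


def find_reflection_floods(lines: List[str], min_reflectors: int = 20,
                           min_avg_pkt: int = 600) -> List[Dict]:
    """Group UDP flows by (victim, reflector service) and flag groups with
    many distinct sources and large average packets."""
    groups = defaultdict(lambda: {"srcs": set(), "bytes": 0, "packets": 0,
                                  "first": None, "last": None})
    for line in lines:
        f = parse_flow(line)
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        g = groups[(f.dst, f.sport)]
        g["srcs"].add(f.src)
        g["bytes"] += f.bytes
        g["packets"] += f.packets
        g["first"] = f.ts if g["first"] is None else min(g["first"], f.ts)
        g["last"] = f.ts if g["last"] is None else max(g["last"], f.ts)

    alerts = []
    for (dst, sport), g in groups.items():
        avg_pkt = g["bytes"] / g["packets"]
        if len(g["srcs"]) >= min_reflectors and avg_pkt >= min_avg_pkt:
            window = max(g["last"] - g["first"], 1.0)   # avoid divide-by-zero
            alerts.append({
                "victim": dst,
                "service": REFLECTOR_PORTS[sport],
                "reflectors": len(g["srcs"]),
                "avg_pkt_bytes": round(avg_pkt),
                "bytes_per_sec": round(g["bytes"] / window),
            })
    return sorted(alerts, key=lambda a: -a["bytes_per_sec"])


def constructed_sample() -> List[str]:
    """Constructed flow lines: 8 benign records followed by a 40-reflector flood."""
    lines = []
    # Benign: one resolver answering one client with small replies.
    for i in range(5):
        lines.append(f"{i}.0 198.51.100.53 53 203.0.113.20 40000 udp 120 1")
    # Benign: three NTP servers answering one client.
    for i, src in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        lines.append(f"{i}.5 {src} 123 203.0.113.21 123 udp 90 1")
    # Flood: 40 resolvers (constructed addresses) replying to a victim that
    # never asked, each reply large enough to fragment.
    for i in range(1, 41):
        lines.append(f"{i * 0.25:.2f} 192.0.2.{i} 53 203.0.113.10 {30000 + i} udp 3000 2")
    return lines


if __name__ == "__main__":
    for alert in find_reflection_floods(constructed_sample()):
        print(alert)
```

The thresholds are deliberately parameters: the right `min_reflectors` and `min_avg_pkt` depend on how many resolvers and NTP peers a network legitimately talks to, so they should be tuned against a baseline of normal traffic before the rule is trusted to page anyone.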

DDoS attacks have been conducted for monetary gain, notoriety, retaliation, and even for personal pleasure.

Trending DDoS Attacks

Over the last couple of weeks, many organizations have been targeted with DDoS attacks. The most talked about DDoS attack over the last 30 days is tied to the controversial and very popular Pokemon GO. A group called PoodleCorp claimed credit for the attack, with a motivation very similar to another infamous hacking group called Lizard Squad — they did it for the LULZ.


Not all the recent DDoS attacks were done for the LULZ, as many appear to be out of retaliation for past events. Here is a breakdown of some of the top trending DDoS attacks over the past 30 days.

Pokemon GO Server
On Saturday, July 16 a DDoS attack took down all Pokemon GO servers, which left many players unable to hunt for their Pokemon. The group behind the attack is a newer hacktivist group known as PoodleCorp. The servers were down for several hours before reestablishing a connection for players.

On July 18, the Pokemon servers were hit with another DDoS attack, this time from the group known as OurMine. The group said that “no one will be able to play this game till Pokemon Go contact us on our website to teach them how to protect it!”

On July 20, PoodleCorp announced plans for an upcoming attack against the Pokemon servers that is scheduled for August 1.

MIT
Security researchers have discovered more than 35 DDoS attacks targeting the Massachusetts Institute of Technology (MIT) so far in 2016. The attack vectors used in these campaigns involved devices vulnerable to reflection and amplification attacks and spoofed IP addresses. It appears the bulk of attacks were carried out using booter or stresser services. Stresser services are a concern for organizations and for the proliferation of DDoS attacks, as the cost to utilize these services is often extremely low.

Philippines Government Websites
The Filipino government announced this week that 68 separate websites tied to the Philippines government were hit with DDoS attacks. The attacks started July 12 and carried over to the next few days.

It is believed that China is responsible for the attacks, as they correspond with a ruling made by the Permanent Court of Arbitration at The Hague in the Netherlands that ruled unanimously in favor of the Philippines over China. The ruling concerned newly created islands located in the West Philippine Sea that China claimed even though those islands were in the Philippines’ maritime territories.

Some of the government websites affected by the DDoS attacks were also defaced, signed with the words “Chinese Government.” There is no actual evidence at this time that China was behind the attacks, but it appears this is likely the case due to the extremely tense international relationship between the two countries.

Steemit
The social network Steemit announced on July 14 that an unknown attacker was able to hack into user accounts and steal the crypto-currency known as Steem Power and Steem Dollars. More than 260 users were affected by the attack, and about $85,000 of the crypto-currency was obtained.

In response to the attacks, Steemit fixed the issue and restored all stolen funds to the users. As soon as the company made this announcement, it was targeted with a DDoS attack. The attack did little to affect the social network, as the company used the attack as an opportunity to take down its servers for maintenance and other upgrades.

WikiLeaks
WikiLeaks servers suffered a DDoS attack last Monday that lasted through Wednesday. The DDoS attack appears to be in response to WikiLeaks’ announcement of an upcoming data dump belonging to Turkey’s biggest political party — AKP (Justice and Development Party).

The cache of data contained 300,000 emails and 500,000 documents that belonged to the party. The announcement came three days after the failed military coup in Turkey which saw the deaths of 208 people.

The DDoS attack prevented WikiLeaks from posting the information. As of July 20, WikiLeaks servers were back online and the data was released.

U.S. Congress Websites
The U.S. Congress website along with two adjacent websites — the U.S. Library of Congress and the U.S. Copyright Office — were the victims of a DDoS attack that lasted for three days. The attack started with the Library of Congress website on the evening of July 17 and slowly enveloped the other websites over the next couple of days.

As of Wednesday the websites are up and running normally. It is not known who is behind the attack or what the motivation for the attack was.

Brazil
A Rio court in Brazil was the target of a DDoS attack perpetrated by Anonymous. The attack took place on Tuesday and only lasted a few hours. Anonymous attacked the Rio court for its decision to block the controversial WhatsApp throughout Brazil. The decision told ISPs to block the app, and Brazil’s five major ISP operators — Claro, Nextel, Oi, TIM, and Vivo — all complied with the order.

The tensions between WhatsApp and Brazil go back to February 2015, when WhatsApp was unable to help Brazilian law enforcement by decrypting messages sent over the social network. Brazilian courts have fined and temporarily banned WhatsApp, arrested a vice president of Facebook Latin America for being linked with the social network, and now a permanent ban has been put in place. However, due to the Anonymous DDoS attack, the Brazilian court lifted the ban on WhatsApp.


Cybercrime is Increasingly Interconnected, Says New SurfWatch Labs Report

The first half of 2016 is over, and SurfWatch Labs analysts have spent the past few weeks sifting through the huge amount of cybercrime data we collected — totaling tens of thousands of CyberFacts across more than 3,400 industry targets — in order to identify threat intelligence trends to include in our mid-year 2016 report.

“If anything,” the report notes, “the stories behind these breaches seem to contradict the increasingly familiar spin that follows most incidents: ‘We were the victim of a sophisticated attack. The incident has been contained.’”

Download the full Mid-Year 2016 Cyber Trends Report

To the contrary, the data behind the year’s many incidents indicates many cyber-attacks are neither sophisticated nor isolated.

For example, this year’s top trending cybercrime target was LinkedIn. In May 2016 LinkedIn announced that a 2012 breach, which was believed to have been contained four years ago by resetting passwords on impacted accounts, was much larger than originally thought. An additional 100 million members were affected. Since that announcement, reports continue to surface of secondary organizations having their data stolen due to a combination of those now exposed LinkedIn passwords, widespread password reuse among employees, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

To make matters worse, LinkedIn was just one of several massive credential dumps to make headlines — not to mention the numerous high-profile breaches affecting personal information or other sensitive data.

Trending Industry Targets Tied to Cybercrime in 1H 2016

SurfWatch Labs collected data on 3,488 industry targets tied to cybercrime in the first half of 2016. Of those, 1,934 industry targets were observed being discussed on the traditional web and 1,775 were observed on the dark web.

Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. As we noted in May, this has led to many companies making headlines for data breaches — even though a breach may not have occurred. For example:

  • Music service Spotify had a list of user credentials posted to Pastebin that were collected from other data breaches. This led to a series of articles about the company “denying” a data breach.
  • China’s online shopping site Taobao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts.
  • GitHub, Carbonite, Twitter, and more have all forced password resets for users after large-scale targeting of user accounts or lists of user credentials appeared on the dark web.
  • Other unnamed companies have confirmed to media outlets that sensitive information has been stolen recently due to password reuse attacks.

SurfWatch Labs’ data paints a picture of an increasingly connected cybercrime world where malicious actors leverage past successes to create new victims. The pool of compromised information widens; the effects of cybercrime ripple outwards.

However, those effects are largely dependent on industry sector and the types of information or resources that are attractive to different individuals, hacktivists, cybercriminal groups, and other malicious actors. SurfWatch Labs’ data so far this year reflects that fact.

Infected/exploited assets, service interruption and data stolen/leaked were the top trending effect categories overall in the first half of 2016, based on the percentage of CyberFacts that contained those tags.

For example, SurfWatch Labs’ report identifies infected/exploited assets as the top effect category overall, although it only appeared in 14% of entertainment- and government-related CyberFacts. In those sectors, the majority of discussion was around account hijacks (37%) and service interruption (33%), respectively, as actors targeted social media accounts with large followings or hacktivists utilized defacement and DDoS attacks to spread their messages.

Similarly, the healthcare sector saw increased chatter around the financial loss and data altered/destroyed categories due to several high-profile ransomware attacks and warnings from various bodies about potential extortion attacks.

Other interesting data points and trends from the report include:

  • IT, global government, and consumer goods were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines. The consumer goods sector made up the largest share of industry targets with information bought, sold, or otherwise discussed on the dark web.
  • Employee data is being targeted more often. Some organizations reported falling victim to scams targeting data such as W-2 information even though they were able to successfully identify and avoid other more traditional wire fraud scams. Malicious actors may be trying to take advantage of these “softer” targets in the human resources, bookkeeping, or auditing departments by performing attacks that are not as easily recognizable as large-dollar wire fraud attempts.
  • Point-of-sale chatter remains relatively low. Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.
  • Ransomware and extortion threats continue to grow. The first half of 2016 saw a spike in ransomware and extortion-related tags as researchers, organizations, and government officials tried to deal with the growing and costly problem of data or services being held hostage for ransom.

For more threat intelligence trends, download the full Mid-Year 2016 Cyber Trends Report from SurfWatch Labs.

Costs of Data Breaches Rising, But It’s Not All Bad News

It should come as no surprise, but data breaches are costly for organizations. Each stolen record containing sensitive or confidential information costs an organization an average of $158, according to the 2016 Ponemon Cost of Data Breach Study released last month. That price more than doubles to $355 when looking at a highly regulated industry such as healthcare.

Those costs add up. The final tally for an average breach is now a whopping $4 million. That’s up from $3.79 million last year and a 29 percent increase in total costs since 2013.

Clearly, data breaches have a significant impact on business. In fact, the biggest financial consequence often comes in the form of lost customers, according to Ponemon. The findings confirm what other surveys have recently reported: consumers are increasingly unforgiving when it comes to data breaches, particularly younger generations.

A FICO survey found that 29 percent of millennials will close all accounts with a bank after a fraud incident. Not only will they take away their own business, a significant percentage will actively campaign against others using the bank. A quarter will turn to social media with negative posts, and more than a fifth will actively discourage their friends and families from using the services.

Can the C-Suite Make a Difference?

It’s not all bad news when it comes to cybercrime-related research though. In fact, The Economist Intelligence Unit recently found that certain types of organizations are having at least some success when it comes to fighting against the tidal wave of cyber-attacks. Making cybersecurity a priority at the top of an organization can have a significant impact on cyber risk.

According to the survey:

  • A proactive strategy backed by an engaged C-suite and board of directors reduced the growth of cyber-attacks and breaches by 53% over comparable firms.
  • This includes a 60% slower growth in hacking, a 47% slower growth in ransomware, and a 40% slower growth in malware attacks than their less successful counterparts.
  • Successful firms were also 56% more likely to maintain a standing board committee on cybersecurity.

Unfortunately, many organizations are either overwhelmed with low-level data and tasks, or they are unable to clearly articulate relevant threats to those executives. This leaves them more vulnerable to the various cyber threats facing their organizations — and the potential costs and other fallout associated with those incidents.

That’s why it’s crucial that those in the C-suite and on the board of directors have strategic threat intelligence — including dark web data on the cybercriminals themselves — provided in a clear, concise and ongoing manner. It is possible to stem the tide of cyber-attacks with a combination of the proper leadership, expertise and tools, but all too often those organizations are operating without a crucial piece of the puzzle — the high-level threat intelligence to help guide those decisions.

Taking Action with Threat Intelligence

Much has been written about the cybersecurity knowledge gap in the C-suite; however, that issue runs both ways. Earlier this year, ISACA released its State of Cybersecurity: Implications for 2016 report, and they found that respondents “overwhelmingly reported that the largest [skills] gap exists in cybersecurity and information security practitioners’ ability to understand the business.”

This is a crucial problem as security experts continue to hammer home the point that cybersecurity is no longer an IT problem, but a business one. Cybersecurity employees understanding business concerns and business executives understanding cybersecurity concerns isn’t just an aspiration, it’s a necessity for properly managing cyber risk.

That collaboration and understanding is at the heart of effective cyber threat intelligence.

Effective threat intelligence empowers those in the C-suite and board of directors with relevant and easy-to-comprehend information about the most important cyber threats impacting their business, their competitors and their supply chain. Effective threat intelligence also serves as a guidepost for those in IT to ensure that tactical defenses and resources are aligned with the most pressing business concerns.

In short, threat intelligence is a key component in getting away from the never-ending game of whack-a-mole that results from blindly chasing down the latest headline-grabbing cyber threats and instead operating with a more thoughtful, harmonious and strategic approach. It’s applying the same combination of technical analysis and business insight that is commonplace in other key areas of the organization in order to achieve the biggest return on your cybersecurity investment.

It’s no wonder then that those organizations are seeing the best results when it comes to reducing their overall cyber risk.

More Financial Institutions Fall Victim to SWIFT Attacks

In late June, reports surfaced of an unnamed Ukrainian bank having $10 million stolen, adding to the growing list of cyber-attacks leveraging SWIFT, the messaging system used by financial institutions around the world.

“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” said the Information Systems Audit and Control Association (ISACA).

These SWIFT-related attacks often require significant time investment from cybercriminals, but the payouts can be substantial — including an $81 million theft from Bangladesh’s central bank in February.

According to the Kyiv Post:

[ISACA] said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.

“The SWIFT case — it’s actually more in line with what’s happening right now, which we call multi-dimensional attacks because it involves many areas,” said ThetaRay CEO Mark Gazit, who was a guest on this week’s Cyber Chat podcast.

The attacks shed light on the trend of some cybercriminal groups moving beyond personal information and credit card theft. Instead, they are focusing on the institutions themselves and the potentially massive payouts that come along with a successful attack.

These groups are becoming smarter and often know the inner workings of banks, Gazit said.

“If you go to the dark web you can find the set of rules for banks in the United States, and some of the banks will have more than 10,000 rules. They’re all published.”

Growing Problem for Financial Organizations

Customers have an expectation of certain convenience features, and banks have to keep pace with those expectations in order to not lose business. The growing digital footprint makes those financial institutions much more susceptible to cybercrime, which is increasingly automated, Gazit said.

This means that cyber-attacks have more impact throughout organizations.

“It becomes a board issue, a CEO issue, a risk issue. Suddenly, it’s not just an issue that IT guys should deal with somewhere in back office rooms. It’s actually becoming something that relates to the very core part of the business.”

On Monday, SWIFT announced that they were engaging with several security companies to assist the community by providing forensic investigations related to SWIFT products as well as providing anonymized intelligence data to help prevent future fraud.

Part of the problem around cybersecurity is that teams may be hampered by their past successes and failures, Gazit said.

“Existing organizations such as financial institutions, utility companies, they still have very good people that have extensive knowledge that is derived from the past, and sometimes past knowledge can be a curse when you try to prepare yourself against new attacks.”

He added, “I think that we’ll see more surprises, more attacks that nobody expected, more crime that people will be very much surprised how it happened or how it could happen.”

For more, listen to the full conversation with ThetaRay’s Mark Gazit about how financial sector attacks are evolving and what needs to be done to stay ahead of cybercriminals.


Startup Companies Claiming To Be “Non-Hackable”: Interview With Angel Investor Michael Barbera

While cyber-attacks continue to grow and evolve, some companies are claiming to be “non-hackable” – and they’re often startups. The problem with this logic is that it is simply incorrect; all companies are potentially vulnerable to being hacked.

“Every organization can be hacked by a clever person with patience. I personally avoid all companies who say they are non-hackable.”

We had the opportunity to speak with Barbera about angel investing, how serious startup companies are taking cybersecurity, and what he is looking for a startup company to have in place in terms of cybersecurity before he invests.

Our edited conversation follows.

As an angel investor, when a startup company tells you that they are “non-hackable,” what is your initial reaction?

So, a cloud storage company comes up and says you can store your files with them. Those files are encrypted, and once it is on their server if it were to ever get hacked, the hacker would receive an encrypted file and it looks like a bunch of junk. That means nothing to me. If the US Army can get hacked, if the CIA can get hacked, so can your little company. Nothing is foolproof, so why are you going around and saying it is? I don’t think they can practice what they preach.

Do you think these startup companies are simply saying what you would want to hear, or are they ignorant and truly believe they are “non-hackable?”

I think there is a lot of ignorance, and I think these companies really believe that they have a product or service that is foolproof. I also think some say it as a marketing technique for non-tech savvy people. If you had a baby boomer generation target market, they don’t know much about IT, or the Internet and how it works. They can barely operate a Facebook account. So when they hear a service is “non-hackable,” they are more likely to use that service. So it might be a marketing technique for some companies.

Years ago, LifeLock had an actor or spokesman put their social security number on a commercial. He got hacked.

[Laughs] Well of course he did.

What is your overall view on how cybersecurity is evolving when you learn about these new companies?

It really changes based on each company’s business model and strategy. So when you have a startup dependent on their budget and their goals, IT and security may or may not be a big part of it. It all depends on what they are doing.

Say you have a small mom-and-pop shop that is selling goods from their brick-and-mortar store that is also selling on their website, their minimal requirement is to be PCI compliant. Their biggest concern is being hacked. In the larger scheme of things, hackers probably won’t look at a smaller target like a mom-and-pop store. It might not be beneficial to them.

Other companies who do more stuff on the Internet have more of a liability to protect that information, so they need to take it more seriously.

Focusing on cybersecurity, when you are looking to invest in a company, what are you hoping to hear from them when making a decision to invest or not?

If it was anything more than being PCI compliant, I would want them to have an in-house IT specialist that could provide the services needed. If it is a smaller company needing to be PCI compliant, we can outsource that. It really goes toward the organizational services that they are working with. If they are working with people’s finances, then we are going to have to implement advanced security systems. If they are working with names, addresses, and they are PCI compliant, that is a different story. There are different levels, and it really goes back to business models.

What you have to understand is a lot of people – like small business owners – their everyday life is making a sale. On top of that, while they are sweeping they are supposed to do their books, their IT, and their taxes. A lot of people don’t think about [cybersecurity] until it is too late, and that is unfortunate.

Cybersecurity Rant – Security Marketers Misusing Terms

Let me start off by saying that I am a marketer. I’ve been in the cybersecurity space for roughly 10 years with multiple companies focusing on different aspects that can be bucketed under the following segments of the market: endpoint security, network security and threat intelligence. In every segment there are buzzwords that seem to take on a life of their own.

In threat intelligence there are a few that really do us a disservice. The two that I want to pick on are “real-time” and “actionable.” Let’s dissect these:

“Real-time” Threat Intelligence

When I see this, to me it’s like nails on a chalkboard because “real-time” and “threat intelligence” cannot possibly go hand in hand. Threat intelligence requires analysis … by humans who have the expertise to do so. This does not and cannot happen in “real-time.” You can certainly get real-time information, but information and intelligence are not one and the same.

As my colleague Adam Meyer wrote in an article titled “Setting the Record Straight on Cyber Threat Intelligence,” information is unfiltered and unevaluated, available from many sources, and can be accurate/false, misleading and/or incomplete. Additionally, it may or may not be relevant to your business. The beauty of cyber threat intelligence is transforming all of that information into meaningful insights that drive better decision-making. That transformation process can be discussed in its own blog or collection of blogs, but the point I’m trying to make is that none of this is in “real-time.” I’m comfortable with near real-time because timeliness is an important attribute of intel … along with accuracy and relevancy.

“Actionable” Threat Intelligence

The word actionable isn’t bad, it’s just that we’ve overused it to the point it no longer means anything. Too many vendors equate information with actionable threat intelligence, but again, these are very different. A lot of information for you to research certainly creates lots of action, but is it actionable? To me, “actionable” means a decision can be made without requiring much, if any, additional research and analysis. If it is refined, final, actionable threat intelligence, all that prep work has been done and now you can make a sound risk management decision.

When I first joined SurfWatch Labs I had a friend who worked for an e-commerce business take me through a “day in the life” of how his company used threat intelligence. They took in a feed of low-level, tactical data and fed that into their SIEM, which spit out hundreds of alerts per day. The company had a team of analysts that would research each alert (which I was told could take as little as 20 minutes and sometimes up to a full day) and try to understand if they needed to worry about it and if so, how to deal with it. Every day this team of analysts had a lot of actions to take regarding their threat-related data. Just a few types of questions they needed to be able to answer:

  • What was the actual threat?
  • Was it relevant to their business and infrastructure?
  • What was the potential impact? Did it impact sensitive information/systems?
  • If it was relevant and important, then what steps and tools were necessary to mitigate this risk before it was too late?

Again, the information they received required lots of actions, but I would argue it wasn’t actionable intelligence at that point. Actionable intelligence takes that information and then runs analysis and correlation against the business profile where at the end there is a decision point and a method for addressing the risk. If you look at all the companies throwing around the term “actionable” I bet the majority provide an aspect of intelligence or a step in the direction of intelligence, but do not actually provide “actionable” intelligence.

OK, so why am I ranting about this? The above are just two of the more obvious examples where vendors are actively confusing the market and doing a disservice to customers trying to understand what threat intelligence is, what type of intelligence is right for them, and how to use it. Threat intelligence is not tangible like a firewall or some whiz-bang appliance, but if properly understood it can be extremely valuable in directing a cybersecurity program and reducing an organization’s overall risk footprint.

Top Dark Web Markets: HANSA, Piracy and Exit Scams

HANSA Market is the third most popular dark web market this year, according to data from SurfWatch Labs. It’s a new and growing market focused on the security of its users. Previously in this series we’ve talked about Alpha Bay and the problem of stolen credentials and Dream Market and the cybercrime-as-a-service model. As we turn our attention to HANSA, it’s an opportunity to reflect on how these dark web markets work — and the reason there has been so much turnover the past few years.

Piracy is one of the top trending cybercrime categories on HANSA market. This includes pirated software, video games, movies, books and other media as well as credentials for related accounts. In the screenshot above a vendor is selling a collection of 21 ebooks by a popular author for just $4.99.

HANSA was created in response to the many exit scams that have occurred over the past few years. Most dark web markets require buyers to deposit money (bitcoins) before they can purchase. Once a market becomes popular, there can be a significant amount of bitcoins in limbo, and owners are often tempted to shut the market down and take all the money that has built up. HANSA created a system that they claim ensures that no exit scam is possible.

“After recent exit scams of various marketplaces (e.g. Evolution, BlackBank) we wanted to create a market where it is impossible for either admins or vendors to run away with your funds,” the admins wrote. “Most markets operate the same: Blindly deposit money into your account, wait for confirmations and then make the purchase. … On HANSA you do not have to deposit Bitcoins before your purchase. Every order is simply a Bitcoin transaction itself.”

How Do Exit Scams Work?

Not long ago — before the FBI took down Silk Road and creator Ross Ulbricht was sentenced to life in prison — there was a dream of a victimless black market where users could anonymously purchase illicit goods such as drugs beyond the reach of intrusive government laws. But as Wired’s Andy Greenberg wrote in January, that dream is now largely dead due to the many exit scams and the turnover in marketplace leaders over the past few years:

The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.

The most striking example of this is the Evolution Market exit scam. In March of 2015, the Evolution marketplace halted bitcoin withdrawals from the site for a week, using the excuse of technical difficulties as the owners, known as Verto and Kimble, let the virtual coffers build. Then they closed up shop and walked away with an estimated $12 million in bitcoin.

An admin for the market summed up the bad news to fellow users in a Reddit post, “I am so sorry, but Verto and Kimble have fucked us all.”

In April 2016, a year after the disappearance of Evolution, Nucleus Market, at the time the number two most popular dark web marketplace, suddenly vanished. Rumors of an exit scam abound.

However, not all exit scams are so high profile. Most exit scams are actually done by individual vendors, as Motherboard’s Jon Christian noted.

“It turns out that a logistical problem with darknet markets is that when a vendor throws in the towel, it’s very tempting for him or her to stop mailing drugs, but continue pocketing customers’ payments for as long as possible,” Christian wrote. “If you’ve built up a good reputation on a darknet market’s seller rating system — which, like eBay, is based on feedback from other users — why not keep pulling in cash until the review system catches up with you?”

Escrow Payments and Finalizing Early

Many markets offer protection to buyers against this type of scam in the form of escrow payments. A neutral third party such as the market holds the money until the buyer has received the goods. After the buyer receives the order, payment is released. In the case of disputes, marketplace admins often act as an arbiter. However, many buyers and sellers use something known as “Finalize Early.” Essentially, the buyer releases the funds from escrow before receiving the goods or services. Some vendors abuse this trust.

HANSA does not offer the option to Finalize Early, so that extra layer of escrow protection stands behind every market transaction.

While this policy helps protect buyers from vendor exit scams, there is still the concern that the market itself may perform an exit scam. In fact, this is one reason why some vendors prefer Finalizing Early. With numerous transactions in escrow, the market can at any time be holding a significant amount of bitcoins, and that can be tempting to steal. Finalizing Early lets those vendors receive payment immediately.

Multisignature Transactions

This is where multisignature escrow applies. HANSA uses a 2-of-2 multisignature escrow process (vendor-HANSA). As they explain, “Funds can only be accessed by the vendor after the buyer finalizes a transaction and can never be accessed by the site staff. Theft from either party is impossible.”

In January HANSA announced that it now supports 2-of-3 multisig transactions (buyer-vendor-HANSA) as well.

“The only flaw our market had in the past was the loss of Bitcoins in cases like the vendor losing his/her Bitcoin private key or him/her refusing to refund buyers in cases of disputes,” HANSA announced. “Fortunately this has happened very rarely and we have reimbursed the buyer every time out of our own pocket. Still, this can be avoided.”

With 2-of-3 multisig transactions, money is transferred into an escrow fund shared by the buyer, the seller and HANSA. Once two out of those three parties approve the transaction, the funds are released.
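To make the two policies concrete, here is an added example (not HANSA’s or any market’s code) of an m-of-n escrow in Python. Bitcoin enforces this with a multisignature script and ECDSA signatures; the example stands in for them with an HMAC over the settlement text, keyed with a per-party key that the escrow also holds, which is enough to show who can and cannot release funds under 2-of-2 (vendor, market) versus 2-of-3 (buyer, vendor, market). All party names, keys and amounts are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Constructed per-party signing keys (stand-ins for Bitcoin private keys).
KEYS: Dict[str, bytes] = {
    "buyer": b"buyer-key", "vendor": b"vendor-key", "market": b"market-key",
}

def sign(party: str, settlement: str) -> str:
    """A party approves one specific settlement, e.g. 'pay vendor 0.05 BTC'."""
    return hmac.new(KEYS[party], settlement.encode(), hashlib.sha256).hexdigest()

class Escrow:
    """m-of-n escrow: funds move only under a settlement carrying at least
    `threshold` valid signatures from distinct listed parties."""

    def __init__(self, threshold: int, parties: Iterable[str]) -> None:
        self.threshold = threshold
        self.parties = tuple(parties)
        self.lost_keys: set = set()  # parties that can no longer sign anything

    def lose_key(self, party: str) -> None:
        self.lost_keys.add(party)

    def collect(self, settlement: str, signers: Iterable[str]) -> Dict[str, str]:
        """Gather signatures from whichever signers can still produce one."""
        return {p: sign(p, settlement) for p in signers if p not in self.lost_keys}

    def release(self, settlement: str, sigs: Dict[str, str]) -> bool:
        """A signature counts only if it is from a listed party and was made
        over this exact settlement text, so a 'pay vendor' signature cannot be
        replayed to approve 'refund buyer'."""
        valid = {p for p, s in sigs.items()
                 if p in self.parties and hmac.compare_digest(s, sign(p, settlement))}
        return len(valid) >= self.threshold

def market_exit_scam_blocked(escrow: Escrow) -> bool:
    """Site staff alone try to pay themselves: fails under either policy."""
    s = "pay market 0.05 BTC"
    return not escrow.release(s, escrow.collect(s, ["market"]))

def refund_after_vendor_key_loss(escrow: Escrow) -> bool:
    """The case HANSA described: the vendor loses the key. Buyer and market
    try to refund the buyer: True under 2-of-3, False under 2-of-2."""
    escrow.lose_key("vendor")
    s = "refund buyer 0.05 BTC"
    return escrow.release(s, escrow.collect(s, ["buyer", "vendor", "market"]))

def signature_bound_to_settlement() -> bool:
    """A vendor signature for 'pay vendor' does not count toward 'refund buyer'."""
    e = Escrow(2, ["buyer", "vendor", "market"])
    sigs = {"vendor": sign("vendor", "pay vendor 0.05 BTC"),
            "buyer": sign("buyer", "refund buyer 0.05 BTC")}
    return not e.release("refund buyer 0.05 BTC", sigs)
```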

This isn’t a new system. In fact, Evolution offered multisignature transactions designed to stop the exact kind of exit scam they eventually performed, but not many buyers used the feature.

As a moderator of the DarkNetMarket subreddit noted after the Evolution theft, “Maybe this will open more people’s eyes to the benefits of multisig.” Then he added, “Nah, who am I kidding? When has an event like this ever changed anything?”

The disadvantage is that the process can seem complicated and may turn away some users, which may be one of the reasons why HANSA is not quite as popular as AlphaBay and Dream Market — although at the moment it remains as one of the more trusted and stable dark web markets.

Podcast: Healthcare Leaks, POS Breaches, and Latest Malware and Legal News

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 75: Healthcare Leaks, POS Breaches, and Latest Malware and Legal News:

Several large healthcare databases have been put up for sale on the dark web, and the actor behind the leaks is promising more. Point-of-sale breaches made headlines this week at Hard Rock Hotel & Casino Las Vegas and Noodles & Company. More SWIFT attacks are impacting “dozens of banks.” Sports and cybercrime intersected as ransomware hit NASCAR and the SEC was the victim of a Twitter hack. Advisories this week include vulnerabilities in Symantec products that Google’s Project Zero called “as bad as it gets,” Bart and Cerber ransomware warnings, Marcher and Retefe banking Trojan developments, and a botnet utilizing CCTVs. The legal side saw congressmen urging HHS to examine ransomware, the FTC clarifying what they’re looking for during investigations, privacy lawsuits affecting both researchers and the FBI, and new and potential cybersecurity laws in Rhode Island and China. Lastly, a man is using technology to fight parking tickets.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

[Screenshot: Healthcare_database2_cropped]
According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the healthcare-related information found for sale on the dark web are counterfeit documents and other identity information that can be used for different types of fraud, including but not limited to medical fraud. Although this information does not sell for hundreds of thousands of dollars or make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

[Screenshot: Healthcare_Card2_cropped]
The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, non-state-sponsored health cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

[Screenshot: Healthcare_Card3.jpg]
Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

[Screenshot: Healthcare_prescriptions_cropped]
“The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

[Screenshot: Healthcare_drugs]
This vendor is selling a wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that end, cyber threat intelligence drawn from the dark web is a vital part of the picture.

What Sensitive Information is on Your Organization’s Old Drives?

I heard a story yesterday about a friend’s nephew who lost the SD card from his smartphone. The SD card contained data on his games, pictures, and pretty much everything else he used his phone for. He searched everywhere for this SD card until it finally dawned on him where it was.

Turns out, the SD card was in his old smartphone that he traded to a cellular store for a newer phone. Honest mistake, right?

It was an honest mistake, but it is also a symptom of a bigger issue.

Data recycling can lead to big problems that most people are unaware of. Many people looking to get rid of electronics go through a few basic steps to remove their data, such as a factory reset or manually erasing any data they can see. However, this won’t get rid of all the data contained on the device.

In a study conducted by Blancco Technology Group, it was found that 78% of hard drives examined in the study still contained residual data that could be recovered. The study focused on 200 used hard disk drives sold on eBay and Craigslist.

What is this data? Well, let’s start with photos (with location indicators), personal information, Social Security numbers and other financial information.

Perhaps more alarming, about 11% of studied devices contained company information such as emails, sales projections, product inventories and CRM records.
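As an added check (example code, not from the Blancco study or any vendor tool), the Python below carves a raw image for file headers so a drive that has supposedly been erased can be verified before it leaves the organization. The image, its file fragments and the “delete only clears the directory block” model are all constructed; against a real drive the same carve() would be run over the device file opened read-only.

```python
import io
from typing import BinaryIO, Dict, List, Tuple

# Magic bytes the scan carves for (real headers; list deliberately short).
SIGNATURES: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff\xe0",
    "pdf": b"%PDF-",
    "sqlite": b"SQLite format 3\x00",
}
_OVERLAP = max(len(s) for s in SIGNATURES.values()) - 1

def carve(dev: BinaryIO, chunk: int = 1 << 20) -> List[Tuple[int, str]]:
    """Scan a raw image or device stream for file headers. The last few bytes
    of each read are kept so a header split across two reads is still found,
    and hits lying entirely inside that overlap are not counted twice."""
    hits: List[Tuple[int, str]] = []
    tail, base = b"", 0
    while True:
        buf = dev.read(chunk)
        if not buf:
            break
        data = tail + buf
        for kind, sig in SIGNATURES.items():
            pos = data.find(sig)
            while pos != -1:
                if pos + len(sig) > len(tail):  # not already seen in the overlap
                    hits.append((base - len(tail) + pos, kind))
                pos = data.find(sig, pos + 1)
        tail, base = data[-_OVERLAP:], base + len(buf)
    return sorted(hits)

def make_image(size: int, fragments: Dict[int, bytes]) -> bytes:
    """Constructed raw image: zeros with file fragments at the given offsets."""
    img = bytearray(size)
    for off, frag in fragments.items():
        img[off:off + len(frag)] = frag
    return bytes(img)

def delete_files(img: bytes, dir_block: int = 4096) -> bytes:
    """Model a delete or quick factory reset: only the directory block is
    cleared; every data block keeps its contents."""
    return bytes(dir_block) + img[dir_block:]

def overwrite_wipe(img: bytes) -> bytes:
    """Model a proper wipe that overwrites every block."""
    return bytes(len(img))

def scan_image(img: bytes, chunk: int = 1 << 20) -> List[Tuple[int, str]]:
    """Carve an in-memory image (same logic as scanning a device stream)."""
    return carve(io.BytesIO(img), chunk)

def verify_wiped(img: bytes, chunk: int = 1 << 20) -> bool:
    """Pass only if carving finds no headers and no non-zero byte remains."""
    return not scan_image(img, chunk) and not any(img)
```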

Unfortunately for organizations, this is another way neglectful actions on the part of human beings can cause a data breach or other malicious activity. People make mistakes all the time, and these unintentional mistakes can have severe consequences.

Erasing Computers, Tablets and Phones

Going through all your devices and making sure they are clear of any data can be a chore (especially if technology is not your thing). There is good news: the Internet is full of information that can help you solve this problem.

Obviously, there are different devices that hold your data and the steps taken to get rid of that data will be different. Below are some helpful links that can guide you through erasing all the data from a device:

As the Blancco Technology Group noted, many organizations struggle when it comes to securing the data on old drives.

“One of the more troublesome challenges is related to wiping the data from them when employees leave the company, the drives hit their end of life or the data itself needs to be removed to comply with IT policies and security regulations,” the report read.

Ensure your organization has a clear policy in place so that — unlike my friend’s nephew — you’re not scrambling later and trying to figure out the source of sensitive information being compromised.