Weekly Cyber Risk Roundup: More Payment Card Breaches and Dark Web Arrests

Payment card breaches were back in the news again this week as Forever 21 announced that it is investigating a point-of-sale (POS) breach at some of its stores, and several other organizations issued breach announcements related to stolen payment card data.

Forever 21 said that it received a report from a third party about potential unauthorized access to payment cards at some of the company’s stores, and the ongoing investigation is focusing on POS transactions made in stores between March 2017 and October 2017.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company wrote.

In addition, organizations continue to submit breach notification letters to various state attorneys general regarding the previously disclosed breach involving Sabre Hospitality Solutions SynXis Central Reservations system, including The Whitehall Hotel and JRK Hotel Group, both of which were impacted from August 10, 2016, through March 9, 2017. The Register also reported that Jewson Direct is notifying customers that their personal and payment card information may have been compromised due to the discovery of unauthorized code on its website. However, the company said the inclusion of card data in the notification was only “an advisory measure” as the investigation is ongoing.

The recent breaches, as well as other breaches such as Sonic, may have led to an increase in payment card fraud activity in the third quarter of 2017. Fraud activity is also expected to increase as consumers buy gift cards and other items over the holiday shopping season.

Other trending cybercrime events from the week include:

  • Organizations expose data: Researchers discovered a publicly exposed Apache Hive database belonging to ride-hailing company Fasten that contained the personal information of approximately one million users as well as detailed profiles of its drivers. A researcher said the Chinese drone maker DJI has exposed a variety of sensitive information via GitHub for up to four years, in addition to exposing customer information via insecure Amazon S3 buckets. Researchers discovered two insecure Amazon S3 buckets appearing to belong to the Australian Broadcasting Corporation’s commercial division, including information regarding production services and stock files. The Maine Office of Information Technology said that approximately 2,100 residents who receive foster care benefits had their personal information temporarily posted to a public website after an employee at contractor Knowledge Services uploaded a file containing their data to a free file-comparison website without realizing that the information would become publicly accessible. Dignity Health is notifying employees that some of their personal information was accidentally exposed to other employees.
  • Employee email accounts compromised: ClubSport San Ramon and Oakwood Athletic Club is notifying employees that their W2 and tax statements were sent to a malicious actor following a phishing attack impersonating an executive. ABM Industries Incorporated is notifying employees that their personal information may have been compromised due to a phishing attack that led to multiple email accounts being compromised. Saris Cycling Group is notifying employees that their personal information may have been compromised due to a phishing email that led to an employee email account being compromised.
  • Extortion-related attacks: The website of Cash Converters was hacked, and the actors behind the attack said they would release the data of thousands of UK consumers unless a ransom is paid. Little River Healthcare Central Texas is notifying patients of a ransomware attack that may have accessed their information and led to some data being irretrievably deleted when the clinic tried to restore the files. Far Niente Winery is notifying individuals of a ransomware attack that may have compromised their personal information.
  • Other notable incidents: A group associated with Anonymous hacked the email accounts of an employee of Italy’s Defence Ministry and a member of the Italian police and then published a variety of information allegedly obtained from those accounts. Officials from Catawba County, North Carolina, said that malware shut down a number of county servers and caused temporary interruptions in service, as well as a number of spam emails being sent to county residents. Gallagher NAC is notifying individuals that their personal information may have been compromised due to “a small amount of data” being stolen from a database between June 18 and September 19. CafeMom is notifying customers that email addresses and passwords used to create accounts prior to July 2011 were compromised “at some point in the past.” AppDirect said that a phisher has been impersonating members of the company’s human resources, recruiting, and sales teams on job sites, and several people have applied to those fake listings and received fake job offers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets]

Cyber Risk Trends From the Past Week

Dark Web markets continued to make headlines this week as a key player in AlphaBay’s operations was charged and cyber-attacks against other still-active dark web marketplaces temporarily disrupted operations.

Federal prosecutors allege that Ronald L. Wheeler III, of Streamwood, Illinois, worked as a spokesperson for the now-shuttered Dark Web marketplace AlphaBay. AlphaBay had grown to become the largest-ever Dark Web marketplace before it, along with the popular Hansa Market, was taken offline by law enforcement this past summer.

Wheeler is accused of working alongside Alexandre Cazes, a 25-year-old Canadian who was alleged to be the owner of AlphaBay known as “Alpha02.” Cazes reportedly committed suicide in his Thai jail cell a week after being arrested in July.

The Associated Press reported that Wheeler has pleaded not guilty to the AlphaBay-related charges, but prosecutors allege that he worked with Cazes using the name “Trappy” to moderate the AlphaBay forum on Reddit, mediate sales disputes, and provide other non-technical assistance to users.

As SurfWatch Labs previously reported, the downfall of AlphaBay and Hansa Market elevated Dream Market to the temporary king of the Dark Web. However, Dream Market and other popular markets have been the target of DDoS attacks over the past few weeks, making the sites difficult to access for some users. Those attacks can delay purchases beyond the already congested list of pending Bitcoin transactions, which is slowing down both legitimate and criminal transactions.

Prior to being seized, AlphaBay had grown to accept multiple payment options, including Ethereum and Monero; however, Dream Market still only accepts Bitcoin, and that restriction may help push some users towards other markets that have more, and quicker, payment options as the Dark Web marketplace continues to evolve in AlphaBay’s absence.

Payment Card Fraud and Cryptocurrency Attacks Saw Significant Increase Last Quarter

The financials sector saw an increase in incident volume in the third quarter of 2017, and much of that increase revolved around cyber-attacks targeting various cryptocurrency platforms, as well as payment card breaches in the consumer goods sector that led to increased fraud activity on cybercriminal markets.

The financial sector (blue) saw above average risk scores for incident volume, effect impact, and targeted asset in Q3 when compared to all sectors (black).

Key takeaways from SurfWatch Labs’ threat intelligence findings for the period include:

  • Banks remained the top trending group associated with cybercrime in the financials sector, accounting for nearly one quarter (24.4%) of the negative cyber events collected by SurfWatch Labs; however, that percentage was down from 38.1% in the first half of 2017 and 35.8% across all of 2016.
  • That drop was largely attributed to increased activity in the specialty financials group, which saw its percentage of threat intelligence jump from 7.4% in the first half of 2017 to 19.4% in Q3 as malicious actors increasingly targeted cryptocurrency platforms.
  • Payment cards were the dark web target category to see the most significant increase, accounting for 14.6% of the financials sector’s dark web threat intelligence – a rise from 7.1% in the first half of 2017.

The financials sector saw an increase in the amount of threat intelligence collected by SurfWatch Labs beginning in July, and that increased volume continued throughout Q3 2017.

Malicious Actors Increasingly Targeting Cryptocurrency

Cybercrime incidents related to the banking group remained the most widespread in SurfWatch Labs’ Q3 threat intelligence data. However, when excluding our dark web data, many of the most notable cyber-attacks – including all five of the top trending incidents for the period – occurred at cryptocurrency organizations in the specialty financials group.

Specialty financials accounted for 19.4% of the cybercrime threat intelligence collected by SurfWatch Labs during Q3, a significant increase from the 7.4% during the first half of 2017.

Several of the top trending cyber-attacks in Q3 revolved around the hijacking of Ethereum Initial Coin Offerings (ICO) in order to steal cryptocurrency. Notable attacks include:

    • In July, Coindash said that an actor gained access to its website during the company’s ICO and changed the text on the site to a fraudulent Ether wallet address – resulting in $10 million worth of Ether being stolen from investors.
    • Veritaseum also reported in July that it had $8.4 million worth of tokens stolen during its ICO as a result of a “very sophisticated” attack, which may have involved at least one corporate partner dropping the ball, according to the company’s founder.
    • In August, Enigma Catalyst said that investors were scammed out of approximately $500,000 of Ether when malicious actors hijacked the company’s website, mailing lists, and Slack accounts and subsequently offered a fake pre-sale to investors ahead of the company’s upcoming ICO.

In addition, there were a variety of other cryptocurrency-related attacks during the period. For example, a bug was found in the multi-signature wallet code used as part of Parity Wallet software, which led to wallets being exploited and reports of approximately $34 million worth of Ether being stolen before white hat hackers intervened to prevent an additional $85 million in theft. In addition, a malicious actor was also able to trick the hosting provider of the open source Classic Ether Wallet into hijacking the Classic Ether Wallet domain, resulting in potential theft as transactions were made on the site.

As cryptocurrencies continue to gain legitimacy and value, it is likely that malicious actors will continue to shift towards targeting them in both the near and long term. For example, one group is tracking over 150 active Ethereum scams heading into the fourth quarter of the year. Exploiting the popularity of cryptocurrencies has proven to be highly profitable for both cybercriminals and state actors, such as North Korea.

Fraud Activity Increases on the Dark Web

SurfWatch Labs also observed an increase in the amount of fraud-related activity in Q3, with fraud accounting for 43.6% of financials dark web threat intelligence – a significant jump from previous periods. In the first half of 2017, fraud accounted for 24.4% of collected dark web intelligence, and during 2016 it accounted for 24%.

SurfWatch Labs collected a much larger percentage of fraud-related threat intelligence in Q3 2017 than during any other recent period.

Digging deeper into the data, it is clear that point-of-sale (POS) and other payment card breaches helped to drive a significant portion of fraud activity in Q3. In the first half of 2017, the target tag of “payment cards” appeared in only 8.3% of the dark web threat intelligence collected by SurfWatch Labs. In Q3 that number rose to 14.5%.

Some of the notable payment card breaches announced during Q3 include:

  • The fast food chain Sonic has been tied to at least a portion of five million fresh payment cards being sold on a cybercriminal market.
  • Whole Foods announced a POS breach involving its taprooms and restaurants.
  • Avanti announced a POS breach affecting an undisclosed number of the company’s self-serve snack kiosks.
  • Equifax’s massive breach included more than 200,000 payment cards.
  • B&B Theaters announced it was investigating a payment card breach that may date all the way back to 2015.
  • Sabre announced a breach affecting its SynXis Central Reservations system back in May, and affected hotels continued to issue breach notification letters throughout Q3.
  • Third-party vendor Aptos continues to be tied to payment card breaches at online retailers.

Other payment card breach notifications and investigations have continued to be announced in the days since Q3 ended, including a POS breach at Hyatt Hotels and Irish retailer Musgrave warning SuperValu, Centra, and Mace customers to be on the lookout for fraud. In addition, Flexshopper announced it exposed payment card information, and Tommie Cooper and Cricut announced they discovered malware on their website checkout pages.

Numerous organizations also warned of payment card phishing scams during the period – including Netflix, Uber, E-ZPass, Newcastle University, and more. A number of other data breaches and leaks involved partial payment card information.

Conclusion

The financials sector continues to be the target of a wide range of attacks due to the nature of the data organizations hold and the services they provide. As we noted in our Fraud and the Dark Web whitepaper, the number of avenues through which malicious actors can carry out fraud has increased along with the number of digital accounts tied to financial information. However, Q3 saw an increase in more traditional payment card fraud activity on the dark web – likely resulting from several large one-off POS breaches, as well as issues at vendors that have spread through the supply chain to affect both in-person and online purchases.

On the flip side, the number of cryptocurrency-related breaches, particularly those tied to Ethereum, has highlighted a shift that may have legs – particularly since there is less regulation and, in some cases, less security to circumvent in order to pull off multi-million dollar heists. For example, it was reported that at least one Slack account with administrative privileges at Enigma used a previously leaked password and didn’t require two-factor authentication. Likewise, the incident involving Classic Ether Wallet began by simply socially engineering a third party over the phone by impersonating the site’s owner. Malicious actors are quick to copy the successful techniques of their peers, and we will likely see similar attempts against cryptocurrency organizations in the future.

Dark Web Markets, Equifax Breach Raise Authentication Concerns

The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors springboarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.

Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.

Download the full whitepaper, “Fraud and the Dark Web”

The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:

  • online accounts for banking and financial services;
  • online store accounts, as both buyers and sellers;
  • accounts tied to monthly subscriptions or other recurring services;
  • accounts related to the growing number of digital cryptocurrencies;
  • and more.

By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.

The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.

The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for businesses unprepared to deal with that reality.

What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.

“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending on their unique risk footprints.”

However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:

  • Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
  • Discourage the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
  • Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
  • Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.

In addition to our whitepaper on Fraud and the Dark Web, SurfWatch Labs will also be hosting a webinar on Wednesday, September 20 from 1-2 PM ET.

Cyber Fraud: How it Happens and What You Can Do

The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.

Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.

In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”

Other trending cybercrime events from the week include:

  • Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.
  • #LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”
  • New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due to a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that the personal information of users could have been compromised by changing the URL of the activation code sent to new users in order to view other account holders’ data. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.
  • More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.
  • Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets]

Cyber Risk Trends From the Past Week

Law enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST recommends that organizations become proactive and block passwords that have been previously tied to data breaches in order to improve security. That’s why he’s released a list of 320 million previously compromised passwords for organizations to download for free and use to protect their systems.

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”
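The breached-password screening described in the best-practices list and in the Troy Hunt passage above, as an added example (not SurfWatch Labs' or Hunt's code). It assumes the downloaded list is a text file of uppercase SHA-1 hex digests, one per line and sorted; the function names, the 8-character minimum (from NIST SP 800-63B) and the sample passwords are constructed for illustration.

```python
"""Screen new passwords against a downloaded breached-password list."""
import hashlib
import os
import tempfile

HASH_HEX_LEN = 40  # SHA-1 digest rendered as hex


def sha1_hex(password: str) -> str:
    # SHA-1 is used only because the list is keyed by it (assumed format);
    # it is not how the service should store its own password hashes.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str, hash_file: str) -> bool:
    """Binary-search a sorted file of fixed-width SHA-1 hex lines on disk.

    The full list is too large to load per request, so only O(log n)
    records are read for each candidate password.
    """
    target = sha1_hex(password).encode("ascii")
    with open(hash_file, "rb") as fh:
        record_len = len(fh.readline())  # 41 with LF endings, 42 with CRLF
        size = os.fstat(fh.fileno()).st_size
        if record_len <= HASH_HEX_LEN or size % record_len:
            raise ValueError("expected fixed-width, newline-terminated hash lines")
        lo, hi = 0, size // record_len
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(mid * record_len)
            record = fh.read(HASH_HEX_LEN)
            if record == target:
                return True
            if record < target:
                lo = mid + 1
            else:
                hi = mid
    return False


def check_new_password(password: str, hash_file: str, min_length: int = 8):
    """Return (accepted, reason) for a signup or password-change request."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, hash_file):
        return False, "found in breached-password list"
    return True, "ok"


def build_sample_hash_file(passwords) -> str:
    """Constructed sample data: write digests in the assumed list format."""
    digests = sorted({sha1_hex(p) for p in passwords})
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.writelines(d + "\n" for d in digests)
    return path


if __name__ == "__main__":
    # Constructed stand-in for the real multi-gigabyte download.
    sample = build_sample_hash_file(
        ["password", "123456", "qwerty", "letmein", "Summer2017"]
    )
    try:
        for candidate in ["123456", "Summer2017", "correct horse battery staple"]:
            print(candidate, "->", check_new_password(candidate, sample))
    finally:
        os.remove(sample)
```

The same lookup can run at login time to flag existing accounts whose password has since appeared in a breach, which addresses the password-reuse scenario described for the Dream Market vendors.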

AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals

On Thursday morning, the Department of Justice, Europol, and Dutch authorities announced a coordinated law enforcement takedown of AlphaBay and Hansa Market, two of the three largest dark web marketplaces used to buy and sell illicit goods and services.

AlphaBay has been offline since July 5, the same day that founder Alexandre Cazes was arrested in Bangkok and a week before his apparent suicide. With the dark web’s most popular marketplace suddenly unavailable, many users turned to Hansa, a market that touted its security-focused approach. Unfortunately for those users, Dutch law enforcement had seized control of Hansa on June 20 following the arrest of two administrators in Germany, and law enforcement has been covertly monitoring the market’s activity over the past month.

The dark web markets AlphaBay and Hansa Market were both taken down in a coordinated law enforcement effort that was announced Thursday morning.

As Europol noted, this joint effort against the two markets helped to “magnify the disruptive impact” of the operation.

“It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform,” Europol wrote in its press release. “In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay.”

Database trade is the top trending cybercrime practice associated with Hansa Market over the past year, according to SurfWatch Labs’ data.

With both AlphaBay and Hansa Market now out of the picture, Dream Market is the reigning leader, according to SurfWatch Labs’ threat intelligence data.

How Cazes was Caught and AlphaBay Taken Down

Cazes, who was also known as “Alpha02” or “Admin” on the market, founded AlphaBay in 2014 and ran the site along with a team of eight to 10 individuals, according to the unsealed indictment. Over the two-and-a-half-year period the site was operational, AlphaBay grew to become the largest dark web market in history and collected tens of millions of dollars in commissions.

When AlphaBay was shuttered in early July, it had approximately 370,000 listings for sale across various categories such as fraud, drugs, counterfeit items, software and malware, and more.

However, Cazes made numerous mistakes while running AlphaBay that other malicious actors will be paying close attention to, said SurfWatch Labs chief security strategist Adam Meyer.

“As I read the indictment detailing the AlphaBay takedown in particular, I see a list of mistakes being disclosed by the operators of the market that will certainly be scrutinized by criminal elements in order to ensure they are not repeated in future efforts,” Meyer said. “In similar ways that malware instances are shared, tweaked and reused, those who operate illegal marketplaces — or have the desire to due to its profitability — are certainly taking detailed notes for future efforts.”

As the court documents noted:

  • Cazes’ personal email, “Pimp_Alex_91@hotmail.com,” was included in the header of an AlphaBay welcome email that was sent to new users in December 2014. The email was also included in the header of AlphaBay password recovery emails sent in late 2014.
  • Law enforcement then discovered the email address belonged to a Canadian-born man named Alexandre Cazes with a birthdate of October 19, 1991.
  • A December 2008 post on the online tech forum “http://www.commentcamarche.com” was subsequently found in which a user going by the name “Alpha02” posted information in French on how to properly remove a virus from a digital photo. That post included both the name “Alexandre Cazes” and the email “Pimp_Alex_91@hotmail.com.”
  • The email address was also tied to a PayPal account registered in Cazes’ name.
  • When Cazes was arrested, law enforcement discovered his laptop open and in an unencrypted state, as well as logged into the server that hosted the AlphaBay site. While searching the computer they found several open text files with passwords for the AlphaBay site and servers, which allowed law enforcement to seize all the information and cryptocurrency on those servers.

At the time of his arrest, a financial statement on Cazes’ computer put his net worth at $23,033,975. Cazes attempted to justify his wealth through a front company called EBX Technologies, but the indictment noted that the company’s website “is barely functional” and that the company’s bank records show “little to no business income or banking activity.”

What’s Next for the Dark Web?

Dark web market takedowns are significant, Meyer said, but they’re also a part of the now-established cycle of popular markets being disrupted by law enforcement or exit scams only to have new markets rise in their absence.

“While the law enforcement take down of AlphaBay and Hansa are certainly heavily impactful to underground merchants, rest assured new marketplaces will be established and new protocols will be implemented,” Meyer said.

It was just a little over a year ago that the then-number-two most popular market, Nucleus Market, suddenly went offline in an apparent exit scam, helping to bolster both AlphaBay’s and Hansa’s user base. With those two markets now gone, Dream Market has become the temporary king, but that will likely change in the coming months as new markets and new operators step in to fill the void — until the cycle repeats again.

Weekly Cyber Risk Roundup: Big Telecom Leaks and AlphaBay Goes Offline

Massive database leaks were once again among the week’s top trending cybercrime targets, including incidents involving U.S. Verizon customers, France’s Orange S.A., and India’s Reliance Jio Infocomm.

The Verizon leak was caused by a third-party engineer at NICE Systems and affected as many as 14 million U.S. customers. The engineer appears to have created a publicly available Amazon Web Services S3 bucket that logged customer call data for unknown purposes. As a result, personal information, account information, and Verizon account PIN codes were potentially exposed. A Verizon spokesperson acknowledged the breach, but said only 6 million customers had their data exposed by the incident.

In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A., also a NICE Systems partner. However, the researchers said it “appears this internal Orange data is less sensitive.”

In addition, Reliance Jio Infocomm, an Indian telecom company with over 100 million subscribers, is investigating a potential incident after local news sites reported that names, telephone numbers and email addresses of Jio users were visible on a site called “Magicapk.” However, an initial investigation showed that Jio’s apps and websites were secure, ET Telecom reported. Last week the police brought in a suspect who was in possession of partial details of Jio subscribers, including their names, email IDs, alternate mobile phone numbers, and the dates of activation of SIM cards. That data may have been taken from a Jio retailer, since they have access to that type of subscriber data, the deputy commissioner of police for Navi Mumbai said.

Other trending cybercrime events from the week include:

  • More payment card breaches: A breach of Avanti Markets’ internal networks allowed malicious actors to push malware to self-checkout devices used in corporate break rooms, and as a result payment card information may have been compromised. Avanti said that it believes the malware was only active between July 2 and July 4 of this year. B&B Theatres, which operates 50 locations across seven states, discovered a point-of-sale breach that appears to date back two years. A recent alert estimated the window of exposure of the breach to be between April 2015 and April 2017. Real Estate Business Services (REBS) notified 1,033 California Association of Realtors members that their personal and payment card information may have been stolen when the online store they use was compromised with malware. The infection occurred between March 13 and May 15.
  • Medical information exposed: The County Commissioners Association of Pennsylvania (CAAP) said that the details of approximately 1,800 child welfare cases were exposed online by third-party vendor Avanco International. University of Iowa Health Care is notifying 5,292 patients that a limited set of their protected health information was “inadvertently saved in unencrypted files that were posted online through an application development site” and exposed for nearly two years. A former employee of the St. Charles Health System is accused of the unauthorized access and viewing of thousands of patient records.
  • More ransomware infections: Community Care of St. Catharines and Thorold in Ontario had its systems infected by NW4 ransomware, which demanded a $3,000 ransom payment. A Community Care spokesperson said that it backs up its data regularly so there was no need to pay the extortion. However, it still took nearly a week for Community Care to restore full access to its computers, and some data that was not captured in the most recent backup was lost. The dental office of Dr. Douglas Boucher, DDS, and Dr. Andrea Yaley, DDS, is notifying patients of a ransomware attack that may have compromised their patient information. The office said that its computer systems were believed to have been hacked around May 19, 2017, and on June 2 it received a ransomware notice. Records were restored from a backup; however, the office said the hacker did access its email system and may have accessed its patient dental health records.
  • Other notable incidents: A hacker going by the name Dhostpwned was able to use a PHP shell to compromise the dark web hosting provider Deep Hosting and said he obtained “the majority” of files and SQL databases on the server. An employee at the Australian Tax Office (ATO) published an ATO guide on how to hack mobile phones that included instructions on how to bypass passwords and obtain data even if the phone battery is depleted and it does not have a SIM card. A Russian-born cybercriminal living in Los Angeles was sentenced to 110 months in prison for running a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: “newly seen” cybercrime targets from the past week]

Cyber Risk Trends From the Past Week

The dark web marketplace AlphaBay has been taken down in a law enforcement raid and one of the alleged leaders of the site has been found dead in his Thai prison cell in an apparent suicide.

(See “AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals” for more information.)

As SurfWatch Labs has noted in the past, AlphaBay was by far the largest and most popular dark web marketplace before it suddenly went dark earlier this month, leading concerned users to speculate if its owners had either been arrested or performed an exit scam. It is not uncommon for dark web markets to disappear without notice. However, AlphaBay had built up a reputation for reliability and become the undisputed king of the dark web marketplaces over the past two years.

Alexandre Cazes, the man who committed suicide in his jail cell, is alleged to be the operator of AlphaBay known as “Alpha02.” U.S. authorities issued a warrant for Cazes’ arrest on June 30, and he was arrested in Bangkok on July 5, the Bangkok Post reported, the same day the dark web market suddenly went offline. Arrangements were being made for his return to the United States to face charges when Cazes reportedly used a towel to hang himself.

Wired reported that conservative estimates put AlphaBay’s daily transactions between $600,000 and $800,000. With the site suddenly gone, a significant percentage of the cybercriminal ecosystem is now in search of a new home. That influx of traffic forced the dark web market Hansa to close its doors to new businesses due to “technical issues.” Users of Dream Market also reported issues accessing the site following AlphaBay’s takedown.

The next few months will certainly be an interesting time on the dark web as those users look for a new place to buy, sell, and trade their goods and services — and as the story and fallout around the takedown begin to take shape.

AlphaBay to Begin Accepting Ethereum as the Bitcoin Alternative Grows More Popular

Beginning next month, malicious actors using the dark web marketplace AlphaBay will be able to buy and sell their goods using the growing cryptocurrency platform Ethereum. Ethereum will become the third payment option available on the market, joining the longstanding cryptocurrency king bitcoin as well as the privacy-focused Monero, which was adopted by AlphaBay last September.

The announcement is good news for fans of Ethereum, whose Ether cryptocurrency has seen a continued surge of growth in 2017 and is the second most popular cryptocurrency after bitcoin.

AlphaBay will begin accepting Ethereum deposits and withdrawals on May 1, an administrator announced on the site’s forum in March.

Bitcoin is by far the most well-known cryptocurrency, and it has been widely adopted by malicious actors and dark web markets as a convenient and semi-anonymous form of digital payment. In fact, cryptocurrencies like bitcoin, dark web markets like AlphaBay, and extortion payments like ransomware are interconnected in that the growth of one has helped spur the growth of the others.

However, bitcoin is currently experiencing growing pains, and Ethereum has emerged over the past year as its main rival. Ethereum’s proponents claim that it is a more versatile and scalable cryptocurrency. In fact, the idea of Ethereum goes beyond just currency, which is why it and other blockchain companies have been described as bitcoin 2.0. If bitcoin was about creating a decentralized payment system, Ethereum is about using that same concept to radically re-architect everything on the web — as Ethereum creator Vitalik Buterin describes it.

Fortune magazine explained in a September 2016 profile:

Ethereum’s power lies in its ability to automate complex relationships encoded in so-called smart contracts. The contracts function like software programs that encapsulate business logic — rules about money transfers, equity stake transfers, and other types of binding obligations — based on predetermined conditions. Ethereum also has a built-in programming language, called Solidity, which lets anyone build apps easily on top of it.

There’s ongoing debate over just how secure other cryptocurrencies are compared to bitcoin. For example, in June 2016 a hacker was able to exploit a flaw in the smart contract used by The DAO, a crowdsourced venture capital platform based on the Ethereum blockchain, in order to steal more than $50 million worth of Ether.

A controversial solution to address the theft was proposed, known as a “hard fork.” Cryptocurrencies use the concept of a blockchain, which is essentially a decentralized and agreed-upon ledger of all the transactions that have occurred. The hard fork would change the agreed-upon rules and create a new path forward for the currency — one that would invalidate the theft. However, some Ethereum users argued that the idea of a hard fork went against the very principles of a decentralized network that was designed to combat a single authority. Those that eventually rejected the fork are now on a parallel version of the blockchain, Ethereum Classic, while the rest of the community moves forward on the other fork as Ethereum.

Despite the troubles, Ethereum continues to thrive. The concept of disrupting existing business models with decentralized blockchains has gained Ethereum interest not just from dark web markets, but from legitimate companies. In February it was announced that 30 organizations — including JPMorgan Chase, Microsoft, and Intel — would team up under the Enterprise Ethereum Alliance to enhance the privacy, security, and scalability of the Ethereum blockchain.

Ethereum’s Value: Past 90 Days

Ethereum’s market cap has grown significantly on the heels of recent announcements, according to CoinMarketCap.

All of that news has helped to more than quadruple the market cap of Ethereum in 2017, from less than a billion in January 2017 to around $4 billion on April 6.

It’s still nearly a month before the option goes live, so it is unclear how many security-obsessed cybercriminals on the dark web will actually use the payment option — or if they will stick with bitcoin. Nevertheless, being adopted by AlphaBay, which is by far the most popular dark web market according to SurfWatch Labs’ data, could potentially be a huge boost for Ethereum.