dream market – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: More Payment Card Breaches and Dark Web Arrests

Payment card breaches were back in the news again this week as Forever 21 announced that it is investigating a point-of-sale breach (POS) at some of its stores, and several other organizations issued breach announcements related to stolen payment card data.

Forever 21 said that it received a report from a third party about potential unauthorized access to payment cards at some of the company’s stores, and the ongoing investigation is focusing on POS transactions made in stores between March 2017 and October 2017.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company wrote.

In addition, organizations continue to submit breach notification letters to various state attorneys general regarding the previously disclosed breach involving Sabre Hospitality Solutions SynXis Central Reservations system, including The Whitehall Hotel and JRK Hotel Group, both of which were impacted from August 10, 2016, through March 9, 2017. The Register also reported that Jewson Direct is notifying customers that their personal and payment card information may have been compromised due to the discovery of unauthorized code on its website. However, the company said the inclusion of card data in the notification was only “an advisory measure” as the investigation is ongoing.

The recent breaches, as well as other breaches such as Sonic, may have led to an increase in payment card fraud activity in the third quarter of 2017. Fraud activity is also expected to increase as consumers buy gift cards and other items over the holiday shopping season.

Other trending cybercrime events from the week include:

Organizations expose data: Researchers discovered a publicly exposed Apache Hive database belonging to ride-hailing company Fasten that contained the personal information of approximately one million users as well as detailed profiles of its drivers. A researcher said the Chinese drone maker DJI has exposed a variety of sensitive information via GitHub for up to four years, in addition to exposing customer information via insecure Amazon S3 buckets. Researchers discovered two insecure Amazon S3 buckets appearing to belong to the Australian Broadcasting Corporation’s commercial division, including information regarding production services and stock files. The Maine Office of Information Technology said that approximately 2,100 residents who receive foster care benefits had their personal information temporarily posted to a public website after an employee at contractor Knowledge Services uploaded a file containing their data to a free file-comparison website without realizing that the information would become publicly accessible. Dignity Health is notifying employees that some of their personal information was accidentally exposed to other employees.
Employee email accounts compromised: ClubSport San Ramon and Oakwood Athletic Club is notifying employees that their W2 and tax statements were sent to a malicious actor following a phishing attack impersonating an executive. ABM Industries Incorporated is notifying employees that their personal information may have been compromised due a phishing attack that led to multiple email accounts being compromised. Saris Cycling Group is notifying employees that their personal information may have been compromised due a phishing email that led to an employee email account being compromised.
Extortion-related attacks: The website of Cash Converters was hacked, and the actors behind the attack said they would release the data of thousands of UK consumers unless a ransom is paid. Little River Healthcare Central Texas is notifying patients of a ransomware attack that may have accessed their information and led to some data being irretrievably deleted when the clinic tried to restore the files. Far Niente Winery is notifying individuals of a ransomware attack that may have compromised their personal information.
Other notable incidents: A group associated with Anonymous hacked the email accounts of an employee of Italy’s Defence Ministry and a member of the Italian police and then published a variety of information allegedly obtained from those accounts. Officials from Catawba County, North Carolina, said that malware shut down a number of county servers and caused temporary interruptions in service, as well as a number of spam emails being sent to county residents. Gallagher NAC is notifying individuals that their personal information may have been compromised due to “a small amount of data” being stolen from a database between June 18 and September 19. CafeMom is notifying customers that email addresses and passwords used to create accounts prior to July 2011 were compromised “at some point in the past.” AppDirect said that a phisher has been impersonating members of the company’s human resources, recruiting, and sales teams on job sites, and several people have applied to those fake listings and received fake job offers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Dark Web markets continued to make headlines this week as a key player in AlphaBay’s operations was charged and cyber-attacks against other still-active dark web marketplaces temporarily disrupted operations.

Federal prosecutors allege that Ronald L. Wheeler III, of Streamwood, Illinois, worked as a spokesperson for the now-shuttered Dark Web marketplace AlphaBay. AlphaBay had grown to become the largest-ever Dark Web marketplace before it, along with the popular Hansa Market, were taken offline by law enforcement this past summer.

Wheeler is accused of working alongside Alexandre Cazes, a 25-year-old Canadian who was alleged to be the owner of AlphaBay known as “Alpha02.” Cazes reportedly committed suicide in his Thai jail cell a week after being arrested in July.

The Associated Press reported that Wheeler has pleaded not guilty to the AlphaBay-related charges, but prosecutors allege that he worked with Cazes using the name “Trappy” to moderate the AlphaBay forum on reddit, mediate sales disputes, and provide other non-technical assistance to users.

As SurfWatch Labs previously reported, the downfall of AlphaBay and Hansa Market elevated Dream Market to the temporary king of the Dark Web. However, Dream Market other popular markets have been the target of DDoS attacks over the past few weeks, making the sites difficult to access for some users. Those attacks can delay purchases beyond the already congested list of pending Bitcoin transactions, which is slowing down both legitimate and criminal transactions.

Prior to being seized, AlphaBay had grown to accept multiple payment options, including Ethereum and Monero; however, Dream Market still only accepts Bitcoin, and that restriction may help push some users towards other markets that have more, and quicker, payment options as the Dark Web marketplace continues to evolve in AlphaBay’s absence.

Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.

In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”

Other trending cybercrime events from the week include:

Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.

#LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”

New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that the personal information of users could have been compromised by changing the URL of the activation code sent to new users in order to view other account holders’ data. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.

More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.

Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.

Cyber Risk Trends From the Past Week

Law enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST recommends that organizations become proactive and block passwords that have been previously tied to data breaches in order to improve security. That’s why he’s released a list of 320 million previously compromised passwords for organizations to download for free and use to protect their systems.

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”

Top Dark Web Markets: With Dream Market You Can Be a Criminal Too!

Two weeks ago we talked about the disappearance of Nucleus Market and how many of its former users have moved to AlphaBay, the unquestioned leader in terms of current dark web activity.

This week we turn our attention to Dream Market, the second most popular dark web market of 2016, according to SurfWatch Labs’ threat intelligence data.

A Quick Look at Dream Market

The places where cybercriminals go to sell their illicit goods and services are constantly changing. This is due to a combination of exit scams that rip off buyers, law enforcement disrupting operations, and a healthy paranoia that may lead those running certain markets to close up shop before getting caught. Dream Market has been around since November 2013 — a significant achievement in the ever-evolving cybercriminal scene. At two-and-a-half years of age, it is the oldest existing dark web marketplace, and that longevity has helped it to establish a certain level of trust among its users.

Although most dark web markets sell a wide variety of items, certain sites tend to attract specific types of listings over others. For example, when we wrote about AlphaBay, we focused on the problem of stolen credentials, the market’s most popular practice tag, according to SurfWatch Labs’s data.

When looking at Dream Market, credentials trade is much less popular. Instead, the most popular type of listing involves crimeware.

2016-06-01_DreamPracticeHeatmap — This heat map is colored by the most popular cybercrime practice tags found on each market, with red signifying a higher percentage of listings. Interestingly, the three most popular markets this year all have a different focus: carded account trade for the now-defunct Nucleus Market, credentials trade for AlphaBay, and crimeware trade for Dream Market.

Although Dream Market’s popularity is growing, some users have reported occasional issues accessing the market since Nucleus went offline. This may be due to the influx of former Nucleus users or — as has occurred in the past — DDoS attacks from competitors trying to disrupt the user base.

Crimeware Trade and “Sophisticated” Cybercriminals

There’s a perception that cybercriminals are growing increasingly sophisticated. This is driven home by the fact that nearly every company’s PR team rolls out the “we were victims of a sophisticated cyber-attack” line after each incident. It’s true; the cybercrime-as-a-service model has allowed for advanced techniques to be more readily available to the average hacker. However, the root causes of data breaches and other cyber incidents tend to remain relatively unsophisticated.

When looking at the many listings on Dream Market related to crimeware trade, it’s clear that not everyone is a criminal mastermind performing million dollar wire fraud or business email compromises scams. In fact, many crimeware items for sale on Dream Market and elsewhere aren’t malware like remote access Trojans or keyloggers at all, but rather basic guides on how to perform simple, low-level thefts.

For example, there’s the below vendor who’s selling a guide on how to scam a major retailer for in-store credit. This “dead serious” scam has even been used to make money to take dates out for drinks and to get a tank of gas. Your satisfaction is guaranteed!

Are you hungry? You won’t be anymore if you follow this other vendor’s advice on scamming a popular pizza chain. Get unlimited free pizza.

Or are you an aspiring fraudster looking for someone to take you under their wing? For just the low price of $2.99, you can learn how to take advantage of this company’s obvious security flaws, handy smartphone application, and no-questions-asked refund policy. The vendor even claims it’s legal!

Or maybe you’ve hit hard times and need a few bucks. No worries! This vendor has a guide that’s “perfect for those in financial instability situations.” Just purchase some of the many bank account credentials that are advertised with enticing balances, and pair those with this handy step-by-step tutorial to cash them out — no knowledge necessary.

Or maybe you hear about all these tools used to discover vulnerabilities and hack businesses, but you don’t know how to use them. There are plenty of guides for those without technical knowledge.

Of course, real malware, tools and hacking services are for sale, along with stolen credentials, pirated media, counterfeit documents and more.

Cybercrime-as-a-Service

Although it’s fun to look at some of the over-the-top salesmanship and scams for sale on Dream Market and others, it is important to note that those low-dollar fraudulent charges, while not enough to make news headlines, do have a significant impact on the companies they’re targeting and the individuals they’re ripping off.

Also, the fact that potential criminals can have their hands held throughout the whole process of cybercrime — from phishing to malware to cashing out funds — is a growing concern. As we wrote in SurfWatch Labs’ 2015 Year in Review, “This separation of the technical aspect of cybercrime has widened the pool of potential hackers and lessened the knowledge gap that previously separated groups of malicious actors.”

There is no need to build an exploit kit or point-of-sale malware from scratch. Simply purchase the latest tools complete with customer service and technical support. Need a phishing page or information on a company’s employees? Buy one of the many guides on social engineering. No time for that? Simply hire one of the many services to do the technical legwork for you.

The good news? All of the information and tools available to those wannabe hackers can be leveraged by organizations as well. This dark web threat intelligence can help us better understand the relevant cyber threats facing organizations, their supply chain and their customers.

Next week we’ll look at another dark web market to see what intelligence we can learn.