Stolen Credentials – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Massive Data Dumps and More Insider Breaches

After a short period without seeing any new mega breach announcements, the past two weeks has seen several massive data dumps totaling more than 130 million records. In last week’s roundup, we mentioned a hacker going by the Twitter handle “0x2Taylor” who released 58 million records claiming to be stolen from an unsecured database. That leak has been attributed to Modern Business Solutions, but the company did not responded to numerous news outlets or sites that reached out to them about the breach.

It was also recently announced that gaming company Evony was hacked in June 2016 and more than 33 million user records were stolen. The compromised records contained usernames, email addresses, passwords, IP addresses and other internal data. LeakedSource said the passwords were stored using unsalted MD5 hashing and that they had already cracked “most” of the passwords.

On Thursday, a massive data breach was announced affecting Weebly, a popular web-hosting service featuring a drag-and-drop website builder. That breach included more than 43 million user records containing usernames, email addresses, passwords and IP addresses. The good news, LeakedSource wrote, was that the company actually responded to its notification attempts and “did not have [its] head buried deeply in the sand” like other companies it has attempted to notify of late. Also, the compromised passwords were stored using uniquely salted Bcrypt hashing. That’s good because as a hosting provider the breach not only affected tens of millions of users, but also tens of millions of websites.

As our Mid-Year 2016 Cybercrime Trends report noted, the credentials stolen/leaked tag appeared in 12.7% of the negative CyberFacts collected by SurfWatch Labs in the first half of 2016, a rise from 8.3% in 2015. A quick look at the updated data shows that since that report, that number has risen once again to 13.3% — driven, in part, by the more than 130 million records compromised in these three data breaches.

Other trending cybercrime events from the week include:

WikiLeaks, government leaks, dominate news: On Monday WikiLeaks tweeted that the Internet link for founder Julian Assange was intentionally severed by Ecuador. Ecuador later confirmed it was behind the interference due to WikiLeaks’ decision to publish documents affecting the U.S. election and Ecuador’s desire to not meddle in the election processes. That hasn’t stopped the ongoing leak of emails from Hillary Clinton’s campaign manager John Podesta, which was brought up several times during Wednesday’s presidential debate. Executive director of the North Carolina GOP Dallas Woodhouse is the latest official to have his email hacked. In this case it was used to send phishing emails to all of his contacts with a link to a fake Dropbox file titled “GOP-financial_Document.pdf.”

Financial information continues to be targeted: Axis Bank in India is investigating a cyber intrusion after being notified by Kaspersky Lab of a potential breach. Approximately 1,000 members of One Nevada Credit Union had their payment card information stolen via ATM skimming devices, and at least one member had $5,000 stolen due to the incident. Noble House Hotels & Resorts announced a point-of-sale breach affecting payment cards used at its Teton Mountain Lodge & Spa and Hotel Terra properties. According to the company’s press release, only customers who used their cards between September 5 and September 6 of this year were impacted.

Researcher’s computer infected, data stolen: A researcher at the University of Toyama’s Hydrogen Isotope Research Center had research data and personal information stolen from a personal computer after clicking on an attachment claiming to be questions from a student. Japanese news sources said that “huge volumes” of data were transmitted while the computer was infected. The data affected mostly included research that was either already published or slated to be published, as well as the email addresses of 1,500 people. The individual whose device was compromised was researching tritium, a radioactive isotope of hydrogen that may one day be used for fuel in nuclear fusion reactors.

More data breaches announced: CalOptima announced that 56,000 of its members may have had their personal information compromised when an employee downloaded their information onto a personal, unencrypted USB drive. Australian event management company Pont3 announced its third-party external electronic mailing account was accessed without authorization resulting in some participant, volunteer and associated information being stolen. redBus, an inter-city bus ticketing service founded in India, is investigating a possible data breach after being alerted of a potential intrusion; however, the company said it has not been able to conclusively establish a data breach.

Russian man tied to LinkedIn breach: A Russian man that was arrested by Czech police is connected to the 2012 data breach at LinkedIn, the company said on Wednesday, although officials have not publicly confirmed the connection. Russian news agency TASS indicated that Russia would fight any attempts to extradite the man to the U.S.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

After several weeks of steady or dropping cyber risk scores, this week saw a consistent rise in risk across most sectors. Nine out of twelve sectors saw an uptick in cyber risk score when compared to the previous week, with Utilities (+10.9%) and Healthcare (+9.7%) seeing the biggest change. Government and Other Organizations experienced a rise of more than 6%, in part due to the many cyber-attacks and leaks tied to the U.S. presidential election.

Another reason for that rise is a steady trickle of small-scale data breaches tied to groups such as education and healthcare facilities. In a recent blog, we highlighted the difficult and growing problem of malicious insiders, but as that blog noted, the majority of insider incidents are unintentional errors committed by employees, vendors and third parties.

We saw several such news stories this past week:

Katy Independent School District in Texas experienced a data breach affecting 78,000 students after a third-party that works with the district’s student data management system accidentally copied student information and uploaded it to a security software application used by 29 other school districts.

Nearly 700 users of Vermont’s online health insurance marketplace had their information inadvertently exposed due to a subcontractor mishandling their data and making it publicly accessible. WEX Health was hired by Vermont to perform payment processing for the insurance exchange, and Samanage, a subcontractor for WEX Health, made a data file publicly accessible for nearly two months.

St. Joseph Health agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights over accidentally making electronic protected health information publicly accessible on the Internet from February 2011 until February 2012.

This week’s stories highlight the variety of ways a data breach can occur from ill-trained employees and contractors along with other poor risk management strategies.

In the case of Katy Independent School District, an employee for SunGard K-12 mistakenly copied a file containing Katy ISD data into a standard installation pack for an information security software application. In the case of St. Joseph Health, a server that was purchased to store files included a file sharing application whose default settings allowed anyone with an Internet connection to access them. St. Joseph Health did not examine it or modify it after implementation, HHS wrote in a press release, leading to the ePHI of 31,800 individuals being compromised. That mistake cost St. Joseph a payment of $2,140,500 and the adoption of a comprehensive corrective action plan in order to settle potential HIPAA violations.

Those incidents, along with our previous blog on malicious insiders, serves as an important reminder that many data breaches do not come from outside the organization; rather, they come from within.

Malicious Insiders Remain a Difficult and Growing Problem

Earlier this month, the Department of Justice unsealed a criminal complaint against a contractor for the National Security Agency, alleging the theft of highly classified information. Like Edward Snowden in 2013, Harold Thomas Martin III, 51, of Glen Burnie, Maryland, worked for Booz Allen Hamilton and is accused of exploiting his insider access in order to remove classified files.

According to the complaint, search warrants executed in August discovered stolen documents, digital files and government property in Martin’s residence and vehicle. Six of the classified documents contained sensitive intelligence dating back to 2014.

“These documents were produced through sensitive government sources, methods and capabilities, which are critical to a wide variety of national security issues,” the DOJ wrote. “[The] documents are currently and properly classified as Top Secret, meaning that unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security of the U.S.”

A second case of insider theft at the NSA in three years has once again raised the issue of malicious insiders and the challenges of preventing employees, vendors and other third-parties from causing a major data breach.

Growing Concern Around Insider Activity

Defense is just one of many groups rightfully concerned about insider threats. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year. In addition, 56 percent of those security professionals said that insider threats have become more frequent over the past 12 months.

Since January 2016, SurfWatch Labs has collected data on more than 180 industry targets associated with the “insider activity” tag. Of those, Healthcare Facilities and Services is the top trending group with 35 total targets, followed by Software with 18 total targets.

Not all data breaches caused by insiders are intentional. In fact, the majority of insider breaches are caused by a combination of employee errors, negligence, lost devices or other unintentional disclosures, according to SurfWatch Labs’ data.

The more malicious “employee data theft” tag is tied to less than one-fifth of all the targets associated with insider activity.

However, there is growing concern around that small percentage of malicious insiders — particularly those who may be using their knowledge and access to sell information anonymously on the dark web.

As Verizon’s Data Breach Investigations Report noted, insider activity is among the most difficult issues to detect. Nearly half of the insider incidents evaluated by Verizon took months to discover, and more than a fifth of the incidents took years.

That concern is amplified by the ease in which insiders can monetize their access to sensitive information due to the growing popularity of dark web markets and anonymous digital currencies such as bitcoin — a concern shared by many in law enforcement. In September, Europol announced the creation of a working group designed to look into the those currencies, which the agency said is “already transforming the criminal underworld.”

“Europol, INTERPOL, and the Basel Institute on Governance are concerned about the seriousness of these threats and note the increasing use of new kinds of currencies,” Europol wrote in a press release. “To trace assets transferred, laundered, exchanged or stored through the use of cryptocurrencies poses new and distinctive challenges to investigators and prosecutors, as does the seizure and confiscation of the proceeds of crime in cryptocurrencies.”

Financial gain remains the primary motivator for insiders, according to Verizon. Thirty-four percent of insider breaches are profit-driven, followed by espionage, which accounts for a quarter of insider breaches.

Monitoring Cybercriminal Channels

It’s unclear exactly how the NSA discovered its recent insider theft, so it’s hard to judge the extent of which the agency’s post-Snowden security reforms may have aided in identifying Martin’s alleged theft — or what lessons, if any, can be extrapolated to help protect other organizations.

In addition to monitoring employees and creating a positive corporate culture to minimize disgruntled employees, as Verizon suggested, organizations can also benefit from monitoring dark web markets and cybercriminal forums for any signs of yet-to-be detected breaches.

For example, SurfWatch Labs recently observed a user of a dark web forum claiming to have insider access at a money transfer company, and in June, Brian Krebs shared a screenshot of an insider at Guitar Center boasting that the fraud he or she was proposing would “have no way of coming back to me.”

“I currently have approvals and passwords that allow me to manually enter CC [credit cards] at the registers of Guitar Center, Bypassing the usual 3 code verify,” the insider wrote. “I also have physical access to the server room and I am looking to exploit this with the help of some seriously skilled people.”

The fact that a disgruntled employee or contractor can go unnoticed, in many cases for years, while monetizing stolen information via anonymous cryptocurrencies is a scary thought for many organizations, particularly since a significant percentage of insider attacks are carried by low-level employees.

“When their roles were classified in the incident, almost one third [of insiders] were found to be end users who have access to sensitive data as a requirement to do their jobs,” Verizon noted. “Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%). The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them).”

Monitoring for insider threats, either within an organization or via external sites, may not stop a breach that has already happened, but it can help to shorten the discovery so that it is not going on for years, as is often the case.

Weekly Cyber Risk Roundup: Yahoo One of Many New Data Breaches

The past week has been full of various data breach announcements that have flown mostly under the radar. One exception is the breach at the World Anti-Doping Agency (WADA). New batches of information on Olympic athletes continue to be leaked, and the Entertainment sector’s cyber risk score has steadily risen to reflect those leaks. Another exception, and one of the biggest data breach stories of the year, is Thursday’s announcement from Yahoo that 500 million users had their information stolen in late 2014 by alleged state-sponsored hackers.

The theft includes names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The New York Times described the Yahoo breach as “the biggest known intrusion of one company’s computer network.” U.S. Sen. Richard Blumenthal said that if claims that Yahoo knew about the breach since August are true, taking two months to inform users is “a blatant betrayal of their users’ trust.” Sen. Mark Warner is using the incident to push for the adoption of a uniform data breach notification standard.

The Yahoo breach is just the latest example of years-old breaches that have come to light in recent months and affected tens or, in Yahoo’s case, hundreds of millions of individuals. The already massive list of potentially exposed passwords continues to grow, making good password hygiene more important than ever. But the Yahoo breach highlights another nagging problem: the use of static, knowledge-based authentication questions.

From Yahoo’s announcement:

“We invalidated unencrypted security questions and answers so they cannot be used to access an account. … Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.”

Except unlike passwords, static-based questions cannot be changed. How do you change your mother’s maiden name, your favorite teacher, or the name of your first pet? Fake answers can be used – and they are more secure – but what percentage of people will actually take that extra step?

A February survey from password manager LastPass indicates the majority of people are still reusing passwords. Fifty-nine percent of respondents said they reuse passwords across multiple services and 61% said they are more likely to share work passwords than personal passwords.

Organizations need to be aware of recent credential breaches, inform and train users about the threat, and ensure that password policies and procedures reflect the current level of risk surrounding compromised credentials.

What’s Everyone Talking About? Trending Cybercrime Events

In addition to the highly-publicized data breaches from Yahoo and WADA, many other companies made data breach announcements over the past week.

Some of those apparent breaches are sparse on details – such as the FBI seizing computers at Camden County Courthouse in Missouri or office supplies firm AF Smith taking its Apple website offline after fears of a payment card breach – however, many of this week’s announcements showcased the various ways in which data breach can occur.

Data breaches were caused by:

Unauthorized access: Codman Square Health Center is notifying patients of a data breach after an unauthorized individual accessed information through the New England Healthcare Exchange Network. Mobile review site MoDaCo said a data breach of 875,000 accounts likely occurred by way of a compromised administrator account. A Florida man has been arrested on charges of hacking into computers operated by the Linux Kernel Organization and the Linux Foundation using compromised credentials. A Kennesaw State University student used a professor’s account to hack into the school’s system to change grades and steal personal information. Police also discovered the usernames and passwords of at least 36 faculty members in a notebook in his home. The Pokemon battle simulator Pokemon Showdown was breached and the hacker was able to steal a database dump by compromising administrator’s credentials via social engineering and then using a privilege escalation vulnerability.

Improper court filings: WakeMed Health and Hospitals has been ordered by a federal judge to notify thousands of patients that their personal and medical information was disclosed in court filings over a six-year period. Most of WakeMed’s bankruptcy claims were filed by now-retired employee Valeria Soles. In court testimony, Soles said she had no training and no supervision with regard to filing claims and that no one else in her department knew how to file bankruptcy claims.

Missing devices: The University of Ottawa is investigating the disappearance of an external hard drive containing the personal information of approximately 900 students. According to CBC News, the hard drive was used to back up personal information on students with physical or learning disabilities or mental health issues that applied for special academic accommodations.

Employee error: The recent leak of NSA hacking tools by a group known as Shadow Brokers is suspected to have originated with an employee or contractor who made the mistake three years ago. The theory is that tools were left on a remote computer during an operation and that Russian hackers eventually found them.

Third parties: A data breach at the payroll service used by Oconee County, South Carolina, led to 230 county employees not receiving their scheduled direct deposits. The investigation is ongoing and the source of the breach is currently unknown.

Cybercriminal hackers: Hackers claim to have stolen a database from Australian point-of-sale vendor H&L Australia, and the alleged 14.1 gigabytes of data along with an active backdoor to the company’s network was apparently offered for sale more than two months ago.

In addition to the data breaches listed above, SurfWatch Labs also collected data on many different companies tied to cyber-attacks and illegal trading over the past week. Some of those newly seen targets are shown in the chart below.

Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel on taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing” — where automated tools are used to exploit large batches of known user credentials to discover new accounts to take over.

SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year old credentials appears to be the cause of the current breach of O2 accounts — as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.

2016-07-27_thirdpartygroups — While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third-parties as a source of the compromise in their repsective statements.

Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.”

Cybercrime is Increasingly Interconnected, Says New SurfWatch Labs Report

The first half of 2016 is over, and SurfWatch Labs analysts have spent the past few weeks sifting through the huge amount of cybercrime data we collected — totaling tens of thousands of CyberFacts across more than 3,400 industry targets — in order to identify threat intelligence trends to include in our mid-year 2016 report.

“If anything,” the report notes, “the stories behind these breaches seem to contradict the increasingly familiar spin that follows most incidents: ‘We were the victim of a sophisticated attack. The incident has been contained.'”

Download the full Mid-Year 2016 Cyber Trends Report

To the contrary, the data behind the year’s many incidents indicates many cyber-attacks are neither sophisticated nor isolated.

For example, this year’s top trending cybercrime target was LinkedIn. In May 2016 LinkedIn announced that a 2012 breach, which was believed to have been contained four years ago by resetting passwords on impacted accounts, was much larger than originally thought. An additional 100 million members were affected. Since that announcement, reports continue to surface of secondary organizations having their data stolen due to a combination of those now exposed LinkedIn passwords, widespread password reuse among employees, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

To make matters worse, LinkedIn was just one of several massive credential dumps to make headlines — not to mention the numerous high-profile breaches affecting personal information or other sensitive data.

Trending Industry Targets Tied to Cybercrime in 1H 2016

SurfWatch Labs collected data on 3,488 industry targets tied to cybercrime in the first half of 2016. Of those, 1,934 industry targets were observed being discussed on the traditional web and 1,775 were observed on the dark web.

Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. As we noted in May, this has led to many companies making headlines for data breaches — even though a breach may not have occurred. For example:

Music service Spotify had a list of user credentials posted to Pastebin that were collected from other data breaches. This led to a series of articles about the company “denying” a data breach.

China’s online shopping site Tabao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts.

GitHub, Carbonite, Twitter, and more have all forced password resets for users after large-scale targeting of user accounts or lists of user credentials appeared on the dark web.

Other unnamed companies have confirmed to media outlets that sensitive information has been stolen recently due to password reuse attacks.

SurfWatch Labs’ data paints a picture of an increasingly connected cybercrime world where malicious actors leverage past successes to create new victims. The pool of compromised information widens; the effects of cybercrime ripple outwards.

However, those effects are largely dependent on industry sector and the types of information or resources that are attractive to different individuals, hacktivists, cybercriminal groups, and other malicious actors. SurfWatch Labs’ data so far this year reflects that fact.

Updated_Effect_Heatmap2 — Infected/exploited assets, service interruption and data stolen/leaked were the top trending effect categories overall in the first half of 2016, based on the percentage of CyberFacts that contained those tags.

For example, SurfWatch Labs report identifies infected/exploited assets as the top effect category overall, although it only appeared in 14% of entertainment and government-related CyberFacts. In those sectors, the majority of discussion was around account hijacks (37%) and service interruption (33%), respectively, as actors targeted social media accounts with large followings or hacktivists utilized defacement and DDoS attacks to spread their messages.

Similarly, the healthcare sector saw increased chatter around the financial loss and data altered/destroyed categories due to several high-profile ransomware attacks and warnings from various bodies about potential extortion attacks.

Other interesting data points and trends from the report include:

IT, global government, and consumer goods were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines. The consumer goods sector made up the largest share of industry targets with information bought, sold, or otherwise discussed on the dark web.

Employee data is being targeted more often. Some organizations reported falling victim to scams targeting data such as W-2 information even though they were able to successfully identify and avoid other more traditional wire fraud scams. Malicious actors may be trying to take advantage of these “softer” targets in the human resources, bookkeeping, or auditing departments by performing attacks that are not as easily recognizable as large-dollar wire fraud attempts.

Point-of-sale chatter remains relatively low. Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.

Ransomware and extortion threats continue to grow. The first half of 2016 saw a spike in ransomware and extortion-related tags as researchers, organizations, and government officials tried to deal with the growing and costly problem of data or services being held hostage for ransom.

For more threat intelligence trends, download the full Mid-Year 2016 Cyber Trends Report from SurfWatch Labs.

Top Dark Web Markets: AlphaBay and Stolen Credentials

Dark web markets are constantly changing. The last major shakeup to occur was the disappearance of the Nucleus Market, which has been offline for nearly a month and a half. Since then, the site’s users have flocked to other markets in search of an alternative.

Many of those users have transitioned to AlphaBay, the current king of dark web markets. AlphaBay was the most popular marketplace before Nucleus Market disappeared. Since then it has only grown more popular.

AlphaBay_May2016_2 — A vendor selling hacked bank account logins on AlphaBay.

A similar surge happened in March 2015 after the administrators of the dark web marketplace Evolution shut down and stole users’ bitcoins in an “exit scam.” In the three days following Evolution’s disappearance, AlphaBay received 18,000 new registrations, said alpha02, a well-known carder and founder of the AlphaBay market. A few months later another major dark web market, Agora, announced it was shutting down due to security issues. Once again, AlphaBay membership surged. By October 2015 AlphaBay announced it had hit 200,000 users and become one of the most popular markets on the dark web.

That growth has continued. In early January there were approximately 12,500 fraud-related listings. Today there are close to 20,000.

How Does AlphaBay Work?

As we noted last month, there are a lot of misconceptions about the dark web, and it is not hard for the average person to find these websites and purchase illicit goods and services. However, the markets are also full of law enforcement, researchers conducting threat intelligence (like SurfWatch Labs), and scammers. As a result, those buying and selling items tend to be concerned about two things: anonymity and security.

Anonymity when purchasing: The combination of tools such as Tor, which helps users anonymously access the markets, and the growth of virtual currencies, which helps users anonymously purchase illegal items, has helped dark web markets such as AlphaBay flourish.
Security among thieves: AlphaBay offers multi-signature escrow to help protect buyers from getting scammed. Money is deposited into a wallet with three people having keys: the buyer, the seller and the market. Two of those keys are needed to approve payment. If the buyer is happy, he or she releases the key and the seller is paid. If there is a dispute, the moderator can approve payment and give the second key to the seller — or deny payment and give the key to the buyer.

In addition, in just the past few months AlphaBay has rolled out mandatory two-factor authentication for vendors as well as a detailed privacy policy — the first dark web market ever to do such a thing, it claims.

Many markets try to emulate the customer-friendly features seen on popular e-commerce sites such as Amazon or eBay. In the case of AlphaBay, there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users. In addition, buyers can view feedback in the forms of reviews and star ratings.

AlphaBayFeedback_edited — Seller ratings on AlphaBay.

The key takeaway for those unfamiliar with these cybercriminal markets is that it is not that different an experience from buying things via the normal web.

What’s for Sale on AlphaBay?

Being the most popular dark web market, AlphaBay offers nearly every type of item or service for sale. Drugs are the most common type of item — as is true of most markets. SurfWatch Labs doesn’t collect data on every listing, instead focusing mainly on cybercrime-related items. Of those, credentials trade is the top trending practice tag over the past 30 days.

2016-05-24_alphabay_practices — Although all types of items are for sale on AlphaBay, credentials trade is the top trending practice tag over the past month, according to SurfWatch Labs.

Credentials trade includes logins for various services and financial institutions. Those credentials can then be used for fraud, as a stepping stone for further attacks, or simply to use legitimate services such as Netflix or Uber for free.

Specific items related to credential theft for sale the past few weeks include …

Credentials to access various credit card accounts or the information to answer associated security questions:

Credentials that can be bought in bulk such as this list of 10,000 German email addresses and passwords:

Credentials for customer accounts at various restaurants and coffee shops, including some that have payment information connected to “auto-reload” the account whenever the balance gets low enough:

Credentials for reward accounts from airlines and other retailers that can be redeemed for various goods and services:

Credentials for hacked websites such as WordPress blogs:

Full profiles — which include names, email, passwords, phone numbers, Social Security numbers, dates of birth and more — basically, everything needed to set up an account, apply for credit or perform other fraudulent actions:

And credentials for many, many more accounts.

Where do all of these stolen credentials come from? They come from data breaches, malware that captures keystrokes, phishing and, as we noted earlier this week, the problem of people continuing to reuse passwords across multiple sites, which allows automated tools to use those giant lists of previously stolen credentials to gain access to other sites.

Of course, AlphaBay offers a plethora of other items for sale unrelated to stolen credentials, and we’ll touch on some of those in the coming week’s as we examine the other dark web markets. Those top markets tend to change due to exit scams, security concerns or law enforcement actions, but for now AlphaBay remains the king of the underground.

Credential Theft and the Problem of Non-Breach ‘Breaches’

Earlier this month, news outlets across the country reported on the latest mammoth list of stolen credentials — 272 million in total.

“It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago,” Reuters reported.

Turns out, the total number of actual accounts affected is much, much less — a representative for Google put the total number of bogus Google accounts at 98% — however, the story does bring a crucial cybersecurity point back to the forefront: stolen credentials and the collateral damage they cause. Companies are continually finding themselves in the news for data breaches that aren’t really breaches at all.

For example, this year we’ve seen:

Spotify had a list of user credentials posted to Pastebin, leading to a spate of articles about the company “denying” a data breach. “Spotify has not been hacked and our user records are secure,” the company repeatedly told reporters and bloggers.
China’s online shopping site Tabao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts. “Alibaba’s system was never breached,” a spokesperson noted.
Reddit recently had more than 100 subreddits defaced when a hacker went on a spree of taking over moderator accounts. The Register speculated that it was “possible the hacker is testing breached passwords against the accounts to pop weak or reused credentials.”

In nearly every case, along with the negative — and some may argue unfair — breach-related headlines, a spokesperson steps up to say the same thing: we weren’t breached and the theft is likely due to customers reusing credentials that were stolen elsewhere.

Verizon’s recent Data Breach Investigations Report highlighted the issue as well: 63% of confirmed data breaches involved weak, default or stolen passwords. The report authors noted, “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works.”

As we repeatedly see, the reuse of stolen credentials puts many companies in the unfavorable position of having to deny a data breach happened — even as customer accounts are getting taken over.

Easy-to-Use Tools

Automated tools have made it easy for cybercriminals to take these massive lists of stolen credentials — such as the list of over 100 million LinkedIn credentials — and test those credentials against popular websites until they find cases of password reuse.

How often does that work? It varies depending on who you ask, but Shape Security recently wrote about its experience examining one of the popular tools used in these “credential stuffing” attacks.

“We have found that most combo lists have a 1% to 2% success rate, meaning that if an attacker purchases a list from a breach on site A (or a combination of site breaches) and then uses Sentry MBA (or another credential stuffing tool) with that list to attack site B, 1% to 2% of the usernames and passwords from site A will work on site B,” wrote Shape Security chief security scientist Xinran Wang.

One percent may not seem like much, but as Wang points out, if an attacker has a list of one million credentials, they may be able to hijack 10,000 accounts on any popular website using these readily available tools.

In some cases, this amounts to a massive number of fraudulent logins. According to Shape Security researchers, over a one week period last December, attackers made five million log-in attempts at the website of a Fortune 100 company using the Sentry MBA tool.

That’s why some of these recent legitimate breaches have been so widely criticized. The companies in question often are not taking into account the potential collateral damage.

Big Breaches and Collateral Damage

Last month security researcher Troy Hunt reported that over seven million user accounts for the Minecraft community “Lifeboat” were compromised. According to Motherboard, Lifeboat didn’t bother telling its users about the potential issue — and how it may affect other accounts with similar credentials.

“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act,” said a Lifeboat representative, not clarifying to Motherboard when pressed why the company never informed its users. “We have not received any reports of anyone being damaged by this.”

But would they know if someone used those stolen credentials to log into someone’s email or social media or bank account?

Likewise, Brian Krebs recently criticized LinkedIn’s handling of its massive breach of user credentials. In 2012, LinkedIn discovered a data breach that it thought affected 6.5 million users. The company contacted those users to force a password reset. However, last week they discovered the breach actually impacted more than 117 accounts.

“Inexplicably, LinkedIn’s response to the most recent breach is to repeat the mistake it made with original breach, by once again forcing a password reset for only a subset of its users,” Krebs wrote.

“We did at the time what we thought was in the best interest of our member base as a whole, trying to balance security for those with passwords that were compromised while not disrupting the LinkedIn experience for those who didn’t appear impacted,” LinkedIn spokesman Hani Durzy said in an email to Krebs about the 2012 incident.

But what about the more than 100 million potentially compromised credentials that may have been used for years without users even being aware they may have been stolen?

Looking Forward

There will always be a subset of users that reuse credentials, and those users will always be at increased risk of their accounts being hijacked. Unfortunately for companies, their names are often associated with a data breach or a hack even if it is an event driven largely by a combination of other organizations’ breaches and bad password habits.

Implementing additional layers of security such as two-factor authentication can help protect those customers. Or organizations can follow the lead of proactive companies like Amazon, which recently reset some users passwords after finding a list of leaked credentials online.

“While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites,” Amazon wrote to impacted users. “Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.”

Until organizations get more proactive or force users to implement more layers of security, with so many stolen credentials available to cybercriminals, expect organizations to continue to make negative headlines due to these “non-breach breaches.”