Author: DarkOwl Analyst Team

July 08, 2022

Two years after the COVID-19 pandemic forced the world into their homes for quarantine, video gaming and streaming subscription service use is at an all-time high. There are over 134 million registered monthly active users (MAUs) on the popular video gaming distribution platform, Steam; an estimated 62 million connect daily to the service. 85% of US households have at least one video streaming service and on average households subscribe to at least 4 different services. In early 2022, Netflix reported over 221.6 million global MAUs of their services. (Source)

Given the widespread use of such services across all ages, demographics, and regional and cultural backgrounds, topics related to video gaming and streaming are frequently discussed in conversations in the criminal digital underground. The video gaming industry and the darknet community also have similarities in their core user base. Many gaming enthusiasts are intelligent, young, technically savvy, thrive in online communities and navigate the controversial and psychological games of the darknet with ease.

In celebration of National Video Game Day – July 8^th – our analysts decided to take a closer look at the intersections between gaming, streaming and the darknet to uncover how interrelated the online communities are.

Accounts For Sale

Video gaming and streaming accounts are regularly offered for sale on the darknet. Accounts and accessories for popular video games such as PlayerUnknown’s BattleGrounds (PUBG), Dota 2, League of Legends (LoL), and Counter Strike (CS): Global Offensive are amongst those that regularly traded.

Game accounts are offered as “premium” with bonus account perks like player outfits, custom “skins,” and additional “uc” or “unknown cash” which can be used as virtual currency on the game platform for purchasing weapons and player skills.

Figure 1: Source DarkOwl Vision

Figure 2: Offer for over 280,000 Video Game Accounts for Sale

Some video gaming accounts include “leveled up” advanced player status that includes more skills or badges, years of experiences, with extensive in-game credibility that is more valuable than a standard account on the game.

Figure 3: Source DarkOwl Vision

DarkOwl has also observed accounts for all of the mainstream video streaming services, such as, Hulu, Amazon, Disney+, Netflix, HBO Max. Some of these accounts are offered for free on Telegram channels, as proof of the legitimacy of accounts available for sale. We’ve also observed accounts for streaming services offered for sale on Telegram for $40 USD, with indications that the original account holder was completely unaware that their account had been sold and used by someone from the darknet.

Figure 4: Source DarkOwl Vision

Cracked Accounts, Cracking Tutorials & Hacks

Some of the accounts being offered or sold are simply accounts that have been curated by darknet users, which are often described as their “own personal account.” Others are created in masse by “cracking” users’ accounts at scale, i.e. stealing and reselling account credentials. Most cracked accounts are obtained by account brokers, who compile leaked credentials from compromised commercial services and perform credential stuffing, or utilize nefarious brute-force password cracking utilities like John the Ripper.

One such utility for offer on the darknet states that using their tool, users can create 10 private Counter Strike game accounts per hour. (Source: DarkOwl Vision)

We’ve seen similar offers for automatic account generator sold in conjunction with “Cracking Tool Packs” which includes crackers, stealers, email validators, and checkers for generating and validating accounts.

Many gamers of the darknet offer game hacks for increasing skills or a player’s credibility without the time in service in the game. For example, one document in Vision details the Fifa 2022 Coin Generator to acquire unlimited free FIFA 22 coins and points for one’s “Ultimate Team” and according to the offer, secure players like Gullit, Ronaldo, and Maradona on one’s team. The hack uses a series of network proxies to avoid the account getting banned or suspended.

Figure 5: Source DarkOwl Vision

Cracked Games

Many deep web forums offer “cracked” games or pirated game software that can be played without any licensing or payment. Recently users on Breached Forums shared several Surface Web sites where games are available without purchase. (Source: DarkOwl Vision)

Video games are cracked by reverse engineering the programmed copyright protection features and bypassing codes in the software that validates the games as authentic. The darknet is replete with users who abhor the idea of intellectual property and celebrate software piracy; afterall, the darknet is home to The Pirate Bay (TPB). Cracking tutorials in the darknet cover all matters of illegal “cracking” including passwords, wi-fi routers, commercial accounts, and software.

For obvious reasons, we’ll not detail any of the cracking tutorial methods that we’ve spotted across popular hacking forums and Telegram channels. In 2021, multiple video game developers were attacked by cyber criminals and source code for their projects stolen and resold on the darknet. In February 2021, cyber criminals gained access to the CD Projekt and exfiltrated the source code for Cyberpunk 2077, The Witcher 3, and Gwent. In July, the LAPSUS$ criminal group successfully exfiltrated the source code from Electronic Arts Fifa 2021 soccer game and the proprietary FrostBite game engine, which was the foundation for other popular games by the video game publisher.

The availability of such source code compilations facilitates the successful cracking of video game software applications in the future by cyber criminals profiting off selling pirated games.

Figure 6: Source DarkOwl Vision DocID: 03ed2be2b016739aeeb6993d55655cd0d4791eef

Combolists

One of the fundamental tools an elite video gaming and streaming service account ‘cracker’ requires is a combolist. A combolist consists of a list of leaked usernames and passwords or email addresses and passwords combinations that can be used for cracking.

In the last year alone, DarkOwl has scraped nearly 100,000 documents across the darknet and deep web for offers of “combolists” from across the US, Europe, and Latin America. Most of the combolists are advertised as “private combos”, with hundreds of thousands of credential combinations in each combolist, and available for purchase on darknet marketplaces like Nemesis for under $20 USD.

Figure 7: Marketplace Offering Combolists for Download and Purchase

The combolists are used in credential stuffing programs to validate the credential combinations work on the commercial gaming or streaming service authentication logins. With hundreds of thousands of combinations to work from, even a 1% success rate is a significant volume of accounts that a cracker could resell as a ‘cracked account’ for the platform.

Video Game Fraud, Pranks, & Scamming

The darknet is known for widespread fraud and scamming and the video gaming community is perfect for exploiting its younger and often naïve users. With online gaming environments supporting multiplayer teams – that include a socialization and sense of community with group and private chats – gamers spend hours a week with their teammates creating very real sense of community and unfortunately, a false sense of trust and confidence in their online “friends.”

Many scammers play the criminal long game, willingly infiltrate online teams and lure the game participants to share personal information such as their real name, location, age, etc that can be used for identity theft and financial fraud. Not all of this social engineering is used exclusively for fraud. Some aggressive players gain this information to formally dox the players and SWAT them for the sake of online bullying and harassment.

To SWAT someone involves calling 911 (or similar emergency services) and lying about someone committing a serious crime, e.g. hostage, kidnapping, etc, to urge dispatchers to send a team of police officers, ideally a SWAT team, to a victim’s location. This is often carried out in the middle of a game or Twitch stream where the audio and video of the SWAT team arriving can be witnessed by others. Gamers will also prank victims with large deliveries of food like pizza that requires payment upon receipt.

Figure 8: Source DarkOwl Vision

Scammers will send other players third-party links to “cheats” and “gifts” for the game that are malicious in nature and often covertly install malware on the player’s device. Some of the links are simply phishing links that trick the victim into entering personal information, or their login in attempt to hijack the player’s gaming account for “cracked account” resale.

Figure 9: Source DarkOwl Vision

We have also captured offers for physical game consoles for sale on darknet marketplaces, which are often either stolen goods or buyers are scammed, cryptocurrency on the market loss as the electronics or console is never delivered.

Some malware in circulation intentionally targets gamers for theft of personal information and fraud. According to open sources, there has been “cracking malware” like BloodyStealer, in circulation that behave like traditional information stealers, but target information specific to video game users like account logins and user tokens for Steam, Epic, VimeWorld, Discord, and EA.

Gamers Recruited for Criminal Activity and Information Operations

In recent years, chatter on darknet discussion forums and Telegram channels detail how political extremists have leveraged video gaming platforms and online communities for recruitment and socialization of political and societal ideologies. Gamers have stated both “fascists” and right-wing “Q” extremists have infiltrated popular video game group chats, spamming the chat with racial slurs and hateful rhetoric in attempt to trigger its players and evaluate how players react and respond.

Many users on the platform login to the game – not to play the game, as evidenced by their lack of skills and time actually playing – but to dialogue and post content to the game’s group and team chat for recruitment and information operations.

Open-source reporting by counter-terrorism specialists opines that some terrorist groups such as ISIS have utilized video game platforms and streaming communities like Twitch to spread their polarizing and violent political beliefs about controversial issues. The desensitization of first-person shooting games like Call of Duty and Grand Theft Auto (GTA) helps radicalization of individuals, especially teenagers between the ages of 11-17 years to carry out violent acts against marginalized groups in society.

Other young video gamers have been lured through video game communities to meet up with other users in-real-life (IRL) after establishing an online “friendship” through the game. Law enforcement have reported several of the young female gamers have ended up physically harmed, such as harvesting their organs, and even sold into sex-trafficking as a result of the in-person meet-ups.

Curious about something you read? Interested in how darknet data applies to your use case? Contact us to find out how darknet data applies to your use case.

May 05, 2022

In honor of World Password Day – a date established in 2013 by Intel Corporation to foster security awareness – the content team at DarkOwl decided to compile some interesting statistics based on the email and password entities available in the DarkOwl Entity API.

DarkOwl’s Entity Volume

Every day we hear of another commercial data or app breach. At this point, everyone can assume their email address and/or password has been leaked on the darknet or deep web. DarkOwl has collected and tokenized over 8.68 billion (with a “B”) email addresses. 5.46 billion of those emails include a password. 57% of those email addresses include a ‘plaintext’ or legible password.

But My Password is Complex!

If you’re still using your cat’s name followed by the exclamation point (“Fritzie!”), your password is not complex, and you have most likely already experienced an account compromise. But, you’re not alone. Complex, lengthy passwords are not the norm across DarkOwl’s data.

The most common password length is 8 characters.

Figure 1: Distribution of Password Volume by Password Character Length

Is an 8-character length password strong enough?

The strength of an 8-character password depends on the motivation and the tools available to the cybercriminal targeting your account. There are plenty of password ‘cracking’ tools readily available to hackers to conducting dictionary and brute force style password attacks. Some of the most popular tools include:

• John the Ripper
• Cain & Abel
• OphCrack
• THC Hydra
• Hashcat
• Brutus
• RainbowCrack
• CrackStation

Even the most sophisticated password crackers will need significant processing power and time to successfully break long, complex passwords. Unless an 8-character password includes numbers and symbols, the password can be potentially brute forced.

Figure 2: Time to Crack Passwords of Varying Degrees of Character Length and Complexity

Over 4 billion of the passwords (4,285,451,030) available in DarkOwl’s Entity API are 32 characters or less. 662,341,057 passwords could be classified as extreme and greater than 32 characters in length.

Figure 2 demonstrates that passwords including numbers and symbols are harder to crack than letters alone. DarkOwl’s data contains a significant volume of passwords with some degree of complexity but only 637 million plaintext passwords would be classified as “strong.”

Strong passwords defined as containing special characters, digits, lowercase, uppercase, and length greater than 8 characters.

Passwords That Age Us

Do you have a favorite year that you include in your password for uniqueness? Perhaps it’s your birthday year or anniversary. Both are very common. We found over 707 million passwords include a year string that starts with “19XX” or “20YY.”

According to our data distribution, peak volumes of passwords include the data range of 1980 to 1994. The most frequent years we observed were:

1990: 14,006,141

1987: 13,795,566

Figure 3: Distribution of Passwords Containing a Date (Year) String

QWERTY is Simply Lazy

The “QWERTY” keyboard layout originated in the late 1860s and was designed to help people type and translate Morse code faster. Regardless of its origins, people heavily rely on the top row of the American keyboard characters in many password fields; 5,793,906 passwords in DarkOwl Entities API contains the6-character string “qwerty.”

Even worse is sequential numbers with 29,010,394 consisting of “123456” and 11,718,471 going to the trouble to add the whole number set, “123456789.”

DarkOwl has collected 5,857,363 passwords using the laziest password of all: the word, “password.”

Hashed Passwords > Plaintext

Billions of leaked plaintext passwords are tragic, no matter the complexity, character length, or whether a date string or qwerty is included. Therefore, if you suspect a plaintext password you use or have used in a commercial webservice has been compromised, change it immediately and cease using it on any authentication logins. Credential stuffing campaigns exploit password reuse and utilize email address and password combinations to attempt logins outside of the source of the original leak.

Given the propensity for commercial data breaches, most authentication and digital identification protection platforms strongly suggest users passwords are stored in a hashed format instead of plaintext to reduce the likelihood of immediate malicious use upon compromise.

6% (518,566,724) of the passwords available in DarkOwl’s Entity API are hashed passwords.

In cryptography, hashing involves using a mathematical algorithm to map data of any size into a bit string of a fixed size. In password hashing, a ‘hash’ consists of a unique digital fingerprint (of a fixed size) corresponding to the original plaintext password which cannot be reversed. There are several different types of ‘hashing algorithms’ available for encrypting passwords.

The most common hash in DarkOwl’s data is MD5 followed by SHA-1.

Some MD5 hashes in phpBB and WordPress appear as 34 characters instead of 32. DarkOwl has 345,431 hashed passwords consisting of 34 characters.

Both MD5 and SHA-1 have been deemed vulnerable as they are subject to collision attacks and dehashing. One of the most popular password hacking programs to date, Hashcat, contains lookup tables for popular wordlists, like RockYou allowing for the original plaintext password to be deciphered.

Password Strengthening Tips

Although you can’t prevent commercial services getting breached and usernames, email addresses, and password combinations getting leaked, you can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.

• Use an automated complex password Manager like Lastpass, BitWarden, or 1Password.
• Don’t reuse passwords. Have unique password for every login and streaming service you sign up for.
• Choose passwords at least 16 characters in length.
• Include symbols and numbers for increased complexity.
• Avoid using passwords with dictionary words or names.
• Don’t use sequential numbers or the word “password”
• Don’t use the year of your birth or anniversary in your password.
• Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.

Celebrating World Password Day

Today’s World Password Day is a perfect time to pause and review the security – or lack thereof – of your most common password habits. After reading this blog, we invite to you to consider taking the following actions today:

• Review passwords stored in your keychain, password managers, or sticky notes.
• Change any passwords you might be reusing across multiple sites.
• Share password tips on social media with friends and family.
• (#WorldPasswordDay)
• Transform a weak password into a strong one using the password strengthening tips above.
• Turn on MFA for all important accounts.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.

A review of the ongoing darknet risks associated with the compromise of Version Control Systems (VCS) and other software supply chain version control systems. Our full report can be found here.

Research from DarkOwl analysts continues to indicate that software programming and engineering tools are a viable exploitation vector

Last week, a maintainer for NPM package – a widely used package manager for the JavaScript programming language – showcased how potentially powerful supply chain attacks on software development and components can be. This individual, an open-source software developer known as RIAEvangelist, intentionally embedded malware in the latest stable release of a popular repository called node-ipc out of protest for Putin’s atrocities against Ukraine. The malware is officially labeled ‘peacenotwar’ and deploys with a readme file titled WITH-LOVE-FROM-AMERICA.txt, and notably only is triggered to install on devices with a Belarus or Russia geo-located IP addresses.

Developers and security researchers around the world have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage these incidences cause to the open-source software development movement.

Despite general widespread sentiments against Putin’s invasion of Ukraine, the open source software development community has marked RIAEvanglist’s NPM package as malicious, because this individual chose to deploy malware in the digital supply chain ecosystem.

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” 

     - peacenotwar source code description

Exploitation of software-build processes and code repositories facilitates wider, more-catastrophic distribution of malware and enterprise-level software compromise. By poisoning software development, update processes, and link dependencies, threat actor’s malicious codes can be potentially distributed to thousands of users without need for social engineering, e-mail compromise, or drive-by-download malware delivery mechanisms.

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks to international software supply chain. In many cases, this chatter was centered around plans that involved targeting popular open-source software developer repositories like Github and Bitbucket, as well as associated software digital support infrastructure.

Exploiting Version Control Systems (VCS) and poisoning supply chains is not a new threat vector. In 2021, the Kaseya ransomware attack – via a simple malicious software update pushed to thousands of users by notorious ransomware gang, REvil – highlighted the extensive threat to software supply chains and cloud-based commercial software repositories. (Source)

The December 2020, the Solarwinds attack similarly inspired international concern for the integrity of commercial enterprise software and underscored the need for widespread implementation of zero trust architectures. (Source)

Another example of a threat actor group exploiting digital supply chain vulnerabilities is the hacking group LAPSUS$. The increasingly active group most recently announced that they had acquired privileged access to digital authenticator Okta’s networks via a support engineer’s thin client. The result of Okta’s compromise exposed significant intelligence findings, and highlights the overarching risks at stake to any software development and operational lifecycle. (Source)

Brief summary of how LAPSUS$ leveraged supply chain exploits to compromise global software company Okta:

• LAPSUS$ most likely gained access to Okta using credentials purchased on the deep web marketplace: Genesis Market, proving the underground continues to feed criminal empires.
• AWS credentials and code repository tokens were likely stored in company Slack messaging systems that LAPSUS$ then utilized to move laterally through peripherally associated digital infrastructure.
• LAPSUS$ clearly stated they were not interested in Okta, but the customers Okta supported and had access to.
• Okta’s implementation of zero trust architectures called into question given level of access available to third-party support engineer account.
• Okta estimates at least 366 unique clients’ organizational data could have been accessed by the threat group via the initial compromised privileged access.

We are witnessing – in real time – the terrifying realization of the dangers to software supply chains via malicious compromise of the tools and infrastructure critical to supporting the software development lifecycle. Any product or service that touches one’s network, i.e. customer relationship management (CRM) software, software version control (VCS) utilities, authenticators, payroll and timekeeping accounting systems, cloud service providers, internal employee messaging platforms (Slack, Teams, etc.) are all potential targets for compromise.

Research from our analysts

Version control systems and software supply chains are a viable and high consequential attack vector readily exploited by cybercriminal organizations, nation state actors, and hacktivists from the darknet. DarkOwl believes there will be continued and increased attacks against dependency libraries and software package managers, such as NPM and PyPI, with the intention of stealing information and establishing long term persistence in the victim machines. Read full report here.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

In light of disturbances in the darknet due to nationalistic fractures amongst ransomware and cybercriminal groups, DarkOwl analysts did a cursory review of activity across ransomware-as-a-service (RaaS) gangs since the invasion of Ukraine.

We reviewed the number of reported victims by RaaS groups and the location of the victims, and determined the following:

• Conti and Lockbit 2.0 lead in total number of victims announced since the 24^th of February, 2022.
• Conti was offline for almost a week due to infrastructure leaks and fractures with their Ukrainian-aligned affiliates. Since March 1^st, the group has resumed locking and leaking victims’ networks around the world.
• Several key Tor services for well-known RaaS gangs, including Pay2Key, Blackbyte, Cuba, are online and active; however, they have not shared any victim’s data since the invasion on February 24th, 2022.
• A new RaaS group called Pandora Gang hit multiple victims in a matter of days, including two victims from Japan.
• STORMOUS ransomware has been heavily targeting Ukraine.
• STORMOUS most recently attacked 4A Games (Ukraine) and EPIC Games (US).
• Given the severity of the attacks against Nvidia and SAMSUNG, LAPSUS$ is now being categorized as a RaaS gang, even though they do not have an affiliate program that we are aware of.
• US, Canada, UK, Czech Republic, and Germany have the highest volume of ransomware victims in the distribution of victims by location published in the last two weeks.
• Many ransomware victims have direct connection to US and Western critical corporate/government operations and supply chains.

NOTE: The charts below do not take into consideration attacks by Russia against Ukraine networks in conjunction with HERMETIC WIPER attacks or leaks released by Free Civilian. The totals, as reported by the Ukraine government, would exceed that of those counted here for the US.

LAPSUS$ Group: Additional Findings

The cybercriminal group LAPSUS$ has ramped up their activities since the invasion – emboldened by their attacks against Nvidia and SAMSUNG.

They recently solicited experts in various specific industries for their next victim selection, possibly looking for insiders to assist. Telecommunications, software development/gaming, hosting, and call-centers were among the industries requested.

Over the weekend, LAPSUS$ also implied they were responsible for recent “cybersecurity incident” with Ubisoft.

DarkOwl will continue to monitor RaaS activity and update as new information becomes available.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.