Author: DarkOwl Content Team

Cyber Weapons on Darknet Marketplaces and Forums

Underground markets of the darknet provide an extensive inventory of illegal goods for sale, including and certainly not limited to drugs, weapons, hackers and assassins for hire. In the “Digital Goods” section of most marketplaces, one will find an array of malware, bots, and services for conducting offensive information operations against a victim network or targeted information system.

While many of these tools are considered ‘commercially’ available products and services for any interested anonymous darknet buyer with the cryptocurrency in hand, nation state-level cyber threat actors are certainly one potential consumer for any of these products, with the intent of adding these digital weapons to their repository of cyber tools.

[Quick Read: Darknet posts show SolarWinds has been a target, and has open servers that trace back to Russia]

As we’ve recently reported in our findings regarding the SolarWinds hack, monitoring the darknet for these types of tools and malicious discussions enables organizations to understand when and if they’re a target, and prepare accordingly.

For example, in the case of SolarWinds, we have evidence that they have been targeted by hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, when taken seriously, could have been leveraged by their customers as a cue to safeguard themselves against what ultimately resulted in the devastating hack that transpired this year.

There are many more cyber weapons at Nation-State threat actors’ disposal on the darknet

The digital goods section of most darknet marketplaces is broad in its offerings, suggesting that a ‘digital good’ consists of any product or service delivered virtually, unlike the purchase of an illegal weapon or illicit drugs that are delivered to a physical address. As such, the digital goods section of many marketplaces includes Adobe PDF guides, lifetime website memberships and subscriptions, and digitized programming books with little to no value to a sophisticated nation state cyber actor. Most of these are innocuous instructions for novices to underground criminal operations, such as carding, identity fraud, basic social engineering, and technical ‘hacking’ manuals covering basic network penetration.

Basic Network Exploitation Tools

A darknet marketplace consumer can also purchase any number of basic network protocols and tools for maintaining anonymity, such as anonymous servers, VPNs and bulk proxies. It is unlikely a foreign nation will need such simplified tools; however, there are also vendors selling more advanced versions of the same type of tools, in packages such as KeyLogger Script Collections and CIA forensics expert tool – Magnet IEF on White House Market, or the FBI Hacking and Forensic Toolkit for exploiting mobile phones for sale by the vendor breadsdrugged on DarkMarket. This package is advertised to include KONBOOT authentication bypass and Oxygen Forensics, which retrieves deleted texts and extracts data from all the popular mobile-phone cloud providers.

Then, there are also commercially available remote access trojans and bots that nation states could leverage for more sophisticated attacks and espionage. The Anubis Bot, the AZORult Trojan (version 3.3), and Spy MAX v1.0 – Android RAT are all currently available for sale across many darknet marketplaces and accessible via an instant download link delivered upon purchase.


Historically, nation states readily target mobile phones for espionage and intelligence collection. This was publicly revealed when the Kingdom of Saudi Arabia’s (KSA) intelligence and government officials were caught using the Pegasus malware, developed by an Israeli security firm, against WhatsApp and iPhone messaging platforms to target dissident journalists. Recent reporting from Toronto’s Citizen Lab details how the Saudi government targeted 36 journalists from Al Jazeera earlier this year.


Cobalt Strike is a popular software emulation environment designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors, and it is readily for sale on the darknet. Recent open source reporting suggests Chinese hackers sponsored by the Chinese government have been actively using Cobalt Strike to enable backdoor access to a number of compromised networks and information systems for the deployment of additional tools on the network in the future.


Banking Malware for Large Scale Financial Industry Attacks

Some nation states, such as North Korea, have been known to leverage banking malware for cyber-operations to recoup financial gain from the economic impact of international sanctions. Vendor leaguemode on DarkMarket offers the GozNym 2.0 banking bot for purchase for $1500 USD per build. The same vendor also sells ATM malware that is deployed via EMV (Europay, Mastercard, and Visa, i.e. “chipped”) debit cards on the same market for $1,000 USD per card.

Tools to support the targeted phishing of international banks based in North America, such as CHASE and CIBC of Canada, are also currently available for sale on darknet markets. The digital good includes the HTML and CSS for scam websites for a number of prominent banks, including detailed administrator panels. These websites could be used by nation states to conduct targeted attacks against financial institutions.


Ransomware for Offensive Cyber Operations

One information operations technique nation states could employ is simply shutting down critical operations of a competitor country’s critical corporations and industries. WannaCry (aka GonnaCry) ransomware successfully crippled the UK’s National Health System and is currently for sale on White House Market for $150 USD.

The source code for another effective ransomware, known as KingLocker, is also available for purchase and could be customized by a nation state to conduct a large scale campaign against a target industry or country.

The ransomware could be coupled with country-specific business directories, also for sale on darknet marketplaces, for targeted in-country deployment. Multiple vendors on White House Market sell leaked databases; a directory of Dubai’s enterprises and UAE businesses costs as little as $129 USD. Meanwhile, Russia’s industry data with business names, domains, and contact information is only slightly more at $160 USD.

Targeted Phishing and Disinformation Campaigns – Credentials and PII

In the same way leaked organizational information for sale on the darknet could be instrumental for launching ransomware attacks, other critical country-specific information could be leveraged for targeted phishing and disinformation campaigns.


On DarkFox, the vendor GoldApple sells numerous combo lists and US state-level voter registration data. The same vendor offers over 570,000 (0.57 million) emails from Japanese citizens for as little as $10 USD that could be used for targeted attacks and disinformation campaigns.

One vendor offers a list of millions of US mobile phone customers’ personal information, including social security numbers and carrier, that could be used for spamming and disinformation, for $229 USD. The same vendor also has another 8 million Chinese phone numbers for only $200 USD.

Another vendor offers, for €69 EUR, Taiwan’s Ministry of Civil Service database of employees, which could be used for targeted phishing to infect government networks for espionage.

A database containing information for a US Intelligence agency is advertised for sale on White House Market for a mere $100 USD.  According to the advertisement and the hackers who obtained this information, it was stolen from a cloud server owned by the US government. The database contains thousands of records of critical detailed information associated with the vendors providing goods and services to the agency. This information could be invaluable for a targeted information operations attack by a nation-state.


Most nation-state sponsored human intelligence operations require fake identification and passports. Vendors on the darknet offer fake US passports with biometric data for sale for a starting price of $2,000 USD. The advertisement, sold by vendor topvendor on White House Market, states that all their identifications have machine-readable data zones and a three-layer security UV hologram, which will read out correctly when scanned at borders. The vendor also offers detailed advice on travel routes and social engineering methodologies for interacting with customs officials.


As we reported earlier this year, social media manipulation is an increasingly popular trend among nation state actors for conducting disinformation and propaganda campaigns against their adversaries. Accounts on almost all prominent social media platforms are readily available for sale across most darknet marketplaces with digital goods. Long-term established accounts with more ‘followers’ and historical influence are more coveted. One can purchase 1,000 LinkedIn followers for as little as $15 USD on ToRReZ, which could be essential for a nation-state level social engineering or espionage attack, while 50,000 Instagram followers cost upwards of $350 USD. A Facebook campaign to disseminate a particular propaganda agenda is also available for as little as $380 USD from the vendor etimbuk on the ToRReZ market.

Unique Exploits for Field Operations

One vendor on White House Market using the pseudonym unglued recently posted a 12-Watt Frequency Generator for sale on the marketplace. The hand-held device could be utilized by a threat actor to jam and potentially interfere with the operation of a wide range of frequencies, including those used by mobile phones, Bluetooth devices, and GPS receivers. Nation-states wanting to conduct in-field operations could greatly benefit from such a device. The unit sells for $1,200 USD.

Still the most prevalent cyber weapon: credentials

Exposed credentials will continue to be one of the most prominent attack vectors against organizational networks for cyber campaign operators, large and small.

According to recent Wall Street Journal reporting, the initial compromise of FireEye was through employee VPN credentials; luckily, the employee alerted IT security when their account had been accessed via an unrecognized device, which kickstarted the SolarWinds investigation.

“Hours later, the National Security Agency, America’s top cyberspy organization, issued a broader warning to defense agencies and contractors about vulnerabilities such as those exposed by the SolarWinds attack. Hackers, it said, were finding ways to forge computer credentials to gain wider access across networks and steal protected data stored on in-house servers and cloud data centers. The approach, the NSA said, may have been used in an attack on VMware Inc. software used in national security circles that the spy agency warned about earlier this month.” – Wall Street Journal

DarkOwl also discovered darknet users talking about key open source reporting regarding the attack, more specifically, Vinoth Kumar posted to social media that he found a public Github repo leaking credentials belonging to SolarWinds since June 2018.

Leveraging vulnerabilities uncovered in the Microsoft platform, nation-state hackers behind the SolarWinds attack also accessed key leadership emails at U.S. Treasury Department and other critical U.S. government agencies.

DarkOwl Vision has indexed over 6,100 documents containing compromised e-mail addresses and passwords for federal employees using the treasury.gov email domain.


Evidence of SolarWinds Vulnerabilities on the Darknet

In light of the large-scale nation-state sponsored attack against U.S. government networks, and critical commercial sectors of the U.S. supply chain, our analysts reviewed historical darknet content for any SolarWinds related activity. We uncovered an extensive amount of content containing SolarWinds and Orion-specific vulnerabilities and zero-days across darknet exploit marketplaces and discussion forums, many of which could be devastating if exploited at scale.

Most notably, DarkOwl analysts also uncovered SolarWinds product documentation and application executables stored on unsecured FTP servers successfully collected by DarkOwl’s platform back in late 2019. The FTP servers contained not only SolarWinds-specific server files, but also Microsoft’s dotnetfx.exe file, a critical executable for installing operating system updates.

Source DarkOwl Vision: 8581ed393d5aabc9da818b2b3455c450

Upon further investigation, we traced the IP address of these open FTP servers to the internet service provider, JSC “Severen-Telecom” (severen.ru) in the Northwestern Federal District of Saint Petersburg, Russia.

In addition to the potential tie linking these files to campaigns conducted out of Russia, we also have a great deal of evidence to show a suspicious amount of interest in SolarWinds vulnerabilities across the deep web and darknet. In fact, based on the extent of our analysts’ findings on the darknet alone, we have reason to believe that SolarWinds has likely been a cyber target for quite some time, though a large extent of these indicators that SolarWinds was being targeted transpired in late 2019 and early 2020. For example, DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below).

Example of SolarWinds Cross Site Scripting Vulnerability, posted on the darknet in May of 2020

Example of SolarWinds SQL Injection Exploit, posted on the darknet in May of 2020

In addition, our analysts have also noted that a great number of users on deep web forums have displayed a particular interest in understanding critical information security applications and intrusion detection systems, with shares of ‘cracked’ versions of the SolarWinds Security Event Manager application as recently as July 2020 (pictured below).

Source DarkOwl Vision: b7c107a767fa84498e5661e22d261c9a

In recent days, DarkOwl has witnessed several darknet users across English and Russian-speaking forums discussing key open source reporting regarding the attack, more specifically, that Vinoth Kumar posted to social media that he uncovered a public Github repo leaking credentials belonging to SolarWinds since June 2018.

(Source in Vision: bc257bc48dd0452f7ea3412d0288f588)

Darknet Data Provider DarkOwl Releases Powerful New API Product: Entity API

The Newest Member of our API Product Suite Allows Users to Request Pinpointed, Targeted Information From the Darknet

Denver, CO – Monday, November 2, 2020 – DarkOwl is proud to announce the launch of an exciting new product, Entity API, on the DarkOwl Vision platform. Entity API provides contextual and highly targeted information from the darknet about Email Addresses and Domains, Credit Cards and BINs, IP Addresses and IP Range, and Cryptocurrency Addresses and Type.

“In ongoing discussions with many of our clients, we hear and understand how critical it is for them to quickly discern the severity of an email compromise, or the exposure of an IP address,” said Sarah Prime, Director of Product Technology. “Entity API is a new way for DarkOwl Vision to provide very specific darknet insights that our customers need to know and monitor.”

Entity API delivers distilled information from DarkOwl Vision’s large collection of DARKINT™ data, which includes sources from Tor, I2P, ZeroNet, encrypted chat, data breaches, and others. Entity API allows users to very quickly and efficiently identify, monitor and target particular threats in the darknet that are relevant to their particular needs and use cases.

DarkOwl CEO, Mark Turnage states: “We have our pulse on the darknet and we understand how the cybersecurity industry and law enforcement use darknet data and need it delivered.  Our goal is to offer the option of more targeted, very specific data endpoints in Entity API, which is a great complement to our Vision Search API and Score API products.”

Entity API joins DarkOwl’s list of growing API data products, which includes Search API and Score API.  With Search API users can access DarkOwl Vision’s data collection, with native search capabilities in 47 languages and create targeted searches with Boolean operators, regular expressions, and filters to retrieve full text results, with associated metadata and entities. The Score API product allows users to calculate the darknet exposure of any organization based on the hackishness and recency of relevant information found in DarkOwl Vision.

Brief primer on voter registration info on the darknet

For the last two years, U.S. voter registration information has been widely circulated across darknet forums and channels for potentially nefarious purposes. Earlier this year, DarkOwl detected U.S. voter registration databases for the states of Michigan, Florida, North Carolina, and Colorado being shared freely. Some databases are packaged in sets of key states and sold on popular deep web forums and marketplaces by popular darknet vendors such as GoldApple.


This is certainly not the first exposure of U.S. voter registration data on the darknet en masse:

  • In December 2015, the personal information of millions of voters was exposed on the darknet, when security researcher Chris Vickery and databreaches.net discovered over 191 million U.S. voters’ data available after a marketing firm supporting one of the political campaigns had a mis-configured database. The owner of the database was never identified.

  • In summer 2017, another 198 million voters’ information was exposed after researchers discovered an unprotected AWS S3 bucket containing the voter rosters. The voter information had been archived by Deep Root Analytics, TargetPoint Consulting, Inc., and Data Trust, three data mining companies supporting the Republican Party. Rosters of statewide voter data are made readily available to political campaigns and their marketing affiliates for free for targeted campaigning and canvassing. The value of such databases, especially one containing hundreds of millions of U.S. voters’ personal data, would be worth several hundred thousand dollars to darknet cyber criminals who could leverage the information for traditional financial cyber crime.

Interestingly, just earlier this month another darknet user also shared a database containing the personal information of millions of political contributors and donors on a popular hacking forum. The information in the database included the full name of the donor, physical address, age, phone number, income, gender and donor type. The post was removed by forum moderators as other users suggested the author was a “criminal hacker” and this data was acquired through malicious intrusions of a political database. The post did not specify where the information originated or which campaign it was stolen from.


In the meantime, DarkOwl analysts have witnessed several conversations on popular right-wing leaning deep web discussion boards regarding the domain: http://donaldtrump.watch. Anonymous users and supporters of Trump stated the domain was active and contained personally identifiable information of the President and GOP financial contributors. WHOIS domain history has a redacted owner for privacy and suggests a 2018 creation date; archives of the website from late 2019 suggest it was created in response to the President’s impeachment and is simply a “Donor locator map for the impeached Chief Executive Donald J. Trump. – Data Provided by the FEC.gov.” The Federal Election Commission does record all contributions made to any candidate; campaign contributions are not private, and the data held by the FEC can be requested, typically for marketing and canvassing use.

The website is set up with an alphabetized address and name search capability identifying contributors by name, their address, the specific dollar amount of their donations, and last donation date. There are numerous positive and negative comments about the Trump donor website across deep web and darknet discussion groups. Some commented on their neighbor’s donations.

Huh, two of the neighbors I like each donated about a grand to Trump. I didn't take either of them for Trump supporters. One guy in my neighborhood is unusually enthusiastic, it would seem.

Many users stated the information on the website was false, incorrect or dated back in 2016, while other users confirmed their families’ information was correct on the website and expressed concern about potential property damage. Analysis of the donations suggests the information is accurate up through August 31, 2020.

Regardless of exactly when the website appeared and the motive of its author, the website information could be used to target, intimidate and frighten Trump supporters, similarly to how earlier this month the FBI announced attribution to Iran for an email campaign sent to non-Trump supporters in Florida, threatening them into voting for Trump and signed by the controversial right-wing extremist group, The Proud Boys.


The BlueLeaks files, released earlier this year and containing files from hundreds of police departments, speak of how state voter registration data could be misused and specifically mention how a malicious actor could leverage voter names, e-mail addresses, and telephone numbers to connect with new audiences and market personalized advertisements according to their views on specific topics, propensity to vote, and other factors. This information, coupled with a foreign adversary’s disinformation campaign, could be utilized to register fake social media accounts, seed content, and amplify distribution of content of interest to targeted audiences.

Darknet Marketplace Snapshot Series: UpShop Market

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

UpShop Market


UpShop is a small darknet marketplace that specializes in the sale of stolen or compromised digital accounts. These listings advertise account credentials for Microsoft accounts, Wells Fargo accounts, iTunes accounts, and many others. They also have a section dedicated entirely to the sale of stolen (or potentially fraudulent) identities, with each advertised item consisting of a Social Security Number and its corresponding City, State, and Zip code.

Since its opening back in mid-December 2017, the market has been casually promoted across several Russian and English-speaking deep web criminal forums, including XSS, Dedik, WWH-Club, Gerki, Beznal, and Club2CRD.

The administrator(s) of UpShop have been relatively quiet this past summer and into this fall, and have not publicly posted a market update since early May 2020. Nevertheless, at the time of this posting, business at the underground market appears to be continuing as usual.

The landing page of UpShop Market, showing the various types of account credentials, as well as stolen or fraudulent identities, that vendors there are offering for sale

The price of stolen accounts on UpShop

Over the course of our most recent observations, DarkOwl researchers noted that there were 3,121 stolen accounts being advertised for sale. This is up from the 2,981 that we noted as the total number of listings earlier this summer. Whether UpShop will continue to follow this trajectory has yet to be determined, but as we mentioned earlier, the underground business does seem to be fully operational at this time.

Other findings include:

  • The average price of one stolen account on UpShop market is $6.33 USD.

  • The stolen accounts are associated with 40+ different merchants, who seem to primarily be retail merchants like Target and Kohl’s.

  • Sam’s Club and Walmart accounts make up 46.46% of the total number of stolen accounts advertised for sale.

  • The price of one stolen Sam’s Club account ranges from $2.50 USD to $5.00 USD, while the price of one stolen Walmart account ranges from $5.00 USD to $6.00 USD.

  • The price of each listing is largely determined by the amount of personally identifiable and financial information fixed to each account.

The distribution of accounts by vendor as listed on UpShop Market

Additional Market Observations and Related Findings:

  • The staff members of UpShop have been tied to several usernames, including upshop33, which appears to be their main moniker, as well as malkincheff and ElskChief.

  • Only 5 vendors total are responsible for trafficking all of the stolen account data into the market: Like_a_Boss, BestStuff, romulan, applewarrior and drobdead.

  • UpShop has a built-in identity theft store. At the time of this writing, 10 identities are advertised for sale. The average price of one stolen (or potentially fraudulent) identity is $0.30 USD, which is rather low in comparison to prices across other identity theft stores we’ve observed on the darknet.

  • UpShop also has a built-in email-flooding service, whereby a cybercriminal can send a large volume of spam to a target’s email address, crippling their ability to manage their inbox. The price of each ‘flood’ is determined by the volume of emails sent to the victim’s email address.

A screenshot of UpShop’s administrator promoting his or her market in Russian across Beznal - another darknet forum.

Darknet Marketplace Snapshot Series: Amazin Market

In our new Darknet Marketplace Snapshot blog series, DarkOwl researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 


Figure 1: Amazin Market’s Log-In Page

This marketplace is engaging in blatant copyright infringement

The most notable characteristic of the darknet marketplace Amazin is that the administrator is committing outright copyright infringement by unlawfully using Amazon’s intellectual property in their branding. In addition to cloning Amazon’s official logo and replacing the “o” with an “i,” (Amazon -> Amazin), the administrator of Amazin Market has also poached other branding characteristics from Amazon’s official website.

For example, the marketplace admin has laid the cloned spin-off logo on top of the exact same quintessential charcoal color that Amazon features on its website. The admin has also situated a white shopping cart in the top-right hand corner of the market, much like Amazon’s actual interface.

Amazin Market has a relatively intuitive user interface and customer support system that continues to mirror Amazon’s both visually and navigationally. The market also features a robust vendor rating and review system. Referred to as a supplier rating, it measures the performance of darknet vendors on Amazin Market on an ongoing basis, and provides buyers on Amazin Market with the opportunity to make better purchasing decisions.

Figure 2: Amazin Market’s Homepage

A look at what’s for sale

While Amazin market may look like Amazon from a visual perspective, the merchandise one can find being sold there is a major departure from the kitchenware and back-to-school supplies you’ll find on Amazon. Instead, Amazin market carries exclusively illicit supplies, such as hacked accounts and e-gift card codes.

Amazin Market appears to principally feature financial-related goods and services. Vendors on Amazin Market are currently advertising for sale hacked Amazon, JPMorgan and PayPal accounts, as well as compromised iTunes, Amazon, Google Play and GameStop e-gift card codes, sometimes 70-80% off face value.

In addition to hijacked accounts and e-gift card codes, vendors on Amazin Market are also advertising for sale money laundering services using PayPal, Payoneer and Western Union.

Figure 3: PayPal money laundering service advertised for sale on Amazin Market

Figure 4: Western Union money laundering service advertised for sale on Amazin Market

Of significance, DarkOwl discovered that one vendor is responsible for trafficking all of the stolen payment card information through Amazin Market. Known as ‘HQDumps,’ the vendor is selling ‘dumps,’ hacker-slang for stolen payment card information that can be used to conduct in-store card fraud.

After reviewing and analyzing all of HQDumps’s listings, DarkOwl was able to determine that HQDumps is currently selling financial details that belong to victims that reside around the world, particularly in the United States, Europe, Australia and Asia.

Key things to know about Amazin Market

Seven vendors currently operate on Amazin Market: amazin, JPMorgan, RedBull, Babo, Patron, Joker and HQDumps. After reviewing all of HQDumps’s vendor reviews on Amazin Market, DarkOwl uncovered that HQDumps used to be a vendor on the Silk Road. It remains unknown which version of the Silk Road HQDumps was affiliated with, whether the original or the post-Ulbricht versions.

DarkOwl also found that HQDumps used to be a member of the “MasterGroupOfSpam,” a Telegram Channel inhabited by 9,700+ cybercriminals involved in various criminal activities, primarily hacking and card fraud. It is important to note that HQDumps has not operated on Telegram (HQ DUMPS @ HQDUMPS) since late May.

Differentiating itself from other darknet markets, such as Infinity Market, Amazin Market does not reveal the precise number of stolen goods that each and every vendor is advertising. This feature may have been implemented in an effort to better protect Amazin Market’s vendors, as law enforcement agencies have been known to prioritize vendors by the sheer volume of illicit goods that they are individually offering.

Contrary to other darknet markets, Amazin Market only supports Bitcoin as a means of payment. At this time, DarkOwl has not observed any darknet forum chatter or related scrutiny related to this payment limitation. 

Amazin Market, like so many other markets on the darknet, has an escrow system. Escrow systems serve as third-party vehicles that hold funds until both sides of the transaction have been completed. It is an important feature, as it protects both buyers and vendors from getting scammed.

DarkOwl analysts noticed that Amazin Market is listed on Tor66, a darknet search engine on the Tor Network that advertises many known scam services. Interestingly, Amazin Market is also listed as a ‘scam market’ on Dark Web Magazine’s dark web scam list. These findings help explain why the admin has had a difficult time gaining traction amidst the criminal underground, even with a darknet marketing incentive of $30 USD (as pictured below).

Figure 5: Visual of Amazin Market’s admin posting a darknet marketing incentive on his bazaar

Who is behind Amazin market?

Figure 6: Visual of MoneyPlus’s Homepage

DarkOwl discovered a darknet market known as MoneyPlus with the same source code, vendor community and user-interface as Amazin Market. DarkOwl uncovered that the administrator of MoneyPlus (additional and possible alias Amazin) can be reached via email at [email protected]. At this time, DarkOwl does not have definitive evidence whether Amazin Market and MoneyPlus Market are affiliated, and whether both markets are run by the same administrator.

Additional research efforts revealed that Amazin Market has a dual presence on the deep web (hxxps://amazin.to and hxxps://amazin.biz). After running a WHOIS and IP geolocation lookup on both domains, the first domain was found to be registered on March 28, 2014. The domain was also found to be protected by Cloudflare and linked to the IP address 104.31.81.229, a server located in Manila, Philippines. The second domain was found to be registered on December 17, 2012. In contrast, that domain was not found to be protected by Cloudflare, and is linked to the IP address 192.64.119.87, a server located in Los Angeles, CA.

As such, the actual location of the marketplace’s servers, as well as the identity of the marketplace’s administrator, remain unclear.


Thanks for reading this edition of our Darknet Marketplace Snapshot Series! Subscribe to our blog on our blog homepage to be notified whenever we publish a new piece.

Increased Threat to Food Delivery Services on the Darknet

In a time when society is more reliant than ever on personal food delivery and shopping services such as Seamless and Instacart, darknet criminals also have increased their reliance on exploiting these applications for continued financial gain.

The potential for fraudulent activity includes purchasing goods with hacked accounts on these services, abusing the vendor’s refund policy, and even more advanced techniques such as API traffic interception for malicious injection or targeted data manipulation.

DarkOwl has observed an increase in the prevalence of food delivery and personal shopping service accounts on offer across a number of darknet marketplaces.

DarkOwl confirmed an increase in food delivery service provider mentions in not only major darknet marketplaces but also in criminal carding forums and illicit digital good trades on anonymous websites. Of the vendors we looked at, Seamless and Caviar appear to have the most remarkable increase in the number of documents in DarkOwl Vision mentioning compromised accounts, with Instacart, Uber Eats, Just Eat, and DoorDash close behind.

To conduct our analysis, we looked for instances of each food delivery service provider appearing in our database of darknet documents (Vision), from year to year. Vision is comprised of content scraped directly from pages on the darknet, such as pages on Tor. As per the graph below, we are then able to see how many mentions there were of each company in our database to estimate what percentage of darknet pages mentioned these companies during that time.

For example, of all the pages of darknet content DarkOwl has collected that mention DoorDash or DoorDash accounts to-date, 33% of page results were observed on the darknet in 2019 and 67% were from 2020. This is also notable insofar as it indicates that DarkOwl did not observe DoorDash accounts appearing on the darknet until 2019, so they are evidently a new and increasingly popular target.

Figure 1 - Percentage Documents in DarkOwl Vision mentioning the Service Provider or their Commercial Domain from 2019 – 2020

Our analysts also note that the 2020 data included in this analysis is only through the end of July, meaning that many of these vendors will likely surpass (or continue to surpass) their 2019 numbers by an even greater extent by year’s end. Interestingly, DarkOwl also observed PostMates and UK-based Deliveroo food delivery services mentioned in fraud-focused conversations on criminal forums but in less volume than in 2019.

Across the board, using DarkOwl Vision, we saw an average 230% increase in darknet mentions of most of the major food delivery and personal shopping providers between last year and this year.

Examples of Compromised Accounts Being Advertised

On the darknet marketplace Infinity Market alone, DarkOwl discovered 8 different vendors selling a mix of hacked mainstream food delivery service accounts, including DoorDash, Grubhub and Caviar. The average price ranges from $1.50 to $10 USD per account, and successful use depends on the legitimate user not having recently changed their password; when they have, as is often the case, the account is rendered useless. The value of the accounts is determined by a number of factors, including the ‘freshness’ of the account and the number of completed orders fixed to the account, and, most importantly, the volume of personally identifiable and financial information attached.

In mid-June, a new user on Raid Forums posted numerous DoorDash email addresses and passwords along with their account balances free for criminal use. With the account login credentials and an account with a saved credit card on file, the cybercriminal can easily change the delivery address and use the account to purchase food for delivery fraudulently.

Figure 2 - Compromised DoorDash accounts on the darknet (including email and password) and associated balances for each account

Instacart accounts are regularly traded and sold on darknet marketplaces. On White House Market, a vendor using the moniker drhack3r is offering Canadian-based Instacart shopping accounts for as little as $9 USD (pictured).

Figure 3 - Instacart consumer accounts offered for sale on White House Market

According to reporting from late July, some 278,531 Instacart consumer grocery shopping accounts were found to be for sale on the darknet, for as little as $2 per account. The information includes the customer name, email address, the last four digits of their credit cards, the order history for the account, and some other shopping-related data. The validity of the account information has been verified by two Instacart customers whose details are up for sale, and this information is not old.

DarkOwl has been unable to confirm the volume of Instacart accounts claimed in the offer, and Instacart denied that a breach of its systems occurred. Instacart stated that the account data was likely generated as a result of credential stuffing using previously compromised information that is publicly available.

One Way Criminals Make Money From These Accounts: Refund Policy Fraud

Underground cybercriminals have also uncovered ways to bypass most of the major food delivery services’ refund policies. They now offer step-by-step instructions for single, one-time use, or the opportunity to use third-party anonymous accounts for executing the order and the refund, while skimming either a flat rate or a percentage of the refund as commission for facilitating the refund fraud.

Refund brokers who charge a flat rate for orders up to a certain value likely operate a larger criminal enterprise, whereas others charging upwards of 45% per transaction likely rely on issuing fewer refunds at a higher profit margin.

Figure 4 - UberEats & GrubHub Fraud Guide for Single-Use. Source: DarkOwl Vision (976763716e16fa2f111a0dd6aebe903a)

In May, Instacart refunds for upwards of $700 USD, along with Uber Eats for $200 and Shipt for $500, were offered for sale by a user known as @DDsRefundVouches on the popular chat application Telegram.

Defrauding refund policies also presents an opportunity to resell the credit as gift cards, a popular money laundering currency on the darknet and deep web.

Figure 5 - Crsj’s Fast & Easy Food Refunds Mentioned on the darknet. Source: DarkOwl Vision (369383f52e069a2c9865185b95096374)

Food Delivery Account Vulnerability: API Cracking & Shopping Bots

More advanced hackers are interested in the technology underlying these personal services, and many have expressed interest in the underlying API for traffic interception. This would give the criminal access to the customer’s personally identifiable information, such as name, address, e-mail address and payment information.

A user on a hacker forum expressed interest in “cracking” the Just Eat food delivery service in the UK, and the forum community offered a number of solutions depending on whether the purpose is to order for free or to steal refunds. One user, “BigLad465,” found a Deliveroo (another UK-based food delivery service) exploit that could capture a customer’s credit card for as little as £35 ($45 USD), for use on future food deliveries on another account or for using the compromised account to request refunds on previous orders.

Figure 6 - Interest in hacking Just Eat UK. Source: DarkOwl Vision

Grocery shopping services like Instacart and Delivery.com are equally at risk for this type of criminal behavior. In late April, an anonymous user pasted JavaScript source code to automate the creation of Instacart accounts. The purpose of creating a mass volume of Instacart accounts was not identified in the post, but the username associated with the post is “ddanhviet,” who has posted numerous scripts related to online shopping, product recommendations and user reviews, including for Home Depot and Tmall, a Chinese-based online shopping website.

Many of the app-interception and manipulation discussions sit on the Surface Web in websites such as Reddit and in social media. In early June, a Reddit user asked specifically about the Instacart API, looking to intercept traffic between Instacart servers and the shopper API. Some of the comments included Charlesproxy and Wireshark as potential solutions. Another Reddit thread from May talked of Instacart bots from a supplier known as HaxEdge Solutions to steal large-value batches.

The HaxEdge Solutions website discusses how they are able to conduct e-mail monitoring, social media hacking, expunge criminal records, and recover lost money due to scams. Despite the morally questionable services it offers, HaxEdge does not have a noteworthy darknet footprint in DarkOwl Vision.

“Based on our expertise and experience with codings and several algorithms, we are able to input any backdoor command on security systems to achieve our results. People need hacking for several reasons and thatʼs why we set up our agency to serve as the unconventional way out. We offer variety of hack services depending on your request, our hackers will document your inquiry and provide a functional process to get a solution.”

— Quote Directly From HaxEdge: https://haxedge.co/services.php

In recent months, there has been a surge in Instacart related batch-stealer apps and many have come and gone, sometimes using slightly varied titles, such as Ninja Hours, Ninja Shoppers and Ninja Shopper. DarkOwl discovered nearly a dozen active platforms in mid-May advertising openly on YouTube and social media platforms. Contact information for these apps links them to users spanning the U.S., including New York, Savannah, Georgia and Northern California.

Detailed tutorials on how to use the third-party bots and batch stealers are available across a variety of YouTube channels for the apps. In the case of Ninja Shoppers, which was recently covered by Bloomberg News, the app is free to download, but users must be “activated in a private group” in order to be granted permission to pay for a user authentication token. Once logged in, the program prompts the user to find Instacart orders available near their location, according to a YouTube video viewed more than 13,000 times in the past three months.

Identifying one criminal exploiting food delivery accounts: Ninja Shopper

Ninja Shopper is one of the most prominent and popular Instacart order (batch) stealing programs available on the market. The app developer accepts Bitcoin and Zelle payments and sells the app for as little as $600 USD, with a phone number located in the New York area.

Figure 7 - One of a number of YouTube tutorials on how to use the third-party bots and batch stealers to exploit food delivery refunds.

With minimal OSINT investigation, DarkOwl analysts uncovered a GitHub repository with a similar name, “batchgrab,” created two years ago by a Brazilian programmer using the moniker felix b1scoito. Other repositories in his GitHub include auto-clickers, e-mail spammers, and DDoS tools.

Figure 8 - Image of the individual that is potentially behind the “b1scoito” moniker Source: youtube.com

The moniker “b1scoito” has a large presence across major deep and dark web hacking forums. They previously talked of intercepting the Netflix API and demonstrate proficiency in a number of key programming languages. Using other digital fingerprints revealed through pivoting with DarkOwl Vision, analysts found links to a programmer on a YouTube channel that included a Portuguese-language tutorial on AdvancedBots only a couple of months ago, an inactive Twitter account and a Surface Web URL with numerous references to the b1scoito alias.

Ninja Shopper is not the only Portuguese-speaking bot on the market. Others such as Robô Instacart had a short lifespan on YouTube and Reddit in late May (shown below).

As outlined in the recent article published by Bloomberg, their journalists connected by phone in late July with an Instacart bot-seller that DarkOwl had discovered; the man spoke first in Portuguese and then in English, confirming to them that he was selling a bot for those amounts. He declined to answer additional questions after learning that the information would likely be publicized.

Figure 9 - One of a number of YouTube tutorials on how to use the third-party bots and batch stealers to exploit food delivery refunds.

Potential Impacts to Account Holders

Food delivery services with mobile-phone apps are in widespread use. For example, according to a survey conducted by U.S. Foods in mid-2019, the average person has at least two food delivery apps and uses them upwards of three times per month. Furthermore, one could reasonably expect that usage has increased even more in 2020, with local restaurants’ dining rooms shut down and country-wide quarantines due to COVID-19.

It is reasonable to expect that criminals will continue to exploit these accounts in the future, beyond simple account hijacking or scamming vendor refunds. Further potential impacts include:

  • Access to PII (Personally Identifiable Information) could be exploited and used to make fraudulent purchases (e.g. hackers with access could obtain your credit card info, home address and other addresses you’ve ordered from, etc.).

  • Information gleaned from your account could be used for highly targeted phishing attacks (e.g. hackers could send an email appearing to come from a restaurant you frequent, using detailed information from your order history to execute a phishing attack).

  • Free Food! We have observed interactions on the darknet of individuals discussing how they’ve simply usurped an account to order food for themselves and others.

In light of this knowledge, the best personal security measures are to never reuse passwords that might already have been compromised and to never save credit card information on commercial accounts such as these. We also advise that users of these services take heightened caution when opening and clicking on links in emails purportedly coming from these services, as they may be phishing attempts.

Darknet Marketplace Snapshot Series: Infinity Market

In our new Darknet Marketplace Snapshot blog series, DarkOwl researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 

First up is Infinity Market – but don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

Figure 1: Infinity Market’s Log-In Page

Vendors Continue to Gravitate Towards Infinity Market

Infinity Market is capturing the attention of more and more vendors. Since early May of 2020 alone, DarkOwl has witnessed an astonishing 76.92% increase in vendor registration volume.

The statistic does not come as a surprise to DarkOwl, as vendors have quickly recognized that Infinity Market mirrors a criminal nexus, rather than a traditional darknet market, differentiating itself by standing up both a built-in card shop and botnet log store.

Figure 2: Stolen payment card information advertised for sale on Infinity Market

Another reason that vendors continue to turn to Infinity Market is because the market has a growing presence on the deep web. It is evident that the administrators of Infinity have allocated a significant amount of time and investment into marketing directives.

At the time of this writing, DarkOwl uncovered that Infinity Market has a promotional presence across several mid- and top-tier Russian- and English-speaking deep web criminal forums, most notably Raid, Club2CRD, Breach, Pro Crd, Fraudster Crew, WWH-Club, and Cracked.

Figure 3: Infinity Market’s hallmark marketing banner on Club2CRD

Establishing more trust with vendors, the administrators of Infinity have promised to protect their real-world identities by not collecting, storing and sharing any of their profile data and related market activities with ‘third-parties.’

The admins have also assured vendors that their market infrastructure and messaging channels are protected with AES-256 encryption (as pictured below).

Figure 4: Infinity Market’s FAQ-Page – Section 3.0 – Security & Privacy Policy

Key things to know about Infinity Market

  • Since the pandemic, compromised food delivery service accounts, particularly Grubhub and DoorDash accounts, have been one of the hottest commodities on Infinity Market. The price of a compromised DoorDash account, at the time of this writing, was $2 to $5 USD, with prices largely determined by the ‘freshness’ of the compromised account and the volume of personally identifiable information attached.

  • A user’s rank in Infinity Market is determined by spending history.

    • Lite – $0 – $1,000 USD

    • Silver – $1,000 – $3,000 USD

    • Gold – $3,000 – $6,000 USD

    • Prime – $6,000 – $10,000 USD

    • Infinity – $10,000+ USD

  • Contrary to other darknet markets, Infinity Market only supports Bitcoin as a means of payment. Drawing skepticism, the market does not allow vendors and buyers to withdraw and transfer funds to other wallets.

  • We have no definitive evidence where Infinity Market’s servers are hosted or where its staff are located. Some sources suggest the administrator of Infinity Market may reside in the United Kingdom. He or she also uses both Telegram and Gmail to communicate with criminal associates.

Figure 5: Landing page of a surface web carding forum that may be tied to the administrator of Infinity Market

Stay tuned as we explore new and existing darknet marketplaces to provide our readers a glimpse into the darknet economy and some of its major players.


Interested in what you’ve just read? Don’t forget to subscribe to our blog below to get the latest in darknet intelligence and be notified as soon as we put out new content.

Maze Hackers Release Press Statement on their Darknet Website Naming New Victims

On July 9th 2020, the hackers behind the infamous and malicious Maze ransomware-as-a-service (RaaS) malware released a press statement on their Tor hidden service outlining new terms and conditions for their operations in light of the economic crisis and global pandemic.

Figure 1: Screenshot of Maze Statement

The press announcement further included instructions for their latest ransomware victims, including five key points outlining a post-hack timeline for victim negotiations and subsequent data publications. The announcement listed their intended victims – alleging they had already been compromised – and now are seeking payment from them before releasing their data to the public. These victims include large corporations such as Xerox and LG ELECTRONICS.

The hackers stated they will publish notice of successful hacks, along with the victim’s name, within three days of the attack. The victim organization must start communication within the 72-hour period post-hack. The list of organizations they publicly announced as their targets is included in the following screenshot:

Screenshot: Maze’s published list of targeted organizations (captured 14 July 2020)

If successful negotiations do not occur within ten days, Maze claims that all of the organization’s ransomed data will subsequently be released to the public. This is contrary to the REvil hackers’ approach of auctioning or selling the compromised data (as opposed to releasing it for free). The Maze hackers also allude to “no more delays of a month or two,” suggesting some compromised organizations were possibly using stall tactics to delay publicizing the attack.

Presumably as a means of further intimidating their victims, the Maze hackers also state that, upon data release for each of their victims, they will also be contacting the victim’s partners, clients, and regulators to increase the impact of their attack and the damage to the reputation and company value of the compromised organization.

The hackers included a closing statement on how they are proud of their reputation and that ironically, “honesty is their revenue” along with a list of a dozen organizations they are extorting that would soon have their data published.

Figure 2: Screenshot of Maze Statement

DarkOwl analysts noted that the language used in the hackers’ press release lacked proper grammar, indicating that English is likely not the hackers’ first language. The hackers also elaborated how the victim’s inability to connect to the Maze website chat or negotiate due to fear is their own fault — even stating they are not “physiologists” (probably intending to say psychologists) and are unable to understand their victims’ behavior patterns.

Figure 3: Screenshot of Maze Statement

NOTE: DarkOwl has chosen to include the names of the most recent victims in this blog at present due to the fact that they are publicly available.


For more information about Maze and other RaaS sold or traded on the darknet, contact us to set up a trial using Vision to monitor and alert you if your company is being targeted or mentioned on the darknet.

Zoom Accounts For Sale on the Darknet Highlight On-Going Need for Better OPSEC

As most of the world shelters in place due to the COVID-19 pandemic, Zoom – the video conferencing tool we’re all very familiar with by now – has witnessed an extraordinary surge in use. Employees are on calls in Zoom for hours a day conducting meetings with their coworkers. Families and friends, unable to meet in person, connect on Zoom for virtual happy hours, weekends and holidays. In the first quarter of 2020, Zoom Video Communications added 2.22 million monthly active users, contributing to what is rapidly approaching a total of 13 million monthly users.

Given that hackers have also been on lockdown in their homes, it is no surprise that, less than a month after most of the U.S. went under quarantine, compromised Zoom accounts appeared for sale on criminal forums in the deep web and darknet. In late March, news headlines declaring a “Zoom Breach” quickly began appearing en masse. As a result, we decided to take a closer look at what we’re calling the “Zoom Situation” (more on that below), and in this blog will outline how, in a matter of months, this convenient, free video conferencing software became a major public information security concern.

One item that we want to note upfront is that Zoom – as in, the company – was not breached. To our knowledge, no hacker gained access to their user database or broke into their servers in any way. As analysts, we take care to differentiate between “breaches,” “leaks,” “credential compilations,” etc., because they mean very different things in relation to the cybersecurity posture of the targeted organization.

Zoom is only as insecure as your password reuse habits

The latest offers for Zoom accounts across darknet forums and marketplaces speak less to the security of Zoom’s software and more to the continued reuse of usernames and password combinations across commercial applications. In other words, the greatest and most important takeaway from this situation is that it would have been entirely avoided if Zoom users weren’t reusing passwords they’ve used elsewhere.

There’s nothing particularly special about Zoom’s conferencing security. The platform itself relies on the standard Transport Layer Security (TLS) 1.2 protocol, which replaced the deprecated Secure Sockets Layer (SSL) over HTTPS, and encrypts chats using the Advanced Encryption Standard (AES) 256-bit block cipher. However, in spite of this fairly basic framework, there is no indication that the 500K accounts offered for sale were collected by exploiting a vulnerability within the Zoom application.

Instead, DarkOwl assesses with high confidence that the hackers selling this data have instead used a method called “credential stuffing” to test Zoom login authentication against publicly available username and password combinations. So, if your email address and password were exposed in another breach, even from years back, and you used that same email/password to log into Zoom, you would now be a part of what others are referring to as the Zoom Breach.

By running old, leaked credentials through a credential-stuffing validation tool, hackers managed to find and confirm the logins for 3.8% of Zoom’s registered members in historical data breaches. Anyone using a tool like this could target any organization they wanted to.

One such tool called SNIPR (pictured) is a leading credential-stuffing toolkit supporting multiple attack surfaces including web requests (http/s) and IMAP-based email accounts without the need for any command-line or shell programming from the user.

Figure 1: SNIPR credential-stuffing toolkit in action (Source: www.snipr.gg)

Because of the increased worldwide use of Zoom due to the pandemic, Zoom became a target of interest for (presumably) bored hackers, resulting in a list of 500K verified Zoom accounts being offered for sale on the darknet service POPBUY Market for 10,000 USD in BTC ($50 USD per account). It is unclear from the vendor’s listing on the market who is behind the offer or whether it is legitimate.

 
Figure 2: POPBUY Market (Source: Tor Anonymous Network, Captured Live 21 April 2020)

 
Figure 3: Sanitized Snapshot of Sample Zoom Data offered for Sale (Source: DarkOwl Vision MD5 edf8ca26843157d313f6502ff970a9bb)

Another listing for Zoom account data appeared on the deep web hacking forum nulled.to, at a much cheaper price than the darknet marketplace above. This advertisement pointed to the hacker’s “Shoppy” account, which offers each account for as little as 0.25 USD, and included an external link to a sample file with some of the compromised data. The paste included 91 records with the username, password, Zoom URL (with password), numerical HostKey, real name of the user, and account type.

Our analysts confirmed that the sample “hacked accounts” in the offer include email address and password combinations indexed in Vision from previous data breach collections, confirming the hackers likely verified the accounts using credential stuffing.

DarkOwl assesses that the significantly reduced price, compared to the darknet market listing, is the result of Zoom advising users to change their passwords, which renders the account data virtually useless to the buyer.

The monikers used by the hacker offering these accounts are sufiyan.755 and MuratSarsilmaz. This user has “junior member” status on the Surface Web forum LeakZone and no darknet documents in DarkOwl Vision.

The hacker’s Shoppy account also lists very few other offerings, suggesting this is a beginner hacker entering the market.

Figure 4: Offer for x10 Zoom Accounts (Source: LeakZone.net Deep Web Forum, Captured Live 21 April 2020)

Zoom may be in the clear in this case, but historically does not seem concerned about user privacy

Zoom is sharing your data with Facebook

In March 2020, open source reporting confirmed that Zoom has been making money by sharing personal user data with Facebook in return for subsequent advertisement revenue. A new, resulting lawsuit states that Zoom, “failed to properly safeguard personal information” of its users. The lawsuit follows a MotherBoard report that verified how the Zoom iOS app for Apple smartphones was sharing information with Facebook about its users without their consent.

Figure 5: qTox, an alternative to Zoom, supports encrypted video conferencing (Source: http://www.linux.com)

Data that Zoom shared with Facebook included:

  • a flag when the user opens the app

  • details on the user’s device, such as the model

  • the time zone and city they are connecting from

  • the phone carrier they are using

  • a unique advertiser identifier created by the user’s device, which companies can use to target the user with advertisements in the future

This sharing of data with Facebook was not disclosed in the application’s Terms and Conditions, which is the foundation for the lawsuit. Most anonymous and privacy-conscious internet users avoid video conferencing software like Zoom and prefer encrypted applications like qTox (pictured) or Signal, or will simply forgo video chatting altogether.

They’ve allowed Zoom-bombing to thrive

The science of Zoom-bombing is as simple as BASH. Before the pandemic, some Zoom users complained of random people connecting to their Zoom conference meeting rooms without saying anything. Other hosts even received Zoom’s alert email “participants are waiting” at all hours of the night, which appears to have been reconnaissance for what has since morphed into the pandemic Zoom-bomb.

Since quarantine, many conferences have been subjected to the Zoom-bomb, in which hackers enter the conference and then subject the unwilling participants to an array of shocking and often illegal content. The frequency of this has resulted in now widespread use of password-protected conferences and of host approval being required for participants who join after the meeting has started.

How does this happen? Largely, it can be attributed to Zoom’s overly simple meeting URL, which appends a string of 9 numbers (the meeting identifier) to the address: https://zoom.us/j/<string of 9 random numbers>. DarkOwl analysts shared that this simple numeric string (9 digits at the time, since lengthened to 11) could be auto-generated in a loop inside a BASH shell script or any popular scripting language that then tests the URL with the UNIX curl or wget command. Meetings confirmed this way could then be targeted by manually “bombing” the conference call with malicious audio and imagery.

Some open source reports suggest that many of the trolls behind the majority of the Zoom-bombings are anti-semitic hackers targeting Jews during online meetings by flooding conferences with imagery of swastikas and Nazi soldiers. There is a lot of evidence that this is true; however, a number of hackers have also targeted many other non-faith-based and academic conferences, as well as individuals.

To make the situation more complicated, adding password requirements to Zoom meetings may soon not be enough – though we do strongly recommend this as an initial step. For example, last week, hackers on the popular darknet cybersecurity forum Torum mentioned a resourceful tool called the ZWarDial code, developed by KCSec. According to Brian Krebs, this code apparently leverages the BASH script idea and automates the Zoom-bomb without the need for a user account or password. This intelligence suggests that hackers are already evolving their tactics and techniques in response to Zoom’s security implementation.

Figure 6: Hackers discuss sophisticated tools that could circumvent Zoom security (Source: DarkOwl Vision MD5: 5ddbbce8549cc1b33628dc0eba5b8280)

Hackers might be attempting to disable Zoom accounts in the future

DarkOwl Vision also captured a snippet of PowerShell source code for a function called “Disable-ZoomAccount”, which includes logic to check whether a user exists on Zoom via a User Principal Name (UPN), in this case an email address; if the legitimate user is “active”, the source code changes the ZoomUserStatus to “deactivate.” Before exiting, the function writes to a log whether it was successful or whether manual intervention is required to disable the account. The purpose of the function, or how it will be used in the wild, was not identified in the deep web document.

Figure 7: PowerShell source code for a function that disables Zoom accounts (Source: DarkOwl Vision MD5: 28e89b4454f2dfdbc5a97fb0b2c1c92c)


Zoom is rapidly patching security issues

Zoom has responded quickly to criticism of its video conferencing platform. This is perhaps in response to the fact that in late March and early April 2020, New York City school districts – as well as Elon Musk’s SpaceX operation – publicly stated they would no longer be using Zoom software due to ongoing security concerns.

The digital conferencing platform has also responded with an in-depth security audit and has released multiple security updates to the software. Security updates include support for more complex meeting password requirements, the random meeting identifier has been lengthened from 9 digits to 11, and password protection for shared cloud recordings of meetings is now on by default.

To prevent unauthorized and unattributable malicious access, there is no longer an option to “Join Before Host”, and all participants require a Zoom account to take part in a Zoom conference call. Zoom had also temporarily disabled third-party support for file-sharing services such as Box and OneDrive; as of late last week’s security updates, this feature was available again.


Takeaways and advice

When it comes to Zoom, there are still steps that you can take right now to add an additional measure of security to yourself and your organization:

  • What happened with Zoom could happen with any internet-based application. So, remind your employees, family and friends to choose unique password and email address combinations on every commercial application.

  • Adding password protection to Zoom meetings is the first step to mitigating unauthorized access to the user’s conference room.

We can’t emphasize this enough: what happened to Zoom (and Zoom users) can happen to any internet-based application at any time. It only takes one hacker with access to old, breached or leaked credential data and a credential-stuffing tool to target an organization of their choosing. As such, given the current level of dependency on remote working and virtual video conferences, DarkOwl encourages all to be vigilant while using any platform that requires user account registration:

  • Set up accounts on such software with unique (if not disposable) email addresses, using complex passwords not used anywhere else.

  • Apply any and all additional security options available, such as password-protection for the meeting and limiting access to stored shared recorded meetings.

If you are considering abandoning Zoom altogether, TechRepublic recently posted a list of alternative video conferencing applications.


Thanks for reading our blog! Contact us if you want to know more about this issue or discuss how DarkOwl can help mitigate your account information appearing on the darknet.
