DarkOwl is thrilled to announce the launch of Actor Explore, an exciting new addition to our Vision UI platform that provides invaluable insights into cyber threat actors. This latest feature is designed to empower security professionals, researchers, and organizations with analyst curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively.
With Actor Explore, access to comprehensive threat actor information is just a click away. Navigating the cyber threat actor landscape has never been easier. Each actor profile in Actor Explore includes a detailed dossier, offering an in-depth overview of the threat actor. Additionally, DarkOwl analysts provide extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and morewhen available. Actor Explore connects this information to our other data sets, including leak sites, ransomware sites, alias, cryptocurrency, etcetera that actors are associated with. This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose.
Cyber threats are continually evolving, and so are the threat actors behind them. The collection consists of threat actors in several categories, including: state-sponsored, cybercrime-focused, ransomware groups, access brokers, exploit brokers and buyers, critical infrastructure attackers, and more. Actor Explore will be regularly updated with new information and actors,prioritizing client needs, ensuring that users have access to the latest intelligence to bolster their cybersecurity efforts and research.
DarkOwl’s Director of Product, Sarah Prime, expressed their enthusiasm about the launch, stating, “We believe this new feature will give our users insight about important threat actors and provide pivot points to where they appear in the darknet. We are committed to providing the most comprehensive darknet dataset, along with context and enrichment that helps our users understand evolving cyber threats.”
About DarkOwl DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org – Dark Reading
Threat actor group Lazarus has crafted a new backdoor used in operations targeting the aerospace industry. “Lightless Can” is a RAT, and Lazarus members are spreading it by impersonating Meta recruiters on LinkedIn. The actors pass “coding challenges” which are “for a job interview”, so victims download to both their company and personal devices, spreading the malware. Read full article.
2. Magecart Campaign Hijacks 404 Pages to Steal Data – Dark Reading
Magecart is inserting malicious code into HTML pages of various websites, with a focus on food and retail industries. Magecart is an umbrella term; the collective is comprised of several different criminal actor groups who employ skimming and custom malware to steal PII and financial information form ecommerce websites. One of Magecart’s skimmers, Kritec, successfully impersonated third party vendors like Google Tag in the spring of 2023. Article here.
3. US energy firm shares how Akira ransomware hacked its systems – Bleeping Computer
Akira actors first used stolen VPN credentials from a third-party contractor’s account to access internal BHI networks. This same account was used to conduct continued recon of the internal network. It took the actors just over a week (nine days) to take 767,000 files/690 GB of data. Exposed data included full names, SSNs, DOBs, and more PII of BHI customers. Read more.
The Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, which involves Confluence, to escalate privileges and access Trigona’s confluence server. They gained insight into the infrastructure and published Trigona’s support documents, exfilled the developer environment and information pertaining to Trigona’s crypto payments, as well as the back-end of Trigona’s chat service and blog/leak site details. After collecting all the information, UCA defaced and deleted Trigona’s site. Read here.
Israeli hacking collective Predatory Sparrow recently reemerged after taking time off from digital operations. This group, who has historically targeted Iran, posted in Persian in their Telegram channel on Monday, October 16, asking if their followers were “…following what is happening in Gaza.” They also shared a link to Iranian Mehr News Agency, which was down at the time. Learn more.
6. KillNet Claims DDoS Attack Against Royal Family Website – Dark Reading
KillNet caused the UK Royal Family’s website to be unavailable for 90 minutes on Sunday, October 1. KillMilk, the leader of KillNet, called the incident “an attack on pedophiles” – a reference to Prince Andrew’s ongoing scandal. Fueling the fire, Britain’s King Charles had recently condemned the Russian invasion of Ukraine in a public speech, and KillNet attempts to exact retribution on those who speak out against Russian actions. Read full article.
7. ALPHV ransomware gang claims attack on Florida circuit court – Bleeping Computer
ALPHV ransomware gang claimed responsibility for an early October attack against northwestern Florida courts. The attack possibly revealed social security numbers and other personal information of the court employees, as well as judges themselves. ALPHV also claims to have a network map of the court’s online systems, which likely includes credentials, leading to further network infiltration and possible lateral movement. Read full article.
8. BianLian extortion group claims recent Air Canada breach – Bleeping Computer
Ransomware group BianLian successfully breached Air Canada with their ransomware, claiming 210 GB of data. Air Canada acknowledged an incident in September 2023, but said that the stolen information was limited. BianLian shared screenshots on their ransomware page indicating that the employee data was only a part of what they stole, and that they also had technical information, such as an SQL database. Learn more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space.
In this webinar, DarkOwl CEO, Mark Turnage and Socialgist CRO, Justin Wyman explore a variety of critical topics shaping the cybersecurity landscape:
Key VC Raises in Cybersecurity: Capturing Industry Attention
Understanding the Major Players: Who’s Raising the Stakes
Harnessing Security Solutions: How Organizations Protect Their Assets
Addressing the Talent Gap: Scaling with Data Aggregators and Services
Pioneering the Use of AI: How do LLMs and AI Come into Play
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Thank you for joining us for today’s webinar exploring emerging trends in cybersecurity. Before we get our topics, begin our topics today, I’d like to turn it over briefly to Mark and Justin to give a brief introduction of themselves and their companies.
Justin: Hi, guys. Nice to meet you. Wyman, Socialgist is the name of my company. I’m the Chief Revenue Officer. We are a provider of open source intelligence. We’ve been doing so for the last 22 years, and I’m excited to be here.
Mark: Hi, I’m Mark Turnage. I’m the CEO and Co-Founder of DarkOwl. We are a company that specializes in the darknet, and specifically in extracting data from the darknet and providing it to our clients and working with partners like Socialgist to provide a broad view of open source intelligence, including that of the darknet.
Kathy: Great. Thank you both. Prior to diving into our topics today, Justin and Mark wanted to take a moment to comment on the Israeli and Hamas conflict happening presently.
Mark: I’m happy to comment. You know, when the conflict broke out on October the 7th, we immediately started looking at content in DarkOwl’s database that was relevant to the conflict, either pro-Israeli, pro-Palestinian, pro-Hamas, and we pretty rapidly triangulated on about 400 Telegram channels that are actively covering the conflict. And we’ve been monitoring those channels throughout, directly ourselves and generating some content which is available on our website, and also supplying that to our clients. And it gives them a different perspective than what you see on the front page of many of the newspapers. I will comment, we published a blog very early in the conflict that noticed that amongst the most prominent Pro-Hamas Telegram channels, they went quiet for several weeks before the attack. Unusually quiet. We don’t have an explanation other than they were distracted, they were planning, they were getting ready, or they had been told to go offline. But we did detect that in the lead up to the attack, there was considerably less activity on those Telegram channels than was normally the case.
Justin: I would say when you see such a horrible thing, it’s really hard to process, especially because in the space that Mark and I occupy, Israel is a big component of it. Technology companies and cybersecurity are founded in Israel all the time. Some of the leaders in the space. So it gave an extra personal feel, if that’s even possible. When you see these types of things, when you know the people that are directly impacted by it at a different level. And then I thought it was it was comforting to see that we could in some way help with our information, help the helpers, essentially. And Mark, I got to say, I thought the Dark Owl content was fantastic. To help show examples of how OSINT intelligence can help prepare for these types of things and deal with them frankly.
Kathy: Thank you both. Now we will begin with our first topic.
Key Raises in Cybersecurity: Capturing Industry Attention
Justin: So let me talk at a high level. What is happening? If you look at VC and cybersecurity over the last couple of years, it’s declining, which normally I think would be a bad thing if you didn’t realize it was declining from a peak bubble that happened during the pandemic. So you can say things are down 30% from last year, which is down another 30% from last year. It really, honestly, to me just seems to be returned back to normal. You see a lot of companies having some very specific raises, we’ll get into and you’ll see some combinations, you’ll see some coverage. But I think that the cybersecurity industry should feel that there’s been a correction that was due because you’re in a bubble. But now we are in a place where things are normally operating. The space is growing and investment is happening as well.
Mark: Yeah, I’ll just echo Justin. The investment into the cyberspace, go back say three years was just red hot. It was at levels that I didn’t think were sustainable. And oftentimes at evaluations that I didn’t think were justified. What has happened as the economy has gone through a fair amount of turmoil over the last year and a half is that those valuations have reset, and the level of investment is what I would normally expect in a pretty healthy sector that is still growing. Overall funding is down. I think it’s down 30% year on year. Valuations are down. The interesting thing is that companies that are still growing and companies that are profitable are still getting healthy inbound investment. Just yesterday, by the way, Censys announced a $50 million dollars raise, a small company out of Israel raised $4 million. I mean the raises come in regularly. They’re not at the valuations that we saw, say 2 or 3 years ago, but they are still happening. And they are particularly happening with very healthy companies.
The other trend, by the way that I’ll mention is any time you have an economic reset, which is what we’re experiencing right now, it forces consolidation in the market. You know, scale matters, size matters, sophistication matters. Go-to-market strategies and the ability to reach your market matters. So whereas before a small startup could have raised successive rounds of value, of money, of capital at ever increasing valuations against, you know, maybe skinny performance – those days are gone and they’re likely to be an acquisition candidate for for another company. And we’re seeing this – large companies are pretty active in the M&A market right now as a result.
Kathy: Based on that, a question has come in. What changes do you foresee over the next coming year?
Justin: Let me start with one of the public markets because that leads things. So in the public markets, you’ll see a lot of leading cybersecurity companies up double digits this year, more than the S&P 500. CrowdStrike is a good example. They’re up 70% year to date. As an example, Tesla is only up 80%. Apple’s only up 36%. So that’s not market forces. That’s industry forces of the problem with cybersecurity is growing so rapidly. The things I think you’ll see over the next year would be companies that have a growth plan, getting more funding and moving into new markets. I saw that already with OSINT Combine. There’s a company with a very good Australian presence going to the North American market. Full disclosure, they’re friends of my company and DarkOwl – so maybe we’re a bit biased there.
You’ll see some people getting acquired by PE firms, which is an idea of, again, operational excellence that might be a different component than things, say, in a bubble where instead of doing a PE acquisition, you would raise a bunch of money and see if you could sell and market your way out of it. The other thing I’ve noticed that I think will come is more legitimacy and standardization. Frost and Sullivan has created industry coverage for the first time on a lot of these companies. You’ll see certification tracks coming out of industry organizations like Osmosis. So I see it as a big step forward in the maturity of this space. There’s always startups, there’s always guys in the middle, and there’s always the big guys, and you want to have enough of them to create an ecosystem where you can ultimately meet the consumer need.
Mark: I couldn’t agree more. The way I would have described the cyber security industry two years ago was an awkward teenager. And it’s moving to young adulthood. It’s maturing. It’s growing up. It’s actually starting to understand what its own limitations are and what it can and cannot do. And I would just echo Justin and say, over the next year, we’re going to continue to see consolidation – more and more mergers, more acquisitions. It has always amazed me, just as an aside, that the largest cybersecurity companies in the world still only measure their revenues in single digit billion dollars. Those are the largest. And then it falls off pretty quickly from there. And given the size and importance of the problem, this is an industry that is ripe for what you just identified, Justin, which is growing up, consolidating, becoming more professional, working against known certifications and known standards. And by the way, known regulations because the regulators have arrived.
Justin: Mark, that McKinsey report we’re referencing before about just how breaches are supposed to go up 300% from 2015 to 2025 also noted that to your point about revenue, that the vendors in the space right now make up a 10th of what they think the overall revenue is going to be in the next ten years. So yeah, teenager growing up is a great analogy, meaning there’s just so much. There’s some stability being built in, but there’s still so much more to grow up.
Understanding the Major Players: Who’s Raising the Stakes
Mark: Well, I think in the world of threat intelligence broadly, there are a couple of very large players – Recorded Future comes to mind, Flashpoint comes to mind, Intel 471. There are a bunch of these players. Interestingly enough, every single one of those has been acquired over the last 3, 4 or 5 years by large private equity firms that have, as a strategy, explicitly what Justin was talking about, grow these companies up, make them larger, make them professionalize their operations, give them global scale and global reach. And then below that you’ve got a whole range of companies and these are small- to mid-size. Some of them are just start-ups who are looking at problems from a different angle. And there has been a lot of activity, both in terms of fundraising into those companies as well as acquisition. I mean, one that comes to mind is Maltego. Maltego was acquired by a private equity firm at the beginning of this year, and that’s a well known, well established platform that is used across the industry by a number of different companies and users. And in my view, that was a really smart purchase by the private equity firm. What else is going on Justin that you’re seeing?
Justin: A company I recently became familiar with at a conference was Fivecast. They raised 20 million. They were an Australian based company looking to really expand their sales and marketing into North America. They feel their perception, not mine or based on conversations, that they feel they have their product completeness to the point where it’s time to go see if they can compete against the bigger guys in the space. Now Cobwebs, another huge player in the space, just joined Chainlink. Those are other things I’m seeing.
Another one we were talking about, Mark, is Palo Alto Networks buying Dig this morning as a sign of just a major player adding in a feature capability. So, you know, this is following the the classic playbook – where you watch Oracle and Salesforce go after each other and then add on competing bolts. Again, another idea that you have a very well established market that you can operate. If you have operational excellence, you can really succeed.
Mark: Another example of that, by the way, is Proofpoint yesterday announced the purchase of Tessian and we’ll come on to it. Tessian is an AI provider that will significantly enhance Proofpoint’s products. And so you’re starting to see that happen at a pace that I have long predicted. But really I think this economic climate has accelerated.
Harnessing Security Solutions: How Organizations Protect Their Assets
Justin: I’ll start as I always do, with a little bit of data. Fraud is still massive. The biggest issue that every organization is dealing with – it’s coming from social media, it’s coming from internally. I talked a little about this McKinsey report, but again, I’ll say it again because it’s such a massive number. They think that breaches damage is going to increase 300% by 2025. The other one that I looked at was a survey of mid-sized companies suggests that threat volumes will almost double from 2021 to 2022. So that’s 100% growth in one year.
What they’re doing to protect their assets – my concern is with their employees. So I’d love to hear your thought on this, Mark.
Mark: Just a small data point from DarkOwl – we track where visitors to our site go and what pages they dwell on. The most common feature across our website is our fraud webpage and content on fraud. That speaks to the nature of the problem.
I’ll just say two things. One is we are all excited as an industry about AI. We’re excited about new tools, about new capabilities that exist. So are the threat actors. They’re using all of the same tools, all of the same capabilities to actually scale and professionalize their own operations. But, you know, going back to your point, Justin, the biggest threat to many companies is their own employees continues to be their own employees, whether that’s actual outright fraud or just mistakes that employees make that open up the company to potential potential attack and fraudulent attacks.
Justin: I believe that was the logic behind the Tessian acquisition is just the amount of people that have exposed their companies by literally emailing the wrong person. That seems to be a problem that should be quickly solved through some proper technology application.
Mark: I mean, I’m amazed. I’m actually amazed. Look, I mean, CEOs are are susceptible to this as well. And in fact, I mean, go to any OSINT training seminar and they’ll tell you the most vulnerable people or the easiest to attack are the C-suite, because they’re the ones who are the sloppiest or the least attentive to to security. That continues to be the case, but it permeates the entire organization.
Justin: The other thing I’ve heard is that key figures, usually execs, because there’s so much information, that they’re much more easy to manipulate. Voice manipulation takes a lot of samples of data. So the bigger the sample, the easier it is to manipulate the voice is the other thing I would talk about. And then the last one I noticed was people just kind of really trying to do the best they can to understand their supply chains. If employees are people accidentally sending information out. Supply chains are people sending information in, and these are business partners that you rely on your suppliers. So it’s very easy. Those are very weak points in a system to kind of create havoc if you’re not prepared.
Mark: There’s absolutely no question. The pandemic taught us that supply chains matter and supply chain vulnerability is mission critical. And to to Kathy’s question of how organizations protect their assets, it’s not only protecting your own assets, but protecting those critical assets of your vendors who are critical to the provision of your product or your services as an organization, which is why you’re starting to see these third party and vendor risk management companies come into their own in terms of their level of maturity, because especially very large, complex organizations need to pay attention to their supply chains.
Addressing the Talent Gap: Scaling with Data Aggregators and Services
Mark: The interesting thing about the talent gap is that the cybersecurity industry for years has complained about lack of talent. I think the statistic I continually hear is something like half a million unfilled cybersecurity jobs worldwide. And that number has held pretty steady for the last number of years. We’re in an environment, though, where many of the companies in our sector are actually laying people off. So how do you square those two contradictory statistics? Well, one way to square them is exactly what Justin said earlier, which is many of the companies that are laying people off were hiring at a clip that was unsustainable just as recently as 2 or 3 years ago. So you’re coming back to a sort of a more normal track. My sense is that there is still plenty of demand in the marketplace for people who have cybersecurity experience, whether it’s developers or product people or otherwise. But yes, there is a gap and I think AI is going to help fill that gap. What do you think about that, Justin?
Justin: I absolutely do. Let’s talk about the two things like data aggregators and services. Start with services because Mark and I have a data aggregation stake in this fight. But on the services component, when I work in the space, what is interesting to me is the people come from all different backgrounds military, private, etcetera. There’s no “you don’t go to school to become a cybersecurity expert.” So that’s a very big problem. But it’s a problem that is being solved, I think. When we were all at OsmosisCon, which is a association of these professionals, they’re creating certifications. They’ve created a conference so people can come and share tips and tricks. And that’s just one of many. So I think it’ll get easier and easier to bring people into the space and give them the certifications that show them that they’re qualified, because right now it really is due to the nature of the sensitivity of the issues and how people come. It’s like, who do you know that you can trust? Which makes sense in the beginning. But over time, you have to figure out how to scale your business. So I see a lot of services being created to help with that.
Then on the data aggregation side. As a data provider technology provider in this space, it’s amazing to me how big the problem is, right? These people are searching for needles in haystacks and the haystacks are growing, and so the only way you can solve them is through aggregation. And that’s basically at any point in the value chain. So if you’re creating a piece of software that allows analysts to hunt for threat actors, well, you’re probably going to use data from many different sources because the haystack is too big for you to do it yourself. Then if you’re actually looking and searching and doing the analysis on top of the data, these tools will allow you to search more efficiently. If you go back to Mark’s Telegram example about things going silent before an attack, as these technologies get better, you know you won’t have to go, “Huh? Why are these silent?” These things will go, hey, there’s an interesting activity here. The volume of these things has really dropped off. Why? And that’s a way that people will be able to not only look in the haystack more broadly, but faster, have things suggested to them. So I think ultimately the space will be fine. Again, I can’t stress this enough, we are coming off a bubble, and that generally means people aren’t behaving how they should behave. And so to correct that, you have to lay some people off. But now that we’ve had this baseline, people go back to building their businesses most based off of the value they provide in the market. And as we’ve shown, the value is only growing, meaning the threats are only increasing dramatically.
Kathy: Based on that, we’ve had a question come in: We have seen a lot of layoffs in the space recently. And can you address how this does affect the talent gap?
Justin: Positive half glass full spin would be – when you have layoffs in an industry where it’s growing, it’s because those people are in a place where they weren’t effective. They weren’t doing the things that needed to be done to keep the business on its goals. So when you take an experienced person and you separate them from a business that no longer needs them in a growing space, they should be deployed in a better space where they are more impactful. Right. This is the efficiency of markets happening. So I think these gaps will take the people that were places where they weren’t as useful and put them in places where they will be much more useful and create a world where they’ll be, again, more coverage.
Mark: Not to disregard the dislocation that necessarily occurs when that when that happens, if you’re the individual who’s affected, it can be quite difficult. But I agree with Justin that on aggregate we’re not seeing employment in the cyberspace decline. It still continues to increase.
Pioneering the Use of AI: How do LLMs and AI Come into Play
Mark: The big issue that both Justin and I have discussed in the past is anytime you bring an end to a problem, it needs a data set to sit on, to learn, to learn that problem in order to be effective. And so what becomes the most critical in that is the data we aggregate – darknet data. Socialgist aggregates open source data across a variety of different platforms. Those data sets become extremely valuable and extremely important in the application of an LLM to address or learn about a specific problem. And you know, in the case of DarkOwl, I can speak to that, our data set has been aggregated over 5 or 6 years. That’s not something that you can just recreate overnight. If you’re a new company coming into this space or somebody looking to utilize AI, the same I’m sure is true for Socialgist. So it’s a very interesting insight into the power of the underlying data that that any organization can has in terms of addressing the problem via an LLM.
Justin: And I totally agree with everything Mark just said. I think the other thing to think about is, how much easier it is to get things out of the data value, out of the data with LLMs, and how in general, the biggest thing you’re going to see in the software world, the biggest constraint is going to be software engineering capacity. Every company in the world wishes they had more software engineers because it’s hard to do things like connect a data set into an analytics platform. It’s a very technical work. These engineers now are doing work 40% faster, so it’ll be easier to make progress and solve problems when you put these types of applications together. What that should mean is that you should have in the long run, and again, marginal like dislocation is hard and things need to change and we have to cross the chasm and all these sayings, but what we’re really talking about is in the long run, things should get cheaper with technology and things should also get better. So the data sets that we ship to our clients that are working very hard to get incredible data out, get incredible insights out of it, should be able to get insights out of it faster and better and cheaper because they need less engineers. And then the tools to analyze these data sets should only get more powerful as well. I really see there will be an area where, you know, there’s different segments in our space, right? There’s the people that are at these big companies, and they have all the budgets in the world, and they have the fanciest tools, and there’s people below that, and there’s people literally using their cell phones to track people doing medical research. Those people should get increasingly better tools that will make them much more effective. So we’re talking about the capability of people with less budget getting much more effective, which I think really creates a much better world.
With the caveat that the other guys have it too. So there’s always a push and pull, but I see a lot of positive headwinds in the in the long run with AI.
Mark: I mean look, you know it’s going to increase, as Justin said, productivity per worker significantly. And the comment that I heard recently in a conference was, you know, AI will be tremendously dislocating of many types of employees and many types of groups, but the world’s going to divide itself into to two camps. Those people who know how to use AI to make themselves more productive and those who don’t. And that’s the digital divide that we’re actually hurtling towards. I’m deeply optimistic, personally, about what I can do across multiple different fields, but starting with our own field in cybersecurity – I’m very optimistic about it.
Kathy: We’ve had another question come in and an attendee is interested to know “Will DarkOwl and its peers sell their data sets to companies?”
Mark: Good question. We’ve been approached by a couple of companies, and we’ve done our own early work on putting an LLM onto our own dataset. I suppose I should put on my businessman’s hat and say it depends on the price. Yes, it depends on the price. But it’s not something that we’re going to do loosely or without a lot of thought. Because once that data is out there under somebody else’s LLM, obviously the data is available to whoever has access to that platform.
Justin: It depends, I think is a good answer. I think the thing to understand about perhaps my company, Mark’s company, is like, you know, our mission is to extract information from the world’s online conversations and if you can help us with that mission, because we’re very serious about it for the reasons we’ve discussed throughout this whole thing, we’re seriously going to talk about it. Now, there’s sometimes choices that make decisions. There’s sometimes choices that make that not the case. And there’s always a lot of nuance. But at a high level, if you help us with our mission and the business makes sense, then that would seem something that should happen. But also, Mark, you touched on a really interesting point of, you know, I do think data companies like ourselves are also going to explore training with our own LLMs too. to have the full picture. So I think the key is as long as LLMs capability is used on these data sets to make the world a better place, we’re for it. The machinations, I don’t know. There could be a world where two data providers do one together, etcetera, but the technology should make the data more useful, and that is our goal.
Mark: I will point out we’re in discussion right now with our first client who wants to put in on a subset of our data. It’s exciting.
Disclaimer: DarkOwl analysts do not endorse any of these marketplaces or offerings and have not confirmed legitimacy of any of these sites. This information is provided for awareness only and has not been independently verified.
Introduction
This Halloween season, DarkOwl analysts decided to delve into some of the scary things that are available for purchase on the dark web. The dark web is well known for dealing in illicit goods such as drugs, counterfeit goods, and hacking tools as well as leaked data. But there are also sites out there which claim to be selling goods that are a bit more gruesome and creepy…
This blog explores some of the weird and scary things we have found being sold on the dark web.
Warning: This blog contains images some may find distressing.
Organs For Sale
A number of sites have been identified on the dark web that claim to be selling human organs. DarkOwl analysts have seen both stand-alone sites selling these as well as individual postings on marketplaces. In the image below, we can see a stand-alone site which offers organs for transplant and claims to provide shipping worldwide.
The image below is an example of the items that are being offered for sale. Ranging from hearts, kidneys, and livers. They claim that the organs remain viable for one year – which is scientifically impossible. There is no indication from this site on how the organs are transported, or how the purchaser is expected to transplant the organs, as no medical help is provided. The do provide a money back guarantee however.
The cryptocurrency address associated with this site has received a total of 0.61955435 BTC, which equates to around $34,000 depending on the conversion rate. Although the address currently has a balance of 0. Most of the transactions that have taken place have been for $100-200 which is far below the asking price on the website. So, it is unlikely that they have actually sold the items they are advertising or at least not at the prices shown above.
It is doubtful if this is a legitimate offering, DarkOwl analysts have observed the same images being used on multiple sites which may indicate that they are using stock images and that this is a scam. The fact that they claim the organs will survive a year is also suspicious.
It is also unclear from the sites we have reviewed, ifthey are legitimate, where these organs are sourced from. There is the potential that this could be linked to criminal activity such as human trafficking or the black-market trade of organs.
Another site we identified is more specific about the locations that they are able to export organs to and also indicates that they will provide medical expertise to assist with the transplant. It is worth noting that this particular dark web site is not currently active.
“Human” Meat
Perhaps the “creepiest” site we found was one that advertises the sale of human “meat” for consumption – “For those with taste.”
The site states that eating human meat is not immoral as long as you haven’t killed to get it. Although they don’t directly state where the meat is sourced from, they suggest it comes from road traffic accidents and morgues.
The site also gives information about where they will export the “meat” to and suggest that everyone should taste human meat at least once. They offer a range of “cuts” as well as organs which can be sent to Europe, Asia, and Africa.
DarkOwl has no evidence to suggest if this is legitimate or not. We do not suggest trying to order.
Hitmen
It has been widely reported previously that hitmen are available for hire on the dark web. Although it is never clear if the sites are legitimate or not, there have been examples where they have been proved to be true and murders or attempted murders have taken place.
One such example of hitman services being offered was identified by DarkOwl. The Mexican Mafia claim to offer the following services in their own words:
Death by shoot and drive away
Death by making it look like accident or robbery gone wrong
Death by sniper
Beating
Arson
Guns
They offer proof that they are legitimate by posting the names of individuals they claim to have murdered in multiple jurisdictions. No further research was conducted to substantiate this claim and it is possible they could have obtained stories from the media and claimed them as their own.
Conclusion
The dark web holds many secrets, some of which can be gruesome. At this time of year, they can seem like “tricks” but we are unable to confirm if any of the things mentioned in this blog are legitimate or not but either way they are creepy for spooky season.
Disclaimer: DarkOwl is not affiliated with any of the groups mentioned in this article and do not support the actions of cybercriminals regardless of their motivations. This information is provided for informational purposes only and has not been independently verified.
Introduction
Defacement attacks, involve the unauthorized modification or vandalism of a website or web application. These attacks typically result in the alteration of the website’s content, appearance, or functionality by attackers with malicious intent. The primary goals of defacement attacks are usually to deface the targeted website, display a message or image, and often to spread a message or agenda, drawing attention to the attacker’s cause or skills.
It’s important to note that defacement attacks are just one form of cyberattacks, and they usually don’t involve data theft or damage to the website’s infrastructure. However, they can still have a significant impact on the website’s reputation and the trust of its visitors as well as voicing political messages.
As the events in Israel and Gaza have unfolded, defacements have been a common technique used by cyber actors to target opponents. Here we examine some of the groups conducting these attacks and the victims.
DragonForce Malaysia
DragonForce Malaysia is a pro-Palestinian group located in Malaysia. The group are active on social media with accounts on Telegram, Twitter and Instagram. They also have their own website and forum where they detail their activities.
Historically the group have primarily conducted distributed denial-of-service (DDOS) and defacement attacks, and this pattern is being replicated in response to the October 07 attack on Israel. However, they have also been seen to use other exploits.
Since the beginning of the conflict, DragonForce have mounted defacement attacks against approximately 125 websites with .il domains. There does not seem to be a pattern to the websites that are targeted other than their affiliation to Israel, although multiple Op names have been used on their various defacement messages. As shown below they have also used their defacements to encourage other hackers to join their cause.
Their Telegram channel has also been used to highlight other attacks that they have conducted, including a claim to have accessed the “Israel Telephone system Management,” as well as other Israeli Telcos. Samples of the data have been posted on their telegram channel. They are also sharing leaked databases as seen in the image below.
Cyb3r_Drag0nz_Team
Similarly, to DragonForce Malaysia the Cyb3r_Drag0nz_Team is a pro-Palestinian group which has been active creating defacements since the beginning of October. However, they appear to have cast a wider net in terms of who they are targeting with a number of US victims in the education space as well as in other countries, including Israel.
As well as providing details of the group in their defacement message they also supply the usernames/Aliases of individuals who have assisted in the attack as shown below. They also provide details of their Telegram and Twitter accounts.
This highlights the fact that groups which conduct defacement attacks are usually looking for notoriety and often are active on social media in order to publicize their actions. This group have conducted defacement attacks against approximately 157 websites since October 08, 2023, as of the writing of this article.
The Telegram account of this group has been used to promote the defacements it has conducted; this appears to be the main activity that they conduct although they have also released leaked information purporting to contain Israeli citizen data. This underscores that with this conflict normal citizens are being targeted as well as governments and military organizations.
X7root
This group has also conducted defacement attacks against Israeli websites, including kdh.org.il which is the Jewish Burial society, this appears to still be active. This defacement message also includes an image from the Holocaust likely to cause the most amount of offense possible. The image is not included here but the accompanying message is shown below.
Little is available about this group, but they do also have a Telegram channel which has previously been used to sell exploits and requires a $90 subscription fee. However, recent posts on the channel have been anti-Israel in nature and provide details of the websites which have been defaced. In posts made on Telegram the user states that he is Arab and shows support for individuals in Gaza. The user is using the #OpIsrael which has been used by many pro-Palestinian groups.
Conclusion
Defacement attacks are not a new technique, but they can become particularly effective in times of conflict, as they were in Russia and Ukraine, in order to share the attacker’s message. The majority of defacement attacks that we have observed have been conducted by Pro-Palestinian groups, but Pro-Israel groups are also conducting cyberattacks. Defacements are a powerful tool for hacktivist groups seeking to use their skills to share a message.
Defacements are in some ways unique in that they seek to publicize the actors behind them, their views and their activity. Therefore, they are more prominent and easier to detect than some other attacks and usually less destructive as they do not tend to affect the underlying infrastructure. As hacktivists seek to take a stand, they differ from the more traditional cyber espionage which seeks to stay in the shadows, but it is very likely those attacks will escalate in the coming months.
Last week, DarkOwl participated in OsmosisCon, an Open Source Intelligence Skills-building Conference, in New Orleans, LA. The annual, training-oriented event is comprised of workshops and classes to earn Continuing Education Credits (CEUs) lead by industry leaders focusing on the latest in OSINT and SOCMINT tools. In addition, the exhibiting companies provide real world examples of industry standard products and services, allowing attendees to either advance their own research or find a solution for their company.
The networking and consulting opportunities at OsmosisCon are incredibly valuable for anyone in the OSINT space – whether you participate in the pre-event workshops and presentations, speak during the networking events or via the virtual conference platform. Sessions this year dove into a wide range of topics including open source techniques and skills related to exposing fraud, utilizing artificial intelligence, currents and future threats, identifying unknown users, and more.
The Osmosis Institute’s mission is “to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices.” Their statement continues to say, “to that end, we seek to foster professional growth in our community. We strive to inform professionals on how to protect personal privacy data and abide by national and international laws and ethics standards.” OsmosisCon allows them to put this mission into practice and in its 9th year has continued to grow and bring hundreds of cyber intelligence analysts together.
Representing DarkOwl at OsmosisCon this year was Alison Halland, Chief Business Officer, Caryn Farino, Director of Client Engagement, and Damian Hoffman, Product Engineer and Data Analyst, based out of DarkOwl’s headquarters in Denver.
Leading up the kick off of the conference, Damian presented, “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations,” focused on how the dark web is an essential source of information for OSINT investigations across a wide variety of use cases. Showcasing DarkOwl Vision, his talk reviewed some of the considerations that should be taken when using dark web data, how the data can provide value for investigators, and offered DarkOwl’s perspective on the techniques and tools needed to maximize the utility of dark web data. The team was happy to report that this was a packed presentation with standing room only!
During the conference, Damian also participated in the Bits & Bytes Speed Networking Session. During these roundtable discussions, presenters and attendees were able to sit with industry specialists to discuss quick compact tips in their area of expertise and engage in discussion. Each table presenter prepared and hosted discussion on a different topic. Damian’s topic “Mental Health Strategies for OSINT Investigators” is a crowd-sourced, data driven project aimed at collecting, validating, categorizing, and distributing mental health strategies freely for the OSINT community. Researchers on this project aim to collect Strategies (specific actions, behaviors, or modifications of belief that will lessen the negative impacts of vicarious trauma when exposed to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. More about the research project can be found here and you can submit your strategies here.
In addition to presenting and manning the DarkOwl tabletop, the team was able to meet with many current customers. Attending OsmosisCon is invaluable for face-to-face time to build and maintain relationships. Being able to meet with clients in person provides a great opportunity to share new product features, features in development, gather product feedback, and keep up to date with the latest trends.
DarkOwl looks forward to OsmosisCon 2024 and hope to see both familiar and new faces in Las Vegas!
One of the latest companies to be victim of a data breach, 23andMe, has had their data shared on various dark web marketplaces as well as Telegram. Interestingly, the data from this breach has partly been shared in response to the conflict in Israel and Gaza with one of the sharers of the data citing this as a reason for sharing some of this information.
23andMe is a genealogy company which as well as providing ancestry services uses DNA to identify where individuals’ ancestors are likely to have come from. They also provide details of individuals’ health and genetic predispositions. The leak purports to contain full names, year of birth, location, as well as DNA markers and locations they may have links to.
23andMe has indicated that the data was obtained as part of a credential stuffing attack, and that there has been no evidence of a security breach on their IT systems.
The First Leak is Shared
The first identified mention of a leak of 23andMe data was on the marketplace Hydra Market on August 11, 2023. The post was made by a user using the alias Dazhbog. In the post he claimed to have access to 10M DNA data that he was providing for sale. He claimed that the file size was over 300TB and that the data would only be sold once, the asking price for the data was $50 million.
The seller also indicated that they would be open to selling the data in parts, based on location and ethnicity. This was priced at $10k per 1k of data.
Although it is unclear who is behind the username Dazhbog, they did indicate that 23andMe was not allowed to operate in their country. They also gave specific instructions for how buyers in China would be able to receive the data – in hard copy. The user first registered on Hydra Market on August 10, one day before the original post was made.
The poster provides details of how the information was obtained – claiming it was obtained through an API service used by pharmaceutical companies.
As proof of the data obtained, links we provided for Sergey Brin – Co-founder of Google and Anne Wojcicki – CEO of 23andMe. Images were also shown.
A post was made by the original poster on August 14 claiming that the full data had been sold to an Iranian individual and requested that the original post be removed. The post is still active, but the original poster has made no new posts since this time. Their profile also indicates that they have not been active since this time. This would suggest that this account was created specifically to share this leak.
Parts of the Leak Emerge
Once the original leak had been shared, several other leaks emerged on the forum Breached Forum which is known for providing leaked data.
The user Golem posted on October 1, 2023, a link to data which they claimed was DNA of Celebrities. The description of the leak indicates that it will provide details of 1 million Ashkenazi Jews. The poster claims there is more data to come, and that raw data can be provided for a fee.
Although this post was not available for long, other users began to share the information – providing multiple leaks. A Telegram account was also created with the sole purpose of sharing this leak shortly after the attack on Israel on 7 October.
A further post was made on October 17 providing a leak claiming to provide details of individuals from the UK or with links to the UK. The poster, Golem stated that this information was being released in response to what they claimed was “the bombing of a hospital by the Israelis.”
Again, the leaks were not available for long, but the information was posted by other users. This also included links to German and Chinese data.
Golem also made a post, in response to 23 and Me claiming this was not a data leak, providing details of how the information was accessed. They also give examples which were provided in the original post. It is unclear if Golem has any links to Dazhbog or how they obtained this information.
Conclusion
The leak of this data provides threat actors with information relating to individuals’ personal ancestry and their DNA and could pose threats to those individuals, particularly those in the public eye. Some of the releases of this leak highlights how data leaks are being used as part of the conflict in Israel and Gaza with data being weaponized as part of the conflict. It also underlines the way that leaks are shared on the dark web, often first being made available for sale and then being shared for free. DarkOwl never pays for data from the dark web.
It is currently unclear if all the data obtained as part of this attack will be made available. DarkOwl analysts will continue to monitor for any further posts. All data that has been made freely available thus far is available via DarkOwl Vision.
Last week, DarkOwl participated in the well-regarded law enforcement conference: ISS World Latin America. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.”
ISS World events focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events are dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.
DarkOwl is a regular sponsor of several ISS shows around the world, but this was our first year attending ISS Latin America and we were thrilled with the quality and quantity of conversations and interest. Representing DarkOwl at this year’s show was Dustin Smith, Director of Marketing, and Steph Shample, Senior Intelligence Analyst, both based out of DarkOwl’s headquarters in Denver, CO.
During the event, Steph lead a seminar on the Use of darknet for National Intelligence and Law Enforcement purposes. This session details the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which can be enriched and used by law enforcement and government officials to reduce criminal activity and simultaneously protect national security. Types of intelligence include: tracing financial transactions to illuminate drug, weapon, human trafficking, and other supply chains that contribute to malicious activity, whether fiat or cryptocurrency transactions; hybrid incidents events that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services. Those interested can find a summary of the presentation in Spanish here.
In addition to presenting, Steph and Dustin were able to connect and have several conversations with prospects as well as current clients and partners. Building these relationships face-to-face is invaluable. Visitors at the DarkOwl tabletop included those from Panama, El Salvador, Peru, Mexico, Colombia, Paraguay, Brazil, Guatemala, and Bolivia. Connecting with cybersecurity professionals from around the world and hearing the latest trends, concerns and challenges that they are facing is a huge benefit of ISS shows. Steph shared, “I was blown away by the quality of conversations we had at our table, the need for darknet intelligence is evident and being able to share search results in real time with attendees got everyone really excited.”
Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds are key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity.
DarkOwl looks forward to continuing our presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet.
Interested in learning how DarkOwl can help your cyber investigations? Get in touch.
DarkOwl tuvo la suerte de tener la oportunidad de presentarse en ISS América Latina en Panamá. El evento contó con 20 proveedores y cientos de miembros interesados y curiosos de los sectores militares, gubernamentales y privados de América Latina y del Sur.
La presentación de DarkOwl cubrió una gran cantidad de material en tan solo 50 minutos, porque la región se ve afectada por muchos y variados problemas cibernéticos. Destacamos la inteligencia DDW para proteger la infraestructura crítica y los datos personales, así como para defenderse contra el ransomware, cuya frecuencia, según los expertos de CTI, aumentará en América Latina y Sur y disminuirá en todo el mundo. Incidentes como Conti en Costa Rica (2022) y Lockbit en Colombia (2023) demuestran la necesidad de concienciación y vigilancia debido a la epidemia de ransomware.
El comienzo de la presentación cubrió los datos, porque los datos son lo que alimenta las operaciones criminales (robar, vender, comprar, dividir, reutilizar). Todo en América Latina y del Sur está conectado: muchísimos dispositivos, todos enviando metadatos y permitiendo el acceso a información personal, de ubicación y otra información confidencial.
Es por esta razón que tantos datos están expuestos y disponibles en América Latina y del Sur, y luego reutilizados en diversas operaciones criminales. Al igual que en América del Norte, la interconectividad en la región no se cumple con políticas, prácticas ni directrices de seguridad sólidas en materia de ciberseguridad.
También cubrimos los “4 grandes” adversarios de la cibernética: Irán, China, Corea del Norte y Rusia, con una concentración principal en Irán y China.
Demostramos cómo el gobierno chino dirige Huawei, que está llevando a cabo una fuerte campaña para instalar sus redes e infraestructura en toda América Latina y del Sur. Debido a las preocupaciones de espionaje, así como a los canales dedicados de Telegram que se centran en restaurar dispositivos Huawei antiguos para enviar malware, spam, ransomware y otras actividades maliciosas, que Huawei esté en el continente es una mala idea. También destacamos que, además de varios otros países europeos, Canadá y Estados Unidos prohibieron a Huawei. Una postura continental fuerte y unida, con prohibiciones de Huawei tanto en América del Norte como del Sur, sería un gran paso en la protección de nuestras redes e infraestructura, incluidas las del sector de las telecomunicaciones.
El fraude financiero completó los temas de discusión, ya que esta región es un foco de actividad de fraude financiero.
Homoglyphs are characters from one language set that look like characters of a different language set. Threat actors use different character sets to cause confusion and register domain names similar to legitimate domains, but with one or more characters from another language, for phishing and credential harvesting campaigns.
In this blog, DarkOwl analysts outline several examples, all including an example screenshot of the fake website. Readers will notice that the vast majority of these are cryptocurrency or NFT (non fungible token) phishing scams.
IDN Homograph Attacks
An Internalized Domain Name (IDN) homograph attack, also referred to as “homograph attack,” “homoglyph attack,” homograph domain name spoofing,” and “script spoofing” is a type of spoofing attack in which the cybercriminal deceives their victim with a website that seems real and genuine but is not. To many, this may sound like typosquatting. Typo-squatting, or URL hijacking, differs as it relies on the victim mistyping a URL in the address bar. For example, a user may type in “gooogle.com” instead of “google.com” and the prior domain may be owned by a hacker and used for malicious purposes.
For both IDN homograph attacks and typo-squatting attacks, once the attacker has deceived their victim, they then exploit the victim on the site by asking them to input credit card details, login credentials, and other personal identifiable information (PII) to later use for their own benefit, usually relating to financial gain. In the case of IDN homograph attacks, these fake websites are created and registered using homoglyphs, resulting in a URL that looks very similar, nearly identical if not paying close attention, to the real URL. For example, an attacker may use the number “0” instead of the letter “O”, or vice versa. Common characters come from the English, Chinese, Latin and Greek alphabets.
Examples in the Wild
Cryptocurrency and Cryptowallets
It is no secret that cryptocurrency is often a target of cyber criminals, especially those looking for financial gain. Cryptocurrency wallets have a “veneer of anonymity;” an address owners identity is actually often able to be associated with crypto transactions due to the connections with financial institutions, blockchain addresses and crypto-related service providers. However, hackers do not necessarily need your personal identifiable information (PII) to conduct a successful attack – as long as they are able to infiltrate and gain access to a wallet, they can then transfer crypto from there. Crypto transactions are not able to be cancelled or reversed (unless refunded by the receiver), as transfers take place on a decentralized network.
It has been estimated that more than 50% of total cybercrime revenue globally comes from the darknet with Bitcoin being used in 98% of cases and the other 2% being other cryptocurrencies. In the spring of 2023, Kaspersky reported 85,000 scam emails had been delivered to the most popular cryptocurrency hot and cold wallets users, with the scam emails impersonating popular cryptocurrency exchanges and wallet providers. Chainalysis reported that in 2022, cryptocurrency hackers stole $3.8 billion USD, up 5 million from 2021, setting a new record.
Entity API, part of the DarkOwl API product suite, allows users to access highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, Zeronet, Data Breaches, encrypted chats, IRC, and authenticated forums. You can check out how to use Entity API to monitor cryptocurrency mentions here.
Below are examples of cryptocurrency wallet websites that have been targets of internalized domain name homoglyph attacks.
metamasķ.com (clone of metamask.com)
Metamask is an Ethereum-based cryptocurrency wallet that allows users to access their Ethereum wallet though a browser extension or their mobile app. The screenshot to the left demonstrates a great example of internet browsers alerting users of potential danger ahead – these should always be paid attention to. The character used in this homoglyph substitution domain is “ķ” in place of the “k” in “metamask,” which comes from the Latvian alphabet.
treźor.com (clone of trezor.com)
Trezor is a hardware wallet that securely manages your Bitcoin and other cryptocurrencies. Hardware wallets like this are designed to protect your digital assets from hacks and theft. The character used in this homoglyph substitution domain is “ź” in place of the “z” from the Polish alphabet.
app-uniśwap.org (clone of app.uniswap.org)
Uniswap is a platform to trade, sell and buy crypto and NFTs. It is one of the most popular ways to exchange with the Uniswap Protocol. The Uniswap Protocol is a leading decentralized crypto trading protocol that allows users to swap, earn, and build on it. The character used in this IDN homoglyph is “ś” in place of the “s” from the Latin alphabet.
cóinómi.com (clone of coinomi.com)
Coinomi is a blockchain wallet that allows secure storing, managing and trading of Bitcoin, Ethereum and over 1,770 other blockchains. Note on the first image that the IDN homoglyph homepage loads up for a split second before redirecting to the fake page, seen in the second image, which looks identical to the real homepage. The threat actor is using an open-source website clone tool for the campaign but not hiding their tracks very well, this “Index of locally available sites” page should be a clear warning that something is not right and should raise a red flag to users. The character used in this homoglyph substitution domain is “ó” (and 2 of them) in place of the “o” from the Latin and Polish alphabets.
Technology Vendors
The technology vendor examples are quite different than those above. The IDN homoglyph sites examples below were likely used for phishing campaigns. Phishing is a type of fraudulent social engineering for data collection designed to trick users into revealing sensitive information to what appear to be trustworthy sources via email. Earlier this year, DarkOwl analysts created accounts for fake email addresses that were posted on the darknet to learn more about trends in the phishing and spam email landscape. That research can be found here.
cloudfǀare.com (clone of cloudflare.com)
Cloudflare is a content delivery network (CDN) and cloud cybersecurity company that provides services to increase the security, performance, and reliability of websites and web services. This IDN homoglyph website just leads to a blank homepage. This was probably used for phishing campaigns where email victims were tricked into clicking a link that goes to a specific directory on this site. The character used in this homoglyph substitution domain is “ǀ” in place of the “l” which is a “dental click” used to denote the sound “tsk! tsk!”
intųit.com (clone of intuit.com)
Intuit is a leading financial software technology company offering numerous products to help businesses and individuals alike. Like the fake cloudflare site in the example above, this has a web server but no default home page and is probably part of a phishing campaign trying to to trick victims into clicking on a link from an email that leads to a deeper directory on the server. The character used in this homoglyph substitution domain is “ų” in place of the “u” which comes from the Latin alphabet.
flaṣh.com (clone of flash.com)
Flash.com leads to an Abode site, but if you land on the IDN homoglyph “flaṣh.com” you will see the warning below. This is a great example of an internet browser warning users before entering a potentially dangerous site and even explains what triggered the fake site warning. The character used in this homoglyph substitution domain is “ṣ” in place of the “s” which comes from the Latin alphabet.
Retail
aırdyson.com (clone of airdyson.com)
Airdyson is a very popular hair styler. This site is seems to be either selling counterfeits or just harvesting credit card info. The character used in this homoglyph substitution domain is “ı” in place of the “i” which is called a “dotless i” and comes from used in the Latin-script alphabets of Azerbaijani, Crimean Tatar, Gagauz, Kazakh, Tatar, and Turkish.
The List Goes On…
Other homoglyph substitution domains DarkOwl analysts found, most of which were able to process email but either had no website or a missing default index page, include:
baɾclays.com (clone of barclays.com)
crypţo.com (clone of crypto.com)
dişcord.com (clone of discord.com)
freshmań.com (clone of freshman.com)
opènsea.com (clone of opensea.com)
polygoñ.com (clone of polygon.com)
applẹ-icloud.com (clone of apple-icloud.com)
bítfinex.com (clone of bitfinex.com)
pornĥub.com (clone of pornhub.com)
unıvısıon.com (clone of univision.com)
zeǁepay.com (clone of zellepay.com)
bmobạnking.com (clone of bmobanking.com)
mėgạ.com (clone of mega.com)
dỉscovercard.com (clone of discovercard.com)
cỉtynationalbank.com (clone of citynationalbank.com)
crawfordandcoproductíons.com (clone of crawfordandcoproductions.com)
zỉonsbank.com (clone of zionsbank.com)
Takeaways
Our analysts note that threat actors are not leveraging homoglyphs as much as was previously seen. Homograph attacks have declined but this does not mean that cybercriminals will not create more complex spoofing domains. Security measures are in place among web browsers to detect and alert users when they suspect they may be entering a fake site that they thought was legitimate, as seen in the Flash example above. It is important for users to pay attention to URLs and always exercise caution.
Steps to protect yourself from IDN homograph attacks:
Regularly update your browser for the latest security updates and patches.
Confirm the legitimacy of the website by making sure it has an Extended Validation Certificate (EVC), especially before sharing on sensitive information.
Avoid clicking suspicious links from emails, chat messages, publicly available content, and social media sites, and verify that the visible link matches the real destination.
When in doubt, there are several browser tools such as Punycode Alert and Quero Toolbar help sus out potential danger.
If you do find a phishing domain or IDN homoglyph site, there are several ways to report it. DarkOwl analysts found hostinger.com to be the fastest responding registrar in shutting them down, and you can always report to Google, the Federal Trade Commission and the Internet Crime Complaint Center.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
