Author: DarkOwl Content Team

October 24, 2023

Last week, DarkOwl participated in OsmosisCon, an Open Source Intelligence Skills-building Conference, in New Orleans, LA. The annual, training-oriented event is comprised of workshops and classes to earn Continuing Education Credits (CEUs) lead by industry leaders focusing on the latest in OSINT and SOCMINT tools. In addition, the exhibiting companies provide real world examples of industry standard products and services, allowing attendees to either advance their own research or find a solution for their company.

The networking and consulting opportunities at OsmosisCon are incredibly valuable for anyone in the OSINT space – whether you participate in the pre-event workshops and presentations, speak during the networking events or via the virtual conference platform. Sessions this year dove into a wide range of topics including open source techniques and skills related to exposing fraud, utilizing artificial intelligence, currents and future threats, identifying unknown users, and more.

The Osmosis Institute’s mission is “to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices.” Their statement continues to say, “to that end, we seek to foster professional growth in our community. We strive to inform professionals on how to protect personal privacy data and abide by national and international laws and ethics standards.” OsmosisCon allows them to put this mission into practice and in its 9^th year has continued to grow and bring hundreds of cyber intelligence analysts together.

Representing DarkOwl at OsmosisCon this year was Alison Halland, Chief Business Officer, Caryn Farino, Director of Client Engagement, and Damian Hoffman, Product Engineer and Data Analyst, based out of DarkOwl’s headquarters in Denver. 

Leading up the kick off of the conference, Damian presented, “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations,” focused on how the dark web is an essential source of information for OSINT investigations across a wide variety of use cases. Showcasing DarkOwl Vision, his talk reviewed some of the considerations that should be taken when using dark web data, how the data can provide value for investigators, and offered DarkOwl’s perspective on the techniques and tools needed to maximize the utility of dark web data. The team was happy to report that this was a packed presentation with standing room only!

During the conference, Damian also participated in the Bits & Bytes Speed Networking Session. During these roundtable discussions, presenters and attendees were able to sit with industry specialists to discuss quick compact tips in their area of expertise and engage in discussion. Each table presenter prepared and hosted discussion on a different topic. Damian’s topic “Mental Health Strategies for OSINT Investigators” is a crowd-sourced, data driven project aimed at collecting, validating, categorizing, and distributing mental health strategies freely for the OSINT community. Researchers on this project aim to collect Strategies (specific actions, behaviors, or modifications of belief that will lessen the negative impacts of vicarious trauma when exposed to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. More about the research project can be found here and you can submit your strategies here.

In addition to presenting and manning the DarkOwl tabletop, the team was able to meet with many current customers. Attending OsmosisCon is invaluable for face-to-face time to build and maintain relationships. Being able to meet with clients in person provides a great opportunity to share new product features, features in development, gather product feedback, and keep up to date with the latest trends.

DarkOwl looks forward to OsmosisCon 2024 and hope to see both familiar and new faces in Las Vegas!

---

You can see what conferences we will be attending coming up and request time to chat with us.

October 20, 2023

Introduction

One of the latest companies to be victim of a data breach, 23andMe, has had their data shared on various dark web marketplaces as well as Telegram. Interestingly, the data from this breach has partly been shared in response to the conflict in Israel and Gaza with one of the sharers of the data citing this as a reason for sharing some of this information.  

23andMe is a genealogy company which as well as providing ancestry services uses DNA to identify where individuals’ ancestors are likely to have come from. They also provide details of individuals’ health and genetic predispositions. The leak purports to contain full names, year of birth, location, as well as DNA markers and locations they may have links to.  

23andMe has indicated that the data was obtained as part of a credential stuffing attack, and that there has been no evidence of a security breach on their IT systems.

The First Leak is Shared

The first identified mention of a leak of 23andMe data was on the marketplace Hydra Market on August 11, 2023. The post was made by a user using the alias Dazhbog. In the post he claimed to have access to 10M DNA data that he was providing for sale. He claimed that the file size was over 300TB and that the data would only be sold once, the asking price for the data was $50 million. 

The seller also indicated that they would be open to selling the data in parts, based on location and ethnicity. This was priced at $10k per 1k of data.  

Although it is unclear who is behind the username Dazhbog, they did indicate that 23andMe was not allowed to operate in their country. They also gave specific instructions for how buyers in China would be able to receive the data – in hard copy. The user first registered on Hydra Market on August 10, one day before the original post was made.  

The poster provides details of how the information was obtained – claiming it was obtained through an API service used by pharmaceutical companies.  

As proof of the data obtained, links we provided for Sergey Brin – Co-founder of Google and Anne Wojcicki – CEO of 23andMe. Images were also shown.  

A post was made by the original poster on August 14 claiming that the full data had been sold to an Iranian individual and requested that the original post be removed. The post is still active, but the original poster has made no new posts since this time. Their profile also indicates that they have not been active since this time. This would suggest that this account was created specifically to share this leak.  

Parts of the Leak Emerge 

Once the original leak had been shared, several other leaks emerged on the forum Breached Forum which is known for providing leaked data.  

The user Golem posted on October 1, 2023, a link to data which they claimed was DNA of Celebrities. The description of the leak indicates that it will provide details of 1 million Ashkenazi Jews. The poster claims there is more data to come, and that raw data can be provided for a fee.  

Although this post was not available for long, other users began to share the information – providing multiple leaks. A Telegram account was also created with the sole purpose of sharing this leak shortly after the attack on Israel on 7 October.  

A further post was made on October 17 providing a leak claiming to provide details of individuals from the UK or with links to the UK. The poster, Golem stated that this information was being released in response to what they claimed was “the bombing of a hospital by the Israelis.” 

Again, the leaks were not available for long, but the information was posted by other users. This also included links to German and Chinese data.  

Golem also made a post, in response to 23 and Me claiming this was not a data leak, providing details of how the information was accessed. They also give examples which were provided in the original post. It is unclear if Golem has any links to Dazhbog or how they obtained this information.  

Conclusion 

The leak of this data provides threat actors with information relating to individuals’ personal ancestry and their DNA and could pose threats to those individuals, particularly those in the public eye. Some of the releases of this leak highlights how data leaks are being used as part of the conflict in Israel and Gaza with data being weaponized as part of the conflict. It also underlines the way that leaks are shared on the dark web, often first being made available for sale and then being shared for free. DarkOwl never pays for data from the dark web. 

It is currently unclear if all the data obtained as part of this attack will be made available. DarkOwl analysts will continue to monitor for any further posts. All data that has been made freely available thus far is available via DarkOwl Vision. 

---

Stay up to date with the latest research from the DarkOwl analyst team and subscribe to our email newsletter.

October 19, 2023

Last week, DarkOwl participated in the well-regarded law enforcement conference: ISS World Latin America. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” 

ISS World events focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events are dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

DarkOwl is a regular sponsor of several ISS shows around the world, but this was our first year attending ISS Latin America and we were thrilled with the quality and quantity of conversations and interest. Representing DarkOwl at this year’s show was Dustin Smith, Director of Marketing, and Steph Shample, Senior Intelligence Analyst, both based out of DarkOwl’s headquarters in Denver, CO.

During the event, Steph lead a seminar on the Use of darknet for National Intelligence and Law Enforcement purposes. This session details the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which can be enriched and used by law enforcement and government officials to reduce criminal activity and simultaneously protect national security. Types of intelligence include: tracing financial transactions to illuminate drug, weapon, human trafficking, and other supply chains that contribute to malicious activity, whether fiat or cryptocurrency transactions; hybrid incidents events that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services. Those interested can find a summary of the presentation in Spanish here.

In addition to presenting, Steph and Dustin were able to connect and have several conversations with prospects as well as current clients and partners. Building these relationships face-to-face is invaluable. Visitors at the DarkOwl tabletop included those from Panama, El Salvador, Peru, Mexico, Colombia, Paraguay, Brazil, Guatemala, and Bolivia. Connecting with cybersecurity professionals from around the world and hearing the latest trends, concerns and challenges that they are facing is a huge benefit of ISS shows. Steph shared, “I was blown away by the quality of conversations we had at our table, the need for darknet intelligence is evident and being able to share search results in real time with attendees got everyone really excited.”

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds are key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity.

DarkOwl looks forward to continuing our presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet. 

---

Interested in learning how DarkOwl can help your cyber investigations? Get in touch.

October 17, 2023

Homoglyphs are characters from one language set that look like characters of a different language set. Threat actors use different character sets to cause confusion and register domain names similar to legitimate domains, but with one or more characters from another language, for phishing and credential harvesting campaigns.

In this blog, DarkOwl analysts outline several examples, all including an example screenshot of the fake website. Readers will notice that the vast majority of these are cryptocurrency or NFT (non fungible token) phishing scams.

IDN Homograph Attacks

An Internalized Domain Name (IDN) homograph attack, also referred to as “homograph attack,” “homoglyph attack,” homograph domain name spoofing,” and “script spoofing” is a type of spoofing attack in which the cybercriminal deceives their victim with a website that seems real and genuine but is not. To many, this may sound like typosquatting. Typo-squatting, or URL hijacking, differs as it relies on the victim mistyping a URL in the address bar. For example, a user may type in “gooogle.com” instead of “google.com” and the prior domain may be owned by a hacker and used for malicious purposes.

For both IDN homograph attacks and typo-squatting attacks, once the attacker has deceived their victim, they then exploit the victim on the site by asking them to input credit card details, login credentials, and other personal identifiable information (PII) to later use for their own benefit, usually relating to financial gain. In the case of IDN homograph attacks, these fake websites are created and registered using homoglyphs, resulting in a URL that looks very similar, nearly identical if not paying close attention, to the real URL. For example, an attacker may use the number “0” instead of the letter “O”, or vice versa. Common characters come from the English, Chinese, Latin and Greek alphabets.

Examples in the Wild

Cryptocurrency and Cryptowallets

It is no secret that cryptocurrency is often a target of cyber criminals, especially those looking for financial gain. Cryptocurrency wallets have a “veneer of anonymity;” an address owners identity is actually often able to be associated with crypto transactions due to the connections with financial institutions, blockchain addresses and crypto-related service providers. However, hackers do not necessarily need your personal identifiable information (PII) to conduct a successful attack – as long as they are able to infiltrate and gain access to a wallet, they can then transfer crypto from there. Crypto transactions are not able to be cancelled or reversed (unless refunded by the receiver), as transfers take place on a decentralized network.

It has been estimated that more than 50% of total cybercrime revenue globally comes from the darknet with Bitcoin being used in 98% of cases and the other 2% being other cryptocurrencies. In the spring of 2023, Kaspersky reported 85,000 scam emails had been delivered to the most popular cryptocurrency hot and cold wallets users, with the scam emails impersonating popular cryptocurrency exchanges and wallet providers. Chainalysis reported that in 2022, cryptocurrency hackers stole $3.8 billion USD, up 5 million from 2021, setting a new record.

Entity API, part of the DarkOwl API product suite, allows users to access highly targeted, structured information from the largest commercially available collection of darknet and deep web sources. This includes Tor, I2P, Zeronet, Data Breaches, encrypted chats, IRC, and authenticated forums. You can check out how to use Entity API to monitor cryptocurrency mentions here.

Below are examples of cryptocurrency wallet websites that have been targets of internalized domain name homoglyph attacks.

metamasķ.com (clone of metamask.com)

Metamask is an Ethereum-based cryptocurrency wallet that allows users to access their Ethereum wallet though a browser extension or their mobile app. The screenshot to the left demonstrates a great example of internet browsers alerting users of potential danger ahead – these should always be paid attention to. The character used in this homoglyph substitution domain is “ķ” in place of the “k” in “metamask,” which comes from the Latvian alphabet.

treźor.com (clone of trezor.com)

Trezor is a hardware wallet that securely manages your Bitcoin and other cryptocurrencies. Hardware wallets like this are designed to protect your digital assets from hacks and theft. The character used in this homoglyph substitution domain is “ź” in place of the “z” from the Polish alphabet.

app-uniśwap.org (clone of app.uniswap.org)

Uniswap is a platform to trade, sell and buy crypto and NFTs. It is one of the most popular ways to exchange with the Uniswap Protocol. The Uniswap Protocol is a leading decentralized crypto trading protocol that allows users to swap, earn, and build on it. The character used in this IDN homoglyph is “ś” in place of the “s” from the Latin alphabet.

cóinómi.com (clone of coinomi.com)

Coinomi is a blockchain wallet that allows secure storing, managing and trading of Bitcoin, Ethereum and over 1,770 other blockchains. Note on the first image that the IDN homoglyph homepage loads up for a split second before redirecting to the fake page, seen in the second image, which looks identical to the real homepage. The threat actor is using an open-source website clone tool for the campaign but not hiding their tracks very well, this “Index of locally available sites” page should be a clear warning that something is not right and should raise a red flag to users. The character used in this homoglyph substitution domain is “ó” (and 2 of them) in place of the “o” from the Latin and Polish alphabets.

Technology Vendors

The technology vendor examples are quite different than those above. The IDN homoglyph sites examples below were likely used for phishing campaigns. Phishing is a type of fraudulent social engineering for data collection designed to trick users into revealing sensitive information to what appear to be trustworthy sources via email. Earlier this year, DarkOwl analysts created accounts for fake email addresses that were posted on the darknet to learn more about trends in the phishing and spam email landscape. That research can be found here.

cloudfǀare.com (clone of cloudflare.com)

Cloudflare is a content delivery network (CDN) and cloud cybersecurity company that provides services to increase the security, performance, and reliability of websites and web services. This IDN homoglyph website just leads to a blank homepage. This was probably used for phishing campaigns where email victims were tricked into clicking a link that goes to a specific directory on this site. The character used in this homoglyph substitution domain is “ǀ” in place of the “l” which is a “dental click” used to denote the sound “tsk! tsk!”

intųit.com (clone of intuit.com)

Intuit is a leading financial software technology company offering numerous products to help businesses and individuals alike. Like the fake cloudflare site in the example above, this has a web server but no default home page and is probably part of a phishing campaign trying to to trick victims into clicking on a link from an email that leads to a deeper directory on the server. The character used in this homoglyph substitution domain is “ų” in place of the “u” which comes from the Latin alphabet.

flaṣh.com (clone of flash.com)

Flash.com leads to an Abode site, but if you land on the IDN homoglyph “flaṣh.com” you will see the warning below. This is a great example of an internet browser warning users before entering a potentially dangerous site and even explains what triggered the fake site warning. The character used in this homoglyph substitution domain is “ṣ” in place of the “s” which comes from the Latin alphabet.

Retail

aırdyson.com (clone of airdyson.com)

Airdyson is a very popular hair styler. This site is seems to be either selling counterfeits or just harvesting credit card info. The character used in this homoglyph substitution domain is “ı” in place of the “i” which is called a “dotless i” and comes from used in the Latin-script alphabets of Azerbaijani, Crimean Tatar, Gagauz, Kazakh, Tatar, and Turkish.

The List Goes On…

Other homoglyph substitution domains DarkOwl analysts found, most of which were able to process email but either had no website or a missing default index page, include:

• baɾclays.com (clone of barclays.com)
• crypţo.com (clone of crypto.com)
• dişcord.com (clone of discord.com)
• freshmań.com (clone of freshman.com)
• opènsea.com (clone of opensea.com)
• polygoñ.com (clone of polygon.com)
• applẹ-icloud.com (clone of apple-icloud.com)
• bítfinex.com (clone of bitfinex.com)
• pornĥub.com (clone of pornhub.com)
• unıvısıon.com (clone of univision.com)
• zeǁepay.com (clone of zellepay.com)
• bmobạnking.com (clone of bmobanking.com)
• mėgạ.com (clone of mega.com)
• dỉscovercard.com (clone of discovercard.com)
• cỉtynationalbank.com (clone of citynationalbank.com)
• crawfordandcoproductíons.com (clone of crawfordandcoproductions.com)
• zỉonsbank.com (clone of zionsbank.com)

Takeaways

Our analysts note that threat actors are not leveraging homoglyphs as much as was previously seen. Homograph attacks have declined but this does not mean that cybercriminals will not create more complex spoofing domains. Security measures are in place among web browsers to detect and alert users when they suspect they may be entering a fake site that they thought was legitimate, as seen in the Flash example above. It is important for users to pay attention to URLs and always exercise caution.

Steps to protect yourself from IDN homograph attacks:

1. Regularly update your browser for the latest security updates and patches.
2. Confirm the legitimacy of the website by making sure it has an Extended Validation Certificate (EVC), especially before sharing on sensitive information.
3. Avoid clicking suspicious links from emails, chat messages, publicly available content, and social media sites, and verify that the visible link matches the real destination.
4. When in doubt, there are several browser tools such as Punycode Alert and Quero Toolbar help sus out potential danger.

If you do find a phishing domain or IDN homoglyph site, there are several ways to report it. DarkOwl analysts found hostinger.com to be the fastest responding registrar in shutting them down, and you can always report to Google, the Federal Trade Commission and the Internet Crime Complaint Center.

---

To keep up to date with the latest research from DarkOwl, register for our weekly newsletter.

October 13, 2023

Read on for highlights from DarkOwl’s Product Team for Q3, including new exciting product features.

New Leak Context Feature

When your search results are from data leaks, you can now review additional information curated by DarkOwl analysts, giving you enrichment on the data leak, “Leak Context”. This new section includes a description of the leak, details on the the target organization, date posted, date of event (if known), and the type of content exposed. Additionally, there is a new option to Download Context (as a .txt file) to include in reports or briefings. An example from Vision UI can be seen below. Beyond the UI, Leak Context is also available programmatically through a new Leak Context API endpoint.

Vision UI & Vision API Updates

Chat Channel Filters

Filter your search to one or more channels or servers from Telegram or Discord using the Filter Menu in the UI or new API parameters. This allows you to track individual channels of interest instead of the whole chat network.

Chat Users Search

A new Chat Users search option allows you to find discussions from particular usernames or user IDs within Telegram or Discord.

Enhanced Forum Presentation

More than 100 forums are now in our new thread-view structure. This allows users to easily distinguish thread Titles, number of Posts (at time of collection), Users, Post Dates, and the Post Bodies.

Lexicon Updates

DarkOwl Vision’s DARKINT Search Lexicon is an easy-to-use tool intended to help users find interesting content within our database. This quarter, the team built out 99 additional Lexicon queries to help our clients find the most important sites to them, including:

• 15 new ransomware entries
• 46 new forum entries
• 38 new market entries

Clients can always submit content for us to add. Curious what DarkOwl means by “DarkInt?” Check out our full write up.

Translations

The team has added 10 new translated Search Blocks, including Russian, Spanish, and French, with more on the way!

Leaks of Interest Collected

Nato Data 

Data allegedly retrieved from NATO’s Cooperation on Opportunities and Innovations (COI) portal that was leaked on SeigedSec’s Telegram channel in July 2023. According to the post, “this attack on NATO has nothing to do with the war between Russia and Ukraine, this is a retaliation against the countries of NATO for their attacks on human rights…” Data includes hundreds of documents. 

5M Shanghai Suishenma 

Suishenma is the Chinese name for Shanghai’s health code system, which the city of 25 million people, like many across China, established in early 2020 to combat the spread of COVID-19. All residents and visitors have to use it. The leak includes scan time, if they are a foreigner, company name, name, credit card and scan method.  

cegedim.com 

Cegedim, a technology and services company, suffered a ransomware attack from the Cl0p group in September 2023. The leak contained multiple documents, including financial information, email addresses, IP addresses. 

pwc.com 

PWC was a victim of the MoveIT vulnerability executed by the ransomware group CL0P. The leak contains a number of documents relating to the organization as well as email addresses, IP addresses, and technical information. 

duolingo.com 

In January 2023, an actor was selling the scraped data of 2.6 million Duolingo users on the BreachForums hacking forum. Subsequently the data, including names, emails, languages learned, and other Duolingo-related information, became available without payment. 

On the Horizon

Be the first to hear an exciting announcement from the DarkOwl team – we are about to launch something you will not want to miss! To get a preview of this new release, schedule a time to speak to one of our team members.