darkowl blog

Insider Report: Darknet reacts to Dream Market announcement

Dream Market — one of the largest and most active remaining darknet marketplaces — has announced that it is officially shuttering its doors in its current location. The notification, which can be found on every page in the marketplace, indicates it will be transferring its services to a new URL and partner company at the end of April.

This news announcement comes just weeks after Dream Market has been weathering heavy DDoS attacks, leaving many of its domains unserviceable for intermittent periods.

 
Notification on Dream Market about migrating services to a new URL at the end of April 2019.

Notification on Dream Market about migrating services to a new URL at the end of April 2019.

 

Dream Market has been around since 2013, making it one of the darknet’s longest lasting marketplaces and a leading go-to in the community for illicit sales. The news about the migration has been a topic of many discussions on the darknet, including on Dread, a darknet forum dedicated to security and harm reduction for darknet marketplace purchases.

User Waterchain, a moderator for Dread’s Dream Market sub forum and alleged member of Dream Market’s team, posted a statement regarding the migration. The statement claims that it was prompted by DDoS attacks “on the TOR browser side” and an alleged extortion attempt.  

 
“Official” statement by an alleged Dream Market team member on the darknet forum Dread. (Image via DarkOwl Vision)

“Official” statement by an alleged Dream Market team member on the darknet forum Dread. (Image via DarkOwl Vision)

 

Vendors and buyers alike feel displaced after this announcement as they try to figure out their exit plans. Earlier this week, the Drug Enforcement Agency (DEA) published a press release about shutting down 50 darknet accounts that were used for illicit activities under operation SaboTor (Sabotage Tor).

This, and the timing of Dream Market’s closure, has led some darknet market consumers to believe that Dream Market has been compromised by law enforcement.

 
Dread user expressing concern regarding the timing of Dream Market’s closure and Operation SaboTor. (Image via DarkOwl Vision)

Dread user expressing concern regarding the timing of Dream Market’s closure and Operation SaboTor. (Image via DarkOwl Vision)

 

Related Read — Dream Market: Another law enforcement takeover?

Some members are hopeful that Dream Market is simply experiencing technical difficulties and still plan to use their new market once it’s back online, while other vendors have already transitioned to other markets.

 
Dream Market vendor UPactive advertises listings on two other popular markets. (Image via DarkOwl Vision)

Dream Market vendor UPactive advertises listings on two other popular markets. (Image via DarkOwl Vision)

 

Some newer, less active markets have tried to capitalize on this opportunity by offering incentives for vendors to transition to their marketplace. One such market is Cryptonia Market, which has offered incentives for former Dream Market vendors to switchover to their marketplace.

 
A post from Cryptonia Market, offering fee waivers and other incentives to verified Dream Market vendors. (Image via DarkOwl Vision)

A post from Cryptonia Market, offering fee waivers and other incentives to verified Dream Market vendors. (Image via DarkOwl Vision)

 

While moderators of Dread’s Dream Market sub forum have tried to assure the public that the market was not compromised, there hasn’t been an announcement signed with Dream Market’s official PGP key. This, and the fact that the official Dream Market forum is offline, leaves some users skeptical.

Update:

On the forum DNM Avengers, user rockemsockem45 pointed out that the date format used in the shutdown message is different than previous messages by admin and staff, further adding to the suspicion that the market has been compromised.

 
DNM Avengers user rockemsockem45 posts about the inconsistency of the date format used in the shutdown message.

DNM Avengers user rockemsockem45 posts about the inconsistency of the date format used in the shutdown message.

 

Also, starting earlier this week, multiple vendors have claimed that Dream Market’s support staff are attempting to scam vendors. According to Dread user Terrysukstock, the scam starts by disabling the vendor’s ability to withdraw funds from their account. The vendor is notified via support ticket that fund withdrawal will be restored after the vendor verifies their identity by supplying their password and most recently used bitcoin address.

If the vendor supplies the password, Dream’s support staff changes the password and removes their PGP key, making the vendor’s account inaccessible. Terrysukstock, a vendor with over 34,000 reviews and an average rating of 4.8/5 on Dream Market, claims he followed these instructions and lost over 5 bitcoin.

 
Vendor Terrysukstock posts about falling victim to Dream Market’s support staff scam. (Image via DarkOwl Vision)

Vendor Terrysukstock posts about falling victim to Dream Market’s support staff scam. (Image via DarkOwl Vision)

 

Several vendors have supported Terrysukstock’s experience. Vendor GreentreeCA’s posted his support ticket to Dread to provide evidence of the scam.

 
The support ticket that Vendor GreentreeCA received, providing evidence of the scam.

The support ticket that Vendor GreentreeCA received, providing evidence of the scam.

 

Meanwhile, Dread’s Dream Market subforum moderator Waterchain has announced retirement due to “corrupted” moderators that have allegedly locked him out of his account.

 
Retirement message by former Dream Market moderator Waterchain. (Image via DarkOwl Vision)

Retirement message by former Dream Market moderator Waterchain. (Image via DarkOwl Vision)

 

No official message has been forthcoming from Dream Market’s team regarding the scam allegations.

Note: This story is developing. DarkOwl will continue to monitor developments and post updates here, so remember to check back!

 

 

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.

New Princess Ransomware Surfaced Earlier than Reports Suggest

News broke out mid-August that Princess Evolution, a revamped form of the infamous Princess Locker ransomware that was first seen several years ago, is back with a fresh toolkit (see this article for example).

News coverage at the time suggested that the Princess Evolution ransomware had only recently surfaced. However, after further digging into the “newly uncovered” iteration of the ransomware, DarkOwl analysts discovered that Princess Evolution has actually been offered on darknet marketplaces dating as far back as this past April.  

What is the Princess Ransomware? 

Princess Evolution is a form of ransomware that encrypts most files on the infiltrated computer system and holds them hostage until the targeted user pays enough money to regain access to them. During the encryption process, the ransomware changes affected file extensions to a randomly generated string of characters.

To notify the targeted party that their files have been compromised, users are notified via a ransom note telling them that their files are locked, followed by instructions on where and how to pay the ransom sum. As of August 8 2018, users were instructed to pay the amount of 0.12 bitcoin (equivalent to US$773 as of that date). The malicious software is currently being advertised on 0day forum as RaaS (ransomware as a service) and is soliciting associates to help spread the malware to unsuspecting victims.

Screen capture of a DarkOwl Vision result – scraped in April of this Year – that depicts the ransomware Princess Evolution being sold on a darknet marketplace.

Screen capture of a DarkOwl Vision result – scraped in April of this Year – that depicts the ransomware Princess Evolution being sold on a darknet marketplace.

A similar posting on 0day forum; responses haven’t slowed down since the original post earlier this year.

A similar posting on 0day forum; responses haven’t slowed down since the original post earlier this year.

Interested members are instructed to leave their Jabber ID as a thread comment or to send it in a private message to the 0day account “PR1NCESS.”  Our analysts calculate that there have been over one hundred comments from individuals interested in joining the campaign since the original post scraped by DarkOwl Vision in April.

Princess4.png
 

(Above, Right) Profiles of PR1NCESS on Codex and Kickass forums.

Princess3.png

What is 0day?

0day is a popular darknet carding and hacking forum first established in 2015. Users are required to register an account before accessing any content on the forum. Additionally, once registered, user accounts must go through an activation process to receive full access to the forum.

The forum’s main purpose is to act as a marketplace for buyers and sellers of illicit goods, such as stolen credit cards, hacked accounts for legitimate websites, malwares and exploits, as well as other services. Some prolific sellers also advertise their own websites in the message boards.

The below image shows just a sample of the items offered for sale on 0day, as captured in DarkOwl Vision.

Example of items being sold on the 0day forum.

Example of items being sold on the 0day forum.

So, what should you do if you find yourself infected with the Princess Evolution ransomware? We recommend that you refer this article, which has a great step-by-step guide for regaining control of your computer and your files: https://www.pcrisk.com/removal-guides/10531-princess-ransomware. And, as always, organizations should continue to be proactive against ransomware threats by adhering to security best practices and actively educating all of their employees on their internal security plan.

 

 

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.

Not So Anonymous

Critical Vulnerabilities in Darknet Tools Could Expose Its Users

In recent weeks, analysts at DarkOwl have witnessed a number of vulnerability issues in key utilities used for dark web (i.e. deep web and darknet anonymous network) intelligence collection and analysis. Last week, analysts found the official Chrome extension for MEGA.nz’s file sharing service was harvesting sensitive user data; while Tor Project’s latest browser release based on Firefox Quantum, was deployed with default settings that could potentially compromise users’ identities.

On which side is the Tor Project?

The Tor Project is a non-profit organization that prides itself on providing users free software and an open network for securely browsing the Internet. Tor’s Browser, developed collaboratively with Mozilla, allows users with any operating system (OS) to freely visit clearnet, deep web, and darknet anonymous websites or sites that might be blocked in countries with Internet censorship. With little to no configuration changes nor detailed understanding of networking protocols, Tor Browser prevents somebody watching your Internet connection from learning what sites its users visit and thwarts the sites its users visited from discerning one’s physical location through location identifiable information such as IP and/or MAC Addresses.  

Digital Fingerprints

One historical security feature of Tor Browser has been user agent obfuscation. Every browser sends its user agent (UA) to every website it visits. The UA is a string of text that identifies the browser and the operating system to the web server, or host of the website visited. There are millions of different UA combinations given how they change with both software and hardware. The web server uses this information for a variety of purposes. In the Surface Web, website creators use the UA to help optimally display the website to different browsers for the “best possible browsing experience.” Knowing the UA also assists when a web server hosts both desktop and mobile versions of a site, e.g. serving up content adjusted for the screen size of the device.

Example User Agents

For more example user agents check out  this site .

For more example user agents check out this site.

The default Tor Browser user agent has historically included a mixture of Mozilla and Windows OS UA’s with the following string:  Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0. The revision “rv:52.0” and “/52.0” strings correlate to the version of Tor browser installed. 52.0 corresponded Tor Browser 7.0a4.  In the recent 5 September release of Tor Browser 8.0/8.5a1, the user’s actual OS is exposed in the UA.

Exposing this information presents risk to Tor users. Darknet web servers could maliciously use this information to identify anonymous users or link users based on speech and UA across multiple forums and chatrooms. While including the user’s OS in the UA does not reveal one’s physical location, in a world where anonymity is irreplaceable, this issue could prove disastrous. 

In order to update or change the UA in Tor Browser, the following steps are required:

  1. Enter about:config in the URL bar and accept the risks

  2. Search for: general.useragent.override, right click on the user agent, and select Reset.

If you want to replace the UA with another unique or custom text string, right click on the user agent and choose “Modify.” The pop-up that displays is editable. Enter whatever string you wish, then click OK.

Figure 1 Tor Browser about:config useragent override popup

Figure 1 Tor Browser about:config useragent override popup

Tor users who want to delay their upgrade to 8.0/8.5a1, might want to reconsider as Zerodium released yesterday on Twitter details around a NoScript “bug” discovered in all Tor Browser 7.x versions that subjects the user to embedded code on the hidden service regardless of whether or not NoScript was “actively blocking all scripts.” (Source)

Figure 2 Zerodium Tweet posted on 10 September 2018 ( Source )

Figure 2 Zerodium Tweet posted on 10 September 2018 (Source)

Javascript = Yes? Or No?

Another issue DarkOwl analysts found with the latest Tor Browser release is the default configuration settings for Javascript. Tor users are mixed between browsing with or without Javascript enabled. As Tor becomes more inclusive of media and dynamic content, more and more Tor websites include embedded Javascript code. If Javascript is disabled, then the web sites may appear to be broken, missing content, prevent authentication, and frustrate the most patient of Tor users.  However, the community should also recognize that Javascript is a vulnerable vector that is leveraged by blackhat attackers. In 2014, law enforcement utilized injected Javascript code to infect everyone who visited any Tor server hosted by “Freedom Networking” with malware that exposed their real IP address. (Source)

In Paolo Mioni’s article entitled “Anatomy of a malicious script: how a website can take over your browser” the author gutted what seemed like an innocuous embedded piece of Javascript to outline how the elementary script was configured to redirect the user to a specific URL and could be simply adapted to arbitrarily inject other malicious scripts such keyloggers and cryptominers. (Source)

Coinhive, tagged as one of the largest threats to web users in the Spring of 2018, is an online crypto-service which provides cryptocurrency miners crypto mining malware, that can be installed on websites via embedded Javascript. The JavaScript miner runs in the browser of the website visitors and mines coins on the Monero blockchain. Unfortunately, the Coinhive code has been exploited by hackers for use as malware to hijack the end customer’s personal data and processor resources. This summer, independent security researcher, Scott Helme identified more than 4,000 websites, including many belonging to the UK government, infected with Coinhive malware.

Figure 3 Darknet Forum where Coinhive Exploit use is Discussed (633c61aaa0289fa0572b15b163f11b04)

Figure 3 Darknet Forum where Coinhive Exploit use is Discussed (633c61aaa0289fa0572b15b163f11b04)

Not MEGA.nz too…

MEGA.nz is a controversial but free cloud storage service, similar to Dropbox, that is a popular resource for blackhat and whitehat hackers. Over the last few years, data from many of the major commercial data breaches has been reliably posted to the MEGA.nz storage site and links shared across darknet forums. Despite previous concerns regarding the security of using the website, it proved a fruitful resource for personally identifiable information (PII) and credential data collection. Last week, DarkOwl analysts discovered a compromised version of the official Google Chrome extension for MEGA.nz, version 3.39.4, was published with malicious codes to harvest user credentials and private keys for cryptocurrency accounts. ZDNet broke the news of the hacked extension indicating that for the four hours after it was uploaded to Google's Chrome Web Store, the extension sent users’ stolen data to a server located at megaopac[.]host, hosted in Ukraine. (Source)

Unsurprisingly, MEGA.nz has expressed significant dissatisfaction with Google over this security breach blaming Google’s recent policy to disallow publisher signatures on Chrome extensions. An updated version of the extension, v3.39.5 is now available on the Chrome Web Store.

While the Firefox version of the MEGA plugin was not compromised, Mozilla recently removed 23 Firefox Add-ons that illegally tracked user’s browser data. In August, Mozilla released a list of compromised add-ons which included one called "Web Security," a security-centric Firefox extension with over 220,000 users, that was caught sending users' browsing histories to a server located in Germany.

DarkOwl Vision recently archived a May-2018 post from Junior Member on a popular darknet forum offering custom Chrome malware. The self-promoted malware developer advertised a trojanized YouTube Video Downloader in their post, but emphasized their ability to develop custom malware, supporting the possibility that even more compromised Chrome extensions like MEGA.nz could be published in the future.

Figure 4 Darknet Forum Post about Custom Chrome Extension Malware (c726797ae6dcd1ac889aff630d2855eb)

Figure 4 Darknet Forum Post about Custom Chrome Extension Malware (c726797ae6dcd1ac889aff630d2855eb)

Anonymity Impossible

The unfortunate and harsh reality in the world of the deep web and darknet anonymous networks is that anyone on these networks whether they be privacy conscious individuals, journalists, whitehat or blackhat hackers, must remain vigilant and hyper-aware that the tools and resources that advertise anonymity and security may be secretly exposing critical information of its users. Virtual Private Networks (VPNs) and Virtual Machines along with persistent endpoint protection may be the new norm for individuals who navigate potentially dangerous networks and sites; whereas DarkOwl Vision provides secure access to over 650 Million darknet and deep web pages to those who want to avoid the risk all together.

IRC Protocol: Instant Messenger of the Darknet

Before the age of social media, messaging specific applications, and even SMS text on your mobile phone, computer and networking enthusiasts communicated via an open internet protocol known as IRC, or internet relay chat. This text-based “instant messaging” application first surfaced in 1988, by a Finnish software developer using the alias of “WiZ” who in real life is Jarkko Oikarinen. IRC was codified in 1993 as RFC 1459 as an open source networking protocol, and does not belong to any specific person or group. This means that IRC is not going away anytime soon and will continue to outlive social media instant messaging chat applications. 

If it is not logic, it’s magic.
If it is not magic, it is female logic.”
— Jarkko Oikarinen

Everything you need to know about IRC

IRC follows a standard server/client networking model consisting of a collection of servers hosting multiple channels where multiple users can connect via a standalone chat application or web interface client. There are a number of Windows, Mac, and Linux based IRC clients available to dive into the hidden social network of IRC; however, because most clients are supported by academic or recreational open source software developers, continued support and up to date IRC client applications can be challenging if not impossible to find. Another downside to IRC is that all IRC servers send and receive messages via plaintext making IRC one of the most insecure protocols used in the internet. For this reason, many IRC servers recommend users use a Virtual Private Network (VPN) in addition to a Tor proxy to guarantee anonymity prior to connecting to certain channels or discussing sensitive subjects. Some servers also provide additional support with IP/host cloaking to protect users’ IP addresses from disclosure to the rest of the users connected. 

The people behind an IRC server are as diverse as the topics available for discussion. Individuals and groups of individuals across the world host IRC servers creating a decentralized network of endless chat possibilities. The “channels” available to connect to on an IRC server are akin to “rooms” within a building where people gather to discuss the channel’s subject of interest or topic.  Some IRC servers will have hundreds of channels to choose from, such as Freenode, which publically lists over 52,000 unique channels across their servers. The exact number of live IRC servers is unknown. Even so, irc.netsplit.de lists over 500 publically advertised IRC servers, but there are many Tor-based IRC servers not advertised.

Specific channels on an IRC server are preceded by a hastag “#” and vary across a broad set of discussion topics. As one would expect, many of the topics are specific to computing such as #linux, #python, or #networking, but others range from sports to special interests or even religious beliefs. IRC can be an excellent resource for troubleshooting software or asking technical questions, as many program developers, like those contributing to Linux distributions or mobile applications, (e.g. #iPhonedev), are active on IRC and eager to answer questions and help beginners. On the other hand, some IRC conversations are extremely general and an overly complicated form of social interaction for those who choose to connect virtually with others instead of in person.

Once a user successfully connects to a given IRC server, the command /join #<channel name> allows the user to enter the room of their choice, unless the room is set to private requiring an invitation and a password or the room has been locked by a moderator who wants to ban abusive users from entering the channel. In some special instances, the user might strongly believe they deserve access to a locked or private channel and have been unfairly denied access. If that is the case, the user can type /knock <message>, where message is the user’s custom message sent only to the channel admins. Similar to real life, if one knocks insistently on the door, it might not get one access but instead annoy the admins and get the user banned from the server entirely.

Most IRC users avoid using their real names on the servers and instead connect using a “nickname” or alias for the chat. Frequent visitors to IRC channels register their “nick” with nickserv to prevent other users from using their name. Using the command /nickserv register password e-mail in the main server window (not the unique channel) associates the email to the user and prevents the user’s nickname from being used by any other guests on the server. Users concerned with anonymity or connecting from the darknet would register a nick with an anonymous email address such as secMail or TorBox and not a Clearnet (e.g. gMail or Yahoo) address that is associated with their personal identity or could be used in any way to identify them.

Popular uses of IRC Channels

Over recent years of darknet intelligence collection and interacting in the grey world of computer security, our analysts have found wide-spread use of IRC-based coordination, collaboration and communication across darknet and deepweb regulars on everything from hacking to carding. Anonops and other cyber offensive collectives, offer Tor-hosted IRC servers and channels covering topics such as #hackers, #hardchats, #tor, #ddos, and numerous “#op”-prefixed chaannels for specific operations targeting everything from the NSA to Russia.  

User submitted posts on Verified Carder, a popular Deep Web carding forum, explain how IRC can be used to verify stolen or hacked credit card numbers and the benefit of connecting with “cashiers” who can help make money from the stolen credit card.

 
Figure        SEQ Figure \* ARABIC     1       Discussion on Finding "Cashiers" on IRC on a Popular Carding Forum

Figure 1 Discussion on Finding "Cashiers" on IRC on a Popular Carding Forum

 

For this reason, Darkowl has active autonomous data collection across hundreds of IRC servers/channels and queries filtered to IRC captured conversation are available using the search pod “Protocol->IRC.” DarkOwl Vision has successfully collected numerous conversations where stolen credit card information is offered for sale or for verification.

Figure       SEQ Figure \* ARABIC
   2       Vision Capture from DarkIRC Carding Verification on 11 May 2018

Figure 2 Vision Capture from DarkIRC Carding Verification on 11 May 2018

Once connected to an IRC server, conversations in the channels are known for their brightly colored text; however, the text color can also be sometimes altered in the chat client user preferences, depending on the chat client application of choice. A few sample screenshots from various chat clients are listed below.

Figure        SEQ Figure \* ARABIC     3       Quassel Application Sample IRC

Figure 3 Quassel Application Sample IRC

Figure        SEQ Figure \* ARABIC     4       HexChat Sample Chat

Figure 4 HexChat Sample Chat

Figure        SEQ Figure \* ARABIC     5       Weechat Sample Chat

Figure 5 Weechat Sample Chat

But, many IRC servers offer web-based chat clients, which is useful for users having the desire and the bandwidth to run IRC within Tor Browser. In order to run web-based IRC over Tor, Javascript must be enabled.

Figure        SEQ Figure \* ARABIC     6       AnonOps WebChat Login

Figure 6 AnonOps WebChat Login

Figure        SEQ Figure \* ARABIC     7       AnonOps Web Interface Sample Collection

Figure 7 AnonOps Web Interface Sample Collection

When viewing IRC conversations in DarkOwl Vision, the exact text is extracted without the color or emphasized font faces. In the result from a recent IRC protocol search in DarkOwl Vision, the date and time stamp of each message is displayed along with the nickname of the user in capital letters preceded and proceeded by “--“ and the message of the user submitted to the channel that was collected. If the conversation included any hyperlinks (Clearnet or Darknet), the engine captures this information as well.

As with any result in DarkOwl Vision, the Metadata Details are included and any data containing personally identifiable information such as email addresses, social security numbers or credit cards is tagged appropriately.

Figure        SEQ Figure \* ARABIC     8       Vision IRC Collection from 24 May 2018

Figure 8 Vision IRC Collection from 24 May 2018


Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.

Equifax on the darknet

Could darknet monitoring have prevented Equifax from becoming "equihax"?

Late last week, we learned the largest U.S. credit bureau, Equifax, had been significantly hacked resulting in the breach of the names, social security numbers, and personally identifiable information for over 143 million Americans. The incident, which the internet has since dubbed the "equihax" immediately led to widespread confusion and concern.

Can you trust Equifax’s security site (equifaxsecurity2017.com) - that requires you to simply enter the last six-digits of your social security number - to check if your name was included in the breach? Should you use their service to sign up for your year of free credit monitoring?  Who do you contact to be included in the $25,000 per victim massive class action lawsuit that is being formulated against them? 

And, what does the darknet have to do with it?


Equifax data has been on the darknet for months

As experts in darknet intelligence, our analysts immediately took to our darknet database tool, DarkOwl Vision, to perform a search of any relevant data that might provide insight into the equihax. What we found was evidence of Equifax credentials on a Russian darknet site, dating back an unknown period of time. DarkOwl Vision search results also showed Equifax data listed for sale on another Russian darknet page known as BestDarkForum.cc, which our darknet crawler indicates existed as far back as June 27th of this year. 

While we cannot yet verify that the information being sold in the above cases is from the recent equihax, or from a different (potentially unrelated) Equifax source, we can conclude that the presence of the compromising, personal data of Equifax customers has been advertised to willing buyers on the darknet for some months.

DarkOwl Vision identified a Russian forum selling access to NBKI, EQUIFAX, OKB, and Russian Standard databases (post dated  June 27, 2017 ). &nbsp;The site offers record lookup service for any individual across a number of leaked databases with a variable price list.&nbsp; Note:&nbsp; we can’t verify that that the Equifax data being advertised here is a result of the recent equihax leaked databases.&nbsp; We will continue to dig further on this, but it’s unlikely that we can source this data unless we make contact with the seller directly to analyze the source further

DarkOwl Vision identified a Russian forum selling access to NBKI, EQUIFAX, OKB, and Russian Standard databases (post dated June 27, 2017).  The site offers record lookup service for any individual across a number of leaked databases with a variable price list. Note: we can’t verify that that the Equifax data being advertised here is a result of the recent equihax leaked databases.  We will continue to dig further on this, but it’s unlikely that we can source this data unless we make contact with the seller directly to analyze the source further

What does this historical darknet presence have to do with the recent equihax?

e2.png

Most corporate data breaches are a result of an unlucky combination of a leaked server credential and a poorly patched data server running SQL or PHP-like databases. It turns out Equifax credentials have been circulating on the darknet long before last week’s first revelation from Equifax management. 

In late 2015, identity thieves reached out to the community requesting data from any of the major credit databases on the DreamMarket darknet marketplace forum. While consumer credit data is gold, a hacker has to start somewhere to begin mining for the treasure. As of this morning, DarkOwl Vision has indexed over 2,000 equifax.com corporate email addresses and clear text (unhashed) passwords across the darknet and paste-based sites providing an excellent starting place for attempting to breach the Equifax network using brute force or more sophisticated methods.

Screen shot of a darknet site in our DarkOwl Vision tool that reveals buyers have been seeking Equifax data for as far back as two years.

Screen shot of a darknet site in our DarkOwl Vision tool that reveals buyers have been seeking Equifax data for as far back as two years.


This week we learned that Equifax had failed to update their servers of a critical zero-day (or 0-day) Apache Struts vulnerability (CVE-2017-5638) that would have ideally been patched when the exploit was made known to Apache users in early March. The September Baird Equity Research report did not assess that the core databases were affected, but did state that Equifax reportedly became aware of the breach on 29 July and that unauthorized access occurred for approximately 2.5 months before being identified, speaking rather indirectly to a more broader concern over Equifax’s data security processes.

DarkOwl Vision indexed a .onion site offering access to Equifax data on a Russian darknet forum with the topic "Банковский пробив" (translated roughly as ‘Banking Breakthrough’).  The darknet user with the avatar ‘lunzinafinex’ offered extended and simple extractions for persons on Russia's leading credit bureau, the National Bureau of Credit Histories (NBKI), the United Credit Bureau (OKB), and Equifax.

Russian darknet forum with the topic "Банковский пробив" (translated roughly as ‘Banking Breakthrough’)

Russian darknet forum with the topic "Банковский пробив" (translated roughly as ‘Banking Breakthrough’)

Screen shot of the same .onion site as it appears in DarkOwl Vision, our darknet database.

Screen shot of the same .onion site as it appears in DarkOwl Vision, our darknet database.

e7.png

The same alias has also been used on multiple Russian carding and counterfeiting forums across the surface net. The last post by this user was a comment to their late June offer on 4 August 2017 on FakeCash (fcash.biz) with the title “Quick check of credit histories.” It is unclear whether these offers are related to the recent Equifax breach or something completely different.


So, is your information actually for sale on the darknet? 

Most likely. Last Friday, the first offer to sell the Equifax data appeared on the darknet on the TOR hidden service, badtouchyonqysm3[.]onion. The hackers claimed they did not anticipate receiving such large set of data and needed to monetize the attack quickly. They stated that they would release the entire data set on September 15th, 2017 (one week from the time of the writing). The offer was set at 600 BTC, or approximately $2.6 million USD. Threat intelligence researchers determined the onion was hosted on the popular Daniel’s hosting service and removed shortly thereafter.

 
e8.png
 

On Thursday, another hidden service, equihxbdrjn5czx2[.]onion, appeared with opportunity to purchase the compromised Equifax data along with images to “prove” they are legit. This site was more simple in its construction than the previous with plain text, ASCII art, and HTML links to the images.  The hackers require a $700 USD deposit to their public bitcoin address to receive the link to download the dataset at a cost of 4 BTC per 1,000,000 entries – adding up to approximately the same as the first offer of $2.6 million USD for the entire dataset.

 
e9.png
 

The “samples” from their treasure trove included database-like extraction for celebrities, Donald Trump, Kim Kardashian, and Bill Gates, all included in previous DoxBin datasets. On the other hand, the images, include severely redacted screen captures from what appears to be various servers on the Amazon cloud. 

The IP address 172.31.25.243 is listed in the image and redirects to the canonical name: http://ip-172-31-25-243.us-west-2.compute.internal, an address within Amazon’s Elastic Compute Cloud (aka Amazon EC2). While the domain name cannot be resolved, the GeoLocation for the server is Valencia, California.

IP Location Results for 172.31.25.243
==============
City:         Valencia
Zip Code:     91355
Region Code:  CA
Region Name:  California
Country Code: US
Country Name: United States
Latitude:     34.418
Longitude:    -118.566

 
e10.png
 
 
e11.png
 
 
e12.png
 
e13.png

Most of the images have their dates redacted; however, one image included timestamps of April 24, 2017 earlier than the original Equifax report indicated. The last sentence of the latest hidden service is the most ominous suggesting they’ve had access for much longer than the 2.5 month window.

As you seen in media [sic], Equihax by more than just “Apache Struts RCE”. Apache Struts RCE is Equifax’s smoke to cover up embarassing [sic] security fails.

We have had access for years now.
— anonymous darknet user

While it is completely plausible that the latest equihax offer is a scam, the mounting evidence that such data is not just valuable but actually extremely sought after by identity thieves makes monitoring data of this nature all the more vital for businesses and government agencies. 

For more information on how you can monitor the darknet using OWL Vision, click "Learn More" below.


Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.