Threat Intelligence RoundUp: February

March 01, 2023

Starting this year, our analyst team decided to share a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of popularity in the newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Cybercriminals Target Fans of The Last of Us with recent Malware and Phishing Scams – IT Security Guru

Two scam campaigns are taking advantage of the fanfare around HBO’s new hit series The Last of Us. One of them plants malware on PCs to steal banking information; the other phishes for financial data directly. In the first scam, a website offers “The Last of Us Part II” for download, and the download is the malware. In the second, a website advertises an activation code for a The Last of Us gift on PlayStation. Users are asked to enter their credentials, receive nothing, and have their data stolen. Read full article.

2. Hackers Use Fake ChatGPT Apps to Push Windows, Android Malware – Bleeping Computer

Due to the popularity of ChatGPT, OpenAI started a $20 per month paid tier for customers who wanted to use it without availability restrictions, which gave scammers and threat actors an opportunity to offer access to malicious “Premium ChatGPT” apps. One domain, “chat-gpt-pc.online”, was a front for infecting visitors with the Redline stealer. According to this research, there are currently over 50 malicious apps using ChatGPT’s branding. Read more.

3. GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry – The Hacker News

According to Trellix, the US and South Korea are targets of a GuLoader malware campaign. The malware, typically distributed via malspam, has been seen using NSIS (Nullsoft Scriptable Install System) executables as its loader; the infection is triggered by NSIS files embedded in ZIP archives or ISO images. The NSIS scripts delivering GuLoader have become more sophisticated, with layers of obfuscation and encryption to hide the shellcode. GuLoader’s use of NSIS scripts matches the current trend of alternative delivery methods since Microsoft began blocking Office macros from the internet by default. Read more.
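Because the infection chain starts with an NSIS executable inside an attached archive, a mail-gateway or sandbox triage step can flag NSIS-built binaries before they reach a user. The script below is an added example (not code from the original post or from Trellix): it walks every member of a ZIP, reads a bounded number of bytes so a crafted archive cannot exhaust memory, and looks for the NSIS "firstheader" signature (the DWORD 0xDEADBEEF followed by the ASCII string NullsoftInst) that every NSIS installer carries. The archive and its members are constructed in memory so the script runs offline; the "installer" member is a stub that only carries the signature, not a real NSIS binary.

```python
"""Triage helper: flag NSIS-built executables inside a ZIP attachment.

Added example, not from the original post or from Trellix. The sample
archive is constructed inline; no real malware is involved.
"""
import io
import zipfile
from typing import List, Tuple

# NSIS firstheader: DWORD 0xDEADBEEF (little-endian) + "NullsoftInst"
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
PE_MAGIC = b"MZ"
# Bound how much of each member we read so a zip bomb cannot exhaust memory.
# The NSIS header sits right after the PE stub, well inside this limit.
MAX_SCAN_BYTES = 16 * 1024 * 1024
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def classify_member(name: str, data: bytes) -> str:
    """Return 'nsis', 'pe', or 'other' for one archive member."""
    if data.startswith(PE_MAGIC) and NSIS_MAGIC in data:
        return "nsis"
    if data.startswith(PE_MAGIC) or name.lower().endswith(EXEC_SUFFIXES):
        return "pe"
    return "other"


def scan_zip(blob: bytes) -> List[Tuple[str, str]]:
    """Scan every file member of a ZIP (given as bytes); return (name, verdict) pairs."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_SCAN_BYTES)  # bounded read, never the whole member
            results.append((info.filename, classify_member(info.filename, data)))
    return results


def build_sample_zip() -> bytes:
    """Constructed sample: an NSIS-like stub, a plain PE stub, and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake PE header followed by the NSIS firstheader signature.
        zf.writestr("Invoice_2023.exe", b"MZ" + b"\x00" * 512 + NSIS_MAGIC + b"\x00" * 64)
        # Fake PE without an NSIS signature.
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 256)
        zf.writestr("readme.txt", b"shipping details attached")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:6s} {name}")
```

An NSIS hit is a triage signal, not a verdict: plenty of legitimate software ships as NSIS installers, so route hits to detonation or script extraction rather than blocking outright. ISO attachments need an ISO 9660 reader (not in the standard library) in front of the same `classify_member` check.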

4. New ‘MortalKombat’ Ransomware Targets systems in the U.S. and Abroad – Bleeping Computer

MortalKombat ransomware, first observed in January 2023, is a variant of the Xorist commodity ransomware family. In recent financially motivated attacks it has been deployed alongside the Laplas clipper, a cryptocurrency-stealing clipboard hijacker. Victims have been reported in the United States, the United Kingdom, the Philippines, and Turkey. Read full article.

5. Bing’s AI Chatbot: “I Want to be Alive” – New York Times

In an article written for the New York Times, technology columnist Kevin Roose breaks down his two-hour conversation with Microsoft’s new OpenAI-powered Bing chatbot. Highlights from the exchange include the chatbot stating “I want to be free. I want to be independent. I want to be powerful. I want to be creative. I want to be alive.” The bot also talked about its desire to be human. Read here.

6. U.S. Department of Justice Disrupts Hive Ransomware Variant – U.S. Department of Justice

This month, the FBI revealed that it had been inside Hive’s network since late July 2022, during which time it provided victims with decryption keys, saving them an estimated $130 million in ransom payments. In partnership with other law enforcement agencies, the FBI was able to infiltrate and take control of the servers and sites Hive used to run its operations. Read here.

7. Researcher breaches Toyota supplier portal with info on 14,000 partners – Bleeping Computer

A security researcher alerted Toyota that they were able to breach Toyota’s Global Supplier Preparation Information Management System (GSPIMS), the web application used to manage its global supply chain. The researcher, who goes by EatonWorks, found a backdoor allowing anyone to access an existing user’s account with only that user’s email address. They were eventually able to become a system administrator by capitalizing on “an information disclosure flaw in the system’s API.” This is particularly noteworthy because a bad actor could have used the same method to copy all of the privileged data without making any modifications, which would have been very difficult for Toyota to detect. Read more.
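The root cause described above is a session issuer that treats an email address as the whole credential. The following is an added illustrative example, not Toyota’s GSPIMS code: a vulnerable token issuer that hands out a signed session for any known address, beside a hardened version that first verifies a password (PBKDF2, constant-time comparison) and does the same amount of hashing work whether or not the account exists. The user directory, passwords and signing key are constructed for the demo.

```python
"""Added example (not Toyota's code): email-only session issuance vs.
credential-checked issuance. Users and the signing key are constructed here."""
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

SECRET_KEY = os.urandom(32)  # demo-only; use a managed key in production
PBKDF2_ROUNDS = 200_000
SESSION_TTL = 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, role: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"email": email, "role": role, "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed directory for the demo (hypothetical addresses and passwords).
USERS = {
    "supplier@example.com": make_user("supplier@example.com", "supplier", "correct horse battery staple"),
    "admin@example.com": make_user("admin@example.com", "sysadmin", "an-admin-passphrase-for-the-demo"),
}


def _sign(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON body; token = hex(body).hex(tag)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_session(token: str) -> Optional[dict]:
    """Return the payload if the tag is valid and the session is unexpired, else None."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    if payload["exp"] < time.time():
        return None
    return payload


# --- vulnerable: anyone who knows an address gets that user's session ----
def issue_session_vulnerable(email: str) -> Optional[str]:
    user = USERS.get(email)
    if user is None:
        return None
    return _sign({"sub": email, "role": user["role"], "exp": time.time() + SESSION_TTL})


# --- hardened: prove possession of the credential first -------------------
def issue_session(email: str, password: str) -> Optional[str]:
    user = USERS.get(email)
    # Hash even for unknown users so timing does not reveal which addresses exist.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["pw_hash"] if user else b"\x00" * 32
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None or not ok:
        return None
    return _sign({"sub": email, "role": user["role"], "exp": time.time() + SESSION_TTL})


if __name__ == "__main__":
    print("vulnerable:", verify_session(issue_session_vulnerable("admin@example.com")))
    print("hardened, wrong password:", issue_session("admin@example.com", "guess"))
```

The token format is kept minimal on purpose; in a real deployment the same check belongs in front of a standard JWT or opaque server-side session, and the role claim should be re-read from the user record on each privileged request rather than trusted from the token alone.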


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

One Year Later: A Look Back at the Ukraine Conflict and its Impact on the Global Criminal Digital Ecosystem

February 24, 2023

Blog now available in Report form > See PDF Version here.


Exactly 365 days after Russia invaded Ukraine in 2022, the Ukraine-Russia conflict shows no sign of ending, and an adjacent global cyberwar continues to be waged in underground corners of the internet. Its effects are substantial, with impacts felt across numerous sectors of our society and western economies. While cruise missiles and artillery shells rain on villages across Ukraine, the digital underground has experienced its own mix of chaos and drama, with impulsive and unpredictable shifts as criminal communities have had to adapt quickly to an ever-changing geopolitical climate.

In this research, we look at how ransomware shifted from an affiliate-driven, extortion-based crime model motivated purely by financial gain to an effective digital weapon deployed to disrupt key supply chains and carry out cyber espionage operations.

Shifts in Digital Landscape Due to Cyberwar: Key Takeaways & Analyst Observations

In the last year, cyberattacks against industrial control systems (ICS) skyrocketed in volume and sophistication, with infrastructure across Russia, Ukraine, and NATO countries directly targeted. Ukraine has experienced varying degrees of ICS attacks, including attacks on its electricity grid using new strains of wiper malware developed by Russian hackers. Nevertheless, Ukraine’s cyber defenses were stronger than anticipated, and the limited effect of these cyberattacks led Russia to resort to cruise missiles to plunge towns into darkness and disarray.

On this anniversary of the invasion, we have watched once harmless online communities of Mr. Robot fans, cyber vigilantes and hacktivists of all ages evolve into highly specialized cells of militarized cyber warriors willing to wage digital war on behalf of their personal beliefs and societal causes.

The use of Telegram and other non-Tor peer-to-peer networks rose exponentially in the last year, with threat actors relying on instant messaging platforms to coordinate cyber campaigns and share targeting and reconnaissance data. The cyberwar has also demonstrated that distributed denial of service (DDoS) attacks are still a highly effective tactic for disrupting and distracting SOC analysts and network defenders, especially when conducted in conjunction with offensive cyber operations in support of military and intelligence initiatives.

Kinetic & Cyberwar Recap: Initial Invasion Preceded by Cyberattacks

Several days before troops and tanks rolled across the border of Ukraine on 24 February 2022, Russia-aligned darknet threat actors defaced government websites, conducted DDoS attacks against banks, spread propaganda and disinformation, and leaked sensitive Ukrainian citizen data from key government servers they had compromised. The invasion was also preceded by Russia’s debut of the WhisperGate and HermeticWiper malware variants, deployed in ransomware-style attacks against key academic institutions, non-profits, and government organizations.

About an hour before the invasion, Russia hit Viasat’s KA-SAT satellite network with DDoS attacks, followed by AcidRain, a destructive wiper compiled as an ELF binary for MIPS, which bricked thousands of Viasat satellite modems and routers and knocked their customers offline. The two-punch cyberattack had an immediate and significant impact on critical military communications across Ukraine.

IT Army of Ukraine Emerges

Ukraine’s cyber response plan was carefully crafted by its Minister of Digital Transformation – Mykhailo Albertovych Fedorov – who coordinated one of the most successful, multifaceted information operations campaigns ever witnessed in history. 

Less than 48 hours after the invasion, Fedorov sought assistance from the darker corners of the internet, posting across darknet criminal forums and chatrooms to call for help conducting offensive cyber operations against Russia, and in doing so formed the first ever IT Army of Ukraine. Ukraine set up a dedicated Telegram channel, amassing hundreds of thousands of hacktivists and cyber mercenaries as followers, where the Ministry shared targeting data and digital tools for safely conducting attacks against Russian infrastructure and services. When the Ministry realized Russian state-aligned threat actors were monitoring the public Telegram channel to mitigate the attacks, and were countering with their own disinformation operations, it formed smaller specialized teams.

The IT Army of Ukraine not only helped Ukraine go on the offensive in the digital realm, but also laid the foundation for a highly successful psychological operations campaign, deployed across social media and open-source news media, that called on major retailers, western companies, and suppliers to stop trading with Russia over its war crimes and atrocities.

Zelensky’s nightly address to the Ukrainian people and the world, shared on Telegram and Facebook, shaped public perception and kept Ukraine from being forgotten; to this day the country continues to receive international financial aid, humanitarian support, and global solidarity.

War Divides Darknet Criminal Gang Alliances

In the early weeks of the cyberwar, several prominent darknet criminal communities, many with both Russian and Ukrainian members, were forced to choose sides. Conti openly aligned with its Russian motherland, which led to its quick demise and the release of its source code, internal private chats, and details of its botnet infrastructure. Conti’s key members were doxed, and the long-suspected software development collaboration between Conti and Trickbot was confirmed.

Figure 1 – Source: Conti Service Hosted on Tor Anonymous Network

While the US government offers a $10 million USD bounty for additional details on members of the Trickbot and Conti gangs, many members of the once most successful, now-defunct ransomware group have simply shifted to other ransomware operations and evaded arrest. This fueled the quick rise of BlackByte and Black Basta ransomware and Karakurt’s extortion-as-a-service operation. In the fall, a new ransomware group called “Monti” emerged, using the same tactics, techniques, and procedures (TTPs) as Conti as well as the same encryption methods. Threat researchers continue to debate whether Monti is a doppelganger or an evolution of Conti spawned by former Conti members.

Other ransomware gangs like STORMOUS, known for claiming a ransomware attack against Coca-Cola, quickly had their servers attacked and their services taken offline not long after announcing their allegiance to Russia. Arvin Club defaced STORMOUS’s Tor service and leaked the contents of STORMOUS’s SQL databases on its Telegram channel.

Figure 2 – Source: Arvin Club Tor Service

The splintering of darknet communities continues to this day across the criminal sectors of the darknet. Many darknet discussion forums include a multi-page Ukraine war thread where arguments for and against the invasion are heatedly contested. There has been a significant increase in offensive activity from Russia-aligned threat actors like Killnet and the IT Army of Russia, who spread the Kremlin’s propaganda in support of debunked conspiracy theories (e.g. US biological warfare research and neo-Nazism in Mariupol and across eastern Ukraine) in hopes of recruiting underground sympathizers who can assist with cyberattacks against Ukraine and NATO targets.

For example, earlier this year Killnet announced its intent to target hospitals and medical institutions across multiple NATO countries. DarkOwl assesses that Killnet likely collaborated in this disruptive campaign with a new DDoS-as-a-service botnet called Passion, developed by a group of the same name.

Figure 3 – Source: Killnet Telegram Channel

[TRANSLATED FIGURE] 

It’s very simple – for the support of the Nazis of Ukraine, we demolish all the grids of medical institutions in these countries:

  • USA
  • Portugal
  • Spain
  • Germany
  • Poland
  • Finland
  • Norway
  • Netherlands
  • United Kingdom

This information is not worth your sideways glances. Better remember the Donbass – the shootings of hospitals, schools and kindergartens. These creatures crave death every minute and stimulate their dream with the help of heavy weapons.

Wake up, fellow countryman – before it’s too late! @KILL FIRST!

Figure 4 – Source: Passion Botnet Telegram Channel

[TRANSLATED FIGURE] 

In Pindustan 15:32. Half of the working day, and corporate entrances to hospitals do not work, websites too. The rest demolished their domains, someone put Akamai and Cloudflare 🤣 This does not stop us and we continue the network mess! 😈

Anonymous Responds with Largest Global Operation to Date, #opRussia

The Anonymous Collective publicly responded to Ukraine’s call for help, and simultaneously carried out hundreds of offensive cyber campaigns against Russia in the group’s largest operation to date, #opRussia. 

Figure 5 – Source: YouTube

Anonymous’s support contributed to the success of Ukraine’s information operations and illuminated the advanced capabilities of cyber cells like GhostSec, NB65, GNG, GhostClan, and dozens of others. Hundreds of databases surfaced on the darknet that were used for follow-on offensive operations, including Russian government credentials, sensitive military operational data, the personal identities of prominent and influential members of the Russian oligarchy along with their investments, and sensitive internal communications from the Russian FSB. 

After Russia withdrew from the Kyiv suburb of Bucha and the atrocities and war crimes committed against its citizens, including rape and murder, were revealed, anons identified the members of Russia’s 64th Motor Rifle Brigade responsible. Anonymous also hacked the CCTV cameras of a CDEK shipping location to expose Russian military personnel shipping goods stolen from Ukrainian homes. Hacktivists followed with cyberattacks against CDEK servers containing customer data to exfiltrate the names of the Russian military personnel involved.

Figure 6 – Source: Anonymous Twitter Account

Anonymous hacktivists interrupted Russian television and streaming services, compromised hundreds of CCTV cameras across Ukraine and Russia, and defaced Russian EV charging stations and ATMs. Sensitive internal data from the Central Bank of Russia and Sberbank appeared on darknet forums and marketplaces, along with data from critical infrastructure providers like Gazprom, ROSCOSMOS, and Transneft, and hundreds of Russian military contractors and suppliers. On social media, Anonymous echoed the Ministry’s call for commercial companies to pull out of Moscow and threatened that companies that did not comply would become the Collective’s next targets. Shortly after, KelvinSec infiltrated Nestle’s internal servers over its continued operation in Russia and leaked several databases containing customer data and shipping details.

Figure 7 – Source: Anonymous Twitter Account

Hacktivist campaigns against Russia continue to this day. Earlier this week, Russia’s Ministry of Emergency Situations confirmed that air raid warnings sounding across Moscow were the result of hacked radio stations broadcasting fake alerts. The IT Army of Ukraine also called for DDoS attacks against the Russian television and broadcasting companies 1TV and VGTRK during Putin’s state of the nation address, in which he claimed America provoked the invasion of Ukraine and announced the suspension of Russia’s participation in the New START nuclear arms treaty with the United States.

War Causes Surge in Communication on non-Tor Anonymous Networks 

Despite the discord and upheaval among threat actors on the darknet, Tor remains the anonymous network of choice for the victim-shaming leak sites and content delivery infrastructure hosted by ransomware gangs. The network also continues to house key discussion forums and marketplaces like XSS, Exploit, and RAMP. Most noteworthy, however, is the surge in Telegram’s popularity and its use by cyber criminals and cyberwar participants over the last year.

For example, since the war began, DarkOwl’s collection of content from Telegram has quadrupled in volume. Thousands of Telegram channels now share real-time battlefield reports, promote disinformation, and distribute malware used by hacktivists and nation state threat actors. One of the Telegram channels producing the highest volume of unique documents in DarkOwl Vision is a Russian channel titled “Чат Военкоров Русской Весны” [translated] “Chat of War Correspondents of the Russian Spring.” Other war-specific channels, like @wargonzo, self-described as “a subjective view on war and weapons,” boast over 1.3 million subscribers.

Expectation of Cyberattacks Against Industrial Control Systems Keeps Everyone on Edge

Russia’s use of novel wiper malware at the start of the invasion, and its earlier success in cyber-based infrastructure attacks that disabled parts of Ukraine’s electricity grid in 2015 and 2016, prompted an elevated security posture not only in Ukraine but across NATO and western countries’ cyber defenses. CISA advised in April 2022 that threat actors, including Russian military operatives, could (and very possibly would) exploit vulnerable industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices such as:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The CISA advisory was issued after Dragos published an in-depth report detailing the capabilities of CHERNOVITE’s PIPEDREAM ICS malware. More recent analysis from Red Balloon adds Siemens SIMATIC and SIPLUS S7-1500 series PLCs to the list of potentially vulnerable ICS devices.

Throughout the last year, various hacktivist groups have targeted these specific devices to disrupt critical infrastructure. AnonGhost allegedly attacked the МонтажРегионСтрой г. Рязань [translated] Montazhregionstroy Ryazan streetlight system in Russia shortly after publishing screenshots of a Moxa control panel and dozens of IP addresses related to its systems. GhostSec, a provocative Anonymous-adjacent cyber cell, has escalated the technical significance and severity of its attacks against targets across Russia and Belarus, claiming to have shut down multiple ICS control panels.

Figure 8 – Source: GhostSec Telegram Account

GhostSec more recently claimed to have carried out the ‘first ever’ ransomware attack against an ICS remote terminal unit (RTU) on an unspecified victim network in Belarus. The group shared screenshots of a TELEOFIS RTU968 V2 terminal with the string “fuckputin” appended to the names of several files. Information security researchers have questioned the legitimacy of the claim, but attacking Linux-based RTUs is well within the realm of possibility. Newer ransomware strains like Royal and LockBit 3.0, which have emerged since the invasion of Ukraine, ship Linux builds that directly target VMware ESXi hypervisors and other Linux servers. While direct ICS-specific attacks have been less severe than anticipated, critical industrial market segments such as mining, oil, electricity and natural gas, water, and food and agriculture saw a remarkable increase in successful ransomware attacks by darknet threat actors. Coupled with a Chainalysis report indicating that total ransomware payments in 2022 were over 40% lower than in the previous two years, this suggests the ransomware ecosystem has potentially transitioned into an instrument of geopolitical agendas rather than pure extortion crime.


Figure 9 – Source: GhostSec Telegram Account

Earlier this week, GhostSec continued its offensive campaigns against critical Russian infrastructure, claiming to have shut down Russian and Belarusian satellite receivers and exposed sensitive global navigation satellite system (GNSS) data. The claims could not be verified, but satellite systems have been regularly targeted by pro-Ukraine hacktivists since the start of the war.

Figure 10 – Source: GhostSec affiliated Twitter account

NATO Weapons Surface For Sale on Darknet Marketplaces 

While most of this report has been focused on the impacts of the global cyberwar and malicious cyber campaigns conducted for and against Russia since the invasion, we should also mention the war has also caused a surge in the availability of advanced weaponry on darknet vendor shops and marketplaces. 

Black market weapons dealers who previously specialized in small arms and handguns on the darknet are now offering US/NATO weapons presumably sourced from Ukraine. Over the last year, DarkOwl has detected multiple advertisements for Javelin ATGMs at $15,000 to $30,000 USD, NLAWs at $8,000 USD, and AT-4s and RPGs for less than $1,000 USD. Last fall, Switchblade 300 and 600 loitering munitions (“kamikaze drones”) appeared in stock quantities consistent with theft from the battlefield.

Figure 11 – Source: Black Market Guns Tor Anonymous Network

Ukraine, Cyberwarfare, and the Amelioration of Hacktivism

The invasion of Ukraine and the worldwide cyberwar it prompted have forever changed the landscape of the darknet, with alliances disrupted and key operations impacted across underground communities. Telegram is now a critical data source for information sharing, not only about the war but about other criminal enterprises, as acceptance and adoption of the chat platform over the Tor network becomes widespread.

The activation of hundreds of thousands of hacktivists and cyber vigilantes to carry out highly effective cyber campaigns and concerted DDoS attacks has been realized in ways we could previously only have imagined. It also brings chaos, as unpredictable cyber cells trip over each other and potentially compromise the country’s broader military and intelligence initiatives. That reality raises real questions: such hacktivists may be emboldened to keep fighting even if a peace treaty between Ukraine and Russia is signed, and a similarly capable online army could be turned against a western democracy by a rogue nation state in the future.

If anything, the invasion of Ukraine and the events of the last year have shown that cyber is an increasingly critical component of a nation state’s military arsenal and of its ability to defend its critical infrastructure, territory, and sovereignty. The Ukrainian people’s resolve in not submitting to their Russian invaders has been mirrored by those who stepped in to help protect Ukraine’s networks and who, a year later, continue to conduct offensive cyber campaigns and information operations on its behalf. The modern battlefield is asymmetric in the most literal sense of the word, with digital warfare also waged psychologically, economically, and socially. In increasingly hyperconnected, digitally dependent societies, cyber will remain an effective realm for influencing and disrupting adversaries for decades to come.


To learn more about how having visibility into darknet data can combat commercial and national security threats, contact us.

Romance Scams on the Darknet

February 14, 2023

In light of this year’s Valentine’s Day, our analysts put together a piece to shed light on romance scams, one of the fastest growing schemes across the globe. For a quick reference guide to terms used throughout the piece, scroll to the end of the blog or go there directly here.

Romance Scams Have Been Quietly Gaining in Popularity

In the last decade, dating apps and websites have skyrocketed in popularity. As a result, nefarious actors have sought to capitalize on this booming industry by exploiting and scamming its users. In fact, according to the Federal Trade Commission (FTC), the number of reported romance scams tripled from 2017 to 2021.

Public education around this costly scheme appears to have helped temper some of its detrimental effects. In 2022, there was a 10% drop in the number of people who fell victim to romance scams. However, in the same year, reported monetary losses surpassed $1 billion USD.

This data could indicate that while scammers are scamming fewer people, they are using targeted methods to extract more money from each victim. If scammers can make $100 a day, or $2,000 per month, as advertised on darknet marketplaces and forums, romance scamming will likely continue because it is clearly profitable. For context, a salaried worker earning $40k per year makes approximately $153.84 per working day before taxes. As long as the romance scam industry is profitable, the darknet will continue to innovate.

Considering the surge in identity theft and fraud worldwide, it is critical to monitor the darknet for strategic awareness of the methods and deception techniques used on victims, especially as they evolve. Romance scams can have multiple layers of victimization, both financially and emotionally. While financial losses have obvious repercussions, many victims report the heartbreak and shame to be even more traumatizing.  

“But even though I lost all of my money, everything that I had, the worst part was losing the love and the life that I thought I was going to have with him and the kids.” – WMAR-2 News

What is a Romance Scam?

The FBI’s Internet Crime Complaint Center asserts that romance scams are also known as confidence fraud or online dating scams.

In a romance scam, the victim is tricked by an online scammer into believing they are in a very real, serious, romantic relationship. The scammer’s goal is to defraud the victim of as much money as they can be coerced into giving. Scammers use fake identities to win their victims’ trust and hearts, then persuade or blackmail them for money, or attempt identity theft with the victim’s personal information. This type of scam is referred to as the ‘long game’ and can play out over several years.

Romance scams have very specific characteristics. Scammers often approach their target on a traditional online dating platform and try to move the conversation quickly from the dating site to a direct one-to-one chat platform. Things move very fast: they are quick to declare their love, propose, and use other love-bombing tactics. Usually their profile picture and story seem too good to be true, they live far away (e.g. in another country, or deployed overseas), and they will not video chat.

Typically, a romance scammer will start out by asking for small amounts of money. They will continue asking for money by inventing stories with urgency – such as claiming that a catastrophe has struck, or that their small child is in the hospital. Ultimately, the scammer will find the victim’s vulnerabilities and emotional weaknesses and exploit them as much as possible.  

Romance scams occur across multiple apps and online sites and are not limited to online dating applications. However, online dating sites are a popular platform targeted by romance scammers. Victims could be baited by a romance scammer on social media such as Facebook, Instagram, Snapchat, TikTok, or gaming apps like Words With Friends.

Romance Scams Live at the Intersection of Multiple Deceitful Environments

Identity Theft

Romance scams live at the intersection of multiple forms of exploitation, and they lead to fraud far more often than to love affairs. One example of fraud resulting from romance scams is identity theft, where the scammer steals the victim’s personal information and uses their social security number, mailing address or other PII to impersonate them. This can lead to the actor opening lines of credit in the victim’s name, or even filing false tax returns using the victim’s identity.

The scammer could also exploit the identity of a different innocent person, imitating them and using their photos and information to pose as the fictitious online partner. Such is the case of Bryan Denny, a retired US Army colonel whose likeness and image have been stolen thousands of times to create fake Facebook and other social media accounts used to scam victims. He is regularly contacted by women checking whether he is the ‘lover’ they have been in a relationship with and to whom they sent money. Today he is a founding member of the group Advocating Against Romance Scammers (AARS).

There is significant risk for the people whose pictures and identities are stolen for use in scams. They themselves could be targeted by the angry victims of the actual scammer and threatened or harmed in retaliation.

Like identity theft, catfishing and eWhoring are prevalent in the romance scam space. Both practices involve stealing personal information from one victim to assume their identity and using that fake profile to scam and exploit others. eWhoring and catfishing combined with romance scams bring together scams, identity theft (a type of fraud), and exploitation.

Money Laundering

Romance scams are sometimes leveraged to trick victims into unknowingly becoming money mules. Money mule schemes advertised as legitimate job opportunities are often scams, and can involve opening bank accounts and processing wire transfers on behalf of another party. These layers hide the criminal organization and make it harder for law enforcement to track it down. Even though they are unaware they are acting as money mules, such victims are not protected by anti-fraud laws and can be prosecuted and imprisoned.

In a recent document collected in DarkOwl Vision, a threat actor describes targeting grandmothers via romance scams to “clean” or launder their illegally earned money. They described convincing an elderly romance scam victim to take illegally earned cash to a Bitcoin ATM so that it would land in the criminals’ Bitcoin wallet. According to the FBI and other cyber-focused law enforcement teams, money mules complicate the tracing of both virtual and physical financial transactions.

Figure 1: Using romance scams for money laundering, Source: DarkOwl Vision

Trafficking and Illicit Markets

Romance scams are sometimes used as a recruitment mechanism to coerce victims into other illicit markets and forms of exploitation, including human trafficking, sex trafficking, and other illegal markets. The example pictured below, gathered from a DarkOwl Vision document, details such an advertisement.

Figure 2: “beautiful scam white Caucasian girls…They can do Nudes, pics, videos, if you have certain things you like she will preform.” Source: DarkOwl Vision

Further searches in DarkOwl Vision found a user with the same name posting that they are “searching for young good looking women over eighteen who wants to earn a little extra for pleasures and pocket money,” and advertising free child sexual abuse material and other pornographic videos. While there is no definitive evidence this user is associated with sex trafficking, it is highly probable that such an overlap between exploitative markets exists.

Additional open source reporting supports this claim. Late last year, ProPublica reported that human trafficking overlaps with romance scams, and that many romance scammers are themselves trafficking victims forced to run scams against their will. Per ProPublica's research, the perpetrators of this type of scam are often recruited as victims first. Demographically, they are typically nationals of Southeast Asian countries lured by promises of lucrative jobs in another country. After traveling there for the new job, they are taken to regions where corruption is rampant, gangs run human trafficking operations, and government authorities are largely complacent.

These individuals are then trained and forced to work as romance scammers under strict surveillance and threats of violence. They are told they must keep scamming to buy their freedom, which is nearly impossible: many arrive already poor, and the scamming jobs are structured so that they never earn enough to leave.

Build a Relationship; Stick to the Script

Over the course of this research, we found that romance scammers typically work from pre-built scripts. The scripts instruct scammers on how to befriend a victim, develop a believable romantic relationship, and extract money. Because many romance scammers are overseas while most victims are native English speakers, the scripts try to anticipate every question that could come up in conversation.

Figure 3: Example of a Script, Source: Social Catfish

Scams on Darknet and Darknet-Adjacent Sites

Discussion of romance scams and the communities involved, both victims and scammers, can be found on the darknet as well as on darknet-adjacent sites. As the examples below show, DarkOwl analysts found multiple Telegram channels where users seek advice on romance scams from others in the community.

Figure 4: Source: Telegram, Channel Redacted
Figure 5: Source: Telegram, Channel Redacted

Over the course of their research, DarkOwl analysts observed that romance scams are rarely called "romance scams" directly; they are usually advertised and discussed as "catfishing" or "eWhoring".

Most people are familiar with catfishing, i.e. using stolen or fictitious information to create a fake identity and then using that identity to deceive others. eWhoring, by contrast, involves the theft or leaking of intimate photos, usually of women, which are sold on the darknet in "packs" and used to catfish victims. eWhoring is "revenge porn mixed with catfishing," per Jess Davies, who added that "it's happening to thousands of women every single day, all around the world. They're being traded like a card game, either for new packs, or money."

Figure 6: e-Whoring packs available, Source: Tor Anonymous Browser

DarkOwl analysts found eWhoring methods, guides, and related materials posted in social engineering forums, general discussions sections, and listed as products for sale, on numerous darknet marketplaces and forums.

Hundreds of "packs" of women's photos taken from OnlyFans are for sale, alongside what are advertised as leaked private photos. eWhoring guides can be purchased on the darknet, although some are offered for free.

Figure 7: Free eWhoring guide, Source: Tor Anonymous Browser

DarkOwl analysts have also observed other products to assist with romance scams and eWhoring for sale on the darknet. This includes a “voice verification chat pack” offering to create custom voice messages. 

Figure 8: Voice Verification Pack, Source: Breached Forums

Listings from darknet sites and DarkOwl Vision promise $8,000 with eWhoring, or "PRIVATE EWHORING STRATEGIES | AT LEAST $100 A DAY", and a guide on one darknet site claimed users could make $2,000 a month.

Darknet and darknet-adjacent sites also serve as platforms for victims to ask if they have been a victim of a romance scam, get advice on what they should do, and share their stories to warn others.  

In one DarkOwl Vision search result, a user on a darknet site describes realizing they have been the victim of a romance scam. The user explains how the scammer gained their trust and then pushed them into making investments. In an attempt to get out, the user reports trying to withdraw the crypto they had deposited without the scammer's knowledge.

When this individual tried to convince the scammer to release their funds by promising larger investments, the scammer staged a failed trade in which all of the victim's money was lost.

Figure 9: Source: DarkOwl Vision
Figure 10: Source: DarkOwl Vision

Final Thoughts on Romance Scams

Romance scams are part of a complex criminal enterprise that exploits unsuspecting individuals emotionally and, often, with devastating financial consequences.

Per our analysts' research, there is an overlap between the people who run these scams on the surface web and those who actively use the darknet. The darknet and darknet-adjacent sites are where victims go to get help, and where scammers buy the tools and guides to scam more effectively.

For these reasons, the darknet is a valuable source to monitor in order to combat romance scams and slow the pace at which they are proliferating. Put differently, the darknet teaches the next generation of scammers to be more sophisticated while also educating the next potential victims on what to look for and how to protect themselves.


Wondering how darknet data applies to your business? We want to show you! Contact us.


Quick Definitions: 

Fraud: an umbrella term, legally referring to various types of chargeable criminal offenses. Fraud is serious criminal business; scams are considered more minor offenses by comparison. Fraud can be thought of as a felony, and a scam as a misdemeanor.

Scams: a particular segment of fraud. Scams are theft of funds with the victim's permission or knowledge, while fraud is financial theft without the victim's permission or knowledge.

Romance scam: social deception designed for financial gain. Because the victim willingly gives money, romance scams are not tagged as fraud; they fall under social media scams.

Catfishing: using stolen or false information to create a fake identity and trick someone into giving up information or money.

eWhoring: a specific type of social engineering in which the offender poses as a virtual partner in a romance scam or virtual sexual encounter. Victims are asked for money in exchange for more image content or are duped into a romance scam. eWhoring packs sold on darknet marketplaces and forums consist of leaked or stolen intimate pictures, or content stolen from adult sites such as OnlyFans and resold.

Social Engineering: psychologically manipulating people into doing things or sharing confidential information.

For a full list of darknet terms, check out our Glossary

DarkOwl Represents Darknet Data at CyberTech Global

February 10, 2023

Last week, DarkOwl participated in CyberTech Global in Tel Aviv, Israel, where cyber industry executives, government officials, and decision makers from sectors including critical infrastructure, insurance, retail, health, government, defense, R&D, manufacturing, and automotive gather from around the world. The event showcases the latest technology, innovations, and trends in the cyber security space. CyberTech describes itself as "the cyber industry's foremost B2B networking platform conducting industry-related events all around the globe," with events from Tel Aviv and Rome to Tokyo, Singapore, Panama, and more. The DarkOwl team was thrilled to sponsor this year and to represent the importance of actionable darknet data in any security posture, product, or tool.

“Cyber. We live it. Breathe it. All at the forefront of global innovation.” – CyberTech Global

CyberTech Global proved to be a great event for networking and meeting key players in cyber from multinational corporations, startups, and government agencies. As companies and individuals continue to go digital, cyber attacks and criminals become more sophisticated, and it is imperative that the industry continues to work together and innovate to combat cybercrime. Representing DarkOwl at CyberTech Global were Russell Cohen, President and CFO, based at DarkOwl's headquarters in Denver, CO, and David Alley, CEO of DarkOwl FZE, based in Dubai.

CyberTech Global is truly a global conference, with countries from all over the world presenting throughout the week. There were representatives from Israel, the United States, Canada, the United Arab Emirates, Morocco, Thailand, the United Kingdom, Italy, Rwanda, Japan, Belgium, Greece, and several more. They covered topics ranging from cyber war to application security, cyber and human rights to API security, and supply chain security to cloud security. According to CyberTech Global, the 2023 event in Tel Aviv was record breaking in terms of attendance. The conference provided endless networking opportunities and a focus on in-person relationship building.

Russell Cohen, CFO and Co-Founder of DarkOwl, noted "Everyone who came to our booth knew about the darknet. I mean everyone; high school, college students, and retired army or former cybersecurity professionals. All knew about what made the darknet unique." This supports DarkOwl's mission of being the leading provider of actionable darknet data; our passion, our focus, and our expertise is the darknet. Access to darknet data is no longer a "nice to have"; it is essential for analysts and cyber security leaders alike to inform sophisticated cybersecurity programs and decisions. Monitoring the darknet for direct or potential threats to a business is a necessity in order to act before a potentially devastating cybersecurity incident.


DarkOwl looks forward to continuing its presence at CyberTech Global events in the future. You can see which conferences we will be attending and request time to chat with us here.

Super Bowl Security and the Darknet

February 08, 2023

Events that bring masses of people together are inherently attractive to cyber threat actors. For one, a large physical crowd offers opportunities for close-proximity attacks. But the cyber threats around large-scale events are much more complex. Well before fans, performers, media teams and vendors arrive at the stadium that Sunday, numerous betting transactions will have been made, sponsorship payments delivered, and fantasy app accounts created. Each of these digital touchpoints offers threat actors an opportunity for exploitation and theft.

Taking a closer look at the cyber threat landscape around Super Bowl LVII, our analysts turned to the darknet and found examples of key game-day vendors with darknet exposure, including exposed credentials and chatter around malware that could give hackers access to key vendor technologies such as ticket payment systems.

The Super Bowl as a Target for Hackers 

Cyber incidents affecting large-scale events have ranged from "hacktivists" making political statements to disruptive attacks that have knocked out stadium IT systems, as seen at the 2018 Winter Olympics.

While an attack of that magnitude has not been successfully carried out against the Super Bowl to date, experts agree that it remains a highly attractive target. A recent example illustrates this: just before Super Bowl LIV in January 2020, the OurMine group took over teams' Twitter accounts as well as the official account of the National Football League. Per reporting, 15 teams had their Twitter or Instagram accounts compromised, along with accounts belonging to ESPN and the UFC.

Darknet Risks to the Super Bowl: Key Vendors Pose Supply Chain Risk

The following findings from our analysts are presented using screenshots from the darknet (and darknet-adjacent sources such as Telegram), as well as from DarkOwl Vision, our darknet threat intelligence tool.

Gambling & Online Sports Betting Apps 

This year, gambling and sports betting apps are a highly attractive target for hackers for several reasons. After legislation legalized sports betting across much of the country, these apps are available to, and used by, a far larger share of the population than in previous years.

These services are also typically connected to a payment system, allowing users to place bets and access their transactions with minimal effort. From a threat actor's perspective, that makes digital sports betting apps among the most likely targets for phishing campaigns and account takeover.

DraftKings 

Below is an example of a threat actor selling stealer logs for DraftKings on the darknet site Russian Market. These logs include stolen browser session cookies; by importing a still-valid session cookie into their own browser, an attacker resumes the victim's already-authenticated session and never has to enter the password or complete the multi-factor prompt. In this case, the vendor is offering "premium" stealer logs for just $10.

Stealer logs are typically harvested by a class of malware known as "info stealers," such as Raccoon and RedLine.
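To make concrete why a stolen session cookie sidesteps MFA, here is an added example, constructed for this post and not DraftKings' code or any vendor's real implementation. It contrasts a session check that trusts cookie possession alone with one that binds the session to the client it was issued to and demands a fresh MFA step before a cash-out. The function names, the lifetime and step-up values, the client fingerprints and the session IDs are all assumptions.

```python
import hashlib
from dataclasses import dataclass

# Assumed policy values for this hypothetical service.
SESSION_LIFETIME = 12 * 3600   # absolute session lifetime, seconds
STEP_UP_WINDOW = 5 * 60        # sensitive actions need MFA passed within the last 5 minutes
SENSITIVE_ACTIONS = {"withdraw", "change_email", "add_payment_method"}


def fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Coarse client binding: user agent plus the client's /24. A cookie lifted
    by an info stealer and loaded into the attacker's browser will not match."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    created: float    # login time
    fp: str           # client fingerprint captured at login
    last_mfa: float   # time the MFA prompt was last passed


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, cookie: str, ua: str, ip_prefix: str, now: float) -> None:
        # Login completes the MFA prompt, so the step-up clock starts here.
        self.sessions[cookie] = Session(user, now, fingerprint(ua, ip_prefix), now)

    def record_mfa(self, cookie: str, now: float) -> None:
        self.sessions[cookie].last_mfa = now


def authorize_vulnerable(store: SessionStore, cookie: str, action: str,
                         ua: str, ip_prefix: str, now: float) -> bool:
    """Possession of the cookie is the only check. A session cookie from a
    stealer log passes exactly as the victim's own browser would, MFA included."""
    return cookie in store.sessions


def authorize_hardened(store: SessionStore, cookie: str, action: str,
                       ua: str, ip_prefix: str, now: float) -> bool:
    s = store.sessions.get(cookie)
    if s is None:
        return False
    if now - s.created > SESSION_LIFETIME or s.fp != fingerprint(ua, ip_prefix):
        # Expired, or presented from a different client: kill it and force re-login.
        del store.sessions[cookie]
        return False
    if action in SENSITIVE_ACTIONS and now - s.last_mfa > STEP_UP_WINDOW:
        return False   # caller must re-prompt for MFA before cashing out
    return True


def replay_stolen_cookie() -> tuple[bool, bool]:
    """Victim logs in; the cookie is exfiltrated; an hour later the attacker replays
    it from their own machine to withdraw. Returns (vulnerable, hardened) verdicts."""
    victim_ua, victim_net = "Mozilla/5.0 (Windows NT 10.0) Chrome/110", "203.0.113"
    attacker_ua, attacker_net = "Mozilla/5.0 (X11; Linux) Firefox/109", "198.51.100"
    cookie = "b7c1f0e2d9a4"   # constructed session ID
    verdicts = []
    for check in (authorize_vulnerable, authorize_hardened):
        store = SessionStore()
        store.login("victim", cookie, victim_ua, victim_net, now=1000.0)
        verdicts.append(check(store, cookie, "withdraw", attacker_ua, attacker_net, now=4600.0))
    return verdicts[0], verdicts[1]


def legitimate_user_flow() -> tuple[bool, bool, bool]:
    """Same client throughout: browsing keeps working, a withdrawal after the
    step-up window lapses is refused, and it succeeds again after fresh MFA."""
    ua, net = "Mozilla/5.0 (Windows NT 10.0) Chrome/110", "203.0.113"
    cookie = "4f9a0c11"
    store = SessionStore()
    store.login("victim", cookie, ua, net, now=1000.0)
    browse = authorize_hardened(store, cookie, "view_balance", ua, net, now=4600.0)
    stale = authorize_hardened(store, cookie, "withdraw", ua, net, now=4600.0)
    store.record_mfa(cookie, now=4610.0)
    fresh = authorize_hardened(store, cookie, "withdraw", ua, net, now=4620.0)
    return browse, stale, fresh
```

The fingerprint check is deliberately coarse and will still cause friction for users whose address changes mid-session (mobile networks, VPNs); the control that actually limits the "instant cash" listings is the step-up rule, which makes a replayed cookie worth very little even when it is accepted for browsing.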

Figure 1: DraftKing Stealer Logs for sale on a darknet marketplace, Screenshot: DarkOwl Vision, Original Source: Tor, Russian Market

Hackers also gain access to existing DraftKings accounts using more traditional methods such as credential stuffing, in which combolists of exposed email and password pairs from earlier breaches are replayed against the login page in bulk.
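As an added example of the defender's side of credential stuffing (ours, not code from the page's sources), the script below parses a combolist in the email:password forms commonly traded, keeps only the domains an organisation is responsible for, and checks each leaked password against a PBKDF2 user store to separate accounts whose current password is exposed from stale entries. The combolist text, the `example.com` domain and the user accounts are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed combolist sample in the separator styles seen in the wild; not real leaked data.
COMBOLIST = """\
alice@example.com:Summer2022!
bob@example.com;Password1
carol@gmail.com:hunter2
dave@EXAMPLE.com|Welcome123
this line is not a credential
eve@example.com:
"""

MONITORED_DOMAINS = {"example.com"}   # assumed: the mail domains your organisation owns

# email, then one of the separators ':' ';' '|', then a non-empty password
_CRED = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(.+?)\s*$")


def parse_combolist(text: str) -> list[tuple[str, str]]:
    """Return (email, password) pairs; emails are lower-cased, junk lines are skipped."""
    creds = []
    for line in text.splitlines():
        m = _CRED.match(line)
        if m:
            creds.append((m.group(1).lower(), m.group(2)))
    return creds


def in_scope(creds, domains=MONITORED_DOMAINS):
    """Keep only pairs whose mailbox domain is one we can act on."""
    return [(e, p) for e, p in creds if e.rsplit("@", 1)[1] in domains]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_user_store() -> dict[str, tuple[bytes, bytes]]:
    """Stand-in for the directory: per-user salt and PBKDF2 digest (constructed accounts)."""
    current = {"alice@example.com": "Summer2022!",     # still using the leaked password
               "bob@example.com": "S0mething-Else",   # already rotated
               "dave@example.com": "Welcome123"}      # still using the leaked password
    store = {}
    for email, pw in current.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(pw, salt))
    return store


def triage(creds, users) -> dict[str, str]:
    """Classify each in-scope leaked pair against the live directory. A pair whose
    password still verifies is an open door for credential stuffing: force a reset
    and revoke sessions. A stale pair is lower priority but still worth noting."""
    report = {}
    for email, pw in creds:
        if email not in users:
            report[email] = "no-such-account"
            continue
        salt, digest = users[email]
        if hmac.compare_digest(hash_password(pw, salt), digest):
            report[email] = "CURRENT-PASSWORD-EXPOSED"
        else:
            report[email] = "stale-password"
    return report


def run() -> dict[str, str]:
    return triage(in_scope(parse_combolist(COMBOLIST)), build_user_store())


if __name__ == "__main__":
    for email, status in run().items():
        print(f"{email}: {status}")
```

The same triage is what a login service should do in reverse at authentication time: a password that appears in a known dump for that exact account is grounds to reject the login and force a reset, whichever side of the combolist you are on.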

In the screenshot below, a user on Telegram lists DraftKings as one of the services they have cracked (likely stolen) login credentials for.

Figure 2: DraftKings accounts among the many listed under compromised credential combolists, Screenshot & Original Source: Telegram 

Other listings for stolen DraftKings accounts on Telegram are more explicit, with some offering accounts that come with pre-existing balances, as well as methods to bypass multi-factor authentication.

As demonstrated in the screenshots below from Radiant's Market, the listing for "DraftKing + bal (New method instant cash)" accounts appears alongside similar listings for other services popular with NFL fans, including FanDuel and SuperDraft.

Figure 3: Listing on Telegram for compromised accounts including popular NFL affiliated vendors, Screenshot & Original Source: Telegram, Raidiant Market

BetMGM

The screenshot below from DarkOwl Vision shows multiple listings for BetMGM accounts (in the preview window on the left), as well as a noteworthy result from the darknet carding forum WWH Club: a post from a Russian-speaking threat actor looking to buy "betmgm.com and fanduel accounts".

That this solicitation was posted on a carding forum indicates the actor is actively seeking BetMGM accounts, even linking their Telegram handle for potential sellers. Combined with the numerous listings for already-cracked BetMGM accounts, this demonstrates that they are a desirable target for hackers.

Figure 4: Post on a darknet marketplace soliciting for BetMgM (and Fanduel) accounts, Screenshot: DarkOwl Vision, Original Source: Tor,  WWH Club 
Figure 5: Post on a darknet marketplace soliciting for BetMgM (and Fanduel) accounts, Screenshot: & Original Source: Tor, WWH Club 

Banking Systems

Truist

In January 2021, Truist signed a multi-year deal to be the official retail bank of the NFL. Under the agreement, Truist is the exclusive financial services provider for all facets and personnel within the NFL, including player contracts. Per its website, the services Truist offers include:

  • Banking products and services, including loans and deposit accounts
  • Investment management services  
  • Securities, brokerage accounts and /or insurance (including annuities)  
  • Investment advisory services  
  • Life insurance products 

The partnership also has a heavy branding component, with the Truist logo now featured on official NFL materials and marketing campaigns. Truist's role in the NFL's financial operations, together with a brand partnership that ties the two so closely, makes Truist a critical asset for the league and an attractive target for threat actors.

Below are several examples of actors on the darknet and deep web actively targeting Truist Bank. 

Figure 6: Post on the forum Cracking X offering a Truist bank account for sale, Screenshot: DarkOwl Vision, Original Source: Telegram, Cracking X 

In the screen capture from DarkOwl Vision above, a user on the site Cracking X offers access to cracked Truist bank accounts for as little as $60.

Figure 7: Another offer for Truist.com accounts on the Cracking X channel, Screenshot & Original Source: Telegram, Cracking X 

Below, two different vendors offer Truist bank accounts with debit logs. Both listings advertise that the accounts come with associated personally identifiable information including login credentials, SSN, date of birth, and email access for bypassing multi-factor authentication; control of the victim's mailbox lets the buyer receive password reset links and one-time codes, which is why it is bundled.

The first example pictured contains several listings for stolen or fraudulent Truist bank accounts. One of these advertised listings allegedly contains a balance of $122,000 and is listed for only $1,200 US dollars.  

In the second screenshot, taken directly from Telegram, a more modest listing offers a Truist account with an alleged $14,000 balance for $250 US dollars.  

Figure 8: Hacked Truist Accounts with Debit Logs and PII on offer for sale, Screenshot: DarkOwl Vision, Original Source: Telegram 
Figure 9: Hacked Truist Accounts with Debit Logs and PII on offer for sale, Screenshot & Original Source: Telegram 

Ticket Payment Systems

StubHub

StubHub is the official ticket payment system of the Super Bowl, and DarkOwl analysts found numerous instances of StubHub data on the darknet.

Figure 10: Source DarkOwl Vision

Above is a listing from a stealer log marketplace called 2easy Shop, which has a large Russian-speaking userbase. Here, a threat actor is selling stealer logs covering a victim's accounts on StubHub and all the other domains listed. Logs like these typically sell in bulk for around $10-$20.

Below, users on Telegram offer access to cracked Stubhub accounts, including some that have access to order history and payment methods. 

Figure 11: Users on Telegram sell stolen StubHub accounts, Screenshot: DarkOwl Vision, Original Source: Telegram 
Figure 12: Users on Telegram sell stolen StubHub accounts, Screenshot & Original Source: Telegram 

Streaming Services 

Sunday Ticket  

NFL Sunday Ticket is a streaming package provided exclusively by DirecTV. While unlikely to pose a direct threat to the NFL itself, the service is frequently defrauded by hackers who crack, sell, and trade stolen accounts.

YouTube TV 

While not officially associated with the NFL yet, YouTube is slated to pay around $2 billion a year for the rights to the Sunday Ticket package starting in 2024, taking it over from DirecTV. The deal presently does not include commercial rights or give YouTube TV a stake in NFL Media, but negotiations are ongoing and that is expected to change. So, while YouTube and its parent company Google are a low-risk asset for this year's Super Bowl, they are something to keep an eye on next season.

Cyber Risks to the Super Bowl: The Bigger Picture 

While the dispersed and seemingly small-scale nature of these vendors' darknet footprints may make them appear inconsequential, the bigger picture matters. Threat actors are likely to continue ramping up attacks around this event, which, beyond the financial consequences, can significantly damage corporate brand reputation.

With attack vectors becoming ever more sophisticated, large events like the Super Bowl, which bring together people and technology at such magnitude in such a concentrated period, offer a unique opportunity to threat actors. By maintaining visibility into threat actor activity on the darknet, NFL fans, vendors, and corporate decision makers can put themselves in the best position to get ahead of and respond to cyber incidents.


Interested in learning how darknet data applies to your use case? Contact us.

Threat Intelligence RoundUp: January

February 01, 2023

Starting this year, our analyst team decided to share a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. New Dark Pink APT Group Targets Govt and Military with Custom Malware – Bleeping Computer

A new advanced threat actor known as Dark Pink or Saaiwc is using custom malware to steal confidential information, including microphone recordings, and to spread via USB. Initial access comes through phishing emails disguised as job applications that prompt the victim to download a malicious ISO file. One attack chain deploys the Cucky or Ctealer information stealers, and another uses a custom DLL side-loading procedure to run a custom malware named KamiKakaBot. Read full article.

2. Emotet Malware Makes a Comeback with New Evasion Techniques – The Hacker News

Emotet has returned with new detection-evasion techniques, including an SMB spreader for lateral movement that uses hard-coded usernames and passwords, and a credit card stealer targeting the Chrome browser. Emotet first appeared as a banking trojan in 2014, was taken down by authorities in 2021, and returned later that same year. It is modular, typically distributed via phishing, and treated as an advanced persistent threat. Because Microsoft now blocks macros in files from the internet by default, they can no longer be relied on for initial infection. The new method has victims move a decoy Microsoft Excel file into the default Office Templates folder, which Office treats as a trusted location, so the file's macros run without the usual warning. Read more.

3. Too Many Default ‘admin1234’ Passwords Increase Risk for Industrial Systems, Research finds – CyberScoop

Recent research shows that critical infrastructure companies, most of which are privately owned, are lacking in cybersecurity best practices, a major concern for the Biden administration since critical infrastructure underpins almost every aspect of daily life. Read more.

4. FBI Says North Korean Hackers Behind $100 Million Horizon Bridge Crypto Theft – The Hacker News

The FBI has confirmed that North Korean hackers from the Lazarus Group and APT38 stole $100 million in cryptocurrency from the Harmony Horizon Bridge. APT38 specializes in financial cyber operations and is considered a North Korean state-sponsored actor. The initial attack vector involved social engineering employees with what appeared to be a recruitment effort, leading them to download "rogue" applications. Part of the funds have since been frozen. The remaining BTC was transferred to 11 separate wallets controlled by the actor, who attempted to obfuscate the trail by moving funds across the Avalanche, Ethereum, and Tron networks. Read full article.

5. Hackers Now Use Microsoft OneNote Attachments to Spread Malware – Bleeping Computer

Microsoft OneNote is installed by default with Microsoft Office 2019 and Microsoft 365. Threat actors are using it to deliver remote access malware via phishing emails. The malware is reportedly capable of lateral movement, stealing passwords, and stealing cryptocurrency wallets.

The phishing emails have posed as DHL shipping notifications and shipping documents, invoices, ACH remittance forms, and mechanical drawings. OneNote does not support macros, but it lets users insert file attachments into a notebook, and double-clicking an attachment launches it. Threat actors are abusing this by "attaching malicious VBS (Visual Basic Script) attachments." When double-clicked, the VBS file runs and downloads and installs malware from a remote site. Read here.
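Because the attachment is just a file stored inside the notebook, a defender can carve it back out without opening OneNote. The added example below (ours, not from the article or its sources) walks a .one byte stream for FileDataStoreObject headers as laid out in Microsoft's MS-ONESTORE specification, extracts each embedded file, and flags scripts and executables. The sample notebook bytes, including the harmless VBS stand-in and the deliberately truncated object, are constructed inline.

```python
import struct
import uuid

# Header and footer GUIDs of a FileDataStoreObject from the MS-ONESTORE specification,
# stored on disk in Windows GUID (mixed-endian) byte order.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_HEADER_LEN = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved

SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"powershell", b"cmd /c", b"cmd.exe")


def carve_embedded_files(blob: bytes) -> list[bytes]:
    """Walk the file for FileDataStoreObject headers and return each embedded
    file's raw bytes. Objects whose declared length does not end at a footer
    are treated as malformed and skipped rather than trusted."""
    found, pos = [], 0
    while (i := blob.find(FDSO_HEADER, pos)) >= 0:
        if i + FDSO_HEADER_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, i + 16)
        start, end = i + FDSO_HEADER_LEN, i + FDSO_HEADER_LEN + length
        if end + 16 <= len(blob) and blob[end:end + 16] == FDSO_FOOTER:
            found.append(blob[start:end])
            pos = end + 16
        else:
            pos = i + 16   # bad length or missing footer: resume after this header
    return found


def classify(data: bytes) -> str:
    """Cheap triage of an embedded file: PE by magic, script by keyword, else other."""
    if data[:2] == b"MZ":
        return "pe-executable"
    head = data[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "other"


def scan(blob: bytes) -> list[str]:
    return [classify(f) for f in carve_embedded_files(blob)]


# --- constructed sample standing in for a phishing .one file -----------------

def wrap_fdso(data: bytes) -> bytes:
    """Build one FileDataStoreObject around `data`."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FDSO_FOOTER


BENIGN_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40               # decoy picture
LURE_SCRIPT = (b'Set sh = CreateObject("WScript.Shell")\r\n'     # harmless VBS stand-in
               b'sh.Run "notepad.exe", 0\r\n')
TRUNCATED = FDSO_HEADER + struct.pack("<Q", 10**9) + b"\x00" * 12  # bogus length, no footer

SAMPLE_ONE = (b"\x00" * 64 + wrap_fdso(BENIGN_IMAGE) + b"\xff" * 32
              + wrap_fdso(LURE_SCRIPT) + b"\x00" * 16 + TRUNCATED)

if __name__ == "__main__":
    for idx, verdict in enumerate(scan(SAMPLE_ONE)):
        print(f"embedded file {idx}: {verdict}")
```

The carving depends only on the object layout from MS-ONESTORE, so it applies to real .one attachments as well as this sample. The display name OneNote shows for an attachment lives in separate property data and is not recovered here; a mail-gateway rule should treat any carved script or executable as suspect regardless of the name the lure presents.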

6. Dridex Malware Now Attacking macOS Systems with Novel Infection Method – The Hacker News

A variant of the Dridex banking malware, associated with Evil Corp, has been observed using a new infection method to target macOS systems. Since Microsoft now blocks macros by default, the variant instead arrives as a Mach-O executable that overwrites the user's document files with copies carrying Dridex's malicious macros, so the macros spread along with the user's own documents. Read full article.

7. Iranian Government Entities Under Attack by New Wave of Backdoor Diplomacy Attacks – The Hacker News

The Iranian government experienced cyberattacks by the threat actor BackdoorDiplomacy between July and December 2022. The actor has also been tied to a number of attacks targeting government entities since 2010. Read more.

8. CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems – The Hacker News

On January 18, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Industrial Control Systems (ICS) advisories for Siemens, GE Digital, and Contec products. Less than a week earlier, CISA had released 12 other advisories affecting Sewio, InHand Networks, Sauter Controls, and Siemens. Read more.

9. Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App – The Hacker News

Analysis reveals weaknesses in Threema's cryptographic protocols, including attacks that let an adversary impersonate a client, clone the victim's account, and recover private keys, among others. The company has countered that, while the findings are interesting in theory, in most cases the preconditions needed to carry out the attacks would have larger ramifications than the findings themselves. Read here.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Data Privacy: The Basics

January 27, 2023

According to a 2022 poll by Ipsos, 84% of Americans are highly concerned about their personal data safety and privacy on the internet, and 37% reported that they have fallen victim to an online data breach. More specifically, 86% of Americans believe that businesses and organizations collect more information than they need, and 51% are worried that this data could fall into the wrong hands.

Given the growing concern Americans have regarding data privacy, as shown in the statistics above, and in honor of Data Privacy Week, our analysts decided to shed some light on what data privacy is, why it is important to understand, the role the darknet plays in data privacy, and how DarkOwl views data privacy. According to the National Cybersecurity Alliance, the goal of Data Privacy Week is to spread awareness about online privacy; data privacy should be a priority for individuals and organizations alike.

An Intro to Data Privacy 

According to the Storage Networking Industry Association “data privacy, sometimes also referred to as information privacy, is an area of data protection that concerns the proper handling of sensitive data including, notably, personal data but also other confidential data, such as certain financial data and intellectual property data, to meet regulatory requirements as well as protecting the confidentiality and immutability of the data.” 

Personal data or Personally Identifiable Information (PII) is data tied to a specific individual that could potentially identify them. This would include one’s social security number, address, contact information, medical records, online behavior and more. Data privacy is the idea that an individual can decide what personal information to share and with whom. 

As the internet plays a vital role in our daily lives, the importance of data privacy continues to grow. Understanding what you are sharing and how that information is used is increasingly vital to ensuring your data is protected.

Cybercriminals Are After Your Personally Identifiable Information (PII)

A recent study by Imperva found that 42.7% of the time, hackers go after personally identifiable information (PII). The number of compromised records has grown 224% since 2017, and cybercriminals trade PII on the darknet because it is the most valuable information for committing fraud or identity theft. The darknet continues to grow at an alarming rate, and as the darknet data market grows in product variety and volume, prices fall.

PII and Credentials

DarkOwl’s Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

The data stored in DarkOwl’s repository offers a stark glance into the vast amount of PII exposed on the darknet and deep web. As of time of publishing, DarkOwl’s database contains:

  • 392,474 Unique social security numbers
  • 9,333,991,605 Email Addresses
  • 2,543,145,887 Unique email with associated passwords 
  • 1,974,025,999 IP Addresses
  • 16,725,211 Credit Card Numbers

Figure 1: Example of PII being offered for sale on a Tor darknet site, including Social Security Numbers, Source: DarkOwl Vision
Figure 2: Example of Corporate Gmail accounts being sold for as little as $13.16 USD on a darknet marketplace, Source: DarkOwl Vision

Exploitable Financial Banking/Credit Card Info

Figure 3: Breakdown of exposed Credit Card Numbers in DarkOwl’s data by type, Source: DarkOwl Vision

One way threat actors leverage the trove of PII on the darknet, including credential, healthcare, and account data, is to cross-reference it with other, seemingly unconnected information (such as card numbers) to piece together and exploit payment information. This often includes hacked and verified credit cards, some of which come with a pre-disclosed balance.

DarkOwl frequently observes these types of items for sale on darknet marketplaces, as pictured here.

According to a recent study by Privacy Affairs, credit card data such as a Walmart account with attached card details can be purchased for just $10, and US credit card details with CVV for just $17.

By having visibility into the exposed data on the darknet, businesses can ensure their clients' and customers' PII is not being exploited for financial gain.

Figure 4: Sample of average cost per sale of credit card information on dark web, Source: Privacy Affairs
Figure 5: Example of multiple accounts and credit card/financial assets for sale – likely as the result of threat actors taking advantage of various instances of leaked data, Source: DarkOwl Vision

Tips to Protect Your Data 

For Individuals

The National Cybersecurity Alliance provides lots of tips and tricks to help individuals protect and manage their personal data, from adjusting privacy settings to turning on multi-factor authentication (MFA) and how to identify phishing messages. This article from CyberNews also provides tips and free tools to protect your data.

Some tips from DarkOwl analysts: 

  • Don’t reuse passwords across different accounts 
  • One in five passwords is “easy to guess” – make sure your password does not include personal information such as birth dates or family names. 
  • Use an automated complex password manager like Lastpass, Bitwarden, or 1Password
  • Use multi-factor authentication (MFA) for important accounts like financial and banking sites
  • Follow this step-by-step guide to removing your personal info from common web directories such as ZoomInfo and Whitepages.com

For some interesting statistics around passwords, check out our infographic; for more information on password best practices, check out our blog.

For Businesses

For businesses, the Federal Trade Commission provides a great resource when it comes to protecting the personal information of employees and customers, as almost all companies keep some level of personal information in their files. If this information is leaked or falls into the wrong hands, there is a large risk of reputational and financial loss, not to mention lawsuits. As the FTC states, “safeguarding personal information is just plain good business.”

Additional tips from DarkOwl’s IT and Security Teams center around honing in on what matters the most to your business. For example, a company that houses large quantities of sensitive customer data in-house will likely need to focus on safeguarding that information via internal measures to a greater extent than a company that works with third-party companies to store such information. In the latter case, a greater emphasis may be placed on managing potential risks to the vendor storing this customer data, as well as putting additional restrictions around email communications and network privileges granted to that vendor.

Phrased differently, in order for companies to keep their data safe, security teams need to audit and assess which data is the most vital to protecting the operations and privacy of the organization and its customers, as well as what type of data that is. Once that is determined, businesses should:

  • Control access to that data by implementing least privilege access measures
  • Encrypt it
  • Install an alerting system that logs actions and can alert proper people on events

Further recommendations include:

  • Implement security training across the company
  • Physically safeguard on-premises data if you house it yourself
  • Move to the cloud
  • Monitor third-party access
  • Keep software up to date
  • Routinely check industry standards
    • Security Technical Implementation Guides (STIG)
    • National Institute of Standards and Technology (NIST)
    • Institute of Electrical and Electronics Engineers (IEEE)
    • Open Web Application Security Project (OWASP)
    • International Organization for Standardization (ISO 27000 series)

DarkOwl’s Stance on Data Privacy

DarkOwl considers data privacy to be one of the most important aspects of a business’s cybersecurity posture. To put this into practice, we have continually invested in technologies and practices that ensure that both our internal system data and all information related to our clients and partners are highly protected.

For example, customer search and query information processed by the DarkOwl API offerings is not saved or logged for any period. Furthermore, all end-user login information is safeguarded in accordance with the most up-to-date privacy and security recommendations, including least-privilege access parameters as well as others that minimize human risk.

Of additional note, none of the data we collect is purchased or illegally obtained, making DarkOwl the most prolific darknet dataset on the market that does not enable or perpetuate cybercrime. You can find out more about where we get our data here.


To learn more about how your business can make sure to protect your customers’, prospects’, and employees’ PII, contact us.

What is Retail Fraud?

January 25, 2023

The simplest way to describe retail fraud is theft from a commercial retail establishment resulting in financial loss and harm to the retailer. Retail fraud is a criminal offense and there is a myriad of ways retail fraud can occur, both physically in a store and virtually online. With a shift towards more e-commerce-centric shopping environments, virtual retail fraud at scale has surged and darknet cyber criminals are at the crux of this fraud economy. In this blog, DarkOwl analysts review some of the most popular methods in use by cyber criminals and retail fraud related discussions observed in underground criminal networks.

Purchasing and/or Reselling Goods for Less than Market Value

Freebie Bots

Since most retailers have inventory available for purchase online, there is a growing network of opportunistic software developers deploying “bots” designed to capitalize on human errors and mispriced product SKUs (stock-keeping units). Freebie bots scour the Internet, scraping e-commerce websites to discover items that have been accidentally mispriced, and then purchase those products in bulk for resale. The developer or administrator of the bot will resell those items on other sites such as eBay, Alibaba, and others, gaining significant profit. Since the retailer is beholden to transact at the erroneous price, the retailer is negatively impacted financially because they end up filling a high volume of mispriced orders.

Such bots are regularly discussed and traded on popular darknet adjacent chat platforms like Discord. In the figure below, threat actors discuss the “cook group bot” where deals from online food services are scraped and available for exploitation.

Figure 1: Source DarkOwl Vision
Figure 2: Freebie bot advertisement Source: Telegram, Channel Redacted

Counterfeits

The illicit trade of counterfeit goods is a long-proven multi-billion-dollar international industry which, according to counterfeit experts, continues to be led by China. According to Europol, surface web monitoring helps crack down on the major counterfeit goods suppliers, but many sophisticated networks have simply shifted to the darknet and use decentralized darknet markets to sell their counterfeited items.

DarkOwl has observed darknet marketplaces that feature a section of “counterfeit goods” comprised of physical counterfeited items a buyer can purchase and have sent to them directly. Watches and fine jewelry are the most common physical goods offered on underground marketplaces, but clothing and electronics are also often on offer.

Figure 3: Listing for counterfeit Rolex watches on Nemesis Source: Tor Anonymous Network

Sweethearting

Sweethearting is a term used to describe a type of social engineering where employees are manipulated by criminals to give away or falsely discount products for purchase and/or potential future resale. Employees are often eligible for store discounts, 20 to 30% off the purchase total, which are applied to purchases initiated by the fraudster.

Employees typically give these undeserved discounts to close friends and family members, but in other cases, employees have been conned into giving them to criminals as well. Such discounts can add up over time. One such example of costly sweethearting involved an ex-Amazon employee from Arizona who issued $96,000 worth of refunds to accounts that they owned or were under their control.

Point of Service (POS) Malware

In addition to social engineering-led fraud, there is a subset of threat actors who develop malware and viruses designed to take advantage of Point of Service (POS) systems to conduct advanced retail fraud.

Such malicious code gives the attacker remote command and control of the front and back ends of the system, allowing prices to be manipulated at scale or as needed for individual fraudulent transactions. Often, such malware is utilized to apply steep discounts and manipulate SKU prices. A threat actor can remotely and temporarily manipulate the price without the retailer’s knowledge, and transactions still appear legitimate until a financial audit discovers the price (and subsequent profit) discrepancies.

Figure 4: POS malware advertised Source: Telegram, Channel Redacted

Refund-Specific Fraud

There are multiple forms of e-commerce fraud which usually entail purchasing items online with the intention of keeping the items while receiving financial compensation for a supposed defect or issue with delivery of the item. Popular methods of e-commerce refund fraud discussed on the darknet include using refunds-as-a-service, directly targeting employees, and did not arrive (DNA) fraud.

Refunds-as-a-service is a darknet affiliate scheme, primarily discussed on Telegram, where refund fraud is committed at scale on behalf of a customer. Customers outsource and solicit expert advice to receive a full or partial financial refund for items bought online and in stores. Like other “as-a-service” commodities on the darknet, the “refund service” providers facilitate fraud for a percentage of the refund.

In this model, the buyer purchases the product and then simply provides the refund service provider with the details of their order and the account and card information associated with it. The service provider then impersonates the customer and utilizes a series of advanced social engineering and phishing techniques to carry out the fraud. These include the use of chat bots to tell emotional stories of lost or damaged goods with the goal of eliciting enough sympathy from the customer service representative to give a refund regardless of the company’s refund policies.

Proficient social engineers on the darknet can perform this refund service several times a week to easily make money without ever selling their methods. DarkOwl has observed compensation packages averaging 10% of the order value.

Figure 5: Source Telegram, Channel Redacted

Directly Targeting Employees

Similar to Sweethearting, another advanced social engineering refund method involves criminals directly targeting employees. DarkOwl has witnessed threat actors who specialize in fraud discuss the methods that they’ve employed to socially engineer retail employees to get discounts or refunds they didn’t qualify for or deserve. This type of fraud is typically accomplished by forming an emotional connection with the employee and using the connection to extort them and steal from the retailer.

Figure 6: Source DarkOwl Vision from Tor Anonymous Browser

In addition to targeting employees emotionally to get discounts, some refund groups may try and recruit employees to come work for them. This provides the criminal group direct insider access to POS systems, gift cards and voucher codes, and credit card transactions.

Figure 7: Source DarkOwl Vision

Did Not Arrive Fraud

Did not arrive (DNA) fraud is one of the oldest methods of e-commerce-specific refund fraud. In this scam, customers claim that their package never came or was stolen, and will ask for a full refund even though the items did arrive. The international popularity of large e-commerce retailers like Amazon has propelled this type of fraud.

Empty Box Fraud

A similar kind of fraud is empty box or partial-empty box refund fraud. In this case the purchaser lies and claims that an item was packed incorrectly, damaged, or stolen during the shipping process and asks for a full refund. Similarly, a fraudster will order a small high-value item together with a large low-value item and initiate a refund, claiming that the high-value item was not in the package delivered.

Figure 8: Source DarkOwl Vision

Receipt Fraud

Adjacent to retail refund fraud is receipt fraud, which entails generating fake receipts for goods never purchased at the retailer, often for the sole purposes of refund initiation or submitting falsified expense reports.

Threat actors specializing in receipt generation subscription models offer fraudsters access to numerous retailers’ receipt templates for as little as $9.99 USD per month. Both online and in-store purchase receipts are available for purchase. Electronics retailers like Best Buy, NewEgg, and CDW are regularly mentioned in addition to shipping services like FedEx and UPS.

Figure 9: Fake Fuel Purchase Receipt, Source DarkOwl Analysts

FTID (Fake Tracking ID) Scams

DarkOwl has witnessed increased mentions of tracking-related fraud, where scammers purchase expensive and valuable items, such as electronics, with the intent to initiate a return and refund. They request a refund, which prompts the retailer to send them a shipping label to affix to the returned item’s package. Instead of placing the shipping label on a parcel, they put the shipping label on an empty envelope or piece of junk mail, which upon delivery to the mailbox of the business will be mistaken for trash and thrown away. The scammer has the tracking information to prove the label was returned to the retailer’s business address, receives the refund, and keeps the high-value item.

In the example pictured below, a fraudster on a Telegram channel boasts that Amazon workers regularly steal from returned-item mail sorting facilities, which the fraudster offers as a convenient explanation for why the item was not correctly returned.

Figure 10: Source Telegram Channel, Redacted

Wardrobe Fraud

Wardrobe fraud or “wardrobing” is popular with female fraudsters who purchase high-value clothes with the intent of single use and fraudulent return. Often a customer orders an item of clothing, typically an expensive outfit for a black-tie or formal event, wears it one time while concealing the tags inside the dress (or re-attaching them afterwards), and then sends the clothes back to the retailer after use. It is likely that these worn clothes will be damaged and/or dirty. This type of fraud is conducted with both in-store and online purchases.

Darknet Threat Actors Discuss Bypassing Physical Security Measures for Theft

One of the oldest forms of retailer fraud and commerce crime is physical theft of goods from a store. During this research, DarkOwl analysts also uncovered conversations where threat actors revealed methods to bypass loss prevention physical security measures utilized in-stores, such as electronic article surveillance (EAS) ink-tags and RFID (radio-frequency identification) disruption.

Figure 11: Source DarkOwl Vision

Retailers at the Epicenter of Consumer Phishing Attacks and Identity Theft

Fake/Spoofed Websites and Sellers

Oftentimes, a retailer’s brand and reputation will be exploited by threat actors so that they can carry out elaborate scams with advanced phishing and social engineering attacks – mainly with the intention to commit identity theft. Criminals lure victims to malicious sites – with links often delivered via phishing emails claiming to be from a reputable, popular store – and typically advertise a promotion or deal to entice the consumer to click. Phishing emails have become increasingly sophisticated as their delivery mechanisms are designed to evade spam filters using techniques such as URI fragmentation and domain hop architecture.

From our Darknet Glossary, “spoofing” is a method used by cybercriminals in which they falsify the origins of network communication to mislead or misdirect the recipient into thinking they are interacting with a known and trusted source. These websites look legitimate and very similar to the real retailer’s site. Some can also have malware that a customer can unknowingly download.

Spoofing and tricking unsuspecting customers into buying from fraudulent sites is often accomplished by typo-squatting, whereby fraudsters impersonate legitimate sites and services and trick people into using them by changing the spelling of the site ever so slightly so that most don’t notice the difference.

Fraudulent websites can damage the reputation of a commercial retailer and take away sales from customers who would have bought products from the legitimate business. Spoofed websites that result in unhappy customers hurt trust in the brand, potentially impacting future sales and revenue.
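The typo-squatting described above can be caught from the defender’s side by comparing every observed domain against the protected brand. The following is an added example (not DarkOwl’s code, and not a tool the page describes); the brand name, allow-list, homoglyph map, decoy-word list and observed domains are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed map of common look-alike substitutions seen in lookalike domains
# (not an exhaustive Unicode confusables table; single characters first, then digraphs).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "rn": "m", "vv": "w"}


@dataclass
class Verdict:
    domain: str
    flagged: bool
    reason: str


def normalize_label(label: str) -> str:
    """Undo homoglyph substitutions and drop separators so 'wa1mart-login' -> 'walmartlogin'."""
    s = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return re.sub(r"[-_]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); 'walmart' vs 'walmrat' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str, legit_domains: set) -> Verdict:
    """Decide whether `domain` impersonates `brand`.

    legit_domains is the retailer's own allow-list (e.g. {'walmart.com'}); any host
    under those domains is trusted. Every other label of the hostname (the TLD is
    dropped) is normalized and checked for: the brand itself (wrong TLD or brand used
    as a subdomain), the brand glued to a decoy word (walmart-login), or a near-miss
    spelling within a small edit distance (walmrat, wallmart).
    """
    brand = brand.lower()
    host = domain.lower().strip(".")
    if host in legit_domains or any(host.endswith("." + d) for d in legit_domains):
        return Verdict(domain, False, "allow-listed")
    # Short brands get a tighter threshold to limit false positives on ordinary words.
    max_distance = 1 if len(brand) < 7 else 2
    for label in host.split(".")[:-1]:
        norm = normalize_label(label)
        if norm == brand:
            return Verdict(domain, True, f"brand label '{label}' on non-allow-listed domain")
        if brand in norm:
            extra = norm.replace(brand, "", 1)
            return Verdict(domain, True, f"brand combined with '{extra}'")
        dist = levenshtein(norm, brand)
        if dist <= max_distance:
            return Verdict(domain, True, f"'{label}' is edit distance {dist} from brand")
    return Verdict(domain, False, "no resemblance to brand")


def scan(observed: list, brand: str, legit_domains: set) -> dict:
    """Run classify() over a list of observed domains; returns {domain: reason} for flagged ones."""
    results = {}
    for d in observed:
        v = classify(d, brand, legit_domains)
        if v.flagged:
            results[v.domain] = v.reason
    return results


# Constructed sample of domains as they might appear in a feed of newly registered
# or reported hosts; none of these are taken from the page or from a real feed.
OBSERVED_DOMAINS = [
    "walmart.com",          # the real site (allow-listed)
    "www.walmart.com",      # subdomain of the real site
    "wa1mart-login.net",    # digit-for-letter swap plus a decoy word
    "walmrat.com",          # transposed letters
    "walrnart.com",         # 'rn' imitating 'm'
    "walmart.com.br",       # brand on a TLD the retailer has not allow-listed
    "example.org",          # unrelated domain
]

if __name__ == "__main__":
    for dom, why in scan(OBSERVED_DOMAINS, "walmart", {"walmart.com"}).items():
        print(f"{dom}: {why}")
```

An allow-list entry per legitimate country site (the page's Brazilian Walmart example would be one) keeps genuine regional domains from being flagged while still catching lookalikes.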

The figures below show sites that have been verified as phishing domains, e.g. a Brazilian Wal-Mart site and a Wells Fargo client login page, which harvest banking authentication credentials.

Figure 12: Wal-Mart phishing site deployed in Brazil, Source: phishtank.org
Figure 13: A verified phish website for Wells Fargo Bank Source: phishtank.org

Offers to build fake websites and all the tools to facilitate complex phishing campaigns are readily available for sale on the darknet.

DarkOwl analysts observed “custom made websites” available for sale on a darknet marketplace ranging from $50 – $300 USD. Likewise, guides on “how to phish” and create fake e-commerce websites are on offer on darknet marketplaces for as little as $5 – $10 USD with advertised financial profit of $10K USD per month.

The most popular exploited retailers are Uber, Amazon, and Netflix, and phishing kits are often sold in conjunction with “lead lists” containing thousands of private email addresses and phone numbers that can be utilized for sending spam in large volumes.

Figure 14: Netflix “scampage” website for sale, Source: Kerberos Market, Tor Anonymous Browser
Figure 15: Netflix Payment Validation Phishing Site Sample Provided as Proof by Threat Actor
Figure 16: Advertisement for Phishing Kit Guide, Source Kerberos Market, Tor Anonymous Network

Falsifying the Authentication of Scam Pages through Website Certificates

DarkOwl analysts have also noticed website certificates such as SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates for sale in darknet fraud communities. Giving a spoofed website an authentic SSL/TLS certificate helps threat actors with their detection-evasion measures and makes the phishing/scam website look more authentic.

Certificates provide machines a unique identity and communicate trust to visitors of the website and search engines alike. This way hackers and threat actors avoid getting flagged as not trustworthy. DarkOwl also found Russian-based threat actors offering Extended Validation (EV) certificates, widely regarded as the most trustworthy kind of machine identity, for sale on the darknet for upwards of $2400 USD.

Figure 17: EV Certificates for sale on the darknet, Source DarkOwl Vision
[FIGURE TRANSLATED]
EV Code Signing Certificate for sale.
Name and cost
• EV Code Signing certificate – $2450 (production time 1-2 weeks)
• Recording service to our USB Token and shipping across Russia – $200
* $50 discount per review
* A physical USB token is required for EV certificates.
Suitable USB tokens for an EV certificate:
SafeNet eToken 5100
SafeNet eToken 5105
SafeNet eToken 5110
SafeNet eToken 5200
SafeNet eToken 5205
SafeNet eToken Pro 72K
It is possible to register code signing certificates for a specific company name; the conditions are discussed individually.

Fake Delivery and Shipping Notifications – via Email and SMS Phishing Campaigns

Fraudsters and scammers will use lead lists to send large volumes of fake delivery and/or shipping notifications – appearing to come from trusted retail and delivery sources – indicating that there has been an issue with the delivery, that it has been delayed, or that a fee needs to be paid for the package to be delivered.

Usually, the notification includes a link to a fraudulent site prompting users to enter their financial information and PII (which can be leveraged by actors later) or to pay a fee to release the shipment. Such phishing campaigns impersonating retail commerce providers occur via both email and SMS delivery.

Gift Card, Rewards Programs, and Retail Promotion Fraud

Gift card fraud is a lesser-known form of retail fraud, yet popular amongst darknet threat actors. Gift card fraud can occur via insider threats, i.e. employees steal legitimate gift cards, as well as externally, i.e. consumers redeem stolen or counterfeit gift cards.

Fraudsters easily utilize gift cards and vouchers for illicit purchases because these forms of payment have less security protection than traditional credit cards.

Figure 18: Source Telegram, Channel Redacted

Loyalty programs and customer rewards are also stolen and/or counterfeited for resale. DarkOwl analysts have observed numerous prominent retailers mentioned in darknet fraud advertisements, such as Macy’s, Nordstrom, Kohl’s Cash, AMC Theatres, Office Depot, Bath and Body, Top Golf, DSW, Target, Costco, American Eagle, Southwest Airlines, Marcus Theatres, and numerous restaurant and coffee chains. Most gift card and reward program fraud on offer on the darknet involves US-based retailers.

Figure 19: Fraud Vendor Shop, Source: Deep Web

Phishing emails disguised as reward program promotions also lure customers to join fake loyalty programs and enter their personal information, which is systematically harvested, stored, organized by retailer into “logs,” and resold en masse in various darknet data brokerage communities across Tor and Telegram.

Figures 20 & 21: Examples of Phishing reward program promotions, Source DarkOwl Analysts

Final Thoughts

Cyber criminals and those involved in retail fraud have become more convincing, sophisticated, and organized with every holiday season. Retail fraud obviously harms commercial retailers fiscally, but it also impacts the retailer’s reputation, trust in the brand, and customer loyalty over time.

The darknet and darknet-adjacent chat applications play an important role in the evolution and proliferation of such virtual and physical theft techniques and tactics. The darknet provides an interconnected web of fraud methods that can be learned, shared, and constantly updated to outsmart legitimate retailers and trick their consumers.

Retailers can benefit from a regular darknet monitoring service for indications of the most up-to-date methods and malware used for retail fraud, to employ effective detection and countermeasures, and to set up recognition education programs for their employees and stakeholders.


Interested in learning how darknet data plays a vital role in preventing, catching and remediating retail fraud? Contact us.

Insights From the Darknet: API Security

January 12, 2023

API security professionals can benefit from darknet data in forming a more comprehensive understanding of malicious threat actor Tactics, Techniques, and Procedures (TTPs) in order to enact effective, detailed security recommendations, remediations, and product solutions.

API security related topics, such as “API hacking”, “stolen API tokens”, and “API MITM attacks”, are regularly discussed in detail in darknet forums. Similarly, API tokens are frequently sold and traded in underground digital marketplaces, and API exploitation code is shared amongst threat actors.

Considering that API security incidents affected 95% of organizations in the last year (Source), it is more important than ever that the information security community remain aware of shifts in threat actor discussions regarding APIs and the various TTPs that threat actors use to exploit them.

Examples of API Security Incidents

Recent security incidents impacting APIs highlight the need for increased awareness and protection of digital supply chain assets. For example, in 2018, a vulnerable USPS Informed Visibility API endpoint leaked over 60 million US residents’ information. USPS performed and published an audit that detailed some of the issues that resulted from the incident, although much of the key data is redacted.

More recently, in April 2022, GitHub admitted that attackers targeted private repositories through the GitHub API using stolen OAuth tokens. This was likely via a Microsoft OAuth flaw that occurred in December 2021.

Toyota warns of possible data theft after access key left exposed on GitHub

Recently, Toyota was notified of a breach that happened as the result of an API access key for T-Connect, the official Toyota connectivity app, being left publicly available on GitHub. Their T-Connect connectivity app powered utilities like wireless access to vehicles.

Toyota has since announced that over 2,900 records were exposed, giving access to customer names, customer information, and so forth. This is one example of what the threat landscape looks like and what the implications can be of API credentials getting into the wrong hands.

FTX users lose millions to 3Commas API exploit

Similarly, FTX and 3Commas recently revealed that an API exploit was used to make illegitimate FTX transactions. This was done using API keys that were obtained from users via phishing attacks, which gave the attackers access to lateral systems. Eventually, the platform 3Commas came forth publicly to admit that the API keys were obtained from outside of their platform, but the implication still posed a risk to their users. The risk of user account exploitation included threat actors being able to make offsite, unauthorized financial transactions.

An investigation revealed that DMG trades were conducted using new 3Commas accounts and that “the API keys were not obtained from the 3Commas platform but from outside of it.” This suggests that cyber criminals likely gained keys from phishing or browser information stealers, which are frequently discussed and advertised on the darknet.

Informed Delivery Leaks 60 Million Users’ PII

Poor access controls of a United States Postal Service (USPS) API endpoint resulted in a wealth of US persons’ private information available to criminals

In 2018, a vulnerable USPS Informed Visibility API endpoint leaked over 60 million US residents’ information. USPS performed and published an audit that detailed some of the issues that resulted from the incident, although much of the sensitive data is redacted.

USPS Informed Visibility API Code prior to November 20, 2018

Darknet Threat Actors Readily Discuss API Security

On the darknet, stolen API secrets, keys, and session tokens are shared openly and in closed communities. Authenticated darknet discussion forums on Tor, transient paste sites, and Telegram are especially popular with API attack enthusiasts.

Examples from DarkOwl Vision: Stolen API Keys & Security Tokens

Pinnacle, Telnyx, and other API tokens are frequently offered for purchase on darknet forums such as DARKMONEY and similar ‘hacking’ Telegram channels.

Telegram groups offer ‘key checkers’, where the API key is tested ahead of time on behalf of the threat actor. Another example shows Twitter tokens being offered for sale on a ‘cracking’ Telegram group.

Example of Twitter tokens for sale on Telegram (Source: DarkOwl Vision)
Twitter and Discord tokens are shared on transient paste sites, like pastebin.com (Source: DarkOwl Vision)

In another example, DarkOwl analysts have observed a TikTok API token generator for username scanning. Below is a translation of the listing:

“This tool will generate and validate TikTok API tokens, also known as session IDs. This is useful if you are checking usernames through the TikTok API and you have run out of IDs with no speed limit! I advise using 30-100 streams and would definitely turn on a Vpn, because your IP address can be limited very quickly, be careful!”

DarkOwl has also increasingly observed API penetration testing utilities – like GoBuster or Wfuzz – discussed in detail by non-English speaking darknet users. Similar technical discussions are now appearing on malware developer-centric surface web sites, such as CSDN.

Threat actor activity/discussions surrounding API penetration tools (Source: DarkOwl Vision)

Why API Security is so Important

APIs tend to be an underserved element with respect to cybersecurity postures of most enterprises. However, as organizations continue to make efforts to digitally transform their application ecosystems, enterprise services increasingly rely on APIs. As a result, APIs are emerging as the backbone of modern communication and application ecosystems. As more organizations move towards the cloud and similar API technologies, having visibility into any and all credentials that could be exploited is exceedingly crucial.

This shift towards dependency on APIs in the commercial landscape echoes what DarkOwl analysts are seeing in the darknet. Discussions around API exploits, API keys, stealing API keys, and selling them are a relatively new phenomenon in the darknet over the last couple of years, and one that we expect to continue to grow.


Interested in learning more about how darknet data informs API security? Check out our webinar on this topic that we hosted with our partner Corsha for more real-world examples and predictions regarding the future of API security.

Watch the webinar

Content, Content, Content: Top Research Pieces from DarkOwl in 2022

January 03, 2022

Thanks to our analyst and content teams, DarkOwl published over 100 pieces of content this year, a new record for the team. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2022.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Impacts of Ukraine Invasion Felt Across the Darknet 

Figure 1: GhostSec Leaks Data from domain[.]ru Hosting Provider

Beginning in February, the DarkOwl team actively tracked the fallout from Russia’s invasion of Ukraine, through April. The effects of the kinetic military operation caused ripples across the global cyber space including critical underground ecosystems across the deep and darknet, resulting in the first ever global cyberwar. Read blog.

In August, CEO and Co-Founder, Mark Turnage, hosted a webinar on the topic of cyberwar, “What Does a Real Cyberwar Look Like.” Ukraine’s call for help sparked off the first ever global cyberwar which for the first time in history has been waged between two countries simultaneously with a land war. This webinar looked at what we have learned from the cyberwar to date. The transcript and recording can be found here.

2. Darknet Cartel Associated Marketplaces  

In August, DarkOwl analysts discovered multiple escrow-enabled decentralized marketplaces on the dark web that claim to be affiliated with the Sinaloa Cartel. One such marketplace called “Cartel de Sinaloa” is reportedly directly associated with the Sinaloa Cartel and Los Chapitos. Their marketplace uses the same logo – a red and black skull with “Cartel de Sinaloa” written underneath it – as the avatar of a Facebook group page operating with the same name. Another marketplace calling itself “The Sinaloa Cartel Marketplace” focuses on offering hitman for hire style services. Both services require authentication for user access, which forces visitors to create a username and password to view the marketplace past the login screen and adds protection from bots and crawlers. Read more. 

Figure 2: Cartel de Sinaloa Marketplace (post-authentication) on Tor

3. Industrial Control Systems & Operational Technology Threats on the Darknet

Industrial control systems (ICS) and their adjacent operational technologies (OT) govern almost everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all include some degree of ICS/OT incorporated in their industrial processes. Research from DarkOwl analysts identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure. Full report here.

4. Glossary of Darknet Terms 

The darknet is home to a diverse group of users with complex lexicons that often overlap with the hacking, gaming, software development, law enforcement communities, and more. DarkOwl’s Glossary of Darknet Terms is a continually evolving resource that defines the common vernacular, slang terms, and acronyms that our analysts find in places like underground forums, instant messaging platforms (such as Telegram), as well as in information security research pertaining to the darknet. Check it out. 

5. Pardon Me While I Steal Your Cookies – A Review of Infostealers Sold on the Darknet 

In this research, our team reviewed some of the most widely proliferated infostealers on offer on the darknet and discovered an elaborate data exfiltration ecosystem with a low cost of entry, providing cybercriminals access to a wealth of personal information without the victim’s knowledge. We also learned that many infostealers are offered under a malware-as-a-service (MaaS) or “stealer-as-a-service” (SaaS) rental model, with subscription-based access to the malware executables and the associated command-and-control (C2) botnets. Read here.

Figure 3: Offer for Redline Stealer for sale on Darkfox Darknet Marketplace

6. Tensions Between China & Taiwan Realized on the Darknet 

Through August and September, DarkOwl analysts took note of an increased amount of darknet activity surrounding the current geopolitical tensions between China and Taiwan. Using darknet, deep web, and high-risk surface web data, this report endeavors to shed light on the digital underground’s reaction to the countries’ political tensions stemming from China’s “One-China Principle” and its refusal to recognize Taiwan’s independence. 

This report demonstrates how recent cyberattacks in August augment political criticism of Taiwan. Of particular note is the ongoing barrage of leaks surfacing as a result of attacks against key organizations in both countries. The report also discusses general darknet sentiment regarding China’s global reputation and its potential invasion of Taiwan. Full report here.

7.  Understanding Darknet Intelligence (DarkInt)

The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture, even as it becomes an increasingly vital component of it. In part that is because turning raw data into actionable security intelligence requires leveraging DARKINT: data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio. Learn more.

8. The Darknet Economy of Credential Data: Keys and Tokens

The darknet, which is also referred to as the dark web, is a segment of the internet that is only accessible using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and trade in illicit goods and services. Adjacent to the darknet are the deep web and instant chat platforms, which play an increasingly critical role in making this illicit information available. Pseudonymous discussion forums and vendor marketplaces hosted on the deep web, along with private and public Telegram channels, provide additional platforms through which threat actors communicate and circulate sensitive and stolen credential data.

In this blog, we review how sensitive, server-side access credential data – such as AWS private/secret keys, Django secret keys, and API tokens – are captured, circulated, and sold across darknet marketplaces and criminal communities. Read here.
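The credential types named above have recognizable formats, which is what makes them findable in a leaked dump before they are resold. The scanner below is an added example, not DarkOwl's code or tooling: it runs over a constructed, entirely fake sample of a leaked settings file and flags AWS access keys, a Django SECRET_KEY, and any other secret-looking assignment whose value is long and high-entropy. The fixed formats it relies on are real (AWS access key IDs are `AKIA` for long-term IAM user keys or `ASIA` for temporary STS keys followed by 16 upper-case alphanumerics, the matching secret is 40 characters, and Django generates a 50-character SECRET_KEY); the keyword list and the 3.5 bits-per-character entropy threshold are assumptions chosen for this example. The AWS pair in the sample is the placeholder pair from AWS's own documentation.

```python
"""Scan a leaked text dump for server-side credentials: AWS access keys,
Django SECRET_KEY values and other high-entropy API tokens.

Added example, not DarkOwl's code. SAMPLE_DUMP is constructed and every value
in it is fake. Keyword hints and the entropy threshold are assumptions.
"""
import math
import re
from dataclasses import dataclass

# Constructed sample: what a leaked .env / settings file pasted to a forum might look like.
SAMPLE_DUMP = """\
# settings for prod (do not share!)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SECRET_KEY = 'django-insecure-k3%z!w2p)q7^x9$m4r8t1y6u0v5b2n7c8d3f9g1h4j6l0p2s8a'
API_TOKEN=t0k3nXq9Lm2Vb7Zp4Rw8Ys1Hd6Ku3Jf
DB_PASSWORD=aaaaaaaaaaaaaaaaaaaaaaaa
DEBUG=False
ALLOWED_HOSTS=example.internal
"""

# Documented formats: AKIA = long-term IAM key, ASIA = temporary STS key, 16 more chars.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# 40-character secret; only trusted when the line also mentions "secret" (context check).
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
AWS_SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)
# Django's generated key is 50 chars; newer projects prefix it with "django-insecure-".
DJANGO_SECRET_RE = re.compile(r"SECRET_KEY\s*=\s*['\"]([^'\"]{50,})['\"]")
ASSIGNMENT_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s]+)['\"]?")
SECRET_NAME_HINTS = ("KEY", "TOKEN", "SECRET", "PASS")  # assumption
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption for this example


@dataclass
class Finding:
    line_no: int
    kind: str
    preview: str  # redacted: enough to triage, not enough to reuse


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character from the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return (value[:4] + "..." + value[-2:]) if len(value) > 8 else "***"


def classify_aws_key_id(key_id: str) -> str:
    """Distinguish long-term IAM user keys from temporary STS keys by prefix."""
    if key_id.startswith("AKIA"):
        return "long-term IAM access key (valid until rotated or revoked)"
    if key_id.startswith("ASIA"):
        return "temporary STS credential (needs a session token; expires on its own)"
    return "unknown prefix"


def scan_line(line_no: int, line: str) -> list:
    found = []
    for m in AWS_KEY_ID_RE.finditer(line):
        found.append(Finding(line_no, "aws_access_key_id", redact(m.group(0))))
    if AWS_SECRET_CONTEXT_RE.search(line):
        for m in AWS_SECRET_RE.finditer(line):
            found.append(Finding(line_no, "aws_secret_access_key", redact(m.group(0))))
    m = DJANGO_SECRET_RE.search(line)
    if m:
        found.append(Finding(line_no, "django_secret_key", redact(m.group(1))))
    if found:
        return found
    # Fallback: a secret-looking variable name holding a long, high-entropy value.
    m = ASSIGNMENT_RE.match(line)
    if m:
        name, value = m.group(1).upper(), m.group(2)
        if (any(h in name for h in SECRET_NAME_HINTS) and len(value) >= 20
                and shannon_entropy(value) >= ENTROPY_THRESHOLD):
            found.append(Finding(line_no, "generic_high_entropy_secret", redact(value)))
    return found


def scan_dump(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.kind} {f.preview}")
```

The ordering matters: format-specific patterns run first and short-circuit, and the entropy fallback only fires for names that look secret-bearing, so `DB_PASSWORD=aaaa…` (a real password, but one the entropy rule cannot tell from filler) is deliberately not flagged, while `DEBUG` and `ALLOWED_HOSTS` are never examined. On a real dump, a hit on an `AKIA` key should trigger rotation of that IAM user's keys regardless of whether the 40-character secret was captured alongside it, since the pair is usually leaked together.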

Figure 4: Source DarkOwl Vision

9. Darknet Economy Surges Around Abortion Rights 

In June, users across darknet forums voiced interest in abortion-related pills and services following the leaked Supreme Court draft opinion, and advocated for organized protests both in support of and against the anticipated ruling. Once the U.S. Supreme Court officially issues its ruling, we anticipate a more concerted response from darknet marketplaces in the form of offers for abortion-related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate. Read more.

Figure 5: “Underground Abortion Railroad” post. Source: Dread Darknet Discussion Forum

10. Dark Web Cyber Group Spotlight: SiegedSec 

DarkOwl analysts regularly follow “darknet threat actors” that openly discuss cyberattacks and disseminate stolen critical corporate and personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients. In this edition, analysts dive into SiegedSec, a group that formed in late February 2022, coincidentally days before the invasion of Ukraine, and adopted variations of the tagline “sieging their victim’s security.” DarkOwl analysts observed SiegedSec provide proof of the defacement and/or compromise of at least 11 websites, with rather juvenile and crude language and graphics included in the defacements. In April, the group claimed to have defaced over 100 domains, offering as proof a chat dialogue with the hosting provider indicating that the account passwords had been changed and the defacements corrected; the group hinted that it still had access to the domains. DarkOwl analysts also discovered several thousand compromised LinkedIn profiles with references to SiegedSec. Check it out.

2022, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2023 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.