October 18, 2024

Phishing-related attacks remain a highly effective method used by actors to gain initial access to victims’ environments. Despite increased efforts in cybersecurity education, phishing attacks continue to rise, posing a threat to individuals and organizations alike. According to IBM’s 2024 Threat Intelligence Index Report, initial access due to phishing increased from 30% in 2022 to 41% in 2023. DarkOwl regularly collects discussions on the dark web where bad actors share TTPs (tactics, techniques, and procedures) to perform more sophisticated phishing-related campaigns, some of which we will highlight below.

In the early days of phishing attacks, bad actors simply used emails with malicious links to lure their victims into exposing their credentials. Although this is still very prevalent, these techniques are quickly evolving as threat actors adopt adjacent styles of phishing, like voice phishing (vishing), SMS phishing (smishing), QR code phishing (Quishing), deepfake phishing (AI phishing), and more. It’s important to understand how these attacks are evolving and how threat actors are adjusting their approach to increase the likelihood of success.

Emerging Phishing Techniques

Voice Phishing (Vishing)

Vishing is one of the most common forms of social engineering used by threat actors. This method can be highly effective because, unlike traditional email phishing, communicating over the phone (or voicemail) adds a psychological trust element, boosting immediate credibility. A charismatic, personable, professional, or sincere caller can more easily trick a victim into providing sensitive details over the phone.

This tactic becomes even more difficult to prevent or identify due to how easily accessible VoIP (Voice over IP) software is, which enables anyone to spoof any phone number. This allows attackers to mimic the phone number of the entity they are impersonating, making their scam appear even more legitimate. Instead of targeting a specific individual, actors also use automated robocalls to reach thousands of potential victims around the clock. Like phishing emails, this method relies on the “it only takes one” strategy to make the fraud successful.

In 2020, a U.S. federal court indicted an India-based VoIP company on charges related to robocalls originating from their servers that impacted American victims. These robocalls were estimated to be in the tens of millions and resulted in losses of 20 million dollars.

SMS Phishing (Smishing)

Very similar to Vishing, is Smishing which also focuses on mobile devices to lure potential victims into gaining trust and exposing sensitive data. This attack vector also has much in common with traditional Phishing because malicious links are the primary source of exposure. Whether it’s a claim for a digital coupon, a USPS tracking code, or an Amazon shipment update, the actor wants to direct you to another page that entices you to provide your credentials or other sensitive data.

With the 2024 presidential election rapidly approaching, the United States has seen a surge in smishing messages involving fake voter registration pages. According to a recent CBS News report, these text messages claim to provide forms to register to vote online. This dangerous trend highlights the significant impact mass smishing campaigns can have on the public if malicious actors are able to tamper with, misuse, or impersonate citizens’ voter registration data.

Shameless Plug: If you haven’t registered for our webinar on Dark Web Influence on the 2024 U.S. Presidential Election, make sure to register!

QR Code Phishing (Quishing)

Although not as common as other phishing methods, quishing has been observed in the wild to trick victims into navigating to malicious links or downloading malware. A QR code can embed any text or data, with capacities of up to 4,296 alphanumeric characters or 2,953 bytes for binary data, encoded into a digital square. This means bad actors can devise creative and novel ways to lure someone into believing the content is genuine, such as placing malicious QR codes over legitimate ones in public places or online. For this reason, it’s vitally important to use a QR code scanner that provides you with a visual of the URL or data before you interact with it.

The following excerpt, discovered on DarkOwl’s Vision platform, showcases a dark web conversation in which the author explains how QR code exploitation occurs in the wild.

Figure 1: Two criminals putting fake QR codes over the ones on carparks, pub tables and EV charger points that redirect to a lookalike site and steal your credentials; Source: DarkOwl Vision

Deepfake Phishing (AI Phishing)

A more theoretical type of phishing tactic, not yet widespread, involves the use of artificial videos, photos, and audio—also known as deepfakes or AI phishing. Security researchers have explored potential ways actors could utilize these new forms of technology to perform malicious actions, but thus far, the impact has not materialized at a large scale. However, as this technology becomes cheaper, harder to detect, and more accessible, it is likely to become a popular mode of exploitation.

The implications of this attack are not difficult to imagine. In a Financial Times article, UK banks were cited as already grappling with how to best handle Know Your Customer (KYC) regulations, voice impersonation attacks, and other types of AI impersonation tactics that could impact global finance, as well as individual customers.

Summary

As phishing attacks continue to evolve beyond traditional email scams, it’s important for individuals and organizations to stay informed of the tactics cybercriminals employ. From vishing and smishing to quishing and deepfake phishing, threat actors are constantly adapting their methods to exploit new technologies and vulnerabilities.

---

Keep up with the latest from DarkOwl. Follow Us on LinkedIn.

October 16, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, and brute force attacks. In this edition, let’s dive into Drainer as a Service.

Drainers as a Service (DaaS) is a disturbing evolution that makes sophisticated financial fraud accessible to even low-skill criminals. In this blog, we’ll explore what DaaS is, how it works, and why it’s becoming a growing concern in the cybersecurity world.

Drainer as a Service 101

A drainer refers to a malicious tool designed to drain cryptocurrency or traditional financial assets from a compromised account, wallet, or online platform. These tools target everything from crypto wallets to bank accounts and e-commerce platforms, allowing attackers to steal funds quickly and anonymously.

Drainers simplify the process for cyber criminals so you need not be sophisticated in able to use them. This makes this type of fraud much more accessible and easier for individuals on the dark web with very few skills to conduct these types of attacks.  

Drainers can operate in a number of different ways, they can be deployed as part of a phishing kit which will steal users credentials to access their accounts as well as malware which can be deployed to track and collect information about a user’s financial transactions. Depending on how the drainer, they can also automatically “drain” the funds from a victims account, sending them to an account/wallet designated by the threat actor.

Due to the automated nature of drainers, it means that criminals can target large numbers of victims at once. This makes this type of fraud highly profitable.

However, there are threat actors and groups that are also offering the use of drainers as a service. This means that they are selling the tools for others to use. This allows others to purchase, on the dark web, drainers on demand. They will also often be accompanied by support for any issues as well as tutorials on how to use the tools. In this way cyber criminals have commoditized Drainers, selling them much like a legitimate company would sell software.

Providing Drainers as a Service means that the providers are able to profit from this type of activity without directly participating in financial fraud. However this doesn’t make it any less illegal.

Figure 1: Source: DarkOwl Vision

Criminals will advertise their drainer on dark web forums and Telegram and offer subscriptions to the service, this allows them to get access to the tools, the updates that are made as well as support.

Figure 2: Subscription for drainer advertised on carding forum

It is also possible to purchase the tool direct. However criminals prefer to offer this as a service or an affiliate program as this means that they can charge a commission on the funds that are stolen by the buyer or affiliate.

Figure 3: Drainer for sale with commission

Often, Drainer tools will only work with certain cryptocurrencies or wallet types, which can restrict how they can be used. Although some providers will offer customization as part of their service so the buyer can use it as they wish.

Figure 4: Advertisement for Drainer which only works with certain wallets; Source: DarkOwl Vision

Although most drainers do target cryptocurrency, as it is commonly used on the dark web and the transactions are always digital in nature. However, Drainers are also traded on the dark web which are designed to target traditions bank accounts.

Figure 5: Chat with users asking about bank drainers; Source: DarkOwl

The rise of DaaS poses a significant threat to both individuals and organizations. As these tools become more widespread, even unsophisticated attackers can cause substantial financial damage. Cryptocurrency holders, in particular, are at risk, as crypto wallets are often less regulated and less secure than traditional banking systems.

As these services become more prevalent, it is crucial for individuals and organizations to stay vigilant, adopt best security practices, and remain informed about the latest threats.

---

To see DarkOwl Vision and our collection in action, contact us.

October 02, 2024

In light of Cybersecurity Awareness month, DarkOwl is committed to sharing research, trends and industry news from our analysts.

Be the first to know as we release new research by entering your email below!

Upcoming Content This Month

REPORT

Election Disinformation

In the lead-up to the upcoming U.S. presidential election, the disinformation landscape is becoming increasingly complex. DarkOwl analysts have delved into how mis- and disinformation originating from the dark web, and alternative online spaces, is infiltrating mainstream platforms. Various actors, including nation states, U.S.-based political movements, and conspiracy groups, are shaping this online space. Their activities have led to false narratives moving between the deep, dark web and more widely accessible platforms.

As major social media companies struggle with regulating disinformation, narratives once confined to niche spaces are now gaining broader traction. This underscores the importance of recognizing and addressing the growing influence of disinformation as the election approaches. Stay tuned for the full report and sign up for emails to get this report directly delivered to your inbox upon publication. Read full report.

BLOG

What are Drainers as a Service?

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, APIs, and brute force attacks. In this edition, let’s dive into Drainer as a Service.

Drainers as a Service (DaaS) is a disturbing evolution that makes sophisticated financial fraud accessible to even low-skill criminals. In this blog, we’ll explore what DaaS is, how it works, and why it’s becoming a growing concern in the cybersecurity world. Check it out.

BLOG

The Rising Tide of Phishing: Exploring Emerging Threats Beyond Email

In the early days of phishing attacks, bad actors simply used emails with malicious links to lure their victims into exposing their credentials. Although this is still very prevalent, these techniques are quickly evolving as threat actors adopt adjacent styles of phishing, like voice phishing (vishing), SMS phishing (smishing), QR code phishing (Quishing), deepfake phishing (AI phishing), and more. It’s important to understand how these attacks are evolving and how threat actors are adjusting their approach to increase the likelihood of success. Read here.

EVENT

DarkOwl @ OsmosisCon in Las Vegas, NV

Attending OSMOSIScon conference? The open source skills-building conference’s mission is to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices. Stop by Table 17 and schedule time to meet with us in-person here.

BLOG

Q3 Product Updates

Stay tuned for our quarterly update blog highlighting new product features and collection stats updates. There is always something exciting coming from our Product and Collections teams and the team is excited to share this round of updates! Check it out!

EVENT

it-sa Expo&Congress in Nuremberg, Germany

Going to be at it-sa, Europe’s largest trade fair for IT security…and one of the most important dialogue platforms for IT security solutions? Make sure to schedule time to meet us and see us at Booth 7A-632 during the show.

WEBINAR

Election Disinformation

In this webinar, DarkOwl analysts explore the disinformation landscape on the dark web in the context of the upcoming U.S. presidential election. What emerges is a complex, multifaceted online space characterized by a variety of actors, ranging from nation states to American citizens and U.S.-based conspiratorial political movements. All of the above play key roles in both creating and amplifying mis- and disinformation which has seeped from the deep and dark web onto the surface web, and vice versa. As a number of prominent social media platforms maintain policies of limited disinformation regulation, false narratives previously concentrated on the dark web and alternative social media platforms have become mainstream, thereby gaining traction and reaching greater audiences. Combined, these factors reflect a complex environment in the lead up to the election, and highlight the importance of identifying and combatting mis- and disinformation. Recording and transcription here.

BLOG

Cyber Actor Spotlight: Terrorgram

The dark web community of those buying, selling, trading and sharing data is extremely active. Dark web sites such as BreachForums and LeakBase are heavily used by threat actors to trade data, ask about what is available and provide links to stolen data. However, some individuals in this community are more active than others, regularly sharing data leaks from high profile organizations, often claiming they have hacked the data themselves or worked with other hackers to make the data available.  

One such threat actor is known as USDoD. He has been very active on BreachForums, sharing multiple leaks and also claiming to be starting his own site to share data. However, it was reported late last week that he had been arrested in Brazil. Here we will review some of USDoD’s activities and what lead to his arrest. Full blog here.

BLOG

Exploring the Darknet: A Halloween Journey

The darknet can be a scary place. 👻 For Halloween, we will highlight some spooky findings from our analyst team that they have come across this past year. In the meantime, check out last year’s edition where the team uncovered human organs for sale, human meat for sale, and hitmen for hire! Check out this years’ blog here.

---

Curious to see how darknet data can improve your cybersecurity situational awareness? Contact us.

October 01, 2024

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. US cracks down on spyware vendor Intellexa with more sanctions – BleepingComputer

In a September 16 press release, the U.S. Department of the Treasury announced the sanctioning of five individuals and one entity linked to the Intellexa Consortium for the development of Predator spyware. Intellexa Consortium is a network of decentralized companies responsible for creating highly invasive spyware products that have been marketed under the “Predator” brand. Predator spyware is notably used by state-sponsored actors and governments to gain access to sensitive information on victim’s devices. As highlighted in the press release, previous targets of the spyware have included “government officials, journalists, policy experts, and opposition politicians.” Full article here.

2. China is pushing divisive political messages online using fake U.S. voters – NPR

Chinese State linked actors are reportedly running an influence operation, known as Operation Spamouflage, in which they are claiming to be US soldiers or American voters and commenting on controversial topics on social media. Topics have included reproductive rights, America’s policy towards Israel and support for Ukraine as well as criticizing both candidates. They are reported to have used AI to create some of this content. Read more.

3. Iranian Hackers Set Up New Network to Target U.S. Political Campaigns – The Hacker News

Insikt Group researchers have identified a new network infrastructure associated with GreenCharlie, an Iranian threat actor that overlaps with APT42, Mint Sandstorm, Charming Kitten, Damselfly, TA453, and Yellow Garuda. GreenCharlie is linked to malware that reportedly aims to target U.S. political campaigns and government entities. According to Insikt Group, GreenCharlie has been linked to POWERSTAR and GORBLE malware, both of which are used in phishing campaigns for cyber espionage. Article here.

6. Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government – DOJ

The DOJ announced the indictment of five Russian GRU offices and one civilian for conspiring to hack the Ukrainian government. The GRU officers are part of Unit 29155 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces. They are accused of conspiracy to hack into, exfiltrate data from, leak information from and destroy computer systems associated with the Ukraine Government in advance of the Russian invasion of Ukraine. “The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen of the National Security Division. Full article.

7. Chinese botnet infects 260,000 SOHO routers, IP cameras with malware – BleepingComputer

The Federal Bureau of Investigation (FBI) has disrupted a Chinese state-sponsored botnet dubbed Raptor Train. The botnet—“a network of computers infected by malware”—had infected more than 260,000 devices to target critical infrastructure in the U.S. and abroad and steal data. The botnet notably targeted victims in the “military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors.” Read more.

8. New Tickler malware used to backdoor US govt, defense orgs – Bleeping Computer

According to BleepingComputer, the Iranian government-backed hacking group APT33 (also known as Peach Sandstorm and Refined Kitten) has been observed using a new malware dubbed “Tickler” to backdoor U.S. government and United Arab Emirates networks between April and July of this year. The group is assessed to be working on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) and has been carrying out cyber espionage operations since at least 2013. In the group’s most recent intelligence collection campaign, the new Tickler malware is being used to target organizations in the “government, defense, satellite, oil and gas sectors,” and functions by leveraging Microsoft Azure infrastructure. Read article.

9. Germany seizes 47 crypto exchanges used by ransomware gangs – Bleeping Computer

In a September 19 press release, the Federal Criminal Police Office of Germany (BKA) announced that it had seized 47 cryptocurrency exchange services hosted in Germany that were facilitating cybercriminal activity and were used for money laundering. The exchange services in question allowed cybercriminals to exchange cryptocurrencies while remaining anonymous, thereby creating a “low risk-environment for cybercriminals.” The press release lists ransomware groups, darknet traders, and botnet operators as examples of threat actors who utilized these exchange services, often to exchange ransom payments. Read more.

---

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

September 26, 2024

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Dark Empire Market. 

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published. 

Introduction

Darknet marketplaces (DNMs) are synonymous with where on the dark web users can buy and sell illicit goods.  

Traditional DNMs are defined as dark or deep web sites where numerous (often hundreds) vendors can sell various types of products ranging from drugs, digital goods, leaked databases, counterfeit documents, credit cards, etc. The most popular traditional DNMs that remain today are: 

1. Ares Market 
2. Archetyp Market 
3. MGM Grand Market  
4. Dark Empire Market 

DISCLAIMER: Please note that this list specifically excludes any forum that also has a marketplace section like XSS or Exploit, as well as marketplaces that specialize in one product category like digital goods on Russian Market. 

As we continue our Darknet Marketplace snapshot series we will review Dark Empire Market, one of the most popular marketplaces available on the darknet today.  In our last snapshot, we explored Ares Market.

Dark Empire Market 

Dark Empire Market’s name is sometimes confused with Dark Market or Empire Market, which were both darknet markets which have been seized by law enforcement. This highlights a trend that darknet admins have to sometimes create new sites with intentionally misleading names that are similar to defunct DNMs, whether to gain popularity or to make it easier for previous customers to find them.  

Dark Empire Market appears to have originally surfaced in early 2021, based on the earliest results that are still viewable on the site. However, its popularity increased shortly after the Bohemia, Hydra, and Monopoly markets were seized in early 2023. DarkOwl’s Vision database to date has over 19,000 results pertaining to Dark Empire Market. There is very little open-source information available to provide more information on the history of this site and its admins. In fact, when you search for this site, most results are related to the now defunct Empire Market. Additionally, it has not gained particular attention from the media meaning there is little information in relation to it. However, it has been previously mentioned on sites like Reddit, Dread, and Ransomlook.io.  

Homepage

The below screenshot displays Dark Empire Market’s Homepage. This includes the logo, followed by various topics, and a disclaimer and banner advertisement. This is a format that we commonly see on other traditional DNMs.  

Additionally, credentials are not required to view content on this site, which is uncommon on most DNMs. Therefore, it is a good site to explore if you do not want to create credentials and/or are new to the darknet. It is usually uncommon for darknet sites to allow you to view products on their sites without eventually facing a paywall. 

  Underneath is a visual display of the various product categories: 

• Counterfeits 
• Credit Cards 
• Documents 
• Drugs 
• Gadgets 
• Gift Cards 
• Guns 
• Money Transfers 
• Other 

The site claims to offer worldwide shipping, it states every vendor sells worldwide. 

It also provides escrow services and advertises for individuals to become a vendor on the site.  They provide an email that can be used for any enquiries or issues – offering full customer support to the users on the site.  

Counterfeits 

Counterfeit goods are products that are made to imitate genuine items with the intention of deceiving others. They can be used for financial crime, identify theft, as well as counterfeit goods. Counterfeiting can range from physical documents like licenses and passports to counterfeit cash (euros and dollars).  

The counterfeiting category on Dark Empire Market primarily advertises counterfeit financial products. Currently there are 12 actives listings, and the below screenshot shows 3 financial counterfeit products.  

Looking a step further, DarkOwl analysts reviewed one of the products. The below screenshot is one of the above products and advertises as, “Pre-Shredded Cash 25,000 USD Cash” and is for sale for $999.00, which was discounted from an original price of $2,100.00 USD. The vendor claims these US dollars came from the Federal Reserve in 2017. The vendor self identifies as “The Queens Cash aka queencdcguev” in the below description. 

It is not uncommon for vendors to use snark or humor in their advertisements, below we provide some real FAQs that are provided by the vendors.  

 The FAQs also highlight why the vendor can be trusted. Reviews are what most DNMs rely on to ensure that they are receiving the products that they are buying. A lot of the time the products for sale sound too good to be true. This is usually because they are. But as demonstrated below vendors will try to explain why they have received bad reviews.  

Credit Cards  

Many DNMs sell cloned or stolen credit cards. The Credit Cards category on this market has a total of 22 listings. Most of the listings advertise access, credit card fraud aka carding products. Most of these products advertise access to Visa, Mastercard, and American Express Credit Cards and Gift Cards. The below screenshot displays 3 Credit Cards listings. It appears these listings advertise pre-paid Visa and Mastercard Gift Cards. 

 The below screenshots display a recent product listing titled, “3 x AMEX Prepaid 3100$ / 2700 Euros,” which is allegedly selling for $299.00 USD. The product description continues to explain that there is a daily withdrawal limit of $3500.00 USD. Additionally, the vendor claims that after purchase they will send a printed guide of how to “safely cash out” via parcel service. 

 Guns 

There are a total number of 35 listings under the Guns category. Most of the products are for guns and or ammunition. The below displays a few of the products. Product pricing ranges from 200.00 USD to over 1000.00 USD. The images posted on the site have the onion URL over them, presumably so they cannot be shared on other sites.  

DarkOwl analysts selected the following product titled, “Bushmaster AR15 Tactical Package Semi Auto Rifle.” The product has a 5-star rating and there are 35 customer reviews for this vendor. The product description meticulously explains the technical specs of this weapon.  

Below is a chat that appears below the product description. Most prospective buyers are inquiring with the vendor to confirm if they ship to a particular country. The below shows buyers asking about if they can safely send the weapon to the Dominican Republic, Australia, Turkey, Sweden, and others. Every time the vendor responds saying “Yes worldwide” or “Yes without problems.” It is unclear what shipping methods this vendor is using. Although some other vendors state that they use FedEx and FedEx international to ship overseas. 

As stated above there are other areas and goods that are sold on this market. Drugs are another area of the site which appears to be popular. There are currently 50 listings in this section, second only to gadgets, which sells products such as phones and computers. A range of different drugs are made available and a varying range of prices. Some of them have discounts applied. Most of the listings have over 4.5 stars. 

One seller, providing cocaine claims to be the most trusted seller in the world, who used the best packaging to ensure “stealth and security.” There are many comments stating that they have successfully received the drugs.  

Dark Empire Market is currently online and operating. It highlights the variety of goods that can be sold and the methods which they use to ship these goods worldwide. It also gives insight into how the vendors operate and how they explain their products and the reviews that they receive.  

During our next blog in this series of DNM reviews we will look at Archetyp Market.

---

Subscribe to email to receive the latest research directly into your inbox every Thursday and don’t miss our next Darknet Marketplace Snapshot.  

September 24, 2024

The dark web has undergone a significant transformation in the past two decades, demonstrating remarkable tenacity and adaptability. Similarly, the concept of self-healing networks is a groundbreaking approach to maintaining robust and reliable networks without the need for manual human interaction to reestablish connections. The evolutionary parallels between what has come to be the darknet and the core principles of self-healing networks highlights one critical similarity: resilience. Resilient networks are by necessity required to be flexible, scalable, secure, and reliable. Core qualities of resilience being the ability to adapt to unforeseen variables and embrace dynamic changes. These are qualities that the dark web is not new to. And today, resilient networks play a crucial role in minimizing downtime, preventing disruptions, and mitigating interruptions regardless of where that network falls on the iceberg.

Comparing the similarities of these two domains gives insight into how self-healing fundamentals contribute to the dark web’s resilience. Looking through the lens can inform how the dark web will continue to evolve in the future.

A Cliff Note Summary of Darknet Evolution

Initially, dark web marketplaces focused primarily on illegal drugs. However, over the years, marketplaces achieved diversification by expanding goods and services beyond the “illicit” as well as other illicit goods and services not linked to drugs, such as hacking tools, malware, and financial information. There has also been a huge boom in the sale and release of data.

Today’s platforms and alternative communication services offer a wide range of goods and services far beyond the early years of the dark web. This diversification continues to attract a broader user base of buyers and sellers on a global scale contributing to a significant increase in the overall volume of darknet transactions. The darknet global ecosystem of feeding buyers and sellers also saw the rise of professional criminal organizations offering specialized services including targeted cyberattacks, custom malware development, and global money laundering operations, not to mention the incredible growth of professional ransomware groups. Darknet professionalization further entrenched the darknets role in global cybercrime.

Dark web marketplaces have evolved from rudimentary platforms to sophisticated darknet e-commerce services complete with user reviews, escrow services, and dedicated customer support. An evolutionary change in sophistication that mirrored changes in traditional commercial e-commerce platforms making darknet marketplaces more accessible to the most basic consumer. Adding a means of measuring trust for vendors and buyers only added more fuel to the evolutionary fire. Additionally, darknet services adopted more advanced security measures such as end-to-end encryption, multi-factor authentication, and robust anonymization techniques. More accessibility to trading and improved security enhancements equating to resilience for darknet vendors. Darknet resilience that also made it increasingly difficult for authorities to track and shut down.

The adoption of cryptocurrency marked yet another critical evolution to the darknet. Bitcoin has been the hallmark of darknet transactions for over a decade, providing a degree of anonymity between buyers, sellers. However, newer tactics and tools now contribute to the traceability of cryptocurrency transactions and possible attribution which led to the desire for more privacy-focused cryptocurrencies that offered enhanced anonymity and security, a mark in resilience triggering yet another evolution. Currencies such as Monero and Z-Cash are now widely accepted on dark web marketplaces. Additionally, illicit dark web laundering services known as tumblers, or crypto mixers, become prevalent, helping to further obscure both origin and destination of cryptocurrency transactions.

In recent years, the use of mobile applications emerged as a significant development in facilitating illicit transactions on the dark web. Mobile applications designed to operate on both Android and iOS platforms, provide users with convenient, on-the-go access to darknet marketplaces, alternative communication services, and forums. Many of these custom mobile applications feature built-in end-to-end encryption, anonymization tools, and secure messaging capabilities that protect user identities and communications. The use of private APK or IPA applications not made available through the authorized marketplace added yet another level of obfuscation and secrecy to potentially nefarious activities. The proliferation of mobile applications only made it easier for cybercriminals to conduct illicit business, stay connected, and further evade law enforcement. These mobile platforms extended the reach of dark web activities, making the darknet more accessible and pervasive.

Law enforcement agencies made significant strides in combating illicit activities despite the darknets growth in sophistication and diversification. For the better part of two decades, high-profile takedowns by law enforcement of major dark web marketplaces like Silk Road, AlphaBay, Wallstreet, Dream, Genesis, Empire, and Hansa disrupted illicit marketplace activities resulting in numerous arrests around the globe. These operations not only dismantled key illicit marketplace but were also used as a platform by law enforcement to send a strong message to cybercriminals. Improved international collaboration among law enforcement agencies resulted in more coordinated and effective operations against dark web criminal activities, making it harder for darknet marketplaces to operate unchecked. But regardless of law enforcement takedowns, the darknet has continued to be resilient and self-healing with many new markets popping up to replace those that had been taken down.

Self-Healing Networks: Fundamental Concepts, Principles and Achievements

Self-healing networks are networks designed to automatically detect, diagnose, and repair network connection faults without human intervention. These networks focus on network redundancy features and are built on the principle of autonomic computing. Autonomic computing embeds hardware and code with self-managing capabilities that enables the network to adapt to changes and recover from failures autonomously. The implementation of redundancy and failover mechanisms ensures multiple redundant paths and systems are in place that guarantee continuity of service in case of critical failure. Continuous monitoring and real-time diagnostics are not required but often help identify connection issues, enabling prompt remediation and reinforcing network stability.

Self-healing networks significantly enhance the reliability of network infrastructures by reducing downtime and ensuring continuous operation. The inherent scalability and flexibility of self-healing networks adapt to changing demands and conditions, providing reliable services to dynamic environments. Furthermore, self-healing networks are known to contribute to cost efficiency by minimizing the need for manual intervention. Manual intervention is a reactive process. Minimizing manual interventions reduces the financial impact of network disruptions. When a connection is interrupted, a self-healing system recognizes the fault and deploys a countermeasure to reestablish the connection. To say that self-healing networks are resilient is an understatement.

Conclusion: Resilience in Parallel

The evolutionary path of the darknet continues to highlight remarkable resilience over the last  two decades, despite efforts of law enforcement. Even when major dark web markets are dismantled, new gateways quickly emerge to fill the void and further perpetuate illicit online activities in a continuous game of whack-a-mole for authorities. The darknet continues to recover from takedowns, shutdowns, and social migrations the same way that self-healing systems autonomously recover from connection faults. When one marketplace, forum, or alternate communication service ceases to exist, another connection opens to reestablish the flow. The darknets ability to adapt and evolve quickly aligns with and demonstrates self-healing resilience. This resilience is critical to the survival and functionality of the darknet in the face of internal and external challenges. Understanding the resilience and evolution of the darknet is crucial for anticipating and effectively responding to future changes. 

---

To keep up with the latest, follow us on LinkedIn.

September 19, 2024

In the ever-evolving realm of cybersecurity, social engineering stands out as a particularly cunning adversary. As we enter the last quarter of 2024, the methods used by cybercriminals (Threat Actors) are becoming increasingly sophisticated, blending technology, AI, and psychology in ways that can catch even the most discerning individuals off guard. This year, the tactics of social engineering are not just evolving—they’re advancing at an unprecedented pace. Black Hat USA 2024 & DEF CON 32 explored many of the latest trends in social engineering, uncovering the new strategies and technologies that are shaping the future of these deceptive practices. Understanding these trends is crucial for staying ahead of the curve and protecting yourself and your company in a digital landscape that’s more complex than ever.

AI and Social Engineering

It should come as no surprise that many of the emerging trends in social engineering center around the use of AI. This intersection of social engineering and artificial intelligence is particularly dynamic. At DEF CON 32, one of the highlights was the John Henry Competition: Humans vs. AI, where the evolving capabilities of these technologies were put to the test. DarkOwl had the opportunity to witness this intriguing contest firsthand.

The human team featured the renowned “Human Hacker” Snow and her co-founder of the Social Engineering Community Village, JC, both of whom brought their profound intuition, creativity, and understanding of human behavior to the challenge. In contrast, the AI team, consisting of Lisa Flynn (Human Systems Engineer & AI Researcher) and Perry Carpenter (Author & Cyber Evangelist), demonstrated the formidable precision and efficiency of advanced algorithms. Throughout the competition, both teams showcased their vishing tactics through live calls to companies.

The AI team presented cutting-edge techniques in voice modification, including both traditional robotic tones and more sophisticated, human-like audio, such as that produced by deep fakes. They also illustrated how AI models could adapt and evolve, learning from previous calls to refine their approach. Despite the impressive performance of the AI team, the human team narrowly secured victory, highlighting the enduring strength of human intuition in the face of rapidly advancing technology.

AI Vulnerabilities

When discussing social engineering and AI, it’s crucial to recognize not just how AI can be used for malicious purposes but also how AI systems themselves can fall victim to social engineering. This is particularly relevant in the context of large language models (LLMs) like ChatGPT. While these models are designed with safeguards to prevent them from assisting in illegal activities, including hacking, they are not impervious to social engineering campaigns.

At DEF CON 32, Jayson E. Street, a renowned speaker, author, and Simulated Adversary featured in National Geographic’s Breakthrough Series and Rolling Stone Magazine, delivered a compelling presentation that captivated the audience. Street, who was named one of Time’s Persons of the Year in 2006, demonstrated how LLMs can be manipulated through social engineering techniques. His talk, which drew an overflow crowd, showcased how LLMs, despite their advanced programming, can still be susceptible to Layer 8 attacks—an informal term for cybersecurity attacks aimed at human operators.

Street’s demonstration revealed that, because LLMs are ultimately built and influenced by human inputs, they can be tricked into providing information or instructions that could be used for unethical purposes. By employing sophisticated social engineering tactics, Street successfully coerced multiple LLMs into revealing codes and procedures for hacking various devices, networks, and systems. This eye-opening presentation underscored the vulnerabilities inherent in even the most advanced AI systems and highlighted the ongoing need for vigilance and robust security measures in the face of evolving threats.

Social Media Exploits

Social media has become a double-edged sword in the realm of cybersecurity. While it connects people, facilitates communication and can be used for marketing, it also serves as a rich resource for social engineers seeking to exploit personal and organizational vulnerabilities.

One of the primary tactics used by social engineers is data harvesting. Cybercriminals meticulously collect personal information from social media profiles to craft highly targeted attacks. By analyzing the details shared on platforms such as Facebook, LinkedIn, and Instagram, they can tailor their schemes to exploit specific weaknesses, whether it’s in the form of phishing emails, vishing phone calls, or physical penetration.

Impersonation scams represent another significant threat. Social engineers often create fake profiles or hijack existing accounts to deceive individuals or organizations. These fraudulent accounts can be used to gain unauthorized access to sensitive information, manipulate key contacts, or spread malicious links. The deceptive nature of these impersonation tactics makes them particularly dangerous, as they exploit the inherent trust people place in their social networks.

Moreover, the influence of social media personalities can be harnessed for malicious purposes. Influencer manipulation involves exploiting the trust and reach within a social media influencers command. By co-opting these figures, cybercriminals can leverage their established credibility to disseminate harmful content, promote phishing schemes, or even orchestrate more complex social engineering attacks. The vast reach of influencers amplifies the impact of these deceptive practices, making it crucial for both individuals and organizations to remain vigilant.

As social media continues to evolve, so too will the tactics of social engineers. Understanding and recognizing these strategies is essential for safeguarding personal and organizational information against increasingly sophisticated threats.

Evolving Threats and Responses

As social engineering tactics continue to evolve, cybercriminals are employing increasingly sophisticated methods to exploit human psychology and technological systems. Psychological manipulation techniques are at the forefront of these developments. Social engineers are leveraging urgency and fear tactics to compel quick responses from their targets. By creating time-sensitive threats or amplifying fear, they manipulate individuals into making hasty decisions without proper scrutiny.

Similarly, the use of social proof and authority figures has become more prevalent. Attackers often pose as trusted figures or leverage perceived authority to gain compliance and manipulate their targets. Emotional appeals are another powerful tool, with attackers crafting messages designed to evoke strong emotions such as sympathy or excitement. These emotional triggers can cloud judgment and make individuals more susceptible to deception.

In response to these growing threats, regulatory and legal frameworks are adapting. New legislation is being introduced to address the challenges posed by social engineering attacks. These emerging laws aim to create a more robust legal foundation for combating such threats and ensuring better protection for individuals and organizations. Compliance requirements are also evolving, necessitating that organizations adjust their cybersecurity practices to meet new standards. This often involves implementing more stringent security measures and training programs. Global cooperation has become a vital component of these efforts, with countries and organizations working together to share information, best practices, and strategies to combat social engineering on an international scale.

Another significant trend is the rise of hybrid attacks, where attackers combine multiple channels and platforms to enhance their effectiveness. By integrating email, phone, and social media attacks, cybercriminals create more complex and convincing schemes. Cross-platform exploits are particularly concerning, as they involve coordinating attacks across different communication platforms and devices, increasing the likelihood of success. Contextual attacks further heighten the danger by utilizing specific, context-relevant information—such as recent events or personal milestones—to make the attack appear more credible and targeted.

Additionally, recent insights from Black Hat and KnowBe4 have identified several noteworthy trends in social engineering:

• Consent Phishing: This tactic is on the rise, with attackers tricking individuals into unknowingly granting permission for malicious activities.
• Business Email Compromise: Cybercriminals are increasingly targeting business email systems to execute fraudulent schemes and gain unauthorized access.
• Deepfakes: The use of deepfakes creates deeper challenges by fabricating realistic but false content that can mislead and deceive.
• Nation-State Attackers: Nation-state actors are incorporating social engineering into their arsenal, adding a layer of complexity to their attacks.
• Phishing-as-a-Service: This rapidly growing market offers tools and services that enable even less technically skilled attackers to launch phishing campaigns.

Understanding these evolving tactics is crucial for staying ahead of potential threats. By recognizing the sophisticated methods employed by cybercriminals, individuals and organizations can better fortify their defenses and respond more effectively to emerging social engineering challenges.

Conclusion

As we navigate the final stretch of 2024, it’s clear that social engineering is not just a challenge for today but a growing concern for the future. The insights gained from DEF CON 32 and other sources highlight how cybercriminals are leveraging advanced technologies and psychological tactics to craft increasingly sophisticated attacks. Staying informed about these emerging trends is not just a defensive measure—it’s a proactive strategy for safeguarding yourself and your organization in an ever-complex digital world. By understanding and anticipating these evolving tactics, you can better fortify your defenses and remain one step ahead of those who seek to exploit vulnerabilities. Remember, in the world of cybersecurity, knowledge truly is power. Stay vigilant, stay informed, and stay secure.

---

Stay up to date with the latest from DarkOwl. Subscribe to email.

September 17, 2024

It seems like every day a new report is released detailing data has been leaked from an organization. There are very few individuals in the world that do not have some personal data which has been released in a data leak. It is a global problem, and the data leaked can have serious ramifications for the individuals or organizations that are exposed.  

Therefore, it is important that we understand exactly what a leak is, what it means and what challenges there are around collecting them. Furthermore, we need to know what remediation action we should take when our data is bound to be leaked, and understand exactly how our data has made it online and who it is available to. In this blog, we will explore these areas. 

Different Types of Leaks 

Although terms like “leak” and “breach” tend to be used interchangeably, they do have nuances that explain how the data was obtained, and they do mean different things. There are also several different other definitions which can be used that provide details of how the leak was obtained and what data it might include.   

Leak 

A leak refers to the unintentional or accidental release or exposure of information. It can happen due to a variety of reasons, such as human error, poor security practices, or faulty software. The majority of the time, there is no malicious intent linked to the leak and the information is released in error.  

Examples of leaks can be an organization leaving an FTP server open, or unintentionally releasing private information onto a website. It is not always the case that a malicious actor had identified and obtained this data, but that does often happen.  

One recent example of a leak collected by DarkOwl is the leak of Trello data. Data purported to be from Trello was posted on BreachForums, a hacking forum, on July 16, 2024. According to the post, Trello had an open API endpoint that allowed unauthenticated users to map an email address to a Trello account. Data exposed includes email addresses, names, profile data, user identification numbers (UID), and usernames. According to the threat actor, the leak is from January 16, 2024, and contains 15,111,945 unique email addresses. The threat actor stated that the database is useful for doxing (to publicly name or publish private information (PII) about an unwitting target), noting that email addresses are matched to full names and aliases are matched to personal email addresses. 

Figure 1: Trello Leak on BreachForums 

Breach 

A breach is a deliberate, unauthorized intrusion into a system or network to access, steal, or manipulate data. It is usually carried out with malicious intent by hackers or cybercriminals. This information is then routinely sold or shared online for profit and financial gain. Hackers will often find vulnerabilities in an organization’s network and use these to exfiltrate data. This can be as simple as obtaining a user’s credentials to deploying complex malware. Often the data that is leaked relates to customer data or employee credentials, although other data can also be taken.  

A recent example of breach data obtained by DarkOwl is the National Public Data Breach. Data purported to be from National Public Data (NPD) was posted on BreachForums, once again, on August 6, 2024. According to the post by threat actor Fenice, the full NPD database was breached by SXUL. Data exposed includes full names, dates of birth, physical addresses, phone numbers, and Social Security Numbers.  

The National Public Data leak was first offered for sale by USDoD on BreachForums on April 7, 2024, for $3.5 million USD. The dataset is reported to have 2.9 billion rows and cover data from 2019-2024. USDoD continued to advertise the sale of this data through June 2024. On July 21, 2024, Alexa69 uploaded data from the National Public Data to BreachForums, indicating it came from USDoD’s leak.  

On August 12, 2024, National Public Data disclosed a data security incident believed to have involved a third-party bad actor who hacked into the data late December 2023, and leaking data in April 2024 and July 2024. According to the company’s official statement, the breach contained names, email addresses, phone numbers, and mailing addresses. 

Figure 2: NPD breach advert on BreachForums 

Insider 

An Insider, in this context, is someone who is based within an organization and has access to information or systems and chooses to either release information or share access or assistance with others. There are many reasons that they might do this, but if they do not follow Whistle blower protocols then this is an illegal act.  

These types of leaks can be devastating due to the access that some employees have and the information that they are able to obtain. The data can be released in a variety of ways and is usually made freely available.  

Some of the most famous examples of insider leaks are that of Edward Snowden and Julian Assange, where US classified information was leaked by those individuals to journalists and via their own websites. A more recent example is that of Jack Teixeira, an airman first class of the Massachusetts Air National Guard, who photographed and leaked classified documents on a Discord server which were later shared on other social media networks.  

Figure 3: Image of classified data leaked on Discord 

Ransomware 

Traditionally, ransomware was the act of locking a company’s systems and data and demanding a payment to release that data. However, the modern concept of ransomware is not only locking access to the data but exfiltrating it and also extorting the company in order to not release the data online. This is known as the double extortion technique. However, some groups now only act in terms of releasing the data.  

Ransomware attacks are on the rise with companies of all sizes being possible targets. Most ransomware groups will host a leak site, or shame site, on the dark web where they will list their victims and threaten to release their data if they do not pay. They often provide details of the company, as well as images proving that they have access to the data.  

Unlike other leaks, ransomware leaks tend to be very large in size and contain a full dump of a company’s system. They can include very sensitive information, but often also include documents which provide no real information. Unlike some other leaks, this data is rarely curated, and security experts often have to trawl through this data to establish what exactly has been released and what threat that it poses. However, this should not diminish the huge risk and reputational damage that the release of ransomware leaks poses.  

Below is an example of a Ransomware leak site that DarkOwl collects from. 

Figure 4: Hunter Ransomware leak page 

Scrape 

A scrape is when an individual, usually a threat actor but it also can be security researchers, will scrape data from publicly available websites and amalgamate this to appear as if it is a leak of data.  The information contained in these is all publicly available and can be found using open-source techniques. However, grouping it all together can allow threat actors to use the information for nefarious means and reduce the amount of time that they need to spend researching their targets. It is always recommended that only necessary information is shared by individuals online.  

A recent example of a scraped data leak is the Yellow Pages leak. This was a consolidation of data from yellow pages, which is available online, and released on the dark web. Other companies which have been victim to this kind of activity include LinkedIn. 

Figure 5: Scraped Yellow Pages data available on BreachForums 

Combo 

A combo list is an amalgamation of data that has appeared in other leaks, although the source of the data is not always clear. A combo list traditionally consists of an email address and a password. As it is unclear where the data is from, the leak of this data usually poses a low threat and does not provide much actionable intelligence, although passwords should still be changed.  

However, recently, combo lists from stealer logs have started to be circulated that contain a URL, email address, and password. These pose a larger threat due to the fact that the threat actor could be able to access the site for which the password has been leaked.  

A recent combo list collected by DarkOwl is CHINA COMBOLIST, which was made available on Nulled, on July 26, 2024. According to the post, this data is from China. Data exposed includes email addresses and plaintext passwords. 

Figure 6: Combo list from China 

Although DarkOwl do collect combo lists, we do not prioritize them due to the fact that the data has previously been released and they have limited value. Nonetheless, if an email address appears in a combo list, as the information propagates to additional threat communities, an increase of malicious cyber activity should be expected against individuals represented in the leak. There is also additional risk if the credentials were reused on other systems. 

Stealer Logs 

A stealer is another word for an infostealer, or information stealer. A stealer is “a software-based program, typically malware, that is deployed on victim devices that when executed or downloaded is designed to take credentials, cookies, and sensitive information to take advantage of the victim financially, engage in fraud, and possibly identity theft.” After the stealer has covertly accessed stored information, it will transmit the data back to the cybercriminal.  

Threat actors will make the data stolen through stealer logs available both for free and for sale on both the darknet and Telegram. They will release information which includes, URLs of sites visited, associated usernames or email addresses and passwords as well as cookies. This data can also include details of the software installed on a machine, cryptocurrency wallets, gaming platforms and other data.  

Data from stealer logs is generally fairly fresh and released soon after the data is stolen which provides a higher risk that the passwords released are up to date and have not been changed. They can therefore pose a very high risk to individual, and companies affected.  

Figure 7: Sample of recent stealer log collected by DarkOwl 

Different Ways Leaks are Released 

Now that we have covered the different types of leaks that are made available, it is important to explore the ways in which these leaks are shared and where this information is available, as this can form part of the risk assessment of the threat posed by the release of the data. In this section the term “leak” will be used generically to cover all types of leaks listed above unless otherwise stated.  

For Sale 

Many leaks are made available on dark web forums and marketplaces for sale. Depending on the data that the threat actor has stolen and the value that they think it will have will depend on the price that it is sold for.  

It is illegal to purchase stolen data unless you are the original owner of the data! 

In some cases, after a period of time and if the seller has made enough money, the data may become freely available, also in some cases other threat actors who have been able to obtain the data will subsequently share it for free on the dark web. However, there are some leaks that never become available for free.  

For Free 

Many threat actors will release data for free on forums and marketplaces. Sometimes they do this in order to increase their reputation in the community or because they do not think that there is much value in the data. If information is made available for free it is considered open-source data and can be collected.  

Ransomware 

If a company does not pay the ransom, ransomware groups will release the data, usually on their leak site, at the time they previously designated. They will make all of the files available for free on the site for others to download. These will likely be collected by security researchers and threat actors alike. The data in these leaks can be used for further attacks or to cause reputational damage.  

There are also some ransomware groups that will seek to make further money off of the data that they have stolen, and they will occasionally make the release of the data available to the highest bidder. This is especially true for high value targets.  

Subscriptions 

Some threat actors will offer subscriptions to the data that they have stolen, this is usually the case with actors who are operating stealer malware. As new logs come in each day, they will offer subscriptions to view this data. Subscriptions can be for varying periods of time form a week to a month to a lifetime subscription.  

Figure 8: Example of a TG channel offering a data subscription 

Reputation/Credits 

Although a threat actor may offer a leak for free, on certain sites you will only be able to access the download link if you use credits which you have earnt on the site. Credits can be purchased or can be earned via reputation on a site, by making posts, sharing data, reacting to other posts, etc.  

Figure 9: Example of required credits to release a leak 

Or not released…. Nation state actors 

There are some leaks that never appear to be released. We know that they happened as the company affected reported the breach to their regulator as they are mandated to do in certain countries, but we never see the data shared on the dark web or in any other area. In most cases it is likely that this information was stolen by a nation-state actor who is using the data for their own intelligence needs. However, some actors may choose to keep the data to themselves for their own reasons.  

Challenges 

It is very important to collect leaks in order to understand what data a company has exposed and therefore what potential risk they have. This is also important on an individual basis as people can be subject to financial crime and identity theft. While threat actors will use this data to commit further crimes, security researchers use this data to protect organizations and companies. However, we all face similar challenges when dealing with this data.  

Volume 

The sheer number of leaks and breaches and others that are released on a daily basis is a challenge in of itself. It is hard to keep up with what has been posted on the various dark web sites, as well as personal websites for certain threat actors. Analysts have to trawl through this data on a daily basis to keep up and then make as assessment about what data is real, verified and will be useful to others. Some data released is much more actionable than other and unfortunately a judgment sometimes needs to be made about what to prioritize. In an ideal world we would be able to mitigate all the risk posed but this simply cannot be done for every single leak. 

Availability 

Availability is also an issue. Often reports with appear in the media highlighting a leak and often people will want access to this leak. However, there can be a variety of reasons why it might not be available. The leak may not have been released. It may be available but only for sale. The data may have been confidentially shared with a third party, either by a threat actor or sometimes law enforcement which means that it is not available to the wider security community.  

Formats 

Due to the nature of leaks, that they can take many different forms, as described above, and come from a variety of different victims the format that the data appears in can provide a challenge. No two leaks are the same and to make sure that you are exporting the most relevant and useful data it is often required to analyze a review the data and normalize it in order to understand what it contains. This can be a difficult process that takes time to achieve.  

Size of data and the slowness of TOR 

Some leaks are very large, particularly those that come from Ransomware attacks. This can pose issues in downloading the data, particularly if it is being shared via TOR. TOR is notoriously slow. Downloading large amounts of data over it is a challenge. It is not uncommon that downloading a ransomware leak with take weeks or months to achieve. However, threat actors do attempt to get around this challenge by providing download leaks to third party file hosting providers or making the download available via torrent.  

What DarkOwl Does with Leaks 

DarkOwl actively collects leaks which are freely available and makes these available to our customers to ensure they are able to monitor for any exposure that they might have. We seek to obtain leaks which contain data which is high value and is most likely to be used in ongoing attacks. We actively seek leaks which include PII and offer unique data which is not shared elsewhere.  

Furthermore, we seek to ensure that we collect leaks which a global in nature, not focusing on one geographical location. Every area of the world is at risk from data leak, and we seek to make sure we can support the protection of as many areas as possible.  

We also seek to collect leaks, where possible that are most important to our customers and will pursue leaks wherever possible that are requested. This includes ongoing monitoring of our vast dark web data to identify, as soon as possible, if and when a leak is made available.  

Recommended Remediation 

There are several steps that both companies and individuals can take in order to remediate the risk that is posed by data leaks. The following are examples of actions that can be taken.  

• Freeze your credit report 

• Create and maintain a strong password policy 

• Use of password managers 

• Active monitoring of exposure in leaks 

• Vigilant for social engineering and phishing attacks 

• Change passwords if included in a breach, or on a regular basis 

• Enable 2FA on all available accounts 

• Limit the amount of personal data that you share online, including social media sites and other sources

---

Curious to learn more about DarkOwl’s collection process? Contact us.

September 12, 2024

Earlier this month, Alison Halland, Chief Business Officer of DarkOwl, attended AFCEA/INSA Intelligence and National Security Summit in National Harbor, MD.

Alison and Kathy Hoffman represented the DarkOwl team at the Intelligence and National Security Summit hosted by INSA and AFCEA for a busy 2 days. The event describes themselves as “the nation’s premiere conference for unclassified dialogue between U.S. Government intelligence agencies and their industry and academic partners,” and had over 2,100 attendees this year.

AFCEA International is a non-profit organization founded in 1946 that supports its members by offering a platform for the ethical exchange of information. It is committed to advancing knowledge by addressing topics of importance to its members in information technology, communications, and electronics, particularly within the defense, homeland security, and intelligence sectors. The Intelligence and National Security Alliance (INSA) is a nonpartisan, nonprofit organization dedicated to fostering public-private partnerships that advance intelligence and national security priorities. INSA focuses on identifying, developing, and promoting collaborative solutions to national security challenges. With over 160 member organizations, INSA benefits from active involvement by leaders and senior executives across the public, private, and academic sectors.

In addition to the exhibit hall, attendees could participate in a number of speaking sessions and breakout sessions. During the plenary sessions, top agency and military intelligence leaders discussed strategic intelligence challenges, military intelligence priorities, and the state of the community, and during the breakout sessions, senior executives, technology experts, and thought leaders explored some of the most pressing issues facing the community. Speakers included leaders from the Federal Bureau of Investigation, In-Q-Tel, the Defense Intelligence Agency, the Central Intelligence Agency, Defense Innovation Unit, US Navy, U.S. Space Force and many more. Topics included issues such as AI and emerging technologies, China and CI security, space acquisition, and more.

One of the common themes throughout the conference is the agreed upon need for darknet data. What was once viewed as a “nice to have,” is no longer. Government agencies and companies alike are on the same page that the data DarkOwl can provide is invaluable. Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds are key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives.

DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into. Using our darknet search engine, investigators are able to collect intelligence without having to access the darknet directly, offering a layer of protection and improved case-building efficiency.

Our government applications span a wide range, encompassing the tracking of threat actors, criminal activities such as drugs and human trafficking, malware detection, monitoring hacking forums, and searching marketplaces for illegal or stolen credentials, personal identifiable information, and intellectual property. Utilizing DarkOwl Vision, our darknet search engine, investigators can gather intelligence on individuals or subjects of interest, extracting usernames, aliases, chatroom activities, and potentially incriminating information. This data is then employed to compile evidence and solve intricate crimes. Our passion, our focus, and our expertise is the darknet.

The DarkOwl looks forward to attending the Intelligence and National Security Summit next year!

---

Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.

September 06, 2024

Cybersecurity might as well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bullet proof hosting, CVEs, and APIs. In this edition, let’s dive into brute force attacks.

Brute Force Attacks 101

A brute force attack is an attack that involves trying to identify all possible combinations (usually passwords) to find a match of the credential via trial and error until entry is gained. The goal is usually to gain access and then steal sensitive, proprietary or corporate information. While brute force attacks are not a new method used by hackers and cybercriminals, it is on the rise, as a once time-consuming method, advancements in specialized and automated tools have made these attacks more feasible against weak security systems.

According to recent reporting, brute force attacks increased by 74 percent between 2021 and 2022. Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be via account takeover utilizing stolen or brute forced credentials. In addition, Verizon reports that over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.

There are several types of brute force attacks:

• Simple Brute Force Attack: attackers try all possible combinations without any shortcuts until the correct one is found.
• Dictionary Attack: attackers use a precompiled list of words and common passwords to guess the correct password.
• Hybrid Attack: attackers combine dictionary attacks with brute force methods. It starts with a dictionary list and then tries variations, such as adding numbers or symbols to the words.
• Reverse Brute Force Attacks: attackers start with a publicly known or leaked password password and try it against multiple usernames.
• Credential Stuffing: attackers test if historically exposed email addresses and password combinations are valid logins across multiple commercial websites. 
• Rainbow Table Attacks: attackers use precomputed tables of hash values for all possible passwords.

DarkOwl Vision Password Analysis

Last year, DarkOwl data scientists conducted a password analysis of all the passwords collected in DarkOwl Vision. 102,368,238 passwords were found that followed a yyyy-mm-dd format, and 13,223 with passwords with yyyy/mm/dd. While utilizing special characters like numbers is a good practice for password hygiene, the prevalence of users who incorporate a date into their password means that threat actors will leverage this to attempt to brute force accounts.

There are several password “cracking” tools readily available to hackers to conducting dictionary and brute force style password attacks. Some of the most popular tools include:

• John the Ripper
• Cain & Abel
• OphCrack
• THC Hydra
• Hashcat
• Brutus
• RainbowCrack
• CrackStation

Even the most sophisticated password crackers will need significant processing power and time to successfully break long, complex passwords. Unless an 8-character password includes numbers and symbols, the password can be potentially brute forced. The table below shows the time to needed to crack passwords of varying degrees of character length and complexity.

Brute Force Attacks in the Wild

Below are recent examples in the news of cyber groups reportedly using brute force attacks to hack accounts of individuals and organizations.

Ukraine arrests individuals who hijacked social media, email accounts

An organized crime group who operates throughout Ukraine had three members arrested by the Cyber Police of Ukraine. The suspects used brute-force to procure login credentials and then sell them on the darkweb for profit. Computers, phones, and bank cards were all seized from the residences of the people arrested.

Brute-forcing is not a sophisticated method of operation, but it is effective. Multi-factor authentication is a solid security step to take towards reducing the effectivity of brute-force operations. This incident also demonstrates how data from everyday activities such as login credentials from social media as well as banking, online bill pay, and more, can be weaponized. Actors take steps to steal this information and then gain financial profit from selling it, endangering personal accounts and digital hygiene for innocent people.

China’s “Earth Krahang” infiltrates organizations throughout 45 countries

Government organizations worldwide were the target of a two-year, Chinese state-sponsored campaign. Spear-phishing is employed to deploy backdoors while exposed internet-facing servers are also attacked, leading to a multi-pronged attack. The group uses open-source tools to build VPN servers and then brute-forces email accounts to procure passwords, focusing on compromised Outlook accounts.

Cisco cautions of increase in brute-force attacks targeting VPN, SSH services

Citing TOR exit nodes as the origin, Cisco issued a warning about broad attacks targeting Cisco VPNs, web services, and Mikrotik routers. The brute-force attempts use tunnels and proxies for anonymization. Patching is one of the simplest ways to offer protection against this method.

Successful attacks could result in locking users out of their accounts as well as provide unauthorized network access, enabling the theft of credentials, network metadata, and more damaging, sensitive information that could be used in other malicious operations.

Stealthy MerDoor malware uncovered after five years of attacks

A new Advanced Persistent Threat (APT) group named LanceFly is utilizing a custom, stealthy backdoor called “Merdoor” to target organizations in South and Southeast Asia since 2018. Methods for initial access are unclear, but Symantec has observed the group using methods such as phishing emails, SSH credential brute forcing, and others. Merdoor is put into “’perfhost.exe’ or ‘svchost.exe” which are both real Windows processes through DLL side-loading. The stealthy backdoor is persistent and can remain on devices between reboots. The backdoor establishes connection with a C2 server, from which it can be given instructions.

Brute Force Attacks in DarkOwl Vision

Cyber criminals and hackers frequently discuss vulnerabilities, tools techniques and procedures (TTPs), and on the darknet and darknet adjacent platforms. Below we share screenshots from DarkOwl Vision UI that highlight the use of brute force attacks. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.

GitHub

The first two screenshots below portray a Russian language user sharing a link to a GitHub repository containing brute force attack source code for android devices on the well know Russian language darknet forum, XSS. The second image portrays the same information in its original format directly on the XSS forum.

Figure 1: XSS mention of Russian threat actor sharing link to brute force attack source code for Android devices on GitHub; Source: DarkOwl Vision

Figure 2: Brute force attack source code on GitHub; Source: Tor Anonymous Browser

In the screenshot below, threat actors discuss in a Discord channel a new scanning and brute force framework available on GitHub, praising the tools exceptional speed.

Figure 3: Discord channel showcasing a new brute force tool available on GitHub; Source: DarkOwl Vision

DarkOwl analysts also found darknet market posting offering brute force attack software in exchange for $500 USD worth of bitcoin. This poster claims that they have made $12,000 USD in 2 months using this software.

Figure 4: Darknet marketplace offering brute force attack method; Source: DarkOwl Vision

In addition, as we know, threat actors utilize the darknet and darknet adjacent sites to exchange information, best practices and ask questions. This is one of the reasons why it is so important to monitor this activity – we are learn about upcoming trends, what they are discussing and prepare for the attacks being planned. In the example below, an actor is asking the community how long they can expect a brute force attack to take.

Figure 5: Cyber threat actors discussing brute force attacks; Source: DarkOwl Vision

How to Defend Against Brute Force Attacks

Believe it or not, 98% of cyberattacks can be prevented with basic hygiene. Below are several tips to prevent brute force attacks and more in-depth password strengthening tips.

• Strong password.
• Lock accounts after a certain number of failed login attempts. This will limit automated guessing and automated tools.
• Limit the number of login attempts that can be made within a given period of time. This will limit automated guessing and automated tools.
• Monitor IP addresses for frequent login attempts.
• Use multifactor authentication.
• Use captchas to prevent bots from attempting to login.

Password Strengthening Tips

Everyone can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.

• Use an automated complex password Manager like Lastpass, BitWarden, or 1Password.
• Don’t reuse passwords. Have unique password for every login and streaming service you sign up for.
• Choose passwords at least 16 characters in length.
• Include symbols and numbers for increased complexity.
• Avoid using passwords with dictionary words or names.
• Don’t use sequential numbers or the word “password”
• Don’t use the year of your birth or anniversary in your password.
• Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.

---

To see DarkOwl Vision in action, contact us.