Threat Intelligence RoundUp: March

April 03, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. New MacStealer macOS malware steals passwords from iCloud Keychain – Bleeping Computer

A new information stealer named MacStealer targets Mac users specifically. The stealer can take credentials that have been stored in the iCloud Keychain, web browsers, crypto wallets, and other sensitive files. It is being sold for $100 as malware-as-a-service and was first spotted by Uptycs analysts on a darknet forum. It works on macOS Catalina up to Ventura. MacStealer is distributed as an unsigned DMG file with the goal of tricking the user into executing it on their machine. The malware then gathers passwords, puts them in a ZIP file, and sends them to a C2 controlled by the actor, who is notified via a Telegram channel. Read full article.

2. FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises – The Federal Trade Commission

BetterHelp offers online counseling services. Health information, especially mental health information, is of utmost importance to keep confidential. According to the Federal Trade Commission (FTC), BetterHelp pushed people to take an Intake Questionnaire that prompted them with questions about sensitive health information and would not let them proceed through the questionnaire until those questions were answered. Read more.

3. Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency – The Hacker News

An old security flaw in Progress Telerik was used by multiple threat groups to break into a “federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.” The flaw exploited was a .NET “deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX.” CISA, the FBI, and MS-ISAC (Multi-State Information Sharing and Analysis Center) disclosed the information in a joint statement; the bad actors had access from November 2022 to early January 2023. The CVE that was exploited, CVE-2019-18935, is commonly exploited by threat actors and has been used by the group Praying Mantis. Read more.

4. BidenCash market leaks over 2 million stolen credit cards for free – Bleeping Computer

A darknet marketplace, BidenCash, known for its carding data, has released a free database of 2,165,700 debit and credit cards to celebrate its 1 year anniversary. According to researchers from Cyble, 2,141,564 are unique and the other thousands are duplicates. The released data contains the information that makes up “fullz” – financial information leaked together with personal information (PII) such as address, email, etc., which can be leveraged by cyber criminals for sophisticated social engineering, phishing, or other attacks. Free credit card leaks as promotions for users are a marketing technique that BidenCash has used before. Read full article.

5. Silicon Valley Bank collapse poses challenge for cybersecurity defenders, firms – The Washington Post

The collapse of Silicon Valley Bank in mid-March quickly became a new playground for cyber criminals and cyber attacks, as we have seen time and time again that hackers and cyber criminals often wait for tragedy to hit before striking. This is the perfect scenario for a financially motivated threat actor. This article outlines who should be concerned and the scams to watch out for. Read here.

6. Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware – The Hacker News

GootLoader and FakeUpdates (SocGholish) are two malware families that have been used in separate threat campaigns to target 6 law firms this January and February. GootLoader has been around since 2020 and can deliver Cobalt Strike and ransomware. Threat actors compromised WordPress sites and added new posts containing “business agreements” that, when downloaded, delivered GootLoader. SocGholish uses sites commonly visited by law firms to carry out watering hole attacks. This malware strain does not deliver ransomware. Both campaigns show browser-based attacks growing in popularity as an infection vector and starting to compete with the traditional method of infection via email. Read more.

7. First-known Dero cryptojacking operation seen targeting Kubernetes – Bleeping Computer

Dero is a cryptocurrency advertised as more private and secure than Monero. However, it has recently been the target of a cryptojacking operation. In this attack, threat actors target vulnerable Kubernetes clusters whose orchestration API is exposed. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

April Fools? How Threat Actors Try to Trick You With Phishing Emails

Threat actors get crafty with their phishing scam techniques, which is no laughing matter.

April 01, 2023

Diving into Phishing Trends by Categorizing Phony Emails

To learn more about trends in the phishing and spam email landscape, our analysts created accounts for fake email addresses that were posted on the darknet. These addresses were mainly sourced from combolists, which are large batches of credentials that typically come from a variety of different breaches or other illicit sources.

Over the course of the year, 1,407 emails were sent to these email addresses. Given the context they were found in, these emails likely only exist to be used by threat actors much like other combolists that are posted on the dark web. That is, to be run through a credential stuffing tool to find successful email/password combos and commit account takeover, or to target the addresses with malicious phishing emails.  

To demonstrate examples of the kinds of dubious emails our analysts received, we ranked them from most popular to least popular and assigned them to the following categories: Personally Identifiable Information (PII) Stealers, Fraud, Malware, and Spam.

Read on to see what type of scam and spam emails were the most popular amongst threat actors over the past year, and to see what key trends our analysts observed in the world of phishing.

1. Sales Spam (26%)

Type: Spam

Of the 1,407 emails, a whopping 365 of them were generic sales spam with no clear motive. This suggests the reason for sending them was unlikely to be to commit fraud.

365 of the emails were sales/personal services spam

2. Survey Scams (17.5%)

Type: PII Stealer, Fraud

Most of these emails invited the recipient to take a survey to win a gift card to popular stores like Walmart, Ace Hardware, and so on. This can be used to gather personal information from the target to execute more refined spearphishing in the future, or leveraged for account takeover.

245 of the emails were survey scams

3. “I hacked you” Scams (16.8%)

Type: Fraud

“I hacked you” scams typically contained some variation of a threat such as “I caught you on webcam” – with the sender threatening to release “footage” or encrypt the recipient’s computer unless they pay a Bitcoin ransom. There was a significantly higher number of emails in this category than observed in previous years.

237 of the emails were “I hacked you” scams

4. “You’ve won free stuff” Scams (7%)

Type: Malware

97 of the emails claimed that the recipient had won some type of reward, including reward points, commercial goods, rebates, and so on. Once the target clicks the link or opens the attachment to claim their “free stuff”, they end up installing ransomware instead.

97 of the emails were “you won free stuff” scams

5. Phone Scams (6.8%)

Type: Malware, PII Stealer

These emails, designed to get around endpoint security, contain a fake invoice for a software subscription with a real toll-free “customer assistance” number. Once the victim calls, the operator usually attempts to social engineer them into revealing PII, or tricks them into installing ransomware. Overall, we saw a big uptick in these compared to previous years – with many leveraging big names such as Geek Squad, McAfee, and Norton.

96 of the emails were phone scams

6. “Generic” Scams (4.8%)

Type: PII Stealer, Fraud

A significant portion of the email data set fell into the category of “generic” – including scams and “advanced fee” schemes. These are mainly weaponized to steal personal information and commit financial fraud or identity theft.

68 of the emails were of the old-school variety, such as 419 scams

7. Counterfeit Spam (4.1%)

Type: Spam, Fraud

These emails advertise below-market rates for high-end brands that are ultimately for counterfeit goods. Of the 58 sent to our analysts, most advertised for well-known luxury brands such as Louis Vuitton and Ray-Ban.

58 of the emails were counterfeiting spam

8. Junk Car Scams (3.7%)

Type: Fraud

“We’ll buy your car” scams continue to be fairly consistent in popularity – though they may not be reported on as often as some of the other categories on this list. For further reading on this topic, our analysts suggest this resource that outlines 5 common scams for prospective car sellers.

53 of the emails were junk car scams

9. Fake Lawsuit Scams (3%)

Type: PII Stealer

“You could be eligible for compensation” – these types of infostealers usually falsely claim the victim could be eligible for compensation if they participate in a phony lawsuit.

42 of the emails were fake lawsuit scams

10. Elder Abuse Scams (2%)

Type: PII Stealer, Fraud

Our analysts identified 28 emails that were directly targeting seniors. Most of these could be identified by keywords such as “senior”, “55+”, “timeshare”, “retirement”, and “over 60”. This suggests that not only is this attack vector still as popular as ever, but that actors are being quite blatant in their marketing towards this demographic.

28 of the emails were scams targeting seniors

11. “Cheating” Scams (2%)

Type: Malware

Many of these emails touted a tool that claimed to let the recipient see or verify the (likely) phony claim that their spouse or partner was cheating on them, by installing spyware on their computer.

28 of the emails were “cheating” scams

12. Fake Notifications Scams (1.6%)

Type: Malware

The 23 emails that fell in this category included phony alert emails claiming that the recipient had unread notifications from popular services such as Tinder, Reddit, Whatsapp, and LinkedIn. Popular subject lines contained some variation of “12 unread messages” or “You’ve matched with someone”, etc.

23 of the emails were fake notifications scams

13. Romance Scams (1.4%)

Type: Fraud

Seeing as how romance scams have tripled in popularity in the past few years, our analysts expected to see more of this type of phishing scheme.

20 of the emails were romance scams

14. Fake Invoice Scams (1.3%)

Type: Fraud, Malware

These emails were consistent with the typical invoice scams that have been popular in past years. They are typically blasted out to businesses or to email addresses that look like they might belong to accounts payable, office managers, or other administrative staff, and include a “real” invoice for nonexistent goods or services.

19 of the emails were fake invoice scams

15. CCW/2A Spam (.7%)

Type: PII Stealer

This type of scam is not one that our analysts have observed very often, if at all, before this analysis. These phishing emails mainly offered assistance in obtaining concealed carry permits. Most likely, this is a PII stealer scheme.

10 of the emails were CCW/2A spam

16. Unclaimed Assets Scams (.5%)

Type: PII Stealer, Fraud

Many of the unclaimed asset scam emails claimed that the recipient was entitled to property from either inheritances, or from unallocated government holdings. In the example below the sender broadens the asset to “unidentified property” – making the chances that a target might think it could apply to them more likely.

8 of the emails were unclaimed assets scams

17. Scam Job Offers (.3%)

Type: PII Stealer, Fraud

Only four emails consisted of fake job postings. Given the overall uptick in scams of this nature, this was fewer than our analysts expected.

4 of the emails were job scams

18. IRS Scams (.2%)

Type: PII Stealer, Fraud

Given that this data set included two tax seasons, it was surprising to see how few IRS scams there were. Specifically, our analysts found the lack of specific “IRS” and “tax/taxes” keywords in emails’ subject lines to be significant.

3 of the emails were IRS scams

19. Other Malware (.2%)

Type: Malware

These emails contained malicious links that were likely ransomware. Their phishing pretexts didn’t fit into any of the other categories.

3 of the emails contained malware but didn’t fit into any of the other categories above

Further Observations

Sales spam still dominates, and phone scams are on the rise

After categorizing and ranking these emails, our analysts made note of several key observations:

IRS Scams are down – Tax fraud phishing campaigns that specifically mention taxes or the IRS are way down from previous years. This is likely due to IRS messaging and warnings, which seem to have done their job in at least deterring actors from using this method so heavily.

Phone Scams are more popular – Phone number malware campaigns, designed to get around endpoint security, are becoming more prevalent.

Fewer emails marked as “High Priority” – Of all the emails, only 4 were marked as “High Priority,” which is a shift from previous years. In the past, this was a common tactic to create a sense of urgency and improve open rates.

“I hacked you” scams proving to be lucrative – We saw a huge uptick in this type of email over the past year. In this type of scam, the sender usually blasts emails out to a massive list and might only get money from one or two people. Their uptick in popularity indicates that the financial reward from even just a handful of victims is lucrative enough to incentivize more threat actors to use this method.

Never ever open email attachments – While only 7.53% of analyzed emails had an attachment, every single one of those contained malware. The takeaway? Assume that all attachments are malicious unless you are able to verify otherwise in a safe sandboxed environment.
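The triage described in the ranking above and in these observations (keyword categories such as the “senior”/“55+”/“timeshare” hints, the “unread messages” notifications, the IRS/tax subject lines, and the phone scams that carry no link or attachment) can be scripted. The following is an added example, not DarkOwl’s own tooling: the categories and the keyword hints come from the post, while the regular expressions, the ten sample messages (constructed) and the scoring rule for phone scams are assumptions made for illustration. It classifies each message, ranks the categories by share, and reports the attachment and “High Priority” rates that the observations call out.

```python
"""Keyword-based triage of a constructed spam/phishing mailbox (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Email:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    high_priority: bool = False


# North American toll-free prefixes (800/833/844/855/866/877/888) in common layouts.
TOLL_FREE = re.compile(r"\b1?[-. ]?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")
URL = re.compile(r"https?://\S+", re.I)
INVOICE = re.compile(r"\binvoice\b", re.I)

# Ordered rules: the first match wins, so the more specific pretexts come first.
# The IRS, elder-abuse and fake-notification keywords are the ones the post names;
# the remaining phrasings are assumed.
RULES = [
    ("IRS Scam", re.compile(r"\b(?:irs|tax(?:es)?)\b", re.I)),
    ("Elder Abuse Scam", re.compile(r"\b(?:senior|timeshare|retirement|over 60)\b|55\+", re.I)),
    ("Fake Notification Scam", re.compile(r"\b\d+ unread messages?\b|you.ve matched", re.I)),
    ("I Hacked You Scam", re.compile(r"\b(?:hacked you|caught you on webcam)\b", re.I)),
    ("Survey Scam", re.compile(r"\bsurvey\b.*\bgift card\b", re.I | re.S)),
    ("You've Won Scam", re.compile(r"\byou.ve won\b|\bclaim your (?:reward|prize)\b", re.I)),
    ("Fake Invoice Scam", INVOICE),
]


def classify(email: Email) -> str:
    """Return the category for one message; unmatched mail is treated as sales spam."""
    text = f"{email.subject}\n{email.body}"
    # A phone scam is an invoice whose only call to action is a toll-free number:
    # no link and no attachment, so URL filters and attachment sandboxes see nothing.
    if INVOICE.search(text) and TOLL_FREE.search(text) \
            and not URL.search(text) and not email.attachments:
        return "Phone Scam"
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return "Sales Spam"


def summarize(emails: list[Email]) -> dict:
    """Rank categories by share and report attachment / high-priority rates."""
    total = len(emails)
    counts = Counter(classify(e) for e in emails)
    with_attachment = sum(1 for e in emails if e.attachments)
    return {
        "total": total,
        "ranked": [(cat, n, round(100 * n / total, 1)) for cat, n in counts.most_common()],
        "attachment_rate": round(100 * with_attachment / total, 2),
        "high_priority": sum(1 for e in emails if e.high_priority),
    }


# Constructed sample mailbox; phone numbers and URLs are placeholders.
SAMPLE_EMAILS = [
    Email("Complete our survey and win a $100 Walmart gift card",
          "Take a short survey to receive your gift card today."),
    Email("I hacked you", "I caught you on webcam. Pay 0.5 BTC or the footage goes to your contacts.",
          high_priority=True),
    Email("Your Geek Squad subscription invoice #4471",
          "You have been charged $399.99. To cancel, call customer assistance at 1-888-555-0142."),
    Email("Invoice 2023-031 attached", "Please find attached the invoice for services rendered.",
          attachments=["invoice.zip"]),
    Email("12 unread messages on Tinder", "Someone matched with you! http://example.invalid/login"),
    Email("Seniors 55+: timeshare exit program", "Retirement planning for those over 60."),
    Email("Your 2022 tax refund is ready", "The IRS owes you $1,240. Verify at http://example.invalid/irs"),
    Email("Summer clearance: 40% off everything", "Shop our sale this weekend."),
    Email("You've won a new iPhone!", "Claim your prize: open the attached form.",
          attachments=["claim.docm"]),
    Email("Personal training sessions 50% off", "Book your first session now."),
]

if __name__ == "__main__":
    for cat, n, pct in summarize(SAMPLE_EMAILS)["ranked"]:
        print(f"{cat:<24}{n:>3}  {pct:>5}%")
```

The phone-scam test runs before the keyword rules on purpose: an invoice with a toll-free number and nothing else to click is the case the observations flag as slipping past endpoint controls, so it must not fall through to the plain “Fake Invoice” bucket. The attachment rate is reported separately because the post’s own finding is that every attachment in the set was malicious, which makes that single field a useful triage signal on its own.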


Research indicates that the most successful attack vectors include exploitation of email credentials, either via phishing attacks or account takeover. Take control by gaining situational awareness of your company’s darknet exposure by contacting us here.

Ransomware RoundUp: 2022

March 30, 2023

Ransomware groups continued to be a major threat over the past year, causing significant financial and reputational damage to their victims. Their evolving tactics and strategies make it increasingly difficult for organizations to defend against their attacks. However, with increased awareness and investment in cybersecurity, governments and businesses can work together to protect themselves from this growing threat.

Despite the number of reported ransomware complaints decreasing in 2022, the victim payouts have increased. The IC3 estimates that from 800,944 complaints the potential loss is around $10.2 billion. Ransomware continues to run rampant with around 33% of organizations globally being a victim of ransomware, indicating that the groups are becoming more confident and targeted.

Figure 1: Source: 2022 IC3 Report

The overall increase in victim payouts could be partly due to the ways ransomware gangs have changed their operations. In 2022, ransomware groups deployed more backdoors – which allow for remote access. They also began to favor extortion, typically through ransomware or business email compromise. Europe saw 44% of these extortion cases.

According to IBM’s X-Force Threat Intelligence Index, the manufacturing industry was the most extorted in 2022. The FBI’s IC3 (Internet Crime Complaint Center) received the most ransomware attack complaints from Health Care and the Public Health sector; a trend DarkOwl has seen reflected in the victims of the groups detailed below.

Figure 2: Source: 2022 IC3 Report

In this roundup, DarkOwl analysts take a look at the some of the largest ransomware and ransomware-as-a-service (RaaS) gang activity from 2022, and introduce several new and emerging groups that DarkOwl has observed actively operating on the darknet today.

Review of Active Ransomware Groups in 2022

LockBit

LockBit has been one of the most active ransomware groups this year, claiming to have targeted 436 organizations in just the latter half of 2022. In June 2022 the group released LockBit 3.0, with new capabilities that make it harder to identify, and notably started their own bug bounty program. After a LockBit attack on SickKids hospital, LockBit blamed one of their affiliates, released a decryption key for free, and apologized, saying the attack went against their policy.

Black Basta

A newcomer that rose to prominence in April 2022 with their attack on the American Dental Association is Black Basta. This group also has possible ties to other ransomware gangs such as Conti, REvil, and Carbanak (FIN7). They specialize in double extortion and have been seen outsourcing tooling through initial access brokers, Qakbot, and Cobalt Strike.

Black Basta has been observed using the darknet to request login credentials for initial access. Their malware and victim selection suggest they are sophisticated ransomware actors.

Figure 3: User Black Basta posts in a Darknet forum for corporate access; Source: DarkOwl Vision

Hive

Hive ransomware was first observed in June 2021 and uses an affiliate RaaS model. Unlike some other groups who claim a moral code, Hive has repeatedly targeted healthcare organizations and threatened to leak patient information. As of March 2022, 125 healthcare organizations had been targeted by Hive.

Hive’s original ransomware was written in Go – but, in 2022, they switched to Rust. The switch improved their encryption method, among other advantages.

In January 2023, the Hive operation appeared to have been shut down with a seizure banner appearing on their site detailing a multi-country law enforcement operation. Law enforcement had access to Hive’s computer networks ahead of the takedown and were able to help those who would have been victims.

Figure 4: Hive Ransomware seizure banner; Source: Malwarebytes

Conti

Going into 2022, the Conti ransomware group was one of the most active and prolific RaaS groups. At the outset of the Russian invasion of Ukraine, Conti was one of the first to announce its support for the Russian government, after which their ransomware source code and other sensitive data, including PII and private communications between actors, was leaked. In late May 2022 Conti shut down their official Tor website, Conti News, and the service site for their negotiations went offline. However, reporting indicates that the group has dispersed rather than disappeared, with some members joining other ransomware groups such as BlackBasta, BlackByte, and Karakurt. It is also possible that Conti may reappear under a different name in the future.

BlackCat

The BlackCat ransomware group (ALPHV), which first appeared in late 2021, is thought to have infected more than 60 victims in its first 6 months of operation. The group is reported to be connected to BlackMatter/DarkSide, with the FBI reporting that many of the developers and money launderers in the group originated from DarkSide. BlackCat was the first group to use Rust in their attacks, before it was adopted by Hive. BlackCat was also one of the first groups to create a public data leak site, and in 2022 they added a search feature for their indexed stolen data to put more pressure on organizations to pay their ransom. LockBit later followed suit. They continue to be active in 2023.

New or Emerging Ransomware Groups

DarkOwl has identified several emerging ransomware groups that are presently active on the dark web. Each of the new ransomware gangs below rose to prominence in 2022 and continue to be active into 2023.

0mega

The 0mega ransomware group was first identified in May 2022, targeting organizations worldwide with double-extortion techniques. At the time of writing no sample of the 0mega ransomware variant has been identified and analyzed. The ransom demands are customized to the victim, and victims are required to upload the demand to access the Tor payment negotiation site. The 0mega leak site on Tor currently has 3 victim companies listed with links to download the data. The site was last updated 2023/02/11.

0mega’s operation appears to be organized and is a group to look out for this year. 

Figure 5: 0mega Data Leak Site; Source: Tor Anonymous Browser

BianLian

BianLian has had infrastructure since December of 2021 and tripled their infrastructure in August of 2022. Their victims include health services, information technology services, education, and construction companies. They have created their own toolkit with their ransomware written in Go, and have been seen using living off the land techniques and can establish a backdoor for persistence. BianLian currently offers an I2P mirror complete with instructions for how to install.

Avast recently released a free decryptor for the currently known BianLian ransomware strain. This could explain why BianLian has recently not been encrypting victims’ data, focusing instead on extortion. The group will need to stay ahead of researchers’ decryptors this year to continue targeting victims successfully.

Figure 6: BianLian Data Leak Site; Source: Tor Anonymous Browser

Daixin

The Daixin ransomware group is known for targeting the health sector, leading CISA to issue a cybersecurity advisory to this sector in October 2022. The group has been active since June 2022 and built their ransomware from leaked source code attributed to Babuk Locker. In early 2023, their Tor leak site had 8 victims listed with details of what documents had been obtained by the group.

The Daixin Team encrypts the servers relied on by healthcare organizations, which means they can halt key services, increasing the likelihood of a payout, and can also exfiltrate PII, creating a further revenue stream as this data achieves higher prices on dark web marketplaces. However, consistently attacking healthcare organizations has drawn the attention of law enforcement, which could mean they are on the verge of disruption. Nevertheless, due to its profitability, the Daixin team will likely continue targeting this sector. The health sector should be wary of Daixin.

Figure 7: Daixin Team Tor Site; Source: Tor Anonymous Browser

Royal

Royal first materialized in January of 2022 and is believed to be made up of actors previously associated with Conti, TrickBot, and Roy/Zeon malware (the group was originally named Zeon). Unlike some other groups, Royal does not provide its ransomware as a service and they do not make their code available to affiliate actors. Recently they have released a malware variant which preys on Linux systems. The group is known for using call-back phishing tactics impersonating food delivery or software providers.

Royal’s Tor page begins with a contact form, requiring the user to submit an email address. It also has search bar functionality to identify victims. Royal currently has around 58 victims for 2023 listed on their site, the highest of any group reviewed in this article. Royal will upload samples of data to this site to prove their legitimacy to their victims. If the victim refuses payment, 100% of the stolen data will then be uploaded to the site. Some ransomware gangs will remove victims’ information from their site if they pay the ransom. Therefore, the number of victims shown does not always reflect the true number of victims targeted.

Figure 8: Royal Ransomware Tor Site; Source: Tor Anonymous Browser

Although Royal ransomware has emerged recently, researchers believe the actors running the group are sophisticated and experienced. DarkOwl analysts assess Royal will continue to grow into an even greater threat in 2023.

Final Thoughts

Ransomware is an ever-evolving threat ecosystem. Some groups are driven by political motivations, but most attacks are for financial gain. Ransomware groups use the darknet and darknet-adjacent sites to negotiate with victims, spread their personal brand, and develop or purchase new, sophisticated technology to thwart cyber defense teams. Advances in cyber defenses have prompted some groups to focus on data extortion, pressuring companies with the valuable private data they have stolen rather than encrypting networks.

Despite the successes of cyber defense teams in 2022, ransomware gangs will be keen to develop different tools and tactics to better evade security measures. Additionally, ransomware attacks are underreported – around 75% are never reported. Even when law enforcement successfully shuts down a ransomware operation, the group is likely to rebrand or the members will simply disband and work for other ransom groups. Given some entities are still willing to pay, ransomware will remain a threat because of potentially massive financial rewards.

DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.


Interested in learning more? Contact us to learn about our Ransomware API.

The Hidden Economy of Credentials on the Darknet

March 28, 2023

Earlier this month, DarkOwl contributed to the State of Secrets Sprawl 2023 report by GitGuardian. In this blog, we highlight our contributions. Check out the full report here.


When it comes to secrecy, there is one place that cannot be ignored: the darknet.

Darknet 101

The darknet, also referred to as the dark web, is a layer of the internet designed specifically for anonymity. It is more difficult to access than the surface web and is accessible only using specialized software or network proxies – specifically browsers supporting special protocols. Users cannot access the darknet by simply typing a dark web address into a standard web browser. Adjacent to the darknet are other networks, such as instant messaging platforms like Telegram and the deep web (non-public web).

Due to its inherently anonymous and privacy-centric nature, the darknet facilitates a complex ecosystem of cybercrime and trade in illicit goods and services. The dark web is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture. Still, it is an increasingly vital component for organizations with forward-thinking strategies.

“Secret” data, including tokens and keys found on open repositories such as GitHub, are easily re-sold (or sometimes shared for free) on the darknet and deep web.

How Does It Work?

In some cases, such as that of the deep web site BreachForums, leaked data is offered for download via vendor-specific currency in the form of generally inexpensive credits. Another way to accrue credits is to share other breached data for users to download. Users can also gain credits to purchase these stolen data packets by commenting on and engaging with other user posts. Both of these aspects of the darknet breach economy encourage discovering and re-sharing of sensitive user data and creativity in exploiting previously-exposed information.

Consequently, an extensive amount of sensitive information is available for download on the darknet and deep web, ranging in price from free to several thousand dollars. While such free exchanges may challenge the use of the word “economy” – it is crucial to remember how this stolen information is used. The vast majority of cases result in hackers gaining illicit access to user accounts and either exploiting them for financial gain or using them to pivot into corporate network access to carry out larger-scale attacks.

Examples

Verizon

The below screenshots demonstrate a typical database leak offering. Note: the top of the second image breaks down the extent of the data available per Verizon user. This breached information has been offered entirely free (no digital currency or credits are required to download).


TSA No-Fly List

The recently hacked US TSA No-Fly list is offered for credit tokens on a deep web forum.

DoorDash User Account

While the token or credit-based nature of the darknet economy does support “free” or more covert methods of exchanging secret data (such as credits), this is not always the case. For example, this DoorDash database of username and password combos for over 650,000 individuals was offered at a starting bid of 10,000 USD in August 2022.

Are Hackers Exchanging Secrets on the Darknet?

The shift towards everything-as-an-API in the commercial landscape echoes what DarkOwl analysts see in the darknet.

Discussions around stealing API keys and selling them is a relatively new phenomenon in the darknet over the last couple of years that we expect to continue to grow. Threat actors who are looking to facilitate the wider distribution of malware through supply chain compromises have also discussed credentials and pivot points sourced from open repositories.

Developers and security researchers worldwide have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage these incidences cause to the open-source software development movement.

How Many Credentials are for Sale on the Darknet?

While it is impossible to grasp the total size of the underground digital economy, DarkOwl does have insight into certain entities that indicate the potential for exploitation, including sensitive credential information. DarkOwl’s AI and analyst-augmented database is updated in near real-time and collects from hard-to-access reaches of the darknet, including authenticated forums, ransomware sites, chat platforms, open server databases, and breach/leak exchanges. As of January 2023, our records detected:


Interested in what darknet data is and how it applies to your business? Contact us.

DarkOwl Grows Presence in Dubai as GISEC Global Expands

March 24, 2023

Last week, DarkOwl participated in GISEC Global in Dubai, UAE. GISEC Global describes itself as “the leading gathering ground for the cybersecurity community worldwide.” At the event, one can expect top government dignitaries and cyber leaders, CISOs from major corporations, regional and international innovators, and global experts from top cybersecurity enterprises from 40 countries in the Middle East, Africa, and Asia. Every year cyber incidents cost 6 trillion dollars… GISEC attendees come together to lead cybersecurity transformations across sectors and nations to solve this problem by learning from the best to boost cyber resilience for a safer digital future.

Representing DarkOwl at GISEC Global was David Alley, CEO of DarkOwl FZE based in Dubai and Richard Hancock, Darknet Intelligence Analyst and Sales Engineer, based out of DarkOwl’s headquarters in Denver, CO. David Alley shared, “As almost all aspects of work and life have gone digital and the global digital landscape keeps changing, it is more important than ever that all strengthen their cybersecurity measures.” GISEC Global offers a platform for just this to happen; key industry leaders come together in order to stay ahead of potential threats, discover innovative strategies and remain secure from major disruptions.

In addition to networking and conversations at the booth, top minds of the space have the platform to share thought leadership, innovations and the latest in the cyber security space. Speakers were present from all around the world, including the UAE, Malaysia, USA, Singapore, Nigeria, India, South Africa, Egypt, Oman, Jordan, and many more. Topics ranged from why APIs are critical attack vectors and how to secure them, to transforming the role of the CISO, to unlocking true AI potential. There were several stages dedicated to different topics throughout the event: government, critical infrastructure, darknet, women in cybersecurity, and national security. In addition, there were halls dedicated solely to trainings, meetings and hands-on workshops. This is a major benefit of GISEC Global – the emphasis on thought leadership, sharing information and education.

The DarkOwl team remained busy over the three days manning the booth, meeting new prospects and showcasing our industry leading darknet platform, Vision UI. David Alley commented, “the traffic on the booth was non-stop.” In addition, the team was lucky to have several current clients and partners in attendance, including HWG and Pegasus Intelligence. David and Rich spent time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider.

DarkOwl is excited for GISEC Global in 2024 and to see the show grow for another year in a row.


DarkOwl looks forward to continuing their presence at several international events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

[Developing] BreachForums’ Alleged Admin Pompompurin Arrested, Dark Web Reacts

Last Updated 28 March 2023 – 23:09 UTC

Connor FitzPatrick Appears in Court

Last week we reported that an individual alleged to be the administrator of the dark web forum BreachForums was arrested in New York. On Friday, March 24, Connor FitzPatrick appeared in court charged with facilitating the unauthorized purchasing and selling of stolen identification documents, unauthorized access devices, unauthorized access to victim computer systems and login credentials.

What is really interesting is how the FBI were able to identify FitzPatrick as Pompompurin. It seems from the affidavit provided in court that FitzPatrick made several mistakes that ultimately led to his downfall, proving that human error is a big factor in the attribution of cyber criminals.

FitzPatrick logged on to both BreachForums and its predecessor RaidForums from IP addresses which were registered to his parents’ home address. Furthermore, he also accessed these forums and cryptocurrency wallets, exclusively funded by the bitcoin address linked to Pompompurin’s account, from a mobile device registered in his name. What’s more, FitzPatrick provided his real email address to the admin of RaidForums as proof that a breach he had purchased was not complete. Although he stated this was not his address, the FBI identified this exchange when they were able to seize RaidForums in early 2022.

Upon his arrest FitzPatrick claimed that he earned approximately $1,000 a day from his activities on BreachForums which he mainly used to maintain the forum – one wonders if this was worth the 5 years in prison he is likely to receive.


March 21, 2023

Almost exactly a week ago on March 15, 2023, an admin of the popular darknet and deep web site BreachForums who goes by the alias Pompompurin was arrested in Peekskill, NY. In this blog, DarkOwl analysts review what has happened to date and will continue to monitor the situation and update this blog accordingly.

Pompompurin Identified and Arrested

Pompompurin has been identified as US citizen Conor Brian FitzPatrick. FitzPatrick was charged with one count of conspiracy to commit access device fraud and bail was set at $300,000 – paid for by his parents. 

After news of the arrest broke publicly on March 17th, the reaction on BreachForums was quick, with members scrambling to find out what had happened and concern that the forum had been taken over by the FBI in a similar way to what happened with RaidForums. RaidForums was seized by the DOJ in April 2022 and had been taken over by them prior to the announcement of the arrest of the alleged administrator “Omnipotent” – Diego Santos Coelho.

Thread chatter on the soon-to-be defunct forum revealed members questioning if the news of Pompompurin’s arrest was real – even pointing to their user activity being “away” for the 48 hours beforehand as evidence that the news was in fact accurate.

Figure 1: Users on BreachForums discussing the news announcement of its administrator’s arrest, Source: DarkOwl Vision

The users of BreachForums, at the same time as they were discovering that Pompompurin had been arrested, wanted to know if they could delete their accounts to avoid meeting the same fate. They posted elements of reporting as well as details of FitzPatrick’s true identity.

Figure 2: Users of BreachForum discussing arrest, Source: Breachforums

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, and allowed users to buy and sell data which had been obtained through illegal means. The admins of the site ran an escrow service ensuring that sellers received the funds that they had requested. The site was widely used by cybercriminals to purchase stolen data and hosted controversial leaks such as data stolen from the Washington DC healthcare exchange. 

Pompompurin was also known to conduct cyber-attacks himself, admitting in an interview with Brian Krebs in November 2021 that he was responsible for sending fake emails using the fbi.gov domain. He claimed at the time this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI’s radar, leading to his recent arrest.

Interestingly when Pompompurin was arrested, he admitted to his role as admin on BreachForums and the use of this alias. 

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian FitzPatrick; b) he used the alias ‘pompourin,’ and c) he was the owner and administrator of ‘BreachForums,’ the data breach website referenced in the Complaint,” FBI special agent John Longmire testified.

This fact does not appear to have been looked on favorably by users of his forum, with discussions turning to how to evade the FBI by living in a different country than the US and not attacking US companies from within the US.

Figure 3: Discussions on how to evade the FBI, Source: BreachForums

On the other side, numerous users appeared to have some sympathy for “Pom” (as he is commonly referred to), with some stating that he was one of the nicest admins they had ever worked with and that he would delete accounts if you asked nicely.

One user even volunteered responsibility for any content they hosted on the dark web forum, ostensibly to alleviate potential legal trouble on Pom’s behalf.

Others offered to support him financially in his time of legal trouble.  

Figure 5: Users voice words of support among the fallout, Source: BreachForums

Discussion also centered around how the FBI were able to identify the true identity of Pom, with fingers being pointed at an open source intelligence company with whom Pom had apparently registered, and threats being made to attack that company.

They also showed concern about whether Pompompurin would share any information or become an informant with the “feds” with users being worried that their registration information would be found by the FBI.  

BreachForums had a co-admin who indicated that the FBI may have been able to access the systems if Pompompurin had shared this information or left his computer open when his parents’ home was raided.

Figures 6 and 7: More chatter around the potential fallout – including FBI involvement, Source: BreachForums

It was quickly shared that all of Pompompurin’s access had been disabled and that the co-admin was checking to see if they could confirm that the FBI were able to infiltrate the site. 

Figure 8: BreachForums’ co-admin chatting about checking FBI access, Source: BreachForums

While the discussions remained largely focused on potential risks for the remaining active users, others continued to point to a grassroots effort to protect Pom from law enforcement operations.

Figure 9: Discussions around how to remove logs and other digital evidence tying Pompompurin to BreachForums, Source: DarkOwl Vision

On Sunday the admin “Baphomet” announced that he would be closing down BreachForums as he was concerned that the FBI did in fact have access. He posted on the group’s Telegram channel as well as posting a more complete message explaining his decision.

Figure 10: BreachForums closing down announcement, Source: Telegram

Interestingly, he stated that the Telegram channel would maintain operation and that he was looking to create new infrastructure which would replace BreachForums, even working with competitor marketplaces. As of writing, the onion site has been taken down and is unreachable.


DarkOwl will continue to monitor the dark web and adjacent sources such as Telegram to identify any new or emerging groups and sites which may take the place of BreachForums. Stay up to date.

Dark Web Exposure of Popular E-Learning Companies

March 21, 2023

The darknet is home to a complex economy that is built largely on the illicit exchange of digital goods such as MTV (Malware Toolkits and Viruses) and compromised credentials. Threat actors exploit these assets for a variety of reasons, many of which take some form of fraud. While many threat actor tactics seem to be purely for financial gain, dark web adjacent sites such as Telegram contain multitudes of other listings that may serve a more unexpected user group – including those looking to continue their education with illicitly obtained accounts for E-Learning tools.

Sites such as Codecademy have long established themselves as having a successful model that many other E-Learning companies follow today. Most offer a “freemium” model, meaning select courses or certificates can be gained for free, with more advanced or specialized certificates priced on a tiered scale. After seeing a number of postings on the darknet from users soliciting hacks or compromised credentials for various E-Learning accounts, our analysts took a look at the exposure of several popular companies in this industry using our industry leading darknet data platform, DarkOwl Vision.

Coursera

DarkOwl Vision has indexed a high quantity of email addresses with the domain coursera.org in recent years – likely as the result of a data breach. At the time of writing, DarkOwl Vision contains 2,058 total Coursera emails, and 811 unique emails. However, only 9 of these emails have been associated with plain text passwords.

While Coursera does offer free learning tracks, their more premium offerings range anywhere from $39-$59 per month, with more specialized certificates typically costing on the higher end. The most common type of offering being exchanged on darknet forums is for methods to obtain these pricier certificates for free.

Figure 1: Advertisements on an I2P site for methods to scam Coursera and obtain free certificates, Source: DarkOwl Vision

In the following example, a stealer log for coursera.org is being sold for as little as $10 USD. The listing also contains ISP (internet service provider) information – potentially to indicate to the purchaser that they should use a VPN when logging into the stolen E-Learning account so as not to have their IP blocked.

Figure 2: Raccoon Stealer logs for coursera.org being sold for $10 USD on Russian Market, Source: DarkOwl Vision

Other offerings include a python script that allows users to download Coursera courses and obtain valuable certificates for paid tracks free of charge.

Figure 3: Advertisement on a Russian paste site for a python script that allows users to obtain certificates on Coursera for free, Source: DarkOwl Vision

SkillShare

While Skillshare has a smaller darknet footprint than Coursera by way of quantity, their results in DarkOwl Vision return a higher number of passwords associated with leaked emails with a Skillshare domain. In this case, these credentials are unlikely to be used for account takeover, as they more likely belong to Skillshare employees. These credentials pose a higher risk because they could potentially be exploited and used to access Skillshare’s corporate networks. In total, of the 202 unique emails detected, 18 of them came with a plain text password.

Figure 4: Premium Skillshare accounts being sold on Telegram, Source: DarkOwl Vision

The below listing was indexed from 2easy shop, a popular dark web marketplace that has a large Russian language user base. In this case, credentials for the mentioned URLs were harvested using the stealer malware Redline. For $10, the purchaser can gain access to the Skillshare account of the compromised target that the Redline malware was used on. Thus, with these types of listings, there is no guarantee of the value of the E-Learning account itself.

Figure 5: Redline stealer logs of Skillshare on 2easy shop, Source: DarkOwl Vision

LinkedIn Learning

The size and scope of LinkedIn reaches well beyond E-Learning, so it is no surprise that their exposure exceeds others in this category by means of market coverage alone. Clocking in at over one thousand unique email addresses and nearly as many plaintext passwords exposed in DarkOwl Vision, their risk for internal network exploitation is significant.

Premium LinkedIn accounts are also rather expensive, so the market for access to premium LinkedIn accounts (including LinkedIn Recruiter) has remained active. In the example below, a recent result from Telegram advertises a variety of premium LinkedIn accounts for sale, including LinkedIn Learning premium. These are being offered at $10 a month in individual quantities, or for as low as $5 a month when bought in bulk quantities of 100 or more.

Figure 6: Premium LinkedIn Learning accounts offered on a Telegram forum, Source: DarkOwl Vision

Udacity

Search results for udacity.com email domain mentions in DarkOwl Vision returned over 700 unique email addresses, which is considerably more than its peers. However, only one of these was associated with a plain text password. Thus, their dark web exposure from an internal threat perspective is on the relatively low side compared to other E-Learning companies.

On the account takeover and fraud end, our analysts found numerous results similar to the listing below. As pictured, the post contains plain text email addresses and passwords that can be easily checked and verified by those willing to put in a bit of extra work to obtain free Udacity accounts. Published to Telegram, the post also solicits screenshots from those who are able to successfully log in to any of these accounts. This is likely so that they can use those screenshots as a means of validating their services and gaining reputation status as a legitimate vendor.

Figure 7: Telegram listing containing plain text credentials for Udacity accounts, Source: DarkOwl Vision

Codecademy

From a credentials perspective, Codecademy’s footprint within DarkOwl Vision was on par with other E-Learning companies. Overall, results for their domain amounted to 508 total email addresses, of which 167 were unique and 8 were associated with plain text passwords.
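The per-company figures above (total email addresses, unique addresses, and those paired with a plain text password) are the basic exposure metrics a defender computes when reviewing a leak or combolist export for their own domains. The following is an added example, not DarkOwl’s code or part of Vision: it parses a constructed dump in the common `email:password` / bare `email` line forms (the sample records are made up) and produces those three counts per domain, so a security team can triage which exposed accounts need a forced reset. The line format and the treatment of a trailing empty password as “no password” are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample dump (not real breach data): combolist-style lines,
# either "email:password" or a bare "email", plus noise that should be skipped.
SAMPLE_DUMP = """\
alice@coursera.org:Winter2020!
alice@coursera.org:Winter2020!
bob@coursera.org
bob@coursera.org
carol@coursera.org:hunter2
dave@skillshare.com:
erin@skillshare.com:S3cret
frank@udacity.com
grace@udacity.com
# comment line that should be ignored
not-an-email-line
"""

# email, capturing the domain separately; an optional ":password" suffix
EMAIL_RE = re.compile(
    r'^([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))(?::(.*))?$'
)


def parse_dump(text):
    """Yield (email, domain, password_or_None) for each credential-looking line.

    Blank lines, comments and lines that do not start with an email are skipped.
    A trailing ':' with nothing after it is treated as 'no password' (assumption).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = EMAIL_RE.match(line)
        if not m:
            continue
        email, domain, pw = m.group(1).lower(), m.group(2).lower(), m.group(3)
        yield email, domain, (pw if pw else None)


def exposure_by_domain(text):
    """Return {domain: {"total": n, "unique": n, "with_password": n}}.

    'total' counts every record (duplicates included, as a raw index would),
    'unique' counts distinct addresses, and 'with_password' counts distinct
    addresses that appear at least once with a plain text password.
    """
    totals = defaultdict(int)
    unique = defaultdict(set)
    with_pw = defaultdict(set)
    for email, domain, pw in parse_dump(text):
        totals[domain] += 1
        unique[domain].add(email)
        if pw is not None:
            with_pw[domain].add(email)
    return {
        d: {
            "total": totals[d],
            "unique": len(unique[d]),
            "with_password": len(with_pw[d]),
        }
        for d in totals
    }


def accounts_needing_reset(text, domain):
    """Sorted list of addresses at `domain` exposed with a plain text password."""
    return sorted({e for e, d, pw in parse_dump(text) if d == domain and pw is not None})


if __name__ == "__main__":
    for domain, stats in sorted(exposure_by_domain(SAMPLE_DUMP).items()):
        print(f"{domain:16} total={stats['total']:3} unique={stats['unique']:3} "
              f"with_password={stats['with_password']:3}")
    print("reset needed:", accounts_needing_reset(SAMPLE_DUMP, "coursera.org"))
```

Only the `with_password` bucket is directly usable for account takeover; the `total` versus `unique` gap shows how much of a raw index is re-posted duplicates, which is why the article reports both.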

There were numerous advertisements on Tor that advertised a variety of Codecademy accounts and hacking tools that could help exploit them. This includes listings for the E-Learning accounts themselves, as well as “crackers” or “checkers”, which are scripts that cross reference credentials against a service to see (a) if the credentials are able to successfully log in, and (b) what type of account the credentials now have access to.

In the result below, detected by DarkOwl Vision in January this year, a listing for one of these “checkers” advertises that “It captures premium status and the number of enrolled courses and also saves free and premium accounts.” Using this type of tool, a threat actor could run credentials in vast quantities against the Codecademy log in portal and potentially uncover many successful log in combinations for valuable Codecademy accounts.
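From the defender’s side, a “checker” run against a login portal leaves a recognisable pattern in authentication logs: one source trying many distinct usernames in a short window, with a low success rate. The following is an added example, not DarkOwl’s code or anything from Codecademy: it runs a sliding-window detector over a few constructed log lines (the format, IPs, usernames and thresholds are all assumptions made for this example) and returns the sources that fit that pattern, which is the signal a SOC would alert on or feed into rate limiting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log (not real portal logs): "timestamp source_ip username result".
# 203.0.113.7 behaves like a credential checker; the other two are ordinary users.
SAMPLE_AUTH_LOG = """\
2023-01-10T12:00:01Z 203.0.113.7 user1@example.com FAIL
2023-01-10T12:00:02Z 203.0.113.7 user2@example.com FAIL
2023-01-10T12:00:02Z 203.0.113.7 user3@example.com FAIL
2023-01-10T12:00:03Z 203.0.113.7 user4@example.com OK
2023-01-10T12:00:04Z 203.0.113.7 user5@example.com FAIL
2023-01-10T12:00:05Z 203.0.113.7 user6@example.com FAIL
2023-01-10T12:00:30Z 198.51.100.5 alice@example.com FAIL
2023-01-10T12:00:45Z 198.51.100.5 alice@example.com OK
2023-01-10T12:01:00Z 192.0.2.9 bob@example.com OK
"""


def parse_auth_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole run
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Flag source IPs that try >= min_users distinct usernames within `window`
    with a success rate at or below max_success_rate (thresholds are assumed
    starting points and should be tuned to the portal's normal traffic).

    Returns {ip: {"distinct_users", "attempts", "success_rate"}} describing the
    widest qualifying window seen for each flagged IP.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so the window never spans more than `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) < min_users:
                continue
            rate = sum(1 for _, _, ok in in_window if ok) / len(in_window)
            if rate > max_success_rate:
                continue
            prev = flagged.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(in_window),
                               "success_rate": rate}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['distinct_users']} users in {info['attempts']} attempts, "
              f"success rate {info['success_rate']:.2f}")
```

The distinct-username count is what separates a checker from a single user who mistypes a password several times, and the success-rate bound keeps a busy NAT gateway full of legitimate logins from being flagged; both thresholds need tuning against the portal’s baseline before alerting on them.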

Figure 8: A Variety of Codecademy account-cracking resources, including credentials and “checker” tools, listed on Tor, Source: DarkOwl Vision

This listing also contains listings for Codecademy Pro accounts, as well as some that advertise both account and email access (“+ HQ”). Each of these listings directed to a separate vendor and was among dozens of similar advertisements.

Final Thoughts

Interestingly, during the course of this research, our analysts observed a disproportionate number of discussions from sources in DarkOwl Vision, including IRC channels, Telegram, and darknet forums, discussing Codecademy in the context of genuine further education. This included discourse around the value of various courses, advice for professional development, further learning recommendations, and so on. This could signal that those seeking and purchasing E-Learning assets may find Codecademy more applicable to the coding skillset needed amongst users who operate on the darknet and deep web.


Having insight into darknet activity means staying one step ahead of potential risks and costly threats to your company. To learn more about how DarkOwl’s data products can assist your threat intelligence initiatives, contact us.

DarkOwl Presents on Darknets at Digipol

March 17, 2023

Last week, DarkOwl participated in Digipol 2023 in Hyderabad, India. Digipol’s mission is to “internetwork the law enforcement and defence agencies with right security solutions being delivered by various technology developers from all over the world.” The summit focuses on education and exploring advancements and innovations in the cyber security space, with focus on law enforcement agencies and defense organizations, so that they can keep a safe and secure world. It is only open to those in the police and defense space and is not open to the public, allowing true knowledge transfer.

Representing DarkOwl was David Alley, CEO of DarkOwl FZE based in Dubai, and Ramesh Elaiyavalli, CTO of DarkOwl, based out of DarkOwl’s headquarters in Denver, CO.

Throughout the event, there were several technology sessions highlighting key advancements and technology solutions. Speakers included those from law enforcement, defense agencies, and security industry experts. Digipol takes a very strategic approach, focusing on providing first class education and practical demonstrations on top law enforcement topics and issues to promote technologies and innovations in a way that law enforcement agencies and defense agencies can adopt and adapt to better their cyber investigations and capabilities.

Digipol is a great networking opportunity to interact with key figures in national and public safety, with almost all states and union territories of India present, whether it be at the booth, a training session or presentation. David Alley shared, “Digipol is a great balance between training, education and networking. Not only did we get to meet many new faces, but seeing so many clients present was a great benefit for us.”

Presentation: DarkNet Primer and Intelligence Use Cases

In addition to networking and promoting DarkOwl at the booth, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies. Many of the attendees expressed that they were unaware how many darknets there are – confirmation that having a platform to share this information like Digipol provides, is essential to continuing darknet education.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. Vision provides a user friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.

DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into. DarkOwl was proud to be able to share our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet.


DarkOwl looks forward to continuing their presence at Digipol events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

[On Demand Webinar] Top Trends and Predictions in Open Source Intelligence

March 16, 2023

In 2023, OSINT will continue to quickly evolve as investigators across a myriad of industries seek to disrupt crime, fraud, and threats. To help OSINT practitioners understand what to expect for 2023 and beyond, two respected leaders in the industry will share their predictions about what’s on the horizon for open-source intelligence.

In this webinar, originally held March 14, Rob Douglas, Co-Founder & CEO of Skopenow, and Mark Turnage, Co-Founder & CEO of DarkOwl, will share their insights on emerging threats and the latest OSINT tools and techniques to detect and prevent them.

Get Transcription

DarkOwl Grows International Presence at ISS World Middle East & Africa

March 10, 2023

Last week, DarkOwl participated in ISS World Middle East & Africa in Dubai, UAE. ISS World Middle East & Africa describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering,” making it the ideal event for DarkOwl to grow our international presence, build relationships in person and spread the importance of darknet data to the international intelligence and law enforcement communities.

ISS World takes pride in focusing on education and training covering the areas of law enforcement, public safety, and government and private sector intelligence communities, with a full day dedicated to solely seminars led by law enforcement officers and Ph.D. Scientists. Talks throughout the event cover topics ranging from how to use cyber intelligence to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other illicit activities.

Representing DarkOwl at ISS World Middle East was David Alley, CEO of DarkOwl FZE based in Dubai and Damian Hoffman, Product Engineer and Data Analyst out of DarkOwl’s headquarters in Denver, CO.

Networking with cybersecurity professionals from around the world and connecting face to face is one of the true benefits of this show. David and Damian had people from United Arab Emirates, Qatar, Jordan, Egypt, Iraq, Morocco, Turkey, Latvia, Lithuania, Azerbaijan, Romania, Ukraine, Pakistan, India, Bangladesh, Indonesia, Malaysia, China, United States, Spain, UK, Germany, Italy, Ireland, Israel, Uganda, Rwanda, Tanzania, South Africa, Angola, Kenya, Zambia, and Australia all visit the DarkOwl booth. International shows demonstrate that cyber security is a global problem; no company and no government is immune to the potential risks associated with the world going truly digital. Damian Hoffman noted that there were “nonstop conversations all day,” covering how DarkOwl data relates specifically to cryptocurrency addresses, Telegram, ransomware groups, stealer logs, data integration and more. The quality of conversations and questions shows that the darknet is a top concern amongst the security and intelligence communities.

Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection

In addition to networking and promoting DarkOwl at the booth, David Alley was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. Vision provides a user friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into.

If you are in Dubai and want to meet with DarkOwl, you are in luck! We will be at GISEC Global next week (March 14-16). Stop by Stand C 102, Hall 5 or request time to chat with us below!


DarkOwl looks forward to continuing their presence at ISS World events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.