Last week, DarkOwl participated in OsmosisCon, an Open Source Intelligence Skills-building Conference, in Tampa, FL. The annual, training-oriented event is comprised of workshops and classes to earn Continuing Education Credits (CEUs) lead by industry leaders focusing on the latest in OSINT and SOCMINT tools. In addition, the exhibiting companies provide real world examples of industry standard products and services, allowing attendees to either advance their own research or find a solution for their company.
The networking and consulting opportunities at OsmosisCon are incredibly valuable for anyone in the OSINT space – whether you participate in the pre-event workshops and presentations, speak during the networking events or via the virtual conference platform. Sessions this year covered a wide range of OSINT topics, including artificial intelligence threats, identifying unknown users on social media, foreign searching practices, countering sex trafficking, OSINT methodology, digital data, and more.
The Osmosis Institute’s mission is “to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices.” Their statement continues to say, “to that end, we seek to foster professional growth in our community. We strive to inform professionals on how to protect personal privacy data and abide by national and international laws and ethics standards.” OsmosisCon allows them to put this mission into practice and in its 8th year has continued to grow and bring hundreds of cyber intelligence analysts together.
Representing DarkOwl at OsmosisCon was Steve O’Rourke, Account Executive, and Damian Hoffman, Product Engineer and Data Analyst, based out of DarkOwl’s headquarters in Denver.
DarkOwl was one of the first to present at the conference, in what was described as a highly-attended well received session. Damian’s presentation, “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations,” focused on how the dark web is an essential source of information for OSINT investigations across a wide variety of use cases. His talk reviewed some of the considerations that should be taken when using dark web data, how the data can provide value for investigators, and offered DarkOwl’s perspective on the techniques and tools needed to maximize the utility of dark web data.
“This is my second year attending OsmosisCon and we find it to have a great balance between training and education, networking and getting feedback on our product. It is also nice to see so many clients present! I know many attendees share the same sentiment when I say that I am excited for next year’s event in New Orleans and to see this conference continue to grow in attendee turn out and presence,” shared Steve.
DarkOwl looks forward to OsmosisCon 2023 and hope to see both familiar and new faces in New Orleans!
To round out Cybersecurity Awareness Month, we’ve gathered some of the hottest cybersecurity topics being discussed amongst actors on the darknet and deep web.
Cybersecurity awareness month has been enlightening for consumers and businesses alike. Many information security professionals and vendors have shared many guides this October on topics like multi-factor authentication, zero-trust, and other cyber resilience measures to hopefully help soften the impact of a significant corporate cybersecurity incident. The adage, ‘it’s not a matter of if you will be breached, but when…” might feel more and more realizable as the list of ransomware and corporate network attack victims continue to grow.
So, before the month’s end – in the spirit of spreading collective awareness – our analysts took a closer look some of the most popular cybersecurity threats and threat actor attack vectors discussed on the darknet.
Ransoming – Linux
There’s no question that ransomware continues to be one of the most popular threats utilized against commercial organizations, especially small and medium sized businesses that lack the enterprise-level information security budgets. Threat actors are increasingly interested in exploiting Linux-based systems and servers, and, lately, DarkOwl analysts have directly witnessed an increase in technical conversations related to the subject. Lockbit was one of the first ransomware strains to specifically target virtual Linux-based VMware ESXi servers, encrypting the vCenter infrastructure and virtual machines (VMs). Other ransomware gangs like BlackBasta have followed suit using SSH vulnerabilities and compromised credentials to deliver the ransomware to the server.
Figure 1 – Source: MalwareBytes
While many corporations run Windows or Mac client machines, Linux servers are the predominant server of choice for backend operations in enterprise commercial systems, hosting critical intellectual property and sensitive data. The type of data available in a ransomware campaign involving Linux servers attracts ransomware groups for the higher probability of ransom payment and the potential exploitation of sensitive information for cyber espionage.
Go Phish – Attackers continue to target marketing tech such as Google Adwords
Phishing is still a widely utilized and prominent attack vector discussed on the darknet for gaining unauthorized access corporate networks. Threat actors discuss phishing methods, offer “MASTERCLASSES” on the subject for sale in decentralized marketplaces, and regularly advertise phishing email templates for major commercial entities like Google, Apple, and Microsoft.
Some commonly discussed phishing methods are designed to target corporations’ social media accounts held by marketing departments. Others intentionally leverage social media relationships like employees’ LinkedIn connections to trick the victim into clicking on a document shared by a ‘friend.’
Figure 2 – Source: Tor Anonymous Network
In the example below, threat actors directly leverage Google ADSENSE Adwords for serving up phishing URLs. These are deployed to unsuspecting victims who inadvertently select the malicious URL because it appears at the top of their search.
[ORIGINAL POST]
“Ответы: 1
Форум: Поиск партнеров,инвесторов, поставщиков
КУПЛЮ Настройка рекламы Google ADSENSE
Ищу профессионала, кто создаст рекламу по продаже ПРАВ,ВУ в гугле адс.
Способ оплаты:
1. Фиксированная оплата за настройку и пропуск рекламы в гугле.
2. % от продаж ( при блоке рекламы, вы сами запускаете новую рекламу) – Хороший выхлоп.
P/S. Писать строго, кто разбирается в данной теме по…”
[TRANSLATED]
“Answers: 1
Forum: Search for partners, investors, suppliers
BUY Google ADSENSE Ad Settings
I am looking for a professional who will create an advertisement for the sale of rights, WU in Google ads.
Payment method:
1. Fixed payment for setting up and skipping ads in Google.
2. % of sales (with an ad block, you launch a new ad yourself) is a good exhaust.
P/S. Write strictly to those who understand this topic by…”
Source: DarkOwl Vision
These elaborate phishing campaigns frequently result in successful corporate email compromise and occur daily. What’s more, they are getting increasingly sophisticated with targeted spear-phishing methods employed.
Phishing via SMS, (a.k.a smishing) has increased in popularity.
One example of a successful smishing campaign we’ve seen discussed on the darknet has been a fake emergency ‘smishing’ text from executives sent to employees in the organization, designed to not only confirm the phone number of the employee, but potentially drop malware via a follow-up malicious link.
DarkOwl IT provided the example to the right, which depicts an attempted smish of a DarkOwl employee using an executive’s identity.
Server Vulnerabilities – Microsoft Exchange
Like the Linux server ransomware strains, darknet threat actors active seek server-specific vulnerabilities for potential exploitation and server data compromise. DarkOwl analysts have lost count of the number of Microsoft Exchange-related compromised organizational data leaks that surfaced by hacktivists participating in the Ukraine-Russia cyberwar. Over a dozen exchange vulnerabilities added to the NVD in 2022 and even more in 2021, provide threat actors plenty of opportunity for remote code execution (RCE), privilege escalation, file read-write access and arbitrary file deletion on a compromised Exchange server.
Most of the RCE vulnerabilities include malware delivery via PowerShell. Microsoft security advisories strongly suggest that Exchange Server customers disable remote PowerShell access for non-administrative privileged users in their organizations.
While ProxyNotShell is getting lots of recent attention, some of the Exchange vulnerabilities DarkOwl has captured discussed do not always require authentication to execute malicious code. Proof of concept code is also often referenced on darknet discussion forums and Telegram channels, making the vulnerabilities even easier for less adept cybercriminals.
Several of the large database leaks observed by DarkOwl because of a successful Exchange server attack are dumps of every email and attachment from every inbox on the compromised on-prem server. These vulnerabilities do not apply to Microsoft Online or Microsoft 365 cloud mail services.
Server Vulnerabilities – Atlassian Confluence
Another server vulnerability that is being discussed in darknet discussion forums is a remote code execution vulnerability that affects Confluence Server and Data Center (described as CVE-2022-26134 by the NVD).
As of this summer, the vulnerability has reportedly been patched by Atlassian with the release of versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; however, the vulnerability is still explored by cyber criminals.
In fact, multiple threat actors – with varying motivations and intentions – have expressed specific interest in Confluence-related security vulnerabilities. Another, tagged 26138, involved a hardcoded password for the user account, disabledsystemuser. Threat actors believed to be likely associated with nation state actors and users with specialties in cryptomining have indicated this vulnerability allows for production environments to be compromised, new administrator accounts created, and malicious access to corporate networks granted.The ransomware gang, AvosLocker targeted vulnerable Confluence servers with their command and control at scale earlier this summer.
As attack vectors continue to evolve, having eyes on the darknet is critical for any company looking to establish a comprehensive cybersecurity posture. To learn more about how the darknet applies to your use case, request a time to chat with one of our team members.
DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.
Bjorka Terrorizes the Indonesian Government
In the last two months, a cyber threat actor known by the alias Bjorka has been terrorizing the Indonesian government by targeting vulnerable systems and doxing key officials. After compromising their targets, Bjorka has been leaking sensitive databases from key Indonesian-specific organizations, such as Indonesia’s central mobile telecommunications provider. They’re also released data from servers storing correspondences from the Indonesian President.
DarkOwl analysts have observed that the threat actor has become increasingly embolden in their attacks against Indonesia. They have expanded their operations, stirred up real-life darknet drama by claiming that “the wrong hacker was arrested,” and have repeatedly put out calls for cyberwar against the Indonesian government.
Trolling Indonesia Government Causes Deep Web Forum Chaos
The actor known as Bjorka joined Breach Forums in early August 2022, and immediately gained attention from the forum community. They contributed to the underground forum – known for circulating commercial and government data leaks – by sharing databases containing millions of private personally identifying information (PII) from WattPad and Tokopedia commercial websites. Both sites were reportedly compromised in 2020.
Bjorka subsequently engaged in more activity on the forum that indicates they were targeting Indonesian entities. This includes:
A post containing a database of 26 Million records of personal data exfiltrated from the Telkom Indonesia provider, IndiHome, which they uploaded and made available free of charge.
Posts offering for the sale of a Ministry of Communications and Information Technology (KOMINFO) database of over 1.3 Billion Indonesian SIM card registration records and an Indonesian Citizen database stolen from the General Elections Commission.
Post sharing a controversial archive containing a collection of “secret” letters sent on behalf of President Joko Widodo (Jowoki) by the Indonesia government’s State Intelligence Agency – Badan Intelijen Negara (BIN).
In addition to database leaks and doxxes, Bjorka has revealed controversial political information related to investigations inside Indonesia, which prompt social unrest. For example, Bjorka identified Muchdi Purwopranjono – an Indonesian politician, former major general in the Kopassus, and head of the BIN – as responsible for the murder of a prominent human rights activist, Munir Said Thalib in September 2004.
Bjorka has also showed particular interest in Ferdy Sambo and the Brigadir J murder case; Ferdy Sambo, former head of the police Propam Division, and Inspector General of Police, is one of four suspects accused of shooting of Brigadir J in July 2022.
On Telegram, Bjorka highlighted another Indonesian official, Tito Karnavian, and Ferdy Sambo’s supervisor, as a person of interest and that Tito knew all about Brigadir J’s murder.
Figure 1: Source Breach Forums, Tor Anonymous Network
The cyberattacks against ministries across the Indonesian government, including the “President’s Letters” as they’re commonly called, caused Bjorka’s popularity in the Indonesian hacking community to skyrocket. Many referred to Bjorka as the “Indonesian Spartacus”. The influx of non-English speaking forum members prompted the site’s administrator, pompompurin to post a notice demanding the new users behave themselves and post messages in English. The forum – as of time of writing – sits at over 172,000 member accounts, a user growth of nearly 3x the number of users DarkOwl observed in July.
In late September, Bjorka also shared a personal plea for the new Indonesian forum members to follow the rules.
“FOR EVERYONE WHO COMES FROM INDONESIA AND CAME HERE BECAUSE OF ME, PLEASE FOLLOW THE BF RULES
BECAUSE ALL THE STAFF AT BF ARE TIRED OF A BUNCH OF IDIOTS FROM INDONESIA WHO DON’T FOLLOW THE RULES.
USE ENGLISH BECAUSE BF IS AN INTERNATIONAL FORUM, SO STOP USING YOUR LOCAL LANGUAGE.”
– Quotes Directly From Bjorka on the deep web site Breach Forums
The influx of Indonesian-based forum members brought with it general criticism and negative sentiment regarding the Indonesian government, especially the Ministry of Information.
“With all of the Indonesian crap taking place in here, I wouldn’t be surprised that Indonesian intelligence are joining here in sheer numbers”
“The reason why most Indonesians supported Bjorka … because they are clowns, literally an entire circus, their ministry of information and technology is literally a graduate of agriculture”
“Their security is honestly a joke at this point”
“I’m from Indonesia but I signed up not to be able to meet Bjorka but to learn to break into a database and share even though it’s my own country’s database, I’m doing this to fight a stupid government just because of one case they can be like children who can only cry and can only cry corrupt people’s money rather than the people’s interests. Sorry for the long post, greetings from Indonesia.”
– Posts from other forum users regarding Indonesia and Bjorka
Figure 2: Source Breach Forums, Tor Anonymous Network
Some Leaks Confirmed As Valid
Many leaks that surface on darknet forums like Breach Forums are met with skepticism of their legitimacy. Even breaches like Paytm, which appeared earlier this summer have had information security researchers respond – after the fact – that the information contained in the leaked database is fabricated, likely from other leaked open sources.
In mid-September, the Head of the National Cyber and Encryption Agency (BSSN) in Indonesia publicly stated that President Joko Widodo’s documents and letters as well as ministers’ personal data, were valid although with the surge of additional leaks during September, there have been numerous denials from Indonesian government officials of the legitimacy of the leaks, antagonizing and frustrating many threat actors on the forum. According to open-source news reporting, the Indonesian Ministry of Communications had also launched an investigation into the IndiHome data leak.
Who is Bjorka?
While Bjorka recently gained notoriety for their activity on Breach Forums, it’s no surprise DarkOwl discovered they were also active on the forum’s predecessor, Raid Forums. A user with the same moniker joined RaidForums in November 2020 and their profile includes a muted version of the same avatar image. According to DarkOwl Vision archives of RaidForums, in April 2021, they promoted their digital data project, leaks[.]sh, as a leaked database search engine built on ElasticSearch using commercial and government leaks shared by the forum administrator Omnipotent and other data brokers on Raid Forums. They also maintain the Surface Web domain bjork[.]ai.
Bjorka claims their physical location is Warsaw, Poland on their Breach Forums account profile and social media accounts related to the threat actor continue the Polish-connection narrative, claiming ties to a “smart old man in Warsaw” who experienced Indonesia’s injustice in 1965. This is likely reference to September 1965, when the Indonesia Army carried out mass killings and imprisonment of members of the Communist Party of Indonesia, Gerwani women, ethnic Javanese, and ethnic Chinese.
While little is recorded about the 1965-66 political killings in East Java there is research covered in the Journal of Genocide Research covering how the military influenced civilian perceptions and created divisions between the political left and right. The threat actor continued that their friend could not be tracked down.
“yea don’t try to track him down from the foreign ministry. because you won’t find anything. he is no longer recognized by Indonesia as a citizen because of the 1965 policy. even though he is a very smart old man” – Source Twitter (@bjorkanism)
According to social media in mid-September, the Bjorka “team” possibly expanded to include another darknet forum member known as strovian after the threat actor posted threads to Breach Forums in September calling Indonesian intelligence, BIN “stupid.”
Figure 3: Source Breach Forums, Tor Anonymous Network
The threat actor strovian – active on Breach Forums since April 2022 – has targeted servers in Indonesia and offered multiple databases for sale. The strovian cybercriminal appears to have exfiltrated databases detailing the identities of Indonesian police officers (POLRI DB) and Indonesian customs officers (DIRJEN BEA CUKAI). They also offered a BIN intelligence database for sale stolen in 2020 from a Foreign Affair Intelligences Deputy. strovian offered a similar Police Database on RaidForums in February 2022, prior to its seizure and shutdown.
Some conspiracy theorists suggest the Bjorka team and the attacks against KOMINFO originated with the Indonesian government, “like ISIS was created by the US Government” as a societal distraction from other geo-political agendas and corrupt initiatives or formed as a justification for state budget increases.
Recent social media posts across Twitter, YouTube, and TikTok – many from accounts using the infamous Anonymous Legion Guy Fawkes mask – suggest that the Bjorka hacker is neither a name nor a person, but instead is a nation-wide hacking “movement” and represents social justice for the Indonesian people.
A dark, ominous, “Anonymous” styled video released on YouTube in September openly declared ‘cyberwar’ with the Indonesian government on behalf of the Bjorka cause.
“The name Bjorka represents the Indonesian people.”
Figure 5: Source YouTube Link REDACTED
[TRANSLATED IMAGE]
“with this we will declare a cyber war with the Indonesian government.”
There are multiple mentions by Bjorka directly that they are a result of ‘monsters’ and Indonesia’s five-pillared state philosophical principle called, Pancasila, which translates to “the five bases.”
The threat actor claims Pancasila was not proven and not completely implemented in Indonesia. The nation emblem of the country incorporates the Pancasila ideals, and any criticism of the philosophy is forbidden by law, possibly resulting in criminal charges.
Figure 6: Source Wikipedia
[TRANSLATING IMAGE]
“- Belief in the one and only God.
– Just and civilized humanity.
– The unity of Indonesia.
– Democracy guided by the inner wisdom in the unanimity arising out of deliberations amongst representatives.
– Social justice for all of the people of Indonesia.”
Critics of Pancasila are often angry that the philosophy does not include the right to atheism, i.e. the rejection of any theistic belief, but it is extremely unclear what Bjorka really believes regarding Pancasila and how it’s impacted them so deeply.
Bjorka claims the “country is in a bad situation with rising fuel prices” and political corruption. One of their more recent social media posts predicts they will target hacking public citizens debts and “forfeit all online loan applications and delete all data.”
Figure 7: Source Twitter, October 4, 2022
Bjorka Mocks Indonesian Government
In mid-September 2022, Bjorka shared a post titled, “THE INDONESIAN GOVERNMENT IS LOOKING FOR ME?” citing reports that the Indonesian government had formed a ‘special team’ to hunt the cybercriminal down.
Bjorka alleged that the State Intelligence Agency (BIN) and the National Police had incorrectly identified and arrested a young man as the Bjorka hacker using Instagram account (@volt_anonym), but the real Bjorka on active on the forum claiming this was all false information and they were very much free from jail.
Figure 8: Breach Forums, Source: Tor Anonymous Network
Bjorka stated they had direct insider knowledge from a friend at the palace of the President, and that the President was soon going to dismiss the Minister of Communications and Information Technology. They encouraged the President to hire someone “tech savvy” instead of political partisans or military officers.
On social media, the actor claimed they did not want to harm the citizens of Indonesia, and that their intent was to expose security vulnerabilities and weaknesses in Indonesia’s networks. They followed by posting the personal information (dox) of several high-ranking Indonesian government officials on their Telegram account. The data set included phone numbers, email addresses, full names, gender, NIK (identity number), KK (family card), physical addresses, and vaccine numbers.
After releasing the data, Bjorka teased officials directly on social media who dismissed their leaks as unimportant.
“How are you, Mr. @Mohmaffudmd? Are you still sure that no important data has been leaked?”
– Source: Twitter
On the birthday of the KOMINFO Minister, Johnny G. Plate, Bjorka posted “Happy Birthday” along with a detailed dox of the minister’s personal information. Much of information had already been uploaded on another popular doxing deep web site in August. Bjorka followed with sharp words for the minister on social media:
“This is a new era to show differently. Nothing will change if fools are still given immense power. The supreme leader in technology should be assigned to someone who understands, not a politician and not someone from the armed forces. Because they are just people – stupid people.”
– Source: Twitter
At the end of the month of September, the threat actor initiated a thread titled, “NATIONAL CYBER AND CRYPTO AGENCY OF INDONESIA” and included a CNN Indonesia news article reporting that the BSSN had increased its budget directly because of their data leaks. They included in the post, the name and photograph of the head of the agency along with a detailed dox and images of his identification cards.
According to open sources all the hacktivism against Indonesia by Bjorka has resulted in changes in government policy. Indonesia enacted its first personal data protection bill at the end of September. The bill imposes sanctions and criminal charges on organizations that fail to safely secure personal data. Individuals are also able to claim compensation for data breaches.
Bjorka Started Something That Shows No Signs of Slowing Down
During the month of September, Bjorka posted several high-profile leaks mentioned earlier, but their verdant followers and other darknet cybercriminals targeting Indonesia have leaked dozens more databases and sensitive data such as: Indonesia’s car registration databases, citizenship databases from the Ministry of Social Affairs, an Indonesian tollway operator, and government social assistance systems. Bjorka’s efforts indeed appears to have launched a concerted movement against Indonesia and what its citizens jokingly call an “open-source country.” (See REFERENCE – Sample of Indonesia-Related Data Leaks at end of document)
A twist to the Bjorka movement narrative is a thread titled, “66 GB Indonesia Department of Communication and Information Technology” shared by a Breach Forum user named, toshikana on September 13th. The forum user, who joined in July 2022, refers to something called “Operation Garden of the Gods” they and one other threat actor carried out with the intention to:
“improve the Quality of the Department but not limited to: Education, Cybersecurity, Consistency, Human Resources, On Target Budget Utilization and Good Communication since the name of your Department is Department of Communication and Information Technology but the fact is that You always fail to Communicate.”
– Post from user toshikana
The post also includes the data leak links for the KOMINFO database that Bjorka had shared earlier and then continues with an epilogue referring to the “General” and states their Group – which includes the General – was offered a large sum of money in August to target the Department of Foreign Affairs but they sent warning emails to the Minister Prabowo because they are not supporting any kind of “Revolution.”
toshikana implies that someone knowledgeable of this underground community and its members sought out to finance the cyber operation and sow chaos in Indonesia.
“With the permission of the General, we will securely store the rest Data classified as Confidential/Secret/Top Secret in our server until we see a significant change from you, we will not sell, share or use this. I’m sure we all agree that something that is promised to be safe, in the future it must remain safe and so is Confidential Data, it must remain Confidential, even if it is old Data or Data belonging to Poor People, isn’t that right Plate? what about you Semmy? Dedy? BSSN? and the Department of Health?
What we both will never breach/leak: anything related to Civilians/Poor People, Department of Foreign Affairs, Department of Defense and the Indonesian Military…. you’re welcome.
Also since our Group was offered a large sum of Money from a dozen People over Jabber to breach the system of the Indonesian Department of Foreign Affairs and Defense and sell the data to them, on Aug 25, 2022 one of our Lieutenants had sent a warning Email along with the evidence to the two Departments, also had sent an Email to Minister Prabowo about the huge potential of Cyber Espionage, but my sixth sense tells me that our Email was not read or it was read but only considered as a joke, with tremendous interest from them, you may have to pay attention to this one and don’t let your eyes closed.”
– Source: DarkOwl Vision
The surge in Indonesia-specific activity by other cyber actors might have prompted Bjorka to share personal information about themselves with their online community. Last week, Bjorka revealed their gender on Telegram, claiming they were “just a girl hiding behind a computer” living happily in Poland and they will “disappear for a while” due to so many issues in Indonesia. They also dismissed any suggestion that Bjorka was a ‘team.’
Perhaps posts stating strovian had joined their efforts and drama-filled threads from toshikana, might all have been simply a psychological operation, a possible diversion for the Indonesian government and intelligence teams’ digital investigators, or an attempt to emphasize that Bjorka is much larger than one person and is movement inspiring a social revolution in Indonesia.
Figure 9: Source Telegram
As of October 13th, Bjorka’s Telegram channels had all been shut down by Telegram staff and Bjorka quoted administrators stating, “even private channels can also be taken down.” Bjorka’s Twitter account (@bjorkanism) was also suspended due to “rules violations” which they contest stating staff from both platforms are simply actioning requests submitted by the Indonesian government. They included an ominous threat against Twitter if their account is suspended again.
“I will promise to delete twitter from play store if he suspends me again.”
– Source Twitter
Figure: Sample Indonesia-Related Leaks
DarkOwl Sources
DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives.
Remembering the subtle differentiations between data, information, and intelligence, DarkOwl’s key sources of raw data are described here.
This investigative research relies on a wide body of all-source intelligence, including sources such as the surface web, deep web and darknet. This information was gathered via numerous investigative platforms, including DarkOwl Vision product offerings. To learn more about DarkOwl’s product suite, contact us.
DarkOwl’s Chief Business Officer, Alison Halland, the Director of Strategic Alliances at Cowbell, Jessica Newman, and Cowbell’s Director of Risk Engineering, Manu Singh, sit down and discuss the building blocks of the darknet and organizational risk, what darknet data exposure means for small to medium sized businesses, how Cowbell uses DarkOwl’s darknet data to generate a dark intelligence scores for each of their policyholders. They also dive into the value-add of a Cowbell policy to their policyholders provided by Cowbell’s free reports from their risk engineering team utilizing DarkOwl’s darknet data to assess and mitigate cyber risk to businesses.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity
Jessica: I want to welcome you all. We are really excited to have you on behalf of Cowbell and DarkOwl. We are here today to talk about the dark web, which is hopefully an interesting and fun topic of conversation. From what we hear, everyone typically perks up when the dark web is mentioned. It’s a topic that gets a lot of questions and a lot of interest. Our intention today is to arm you with enough information about the dark web and about how Cowbell uses the dark web to feel comfortable talking about the dark web with your customers.
Quickly I will introduce myself, my name is Jessica. It’s great meeting you and being with you today. I run point on our cybersecurity partnerships here at Cowbell… I’m going to let our panelists introduce themselves. We’re really excited to offer their expertise to you all today. Alison do you want to start by introducing yourself?
Alison: Absolutely. I’m Alison Halland with DarkOwl, and we’re based in Denver Colorado. I’ve been with the company for over 6 years and we are Cowbell’s darknet partner. We provide our darknet data to Cowbell and it’s been a great partnership. I’m excited to be here talking to all of you and hopefully you can walk away with a little more information about what the darknet is and how it can be helpful as you talk to your clients looking at getting policies.
Manu: Thanks Alison, thanks Jessica. Glad to be here today. I’m Manu Singh, and I’m the Director of Risk Engineering here at Cowbell. My team assists our policy holders through our continuous risk assessment process. That includes understanding our Cowbell cyber platform, our Cowbell factors, understanding how our AI and machine learning scans are used to develop insights and recommendations, as well as some of the data that we add off the dark web thanks to the assistance of DarkOwl. My team— ultimately our goal is to reduce the frequency and severity of data breaches and cyber incidents for our policy holders. We certainly do that by generating our dark web data reports, and again that is with the assistance of the data that DarkOwl is providing for us.
Jessica: Awesome. I want to kick things off. We’re going to have this be as interactive as possible so please feel free to ask questions, utilize that chat, if questions come up we want to make sure that we’re answering them. I want to kick things off with a question for those of you who are joining us today: I want to understand if the dark web is a topic is of interest to your customers today. Is this something that comes up a lot or do you see [the dark web] as an angle that you can use when you’re selling cyber insurance? There’s a question up there now: How confident are you at discussing the dark web with customers? Do you feel very confident, neutral, or that this is totally new to me? I’ll give you a second to place your vote…. there are some results showing that people are pretty neutral. This is actually really good news. My hope was that you don’t feel very confident in discussing dark web and that you’ll leave today feeling much more so. That gives us a really good place to start from.
Alison I’m going to kick it over to you if you can give our audience a quick overview of what is the dark web. I think having that basic understanding of what it is and what happens there will help us understand how we can then talk to customers about it.
Alison: Excellent. So as Jessica said let’s step back and define the darknet so that you all are all operating under the same kind of information. At this point in time it’s a buzz word that we’ve all heard, especially if you’re paying attention to media or newspapers. It usually comes along with an image of someone in a black hooded sweatshirt with all sorts of code in the background. I want to unravel that a little bit and talk through exactly what the darknet is.
We at DarkOwl consider the surface web to be anything that’s indexed by a search engine. Think about when you open up Google, you put in a search term, you hit enter. All of those results are by definition the surface web. They are indexed and you can click on them. And interestingly despite hundreds of thousands of results coming up on Google that only represents about 5% of the internet. Hence the iceberg analogy this is the tiny piece that is above the surface of the water.
The deep web makes up essentially the other 95%. The deep web is nothing scary or dangerous. In fact, I guarantee that everyone on this call was on the deep web today or yesterday. The deep web is content that sits behind a username and a password –or content that is not indexed by a search engine. What I mean by that is if I go into Google, I might not be able to pull up the deeds on all the houses in Denver within the search engine. But if I go to denver.gov I can find that information. Or, for instance, I logged into my bank website this morning and I paid my water bill. That is deep web content – I can get there with a username and password but all of you can’t access my bank account. That is where the majority of the internet resides. There’s so much that sits behind usernames and passwords.
The darknet, where DarkOwl specializes, sits below both of those. It is an undefined and hard to quantify space, but, in comparison to the deep web and the surface web it is much, much smaller in volume. The reason it’s important and significant is that by definition the darknet allows you to remain anonymous. That is the darknets defining feature. If you want to nerd out over it, the darknet was actually developed by the US Naval Research Laboratory in the 90s to allow folks serving to remain anonymous. As we all know, what does anonymity bring? It brings an opportunity to do things without being found. Hence the illegal activity that happens on the darknet. But I want to be very clear that the darknet in itself is not a bad thing. It is not illegal to go onto the darknet. You do need to download special software. Some of you may have been on Tor.
The key takeaways here are: for the darknet you have to download special software, its kind of a pain get onto it, however, it is not illegal, and anyone is able to access it, and the defining feature is that you are able to remain anonymous when interacting on the darknet. And the best way to visualize this –and you all will know what generation I was born in by my analogy- when you used to watch the Price is Right you’d have that show with the little ship that would go down through all the slots. That’s essentially what’s happening on the darknet with your IP address. The ability to track someone back to an IP address is almost impossible on the darknet whereas if I go to Cowbell.com, Cowbell has an awesome marketing team, they most likely know where I came from, what my IP address was, what pages I looked at, and how long I stayed there. Those same tracking metrics do not exist on the darknet.
Why do we care about the darknet? Why is it something that we are all on the phone to talk about? The takeaways here are usage on the dark web. I go interchangeably between dark web and darknet – we use them interchangeably at DarkOwl. But there was an 80% increase in usage over the last 3 years. Millions of users are connecting through the Tor browser, which is the best-known darknet out there. This is a very lively and active community of folks. It may not be as big in quantity compared to the deep web or the surface web, but there’s a lot of activity going on there. That’s why we are all focused on it, and that’s why we DarkOwl are in business.
Obviously all of you are in the insurance space –so why is it important to understand what DarkOwl does and what darknets exist out there? The kind of stuff you are going to see on the darknet is exposed credentials, you are going to see IP addresses, you are going to see people buying and selling social security numbers, people trading gift cards, people posting ransomware, and people selling services to conduct malicious activity against organizations. You name it and it is being transacted on the darknet.
As a company, whether you are tiny or humongous, you need to understand what that looks like for your own organization. Jessica and Manu and I think a lot about: how can this data be helpful for our respective clients? And the best way to think of it is as an exposure vector. Most people on the darknet are there because they are doing something illegal and taking advantage of the ability to remain anonymous. If you as an organization have content on the darknet, whether it is emails or trade secrets or anything – that is a concern. That is why we’re all on this call today. We’re going to get into how Cowbell uses that information and what you can all leverage to help inform your clients why it is important for them to understand their darknet presence.
Jessica: You can see here the quantity of data that DarkOwl has, DarkOwl being Cowbells partner for dark web intelligence. What we want to impress upon our customers is that with Cowbell, it’s not just a cyber insurance policy that you are getting. You’re getting all the intelligence that Cowbell has from our partners as well. And DarkOwl is the crème de la crème of dark web intelligence. This is a value-add that’s above and beyond what other cyber insurance carriers might offer. And that’s a huge piece of information to keep in mind when talking to customers. The dark web is not just one place, it’s several different places. Many of you may have heard of platforms like Telegram or Discord. These are encrypted chat spaces that DarkOwl collects information from as well.
Alison, quick question for you: most people think to themselves, I am a small business, my information is probably not on there, and if it is on there what can someone really do with it? Can you speak to the amount of exposure you see for small businesses? Let’s say a bad actor has access to an email address, what could they even do with it?
Alison: Right. We get that question quite a lot. The answer is contrary to what most folks think. The vast majority of attacks, whether it’s ransomware attacks or cyber incidents, are targeted at small and medium businesses. Part of that is because that’s an easier feeding ground. A lot of those small to medium businesses don’t have the tech staff or the budget to have cybersecurity tools in place. Yes, you read in the front of the Wall Street Journal that a Fortune 500 company experienced a huge breach. But the ones you don’t necessarily hear about are all the small and medium businesses that are getting targeted day-in and day-out. The risks can be higher for those small and medium businesses… An IBM is going to be able to weather that storm whereas a small or medium business – they could not in a position to deal with a huge ransomware attack. The first question you ask Jessica – it absolutely is important for anyone whether you are a business of two people or two billion.
And the second question is what can they do with an email address? Quite frankly they can do a lot. They can find their way into that organization. A lot of content we see on the darknet will have passwords associated with it. Think about a hacker that has stolen information. And a small to medium business’ employee uses that same password for their Spotify account that they do internally for work. Because of password re-usage, that hacker can access the internal systems of the small to medium business and take down information. The business could be vulnerable to social engineering. We see a lot of executives targeted at small to medium-sized businesses. There are many vectors present on the darknet that threat actors could use to get into the organization from a technological standpoint or to social engineer their way in.
Jessica: That’s the perfect segway over to Manu which is the “so what?” What does Cowbell do with this data? How do we understand at what level of risk a company faces when it comes to dark web exposure? Manu, if you wouldn’t mind, give us an understanding of how Cowbell uses this data and what is available to customers above and beyond what they see in their dashboard? In their Cowbell portal on the platform.
Manu: Absolutely. The way we look at it, DarkOwl’s data is directly aggravated from forums off the dark web. This is valuable data to Cowbell since we’ve created a dark intelligence score for each one of our policyholders in the form of a Cowbell factor. This score helps us determine what the level of risk is associated with the organization’s exposure on the dark web. If we determine that there is organizational data exposed on the dark web, we’re able to quickly identify the number of documents exposed, and then we notify those Cowbell policyholders to potentially take action through our own platform. Now how does that really affect Cowbell factors, and what we can do for our insurers?
Our dark intelligence telefactor is impacted directly by the number of exposed data points that have surfaced on the dark web. The more exposed documents we identify and the more credentials or passwords that are leaked are associated as a high-risk. The severity of those exposed data points is categorized by low, medium, high, or very high. For example, if we identify that there’s 50 documents exposed on the darkweb for a particular insurer and 25 of those documents were considered hack-worthy data, then we may categorize that as a medium-sized risk. If we go down to 20 exposed documents with only 5 that were considered hack-worthy data than that may be considered a low risk. Versus something where we might find 5,000 documents on a particular insurer and they have 250 documents that are considered hack-worthy data. That would be in either the high or very high category as well. At that point we identify that risk for our insurer on our Cowbell cyber platform. From there they can go ahead and request additional details, such as what’s behind those documents and what’s actually been exposed. That’s what tends to happen with policy holders. They reach out to the risk engineering team and then from there we create a report for them.
Jessica: So if I want to understand what’s behind the score, you’re saying that I can reach out to the risk engineering team and receive a report. What does that report have in it? Can you show us an example?
Manu: Absolutely, I have one right here… this is a sample report. For full disclosure this is not any actual data on a policy holder or any actual dark web information on a policy holder. This is all make-believe. With DarkOwl’s data, we organize that data into a report that is consumable by IT professionals, by security professionals, and a report that makes sense for management teams and the C-suite as well. We want everyone to be able to look at this report and say: I get it, I see what the risks are, I see what the exposure is.
Our risk manager has done a great job of aggregating that data into a report that’s consumable by all. On the top you’ll see that summary of findings found through the help of DarkOwl’s platform. It will quickly summarize where this data was exposed. This report says the data was exposed in the MGM 2022 breach as well as the leading data source where all types of information was exposed. In this one it highlights the PII that may have been exposed such as date of birth, email addresses, names, actual physical addresses. This was happening for over 142 million records from the MGM breach in 2022. From there the report goes into some of the categories that we have found. The total number of exposed documents that have surfaced on the dark web for this particular insurer will be listed.
We have 555 exposed documents. From there it goes into how many of those are actually exposed credentials with passwords listed whether is plain text passwords, so that would be the actual password, versus something that’s hashed which would be more of a coded password and more difficult for a bad actor to take advantage of. It has listed 5 there. And then 5 is the total number of exposed passwords. This is passwords without a credential associated with it. This will also list out the most recent data that was listed, so you may find data that was listed in 2021, 2020, 2019. This data is as of this year so that makes it even more crucial for an organization to understand that this is a direct exposure, this is a recent breach, and this could be a recent password that an employee is using.
Down here we have a couple of charts. It will tell you the amount of passwords and some of the other data that is exposed such as email, names, phones, and physical address which is conveyed here for a policy holder.
Scrolling down we get into the recommendations that we want some of our policy holders to follow if they do have data exposure, such as what you can do next and how you can mitigate some of the exposure. We have listed some of the best practices and security controls policyholders can apply.
Everything from applying multi-factor authentication to those email accounts that may be exposed, to changing those passwords, creating robust password policies, requiring employees to have alphanumeric passwords, and passwords of at least 10 to 12 characters. That’s the standard right now. With special characters included. Training your employees to identify phishing attempts, having good email hygiene, and not clicking on links if you don’t know who the sender is are what we recommend to our policy holders to apply if they do have any exposure.
Jessica: I want to note that somebody in the chat asked: Is it hard to remove your information if it is on the dark web? Alison thanks for answering it [in the chat function]. In fact, it is impossible to erase information once it is on the dark web. There are two things to keep in mind here. Number one is this set of recommendations. If a customer is highly exposed, however, they are acting on some of these recommendations the exposure will go down with time. The more time that passes the lesser the importance of the exposure, such as if they are old passwords or passwords that are no longer in use or if there’s multi-factor authentication enabled. That’s going to disable a bad actor from using this information to do anything bad.
Manu: And the answer is yes. It is hard to remove that data. We can’t simply call the bad guys and say “hey look can you please delete my data off the dark web?,” they just won’t do it. Once it’s on the dark web it’s most likely on there for good. It’s going to be bought and sold. It’s going to be reposted on other forums for bad actors to buy, for actors to attempt to deploy phishing attempts against, to employ brute force attempts against, so it will always be on there. What the organization should do at that point is mitigate. Be proactive in your approach. Apply best practices. These are some of the recommendations that we initially want the insurer to take advantage of and quickly apply within their environment.
Going onto the next page this will be the actual raw data that we notice from DarkOwl’s aggregation. We’ll list out the email that was leaked and posted on the dark web. It will be the company email most likely. From there we’ll also post whether any password was leaked. In this case the password was leaked. The answer could be yes, no, or could be a hashed password. From there we want to give the policyholders the date that it was published on the dark web. We think that’s important because the more relevant data for the bad actor to take advantage of and to use to compromise your organization will be the most recent data that was posted. We tend to see that with credentials that they get from the current year – those passwords may still be current. Employees may still be using those passwords to login to those accounts. Threat actors take quick advantage of that. Then we’ll list out the data source as well just so the policy holder can understand: was I compromised, or was this from a third party where my data might have been sitting somewhere and the bad actors had access to it that way? If there are any of other types of information included –so email addresses and passwords for this one –you can see some of these emails have a lot more PII associated with them, such as email addresses, names, titles, their LinkedIn IDs, and where they’re living.
Alison: That context that Manu just went over is extremely valuable and I don’t want that to be lost in the details. There are other darknet providers who might be able to say yes, that company has exposure on the darknet. But then it’s end of sentence. And you don’t get the context. Being able to share with that client that these exact email addresses with these exact passwords were a part of this breach is so much more powerful. Think about the mitigation if you are a small-medium sized business and this report comes back and there’s three email addresses on it and three of those employees are no longer with the company and left 4 years ago. You’re not concerned. Or, you come back and this report has 5 email addresses listed on it and every one of those employees was attending a conference last week together – that’s going to be a very different mitigation strategy for that business than the former. The context and the fact that Cowbell can pass that on to you to pass onto the policy holder… is extremely important because it allows them to act on it versus “well there’s information out there, good luck.”
Jessica: Alison when you say valuable, I want to press upon that. A lot of DarkOwl’s customers are cybersecurity companies. They might charge thousands of dollars to a customer per year to provide this in-depth information. Manu, do our customers have to pay for this report?
Manu: No, this is a value-add for being a Cowbell policy holder. It’s one of the many value-adds that we bring to our policy holders, and it’s one of the most frequently requested value-adds that we provide. If you notice that you had an exposure on the dark web, within the same day or within 24 hours we can turn around a report and get it over to your risk managers and your security folks. There’s no added cost associated with utilizing this service.
Alison: I would leverage that highly. When we were prepping for the webinar, Jessica was asking me how I would position it if I was in all of your shoes. I think about comparing different car insurances. If you make that analogy over to cyber insurance, this is the equivalent of getting free oil changes and engine checks. This is a huge value-add especially for small-medium businesses that may not have an IT staff who can be looking on the darknet. I think it’s a freebee that they can take advantage of.
Jessica: Absolutely. Manu, can you answer for us: what are some of the most common questions or trends that you get from customers about the dark web? Is there a common misconception, myth, or concern that your team fields most often?
Manu: The number one question we get after an organization realizes that their data was on the dark web is: “have we suffered a data breach or a cyberattack?” In most cases that we’ve seen the answer is no, it’s just the circumstances – it tends to be that the compromise happened at a third party, and they were storing your data in some capacity and threat actors gained access to it and they posted it on the dark web. Sometimes a bad actor will even mention the data source that they aggregated the data from. There are some cases where it could be direct exposure to your organization, and this indicates a breach. But what we tend to see is that it’s most likely a third-party breach and your data has been posted on the darknet. I would say the next question that we receive often is: “how can I reduce my risk?” and “this data is out there, what do I do?” and “how do I make sure that I don’t get hacked, how do I make sure that I don’t become a target?” It goes back to being proactive to applying those recommendations that we spoke about. Between MFA, email security, training your employees, and having strong passwords –all of that is very important. Those are probably the top two questions we get from policy holders once they notice that they have had some exposure.
Jessica: Manu this question (from the chat) is going to come to you. Do we also use this data as we underwrite and determine premium rates for prospective customers, and if so, is there a way to get a sample of some exposure for clients in advance as we help them consider the value of a Cowbell policy?
Manu: It is factored into the underwriting process if there is exposure on the dark web, however, we do give policyholders a chance to let us know what they are doing to be proactive to reduce their risk. Once underwriting understands [what they are doing to reduce risk] we get comfortable enough with the risk to move forward in the underwriting process.
Alison: Can they share it with their prospective clients?
Manu: Yes. We can certainly provide that data to prospective clients as well.
Jessica: So a broker could reach out in advance and understand what the exposure is so that they can guide that client potentially into a Cowbell policy or elsewhere?
Manu: Yes. As far as sending the actual data over we wouldn’t do that. We would just let them know if there is exposure and the amount of documents we’ve noticed as hack worthy data on the dark web. Then the actual data that is exposed would be shared with the policyholder or the potential client.
Jessica: So the dark web report that you shared is a post-buying experience for the policy holder. Any final comments? Alison and Manu thank you so much for being here. Do you have any closing thoughts for the audience?
Alison: We’re here and as you can tell we are doing a ton of work in the background and by “we” I mean Cowbell and DarkOwl to try and make this a much more robust policy than some other folks out there so don’t be afraid to come to us, ask questions, and if you have any personal interest in learning more about the darknet, there’s a lot on our website at DarkOwl. We’re just here to help.
Manu: Thanks Alison and I would say that if there’s exposure on the dark web and if you don’t know what to do –come to us, ask, go on the platform and see if there is any indication. And if there is exposure as us to generate a report for you. Again, it’s a value-add for our policy holders so certainly take advantage of it. This helps in several ways. It will help reduce the organization’s chance of suffering a cyber incident related to that exposed data. It also helps underwriters better understand your security posture, and then they can more accurately rate your organization as a safer risk, and that includes during the renewal process as well.
The organization can show Cowbell that they have been proactive, that they have reached out, that they have mitigated against some of these exposures, and they can show us that they are in a strong place for a renewal. Take advantage of the value-add from DarkOwl and Cowbell; it only helps reduce your risk and make your organization a stronger cybersecurity organization.
Jessica: Thank you. Hopefully we’ve given you some things to think about today that you can turn around today, tomorrow, the next, and directly relay to your customers as to why Cowbell… is different in the market than other carriers. We’re using data sources that are absolutely the best in class to help define risk and rate risk. Beyond that we have Manu and his team who are here to help you, guide you, and provide extra information and context throughout the entire lifecycle of a policy.
Cowbell is the leading provider of cyber insurance for small and medium-sized enterprises (SMEs) and the pioneer of Adaptive Cyber Insurance. Cowbell delivers standalone cyber coverage tailored to the unique needs of each business. Our innovative approach relies on AI for continuous risk assessment and continuous underwriting while delivering policyholders a closed-loop approach to risk management with risk prevention, risk mitigation, incident preparedness and response services. To learn more, visit: https://cowbell.insure/
DarkOwl uses machine learning to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. Our passion, our focus, and our expertise is the darknet.
Interested in how darknet data applies to your use case? Contact us.
The fundamental rule of thumb in conducting any online cyber investigation is that the deeper you get into underground networks such as the darknet, the more vigilant your operational security and certainty in the technologies employed for anonymity. To remain safe while conducting dark and deep web operations, here are some guidelines and recommendations from our analysts.
1. Separate Your Technologies
Never utilize your work or home computers, or networks for that matter, for conducting dark web investigations. Even if you think you are being secure using Tor Browser Bundle or a VPN, there is elevated risk of inadvertent exposure to malware, threats, and viruses once you leave the Surface Web.
The same is true for social media investigations as well. Many threat actors that use personas on social media will include malicious links in social posts that are designed to log your IP address or expose your identity and location. A recent threat intelligence report indicates that some nation state sponsored malware can be triggered simply by hovering over the hyperlink.
2. Keep Darknet Identity Separate from IRL
Similarly, never use your personal, work, or school email address to sign up for or register accounts on any services on the darknet or deep web. Although you might think the address is non-attributable, if the username is remotely connected to your real-life identity, such as using your favorite sports team or hobbies, a threat actor can easily use the information to divulge your real identity or directly target you.
Likewise, never re-use an email address you used for an investigation with any personal or work-related website registrations or mailing lists, even if you believe it is non-attributable.
3. Layer Your Proxies
The Tor Browser provides layers of security protection through a series of network relays, obfuscating both the client and server IP addresses for every TCP/IP handshake. When conducting OSINT and darknet investigations that involve moving in and out of the Tor network, use one, or more, reliable paid virtual private network (VPN) services that offer additional features like double obfuscation and privacy policies like no server logging of user connection data. One could also adopt more extreme measures like live distros like Tails which wipes out every session’s data including the RAM, or Whonix which by design prevents IP address leakage.
4. Use Burner Phones and Email Addresses Where Possible
Non-attributable burner phones are more and more difficult to acquire, but increasingly necessary for building out investigative personas and joining sensitive networks and channels on chat platforms like Telegram. Underground forums and marketplaces also sometimes require a Telegram account or a valid email address for registration.
Overall, it is best to use temporary email address services, non-US based free email providers, or Tor email providers for account registrations. Some example temporary, anonymous, and secure email providers include Guerrilla, Protonmail, and AnonAddy.
5. Encrypt Everything Everywhere
Not using encryption on your darknet investigative platform, especially if you’re downloading and storing potentially sensitive data, is akin to storing things in a fireproof safe in real life without using the lock. The safe is there, turning the dial is the simple extra step for ensuring the safe’s contents are secure. End-to-end and OpenPGP encryption for emails and files are always better than storing on the disk directly.
Likewise, open-source Linux utilities like CryFS are readily available to encrypt your data. CryFS uses an AES-256-GCM algorithm plus a user-defined password to access configuration data for decrypting the hard disk. Others advocate for GostCrypt, a fork of Truecrypt, which uses the GOST 28147-89 algorithm and its more advanced cousin, Grasshopper for securing the data.
6. Trust No One
Despite the urban legends in circulation, such as – there are more law enforcement and information security researchers on the darknet than criminals – there is not a single individual or persona in the darknet that you can completely trust. Maintain your persona, capture whatever information and digital evidence you need quickly, and burn aliases and assets whenever necessary to not generate a lengthy digital paper trail.
Nearly every underground criminal community includes social engineering experts who thrive on the thrill of hunting down members of marketplaces, forums, and chats. Humans will continue to be the weakest link in cybersecurity, as threat specialists at Zerofox contend social engineering will continue to be the primary initial access vector for the foreseeable future. The LAPSUS$ gang are some of the most sophisticated social engineering cyber criminals in the darknet and continue to exploit enterprise victims using social engineering methods.
DarkOwl Vision’s UI helps OSINT analysts, darknet analysts, and darknet investigators gather critical data safely by bearing the brunt of these security risks. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.
In light of Cybersecurity Awareness month, DarkOwl is committed to sharing resources from our researchers and analysts that touch on safety best-practices and key trends in the global cybersphere based directly on insights from the darknet.
Be the first to know as we release new research by entering your email below!
Featured Content
WHITEPAPER
Tensions Between China & Taiwan Realized on the Darknet
In this report, DarkOwl researchers provide insights and analysis from the darknet on how tensions between China and Taiwan are impacting the cyber underground.
Industrial Control Systems and Operational Technology Threats on the Darknet
DarkOwl participated in this presentation in conjunction with Hybrid COE to bring awareness around ICS/OT threat vectors that continue to emerge and circulate on the darknet.
Cybersecurity Awareness: Darknet Investigator Best Practices
DarkOwl analysts outline a compilation of best practices for conducting OSINT and DARKINT investigations. Curious what we mean by DarkInt? Check out this 101 guide. This is now live!
BLOG
Cyber Group Spotlight: Bjorka
Learn more about the threat actor Bjorka who is causing terror to the Indonesian government. Check out previous Cyber Group Spotlight on SiegedSec in the meantime. This now live!
EVENT
DarkOwl @ OSMOSISCON in Tampa, FL
DarkOwl Product Engineer Damian Hoffmann will present “Finding Actionable intelligence in Dark Web Data for OSINT investigations” to attendees at this year’s OSMOSISCON, October 16 – 18.
Attending OSMOSISCON? Schedule a time meet with a DarkOwl team member here. Read our synopsis here.
EVENT
DarkOwl @ DarkWeb Conference in Hyderabad, India
David Alley, CEO for DarkOwl FZE will be attending and speaking at this conference on October 18th, focusing on Combating Cyber Warfare and Cyber Terrorism using the Darkweb.
Attending this conference? Schedule time to meet David here.
DATASHEET
Dark Web Monitoring
DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources. Monitor for information critical to your organization, clients, and customers to discern actionable and meaningful intelligence from things like cyber breaches and ransomware attacks. Check out our new datasheet.
BLOG
Top Mentions of Cybersecurity Awareness on the Darknet
This piece will examine what threat actors on the darknet are discussing regarding cybersecurity awareness and related topics. This is now live!
Curious to see how darknet data can improve your cybersecurity situation awareness? Contact us.
Industrial control systems (ICS) and their adjacent operational technologies (OT) govern most everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all include some degree of ICS/OT incorporated in their industrial processes. Cyberattacks against these are on the rise and the challenge to protect industrial control systems persists. Recent research from DarkOwl analysts specifically identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure.
DarkOwl is not the only one taking note of these trends and associated challenges. Hybrid CoE, the European Centre of Excellence for Countering Hybrid Threats, has published a Working Paper entitled Defending critical infrastructure: The challenge of securing industrial control systems, diving into the topic of cyber threats affecting industrial control systems, the downstream affects and what can be done from a policy perspective.
Last week, DarkOwl CEO Mark Turnage participated in a webinar, “Defending Critical Infrastructure: The Challenge of Securing Industrial Control Systems” hosted by Hybrid CoE, with speakers from The United States Army College, the Internal Society of Automation (ISA), and the National Institute for Strategic Studies, Ukraine.
The panelists discussed DarkOwl’s recent research in detail, covering topics such as cyber incidents affecting the vulnerabilities of industrial operations, recent examples from Russia’s war against Ukraine, specific OCS/OT threats on the darknet, and potential ways to develop more effective policies.
The slides that Mark Turnage shared during the webinar can be found here:
Curious to learn more about how darknet data can tailor your threat intelligence or provide insight into the threats your face? Contact us.
DarkOwl analysts took note of an increased amount of darknet activity surrounding the current geopolitical tensions between China and Taiwan.
Using darknet, deep web, and high-risk surface web data, this report endeavors to shed light on the digital underground’s reaction to the countries’ political tensions stemming from China’s “One-China Principle” and its refusal to recognize Taiwan’s independence.
This report will also demonstrate how recent cyberattacks in August augment political criticism of Taiwan. Of particular note is the on-going barrage of leaks surfacing as a result of attacks against key organizations in both countries, and discusses the general darknet sentiment regarding China’s global reputation and their potential invasion of Taiwan.
Questions? Curious to learn how darknet data applies to your use case specifically? Contact us.
In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Exchange Market.
For this marketplace snapshot, our analysts selected a darknet marketplace hosted on Tor called Exchange Market. Exchange marketplace content is predominantly Chinese Mandarin and features illicit goods traditionally offered on a typical criminal marketplace – including weapons. The market does not appear to emphasize drugs for purchase in variety and volume as is common with other decentralized markets on the darknet.
Since early 2019, DarkOwl has observed activity from Exchange Market with a comprehensive offering of physical and virtual goods and services for sale; including advertisements that are supportive and worthwhile to darknet and underground criminal communities. The market’s onion service is advertised as though it is based in China, uses mostly Chinese Mandarin language, and references popular technology and applications exclusive to China culture. The market is not widely advertised across the darknet in typical marketplace discussion boards and link lists.
Like most decentralized markets, account registration and user authentication are required before accessing Exchange market’s listings. The market also requires the user solve an English-character-based CAPTCHA before access is granted.
Exchange Market Login Screen, Source: Tor Browser
Once authenticated, the banner includes the English phrase:
“Exchange, Trade Privately. Against Tracking and surveillance.”
The top banner includes three sections translated to English as:
“Real-time manual penetration data for acquisition of first-hand online loans by overseas teams”; “Receive download site traffic”; and “Integrity buys and sells first-hand data on men and women.”
Exchange Market, Post-Authentication, Source: Tor Browser
A Closer Look at Exchange Market’s Goods & Services
Exchange market is divided into different sections with each advertising a different category of items for sale. Sections at the very top offer paid advertising materials as is common with other darknet marketplaces and forums. For example, some paid advertisements listed include recruitment and data brokerage offerings:
“High salary looking for 3 to 4 Java architects front end engineer jobs in Thailand”;
“A large number of financial investment data in the currency circle of Japan, South Korea, Europe and the United States stock and foreign exchange exchanges are collected”; and
“Looking for a hacker that can provide cvv sync fish.”
Below the Paid Advertising section, there are different categories listed with dozens of individual advertisements each. The advertisements listed are updated frequently.
data resources
service businesses
virtual items
physical items
technical skills
video pornography
other categories
basic knowledge
private shop
Three Categories of Goods & Services Advertised: Data Resources, Services, and Virtual Items, Source: Tor Browser
[TRANSLATED FIGURE BELOW – Source: Google Translate]
Data Resource [see more]
Service Business [see more]
Virtual item [see more]
1 15W pieces of the latest national college student data in July 2021 suitable for online loans
1 11 detective business inquiry 11 high quality and lowest price on the whole network 11 recruiting agents 11
1 In 2022, the whole network will launch Android remote control stealing u
2 470,000 pieces of data on the wehkamp shopping station in the Netherlands
2 In 2022, the latest PAYPAL binding foreign credit card fraud core technology
6 500,000 shopping data in Spain_Automatic delivery
6 thug private detective
6 1434 sets of US driver’s license front and back hand-held driver’s license
7 57W National Physician and Physician Registration Examination Database Package is of great value for money
7 Dead and Remnant Order Customized Order
7 37 sets of Japanese driver’s license plus hand-held driver’s license japan driver’s license
8 Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates
8 Anti-drinking tea network security Anonymous anti-tracking evades the investigation of the Internet police to deal with national security tea-drinking security money laundering technology
8 TRCERC’s latest release of the coin withdrawal interface source code is fully open source, there are two sets
9 870,000 names and email addresses of real estate agents in the United States
9 All kinds of inquiries of detectives
9 In 2021, the latest bitcoin money laundering technology is very safe in the black production circle
10 US Wolf Eye Clinic patient data 630,000 phone and mailbox SSN
10 24-hour stable query business
10 11 teach you how to date a girl in junior high, high school and college 11 by no means a cold reading pua tutorial
11 elitemate US online dating site data 1.04 million
11 Check cars, check people, check all
11 AliExpress eBay Amazon Alibaba Taobao and other e-commerce seller data
12 7.73 million Robinhood stock and cryptocurrency investing sites
12 Query ID card activity track
12 Latest National Official Contact Information Official Position
13 570,000 users of btce cryptocurrency platform
13 Detective_Check_Online second message
13 CC attack tutorial and software
14 24,970 US users of bitmain bitcoin mining machine
14 High-quality file inspection on the whole network
14 Naked chat fraud to obtain address book source code Naked chat software codeless video voice changing software photographed and shipped automatically
15 Hacker QQ number stealing tutorial with software
16 bitcoinnetworks bitcoin contract website 5237
16 Monero Money Laundering 2021 The Safest Way to Launder Money Original
16 The full technical information of the hacker is here
Translated Table of Exchange Market Listings for data resources, business services, and virtual items
Data Resources
This section of the market has listings focused the brokerage of personally identifiable information (PII) and digital identity theft crime including: selling PII exfiltrated from shopping data, college students’ data, phone numbers, social security numbers (SSNs), addresses, and users of bitcoin services. The personal data offered appears to be primarily sourced from individuals located in the Netherlands, India, Brazil, Spain, the United States, and Taiwan.
The Unites States is targeted the most frequently in this category with personal data available stolen from US real estate agents, a US optometrist’s patient data, and data from a US online dating service. A newer advertisement, shared this week, titled, “3.26 million in 22 years in the United States_Detailed personal information of US citizens” claims that the data is US personal identity data from 2021 and that 2022 and includes names, addresses, phone numbers, and work associations, and industries.
Data Resources Section of Exchange Market, Source: Tor Browser
Another listing, titled “Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates,” is notable given tensions between the China and Taiwan and likely a result of recent cyberattacks against the country. Each database offered appears to be legitimate and links to real data.
Neither advertisement includes a price for the databases.
“Service Business” Offerings
Listings under the service business category include social engineering, penetration testing, fraud technologies, private detectives, internet tracking avoidance and privacy, and methods for money laundering.
One listing appears to offer one-on-one guidance for the “private customization for telemarketing SMS” – which is likely a customized SMS hijacking service.
Virtual Items
The “virtual items” features malware, trojans, and viruses for conducting cybercrime. Our analysts noted several RATs (Remote Access Trojans), PII for social engineering and fraud, hacking tutorials and associated software, video and voice changing software, and Bitcoin laundering technology.
Interestingly, most of the PII offered here originated from citizens in Spain, Italy, the United Kingdom, Japan, the United States, and Poland – suggesting that either Chinese-based threat actors are directly targeting these countries or non-China based data brokers are reselling exfiltrated databases on this market. Other databases for sale included e-commerce websites such as Amazon, AliExpress, eBay, Alibaba, and Taobao.
Physical Items
Instead of offering a wide selection of drugs for sale as a ‘physical good’ for sale, this section of the market features counterfeited documents and items (e.g. cigarettes), weapons, and a limited supply of LSD tabs and prescription drugs. Clonazepam and LSD tabs are allegedly shipped from Europe, a handgun offered for $10,200 USD, and fake tax certificates and bank cards were advertised from various international government and financial institutions.
Of note, the handgun’s advertisement description, “Glock19 customer customized list” does not correlate to the model of the handgun pictured. The picture is a G17 Glock instead and includes the inscription “Austria” on the weapon. Despite the discrepancy in what is advertisement and the picture, there are other automatic and semi-automatic weapons included in the Glock19 advertisement.
[TRANSLATED ADVERTISEMENT – Source Google Translate]
“New glock 19 gen4 price ($10,200)
Shipping time is about a month
No refunds will be accepted after payment, as the goods will not be returned once dispatched, Because of their own problems, the mobile phone number is not answered, the goods are not received, and refunds are not accepted. If you do not receive the goods or do not meet the requirements can be refunded. Please release the money after receiving the goods without any problems, for the sake of long-term cooperation in the future
Save time for those who really need it, don’t bother.
AR15 AR-24K beretta PX4 MAC 11 Russian-made Markov is cheap
Customer-made list, if you need anything else, you can send a private message, don’t waste everyone’s time thank you [If you want to order, please make a sincere consultation for $10, send a private message on the site, or leave a telegram or encrypted email
Only connect with the big boss, you can also come if you think you have the strength. Don’t waste your time consulting if you are bored
I finally want to say that cheap people deserve to be deceived. . . Stop believing those in some groups. . All liars can’t see it.”
Handgun offered for sale on the darknet marketplace, Source: Tor Browser
Technical Skills
The Technical Skills section cover numerous skills required for fraud and hacking technologies. Some technical skills advertisements include antivirus software by-pass techniques, methods to register Google voice account with US phone numbers, online credit card loans, DDoS attacks, and scraping information from WeChat chat records real-time. There are also some unexpected socially specific skills on offer like: “Tricks to Control Women” and “The Manson Method to Get Women Addicted to You.”
Video Pornography
This section of the market includes what one would expect with subscriptions and pornographic content available for purchase and download. There are also mentions of CSAM content.
Other Categories
This section includes uncategorized listings for a variety of products, much of which is similar to the ones already described above. Our analysts noted offers for ransomware, international passports, hacking toolkits and tutorials, and unrelated listings, such as “The most complete network of CCP princelings.”
Basic Knowledge
The Basic Knowledge section of the marketplace is a mixture of offerings and discussions on topics such as earning passive income, fraud and hacking tutorials, and practical dating skills.
More Exchange Market Listings, Source: Tor Browser
This section of the market appears to also include an option to add comments to posts, although additional marketplace approvals and/or Bitcoin payment may be required.
Exchange Market: DarkOwl Analyst’s Observations
Exchange Marketplace restricts any personalization of buyer or vendor accounts. There are no custom usernames or avatars associated with either type of account.
Vendors are provided a “seller account number” that appears with their product listings and there is no obvious vouching for a vendor’s legitimacy with reviews and creditability from other marketplaces or sources.
Similarly, buyers are issued a random string of numbers that serve as the account’s username, further obfuscating the identities of all parties involved in a marketplace transaction.
A limited number of vendors include links to potentially associated Telegram channels and/or include English text in their advertisements.
Products on the marketplace are tailored towards Chinese online services, e.g. ransomware to target Taobao, Xianyu, WeChat, and Weibo.
To transact with a vendor on Exchange, the onion service requires the buyer generate a separate transaction password.
The marketplace serves as ‘escrow’ with a ‘pay-to-play’ mentality, requiring Bitcoin deposit for an account to be fully activated.
Conclusions
With longevity and network persistence offering illegal goods and services since 2019, DarkOwl assesses that Exchange Market is a comprehensive darknet marketplace that sells goods and services to support the full spectrum of potential cybercrime. In addition to databases and exploits to conduct financial and identity fraud, scamming, hacking, ransomware campaigns, and more, the market appears to also support a solid recruitment and hacker-for-hire segment of the Chinese-malware community.
Unlike other decentralized markets, Exchange Market demonstrates higher concern for anonymity by providing random numbers to users rather than personalized aliases. While the language barrier might limit access for large swaths of darknet users – who are predominantly English and Russian speakers – Exchange Market’s popularity is consistent despite limited out of market advertising and is still flourishing on its own.
Subscribe to email to receive the latest research directly into your inbox every Thursday and don’t miss our next Darknet Marketplace Spotlight.
The year 2022 has been one of heightened global tensions and geopolitical military conflicts. Russia’s three-day “special military operation” against Ukraine has turned in months of heated battlefield bloodshed, cruise missile attacks, and sparked a global cyberwar touching hundreds of other non-Ukrainian nor Russian entities. Elsewhere, open sources estimate that over 100 people have died in a border conflict between the former Soviet states of Kyrgyzstan and Tajikistan, both of which share a border with China. Meanwhile, a fragile ceasefire agreement between Armenia and Azerbaijan failed to stop fighting that resulted in a couple hundred deaths in an Armenia enclave of the Nagorno-Karabakh region of Azerbaijan just last month.
Amongst these hostilities are escalating, volatile tensions between China and Taiwan that stem from China’s “One-China Principle” and its refusal to recognize Taiwan’s sovereign independence.
In DarkOwl’s upcoming research investigation, our analysts take a closer look at how recent political tensions between China and Taiwan spill into the darknet, deep web, and greater cyber space.
Recent political tensions between China and Taiwan spill into the darknet and cybersphere.
In this paper, we will look at how numerous data leaks and cyberattacks have occurred in both the U.S. and Taiwan – prompted by a controversial political visit from US Speaker of the House, Nancy Pelosi in August, and the subsequent approval from the Biden administration to deliver $1.1 Billion dollars in US weapons to Taiwan.
The new research piece will also shed light on the darknet’s response to concerted information operations and political escalations between the two countries, including chatter related to a potential military invasion of Taiwan, China’s role in Russia and across the globe, and general anti-China sentiment across several darknet discussion services. We also uncover some of the critical government and organization data leaks that have surfaced for both Taiwan and China and are in circulation in the darknet.
To receive a copy of this research as soon as it goes live on October 5, drop your email below:
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
