Underground markets of the darknet provide an extensive inventory of illegal goods for sale, including and certainly not limited to drugs, weapons, hackers and assassins for hire. In the “Digital Goods” section of most marketplaces, one will find an array of malware, bots, and services for conducting offensive information operations against a victim network or targeted information system.

While many of these are tools are considered ‘commercially’ available products and services for any interested anonymous darknet buyer with the cryptocurrency to purchase in hand, nation state-level cyber threat actors are certainly one potential consumer for any of these products with the intent to add these digital weapons to their repository of cyber tools.

[Quick Read: Darknet posts show SolarWinds has been a target, and has open servers that trace back to Russia]

As we’ve recently reported in our findings regarding the SolarWinds hack, monitoring the darknet for these types of tools and malicious discussions enables organizations to understand when and if they’re a target, and prepare accordingly.

For example, in the case of SolarWinds, we have evidence that they have been a target by hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, when taken seriously, could have been leveraged by their customers as a cue to safeguard themselves against what ultimately resulted in the devastating hack that transpired this year.

There are many more cyber weapons at Nation-State threat actors’ disposal on the darknet

The digital goods section of most darknet marketplaces are broad in their offerings, suggesting that a ‘digital good’ consists of any product or service delivered virtually, unlike the purchase of an illegal weapon or illicit drugs that are delivered to a physical address. As such, the digital goods section of many marketplaces includes Adobe PDF files guides, lifetime website memberships and subscriptions, and digitized programming books with little to no value to a sophisticated nation state cyber actor. Most of these are innocuous instructions for the most novice to the underground criminal operations, such as carding, identity fraud, basic social engineering, and technical ‘hacking’ manuals covering basic network penetration.

Basic Network Exploitation Tools

A darknet marketplace consumer can also purchase any number of basic network protocols and tools for maintaining anonymity such as anonymous servers, VPNs and bulk proxies. It is unlikely a foreign nation will need such simplified tools; however, there are also vendors selling more advanced versions of the same type of tools, in packages such as KeyLogger Script Collections and CIA forensics expert tool – Magnet IEF on White House Market, or the FBI Hacking and Forensic Toolkit for exploiting mobile phones for sale by the vendor breadsdrugged on DarkMarket. This package is advertised to include KONBOOT authentication bypass, Oxygen Forensics which retrieves deleted texts and extracts data from all the popular mobile-phone cloud providers.

Then, there are also commercially available remote access trojans and bots that nation states could leverage for more sophisticated attacks and espionage. The Anubis Bot, Azorult 3.3 AZORult Trojan (Version 3.3), and Spy MAX v1.0 – Android RAT are all currently available for sale across many darknet marketplaces and accessible via instant download link delivered upon purchase.

Historically, nation states readily target mobile phones for espionage and intelligence collection. This was publicly revealed when the Kingdom of Saudi Arabia’s (KSA) intelligence and government officials were caught using the Pegasus malware against WhatsApp and iPhone messaging platforms, developed by an Israeli security firm, to target dissident journalists. Recent reporting from Toronto’s Citizen’s Lab details how the Saudi government targeted 36 journalists from Al Jazeera earlier this year.

Cobalt Strike is a popular software emulation environment designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors and readily for sale on the darknet. Recent open source reporting suggests Chinese hackers sponsored by the Chinese government have been actively using Cobalt Strike to enable backdoor access to a number of compromised networks and information systems for the deployment of additional tools on the network in the future.

Banking Malware for Large Scale Financial Industry Attacks

Some nation states, such as North Korea have been known to leverage banking malware for cyber-operations to recoup financial gain from the economic impact of international sanctions. Vendor leaguemode on DarkMarket offers the GozNym 2.0 banking bot for purchase for $1500 USD per build. The same vendor also sells ATM malware that is deployed via EMV (Europay, Mastercard, and Visa, i.e. “chipped”) debit cards on the same market for $1,000 USD per card.

Tools to support the targeted phishing of international banks based in North America, such as CHASE and CIBC of Canada is also currently available for sale on darknet markets. The digital good includes the HTML and CSS for scam websites for a number of prominent banks, including detailed administrator panels. These websites could be used by nation states to conduct targeted attacks against financial institutions.

Ransomware for Offensive Cyber Operations

One information operations technique nation states could employ is simply shutting down critical operations of a competitor country’s critical corporations and industries. WannaCry (aka GonnaCry) ransomware successfully crippled the UK’s National Health System and is currently for sale on White House Market for $150 USD.

The source code for another effective ransomware, known as KingLocker, is also available for purchase and could be customized by a nation state to conduct a large scale campaign against a target industry or country.

The ransomware could be coupled with country-specific business directories, also for sale on darknet marketplaces for targeted in-country deployment. Multiple vendors on White House Market sale leaked databases, such as Dubai’s enterprises and UAE business directory costs as little as $129 USD. Meanwhile, Russia’s industry data with business names, domains, and contact information is only slightly more at $160 USD.

Targeted Phishing and Disinformation Campaigns – Credentials and PII

In the same way leaked organizational information for sale on the darknet could be instrumental for launching ransomware attacks, other critical country-specific information could be leveraged for targeted phishing and disinformation campaigns.

On DarkFox, the vendor GoldApple on DarkFox sells numerous combo lists and US-state level voter registration data. The same vendor offers over 570,0000 (0.57 Million) emails from Japanese citizens for as little as $10 USD that could be for targeted attacks and disinformation campaigns.

One vendor offers a list of millions of US mobile phone customers personal information, including social security numbers and carrier that could be used for spamming and disinformation for $229 USD. The same vendor also has another 8 million Chinese phone numbers for only $200 USD.

Another vendor offers Taiwan’s Ministry of Civil Service database of employees which could be used for targeted phishing to infect government networks for espionage for €69 EUR.  

A database containing information for a US Intelligence agency is advertised for sale on White House Market for a mere $100 USD.  According to the advertisement and the hackers who obtained this information, it was stolen from a cloud server owned by the US government. The database contains thousands of records of critical detailed information associated with the vendors providing goods and services to the agency. This information could be invaluable for a targeted information operations attack by a nation-state.

Most nation-state sponsored human intelligence operations require fake identification and passports. Vendors on the darknet offer fake US passports with biometric data for sale for a starting price of $2,000 USD. The advertisement, sold by vendor topvendor on White House Market states that all their identifications have machine-readable data zones, three layer security UV hologram which will readout correctly when scanned at borders. The vendor also offers detailed advice on travel routes and social engineering methodologies for interacting with customs officials.   

As we reported earlier this year, social media manipulation is an increasingly popular trend by nation state actors to conduct disinformation and propaganda campaigns against their adversaries. Accounts on most all prominent social media platforms are readily available for sale across most darknet marketplaces with digital goods. Long-term established accounts with more ‘followers’ and historical influence are more coveted. One can purchase 1,000 LinkedIn followers for as little as $15 USD on ToRReZ, which could be essential for a nation-state level social engineering or espionage attack, while 50,000 Instagram followers cost upwards of $350 USD. A Facebook campaign to disseminate a particular propaganda agenda is also available for as little as $380 USD from the vendor, etimbuk on the ToRReZ market.

Unique Exploits for Field Operations

One vendor on White House Market using the pseudonym unglued, recently posted a 12-Watt Frequency Generator for sale on the marketplace. The hand-held device could be utilized by a threat actor to jam and potentially interfere with the operation of a wide range of frequencies including those used by mobile phones, Bluetooth devices, and GPS receivers. Nation-states wanting to conduct in-field operations could greatly benefit from such a device. The unit sells for $1,200 USD.

Still the most prevalent cyber weapon: credentials

Exposed credentials will continue to be one of the most prominent threat attack vector for organizational networks by cyber campaign operators, large and small.

According to recent Wall Street Journal reporting, the initial compromise to FireEye was through employee VPN credentials and luckily, the employee alerted IT security when their account had been accessed via an unrecognized device which kickstarted the SolarWinds investigation.

“Hours later, the National Security Agency, America’s top cyberspy organization, issued a broader warning to defense agencies and contractors about vulnerabilities such as those exposed by the SolarWinds attack. Hackers, it said, were finding ways to forge computer credentials to gain wider access across networks and steal protected data stored on in-house servers and cloud data centers. The approach, the NSA said, may have been used in an attack on VMware Inc. software used in national security circles that the spy agency warned about earlier this month.” – Wall Street Journal

Leveraging vulnerabilities uncovered in the Microsoft platform, nation-state hackers behind the SolarWinds attack also accessed key leadership emails at U.S. Treasury Department and other critical U.S. government agencies.

DarkOwl Vision has indexed over 6,100 documents containing compromised e-mail addresses and passwords for federal employees using the treasury.gov email domain.

Contact us to learn more about how you can monitor the darknet for exposed credentials using DarkOwl Vision

In light of the large-scale nation-state sponsored attack against U.S. government networks, and critical commercial sectors of the U.S. supply chain, our analysts reviewed historical darknet content for any SolarWinds related activity. We uncovered an extensive amount of content containing SolarWinds and Orion-specific vulnerabilities and zero-days across darknet exploit marketplaces and discussion forums, many of which could be devastating if exploited at scale.

Most notably, DarkOwl analysts also uncovered SolarWinds product documentation and application executables stored on unsecured FTP servers successfully collected by DarkOwl’s platform back in late 2019. The FTP servers contained not only SolarWinds-specific server files, but also Microsoft’s dotnetfx.exe file, a critical executable for installing operating system updates.

Upon further investigation, we traced the IP address of these open FTP servers to the internet service provider, JSC “Severen-Telecom” (severen.ru) in the Northwestern Federal District of Saint Petersburg, Russia.

In addition to the potential tie linking these files to campaigns conducted out Russia, we also have a great deal of evidence to show a suspicious amount of interest in SolarWinds vulnerabilities across the deep web and darknet. In fact, based on the extent of our analysts findings on the darknet alone, we have reason to believe that SolarWinds has likely been a cyber target for quite some time, though a large extent of these indicators that SolarWinds was being targeted transpired in late 2019 and early 2020. For example DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below).

In addition, our analysts have also noted that there was a great number of users on deep web forums that have displayed a particular interest in understanding critical information security applications and intrusion detection systems, with shares of ‘cracked’ versions of SolarWinds Security Event Manager application as recently as July 2020 (pictured below).

In recent days, DarkOwl has witnessed several darknet users across English and Russian-speaking forums discussing key open source reporting regarding the attack, more specifically, Vinoth Kumar’s posted to social media that he uncovered a public Github repo leaking credentials belonging to SolarWinds since June 2018.

(Source in Vision: bc257bc48dd0452f7ea3412d0288f588)

Read more: Here are a handful of other tools that nation-state actors could use to pull off another SolarWinds-grade hack

In previously published analysis, we outlined the economies of social media and disinformation-as-a-service on the darknet, highlighting how there is now a significant ecosystem across the underground internet feeding the enterprise of mis-and disinformation for financial profit and political gain.

With the 2020 Presidential and General Election rapidly approaching, we decided to take a closer look in this report at the vulnerabilities to election security openly discussed on the darknet, including voter registration data and security risks to ballot tallying technologies, along with recommendations on the remediation both concerned individuals and state election officials can take.

Editors Note: DarkOwl is politically neutral and has no intention to further promote misinformation that the upcoming U.S. election is in jeopardy with increased use of mail-in ballots, but instead using a wide-body of intelligence, primarily captured by the company’s 24/7/365 crawls of the darknet and deep web, seeks to inform and educate the public and the information security community of information available on the darknet and our subsequent intelligence findings and recommendations.

Ballot Tallying Technology Discussions on the Darknet

PRIMER ON ELECTION TECHNOLOGIES

Election day ballot marking and tallying technology in use widely varies from state-to-state:

Optical Scan Paper Ballot Systems
These include both mark sense and digital image scanners where voters manually mark paper ballots that are hand fed into and tabulated with these scanners at the polling location or transferred to and collated at a centralized location.

Direct Recording Electronic (DRE) Systems
These use touchscreen terminals to record the votes, which are stored in the device’s internal memory and then transferred to a centralized location for tabulation. Some of these systems use internal modems for wireless data transmission. Most DREs include a paper receipt or ballot of the voter’s selection, but as many as 15 states have districts that use DREs without paper trail. 

Ballot Marking Devices (BMD) and Systems
These are designed to help disabled voters who might be unable to vote using other methods. Some of these devices include a touchscreen interface with audio and other features similar to DREs.

Punch Card Voting Systems
These require the voter to punch holes in cards using a supplied punch device. Cards are then feed into a computerized vote tabulating device or counted manually in a ballot box. These systems are less common in the U.S.

TIP: You can check what voting options are available to you here: https://verifiedvoting.org/verifier/#mode/navigate/map/ppEquip/mapType/normal/year/2020

DARKNET CHATTER INCLUDES DISCUSSIONS ON ELECTION TECHNOLOGY VULNERABILITIES

While a few states still rely on the manual counting of paper ballots, most lean on a number of ballot tallying technologies manufactured by three principle vendors: Election Systems and Software (ES&S), Dominion Voting, and Hart InterCivic. We have observed darknet chatter around all three of the aforementioned ballot tabulation vendors.

The security and veracity of these election technologies have been widely discussed equally at information security conferences and in underground communities of the darknet. Some technology exploitation demonstrations in the past resulted in big sweeping changes in the technologies employed by some specific states. For example, in 2017 Virginia’s Department of Elections recommended decertifying all of the state’s DRE machines after hackers at DefCon’s Voter Village that summer “pwned” them in record time exploiting numerous vulnerabilities in the systems.

Many DREs include printers that produce a paper trail for election auditing, but there are no options for comparing what is printed on the paper with the voter’s selections and what has been stored in the machine’s attached memory card that is used for the official record. Voters can increase their ownership of their vote by verifying that the information printed on a receipt or paper ballot after using the DRE is accurate before handing it over to the poll workers for official casting.

Texas reportedly had issues in the 2018 midterms with its Hart eSlate voting machines as voters in more than 80 counties reported seeing their choices flip to the other party’s candidate for Senate when they tried to cast a straight ticket. Hart InterCivic responded as user error and touch screen sensitivities. 

A similar issue was experience in NorthHampton County, Pennsylvania when election officials had to move to hand counting paper ballots well into the morning after their ES&S’s ExpressVote XL machines were acting “finicky” and deleting candidate selections.

Hart’s eSlate machines are widely criticized in comments across anonymous discussion forums in the darknet. One anonymous user commented that fraud was completely possible with the machine’s dependence on Microsoft Access databases without encryption or authentication.

A prominent malware developer on the deep web recently suggested that his customized Remote Access Trojans (RATs) could be easily used to infect election systems as they asserted the machines were likely still vulnerable to Remote Code Execution exploits via the Windows LNK files, also known as shortcut files. However, Microsoft released patches for both Windows 7 and Windows 10 operating systems earlier this year, to which DarkOwl assesses election officials and technology vendors would very likely patch their systems accordingly well before the general election, thus the successful use of such a threat is highly improbable.

Users on a darknet hacking forum discuss that antivirus and malware detection software is not usually available on the older DRE systems such as ES&S’s DS850 8000 ballot-per-hour central counting machine. The post author stated how malware infection would require physical access to the machine or a compromised insider to load any malicious software. They also discussed adding an air-gap module to the malware via a “replacement USB” drive to the state’s elections office, including sending the USB using packaging to replicate the voting system manufacture tagged as a “firmware update.” 

As reported at the end of September, someone recently stole two ES&S USB drives and a laptop belonging to an on-site employee for the company from an elections warehouse in East Falls Philadelphia. According to ES&S’s website, their ExpressVote XL machines are shipped with proprietary USB flash drives containing encrypted data signed with FIPS-compliant, security keys to prevent tampering and the possibility of overwrite or change to the system firmware, even if malware is loaded on a replacement USB sent to the officials.

The threat to the security of voting and tabulation machines is exponentially reduced by keeping the devices off of the internet and restricting physical access to trusted employees and election workers. Early system deployment diagrams provided by ES&S (and obtained by Vice) suggested many of their older devices were equipped with an internal modem for communicating results to a centralized communications server at the state board of elections for preliminary dissemination and predictions for media outlets.

These diagrams also suggest they rely on Windows 2008 R2 server and Windows 7, which would have most likely been updated by the 2020 election year.

Kevin Skoglung from the National Election Defense Coalition (NEDC), an election security advocacy group stated they found over 35 voting systems left online across 10 different states for several months. Some of the machines discovered online, likely due to technical maintenance and calibration servicing, were in crucial swing states like Florida and Michigan.

Darknet Exposure of Voter Registration Data and Election Technology Company Credentials

EXPOSED ELECTION VENDOR DATA & THIRD PARTY RISK

All three of the principle ballot tabulation vendors have darknet exposure of corporate credentials, e-mail addresses and passwords, of their employees.

• Exposed ES&S Credentials: 468

• Exposed Dominion Voting Credentials: 94

• Exposed Hart InterCivic Credentials: 218 

Corporate exposure of employee information is often the first step for exploiting a target corporation, via directed spear-phishing and social engineering. Tyler Technologies, a Texas-based software company whose products are used to display state and local election results, has over 2,000 corporate e-mail addresses in DarkOwl Vision’s database as of time of writing. 

While their exposed credentials may not be related to this recent incident, it is worth noting that only a few weeks ago, in late September, Tyler Technologies was hit with RansomExx, a malicious strain of ransomware that began circulating the darknet in late May and early June of this year.

The ransomware, specified as “ransom.exx” in the source code, is distributed through an unsecured RDP configuration, opening a malicious attachment via email, fake updates and downloads, and malicious advertising. Tyler Technologies ended up paying the ransom to recover the encrypted data.

[Pictured] Anonymous users, aka “anons” on a darknet controversial imageboard and safe haven for Q-conspiracy theorists, discussed the Tyler Technologies breach within hours of Reuters’ public announcement of the attack against Tyler Technologies.

One user surmised the attack might have originated within the Q-community while another posted multiple doxes, identifying key management and leadership at the company.

EXPOSED VOTER DATA

U.S. voter registration information has been widely circulated across darknet forums and channels for potentially nefarious purposes. Earlier this year, DarkOwl detected U.S. voter registration databases for the states of Michigan, Florida, North Carolina, and Colorado being shared freely and sometimes sold on popular deep web forums, but this was certainly not the first exposure of U.S. voter registration data on the darknet.

In the leaked police files known as the “BlueLeaks” files, that were released on the darknet earlier this year, official documentation speaks of how state voter registration data could be misused and specifically mentions how a malicious actor could leverage voter names, e-mail addresses, and telephone numbers to connect with new audiences and market personalize advertisements according to their views on specific topics, propensity to vote, and other factors. This information coupled with a foreign adversary’s disinformation campaign could be utilized to register fake social media accounts, seed content, and amplify distribution of content of interest to targeted audiences.

In 2018, a verified user using the pseudonym Omnipotent shared Kansas’ database of 4.1 million voters’ registration data including voter IDs, full names, physical addresses, previous addresses, dates of birth, genders, voter status and voter history. Omnipotent suggested the data was collected by gaining access to the state’s official SSH and SFTP servers and downloaded the data directly.

While most threat actors are less interested in disinformation and would utilize voter registration data for financial gain via identity fraud or scamming, one darknet source suggested that if any state’s SFTP and servers were insecure to the point of file download and SSH access, then there was nothing preventing the voter registration databases from also being altered. By introducing minor errors to key districts, especially in swing states, as little as 1% of the total records, or preventing as few as 1 in 100 voters from voting, due to errors in their recorded registration information, could change a state’s outcome on election day.

Luckily, most states have the option for provisional ballots and any voter registration discrepancies can be resolved with verification of identity. The FBI has validated that some states’ voter registration servers have been infiltrated in recent years, but in a recent advisory suggests that any release of such widely publicly available data has no potential impact to the credibility of the democratic election process. (Source)

Disinformation on Election Credibility likely to persist into media coverage on night of election

While voter registration data can obviously be used to conduct targeted disinformation campaigns, it is important to understand the other vectors with which disinformation can be spread by leveraging other security vulnerabilities described in this report. For example, in the case of Tyler Technologies, actors could potentially take advantage of these known vulnerabilities to intercept early voter reporting data and manipulate it before it reaches the media, which could then lead to unintentional false reporting by the press on which incumbent is in the lead. This could be especially impactful to would-be voters, who may choose not to cast their vote if they think their candidate is leading by a wide enough margin.

It is also worth noting that the attack on Tyler Technologies took place within days of the FBI and its Cybersecurity and Infrastructure Security Agency (CISA) issuing a public warning that they had intelligence indicating that foreign actors would likely spread disinformation the day of and days immediately after the election, specifically regarding the election’s credibility – in an effort to actively undermine the democracy of the country.

Knowing the scale of disinformation-as-a-service offerings available on the darknet the use of proxy media outlets for foreign propaganda information operations and the economies of bulk social media accounts in support of disseminating and controlling a false narrative, it is understandable why the FBI emphasized the importance of using only the most reliable information sources and not sharing and circulating controversial information about the election. 

DarkOwl would add the emphasis of importance of voting early regardless of what preliminary local media outlets may suggest about the projected outcomes of an election. The FBI has released a further advisory on how foreign information proxies, including pseudo-academic online journals may be leveraged to disseminate articles with misleading and unsubstantiated information in order sow disbelief in democratic election process.

Given the depth of political dissent DarkOwl has observed across darknet forums and discussion boards, domestic terrorist groups and conspiracy theorists will also inadvertently support these narratives and further exacerbate discord across the country through social media platforms and large group chats. 

The best way to avoid becoming a victim and pawn in the ongoing psychological, via information, warfare around us is to cast your vote, refuse to engage, disseminate or proliferate any controversial election information on social media; remain calm and unite with those that you may deeply disagree with – remembering the words of Helen “Jo” Cox that “we are far more united and have far more in common than that which divides us.”

REMEDIATION: Security recommendations for voters and election officials 

As we mentioned throughout the report, despite threats to the US election systems discussed on the darknet, there are plenty of steps voters and election officials can and are actively taking to mitigate any risks to the credibility of the election. Voters can proactively take steps to ensure their information is accurate on their voter registration rosters.

Check your voter registration information online ASAP 

• All U.S. voters should confirm the accuracy of their voter registration information before arriving to their local voting sites on election day. If voting in person, bringing photo identification and proof of residence with you to the voting site helps in the case any errors require a provisional ballot. Instructions on how to verify one’s registration information by state can be found at: https://www.usa.gov/confirm-voter-registration 

While ballot tallying and DRE machines are not connected to the internet during active elections on November 3rd, districts across states are actively securing their information networks to prevent any disruption or intrusion. MSSPs such as DarkOwl’s partner, CyberDefenses, LLC, help harden election networks and setup redundant network systems as day-of distributed denial of service (DDoS) attacks have occurred in previous election cycles. They also proactively provide education to election officials and poll workers on best physical and network security practices, help reorganize their networks to the most secure configurations, and conduct information assurance testing of many of state’s election networks across the country.

During conversations with CyberDefenses, LLC, technical leadership advise a top down strategy for the Secretaries of States they support and are less worried about physical network security and more concerned about election credibility disinformation campaigns by foreign and domestic threat actors. Earlier this year, they witnessed a concerted Black SEO campaign, like those advertised on underground forums and marketplaces, where threat actors intentionally buried the official vote411.org domain, a key national-level election information website, using SEO manipulation. Fake domains containing incorrect information, resolving to IP addresses across Russia, appeared ahead of the official website in Google search results until counter-SEO was implemented. BlackSEO and URL hijacking are key tools of many disinformation as a service offerings across the darknet. Domestic terrorists and foreign threat actors are also actively conducting heavy reconnaissance of election networks to uncover potential vulnerabilities that can be leveraged in an election credibility disinformation campaign.

Any risk to the security of voting machines is proactively remediated by many election officials and their technical support in the weeks leading up to the election, on making sure all electronic voting machines have been updated with the latest versions of application software and firmware with minimum exposure to the internet. Election officials, their technical support and on-site machine vendors conduct software updates by bringing small numbers of the machines online to push the installs and immediately taking them offline to reduce the network exposure of the devices.

Election vendor officials are also advised to be suspicious of and verify any and all packages received from device vendors or third-parties, no matter how credible they appear to ensure any mailed USB “firmware updates” are legitimate and not a malicious phishing attempt.

On the day of the election, officials are also advised to place sufficient emergency back-up ballots for all voters in case electronic voting machines break down or behave unpredictably. Officials should also print hard copy back-ups of the electronic poll books in all precincts for any real-time registration or poll book roster manipulation. Many districts also rely on “sneaker-net” the day of the election calling in and hand-carrying ballot tallies to avoid any inadvertent data exposure. 

Consider your voting options depending on where you live

As an individual if you have concerns about the security of your local election systems in use, first, if paper ballots are printed as formal record of your candidate selections, then take time to review what has been recorded carefully after using a DRE machine. Secondly, if you live in one of the few states that only have DREs without paper trails or one of the handful of states that still have some districts with DREs without a paper trail contact your state representatives and insist on a public audit. 

As we introduced in our previous blog post, DarkOwl analysts have observed a now well-established digital economy in the darknet around the trade of social media accounts and its influencers – accounts sold in bulk that could be easily leveraged for a dis- or mis-information campaign by a foreign government or agency with malicious intention.

In this blog, we look at how the darknet is rife with “disinformation as a service” type offerings, and how technology such as blockchain is now being leveraged to persistently disseminate false narratives to the public.

Clarifying the meaning of “disinformation campaigns”

Put simply, a disinformation campaign is a psychological operation to manipulate a target’s perception regarding select topics using strategic methods to disseminate false and half-truths via various media mediums. Usually, these campaigns are multifaceted and comprehensive, using a mix of Social Media account activity and illegitimate news publications in which disinformation can be disguised in a highly sophisticated and believable fashion.

CONSENSUS CRACK DEVELOPMENT

Social media continues to be a powerful tool for conducting disinformation campaigns, especially since access to large quantities of pre-verified, fake social media accounts continue to be readily available for purchase on the darknet. By having agency over large volumes of fake social media accounts, perpetrators are able to facilitate what the historical COINTEL “Gentleman’s Guide to Forum Spies” calls, Consensus Crack Development. This is a disinformation tactic in which agents under the guise of a fake account make claims in a post on social media or forum which appears legitimate, towards some objective truth, but has a generally weak premise without substantive proof to back the claim of the post.

Once content has been posted/stated as truth, alternative fake accounts also under the agent’s control post comments both agreeing and disagreeing, presenting both viewpoints initially, and the dialogue between the fake accounts continue until the intended consensus is solidified.

Disinformation as a Service: a darknet exclusive

The darknet is a known playground for disinformation campaigns and its users are fairly wise to detecting disinformation, especially across anonymous image boards where a number of controversial groups like Qanon participate. One anonymous user on endchan advised, “don’t be fooled by disinformation, they almost always use truth but wrap it in disinformation,” noting the prevalence of outrageous conspiracy theories historically across the internet.

Of more concern is DarkOwl’s discovery of a number of Ukrainian and Russian-speaking disinformation-as-a-service providers across the darknet with a considerable footprint for information-manipulation related offers and discussions.

While most service providers’ advertisements read like a commercial mass media company, specializing in promoting the brand and image of a person or business, these providers solicit customers on cybercrime focused darknet forums, where the skills for online branding and mass marketing are leveraged for malicious intention, such as the demise of competitors’ brand and subsequent reputation.

To illustrate how these disinformation services are structured and advertised, we’ve put together a brief profile for three different vendors who are profiting in this space.

DARKNET VENDOR A: A SAMPLE MENU OF DISINFORMATION AND REPUTATION INFLUENCE OFFERINGS

One noteworthy disinformation-as-a-service provider also markets both reputation promotion and destruction services. English translations of the offerings on their brochure read:

We are offering to erase:

• News

• Pages from websites

• Results from search engines

• YouTube videos

• Negative comments on forums

• Personal information on forums

• Telephone numbers from databases

• Social media profiles (OK.ru, VK, Instagram & others)

We will create positive reputation for a company or identity. We can:

• Create a positive reputation for a company

• Create a positive reputation for individuals

• Improve reputation for search engines such as Yandex & Google

• Provide reputation monitoring across the web

We are offering anti-reputation services for a company or identity. We can:

• Create anti-reputation for a company, service or individual

• Create and post negative content and optimize it for search engines

• Post negative reviews and write negative comments on social media

• Create multiple negative narratives and experiences to legitimize the claims

• We will orchestrate the story (theatre) and can listen to your suggestions regarding anti-reputation

• This type of service is more complex and offered as a package for sale for results (and needed outcome)

We can create disruptions to the daily operations of a company. We can:

• Spam them by flooding them with questions on their site to contact them

• Continuously call the company from various phone lines and speak nonsense

• Every minute from different IP addresses

• Harass via website chat bots -send delivery companies fake addresses

• We will take the company where it started!

DARKNET VENDOR B: A SPECIALIST IN WHATSAPP CAMPAIGNS

Another reputable vendor on a popular Russian underground forum offers targeted customized messaging via WhatsApp, mass social media information management, via credible social media accounts on OK.ru, Facebook and Instagram in bulk, as well as content removal from search engines using targeted critical search engine optimization (SEO).

Their offer describes their automated social media services as a “a network of controlled biorobots that can convey to the masses any information you need.”

In the summer 2018, WhatsApp messages widely circulated in rural Indian communities were the cause of a number of violent mob-lynchings where strangers were attacked and wrongly accused of child kidnappings.  WhatsApp countered the disinformation-sparked violence by limiting the number of times a message could be forwarded and the size of WhatsApp groups. (Source)

DARKNET VENDOR C: A PIONEER IN USING BLOCKCHAIN TECHNOLOGY TO PROPAGATE DISINFORMATION CONTENT ACROSS THE INTERNET

“Information without the possibility of being deleted” - Blockchain is now being leveraged to conduct persistent disinformation campaigns 

Another notable vendor states that they employ a “blockchain-based botnet” to conduct persistent disinformation campaigns. DarkOwl analysts assess that this vendor has been active across many of the key Russian and Ukrainian-speaking darknet forums for several years and in late 2019 debuted a commercial enterprise around their public relation services, listing their partnerships with leading mass media across Russia, CIS, Europe and the USA and political campaigns and elections as some of their specialties.

The vendor, who submits their forum posts primarily in Ukrainian, marketed their blockchain based approach by stating in an advertisement earlier this year that they can offer “information without the possibility of deletion. The vendor further stated that by utilizing their services and executing a disinformation program based on the blockchain, they are able to prevent the deletion of content for either the promotion of a business or the “funeral” of a competitor.

As of early 2020, the vendor offered such services for $500 USD for promotion or $700 for competitor disinformation.

After more targeted conversations and technical research on their approach, DarkOwl’s analysts discovered using the blockchain for on-chain data storage is not-only reliably secure, but potentially turns the blockchain into a politically and architecturally decentralized ‘cloud’ for data preservation and persistence.

Blockchain data storage technology uses the BitTorrent protocol, breaking up the files into individual transactions or 1MB segments for Bitcoin (i.e. blocks) and stores them across multiple instances, preserving the content contained therein as information on the blockchain cannot be modified. Blockchain data storage works best with smaller sized files, as consistent with a modern HTML/CSS website where video files and media may be more cost-prohibitive. For security purposes, the vendor did not specify which blockchain (Bitcoin, Ethereum) they prefer for their disinformation botnet.

A More Subtle and Simple Disinformation Technique: URL hijacking

Aside from content creation and social media manipulation, doxing and disseminating information in mass, DarkOwl’s partner, CyberDefenses, Inc. has recently also uncovered a number of state and local election-related domains where criminals leverage URL hijacking and typo squatting to manipulate the narrative of the original source. Disinformation agents register a fake domain, spelling the domain name similar to the original, often simply swapping an uppercase “I” (pronounced ‘eye’) instead of a lowercase “l” (L), copy and replicate the exact website design color scheme and HTML/CSS layout as the original, but change extremely subtle content, such as a single campaign policy or contact information to misinform and misdirect the malicious website visitors and potential voters for that candidate.

Depending on the efficacy of the malicious copy website’s SEO, the fake domain can sometimes emerge ahead of the original in popular search engine results for related keywords. URL hijacking can cause subtle election interference that can easily go undetected.

Other times, disinformation actors don’t even bother to use the darknet to sell their disinformation-as-a-service offerings. This happens most often in the context of financially-motivated actors who create disinformation or other sensationalist content in order to drive clicks to their ad-supported websites. DarkOwl recently  spoke to cyber threat investigation company Nisos regarding their research into domains created in the North Macedonian town of Veles, which became famous during the 2016 US election cycle for US-focused disinformation created purely for financial motivations.

Nisos found that while there were indeed a number of the more than 1000 active domains created in Veles that still focused on US politics, there were an even greater number hosting sensationalist health-related content, suggesting that health-related disinformation was likely more lucrative than political disinformation. Nisos also uncovered an extensive curriculum offered by an enterprising local web developer that provided detailed training regarding how to monetize such domains and market them on social media platforms.

Nisos’s findings suggest that while the focus on disinformation as an election threat may diminish after the 2020 US election cycle, disinformation actors will probably still deploy the disinformation tactics learned in political campaigns to spread disinformation for financial gain on topics of perennial interest such as health issues, gossip news, and other tabloid topics.

Financially motivated actors will hone tactics and techniques in between election cycles that may fly below the radar of election-focused disinformation watchers. Yet because they are constantly evolving their tactics as a result of the cat-and-mouse game of evading detection by internet companies, these actors may resurface during the next major election cycle using tactics that are unrecognizable to researchers who are accustomed to the 2020 version of disinformation actor tactics. “Pay attention to the ones doing it for money” says Nisos researcher Matt Brock. “There will be a Darwinian selection process that will occur largely below the radar of disinformation researchers currently focused on threats to election integrity, but the tactics of the fittest financially-motivated survivors will likely spread to the next generation of ideologically-motivated disinformation actors in ways that we will miss if we’re not paying attention now.” 

Also on the Darknet: Personal Forensics & Dirt Digging

Given the popularity of doxing services on the darknet, underground forums are also a popular resource for finding help in uncovering dirt on competitors and political candidate rivals. Earlier this month, one anonymous user on a darknet forum, reached out openly in the public thread asking for help “digging up information on people” specifying two US Congressional candidates by name they were interested in. DarkOwl was unable to confirm whether this user’s request for assistance was satiated.

Election Disinformation Warnings Prominent

The U.S. government and its intelligence community of agencies publicly acknowledge the active dissemination of, and subsequent impacts caused by sharing, misleading information up until the election date and the days immediately thereafter. In recent weeks, both the CIA and FBI have published warnings in relation to foreign actors spreading disinformation around the imminent 2020 Presidential Election with the intention to discredit the elections’ legitimacy warning the public on sharing online content across social media networks. (Source)

Anonymous networks with digital markets, forums, and image boards, facilitate the spread of such misinformation as apparent with the volume of tools and services on offer, and the number of criminal actors prominent in these sinister underground communities. In 2018, an internal, for-official-use-only, article prepared by the Department of Homeland Security that was subsequently leaked on the darknet indicated that the US government has been fully aware of customizable tools available for sale on the dark web that could “enhance a malign influence operation aimed at interfering with the 2018 US midterm elections by creating a seemingly legitimate and professionally made graphics displaying falsified election results.”

DarkOwl’s Vision system successfully captured the 2018 advertisement, submitted by an anonymous user of the darknet forum with over 10 years forum experience, along with the product’s description detailing the broadcast. Similar offers for Election Night 2020 templates have been spotted, but their proliferation has not been ascertained.

(English Translation of original post)

"Election Night 2018" is a fully customizable template that contains everything you need to create a great, bright video dedicated to the election. "Election Night 2018" is incredibly easy to set up, so you can create a professional broadcast show in a very short time, regardless of whether you are creating a show for the presidential election or Federal and regional.” 

– Source, DarkOwl Vision: be1fe1114d27b9ab9fd262ca43e4dcf0

Earlier in 2020, the U.S. State Department utilized its “Rewards for Justice” program to solicit any tips from residents of known Eastern-block countries (Russia, Ukraine, Belarus) that could potentially assist authorities prevent possible digital election interference.

Russian-speaking users on a darknet forum, popular for cyber-crime coordination and malware trading, discussed the U.S. diplomats’ targeted request for information in detail, stating it was sent via bulk SMS text-message to residents of Saratov, Krasnodar, Vladivostok, Ulyanovsk, Chelyabinsk, Perm and Tyumen in Russia. One user suggested they should absurdly exploit the program by hiring a random homeless person to pretend to be a KGB or Fancy Bear sponsored hacker, equipping them with a laptop with hacker-like toolkits installed and signs with potential information the department would pay for.

A New Age of Disinformation: State Sponsored Propaganda to Conspiracy Theories

The concept of information operations via state-sponsored propaganda campaigns is hardly novel, but the lack of internet moderation and a mass transition into social media and digital dependent age, especially over the last two decades, has amplified the proliferation of disinformation in mass, especially as related to particular geo-political agendas and mass social ideology construction. Society’s lack of media literacy and critical thinking skills outside one’s personal area of expertise compounds the complexities of navigating the seas of digital propaganda.

In August, the U.S. Department of State Global Engagement Center (GEC) issued a Special Report outlining the Pillars of Russia’s Disinformation and Propaganda Ecosystem that details the complex information network of official government communications, state-funded global messaging, proxy resources, weaponized social media and cyber-enabled disinformation used by the Russian government in its global information operations campaigns.

Notably, the U.S. State Department report highlighted forgeries and cloned websites (URL hijacking) – consistent with DarkOwl and CyberDefenses’ observed research – as key cyber-enabled disinformation methods used by the Russian government.

 A key take-away from their report is how a multi-faceted information ecosystem “allows for the introduction of numerous variations of the same false narratives” an approach consistent with the saying “Repeat a lie often enough and it becomes the truth“, assessed as the principle law of propaganda historically attributed to Nazi Germany’s Minister of Propaganda, Joseph Goebbels. This was witnessed most recently with the height of the COVID-19 pandemic where at least four global, “independent” news outlets: Global Research, SouthFront, New Eastern Outlook, and Strategic Culture Foundation – assessed by the GEC as “Kremlin-aligned disinformation proxies” – circulated hundreds of articles stating COVID-19 was a U.S. sponsored bio-weapon deployed against China, including defamation of Bill Gates and the CIA’s involvement. The proxies’ website and social media reach was reported considerable, with the “Canadian” Global Research outlet averaging over 350,000 readers per article during a three month period in early 2020.

Seeing how disinformation campaigns control the narrative by spreading lies across social media and sometimes even trusted internet news outlets, along with our discovery of the prevalence of sophisticated disinformation-as-a-service providers portends that mere content removal to mitigate a disinformation campaign, especially outside of a social media platform, will quickly no longer become an available option. Blockchain-based biorobots and artificial intelligence operating out of Russia and eastern-Europe are just the latest cyber soldiers of the global psychological war of the information age.

For the last two years, U.S. voter registration information has been widely circulated across darknet forums and channels for potentially nefarious purposes. Earlier this year, DarkOwl detected U.S. voter registration databases for the states of Michigan, Florida, North Carolina, and Colorado being shared freely. Some databases are packaged in sets of key states and sold on popular deep web forums and marketplaces by popular darknet vendors such as GoldApple.

This is certainly not the first exposure of U.S. voter registration data on the darknet en mass:

• In December 2015, millions of personal voters’ information was exposed on the darknet, when security researcher Chris Vickery and databreaches.net discovered over 191 million U.S. voters’ data available after a marketing firm supporting one of the political campaigns had a mis-configured database. The owner of the database was never identified. (Source)

• In summer 2017, another 198 million voters’ information was exposed after researchers discovered an unprotected AWS S3 bucket containing the voter rosters. The voter information had been archived by Deep Root Analytics, TargetPoint Consulting, Inc., and Data Trust, three data mining companies supporting the Republican Party. Rosters of statewide voter data are made readily available to political campaigns and their marketing affiliates for free for targeted campaigning and canvasing. The value of such databases, especially one containing hundreds of millions of U.S. voters’ personal data would be worth several hundred thousand dollars to darknet cyber criminals who could leverage the information for traditional financial cyber crime.

Interestingly, just earlier this month another darknet user also shared a database containing the personal information for millions of political contributors and donors on a popular hacking forum. The information in the database included the full name of the donor, physical address, age, phone number, income, gender and donor type. The user did not specify which campaign this data was stolen from. The post was removed by forum moderators as other users suggested the author was a “criminal hacker” and this data was acquired through malicious intrusions of a political database. The post did not specify where the information originated or which campaign it was from.

In the meantime, DarkOwl analysts have witnessed several conversations on popular right-wing leaning deep web discussion boards regarding the domain: http://donaldtrump.watch. Anonymous users and supporters of Trump stated the domain was active and contained personally identifiable information of the President and GOP financial contributors. WHOIS domain history has a redacted owner for privacy and suggests a 2018 creation date; archives of the website from late 2019, suggested it was created in response to the President’s Impeachment and is simply a “Donor locator map for the impeached Chief Executive Donald J. Trump. – Data Provided by the FEC.gov.” The Federal Election Commission does record all contributions made to any candidate, campaign contributions are not private, and the data held by the FEC can be requested typically for marketing and canvasing use.

The website is setup with an alphabetized address and name search capability indentifying contributors by name, their address, the specific dollar amount of their donations, and last donation date. There are numerous postive and negative comments about the Trump donor website across deep web and darknet discussion groups. Some commented on their neighbor’s donations.

Huh, two of the neighbors I like each donated about a grand to Trump. I didn't take either of them for Trump supporters. One guy in my neighborhood is unusually enthusiastic, it would seem.

Many users stated the information on the website was false, incorrect or dated back in 2016, while other users confirmed their families’ information was correct on the website and expressed concern about potential property damage. Analysis of the donations suggests the information is accurate up through August 31, 2020.

Regardless of exactly when the website appeared and the motive behind its author’s, the website information could be used to target, intimidate and frighten Trump supporters similarly to how earlier this month the FBI announced attribution to Iran for an email campaign sent to non-Trump supporters in Florida, threatening them to vote for Trump and signed by the controversial right-wing extremist group, The Proud Boys.

The BlueLeaks files, released earlier this year and containing files from hundreds of police departments, speak of how state voter registration data could be misused and specifically mentions how a malicious actor could leverage voter names, e-mail addresses, and telephone numbers to connect with new audiences and market personalize advertisements according to their views on specific topics, propensity to vote, and other factors. This information coupled with a foreign adversary’s disinformation campaign could be utilized to register fake social media accounts, seed content, and amplify distribution of content of interest to targeted audiences. [READ MORE]

Underground markets of the darknet provide an extensive inventory of illegal goods for sale, including drugs, weapons, hackers and assassins for hire. Also commonly found in darknet marketplaces are a variety of “digital goods,” most notably log-in access credentials for social media accounts across a multitude of sectors. One can as easily purchase credentials for Amazon Prime accounts as they can the credentials of a PayPal account, or an iTunes account that belonged to a previous owner.

What DarkOwl analyst observed as decidedly more prevalent this year is the increase in the existence of completely falsified social media accounts, the creation of which entails posting content to them regularly, generating likes/followers/credibility based on strategic activity, enlisting tools such as SMS verification services to standard bypass security measures, and then selling these powerful “ready-to-go” accounts to eager would-be buyers on the darknet.

After witnessing a surge in the number of fake, pre-packaged social media accounts being advertised for sale over the last year, we took a closer look and found that the demand for these types of accounts has shaped into a sophisticated market, giving individuals with potentially malicious intentions the tools they need to not only obtain social media accounts, but also to leverage them for persistent disinformation campaigns.

Before these purchased accounts can be used to spread and influence others, however, there are a number of hurdles that criminals must cross first: including obtaining accounts that appear to be genuine (i.e. have a history of regular posts and photos), have sufficient clout (i.e. have a number of followers), and navigate security challenges such as two-factor authentication requirements.

Bulk accounts for sale 

The economy of fake, compromised, or otherwise manipulated social media accounts is a booming business. Traditionally, these compromised credentials belong to an unwitting former account holder whose password got in the hands of the wrong individual. 

However, our analysts have recently noticed a surge in an equally if not now more prevalent type of social media darknet marketplace listing. These are that of curated social media accounts that have been created expressly for the purpose of being sold in the future.

The result is another niche economy in which both “fresh” (newly created) and “aged” (accounts with pre-generated followers, or similar) social media accounts are available for purchase across a variety of forums and marketplaces on the darknet.

In taking a closer look at what these listings have in common, we were able to conclude that the demand and price for some social media accounts is closely related to the perceived level of influence and social media platform popularity.

Key takeaways from our observations:

• Of all the social media platform account information listed for sale, YouTube accounts seem to be the most popular overall

• Reddit accounts are also in high demand and are priced based on the amount of Reddit ‘karma’ the account comes with – with some listings advertising accounts with over 50,000 karma points

• In one case, we observed a Russia-based supplier advertising over 30,000 accounts for sale across Facebook and Twitter alone

• In addition to fake accounts created with the aim of selling to the highest bidder – who is then to free to use it to their own accord, a number of darknet vendors continue to offer “combo-lists” (usernames and password combinations) of hacked or leaked account data, many of which were likely retrieved via reused passwords that were compromised in another commercial data breach

• Facebook and TikTok accounts tend to cost the most across most social media account brokers, followed closely behind by LinkedIn, Reddit, and Instagram

• In addition to social media platforms, we also observed vendors selling Gmail accounts, which notably require security measures such as two-factor authentication (2FA)

2FA measures have Created Demand for “Phone Verified Accounts”

Due to the onset of 2FA requirements across multiple platforms, the digital economy of social media accounts has had to adapt. Now, instead of just selling usernames and credentials, vendors are advertising Phone Verified Accounts (PVAs), or accounts that have already been formally associated with a phone number and unique IP address.

For example, if someone were to log into their Gmail account from their personal computer in their home, they will likely be required to allow Gmail to text them a log-in code, which they then enter back into their Gmail account to gain access. In doing so, Gmail then has confirmed this individual’s phone number and IP address, and their account is thereby Phone Verified. Notably, this process requires a mobile device or some other means by which to receive a SMS text.

Google began employing phone verification requirements for account registration as early as 2015. Also in 2015, Facebook began encouraging its users to associate a phone number with their account, and in 2019 made verification via SMS a requirement for all new registrants. Now, both Instagram and Facebook also employ phone verification via SMS with new account registrations and will often block accounts setup using virtual or privatized IP addresses or if accounts are created on the same IP address within a short period of time.

These continued increases in security measures have driven the demand for phone-verified social media accounts, which don’t come cheap. We have steadily observed darknet forum users offering account verification services for accounts created in the USA, UK and China on Facebook, Telegram, Instagram, Gmail and others.

One such current listing offers “High Quality Facebook Marketplace Accounts” for sale. Each account comes with:

– Anywhere between 2 to 9 years of daily activity

– Over 1,000 friends/followers

– An associated email address

– An associated Facebook password

– 10 backup 2FA codes

– The date of birth needed for account verification and/or recovery.

The phone verification account market has been thriving since these platforms instilled such security protocols, even outside of the darknet. Examples of such vendors include:

• On the surface web, PVACreator (pvacreator.com) provides PVA accounts for a variety of platforms and the one-time, single use account price ranges from $62 to $348 USD depending on the platform. Users of their service can sign-up for unlimited accounts across all the sites they have access for $1200.

• Rental property management software, Hemlane is the most expensive website PVAs are available for, while most run on average $100 USD each. 

• On a popular deep web forum, one user offered access to a SaaS-like platform called, GramCreator for creating Instagram PVAs in mass for a flat fee. GramCreator’s marketing material highlights their ability to protect their users interest and evade detection by Instagram.

Because an SMS service is necessary to create a PVA, the widespread marketing of PVAs has subsequently driven the demand for SMS services, which we are increasingly seeing on offer across the darknet.

Traditionally, SMS services have been employed by scammers and phishing-focused cybercriminals, who will then spam mobile phones with targeted, malicious phone calls and texts. In doing so, they are then able to siphon users personal information and/or compromise their mobile device or home network when connected to wi-fi. 

Now, SMS services enable entrepreneurs in the social media account economy to combine social media account credentials with new, unique SMS-enabled phone numbers that have been pre-associated with the credentials, thereby allowing any purchaser of these pre-made social profiles to bypass 2FA challenges.

Bots are also in high demand

In looking at the vendors in this space, we also observed that the digital economy for social media bots is thriving. For example, on the underground market OpenBazaar, a number of vendors sell Instagram and YouTube promotion bots to increase a fresh social media account’s views and likes.

Other offers guarantee to “drive over 10,000++ of real, genuine human traffic” from search engine and social networking sites in 100 days for as little as $5 USD.

Not only that, but bot services appear to be getting more sophisticated and have evolved to be more persistent. On Telegram, some developers offer exclusive access to their automatic traffic generator programs for website and social media platforms. 

Other, older darknet market solicitations advertise social media bots that can auto-generate 400 to 600 likes per hour.  The longevity of these auto-generated likes and followers is uncertain. Adding to the notion that they may not be reliable is the case of one darknet forum user, who recently posted that all 100 Instagram followers that they had purchased from a similar service had disappeared after a single week. Comments on the thread from other social media bot providers stated if they used their service, they would refund a significant percentage of the purchase price if the follower left.

On a popular Russian criminal darknet forum, members also discuss the employment of social media crawlers such as Saveogram to crawl and harvest content from the real Instagram accounts of influencers, which they then used as a template to recreate and modify messages in accordance with their larger disinformation goals. Earlier this year, TikTok deleted Kendall Jenner’s verified account after it turned out the account was fake. The fake account gained over half a million followers in less than 2hrs of the account creation.

Impact of the “pre-packaged” social media account engine

In the last decade the proliferation of social media applications from Facebook and Twitter to now controversial TikTok, is rampant with one or more applications on nearly every adult’s smartphone, connecting people around the world through follows, likes, and retweets. Keeping abreast of current news via social media is increasingly popular. In late 2019, a Pew Center research study concluded that 55% of adults in the US rely on social media to get their news, while a follow-up study conducted from October 2019 through July 2020 indicates that nearly one in five US-based adults receive political and election related coverage exclusively via social media. Facebook, Twitter and Reddit lead the platforms with the most news-centric userbase.

Users acknowledge the impact of false and misleading information on these sites. In 2016 and the months leading up to the US Presidential Election, social media was flooded with false political advertisements assessed by the Special Counsel’s Investigation to be mostly engineered by agents of the Russian Government. While we understand that nation-state governments actively conduct disinformation campaigns, spreading the propaganda of their choosing in increasingly creative and cunning means, the disinformation methods of government intelligence agencies are now readily available to those needing such services commercially on the darknet.

In this initial report, we focused on how fraudulent social media accounts are traded and sold on the darknet. Stay tuned for our follow-up pieces that will detail how these accounts are leveraged to execute disinformation content campaigns, and what potential impacts this underground economy will have on the upcoming US-elections.

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

UpShop Market

UpShop is a small darknet marketplace that specializes in the sale of stolen or compromised digital accounts. These listings advertise account credentials for Microsoft accounts, Wells Fargo accounts, iTunes accounts, and many others. They also have a section dedicated entirely towards the sale of stolen (or potentially fraudulent) identities, with each advertised item consisting of a Social Security Number and its corresponding City, State, and Zip code.

Since its opening back in mid-December 2017, the market has been casually promoted across several Russian and English-speaking deep web criminal forums, including, XSS, Dedik, WWH-Club, Gerki, Beznal, and Club2CRD.

The administrator/s of UpShop have been relatively quiet this past summer and into this fall, and have not publicly posted market update since early-May, 2020. Nevertheless, at the time of this posting business at the underground market appears to be continuing as usual.

The price of stolen accounts on UpShop

Over the course of our most recent observations, DarkOwl researchers noted that there were 3,121 stolen accounts being advertised for sale. This is up from the 2,981 that we noted as the total number of listings earlier this summer. Whether UpShop will continue to follow this trajectory has yet to be determined, but as we mentioned earlier, the underground business does seem to be fully operational at this time.

Other findings include:

• The average price of one stolen account on UpShop market is $6.33 USD.

• The stolen accounts are associated with 40+ different merchants, who seem to primarily be retail merchants like Target and Khol’s.

• Sam’s Club and Walmart accounts make up 46.46% of the total number of stolen accounts advertised for sale.

• The price of one stolen Sam’s Club account ranges between $2.50 USD to $5.00 USD, while the price of one stolen Walmart account ranges between $5.00 USD to $6.00 USD.

• The price of each listing is largely determined by the amount of personally identifiable and financial information fixed to each account.

•  Additional Market Observations and Related Findings:

• The staff members of UpShop have been tied to several usernames including, upshop33 – which appears to be their main moniker – as well as malkincheff, and ElskChief.

• Only 5 vendors total are responsible for trafficking all of the stolen account data into the market, including, Like_a_Boss, BestStuff, romulan, applewarrior and drobdead. 

• UpShop has a built-in identity theft store. At the time of this writing, 10 identities are advertised for sale. The average price of one stolen (or potentially fraudulent) identity is $0.30 USD, which is rather low in comparison to prices across other identity theft stores we’ve observed on the darknet.  

• UpShop also has a built-in email-flooding service, a service whereby a cybercriminals can send a large volume of spam to a target’s email address, crippling their ability to manage their inbox. The price of each ‘flood’ is determined by the volume of emails sent to the victim’s email address.

 Thanks for reading this edition of our Darknet Marketplace Snapshot Series! Subscribe to our blog on our blog homepage to be notified whenever we publish a new piece.

In our new Darknet Marketplace Snapshot blog series, DarkOwl researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

This marketplace is engaging in blatant copyright infringement 

The most notable characteristic of the darknet marketplace Amazin is that the administrator is committing outright copyright infringement by unlawfully using Amazon’s intellectual property in their branding. In addition to cloning Amazon’s official logo and replacing the “o” with an “i,” (Amazon -> Amazin), the administrator of Amazin Market has also poached other branding characteristics from Amazon’s official website.

For example, the marketplace admin has laid the cloned spin-off logo on top of the exact same quintessential charcoal color that Amazon features on its website. The admin has also situated a white shopping cart in the top-right hand corner of the market, much like Amazon’s actual interface.

Amazin Market has a relatively intuitive user interface and customer support system, that continues to mirror Amazon’s both visually and navigationally. The market also heralds a robust vendor rating and review system. Referred to as a supplier rating, it measures the performance of darknet vendors on Amazin Market on an ongoing basis, as well as provides buyers on Amazin Market with the opportunity to make better purchasing decisions.

A look at what’s for sale

While Amazin market may look like Amazon from a visual perspective, the merchandise one can find being sold there is a major departure from the kitchenware and back-to-school supplies you’ll find on Amazon. Instead, Amazin market carries exclusively illicit supplies, such as hacked accounts and e-gift card codes.

Amazin Market appears to principally feature financial-related goods and services. Vendors on Amazin Market are currently advertising for sale hacked Amazon, JPMorgan and PayPal accounts, as well as compromised iTunes, Amazon, Google Play and GameStop e-gift card codes, sometimes 70-80% off face value.

In addition to hijacked accounts and e-gift card codes, vendors on Amazin Market are also advertising for sale money laundering services using PayPal, Payoneer and Western Union.

Of significance, DarkOwl discovered that one vendor is responsible for trafficking all of the stolen payment card information through Amazin Market. Known as ‘HQDumps,’ the vendor is selling ‘dumps,’ hacker-slang for stolen payment card information that can be used to conduct in-store card fraud.

After reviewing and analyzing all of HQDumps’s listings, DarkOwl was able to determine that HQDumps is currently selling financial details that belong to victims that reside around the world, particularly in the United States, Europe, Australia and Asia.

Key things to know about Amazin Market

7 vendors currently operate on Amazin Market. The names of those vendors include, amazin, JPMorgan, RedBull, Babo, Patron, Joker and HQDumps. After reviewing all of HQDumps’s vendor reviews on Amazin Market, DarkOwl uncovered that HQDumps used to be a vendor on the Silk Road. It remains unknown what version of the Silk Road HQDumps was affiliated with, whether the original or post-Ulbricht versions.

DarkOwl also found that HQDumps used to be a member of the “MasterGroupOfSpam,” a Telegram Channel inhabited by 9,700+ cybercriminals involved in various criminal activities, primarily hacking and card fraud. It is important to note that HQDumps has not operated on Telegram (HQ DUMPS @ HQDUMPS) since late May.

Differentiating itself from other darknet markets, such as Infinity Market, Amazin Market does not reveal the precise number of stolen goods that each and every vendor is advertising. This feature may have been implemented in an effort to better protect Amazin Market’s vendors, as law enforcement agencies have been known to prioritize vendors by the sheer volume of illicit goods that they are individually offering.

Contrary to other darknet markets, Amazin Market only supports Bitcoin as a means of payment. At this time, DarkOwl has not observed any darknet forum chatter or related scrutiny related to this payment limitation. 

Amazin Market, like so many other markets on the darknet, has an escrow system. Escrow systems serve as third party vehicles that hold funds until both sides of the transaction have been completed. It’s an important feature as it acts as a way to protect both buyer and vendors from getting scammed.

DarkOwl analysts noticed that Amazin Market is listed on Tor66, a darknet search engine on the Tor Network that advertises many known scam services. Interestingly, Amazin Market is also listed as a ‘scam market’ on Dark Web Magazine’s dark web scam list. These findings support why the admin has had a difficult time gaining traction amidst the criminal underground, even with a darknet marketing incentive of $30 USD (as pictured below).

Who is behind Amazin market?

DarkOwl discovered a darknet market known as MoneyPlus with the same source code, vendor community and user-interface as Amazin Market. DarkOwl uncovered that the administrator of MoneyPlus (additional and possible alias Amazin) can be reached via email at [email protected]. At this time, DarkOwl does not have definitive evidence whether Amazin Market and MoneyPlus Market are affiliated, and whether both markets are run by the same administrator.

Additional research efforts revealed that Amazin Market has a dual presence on the deep web (hxxps://amazin.to and hxxps://amazin.biz). After running a WHOIS and IP Geo lookup around both domains, the first domain was found to be registered on March 28, 2014. The domain was also found to be protected by Cloudflare and linked to the IP address of 104.31.81.229, a server located in Manila, Philippines. The second domain was found to be registered on December 17, 2012. In contrast, the domain was not found to be protected by Cloudflare, and is linked to the IP address of 192.64.119.87, a server located in Los Angeles, CA.

As such, the actual location of the marketplace’s servers, as well as the identity of the marketplace’s administrator, remain unclear.

Thanks for reading this edition of our Darknet Marketplace Snapshot Series! Subscribe to our blog on our blog homepage to be notified whenever we publish a new piece.

In a time when society is more reliant than ever on personal food delivery and shopping services such as Seamless and Instacart, darknet criminals also have increased their reliance on exploiting these applications for continued financial gain.

The potential for fraudulent activity includes purchasing goods with hacked accounts on these services, abusing the vendor’s refund policy, and even more advanced techniques such as API traffic interception for malicious injection or targeted data manipulation.

DarkOwl has observed an increase in the prevalence of food delivery and personal shopping service accounts on offer across a number of darknet marketplaces.

DarkOwl confirmed an increase in food delivery service provider mentions in not only major darknet marketplaces but also in criminal carding forums and illicit digital good trades on anonymous websites. Of the vendors we looked at, Seamless and Caviar appear to have the most remarkable increase in the number of documents in DarkOwl Vision mentioning compromised accounts, with Instacart, Uber Eats, Just Eat, and DoorDash close behind.

To conduct our analysis, we looked for instances of each food delivery service provider appearing in our database of darknet documents (Vision), from year to year. Vision is comprised of content scraped directly from pages on the darknet, such as pages on Tor. As per the graph below, we are then able to see how many mentions there were of each company in our database to estimate what percentage of darknet pages mentioned these companies during that time.

For example, of all the pages of darknet content DarkOwl has collected that mention DoorDash or DoorDash accounts to-date, 33% of page results were observed on the darknet in 2019 and 67% were from 2020. This is also notable insofar as it indicates that DarkOwl did not observe DoorDash accounts appearing on the darknet until 2019, so they are evidently a new and increasingly popular target.

Our analysts also note that the 2020 data included in this analysis is only through the end of July, meaning that many of these vendors will likely surpass (or continue to surpass) their 2019 numbers by an even greater extent by year’s end. Interestingly, DarkOwl also observed PostMates and UK-based Deliveroo food delivery services mentioned in fraud-focused conversations on criminal forums but in less volume than in 2019.

Across the board, using DarkOwl Vision, we saw an average 230% increase in darknet mentions of most of the major food delivery and personal shopping providers between last year and this year.

Examples of Compromised Accounts Being Advertised

On the darknet marketplace Infinity Market alone, DarkOwl discovered 8 different vendors selling a mix of hacked mainstream food delivery service accounts, including, DoorDash, Grubhub and Caviar. The average price ranges from $1.50 to $10 USD per account and successful use depends on the user not recently changing their password, as is often the case, rendering the account useless.  The value of the accounts is determined by a number of factors including the ‘freshness’ of the account and the number of completed orders fixed to the account, as well as and most importantly, the volume of personally identifiable and financial information attached.

In mid-June, a new user on Raid Forums posted numerous DoorDash email addresses and passwords along with their account balances free for criminal use. With the account login credentials and an account with a saved credit card on file, the cybercriminal can easily change the delivery address and use the account to purchase food for delivery fraudulently.

Instacart accounts are regularly traded and sold on darknet marketplaces. On White House Market, a vendor using the moniker, drhack3r is offering Canadian-based Instacart shopping accounts for as little as $9 USD (pictured).

According to reporting from late July, some 278,531 Instacart consumer grocery shopping accounts were found to be for sale on the darknet, for as little as $2 per account. The information includes the customer name, email address, the last four digits of their credit cards, the order history for the account, and some other shopping-related data. The validity of the account information has been verified by two Instacart customers whose details are up for sale, and this information is not old.

DarkOwl has been unable to confirm the Instacart offer for the volume of Instacart accounts available and Instacart denied a breach of their systems occurred. Instacart stated that the account data was likely generated as a result of credential stuffing using previously compromised information publicly available.

One Way Criminals Make Money From These Accounts: Refund Policy Fraud

Underground cybercriminals have also uncovered ways to bypass most of the major food delivery service’s refund policies and now offer step-by-step instructions for single, one-time use or the opportunity to use third-party anonymous accounts for executing the order and the refund, while skimming either a flat rate or a percentage of the refund as commission for facilitating the refund fraud.

Refund brokers who charge a flat rate for orders up to a certain value, likely operate a larger criminal enterprise, whereas others charging upwards of 45% per transaction, suggests they rely on issuing a fewer number of refunds with higher profit margin. 

In May, Instacart refunds for upwards of $700 USD, along with Uber Eats for $200 and Shipt for $500, were offered for sale by a user known as @DDsRefundVouches on the popular chat application Telegram.

Frauding refund policies presents an opportunity to resale the credit as gift cards, a popular money laundering currency on the darknet and deep web.

Food Delivery Account Vulnerability: API Cracking & Shopping Bots

Some more advanced hackers are more interested in the technology to exploit these personal services and many have expressed interest in the underlying API for traffic interception. This would give the criminal access to the customer’s personally identifiable information such as name, address, e-mail address and payment information.

A user on a hacker forum expressed interest in “cracking” the Just Eat food delivery service in the UK and the forum community offered a number of solutions depending on whether the purpose is to order for free or steal refund. One user “BigLad465” found a Deliveroo (another UK-based food delivery service) exploit that could capture a customer’s credit card for as little as £35 ($45 USD) for use on future food deliveries on another account or using the compromised account to request refunds on previous orders.

Grocery shopping services like Instacart and Delivery.com are equally at risk for this type of criminal behavior. In late April, an anonymous user pasted the Javascript source code to automate the creation of Instacart accounts. The purpose of creating mass-volume of Instacart accounts was not identified in the post, but the username associated with the post is “ddanhviet” who has posted numerous scripts related to online shopping, product recommendations and user reviews including Home Depot and Tmall, a Chinese-based online shopping website.

Many of the app-interception and manipulation discussions sit on the Surface Web in websites such as Reddit and in social media. In early June, a Reddit user asked specifically about the Instacart API, looking to intercept traffic between Instacart servers and the shopper API. Some of the comments included Charlesproxy and Wireshark as potential solutions. Another Reddit thread from May talked of Instacart bots from a supplier known as HaxEdge Solutions to steal large-value batches.

The HaxEdge Solutions website discusses how they are able to conduct e-mail monitoring, social media hacking, expunge criminal records, and recover lost money due to scams. Despite their morally questionable services offered, HaxEdge does not have a noteworthy darknet footprint in DarkOwl Vision.

In recent months, there has been a surge in Instacart related batch-stealer apps and many have come and gone, sometimes using slightly varied titles, such as Ninja Hours, Ninja Shoppers and Ninja Shopper. DarkOwl discovered nearly a dozen active platforms in mid-May advertising openly on YouTube and social media platforms. Contact information for these apps links them to users spanning the U.S., including New York, Savannah, Georgia and Northern California.

Detailed tutorials on how to use the third-party bots and batch stealers are available across a variety of YouTube channels for the apps. In the case of Ninja Shoppers, which was recently covered by Bloomberg News, the app is free to download, but users must be ‘’activated in a private group” in order to be granted permission to pay for a user authentication token. Once logged-in, the program prompts the user to find Instacart orders available near their location, according to a YouTube video viewed more than 13,000 times in the past three months.

Identifying one criminal exploiting food delivery accounts: Ninja Shopper

Ninja Shopper is one of the most prominent and popular Instacart order (batch) stealing programs available on the market. The app developer accepts Bitcoin and Zelle payments and sales for as little as $600 USD with a phone number located in the New York area.

With minimal OSINT investigating, DarkOwl analysts uncovered an application in a GitHub repo with a similar name originated two years ago called “batchgrab” from a Brazilian programmer, using the moniker, felix b1scoito. Other repositories in his GitHub include auto-clickers, e-mail spammers, and DDoS tools.

The moniker “b1scoito” has a large darknet presences across major deep and dark web hacking forums. They previously talked of intercepting the Netflix API and demonstrates proficiency in a number of key programming languages. Using other digital fingerprints revealed through pivoting with DarkOwl Vision, analysts found links to a programmer on a YouTube channel that included a Portuguese-speaking tutorial on AdvancedBots only a couple of months ago, an inactive Twitter account and Surface Web URL with numerous references to the b1scoito alias.

Ninja Shopper is not the only Portuguese-speaking bot on the market. Others such as Robô Instacart had a short lifespan on YouTube and Reddit in late May (shown below).

As outlined in the recent article published by Bloomberg, their journalists connected with an Instacart bot-seller that DarkOwl discovered by phone in late July and the man spoke first in Portuguese and then in English, confirming to them he was selling a bot for those amounts. He declined to answer additional questions after learning that the information would likely be publicized.

Potential Impacts to Account Holders

Food delivery services with mobile-phone apps are in widespread use. For example, according to a survey conducted by U.S. Foods back in mid-2019, survey data indicated that they average person has at least two food delivery apps and uses them upwards of three times per month. Furthermore, one could reasonably expect that usage has increased even more in 2020 with local restaurants dining rooms shutdown and country-wide quarantines due to COVID-19.

It is reasonable that criminals will continue to exploit these accounts in the future, beyond simple account hijacking or scamming vendor refunds. Further potential impacts include:

• Access to PII (Personally Identifiable Information) could be exploited and used to make fraudulent purchases. (i.e. hackers with access could access your credit card info, home address and other addresses you’ve ordered from, etc.) 

• Information gleaned from your account could be used for highly targeted phishing attacks. (i.e. hackers could send an email appearing to come from a restaurant you frequent using detailed information from your order to execute a phishing attack.) 

• Free Food! We have observed interactions on the darknet of individuals discussing how they’ve simply usurped an account to order food for themselves and others.

In light of this knowledge, heightened personal security would be to never reuse passwords that might already have been compromised nor save personal credit card information on commercial accounts such as this. We also advise that users of these services take heightened caution when opening and clicking on links in emails purportedly coming from these services, as they may be phishing attempts.

In our new Darknet Marketplace Snapshot blog series, DarkOwl researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 

First up is Infinity Market – but don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

Vendors Continue to Gravitate Towards Infinity Market

Infinity Market is capturing the attention of more and more vendors. Since early May of 2020 alone, DarkOwl has witnessed an astonishing 76.92% increase in vendor registration volume.

The statistic does not come as a surprise to DarkOwl, as vendors have quickly recognized that Infinity Market mirrors a criminal nexus, rather than a traditional darknet market, differentiating itself by standing up both a built-in card shop and botnet log store.

Another reason that vendors continue to turn to Infinity Market is because the market has a growing presence on the deep web. It is evident that the administrators of Infinity have allocated a significant amount of time and investment into marketing directives.

At the time of this writing, DarkOwl uncovered that Infinity Market has a promotional presence across several mid and top-tier Russian and English-speaking deep web criminal forums. Most notably, Raid, Club2CRD, Breach, Pro Crd, Fraudster Crew, WWH-Club, and Cracked.

Establishing more trust with vendors, the administrators of Infinity have promised to protect their real-world identities by not collecting, storing and sharing any of their profile data and related market activities with ‘third-parties.’

The admins have also ensured vendors that their market infrastructure and messaging channels are protected with AES 256 level encryption (as pictured below).

Key things to know about Infinity Market

• Since the pandemic, compromised food delivery service accounts have been one of the hottest commodities on Infinity Market. Particularly Grubhub and DoorDash accounts. The price of a compromised DoorDash account, at the time of this writing, was $2 to $5 USD, the prices largely determined by the ‘freshness’ of the compromised account and the volume of personally identifiable information attached.      

• A user’s rank in Infinity Market is determined by spending history.

  • Lite – $0 – $1,000 USD

  • Silver – $1,000 – $3,000 USD

  • Gold – $3,000 – $6,000 USD

  • Prime – $6,000 – $10,000 USD

  • Infinity – $10,000+ USD

• Contrary to other darknet markets, Infinity Market only supports Bitcoin as a means of payment. Drawing skepticism, the market does not allow vendors and buyers to withdraw and transfer funds to other wallets.

• We have no definitive evidence where Infinity Market’s servers are hosted or where its staff are located. Some sources suggest the administrator of Infinity Market may reside in the United Kingdom. He or she also uses both Telegram and Gmail to communicate with criminal associates.

Stay tuned as we explore new and existing darknet marketplaces to provide our readers a glimpse into the darknet economy and some of its major players.

Interested in what you’ve just read? Don’t forget to subscribe to our blog below to get the latest in darknet intelligence and be notified as soon as we put out new content.