Brief primer on voter registration info on the darknet

For the last two years, U.S. voter registration information has been widely circulated across darknet forums and channels for potentially nefarious purposes. Earlier this year, DarkOwl detected U.S. voter registration databases for the states of Michigan, Florida, North Carolina, and Colorado being shared freely. Some databases are packaged in sets of key states and sold on popular deep web forums and marketplaces by popular darknet vendors such as GoldApple.


This is certainly not the first exposure of U.S. voter registration data on the darknet en masse:

  • In December 2015, the personal information of millions of voters was exposed on the darknet, when security researcher Chris Vickery and databreaches.net discovered over 191 million U.S. voters’ records in a mis-configured database belonging to a marketing firm supporting one of the political campaigns. The owner of the database was never identified.

  • In summer 2017, another 198 million voters’ records were exposed after researchers discovered an unprotected AWS S3 bucket containing the voter rosters. The voter information had been archived by Deep Root Analytics, TargetPoint Consulting, Inc., and Data Trust, three data mining companies supporting the Republican Party. Rosters of statewide voter data are made readily available to political campaigns and their marketing affiliates for free for targeted campaigning and canvassing. Such a database, especially one containing hundreds of millions of U.S. voters’ personal data, would be worth several hundred thousand dollars to darknet cyber criminals, who could leverage the information for traditional financial cyber crime.

Interestingly, just earlier this month another darknet user shared a database containing the personal information of millions of political contributors and donors on a popular hacking forum. The information in the database included the donor’s full name, physical address, age, phone number, income, gender and donor type. The user did not specify where the information originated or which campaign this data was stolen from. The post was removed by forum moderators after other users suggested the author was a “criminal hacker” and that the data had been acquired through malicious intrusions into a political database.


In the meantime, DarkOwl analysts have witnessed several conversations on popular right-wing-leaning deep web discussion boards regarding the domain http://donaldtrump.watch. Anonymous users and supporters of Trump stated the domain was active and contained personally identifiable information of financial contributors to the President and the GOP. WHOIS domain history shows a registrant redacted for privacy and suggests a 2018 creation date; archives of the website from late 2019 suggest it was created in response to the President’s impeachment and is simply a “Donor locator map for the impeached Chief Executive Donald J. Trump. – Data Provided by the FEC.gov.” The Federal Election Commission records all contributions made to any candidate, campaign contributions are not private, and the data held by the FEC can be requested, typically for marketing and canvassing use.

The website is set up with an alphabetized address and name search capability identifying contributors by name, their address, the specific dollar amount of their donations, and last donation date. There are numerous positive and negative comments about the Trump donor website across deep web and darknet discussion groups. Some commented on their neighbors’ donations:

Huh, two of the neighbors I like each donated about a grand to Trump. I didn't take either of them for Trump supporters. One guy in my neighborhood is unusually enthusiastic, it would seem.

Many users stated the information on the website was false, incorrect or dated back to 2016, while other users confirmed their families’ information was correct on the website and expressed concern about potential property damage. Analysis of the donations suggests the information is accurate up through August 31, 2020.

Regardless of exactly when the website appeared and its author’s motive, the website’s information could be used to target, intimidate and frighten Trump supporters, similarly to the email campaign the FBI attributed to Iran earlier this month: emails sent to non-Trump supporters in Florida, threatening them into voting for Trump and signed in the name of the controversial right-wing extremist group, The Proud Boys.


The BlueLeaks files, released earlier this year and containing files from hundreds of police departments, speak of how state voter registration data could be misused and specifically mention how a malicious actor could leverage voter names, e-mail addresses, and telephone numbers to connect with new audiences and market personalized advertisements according to their views on specific topics, propensity to vote, and other factors. This information, coupled with a foreign adversary’s disinformation campaign, could be utilized to register fake social media accounts, seed content, and amplify distribution of content of interest to targeted audiences.

The Digital Economy of Disinformation: Sale of Fake Social Media Accounts on the Darknet

Underground markets of the darknet provide an extensive inventory of illegal goods for sale, including drugs, weapons, hackers and assassins for hire. Also commonly found in darknet marketplaces are a variety of “digital goods,” most notably log-in access credentials for social media accounts across a multitude of sectors. One can as easily purchase credentials for Amazon Prime accounts as they can the credentials of a PayPal account, or an iTunes account that belonged to a previous owner.

What DarkOwl analysts observed as decidedly more prevalent this year is an increase in completely falsified social media accounts, the creation of which entails posting content to them regularly, generating likes, followers and credibility through strategic activity, enlisting tools such as SMS verification services to bypass standard security measures, and then selling these powerful “ready-to-go” accounts to eager buyers on the darknet.

After witnessing a surge in the number of fake, pre-packaged social media accounts being advertised for sale over the last year, we took a closer look and found that the demand for these types of accounts has shaped into a sophisticated market, giving individuals with potentially malicious intentions the tools they need to not only obtain social media accounts, but also to leverage them for persistent disinformation campaigns.

Before these purchased accounts can be used to spread content and influence others, however, criminals must first clear a number of hurdles: obtaining accounts that appear to be genuine (i.e. have a history of regular posts and photos), that have sufficient clout (i.e. a number of followers), and that can get past security challenges such as two-factor authentication requirements.

Bulk accounts for sale 

The economy of fake, compromised, or otherwise manipulated social media accounts is a booming business. Traditionally, these compromised credentials belong to an unwitting former account holder whose password got in the hands of the wrong individual. 

However, our analysts have recently noticed a surge in an equally, if not now more, prevalent type of social media darknet marketplace listing: curated social media accounts that have been created expressly for the purpose of being sold later.


The result is another niche economy in which both “fresh” (newly created) and “aged” (accounts with pre-generated followers, or similar) social media accounts are available for purchase across a variety of forums and marketplaces on the darknet.

In taking a closer look at what these listings have in common, we were able to conclude that the demand and price for some social media accounts is closely related to the perceived level of influence and social media platform popularity.

Key takeaways from our observations:

  • Of all the social media platform account information listed for sale, YouTube accounts seem to be the most popular overall

  • Reddit accounts are also in high demand and are priced based on the amount of Reddit ‘karma’ the account comes with – with some listings advertising accounts with over 50,000 karma points

  • In one case, we observed a Russia-based supplier advertising over 30,000 accounts for sale across Facebook and Twitter alone

  • In addition to fake accounts created with the aim of selling to the highest bidder – who is then free to use them as they see fit – a number of darknet vendors continue to offer “combo-lists” (username and password combinations) of hacked or leaked account data, many of which were likely retrieved via reused passwords that were compromised in another commercial data breach

  • Facebook and TikTok accounts tend to cost the most across most social media account brokers, followed closely by LinkedIn, Reddit, and Instagram

  • In addition to social media platforms, we also observed vendors selling Gmail accounts, which notably require security measures such as two-factor authentication (2FA)

This chart captures the average price per listing based on data from a major darknet vendor shop that specializes in curated accounts across all major social media platforms. Many of these accounts are being sold in bulk, and are broken out by the age and quality of the accounts for each platform.

As a result, listings reveal a complex pricing model based on a number of factors, including how much content has been posted from them, how many followers the account comes with, and if the advertised account comes with a toolkit allowing the purchaser to bypass security measures such as 2FA.

2FA measures have created demand for “Phone Verified Accounts”

Due to the onset of 2FA requirements across multiple platforms, the digital economy of social media accounts has had to adapt. Now, instead of just selling usernames and credentials, vendors are advertising Phone Verified Accounts (PVAs), or accounts that have already been formally associated with a phone number and unique IP address.

For example, if someone were to log into their Gmail account from their personal computer in their home, they will likely be required to allow Gmail to text them a log-in code, which they then enter back into their Gmail account to gain access. In doing so, Gmail has confirmed this individual’s phone number and IP address, and their account is thereby Phone Verified. Notably, this process requires a mobile device or some other means by which to receive an SMS text.

Google began employing phone verification requirements for account registration as early as 2015. Also in 2015, Facebook began encouraging its users to associate a phone number with their account, and in 2019 made verification via SMS a requirement for all new registrants. Now, both Instagram and Facebook also employ phone verification via SMS for new account registrations and will often block accounts set up using virtual or privatized IP addresses, or accounts created from the same IP address within a short period of time.

These continued increases in security measures have driven the demand for phone-verified social media accounts, which don’t come cheap. We have steadily observed darknet forum users offering account verification services for accounts created in the USA, UK and China on Facebook, Telegram, Instagram, Gmail and others.

One such current listing offers “High Quality Facebook Marketplace Accounts” for sale. Each account comes with:

– Anywhere between 2 to 9 years of daily activity

– Over 1,000 friends/followers

– An associated email address

– An associated Facebook password

– 10 backup 2FA codes

– The date of birth needed for account verification and/or recovery.

The phone verification account market has been thriving since these platforms instituted such security protocols, even outside of the darknet. Examples of such vendors include:

  • On the surface web, PVACreator (pvacreator.com) provides PVA accounts for a variety of platforms and the one-time, single use account price ranges from $62 to $348 USD depending on the platform. Users of their service can sign-up for unlimited accounts across all the sites they have access for $1200.

  • Hemlane, a rental property management product, is the most expensive website for which PVAs are available; most run on average $100 USD each.

  • On a popular deep web forum, one user offered access to a SaaS-like platform called GramCreator for creating Instagram PVAs en masse for a flat fee. GramCreator’s marketing material highlights its ability to protect its users’ interests and evade detection by Instagram.

Because an SMS service is necessary to create a PVA, the widespread marketing of PVAs has subsequently driven the demand for SMS services, which we are increasingly seeing on offer across the darknet.


Traditionally, SMS services have been employed by scammers and phishing-focused cybercriminals, who use them to spam mobile phones with targeted, malicious phone calls and texts. In doing so, they are able to siphon users’ personal information and/or compromise their mobile device or home network when connected to wi-fi.

Now, SMS services enable entrepreneurs in the social media account economy to combine social media account credentials with new, unique SMS-enabled phone numbers that have been pre-associated with the credentials, thereby allowing any purchaser of these pre-made social profiles to bypass 2FA challenges.

Bots are also in high demand

In looking at the vendors in this space, we also observed that the digital economy for social media bots is thriving. For example, on the underground market OpenBazaar, a number of vendors sell Instagram and YouTube promotion bots to increase a fresh social media account’s views and likes.

Other offers guarantee to “drive over 10,000++ of real, genuine human traffic” from search engine and social networking sites in 100 days for as little as $5 USD.


Not only that, but bot services appear to be getting more sophisticated and have evolved to be more persistent. On Telegram, some developers offer exclusive access to their automatic traffic generator programs for website and social media platforms. 

Other, older darknet market solicitations advertise social media bots that can auto-generate 400 to 600 likes per hour. The longevity of these auto-generated likes and followers is uncertain. Adding to the notion that they may not be reliable is the case of one darknet forum user, who recently posted that all 100 Instagram followers they had purchased from a similar service had disappeared after a single week. Other social media bot providers commenting on the thread stated that, had the user used their service, they would refund a significant percentage of the purchase price if followers left.

On a popular Russian criminal darknet forum, members also discuss using social media crawlers such as Saveogram to harvest content from the real Instagram accounts of influencers, which they then use as a template to recreate and modify messages in line with their larger disinformation goals. Earlier this year, TikTok deleted a verified “Kendall Jenner” account after it turned out to be fake. The fake account gained over half a million followers in less than two hours of its creation.

Impact of the “pre-packaged” social media account engine

In the last decade, social media applications, from Facebook and Twitter to the now-controversial TikTok, have proliferated, with one or more of them on nearly every adult’s smartphone, connecting people around the world through follows, likes, and retweets. Keeping abreast of current news via social media is increasingly popular. In late 2019, a Pew Research Center study concluded that 55% of adults in the US rely on social media to get their news, while a follow-up study conducted from October 2019 through July 2020 indicates that nearly one in five US-based adults receive political and election-related coverage exclusively via social media. Facebook, Twitter and Reddit lead the platforms with the most news-centric user base.

Users acknowledge the impact of false and misleading information on these sites. In 2016 and the months leading up to the US Presidential Election, social media was flooded with false political advertisements assessed by the Special Counsel’s Investigation to be mostly engineered by agents of the Russian Government. While we understand that nation-state governments actively conduct disinformation campaigns, spreading the propaganda of their choosing in increasingly creative and cunning means, the disinformation methods of government intelligence agencies are now readily available to those needing such services commercially on the darknet.

In this initial report, we focused on how fraudulent social media accounts are traded and sold on the darknet. Stay tuned for our follow-up pieces that will detail how these accounts are leveraged to execute disinformation content campaigns, and what potential impacts this underground economy will have on the upcoming US-elections.

 

Darknet Marketplace Snapshot Series: UpShop Market

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

UpShop Market


UpShop is a small darknet marketplace that specializes in the sale of stolen or compromised digital accounts. These listings advertise account credentials for Microsoft accounts, Wells Fargo accounts, iTunes accounts, and many others. They also have a section dedicated entirely towards the sale of stolen (or potentially fraudulent) identities, with each advertised item consisting of a Social Security Number and its corresponding City, State, and Zip code.

Since its opening in mid-December 2017, the market has been casually promoted across several Russian- and English-speaking deep web criminal forums, including XSS, Dedik, WWH-Club, Gerki, Beznal, and Club2CRD.

The administrator(s) of UpShop have been relatively quiet this past summer and into this fall, and have not publicly posted a market update since early May 2020. Nevertheless, at the time of this posting, business at the underground market appears to be continuing as usual.

The landing page of UpShop Market, showing the various types of account credentials, as well as stolen or fraudulent identities, that vendors there are offering for sale

The price of stolen accounts on UpShop

Over the course of our most recent observations, DarkOwl researchers noted that there were 3,121 stolen accounts being advertised for sale. This is up from the 2,981 that we noted as the total number of listings earlier this summer. Whether UpShop will continue to follow this trajectory has yet to be determined, but as we mentioned earlier, the underground business does seem to be fully operational at this time.

Other findings include:

  • The average price of one stolen account on UpShop market is $6.33 USD.

  • The stolen accounts are associated with 40+ different merchants, which seem to be primarily retail merchants like Target and Kohl’s.

  • Sam’s Club and Walmart accounts make up 46.46% of the total number of stolen accounts advertised for sale.

  • The price of one stolen Sam’s Club account ranges between $2.50 USD to $5.00 USD, while the price of one stolen Walmart account ranges between $5.00 USD to $6.00 USD.

  • The price of each listing is largely determined by the amount of personally identifiable and financial information fixed to each account.

The distribution of accounts by vendor as listed on UpShop Market


Additional Market Observations and Related Findings

  • The staff members of UpShop have been tied to several usernames, including upshop33, which appears to be their main moniker, as well as malkincheff and ElskChief.

  • Only 5 vendors in total are responsible for trafficking all of the stolen account data into the market: Like_a_Boss, BestStuff, romulan, applewarrior and drobdead

  • UpShop has a built-in identity theft store. At the time of this writing, 10 identities are advertised for sale. The average price of one stolen (or potentially fraudulent) identity is $0.30 USD, which is rather low in comparison to prices across other identity theft stores we’ve observed on the darknet.

  • UpShop also has a built-in email-flooding service, whereby a cybercriminal can send a large volume of spam to a target’s email address, crippling their ability to manage their inbox. The price of each ‘flood’ is determined by the volume of emails sent to the victim’s email address.

A screenshot of UpShop’s administrator promoting his or her market in Russian across Beznal - another darknet forum.



 Thanks for reading this edition of our Darknet Marketplace Snapshot Series! Subscribe to our blog on our blog homepage to be notified whenever we publish a new piece.

Darknet Marketplace Snapshot Series: Amazin Market

In our new Darknet Marketplace Snapshot blog series, DarkOwl researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet. 


Figure 1: Amazin Market’s Log-In Page


This marketplace is engaging in blatant copyright infringement 

The most notable characteristic of the darknet marketplace Amazin is that the administrator is committing outright copyright infringement by unlawfully using Amazon’s intellectual property in their branding. In addition to cloning Amazon’s official logo and replacing the “o” with an “i,” (Amazon -> Amazin), the administrator of Amazin Market has also poached other branding characteristics from Amazon’s official website.

For example, the marketplace admin has laid the cloned spin-off logo on top of the exact same quintessential charcoal color that Amazon features on its website. The admin has also situated a white shopping cart in the top-right hand corner of the market, much like Amazon’s actual interface.

Amazin Market has a relatively intuitive user interface and customer support system that continue to mirror Amazon’s both visually and navigationally. The market also features a robust vendor rating and review system. Referred to as a supplier rating, it measures the performance of darknet vendors on Amazin Market on an ongoing basis and gives buyers on Amazin Market the opportunity to make better purchasing decisions.

Figure 2: Amazin Market’s Homepage


A look at what’s for sale

While Amazin market may look like Amazon from a visual perspective, the merchandise one can find being sold there is a major departure from the kitchenware and back-to-school supplies you’ll find on Amazon. Instead, Amazin market carries exclusively illicit supplies, such as hacked accounts and e-gift card codes.

Amazin Market appears to principally feature financial-related goods and services. Vendors on Amazin Market are currently advertising for sale hacked Amazon, JPMorgan and PayPal accounts, as well as compromised iTunes, Amazon, Google Play and GameStop e-gift card codes, sometimes 70-80% off face value.

In addition to hijacked accounts and e-gift card codes, vendors on Amazin Market are also advertising for sale money laundering services using PayPal, Payoneer and Western Union.

Figure 3: PayPal money laundering service advertised for sale on Amazin Market


Figure 4: Western Union money laundering service advertised for sale on Amazin Market


Of significance, DarkOwl discovered that one vendor is responsible for trafficking all of the stolen payment card information through Amazin Market. Known as ‘HQDumps,’ the vendor is selling ‘dumps,’ hacker-slang for stolen payment card information that can be used to conduct in-store card fraud.

After reviewing and analyzing all of HQDumps’s listings, DarkOwl was able to determine that HQDumps is currently selling financial details that belong to victims that reside around the world, particularly in the United States, Europe, Australia and Asia.

Key things to know about Amazin Market

7 vendors currently operate on Amazin Market: amazin, JPMorgan, RedBull, Babo, Patron, Joker and HQDumps. After reviewing all of HQDumps’s vendor reviews on Amazin Market, DarkOwl uncovered that HQDumps used to be a vendor on the Silk Road. It remains unknown which version of the Silk Road HQDumps was affiliated with, whether the original or the post-Ulbricht versions.

DarkOwl also found that HQDumps used to be a member of the “MasterGroupOfSpam,” a Telegram Channel inhabited by 9,700+ cybercriminals involved in various criminal activities, primarily hacking and card fraud. It is important to note that HQDumps has not operated on Telegram (HQ DUMPS @ HQDUMPS) since late May.

Differentiating itself from other darknet markets, such as Infinity Market, Amazin Market does not reveal the precise number of stolen goods that each and every vendor is advertising. This feature may have been implemented in an effort to better protect Amazin Market’s vendors, as law enforcement agencies have been known to prioritize vendors by the sheer volume of illicit goods that they are individually offering.

Contrary to other darknet markets, Amazin Market only supports Bitcoin as a means of payment. At this time, DarkOwl has not observed any darknet forum chatter or related scrutiny related to this payment limitation. 

Amazin Market, like so many other markets on the darknet, has an escrow system. Escrow systems serve as third party vehicles that hold funds until both sides of the transaction have been completed. It’s an important feature as it acts as a way to protect both buyer and vendors from getting scammed.

DarkOwl analysts noticed that Amazin Market is listed on Tor66, a darknet search engine on the Tor Network that advertises many known scam services. Interestingly, Amazin Market is also listed as a ‘scam market’ on Dark Web Magazine’s dark web scam list. These findings support why the admin has had a difficult time gaining traction amidst the criminal underground, even with a darknet marketing incentive of $30 USD (as pictured below).

Figure 5: Visual of Amazin Market’s admin posting a darknet marketing incentive on his bazaar


Who is behind Amazin market?

Figure 6: Visual of MoneyPlus’s Homepage


DarkOwl discovered a darknet market known as MoneyPlus with the same source code, vendor community and user interface as Amazin Market. DarkOwl uncovered that the administrator of MoneyPlus (possibly also operating under the alias Amazin) can be reached via email at [email protected]. At this time, DarkOwl does not have definitive evidence of whether Amazin Market and MoneyPlus Market are affiliated, or whether both markets are run by the same administrator.

Additional research efforts revealed that Amazin Market has a dual presence on the deep web (hxxps://amazin.to and hxxps://amazin.biz). After running a WHOIS and IP Geo lookup around both domains, the first domain was found to be registered on March 28, 2014. The domain was also found to be protected by Cloudflare and linked to the IP address of 104.31.81.229, a server located in Manila, Philippines. The second domain was found to be registered on December 17, 2012. In contrast, the domain was not found to be protected by Cloudflare, and is linked to the IP address of 192.64.119.87, a server located in Los Angeles, CA.

As such, the actual location of the marketplace’s servers, as well as the identity of the marketplace’s administrator, remain unclear.



Increased Threat to Food Delivery Services on the Darknet

In a time when society is more reliant than ever on personal food delivery and shopping services such as Seamless and Instacart, darknet criminals also have increased their reliance on exploiting these applications for continued financial gain.

The potential for fraudulent activity includes purchasing goods with hacked accounts on these services, abusing the vendor’s refund policy, and even more advanced techniques such as API traffic interception for malicious injection or targeted data manipulation.

DarkOwl has observed an increase in the prevalence of food delivery and personal shopping service accounts on offer across a number of darknet marketplaces.

DarkOwl confirmed an increase in food delivery service provider mentions in not only major darknet marketplaces but also in criminal carding forums and illicit digital good trades on anonymous websites. Of the vendors we looked at, Seamless and Caviar appear to have the most remarkable increase in the number of documents in DarkOwl Vision mentioning compromised accounts, with Instacart, Uber Eats, Just Eat, and DoorDash close behind.

To conduct our analysis, we looked for instances of each food delivery service provider appearing in our database of darknet documents (Vision), from year to year. Vision is comprised of content scraped directly from pages on the darknet, such as pages on Tor. As per the graph below, we are then able to see how many mentions there were of each company in our database to estimate what percentage of darknet pages mentioned these companies during that time.

For example, of all the pages of darknet content DarkOwl has collected that mention DoorDash or DoorDash accounts to-date, 33% of page results were observed on the darknet in 2019 and 67% were from 2020. This is also notable insofar as it indicates that DarkOwl did not observe DoorDash accounts appearing on the darknet until 2019, so they are evidently a new and increasingly popular target.

Figure 1 - Percentage Documents in DarkOwl Vision mentioning the Service Provider or their Commercial Domain from 2019 – 2020

Our analysts also note that the 2020 data included in this analysis is only through the end of July, meaning that many of these vendors will likely surpass (or continue to surpass) their 2019 numbers by an even greater extent by year’s end. Interestingly, DarkOwl also observed PostMates and UK-based Deliveroo food delivery services mentioned in fraud-focused conversations on criminal forums but in less volume than in 2019.

Across the board, using DarkOwl Vision, we saw an average 230% increase in darknet mentions of most of the major food delivery and personal shopping providers between last year and this year.

Examples of Compromised Accounts Being Advertised

On the darknet marketplace Infinity Market alone, DarkOwl discovered 8 different vendors selling a mix of hacked mainstream food delivery service accounts, including DoorDash, Grubhub and Caviar. The average price ranges from $1.50 to $10 USD per account, and successful use depends on the legitimate owner not having recently changed their password, which is often the case and renders the account useless. The value of the accounts is determined by a number of factors, including the ‘freshness’ of the account and the number of completed orders attached to it, and, most importantly, the volume of personally identifiable and financial information attached.

In mid-June, a new user on Raid Forums posted numerous DoorDash email addresses and passwords along with their account balances free for criminal use. With the account login credentials and an account with a saved credit card on file, the cybercriminal can easily change the delivery address and use the account to purchase food for delivery fraudulently.

Figure 2 - Compromised DoorDash accounts on the darknet (including email and password) and associated balances for each account

Instacart accounts are regularly traded and sold on darknet marketplaces. On White House Market, a vendor using the moniker drhack3r is offering Canadian-based Instacart shopping accounts for as little as $9 USD (pictured).

Figure 3 - Instacart consumer accounts offered for sale on White House Market

According to reporting from late July, some 278,531 Instacart consumer grocery shopping accounts were found to be for sale on the darknet, for as little as $2 per account. The information includes the customer name, email address, the last four digits of their credit cards, the order history for the account, and some other shopping-related data. The validity of the account information has been verified by two Instacart customers whose details are up for sale, and this information is not old.

DarkOwl has been unable to confirm the volume of Instacart accounts on offer, and Instacart denied that a breach of its systems occurred. Instacart stated that the account data was likely generated as a result of credential stuffing using previously compromised information that is publicly available.

One Way Criminals Make Money From These Accounts: Refund Policy Fraud

Underground cybercriminals have also uncovered ways to bypass most of the major food delivery services’ refund policies, and now offer either step-by-step instructions for single, one-time use, or the opportunity to use third-party anonymous accounts for executing the order and the refund, while skimming either a flat rate or a percentage of the refund as commission for facilitating the refund fraud.

Refund brokers who charge a flat rate for orders up to a certain value likely operate a larger criminal enterprise, whereas those charging upwards of 45% per transaction appear to rely on issuing fewer refunds at a higher profit margin.

Figure 4 - UberEats & GrubHub Fraud Guide for Single-Use. Source: DarkOwl Vision (976763716e16fa2f111a0dd6aebe903a)

In May, Instacart refunds for upwards of $700 USD, along with Uber Eats for $200 and Shipt for $500, were offered for sale by a user known as @DDsRefundVouches on the popular chat application Telegram.

Defrauding refund policies presents an opportunity to resell the credit as gift cards, a popular money laundering currency on the darknet and deep web.

Figure 5 - Crsj’s Fast & Easy Food Refunds Mentioned on the darknet. Source: DarkOwl Vision (369383f52e069a2c9865185b95096374)

Food Delivery Account Vulnerability: API Cracking & Shopping Bots

Some more advanced hackers are more interested in the technology to exploit these personal services and many have expressed interest in the underlying API for traffic interception. This would give the criminal access to the customer’s personally identifiable information such as name, address, e-mail address and payment information.

A user on a hacker forum expressed interest in “cracking” the Just Eat food delivery service in the UK, and the forum community offered a number of solutions depending on whether the purpose is to order for free or to steal refunds. One user, “BigLad465”, found a Deliveroo (another UK-based food delivery service) exploit that could capture a customer’s credit card for as little as £35 ($45 USD) for use on future food deliveries from another account, or use the compromised account to request refunds on previous orders.

Figure 6 - Interest in hacking Just Eat UK. Source: DarkOwl Vision

Grocery shopping services like Instacart and Delivery.com are equally at risk for this type of criminal behavior. In late April, an anonymous user pasted JavaScript source code to automate the creation of Instacart accounts. The purpose of creating a mass volume of Instacart accounts was not identified in the post, but the username associated with the post is “ddanhviet”, who has posted numerous scripts related to online shopping, product recommendations and user reviews, including for Home Depot and Tmall, a Chinese online shopping website.

Many of the app-interception and manipulation discussions sit on the Surface Web in websites such as Reddit and in social media. In early June, a Reddit user asked specifically about the Instacart API, looking to intercept traffic between Instacart servers and the shopper API. Some of the comments included Charlesproxy and Wireshark as potential solutions. Another Reddit thread from May talked of Instacart bots from a supplier known as HaxEdge Solutions to steal large-value batches.

The HaxEdge Solutions website discusses how they are able to conduct e-mail monitoring, social media hacking, expunge criminal records, and recover lost money due to scams. Despite their morally questionable services offered, HaxEdge does not have a noteworthy darknet footprint in DarkOwl Vision.

“Based on our expertise and experience with codings and several algorithms, we are able to input any backdoor command on security systems to achieve our results. People need hacking for several reasons and thatʼs why we set up our agency to serve as the unconventional way out. We offer variety of hack services depending on your request, our hackers will document your inquiry and provide a functional process to get a solution.”

— Quote directly from HaxEdge: https://haxedge.co/services.php

In recent months, there has been a surge in Instacart related batch-stealer apps and many have come and gone, sometimes using slightly varied titles, such as Ninja Hours, Ninja Shoppers and Ninja Shopper. DarkOwl discovered nearly a dozen active platforms in mid-May advertising openly on YouTube and social media platforms. Contact information for these apps links them to users spanning the U.S., including New York, Savannah, Georgia and Northern California.

Detailed tutorials on how to use the third-party bots and batch stealers are available across a variety of YouTube channels for the apps. In the case of Ninja Shoppers, which was recently covered by Bloomberg News, the app is free to download, but users must be “activated in a private group” in order to be granted permission to pay for a user authentication token. Once logged in, the program prompts the user to find Instacart orders available near their location, according to a YouTube video viewed more than 13,000 times in the past three months.

Identifying one criminal exploiting food delivery accounts: Ninja Shopper

Ninja Shopper is one of the most prominent and popular Instacart order (batch) stealing programs available on the market. The app developer accepts Bitcoin and Zelle payments and sells it for as little as $600 USD, with a phone number located in the New York area.

Figure 7 - One of a number of YouTube tutorials on how to use the third-party bots and batch stealers to exploit food delivery refunds.

With minimal OSINT investigation, DarkOwl analysts uncovered a GitHub repository with a similar name, “batchgrab”, created two years ago by a Brazilian programmer using the moniker felix b1scoito. Other repositories in his GitHub account include auto-clickers, e-mail spammers, and DDoS tools.

Figure 8 - Image of the individual that is potentially behind the “b1scoito” moniker. Source: youtube.com

The moniker “b1scoito” has a large presence across major deep and dark web hacking forums. They previously talked of intercepting the Netflix API and demonstrate proficiency in a number of key programming languages. Using other digital fingerprints revealed through pivoting with DarkOwl Vision, analysts found links to a programmer on a YouTube channel that included a Portuguese-language tutorial on AdvancedBots only a couple of months ago, an inactive Twitter account, and a Surface Web URL with numerous references to the b1scoito alias.

Ninja Shopper is not the only Portuguese-speaking bot on the market. Others such as Robô Instacart had a short lifespan on YouTube and Reddit in late May (shown below).

As outlined in the recent article published by Bloomberg, their journalists connected by phone in late July with an Instacart bot-seller that DarkOwl had discovered; the man spoke first in Portuguese and then in English, confirming to them that he was selling a bot for those amounts. He declined to answer additional questions after learning that the information would likely be publicized.

Figure 9 - One of a number of YouTube tutorials on how to use the third-party bots and batch stealers to exploit food delivery refunds.

Potential Impacts to Account Holders

Food delivery services with mobile-phone apps are in widespread use. For example, according to a survey conducted by U.S. Foods in mid-2019, the average person has at least two food delivery apps and uses them upwards of three times per month. Furthermore, one could reasonably expect that usage has increased even more in 2020, with local restaurants’ dining rooms shut down and country-wide quarantines due to COVID-19.

It is reasonable that criminals will continue to exploit these accounts in the future, beyond simple account hijacking or scamming vendor refunds. Further potential impacts include:

  • Access to PII (Personally Identifiable Information) could be exploited and used to make fraudulent purchases (e.g. hackers with access could obtain your credit card information, home address and other addresses you’ve ordered from, etc.).

  • Information gleaned from your account could be used for highly targeted phishing attacks (e.g. hackers could send an email appearing to come from a restaurant you frequent, using detailed information from your order to execute a phishing attack).

  • Free Food! We have observed interactions on the darknet of individuals discussing how they’ve simply usurped an account to order food for themselves and others.

In light of this knowledge, the best personal precautions are never to reuse passwords that might already have been compromised and not to save credit card information on commercial accounts such as these. We also advise that users of these services take heightened caution when opening and clicking on links in emails purportedly coming from these services, as they may be phishing attempts.

Darknet Marketplace Snapshot Series: Infinity Market

In our new Darknet Marketplace Snapshot blog series, DarkOwl researchers provide short-form insight into a variety of darknet marketplaces; looking for trends, exploring new marketplaces, examining admin and vendor activities and offering a host of insights into this transient and often criminal corner of the internet.

First up is Infinity Market – but don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are released featuring different darknet marketplaces on an ongoing basis.

Figure 1: Infinity Market’s Log-In Page

Vendors Continue to Gravitate Towards Infinity Market

Infinity Market is capturing the attention of more and more vendors. Since early May of 2020 alone, DarkOwl has witnessed an astonishing 76.92% increase in vendor registration volume.

The statistic does not come as a surprise to DarkOwl, as vendors have quickly recognized that Infinity Market mirrors a criminal nexus, rather than a traditional darknet market, differentiating itself by standing up both a built-in card shop and botnet log store.

Figure 2: Stolen payment card information advertised for sale on Infinity Market

Another reason that vendors continue to turn to Infinity Market is because the market has a growing presence on the deep web. It is evident that the administrators of Infinity have allocated a significant amount of time and investment into marketing directives.

At the time of this writing, DarkOwl uncovered that Infinity Market has a promotional presence across several mid- and top-tier Russian- and English-speaking deep web criminal forums, most notably Raid, Club2CRD, Breach, Pro Crd, Fraudster Crew, WWH-Club, and Cracked.

Figure 3: Infinity Market’s hallmark marketing banner on Club2CRD

Establishing more trust with vendors, the administrators of Infinity have promised to protect their real-world identities by not collecting, storing and sharing any of their profile data and related market activities with ‘third-parties.’

The admins have also assured vendors that their market infrastructure and messaging channels are protected with AES-256 encryption (as pictured below).

Figure 4: Infinity Market’s FAQ-Page – Section 3.0 – Security & Privacy Policy

Key things to know about Infinity Market

  • Since the pandemic, compromised food delivery service accounts, particularly Grubhub and DoorDash accounts, have been one of the hottest commodities on Infinity Market. The price of a compromised DoorDash account, at the time of this writing, was $2 to $5 USD, with the price largely determined by the ‘freshness’ of the compromised account and the volume of personally identifiable information attached.

  • A user’s rank in Infinity Market is determined by spending history.

    • Lite – $0 – $1,000 USD

    • Silver – $1,000 – $3,000 USD

    • Gold – $3,000 – $6,000 USD

    • Prime – $6,000 – $10,000 USD

    • Infinity – $10,000+ USD

  • Contrary to other darknet markets, Infinity Market only supports Bitcoin as a means of payment. Drawing skepticism, the market does not allow vendors and buyers to withdraw and transfer funds to other wallets.

  • We have no definitive evidence where Infinity Market’s servers are hosted or where its staff are located. Some sources suggest the administrator of Infinity Market may reside in the United Kingdom. He or she also uses both Telegram and Gmail to communicate with criminal associates.

Figure 5: Landing page of a surface web carding forum that may be tied to the administrator of Infinity Market

Stay tuned as we explore new and existing darknet marketplaces to provide our readers a glimpse into the darknet economy and some of its major players.


Maze Hackers Release Press Statement on their Darknet Website Naming New Victims

On July 9th 2020, the hackers behind the infamous and malicious Maze ransomware-as-a-service (RaaS) malware released a press statement on their Tor hidden service outlining new terms and conditions for their operations in light of the economic crisis and global pandemic.

Figure 1: Screenshot of Maze Statement

The press announcement further included instructions for their latest ransomware victims, including five key points outlining a post-hack timeline for victim negotiations and subsequent data publications. The announcement listed their intended victims – alleging they had already been compromised – and now are seeking payment from them before releasing their data to the public. These victims include large corporations such as Xerox and LG ELECTRONICS.

The hackers stated they will publish notice of successful hacks along with the victim’s name within three days of the attack. The victim organization must start communication within the 72-hour period post hack. The list of organizations they publicly announced as their targets is included in the following screenshot:

[Screenshot: list of organizations named by Maze, captured July 14, 2020]

If successful negotiations do not occur within ten days, Maze claims that all of the organization’s ransomed data will subsequently be released to the public. This is contrary to the REvil hackers’ approach of auctioning or selling the compromised data (as opposed to releasing it for free). The Maze hackers also allude to “no more delays of a month or two”, suggesting some compromised organizations were possibly using stall tactics to delay publicizing the attack.

Presumably as a means of further intimidating their victims, the Maze hackers also state that, upon data release for each of their victims, they will also be contacting the victim’s partners, clients, and regulators to increase the impact of their attack and the damage to the reputation and company value of the compromised organization.

The hackers included a closing statement on how they are proud of their reputation and that ironically, “honesty is their revenue” along with a list of a dozen organizations they are extorting that would soon have their data published.

Figure 2: Screenshot of Maze Statement

DarkOwl analysts noted that the language used in the hackers’ press release lacked proper grammar, indicating that English is likely not the hackers’ first language. The hackers also elaborated that a victim’s inability to connect to the Maze website chat or to negotiate due to fear is the victim’s own fault — even stating they are not “physiologists” (probably intending to say psychologists) and are unable to understand their victims’ behavior patterns.

Figure 3: Screenshot of Maze Statement

NOTE: DarkOwl has chosen to include the names of the most recent victims in this blog at present due to the fact that they are publicly available.


For more information about Maze and other RaaS sold or traded on the darknet, contact us to set up a trial using Vision to monitor and alert you if your company is being targeted or mentioned on the darknet.

Darknet Threats to Cloud-based Platforms and Applications

DarkOwl has investigated threats to cloud-based platforms and applications discussed on the darknet in order to identify threat actors that are specifically targeting cloud environments. Our investigation includes a broad range of cloud environments; from compromising personal iCloud accounts to hacking large-scale infrastructures such as Microsoft Azure and Amazon Web Services (AWS).

Attack Methodology

Understanding the attack vector against cloud-based platforms is the first step to understanding where to start the darknet research. Fortunately, there are many discussions across the information security community on technical approaches to penetrating a cloud-based network with malicious intent.

As with any information network, one of the simplest ways to gain access is through targeted social engineering and/or credential compromise. Social engineering AWS/Azure network users through the use of fabricated emails, calls or social media is a proven approach to obtaining user credentials. If a user has API keys for accessing the platform, general phishing techniques can be easily employed to gain access to the user’s computer and other accounts, where the attacker could then pull the API keys for said AWS user. One hacker emphasized the importance of learning as much as you can about a target organization in social engineering, highlighting that AWS is no exception. Threat actors target information such as AWS account ids, Amazon Resource Names (ARNs), IP addresses, Role Names, and other related AWS information in order to start an attack on the network [ref].

Some hackers have successfully employed sending SMS text messages to targeted network users. The SMS includes a malicious link that “appears to be a legitimate platform notification” for a password reset, and in the process the authentication credentials are captured. Amazon provides a number of user-friendly URLs for accessing the AWS console or AWS SSO user panels. The following URL patterns could be adapted for targeted phishing, or, once the target’s account name is identified, the threat actor could attempt to brute force the legitimate links:

  • IAM User Sign-In Link (name): https://name.signin.aws.amazon.com/console

  • IAM User Sign-In Link (account id): https://accountid.signin.aws.amazon.com/console

  • AWS SSO Start Page: https://name.awsapps.com/start

Figure 1: Source, DarkOwl Vision DocID: 9d47d601acbbb5c3e8cedc4e3f574352

Other malicious threat actors, such as the hacker behind the RouteX Malware, have successfully accessed cloud accounts through the reuse of compromised account usernames and passwords and automated “credential-stuffing.”

Figure 2: Source, DarkOwl Vision DocID: 73b071f96795871a39411fc9fd4ee70b

Despite repeated warnings from the infosec community, it is well known that most people still continue to reuse passwords, jeopardizing the security of their cloud-based platform accounts. (Source: a136a0a1fb206b55f06084f100ab4cbc)

Methodology – API Keys

Some cloud services, like AWS, use API keys to allow technical users to connect to and control cloud servers without a username and password. These are random, yet unique, strings of numbers and letters that allow the user to connect to the server. API keys are an easy starting point for compromising an AWS instance, and the darknet contains thousands of such mentions. The Telegram group MrChecker.net sells AWS keys for as little as 15 USD, while other hackers post stolen keys to darknet paste sites for future use. (Source: cbe876388ac06e2caddc6c69f516a310)

Figure 3: Source, Offer for AWS Keys for sale on Telegram Supergroup

Figure 4: Source, Listing of Secret AWS Keys on Deep Web, DarkOwl Vision DocID: fa60ca54163e81409ce6800964dadce2

Some developers have accidentally committed their AWS EC2 access keys to public repositories on code hosting websites like GitHub. According to open source reporting, clever threat actors are employing bots to persistently scan GitHub to find unprotected AWS access keys.

One widely discussed open-source tool is the Python script TruffleHog. In recent months, GitHub user Crypto-Breaker committed an entire repository called “My Arsenal of AWS Security Tools” that could easily be adapted for exploitation of AWS buckets. Some AWS users have argued that Amazon now actively searches GitHub for committed secret keys, shutting down the potentially compromised account and notifying the user automatically before a large AWS bill can be accumulated by a malicious threat actor.
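As an added illustration of the key-scanning approach that TruffleHog-style tools apply to commits (this is example code written for this article, not TruffleHog’s or DarkOwl’s code), the following Python scans a constructed diff for AWS access key IDs by their fixed prefix and filters 40-character secret candidates by Shannon entropy, so that a git commit hash does not trigger a false positive; the entropy threshold and the sample values are assumptions.

```python
"""Scan a commit diff for AWS credentials (added example, not TruffleHog's code).

Two checks work together: a fixed-prefix regex for access key IDs and a
Shannon-entropy gate on 40-character base64-alphabet strings, which is how
TruffleHog-style scanners separate secret keys from commit hashes and words.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Long-lived IAM user keys start with AKIA and temporary STS keys with ASIA;
# both are 20 characters of upper-case letters and digits.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 characters from the base64 alphabet.  The run must
# be bounded by non-alphabet characters so we do not match inside a longer blob.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Assumed threshold: a random 40-character base64 string scores above ~5 bits
# per character, while 40 hex digits (a git SHA-1) cannot exceed 4.0.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep just enough of a secret to locate it in the repository."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_CANDIDATE_RE.finditer(line):
            cand = m.group(1)
            entropy = shannon_entropy(cand)
            if entropy >= ENTROPY_THRESHOLD:  # low-entropy runs (hashes, words) are skipped
                findings.append({
                    "line": lineno,
                    "kind": "secret_key_candidate",
                    "value": redact(cand),
                    "entropy": round(entropy, 2),
                })
    return findings


def has_leaked_credentials(text: str) -> bool:
    """True if any credential-looking token survives the filters."""
    return bool(scan_text(text))


# Constructed sample diff: a credentials file accidentally staged in a commit.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation; the
# secret below is a made-up 40-character string, not a real key.
SAMPLE_DIFF = """\
+# constructed sample, not a real credentials file
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
 commit 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DIFF):
        print(finding)
```

The 40-hex commit hash on the last sample line matches the length pattern but is dropped by the entropy gate, which is the false positive a prefix-only scanner would report.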

Figure 5: Source, DarkOwl Vision DocID: 7730edcec2ea299da0103e9e344bdad3

Attack Methodology – Third Party Software and Web Applications

One security researcher discussed in detail the exploitation of Server-Side Request Forgery (SSRF) to conduct privilege escalation. An SSRF is an arbitrary web request from a compromised server to a target network. Making arbitrary requests against the target IP, e.g. replacing http(s):// with file://, can yield invaluable information like session keys and AWS container credentials. IAM credentials can also be harvested through HTTP requests to a server’s metadata URL, gaining access to the same temporary credentials that the application uses. For example, the URL:

[Image: the metadata URL, shown only as a screenshot in the original]

will return a JSON object that contains an AWS access key ID, secret access key, and session token, which gives whoever made that request access to the AWS environment.

Coupling these techniques with tools like boto3, a Python library for interacting with the AWS API, further malicious calls can be performed, including defacing the domain of the S3 website [source]. The Telegram channel exploithub discusses SSRFs against Azure as well as other critical vulnerabilities in cloud-based platforms.
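One defensive counterpart to the SSRF technique described above is to validate every server-side outbound URL before fetching it. The following Python is an added example, not code from the page or from boto3: it rejects non-HTTP schemes such as file:// and any host that is, or resolves to, a loopback, link-local or private address; the injectable `resolve` parameter and the sample addresses are assumptions so that it runs offline.

```python
"""Validate server-side outbound URLs to block SSRF reaching internal hosts.

Added example, not code from the page, boto3 or any cited tool.  A fetcher
that forwards user-supplied URLs should call validate_outbound_url() first
and then connect to the pinned addresses it returns, so that a DNS answer
cannot change between the check and the request.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], Iterable[str]]


def default_resolve(host: str) -> List[str]:
    """Return every A/AAAA answer for host; each one must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ip.is_global is False for loopback, link-local (169.254.0.0/16 and
    fe80::/10, the range where cloud instance metadata services are reached),
    RFC 1918 private, reserved and unspecified addresses.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, resolve: Resolver = default_resolve) -> Tuple[str, List[str]]:
    """Return (url, addresses) if the URL is safe to fetch, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # rejects file://, gopher://, ...
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    # A literal IP is checked directly; a hostname is resolved and *every*
    # answer checked so a record pointing at an internal address cannot pass.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"host resolves to non-public address {addr}")
    return url, addrs


def is_safe_url(url: str, resolve: Resolver = default_resolve) -> bool:
    """Boolean convenience wrapper around validate_outbound_url()."""
    try:
        validate_outbound_url(url, resolve)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed checks; the resolver is stubbed so no DNS lookups happen.
    for candidate in ("https://api.example.com/v1", "file:///var/app/config",
                      "http://169.254.0.1/", "http://[::1]/"):
        print(candidate, "->", is_safe_url(candidate, resolve=lambda h: ["8.8.8.8"]))
```

The public address 8.8.8.8 in the stubbed resolver is a well-known stand-in, not a fetched host; a real deployment would pass the returned addresses to the HTTP client rather than letting it resolve the name again.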

Figure 6: Example code extracted from boto3

Attack Methodology – Malicious Injection

AWS and Azure are both vulnerable to CSV injection techniques used to compromise cloud-based servers. Ready-Hacker-One includes Cross-site request forgery (CSRF) and CSV injection payloads in their “Everythingpayloads” GitHub repository (Source: f78043b645a4e1ce2c66e3aaf4783748), while Rhino Security details the features of the vulnerabilities in AWS and Azure in multiple open source reports. For example, the following command will download an executable from a remote server using PowerShell and then run it on the target user’s computer. The external web server is served over HTTP and automatically redirects to my malicious .exe file, because, due to Azure’s validation, forward and backward slashes break this vulnerability [source].

[Screenshot: the CSV injection command, captured June 9, 2020]

Figure 7: Source, DarkOwl Vision DocID: 40ce4e6a9e2e7ca1b5460bdca7fb9c82
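On the defensive side, an export path can neutralise CSV injection before the file ever reaches a spreadsheet. The following Python is an added example (not code from the payload repository or the reports cited above): it prefixes string cells that begin with a formula trigger with a single quote, leaves genuine numeric values such as -5 untouched, and quotes every field; the helper names and sample rows are assumptions.

```python
"""Neutralise CSV/formula injection in data exports (added example, not from
the page or the cited payload repository).

Spreadsheets treat a cell beginning with =, +, -, @, tab or carriage return as
a formula.  Prefixing such text with a single quote makes the application show
it as literal text, and quoting every field keeps a value inside its column.
"""
import csv
import io
from typing import Iterable, Sequence

FORMULA_PREFIXES = ("=", "+", "-", "@")
CONTROL_PREFIXES = ("\t", "\r")


def is_formula_like(text: str) -> bool:
    """True if a spreadsheet could interpret text as a formula."""
    if text.startswith(CONTROL_PREFIXES):
        return True
    # Also treat leading spaces before a trigger as formula-like; this slightly
    # over-approximates but does not depend on one application's parsing rules.
    return text.lstrip(" ").startswith(FORMULA_PREFIXES)


def sanitize_cell(value: object) -> str:
    """Render one cell, escaping only strings (a numeric -5 must stay a number)."""
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)  # a real number is not attacker-controlled text
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_rows(rows: Iterable[Sequence[object]]) -> str:
    """Write rows as CSV with every field quoted and every cell sanitised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a customer-supplied "note" field containing a formula,
# next to a legitimately negative balance that must not be escaped.
SAMPLE_ROWS = [
    ["customer", "balance", "note"],
    ["alice", -5, "=SUM(A1:A3)"],
    ["bob", 12, "call after 6pm"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```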

Darknet forum user Everest_RR started a thread discussing how CSRF exploitation could produce credentials and a starting point for a server attack through over 100 Jenkins plug-ins (Figure 7). Plugin developers failed to enforce POST requests, the mechanism that blocks such attacks by requiring the CSRF token. These third-party plug-ins interact with most popular cloud-based platforms and services, such as Twitter, AWS, VMware and Azure.

Azure Vulnerabilities on the Darknet

Hackers frequently discuss vulnerabilities in various platforms on the darknet. A recent Azure vulnerability, CVE-2019-1306, “Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability”, was explicitly posted to a hacker forum on the darknet by the user known by the moniker PresidentXS. An attacker who successfully exploits this vulnerability can execute malicious code in the context of an ADO service account.

Figure 8: Source, DarkOwl Vision DocID: 2f579f9a1711a11e065983edc3641293

Earlier this year, Russian hackers on the darknet forum Dublikat discussed Azure Stack vulnerabilities documented in CVE-2019-1234 (Source: d25c98cc06300c5a8e3dcbd1a6ebf606). Such discussion threads in DarkOwl Vision are useful for reviewing comments and exploring applications and use cases for the specific vulnerability.

Figure 9: Source, Captured from darknet forum: https://dublik2uqiorycsj[.]onion/threads/ujazvimosti-v-microsoft-azure-pozvoljali-zaxvatyvat-chuzhie-servery.155202

In 2018, a user on a popular darknet security forum, Torum, expressed interest in attacking an online web server located on the Azure platform. The purpose of the forum thread was less to discuss the attack vector, but more for the solicitation of assistance in the venture. The user, badass888, listed a number of “illegal sports betting” software websites that they wanted to replicate, but the threat actor needed to hack Azure’s cloud platform to gain access to the website databases and source code. It is unclear from the comments whether the hacker managed to find help, but malicious intent is present.

Figure 10: Source, DarkOwl Vision DocID: 5bc5355f20e410d114720b273b1cca0

Google Cloud

Google’s Cloud service “Google Drive” is also regularly targeted by threat actors on the darknet. One Russian forum user, “KeyBox,” recently offered an unlimited “Google Drive” monthly service that is cheaper than Google’s data storage plans. Their services are available on keybox.pp.ua and further discounts are on offer.

Translation of the Russian post: “This is super profitable – by subscription, 1000 GB of disk space costs about 1000 rubles per month, but here you pay once and get Unlimited Google Drive.”

Figure 11: Source, DarkOwl Vision DocID: 61cf92e1a44cb234e5966549eda52350

CloudFlare

Another popular topic on the darknet is how to bypass “CloudFlare” website content delivery networks.

Figure 12: Source, DarkOwl Vision DocID: 56155bc8726d266a810b9fab514cfea6

Cloudflare acts as an intermediary between a client and a server, often using a reverse proxy to mirror and cache websites. Cloudflare was established to track malicious cybercriminal behavior and to prevent criminals from reaching the originating server’s content.

According to one darknet user, “CloudFlare is a big pain to us hackers.” Torigon user xData_ recently posted an informative thread on multiple CloudFlare bypass methods. The thread details tools for different platforms as well as host discovery methods, including SSL vulnerabilities and subdomains pointing back to the main host IP.

There are numerous tools readily available for bypassing CloudFlare protections. Most of the software is hosted in GitHub repositories or exposed through APIs. The Censys API is regularly referenced by threat actors to expose a target’s origin IP address through SSL certificate data. For example, once a list of potential origin servers (IPv4 hosts) has been obtained, some scripts request each one and compute the similarity of its response with the response sent by the original domain, using a structural similarity function designed specifically for comparing websites, similar to a Levenshtein distance calculation.

Another extremely popular resource, regularly referenced for CloudFlare bypass, is “CloudFail”, created by the hacker m0rtem. CloudFail is described as a “tactical reconnaissance tool” for target data collection. The script uses Tor to mask all requests and scans for misconfigured DNS using DNSDumpster.com. The crimeflare.com database is also scanned for subdomains, after which subdomains are brute forced. CloudFail is capable of attacking upwards of 2,500 subdomains at one time.

Figure 13: Source, Screen capture of Cloudfail.py (Source: github.com)

The subdomain discovery methods discussed in xData_’s thread are in full use, as captured by multiple DarkOwl Vision results. There are several hundred examples like the figures below where the subdomain IP has been identified along with the CloudFlare protection flag (off or on). Another threat actor did a similar subdomain analysis of the social media platform Snapchat in late 2019 (Source: 42995a33628e79b929ee7708999f0ebc). Most results with the format <<Subdomain IP Cloudflare>> do not list an author; however, in November 2019, PostNL’s subdomains were exploited by a user with the moniker ProxyManiac. This threat actor also identified some 300+ websites hosted on Bulletproof Hosting in another deep web data dump (Source: 813aacb2d453e10ed8d0c2a2c9e63426).
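The “Subdomain IP Cloudflare” listings above are, from the defender’s side, an inventory problem: an origin stays hidden only if no DNS record points at it directly and the origin itself refuses traffic that did not arrive through Cloudflare. The following script is an added example of that audit, not code from the original post or from any of the tools it names. The DNS inventory, firewall log lines and origin address are constructed; the two CIDR blocks stand in for Cloudflare’s published egress list, which a real check should load from the live list rather than hard-code.

```python
"""Audit a domain for Cloudflare origin exposure (added example, constructed data).

Two checks:
  1. DNS records that resolve straight to the origin without being proxied
     (the "Cloudflare: off" subdomains the darknet listings catalogue).
  2. Accepted connections on the origin firewall whose source is not a
     Cloudflare address, i.e. someone already talking to the origin directly.
"""
import ipaddress
import re

# Illustrative ranges only; load the current list from Cloudflare's published
# IP ranges in production (assumption: one CIDR per line, as the page does
# not describe that format).
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(cidr) for cidr in ("173.245.48.0/20", "103.21.244.0/22")
]

# Constructed DNS inventory: (hostname, address, proxied-through-Cloudflare flag).
DNS_RECORDS = [
    ("www.example.com", "104.16.1.1", True),      # proxied: resolves to Cloudflare
    ("mail.example.com", "203.0.113.10", False),  # unproxied, shares the origin IP
    ("dev.example.com", "203.0.113.10", False),   # unproxied, leaks the origin IP
    ("cdn.example.com", "198.51.100.7", False),   # unproxied but a different host
]
ORIGIN_IPS = {"203.0.113.10"}

# Constructed firewall log from the origin host.
FIREWALL_LOG = """\
2020-05-14T12:00:01Z src=173.245.48.9 dst=203.0.113.10 dport=443 action=ACCEPT
2020-05-14T12:00:02Z src=198.51.100.23 dst=203.0.113.10 dport=443 action=ACCEPT
2020-05-14T12:00:03Z src=103.21.244.100 dst=203.0.113.10 dport=443 action=ACCEPT
2020-05-14T12:00:04Z src=192.0.2.55 dst=203.0.113.10 dport=80 action=ACCEPT
2020-05-14T12:00:05Z src=192.0.2.56 dst=203.0.113.10 dport=22 action=DROP
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def find_exposed_subdomains(records, origin_ips):
    """Hostnames that point at an origin address without going through the proxy."""
    return sorted(
        host for host, addr, proxied in records if addr in origin_ips and not proxied
    )


def is_cloudflare(addr, ranges=CLOUDFLARE_RANGES):
    """True if addr falls inside one of the known Cloudflare egress ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def direct_to_origin(log_text, origin_ips, ranges=CLOUDFLARE_RANGES):
    """(source, port) of accepted connections that reached the origin directly."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        src, dst, dport, action = match.groups()
        if dst in origin_ips and action == "ACCEPT" and not is_cloudflare(src, ranges):
            hits.append((src, int(dport)))
    return hits


if __name__ == "__main__":
    print("unproxied records on the origin IP:", find_exposed_subdomains(DNS_RECORDS, ORIGIN_IPS))
    print("direct-to-origin connections:", direct_to_origin(FIREWALL_LOG, ORIGIN_IPS))
```

Both findings are expected on a typical deployment and both are fixable: mail and other non-HTTP services cannot be proxied, so they belong on a separate address from the web origin, and the origin firewall should allow 80/443 only from the Cloudflare ranges so that a discovered IP is useless on its own.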

Figure 14: Source, DarkOwl Vision DocID: 4aac980c425b46fd027aad24569249bb

Figure 15: Source, DarkOwl Vision DocID: 2a87de7ad872ebec6b3bc422840b2a32

iCloud

Personal Apple iCloud accounts are a popular target among darknet hackers. For example, one of the most common questions observed by DarkOwl analysts active in underground chatrooms is “How do I hack my girlfriend’s iPhone?”. Torigon user Roxy recently posted a link to an iCloud bypass utility for accessing personal iCloud accounts. The software is advertised to work on iPhone models 5s to X. (Source: e456dc53f7840f85609783e97038156a)

Figure 16: Source, Captured from Torum: http://torigonn6jdlsmga[.]onion/viewtopic.php?f=78&p=1859&t=503

Most Russian forums include service advertisements, like the August 2017 offer below by scriptseller2018. This advertisement detailed the steps for exploiting an Apple ID and iCloud account, all packaged together in a script the hacker was selling on the forum. (Source: bee9c6a7875239502c5e3115fdab144e)

Figure 17: Source, DarkOwl Vision DocID: bee9c6a7875239502c5e3115fdab144e

Abuse of Cloud Resources

While not a direct threat to cloud subscribers, abuse of cloud resources is a concern for cloud providers, particularly for providers that offer IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) models. The most prevalent way this occurs on the darknet is through the sale and usage of dedicated cloud servers, often referred to as “dedics”. There are many examples of users on the darknet that are offering these services.

One notable example is user extremalspeed, who posts advertisements for his services on Russian hacking forums such as Exploit.in and UFOLabs. Deep web forums such as Raidforums are also riddled with similar advertisements.

Figure 18: Source, User extremalspeed offering dedicated servers on Google Cloud, Vultr, Digital Ocean, and AWS, DarkOwl Vision Document ID: 51597bc6ec8f321cc2c9a66db8dae3aa

Figure 19: Source, Raidforums user CloudProvider selling cloud computing accounts from multiple sources. DarkOwl Vision DocID: b6a95f5d0283d001458c0f00ee794a08

Organizations are not the only ones taking advantage of cloud computing; from cracking passwords and encryption keys to hosting exploits and stolen data, hackers are no longer limited to their own hardware for malicious purposes. There are many tutorials posted to the darknet that describe how to take advantage of free credits offered by cloud providers. User therigbys, of the now-defunct “KICKASS” forum, notes that there are specific advantages to using Alibaba Cloud for spamming purposes: “You can use the credit to own servers, they have quality IP, you can use to spam with little red flags.” Cloud providers are also being used to host phishing sites; Exploit.in forum member the-one expressed plans to host Office 365 phishing pages on Azure.

Figure 20: Source, A tutorial on how to use cloud computing credits for malicious purposes, DarkOwl Vision Document ID: a987d3f5159f5b2c38e6611e9eec1c4d

Figure 21: Source, User The-one looking to buy an office 365 phishing page that can be hosted on Azure, DarkOwl Vision DocID: b61a5a1d19ffa519b8897792a9f49011

Selling Access to Personal Cloud Services

Some hackers sell access to their personal cloud of data dumps, such as DrDastan on Raidforums. This type of service is usually advertised as a subscription service and the seller usually claims to regularly post updates with fresh data.

Figure 22: Source, Raidforums user selling access to their personal cloud of data dumps. DarkOwl Vision DocID: 438f8f9e5126f6aa72c42d5f440fd796

Selling Access to Compromised Servers and Accounts

In recent years, hackers have made many headlines for selling access to an organization’s compromised servers and servers hosted on the cloud are no exception. The following two examples are from hacker forum Exploit.in. In the first example, threat actor Buffer is selling access to an education institute’s platform, which he claims gets 35 million visits per day. In the second example, threat actor onfrich is selling access to Azure server panels of a hospitality company.

Figure 23: Source, Exploit.in user Buffer selling access to an education institute’s cloud platform, DarkOwl Vision Document ID: c5766f4e3f21384f83dfb1fa28aea8e5

Figure 24: Source, Threat Actor onfrich selling Access to Azure server panels of a hospitality company. DarkOwl Vision DocID: e7dd5705b3e45f05ae456bba9941c5c4

In 2019, a user on the deep web crime forum sinister.ly, using the moniker momxia, posted an offer for Google accounts with $100 USD in credit.

Figure 25: Source, DarkOwl Vision DocID: 8b70f34c4b2e09572bdba0bf775384b0

The advertisement included multiple ways to contact the seller, along with a surface web link to their online store. According to their Selly store on the surface web, the Google Cloud accounts were available for sale at the price of $6.00 USD. At the time of writing, the seller’s website indicated they were out of stock.

Figure 26: Source, Surface Web screen capture of the same list on momxia’s selly store. Source https://momoxia.selly[.]store/product/80806a1b

See this research featured in the newly released IBM X-Force Cloud Threat Landscape Report 2020.

REvil hackers continue to rack up high-profile targets with ransomware attacks

Since first leaking highly sensitive personal information pertaining to Lady Gaga, the threat actor group has targeted Sherwood Food Distributors and Donald Trump. Our team has been monitoring the situation closely and will continue to update here as new developments arise.

UPDATES (LATEST JUNE 2, 2020)

REvil Hackers Begin Auctioning Compromised Data

While US cities degenerate into destructive police protests and rioting, the REvil hackers show no sign of slowing, adding more victims to their darknet website in recent days. They also introduced an “auction” feature to their website, with Canadian agriculture company Agromart Group’s data as their first lot, starting bids at $50,000 USD.

SODINOKIBI USED AGAINST AGROMART GROUP

Agromart Group is a Canadian agriculture company with offices in Ontario. The Happy Blog post for Agromart suggests the hack of the group of several companies (including Scotland Agromart Ltd.) likely occurred on or around 26 May 2020. The hackers state they have corporate documents and accounts with over 22,000 files and 3 databases. Several accounting spreadsheets appear in the screenshots included as evidence of the legitimacy of the attack. The spreadsheet appears to consist of a list of Agromart’s customers and their orders. There was also a document labeled “Personal Net Worth Statement” with details of an employee’s personal financial information. It is unclear whether this attack has impacted or will impact Canada’s farming industry.

Early Tuesday morning, the hackers debuted an “auction” section of their darknet blog featuring Agromart, indicating a divergence from the Russian Jokerbuzz darknet auction hidden service mentioned in the Grubman Shire announcement. The minimum deposit in Monero (XMR) is $5,000 USD with a suggested starting price for the files and databases of $50,000 USD. The auction’s “blitz” price is $100,000 USD and will last only a week. The hackers also included links to purchase the Monero cryptocurrency, preferring Monero to Bitcoin transactions.

TELECOMMUNICATIONS AND ENERGY FIRMS NOT IMMUNE

Hackers also posted links to South African telecommunications and mobile phone provider, Telkom, as well as British energy reporting and accounting company, Elexon. The announcement for Telkom’s hack was brief while the hackers included a link to “sample” files from Elexon’s corporate network and multiple screenshots. One included a renewal application form for CFC’s Cyber Private Enterprise, suggesting the company held an insurance policy for such a cyber attack.

According to their public website, Elexon admitted the attack on their internal networks occurred on 14 May 2020 and there was no risk to the public or loss of customer-level data.

We have identified the root cause and are now resolving the
issue. As we do not hold any customer level data, there is no
risk to the public.

ELEXON is not part of the real time physical flow of electricity
from power stations to consumer. Therefore there is no impact to
power supplies.

— elexon.co.uk

Several Law Firms Added in Recent Days

The REvil hackers also debuted hacks from additional US law firms: Indiana-based Wartman Law Firm and Fraser Wheeler and Courtney LLP in Louisiana. The post for Wartman indicates there are several hundred folders of customer and client data compromised and the law office has a week to respond with payment. The hackers state the Fraser Wheeler and Courtney data leak is over 50 GB with a repurchase price of $100,000 USD.

As of this update, DarkOwl has observed 41 data leaks posted to the REvil / Sodinokibi ransomware hackers’ “Happy Blog.” The post numbering system is up to 76, and we assess there are a large number of corporate victims who either have not yet been mentioned or who paid the ransom and avoided public inclusion on the darknet blog.

Given the volume and frequency of new postings, the threatening language used on recent public announcements and the latest introduction of the “auction” feature to their website, it is evident the hackers are feeling more emboldened and confident in the success of their extortion endeavors.

DarkOwl also discovered that the data of a previous victim, the National Eating Disorders Association (NEDA), which was archived by DarkOwl Vision in late March and has since been removed from the Happy Blog, has recently appeared on a darknet marketplace not previously assessed to have any affiliation with the REvil hackers.

A vendor using the moniker “eternos” registered on the ASEAN market in early May, and the listing for the NEDA database appeared shortly thereafter for as little as $99 USD. There is no intelligence to suggest “eternos” is associated with the REvil hackers: the database could have been collected by an independent darknet group from links shared earlier on REvil’s Happy Blog, or harvested from the NEDA network entirely independently of the REvil ransomware attack on the organization.

New Targets Announced over Memorial Day Weekend

While the US celebrated Memorial Day weekend, the REvil/Sodinokibi hackers continued to target corporations around the globe. On Monday, May 26, 2020, the hackers announced another new victim, a law firm called Vierra Magen Marcus LLP. The hackers then announced their next new target, Titan Entertainment, late Tuesday, May 27, 2020. Since DarkOwl Vision’s first capture of the “Happy Blog” V3 hidden service in late February 2020, we know of at least 32 victims of the Sodinokibi ransomware since the website launched, an average of 2.6 successful infections deemed worth public disclosure per week.

VIERRA MAGEN MARCUS LLP

Vierra Magen Marcus LLP is another California-based intellectual property law firm with an extensive client list across “Technology, Science, and Growth Enterprises.” The hackers describe their extorted archive as including 1.2 terabytes of documents, including patents, non-disclosure agreements, and conflict resolution legal documents.

TITAN ENTERTAINMENT

Late Tuesday, the hackers added another victim, Titan Entertainment, based out of London, UK, with only the URL for the company’s website and the text, “download- Will be soon…” The screen capture provided by the hackers appears to include a list of the company’s servers and their associated backups, along with internal IP addresses of the compromised systems. At the time of writing, the website URL for Titan Entertainment listed on the Happy Blog is unresponsive.

FARO Technologies, a Leading 3D Printing/Manufacturing Company, is Latest Victim of REvil Hackers’ Ransomware Attacks

UPDATE: As of May 27th, Happy Blog no longer contains the post discussed below, suggesting FARO may have paid the ransom demands.

On May 20th, sometime between 11:31 MST and 2:38 MST, the hacking group known as REvil posted an announcement to the darknet forum Happy Blog stating that they had identified and compromised a new target, FARO Technologies. The hackers stated that FARO Technologies had 24 hours to pay their ransom demands, or they would leak 1.5 TB of FARO’s data to the public. It is unclear how many files REvil has in total.

This announcement comes as the hackers continue to target the high-profile law firm Grubman Shire Meiselas & Sacks – and leak highly sensitive data pertaining to their celebrity clientele.

Per their website, FARO is the world’s most trusted source for 3D measurement, imaging and realization technology. The company develops and manufactures leading edge solutions that enable high-precision 3D capture, measurement and analysis across a variety of industries including manufacturing, construction, engineering and public safety.

Sometime after making this initial announcement, REvil updated their post to state they were giving FARO Technologies an additional 20 hours due to “a minor technical issue.” Then, in a subsequent post, they stated the following:

“FARO Technologies has exactly 3 hours, after which we will publish a link to the data here. FARO Technologies, if you do not know where to find the instructions, contact your employee [redacted]. He has already visited website, seen the instructions and knows what to do.”

On May 21st, REvil published the below announcement claiming that FARO had failed to meet their ransom demands, including a link to the data files. It is unclear what measures each party took to remediate this situation, though it appears that at some point, FARO’s parent company became involved. To our knowledge, REvil has never stated how much money they have demanded of their hostage.

May 19th/20th – Screenshot of initial announcement, and an image of the data they claimed to have belonging to FARO Technologies

May 21st – Screenshot of the actual data files that the criminal actors released to the public after claiming that FARO would not pay their extortion demands

Items of note in the file tree shared as a preview of what will allegedly be included in the 1.5 TB data drop include: IT audits, forensic information pertaining to public safety, global research and development files, legal records, and user data.

REvil Announces Next Target will be Madonna and Claims They’ve had Offers from Buyers for Trump Data

May 18: Just before 7:00PM UTC, DarkOwl Analysts observed an update to Happy Blog with the following announcement. In it, REvil states that Madonna is their next target, and that they will be auctioning off her personal files on the 25th of May. There is no reference to the ongoing ransomware attack they have conducted on Grubman Shire Meiselas & Sacks (GSM), indicating the hackers may be pivoting their approach to making a profit off of selling the personal data of high net worth individuals (instead of just attempting to exploit GSM with ransomware payments).

The hackers are starting the bidding for Madonna’s confidential data at $1 million USD.

Third Press Release from REvil announcing their next target will be music artist Madonna

The hackers also stated that they have far more information pertaining to Donald Trump than was released in their initial drop, and that they have received several offers from buyers who want the full extent of the information REvil has “accumulated” over time.

In the second press release they published, they address the fact that they have been accused of “bluffing,” maintaining that the full extent of the information they have on Trump is damaging and will lead to public disgrace and financial loss.

Second Press Release from REvil, defending the legitimacy of the files they have that pertain to Donald Trump

REvil also states that they do not plan to cease their ongoing ransomware attack, but do plan on profiting from selling individual client data, regardless of whether GSM has paid their ransom demands.

ORIGINAL POST:

Hollywood Law Firm Hacked; Personal Data of High Profile Individuals Exposed

On May 11, 2020, lawyers for the Hollywood elite, Grubman Shire Meiselas & Sacks (GSM) confirmed publicly they were in the midst of a cyber ransomware attack, with hackers holding hostage some 756 GB of sensitive client data, contracts, and personal information harvested from their main website server, www.gsmlaw.com, which remains offline.

The hackers, believed to be from Eastern Europe, demanded a ransom of $21 Million USD putting the law firm and their clients in a precarious position during already stressful times due to the COVID-19 pandemic.

Hackers Post Entertainment & Media Lawyers Data on Darknet, Date: May 14, 2020

Regardless of where the owners of the law firm stand in negotiations with the hackers, and whether or not the FBI has become directly involved, the hackers have already started publishing data from the ransomed servers on the darknet. DarkOwl analysts discovered a Tor hidden service the hackers maintain called “Happy Blog.” It was there that they announced the GSM hack in early May, and it continues to be where the group routinely publishes updates. The hackers’ announcement lists many of GSM’s exclusive clients, such as Madonna, Facebook, Elton John, Barbra Streisand, and Lady Gaga, along with 9 inactive but prepared links for separate data leaks.

The underground website also includes screen captures of over 176 folders listed on the compromised server and what appears to be signed contracts and agreements from Christina Aguilera in 2013 and Madonna’s World Tour 2019/20. There are numerous other famous actors and musicians from Hollywood mentioned.

Sample of the Folders Hacked from the Entertainment Lawyer’s Server

Agreements with Clients Shared on the Darknet to Legitimize the Attack

Lady Gaga Data Exposed

Lady Gaga data leaked by Hackers in 2.2GB file

DarkOwl analysts also discovered that the first of the 9 data leaks had been released at 2:00pm UTC on Thursday, May 14, 2020, and included over 2 GB of data related to the entertainer Lady Gaga, who is due to release a new album at the end of the month. Along with the data leak, the hackers updated the website to state, “we public the first part of the data because the time is up” (confirming that English is not their native language).

A review of the data revealed over 3,000 files across 350 folders, which include but are not limited to: W9 forms, expense reports, producer agreements, certificates of engagement, and confidentiality agreements from the last decade. Of particular concern is the folder listed as “Gaga Medical Confidentiality Agreements”, which most likely includes some of the most personally identifiable information for the mega entertainer, such as her social security number.

Sample listing of some of the folders from Lady Gaga Data Leak on May 14th, 2020

The Next High Profile Individual Data-Drop: Donald Trump

On May 14, 2020, the hackers responded even more seriously, doubling the ransom in a new message stating, “The ransom is now [doubled to] $42,000,000 … The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry on time.” According to PageSix, the hackers added, “Mr Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president … The deadline is one week.”

DarkOwl analysts have confirmed that the second drop did contain information pertaining to Donald Trump. While he was not a client of GSM’s, there were leaks from associates of his that reference him, as well as leaked correspondence between GSM and other clients in which either Trump or Trump’s entertainment holding company were mentioned.

Since Trump was not a client of GSM, the second REvil drop is not like Lady Gaga’s, and his personal files were not made public in any way. Regardless, DarkOwl analysts are currently in the process of reviewing the leaked correspondences for items of note. This blog will be updated accordingly as we do so.

“Small Press Release” Posted on Happy Blog announcing that the next target would be Donald Trump

REvil Announces New Target: Sherwood Food Distributors, LLC

UPDATE: As of (approximately) May 20th, Happy Blog no longer contains the post discussed below, suggesting Sherwood may have paid the ransom demands.

The same group of hackers who just released highly sensitive data relating to Lady Gaga as a part of their ongoing extortion attempt of Grubman, Shire, Meiselas and Sacks have posted on the darknet that they are holding another company for ransom – Sherwood Food and Harvest Distributors. The threat actors posted a notice about their new target around 3pm MST 5/15.

This notice contained a link to download a portion of Sherwood’s proprietary files as “previews”, which they plan on releasing one at a time (8 in total). The first link to leaked information contains roughly 2,300 files. These files contain highly sensitive data including cash-flow analysis, sub-distributor info, detailed insurance information, proprietary vendor information (including for Kroger, Albertsons, and Sprouts), scanned driver’s license images for drivers in their distribution networks, etc. The threat actors also posted a conversation they had with Coveware, a leading ransomware mitigation company, dating back to at least May 3rd.

This shows Sherwood has been aware of and dealing with this attack for over a week, and had not made this information public. While the threat actors only posted Coveware’s side of the conversation, it is clear that Coveware attempted to negotiate by acting as a middleman between Sherwood, their board, and the attackers. Also of note is that Grubman, the law firm, also utilized Coveware’s services, which is worth keeping in mind considering these are two supposedly unrelated companies/targets.

Announcement on Happy Blog that Sherwood Food Distributors were the latest targets of REvil hackers

Screen captures of the conversation the hackers had with Coveware, a 3rd party ransomware mitigation firm

Sample Sherwood data that REvil sent to Coveware to show them that their threats were serious

Who are these Hackers?

According to open source reporting, the hackers responsible for the ransomware are known as REvil or Sodinokibi, who infamously attacked the foreign exchange company Travelex late last year with similar ransomware. Travelex paid the hackers $2.3 million of the $6 million USD in ransom demanded.

There are several mentions of the ransomware developers across English and Russian speaking darknet forums and marketplaces.

The Sodinokibi ransomware authors and their associates have been widely distributing the ransomware through infected JavaScript on WordPress websites. Upon installation on the victim machine, it deletes all Shadow Volume Copies, disables Startup Repair in Windows and then begins encrypting all the files on the system hard drive.

Once the malware completes its encryption process, Sodinokibi modifies the desktop wallpaper, adding a ransom note, which contains instructions about the decryption process. The ransom note also includes instructions on how to make the payment to have the files decrypted, including unique keys and links to the payment site (likely Monero).
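The two pre-encryption steps described above, deleting Volume Shadow Copies and disabling Startup Repair, are the most detectable moments in the chain, because they run as ordinary command lines before any file is touched. The script below is an added example of a hunt over process-creation telemetry for exactly those commands; it is not code from the original post, and the rule set reflects the commonly reported forms of these commands (vssadmin, wmic and bcdedit) rather than anything the page specifies. The Sysmon-style log lines and the parent process name are constructed for the example.

```python
"""Hunt process-creation logs for recovery-inhibition commands (added example).

Input lines follow a constructed, Sysmon-like layout:
  <timestamp> EventID=1 Image=<path> CommandLine="<cmd>" ParentImage=<path>
"""
import re

# Each rule: executable basename and a token sequence that must appear
# consecutively in the lower-cased command line. Adjacency keeps
# "vssadmin list shadows" (benign) from matching "delete shadows".
RULES = {
    "shadow_copy_deletion_vssadmin": ("vssadmin.exe", ("delete", "shadows")),
    "shadow_copy_deletion_wmic": ("wmic.exe", ("shadowcopy", "delete")),
    "startup_repair_disabled": ("bcdedit.exe", ("recoveryenabled", "no")),
    "boot_failure_ignored": ("bcdedit.exe", ("bootstatuspolicy", "ignoreallfailures")),
}

LINE_RE = re.compile(r'^(\S+) EventID=1 Image=(\S+) CommandLine="([^"]*)" ParentImage=(\S+)')

# Constructed sample telemetry: three inhibition commands from one unsigned
# parent, one benign vssadmin query, one unrelated process start.
PROCESS_LOG = r"""
2020-05-14T13:02:11Z EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" ParentImage=C:\Users\demo\AppData\Local\Temp\update.exe
2020-05-14T13:02:12Z EventID=1 Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit.exe /set {default} recoveryenabled No" ParentImage=C:\Users\demo\AppData\Local\Temp\update.exe
2020-05-14T13:05:40Z EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe
2020-05-14T13:06:02Z EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\demo\AppData\Local\Temp\update.exe
2020-05-14T13:07:00Z EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Windows\explorer.exe" ParentImage=C:\Windows\System32\userinit.exe
"""


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def contains_sequence(tokens, seq):
    """True if seq occurs as consecutive elements of tokens."""
    n = len(seq)
    return any(tuple(tokens[i:i + n]) == seq for i in range(len(tokens) - n + 1))


def hunt_recovery_inhibition(log_text, rules=RULES):
    """Return one hit per matching process start: time, rule, parent, command line."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, image, cmdline, parent = match.groups()
        exe = basename(image)
        tokens = cmdline.lower().split()
        for name, (rule_exe, seq) in rules.items():
            if exe == rule_exe and contains_sequence(tokens, seq):
                hits.append({"time": ts, "rule": name, "parent": basename(parent), "cmdline": cmdline})
    return hits


def suspicious_parents(hits, min_rules=2):
    """Parents that triggered at least min_rules distinct rules: the encryptor itself, usually."""
    seen = {}
    for hit in hits:
        seen.setdefault(hit["parent"], set()).add(hit["rule"])
    return sorted(parent for parent, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt_recovery_inhibition(PROCESS_LOG)
    for hit in found:
        print(hit["time"], hit["rule"], "<-", hit["parent"], ":", hit["cmdline"])
    print("parents worth isolating:", suspicious_parents(found))
```

Any single rule can fire on an administrator cleaning up disk space, so the second function is the useful one: one parent process issuing two or more of these commands within seconds is the signal to isolate the host before the encryption pass finishes.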

Reception to REvil’s latest antics has not been great. Members of the XSS forum have expressed displeasure at how much attention this has brought them, posting:

Translation: “hey can’t keep their mouths shut)

Who are they? Threatening the President of the United States is not a very smart thing to do, especially BL#t on the FORUM. They would have rolled out their post about it on THEIR website, where they throw bases – no one would have said a word to them.

And so such clowns generally need to be driven from the forums, so that the water is not muddied. IMHO”

DarkOwl Analysts continue to dig into this hacking group to see what we can uncover. Stay tuned for updates as we will continue to update this blog with new findings.

Zoom Accounts For Sale on the Darknet Highlight On-Going Need for Better OPSEC

As most of the world shelters in place due to the COVID-19 pandemic, Zoom – the video conferencing tool we’re all very familiar with by now – has witnessed an extraordinary surge in use. Employees are on calls in Zoom for hours a day conducting meetings with their coworkers. Families and friends, unable to meet in person, connect on Zoom for virtual happy hours, weekends and holidays. In the first quarter of 2020, Zoom Video Communications added 2.22 million monthly active users, contributing to what is rapidly approaching a total of 13 million monthly users.

Given that hackers have also been on lockdown in their homes, it is no surprise that less than a month after most of the U.S. went under quarantine, compromised Zoom accounts appeared for sale on criminal forums in the deep web and darknet. In late March, news headlines declaring a “Zoom Breach” quickly began appearing en masse. As a result, we decided to take a closer look at what we’re calling the “Zoom Situation” (more on that below), and in this blog will outline how, in a matter of months, this convenient, free video conferencing software became a major public information security concern.

One item that we want to note upfront is that Zoom – as in, the company – was not breached. To our knowledge, no hacker gained access to their user database or broke into their servers in any way. As analysts, we take care to differentiate between “breaches,” “leaks,” “credential compilations,” etc., because they mean very different things in relation to the cybersecurity posture of the targeted organization.

Zoom is only as insecure as your password reuse habits

The latest offers for Zoom accounts across darknet forums and marketplaces speak less to the security of Zoom’s software and more to the continued reuse of usernames and password combinations across commercial applications. In other words, the greatest and most important takeaway from this situation is that it would have been entirely avoided if Zoom users weren’t reusing passwords they’ve used elsewhere.

There’s nothing particularly special about Zoom’s conferencing security. The platform itself relies on the standard Transport Layer Security (TLS) 1.2 protocol, which replaced the deprecated Secure Sockets Layer (SSL) under HTTPS, and encrypts chats using the Advanced Encryption Standard (AES) 256-bit block cipher. However, in spite of this fairly basic framework, there is no indication that the 500K accounts offered for sale were collected by exploiting a vulnerability within the Zoom application.

Instead, DarkOwl assesses with high confidence that the hackers selling this data used a method called “credential stuffing” to test Zoom’s login authentication against publicly available username and password combinations. So, if your email address and password were exposed in another breach, even one from years back, and you used that same email/password combination to log into Zoom, you would now be a part of what others are referring to as the Zoom Breach.

By running old, leaked credentials through a credential-stuffing validation tool, hackers found historical-breach credentials that still worked for 3.8% of Zoom’s registered members. Anyone using a tool like this could target any organization they wanted to.

One such tool called SNIPR (pictured) is a leading credential-stuffing toolkit supporting multiple attack surfaces including web requests (http/s) and IMAP-based email accounts without the need for any command-line or shell programming from the user.

Figure 1: SNIPR credential-stuffing toolkit in action (Source: www.snipr.gg)

Because of the increased worldwide use of Zoom due to the pandemic, Zoom became a target of interest for (presumably) bored hackers, resulting in a list of 500K verified Zoom accounts being offered for sale on the darknet service, POPBUY Market for 10,000 USD in BTC ($50 USD per account). It is unclear from the vendor’s listing on the market who is behind the offer or if it is legitimate.

Figure 2: POPBUY Market (Source: Tor Anonymous Network, Captured Live 21 April 2020)

Figure 3: Sanitized Snapshot of Sample Zoom Data offered for Sale (Source: DarkOwl Vision MD5: edf8ca26843157d313f6502ff970a9bb)

Another listing for Zoom account data appeared on deep web hacking forum, nulled.to, at a much cheaper price than the darknet marketplace above. This advertisement pointed to the hacker’s “Shoppy” account that offers each account for as little as 0.25 USD and included an external link to a sample file with some of the compromised data. The paste included 91 records with the username, password, Zoom URL (with password), Numerical HostKey, Real Name of User, and account type.

Our analysts confirmed that the sample “hacked accounts” in the offer include email address and password combinations already indexed in Vision from previous data breach collections, which supports the assessment that the hackers verified the accounts using credential stuffing.

DarkOwl assesses that the significantly reduced price relative to the darknet market is the result of Zoom advising users to change their passwords, which renders the account data virtually useless to the buyer.

The hacker offering these accounts uses the monikers sufiyan.755 and MuratSarsilmaz. The account has “junior member” status on the surface web forum LeakZone and no darknet documents in DarkOwl Vision.

The hacker’s Shoppy account also lists very few other offerings, suggesting this is a beginner hacker entering the market.

Figure 4: Offer for x10 Zoom Accounts (Source: LeakZone.net Deep Web Forum, Captured Live 21 April 2020)

Zoom may be in the clear in this case, but historically does not seem concerned about user privacy

Zoom is sharing your data with Facebook

In March 2020, open source reporting confirmed that Zoom has been making money by sharing personal user data with Facebook in return for subsequent advertisement revenue. A new, resulting lawsuit states that Zoom, “failed to properly safeguard personal information” of its users. The lawsuit follows a MotherBoard report that verified how the Zoom iOS app for Apple smartphones was sharing information with Facebook about its users without their consent.

Data that Zoom shared with Facebook included:

  • a flag when the user opens the app;

  • details on the user’s device, such as the model;

  • the time zone and city they are connecting from;

  • the phone carrier they are using;

  • a unique advertiser identifier created by the user’s device, which companies can use to target the user with advertisements in the future.

Figure 5: qTox, an alternative to Zoom, supports encrypted video conferencing (Source: http://www.linux.com)

This sharing of data with Facebook was not disclosed in the application’s Terms and Conditions, which is the foundation for the lawsuit. Most anonymous and privacy-conscious internet users avoid video conferencing software like Zoom and prefer encrypted applications like qTox (pictured) or Signal, or will simply forgo video chatting altogether.

They’ve allowed Zoom-bombing to thrive

The science of Zoom-bombing is as simple as BASH. Before the pandemic, some Zoom users complained of random people connecting to their Zoom conference meeting rooms without saying anything. Other hosts even received Zoom’s alert email “participants are waiting” at all hours of the night, which appears to have been reconnaissance for testing what has morphed into the pandemic Zoom-bomb.

Since quarantine, many conferences have been subjected to the Zoom-bomb, where hackers enter the conference and then subject the unwilling participants to an array of shocking and often illegal content. The frequency of this has resulted in the now widespread use of password-protected conferences and of host approval being required for participants entering after the meeting has started.

How does this happen? Largely, this can be attributed to Zoom’s overly simple URL identifier for meetings, which appends a string of 9 digits to the end of the address as the user’s meeting identification: https://zoom.us/j/<string of 9 random numbers>. DarkOwl analysts shared that this simple numeric string (9 digits at the time, since lengthened to 11) could be auto-generated in a loop inside a BASH shell script or any popular scripting language that then tests the URL with the UNIX curl or wget command. Confirmed meetings could then be targeted by manually “bombing” the conference call with malicious audio and imagery.

Some open source reports suggest that many of the trolls behind the majority of the Zoom-bombings are antisemitic hackers targeting Jews during online meetings by flooding conferences with imagery of swastikas and Nazi soldiers. There’s a lot of evidence that suggests this is true; however, a number of hackers have targeted many other non-faith-based and academic conferences, as well as individuals.

To make the situation more complicated, adding password requirements to Zoom meetings soon might not be enough – though we do strongly recommend this as an initial step. For example, last week, hackers on the popular darknet cybersecurity forum Torum mentioned a resourceful tool called the ZWarDial code, developed by KCSec. According to Brian Krebs, this code apparently leverages the BASH script idea and automates the Zoom-bomb without needing a user account or password. This intelligence suggests that hackers are already evolving their tactics and techniques in response to Zoom’s security implementation.
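The defender’s view of both patterns discussed on this page (the credential stuffing described under “Zoom is only as insecure as your password reuse habits” and the meeting-ID probing described in this section) is that each leaves a distinctive trace in server logs: one source address cycling through many different usernames, or many different meeting IDs, with almost every attempt failing. The following Python script is an added example, not DarkOwl’s code and not Zoom’s, that runs a sliding-window detector over a constructed, generic login/join log. The log format, the IP addresses, usernames and meeting IDs, and the thresholds (5 distinct subjects and an 80% failure ratio inside 60 seconds) are all assumptions chosen for illustration; a real deployment would tune them against its own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real Zoom log format): "<time> <ip> <event> <subject> <result>".
# For "login" events the subject is a username; for "join" events it is a meeting ID.
SAMPLE_LOG = """\
2020-04-21T10:00:01Z 203.0.113.5 login alice@example.com FAIL
2020-04-21T10:00:02Z 203.0.113.5 login bob@example.com FAIL
2020-04-21T10:00:02Z 203.0.113.5 login carol@example.com FAIL
2020-04-21T10:00:03Z 203.0.113.5 login dave@example.com FAIL
2020-04-21T10:00:04Z 203.0.113.5 login erin@example.com FAIL
2020-04-21T10:00:05Z 203.0.113.5 login frank@example.com OK
2020-04-21T10:01:00Z 198.51.100.7 login grace@example.com FAIL
2020-04-21T10:01:09Z 198.51.100.7 login grace@example.com OK
2020-04-21T11:00:00Z 192.0.2.9 join 100000001 NOTFOUND
2020-04-21T11:00:00Z 192.0.2.9 join 100000002 NOTFOUND
2020-04-21T11:00:01Z 192.0.2.9 join 100000003 NOTFOUND
2020-04-21T11:00:01Z 192.0.2.9 join 100000004 NOTFOUND
2020-04-21T11:00:02Z 192.0.2.9 join 100000005 NOTFOUND
2020-04-21T11:00:02Z 192.0.2.9 join 100000006 NOTFOUND
2020-04-21T11:00:03Z 192.0.2.9 join 100000007 OK
2020-04-21T09:00:00Z 198.51.100.22 join 200000001 OK
2020-04-21T12:00:00Z 198.51.100.22 join 200000002 OK
2020-04-21T13:00:00Z 198.51.100.22 join 200000003 OK
2020-04-21T14:00:00Z 198.51.100.22 join 200000004 OK
2020-04-21T15:00:00Z 198.51.100.22 join 200000005 OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login|join) (?P<subject>\S+) (?P<result>\S+)$"
)

# Which abuse pattern a burst of failures on each event type indicates.
PATTERN_NAMES = {"login": "credential stuffing", "join": "meeting-id enumeration"}


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "event": m["event"],
        "subject": m["subject"],
        "result": m["result"],
    }


def detect(lines, window=timedelta(seconds=60), min_distinct=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window`, touch at least `min_distinct` different
    subjects (usernames or meeting IDs) with a failure ratio of at least `min_fail_ratio`.
    Returns one alert dict per (ip, pattern), sorted by ip. Thresholds are assumptions."""
    per_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_key[(rec["ip"], rec["event"])].append(rec)

    alerts = []
    for (ip, event), recs in per_key.items():
        recs.sort(key=lambda r: r["ts"])
        subjects = Counter()  # distinct subjects currently inside the window
        failures = 0
        start = 0
        for end, rec in enumerate(recs):
            subjects[rec["subject"]] += 1
            failures += rec["result"] != "OK"
            # Slide the window start forward until every record fits inside `window`.
            while rec["ts"] - recs[start]["ts"] > window:
                old = recs[start]
                subjects[old["subject"]] -= 1
                if subjects[old["subject"]] == 0:
                    del subjects[old["subject"]]
                failures -= old["result"] != "OK"
                start += 1
            attempts = end - start + 1
            if len(subjects) >= min_distinct and failures / attempts >= min_fail_ratio:
                alerts.append({
                    "ip": ip,
                    "pattern": PATTERN_NAMES[event],
                    "distinct": len(subjects),
                    "attempts": attempts,
                    "failures": failures,
                    "first_seen": recs[start]["ts"].isoformat(),
                })
                break  # one alert per source and pattern is enough
    return sorted(alerts, key=lambda a: a["ip"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note what does not fire: the user who mistypes a password once and then logs in (198.51.100.7) and the heavy meeting user who joins five different meetings over a day (198.51.100.22). Counting distinct subjects per source, not raw request volume, is what separates a stuffing or enumeration run from ordinary traffic, and the same logic applies to any application’s authentication or resource-lookup endpoint, not only Zoom’s.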

Figure 6: Hackers discuss sophisticated tools that could circumvent Zoom security (Source: DarkOwl Vision MD5: 5ddbbce8549cc1b33628dc0eba5b8280)


Hackers might be attempting to disable Zoom accounts in the future

DarkOwl Vision also captured a snippet of PowerShell source code for a function called “Disable-ZoomAccount”, which includes logic to check whether a user exists on Zoom, via a User Principal Name (UPN), in this case an email address, and, if the legitimate user is “active”, changes the ZoomUserStatus to “deactivate.” The function writes to a log whether it succeeded or whether manual intervention is required to disable the account before closing. The purpose of the function, and how it will be used in the wild, was not identified in the deep web document.

Figure 7: PowerShell source code for a function that disables Zoom Accounts (Source: DarkOwl Vision MD5: 28e89b4454f2dfdbc5a97fb0b2c1c92c)


Zoom is rapidly patching security issues

Zoom has responded quickly to criticism of their video conferencing platform. This is perhaps in response to the fact that in late March and early April 2020, New York City school districts – as well as Elon Musk’s SpaceX operation – publicly stated they would no longer be using Zoom software due to ongoing security concerns.

The digital conferencing platform has also responded with an in-depth security audit and released multiple security updates to the software. Security updates include support for more complex meeting password requirements, an increase in the random meeting identification from 9 digits to 11, and password protection for shared cloud recordings of meetings being on by default.

To prevent unauthorized and un-attributable malicious access, there is no longer the option to “Join Before Host” and all participants require a Zoom account to participate in a Zoom conference call. Zoom had also temporarily disabled third-party support for file-sharing services such as Box and OneDrive; as of late last week’s security updates, this feature was available again.


Takeaways and advice

When it comes to Zoom, there are still steps that you can take right now to add an additional measure of security to yourself and your organization:

  • What happened with Zoom could happen with any internet-based application. So, remind your employees, family and friends to choose unique password and email address combinations on every commercial application.

  • Adding password protection to Zoom meetings is the first step to mitigating unauthorized access to the user’s conference room.

We can’t emphasize this enough: what happened to Zoom (and Zoom-users) can happen to any internet-based application at any time. It only takes one hacker with access to old, breached/leaked credential data and a credential-stuffing tool to target an organization of their choosing. As such, with the current level of dependency on remote working and virtual video conferences, DarkOwl encourages all to be vigilant while using any platforms that require user account registration:

  • Set up accounts on such software with unique (if not disposable) email addresses, using complex passwords not used anywhere else.

  • Apply any and all additional security options available, such as password-protection for the meeting and limiting access to stored shared recorded meetings.
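One way a service can enforce the first bullet on its own side, rather than relying on users to remember it, is to refuse at registration or password change any password that already appears in a known-breach corpus. The Python example below is added here and is not DarkOwl’s or Zoom’s code. It mirrors the k-anonymity “range” lookup popularised by Have I Been Pwned: only the first five hex characters of the password’s SHA-1 hash cross the trust boundary, the lookup side returns every hash suffix it holds under that prefix, and the match is made locally. The breach corpus here is a tiny constructed in-memory set standing in for a real breach-hash database, and the 12-character minimum is an assumed policy value.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (real corpora hold hundreds of millions).
CONSTRUCTED_BREACH_CORPUS = {
    "password",
    "123456",
    "letmein",
    "zoom2020",
    "correcthorsebatterystaple",
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest HIBP-style range lookups key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index the corpus by 5-char hash prefix -> list of 35-char suffixes (the 'server' side)."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(index, prefix: str):
    """Simulated lookup service: given only a 5-char prefix, return all suffixes under it.
    The caller never reveals the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(index.get(prefix.upper(), []))


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(index, prefix)


def password_acceptable(password: str, index=BREACH_INDEX, min_length: int = 12):
    """Registration policy (assumed values): reject short passwords and breached ones.
    Returns (accepted, reason) so the caller can tell the user why."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, index):
        return False, "appears in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["zoom2020", "correcthorsebatterystaple", "unique-to-this-site-only"]:
        print(candidate, "->", password_acceptable(candidate))
```

Run against a real corpus, the same check also catches the exact situation described on this page: a password that the user considers strong but that already sits in an older breach dump is rejected before it can be stuffed back in.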

If you are considering abandoning Zoom altogether, TechRepublic recently posted a list of alternative video conferencing applications.


Thanks for reading our blog! Contact us if you want to know more about this issue or discuss how DarkOwl can help mitigate your account information appearing on the darknet.

Copyright © 2024 DarkOwl, LLC All rights reserved.