Chan Imageboards Proliferate on the Darknet


An Introduction to Imageboards of the Darknet

The darknet is replete with an extensive array of content, including onion services and communities that intelligence and investigative analysts have noted are home to cyber criminals, scammers, and threat actors. Typically, the most common hubs for these users are darknet marketplaces and blogs/forums. However, our analysts have recently observed the increasing presence of a legitimate and growing segment of the darknet, made up of a community of free-speech enthusiasts who use imageboards known as “chans.”

The rise of QAnon and the coordinated siege of the U.S. Capitol in January shined a spotlight on one wildly popular imageboard known as 8chan, bringing about significant coverage in mainstream media. In the wake of such recent events, we have observed an increase in imageboard hosting on the darknet, including many direct copies of the 8chan codebase that are serving as new safe havens for emerging, controversial chan boards. In fact, DarkOwl has identified over two dozen alternative chans on the darknet – not related to 4chan or 8chan – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active.

About Imageboards: What is an Imageboard and Why is it called a Chan?

An imageboard is a type of bulletin-board-like forum that revolves around the posting of images, often alongside text and discussion. Imageboards are characterized by a community of users with non-identifiable usernames, usually simply “Anonymous”, who rely on a system of tripcodes instead of registration with credentials. A tripcode is the hashed result of a password chosen by the user: it lets a poster’s identity be recognized across posts without the board storing any data about the user, and entering the same password again lets the user “sign” later posts with the tripcode generated from it, which is often necessary for moderators and staff. 4chan and 8chan (or 8kun) implemented secure tripcodes that are not reproducible across different imageboards and are more resistant to having the hashed password cracked. The originating IP address of the user is known to the administrator of the imageboard, but the pseudo-anonymity of the forum structure led to its users calling themselves “anons.”
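The following Python, added here as an illustration and not taken from the post or from any imageboard’s software, models the two tripcode styles described above: a plain tripcode that depends only on the password (so it is the same on every board and can be checked offline by anyone who sees it) and a secure tripcode keyed with a per-board secret. It assumes SHA-256/HMAC-SHA256 in place of the DES crypt(3) call real boards use, and the board secrets and name fields are constructed.

```python
import base64
import hashlib
import hmac
import re

TRIP_LEN = 10  # displayed tripcodes are 10 characters in both styles


def _salt_from_password(password: str) -> str:
    """Classic salt rule: characters 2-3 of (password + 'H.'), with anything
    outside the '.'..'z' range replaced by '.' and a few punctuation
    characters mapped to letters. Everything is derived from the password."""
    salt = (password + "H.")[1:3]
    salt = re.sub(r"[^.-z]", ".", salt)
    return salt.translate(str.maketrans(":;<=>?@[\\]^_`", "ABCDEFGabcdef"))


def plain_tripcode(password: str) -> str:
    """Unkeyed tripcode. Real boards run DES crypt(3) on the password with the
    salt above and keep the last 10 characters; SHA-256 stands in here (an
    assumption made for portability). The weakness is unchanged: no secret
    is involved, so the same password gives the same code on every board,
    and anyone holding an observed code can test password guesses against it."""
    salt = _salt_from_password(password)
    digest = hashlib.sha256((salt + password).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:TRIP_LEN]


def secure_tripcode(password: str, board_secret: bytes) -> str:
    """Keyed tripcode: HMAC-SHA256 under a secret that never leaves the
    board's server. The same password yields a different code on every
    board, and without the key an observed code cannot be checked offline."""
    mac = hmac.new(board_secret, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:TRIP_LEN]


def verify_secure_tripcode(password: str, board_secret: bytes, expected: str) -> bool:
    """Constant-time comparison, e.g. when a post must match a known staff code."""
    return hmac.compare_digest(secure_tripcode(password, board_secret), expected)


def render_name(name_field: str, board_secret: bytes) -> str:
    """Turn the submitted name field "Name#trippass##securepass" into what is
    displayed: "Name!trip!!securetrip". Only the derived codes are shown or
    stored; the passwords are discarded after hashing."""
    name, sep, rest = name_field.partition("#")
    if sep and rest.startswith("#"):      # "Name##securepass" (no plain trip)
        trip, secure = "", rest[1:]
    else:                                 # "Name#trippass[##securepass]"
        trip, _, secure = rest.partition("##")
    shown = name or "Anonymous"
    if trip:
        shown += "!" + plain_tripcode(trip)
    if secure:
        shown += "!!" + secure_tripcode(secure, board_secret)
    return shown


if __name__ == "__main__":
    # Constructed secrets for two hypothetical boards, not real board keys.
    board_a = b"constructed-secret-for-board-a"
    board_b = b"constructed-secret-for-board-b"
    field = "Anonymous#hunter2##hunter2"  # constructed name field
    print("board A:", render_name(field, board_a))
    print("board B:", render_name(field, board_b))
    # The "!..." part is identical on both boards; the "!!..." part differs.
```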

The very first imageboard was 2channel (2ちゃんねる, 2chan, or 2ch), first launched over two decades ago by Hiroyuki Nishimura, a Japanese Internet entrepreneur and student based in the United States at the time. By hosting the board outside of Japan, Nishimura managed to circumvent Japanese internet censorship and grew the predominantly Japanese online community to millions of daily users, with a level of influence in society that many described as comparable to that of traditional mass media like television, radio, and magazines. Nishimura named the imageboard 2channel after the physical channel older televisions needed to be turned to in order to use auxiliary devices like 1990s video game consoles.

Figure 1: Pepe the Frog and "feels good man" meme


In 2003, not long after the success of 2channel, Christopher “moot” Poole (then 15 years old) launched an English-language counterpart to 2channel known simply as 4chan. Poole already had a history as an active participant on the comedy surface web bulletin board “Something Awful,” which funneled users to 4chan and quickly increased its popularity, forming a whole new genre of internet subculture including the “Cult of Kek” (Pepe the Frog), the conversational meme factory, and resources for niche adult fandoms like My Little Pony.

The pseudo-anonymity provided by 4chan also enabled discussions from a rather darker segment of society where disturbing fetishes and hate speech are not merely tolerated but glorified. Illegal content such as child pornography and gore increased the need for fairly strict moderation of the site by its hundreds of volunteer moderators stationed around the world; Poole and a part-time developer were the only official staff of the board. In 2014, 4chan was central to the Gamergate controversy, an online harassment campaign dedicated to directly targeting and doxing women out of anger over feminist or progressive ideals found at the time in the video game industry.

By this time, alternative imageboards known as “alt-chans” had emerged, including Wizardchan, whose userbase consisted of virgin men or “incels” (slang derived from “involuntary celibate”), who define themselves as unable to find a romantic or sexual partner despite desiring one and who often came to despise the very existence of women as a whole. To this day there is crossover in users between imageboards: Wizardchan’s users also post in threads on 4chan and vice versa.

Due to the increased moderation of content on 4chan, a prominent user and admin of Wizardchan known as Fredrick Brennan, using the pseudonym “Hotwheels,” founded “infinitychan” (written with a sideways “8” for infinity, or simply 8chan or 8ch), redesigning the codebase to include user-created and user-moderated boards. In 2013, Brennan advertised the new imageboard as a “free speech friendly alternative to 4chan,” and 4chan’s eventual blanket censorship of all Gamergate-related discussion significantly accelerated 8chan’s success and popularity in its first years of operation. 8chan quickly outgrew Brennan’s ability to host the volume of posts from its thousands of daily users, and illegal content became increasingly difficult to moderate. In late 2014, he partnered with Jim Watkins in the Philippines to host and help scale the platform, using Watkins’s data center company N.T. Technology, while Brennan served as admin and the public face of the board. (Source)

8chan’s content became increasingly obscene, and its users were linked to several violent international hate crimes, including the mass shooting at a Christchurch mosque in 2019, the Poway synagogue shooting, and the El Paso shooting at a Walmart targeting Hispanics shortly thereafter; all three shooters posted racist and xenophobic manifestos on the imageboard within hours of the attacks. Around the same time, Brennan resigned as the imageboard’s admin and launched a campaign to get the site shut down permanently, with direct attacks against both Jim and Ron Watkins across social media and the mainstream news media. In late 2019, after widespread public criticism of the site, Watkins rebranded 8chan as 8kun with support from Russian hosting providers affiliated with cybercriminal activity.

The imageboards mentioned above are considered the grandparent-chans: they created the ‘foundational’ platforms for fast-paced discussion, fueled mob-like mentalities, and remain widely popular underground online communities. Nevertheless, there are hundreds of “alt-chans,” many of which have a growing presence of users on the darknet, including not only a mirror of 2channel but 16chan, nanochan, 64chan, Korchan, Kohlchan, and others. The surge in new imageboards and their use of the darknet is reflected in conversations in which users express increasing concern over the concerted ‘attack on free speech’ that occurred in the wake of the January 6th riots, as well as calls by members of the US Congress to repeal Section 230 of the Communications Decency Act, which has historically protected the hosts of controversial social platforms from legal consequences. (Source)


Key Players: Founders and Key Players in the Imageboard Community

The following lists the founders and critical players of the most popular and widely discussed imageboards in public media. Due to the nature of the content, and its users’ and creators’ inherent desire for digital privacy, many of the owners and administrators of imageboards are completely anonymous or known only by their pseudonyms.

 
 

Chan Language: Understanding the Language of the Chans

Imageboards pride themselves on providing a platform for free speech and the purest freedom of expression, and many users use the forums as an outlet for venting internal frustration, speaking on the boards in ways they would never speak in real life. In 2010, 4chan administrator “moot” was called to testify in the trial of David Kernell, a 4chan user who was eventually convicted of hacking Sarah Palin’s email during the 2008 Presidential election and leaking screenshots from her account on the imageboard. The administrator’s role in the trial turned from ordinary to awkward when moot was asked to define and explain the community’s lingo and terms used in the posts and comments included in the prosecution’s discovery. Terms he testified about included such vernacular as “b tard”, “troll”, “peeps”, “lurker” and OP (original poster).

In the last decade, the culture and language of the chans has only become more exclusive and insular, making it hard for new users and investigative analysts to engage with the community, or even to parse what they are reading in a given thread collected by darknet data collection systems. The influx of right-wing extremism and domestic terrorism observed with the popularization of QAnon on 8chan (or 8kun) increased the use of phrases specific to Q’s posts such as “Patriots”, “Trust the Plan”, “Great Awakening”, “WWG1WGA” (where we go one we go all), “Panic in DC”, “deep state”, and the idea of “sheep”, those who follow mainstream media blindly.

Imageboard users go to great lengths to directly insult each other in threads and openly attack anyone of non-Caucasian race or non-evangelical Christian religious beliefs. Most of the lingo is too obscene and vulgar to be mentioned here, but there are some standard key phrases used across all the imageboards that provide general context to many an anon’s post. Several of these have made it into urbandictionary.com, whose definitions were included directly where available.

based: A word used when you agree with something; or when you want to recognize someone for being themselves, i.e. courageous and unique or not caring what others think. Especially common in online political slang. 

redpilled: A word used to describe when a left-leaning liberal has shifted their beliefs into alignment with the right. The phrase was adapted from the movie The Matrix, where Morpheus offers to enlighten Neo to the Matrix: “You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes.”

shill: This word describes a person who is pretending to agree with a conspiracy and intentionally circulates false information or acts totally insane in an effort to discredit said conspiracy. Someone who shills could also be someone directly lying in a post to deceive or cause controversy.

larp: An acronym meaning “live action role play” – when whatever post has been stated is not real or intended for comedic or dramatic effect, as if it occurred in a play.

/b/tard: A derogatory insult to address users who are found in the /b/ section of the board or to insinuate that their post is random or nonsensical.

lurker: A person who ‘lurks’ or browses the board and never posts anything.

newfag: A newcomer to the imageboard who is considered a nuisance to the discussion. Often this person is trying too hard to fit in.

neckbeard: A word derived from conjoining of the words “neck” and “beard,” to denigrate a male user on the board as characterized by an inflated sense of self-worth and a powerful sense of entitlement, particularly to affection, subservience and sexual acts from women.

neet: A person considered a failure in life who is unemployed and lounges all day playing video games or watching anime. 

waifu: A word used in the manga sub-genre to describe a fictional female character that they love and would marry if they were real.

glow: If the word glow is associated with an insult or someone says, “you glow” that would intimate that you’ve been perceived as law enforcement or a government agent. 

troll/trolling: As it relates to imageboards, trolling describes the deliberate act, (by a troll – noun or adjective), of making random unsolicited and/or controversial comments on various internet forums with the intent to provoke an emotional knee jerk reaction from unsuspecting readers to engage in a fight or argument.


Chan Topic Boards and Types of Content: Where /b/ and /pol/ Persist …

Anything posted here are autistic works of fiction, only a fool would take them seriously.

— /b/ board moderator on endchan, collected from Tor onion service

Persistent topic boards are a characteristic of chan forums. From its inception, 4chan required an administrator to create all topical boards to guide its users’ discussion, leading to a sort of standard that has persisted to newer chans. Alternatively, 8chan infamously gave its users the creative freedom to launch and moderate their own topical boards, a model since adopted by several imageboard developers.

Nevertheless, there are some board topics that are persistent across all of the imageboards, including the alt-chans across the surface web and darknet. Such well-known and highly popular sub-boards include:

Figure 2: Sample post from /b/. Source: onee.ch


  • /b/ – random: The sub-board /b/ was the first board Poole created on 4chan, and it was the catchall for any random thread about any sort of content, including cartoon pornography and debased memes. It is considered community etiquette across almost all imageboards to keep discussions that are the specialty or focus of other boards on the channel off /b/. Many imageboards recognize the power of /b/ to such an extent that it is the only board available on the entire platform.

  • /pol/ – politically incorrect: The /pol/ sub-board covers a wide range of subjects, including politics, culture, social issues, religion, law, finance, and current events. It has become best known for its divisive content and hate speech, with posts including neo-Nazism, white supremacy, and xenophobia. Nearly all imageboards online today have an active /pol/ board, and some include additional country-specific politics boards, like /polru/ for Russian political discussion. Some non-English-speaking alt-chans have created an /intpol/ sub-board instead of /pol/, which stands for international politics, as many of the English-speaking /pol/ boards are heavily influenced by U.S.-focused political partisanship. Last year, 8kun renamed its /pol/ board to /pnd/ for politics, news, and debate, much to the protest of its userbase.

 
Figure 3: Sample post from /pol/. Source: 16chan's Tor Service

Figure 4: Sample post from /pol/. Source: 16chan's Tor Service

  • /a/ – anime: Given the imageboard’s roots in Japanese anime subculture, and 2channel’s founder being Japanese, most imageboards have a sub-board called /a/ dedicated to sharing and discussing anime. Many posts on this sub-board also include a very specific sub-genre of animated pornography known as “hentai,” short for hentai seiyoku, translated as “perverse” or bizarre sexual inclinations.

  • /g/ – technology: The /g/ sub-board got its start on 4chan, and other imageboards have quickly adopted this topical board for “discussing computer hardware and software, programming, and general technology.” This channel often includes a wide range of posts, from requests for recommendations on which Linux distribution to install to pictures of users’ home technology setups.

    Last week, DarkOwl analysts observed a post on /g/ on how to successfully hack Apple’s recently released AirTags product, with detailed instructions from a security researcher’s blog on the surface web, demonstrating how /g/ could be used to surface security vulnerabilities. Within minutes of the post’s appearance, /g/ moderators removed the thread, validating user complaints about how heavily moderated 4chan can be and illustrating what attracts many users to imageboards hosted exclusively on the darknet with more relaxed moderation policies.

 
Figure 5: Sample post from /g/ sub-board. Source: endchan Tor service


How Imageboards are Evolving on the Darknet

Most imageboards have a surface web domain address and are accessible directly from the public Internet. Imageboards are considered pseudo-anonymous, since a user’s IP address is known and likely logged by the imageboard administrator, especially for users accessing the site directly on the surface web. While many users access imageboards through a Virtual Private Network (VPN) proxy, 8chan has used Tor on and off over the last five years to mirror its content, providing additional anonymity to users accessing the imageboard and mitigating DDoS attacks against its Internet domains.

Other imageboards, including 2channel, have a persistent presence on the darknet, providing their users additional layers of operational security. Some imageboards like endchan have mirrors across other alternative darknets, including Oxen and Yggdrasil, for additional data redundancy and wider client support for their userbase.

In 2019, DarkOwl reported that it detected an emergency bunker for 8chan that surfaced on ZeroNet during the site’s controversial shutdowns and DDoS attacks in the summer of 2019, but CodeMonkeyZ contacted DarkOwl to state it was not under their direct administration, and darknet users suggested it was either a honeypot or set up by an 8chan superfan and loyal user.

Many imageboards that are accessed strictly through the surface web have strict rules about what can and cannot be uploaded, and their administrators comply with all law enforcement requests for information and readily hand over logs. Others give moderators the power to disallow posting from Tor exit nodes, for the case where users access the surface web domain using the Tor Browser Bundle for anonymity.

Other, darknet-exclusive imageboards have more lenient rules and allow their users to post illegal content including violence, pornography, and gore. Gurochan, an imageboard that originated over a decade ago, recently returned online and predominantly includes threads with gore and necrophilia.

An Increasingly Evolving Darknet Threat

The imageboard community on the surface web is rapidly evolving, and many services are migrating directly to the darknet(s) or mirroring their content across them. With 4chan now heavily moderated and often called a law enforcement honeypot, and with many users of 8kun having disappeared after the failure of a real-life political “reckoning” for the alleged deep state cult at the heart of the QAnon conspiracy, the underground imageboard community is thriving as a safe haven for people to direct their shill and troll campaigns.

As previously mentioned, during the course of this research, DarkOwl identified over two dozen alternative chans on the darknet – not related to 4chan or 8kun – across numerous languages (Russian, Korean, Japanese, German, and English) that are currently online and active. To support Vision users in conducting the most effective and efficient investigative analysis, we have also created a “Groups” filter using these domains, so Vision UI users can easily target their searches directly at these communities without direct or a-priori knowledge of the onion service addresses. Hopefully this post, with its primer on historical context and guide to imageboard community lingo, will help end users develop intelligent targeted queries to find content of interest.

 

COVID Vaccination-Related Fraud and Disinformation on the Darknet

In the year plus since the COVID-19 pandemic took hold, DarkOwl analysts have continued to observe widespread coronavirus-related scams on the darknet. From bootlegged PPE, to “COVID infected blood,” to fake vaccination cards, there appears to be no shortage of individuals willing to take advantage of this global crisis to pursue their goals, be it to spread disinformation or simply to make money.  

To gain insight into potential threat actors aiming to defraud individuals and corporations alike, DarkOwl turned to the darknet to take a closer look. In doing so, we identified scammers purportedly selling COVID-19 vaccines, vaccination passports and cardstock records of vaccination as issued by the Center for Disease Control (CDC). DarkOwl has also observed a number of disinformation campaigns related to the efficacy and legitimacy of the COVID-19 vaccine across major deep web and darknet discussion boards, creating additional conflict and polarization among forum users.

Vaccination Cards for Sale on the Darknet

In the past few months, DarkOwl has noted a number of scammers offering vaccination record cards for sale, priced around $150 USD on average.

Figure 1: Vaccination Cards/Passports for offer on the darknet (Source - DarkOwl Vision)


One vendor, known only as “darknetdeals,” also offers negative COVID-19 PCR tests for sale for those needing negative COVID-19 tests for travel and work.

Users on deep web discussion boards discuss their surprise at the nature of the vaccination record cards issued in the U.S.: the generic grey cardstock they are printed on, along with the handwritten name and dates of the first and second doses for vaccines with multi-dose administration. DarkOwl has not engaged the threat actor nor purchased a card to verify whether this is a legitimate offer or a scam, but the opportunity could appeal to anti-vaxxers who desire to travel and dine in restaurants without receiving the vaccine.

Other offers have also surfaced on Telegram with “coronavirus certificates” and vaccine passports available for purchase. The price was not disclosed on the channel.

 
Figure 2: Advertisement on Telegram for Vaccine Passport (Source - DarkOwl Vision)


Vaccinated individuals across the US have shared post-vaccine selfies with the CDC-stamped paper card issued by their vaccination provider proudly in hand across social media. Scammers could not only utilize the photo of the card to create fake cards for sale on the darknet, but steal the personalized information such as full name and date of birth for identity theft and fraud.

 
Figure 3: Sample CDC Vaccination Cards Discussed and Circulated on the Darknet


Vaccine Doses Still for Sale on Darknet Markets

DarkOwl continues to see several COVID-19 vaccines offered for sale across darknet marketplaces and classified-like paste sites. In recent months, there has been a surge in vaccines on offer, including Russia’s Sputnik vaccine developed by Gamaleya. On one new darknet market alone, there are 5 different vendors offering vaccines ranging in price from $40 to $888 USD per dose. Pfizer vaccines tend to be more expensive than the other vaccines on offer.

DarkOwl had observed offers for COVID-19 vaccines on other darknet markets back in December, with prices ranging from $500 to $4000 USD. One vendor received feedback from a buyer stating that they had purchased five vials of the Pfizer vaccine for $2000 USD, packaged in a shipping container the size of a pizza box along with dry ice to maintain the significantly cold temperature requirement. It was unclear whether these were intended as single doses or as multi-dose courses spaced 21 days apart, as suggested by the manufacturer.

Figure 4: Review of Vaccine Vendor on the Darknet, December 2020


Figure 5: Moderna COVID-19 Vaccine Advertisement on the Darknet


While these could theoretically be ‘stolen’ vaccines, it is more likely they are counterfeit vaccines: vials of unknown and possibly lethal substances. Last week, open sources reported that authorities had discovered that fake coronavirus vaccines containing distilled water had been administered to at least 80 patients in a clinic in Mexico, while a darknet scammer was arrested in Poland for selling vaccines that actually contained an anti-wrinkle agent. Luckily, the Polish doses do not appear to have been administered to anyone.

Other offers for vaccines are clearly scams without any intention to deliver a single vial.

One vendor on a market known for its promotion of “rippers” (a.k.a. scammers), stated they had the “most-effective” “Pfitzer” vaccine for sale for $500 USD. The contact information associated with the vendor has only emerged on the darknet in recent weeks and is also connected with offers for various pharmaceuticals including ecstasy and Adderall.

Some scammers have established darknet onion services with elaborate backstories about their access to COVID-19 vaccines and medicines. One domain is supposedly set up by Wuhan Institute of Virology Lab Scientists and Doctors who have medicine exclusive to China to treat COVID-19 and vaccines that the Chinese government is keeping secret from the rest of the world. They are not ‘selling’ the vaccines and medicines but shipping them after a Bitcoin donation is received. They also refuse to respond to ‘long emails’ and ‘investigative questions,’ and their written text includes a number of typos. (Quoted below)

 

We are Wuhan Institute of Virology Lab Scientists and Doctors. We are a few scientists from the Wuhan Institute of Virology who have been working on viruses for human health, however after the corona virus (covid-19) has been leaked out of the facility and start infecting people we warned our government about making the covid-19 vaccines available for the public and start manufacturing the corona virus medicines asap. Unfortunately our warnings didn`t work and local infection turned out to a pandemi. Some of us are sworn doctors and others are honest scientists who only work for humanity. Being able to help people but not being allowed to is making us sick, some of us committed suicide already but we decided to use any and all ways to save lives.

As written on other pages we have been sending some covid-19 (corona virus) vaccines and corona virus (covid-19) medicines successfully to another country and we do not intend to sell any covid-19 vaccine but we are asking your help to let us save our lives and escape from China to a safe location in any part of the world and work with other scientists to save more lives.

If you have suffered with the Corona virus (covid-19) and hopefully recovered we are sure of that you don`t want that suffer for anybody else. So even if you don`t need the covid-19 vaccine or corona virus medicine please donate to the address below so you can save more lives.

— Authors of Tor Onion Service titled ‘We Are Wuhan Institute of Virology Lab Scientists and Doctors’, captured March 21, 2021
 

Disinformation Persistent Across Boards and Chans

If fake vaccines filled with unknown substances do not undermine the public’s confidence in vaccine distribution, there is plenty of disinformation rampant across the political threads on darknet and deep web discussion boards to stoke collective fears and personal anxieties. A recent thread on one discussion board included links to the original Moderna patent with skepticism and a link to a controversial article suggesting the mRNA vaccines cause cancer.

 
Figure 6: User on darknet board discusses fertility issues and vaccine (Source - DarkOwl Vision)


Others suggest the vaccine impacts fertility, stating that they now have lowered sperm counts since taking the vaccine. Some users call out other users for “shilling,” a term from Urban Dictionary that, in conspiracy circles, refers to a person who intentionally circulates false information or acts totally insane in an effort to discredit a conspiracy, revealing that an active information war is at play on the boards.

 
Figure 7: Controversial Discussion on a Deep Web Discussion Board

Figure 8: Controversial Discussion on a Deep Web Discussion Board


The fabricated conspiracies on such forums are particularly imaginative and controversial. For example, another post on a forum insinuated that the entire narrative around the dangers of mRNA vaccines was intentionally developed to shift people to prefer vaccines that are indeed gene therapy experiments instead.

Based on our observations, vaccine resistance is not limited to the United States. One user on Telegram expressed outrage over how a certificate of vaccination was required to receive services from a hair salon in Denmark as of April 2021. The post was written with a tone of desperation, including the sentence “We need help” at the end, signaling that this is becoming a global issue of controversy and potential social uprising.

 

Guys in Denmark you now have to show a corona passport (vaccine/negative test) to get service in hair salon from April 6th!!! Before that it was only for traveling. Now it’s hair salon. They are slowly grooming us into accepting this stupd passport. Soon it will be for restaurants and other cultural activities. This is fucking madness. I am so angry about this and so is many other danish citizens. This will soon happen all over the world. They say there will be a expired date for the passport but I dont believe that cus they lied about the 14 days to flatten the curve. We really need fucking help. Soon it will be restaurants too and does that mean I need to show a fucking certification to pick up food from restaurant and to the customers adress as a food courier!? I am at this stage where I may risk losing my fucking job in two months unless my job is exempted from it. Even if I may be exempted from it, many citizens will lose their job and have their freedom taken away because of this stupid passport. We need help.

— Post from Telegram User, March 23rd, 2021
 

Vaccine Data on the Darknet

Critics point to the CDC’s vaccination records on easily obtainable grey cardstock, and the ease with which they are counterfeited, as justification for a digital vaccine passport program. Developers have not delayed, as there are now numerous vaccine passport apps available across the widely used mobile app stores. Even New York has announced a new vaccine status program for mobile phones after partnering with IBM to develop a scannable barcode, similar to the QR codes used by airlines for boarding.

Since last year, the International Air Transport Association (IATA) has been working on an app called Travel Pass for use across its 290 participating airlines; laboratories and healthcare providers send PCR test results and vaccination records to the app, which flyers then present for compliant air travel. (Source)

The U.S. CDC’s website emphasizes the importance of its centralized Immunization Information System (IIS), which includes a repository of all vaccination records for each state; according to the website, COVID-19 vaccine providers are required to report detailed information about each vaccination given at the county and state level. Personal information for vaccination recipients includes full name, date of birth, residential address, sex, race and ethnicity, in addition to the vaccine’s production information from the manufacturer, such as expiration date, dose and lot numbers, for tracing which vaccine was administered.

The CDC’s COVID-19 specific IIS includes a number of different digital information systems for tracking and managing COVID-19 vaccine data:

  • VAMS: vaccination administration management system available for vaccination providers’ use – contracted by the CDC for development by Deloitte Consulting.

  • IZ Gateway: the immunization gateway, a central cloud storage system to enable IISs, federal agencies, and private partners to connect and share immunization information.

  • VaxText: second dose reminder system that vaccine recipients can enroll with to receive SMS text message reminders for their next vaccination date based on the vaccine they received.

  • VTrks: vaccine ordering system which includes vaccines for each provider along with associated shipping information.

  • VaccineFinder: vaccine provider lookup system to provide the contact information for vaccine providers, hours of operation, and types of vaccines available.

Many COVID vaccine clinics have decided against the CDC-endorsed VAMS administration system and instead procured commercial alternatives such as PrepMod for mass vaccine scheduling and data administration. DarkOwl has observed some darknet users complaining that they have trouble using PrepMod’s system effectively, and some states are considering abandoning the PrepMod product for systemic design issues and persistent bugs.

 
Figure 9 Source: https://www.cdc.gov/vaccines/programs/iis/downloads/basics-immun-info-sys-iis-508.pdf


Given the frequency and ease at which cybercriminals are compromising commercial database systems and regularly selling or leaking millions of records of customer authentication data and financial information on the darknet, vaccination record data sets are at risk of compromise.

Large scale databases of personally identifiable data associated with vaccine distribution, like the CDC’s IZ Gateway and VaxText systems or any number of the commercial and government vaccine passport apps in circulation, will be a prominent target for darknet cyber exploitation enthusiasts in the coming months, if they are not already attempting to gain unauthorized access to such systems around the globe.


Understanding Darknet Risk to Individuals and Corporations

Risk is a word used regularly across information security circles and on CISO agendas. In light of the recent surge of indiscriminate organizational ransomware attacks, companies are aggressively attempting to identify and mitigate any cybersecurity risk that could lead to extensive financial and reputational damage, especially from a high-profile cybersecurity attack or data breach. Meanwhile, individuals also struggle to know how concerned they should be about mitigating their own personal risk for when, not if, their sensitive personal information appears on the deep web and darknet.

In this blog, DarkOwl analysts dig into the domain of risk, taking a closer look at the threats corporations and individuals face and at how risk is calculated and mitigated. Underground digital communities within hidden and anonymous networks play an integral role in identifying the threats at play, and DarkOwl works alongside its partners to provide critical monitoring of potential markers of risk using its darknet search platform.

What is risk and what is the darknet’s role in risk calculations?

Risk is traditionally thought of as the product of likelihood and severity (the consequence of an outcome); in cybersecurity, however, the definition is expanded to take intention, or threat, into account. For example, in a personal risk scenario, one’s leaked credentials (e.g. usernames, e-mail addresses and passwords) might appear in commercial data breach leaks, which poses one degree of risk; but the minute those same credentials appear in conjunction with direct malicious intent to cause financial or other direct harm, personal risk increases dramatically. DarkOwl has frequently observed such specific targeting in the darknet. The same holds for the intention behind an attack against a corporation or government organization, but this is understandably much harder to quantify.

The U.S. Department of Homeland Security (DHS) defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” such that: likelihood is defined as “the chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities” and consequence is given as “the effect of an event, incident, or occurrence, including human consequence, economic consequence, mission consequence, psychological consequence.”

The DHS risk assessment model is more simply defined as a function of three variables: threat, vulnerability, and consequences, with full recognition that “these values are not equal,” as stated by DHS Secretary Chertoff in 2005. “For example, some infrastructure is quite vulnerable, but the consequences of an attack are relatively small; other infrastructure may be much less vulnerable, but the consequences of a successful attack are very high, even catastrophic.”

In organizational risk calculations, threat includes anything that can cause harm to the organization. That can extend to natural disasters (wildfires, hurricanes, and earthquakes) or a significant hardware or backup failure that disrupts services or production; it is not exclusive to cybersecurity attacks by external malicious entities.


There are numerous interpretations, philosophies, and variations on this formula, and fortunately organizations are given wide flexibility in conducting internal risk assessments, applying risk models of varying degrees of detail and complexity in their identification of threats and vulnerabilities – among which cybersecurity has become increasingly critical.

Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. When we look at the darknet’s role in risk and threat vectors, especially the risk to a company’s brand or stakeholders, malicious threat actors who operate in the underground (e.g. cybercriminal organizations, nation state actors and proxies, and cyber opportunists) proactively hunt for and attempt to exploit sensitive data for personal financial gain by whatever means possible, often exploiting unpatched vulnerabilities and crafting new exploits in the wild.

DarkOwl analysts also regularly witness critical corporate and personal information actively shared across underground digital communities in the darknet and deep web, and have categorized the types of vulnerable data at risk accordingly, delineating corporate and individual personal risk. The two are intricately interrelated, because people are one of the many risks corporate organizations must consider when calculating their cybersecurity risk. The region where corporate and individual risk overlap deserves the most critical consideration, as does the extent and volume of information readily available for threat actors to launch their attacks.

Likewise, the more data a threat actor has accumulated about an individual or a corporation, the higher the risk.

Figure 1: Visualizing the threat to corporations and individuals

Corporate Risk and The Darknet

The possibility of a cybersecurity attack against a corporation feeds a number of different corporate risk calculations: the loss of customer data presents a significant risk to a company’s brand, reputation and stakeholders; there is moderate risk of lost sales due to counterfeit goods offered on the darknet and direct reputational attacks on discussion forums and social media; there is direct risk via the executives and key leadership of an organization, through business e-mail compromise (BEC) phishing attacks or financial extortion through physical threats to executives’ families; and there is risk of attack via third (and fourth) party vendors and suppliers.

The consequences of an attack against a corporation can include:

  1. Unauthorized access to a corporate network

  2. Misuse of information by an authorized user

  3. Loss of access to corporate data (via deletion or encryption)

  4. Disruption of service or productivity

  5. Reputational loss and damage to brand or corporate image

The risk of unintentional data compromise

As nearly every security researcher and infosec professional would agree, the volume of organizational data leaked via unauthorized network intrusion attacks over the last twelve to eighteen months is troubling. Identity Force identified over 74 organizations across every industry segment that suffered network intrusion attacks in 2020, resulting in public reporting of sensitive PII leaked for malicious use on the deep web and darknet. From April through December 2020, DarkOwl observed 144 victim companies and non-profit organizations mentioned by the REvil ransomware criminal gang on their darknet data leak onion service, Happy Blog, so the “real” volume of compromised corporate information and customer authentication data in circulation from 2020 is likely significantly higher.

While large commercial data leaks receive press coverage, with phrases like “millions of records of user data exposed,” an unknown number of organizations have likely dealt with a critical cybersecurity incident in secret, never disclosing the breach to their customers or users for fear of reduced consumer confidence.

Extortion as a service is an increasingly successful sector of the underground criminal ecosystem and involves stealing sensitive personal or corporate information and then leveraging unauthorized access to this information to force the victim to pay, essentially blackmailing the victim, in exchange for quasi protection of their data. Threat actors utilize hacking forums and discussion boards across the deep web and darknet to explore potential vulnerabilities, sometimes expressing interest in specific industries, companies, and individuals, then finally sharing or selling the sensitive information they have stolen – resulting in significant reputational and/or financial loss for the victim organization.

Figure 2: Example ransomware leak site on the darknet for Ragnar Locker Group

Figure 3: Example e-mail sent to victim's customers by a ransomware group (courtesy krebsonsecurity.com)

Lately, darknet onion services that are hosted by cybercriminal gangs have been a key repository for the stolen and extorted data collected from victim networks via ransomware attacks.

DarkOwl has documented over two dozen unique ransomware-specific onion services for public release of information about their victims if the demanded ransom is not paid. Some ransomware groups even mock their victims using terms like “Wall of Shame” to taunt companies who attempt to avoid public disclosure of their compromise and sensitive data leak. Brian Krebs reported that the REvil ransomware gang started e-mailing customers of its victims to increase the pressure on the victim organization to pay the demanded ransom.

Notably, a reader of Krebs’s report commented on the optics of having received the notification e-mail from the criminals three months after the victim’s third party had let its customers know about the attack at the end of December 2020.

Figure 4: Source: https://krebsonsecurity.com/2021/04/ransom-gangs-e-mailing-victim-customers-for-leverage/

Counterfeiting risk is brand risk

The darknet is home to a lesser-known segment of corporate brand risk: offers of counterfeit goods on darknet markets. DarkOwl has historical captures of illegal ticket sales for the MLB and NFL and counterfeit sports memorabilia for sale on darknet markets, as well as offers of counterfeit merchandise from luxury brands such as Rolex and Gucci. The sale of counterfeit physical goods is a persistent and viable market in the underground economy.

Figure 5: Darknet marketplace advertisement for counterfeit Rolex watch for $4500 USD.

Executives and key leadership are critical targets

Some criminals utilize traditional open-source intelligence (OSINT) techniques to uncover the names, e-mail addresses and family relationships of an organization’s executives and key leadership to conduct pointed phishing campaigns via e-mail, SMS or traditional in-person and telephone-based social engineering to gain malicious access to a corporate victim’s network.

Popularly targeted executives include Facebook’s Mark Zuckerberg, Amazon’s Jeff Bezos and Twitter’s Jack Dorsey, who often appear on the darknet in public “dox.” To dox (the word is both a verb and a noun) is to publicly name or publish private information about a person, especially as a way of punishing them or getting revenge; the dox is the personal information published. The emergence of such ‘dox’ across anonymous networks and criminal communication platforms increases the overall risk to a company and to those individuals, as the threat, i.e. the intention to attack, increases significantly with the mention alone.

Figure 6: Source DarkOwl Vision (DocID: 585815b7bd0913ae4275f61c633ff3d107770e50)

Vendors and other third parties increase risk

As witnessed in the massive SolarWinds supply chain attack last year, nation state actors and cybercriminals are increasingly sophisticated and opportunistic, seeking to exploit third and fourth party suppliers and vendors to cause harm to the victim organization. Third parties include any entity an organization works with, including but not limited to vendors such as suppliers and manufacturers, partners, affiliates, distributors, resellers, and agents. Third parties may have access to information such as sensitive corporate data, financial data, contract terms and pricing, strategic planning data, intellectual property, credential data, personally identifiable information (PII) of customers and employees, and protected health information (PHI), and can unknowingly contribute to a threat actor gaining unauthorized access to a corporate network. Today, organizations should consider investing in a comprehensive third party risk management program, as discussed extensively in a recent report by Upguard.

While it is not always overtly clear who or what organization a threat actor may be intending as their next target, monitoring the darknet and deep web for mentions of a company’s name, along with names of its executives and key leadership, and network information such as domains, e-mail and IP addresses can be a helpful marker for quantifying the potential threat or intent of harm against an organization. DarkOwl’s DARKINT Exposure Scores are one of many potential quantifiable metrics a corporation can use to measure and understand a company’s business risk. Scores can also be utilized for self-risk assessments, as well as brand monitoring and vendor risk management.

Last summer, DarkOwl evaluated an assortment of industry sectors using its DARKINT Exposure Scoring system across hundreds of companies, classified as small, medium, and large for mentions of their website and email domains. Not surprisingly, Colleges & Universities had the largest scores and Insurance and Hospital & Health industries followed closely behind.

The Software Development sector had the smallest percentage of companies with no exposure, i.e. a greater volume of compromise and the industries covering Hospitals & Healthcare and Grocery Stores had the highest percentage of companies with no exposure. The raw data of which companies were included in the research and statistical analysis of the research are available for discussion upon request.


Individual Risk and the Darknet

With the most recent news of Facebook’s exposure of over 530 million users’ e-mail addresses and phone numbers, it seems as though nearly everyone has some extent of their personal information exposed, and often actively traded and sold, in the underground. Threats to individual personal risk appearing on the deep web and darknet are actually more extensive than account credentials alone. DarkOwl has observed several criminals who specialize in trading other critical PII such as national identification numbers, mailing and billing addresses, dates of birth, social media profiles, and even more concerning financial data like bank account numbers and credit and debit card numbers along with their card verification values (CVVs), expiration dates and personal PIN codes.

Individuals are at risk of social engineering

Personal individual risk increases with the extent of the information exposed and with where and how it has been distributed. Cybercriminals are increasingly creative in their techniques to gain access to this illicit information, with astute social engineering and mass phishing campaigns. Criminals actively seek the sensitive personal information needed for a financial institution’s security verification process, such as one’s mother’s maiden name, historical residence and billing addresses, and answers to key security questions, sometimes obtained through links to phishing websites or “fake” copies of popular commercial websites with username and password login forms, sent through “SMS bomb” or spam e-mail phishing attacks. A popular technique, discussed openly and with methods traded in underground forums, is sending out fake mobile phone notifications. Spammers text delivery notices via SMS with a link to a phishing URL (often a shortened URL, e.g. “bit.ly”) purporting to be from companies like DHL or UPS; the pages are designed to harvest the victim’s mobile IP address, IMEI number, mobile phone model and software version, along with sensitive personal information entered by the victim while searching for the non-existent package. The Federal Trade Commission (FTC) issued advisories early last year on how to recognize a widely distributed FedEx scam via SMS text message, and in February researchers reported that over 10,000 Microsoft users were affected by a FedEx phishing campaign that was not detected by Exchange Online Protection (EOP) or Microsoft Defender for Office 365.

The risk of password reuse and credential stuffing

Credential stuffing is a widespread technique used by cybercriminals to test whether historically exposed e-mail address and password combinations are valid logins across multiple commercial websites. For example, many victims exposed by the MyFitnessPal data breach may have changed the password on their compromised account, innocently thinking they had successfully protected themselves; however, the victim continued to use the same compromised e-mail address and password combination from MyFitnessPal to log in and shop for fitness-related equipment on Nike’s website.

Opportunistic cybercriminals automate the testing of large ‘combo lists’ containing compromised e-mail addresses and passwords against commercial websites, and once a successful authentication occurs they readily steal the PII and financial information often saved in the e-commerce platform’s user profile. Last week, the largest combination list of all time, known as COMB or Compilation of Many Breaches and consisting of over 3.2 billion e-mail addresses and cleartext passwords from data breaches going back as far as 2012, was shared on a darknet hacker forum.

Figure 7: Advertisement for a breach compilation

Circling back to the overlap between individual and corporate risk, credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved due to vulnerabilities with the commercial service provider’s technical configuration instead of a simple credential stuffing technique conducted en masse. The uncertainty potentially erodes consumer and stakeholder confidence warranting that commercial agencies consider credential stuffing in their internal security frameworks and corporate risk assessments as well.
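The defender’s counterpart to the combo-list replay described above is spotting it in the login log: one source address trying many distinct accounts in a short window with a high failure rate, which a single user mistyping their own password never produces. The following is an added example, not code from the original post or from DarkOwl; the log format, the thresholds and the sample log lines are constructed assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log, assumed format:
# "<ISO-8601 timestamp> <source IP> <login name> <OK|FAIL>".
# 203.0.113.7 replays a combo list against many distinct accounts (one hit);
# 198.51.100.5 is one user mistyping a password twice; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2021-04-12T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-04-12T10:00:03Z 203.0.113.7 bob@example.com FAIL
2021-04-12T10:00:05Z 198.51.100.5 carol@example.com FAIL
2021-04-12T10:00:06Z 203.0.113.7 chuck@example.com FAIL
2021-04-12T10:00:08Z 203.0.113.7 dave@example.com OK
2021-04-12T10:00:10Z 203.0.113.7 eve@example.com FAIL
2021-04-12T10:00:12Z 198.51.100.5 carol@example.com FAIL
2021-04-12T10:00:13Z 203.0.113.7 frank@example.com FAIL
2021-04-12T10:00:15Z 203.0.113.7 grace@example.com FAIL
2021-04-12T10:00:18Z 203.0.113.7 heidi@example.com FAIL
2021-04-12T10:00:20Z 198.51.100.5 carol@example.com OK
2021-04-12T10:00:25Z 192.0.2.9 erin@example.com OK
this line is malformed and is skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    window_start: datetime
    attempts: int
    distinct_users: int
    failures: int
    compromised: list[str]  # accounts that authenticated during the burst


def parse_log(text: str) -> list[Attempt]:
    """Parse log lines into Attempt records, skipping lines that do not match."""
    attempts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, m["ip"], m["user"].lower(), m["result"] == "OK"))
    return attempts


def detect_stuffing(attempts, window=timedelta(seconds=60),
                    min_users=5, min_fail_rate=0.75) -> list[Finding]:
    """Flag source IPs that, within one window, try at least min_users distinct
    accounts with a failure rate of at least min_fail_rate (the combo-list
    signature). A single user retrying their own password never reaches min_users."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        best = None
        for i, start in enumerate(events):
            # Every attempt from this IP that falls inside [start, start + window].
            burst = [e for e in events[i:] if e.ts - start.ts <= window]
            users = {e.user for e in burst}
            failures = sum(1 for e in burst if not e.ok)
            if len(users) >= min_users and failures / len(burst) >= min_fail_rate:
                cand = Finding(ip, start.ts, len(burst), len(users), failures,
                               sorted(e.user for e in burst if e.ok))
                # Keep the window showing the widest account spread for this IP.
                if best is None or cand.distinct_users > best.distinct_users:
                    best = cand
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.ip}: {f.attempts} attempts on {f.distinct_users} accounts, "
              f"{f.failures} failed; force a password reset on {f.compromised}")
```

The `compromised` list is the actionable output: accounts that authenticated during a flagged burst were reached with a reused password and should be reset, which is exactly the overlap between individual and corporate risk the text describes.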

The risk of identity theft and financial fraud

While a personal e-mail address or password leak is easily mitigated by using complex passwords and password managers, the greatest threat to an individual is financial fraud and/or personal identity theft. 

Aggregated compromised personal data about an individual, referred to by underground actors as “fullz” and sometimes augmented with data gathered by criminals who have attacked insurance, mortgage, and credit agencies, is very likely to be used in some attempt to defraud a program for monetary gain or to commit identity theft, as witnessed in the large scale pandemic unemployment assistance fraud conducted over the last year.

Individual risk calculations

Ultimately, what does it really mean that any of your personally identifiable information is on the darknet? Your level of concern should correlate directly with your individual risk, and calculating individual risk from information exposed on the darknet depends not only on the location and volume of the credentials and PII exposed, but also on a factor of time: how long the information has been available and the likelihood of exploitation by a malicious actor. Of course, this likelihood increases immediately once there is direct intent and targeting of the person, either individually or in conjunction with a campaign against a corporation, regardless of what types or volume of personal data are already accessible.

  • E-mail address and password leaks: Individual risk increases slightly with the website where the credentials have been used, i.e. banking application or health portal. Individuals can mitigate risk by using unique, complex passwords and password managers.

  • Personal financial data like credit and debit cards: Individual risk is higher if the card is still in use. Most banks have fraud prevention and do not hold the cardholder responsible for illegal purchases with stolen credit and debit card data.

  • Identity verification information: Individual risk increases with the more sensitive data accessible to a threat actor. For example, if a bank account number along with the full name of the account holder, their physical residential addresses, and other key identity verification information such as their mother’s maiden name, the name of their first dog, and secondary school mascot is obtained, then a threat actor has enough information to impersonate them and take control of the account. Compromise can be mitigated by visiting the bank in person with a form of identification (passport or driver’s license), closing down the compromised account, and opening a new one.

Only an individual can ascertain the degree of personal cybersecurity risk they are comfortable with, given the types of information they have shared publicly and the value they place on their personal information, their individual brand, and their digital reputation. In a hyper-connected society that is increasingly reliant on networked digital information systems to function, everyone’s exposure and subsequent risk is increasing to some extent. For some individuals this growth is gradual; for others it is exponential.

It’s Risky Business Regardless

The threats posed to individuals and corporations from the darknet, where sensitive corporate or personal information is leaked by cybercriminals, are diverse. Criminals employ increasingly sophisticated social engineering and technical attack vectors to pilfer information that could lead to full identity theft for an individual or corporate extortion with multi-billion ransom demands.

What’s more, threat attack vectors and vulnerabilities are rapidly evolving. With the now global acceptance of Bitcoin, and companies like Tesla accepting Bitcoin payments for their vehicles, cryptocurrency addresses of individuals and companies will soon have to be considered in this model and protected accordingly, if they are not already being targeted for middleman attacks. The deep web, anonymous networks, and various chat platforms will continue to be home for trading these commodities of data, and DarkOwl will continue to assist its clients and partners by providing the comprehensive darknet database necessary for critical monitoring of potential markers of cybersecurity risk to corporations and individuals.

Unemployment Fraud on the Darknet

In April 2020, within weeks of the widespread lockdown and quarantine caused by the coronavirus (COVID-19) pandemic, the U.S. Bureau of Labor Statistics reported that over 23.1 million people were unemployed across the United States. This surge in out-of-work adults caused record spikes in unemployment claims across state benefits systems, many of which were unable to accommodate the increased volume of benefit requests.

Figure 1: Chart Derived from U.S. Bureau of Labor Statistics (Source – Courtesy of Department of Numbers)

As a result, fraudsters on the darknet and deep web quickly capitalized on flaws in the state-run unemployment benefits systems, directly compromising claimant accounts to redirect unemployment payments and submitting false unemployment claims using illegally obtained personally identifiable information (PII).

Aiding in the exploitation of these programs is the plethora of detailed step-by-step instructions, known as ‘methods’ or ‘sauce’, that are readily available for purchase across the darknet.

Serious fraud yields serious capital for cyber criminals

With record numbers of persons unemployed comes record financial programs to cover these claims. The Coronavirus Aid, Relief and Economic Security (CARES) Act, signed into law in March, 2020 at $2.2 trillion USD, provided multiple lines of funding for unemployed U.S. workers including $260 billion USD in direct funding for expanded unemployment insurance. 

  1. The original unemployment supplemental was known as the Federal Pandemic Unemployment Compensation (FPUC) program. This program provided an extra $600 per week for individuals who already qualified for state unemployment compensation from late January 2020 through July 31, 2020.   

  2. The Pandemic Emergency Unemployment Compensation (PEUC) funding program provided an extended benefit period to individuals who have exhausted their unemployment benefits under existing state or federal law, have no right to regular unemployment benefits under any state law or other compensation under any federal law.   

  3. The Pandemic Unemployment Assistance (PUA) program was set up to provide unemployment compensation to individuals who would not ordinarily qualify for unemployment, such as gig workers and freelancers, independent contractors and self-employed persons, or those who have exhausted all other rights to state or federal unemployment (including PEUC). Qualifying individuals were eligible to receive up to 39 weeks of benefits for being unemployed between January 27, 2020 and December 31, 2020.

The difference between PEUC and PUA is that the PEUC essentially extends benefits by up to 13 weeks for individuals otherwise qualified to receive regular unemployment, but who have exhausted those benefits. DarkOwl has observed both programs mentioned extensively across the fraud community in the darknet and deep web.

In December 2020, the U.S. Government passed the Continued Assistance Act (CAA), totaling $900 billion, which extended the federal benefits of the CARES Act from December 27, 2020 to March 13, 2021. The CAA extended the benefits for an additional 11 weeks, and also provides an extra $300 per week for all benefits recipients. 

This act also included a new supplemental known as the Mixed Earners Unemployment Compensation (MEUC) program, intended to address a gap in the original stimulus package that penalized those with mixed income from multiple sources, who received lower unemployment benefits because they were deemed eligible only for regular state unemployment or PEUC on the basis of their wage income.

The MEUC program is subject to state discretion and very few states have adopted the new payment terms of providing mixed income earners an extra $100 USD per week. 

Figure 2: 2020 to 2021 Enhanced Unemployment Benefit Programs Coverage Summary (Source)

Overview: Pandemic-related unemployment fraud on the darknet

“Sauce” for sale

On the darknet, fraudsters and cybercriminals have become intimately familiar with these programs, offering elaborate guides and tutorials detailing how to make fraudulent claims against the different unemployment assistance programs. Described as “sauce,” these methods are offered for sale on darknet marketplaces, in private and public chatrooms, and on social media.

The going rate for a detailed unemployment fraud method varies between $200 and $300 USD, and methods are offered specifically by state, suggesting that different state unemployment systems may require unique techniques for direct exploitation.

According to DarkOwl Vision, PUA is mentioned more often than PEUC, likely because there are fewer historical work data reporting requirements for the freelancers and sole proprietors covered by PUA, making it easier to defraud. DarkOwl has observed PUA “sauce” for sale for the specific states listed below, with over 75% of the United States mentioned in offers across the darknet and deep web. This does not indicate that only these states have been exploited, merely that these are the states observed advertised in the darknet communities DarkOwl has had access to over the last year.

Pandemic Unemployment Assistance exploitation “how-to” guides are being sold for the following states:


Alabama, Alaska, Arizona, Arkansas, California, Colorado, Florida, Georgia, Hawaii, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, Washington, West Virginia, Wyoming

Figure 3: Users on the darknet are selling PUA “sauce", or how-to guides for exploiting unemployment programs, for the states colored in red above

Fraudsters selling PUA and PEUC methods are highly adaptive and acutely aware of security methods states are implementing to combat fraud, often updating the “sauce” frequently with the latest and greatest information. This includes new offers of “backpay sauce” opportunities with the latest relief funding being approved for states that ran out of unemployment relief funds.

According to the most recent fraud group chatter, Ohio has been mentioned more frequently with the phrase “Ohio is lit and still paying” acknowledging that some states’ anti-fraud methods are not as effective as others.

Figure 4: Step by step guide to fraudulently file for benefits in Maryland (Source - Twitter)

Figure 5: Advertisement on darknet forum for unemployment insurance claim services (Source - DarkOwl Vision)

Telegram and Social Media are playing a large part in the spread of this type of fraud

While the fraud community continues to thrive on Tor, many threat actors are active on chat platforms such as Telegram as well. Many popular fraud channels and supergroups contain users selling the latest sauce and new exploitation methods, including large Telegram communities with upwards of 100,000 members.


Fraudsters are also increasingly utilizing social media platforms like YouTube and Instagram, where they share videos detailing a variety of fraud-related guides and topics. Many of these posts relay methods by which one could commit fraud and take a variety of formats, including:

a) personally narrating the steps in a video – which often entails revealing their voice,

b) sharing a video of a method written out in text with suggestions to ‘pause the video and read’, and

c) demonstrating the technique via captured video of their computer screen while candidly committing the fraud.

As can be seen in the YouTube video included above, these content providers often successfully navigate possible YouTube take-downs by stating the video is “for educational purposes only.” 

Unemployment fraud methods: How criminals are accessing and exploiting state unemployment systems

Hijacking the account of existing claimants using compromised commercial authentication data such as email addresses and passwords

Many fraudsters exploit individuals who have already submitted a claim, but this method may often require access to the email address associated with the unemployment claimant’s account for successfully changing the password and personal information for the claimant account. Many PEUC claimants register for their unemployment benefits then do not regularly visit the web portal to access their account.

Claimant victims might be tipped off that their account has been compromised if they receive a password change notification from the system via email (for the states with such a system), but even those notices may be overlooked. Once the criminal successfully gains access to the account, they will quickly change the name and mailing address associated with the account, along with the bank information where the existing claims are being paid.

Figure 6: Screenshot provided as proof from fraudster claiming they had access to California’s EDD claimant accounts with outstanding balance for purchase.

Some criminals will foolishly attempt to use the exploited claimant account to extend benefits or submit new claims using fraudulent information without the victim’s knowledge. This method often triggers most states’ fraud-activity flags, which force the account and payments into a hold state until the victim (or a fraudster) can verify their information and activity by calling the unemployment office directly.
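The account-takeover sequence described above (password change, then name/address change, then bank change on a dormant claimant account) is one a benefits portal can flag before the next payment cycle. The following is an added example for illustration and is not DarkOwl’s code nor any state’s system; the event schema, the constructed sample events and the 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One claimant-portal audit event (hypothetical schema, not a real state system)."""
    ts: datetime
    account: str
    kind: str      # "login", "password_change", "profile_change", "bank_change"
    field: str = ""  # which attribute changed, when applicable


# Constructed sample audit trail for two fictional claimant accounts.
SAMPLE_EVENTS = [
    # claimant-001: the takeover pattern, all within a few minutes of a reset
    Event(datetime(2021, 3, 1, 9, 0), "claimant-001", "login"),
    Event(datetime(2021, 3, 1, 9, 2), "claimant-001", "password_change"),
    Event(datetime(2021, 3, 1, 9, 5), "claimant-001", "profile_change", "mailing_address"),
    Event(datetime(2021, 3, 1, 9, 6), "claimant-001", "profile_change", "name"),
    Event(datetime(2021, 3, 1, 9, 9), "claimant-001", "bank_change", "routing_account"),
    # claimant-002: a benign reset, with a bank update a week later and no address change
    Event(datetime(2021, 3, 2, 14, 0), "claimant-002", "password_change"),
    Event(datetime(2021, 3, 9, 14, 0), "claimant-002", "bank_change", "routing_account"),
]

# Both of these must follow a password change for the account to be flagged.
SENSITIVE_KINDS = {"profile_change", "bank_change"}


def flag_takeover_candidates(events, window=timedelta(hours=24)):
    """Return {account: details} for accounts where a password change is followed,
    within `window`, by both a profile (name/address) change and a bank-detail change.

    The details record when the reset happened and which fields changed, so a
    reviewer can place the account on hold and contact the claimant out of band.
    """
    by_account = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account.setdefault(e.account, []).append(e)

    flagged = {}
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.kind != "password_change":
                continue
            # Sensitive changes that landed inside the window after this reset.
            followers = [f for f in evs[i + 1:]
                         if f.kind in SENSITIVE_KINDS and f.ts - e.ts <= window]
            if {f.kind for f in followers} == SENSITIVE_KINDS:
                flagged[account] = {
                    "password_change_at": e.ts.isoformat(),
                    "changed_fields": sorted({f.field for f in followers}),
                    "hold": True,
                }
                break  # one hit per account is enough
    return flagged


if __name__ == "__main__":
    for acct, details in flag_takeover_candidates(SAMPLE_EVENTS).items():
        print(acct, details)
```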

Figure 7: Screenshot from Colorado Unemployment Benefits Website with Account Locked

Initiating new unemployment benefit claims using compromised fullz data of persons gainfully employed purchased from the deep web and darknet

Initiating new claims using fullz data is the most frequently mentioned method of committing unemployment fraud. In the latest tutorials fraudsters have shared on social media, the cybercriminals are very specific in their method, such as selecting fullz from key states that have the highest probability of paying the benefit.

Other advanced fraudsters leverage social engineering to research additional data on the person behind the fullz they intend to use, such as extracting their employer information (via a targeted LinkedIn search) in order to append falsified historical W-2 forms in an attempt to validate the account’s legitimacy. Many victims only discover their information was compromised upon receiving a 1099-G tax form in their physical mailbox in January for taxes owed on benefit compensation they never received.

Initiating new unemployment benefits claims using deceased fullz data purchased from the darknet and deep web

Many family and friends of the deceased do not monitor the financial status of their departed loved one, often even forgetting to cancel the deceased’s credit cards. The fullz data of the deceased is usually enough to initiate a new unemployment benefit claim registered to a bank account controlled by the fraudster and to start receiving the $600 per week within days of completing the registration.

A U.S. Department of Labor report from the Assistant Inspector General in late February reported that over 91,000 social security numbers of deceased persons accounted for $58.7 million USD in unemployment insurance claims in 2020.

Compromising the state unemployment system via blackhat ‘hacking’ techniques or exploiting vulnerabilities of the benefit system and modifying claimant account information in the system database

DarkOwl has observed criminal sources alluding to this method in chatter on the darknet in recent months. In July 2019, Maryland’s Department of Labor reported that cybercriminals had breached the agency’s unemployment database, resulting in the potential compromise of over 78,000 claimants’ personal information, including full names, social security numbers, dates of birth, and city or county of residence.

Earlier this year, Washington state reported that in December the State Auditor discovered a vulnerability in the computer file-transfer service used by the auditor’s office for unemployment benefit system data, which allowed unknown “persons” to access data on over a million Washington residents who submitted claims in 2020. The exposed information included claimants’ social security numbers, driver’s license numbers, bank account numbers and employment information – essentially comprehensive fullz data a cybercriminal could leverage to steal someone’s identity.

The critical vulnerability discovered was later reported to be associated with a third-party service provider, specifically Accellion’s File Transfer Application (FTA). In recent weeks, FTA’s critical vulnerability has been assessed as being behind a string of cyber attacks against corporations, governments, and universities around the globe, and has been linked to the CL0P ransomware gang from the darknet.

Most of the fraudsters are not bold enough to use their own personal accounts, but instead utilize online banking applications such as Venmo and Bluevine. Others use prepaid debit cards like Netspend or an account owned by a trusted money mule to receive the unemployment funds. 

Remediation is an ongoing, near-daily process

Many state agencies are identifying weaknesses in their unemployment benefits systems and implementing more rigorous identity protection measures. Many states now require claimants to submit an identity authorization form that includes a photograph of the person and official identification such as a passport or driver’s license. The Colorado Department of Labor & Employment did not require such steps before or in the early phases of the pandemic, but in recent weeks Colorado mandated that every claimant (active or on hold) verify their identity through its “Program Identity Hold” system with its partner ID.me, which evaluates 50 different potential fraud triggers, to help mitigate fraudulent claim activity.

According to recent reporting, Colorado has experienced inordinate volumes of fraudulent claims with over 1 million claims flagged for fraud – about 90% of their PUA claims – resulting in $7 billion in potential fraud payouts.

Figure 8: Source - DarkOwl Vision

Unfortunately, DarkOwl analysts have witnessed fraudsters in Telegram conversations offer “ID.me” bypass methods for sale, demonstrating how the cyber threat continues to evolve in a continuous cat and mouse game. This offer was shared in a popular fraud supergroup as recently as early March, 2021.

DarkOwl has also observed some fraudsters recently suggest they have “fullz with id”, meaning they have a photograph of the victim’s driver’s license that could potentially satisfy identity authorization requirements. This demonstrates that driver’s license information alone is insufficient for identity verification. It is reasonable to assume that even the DMV driver’s license databases of some states could be compromised in the near future. California reported a data breach of its internal DMV data management system in early 2020, with 38 million database records of vehicle registration information stolen.

With the recent passage of the $1.9 trillion stimulus package, the primary unemployment financial assistance programs are likely to continue well into 2021, with PUA and PEUC ending in early October 2021 and FPUC and MEUC continuing through early September 2021. The continued money flow will inevitably mean continued fraud of the programs on the darknet, with new methods of committing these acts almost certain to emerge.


The Fraud Files: What is Fraud on the Darknet?

Due to the vast number of scams and scam-attempts that most of us encounter on a daily basis, today’s society has largely become desensitized to fraud as we understand it on the internet. However, very few understand how this criminal economy thrives extensively across the darknet where it takes on a variety of different formats that target individuals and corporations alike.

Darknet forums and marketplaces are replete with how-to guides, mentors, bank drops, and sensitive PII and credit card databases for sale. Straightforward as it may seem to understand the current fraud landscape – especially with these listings and discussions being so common – the reality is not so simple. Navigating this underground territory requires an understanding of terms and concepts that apply across the darknet landscape that not everyone might be familiar with.

As such, we’re beginning our “Fraud Files” with an introduction or educational primer on the types of fraud most prevalent and regularly discussed terms and topics across the deep web and darknet.

The Language of Fraud

Over the course of crawling and exploring fraud on the darknet and deep web, DarkOwl discovered a unique language across vendors and key fraud cybercriminals operating in this sphere.  Darknet marketplace advertisements of counterfeit and digital goods include numerous types of data for sale. Fraudsters are in the business of monetizing anything they can get their hands on and DarkOwl has observed frequent mentions of CVVs, bins, dumps, fullz, and bank drops – commodities which present varying degrees of financial returns.

Card Verification Values (CVVs)

In the carding industry – one of the largest fraud segments of the darknet – the card verification values or CVVs are a precious commodity to fraudsters. The CVV appears on credit and debit cards and consists of a three-digit number on the back of Visa, Mastercard, and Discover card brands or a four-digit numeric sequence located on the front of American Express cards. These numbers are also sometimes referred to as card security codes (CSC). There is also a second generation of card verification values known as CVV2, generated by a secondary process that makes them slightly harder to guess. (Source)

Bank Identification Numbers (BINs)

BINs or Bank Identification Numbers (a.k.a. Issuer Identification Numbers (IINs)) are another critical commodity of the fraud industry, especially for criminals focused on carding. The first six numbers on credit and debit cards identify the bank issuing the card, the country of issuance, the card type, and category. The ISO Register of BINs/IINs for US banks is managed by the American Bankers Association and is not generally available to the public; yet an open-source database has been set up and is available for limited personal search, and it is mentioned frequently on the deep web. (Source)

Dumps/“Dumpz”

Dumps or “dumpz” are one of the most popular and readily traded commodities in the darknet and across the deep web, consisting of large pre-compiled lists of stolen financial data. Most often, dumps consist of credit card data of varying completeness, such as: a) credit card dumps or CC dumps, consisting of datasets of credit card numbers with expiration and bank information; b) CVV dumps, consisting of a list of known credit card numbers with expiration and CVV; and c) PIN dumps, consisting of a list of known credit card numbers with expiration and the personal PIN known only to the cardholder and bank for additional security.

Dumps may also include whether or not the credit card is VBV, which is Visa’s “Verified By Visa” additional security measure for online purchases, often consisting of a security pass phrase or the answer to a personal security question known only to the cardholder and the financial institution. Non-VBV Visa credit cards are preferred in the fraud community.

Popular darknet “dumps” provider, D. Trump advertising dumps for sale on a darknet forum

One popular “dumps” provider is known on the darknet as D. Trump, observed advertising their services across various deep web and darknet hidden services since Trump’s Presidential election back in 2016. Their forum posts insinuate that the compiled dumps data is “sniffed from their botnet”, and their advertisements include a twist on Trump’s MAGA theme with the catchphrase, “Make Dumps Great Again.”

Fullz

“Fullz” is a general term that indicates a comprehensive package of information creating a “full” picture of the subject. A highly coveted underground criminal commodity, fullz often consist of large, pre-compiled lists of stolen financial information along with the critical personally identifiable information (PII) needed for account verification and criminal manipulation. The PII often includes the full name of the victim, billing address with zip code (for U.S. addresses), and phone numbers. Even more lucrative fullz also include personal PIN codes and the victim’s mother’s maiden name, which is used for enhanced security. Sometimes fullz will include answers to security questions for accessing a bank’s web customer portal or mobile app. Some fraudsters include deceased people in their fullz offerings, as families rarely think to cancel the credit of dead relatives.

There are several darknet hidden services and deep web domains that specialize in trading “fullz”. One market known as “FullzBuy”, whose logo mimics Best Buy’s yellow price tag, has fullz lists ready to purchase, including state driver’s license databases and social security numbers; one listing stated the data was stolen from a loan company, increasing its value and the likelihood that it is recent.

Example “fullz” captured directly from the deep web site, Fullz Buy.

Bank Drops

Bank Drops are another popular commodity on the darknet, especially for cyber criminals and fraudsters looking to turn their hacked bank credentials into cash. While some carding enthusiasts take dumps and fullz and turn them into fake credit cards to purchase goods or debit cash from an ATM, others exploit compromised account information through quiet bank transfers to bank drops via money mules.

In the last year, fraudsters discovered how to successfully leverage a mule’s mobile money transfer app such as Venmo and Cashapp to transfer cash directly from the stolen fullz account, removing upwards of $1000 USD daily from the victim, often without their knowledge.

Money Mules

Money Mules, or simply “Mules”, are individuals recruited by “mule herders” to help conceal the originating identity of the cybercriminal or fraudster, and they are often key to turning fraudulently acquired credit card and bank information into cash.

Many mules operate in lengthy fraud mule chains and networks and mules sometimes are completely unaware they are participating in a complex criminal enterprise. Many mules innocently respond to an innocuous “work from home” solicitation to help a so-called legitimate company send and receive funds from foreign customers, in exchange for a percentage of the transfer. In actuality, the company website and job posting is all fake, including the signed work contract, and their accounts are obscuring the identities of cyber financial criminals around the world.

Other mules knowingly assist in the fraud and set up a series of bank accounts, receiving funds from the fraud chain, cash out the transfers and send the monies along to the intended recipients using services such as Western Union.

The S’s of Fraud

Curiously, there has been an increase in fraud advertisements discussing techniques and malware delivery methods that coincidentally start with the letter ‘S’ – notably: Swiping, Smishing, SIM Swapping and Skimming.

Swiping

Swiping is a term used by many of the younger-aged fraudsters which involves using stolen merchant account information or credit card data to make fraudulent purchases and having them delivered to an address, sometimes referred to as a “drop” (usually not associated with the criminal or the victim) where no one is home and the goods are then collected by the would-be swiping cybercriminal.

Swiping may also refer to the process of using stolen debit card information to withdraw cash from an ATM. Variations of this process have been popularized among deep web enthusiasts in hip hop culture, spurring a completely new genre of “scam rap” in which the technique is woven into the lyrics of rap songs. DarkOwl has observed this with young scam-rappers such as Teejayx6, as shown in the video below.


Smishing

Smishing is a form of phishing via SMS where cybercriminals hope the victim will click on malicious links in SMS text messages. There are numerous anonymous SMS spam services that will deliver these links readily for a small charge advertised across the darknet.

These smishing texts can take many forms, such as a bank notification, a mobile service cancellation scam, or a fake delivery notice, that lead the victim to provide personal information that will be traded on the darknet or to install malware that spies on and remotely controls the victim’s mobile device.

SIM Swapping

SIM Swapping (a.k.a. SIM Splitting, port-out scam, or simjacking) occurs when a criminal takes over the mobile phone account of their victim, often by directly social engineering the mobile carrier using publicly available PII of the victim that has been compromised and leaked on the darknet. The phone number’s text messages and calls are then rerouted to a different SIM and device controlled by the criminal in order to defeat SMS-based 2-factor authentication (2FA), which can lead to email, bank, and cryptocurrency account compromise and theft. In these times of uncertainty and rampant digital crime, authentication apps such as Authy, LastPass, and even the Google or Microsoft Authenticators are safer than relying solely on SMS 2FA for secondary security.

Signs Your SIM has been Swapped

This list originated from Norton Security.

  1. You’re unable to place calls or texts. The first big sign that you could be a victim of SIM swapping is when your phone calls and text messages are not going through. This likely means fraudsters have deactivated your SIM and are using your phone number.

  2. You’re notified of activity elsewhere. You will know you’re a victim if your phone provider notifies you that your SIM card or phone number has been activated on another device.

  3. You’re unable to access accounts. If your login credentials no longer work for accounts like your bank and credit card accounts, you likely have been taken over. Contact your bank and other organizations immediately.

Skimming

Skimming is a type of credit card information theft that involves the installation of a small device attached to a legitimate credit card transaction device, such as a credit card machine at a merchant, a gasoline pump, or an ATM. When the card is inserted or swiped for the legitimate transaction, the card data, including the full number, expiration, and card holder’s name, is harvested and rerouted to the cybercriminal’s computer or networked server. The information is then used to make fraudulent transactions digitally or with a counterfeit credit card. A skimmer device installed on a gas pump or ATM is often noticeable, as the hardware will protrude out past the payment key panel because the device must sit on top of and be affixed to the installed credit card reader. Many pumps in the U.S. now include a visible security label that changes color or otherwise gives a noticeable indication if it has been tampered with. Fraudsters specializing in skimming often turn the skimmed magnetic-stripe data into dumps for resale on the darknet. Skimming devices are also sold on darknet forums and marketplaces.

Fraud is Hardly Simple

Many of us associate the idea of fraud with the Nigerian Prince email scam, which tricks the most vulnerable into sending money via wire transfer to businesses and persons that do not really exist or do not have the needs they have begged for help with.

While that is one form of limited wire fraud, the fraud industry has evolved into a complex darknet ecosystem with numerous categories and potential financial outlets to target including: personal identity fraud, bank fraud, carding and counterfeiting, merchant-level fraud, and government-program fraud.

According to a Federal Trade Commission report published in late 2020, imposter scams and online shopping fraud present the highest reported financial losses to businesses and individuals. The origins of their fraud data (between darknet, deep web, and surface web) were not specified in this impact report.

Digital Theft – Stolen Identities

As we mentioned earlier, data is money and cyber-fraudsters are readily targeting individuals to increase their earnings by stealing from victim’s bank, credit and online-merchant accounts. This is achieved through hijacking or performing an “account takeover” of the victim’s bank or credit account and liquidating the funds via bank drops and money mules.

Other forms of personal identity fraud occur when key personally identifiable information of a victim, such as one’s U.S. social security number, home address, and mother’s maiden name is used to open new lines of credit or even worse, mortgages compromising the victim’s credit score in the process. This is why regular monitoring of one’s credit score, particularly to watch for any “known addresses” listed in the report that do not belong to the credit holder, is a strategic action to take in detecting identity fraud.

FTC’s assessment of identity fraud by categories for data through 2019. DarkOwl assesses fraud against government docs, benefits, and employment will increase since the pandemic.

The same 2020 FTC report states that credit card fraud is the most common type of identity theft in their dataset, occurring in over 30% of all identity theft reports. Bank, lease/loan, utilities, and government programs were also included in this list. DarkOwl assesses these financial distributions will shift with Government Programs and Employment Benefits compromising a larger percentage of fraud given the pandemic climate and rampant fraud methods available.

Carding – Unauthorized Purchases by Fraudsters

As we mentioned earlier, data is money and cyber-fraudsters are readily targeting individuals to increase their earnings by stealing from victim’s bank, credit and online-merchant accounts – account data that trades readily on the darknet as dumps, fullz, and CVVs. In the simplest of terms, carding involves the illegal use of a card by unauthorized persons to purchase a product and there are a couple of different paths a cyber-fraudster can take with this information they’ve purchased or found in the underground.

  1. Some fraudsters might use the account information, such as the web login username or the account number, to hijack the victim’s online account with the merchant and make fraudulent purchases.

  2. Others take the stolen card numbers (dumps, fullz, bins), make purchases illegally online, and have the goods shipped to a drop address. Many of these purchases, especially if they are of low dollar value, go completely unnoticed by the victim, as few people actually review the purchases on their credit card statement each month.

  3. Some more sophisticated criminals will take the data and create counterfeit credit cards for use in-person directly at a merchant. Often the fraudsters purchase large quantities of high-end electronics and expensive goods for resale or trade.

Many of the card lists contain card numbers that have already been flagged as stolen or deactivated; for this reason, many darknet carding services advertise that their dumps or fullz are “fresh”, meaning the numbers have been acquired recently and are less likely to be deactivated. There are several deep web sites set up solely for card verification (alive or dead). There is also a special Skype number carding fraudsters call to verify that a card is active via an automated service.

A Most Unusual Financial Opportunity

In late January, one creative carding criminal posted on a darknet criminal forum the offer to sell 180 GB of audio stolen from a merchant’s phone payment processing system collected over the last 6 years. At least 70% of the recorded calls supposedly include exploitable PII such as, first name, last name, registered address, phone number, e-mail, date of birth, card number, expiration date, and CVV.

The fraudster only asked for $2,400 USD in cryptocurrency for the entire dataset and subsequently lowered the price in the following weeks after receiving criticism for the “valids” and very little interest from the community.

[ENGLISH TRANSLATION] 
I will sell about 180 GiB (200k files) of conversation records merged from the server of the service for processing orders by phone (YUS). Calls made between 2015 and 2021, mp3 format, distributed in folders with the date of the call. Also, almost every folder has a txt or csv with a list of caller names. The caller's phone number is used as the file name. Calls in English and not much in Spanish (no more than 5%). Not all calls contain complete information on the holder and CC, but about 70% of the call records contain information such as, first name, last name, address, phone number, mail, date of birth, card number, expiration date, cvv. Of course, there are a lot of overdue CC's in the calls made in 2015-2019. Also, the total valid for CC is 10-15%, at least I did it so I rewrote a couple of hundred calls in text form to check the valid. Valid did not meet my expectations, and this is the reason for the sale.
I want $2,400 for everything. I accept BTC, ETH, and XMR. If you need sample files, I will ask you to put money in the guarantor or deposit, as I am happy to conduct transactions through the guarantor.
I am ready to answer any questions in the PM

Merchants and banks have had to increase their insurance to account for the increasing criminal activity around carding. When a victim does discover their information has been compromised and illegal purchases made, they often report the unauthorized purchase to the credit card company – who will often freeze the account and issue a new card – prior to cancelling the illegal transaction from the credit statement as a part of the financial institution’s zero liability guarantee, established with the Fair Credit Billing Act in the U.S. Sometimes it’s helpful to also contact the merchant and notify them that a claim has been submitted with the credit company.

Taking Money Directly From “Big Brother”

W2 Tax Forms for Sale to Commit Tax Fraud (Source: DarkOwl Vision)

Since the COVID-19 pandemic hit the U.S. and suddenly millions of citizens were out of work, DarkOwl analysts have observed an increase in government-specific fraud against government subsidized programs such as State Unemployment, Pandemic Unemployment Assistance, the Small Business Association, and even personal Stimulus Payments from the Internal Revenue Service (IRS). Many cyberfraudsters view themselves as cyber vigilantes and are personally more willing to scam the government out of funds instead of their neighbor next door. In December, USA Today reported there had been an estimated $36 Billion USD stolen across U.S. unemployment benefits.

The upcoming tax season is another market for opportunistic fraudsters who have obtained sensitive PII from the darknet. Some fraudsters with access to SSNs and fullz data will file taxes ahead of the victim and steal the refund payment from the government. This complicates the victim’s standing with the IRS considerably as they attempt to recover their refund and their account with the IRS.

One popular darknet vendor using the pseudonym “@OsamaFBG” has been selling a COVID-19 stimulus check template and method for as little as $50 USD over the last year, since the IRS first started distributing checks to U.S. citizens. Source: 62f077c9fbf3185ab831ac578f46d117. Another offered a method guaranteed to defraud upwards of $100,000 USD “easily” from the SBA’s relief grant program for as little as $300 USD.

Offer for a method to Fraud the Small Business Administration’s COVID Relief Grants Vision (Source: DarkOwl Vision)

Conclusions

The fraud industry is a vibrant and thriving ecosystem across the darknet and deep web. Financial cyber criminals will continue to exploit vulnerabilities across all financial systems and continue to trade and sell victim’s personal data and accounts for continued financial gain. Scams and carding fraud are key segments of this market while government benefits and unemployment system fraud have skyrocketed in the pandemic.

Curious to learn more? Check out our “Fraud on the Darknet” webinar to see live fraud-related searches using our darknet analyst dashboard.

The Rise of Android-Specific Malware on the Darknet

2020: the year of the “RAT”

While 2020 has largely become known for the surge in large and small-scale ransomware attacks, which skyrocketed indiscriminately across industries, our analysts have also witnessed an increase in the offers of Android-based Remote Access Trojans/Tools (RATs). These criminally-masterminded digital weapons are used not only to extract information from and spy on Android mobile devices, but are also often the attack vector through which many of the ransomware variants that have been deployed in recent attacks were delivered.

Android-specific malware, especially if deployed alongside a “crypter,” is one of many credible threats to commercial and government organizations that utilize devices running the Android operating system. DarkOwl discovered that threat actors are successfully deploying mobile ransomware such as “Sauron Locker” and RATs such as AhMyth, disguised as a COVID-19 testing app, designed to ‘exfiltrate’ or extract the contents of the mobile device without the user’s knowledge, and further to ‘extort’ the user by locking the device until a cryptocurrency ransom is paid.

Android Malware On The Darknet: A Conscious Intention

As discussed in previous reporting, a threat actor that plans offensive operations against a unique range of targets will utilize whatever cyber weapons and tools are available in their arsenal to destabilize and/or damage their targets. Those targets range from everyday citizens to government officials, healthcare workers, and lawyers. The open-source nature of the Android OS provides an excellent starting point for direct software exploration and, ultimately, exploitation of vulnerabilities in the technology. This opportunity is not exclusive to nation state actors and their proxies: amateur cybercrime enthusiasts entering the underground malware development community are, given the right motivation such as a political agenda or social movement, perfectly capable of adding such exploits to their inventory of cyber tools.

Successful malware distribution and exploitation of device vulnerabilities depend on the obscuration and obfuscation methods employed. Deep web and darknet forum users also have the option to purchase DNS hosting services for anonymous port forwarding for their malware, VPNs, RDPs, remote administration tools, and ransomware, as well as the specific crypter needed to make the malware fully undetected or undetectable.

RATs on the darknet: Common variants for offer

CERBERUS

Since 2019, one of the most widely discussed RATs has been Cerberus, particularly in the context of targeting banking applications supported by the Google Play store and the Android mobile operating system.

The Cerberus RAT is capable of deep surveillance within the victim’s device, interfering with the encrypted communications the phone has with its apps and with the outside world. An update to the RAT appeared in 2020 (v2) with additional security-evasion functionality, such as stealing two-step authentication (2FA) codes from apps like Google Authenticator.

Essentially, the Cerberus RAT is capable of intercepting and recording a victim’s mobile phone unlock pattern or PIN and Google Authenticator codes, and of intercepting the SMS messages necessary to complete two-step authentication. Similarly, this malware can embed itself between the victim and their mobile banking application, sitting and waiting to extract any and all data necessary to perform bank fraud.

Figure 1: In early October 2020, a Telegram user “blutheCA” posted a link to the Cerberus V2 source code on the IndianAnons supergroup channel. (Source – DarkOwl Vision)

In late July 2020, the developers of Cerberus decided to get out of the banking fraud business, apparently due to internal group conflicts and a subsequent fracture, and the main developer offered their entire operation, including the source code and C2 network, for auction. No one was interested in taking on their criminal operations, and the developers instead released the source code of the Cerberus malware into the wild. The auction was marketed on the popular darknet malware forum exploit, with a starting price of $25,000 USD and an advertised monthly profit of $10,000 USD. The developers stated they were including “the source code of the apk, the source code of the module, the source code of the admin panel, their servers, the customer base with an active license, the contact list of customers, the contact list of those who wanted to purchase the product, and a lot of additional information.”

Other users on the forum suggested that Google Play had released a security update capable of detecting Cerberus’s main module signature, and that the RAT was no longer viable without software changes.

ALIEN

Within weeks of the Cerberus source code leak, a fork of the initial variant of Cerberus (v1) called Alien surfaced for sale on the darknet. In addition to all the main capabilities that Cerberus provided, Alien also included a keylogger; remote application install and removal and service start and stop; a 2FA authenticator stealer; and a device notification sniffer. The Alien RAT installs and leverages the commercial TeamViewer application on the victim’s mobile device, giving the threat actors full remote control and observation of the device and its owner’s behavior. (Source)

A longtime user of the darknet forum exploit, using the pseudonym “megabyte,” first offered a three-month license to use the Alien Android RAT on August 14, 2020, for $4,500 USD.

AHMYTH

AhMyth is another malicious Android RAT that has been actively traded and discussed on the darknet over the last three years. Its repositories on github.com were updated as recently as three months ago. The RAT includes an Electron-based server-side desktop application and the APK installers for the client, i.e. the victim’s Android device. The developer is active on Twitter under the handle @AhMythDev and states their location is Oman.

The AhMyth RAT features:

• A file manager allowing the threat actor to view the contents of the victim’s device, including firmware

• Access to the victim device’s browser data, cookies and web browsing history

• Remote access to the victim’s device microphone and camera

• Remote access to all device call logs

• SMS access – allows the threat actor to not only read but also send SMS text messages from the victim’s device

• GPS location data – allows the threat actor to track the geographical location of the victim.

Figure 2: Screenshot of AhMyth repository on GitHub (Source – hxxps://github.com/AhMyth/AhMyth-Android-RAT)

ROGUE

Figure 3: Advertisement for Rogue RAT (Source: DarkOwl Vision)

Earlier this year, open source reporting indicated that the developers of the Rogue RAT had been circulating the malware across darknet forums for rent for as little as $29 USD per calendar month, with discounts such as $45 for 3 months and lifetime memberships. According to researchers, the Rogue RAT exploits Google’s Firebase development platform to conceal its malevolence and abuses Android’s Accessibility Services to bypass restrictions on tracking user actions; it also registers its own notification service to view such messages on the infected device, an exploitation technique observed with other Android malware strains.

The seller of the RAT, known as “Triangulum,” released version 6.2 of the malware on deep web forums back in April 2020, and its source code emerged too, revealing that the Rogue RAT does not appear to be a unique malware codebase, but instead an update to an earlier variant known as DarkShades.

COVID-THEMED (DISGUISED) RATS

Figure 4: Screenshot from Twitter (Source: https://twitter.com/LukasStefanko/status/1306143556281737217/photo/4)

Given the ‘open-source’ nature of the AhMyth Android RAT, DarkOwl analysts have observed several malicious Android RAT variations based on the AhMyth source code. For example, a malicious fake Indian-based COVID app for Android surfaced in 2020 with remarkable similarities to the AhMyth RAT. Its command-and-control (C2) server addresses are hard-coded: a private IP address, 192.168.1.99:1234, and a public IP address, 122.10.114.159. (Source)

Other Twitter users observed the AhMyth RAT disguised as a COVID-19 testing app. Observations came to light in September 2020 in France when a fake website mimicking legitimate services surfaced with a C2 domain identified as hxxp://tweensangoma.servebbs[.]com:22222.

Security researchers assess that the Pakistani hacking group Transparent Tribe has been actively exploiting COVID-related tracking and monitoring applications to deliver mobile malware. Their targets are often Indian government organizations and persons, explaining why the malware was found alongside Indian-specific COVID tracking apps. The group does not exclusively target Indian organizations, however. Multiple darknet sources state the group has successfully attacked more than 1,000 victims in over 27 countries and presents as a formidable criminal cyber organization.

Internet security company DomainTools discovered that an Android app called “COVID19 Tracker,” which disguised itself as a coronavirus outbreak geo-tracking tool, was actually ransomware that locked the user’s phone and demanded a payment of $100 in bitcoin within 48 hours, according to reporting.

More recently, a relatively new darknet user named “Shade Me” listed MD5 hashes used as indicators of compromise (IOCs) for twelve COVID-titled Android RATs. Their post, titled “Most popular Android Threats 2020,” was published to a popular deep web forum in September 2020. Both Covid-Ahmyth and Covid-Cerberus were included in the list. GitHub user sk3ptre shared the same list, including the live strains of the malware, on their GitHub repository at hxxps://github.com/sk3ptre/AndroidMalware_2020.
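The hard-coded C2 addresses in the AhMyth-derived COVID apps above and the IOC list that followed are the kind of artefacts an analyst pulls out of a sample first. As an added example (not DarkOwl’s code, nor code from any of the RATs discussed), the Python below extracts candidate network endpoints from a string dump of an APK, separates private from public addresses, and checks them against an IOC watch-list; the sample strings and IOC set are constructed around the two C2 endpoints the page quotes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of strings as they might be recovered from an AhMyth-style
# APK (for example by running `strings` over the decoded classes). The two
# endpoints the page reports for the fake Indian COVID app and the French
# COVID-testing lookalike are included; everything else is filler.
SAMPLE_STRINGS = """
Landroid/content/Context;
192.168.1.99:1234
https://play.google.com/store
122.10.114.159
tweensangoma.servebbs.com:22222
firebase_messaging_token
10.0.2.2:8080
"""

# Constructed IOC watch-list built from the hosts quoted on the page.
SAMPLE_IOCS: Set[str] = {"122.10.114.159", "tweensangoma.servebbs.com"}


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: Optional[int]
    kind: str  # "private-ip", "public-ip" or "domain"


# Dotted-quad with an optional ":port" suffix.
IPV4_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")
# Hostnames are only taken when they carry an explicit port, which is how C2
# endpoints tend to be embedded; bare hostnames (SDK/library URLs) are too noisy.
HOST_PORT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+):(\d{1,5})\b", re.I)


def classify_ip(host: str) -> Optional[str]:
    """Return 'private-ip' or 'public-ip' for an IPv4 literal, None otherwise."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return "private-ip" if ip.is_private else "public-ip"


def _port(raw: Optional[str]) -> Optional[int]:
    """Validate a captured port string; out-of-range values are treated as absent."""
    if raw is None:
        return None
    value = int(raw)
    return value if 1 <= value <= 65535 else None


def extract_endpoints(blob: str) -> List[Endpoint]:
    """Pull candidate network endpoints out of a string dump, de-duplicated."""
    seen: Dict[tuple, Endpoint] = {}
    for m in IPV4_PORT.finditer(blob):
        kind = classify_ip(m.group(1))
        if kind is None:  # e.g. "999.1.1.1" looks like an address but is not one
            continue
        ep = Endpoint(m.group(1), _port(m.group(2)), kind)
        seen[(ep.host, ep.port)] = ep
    for m in HOST_PORT.finditer(blob):
        host = m.group(1).lower()
        if classify_ip(host) is not None:  # already handled as an IP literal
            continue
        ep = Endpoint(host, _port(m.group(2)), "domain")
        seen[(ep.host, ep.port)] = ep
    return sorted(seen.values(), key=lambda e: (e.kind, e.host, e.port or 0))


def triage(blob: str, iocs: Set[str]) -> Dict[str, List[str]]:
    """Bucket extracted endpoints for an analyst: known IOCs first, then by kind."""
    eps = extract_endpoints(blob)
    return {
        "ioc_hits": sorted({e.host for e in eps if e.host in iocs}),
        "public_ips": sorted({e.host for e in eps if e.kind == "public-ip"}),
        "domains": sorted({e.host for e in eps if e.kind == "domain"}),
        # Private/emulator addresses (such as 10.0.2.2, the Android emulator's
        # host alias) usually point to a developer build or a test C2.
        "private_ips": sorted({e.host for e in eps if e.kind == "private-ip"}),
    }


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_STRINGS, SAMPLE_IOCS).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```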

Deeper dive: Android-specific ransomware on the darknet

With all the publicity around ransomware attacks on corporate networks around the world in 2020, few realize that mobile devices running Android and iOS are also susceptible to ransomware attack. Law enforcement was aware of this and warned of it in intelligence briefings found in the BlueLeaks collection leaked by DDoSecrets in mid-2020.

Users on the darknet discussion forum Dread also confirm that sophisticated Android-based ransomware is in development by some of the most prolific ransomware criminal gangs in the underground.

Android ransomware is hard, I think maze is working on some currently but I’m not sure how far they’ve got.

— User /u/overload on darknet forum Dread, (Source: DarkOwl Vision)

After considerable review of the popular Android-specific ransomware payloads available for sale or use on the darknet and deep web, DarkOwl analysts believe Android-based ransomware and device locking will be a noteworthy feature of standalone ransomware payloads, RATs and banking botnets.

There is a plethora of free and pay2play downloads available from notable threat actors and well-respected darknet hidden services, accompanied by instructions on how to use the ransomware. The availability of detailed instructions allows even the most novice malware fanatic to put such malicious code into action without much effort.

SAURON LOCKER

Figure 5: Offer for Sauron Locker on Deep Web Forum (Source – DarkOwl Vision)

Sauron Locker has been observed being distributed to Android devices via a cracked version of the popular mobile game Clash Royale, originally developed by Supercell. Unsuspecting victims hoping to get the free cracked version from third-party websites are instead delivered the ransomware, which locks their devices and displays ransom demands. Sauron Locker also includes geographical location detection, allowing it to present custom ransom notes and payment demands based on the location of its victims. Researchers have observed the locker demand higher ransoms from victims in the US than in Europe or Russia.

Sauron Locker was most recently advertised on a popular hacking deep web forum by the user blackhatrussia. DarkOwl analysts have observed blackhatrussia frequently distributing various strains of malware, including Sauron Locker, on hacking forums and their personal website. Sauron Locker is advertised to work on Android devices from Android 4.4 KitKat to Android 9.0 Pie. blackhatrussia accepts payment for the malware exclusively via several cryptocurrencies, including Bitcoin, Litecoin, and Dogecoin. Interestingly, on the threat actor’s personal website, Sauron Locker appears to be available free of charge via three unique download links that may or may not also infect the user in the process of download.

In November 2020, DarkOwl also uncovered another Sauron Locker specific thread on one of the most respected darknet forums, by the user Cold_Killer. Instead of providing the source code for the ransomware directly, Cold_Killer is requesting $60 USD in cryptocurrency merely to use Sauron Locker. The download links included in the thread are presumably password protected, with credentials handed over once payment is received.

Figure 6: Offer for Sauron Locker on Deep Web Forum (Source – DarkOwl Vision)

Not too surprisingly, DarkOwl also discovered a Sauron Locker thread on additional deep web forums (pictured above), by the user speedwap4. This thread is almost an exact copy of blackhatrussia’s. The user speedwap4 included their Telegram contact information “@MegaFunds” in the advertisement for future discussion. The Telegram handle has been associated with other darknet actors across the darknet carding and hacking communities including Bitcoin stealers.

This association with Bitcoin stealers might explain the origins of observations by some researchers where Sauron Locker is installed alongside a cryptocurrency miner that readily consumes the victim’s device’s resources, data, and bandwidth as it uses these to mine for digital currencies like Bitcoin.

XERXES ANDROID BOTNET

In early February, a Telegram post included a link to the Xerxes Android Botnet advertised by a malware developer known as @zEdHacKs. Interestingly, this same name was used as a password to access the software download link shared on a similar hacking-focused Telegram group back in 2019. In addition to a device locker, this botnet is advertised to also include an SMS Stealer, App Downloader, Credit Card Grabber, and Notification Sender. DarkOwl has not confirmed how effective this malware is once deployed on a victim’s device.

 
Figure 7: Advertisement posted on Telegram for the Xerxes Android Botnet (Source: DarkOwl Vision)

OXYN-ANDROID-BOT

The Oxyn-Android-Bot is similarly advertised to include the OX-Locker ransomware in addition to exfiltration of banking and personal data from the victim’s Android device. This malware variant also includes harvesting of the device’s geolocation data and notification manipulation, a technique discussed in detail in a Microsoft report published late last year warning of the dangers of a ransomware strain they call MalLocker.B, which hijacks the incoming call notification for exploitation. (Source)

The creator of the Oxyn-Android-Bot is active across many of the key darknet communities and, like other malware developers, leverages GitHub to distribute information about the malware, in addition to darknet and deep web criminal forums and Telegram channels.

The latest price range for this malware was $1,200 to $2,000 USD, depending on the type of customer support package purchased.

Figure 8: Oxyn-Android-Bot (Source: GitHub)

COVIDLOCKER & WANNALOCKER

Figure 9: Telegram advertisement for CovidLocker (Source: Telegram)

DarkOwl became aware of these Android Ransomware strains by name after they appeared for download on a hacker Telegram channel last October.

The offer included links to download the ransomware’s source code and decryption passkeys. The community where this ransomware was discovered offers tutorials and mentorship – along with several “ransomware builder” collections – for those in the early stages of learning how to write and deploy malware for financial gain.

As with Oxyn’s bot, DarkOwl has not verified the severity or specific technical details of these ransomware variants’ features.

Threat Attack Vector for Android OS Attacks

Easy Delivery Method

Android ransomware can be delivered via malicious app download, as observed with Sauron Locker, or via SMS message. In 2019, malware developers delivered their ransomware via malicious posts to popular Android-developer focused boards on Reddit and XDA Developers. (Source)

Network-wide deployment against employee devices is not impossible. A successful phishing or vishing attack against users can give threat actors full control of a device. Once inside that device, lateral movement within the network can infect multiple devices at once. Just recently, IBM uncovered a phishing attack using a very similar strategy.

Figure 10: Example of a phishing email, which is a common threat deployment vector for RATs (Source – https://securityintelligence.com/wp-content/uploads/2020/12/1606993218.jpeg)

“FUD” (no, not that FUD) MALWARE

As previously mentioned, a number of “crypters” are readily available for use against Android OS in conjunction with Android RATs. In 2020, DarkOwl analysts discovered users on Telegram sharing an APK crypter that includes an anti-virus bypass coded in Java, allegedly by the DedSec hacking crew (though there is some suspicion that this might be a case of alias hijacking).

They describe this malware variant as “Fud” – which in this case is intended to stand for “fully undetectable.”

Figure 11: “[Fud]APK Crypter” for sale (Source – DarkOwl Vision)

An Ever-Evolving Threat

At the end of 2020, DarkOwl analysts were informed by darknet sources of a Cyberpunk 2077 related ransomware in circulation across the video gaming community. Shortly after the debut of the popular game, cybercriminals uploaded a “fake” Cyberpunk 2077 Android app to a fake website impersonating the Google Play store. The app installed BlackKingdom Coderware, developed by Telegram user “@Codersan,” which encrypted all the device’s files, including the embarrassing selfies, and displayed a ransom note demanding $500 USD before files could be recovered.

In early January, DarkOwl detected the source code for this malware with the filename: coderware.ransomware_py, confirming it was developed in Python, posted on a popular darknet hacking forum. The forum user included criticism of the code, stating it was “script kiddie ransomware.” 

Figures 12 & 13: Screen captures of the Cyberpunk2077 malware offered on Google Play Store.

Researchers at Kaspersky first detected the ransomware in the wild and noted that the files can be easily decrypted using any RC4 decryptor. Luckily, there are a number of decryptors readily available on GitHub, along with the apk file and malware sample: hxxps://github.com/dot-sec/Cyberpunk2077-android-malware.

This fake Cyberpunk 2077 ransomware delivery app is completely unrelated to the ransomware attack that the developers of The Witcher series have been battling since February 9th, earlier this month. The CD PROJEKT RED Twitter account (@CDPROJEKTRED) shared an update including the ransom note, which included threats to release the source code of their popular game series.

Figure 14: Screenshot from Twitter (Source: https://twitter.com/CDPROJEKTRED/status/1359048125403590660?s=19)

As DarkOwl has observed and historically reported, the darknet and deep web are home to an extensive malware economy, with marketplaces and forums that offer a wide range of malware, threats, and viruses. Sellers not only offer a variety of RATs as described above, but also VPN services, exploits, crypters and ransomware, along with all the educational materials and personalized support: private guides, tutorials, and mentors for hire – ready to educate those newly entering the underground cyber-criminal industry.

Curious about something you’ve read, or want to learn more? Subscribe to our blog to get the latest.

Shiny Leaks and Criminals: SolarWinds, Seller13 and ShinyHunters

During review of recent darknet hidden service domains collected from Tor, DarkOwl analysts discovered a new ‘leaks-focused’ marketplace called “Dark Leaks Market” featuring a wide range of leaked databases and documents from recently ransomed corporate organizations. An underground forum user, using the alias “Seller13,” shared the URL for the marketplace while promoting their most recent acquisition of documents identified as “Solar Winds Data Leak,” consisting of critical client information related to SolarWinds customers.

In late December 2020, DarkOwl discovered an advertisement identified as “The Solar Winds Data Leak” on the Dark Leak Market for $85,000 USD. The database was listed as including “highly confidential tools leaked documents with worldwide client list and their deals” as well as “usernames passwords of their networks, email id’s and their conversations – [including] Top secret information about their affairs.”

While the database is listed for sale for $85,000 USD, the advertisement further states that the data is offered to the highest bidders and will be sold to only two of them. As of January 3, 2021, the price had dropped to 0.5 BTC, or approximately $16,000 USD according to historical Bitcoin prices at the time.


Who is Seller13?

The “Who Are We” section of the market identifies the group as a “team” of “cybersecurity enthusiasts, cryptopunks, entrepreneurs and businessmen” who are clearly not native English speakers, as is apparent from the significant number of grammatical and spelling errors throughout the description of their operations. This suggests that “Seller13” is not a lone-wolf style cybercrime enthusiast, but instead a group of criminals working together to infiltrate commercial networks and capitalize on crimes across the darknet.


DarkOwl also uncovered an encrypted chat channel, hosted by Seller13 and accessible only by invitation, where they are even more exuberant about their acquisition of SolarWinds related leaks. Their latest comments, posted in the early hours of the week before New Year’s, suggest that they were in the process of purchasing the SolarWinds “hacked database and information” and were going to resell it in 1 to 5 GB parts.

As of January 3, 2020, Seller13 stated they were uploading the SolarWinds data to mega.nz.

Using DarkOwl Vision, analysts discovered that a user with the pseudonym of “Seller13” has an extensive history of activity on the darknet, including a deep web forum discussing weapons popular with native Russian speakers.

DarkOwl detected advertisements from as early as 2011 on a deep web forum selling various small arms and accessories, including the MMG Thompson M1 and the RP 46. This suggests that not only is Seller13 possibly from Eastern Europe, but they also have a history of criminal activity and extensive connections with cyber criminal organizations that have been historically active across the darknet and deep web.

Compromised commercial website data shared on the popular deep web forum RaidForums links the alias “Seller13” to several email addresses, such as: [email protected], [email protected], and [email protected]. DarkOwl has little to no confidence that the email address [email protected] is connected to the darknet actor Seller13, based on the commercial website where it was obtained. More interestingly, however, the hotmail.de email address was associated with the pseudonym “Seller13” in a data breach called “l33t crew members” from 2017.

A connection to REvil?

Ironically, many of the databases offered for sale on the Dark Leak Market and advertised on Seller13’s Telegram channel have been previously observed as data obtained via ransomware attacks by the ubiquitous REvil criminal organization out of Eastern Europe. DarkOwl analysts recorded victims such as Kenneth Copeland and Agromart, as previously advertised on the “Happy Blog” darknet hidden service published by the REvil group back in 2020.

It is unconfirmed whether Seller13 is a legitimate darknet vendor of actual criminally obtained data or just another darknet scammer in the business of capitalizing on popular commercial datasets, such as SolarWinds, who will simply take their customers’ cryptocurrency and never deliver any meaningful data. DarkOwl has surmised several possibilities around Seller13’s ultimate intentions and how they obtained the data listed on their hidden service: did Seller13 obtain the data via purchase with intent to resell? Are they acting as an agent of REvil, given the negative publicity received by the ransomware group? Lastly, is Seller13 a legitimate member of the REvil team who has spun off to start the Dark Leak Market?

Regardless of who they really are, the advertising of these databases outside of REvil confirms that once a victim has been compromised, there is no assurance that their data will stay with the group that stole it.

Seller13 Rebranding as ShinyHunters Affiliate

Since the initial detection of Seller13 on the darknet and Telegram, DarkOwl has observed the threat group launching a concerted rebranding of their cybercriminal commercial operation from “Seller13” to “S# Hunters.” Their activity across Telegram and the darknet now references @Omn1p0t3nt for additional contact and speaks of the availability of numerous “Shiny Leaks” on offer. Their current and historical advertisements on public darknet hidden services allude to the availability of “ransomware setup, source codes, and dark web marketplace scripts” for sale, further connecting this group of threat actors to ransomware criminal groups.

ShinyHunters is a pseudonym affiliated with an infamous darknet threat actor group that has released significant volumes of databases from compromised commercial websites around the world – databases containing millions of leaked email addresses and passwords, and personally identifiable information (PII) such as full names, addresses, credit card data, and IP addresses. News of their most recent database leak, from the online dating service MeetMindful, was discussed in recent information security open-source reporting.

ShinyHunters has been extremely active across many Russian and English speaking darknet and deep web networks and communications, including Telegram, for the last couple of years. DarkOwl has also observed the group actively selling leaked databases on Empire Market, where an offer for “First Stage Mindful 2M” – likely affiliated with the MeetMindful database leak – was offered for sale as early as May 2020 for $1,300 USD.

 

According to some darknet sources, ShinyHunters has supposedly also previously used the moniker, Prosox, who has been active since at least 2018 with a “team of Moroccan hackers” across the deep web, Telegram, and Discord. They are most notorious for defacing YouTube titles via a zero-day vulnerability now patched by the content provider.

After careful review of the Dark Leak Market and the advertisements for “Shiny Leaks” that the threat actor now calling themselves “S# Hunters” has posted across various hidden services on Tor, there is a strong probability that this threat actor is merely a scammer, capitalizing on the public media attention the real “ShinyHunters” darknet cybercriminal group is receiving.

In some of their most recent posts, they refer and give credit to a Telegram user known as @Omn1p0t3nt, who they state acquired hacked “Fire Eye Tools,” presumably from the SolarWinds and Sunburst exploits. This pseudonym is extremely similar to that of another popular deep web threat actor and administrator of RaidForums, known as “Omnipotent” without the “l33t” spelling, further suggesting a scammer’s psychological game is in the works.

DarkOwl will continue to follow as more information is available.

Cyber Weapons on Darknet Marketplaces and Forums

Underground markets of the darknet provide an extensive inventory of illegal goods for sale, including, but certainly not limited to, drugs, weapons, and hackers and assassins for hire. In the “Digital Goods” section of most marketplaces, one will find an array of malware, bots, and services for conducting offensive information operations against a victim network or targeted information system.

While many of these tools are considered ‘commercially’ available products and services for any interested anonymous darknet buyer with the cryptocurrency to purchase them in hand, nation state-level cyber threat actors are certainly one potential consumer of any of these products, with the intent to add these digital weapons to their repository of cyber tools.

[Quick Read: Darknet posts show SolarWinds has been a target, and has open servers that trace back to Russia]

As we’ve recently reported in our findings regarding the SolarWinds hack, monitoring the darknet for these types of tools and malicious discussions enables organizations to understand when and if they’re a target, and prepare accordingly.

For example, in the case of SolarWinds, we have evidence that they have been targeted by hackers for a number of years. A few searches in DarkOwl Vision’s database of darknet content reveal glaring potential indicators of compromise that, when taken seriously, could have been leveraged by their customers as a cue to safeguard themselves against what ultimately resulted in the devastating hack that transpired this year.

There are many more cyber weapons at Nation-State threat actors’ disposal on the darknet

The digital goods section of most darknet marketplaces is broad in its offerings, suggesting that a ‘digital good’ consists of any product or service delivered virtually, unlike the purchase of an illegal weapon or illicit drugs that are delivered to a physical address. As such, the digital goods section of many marketplaces includes PDF guides, lifetime website memberships and subscriptions, and digitized programming books with little to no value to a sophisticated nation state cyber actor. Most of these are innocuous instructions for those newest to underground criminal operations, such as carding, identity fraud, basic social engineering, and technical ‘hacking’ manuals covering basic network penetration.

Basic Network Exploitation Tools

A darknet marketplace consumer can also purchase any number of basic network protocols and tools for maintaining anonymity, such as anonymous servers, VPNs and bulk proxies. It is unlikely a foreign nation will need such simplified tools; however, there are also vendors selling more advanced versions of the same type of tools, in packages such as KeyLogger Script Collections and CIA forensics expert tool – Magnet IEF on White House Market, or the FBI Hacking and Forensic Toolkit for exploiting mobile phones, for sale by the vendor breadsdrugged on DarkMarket. This package is advertised to include the KONBOOT authentication bypass and Oxygen Forensics, which retrieves deleted texts and extracts data from all the popular mobile-phone cloud providers.

Then, there are also commercially available remote access trojans and bots that nation states could leverage for more sophisticated attacks and espionage. The Anubis Bot, the AZORult Trojan (Version 3.3), and Spy MAX v1.0 – Android RAT are all currently available for sale across many darknet marketplaces and accessible via an instant download link delivered upon purchase.

Historically, nation states readily target mobile phones for espionage and intelligence collection. This was publicly revealed when the Kingdom of Saudi Arabia’s (KSA) intelligence and government officials were caught using the Pegasus malware, developed by an Israeli security firm, against WhatsApp and iPhone messaging platforms to target dissident journalists. Recent reporting from the University of Toronto’s Citizen Lab details how the Saudi government targeted 36 journalists from Al Jazeera earlier this year.

Cobalt Strike is a popular software emulation environment designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors, and it is readily for sale on the darknet. Recent open source reporting suggests hackers sponsored by the Chinese government have been actively using Cobalt Strike to enable backdoor access to a number of compromised networks and information systems, allowing the deployment of additional tools on those networks in the future.

Banking Malware for Large Scale Financial Industry Attacks

Some nation states, such as North Korea, have been known to leverage banking malware in cyber-operations to recoup financial losses caused by international sanctions. Vendor leaguemode on DarkMarket offers the GozNym 2.0 banking bot for purchase for $1500 USD per build. The same vendor also sells ATM malware that is deployed via EMV (Europay, Mastercard, and Visa, i.e. “chipped”) debit cards on the same market for $1,000 USD per card.

Tools to support the targeted phishing of international banks based in North America, such as CHASE and Canada’s CIBC, are also currently available for sale on darknet markets. The digital good includes the HTML and CSS for scam websites imitating a number of prominent banks, including detailed administrator panels. These websites could be used by nation states to conduct targeted attacks against financial institutions.

Ransomware for Offensive Cyber Operations

One information operations technique nation states could employ is simply shutting down the critical operations of a competitor country’s key corporations and industries. WannaCry (aka GonnaCry) ransomware successfully crippled the UK’s National Health Service and is currently for sale on White House Market for $150 USD.

The source code for another effective ransomware, known as KingLocker, is also available for purchase and could be customized by a nation state to conduct a large scale campaign against a target industry or country.

The ransomware could be coupled with country-specific business directories, also for sale on darknet marketplaces, for targeted in-country deployment. Multiple vendors on White House Market sell leaked databases; a directory of Dubai’s enterprises and UAE businesses costs as little as $129 USD, while Russia’s industry data with business names, domains, and contact information is only slightly more at $160 USD.

Targeted Phishing and Disinformation Campaigns – Credentials and PII

In the same way leaked organizational information for sale on the darknet could be instrumental for launching ransomware attacks, other critical country-specific information could be leveraged for targeted phishing and disinformation campaigns.

On DarkFox, the vendor GoldApple sells numerous combo lists and US state-level voter registration data. The same vendor offers over 570,000 (0.57 million) email addresses of Japanese citizens for as little as $10 USD that could be used for targeted attacks and disinformation campaigns.

One vendor offers a list of millions of US mobile phone customers’ personal information, including social security numbers and carrier, that could be used for spamming and disinformation, for $229 USD. The same vendor also has another 8 million Chinese phone numbers for only $200 USD.

Another vendor offers Taiwan’s Ministry of Civil Service database of employees for €69 EUR, which could be used for targeted phishing to infect government networks for espionage.

A database containing information for a US intelligence agency is advertised for sale on White House Market for a mere $100 USD. According to the advertisement and the hackers who obtained this information, it was stolen from a cloud server owned by the US government. The database contains thousands of records of critical, detailed information associated with the vendors providing goods and services to the agency. This information could be invaluable for a targeted information operations attack by a nation-state.

Most nation-state sponsored human intelligence operations require fake identification and passports. Vendors on the darknet offer fake US passports with biometric data for sale for a starting price of $2,000 USD. The advertisement, posted by vendor topvendor on White House Market, states that all their identifications have machine-readable data zones and a three-layer security UV hologram that will read out correctly when scanned at borders. The vendor also offers detailed advice on travel routes and social engineering methodologies for interacting with customs officials.

As we reported earlier this year, social media manipulation is an increasingly popular technique used by nation state actors to conduct disinformation and propaganda campaigns against their adversaries. Accounts on almost all prominent social media platforms are readily available for sale across most darknet marketplaces with digital goods. Long-term established accounts with more ‘followers’ and historical influence are more coveted. One can purchase 1,000 LinkedIn followers for as little as $15 USD on ToRReZ, which could be essential for a nation-state level social engineering or espionage attack, while 50,000 Instagram followers cost upwards of $350 USD. A Facebook campaign to disseminate a particular propaganda agenda is also available for as little as $380 USD from the vendor etimbuk on the ToRReZ market.

Unique Exploits for Field Operations

One vendor on White House Market using the pseudonym unglued recently posted a 12-Watt Frequency Generator for sale on the marketplace. The hand-held device could be utilized by a threat actor to jam and potentially interfere with a wide range of frequencies, including those used by mobile phones, Bluetooth devices, and GPS receivers. Nation-states wanting to conduct in-field operations could greatly benefit from such a device. The unit sells for $1,200 USD.

Still the most prevalent cyber weapon: credentials

Exposed credentials will continue to be one of the most prominent attack vectors against organizational networks for cyber campaign operators, large and small.

According to recent Wall Street Journal reporting, the initial compromise of FireEye was through an employee’s VPN credentials; luckily, the employee alerted IT security when their account was accessed from an unrecognized device, which kickstarted the SolarWinds investigation.

“Hours later, the National Security Agency, America’s top cyberspy organization, issued a broader warning to defense agencies and contractors about vulnerabilities such as those exposed by the SolarWinds attack. Hackers, it said, were finding ways to forge computer credentials to gain wider access across networks and steal protected data stored on in-house servers and cloud data centers. The approach, the NSA said, may have been used in an attack on VMware Inc. software used in national security circles that the spy agency warned about earlier this month.” – Wall Street Journal

DarkOwl also discovered darknet users talking about key open source reporting regarding the attack, more specifically, Vinoth Kumar posted to social media that he found a public Github repo leaking credentials belonging to SolarWinds since June 2018.

Leveraging vulnerabilities uncovered in the Microsoft platform, the nation-state hackers behind the SolarWinds attack also accessed key leadership emails at the U.S. Treasury Department and other critical U.S. government agencies.

DarkOwl Vision has indexed over 6,100 documents containing compromised e-mail addresses and passwords for federal employees using the treasury.gov email domain.

Contact us to learn more about how you can monitor the darknet for exposed credentials using DarkOwl Vision

Evidence of SolarWinds Vulnerabilities on the Darknet

In light of the large-scale nation-state sponsored attack against U.S. government networks and critical commercial sectors of the U.S. supply chain, our analysts reviewed historical darknet content for any SolarWinds-related activity. We uncovered an extensive amount of content describing SolarWinds and Orion-specific vulnerabilities and zero-days across darknet exploit marketplaces and discussion forums, many of which could be devastating if exploited at scale.

Most notably, DarkOwl analysts also uncovered SolarWinds product documentation and application executables stored on unsecured FTP servers, successfully collected by DarkOwl’s platform back in late 2019. The FTP servers contained not only SolarWinds-specific server files but also Microsoft’s dotnetfx.exe file, a critical executable for installing operating system updates.

Source DarkOwl Vision: 8581ed393d5aabc9da818b2b3455c450

Upon further investigation, we traced the IP address of these open FTP servers to the internet service provider, JSC “Severen-Telecom” (severen.ru) in the Northwestern Federal District of Saint Petersburg, Russia.

In addition to the potential tie linking these files to campaigns conducted out of Russia, we also have a great deal of evidence showing a suspicious amount of interest in SolarWinds vulnerabilities across the deep web and darknet. In fact, based on the extent of our analysts’ findings on the darknet alone, we have reason to believe that SolarWinds has likely been a cyber target for quite some time, though a large share of these indicators that SolarWinds was being targeted appeared in late 2019 and early 2020. For example, DarkOwl Vision has collected 98 documents from a single popular zero-day marketplace with mentions of SolarWinds-specific vulnerabilities since February 2020 (shown below).

Example of SolarWinds Cross Site Scripting Vulnerability, posted on the darknet in May of 2020

Example of SolarWinds SQL Injection Exploit, posted on the darknet in May of 2020

In addition, our analysts have noted a great number of users on deep web forums who have displayed a particular interest in understanding critical information security applications and intrusion detection systems, with shares of ‘cracked’ versions of the SolarWinds Security Event Manager application as recently as July 2020 (pictured below).

Source DarkOwl Vision: b7c107a767fa84498e5661e22d261c9a

In recent days, DarkOwl has witnessed several darknet users across English and Russian-speaking forums discussing key open source reporting regarding the attack, more specifically, Vinoth Kumar’s social media post in which he uncovered a public Github repo that had been leaking credentials belonging to SolarWinds since June 2018.

(Source in Vision: bc257bc48dd0452f7ea3412d0288f588)
The Digital Economy of Disinformation: Darknet Threat to Election Security

In previously published analysis, we outlined the economies of social media and disinformation-as-a-service on the darknet, highlighting how there is now a significant ecosystem across the underground internet feeding the enterprise of mis- and disinformation for financial profit and political gain.

With the 2020 Presidential and General Election rapidly approaching, we decided to take a closer look in this report at the vulnerabilities to election security openly discussed on the darknet, including voter registration data and security risks to ballot tallying technologies, along with recommendations on the remediation both concerned individuals and state election officials can take.

Editor’s Note: DarkOwl is politically neutral and has no intention of further promoting misinformation that the upcoming U.S. election is in jeopardy because of the increased use of mail-in ballots. Instead, using a wide body of intelligence, primarily captured by the company’s 24/7/365 crawls of the darknet and deep web, this report seeks to inform and educate the public and the information security community about the information available on the darknet and our subsequent intelligence findings and recommendations.

Ballot Tallying Technology Discussions on the Darknet

PRIMER ON ELECTION TECHNOLOGIES

Election day ballot marking and tallying technology in use widely varies from state-to-state:

Optical Scan Paper Ballot Systems
These include both mark sense and digital image scanners where voters manually mark paper ballots that are hand fed into and tabulated with these scanners at the polling location or transferred to and collated at a centralized location.

Direct Recording Electronic (DRE) Systems
These use touchscreen terminals to record the votes, which are stored in the device’s internal memory and then transferred to a centralized location for tabulation. Some of these systems use internal modems for wireless data transmission. Most DREs include a paper receipt or ballot of the voter’s selection, but as many as 15 states have districts that use DREs without a paper trail.

Ballot Marking Devices (BMD) and Systems
These are designed to help disabled voters who might be unable to vote using other methods. Some of these devices include a touchscreen interface with audio and other features similar to DREs.

Punch Card Voting Systems
These require the voter to punch holes in cards using a supplied punch device. Cards are then fed into a computerized vote tabulating device or counted manually in a ballot box. These systems are less common in the U.S.

TIP: You can check what voting options are available to you here: https://verifiedvoting.org/verifier/#mode/navigate/map/ppEquip/mapType/normal/year/2020

DARKNET CHATTER INCLUDES DISCUSSIONS ON ELECTION TECHNOLOGY VULNERABILITIES

While a few states still rely on the manual counting of paper ballots, most lean on a number of ballot tallying technologies manufactured by three principal vendors: Election Systems and Software (ES&S), Dominion Voting, and Hart InterCivic. We have observed darknet chatter around all three of the aforementioned ballot tabulation vendors.

The security and veracity of these election technologies have been widely discussed, both at information security conferences and in underground communities of the darknet. Some technology exploitation demonstrations in the past resulted in sweeping changes to the technologies employed by specific states. For example, in 2017 Virginia’s Department of Elections recommended decertifying all of the state’s DRE machines after hackers at DEF CON’s Voting Village that summer “pwned” them in record time, exploiting numerous vulnerabilities in the systems.

Many DREs include printers that produce a paper trail for election auditing, but there is no way to compare what is printed on the paper with both the voter’s selections and what has been stored on the machine’s attached memory card, which is used for the official record. Voters can increase their ownership of their vote by verifying that the information printed on the receipt or paper ballot after using the DRE is accurate before handing it over to the poll workers for official casting.

Pictured: “The absence of evidence is not evidence of absence” — A darknet user comments that fraud is completely possible with the eSlate voting machine’s dependence on Microsoft Access databases without encryption or authentication.

Texas reportedly had issues in the 2018 midterms with its Hart eSlate voting machines, as voters in more than 80 counties reported seeing their choices flip to the other party’s candidate for Senate when they tried to cast a straight ticket. Hart InterCivic attributed this to user error and touch screen sensitivity.

A similar issue was experienced in Northampton County, Pennsylvania, when election officials had to move to hand counting paper ballots well into the morning after their ES&S ExpressVote XL machines were acting “finicky” and deleting candidate selections.

Hart’s eSlate machines are widely criticized in comments across anonymous discussion forums in the darknet. One anonymous user commented that fraud was completely possible with the machine’s dependence on Microsoft Access databases without encryption or authentication.

A prominent malware developer on the deep web recently suggested that their customized Remote Access Trojans (RATs) could easily be used to infect election systems, asserting that the machines were likely still vulnerable to Remote Code Execution exploits via Windows LNK files, also known as shortcut files. However, Microsoft released patches for both Windows 7 and Windows 10 operating systems earlier this year, and DarkOwl assesses that election officials and technology vendors would very likely patch their systems accordingly well before the general election, so the successful use of such a threat is highly improbable.

Users on a darknet hacking forum discuss that antivirus and malware detection software is not usually available on older DRE systems such as ES&S’s DS850, an 8,000-ballot-per-hour central counting machine. The post author stated that malware infection would require physical access to the machine or a compromised insider to load any malicious software. They also discussed adding an air-gap module to the malware and delivering it on a “replacement USB” drive sent to the state’s elections office, with packaging replicating the voting system manufacturer’s and tagged as a “firmware update.”

As reported at the end of September, someone recently stole two ES&S USB drives and a laptop belonging to an on-site employee of the company from an elections warehouse in East Falls, Philadelphia. According to ES&S’s website, their ExpressVote XL machines are shipped with proprietary USB flash drives containing encrypted data signed with FIPS-compliant security keys to prevent tampering and the possibility of overwriting or changing the system firmware, even if malware is loaded on a replacement USB sent to the officials.
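The signed-update defence described above, as an added illustration that is not ES&S’s code or format: a device pins the vendor’s public key and refuses any image whose signature does not verify under it, so a “replacement USB” labelled as a firmware update gains nothing from the label. The package layout, the Ed25519 keys (derived from fixed, constructed seeds) and the image bytes are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update as it might be delivered on a USB
// drive: the image bytes plus a signature over the image digest. This is an
// illustrative layout, not the format any voting-system vendor actually uses.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

// imageDigest hashes the image so the device can check a large image in a
// single pass; Ed25519 then signs or verifies the 32-byte digest.
func imageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// SignUpdate is the vendor-side step: sign the digest with the release key.
func SignUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	return UpdatePackage{
		Image:     append([]byte(nil), image...),
		Signature: ed25519.Sign(priv, imageDigest(image)),
	}
}

// VerifyUpdate is the device-side gate that runs before anything is written
// to firmware: the package is accepted only if its signature verifies under
// the vendor public key pinned in the device.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("no valid vendor key pinned; refusing to install anything")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed or missing signature; refusing install")
	}
	if !ed25519.Verify(pinned, imageDigest(pkg.Image), pkg.Signature) {
		return errors.New("signature does not verify under the pinned vendor key; refusing install")
	}
	return nil
}

// Outcome records how the device responded to three deliveries.
type Outcome struct {
	GenuineAccepted  bool // vendor-signed image installs
	TamperedRejected bool // modified image carrying the original signature is refused
	ForeignRejected  bool // image signed by a key the device does not trust is refused
}

// RunScenario builds the three deliveries from fixed seeds (constructed test
// keys, not real vendor keys) and reports the device's decisions.
func RunScenario() Outcome {
	vendorPriv := ed25519.NewKeyFromSeed([]byte("constructed-vendor-seed-32-bytes"))
	attackerPriv := ed25519.NewKeyFromSeed([]byte("constructed-attack-seed-32-bytes"))
	pinned := vendorPriv.Public().(ed25519.PublicKey)

	image := []byte("constructed tabulator image v2.1 (placeholder bytes)")
	genuine := SignUpdate(vendorPriv, image)

	// A "replacement USB" case: the image is altered but the original
	// signature is copied across unchanged.
	tampered := UpdatePackage{
		Image:     append(append([]byte(nil), image...), []byte(" + implant")...),
		Signature: genuine.Signature,
	}

	// The altered image re-signed with a key the device has never trusted.
	foreign := SignUpdate(attackerPriv, tampered.Image)

	return Outcome{
		GenuineAccepted:  VerifyUpdate(pinned, genuine) == nil,
		TamperedRejected: VerifyUpdate(pinned, tampered) != nil,
		ForeignRejected:  VerifyUpdate(pinned, foreign) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```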

Pictured: Early ES&S system deployment diagram that suggest many older devices were equipped with an internal modem for communicating results to a centralized communications server at the state board of elections for preliminary dissemination and predictions for media outlets. (Source)

The threat to the security of voting and tabulation machines is greatly reduced by keeping the devices off the internet and restricting physical access to trusted employees and election workers. Early system deployment diagrams provided by ES&S (and obtained by Vice) suggested many of their older devices were equipped with an internal modem for communicating results to a centralized communications server at the state board of elections for preliminary dissemination and predictions for media outlets.

These diagrams also suggest the systems rely on Windows Server 2008 R2 and Windows 7, which would most likely have been updated by the 2020 election year.

Kevin Skoglund from the National Election Defense Coalition (NEDC), an election security advocacy group, stated they found over 35 voting systems left online across 10 different states for several months. Some of the machines discovered online, likely exposed during technical maintenance and calibration servicing, were in crucial swing states like Florida and Michigan.

This summer, the NEDC sent coalition letters to states across the country outlining a list of immediate actions to secure the voting process before the 2020 general election: (Source: https://www.electiondefense.org/reports)
  • Ban all voting technologies that are connected to the Internet or disconnect their modems immediately, and scan systems for viruses that may have already been inserted.
  • Place sufficient emergency back-up ballots for all voters in case electronic voting machines break down, or for those who don’t wish to vote on touch screen voting machines.
  • Print hard copy back-up of electronic poll books in all precincts.
  • Disinfect and limit the use of touchscreen machines to mitigate the spread of COVID-19 and avoid long lines on election day.

Darknet Exposure of Voter Registration Data and Election Technology Company Credentials

EXPOSED ELECTION VENDOR DATA & THIRD PARTY RISK

All three of the principal ballot tabulation vendors have darknet exposure of corporate credentials (e-mail addresses and passwords) belonging to their employees.

  • Exposed ES&S Credentials: 468
  • Exposed Dominion Voting Credentials: 94
  • Exposed Hart InterCivic Credentials: 218

“The more I look at this the more I think it’s our guys. How to infiltrate and find voter fraud, hack the system?”

Corporate exposure of employee information is often the first step in exploiting a target corporation, via directed spear-phishing and social engineering. Tyler Technologies, a Texas-based software company whose products are used to display state and local election results, has over 2,000 corporate e-mail addresses in DarkOwl Vision’s database as of the time of writing.
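The per-domain exposure counts given for the tabulation vendors above, and for the treasury.gov domain in the SolarWinds discussion, come from matching leaked credential dumps against monitored domains. The following is an added example of that matching, not DarkOwl Vision’s code: it assumes the common email:password combo-list layout, the dump lines and domains are constructed for the example, and only a short hash prefix of each password is retained so exposures can be correlated across dumps without the monitoring system storing the secrets themselves.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// constructedDump is a made-up excerpt in the "email:password" shape that
// combo lists commonly take. Every address and password here is invented.
const constructedDump = `alice.example@treasury.gov:Winter2019!
bob@vendor-one.example:hunter2
carol.example@treasury.gov:Summer2020
dave@unrelated.example:qwerty
this line has no separator
alice.example@treasury.gov:Winter2019!
erin.example@mail.treasury.gov:Passw0rd
`

// Exposure is one hit worth reporting: the address plus an unsalted SHA-256
// prefix of the password, enough to tell whether two dumps leak the same
// secret without retaining the secret itself.
type Exposure struct {
	Email      string
	PasswdHash string
}

// inScope reports which monitored domain, if any, the address falls under;
// subdomains of a monitored domain count as in scope.
func inScope(email string, monitored []string) (string, bool) {
	at := strings.LastIndexByte(email, '@')
	if at < 0 || at == len(email)-1 {
		return "", false
	}
	domain := strings.ToLower(email[at+1:])
	for _, m := range monitored {
		m = strings.ToLower(m)
		if domain == m || strings.HasSuffix(domain, "."+m) {
			return m, true
		}
	}
	return "", false
}

// ScanDump parses dump line by line, keeps only addresses under monitored
// domains, drops exact duplicates, and groups the hits by monitored domain.
func ScanDump(dump string, monitored []string) map[string][]Exposure {
	seen := map[Exposure]bool{}
	hits := map[string][]Exposure{}
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || parts[0] == "" {
			continue // malformed line: skip rather than guess at it
		}
		email, passwd := strings.ToLower(parts[0]), parts[1]
		dom, ok := inScope(email, monitored)
		if !ok {
			continue
		}
		sum := sha256.Sum256([]byte(passwd))
		e := Exposure{Email: email, PasswdHash: hex.EncodeToString(sum[:4])}
		if seen[e] {
			continue
		}
		seen[e] = true
		hits[dom] = append(hits[dom], e)
	}
	return hits
}

// Counts turns the grouped hits into "domain: n" lines, sorted by domain.
func Counts(hits map[string][]Exposure) []string {
	var out []string
	for dom, list := range hits {
		out = append(out, fmt.Sprintf("%s: %d", dom, len(list)))
	}
	sort.Strings(out)
	return out
}

func main() {
	hits := ScanDump(constructedDump, []string{"treasury.gov", "vendor-one.example"})
	for _, line := range Counts(hits) {
		fmt.Println(line)
	}
}
```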

While their exposed credentials may not be related to this recent incident, it is worth noting that only a few weeks ago, in late September, Tyler Technologies was hit with RansomExx, a malicious strain of ransomware that began circulating on the darknet in late May and early June of this year.

The ransomware, named “ransom.exx” in its source code, is distributed through unsecured RDP configurations, malicious email attachments, fake updates and downloads, and malicious advertising. Tyler Technologies ended up paying the ransom to recover the encrypted data.

[Pictured] Anonymous users, aka “anons” on a darknet controversial imageboard and safe haven for Q-conspiracy theorists, discussed the Tyler Technologies breach within hours of Reuters’ public announcement of the attack against Tyler Technologies.

One user surmised the attack might have originated within the Q-community while another posted multiple doxes, identifying key management and leadership at the company.

EXPOSED VOTER DATA

U.S. voter registration information has been widely circulated across darknet forums and channels for potentially nefarious purposes. Earlier this year, DarkOwl detected U.S. voter registration databases for the states of Michigan, Florida, North Carolina, and Colorado being shared freely, and sometimes sold, on popular deep web forums, but this was certainly not the first exposure of U.S. voter registration data on the darknet.

Pictured: Darknet advertisement for North Carolina voter registration databases

In the leaked police files known as the “BlueLeaks” files, which were released on the darknet earlier this year, official documentation describes how state voter registration data could be misused, and specifically mentions how a malicious actor could leverage voter names, e-mail addresses, and telephone numbers to connect with new audiences and market personalized advertisements according to their views on specific topics, propensity to vote, and other factors. This information, coupled with a foreign adversary’s disinformation campaign, could be utilized to register fake social media accounts, seed content, and amplify distribution of content of interest to targeted audiences.

In 2018, a verified user using the pseudonym Omnipotent shared Kansas’ database of 4.1 million voters’ registration data, including voter IDs, full names, physical addresses, previous addresses, dates of birth, genders, voter status and voter history. Omnipotent suggested the data was collected by gaining access to the state’s official SSH and SFTP servers and downloading the data directly.

While most threat actors are less interested in disinformation and would utilize voter registration data for financial gain via identity fraud or scamming, one darknet source suggested that if any state’s SFTP and SSH servers were insecure to the point of allowing file download and SSH access, then there was nothing preventing the voter registration databases from also being altered. Introducing minor errors into key districts, especially in swing states, affecting as little as 1% of the total records, or preventing as few as 1 in 100 voters from voting due to errors in their recorded registration information, could change a state’s outcome on election day.

Luckily, most states have the option of provisional ballots, and any voter registration discrepancies can be resolved with verification of identity. The FBI has validated that some states’ voter registration servers have been infiltrated in recent years, but in a recent advisory suggests that any release of such widely and publicly available data has no potential impact on the credibility of the democratic election process. (Source)

Pictured: Voter registration databases traded on the darknet, color-coded by darknet vendor and forum (unless otherwise specified).

Disinformation on Election Credibility likely to persist into media coverage on night of election

While voter registration data can obviously be used to conduct targeted disinformation campaigns, it is important to understand the other vectors through which disinformation can be spread by leveraging the other security vulnerabilities described in this report. For example, in the case of Tyler Technologies, actors could potentially take advantage of these known vulnerabilities to intercept early voter reporting data and manipulate it before it reaches the media, which could then lead to unintentional false reporting by the press on which candidate is in the lead. This could be especially impactful to would-be voters, who may choose not to cast their vote if they think their candidate is leading by a wide enough margin.

It is also worth noting that the attack on Tyler Technologies took place within days of the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issuing a public warning that they had intelligence indicating foreign actors would likely spread disinformation on the day of and the days immediately after the election, specifically regarding the election’s credibility, in an effort to actively undermine the country’s democracy.

Knowing the scale of disinformation-as-a-service offerings available on the darknet, the use of proxy media outlets for foreign propaganda information operations, and the economies of bulk social media accounts in support of disseminating and controlling a false narrative, it is understandable why the FBI emphasized the importance of using only the most reliable information sources and not sharing or circulating controversial information about the election.

DarkOwl would add an emphasis on the importance of voting early, regardless of what preliminary local media outlets may suggest about the projected outcomes of an election. The FBI has released a further advisory on how foreign information proxies, including pseudo-academic online journals, may be leveraged to disseminate articles with misleading and unsubstantiated information in order to sow disbelief in the democratic election process.

Given the depth of political dissent DarkOwl has observed across darknet forums and discussion boards, domestic terrorist groups and conspiracy theorists will also inadvertently support these narratives and further exacerbate discord across the country through social media platforms and large group chats.

The best way to avoid becoming a victim and pawn in the ongoing psychological and information warfare around us is to cast your vote; refuse to engage with, disseminate or proliferate any controversial election information on social media; remain calm; and unite with those with whom you may deeply disagree, remembering the words of Helen “Jo” Cox that “we are far more united and have far more in common than that which divides us.”


FOREIGN ADVERSARIES TAKE CREDIT

“In 2016, the U.S. was unprepared at all levels of government for a concerted attack from a determined foreign adversary on our election infrastructure,”
– Senator Richard Burr (R-NC), member of the Senate Intelligence Committee

In another popular darknet discussion board, one user discussed how in 2012 Vladimir Putin publicly decried how the U.S. had encouraged local protestors to claim Russia’s presidential elections were rigged, and suggested that Putin was actively seeking payback by discrediting American elections. This was further supported by a lengthy post on a now-defunct darknet forum back in 2016, by a Russian darknet threat actor, on how easily the U.S. election system could be hacked by Putin and his cyber warriors. The author, using the moniker alex_61, outlined flaws in the voter registration process and duplication of registration data across states, the exploitation of absentee ballots, the ease with which DRE software of the time, based on Windows 2000, could be compromised remotely via the polling location’s wi-fi, the sending of “fake” software upgrades containing malware to state election officials, and the lack of national election oversight and auditing as potential opportunities for mass manipulation that the Russian government was fully capable of.

REMEDIATION: Security recommendations for voters and election officials

As we mentioned throughout the report, despite the threats to US election systems discussed on the darknet, there are plenty of steps voters and election officials can take, and are actively taking, to mitigate any risks to the credibility of the election. Voters can proactively take steps to ensure their information is accurate on their voter registration rosters.

Check your voter registration information online ASAP

  • All U.S. voters should confirm the accuracy of their voter registration information before arriving at their local voting sites on election day. If voting in person, bringing photo identification and proof of residence with you to the voting site helps in case any errors require a provisional ballot. Instructions on how to verify one’s registration information by state can be found at: https://www.usa.gov/confirm-voter-registration

While ballot-tallying equipment and DRE machines are not connected to the internet during active voting on November 3rd, districts across the states are actively securing the information networks around them to prevent disruption or intrusion. MSSPs such as DarkOwl’s partner, CyberDefenses, LLC, help harden election networks and set up redundant network paths, since day-of distributed denial of service (DDoS) attacks have occurred in previous election cycles. They also proactively educate election officials and poll workers on physical and network security best practices, help reorganize networks into more secure configurations, and conduct information assurance testing of many states’ election networks across the country.

In conversations with CyberDefenses, LLC, its technical leadership described a top-down strategy for the Secretaries of State they support: they are less worried about the physical security of election networks than about election-credibility disinformation campaigns run by foreign and domestic threat actors. Earlier this year they witnessed a concerted black SEO campaign, of the kind advertised on underground forums and marketplaces, in which threat actors deliberately buried the official vote411.org domain, a key national election information website, through search-ranking manipulation. Fake domains carrying incorrect information, resolving to IP addresses in Russia, appeared ahead of the official site in Google search results until counter-SEO was implemented. Black SEO and URL hijacking are staple components of the disinformation-as-a-service offerings found across the darknet. Domestic terrorists and foreign threat actors are also conducting heavy reconnaissance of election networks to uncover vulnerabilities that could be leveraged in an election-credibility disinformation campaign.
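The fake-domain side of that campaign is something a defender can watch for mechanically: pull the domains that appear in search results or passive DNS for the protected site and flag the ones that merely resemble it. The script below is an added example written for this page, not DarkOwl’s or CyberDefenses’ tooling, and it checks the impersonation patterns most often seen (TLD swap, digit-for-letter confusables, affixed keywords, one- or two-character typos, and non-ASCII labels). The confusables table is a small hand-picked assumption rather than a full Unicode confusables list, and the OBSERVED domain list is constructed; only vote411.org is the real site.

```python
"""Flag observed domains that impersonate vote411.org (added example)."""
import re

PROTECTED = "vote411.org"

# Digit-for-letter swaps common in typosquats; hyphens are dropped so that
# "vote-411" collapses onto "vote411". Assumption: hand-picked table only.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "-": None})


def registrable(domain: str) -> str:
    """Lowercase, strip scheme/path/port and a leading 'www.', keep the last
    two labels (assumption: no public-suffix list, so co.uk-style suffixes
    are not handled)."""
    d = re.sub(r"^[a-z]+://", "", domain.strip().lower())
    d = d.split("/", 1)[0].split(":", 1)[0]
    if d.startswith("www."):
        d = d[4:]
    return ".".join(d.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected: str = PROTECTED, max_distance: int = 2):
    """Return why `domain` looks like an impersonation of `protected`, or None
    if it is the genuine domain or simply unrelated."""
    d = registrable(domain)
    if d == protected:
        return None
    p_label, _, p_tld = protected.rpartition(".")
    d_label, _, d_tld = d.rpartition(".")
    if not d_label.isascii():
        return "non-ascii"          # IDN homoglyph, e.g. Cyrillic 'е' for 'e'
    if d_label == p_label and d_tld != p_tld:
        return "tld-swap"           # vote411.com, vote411.info, ...
    if d_label.translate(CONFUSABLES) == p_label.translate(CONFUSABLES):
        return "confusable"         # vote4ll, v0te411, vote-411, ...
    if p_label in d_label:
        return "affix"              # myvote411, vote411-results, ...
    if levenshtein(d_label, p_label) <= max_distance:
        return "edit-distance"      # vote41, vot411, ...
    return None


def find_lookalikes(domains, protected: str = PROTECTED):
    """Return [(domain, reason)] for every candidate that is flagged."""
    hits = []
    for dom in domains:
        reason = classify(dom, protected)
        if reason:
            hits.append((dom, reason))
    return hits


# Constructed list standing in for domains scraped from search results.
OBSERVED = [
    "https://www.vote411.org/",   # the genuine site
    "vote411.com",
    "vote4ll.org",
    "v0te411.org",
    "vote411-results.org",
    "vote41.org",
    "vot\u0435411.org",           # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "ballotpedia.org",            # unrelated, must not be flagged
    "vote.org",                   # unrelated, must not be flagged
]

if __name__ == "__main__":
    for dom, why in find_lookalikes(OBSERVED):
        print(f"{dom:28} {why}")
```

The two unrelated domains at the end of the list are the important negative cases: an edit-distance threshold alone would be too loose for short labels, which is why the check runs the cheaper exact-pattern tests first and keeps the distance cutoff small.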

Risks to the voting machines themselves are addressed proactively in the weeks before the election by election officials and their technical support, who make sure every electronic voting machine is running the latest application software and firmware while keeping the machines’ exposure to the internet to a minimum. Officials, their technical staff and on-site machine vendors apply updates by bringing small batches of machines online only long enough to push the installs, then immediately taking them offline again to limit the devices’ network exposure.

Election officials are also advised to treat every package received from device vendors or third parties with suspicion and to verify it, however credible it appears, so that any mailed USB “firmware update” is confirmed to be legitimate rather than a malicious delivery dressed up in a vendor’s name.
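“Verify it” has a concrete meaning: compare what is on the media against digests the vendor published through a channel the package itself cannot control (the vendor’s website, or a phone call to a known contact), and refuse the package if anything differs, is missing, or was never listed. The script below is an added example for this page, not a vendor’s or DarkOwl’s tool. It assumes the vendor publishes a SHA-256 manifest out of band and that the USB contents have been copied into memory on an isolated workstation; every file name, byte string and the manifest are constructed, and the manifest is derived from the genuine bytes only so the example runs self-contained.

```python
"""Verify a mailed update package against a vendor-published digest manifest
(added example, constructed data)."""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every file on the media against the manifest.
    Returns {filename: 'ok' | 'mismatch' | 'unexpected' | 'missing'}."""
    report = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            report[name] = "unexpected"      # present on media, never listed by vendor
        elif hmac.compare_digest(sha256_hex(data), expected.lower()):
            report[name] = "ok"
        else:
            report[name] = "mismatch"        # content altered in transit
    for name in manifest:
        if name not in files:
            report[name] = "missing"         # vendor listed it, media lacks it
    return report


def package_accepted(report: Dict[str, str]) -> bool:
    """Install only when every listed file is present and matches, and
    nothing extra was slipped onto the media."""
    return bool(report) and all(status == "ok" for status in report.values())


# The release as the vendor built it (constructed bytes).
GENUINE = {
    "firmware.bin": b"constructed DRE firmware image v2.3.1",
    "installer.exe": b"constructed installer stub",
    "RELEASE_NOTES.txt": b"v2.3.1: constructed notes",
}

# Digests the vendor published out of band. Derived from GENUINE here only
# to keep the example self-contained; in practice they come from the vendor's
# site or a phone confirmation, never from the package being checked.
VENDOR_MANIFEST = {name: sha256_hex(data) for name, data in GENUINE.items()}

# What arrived on the mailed USB stick (constructed): firmware altered,
# installer intact, release notes absent, an autorun file added.
MAILED_USB = {
    "firmware.bin": b"constructed DRE firmware image v2.3.1 + implant",
    "installer.exe": b"constructed installer stub",
    "autorun.inf": b"[autorun]\r\nopen=installer.exe\r\n",
}

if __name__ == "__main__":
    report = verify_package(MAILED_USB, VENDOR_MANIFEST)
    for name, status in sorted(report.items()):
        print(f"{name:20} {status}")
    print("ACCEPT" if package_accepted(report) else "REJECT: do not install")
```

Two design points matter here. The manifest must be fetched independently of the package, because a manifest file shipped on the same stick would simply be rewritten by whoever tampered with the firmware. And an extra file is treated as a failure on its own, not just a curiosity, since an unlisted autorun or installer is exactly how a poisoned “update” would get itself executed.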

On election day, officials are also advised to stock enough emergency paper back-up ballots for all voters in case electronic voting machines break down or behave unpredictably. Officials should also print hard-copy back-ups of the electronic poll books in every precinct in case registration data or poll book rosters are manipulated in real time. Many districts also rely on “sneaker-net” on election day, phoning in and hand-carrying ballot tallies, to avoid any inadvertent data exposure.

Consider your voting options depending on where you live

If you have concerns about the security of the election systems in use where you live: first, if a paper ballot is printed as the formal record of your candidate selections, take the time to carefully review what has been recorded after using a DRE machine. Second, if you live in one of the few states that use only DREs without a paper trail, or in one of the handful of states where some districts still do, contact your state representatives and insist on a public audit.

 
Copyright © 2022 DarkOwl, LLC All rights reserved.