Category Archives: Deep Web

Watch out, your StockX account details may be available in crime forums

Researchers discovered a dump containing 6,840,339 records associated with StockX user accounts that surfaced in the cybercrime underground.

Last week the media reported the hack of StockX, the fashion and sneaker trading platform. A threat actor stole the details of 6 million users; the stolen data includes user names, email addresses, physical addresses, shoe sizes, purchase history, and passwords stored as salted MD5 hashes.

Now a dump containing 6,840,339 unique StockX user accounts surfaced in the cybercrime underground.

The database is offered for sale in hacking forums, and the sellers claim to have begun cracking the password hashes. The archive was discovered by the security researcher Jim Scott, the same expert who helped Have I Been Pwned find a CafePress dump circulating in the underground.

Scott found that the archive was initially offered for sale on the Apollon marketplace for $300.

How to check whether your account has been compromised

The set of email addresses involved in the StockX data breach was uploaded to the data breach notification service Have I Been Pwned.

Users can check whether their email addresses were part of the breach by querying the Have I Been Pwned website, which received the dump from the password cracking site Dehashed.com. The archive includes 6,840,339 records containing “unique email addresses, names, physical addresses, purchases and passwords stored as salted MD5 hashes”.

According to BleepingComputer, the archive is currently distributed on underground hacker forums for as little as $2.15.

Experts believe that, once they have cracked all the passwords, threat actors will start targeting StockX users.

BleepingComputer reported the case of a hacker who claims to have cracked 367,000 accounts from the dump and is selling them for $400.

StockX users who reused their StockX password on other sites should change it everywhere as soon as possible to prevent credential stuffing attacks.

StockX announced that it has implemented some changes to its infrastructure to mitigate the suspicious activity. These infrastructure changes included:

  1. a system-wide security update;
  2. a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords; 
  3. high-frequency credential rotation on all servers and devices; and
  4. a lockdown of our cloud computing perimeter

Pierluigi Paganini

(SecurityAffairs – StockX, hacking)

The post Watch out, your StockX account details may be available in crime forums appeared first on Security Affairs.

StockX hacked, customers’ data offered for sale on the dark web

StockX, the live marketplace for buying and selling limited edition sneakers, watches, handbags, and streetwear, announced a data breach.

StockX, a live marketplace for buying and selling limited edition sneakers, watches, handbags, and streetwear, announced that its platform had been hacked.

An unauthorized user was able to access customer data; as part of the incident response, StockX forced a password reset for its customers.

At the end of last week, StockX began sending out emails to all of its customers stating that a password reset was required due to a mandatory security update.


Initially, StockX stated only that it had been alerted to suspicious activity regarding customer data and that it had immediately launched an investigation, which allowed it to discover the security breach.

According to TechCrunch, this was only a partial truth: an unnamed dark web seller contacted TechCrunch claiming to hold more than 6.8 million records belonging to the company. According to the seller, the data were stolen by a hacker back in May.

“A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further. But that wasn’t the whole truth.” reported TechCrunch.

“An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data. In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.”

The seller was offering the data for sale for $300 and also provided TechCrunch with a sample of 1,000 records. TechCrunch contacted customers and verified the authenticity of the data.

Exposed data included names, email addresses, hashed passwords (salted MD5), and other profile information such as shoe size and trading currency. The compromised data also included device information and other data used for internal purposes. The good news is that no financial data was exposed.

“We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist.” reads the data breach notification. “Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”

The company announced that it has implemented some changes to its infrastructure to mitigate the suspicious activity. These infrastructure changes included:

  1. a system-wide security update;
  2. a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords; 
  3. high-frequency credential rotation on all servers and devices; and
  4. a lockdown of our cloud computing perimeter

At the time the company did not disclose the number of affected victims or details about the hack.

“As we investigate, StockX will continue to take additional measures, as needed, to protect the privacy of our customers. In the meantime, out of an abundance of caution, we recommend that if you use your StockX password for other accounts, you change those passwords as well.” concludes the company.

Pierluigi Paganini

(SecurityAffairs – StockX, data breach)


Security Affairs newsletter Round 225 and Important Update

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Crooks used rare Steganography technique to hack fully patched websites in Latin America
Jessica Alba’s Twitter account hacked, it posted racist and homophobic messages
Over 23 million stolen payment card data traded on the Dark Web in H1 2019
Android devices could be hacked by playing a video due to CVE-2019-2107 flaw
Facebook deleted Russia-Linked efforts focusing on Ukraine ahead of the election
Prolific Dark Web dealer of drugs pleads guilty
Sonicwall warns of a spike in the number of attacks involving encrypted malware and IoT malware
WordPress Plugin Facebook Widget affected by authenticated XSS
Capital One data breach: hacker accessed details of 106M customers before its arrest
Critical zero-days discovered in VxWorks RTOS, billions of devices at risk
Google Project Zero hackers disclose details and PoCs for 4 iOS RCE flaws
LAPD data breach exposes personal info of thousands of officers
Malware researchers analyzed an intriguing Java ATM Malware
Cyber attacks hit Louisiana schools ahead of years beginning
DHS warns of cyber attacks against small airplanes
Hacking avionics systems through the CAN bus
Hacking campaign is wiping Iomega NAS Devices exposed online
Hacking eCommerce sites based on OXID eShop by chaining 2 flaws
CISA warns of critical flaws in Prima FlexAir access control system
Cisco to pay $8.6 million fine for selling flawed surveillance technology to the US Gov
Cyber Defense Magazine – August 2019 has arrived. Enjoy it!
MICROCHIPS Act aims at improving tech supply chain
New Mirai botnet hides C2 server in the Tor network to prevent takedowns
Recently discovered Hexane group targets the oil and gas industry
Facebook dismantled influence campaigns focused on Middle East and Northern Africa
How to Reverse Engineer, Sniff & Bruteforce Vulnerable RF Adult Toys with WHID Elite
Lotsy group targets Italian and Spanish-speaking users
Nation-state actor uses new LookBack RAT to target US utilities
Over 1 Million payment cards from South Korea sold on the Dark Web
DRAGONBLOOD flaws allow hacking WPA3 protected WiFi passwords
SystemBC, a new proxy malware is being distributed via Fallout and RIG EK

Pierluigi Paganini

(SecurityAffairs – newsletter)




New Mirai botnet hides C2 server in the Tor network to prevent takedowns

Researchers at Trend Micro have discovered a new Mirai botnet whose command and control server is hosted in the Tor network to make takedowns hard.

Experts at Trend Micro have discovered a new Mirai botnet that uses a command and control server hidden in the Tor network, a choice that protects the anonymity of the operators and makes takedowns by law enforcement hard.

“Barely a month since discovering a new Miori variant, we found another new Mirai sample through our research.” reads the analysis published by Trend Micro. “Compared to previous variants, however, we found this sample distinct because the cybercriminals placed the command and control (C&C) server in the Tor network for anonymity.” 

The malware’s command center is hidden to make takedowns a more complicated process. Mirai malware first appeared in the wild in 2016, when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.

Since the code of Mirai was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and OMG are just the latest variants that appeared online in 2018.

The new variant spotted by Trend Micro implements the same features as previous ones; it targets TCP ports 9527 and 34567, a circumstance that suggests its operators aim at IP cameras and DVRs.

The configuration includes possible default credentials that can be used to infect other hosts.

The communication protocol implemented in this sample is the same as in previous Mirai variants, except for the use of a socks5 connection. Experts also identified a byte sequence indicative of a DDoS command sent from the C&C server, which instructs the bot to launch a UDP flood against a specific IP address.
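A defender-side way to use the two behaviours described above (the fan-out on TCP ports 9527 and 34567 while the bot hunts for new cameras and DVRs, and the UDP flood a C&C command triggers), as an added example that is not part of the Trend Micro report: a small Python detector run over constructed connection-log lines. The log format, the thresholds and the addresses (RFC 5737 documentation ranges) are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Ports the Trend Micro write-up names as this variant's scanning targets.
MIRAI_SCAN_PORTS = {9527, 34567}
# Thresholds are constructed for this example; tune them to your network.
FANOUT_THRESHOLD = 5      # new destinations on the scan ports per window
WINDOW_SECONDS = 60

# Constructed line format: "<epoch> <src_ip> <dst_ip> <tcp|udp> <dst_port>"
LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")


def parse_flow(line):
    """Parse one log line into (ts, src, dst, proto, dport); None if malformed."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return int(ts), src, dst, proto, int(dport)


def _max_in_window(stamps, window):
    """Largest number of sorted timestamps that fall inside `window` seconds."""
    best = lo = 0
    for hi in range(len(stamps)):
        while stamps[hi] - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: destinations} for hosts that first contacted at least
    `threshold` distinct destinations on the scan ports inside one window.
    An infected camera or DVR looks like this while it hunts for devices to
    try the configured default credentials against."""
    per_src = defaultdict(list)            # src -> [(ts, dst)] on scan ports only
    for line in lines:
        f = parse_flow(line)
        if f is None or f[3] != "tcp" or f[4] not in MIRAI_SCAN_PORTS:
            continue
        per_src[f[1]].append((f[0], f[2]))
    hits = {}
    for src, events in per_src.items():
        first_seen = {}                    # dst -> earliest contact time
        for ts, dst in sorted(events):
            first_seen.setdefault(dst, ts)
        if _max_in_window(sorted(first_seen.values()), window) >= threshold:
            hits[src] = set(first_seen)    # report everything it touched
    return hits


def detect_udp_floods(lines, min_packets=50, window=WINDOW_SECONDS):
    """Return {(src, dst): packets} for UDP pairs with at least `min_packets`
    packets inside one window: the traffic shape of the UDP flood command
    the C&C can issue against a single target IP."""
    per_pair = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is not None and f[3] == "udp":
            per_pair[(f[1], f[2])].append(f[0])
    floods = {}
    for pair, stamps in per_pair.items():
        best = _max_in_window(sorted(stamps), window)
        if best >= min_packets:
            floods[pair] = best
    return floods


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = (
    # an infected DVR at 10.0.0.7 fans out on the scan ports within seconds
    [f"{1564617600 + i} 10.0.0.7 192.0.2.{i + 1} tcp {9527 if i % 2 else 34567}"
     for i in range(8)]
    # a benign host that happens to touch each port once
    + ["1564617600 10.0.0.9 192.0.2.50 tcp 9527",
       "1564617620 10.0.0.9 192.0.2.51 tcp 34567"]
    # the same DVR after receiving a UDP flood command: 60 packets in 6 seconds
    + [f"{1564617700 + i // 10} 10.0.0.7 203.0.113.5 udp 80" for i in range(60)]
    # unrelated noise and a malformed line the parser must skip
    + ["1564617800 10.0.0.9 198.51.100.2 tcp 443", "garbage line"]
)
```

On the sample, `detect_scanners` flags only 10.0.0.7 (eight new destinations on the scan ports inside one window) and `detect_udp_floods` reports the 60-packet burst from the same host, while the benign host touching each port once stays below the threshold.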

“Looking for related samples and information elsewhere for comparison, other open sources such as VirusTotal yielded a report of the same hash value from the same URL source, which was an open directory also hosting other samples for other device architectures.” continues the report. “Other details from the report also showed another distribution server.”


Experts find this particular Mirai botnet sample interesting for the deployment of the C&C server in Tor, likely to evade tracking of its IP address and to avoid being shut down by law enforcement. This is reminiscent of the BrickerBot botnet reported back in 2017.

“While there have been previous reports of other malware having their C&C hidden in Tor, we see this as a possible precedent for other evolving IoT malware families. Because of Tor’s available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable.” concludes the post. “Likewise, the server remains running despite discovery, network traffic can masquerade as legitimate and remains encrypted, and it may not necessarily be blacklisted due to other possible legitimate uses for Tor.

The presence of another distribution server and other samples designed for other device architectures possibly implies that these malicious actors intend to apply this operation in a larger scale. However, detection systems with signature and behavior-based mechanisms can still detect and block these malware intrusions.”

Pierluigi Paganini

(SecurityAffairs – Mirai botnet, malware)


Prolific Dark Web dealer of drugs pleads guilty

One of the most active drug sellers on the Dark Web was charged by the authorities and ordered to forfeit over $4 million in cryptocurrency.

The US Department of Justice (DoJ) charged Richard Castro (36) (aka “Chemsusa,” “Chems_usa,” and “Jagger109”) with participating in a conspiracy to distribute carfentanil, fentanyl, and a fentanyl analogue over the “dark web,” including on AlphaBay and Dream Market.

“On one dark web marketplace, Dream Market, “Chemsusa” boasted that it had completed more than 3200 transactions on other dark web markets, including more than 1,800 on AlphaBay.” reads the press release published by the DoJ. “The customer feedback for “Chemsusa” included, “Extremely potent and definitely the real Carf,” as well as “The Carfent is unbelievably well synthesized, keep up the amazing work.” 


Castro completed thousands of transactions with positive feedback from his buyers, but last year he opted to leave the black markets of the Dark Web and continue selling drugs directly to his customers via encrypted email.

Castro requested an up-front fee to connect with him; he was identified by an undercover officer who paid the fee, obtained the encrypted email address, and placed orders with Castro.

His co-conspirator, Luis Fernandez (41), shipped the drugs to the customers, including the undercover officer, who also identified him.

“RICHARD CASTRO, 36, of Windermere, Florida, and LUIS FERNANDEZ, 41, of the Bronx, New York, are each charged with one count of conspiracy to distribute and possess with the intent to distribute three controlled substances – carfentanil, phenyl fentanyl, and fentanyl – as well as one count of distributing these controlled substances via the Internet.” continues the DoJ. “CASTRO is also charged with one count of laundering narcotics proceeds, which carries a maximum sentence of 20 years in prison.  The statutory maximum sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by the judge.”

Castro accepted payments in Bitcoin (BTC), which were distributed across seven cryptocurrency wallets. The popular drug seller then laundered the narcotics proceeds through the purchase of valuable assets and a huge amount of Zimbabwe banknotes.

According to the investigators, the man purchased approximately 100 quadrillion Zimbabwe banknotes.

Castro has agreed to forfeit $4,156,198.18 in cryptocurrency.

“Manhattan U.S. Attorney Geoffrey S. Berman said:  “As he admitted today, for years, Richard Castro used the dark web to distribute prolific quantities of powerful opioids, including fentanyl and carfentanil.” states the DoJ. “Castro thought he could hide behind the anonymity of the internet, and use online pseudonyms to deal drugs – like ‘Chems_usa’ and ‘Chemical_usa.’  Thanks to our law enforcement partners, ‘Chems_usa’ is now in U.S. prison.”

Castro faces a mandatory minimum sentence of 10 years in prison and a maximum sentence of life for drug distribution. He also faces one count of money laundering, which carries a maximum sentence of 20 years in federal prison.

“As he admitted today, for years, Richard Castro used the Dark Web to distribute prolific quantities of powerful opioids, including fentanyl and carfentanil,” said Manhattan US Attorney Geoffrey Berman. “Castro thought he could hide behind the anonymity of the Internet, and use online pseudonyms to deal drugs.”

The press release confirmed that sentencing is scheduled for October 25, 2019, at 2:30 p.m. before Judge Cote.

Pierluigi Paganini

(SecurityAffairs – Dark Web, cybercrime)


Over 23 million stolen payment card data traded on the Dark Web in H1 2019

According to a report published by the cybersecurity firm Sixgill, data for over 23 million payment cards were on offer in underground forums in the first half of 2019.

A report published by the cybersecurity firm Sixgill revealed that data for over 23 million payment cards were offered for sale in the cybercrime underground.

The report, titled “Underground financial fraud report”, provides interesting details about the sale of stolen financial data on the Dark Web.

More than 15 million of the payment cards were issued in the US; no other nation accounted for more than 10 percent of the stolen card numbers. The second source of stolen payment card data is the U.K., while the number of stolen cards from Russia is virtually zero (just 316 cards out of 23 million).

Despite the fight of law enforcement against the sale of stolen payment card data, certain websites continue to be important centers of this activity. The following graph shows that three trading posts accounted for 64 percent of the cards on offer during the first half of 2019.

Figure: payment card data forums (share of cards on offer per trading post)

Looking at the details of the stolen payment card data, we can see that 57 percent of the stolen records are related to Visa cards, followed by Mastercard at 29 percent. AMEX accounted for 12 percent.

Threat actors are moving outside traditional website-based markets, turning to Internet Relay Chat (IRC) and encrypted Telegram channels instead. One IRC channel hosts a bot that is able to quickly validate stolen cards; it was used more than 425,000 times in the first half of 2019.

Crooks prefer to buy records containing CVV numbers (65%) over data dumps (35%) because the former can be used for online fraud, while the latter are used for in-store fraud with cloned cards. Compromised payment card data is sold on dark web markets for as little as $5.

“Fraudsters have a number of illicit methods they use to steal card data. They place “skimmers” over the card readers on gas pumps and ATM machines. Retail workers and restaurant employees use devices to copy the swipes when they take a card for payment. They infect computers and other devices with malware to record payment information when their owners buy from ecommerce sites. Hackers infiltrate the networks of large companies and simply steal millions of records at a time.” states the blog post published by Sixgill.

““CVV” information is sold with the three-digit number on the back of the card, which tend to be used in schemes in which criminals order things online. “Dumps,” which contain all of the information on the magnetic strip necessary to swipe, are used to replicate physical cards and make in-store purchases. Cards with CVV numbers were more popular, in part because the ability to fabricate new cards to be used in-person is far more difficult than using an ecommerce site.”

Experts pointed out that cybercriminals are moving outside traditional website-based markets; most of the illegal activity is shifting to Internet Relay Chat and encrypted Telegram channels. One IRC channel hosts a bot that is able to quickly validate stolen cards and, according to the experts, it was used more than 425,000 times in the first half of 2019.

“The centralization of fraudulent activity in a handful of markets mirrors similar economic and commercial patterns in real-world financial markets,” concludes the report. “This phenomenon may seem like a ripe opportunity for law enforcement agencies to effectively shut down a sizable portion of cybercriminal activity; however, as we’ve seen in the past with the shutting down of markets like Alphabay, Hansa, and Silk Road, threat actors quickly migrate their activities to other markets.”

Pierluigi Paganini

(SecurityAffairs – stolen payment card data, darkweb)


Irish Silk Road admin sentenced to 78 months in federal prison

An Irish national has been sentenced to 78 months in jail for his role as one of the administrators and forum moderators of the Silk Road dark web marketplace.

Gary Davis (31), of Wicklow, Ireland, has been sentenced to 78 months in prison for his role as one of the administrators and forum moderators of the Silk Road dark web marketplace.

The man, also known as Libertas, also provided customer support to Silk Road users in 2013, a job for which he received a weekly salary.

The man was involved in monitoring user activity, providing customer service, and resolving disputes between buyers and vendors.

Silk Road was seized by law enforcement in 2013 and its founder, Ross William Ulbricht (aka Dread Pirate Roberts), was arrested; he was later sentenced to life in prison after being convicted on multiple counts related to Silk Road activity.

According to the FBI, between February 2011 and July 2013 Silk Road managed $1.2 billion worth of transactions for 957,079 users; the total earnings for Ulbricht were nearly $80 million.

According to the DoJ press release, more than $200 million worth of illegal drugs and other contraband were sold through the black market.

The FBI also seized about $33.6 million worth of Bitcoin, which were sold by the authorities in a series of auctions.

In November 2013, after the seizure of the original Silk Road, a new version of the popular black market was launched, the so-called Silk Road 2.0, and Libertas was one of its administrators, but it is not clear whether the pseudonym was still used by Davis at the time.

Davis was identified and arrested in Ireland in January 2014; he opposed extradition to the U.S., citing his mental health and fearing for his life, and argued that extradition and the consequent incarceration in the U.S. would violate his fundamental rights. Davis was extradited to the United States in July 2014.

“Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that GARY DAVIS, a/k/a “Libertas,” was sentenced today to 78 months in prison for his role as a member of the small administrative staff of the “Silk Road” website.  Silk Road was an online black market of unprecedented scope.” reads the press release published by the DoJ.  “During its operation from 2011 until 2013, Silk Road was used by thousands of drug dealers and other unlawful vendors to distribute over $200 million worth of illegal drugs and other illicit goods and services to more than 115,000 buyers, and to launder hundreds of millions of dollars derived from those unlawful transactions.  DAVIS previously pled guilty before United States District Judge Jesse M. Furman, who also imposed today’s sentence.”


In October 2018, Davis pleaded guilty to drug trafficking charges, one count of conspiring to distribute massive quantities of narcotics, a charge arising out of his role as a member of the small administrative staff of “Silk Road.”

The Judge also ordered the man to serve three years of supervised release and pay a $25,000 fine.

“Davis’s arrest, extradition from Ireland, conviction, and prison sentence should send an unmistakable message: the dark web does not cast shadows long enough to protect criminals from the long arm of the law,” Manhattan U.S. Attorney Geoffrey S. Berman said.

Pierluigi Paganini

(SecurityAffairs – Dark Web, cybercrime)


Scraping the TOR for rare contents

Cyber security expert Marco Ramilli explains the difficulties of scraping the ‘TOR network’ and how to enumerate hidden services with scrapers.

Scraping the “TOR hidden world” is a quite complex topic. First of all, you need exceptional computational power (RAM mostly) to let multiple runners grab web pages, extract new links and re-run the scraping code against the just-extracted links, plus a queue manager system to handle conflicts between scrapers and a database that keeps the scraped data consistent. Second, you need great starting points, in other words the .onion addresses where your scrapers start from. You might decide to begin from common and well-known onion links such as the TOR hidden wiki, or to start from great reddit threads such as this one, but seldom do those approaches bring you to what I refer to as “interesting links”. For this post, “interesting links” means specific links that are rare or not very widespread and mostly focused on cyber-attacks and/or cyber-espionage. Another approach needs to be used in order to reach better results. One of the most profitable ways to search for “interesting links” is to look for .onion addresses in temporal and up-to-date spots such as temporary pasties, IRC chats, Slack or Telegram groups, and so on and so forth. There you might find links that bring you to rarer contents and less widespread information.
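The seed-harvesting step described above (pulling .onion addresses out of pasties, IRC chats and messaging groups before feeding them to the scrapers) is shown here as an added Python example; it is not part of Marco Ramilli's scraping cluster. It extracts candidate hostnames from constructed chat and paste lines, checks the v3 checksum as Tor's rend-spec-v3 defines it so that mistyped or corrupted links never reach the queue, and deduplicates the survivors into a frontier. The demo key, the derived address and the chat lines are all constructed and do not point at a real service.

```python
import base64
import hashlib
import re
from collections import deque

# A candidate is 16 (v2) or 56 (v3) base32 characters followed by ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)


def v3_checksum(pubkey):
    """rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]"""
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def encode_v3(pubkey):
    """Build a v3 hostname from a 32-byte ed25519 public key: PUBKEY||CHECKSUM||VERSION."""
    assert len(pubkey) == 32
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify(host):
    """Return 'v2', 'v3' or 'invalid' for a <label>.onion hostname."""
    label = host.lower()[:-len(".onion")]
    if len(label) == 16:
        return "v2"          # v2 carries no checksum; only alphabet and length are checkable
    if len(label) != 56 or not label.endswith("d"):
        return "invalid"     # a v3 label always ends in 'd' (low bits of version byte 3)
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != v3_checksum(pubkey):
        return "invalid"
    return "v3"


def harvest(text):
    """Return (frontier, rejected): deduplicated hostnames that pass validation,
    in the order first seen, and the candidates that failed it."""
    seen, frontier, rejected = set(), deque(), []
    for m in ONION_RE.finditer(text):
        host = m.group(0).lower()
        if host in seen:
            continue
        seen.add(host)
        (rejected if classify(host) == "invalid" else frontier).append(host)
    return frontier, rejected


# Constructed inputs, not real services: a key derived from a fixed string, a copy
# of the resulting address with one checksum character changed, and a v2-style name.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real service").digest()
DEMO_V3 = encode_v3(DEMO_KEY)
_label = DEMO_V3[:-6]
# character 52 encodes bits 260-264, which lie entirely inside the two checksum bytes
DEMO_BROKEN = _label[:52] + ("a" if _label[52] != "a" else "b") + _label[53:] + ".onion"
SAMPLE_TEXT = f"""
[irc] <user1> new dump site: http://{DEMO_V3}/index
[paste] mirror {DEMO_V3.upper()} still up?
[telegram] old link {DEMO_BROKEN} (dead)
[irc] <user2> legacy: abcdefghijklmnop.onion
[irc] <user3> not an address: short.onion
"""
```

`harvest(SAMPLE_TEXT)` queues the valid v3 address once (the upper-case mirror is folded into it) together with the v2-style name, and rejects the copy whose checksum no longer matches; the v2 check is deliberately weaker because that address format carries no checksum.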

Today I want to start from here by showing some simple stats about scraped .onion links in my domestic scraping cluster. From the following graph you can appreciate some statistics about active and inactive scraped hidden services. The represented week is actually a good stereotype of what I’ve got in the whole last quarter. What is interesting, at least from my personal point of view, is the percentage of offline (green) onion services versus the percentage of online (yellow) onion services.

Figure: Tor crawlers (offline vs. online scraped hidden services over one week)

This scenario changed dramatically in the past few months. While during Q1 2019 most of the scraped websites were up and running, in Q2 2019 I see most of the scraped hidden services dismissed and/or closed, even though they persist in the communication channels (IRC chats, pasties, Telegram, etc.).

I think two factors strongly affected the last quarter when it comes to spotting active hidden services. (1) Old content revamping, for example bots pushing “interesting links” back online even after months of inactivity. This activity is not new at all, but during the past quarter it has been abused far more often than in previous quarters. (2) Hidden services are changing address much faster than a few months ago. In order to make it hard to spot malicious actors, they might decide to keep their hidden services up and running only for a few hours and then change address/location. Is this way of enumerating hidden services passing away, or is it simply a weird time-frame? We will see during the next “Scraping” months, stay tuned!

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans.

This analysis and many other studies and tools are available on Marco Ramilli’s blog:

https://marcoramilli.com/2019/07/18/scraping-the-tor-for-rare-contents/

Pierluigi Paganini

(SecurityAffairs – Tor network, DarkWeb)
