Two weeks after the takedown of the dark web marketplace AlphaBay, its successor Hansa Market was also closed, as part of a coordinated operation by the Dutch National Police, Europol, the Federal Bureau of Investigation (FBI) and the US Drug Enforcement Administration (DEA). The Dutch police had covertly taken over Hansa and kept it running for about a month beforehand, and in the process the authorities seized personal data on all of its users.
Two weeks ago Kaspersky Lab security researchers published a report on xDedic, an underground market where access to compromised servers (mainly via RDP) is sold.
An online marketplace for hacked servers
A hacker using the pseudonym “Peace_of_mind” is selling a database stolen from LinkedIn that contains the information of 167 million users; for 117 million of them it includes the email address and password hash (unsalted SHA-1, so most are quickly recoverable).
According to information the hacker provided to Motherboard, the data was stolen in 2012 by exploiting a vulnerability in the professional social network.
On April 14, Forbes reported that data from the pornographic website Naughty America and its affiliates had been stolen and offered for sale on The Real Deal, a black market reachable through the Tor network.
The site hosted an ad offering the databases for sale: Naughty America’s own, plus those of affiliate sites, totalling more than 3.8 million user accounts.
Early in November, a cybercriminal on the Dark Web offered for sale a client database which he had previously stolen from Comcast, the US media group.
Although Comcast was the target on this particular occasion, the case is representative of current trends in terms of the theft and handling of databases.
On 5 November, an individual using the pseudonyms “Orion” and “Comcast” used a dark web market reached via the Tor network to offer for sale a database allegedly belonging to Comcast. The database holds some 590,000 client accounts. The passwords are in plaintext (i.e. usable as they stand, with no hash to crack), which raises the value of the list for buyers. The asking price was $300 for 100,000 accounts, or $1,000 for the whole database.
A few days later, the seller updated the listing, claiming to have learned that his only customer had in fact bought the database on behalf of Comcast.
After reviewing the database’s contents, Comcast e-mailed about one-third of the clients concerned to say that their passwords had been reset following the cyberattack. The remaining two-thirds were dormant accounts.
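As an added illustration (not from the original page), the following script shows how a defender might triage such a listing once a copy is obtained, along the lines of what Comcast did: parse the email:secret rows, classify whether each secret is plaintext or a recognisable hash, sort the emails into active accounts (force a reset), dormant accounts and strangers, and, for plaintext entries, verify them against the current credential store to confirm that the dump is genuine and the password still in use. The dump, the account inventory and the PBKDF2-based credential store are all constructed for the example; nothing here is real data or Comcast’s process.

```python
import hashlib
import hmac
import re

# Constructed sample of a leaked listing in the usual "email:secret" form.
# These are not real accounts or credentials.
DUMP = """\
alice@example.com:Summer2015!
bob@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol@example.com:$2b$12$C6UzMDM.H6dfI/f/IKcEeO6oF7w4TkPJ9a9pU4L8lC.9kRl7nG7Pa
dave@example.com:hunter2
mallory@example.com:
"""

# Constructed account inventory on the defender's side: email -> is_active
ACCOUNTS = {
    "alice@example.com": True,
    "bob@example.com": True,
    "carol@example.com": False,
    "dave@example.com": False,
}

PBKDF2_ROUNDS = 100_000


def make_record(password, salt=b"constructed-salt"):
    """Build a (salt, digest) record as the defender's own store might hold it."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed credential store; in practice this is read from the user database.
STORE = {
    "alice@example.com": make_record("Summer2015!"),  # still uses the leaked password
    "dave@example.com": make_record("NotHunter2"),    # changed since the leak
}

# Cheap format heuristics: a 32- or 40-hex plaintext would be misclassified,
# which is acceptable for a first pass over a listing.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)),
]


def classify_secret(secret):
    """'empty', a recognised hash family, or 'plaintext' (anything unrecognised)."""
    if not secret:
        return "empty"
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "plaintext"


def parse_dump(text):
    """Return (email, secret) pairs; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        email, sep, secret = line.partition(":")
        if not sep or not email.strip():
            continue
        rows.append((email.strip().lower(), secret.strip()))
    return rows


def verify_against_store(email, secret):
    """True if the leaked plaintext matches the current stored credential,
    False if it does not, None if we hold no record for that email."""
    record = STORE.get(email)
    if record is None:
        return None
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def triage(dump_text, accounts):
    """Sort leaked rows into reset / dormant / unknown, count secret kinds,
    and record which plaintext entries are confirmed live against the store."""
    report = {"reset": [], "dormant": [], "unknown": [], "confirmed": [], "kinds": {}}
    for email, secret in parse_dump(dump_text):
        kind = classify_secret(secret)
        report["kinds"][kind] = report["kinds"].get(kind, 0) + 1
        if email not in accounts:
            report["unknown"].append(email)
            continue
        bucket = "reset" if accounts[email] else "dormant"
        report[bucket].append(email)
        if kind == "plaintext" and verify_against_store(email, secret):
            report["confirmed"].append(email)
    return report


if __name__ == "__main__":
    r = triage(DUMP, ACCOUNTS)
    print("force reset:", r["reset"])
    print("dormant (lock, no mail):", r["dormant"])
    print("not our users:", r["unknown"])
    print("confirmed live plaintext:", r["confirmed"])
    print("secret kinds:", r["kinds"])
```

The confirmation step matters in practice: a seller’s claim that a list belongs to a given company is only worth acting on once a sample of the plaintext entries verifies against the company’s own store, and the verification also tells you which users have already changed their password since the theft and need no reset.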
In the wake of the terrorist attacks carried out by Islamic State (IS) in Paris on 13 November of this year, the “Anonymous” collective has launched an operation designed to disrupt the online presence of the terrorists.
The day after the attacks, Anonymous published several online videos launching an operation named “OpParis”, which targets IS propaganda outlets: reporting Twitter accounts to get them closed, and hacking into sites believed to support IS.
Earlier this year, the hacktivists launched a similar operation after the January attacks on the satirical weekly Charlie Hebdo. Anonymous claimed at the time that this operation, named OpCharlie, led to the closure of 9,500 Twitter accounts. The activists’ methods, and their effectiveness, were severely criticised by several actors in the fight against terrorism; OpParis, which uses the same modus operandi, has drawn the same criticism.
Each according to his means
The operation uses the classic Anonymous operating methods, which are notably based on the sharing of knowledge and the distribution of tasks.
Anonymous operates on the basis of anonymised chatrooms which allow visitors to join the group. Several dedicated chatrooms, each dealing with a particular problem, were created following the attacks.
Security researchers at F-Secure have documented the activity of an APT group named “The Dukes”. This group of sophisticated attackers is believed to work on behalf of the Russian government.
Active since at least 2008, The Dukes began by gathering information on pro-Chechen organisations. They have since diversified both their targets and their malware arsenal. They mainly target political organisations, defence contractors and Western think-tanks, as well as Russian criminal organisations.
The attackers infect their victims by spear-phishing, deploying a range of malware families for different purposes:
- CosmicDuke is an information stealer that collects logins, passwords and encryption keys.
- MiniDuke is a small backdoor that locates its command-and-control server through encoded URLs posted to Twitter accounts run by the operators, falling back to search-engine queries when those accounts are unreachable.
- OnionDuke is a malicious program that was distributed by a rogue Tor exit node, which patched executables downloaded over unencrypted HTTP through it; signed or TLS-protected downloads would have resisted this. Its modules can carry out DDoS attacks, steal a variety of data and spam social networks.
- Since July 2015, CloudDuke and SeaDuke have appeared. Both are essentially backdoors used to fetch further malicious tooling; CloudDuke uses cloud storage (Microsoft OneDrive) for command and control. SeaDuke uses several layers of encryption and is highly configurable; hundreds of distinct builds have been found on victims’ machines.