fbi - Banking & Finance - Red Sky Alliance | 2024-03-28T17:03:05Z | https://redskyalliance.org/Finance/feed/tag/fbi
Cyber Dye Pack | https://redskyalliance.org/Finance/cyber-dye-pack | 2021-06-10T14:12:27.000Z | 2021-06-10T14:12:27.000Z | Bill Schenkelberg | https://redskyalliance.org/members/BillSchenkelberg
<div><p>A few days after the Colonial Pipeline was attacked, a former law enforcement source close to the company told Red Sky Alliance that law enforcement officials used a cyber-type ‘dye pack’ to track the Bitcoin ransom payment made by Colonial. A traditional dye pack is hidden in a bank's cash bundles for use during a robbery. The robbers take the cash bundle containing the dye pack, and within minutes the pack ignites and covers the robber with dye, so responding police can identify the fleeing felon. The federal law enforcement cyber cops basically did the same thing. Very clever indeed.</p>
<p>The US Department of Justice announced earlier this week the recovery of $2.3 million, about half, of the ransom that was collected by hackers last month in the Colonial Pipeline cyber-attack. Cyber experts say it was a surprising outcome to an increasingly frequent and severe crime. "Ransomware is very seldom recovered," said the Institute for Technology Law and Policy at Georgetown Law, who described it as "a really big win" for the government. "What we don't know is whether or not this is going to pave the way for future similar successes."</p>
<p>That's because there are several unexplained factors that contributed to the operation's success. A new cyber task force holds the key to this success. Top US federal law enforcement officials explained that the money was recovered by a recently launched Ransomware and Digital Extortion Task Force, which had been created as part of the government's response to a surge of cyberattacks.</p>
<p>To resolve the attack on Colonial Pipeline, the company paid about $4.4 million on 8 May to regain access to its computer systems after its oil and gas pipelines across the eastern US were shut down by ransomware.</p>
<p>Victims of these attacks are given very specific instructions about when and where to send the money, so it is not uncommon for investigators to trace payment sums to cryptocurrency accounts, typically Bitcoin, set up by the criminal organizations behind the extortion. What is unusual is to be able to unlock those accounts to recoup the funds.</p>
<p>Court documents released in the Colonial Pipeline case say the Federal Bureau of Investigation (FBI) got in by using the encryption key linked to the Bitcoin account to which the ransom money was delivered. However, officials have not disclosed how they got that key (nor will they). One of the reasons criminals like to use Bitcoin and other cryptocurrencies is the anonymity of the entire system, as well as the idea that funds in any given cryptocurrency wallet can be accessed only with a complex digital key. "The private key is, from a technology perspective, the thing that made it possible to seize these funds," a researcher said. Cyber-attackers will go to great lengths to guard any information that could lead someone to associate the key with an individual or organization: "They're going to really try and cover their tracks."</p>
<p>Officials likely got the private key in one of three ways. One possibility is that the FBI was tipped off by a person associated with the attack: either the person or group behind the scheme, or someone associated with DarkSide, a Russia-based ransomware developer that leases its malware to other criminals for a fee or a share of the proceeds. A second possibility is that the FBI uncovered the key thanks to a careless criminal. There is a saying in law enforcement: “you don’t always catch the smart ones.” The Deputy FBI Director said that the bureau has been investigating DarkSide since last year. It is likely that during that surveillance, agents and analysts had search warrants that enabled them to access the emails or other communications of one or more of the people who participated in the scheme. "And through that, they were able to get access to the private key because maybe somebody emailed something to help them track down," they explained. A final possibility is that the FBI tracked down the key by leveraging information it got from Bitcoin or from the cryptocurrency exchange where the money had been bouncing from one account to another since it was first paid.</p>
<p>It is not known whether any of the exchanges have been willing to cooperate with the FBI or to respond to the agency's subpoenas. But if they are, it could be a dramatic game changer in fighting ransomware attacks. Still, one caution applies: the good guys can never underestimate the bad guys.</p>
<p>What is not likely is that the FBI somehow hacked the key on its own. While some admit it is theoretically possible, "the idea that the FBI would have, through some sort of brute-force decryption activity, figured out the private key seems to be the least likely scenario." Regardless, if law enforcement authorities are able to consistently remove the profits from the attacks, they will ‘likely’ eliminate the crime.</p>
<p>Of interest is that following the money did not take long. The attackers made an unusual error in this case by failing to keep the money moving. The $2.3 million that ultimately was recovered was still sitting in the same Bitcoin account it had been delivered to. You really do not see that with cybercrimes. Was this done on purpose, or through carelessness?</p>
<p>Compare this with another scam, in which a company is tricked into submitting a payment using phony instructions. Funds get wired to accounts at legitimate banks, which do not realize that the account was set up by a fraudulent actor. As soon as those funds hit the account, the criminals wire them back out almost instantly. Within 72 hours, those funds are gone and very hard to track or trace.</p>
<p>Red Sky Alliance cannot overstate the obvious: “We are living in perilous cyber times.” An ounce of prevention is ALWAYS worth a pound of cure. Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice and very important; however, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><span style="font-size:8pt;">source: </span></p>
<p><span style="font-size:8pt;"><a href="https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac">https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac</a><br /> <a href="https://www.clevescene.com/scene-and-heard/archives/2011/05/20/pic-of-the-day-heres-what-it-looks-like-when-a-dye-pack-explodes-on-a-robber">https://www.clevescene.com/scene-and-heard/archives/2011/05/20/pic-of-the-day-heres-what-it-looks-like-when-a-dye-pack-explodes-on-a-robber</a><br /> </span></p>
</div>
Who Bought Your On-Line Banking Credentials Over The Weekend? | https://redskyalliance.org/Finance/who-bought-your-on-line-banking-credentials-over-the-weekend | 2020-07-21T03:19:33.000Z | 2020-07-21T03:19:33.000Z | Jim McKee | https://redskyalliance.org/members/JimMcKee
<div><p>It is estimated that over five billion unique user credentials are circulating on Darknet forums, with cybercriminals offering to sell access to bank accounts as well as domain administrator access to corporate networks. Researchers discovered that more than 15 billion user credentials are in circulation, of which 5 billion username and password combinations do not have repeated credential pairs and have been advertised on underground forums only once, according to the recently issued report.<a href="#_ftn1">[1]</a> More often, credentials that are exposed are reposts or collections of previously exposed credentials. Because those exposures are older, the risk may already have been mitigated. The keyword here is “may.”</p>
<p>There has been a 300 percent increase in the number of stolen credentials circulating in underground forums since 2018. After a recent 18-month cyber investigation, researchers estimate that the banking credentials stem from nearly 100,000 data breaches that have taken place over the last two years. Many have noticed more credential stuffing lists in circulation recently. Some blame the [COVID-19] pandemic and associated scams, yet these events are being copied at a high rate.</p>
<p>All levels of hackers are using numerous tactics and techniques to carry out bank account takeovers. Some criminals buy credentials on deep/dark marketplaces, where a single account costs on average $15.43. But the more sought-after banking credentials sell for an average of $70+. The price for access to a single bank account can exceed $500 depending on factors such as the amount of money in the account, the ability to access personally identifiable information, and the account's age, the report notes.</p>
<p>The underground advertisements for access to these types of high-end accounts comprised 25 percent of all ads on illegal sites. Researchers additionally found that credentials for domain administrator access to corporations and government agencies, where there is potential for a complete network compromise, can be sold in bidding wars for as high as $140,000. The average selling price is about $3,100.</p>
<p>To give a potential buyer of admin credentials additional information to help make a sale, some underground forums include details such as the number of devices running on the network, how many employees work at the company, and any intellectual property or sensitive documents on the system. Often employing bad practices, many people use the same credentials across multiple platforms. This leaves users vulnerable to account takeovers by hackers implementing brute-force attacks. The tools for such attacks can be purchased in underground forums for an average price of $4. Apart from buying bank credentials in the underground, cybercriminals also use brute-force cracking tools and account checkers to steal information. </p>
<p>Many hackers also harvest banking credentials using Trojan malware, keyloggers, and man-in-the-middle browser attacks, which enable them to steal the data directly from victims' online banking portals. Once a hacker obtains a list of credentials, they can then buy or rent tools for credential-stuffing attacks: automated login attempts using combinations of usernames and plaintext passwords.</p>
<p>Some sites rent out identity credentials for a limited amount of time for less than $10. These sites offer not only access to compromised bank accounts, but also browser data, such as IP addresses, time zones, and cookies, which make it easier to avoid detection. Cybercriminals also sometimes share credentials for free on forums to help build a sense of community. </p>
<p>Your personal/home computers allow you to access many merchant and financial web sites and accounts. A security suggestion for users is to regularly change your passwords to a new sequence. This may be a pain but will save you from being compromised. Try never to use pet names, birthdates, or anniversary dates that can be found posted on social media. If you are using a word or name, substitute a number or a special character for vowels and randomly use capital letters and numbers. Changing your password avoids several dangers, including some that are less obvious, such as what happens to the passwords you have saved on computers you no longer own.</p>
<ul>
<li>It can be tempting to use the same password on every account you have, whether for computers and network equipment or online accounts, as it is much easier to remember a single one. But it also means that if someone figures out your password, a hacker can gain access to every account you have. Changing your passwords to something different and unique to each account will make it so that even if someone does guess one password, he cannot use it for anything else.</li>
<li>Not all hackers take what they need and leave. Occasionally hackers may continue accessing your account, either to monitor your data or continue stealing information over time. It can be difficult to figure out if someone else is using your account, so by changing your password consistently, you reduce the risk that other people will have frequent access to your accounts. Consider changing your password every few months to be on the safe side. </li>
<li>If you use the same password for long stretches of time, you increase the risk of someone guessing your password. Whether it is from someone watching you type in your password a number of times or someone repeatedly trying to guess it, the longer you have the same password, the longer people have to try to find out what it is. Do not let people watch you log in to your accounts, and avoid using short, easy-to-guess words or phrases. </li>
<li>If you ever switch computers with other people, or if you get rid of old computers without reformatting the hard drive, it's possible that anyone who uses your old computer will have access to your saved passwords. Giving someone a computer with saved passwords is like giving them access to your accounts. Consistently changing your passwords will mean that even if someone has found an old password of yours, it will no longer be relevant or useful. </li>
<li>When coming up with a new password, you want something that can be safe from guesswork and hacking attempts. You may be tempted to use a long password, but the quality is much more important than quantity. Hacking programs can guess passwords by combining random words and phrases together, as well as any information relevant to you. To combat this, avoid using any personal information such as dates, addresses or names. Also avoid using simple words and phrases; if you do, make them grammatically incorrect to avoid guessing. Use random combinations of numbers, letters and symbols that can still be easy to remember. For example, instead of "password," which should never be used under any circumstance, you could use "p4$$w0rD." It is still the same word, and still short, but far harder to guess either by human or program.</li>
</ul>
<p>Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.</p>
<p>For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /> Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a><br /> Twitter: <a href="https://twitter.com/redskyalliance">https://twitter.com/redskyalliance</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/5-billion-unique-credentials-circulating-on-darknet-a-14596">https://www.bankinfosecurity.com/5-billion-unique-credentials-circulating-on-darknet-a-14596</a></p></div>