Even as the New Year approached and the world celebrated the festive Christmas season, the cybercriminal community did not pause their activities.  Instead, they marked the holiday season in their unique way.  On Christmas Eve, Resecurity observed multiple actors on the Dark Web releasing substantial data dumps.  These resulted from data breaches and network intrusions to various companies and government agencies.  Numerous leaks disseminated in the underground cyber world were tagged with 'Free Leaksmas,' indicating that these significant leaks were shared freely among cybercriminals as a form of mutual gratitude.

Ironically, this display of generosity among cybercriminals is far from a cause for celebration for victims globally.  It will inevitably result in them facing various adverse effects, such as Account Takeovers (ATO), Business Email Compromise (BEC), identity theft, and financial fraud.  Significantly, the data breaches were not confined to the United States; they extended globally, impacting individuals in a wide range of countries, including France, Peru, Vietnam, Italy, Russia, Mexico, the Philippines, Switzerland, Australia, India, South Africa, and even mixed international sources.  This widespread geographical distribution highlights the extensive global reach and severe impact of these cybercriminal activities.[1]

A significant event during the 'Leaksmas' in the Dark Web involved the release of a large dataset from Movistar, a leading telecommunications provider in Peru.  This dataset contained over 22 million records, including customers' phone numbers and DNI (Documento Nacional de Identidad) numbers.  The DNI, the sole identity card recognized by the Peruvian Government for all civil, commercial, administrative, and judicial activities, makes its exposure on the Dark Web a severe threat, potentially leading to widespread identity theft and fraud.  This incident underscores the critical need for robust Digital Identity Protection programs, particularly in Latin America, where a trend of cyber-attacks escalates, resulting in major data breaches and significant damages.

On Christmas, a government agency in Chile experienced a security breach.

In another incident targeting the Asia-Pacific region, cybercriminals released a substantial leak involving one of the significant credit services in the Philippines.  The perpetrators disclosed over 15.77 GB of data in this breach.

The "Leaksmas" event continued with another significant breach involving a French company.  Approximately 1.5 million records from this company were shared freely on the Dark Web.

Cybercriminals also "gifted" a leak involving 1.4 million records associated with a project later acquired by Klarna, a Swedish fintech company.  Interestingly, rumors of a potential data breach had been circulating since 2022, and several users had received notifications.  However, the complete data dump was not freely available on the Dark Web until this event.

Returning to the Asia-Pacific region, another significant leak freely shared on the Dark Web involved a Vietnam-based fashion store.  This breach exposed over 2.5 million victim records.  Such a database is a valuable asset for spammers and illegal affiliate marketing specialists, offering them the potential to generate substantial profits during the winter holiday.

Another noteworthy leak involved a hacked online military gear shop based in Italy.  While the database contained only 2,000 records, the nature of the audience of individuals interested in military gear makes it particularly attractive to foreign cyber actors, especially those focused on defense-related information.

The perpetrators also targeted India, a country known for its vast economy and rapid pace of digitization.

On Christmas 2023, there was a relatively new leak involving a sushi restaurant network from Russia, comprising over 164,052 records.  This dataset was notable for not being previously seen on the Dark Web, making it potentially interesting to specific actors.  A significant leak involved over 2 million records of banking customers from Mexico. It's highly probable that these records were obtained directly from a breached financial institution, a loan provider, or a telemarketing operator specializing in generating financial industry leads.  Interestingly, this particular dataset had been previously offered for sale but became freely available during this event.  Our assessment suggests that this data might have originated from an older breach dating back to 2021-2022.  Despite its age, the information remains relevant in 2024, as it's unlikely that all the affected individuals would have updated their personal information since the breach.

Another significant incident involved a massive data leak from ESSEMTEC.  In addition to these individual leaks, the perpetrators released larger data compilations consisting of multiple separate data breaches.  Some of these were extensive packages, known as combo lists, containing millions of records, including emails and passwords.

"All I want for Christmas is the destruction of the government."

The most prominent figures in the data leaking activity on the Dark Web during the Christmas period were undoubtedly the actors from SiegedSec.  They gained particular notoriety for previously releasing exfiltrated data from the Idaho National Labs.

The group SiegedSec has made public claims about successfully hacking into unspecified government resources.  Before this, they had celebrated a successful attack on Shufersal, Israel's largest supermarket chain, which they referred to as a “Christmas Gift” in support of Palestine.  They also targeted BEZEQ! and Cellcom, one of Israel's leading telecommunications companies.  It's worth noting that there have been claims from some groups about ending their associations with SiegedSec due to their stance, but the authenticity of these claims has not been fully verified.

In their Christmas message, SiegedSec mentioned the exfiltration of citizen data, suggesting that we can anticipate more unexpected actions from them in the upcoming year. 

Christmas Gifts from Notorious "Five Families"

Just before Christmas Eve, an alliance of several hacktivist groups, collectively known as the "Five Families," executed a data leak involving a Chinese clothing store, affecting over 1 million records.  Additionally, the group publicly acknowledged their ambitious intentions for the upcoming year, 2024, indicating plans to release more leaks.  They also conveyed their regards to their audience in this announcement.

The "Five Families" group also carried out leaks involving an Indian resource and a South African medico-legal association.

Allies of GhostSec, affiliated with Stormous (a ransomware group), contributed to the campaign by releasing a substantial leak from an online computer shop in Uzbekistan. This breach impacted over 500,000 records.

Resecurity had previously reported on the "Five Families" in the context of the activities of the "Ransomed.VC" ransomware group.  A week before Christmas, this group established its own marketplace for trading data leaks, featuring various compromised data from diverse regions, including the US, Canada, Russia, China, Iran, UAE, India, Brazil, and the European Union.  The new group operators promoted this marketplace through Telegram to attract new sellers and buyers.

Anticipating the Christmas season, the group disseminated several data leaks from the Asia-Pacific region, mainly focusing on Thailand, a country renowned as a favorite international tourist destination for winter holidays.

Cybercriminals dealing in stolen payment data also viewed Christmas as an opportune time to attract new buyers by offering discounts.  Some underground shops provided substantial markdowns, with discounts reaching up to 40% on compromised online banking and e-commerce accounts.  Underground vendors offering 'look-up services', commonly utilized by fraudsters for activities like loan application fraud, identity theft, and online banking theft, also participated in offering significant discounts.  These services become particularly relevant during the holiday season when fraudsters actively exploit vulnerabilities in anti-fraud systems and target e-commerce and marketplace platforms.

During Christmas, some underground credit card (CC) shops offered substantial discounts, with some going as high as 50% off.  This was a special promotional effort for the festive period.  Additionally, cybercriminals were in a hurry to sell credit cards with the most imminent expiration dates.  Their goal was to offload these cards as quickly as possible before the New Year began to avoid losing potential profits from cards becoming invalid.

Significance:

  • Just a few days before Christmas, over 50 million records containing information about consumers worldwide have been leaked on the Dark Web. The actual damage resulting from this activity could potentially amount to millions of dollars. Mitigating this damage is particularly challenging due to the intricate interconnection between personal data and digital identity. Changing this information in practice is a complex and often difficult process for the average consumer.
  • The approach of the winter holidays has a notable impact on the underground economy, acting as a catalyst for cybercriminals to intensify their activities and release their most lucrative offerings on the Dark Web. During this period, there is an expected increase in financial fraud and financially motivated activity, as these actors take advantage of the festive season to escalate their illicit operations.
  • The scope and geographical reach of cybercriminal activity are boundless, transcending all borders. While North America has traditionally been a primary target, there is a growing interest in other regions, particularly Latin America (LATAM) and Asia-Pacific (APAC). These areas are experiencing a rapid evolution in the digital economy, marked by the emergence of new fintech products and marketplaces. This growth, however, is also attracting malicious actors who aim to exploit these developments to defraud consumers.
  • Digital identity continues to be a primary focus for cybercriminals. These malicious actors actively seek out sensitive personal identifiable information (PII), exploiting vulnerabilities in insecure web applications, software applications, and network services. They aim to access and misuse this critical personal data, highlighting the ongoing threat to digital identity security.


References:

  • The twelve frauds of Christmas: https://pkfgm.co.uk/the-twelve-frauds-of-christmas-2
  • 2023 Holiday Shopping Scams: https://www.ic3.gov/Media/Y2023/PSA231115
  • FBI Warns 'Tis the Season for Holiday Scams: https://www.fbi.gov/contact-us/field-offices/houston/news/fbi-warns-tis-the-season-for-holiday-scam
  • Five Holiday Scams to Avoid: https://www.morganstanley.com/articles/holiday-scams
  • Holiday Scams: https://ncdoj.gov/protecting-consumers/holiday-scams


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com   

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632


[1] https://securityaffairs.com/156560/deep-web/leaksmas-dark-web-data-leak.html
