dark web - X-Industry - Red Sky Alliance2024-03-29T14:33:40Zhttps://redskyalliance.org/xindustry/feed/tag/dark+webPIILOPUOTI goes Darkhttps://redskyalliance.org/xindustry/piilopuoti-goes-dark2023-09-21T18:10:00.000Z2023-09-21T18:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Law enforcement officials in Finland worked with Europol and a cybersecurity firm to take down a dark web marketplace called PIILOPUOTI. According to a statement from Finnish Customs, the platform had operated on the Tor network since May 2022 as a venue for smuggling drugs and drug paraphernalia into Finland and selling them. “The criminal investigation is still underway. At this point, Finnish Customs and our international cooperation partners will not provide any further information on the matter,” the agency said.</p>
<p>Finnish authorities did not respond to requests for comment about whether arrests were made or whether other illegal operations were run through the platform.</p>
<p>Finnish Customs explained that the investigation was conducted in coordination with German and Lithuanian authorities as well as Europol, the European Union Agency for Criminal Justice Cooperation (Eurojust), the authorities of other countries and various police units in Finland.<a href="#_ftn1">[1]</a></p>
<p>Cybersecurity firm Bitdefender said it was involved in the takedown and provided guidance to help law enforcement agencies in their investigation of the platform.</p>
<p>The senior director of Bitdefender’s investigation and forensics unit declined to detail the company’s role in the operation, but said that Bitdefender “offered technical consulting to the entire investigation group and to all the involved countries. We are happy to discover that our intel helped with the operation. This operation is a prime example of the public and private sector pooling resources and working together to disrupt illegal online activities. It should also serve as a wake-up call for criminals who falsely believe their infrastructures, anonymity and actions are fully protected by the dark web. They should understand if they are in the crosshairs of an international effort, they will eventually be brought to justice.”</p>
<p>This is the latest takedown of an internet platform used for criminal purposes, following the operation in which US law enforcement agencies partnered with officials in Poland the previous month to dismantle the Lolek bulletproof hosting platform.</p>
<p>Genesis Market, which functioned as a one-stop shop for criminals, selling both stolen credentials and the tools to weaponize them, was seized in April 2023 in an FBI-led operation involving more than a dozen international partners.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/europol-finland-take-down-pillopuoti-dark-web-market/">https://therecord.media/europol-finland-take-down-pillopuoti-dark-web-market/</a></p></div>Status of the CyberCrime Undergroundhttps://redskyalliance.org/xindustry/status-of-the-cybercrime-underground2023-06-24T12:50:00.000Z2023-06-24T12:50:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Earlier this year, threat researchers at Cybersixgill released their annual report, <u>The State of the Cybercrime Underground</u>.</p>
<p><a href="https://cybersixgill.com/resources/the-state-of-the-underground-2023">https://cybersixgill.com/resources/the-state-of-the-underground-2023</a> </p>
<p>The research stems from an analysis of the intelligence items Cybersixgill collected throughout 2022 from the deep, dark and clear web. The report examines the continuing evolution of threat actors' tactics, techniques, and procedures (TTPs) and how organizations can adapt to reduce risk and maintain business resilience. This article summarizes a few of the report's findings: trends in credit card fraud, observations about cryptocurrency, AI developments and how they are lowering the barrier to entry to cybercrime, and the rise of “Cybercrime-as-a-Service" (CaaS) offerings.<a href="#_ftn1">[1]</a></p>
<p>Credit card fraud is (mostly) on the Decline - Credit card fraud has been a common and frequent threat from underground cybercriminals for many years, but several recent developments are slowing the tide. The clearest indicator is the volume of compromised cards offered for sale on illicit underground markets. In 2019, dark web markets listed approximately 140 million compromised cards for sale. The number declined to around 102 million in 2020 and fell by another 60% to roughly 42 million in 2021. In 2022, the total plunged again to only 9 million cards. The report attributes the decline mainly to the following:</p>
<ol>
<li>Improvements in authentication and fraud prevention – Banks and financial institutions are adopting stronger authentication and "passwordless" methods that make a compromised card harder to use, such as biometric authentication (e.g., fingerprints and face recognition), PINs, EMV chips, and multi-factor authentication (MFA).</li>
<li>Real-time fraud detection – Implemented primarily by card issuers and networks, real-time fraud detection systems use machine learning to analyze user behavior, spending patterns, and geolocation data and to identify anomalies or suspicious activity. Once a transaction is flagged, the issuer can require step-up verification, such as a security question or an SMS one-time code, making it harder for fraudsters to use stolen cards.</li>
<li>E-commerce security improvements – Since 2021, e-commerce sites have adopted more robust controls, such as two-factor authentication (2FA), address verification systems, and payment systems that adhere to PCI DSS, making it harder for cybercriminals to steal card data from consumers.</li>
</ol>
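<p>The step-up logic in item 2 is easy to sketch. The following Python is an added illustration, not code from the Cybersixgill report or from any issuer: a rule-based screener that keeps a per-card history and flags impossible travel between consecutive purchases, a burst of transactions inside a short window, and amounts far above the cardholder’s own baseline. One flag sends the transaction to step-up verification; two or more decline it. The thresholds, coordinates and transactions are constructed for the example, and a real issuer would replace the hand-written rules with a trained model.</p>

```python
"""Rule-based real-time screening of card transactions (added illustration, not from the report).

Thresholds, coordinates and sample transactions below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, fsum, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    card: str
    ts: int        # seconds since epoch
    amount: float  # in the card's currency
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, used for the impossible-travel check."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class Screener:
    MAX_SPEED_KMH = 900.0   # two purchases cannot be farther apart than a jet flies in between
    VELOCITY_WINDOW = 600   # seconds
    VELOCITY_LIMIT = 5      # prior transactions inside the window before a burst is flagged
    MIN_HISTORY = 5         # transactions needed before the spending baseline is trusted
    Z_LIMIT = 3.0           # amount more than 3 standard deviations above the baseline

    def __init__(self):
        self.history = defaultdict(list)  # card -> accepted transactions, oldest first

    def score(self, t):
        """Return (decision, reasons): 'approve', 'step_up' (extra verification) or 'decline'."""
        hist = self.history[t.card]
        reasons = []
        if hist:
            prev = hist[-1]
            hours = max(t.ts - prev.ts, 1) / 3600.0
            if haversine_km(prev.lat, prev.lon, t.lat, t.lon) / hours > self.MAX_SPEED_KMH:
                reasons.append("impossible_travel")
            if sum(1 for h in hist if t.ts - h.ts <= self.VELOCITY_WINDOW) >= self.VELOCITY_LIMIT:
                reasons.append("velocity")
        if len(hist) >= self.MIN_HISTORY:
            amounts = [h.amount for h in hist]
            mean = fsum(amounts) / len(amounts)
            sd = sqrt(fsum((a - mean) ** 2 for a in amounts) / len(amounts)) or 1.0
            if (t.amount - mean) / sd > self.Z_LIMIT:
                reasons.append("amount_outlier")
        decision = "decline" if len(reasons) >= 2 else "step_up" if reasons else "approve"
        if decision != "decline":
            hist.append(t)  # declined attempts must not poison the cardholder's baseline
        return decision, reasons


BOSTON, NEW_YORK, LAGOS = (42.3601, -71.0589), (40.7128, -74.0060), (6.5244, 3.3792)
DAY = 86400


def baseline(card, amounts, where):
    """Constructed history: one purchase a day at the same location."""
    return [Txn(card, i * DAY, a, *where) for i, a in enumerate(amounts)]


def run_demo():
    s = Screener()
    normal = [25.0, 40.0, 32.0, 55.0, 28.0, 45.0]
    for t in baseline("card-A", normal, BOSTON) + baseline("card-B", normal, BOSTON):
        s.score(t)
    results = {
        # stolen card data used ten minutes after the last Boston purchase, far away, large amount
        "cloned_card": s.score(Txn("card-A", 5 * DAY + 600, 2400.0, *LAGOS)),
        # cardholder drives to New York: two hours, roughly 300 km, ordinary amount
        "travelling_owner": s.score(Txn("card-B", 5 * DAY + 7200, 55.0, *NEW_YORK)),
    }
    for i in range(5):  # five quick small purchases, then a sixth inside the window
        s.score(Txn("card-C", 30 * i, 10.0, *BOSTON))
    results["card_testing_burst"] = s.score(Txn("card-C", 150, 10.0, *BOSTON))
    return results


if __name__ == "__main__":
    for name, (decision, reasons) in run_demo().items():
        print(f"{name:20s} {decision:8s} {reasons}")
```

<p>Running the block prints one line per scenario: the cloned card is declined on two signals, the travelling owner is approved, and the rapid burst is sent to step-up verification. Declined attempts are deliberately not written back into the history, so an attacker cannot drag a cardholder’s baseline toward fraudulent amounts by hammering the card.</p>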
<p>Cryptocurrency: a tool and a target - A hallmark of cryptocurrency is that it is decentralized and pseudonymous, giving users a degree of privacy. No surprise, then, that cryptocurrencies are the payment method of choice for cybercriminals to purchase illicit goods and services, launder proceeds from cyberattacks, and receive ransomware payments. As cryptocurrency has gained broader adoption for legitimate purposes, it has also become a target, presenting new opportunities for cryptojacking (covert mining on victims’ hardware), digital wallet takeovers, and siphoning digital assets from crypto exchanges.</p>
<p>Even with the fallout from the 2022 crypto crash, crypto’s value to cybercriminals has only increased: the report recorded a 79% increase in crypto account takeover attacks in 2022. (Ultimately, cybercriminals use crypto to move money, not to make it. Transactions on the underground are settled in cryptocurrency, but prices are listed in dollars.) Yet threat actors may eventually abandon cryptocurrencies if investors continue to pull out because of the market’s volatility, since a shrinking user base makes it easier for law enforcement to trace illicit transactions and for legislators to impose stricter regulation. Researchers continue to watch how this space evolves.</p>
<p>Democratization of AI - Less than a year after ChatGPT arrived on the scene, cybercriminals continue to show great enthusiasm for it and for other newly released AI tools, and for their promise as a force multiplier for cybercrime. With the ability to emulate human language for social engineering and, given the right prompts and guidance, to help automate the development of malware code, these tools let threat actors streamline the entire attack chain. ChatGPT allows novice and less sophisticated cybercriminals to carry out malicious acts faster and with relative ease, lowering the barrier to entry by helping them quickly write malicious code and perform other "pre-ransomware" preparatory activities.</p>
<p>Commercializing Cybercrime with As-a-Service Offerings - The as-a-Service business model continues to grow because it lets cybercriminals commercialize their expertise and scale their operations. By purchasing skilled hackers' services, infrastructure, or tools, threat actors can outsource the groundwork required to launch an attack with minimal effort. Especially concerning is the continued rise of Ransomware-as-a-Service (RaaS). RaaS operates much like a modern business: ransomware developers and operators lease their ransomware and infrastructure to a network of less-skilled 'affiliates' who handle distribution, in return for a cut of the extortion profits. This makes the extortion business accessible and profitable to a much larger pool of cybercriminals and is driving the year-over-year increase in ransomware attacks.</p>
<p>Every connected asset within an organization's sprawling attack surface is a potential entry point. Protecting that expanding surface by using cyber threat intelligence alone to evaluate exposure is close to impossible. The modern attack surface is increasingly external, extending beyond the known network perimeter to a vast ecosystem of often unknown assets: cloud resources, connected IP addresses, SaaS applications, and third-party supply chains. As a result, most organizations have major blind spots in their view of the attacker-exposed IT environment while struggling with overwhelming quantities of threat intelligence data. To defend effectively, security teams need complete visibility into their own attack surface and real-time insight into their exposure.</p>
<p>Given the ever-expanding threat landscape of the Digital Age, the ability to identify the highest priority risks facing their organization and focus their efforts accordingly offers tremendous benefits to resource-constrained security teams.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/06/activities-in-cybercrime-underground.html">https://thehackernews.com/2023/06/activities-in-cybercrime-underground.html</a></p></div>Nerd Car Thieveshttps://redskyalliance.org/xindustry/nerd-car-thieves2023-04-24T16:00:00.000Z2023-04-24T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p>Researchers have recently revealed that a hacking device allows thieves to steal a wide range of car models using an attack method they call Controller Area Network (CAN) injection. Automotive cybersecurity experts at the EDAG Group and Canis Automotive Labs started analyzing these attacks after one of the researchers, Ian Tabor, had his 2021 Toyota RAV4 stolen last year. The car was targeted on two occasions. The first time, he found that someone had pulled apart his headlight and unplugged the cables; what initially appeared to be vandalism was part of an attempt to steal the popular SUV.</p>
<p>Specifically, the thieves pulled off the bumper and unplugged the headlight cables to reach wires connected to an Electronic Control Unit (ECU) responsible for the vehicle’s smart key. Tabor’s own investigation showed that the thieves had most likely connected a purpose-built hacking device that allowed them to unlock the vehicle and drive away.</p>
<p>Such devices can be acquired on dark web sites for up to US$5,500. They are often advertised as ‘emergency start’ devices for owners who have lost their keys or for automotive locksmiths. In the case of the device designed for Toyota cars, the electronics that carry out the attack are hidden inside a Bluetooth speaker case.</p>
<p>The hacking device is designed to conduct what the researchers call a CAN injection attack, and such devices appear to be increasingly used by auto thieves. The name borrows from application security, where injection covers attacks such as SQL injection, command injection, OGNL injection and Expression Language injection: untrusted input is “injected” into a program and interpreted as part of a query or command, redirecting the program for a nefarious purpose.</p>
<p>In that application-layer sense, injection attacks reach the operating system through system calls, external programs through shell commands, or back-end databases through SQL, and any component that hands input to an interpreter is at risk; whole scripts written in Perl, Python or other languages can be fed to a poorly designed application and executed, giving the attacker control over its behavior. CAN injection is different in kind. It does not exploit a parsing bug or an interpreter; it exploits the fact that a classic CAN bus has no notion of sender identity or message authentication, so any node physically attached to the wires can transmit a frame with any identifier and every other ECU treats it as genuine.</p>
<p>The researchers analyzed diagnostic data from Tabor’s stolen RAV4 and one of the CAN injection devices to see how they work. Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key system that unlocks and starts the vehicle. The ECUs communicate over one or more CAN buses, on which each frame carries an arbitration identifier describing its content but nothing that proves which node sent it.</p>
<p>The attacker therefore does not need to connect directly to the smart key ECU. Any wiring on the same CAN bus will do; the headlight connector, for example, gives access to the bus the smart key ECU sits on.</p>
<p>Once the device is connected to the headlight wires, it sends a specially crafted CAN frame that tells the smart key receiver ECU that the key has been validated, followed by another crafted frame instructing the door ECU to unlock. The thieves can then get in and drive away. The same attack works from any wiring on that bus, but the headlight wires are usually the most accessible and can be reached without damaging the car badly enough to lower its resale value.</p>
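<p>The sequence above, and the reason it succeeds, can be shown with a small simulation. The Python below is an added illustration and is not code from the researchers, Toyota, or any manufacturer; the arbitration IDs, frame layout and HMAC-based authentication scheme are assumptions chosen for the example, and the smart key receiver and door ECU are collapsed into one node. The naive ECU obeys the two forged frames. The hardened variant acts on a frame only if it carries a valid truncated HMAC over the identifier, a freshness counter and the payload, so frames from a device that does not hold the key, and replays of genuine frames captured earlier, are dropped.</p>

```python
"""Toy CAN bus: why an injected frame is obeyed, and how message authentication stops it.
Added illustration; IDs, frame layout and the HMAC scheme are assumptions, not any vendor's."""
import hashlib
import hmac
from dataclasses import dataclass

ID_KEY_STATUS = 0x1A0   # assumed ID: smart-key ECU reports "key validated"
ID_DOOR_CMD = 0x2B0     # assumed ID: unlock command for the door ECU
KEY = b"\x00" * 16      # shared ECU key; in practice provisioned per vehicle


@dataclass(frozen=True)
class Frame:
    arb_id: int
    data: bytes  # classic CAN: at most 8 payload bytes and no sender identity


class Bus:
    """Every attached node sees every frame; a device wired in at the headlight is no exception."""
    def __init__(self):
        self.nodes = []

    def attach(self, node):
        self.nodes.append(node)

    def transmit(self, frame):
        for node in self.nodes:
            node.receive(frame)


class DoorEcu:
    """Smart-key receiver and door ECU collapsed into one node that trusts frame IDs alone."""
    def __init__(self):
        self.lock()

    def lock(self):
        self.key_validated = False
        self.unlocked = False

    def receive(self, frame):
        if frame.arb_id == ID_KEY_STATUS and frame.data[:1] == b"\x01":
            self.key_validated = True
        elif frame.arb_id == ID_DOOR_CMD and frame.data[:1] == b"\x01" and self.key_validated:
            self.unlocked = True


def make_tag(key, arb_id, ctr, payload):
    """4-byte truncated HMAC-SHA256 over (ID, freshness counter, payload)."""
    msg = arb_id.to_bytes(4, "big") + ctr.to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def authenticated_frame(key, arb_id, ctr, payload):
    """Layout: 1 payload byte | 2-byte counter | 4-byte tag = 7 bytes, fits a classic frame."""
    return Frame(arb_id, payload + ctr.to_bytes(2, "big") + make_tag(key, arb_id, ctr, payload))


class SecureDoorEcu(DoorEcu):
    """Same logic, but a frame is acted on only if its tag verifies and its counter is fresh.
    One counter shared by both IDs is a simplification; real schemes keep one per message."""
    def __init__(self, key):
        super().__init__()
        self.key = key
        self.last_ctr = -1

    def receive(self, frame):
        if len(frame.data) != 7:
            return  # unauthenticated or malformed: drop
        payload, ctr, tag = frame.data[:1], int.from_bytes(frame.data[1:3], "big"), frame.data[3:7]
        if ctr <= self.last_ctr:
            return  # replayed or stale frame
        if not hmac.compare_digest(tag, make_tag(self.key, frame.arb_id, ctr, payload)):
            return  # forged: the sender does not hold the key
        self.last_ctr = ctr
        super().receive(Frame(frame.arb_id, payload))


INJECTED = [Frame(ID_KEY_STATUS, b"\x01"), Frame(ID_DOOR_CMD, b"\x01")]  # the thief's two frames


def can_injection(door):
    """Attacker's device on the headlight wires transmits the two forged frames."""
    bus = Bus()
    bus.attach(door)
    for frame in INJECTED:
        bus.transmit(frame)
    return door.unlocked


def owner_unlock_then_replay(key=KEY):
    """Genuine authenticated frames unlock the door; sniffing and replaying them later does not."""
    bus, door = Bus(), SecureDoorEcu(key)
    bus.attach(door)
    session = [authenticated_frame(key, ID_KEY_STATUS, 1, b"\x01"),
               authenticated_frame(key, ID_DOOR_CMD, 2, b"\x01")]
    for frame in session:
        bus.transmit(frame)
    unlocked_by_owner = door.unlocked
    door.lock()                 # owner locks the car again
    for frame in session:       # thief replays the captured frames
        bus.transmit(frame)
    return unlocked_by_owner, door.unlocked


if __name__ == "__main__":
    print("naive ECU unlocked by injection:", can_injection(DoorEcu()))                 # True
    print("MAC-checking ECU unlocked by injection:", can_injection(SecureDoorEcu(KEY)))  # False
    print("owner unlock, replay unlock:", owner_unlock_then_replay())                    # (True, False)
```

<p>Message authentication with a freshness counter is one of the mitigations a manufacturer can deploy (the AUTOSAR SecOC specification standardizes this pattern); whether it matches the recommendations in the researchers’ own report is not something this article states. The 8-byte payload limit of classic CAN is what forces the truncated 4-byte tag and 2-byte counter in the example; CAN FD frames have room for full-length tags.</p>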
<p>While in this case, the stolen vehicle was a Toyota, and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota. Similar hacking devices for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen.</p>
<p>The researchers reported their findings to Toyota without much success, since the report is not a conventional vulnerability disclosure. They believe all vehicle makers should read their reports and act to prevent CAN injection attacks, and the recent report contains recommendations manufacturers can apply.</p>
</div>In the Box / One-Stop Dark Web Shoppinghttps://redskyalliance.org/xindustry/in-the-box-one-stop-dark-web-shopping2022-12-09T14:24:15.000Z2022-12-09T14:24:15.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Malware is, in the end, nothing more than a set of burglary tools. Cyber researchers have recently shed light on a dark web marketplace called “In the Box” that caters specifically to mobile malware operators. The actor behind the criminal storefront, believed to have been active since at least January 2020, offers more than 400 custom web injects grouped by geography that other adversaries can purchase to mount attacks of their own. According to the threat investigators, the storefront is automated: buyers place orders and receive the most up-to-date web injects for integration into their mobile malware.<a href="#_ftn1">[1]</a></p>
<p>In The Box may be called the largest and probably the only one in its marketplace category providing high-quality web injects for popular types of mobile malware. Web injects are packages used in financial malware that leverage the Adversary-in-the-Browser (AitB) attack vector to serve malicious HTML or JavaScript code in the form of an overlay screen when victims launch a banking, crypto, payments, e-commerce, email, or social media app.</p>
<p>These pages typically resemble a legitimate bank login web page and prompt unwitting users to input confidential data such as credentials, payment card data, Social Security numbers (SSN), card verification value (CVV) that's then used to compromise the bank account and conduct fraud.</p>
<p>In The Box is accessible over the Tor anonymity network and advertises a variety of web inject templates for sale, with the listing accessible only after a customer is vetted by the administrator and the account is activated. The web injects can be either purchased for $100 a month or as an "UnLim" tier that enables the buyer to generate an unlimited number of injects during the subscription period. Costs for the unlimited (“UnLim”) plan vary anywhere between $2,475 and $5,888 depending on the supported trojans. Some of the Android banking trojans that are supported through the service include Alien, Cerberus, ERMAC (and its successor MetaDroid), Hydra, and Octo.</p>
<p>The In The Box marketplace may now be called the largest and most significant catalyst for banking theft and fraud involving mobile devices. The significance of the findings is highlighted by the quality, quantity and breadth of the available malicious arsenal. Currently, the cybercriminals are offering over 1,849 malicious scenarios for sale, designed for major financial institutions, ecommerce, payment systems, online retailers, and social media companies from over 45 countries including the US, the UK, Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. The organizations targeted by these injects include Amazon, PayPal, Citi, Bank of America, Wells Fargo, DBS Bank, and others.</p>
<p>The majority of high-demand injects are related to payment services, including digital banking and cryptocurrency exchanges. During November 2022, the actor rolled out a significant update to close to 144 injects, improving their visual design. The development comes as Cyble disclosed a new Malware-as-a-Service (MaaS) operation named DuckLogs that is marketed for $69.99 for lifetime access, giving threat actors the ability to harvest sensitive information, hijack cryptocurrency transactions, and remotely commandeer infected machines.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2022/12/darknets-largest-mobile-malware.html">https://thehackernews.com/2022/12/darknets-largest-mobile-malware.html</a></p></div>Twitter Hack IIhttps://redskyalliance.org/xindustry/twitter-hack2022-11-29T13:34:48.000Z2022-11-29T13:34:48.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10894405054,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10894405054,RESIZE_400x{{/staticFileLink}}" alt="10894405054?profile=RESIZE_400x" width="225" /></a>A hacker has leaked 5.3 million Twitter account details on a cybercrime forum while another researcher, Chad Loder, claims there is another Twitter breach involving “perhaps over 100 million accounts.”</p>
<p>On 7 August 2022, Hackread.com reported a story detailing a Twitter data breach involving 5.4 million accounts. Now, the very same data has been leaked on a hacker forum which surfaced as an alternative to the popular and <a href="https://www.hackread.com/fbi-seizes-raidforums-arrests-founder-diogo-santos-coelho/">now-seized Raidforums</a>.</p>
<p><a href="{{#staticFileLink}}10894405257,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10894405257,RESIZE_584x{{/staticFileLink}}" alt="10894405257?profile=RESIZE_584x" width="500" /></a><em>The data is currently available for download (Screenshot left: Hackread.com)</em></p>
<p>However, there’s more to it. The end of 2022 is not going well for Twitter, which has now become the subject of yet another breach claim. A Los Angeles-based cyber security researcher revealed on 23 November that Twitter had experienced a massive breach that allegedly affected millions of users across the US and the EU.<a href="#_ftn1">[1]</a> </p>
<p>On his now-suspended Twitter account, Chad Loder <a href="https://web.archive.org/web/20221124064042/https:/twitter.com/chadloder/status/1595557696131911680">warned</a> users about the data breach, which he stated occurred “no earlier than 2021” and “has not been reported before”. He stated that he had seen the stolen data from the alleged breach and had spoken to potential victims, who confirmed that the breach data was “accurate”. </p>
<p>On his <a href="https://kolektiva.social/@chadloder/109406380942373215">Mastodon page</a>, the researcher said that according to his research, it’s probable that there are tens of millions currently affected accounts, possibly hundreds of millions.</p>
<p><a href="{{#staticFileLink}}10894406077,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10894406077,RESIZE_584x{{/staticFileLink}}" alt="10894406077?profile=RESIZE_584x" width="533" /></a>However, what is uncertain is whether this breach is the same as the one that previously occurred in July this year, which was also confirmed by Twitter, or whether this breach is completely different.</p>
<p>According to Loder, this could not be the same breach unless Twitter “<a href="https://web.archive.org/web/20221124064042/https:/twitter.com/chadloder/status/1595570101641568261">lied</a>” about the July breach. He also noted that this data was in a “completely different format” and had “differently affected accounts.” </p>
<p>Within 24 hours of Loder tweeting about this, his Twitter account got suspended due to having “violated the Twitter rules.”</p>
<p><a href="{{#staticFileLink}}10894406276,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10894406276,RESIZE_710x{{/staticFileLink}}" alt="10894406276?profile=RESIZE_710x" width="600" /></a></p>
<p><em>Chad Loder on Twitter (Screenshots on right Hackread.com)</em></p>
<p>What is likely is that both breaches exploited the same vulnerability, which was first <a href="https://hackerone.com/reports/1439026">reported</a> on HackerOne in January. It allowed anyone to enter a phone number or email address and find the Twitter handle associated with it. The returned value is an identifier Twitter uses internally, but it can be readily converted to a Twitter ID.</p>
<p>At the time, <a href="https://www.hackread.com/twitter-data-breach-accounts-sold-hacker-forum/">Twitter acknowledged the existence</a> of the vulnerability and stated that it had been patched but did not mention anyone exploiting it. However, it was then reported by Restore Privacy that a hacker had used the vulnerability to put together a dataset consisting of Twitter handles, email addresses, and phone numbers of millions of accounts. The data includes Twitter users in the UK, almost every EU country, and parts of the US. </p>
<p>Any Twitter account with the “let others find you by phone number” setting enabled in its “discoverability” settings is affected. This option is hidden quite deep in Twitter’s settings and <a href="https://twitter.com/settings/contacts">is turned on by default</a>. </p>
<p>Keeping in mind the recent news, it becomes apparent that this data was accessed by more than one bad actor. Reports <a href="https://9to5mac.com/2022/11/25/massive-twitter-data-breach/amp/">confirm</a> that they were shown a dataset that contained similar information in a different format. The datasets could be sold to malicious parties who would use the data for advertising purposes or maliciously target certain accounts such as celebrities. </p>
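<p>The lookup described above, reduced to its essentials as an added example (this is not Twitter's code): a leaky contact-discovery function that ignores the user's discoverability setting, beside a hardened version that treats discoverability as opt-in, applies a per-caller quota, and answers identically for opted-out and unknown identifiers. The account records, handles and quota numbers are constructed.</p>

```python
"""Contact discovery: the leaky lookup beside a hardened one.

Added example, not Twitter's code. The account records, handles and
quota numbers are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import time
from typing import Deque, Dict, List, Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: str
    # The hardened service treats discoverability as opt-in (default off);
    # the article notes the real setting was turned on by default.
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False


# Constructed sample directory (fictional accounts).
ACCOUNTS: List[Account] = [
    Account("alice_example", "alice@example.org", "+15550100", True, True),
    Account("bob_example", "bob@example.org", "+15550101"),
    Account("carol_example", "carol@example.org", "+15550102", False, True),
]


def lookup_unsafe(identifier: str) -> Optional[str]:
    """Leaky pattern: any caller turns a phone number or email into a handle,
    regardless of the user's setting and with no limit on how often it asks."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct.handle
    return None


class ContactDiscovery:
    """Hardened pattern: opt-in only, per-caller quota, uniform misses."""

    def __init__(self, accounts: List[Account], max_lookups: int = 5,
                 window_s: float = 60.0) -> None:
        self.by_email = {a.email: a for a in accounts}
        self.by_phone = {a.phone: a for a in accounts}
        self.max_lookups = max_lookups
        self.window_s = window_s
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)

    def _allow(self, caller: str, now: float) -> bool:
        """Sliding-window quota: at most max_lookups per caller per window."""
        q = self._calls[caller]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(now)
        return True

    def lookup(self, caller: str, identifier: str,
               now: Optional[float] = None) -> Optional[str]:
        now = time.monotonic() if now is None else now
        if not self._allow(caller, now):
            raise PermissionError("contact lookup quota exceeded")
        if "@" in identifier:
            acct = self.by_email.get(identifier)
            permitted = acct is not None and acct.discoverable_by_email
        else:
            acct = self.by_phone.get(identifier)
            permitted = acct is not None and acct.discoverable_by_phone
        # An opted-out account and a non-existent identifier look identical
        # to the caller, so the endpoint cannot be used to confirm either.
        return acct.handle if permitted else None
```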
<p><a href="#_ftnref1">[1]</a> <a href="https://www.hackread.com/twitter-jan-data-breach-leak/">https://www.hackread.com/twitter-jan-data-breach-leak/</a></p></div>Dark Web Roundup Q1-Q3 2022https://redskyalliance.org/xindustry/dark-web-roundup-q1-q3-20222022-11-03T20:13:28.000Z2022-11-03T20:13:28.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><a href="{{#staticFileLink}}10862220462,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" style="padding:5px;" src="{{#staticFileLink}}10862220462,RESIZE_400x{{/staticFileLink}}" width="250" alt="10862220462?profile=RESIZE_400x" /></a>Red Sky Alliance maintains a substantial dark web collections data set and we make this data available to our customers through our CTAC, RedXray, and API products. This gives customers the opportunity to explore and perform analyses on dark web data without the need for establishing a safe infrastructure for navigating the Tor network. To date we have collected over 1.4 million data points across 80 dark web sites. The set of sites that we collect from on an ongoing basis will change with new sites coming in and older sites shutting down, but we still maintain historical data for each site we collect from.</p>
<p>Our collection processes allow us to capture text on designated dark web sites, which then gets added to our Cyber Threat Analysis Center, or CTAC product for exploration. CTAC uses Amazon OpenSearch as a backend, which makes querying and analyzing data a simple matter. We can see below in Figure 1 a general overview of the nature of the sites we have collected from thus far in 2022. We can see that the majority of the sites we have collected from thus far have been forums, followed by a number of marketplaces and ransomware sites.</p>
<p><a href="{{#staticFileLink}}10862220279,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10862220279,RESIZE_710x{{/staticFileLink}}" width="600" alt="10862220279?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Distribution of dark web sites collected from in 2022.</em></p>
<p>As is clear from the distribution of the data, discussion forums have made up the bulk of our collections so far this year. Due to the nature of discussion forums, quite a lot of the data ends up being filler or noise, but there is still valuable information to be found. An example of this is shown below in Figure 2: a set of leaked Spotify credentials found on the “Best Carding World Forum.” Given are email and password combinations along with payment method information. One thing to note about this kind of leak is that email/password combinations can be particularly dangerous, since many people use the same or similar passwords for multiple accounts. Thus, the credentials present in this leak may also be used to access an individual’s email or PayPal account in addition to Spotify.</p>
<p><a href="{{#staticFileLink}}10862220493,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10862220493,RESIZE_710x{{/staticFileLink}}" width="600" alt="10862220493?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 2. Leaked Spotify credentials on Best Carding World Forum.</em></p>
<p>Below in Figure 3, we give an overview of the most active sites we collect from in each category. For discussion forums, the Rutor forum is the clear leader, accounting for approximately 91% of our forum collections for this year. Other forums such as Dread, Helium, Best Carding World, and Darknet City each account for relatively small proportions of the remaining forum collections. For marketplaces, the ASAP Market accounts for nearly 43% of our collections, with DarkDock not far behind. The other notable marketplaces we have collected from this year include Dark0de Reborn, Digital Thrift Shop, and Black Market Guns. In terms of ransomware sites, Conti is the leader of the category, accounting for approximately 39% of our ransomware collections. Following behind are Grief, Lockbit 2.0, Snatch, and Cl0p.</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10862221075,original{{/staticFileLink}}"><img src="{{#staticFileLink}}10862221075,RESIZE_710x{{/staticFileLink}}" width="600" alt="10862221075?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 3. Distribution of active sites in collection categories.</em></p>
<p>Moving the focus to marketplaces, as one might imagine, a wide variety of goods are available for sale on the dark web. An overview of the item categories in our marketplace collections can be seen in Figure 4. The largest item category in our marketplace collections is digital goods, which can encompass any number of things: instructions on how to commit fraud, account credentials, software keys, stolen credit card information, etc. Many of the remaining categories involve drugs, i.e., cannabis, benzos, stimulants, psychedelics, etc. Other items found in dark web marketplaces may include database dumps, or pirated software and ebooks.</p>
<p><a href="{{#staticFileLink}}10862220696,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10862220696,RESIZE_710x{{/staticFileLink}}" width="600" alt="10862220696?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 4. Categories of items found in dark web marketplaces.</em></p>
<p>In terms of our ransomware collections, we can easily pull together a list of domains for the most active ransomware listings so far for this year. That can be seen in Figure 5.</p>
<p><a href="{{#staticFileLink}}10862221665,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10862221665,RESIZE_400x{{/staticFileLink}}" width="300" alt="10862221665?profile=RESIZE_400x" /></a></p>
<p style="text-align:center;"><em>Figure 5. Domains for most active ransomware collections.</em></p>
<p>One distinct advantage of our collections is how easily one area of collection connects to others. Take note of the tkelevator domain listing. Interestingly, we can connect this domain to a number of credentials found in our breach collections. These records are shown in Figure 6, demonstrating how leaked credentials could end up leading to future ransomware attacks.</p>
<p><a href="{{#staticFileLink}}10862222452,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10862222452,RESIZE_710x{{/staticFileLink}}" width="700" alt="10862222452?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 6. Credentials found for tkelevator.com in breach collections.</em></p>
<p>Of course, it needs to be mentioned here that these are simply interesting discoveries in our collections, and they may not necessarily reflect direct causes of any issues. This information should be used in conjunction with context, risk analyses, or information gathered from other sources for decision-making and action planning.</p>
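<p>The cross-collection pivot behind Figures 3 and 6, as an added example that is not Red Sky Alliance's collection pipeline or a CTAC query: it computes per-site shares within a collection category and joins ransomware leak-site victim domains to leaked addresses, matching subdomains while ignoring look-alike domains and malformed records. All sites, domains and addresses below are constructed placeholders.</p>

```python
"""Pivot from ransomware leak-site listings to leaked credentials.

Added example, not Red Sky Alliance's collection pipeline or a CTAC query.
Every record below is constructed; sites, domains and addresses are
fictional placeholders for the kind of data shown in Figures 3, 5 and 6.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List


def normalize_domain(value: str) -> str:
    """Lower-case, drop a leading 'www.' and any trailing dot."""
    dom = value.strip().lower().rstrip(".")
    return dom[4:] if dom.startswith("www.") else dom


def email_domain(email: str) -> str:
    """Normalized domain part of an address, or '' if it is malformed."""
    if email.count("@") != 1:
        return ""
    return normalize_domain(email.rsplit("@", 1)[1])


def domain_matches(candidate: str, victim: str) -> bool:
    """True for the victim domain itself or one of its subdomains.
    'mail.victim.example' matches 'victim.example'; 'notvictim.example' does not."""
    return candidate == victim or candidate.endswith("." + victim)


def site_share(records: Iterable[dict], source_type: str) -> Dict[str, float]:
    """Percentage of collected documents per site within one source type
    (forum, marketplace or ransomware), the view summarized in Figure 3."""
    counts = Counter(r["site"] for r in records if r["source_type"] == source_type)
    total = sum(counts.values())
    if not total:
        return {}
    return {site: round(100.0 * n / total, 1) for site, n in counts.items()}


def pivot_credentials(listings: Iterable[dict],
                      breach_records: Iterable[dict]) -> Dict[str, List[str]]:
    """For each victim domain named on a ransomware listing, collect the
    leaked addresses whose domain is that domain or one of its subdomains."""
    victims = {normalize_domain(item["victim_domain"]) for item in listings}
    hits: Dict[str, set] = defaultdict(set)
    for rec in breach_records:
        dom = email_domain(rec["email"])
        if not dom:
            continue  # skip malformed records rather than abort the run
        for victim in victims:
            if domain_matches(dom, victim):
                hits[victim].add(rec["email"].strip().lower())
    return {victim: sorted(addrs) for victim, addrs in hits.items()}


# Constructed sample collections (fictional counts, domains and addresses).
COLLECTION = (
    [{"source_type": "forum", "site": "Rutor"}] * 9
    + [{"source_type": "forum", "site": "Dread"}]
    + [{"source_type": "ransomware", "site": "Conti"}] * 3
    + [{"source_type": "ransomware", "site": "LockBit 2.0"}]
)
RANSOMWARE_LISTINGS = [
    {"site": "Conti", "victim_domain": "Victim-Example.com"},
    {"site": "LockBit 2.0", "victim_domain": "www.other-victim.example"},
]
BREACH_RECORDS = [
    {"email": "j.doe@victim-example.com", "source": "combo list A"},
    {"email": "admin@MAIL.victim-example.com", "source": "combo list A"},
    {"email": "j.doe@victim-example.com", "source": "combo list B"},  # duplicate
    {"email": "sales@notvictim-example.com", "source": "combo list B"},  # look-alike
    {"email": "not-an-address", "source": "combo list B"},  # malformed
    {"email": "cto@other-victim.example", "source": "paste site"},
]

if __name__ == "__main__":
    print(site_share(COLLECTION, "forum"))
    for victim, addrs in pivot_credentials(RANSOMWARE_LISTINGS, BREACH_RECORDS).items():
        print(victim, "->", addrs)
```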
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}10862222482,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10862222482,RESIZE_400x{{/staticFileLink}}" width="300" alt="10862222482?profile=RESIZE_400x" /></a><br /> Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
</div>Dark Web Investigations coming up Short?https://redskyalliance.org/xindustry/dark-web-investigations-coming-up-short2022-09-21T14:17:28.000Z2022-09-21T14:17:28.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10818501281,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10818501281,RESIZE_400x{{/staticFileLink}}" width="250" alt="10818501281?profile=RESIZE_400x" /></a>According to a recent report, many cyber threat intelligence professionals believe they would not be able to find private data leaked from their organizations on the dark web. While most security professionals in US organizations are concerned about threats from the dark web, a large portion still do not take risks from the criminal underground seriously. A recent survey shows that a third of people responsible for managing cyber vulnerabilities in their day-to-day work say they are not very concerned about threats emerging from the dark web.</p>
<p>While 69% are very or somewhat concerned about dark web threats, that still leaves many US companies blind to the dangers lurking in the dark corners of the Internet. The cybercrime underground is constantly changing. What organizations refer to as the dark web today does not cover the entire cybercrime landscape. By monitoring cybercrime sources for contextual intelligence, organizations can detect dangerous threats and prevent them from becoming cyber-attacks that cause major financial and reputational damages.</p>
<p>Over half of the security professionals who participated in the survey say they would not be surprised to find their organization’s private data posted on the dark web. The researchers link these results to a high probability that organizations do not have the tools to monitor the criminal underground on the dark web. If a leak is detected in time, action can still be taken to take down the leaked information before any malicious actors get to it. Cyber professionals state that teams need to act fast. Knowing what you do not know is an everyday challenge.<a href="#_ftn1">[1]</a></p>
<p>The survey shows that almost 30% of the respondents said they were not very likely to detect their organization’s private data on the dark web if it was leaked. The survey’s authors say these findings show that while security professionals are aware of the risk of a data breach, they might not feel able to prevent it from happening. The survey shows that security professionals are concerned about all types of data being released on the dark web. However, 18.7% of respondents, the largest portion, fear customer data appearing on the dark web. Loss of intellectual property was a close second with 16.7%.</p>
<p>While most security teams are aware of the risk that underground cybercriminal activity poses, 48% of respondents said their organizations have no dark web threat intelligence policy to guide their threat response. Organizations with a policy in place most often (23.5%) outsource their dark web threat intelligence to a service provider. A similar share (23%) uses purpose-built dark web monitoring software to scout for leaked data and gather intelligence. Some teams use threat intelligence tools that monitor the dark web for keywords without direct access, while others use tools that access the dark web directly, such as the Tor browser.</p>
<p>According to the report, only 41% of respondents said their security program is effective at monitoring the dark web. According to the report’s authors, relatively low satisfaction with existing security programs might result from poor training and from organizations trying to catch up with sudden changes in the field of cybersecurity. Almost a fifth of those who view their security programs as effective said that is because analysts were given specific training on conducting dark web threat intelligence investigations. The second most common reason respondents gave for program effectiveness (17.7%) was having an internet connection separate from the corporate network for conducting investigations. Security professionals say that the biggest challenge for dark web monitoring is an acute lack of system isolation, which puts the investigating system at risk of compromise. Lack of training was the second challenge respondents mentioned most often.</p>
<p>Survey respondents often pointed to private forums and messaging groups when asked which parts of the dark web they lack access to. 49% said they are not satisfied with their dark web visibility. Of the 51% who are satisfied with their dark web access, 39% said they still would not be able to prevent an attack. The report shows that while organizations take cyber threats seriously, they do not always know what to do to combat them. Four hundred twenty-six security professionals from the US took part in the survey. All of the respondents are directly responsible for gathering cyber threat intelligence.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://cybernews.com/news/dark-web-too-shady-for-pros-monitoring-the-underground/">https://cybernews.com/news/dark-web-too-shady-for-pros-monitoring-the-underground/</a></p></div>Credential Harvesting at Collegehttps://redskyalliance.org/xindustry/credential-harvesting-at-college2022-07-05T13:07:21.000Z2022-07-05T13:07:21.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10622735858,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10622735858,RESIZE_400x{{/staticFileLink}}" width="250" alt="10622735858?profile=RESIZE_400x" /></a>The cyber division of the Federal Bureau of Investigation (FBI) has published a notification warning US colleges and universities that education and learning credentials have been marketed for sale on the Dark Web and on online legal marketplaces and sites. The warning informs universities, colleges, and higher education institutions that credentials have been advertised for sale on Dark Web criminal marketplaces. This exposure of sensitive credential and network access information, especially for privileged user accounts, could lead to subsequent cyberattacks against individual users or affiliated organizations. Cyber actors continue to conduct attacks against US colleges and universities, leading to the exposure of user information on public and cybercriminal forums.</p>
<p>Credential harvesting against an organization is often a result of spear-phishing, ransomware, or other cyber intrusion tactics. According to investigators, the credentials were discovered in January 2022 for sale on a Russian cybercrime forum. The credentials pertained to several American universities and colleges across the country. Prices ranged from a few dollars to multiple thousands. The same document suggested that in May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were found on a publicly available instant messaging platform.</p>
<p>This report also explains the exposure of such sensitive credential and network access information is very detrimental to the institutions as it could lead to cyberattacks against individual users or affiliated organizations.</p>
<p>Higher education institutions should be cautious of this current threat and change passwords, as well as being diligent with security measures such as two-factor authentication. Attackers could attempt to breach credit cards or gain access to other personally identifiable information, submit fraudulent transactions on behalf of the institution, carry out other criminal activity, or launch subsequent attacks.</p>
<p>Credentials were obtained via spear-phishing, ransomware, or cyber intrusion tactics. To mitigate these threats, authorities are calling for colleges, universities, and all academic entities to establish and maintain strong relationships with cyber professionals and local, state and federal law enforcement. </p>
<p>To help identify potential vulnerabilities and mitigate threats, the report recommends that all academic institutions establish and maintain “strong liaison relationships with the FBI Field Office in their region.” Additionally, all higher education institutions should, if necessary, review their incident response and communication strategies in case of a cyber incident.<a href="#_ftn1">[1]</a></p>
<p>Law enforcement recommends mitigation strategies aimed at reducing the risk of compromise, such as:</p>
<ul>
<li>Keeping all systems up-to-date</li>
<li>Implementing cybersecurity training</li>
<li>Requiring strong passwords</li>
<li>Utilizing multi-factor authentication (MFA)</li>
<li>Using anomaly detection tools</li>
<li>Enforcing the principle of least privilege</li>
</ul>
<p>See: <a href="https://redskyalliance.org/xindustry/can-hackers-raise-my-college-gpa">https://redskyalliance.org/xindustry/can-hackers-raise-my-college-gpa</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cybersecurityintelligence.com/blog/for-sale-academic-credentials-6343.html">https://www.cybersecurityintelligence.com/blog/for-sale-academic-credentials-6343.html</a></p></div>Wanna to Buy a Payment Card?https://redskyalliance.org/xindustry/wanna-to-buy-a-payment-card2021-12-16T18:10:22.000Z2021-12-16T18:10:22.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}9917755254,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9917755254,RESIZE_400x{{/staticFileLink}}" width="250" alt="9917755254?profile=RESIZE_400x" /></a>Researchers have found that 1.5 million payment card records found on the dark web belong to US citizens. Visa cards were the most frequent, with 913,955 found on the darknet, followed by Mastercard with 406,851 cards and American Express with over 143,836. Australia and Hong Kong were the next most affected places, with details on 419,806 and 399,537 cards found, respectively. According to the research, a card's vulnerability depends on the proportion of non-refundable cards, the country's population, and the number of cards in circulation. "For example, taking into account a large number of cards with refunds available, US cards may be more reliable. But there was still a big number of them found hacked on the internet because of the greater number of credit card users in this country in general," explains the CTO at NordVPN. </p>
<p>A payment card, pay card, or payroll card is one way of getting your paycheck. Pay cards are a kind of reloadable debit card that employers can give to their employees, depositing paychecks onto the cards instead of printing checks or using direct deposit. If a card is refundable, the victim will be compensated for the hacker-inflicted damage; non-refundable cards provide no such relief. Another recommendation is to have separate bank accounts for different purposes and to keep only small amounts of money in the one your payment cards are connected to.</p>
<p>Considering these factors, researchers determined that Hong Kong was most vulnerable, followed by Australia and New Zealand. At the same time, the Netherlands was considered to be the least vulnerable to attacks like these. Most of the payment cards (914,072) cost $20 on the dark web. However, the average price of a payment card in the research stood at $9.70.<a href="#_ftn1">[1]</a></p>
<p>More than half (2,524,142) of all the discovered payment cards were Visa, followed by MasterCard (1,602,248) and American Express (215,971). Comparing the numbers of credit and debit cards, the overall difference was not significant, with 52.5% of the discovered cards being debit cards and 47.5% credit cards.</p>
<p>According to investigators, the black market for card payment details has been steadily growing since 2014. Even if the cards sell for $10 on average, a stolen database with 4 million card details can sell for a whopping $40 million.</p>
<p>A large portion of the payment card data online comes from brute force, a computer-generated process aimed at getting the right numbers almost randomly. "A computer can make thousands of guesses a second. After all, criminals do not target specific individuals or specific cards. It is all about guessing any viable card details that work to sell," analysts explain. There is no way to remove the threat of brute-forcing completely, but that does not mean users need not do anything at all. One way is to stay vigilant and respond quickly to any notice from your bank on card use.</p>
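<p>A defender-side counterpart to the brute-force guessing described above, as an added example that is not code from the cited research: a detector that flags card-testing bursts in payment authorization logs, where one merchant sees many distinct cards declined within a short window. The log lines, merchant IDs and thresholds are constructed; cards appear only as BIN plus last four digits.</p>

```python
"""Card-testing burst detector over payment authorization logs.

Added example, not code from NordVPN or Red Sky Alliance. The log lines,
merchant IDs and thresholds are constructed; cards appear only as BIN
(first six digits) plus last four, which is all the detector needs.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed authorization log: "<ISO time> <merchant> <bin>******<last4> <result>".
# M-001 is ordinary traffic; M-002 sees nine different cards in nine seconds.
SAMPLE_LOG = """\
2021-12-16T10:00:01 M-001 411111******1234 APPROVED
2021-12-16T10:00:02 M-002 411111******0001 DECLINED
2021-12-16T10:00:03 M-002 411111******0002 DECLINED
2021-12-16T10:00:04 M-002 411111******0003 DECLINED
2021-12-16T10:00:05 M-002 411111******0004 DECLINED
2021-12-16T10:00:06 M-002 411111******0005 DECLINED
2021-12-16T10:00:07 M-002 411111******0006 APPROVED
2021-12-16T10:00:08 M-002 411111******0007 DECLINED
2021-12-16T10:00:09 M-002 411111******0008 DECLINED
2021-12-16T10:00:10 M-002 411111******0009 DECLINED
2021-12-16T10:00:30 M-001 555555******9876 DECLINED
2021-12-16T10:00:45 M-001 411111******1234 APPROVED
"""

Event = Tuple[datetime, str, bool]  # (time, masked card, declined?)


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    """Split one log line into (time, merchant, masked card, declined)."""
    ts, merchant, card, result = line.split()
    return datetime.fromisoformat(ts), merchant, card, result == "DECLINED"


def detect_card_testing(log_text: str, window_s: int = 60, min_attempts: int = 8,
                        decline_ratio: float = 0.8,
                        distinct_ratio: float = 0.9) -> List[dict]:
    """Raise one alert per merchant burst in which, within window_s seconds,
    at least min_attempts authorizations were tried, most were declined and
    nearly all used different cards (retries of one card are not testing)."""
    windows: Dict[str, Deque[Event]] = defaultdict(deque)
    last_alert: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, merchant, card, declined = parse_line(raw)
        q = windows[merchant]
        q.append((ts, card, declined))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # evict events older than the window
        n = len(q)
        if n < min_attempts:
            continue
        declines = sum(1 for _, _, d in q if d)
        distinct = len({c for _, c, _ in q})
        if declines / n < decline_ratio or distinct / n < distinct_ratio:
            continue
        prev = last_alert.get(merchant)
        if prev is not None and (ts - prev).total_seconds() <= window_s:
            continue  # same burst, already reported
        last_alert[merchant] = ts
        top_bin, top_count = Counter(c[:6] for _, c, _ in q).most_common(1)[0]
        alerts.append({
            "merchant": merchant,
            "at": ts.isoformat(),
            "attempts": n,
            "declines": declines,
            "top_bin": top_bin,
            "top_bin_share": round(top_count / n, 2),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG):
        print(alert)
```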
<p>How to protect yourself against phishing:</p>
<ul>
<li>Use unique and complex passwords for all of your online accounts. Password managers help you generate strong passwords and notify you when you reuse old passwords.</li>
<li>Use multi-factor authentication (MFA) where possible.</li>
<li>Beware of any messages sent to you, even from your Facebook contacts. Phishing attacks will usually employ some type of social engineering to lure you into clicking malicious links or downloading infected files.</li>
<li>Watch out for any suspicious activity on your Facebook or other online accounts.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers pro-active solutions to protect your networks. Cyber intelligence is a needed key for your over-all cyber security. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://cybernews.com/news/4-million-payment-cards-sold-on-the-dark-web-1-5-million-belong-to-americans/">https://cybernews.com/news/4-million-payment-cards-sold-on-the-dark-web-1-5-million-belong-to-americans/</a></p></div>Operation Dark HunTORhttps://redskyalliance.org/xindustry/operation-dark-huntor2021-10-27T15:22:10.000Z2021-10-27T15:22:10.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}9741553061,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9741553061,RESIZE_400x{{/staticFileLink}}" width="250" alt="9741553061?profile=RESIZE_400x" /></a>Federal law enforcement officials announced on 26 October 2021 that a wide-ranging, global illicit drug crackdown yielded 150 arrests and the seizure of more than $31.6 million in cash and virtual currencies. The 10-month law enforcement initiative, called Operation Dark HunTOR after Tor, the anonymity network on which darknet markets are hosted, was conducted in partnership with international counterparts. The operation produced 234 kilograms (roughly 500 lbs.) of seized drugs. Of those arrested, 65 were in the US and the remainder were in several European countries including Germany, France and the UK. </p>
<p> “We face new and increasingly dangerous threats as drug traffickers expand into the digital world and use the dark net to sell dangerous drugs like fentanyl and methamphetamine,” the head of the US Drug Enforcement Administration (DEA), said at a news conference. “We cannot stress enough the danger of these substances.”</p>
<p>Many of the drugs that were confiscated were found to be counterfeit or include other dangerous substances apart from what they were purported to be, such as fentanyl. “Those purchasing drugs through the dark net often don’t know what they’re getting,” said an Associate Deputy FBI Director. “Today we’re taking some of the most dangerous, unregulated drugs off the streets of America.” The operation included members of the Department of Justice’s Joint Criminal Opioid and Darknet Enforcement team and Europol.<a href="#_ftn1">[1]</a></p>
<p>The US officials reported Operation Dark HunTOR sprang from prior law enforcement efforts to clamp down on the sale and distribution of drugs and other illicit items over the dark web, including the shutdown of digital marketplace DarkMarket at the beginning of the year.<a href="#_ftn2">[2]</a></p>
<p>Law enforcement noted that the countries of Mexico and China are two major centers of activity related to illicit drug manufacturing and trafficking operations. “No one is beyond the reach of law, even on the dark web,” the Europol Deputy Executive Director said.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.politico.com/news/2021/10/26/dark-web-drug-crackdown-arrests-517177">https://www.politico.com/news/2021/10/26/dark-web-drug-crackdown-arrests-517177</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.justice.gov/opa/pr/international-law-enforcement-operation-targeting-opioid-traffickers-darknet-results-150">https://www.justice.gov/opa/pr/international-law-enforcement-operation-targeting-opioid-traffickers-darknet-results-150</a></p></div>Attacked, Stolen and for Sale - Againhttps://redskyalliance.org/xindustry/attacked-stolen-and-for-sale-again2021-07-14T13:38:15.000Z2021-07-14T13:38:15.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}9246407257,RESIZE_192X{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9246407257,RESIZE_192X{{/staticFileLink}}" width="181" alt="9246407257?profile=RESIZE_192X" /></a>After 500 million LinkedIn users were affected in a data-scraping incident in April 2021, it has happened again with big security consequences. A new posting with 700 million LinkedIn records has appeared on a popular hacker forum. Analysts from Privacy Sharks found the data put up for sale on RaidForums by a hacker calling himself “GOD User TomLiner.” The dark web advertisement, posted 22 June 2021, claims that 700 million records are included in the cache, and included a sample of 1 million records as “proof.”</p>
<p>Privacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It is unclear what the origin of the data is but the scraping of public profiles is a likely source. That was the engine behind the collection of 500 million LinkedIn records that went up for sale in April. It contained an “aggregation of data from a number of websites and companies” as well “publicly viewable member profile data,” LinkedIn said at the time.</p>
<p>According to LinkedIn, no breach of its networks has occurred this time, either: “While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources,” according to the company’s press statement. “This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members’ privacy is protected.”</p>
<p>“This time around, we cannot be sure whether or not the records are a cumulation of data from previous breaches and public profiles, or whether the information is from private accounts,” according to Privacy Sharks’ blog post, published on 28 June 2021. “We employ a strict policy of not supporting sellers of stolen data and, therefore, have not purchased the leaked list to verify all of the records.”</p>
<p>There are 200 million more records available in the collection this time around, so it is probable that new data has been scraped and that it is more than a rehash of the previous group of records, researchers added.<a href="#_ftn1">[1]</a></p>
<p>The good news is that credit-card data, private message contents and other sensitive information are not part of the incident, according to Privacy Sharks’ analysis. That is not to say there are no serious security implications, though. “The leaked information poses a threat to affected LinkedIn users,” according to Privacy Sharks. “With details such as email addresses and phone numbers made available to buyers online, LinkedIn individuals could become the target of spam campaigns, or worse still, victims of identity theft.”</p>
<p>It added, “expert hackers may still be able to track down sensitive data through just an email address. LinkedIn users could also be on the receiving end of email or telephone scams that trick them into sharing sensitive credentials or transferring large amounts of money.”</p>
<p>Then there are brute-force attacks to be concerned about: “Using email addresses provided in the records, hackers may attempt to access users’ accounts using various combinations of common password characters,” researchers warned. The data could be a social-engineering goldmine. Attackers could simply visit public profiles to target someone but having so many records in one place could make it possible to automate targeted attacks using information about users’ jobs and gender, among other details.</p>
<p>“It is not uncommon to see such data sets being used to send personalized phishing emails, extort ransom or earn money on the Dark Web, especially now that many hackers target job seekers on LinkedIn with bogus job offers, infecting them with a backdoor trojan,” Candid Wuest, Acronis vice president of cyber-protection research, said via email at the time of the first data-scraping incident. “For example, such personalized phishing attacks with LinkedIn lures were used by the Golden Chickens group.”</p>
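<p>The brute-force risk described above is, in practice, password spraying: the attacker takes the scraped e-mail list, tries one or two common passwords against every address, and so never trips the per-account lockout that classic brute-force protection relies on. The Python below is an added example, not code from Threatpost, Privacy Sharks or Red Sky Alliance; it runs a per-account lockout rule and a source-keyed spray detector over a constructed authentication log (example.com addresses, documentation-range IPs) to show which one catches which attack. The window and thresholds are assumptions.</p>

```python
"""Credential attacks built from a scraped e-mail list, and why per-account
lockout alone misses them.

Added example, not code from the Threatpost article, Privacy Sharks or
Red Sky Alliance. The authentication log below is constructed; the addresses
and IPs are documentation/example values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log. 203.0.113.9 sprays one password across six scraped
# addresses; 198.51.100.5 is a user who mistyped once; 192.0.2.77 hammers
# a single account.
AUTH_LOG = """\
2021-06-28T09:00:01Z src=203.0.113.9 user=alice@example.com result=FAIL
2021-06-28T09:00:05Z src=203.0.113.9 user=bob@example.com result=FAIL
2021-06-28T09:00:09Z src=203.0.113.9 user=carol@example.com result=FAIL
2021-06-28T09:00:13Z src=203.0.113.9 user=dave@example.com result=FAIL
2021-06-28T09:00:17Z src=203.0.113.9 user=erin@example.com result=FAIL
2021-06-28T09:00:21Z src=203.0.113.9 user=frank@example.com result=SUCCESS
2021-06-28T09:01:00Z src=198.51.100.5 user=alice@example.com result=FAIL
2021-06-28T09:01:10Z src=198.51.100.5 user=alice@example.com result=SUCCESS
2021-06-28T09:02:00Z src=192.0.2.77 user=carol@example.com result=FAIL
2021-06-28T09:02:03Z src=192.0.2.77 user=carol@example.com result=FAIL
2021-06-28T09:02:06Z src=192.0.2.77 user=carol@example.com result=FAIL
2021-06-28T09:02:09Z src=192.0.2.77 user=carol@example.com result=FAIL
"""


def parse_event(line: str) -> dict:
    """'<ISO timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def load(log: str) -> list:
    return [parse_event(l) for l in log.splitlines() if l.strip()]


def per_user_lockout(events, threshold: int = 3) -> set:
    """Classic control: lock an account after N failures. Catches the
    single-account brute force, misses a spray that touches each account once."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users: int = 5, max_per_user: int = 2) -> dict:
    """Spray signature: one source, many distinct accounts, few failures per
    account, inside a short window. Keyed on the source, not the account, so
    per-account counters are irrelevant. Also reports successes seen in the
    same window, which is the alert that matters."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            per_user = defaultdict(int)
            for e in win:
                if e["result"] == "FAIL":
                    per_user[e["user"]] += 1
            successes = sum(1 for e in win if e["result"] == "SUCCESS")
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                cur = hits.setdefault(src, {"accounts_tried": 0, "successes_in_window": 0})
                cur["accounts_tried"] = max(cur["accounts_tried"], len(per_user))
                cur["successes_in_window"] = max(cur["successes_in_window"], successes)
    return hits


if __name__ == "__main__":
    evs = load(AUTH_LOG)
    print("locked by per-user rule:", per_user_lockout(evs))
    print("spray sources:", detect_password_spray(evs))
```

<p>On the sample log the lockout rule locks only carol, the account being hammered from 192.0.2.77, while the spraying source is untouched; the source-keyed detector flags 203.0.113.9 and reports the one success it achieved against frank. That success is exactly what MFA, the second item in the advice above, would have stopped.</p>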
<p>Once again, I wonder who will be contacting me on LinkedIn with a great opportunity to connect, visit URLs and open attached PDFs. This looks like a great time to consider working with a phishing simulation and training organization, before your employees fall for any of the usual tricks. Red Sky Alliance has continued to partner with companies that can help protect our clients, members and readers. Please visit <a href="https://www.wapacklabs.com/phinsecurity">https://www.wapacklabs.com/phinsecurity</a> for an inexpensive way to protect your organization.</p>
<p>At Red Sky Alliance, we can help INFOSEC teams with services beginning with cyber threat notification, analysis and complete elimination of cyber threat from both the inside and outside of networks. Our analysts will be happy to hold a brief call with your team members to help them better prepare for cyberattacks, malware and ransomware. And what if this call led to savings in current duplicated services and forecasted need for additional personnel? </p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/">https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/</a></p></div>“I’ll have a BBQ Sandwich and a side of Credit Card Numbers”https://redskyalliance.org/xindustry/credit-card-numbers2020-10-28T20:03:54.000Z2020-10-28T20:03:54.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8082894658,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8082894658,RESIZE_400x{{/staticFileLink}}" alt="8082894658?profile=RESIZE_400x" width="250" /></a>There is no shortage of places within the Internet's dark market where stolen credit and debit card information is sold. Most of them, truth be told, are criminal chancers trading in recycled data from old breaches; bargains are to be had for fraudsters willing to gamble that some of the bundle of payment cards they have bought will actually be usable. Joker's Stash, established in 2014, is not only the biggest of these markets but also prides itself on traders selling the "freshest" payment card details, those that come directly from a breach rather than being recycled. As a result, this compromised card data does not come cheap and is pitched firmly in the top tier as far as pricing is concerned.</p>
<p> Joker's Stash advertisement for the sale of 'BlazingSun' group of stolen cards (Source: Gemini Advisory)</p>
<p>The Joker's Stash darknet marketplace has posted a fresh collection of 3 million credit cards that are likely related to a breach of the Dickey's Barbecue Pit chain of franchised restaurants, according to Gemini Advisory. The new collection, called "BlazingSun," was posted on 19 October 2020 on the Joker's Stash carding site, and Gemini Advisory says it confirmed the authenticity of the data before publishing its report.</p>
<p>The darknet marketplace had been advertising in recent weeks that the data from the Dickey's Barbecue Pit breach would be posted soon. The data is from both track 1 and track 2 of the cards' magnetic stripes, which can include the cardholder name, account number, expiration date and bank identification number (BIN). It apparently comes from cards used at restaurants in 30 states as well as some international locations, according to the report. The data appears to have been stolen between July 2019 and August 2020. Joker's Stash is now selling the information for a median price of $17 per card.<a href="#_ftn1">[1]</a></p>
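<p>Track 1 and track 2 are fixed ISO/IEC 7813 layouts, which is why a dump of raw stripe reads is directly usable for cloning: the PAN, expiry, cardholder name and service code sit at known positions between sentinel characters. The Python below is an added example, not code from Gemini Advisory, BankInfoSecurity or Red Sky Alliance; it parses both track formats from two constructed records (published test PANs, an invented name and dates), masks the PAN the way a PCI-compliant log would, and reads the service code to tell whether the card was issued with a chip, since a swiped transaction on a chip card is the fallback pattern fraud teams look for in this kind of breach.</p>

```python
"""Parsing magnetic-stripe track 1 and track 2 data of the kind sold in
card dumps. Added example, not code from Gemini Advisory, BankInfoSecurity
or Red Sky Alliance. The two records below are constructed with published
test PANs; the name, dates and discretionary data are made up.
"""
import re

# ISO/IEC 7813 layouts.
# Track 1: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
                    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121010000000000000?"  # constructed
SAMPLE_TRACK2 = ";5555555555554444=26062010000000000?"              # constructed


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, as PCI DSS allows in logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_card(service_code: str) -> bool:
    """First service-code digit 2 or 6 marks an IC (chip) card; a plain
    swipe of such a card is the fallback transaction analysts flag."""
    return service_code[0] in "26"


def _common(m: "re.Match") -> dict:
    exp = m.group("exp")
    pan = m.group("pan")
    return {
        "pan": pan,
        "masked_pan": mask_pan(pan),
        "bin": pan[:6],
        "expiry": f"{exp[2:]}/{exp[:2]}",  # YYMM on the stripe -> MM/YY
        "service_code": m.group("svc"),
        "chip": chip_card(m.group("svc")),
    }


def parse_track1(data: str) -> dict:
    m = TRACK1.match(data)
    if not m:
        raise ValueError("not a track 1 record")
    rec = _common(m)
    surname, _, given = m.group("name").strip().partition("/")
    rec["cardholder"] = f"{given.strip()} {surname.strip()}".strip()
    return rec


def parse_track2(data: str) -> dict:
    m = TRACK2.match(data)
    if not m:
        raise ValueError("not a track 2 record")
    return _common(m)


if __name__ == "__main__":
    print(parse_track1(SAMPLE_TRACK1))
    print(parse_track2(SAMPLE_TRACK2))
```

<p>Track 2 is what a cloned card needs for a magstripe transaction, which is why dumps that include it sell at a premium over "fullz" without stripe data. The BIN pulled out here is also what an issuer uses to scope its reissue: match the BINs in the listing against your own ranges and you have the list of cards to reissue without buying the dump.</p>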
<p><a href="{{#staticFileLink}}8082895661,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8082895661,RESIZE_400x{{/staticFileLink}}" alt="8082895661?profile=RESIZE_400x" width="248" /></a>A spokesperson for Dickey's Barbecue Pit stated that the company is aware of the report that card data is for sale and has contacted third-party security firms as well as the FBI to investigate. "We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved," the spokesperson says.</p>
<p>In January 2020, Joker's Stash posted for sale 30 million payment cards related to a breach at the Wawa convenience store chain. The marketplace advertised this [Wawa] breach as containing 30 million records, and as of this writing, it continues to add compromised cards. Since the breach first appeared in January 2020 and continues to add records 10 months later, the BlazingSun [Dickey's card listing] may follow a similar timeline of several months.</p>
<p>The source of the breach data from Dickey's Barbecue Pit restaurants is not known. Dickey's operates on a franchise model, which often allows each location to choose its own point-of-sale devices and payment processors. Given the widespread nature of the breach, the exposure may be linked to a compromise of a single central payment processor that was used by over a quarter of all Dickey's locations.</p>
<p>Dickey's Barbecue Pit oversees 469 franchised restaurants across 42 states. The Gemini Advisory report estimates that 156 of these locations in 30 states appear to have been compromised, with the highest exposure in California and Arizona. Dickey's Barbecue Pit sustained a ransomware attack in 2015, and the company ended up paying a $6,000 ransom. In 2018, the then-CEO wrote a blog post promising to update and improve the company's security practices.</p>
<p>Over the last several months, Joker's Stash also has advertised a collection of nearly 400,000 payment cards issued by banks in the US and South Korea for approximately $5 each, according to the security firm Group-IB.</p>
<p><strong>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</strong></p>
<p><strong>The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</strong></p>
<p><strong>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </strong></p>
<p><strong>Weekly Cyber Intelligence REDSHORT Briefings: </strong><br /> <strong>Created for security managers, by security professionals, focused on sharing information for the good of the infosec community.</strong></p>
<p><strong><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></strong></p>
<ul>
<li><strong>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></strong></li>
<li><strong>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></strong></li>
<li><strong>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></strong></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/for-sale-3-million-cards-used-at-dickeys-barbeque-pit-a-15192">https://www.bankinfosecurity.com/for-sale-3-million-cards-used-at-dickeys-barbeque-pit-a-15192</a></p></div>