
Tag: dark net

Crafted tool to brute-force, take over accounts, buy stuff

RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that’s used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases. Sentry MBA, which is readily available for purchase on the so-called dark web, offers a way to break into accounts via a point-and-click utility.

The tool makes cybercrime accessible to legions of aspiring attackers across the globe and removes the pesky need to learn the coding skills needed to hack into websites through exploiting SQL injection flaws or other vulnerabilities. Finding website vulnerabilities takes technical skill, and it’s a far easier proposition to just hijack a few user accounts. Data breaches at websites mean that many credential lists are available for sale or already in the wild. Password reuse means that many consumers use the same login credentials on multiple websites. Crooks are unlikely to know which consumers have been sloppy with their passwords, much less which higher value accounts these login credentials might unlock.

Sentry MBA gets around this problem by creating a means to launch brute force attacks.

Numbers game

Any long list of stolen credentials will almost certainly include many that open accounts on the sites coveted by hackers.

Sentry MBA automates the process of testing millions, or tens of millions, of compromised username/password combinations to see which ones work - a task that would be impossibly time-consuming without automation. Three things are needed to launch a productive Sentry MBA attack: a “config” file to help Sentry MBA navigate the unique characteristics of a targeted site, a “combo” list of username/password combinations a would-be cybercrook would like to test[1], and a “proxy” file, a list of compromised hosts (also known as proxies or bots) that Sentry MBA uses during the attack. Proxies help the attacker evade website defences by spreading login attempts across many sources.

Each of these three items in the witches' brew can be found on the open web or purchased from Sentry MBA resellers in cybercrime forums, according to Shape Security. The open web and dark net are filled with forums offering working config files for specific sites, combo files containing credentials from the latest online breach, and proxy files of bots that haven’t been blacklisted.

These underground markets, combined with automated tools like Sentry MBA, create a new cybersecurity reality where devastating online attacks can be launched by any individual with minimal resources. Once crooks have obtained a list of functioning login credentials at targeted retailers, they can use the information to order high value gadgets using the victim’s stored credit card number before changing the shipping address, allowing crooks to recover the goods or get an accomplice to collect it for them.

These knock-off goods would then be sold on for cash. “Once you’ve maxed out one credit card, just rinse and repeat for all the accounts you cracked,” according to Shape Security.
In practice, receiving stolen goods in this way is the riskiest part of the operation for more skilled crooks and carries a substantial risk of tracking and arrest, hence the use of mules to receive and forward goods as part of better organised scams. Fraud might be detected and stopped at various stages of a fraudulent transaction.

Even so, preventing hackers from getting into accounts in the first place is obviously preferable.

Data from Shape Security shows there is plenty of malfeasance using Sentry MBA going on. Sentry MBA is a potential menace to any site with valuable data behind its login page.
In some cases gamers use the tool to crack into accounts on online gaming websites.

Tutorials and YouTube videos (example below) on how to use Sentry MBA are easy to find online.
Brute force

Shape Security’s technology protects banking, retail, healthcare, and government sites from automated (brute force) password guessing attacks, which are commonly run using tools such as Sentry MBA.
Shape’s technology protects websites and mobile applications by detecting and preventing automated account breaking attempts. Analysis by Shape Security of a sample of customer data consisting of six billion login and search page submissions from December of 2015 through January of 2016 found that Sentry MBA attacks were commonplace. For example, cybercriminals made nearly four million login attempts at a major global bank in four separate attacks over a three-day period.

These attacks enlisted over 200,000 proxies located in Russia, Vietnam, Mexico, China, and the US. Separately, two major breakouts in early December highlight how cybercriminals are turning their attention to mobile APIs.

The first attack, focused on the target’s traditional website application, made over 30,000 login attempts using proxies located in Russia.

The second attack, focused on the target’s mobile API, made an average of 15,000 login attempts every day for seven days.

Both attacks shared 220 proxies, evidence that the same miscreants may have been responsible for both. By reducing the technical skill needed to mount a cyberattack, Sentry MBA brings the bar for running damaging attacks down to point-and-click level.

The marketing of Sentry MBA shows how cybercrime more generally is becoming increasingly compartmentalised and commoditised, Shape Security concludes. Research on the abuse of Sentry MBA was released at the RSA Conference in San Francisco on Wednesday. ®

Bootnote

[1] “Combo” lists often include credentials harvested from breaches at other online locations.
Bitglass Threat Research Team's Project Cumulus demonstrates what happens when Google Drive credentials are 'stolen.' Everyone knows that stolen credentials can have disastrous effects on people's most critical accounts, but there's often no clear timeline for how exactly criminals put them to use.

That changed this week with a new experiment from researchers at cloud access security broker (CASB) Bitglass, who put together a fictional digital identity and then leaked its credentials to the Dark Web to track the secret life of credentials once they're stolen. This is the second year running that Bitglass has done a "where's your data?" experiment.

For this one, dubbed Project Cumulus, the Bitglass Threat Research Team created an online persona of an employee for a fictitious bank.

This included creating a phony Google Drive account with fake bank data and files containing real credit card numbers and other data made to look like something someone would produce on the job.

The drive was then tracked using Bitglass watermarks embedded in the files and its CASB technology in monitor-only mode. From there, the team leaked the credentials for the Google Drive in a way that made it appear they were stolen during a larger phishing campaign.

They found there was an immediate spike in activity when the credentials were leaked, with over 1,400 visits recorded to them and to the fictitious bank's Web portal. From there, about 94% of the hackers who accessed the drive in question then also found the victim's other online accounts, including the faked bank Web portal. One in ten of them immediately attempted to log into Google itself with the Google Drive credentials in hand.

And 12% of hackers attempted to download files containing sensitive content, with a handful cracking encrypted files after they were downloaded. "Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data," says Nat Kausik, CEO of Bitglass.

Project Cumulus was the next step in Bitglass' experimentation on tracking stolen credentials or documents in the wild. Last year, it leaked watermarked documents and found these files were viewed 200 times in just the first few days of leaking.

At that time, not many attackers used any methods to anonymize their traffic to the documents in question. In stark contrast, this second incarnation had 68% of all logins coming from Tor-anonymized IP addresses.
Dial P for pwnage

A new Trojan banker for Android is capable of wiping compromised smartphones as well as stealing online banking credentials, security researchers warn. The Mazar BOT Android malware is spread using booby-trapped multimedia messages. If installed, the malware gains admin rights that give it the ability to do almost anything with a victim's phone. The malware can read SMS messages, which means it can also circumvent two-factor authentication (2FA) systems. The malware also gains the ability to send SMS messages to premium-rate numbers, run man-in-the-middle attacks or even erase compromised phones. It also uses Tor for communication.

Antivirus detection is currently very low, Danish security outfit Heimdal Security warns. “Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code be abused in active attacks,” Heimdal Security adds in a blog post on the threat. The malware cannot be installed on smartphones running Android with the Russian language option.

More on the Mazar BOT Android malware can be found in a blog post by CSIS, Heimdal Security’s parent firm. CSIS shows how the malware can abuse Chrome injects, among other tricks in its armoury. ®
NEWS ANALYSIS: While the theft of employee information is a problem for the staff at government agencies, the fact is that it's also a threat to national security once it's part of a big data research effort. A few days ago I reported...
Netcraft security man Paul Mutton says net narks have spun up a fake version of AlphaBay Market, a popular darknet venue, in a bid to steal login credentials. AlphaBay is the brainchild of Russian carders that emerged in 2014 following the fall of drug haven Silk Road.

The HTTP site is cleverly assembled to mimic the login page for Tor and includes a CAPTCHA. Once complete, the phishing site flexes its unique feature and redirects users to the legitimate AlphaBay Market. Mutton says the phishers could have easily generated a partial match to the AlphaBay Market public key but not a complete replica.

"Ironically, some of the services that can be bought and sold on the AlphaBay Market include spam sending services, bank drops, account details, and other services useful to fraudsters engaged in phishing," Mutton says. "This attack could therefore be viewed as yet another example of fraudsters defrauding fraudsters.

"In a further show of there being no honour amongst thieves, the HTML source of the phishing site appears to have been copied from a previous lookalike site using the onion-market.co domain name."

The fake site is dangerous for new users who enter their credentials into the phishing portal and later go on to become regular users of the site. Attackers could bide their time until users have loaded accounts with Bitcoins. It is unlikely to trick the most financially valuable AlphaBay veteran members, who would only access the authentic hidden service site, likely using the community-recommended mix of operational security-focused technologies such as Tor and Tails. ®