Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Dark Web. Show all posts
Ransomwares
Cyber Attacks Cyber Researchers Dark Web data security Interlock Interlock ransomware Malware Attack Ransomware attack Ransomwares

Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks

 

Cybersecurity researchers have revealed that the Interlock ransomware gang has adopted a deceptive social engineering technique called ClickFix to infiltrate corporate networks. This method involves tricking users into executing malicious PowerShell commands under the guise of resolving system errors or completing identity verification steps, leading to the deployment of file-encrypting malware. 

While ClickFix attacks have previously been associated with ransomware campaigns, this marks the first confirmed use by Interlock, a ransomware operation that surfaced in late September 2024. The group targets both Windows systems and FreeBSD servers and maintains a dark web leak portal to pressure victims into paying ransoms that can reach millions of dollars. Interlock does not seem to operate as a ransomware-as-a-service (RaaS) model. 

According to Sekoia researchers, Interlock began using ClickFix tactics in January 2025. Attackers set up fake websites mimicking legitimate IT tools—such as Microsoft Teams and Advanced IP Scanner—to lure victims. These fake sites prompt users to click a “Fix it” button, which silently copies a malicious PowerShell script to the user’s clipboard. If run, the command downloads a 36MB PyInstaller payload that installs malware under the guise of a legitimate tool. 

Researchers found the malicious campaign hosted on spoofed domains like microsoft-msteams[.]com, microstteams[.]com, ecologilives[.]com, and advanceipscaner[.]com. Only the last domain led to the actual malware dropper disguised as Advanced IP Scanner. When users unknowingly run the script, a hidden PowerShell window executes actions such as system reconnaissance, persistence via Windows Registry, and data exfiltration. The attackers deploy a range of malware via command-and-control (C2) servers, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT—a basic remote access trojan capable of dynamic configuration, file exfiltration, shell command execution, and DLL injection. 

Post-compromise, Interlock operators use stolen credentials to move laterally through networks via RDP, leveraging remote access tools like PuTTY, AnyDesk, and LogMeIn. Data is exfiltrated to Azure Blob Storage, after which the Windows variant of Interlock ransomware is scheduled to run daily at 8:00 PM—a redundancy tactic to ensure encryption if the initial payload fails. The gang’s ransom notes have also evolved, now placing emphasis on the legal and regulatory consequences of leaked data. 

ClickFix attacks are gaining popularity among various cybercriminal groups, with recent reports also linking them to North Korean state-sponsored actors like the Lazarus Group, who use similar tactics to target job seekers in the cryptocurrency sector.
Read more »
Money Laundering
cryptocurrency Cyber Security CyberCrime Dark Web Elon Musk FBI international cybercrime operation Money Laundering

FBI Operated ElonmuskWHM: Undercover Money Laundering Site That Handled $90M in Crypto

 

In a bold and controversial move, the FBI operated a money laundering platform on the dark web under the alias “ElonmuskWHM,” aiming to infiltrate the criminal ecosystem it served. According to an investigation by 404 Media, the FBI’s undercover cybercrime operation lasted nearly 11 months and facilitated close to $90 million in cryptocurrency transactions. 

The ElonmuskWHM site allowed cybercriminals—including drug traffickers and hackers—to convert illicit cryptocurrency into cash, often mailed discreetly to customers across the country. In exchange, the operator took a 20% fee. The service, regularly advertised on forums like White House Market (WHM), offered anonymity and required no form of identity verification—making it a go-to laundering tool for bad actors avoiding mainstream exchanges like Coinbase or Binance. 

A 404 Media review of court documents and online evidence confirmed the FBI’s direct role in running the site following the arrest of its original operator, Anurag Pramod Murarka, a 30-year-old Indian national. Murarka was eventually sentenced to over 10 years in prison. During its covert management, the FBI used the ElonmuskWHM site to investigate major crimes including drug trafficking, hacking schemes, and even a violent robbery in San Francisco. 

This FBI crypto sting is part of a broader pattern of law enforcement embedding within the digital underworld. Similar tactics were used in previous operations like Trojan Shield, where the agency ran a fake encrypted phone company named ANOM, secretly monitoring global criminal communications. Another example includes the infiltration of the ransomware group “Hive,” enabling the FBI to intercept communications and disrupt attacks. While effective, the ElonmuskWHM sting also sparked privacy concerns. Court documents reveal that the FBI requested data from Google identifying every user who watched a specific YouTube video, raising red flags about surveillance overreach and potential constitutional violations. 

Still, authorities defend such undercover cybercrime strategies as essential to understanding and dismantling complex digital criminal networks. Gabrielle Dudgeon, spokesperson for the U.S. Attorney’s Office, noted that the operation directly supported multiple federal prosecutions and investigations. As cybercrime becomes increasingly sophisticated, law enforcement agencies are evolving too—blurring ethical lines in the process. The ElonmuskWHM operation underscores the high-stakes chess match between digital criminals and those tasked with stopping them.
Read more »
Personal Data
Dark Web Dark website Data Breach Data Brokers Data Leak data security DOGE Elon Musk ParkMobile Personal Data

Dark Web Site DogeQuest Targets Tesla Owners Using Data from ParkMobile Breach

 

A disturbing dark web website known as DogeQuest has surfaced, targeting Tesla owners and associates of Elon Musk by publishing their personal information. The data used on the site appears to have been sourced largely from a 2021 breach of the ParkMobile app, which affected over 21 million users. 

According to privacy research group ObscureIQ, 98.2% of the individuals listed on DogeQuest can be matched to victims of the ParkMobile hack. The site initially operated on the surface web but now functions under a .onion domain, which anonymizes its hosting and complicates takedown efforts by authorities. The purpose of DogeQuest is masked as an “artistic protest” platform, encouraging acts of vandalism against Tesla vehicles. 

Although the site claims neutrality by stating it does not endorse or condemn actions taken, it openly hosts names, home addresses, contact details, and even employment information of more than 1,700 individuals. These include not only Tesla drivers but also DOGE employees, their families, and high-profile individuals from the military, cybersecurity, and diplomatic sectors. The website’s presence has allegedly been linked to real-world vandalism, prompting federal investigations into its operations. 

ObscureIQ’s analysis reveals that the core data used by DogeQuest includes email addresses, phone numbers, and license plate details—information originally accessed through ParkMobile’s compromised Amazon Web Services cloud storage. While ParkMobile claimed at the time that no financial data was exposed, the combination of breached user data and information purchased from data brokers has been enough to target individuals effectively. 

A class-action lawsuit against ParkMobile later resulted in a $32 million settlement for failing to secure user data. Despite the gravity of the situation, no other public reporting had directly connected DogeQuest to the ParkMobile breach until ObscureIQ’s findings were shared. The doxxing platform has evolved into a larger campaign, now also publishing details of prominent federal employees and private sector figures. A spreadsheet reviewed by the Daily Caller News Foundation highlights how widespread and strategic the targeting has become, with individuals from sensitive fields like defense contracting and public health policy among the victims. 

Law enforcement agencies, including the FBI and DOJ, are now actively investigating both the digital and physical components of this campaign. Just last week, the Department of Justice charged three individuals suspected of attacking Tesla vehicles and infrastructure across multiple states. However, officials have not yet confirmed a direct link between these suspects and DogeQuest. The FBI has also noted a troubling increase in swatting incidents aimed at DOGE staff and affiliates, indicating that the site’s influence may extend beyond digital harassment into coordinated real-world disruptions. 

With DogeQuest continuing to evade takedown attempts due to its anonymized hosting, federal authorities face an uphill battle in curbing the campaign. ParkMobile has so far declined to comment on the matter. As the scope and sophistication of this doxxing effort grow, it underscores the lingering impact of data breaches and the increasing challenges in protecting personal information in the digital age.
Read more »
malware
BlackLock Cyber Encryption Cybersecurity CyberThreat Dark Web Data Leak Site El Dorado malware

Threat Actors Compromised by Security Firms Working to Protect Victims

 


An outstanding example of counter-cybercrime has been the successful penetration of the digital infrastructure associated with the ransomware group BlackLock. Threat intelligence professionals succeeded in successfully infiltrating this infrastructure. As a result of this operation, researchers were able to gain valuable insight into the operations of threat actors, according to cybersecurity company Resecurity. This breakthrough was made possible due to a vulnerability in the data leak site (DLS) of BlackLock, which enabled the breakthrough to be accomplished. 

Using this weakness, it is possible to retrieve configuration details, authentication credentials, as well as a comprehensive log of the commands that have been executed on the compromised server. The problem was triggered by an inadvertent error in the DLS that exposed the clearnet IP addresses associated with the group's back-end systems as a result of a misconfiguration. 

A rare insight into the internal network architecture of the ransomware group was provided after these systems were unintentionally revealed in conjunction with additional service-related metadata, which were typically concealed behind TOR services. Upon discovering the security flaws, Security successfully decrypted multiple BlackLock ransomware user accounts as a result of its decryption. As a result of this breakthrough, the firm was able to gain a deep insight into the gang's infrastructure, enabling it to monitor and, sometimes, even control its operations. 

The visibility obtained included a detailed record of the command-line actions used to maintain the data leak site. The group’s internal systems were further exposed by one of the threat actors who reused the same password across several related accounts, which was a critical lapse. As a result of the compromise, the group also managed to get access to email accounts that linked to MEGA cloud storage accounts, which they used to store and distribute stolen data acquired from their cyberattacks. Insights like these have made a significant contribution to ongoing intelligence gathering and mitigation efforts. 

Recently, a ransomware collective operating under the name BlackLock, which is also known by its alias El Dorado, was gaining traction as an important player within the global cybercrime ecosystem as a whole. This gang was poised to become one of the most active and disruptive threat groups on the cyber scene when a critical intervention from cybersecurity firm Security abruptly stopped its rise. It was discovered by Resecurity's threat intelligence team in late 2024 that a security flaw was discovered in BlackLock's data leak platform, which was hosted on the dark web. 

With this vulnerability, researchers gained unauthorized access to the group's backend systems, effectively invading their infrastructure. To gather extensive intelligence on the group's covert operations, Security used the exploitation of this flaw. The information collected by Resecurity exceeded the public visibility of what was publicly visible. It was possible to collect high-value assets such as authentication credentials as well as technical configurations through this access, which allowed the group to reveal its internal dynamics in a rare and detailed manner. 

Upon identifying the breach, Security disclosed that their efforts had substantially disrupted BlackLock's ability to operate, thereby neutralizing a major threat actor before it could extend its reach in the future. It is clear from the firm's actions that proactive cyber defense measures are becoming more and more important. It highlights the role ethical hacking and threat hunting can have in removing sophisticated cybercriminal networks from the system. 

During a strategic cybersecurity operation in which a security firm successfully infiltrated a ransomware syndicate's infrastructure by exploiting a vulnerability in its dark web platform, a security firm was able to successfully infiltrate it. By utilizing covert access, Security, a U.S.-based cybersecurity company, was able to monitor the threat actor's internal activities, identify potential targets, and notify affected organizations as well as law enforcement agencies as soon as possible. 

BlackLock ransomware, also known as El Dorado, is an extremely dangerous ransomware group that has been involved in numerous high-impact cyberattacks affecting at least 40 organizations from diverse sectors and regions. The operation targeted the BlackLock ransomware group. In addition to unauthorized data encryption and exfiltration, the group engaged in extortion attempts that required significant ransom payments, resulting in extortion attempts. 

Further, information gathered during the breach indicated that BlackLock was planning to recruit affiliate partners as part of the plan to expand its operations. As a result of working under a ransomware-as-a-service (RaaS) model, these collaborators would be tasked with deploying malicious payloads to further spread the infection scope and increase the value of the profits they generated. 

With the intervention of Resecurity, not only did a threat campaign be disrupted, but it also demonstrated that proactive threat-hunting, intelligence-led defense strategies are effective for combating organized cybercrime in a way that is unavoidable. It was discovered by cybersecurity experts at Security late in 2024 that the Data Leak Site (DLS) run by the BlackLock ransomware group was vulnerable to critical vulnerabilities. 

A detailed analysis of the group’s digital infrastructure was conducted as a result of this vulnerability. The analysis revealed detailed activity logs, associated hosting services, and MEGA cloud storage accounts used to archive exfiltrated data from victims, in addition to the detailed activity logs. Security said that after the successful breach of the DLS, a vast repository of information about threat actors’ operational methodologies was made available to the public. Aside from providing insight into the group's methodology, this also provided indicators for future threats. 

Furthermore, the intelligence gathered helped the firm anticipate and thwart several planned cyber intrusions while discreetly alerting affected organizations beforehand before public exposure. As an example of Resecurity's proactive collaboration with the Canadian Center for Cyber Security earlier this year, Resecurity was able to prevent several cyber threats from occurring. It was successfully used by the company to share timely intelligence regarding an impending release of data targeting an organization in Canada – 13 days before the ransomware group revealed the information publicly. 

By intervening at an early stage and in collaboration with multiple agencies, it is essential for organizations to be aware of emerging threats and to be able to combat them effectively to protect themselves from reputational and financial harm. Research from Resecurity identified a significant Local File Include (LFI) vulnerability in BlackLock's infrastructure that caused the data leak site to malfunction. This is a significant breakthrough. 

As a result of this flaw, unauthorized users could gain access to protected server files, revealing configuration parameters as well as authentication credentials that would otherwise remain concealed from the user. This vulnerability was exploited to obtain sensitive data including plaintext server logs, SSH credentials, and command-line activity history. A recording of a proof-of-concept video demonstrates parts of retrieved information.

It is reported that these logs contained unencrypted credentials as well as detailed sequences of data exfiltration and publication that marked what was considered one of the most severe operational security failures on the part of Blacklockgroup by Security. During a recent investigation, it was found that the cybercriminals were using at least eight MEGA cloud accounts registered with disposable YOPmail addresses to store stolen data. 

To communicate with victims, the group relied on Cyberfear.com's anonymous email service. Several IP addresses linked to this operation originated from the Russian and Chinese territories, which corresponds to linguistic and regional indicators gathered from cybercrime forums. During ongoing surveillance, S Security determined that the group had instructed affiliates not to target entities within BRICS nations as well as the Commonwealth of Independent States (CIS), indicating a degree of geopolitical alignment. S Security identified overlapping activities between BlackLock and other known ransomware programs, including El Dorado and Mamona, during ongoing surveillance. 

There was an ongoing monitoring of large-scale data transfers by Resecurity, and it alerted the international cybersecurity authorities in Canada, France, and other jurisdictions of impending data leaks during the operation. On February 26, 2025, a BlackLock representative who handled affiliate relations in the company directly got in contact with the firm, which in turn allowed for the acquisition of ransomware samples tailored for multiple operating systems, which contributed to the global threat intelligence effort.
Read more »
Hackers
CVE CVEs Cybersecurity Dark Web Data Breach Data Leak data security FortiGate devices Hackers

Hackers Leak 15,000 FortiGate Device Configs, IPs, and VPN Credentials

 

A newly identified hacking group, the Belsen Group, has leaked critical data from over 15,000 FortiGate devices on the dark web, making sensitive technical details freely available to cybercriminals. The leak includes configuration files, IP addresses, and VPN credentials, significantly increasing security risks for affected organizations. 

Emerging on cybercrime forums and social media just this month, the Belsen Group has been actively promoting itself. As part of its efforts, the group launched a Tor website where it released the stolen FortiGate data, seemingly as a way to establish its presence in the hacking community. In a post on an underground forum, the group claimed responsibility for breaching both government and private-sector systems, highlighting this operation as its first major attack. 

The exposed data is structured within a 1.6 GB archive, organized by country. Each country’s folder contains multiple subfolders corresponding to specific FortiGate device IP addresses. Inside, configuration files such as configuration.conf store FortiGate system settings, while vpn-passwords.txt holds various credentials, some of which remain in plaintext. 

Cybersecurity researcher Kevin Beaumont examined the leak and confirmed that these files include firewall rules, private keys, and other highly sensitive details that could be exploited by attackers. Further analysis suggests that the breach is linked to a known vulnerability from 2022—CVE-2022-40684—which was actively exploited before Fortinet released a security patch. 

According to Beaumont, evidence from a forensic investigation into a compromised device revealed that this zero-day vulnerability provided attackers with initial access. The stolen data appears to have been gathered in October 2022, around the same time this exploit was widely used. Fortinet had previously warned that CVE-2022-40684 was being leveraged by attackers to extract system configurations and create unauthorized super-admin accounts under the name fortigate-tech-support. 

Reports from the German news site Heise further confirm that the leaked data originates from devices running FortiOS firmware versions 7.0.0-7.0.6 or 7.2.0-7.2.2. The fact that FortiOS 7.2.2 was specifically released to address this vulnerability raises questions about whether some systems remained compromised even after the fix was made available. 

Although the leaked files were collected over two years ago, they still pose a significant threat. Configuration details, firewall rules, and login credentials could still be exploited if they were not updated after the original breach. Given the scale of the leak, cybersecurity experts strongly recommend that administrators review their FortiGate device settings, update passwords, and ensure that no outdated configurations remain in use.
Read more »
Yahoo
Astaroth Phishing Authentication Cyber Attacks CyberCrime Cybersecurity CyberThreat Dark Web Gmail PHaas Telegram URL Yahoo

2FA Under Attack as Astaroth Phishing Kit Spreads

 


Astaroth is the latest phishing tool discovered by cybercriminals. It has advanced capabilities that allow it to circumvent security measures such as two-factor authentication (2FA) when used against it. In January 2025, Astaroth made its public debut across multiple platforms, including Gmail, Yahoo, and Office 365, with sophisticated technologies such as session hijacking and real-time credentials interceptions, which compromise user accounts across multiple platforms. 

SlashNext researchers claim Astaroth makes use of a reverse proxy called an evilginx-style proxy to place itself between legitimate login pages and users. As a result, the tool is capable of intercepting and capturing sensitive credentials, such as usernames, passwords, 2FA tokens, and session cookies, without triggering security alerts, thereby making the tool effective. 

It has been demonstrated that attackers who have obtained these session cookies will be able to hijack authenticated sessions, bypass additional security protocols, and gain unauthorized access to user accounts once they have acquired these cookies. Astaroth demonstrates the evolution of cyber threats and the sophistication of phishing techniques that compromise online security. This development highlights how cybercriminals have been evolving their methods of phishing over the years.

Clearly, Astaroth highlights how cybercriminals' tactics have evolved over the last decade, as phishing has evolved into a lucrative business. The sophistication of sophisticated attacks has now reached a point where it is now marketed like commercial software products, with regular updates, customer support, and testing guarantees attached to them. 

The attacker can intercept real-time credentials and use reverse proxy techniques in order to hijack authenticated sessions in order to bypass even the most robust phishing defences, such as Multi Factor Authentication (MFA), which are designed to protect against phishing attacks. Due to the widespread availability of phishing kits such as Astaroth, which significantly reduces the barrier to entry, less experienced cybercriminals are now capable of conducting highly effective attacks given that the barriers to entry have been significantly lowered. 

The key to mitigating these threats is to adopt a comprehensive, multilayered security strategy that is both comprehensive and multifaceted. It must have a password manager, endpoint security controls, real-time threat monitoring, and ongoing employee training to ensure that employees are aware of cybersecurity threats in real time. 

As an additional consideration, implementing Privillege Access Management (PAM) is equally vital, since it prevents unauthorized access to critical systems, even if login credentials are compromised, through the use of PAM. Business owners remain vulnerable to increasingly sophisticated phishing techniques that can circumvent the traditional defenses of their organisations without appropriate proactive security measures. 

The Astaroth phishing kit has been developed to enable a more effective method of bypassing multi-factor authentication (MFA). By using an evilginx reverse proxy, it intercepts authentication processes in real time as they are happening. By using Astaroth, attackers will be able to steal authenticated sessions and hack them seamlessly with no technical knowledge. Astaroth is different from traditional phishing tools, which capture only static credentials; instead, it dynamically retrieves authorization tokens, 2FA tokens, and session cookies. This tool is a man-in-the-middle attack that renders conventional anti-phishing defenses and multi-factor authentication protections ineffective by acting as an intermediary. 

Discovered by SlashNext Threat Researchers on cybercrime marketplaces, Astaroth is marketed as a tool that can be used easily. It is a 2-in-1 solution that sells for $2000 and includes six months of continuous updates, which includes the newest bypass techniques, as well as pre-purchase testing to demonstrate its effectiveness in real-world attacks if the buyer wants to establish credibility within cybercriminal networks. There is no doubt that the sophistication of phishing kits such as Astaroth, as well as the implementation of behaviour-based authentication, endpoint security controls, and continuous threat monitoring, are critical to organizations in order to defend themselves from these ever-evolving cyber threats that are continually evolving. 

As a means of expanding the company's customer base, Astaroth's developers have publicly revealed the methodologies they use to bypass security measures, such as reCAPTCHA or BotGuard, as a way of demonstrating the kit's effectiveness at circumventing automatic security measures. Cybercriminals in cybercrime forums and underground marketplaces are actively promoting Astaroth among their communities and are primarily distributing it through Telegram, leading to its widespread adoption among cybercriminals world-wide. 

There are several advantages to using these platforms, the most important of which is their accessibility, along with the anonymity they provide. This makes monitoring, tracking, and disrupting the sale and distribution of phishing kits very challenging for law enforcement agencies. There is a particular application known as Telegram which is commonly used by cybercriminals to communicate and to distribute their illicit activities due to its end-to-end encryption, private groups, and minimal oversight. This makes it very difficult for law enforcement to trace illicit activities on Telegram. 

It may not only facilitate the proliferation of Astaroth on the dark web, but also on underground marketplaces - both of which allow threat actors to engage in peer-to-peer transactions without disclosing their identities to each other. The fact that these platforms are decentralized, along with the fact that cryptocurrency payments are used in conjunction with them, adds more layers of protection for cybercriminals, making it even more difficult for authorities to take enforcement action against them. Astaroth continue to be embraced by cybercriminal communities and is lowering the barrier to entry for less-experienced attackers, which in turn is promoting phishing-as-a-service (PhaaS) models which are becoming more prevalent as a consequence. 

Due to the complexities posed by sophisticated phishing kits like Astaroth, security professionals emphasize the need for proactive security measures, which include real-time threat intelligence, endpoint detection, and multi-layered authentication strategies, as well as real-time threat intelligence. Aside from offering custom hosting solutions, Astaroth also offers bulletproof hosting, which will make Astaroth more resilient against legal authorities’ efforts to take down its websites. 

Cybercriminals are able to conduct attacks with minimal disruption in jurisdictions with weak regulatory oversight when using the phishing kit since it operates in jurisdictions that lack regulatory oversight. As a Field CTO of SlashNext, J Stephen Kowski believes that the emergence of Astaroth with regards to authentication is one of the most important implication that could be borne out by the fact that even the most robust authentication systems can be compromised if the attackers obtain the two-factor authentication (2FA) codes and session information during the authentication process in real time. 

Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, has emphasized the sophistication and severity of the Astaroth phishing kit. According to Richards, this phishing kit demonstrates an advanced level of complexity, making it increasingly difficult for users to identify and avoid such attacks. "Traditional security awareness training often instructs users to recognize phishing attempts by looking for red flags such as suspicious URLs, grammatical errors, or lack of SSL certification. 

However, Astaroth’s highly sophisticated approach significantly reduces these indicators, making detection far more challenging," Richards stated. Furthermore, the infrastructure supporting these attacks is often hosted by providers that do not cooperate with law enforcement agencies, complicating efforts to dismantle these operations. In response to this growing threat, the United States and several European nations have imposed sanctions on countries that provide bulletproof hosting services, which are frequently exploited by cybercriminals to evade legal action. 

Richards advises users to exercise extreme caution when receiving emails that appear to originate from legitimate organizations and contain urgent requests for immediate action. Rather than clicking on embedded links, users should manually navigate to the official website to verify the authenticity of any alerts or account-related issues. This proactive approach is essential in mitigating the risks posed by advanced phishing campaigns like Astaroth. 

Organizations must implement advanced security measures beyond traditional login protections in order to protect themselves from these threats. According to Thomas Richards, a Principal Consultant and Network and Red Team Practice Director for Black Duck, a Burlington-based company that provides applications security solutions, Astaroth's phishing kit is sophisticated and quite severe. As Richards points out, this phishing kit shows a remarkable degree of complexity, which makes it increasingly difficult for users to identify and avoid attacks such as these as they run across them. 

It has always been taught to users during traditional security awareness training to look for red flags, such as suspicious URLs, grammatical errors, or a lack of SSL certification, so they can identify phishing attempts. Although these indicators are largely reduced by Astaroth's highly sophisticated approach, Richards noted that the detection of them is much more challenging as a result. The infrastructure that supports these malicious attacks is typically hosted by providers who do not cooperate with law enforcement agencies, which complicates the process of dismantling these attacks.

Several European countries and the United States have increased sanctions in response to its growing threat, increasing the chance that these countries (including the United States) will use defenseless host hosting services, which are regularly exploited by cybercriminals to avoid legal action and avoid repercussions for their crimes. 

The American scientist Richards urges users to exercise extreme caution if they receive an email that appears to be coming from a legitimate organization and contains urgent requests for action that need to be taken immediately. As a precaution, users should not click on embedded links in emails, but instead should visit the official site to verify the authenticity of any alerts they receive or account-related issues. Taking a proactive approach effectively mitigates the threats posed by advanced phishing campaigns such as Astaroth.
Read more »
Saim Raza
Cyber Crime Dark Web Internet Operation Talent Saim Raza

DoJ Cracks Down Pakistan Linked Dark Web Forums Impacting 17 Million

DoJ Cracks Down Pakistan Linked Dark Web Forums Impacting 17 Million

The US Department of Justice (DoJ) joined forces with international law enforcement to shut down a few Dark Web cybercrime forums, two operations that impacted underground markets associated with the attacks on millions of victims worldwide. 

Pakistani dark web forum shut down

Result? “Cracked” and “nulled” websites are down, along with the Pakistani “Saim Raza” network of dark web forums, also called “HeartSender.” The long-term implications of this operation are not known.

DoJ partnered with international agencies to crack down on cybercrime

First, DoJ with the Dutch National Police captured 39 domains operated by a Pakistani group known as Saim Raza (aka HeartSender). DoJ says Saim Raza has been working since 2020, selling fraud tools and phishing kits to the highest bidder throughout a network of dark websites. 

Criminals purchasing the tools are accountable for global business email compromise (BEC) attacks and other dangerous scams- against victims in the US who were robbed of $3 million. 

The DoJ believes Saim Raza made these “tools widely available on the open Internet” and “also trained end users on how to use the tools against victims by linking to instructional YouTube videos.” 

The group explained, “how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise.” Saim Raza also “advertised its tools as 'fully undetectable' by antispam software,” the agency said in its announcement.

More About "Cracked" & "Nulled" Dark Web Markets 

Called “Operation Talent,” the DoJ and Europol worked together to crack down the two dark web marketplaces, linked to cybercrimes against more than 17 million victims.

In a separate action, the DoJ participated in "Operation Talent," a Europol-backed international operation that disrupted the Cracked and Nulled Dark Web marketplaces. Together, the forums have been linked to cybercrimes against at least 17 million US victims.

The cracked marketplace surfaced in 2018, DoJ believes, having 4 million users, making $4 million in revenue, and hosting over 28 million cybercrime ads in its career.

“The Nulled website domain seizure meanwhile came in tandem with the unsealing of charges against one of its administrators, Lucas Sohn, an Argentinian national living in Spain,” says cybersecurity news portal Dark Reading. Nulled has been in the game since 2016, hosted 5 million users, and made $1 million per year, also listing over 43 million ads.

Read more »
Security System
Cyber Attacks Dark Web leaked credentials OSINT Security System

Dark Web Exposure Increases Risk of Cyber Attacks, Study Finds

 



A new research study has determined that any companies that are ever mentioned on the dark web will be much more vulnerable to cyberattacks. In collaboration with Marsh McLennan's Cyber Risk Intelligence Center, Searchlight Cyber has carried out research on more than 9,000 organizations, revealing that dark web exposure has a strong link to breaches in cybersecurity. This has established a critical urgency for businesses to track their presence online and develop better security protocols.


How the Dark Web Poses a Threat to Businesses  

The dark web is a hidden part of the internet where cybercriminals operate anonymously. It is commonly used for illegal activities, including the sale of stolen data such as passwords, financial records, and personal information. Many businesses are unaware that their sensitive data is already circulating on the dark web, making them prime targets for cyberattacks.

Based on the study, companies that experienced any type of exposure on the dark web suffered a 3.7% breach rate over four years. This simply means that after an organization's information hits underground marketplaces, hacking forums, or leaked databases, the chance of a security breach becomes a lot higher.

The researchers found several routes through which a company's information can find its way to the dark web, each step of which heightens the potential for cyberattacks: 

1. Exposed Employee Credentials  

In case employee login credentials (e.g., email and password) are leaked, the chances of hacking into a company increase by 2.56 times. The hackers use these leaked credentials to infiltrate internal systems without authorization.


2. References on Dark Web Marketplaces  

 Being associated with an underground trading platform increases a company's chance of being targeted by 2.41 times. Mainly, the hackers sell the stolen information to other attackers for use.  

3. Company Network Tied to Dark Web

If an organization's IT systems have activity on the dark web, whether intentional or accidental, an attack will happen 2.11 times more frequently.

4. Paste Sites Data Leaks 

Pastes are commonly used by hackers to share data that they have stolen from an organization. If a company's data is posted on such sites, there is an 88% increase in the possibility of breach.

5. Public Exposure through OSINT  

At times, some companies' information might be published due to either a misconfigured environment or breaches in data storage. If there is a firm's exposure within OSINT reports, then that increases the business's risk level by 2.05 times.

This research also demonstrated that companies featured in five or more of these risk categories had a 77% chance of facing a cyberattack than companies without any. 


How Companies Can Protect Themselves

Cyberattacks have been increasing by the day. Businesses, therefore, have to take proactive steps to ensure the security of their sensitive data. Experts say companies should consider taking the following actions: 


  •  Check the Dark Web Daily

Businesses must employ cybersecurity that scans the dark web for data breaches and responds immediately if data belonging to a company is located. 


  •  Strong Password Policies 

 Employees must be compelled to use strong passwords and to also activate MFA to block hackers from unauthorized access. 


  •  Frequently Update Security Systems

Software updates and system patches keep cybercriminals from exploiting vulnerabilities in outdated technology.


  •  Train Employees on Cybersecurity Risks 

  Human error is one of the biggest causes of cyber breaches. Educating staff on how to identify phishing scams and suspicious activities can significantly reduce security threats.


Why Dark Web Awareness is Crucial

According to Ben Jones, CEO of Searchlight Cyber, companies must be aware of their dark web exposure. Hackers, he explained, plan cyberattacks in underground forums and marketplaces and use leaked credentials to gain access to company systems.

By monitoring their exposure, strengthening their security policies, and educating employees, businesses will be able to minimize their risk and stay one step ahead of cybercriminals. Protect sensitive information before an attack happens and save money on security breaches.


Read more »
Subscribe to: Posts (Atom)