School Is Now in Session – The Spread of Hacking Tutorials in the Deep and Dark Web

One of the most common posts seen on hacker forums is “Hello, I’m new and I want to be a hacker.” Any aspiring hacker must learn coding, networking, system security, and the like, and increasingly, hacking forums are responding to this demand and providing tutorials for those who wish to learn the basics quickly.

Hacking forums have two main kinds of tutorial sections, one open to any forum member and the other exclusively for VIP members. In this post we will review two case studies from closed forums, one from the onion network and the other from the Deep Web.

Case Studies

The first tutorial, taken from a closed forum in the onion network, is actually four tutorials wrapped together to teach POS (point-of-sale) hacking. It includes a list of essential malware and software for POS hacking. While it starts with a basic overview of POS and of RAM (random-access memory) scraping, it very quickly dives into explanations that require an advanced understanding of hacking.

POS tutorial in the onion network

POS tutorial in the onion network

The second tutorial is a basic PayPal hacking tutorial, taken from a closed forum on the Deep Web and oriented toward noobs (beginners). It is actually more about scamming than hacking. It notes that one way to get user details is to hack vulnerable shopping sites using SQL injections and explains how to check whether the stolen user details are associated with a PayPal account. It also mentions that user details can simply be acquired from posts on the forum.

PayPal tutorial on closed forum

PayPal tutorial on closed forum

What is really interesting is that this practical forum has many tutorial sections and sub-sections (we counted six), which raises an interesting question: Why do hackers share?

Motives

There is no one answer to this question, but we can divide hackers’ motivations into four categories:

  • Self-promotion – One of the differences between regular hackers and good hackers is reputation. The most obvious way for hackers to improve their reputation is of course to perform a good hack, but they can also enhance their reputation by being part of a well-known hacking team or displaying vast knowledge, such as by publishing tutorials. It appears that Red, a junior member of the onion network forum who is not known and has a small number of posts, is increasing his value in the eyes of other forum members and site administrators by publishing tutorials, including the POS tutorial. This improved reputation can give him new privileges, such as access to the forum’s VIP sections. In most cases, tutorials shared for this reason range from beginner to intermediate level and can be understand by almost any beginner.
  • Site promotion – Commerce in hacking forums hiding deep in the Internet works like any other free market: if you have the right goods, people will come and your business will boom, but if your shop does not look successful, customers will stay away. Hacking forums, like other businesses, compete for the attention of their target audience. The PayPal tutorial was published by BigBoss, a site administrator, who was probably seeking publicity for the site. To ensure that there is a large number of tutorials on the site, the administrators publish their own from time to time. These can be very simple (as in this case) or very specialized and technical (such as those offered in closed forum sections).
  • Financial gain – As we noted, these forums are businesses, and like any business, they need to sell products in order to make a profit. They can do this by creating VIP sections with unique content (such as special tutorials) open to paying members only, as opposed to VIP sections based on reputation or Individual members also use the forums for financial gain and sell more concrete items—malware, credit cards, and the like—or more abstract items, like knowledge in the form of tutorials or lessons. In most cases the tutorials are very advanced, with extensive details, so that their creators can charge for them.
A forum member selling his knowledge

A forum member selling his knowledge

  • Knowledge sharing — Sometimes, people share their knowledge without any ulterior motive. This is usually done in a closed section of a forum and only with prime members or a group of friends. In this case, the knowledge shared varies according to the group and can be state-of-the-art or very simple.

Conclusions

In a society based heavily on information, we cannot escape the frequently rehashed concept that “knowledge is power.” As the technology world continues to evolve and the hacker community along with it, the need for “how to” knowledge is growing. Tutorials provide beginners with an effective gateway into the world of hacking and expose advanced users to new methods of operation. For us, the observers, they provide a small glimpse into developing trends, attack methods, methods of assessing hacker knowledge, and much more.

How Hackers Use Social Media Networks to Put Your Organization at Risk

SenseCy’s teams monitor underground and password-protected forums and communities in many languages – Russian, Arabic, Persian, Chinese, Portuguese, English, and more. By gaining access to the Deep Web and Darknet, we identify suspicious activity and new hacker tools and enable our clients to mitigate or eliminate cyber threats.

Hacker communities on social networks continue to evolve. More and more communities are creating Twitter accounts as well as pages and groups in popular social networks such as Facebook and VKontakte (a Russian social network) to share information, tools, and experience.

In the past, hackers came together on social networks to hold operational discussions, share targets, and join forces for DDoS attacks, but less to upload or download hacking tools. Since this is changing, we are now monitoring hacking tools offered for download on Twitter, Facebook, and VKontakte.

Source code published on Twitter

Source code published on Twitter

These hacker communities can be classified into three main categories:

  1. Open public groups and accounts that make common, well-known tools available.

    Open Facebook group of well-known Arab hackers

    Open Facebook group of well-known Arab hackers

  2. Closed, secret groups sharing rare or sector-related tools or programs in a specific language.

    Secret Facebook group from Southeast Asia

    Secret Facebook group from Southeast Asia

  3. Groups sharing or even selling self-developed tools.
    Facebook post in closed Asian hacker group

    Facebook post in closed Asian hacker group

    A prominent example is the self-developed DDoS tool created by hacker group AnonGhost for the #OpIsrael cyber campaign, which is expected to take place on April 7, 2015. This tool uses three flooding methods, TCP, UDP, and HTTP and can operate through a proxy if needed. AnonGhost posted its new tool on its official Facebook page with a link to a tutorial on YouTube, and soon it was widely distributed among hacktivists through social media.

    From AnonGhost's official Facebook Page

    From AnonGhost’s official Facebook Page

    We regularly monitor trends and developments in social networks, since they are becoming the preferred platform for groups of hackers to share and improve attack tools. SenseCy also takes part in these communities, which gives us the edge in preventing attacks in real time. We continue to track new trends and developments to detect cyber threats for our clients.

‘BandarChor’ and ‘Ebola Virus’ Ransomware – Are They the Same?

F-Secure recently reported on BandarChor, a new player in the field of ransomware. The SenseCy team that analyzed the so-called new malware was intrigued by some of its characteristics. Further analysis revealed that BandarChor is another variant of Ebola Virus, ransomware we reported on in October 2014.

Brief Review of BandarChor (according to F-Secure)

First documented infections – November 2014
Spreading platform/method – Malicious emails or distribution by exploit kits
Capabilities – Upon execution, the ransomware encrypts multiple files on the infected machine. Afterwards the files are renamed to [original_file_name].id-[ID]_fud@india.com.

The Link Connecting BandarChor with Ebola Virus

BandarChor’s “file name modification” attribute caught our attention, as SenseCy had already encountered ransomware with a very similar modus operandi. In a blog post in October 2014, we reported on Ebola Virus, a new ransomware whose victims were mainly in Russia. Based on our research, we believe that Ebola and BandarChor are variants of the same ransomware, although with slight differences. This is because both use the same file name modification after encryption. BandarChor renames files to [filename].id-[ID]_fud@india.com, while one of the previously discovered Ebola variants changes file names to id-*_decrypt@india.com, indicating that the attackers were using the same domain.

BandarChor / Ebola Ransomware Evolution as Observed by SenseCy

SenseCy first encountered Ebola malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that had infected his computer. The sample that we examined was received by the victim in an email that contained a malicious link. Clicking the link initiated downloading of an RAR archive, and unzipping the archive encrypted all files stored on the PC that had the extensions .pdf, .doc, .docx, .xls, .xlsx, .jpg, or .dwg. After that, the filenames were changed to *id-*help@antivirusebola.com. According to an infected user, to recover the files on the PC, he had to send an email to help[at]antivirusebola.com, and he was subsequently instructed to pay one bitcoin to a certain address.

We conducted a further investigation on the Russian-speaking web that revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent through an email, allegedly from the tax authorities or traffic police.

The ransomware was reported on several security firm forums (such as Kaspersky, Symantec, and Dr.Web), and later in November, was included in TrendMicro’s threat encyclopedia under TROJ_CRYPAURA.A (with a decryption solution).

According to Russian security firm Dr.Web, the the Ebola virus first appeared on August 20, though a slightly different version has been distributed since August 7 that changes the file names to id-*_decrypt@india.com or id-*_com@darkweider.com. All three versions are probably variants of the same malware, identified by Dr.Web as Trojan.Encoder.741, and were coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi language, packed with an Armadillo packer, and encrypted with the AES-128 algorithm.

Additional Variants of this Ransomware

After performing additional research, we discovered more formats of this ransomware. In most cases, it is disguised in an email allegedly from the tax authorities, courts, or the like. Here is a list of email addresses identified as being connected to this ransomware (according to a Russian cyber security blog):

  • Com[at]darkweider.com
  • protectdata[at]inbox.com
  • xsmail[at]india.com
  • decrypt[at]india.com
  • decode[at]india.com
  • help[at]antivirusebola.com
  • foxmail[at]inbox.com
  • marineelizz[at]inbox.com
  • protectdata[at]inbox.com
  • sos[at]xsmail.com

In conclusion, this case study demonstrates the importance of near-real-time cyber intelligence. By identifying future threats and notifying our customers in advance, we can help them to protect themselves before the threat can be detected by traditional security systems.

 

Australian Banks Targeted by Russian Malware for Android Devices

Introduction

Several months ago, while monitoring Russian underground forums, we came across a new malware designed to attack Android smartphones via a social engineering vector, luring victims into providing their banking data, as well as credit card details to the attackers.

The malware is dubbed GM BOT, and it has been offered for rent since October 2014 on a Russian underground forum dealing with malware development and sales. The price was $4,000 for one month, and this later dropped to $2,000. In January 2015, the renter of the GM BOT posted about deploying the malware on Australian botnet, including screenshots of banking details from Australian banks.

Later, in February 2015, the renter posted examples of Man-in-the-Middle (MitM) attacks that can be carried out by his malware, two of them presenting fake login pages to Australian banks.

GM BOT Capabilities

The first version of the malware was released on October 29, 2014 and according to the thread, it is designed to collect banking and credit card details. The data collection from the infected devices is performed via a social engineering vector, when fake pages are presented to victims. The tool works in different ways:

  • Collection of VBV data by using a fake Google Play application (Luhn algorithm is used for validation).
  • Scanning the mobile phone for installed banking services, and presenting dialog boxes for filling in confidential data.
  • Checking for email and social media accounts linked to the phone (Gmail, Facebook, Twitter, etc.) and presenting dialog boxes for filling in confidential data.

In addition, the malware is capable of incoming SMS message interception and blocking (to avoid alerts from the bank from reaching the victim), as well as incoming call redirection, GPS data monitoring and more. The malware received highly positive feedback from other forum members, as suitable for cybercrime activity.

Initially, the thread’s author specified that the bot would be rented to five clients – Russian speakers only. On November 3, 2014, the renter announced that all the five clients had been found, and that the ad was no longer relevant. However, one month later, on December 2, he posted about updates of GM BOT capabilities, saying that he is looking for more clients. The new version of the bot enables its operator to create JS or HTML dialog boxes that are presented to the victim, thus expanding the number of accounts whose credentials can be achieved.

The Australian Link

On January 13, 2015, the author posted again. This time the post included screenshots showing the results of GM BOT activity. According to the post, 165 users in Australia were infected on January 10. 68 of these were communicating back with the C&C infrastructure at the moment of the post. Screenshots of the collected data were attached.

Credit card data and banking credentials of Australian bank clients, collected by GM BOT

Credit card data and banking credentials of Australian bank clients, collected by GM BOT

On February 12, 2015, another post regarding GM BOT was uploaded by the author, focusing on its MitM attacks capabilities. According to this post, the bot can inject JS or HTML code into running application, thus showing the user fake pages for drawing out data.

It should be mentioned that the malware distribution method is not included in the rented product. This means that the attacker who purchases the malware delivers it to the victims by a method of his choosing, spam emails for instance.

Anthem Hack: Is the Healthcare Industry the Next Big Target?

Anthem Inc., the second largest health insurer in the US, has suffered a security breach to its databases. According to media reports, the breached database contains information from approximately 80 million individuals. Although medical records appear not to be in danger, names, birthdays, social security numbers, email addresses, employment information and more have been compromised.

Anthem described the hacking as a “very sophisticated attack,” and the company  reported it to the FBI and even hired a cyber security firm to help with the investigations. However, the extent of the stolen data is still being determined. In addition, there is no concrete information regarding the perpetrators and the modus operandi (MO) of this cyber-attack.

In February 2014 we wrote that cyber criminals are shifting their focus from the financial industry to the healthcare industry, which has become an easier target. Healthcare records contain a wealth of valuable information for criminals, such as social security numbers and personal information. This information can sometimes prove more valuable than credit card numbers, which the financial industry is working hard to protect.

In 2013, at least twice as many individuals were affected by healthcare data breaches than in the previous year, owing to a handful of mega-breaches in the industry. According to a cyber security forecast, published at the end of 2013, the healthcare industry was likely to make the most breach headlines in 2014. However, it appears that 2014 was the year in which American retailers suffered massive data breaches (Home Deopt, Staples, Kmart, and of course Target at the end of 2013).

We should consider the Anthem hack as a warning sign for all of us – the healthcare industry might be the prime target for cyber criminals in 2015. We already know that PPI (Personally Identifiable Information) and PHI (Protected Health Information) sales on black markets continue to rise. Such underground marketplaces are being used as a one-stop shop for identity theft and fraud. Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Here at SenseCy, we monitor on a daily basis the usage of breached medical information on Underground forums and the Darknet platforms.

We believe that this industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

Al-Qaeda’s Electronic Jihad

Al-Qaeda (AQ) announced on its official video that they have established a new branch, Qaedat al-Jihad al-Electroniyya that will be responsible for performing electronic jihad under the command of AQ member Yahya al-Nemr. According to our research, his deputy is another AQ member, Mahmud al-Adnani.

From al-Qaeda official video

From al-Qaeda official video

The Qaedat al-Jihad al-Electroniyya YouTube channel publishes basic hacking lessons. Some of them deal with the famous njRAT tool. They also have an official Twitter account called al-Qaeda al-Electroniyya (@alqaeda_11_9).

Official Twitter account

Official Twitter account

This new AQ branch has already launched cyber-attacks against Western websites, such as the American Coyalta website that they defaced.

SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.