Shell Profiles on the Russian Underground

Russian underground cyber-markets are known venues for purchasing high-quality hacking tools and services. Many such tools, popular worldwide, make their first appearances on closed Russian forums. There are two main types of sellers on these platforms: well-known members with seniority and strong reputations, who have already sold tools and received positive buyer feedback, and an emerging “shell profile” type of user. According to our recent analysis, such users typically register to a forum a few days before posting an advertisement for the tool. These new users often enlist the aid of forum administrators and more senior members, by providing them with a copy of the tool for their review, and thus gain the trust of potential buyers.

CTB-Locker

For example, CTB-Locker, a malware program, was first advertised on a Russian underground forum on June 10, 2014 by a user called Tapkin. This ransomware scans the computer for data files, encrypts them with a unique algorithm, and demands a ransom to release them. Tapkin registered on this forum on June 2, 2014, several days before posting the advertisement, and posted a total of five messages to the forum, all on the subject of CTB-Locker. Around this time, a user by the same name posted identical information on other forums.

Tapkin registered on another Russian underground forum on June 13, 2014, and three days later advertised the tool there. This was the first and only thread that Tapkin started on this platform, and all of his posts were about this topic.

Tapkin stopped selling CTB-Locker on June 27, but on November 19, 2014, he posted another advertisement, this time for “serious” clients only. Tapkin last advertised the ransomware on a carding forum on December 8, 2014, after registering to this forum the same day.

Thus, in three cases, Tapkin registered on a forum a few days before posting an advertisement for the tool and did not participate in any other forum discussions. As a newly created profile, Tapkin lacked seniority and therefore had low credibility. However, our impression is that this user demonstrated knowledge of the tool and its capabilities and could answer questions about its technical components fluently. An analysis of Tapkin’s posts indicates that behind the shell profile is not one person, but rather a group of people who developed the tool together.

Forum comments indicating the presence of a team behind the username Tapkin

This username appears to have been created for the sole purpose of selling the ransomware, which was only advertised on Russian-speaking platforms. On May 19, 2015, a well-known forum user posted a message stating that his computer had been infected by CTB-Locker and asking for Tapkin. However, Tapkin had by then already disappeared.

Forum member post searching for Tapkin in correlation with CTB-Locker

Loki Bot

Another example of malware advertised by a new forum member is the Loki Bot password and coin wallet stealer. Loki Bot, written in C++, can steal passwords from browsers, FTP/SSH applications, email accounts, and poker clients. It has an option to configure C&C IP addresses or domains.

Bot-selling advertisement

This bot, which works on Windows XP, Vista, 7, 8, and 8.1, is relatively new and is still under development. It was first advertised on a well-known Russian underground forum in early May 2015 by a new user with no reputation. A week later, a user by the same name registered on two other well-known underground forums and attempted to boost his credibility by sending the forum administrator a test version of the malware. As in the previous example, we assume that a group of people is behind this user as well.

Forum administrator approves a new tool advertised by a “shell profile” user (May 18, 2015)

We can see that new users are registering on Russian underground forums for one purpose only, to sell a particular malware program, and their entire online presence is focused on this. They register on a forum a few days before posting an advertisement for the tool and do not participate in other forum discussions. Newly created profiles lack seniority and therefore have low credibility ratings. Sometimes such users attempt to improve their credibility by sending the forum administrator a test version of the malware. In some cases we can see that behind the shell profile there is a team, and not an individual. They appear suddenly and disappear just as suddenly after their business is completed.
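The behavioural pattern summarised above (registration a few days before the first advertisement, posting about a single tool only, no reputation, sometimes vouching by an administrator) can be turned into a triage check that a threat-intelligence analyst runs over collected forum metadata. The following Python script is an added example and is not code from SenseCy or from any forum; the profile records, the field names, the `max_days_before_ad` threshold of 14 days and the scoring rule are all assumptions of this example. The sample profiles are constructed: one mirrors the registration-to-advertisement timeline described for Tapkin, the other a long-standing member with mixed activity.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class ForumPost:
    """One post by a monitored user (constructed record, not scraped data)."""
    posted: date
    about_advertised_tool: bool  # True if the post concerns the tool being sold


@dataclass
class ForumProfile:
    """Metadata an analyst typically keeps per forum account (assumed schema)."""
    user: str
    registered: date
    reputation: int                      # 0 for a brand-new, unvouched account
    posts: list[ForumPost] = field(default_factory=list)
    sent_sample_to_admin: bool = False   # the page describes this credibility tactic


def shell_profile_indicators(profile: ForumProfile, max_days_before_ad: int = 14) -> dict:
    """Compute the individual indicators of a 'shell profile' as described on the page.

    The 14-day window is this example's own assumption ("a few days").
    """
    ads = [p for p in profile.posts if p.about_advertised_tool]
    first_ad = min(p.posted for p in ads) if ads else None
    days_to_first_ad = (first_ad - profile.registered).days if first_ad else None
    return {
        # account created shortly before the first advertisement
        "registered_shortly_before_ad": (
            days_to_first_ad is not None and 0 <= days_to_first_ad <= max_days_before_ad
        ),
        # every post the account ever made is about the advertised tool
        "single_topic": bool(ads) and all(p.about_advertised_tool for p in profile.posts),
        # no seniority / reputation on the platform
        "no_reputation": profile.reputation == 0,
        # credibility sought via an administrator's review of a test copy
        "admin_vouching": profile.sent_sample_to_admin,
        "days_to_first_ad": days_to_first_ad,
    }


def is_shell_profile(profile: ForumProfile) -> bool:
    """Flag an account when the three core indicators all hold.

    Administrator vouching is reported but not required, since the page
    says it happens only 'sometimes'.
    """
    ind = shell_profile_indicators(profile)
    return ind["registered_shortly_before_ad"] and ind["single_topic"] and ind["no_reputation"]


# Constructed sample profiles (names and dates are illustrative).
NEW_SELLER = ForumProfile(
    user="new_seller",                 # hypothetical account
    registered=date(2014, 6, 2),       # registered eight days before the first advert
    reputation=0,
    posts=[ForumPost(date(2014, 6, 10), True), ForumPost(date(2014, 6, 11), True),
           ForumPost(date(2014, 6, 14), True), ForumPost(date(2014, 6, 20), True),
           ForumPost(date(2014, 6, 27), True)],
    sent_sample_to_admin=True,
)

VETERAN = ForumProfile(
    user="veteran_member",             # hypothetical long-standing account
    registered=date(2011, 3, 4),
    reputation=120,
    posts=[ForumPost(date(2012, 1, 9), False), ForumPost(date(2013, 5, 2), False),
           ForumPost(date(2014, 6, 12), True), ForumPost(date(2014, 7, 1), False)],
)


if __name__ == "__main__":
    for profile in (NEW_SELLER, VETERAN):
        print(profile.user, "shell profile" if is_shell_profile(profile) else "established",
              shell_profile_indicators(profile))
```

The flag is deliberately conservative: a veteran who happens to advertise a tool is not flagged because the registration gap and the mixed posting history both fail, while an account matching all three core traits is surfaced for an analyst to review rather than acted on automatically.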

Anthem Hack: Is the Healthcare Industry the Next Big Target?

Anthem Inc., the second largest health insurer in the US, has suffered a security breach to its databases. According to media reports, the breached database contains information from approximately 80 million individuals. Although medical records appear not to be in danger, names, birthdays, social security numbers, email addresses, employment information and more have been compromised.

Anthem described the hacking as a “very sophisticated attack,” and the company reported it to the FBI and even hired a cyber security firm to help with the investigation. However, the extent of the stolen data is still being determined. In addition, there is no concrete information regarding the perpetrators and the modus operandi (MO) of this cyber-attack.

In February 2014 we wrote that cyber criminals are shifting their focus from the financial industry to the healthcare industry, which has become an easier target. Healthcare records contain a wealth of valuable information for criminals, such as social security numbers and personal information. This information can sometimes prove more valuable than credit card numbers, which the financial industry is working hard to protect.

In 2013, at least twice as many individuals were affected by healthcare data breaches as in the previous year, owing to a handful of mega-breaches in the industry. According to a cyber security forecast published at the end of 2013, the healthcare industry was likely to make the most breach headlines in 2014. However, it appears that 2014 was the year in which American retailers suffered massive data breaches (Home Depot, Staples, Kmart, and of course Target at the end of 2013).

We should consider the Anthem hack as a warning sign for all of us – the healthcare industry might be the prime target for cyber criminals in 2015. We already know that PII (Personally Identifiable Information) and PHI (Protected Health Information) sales on black markets continue to rise. Such underground marketplaces are being used as a one-stop shop for identity theft and fraud. Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Here at SenseCy, we monitor on a daily basis the usage of breached medical information on underground forums and Darknet platforms.

We believe that this industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

Cyber Threats to the Insurance Industry

Written by Gal Landesman

In recent years, insurance companies have been finding themselves affected by the rising number of major incidents of cyberattacks. On the one hand, this trend presents a business opportunity for selling cyber insurance to organizations concerned about protecting their sensitive assets. On the other hand, insurance companies are not excluded from the cyber battlefield, as they hold large amounts of sensitive information regarding their clientele and are therefore targeted by cyber criminals. Moreover, data breaches that occur in the insurance industry are more difficult to detect than credit card information theft because clients check their bank accounts more frequently.

(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Insurance Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Cyber Insurance

Cyber insurance is a service much sought-after by many companies today. Most fear the bad PR in the wake of a cyberattack, the cost of dealing with the Data Protection Commissioner and the cost of handling affected clients. The financial burden and threat of reputation damage caused by downtime and data leakage are becoming more noticeable. Companies in industries such as healthcare, financial services, telecommunications and online retail now realize that cyber insurance is essential to minimize potential financial impact.

Some insurance companies selling cyber insurance have reported up to a 30% increase in sales over the last year. This type of insurance typically covers such things as exposure to regulatory fines, damages and litigation expenses associated with defending claims from third parties, diagnosis of the source of the breach, recovering losses and reconfiguring networks.

The cyber insurance market is fast-growing with a value of EUR one billion annually in the U.S. and EUR 160 million annually in the E.U., where it has been adopted at a slower rate.


Insurance Company Data Breaches

Insurance companies are now selling cyber insurance to organizations – ironically making themselves more attractive targets for attack, as they hold valuable information about those organizations and the people behind them.

Lately, regulators have been focusing their efforts on insurance companies that can sometimes hold very sensitive information on their customers, such as PII (Personally Identifiable Information) and PHI (Protected Health Information). The New York State Department of Financial Services sent out a survey in 2013 to insurance companies asking them about their cyber security policy. Insurance companies hold not only information on regular people, but they also hold sensitive and valuable information on their corporate customers. Insurers hold sensitive information on companies across a variety of industries.

The risks are evident in the following examples of reported data breaches of insurance companies:

  • Aviva Insurance suffered a data leak in which two of its employees disclosed customer information and car details to third-party companies.
  • The Puerto Rican insurance company Triple-S Salud (TSS) suffered a data breach and its management was fined $6.8 million by the Puerto Rico Health Insurance Administration.
  • In October 2012, Nationwide insurance provider was hacked, compromising the personal information of 1.1 million customers.

Commercial Espionage

Not only is the insurance sector suffering from the aforementioned threats, but insurance companies are apparently also facing threats from their competitors in the industry, who are going after their data in commercial espionage, employing hacking techniques. According to a report released by The Independent, SOCA – the British Serious Organized Crime Agency – suppressed reports revealing that law firms, telecom giants and insurance companies routinely hire hackers to steal information from rivals. According to the report, a key hacker admitted that 80% of his clientele were law firms, wealthy individuals and insurance companies.

Selling Insurance Information on the Underground Black Market

PII (Personally Identifiable Information) and PHI (Protected Health Information) sales on the underground continue to rise.

Several underground marketplaces include the selling of information packages containing “verified” health insurance credentials, bank account numbers/logins, SSNs and other PII. According to Dell SecureWorks, these packages are called “fullz” – an underground term for the electronic dossier on an individual used for identity theft and fraud – and they sell for about $500 each.

Such underground marketplaces can be used as a one-stop shop for identity theft and fraud. Health insurance credentials are sold for about $20 each, and their value continues to rise as the cost of health insurance and medical services rises.

Online Jihadists Express Interest in Cyber Warfare and Cyber Security

In March 2013, a hacker group called the “Tunisian Cyber Army” (TCA) claimed that they, in coordination with the al-Qaeda Electronic Army (AQEA), (or AQECA – al-Qaeda Electronic Cyber Army), have hacked several U.S. government websites.

The attackers stated that they were assisted by “Chinese hackers.” In addition, the groups claimed that these attacks were in preparation for #OpBlackSummer, a cyber campaign designed to target U.S. websites between May and September 2013.

OpBlackSummer

Regardless of the authenticity of these attacks, we clearly see the increased motivation of AQ-affiliated cyber units to wage attacks against Western targets. We would not be at all surprised to see sophisticated AQ attacks in the near future. We can assume that they are developing cyber attack tools, or even worse – purchasing advanced tools from the underground black market.

In September 2013, the Global Islamic Media Front (GIMF) – a propaganda organization associated with AQ – posted an encryption program for mobile phones on jihadi forums. The program is called Tashfeer al-Jawwal, or Mobile Encryption, and the GIMF described it as the “first Islamic encryption software for mobiles.”

The release was prefaced by an introduction from renowned jihadi ideologue Abu Sa’ad al-A’mili, who promised that the program would be a qualitative move for secure communications between jihadists and a surprising shock to the enemy. It should be mentioned that the GIMF provided a description of the program on their website, as well as tutorials in Arabic, English, Indonesian and Urdu.

Tashfeer al-Jawwal – encryption program for mobile phones

In December 2013, the exclusively online AQ propaganda distributor, the al-Fajr Media Center, published a new encryption program called Amn al-Mujahid (“Security of the Mujahid”) on jihadi forums, accompanied by a 28-page instructional manual. Al-Fajr said that AQ’s Technical Committee sought to develop an encryption program equipped with the latest technology that would enable the user to use advanced encryption standards.

Although these developments are merely versions of available programs, the steady introduction of programs such as these reveals jihadi interest in cyber security and cyber warfare.

This Little Rhino Went to the (Underground) Market…

Illegal Trade in Ivory

The Internet is the world’s largest marketplace. Anything can be bought and sold, and with Internet access available in almost every corner of the earth, many people trade and profit from this wonderful platform. What most people do not realize is that you can buy or sell just about anything online. Sure, there are some obscure memorabilia which can be bought on eBay or its Chinese equivalents, but for more hardcore items, like contraband goods, you have to delve deeper into the web to understand the scope of the trade.

One such item is rhino horn. This illustrious item, made of keratin (the same type of protein that makes up hair and fingernails), is surreptitiously sought after for ornamental or traditional medicinal purposes in East Asia, specifically Vietnam and China. The rhino horns are removed from slaughtered animals all over Africa, taken to central warehouses and distribution centers and then shipped east, toward Southeast Asia.

This trade is an ancient one and certainly precedes the Internet, but what is conspicuous today is that the Internet has become an essential virtual marketplace, where distributors, buyers and sellers communicate and trade. One platform where this is taking place is Baidu Space (百度空间) – a popular online social networking service provided by China’s Internet giant Baidu, which also runs the country’s most popular search engine. Many active users trade rhino horns on this platform.

One such user is “zt04010623”. Not much is known about this individual, other than the fact that he is a married male university graduate in his 30’s, living in the Beijing metropolitan area. Messages on zt04010623’s “wall” in his Baidu Space account reveal his extensive engagement in the trade – most address ivory, ivory products and rhinoceros horns. Below are some samples:

A user named ssssssdddddwww asked: “Is it true that you buy ivory carvings? Where?”

A user named SUNTORY19895 wrote: “I’m a bit confused regarding how much I should ask for my ivory necklace. Can you take a look and give me a rough estimate?” 20 days later zt04010623 answered: “Yes, I can. Send it to me and I’ll have a look.”

A user named wwlleon9 asked: “Hello, can you get ivory from abroad?” On June 1, zt04010623 answered: “Ha ha, add my QQ number XXXX” (QQ is an instant messaging service, popular in China).

A user named “Dark Blue Qinqin” (深蓝的钦钦) wrote: “Hello brother, I have two ivory bracelets that my father’s friend brought from Equatorial Guinea when I was little. I have had them for about 15 years now. I heard that you buy, right? I wanted to ask how much? Please let me know. Thanks.”

A user by the name “Private Ivory Art (个体牙艺)13” wrote: “If you need ivory carvings, please contact me.” On January 18, zt04010623 sent his QQ number in response.

A picture of ivory taken from “Private Ivory Art’s” profile

zt04010623 also shared his photo albums:

Photo album images: Ivory_2, Ivory_3, Ivory_4

In addition to his activity on Baidu Space, zt04010623 is also active on Baidu Knows (百度知道), an extremely popular Web service provided by Baidu where users can raise questions and/or answer them.

Since opening an account in Baidu Space, zt04010623 has already participated in 193 conversations and supplied 212 answers, most of which are related to ivory, ivory products and rhino horns. His intensive participation in these conversations has undoubtedly boosted his reputation as an ivory expert, and therefore many people approach him directly on his personal space with inquiries.

zt04010623 pays particular attention to the following keywords on Baidu Knows: ivory, rhino horns and ivory carvings. For instance, a user asked: “Where can one buy genuine ivory in Tanggu district?” The next day, zt04010623 answered: “I have a friend who can help you. Please contact me.”

Some parts of the discussions clearly illustrate the illegal nature of the trade, such as a discussion where a user asked: “In which countries does the customs office not forbid importing ivory from countries that manufacture ivory?” zt04010623 answered: “Ha ha, I reckon you should have asked in which country customs are most loose. Go for small countries with unstable regimes; over there, customs exist in name only. Just give them some money and you can pass.”

As this individual shows, this kind of trade blossoms on the Internet, which has made communication between suppliers, sellers/distributors and customers so much easier, and the perceived anonymity of the web allows this illegal trade to take place uninterrupted, leading to large profits for all involved (all but the poor rhinos, now on the verge of extinction).