How to Avoid 2020 Online Shopping Threats

The shopping season is upon us and as in previous years, cybercriminals are preparing multiple ways to target the online shopping community, including phishing attempts to steal financial details, malspam campaigns distributing malware and more. In fact, while examining the credit card trade in the Dark Web during 2019, we discovered that the highest number of stolen cards offered for sale on dedicated marketplaces was in November 2019 with over 32M cards, although we should take in consideration that there are duplications of data, since it is likely that cybercriminals will try to sell the stolen data in multiple marketplaces.

In this post we will provide you with some tips for ensuring a secure shopping spree and we will also take a look at recent attacks and how attack groups operate to target online shoppers and vendors.

Are you shopping online this season? Here are essential Do’s and Don’ts for you:

  • Be extra aware of phishing attacks, especially with emails requesting you to verify or update your account details, register to get a free item or a coupon, etc.
  • Verify the URL address of the platform you are about to buy from – make sure the URL address of the official website of the desired brand.
  • Check that the platform you are shopping on to purchase goods is secured – look for an HTTPS URL, a trusted certificate, etc.
  • Do not open attachments sent from unknown sources, especially ones requesting to enable macro or editing permissions in order to open them.
  • Avoid clicking on ads of any kind, especially during the shopping season.
  • Do not download apps from unofficial App stores, especially shopping-themed apps.
  • Check apps permissions and update your mobile operating system on a regular basis.
  • Use 2FA or OTP protocols if provided by the service vendor.

What you see isn’t always what you get: Scam Websites and Fake Domains

Fake domains of popular brands can be used in spam or phishing campaigns that are carried out via mail, SMS, social media platforms and more. In last year’s shopping season, 124,000 suspicious domains were detected, abusing names of 26 brands. The most targeted brands were Apple, Amazon and Target.

This year, we researched how many domains with the word “Amazon” were registered during the first week of November 2020. We detected over 600 of recently registered domains with no official connection to Amazon in their registration details. Although it seems that many of them are not yet “operational”, as they do not lead to an active website, some of them sure look suspicious, for example: verification-amazonservices.com (detected as a phishing website via several AVs), account-verificationamazon.com, amazon-login-verify.com (detected as suspicious by one AV) and even amazon-black-friday.com (first created in 2010 and is being re-registered each year since then).

Scam websites usually use a similar web design and interface to the legitimate online shopping platforms, and therefore it is recommended to check the website’s domain or URL address before purchasing goods using your credit card.

A fake website of Taobao, a Chinese online shopping platform (the upper one) and the legitimate website (bottom)

Keep your systems updated to avoid E-skimming attacks (AKA: Magecart attacks)

E-skimming is one of the most popular ways these days to carry out credit card fraud. Cybercriminals usually exploit a vulnerability in the e-commerce or online payment platform (usually in third parties’ components), in order to inject a malicious code that will capture the user’s credit card data and send it the its operators. Once they hold the data, cybercriminals will probably sell it in the Dark Web or use it to make additional purchases.

Magecart is the name given for this type of attack and to cybercriminals that usually target platforms running outdated versions of Magento (while exploiting flaws, such as CVE-2017-7391 and CVE-2016-4010 in Magento) and use a malicious JavaScript code embedded into the compromised platform. In fact, Magecart attacks are so common that in September 2020, it was reported that approximately 2,000 e-commerce platforms were targeted in one weekend.

Additional ways to carry out e-skimming attacks are by accessing the e-commerce network, using administrative credentials. These can be obtained via phishing, brute-force attacks, or a cross-site scripting attack that redirects users to a malicious website with a JavaScript code. Access to networks of online shopping platforms are also traded on Dark Web forums, allowing threat actors to gain access to databases containing users’ details.

Cybercriminal offers access to a shopping platform on the Dark Web. This can be also used for e-skimming attacks. Source: Verint LUMINAR

Of note, nation-state groups were also spotted using this attack vector in the wild. In July 2020, researchers found that the North Korean group Lazarus was behind a serial of Magecart-style attacks against multiple e-commerce stores around the world.

Therefore, it is vital for organizations that operate online payment platforms to keep them updated and secured. We really can’t stress this enough. It is also recommended to use tools that will help detect such malicious injections and monitor suspicious activities in order to block them on time.

The spamming season: Spam campaigns are used for malware distribution

In the shopping season of 2018, a massive spam campaign distributing Emotet, targeted online shoppers worldwide, especially in North and Latin America and the UK. Emotet is an infamous malware, active since 2014, that was first detected as a banking Trojan, but these days it is often used as a downloader or a dropper for additional Trojans or even ransomware. It is usually distributed via worldwide spam campaigns and malicious attachments that request users to unable Macros. During last year’s shopping season, approximately 130 million malware attacks and ~640,000 ransomware attacks were detected in the US. Based on what we’ve seen in the past few years, it is expected that malware operators will try to lure victims via shopping-themed emails and malicious attachments.

The world goes mobile: The rise in malicious mobile apps

Each year, malicious shopping-themed apps target unaware users during the shopping season, which is why it is recommended to download mobile apps from official platforms and to check the reviews. However, in January 2020, a new Trojan dubbed “Shopper” was spotted leaving fake applications reviews on Google Play, on behalf of the infected device’s owner, leaving users with no trust in apps rating. The Trojan was also detected turning off the Google Play Protect feature, in order to download additional apps without safety checks, using the victim’s Google or Facebook account to register to popular shopping and entertainment apps, spreading advertisements, etc. Infections were spotted worldwide, including in Russia, Brazil and India.

Additional malicious shopping season-themed Android apps were spotted in 2019 luring users with coupons, discounts and other shopping hacks. Some of them were detected sending sensitive information from the infected devices to their operators or containing adware used to spread malicious advertisements.

To conclude, the shopping season is open for all, including cybercriminals who are trying to maximize their gain. Awareness is the key when it comes to what shoppers can do to keep safe, whereas vendors need to take additional measures during these times to avoid financial loss, reputational damage and customer abandonment.

ARE RUSSIAN CYBERCRIMINALS OFFERING HACKING SERVICES IN CHINA ?

On July 27, 2020, a group of threat actors published a post in the advertisement section of a prominent Chinese Darknet marketplace offering hacking services. Hacking-as-a-service offers appear frequently on Chinese underground platforms, and many actors publish these services – accompanied by varying degrees of details – on both Clearnet hacking forums and Darknet marketplaces. However, what makes this offer unique is the identification of the actors, who claim to be Russian.

WHAT INDICATES THAT THE HACKERS ARE REALLY RUSSIAN ?

  1. Several linguistic features suggest the actors are indeed non-native Chinese speakers. First, they use anachronistic vocabulary and terms rarely seen in contemporary Chinese online chatter, which is common on these forums. Two examples are the use of the term 万维网 for “World Wide Web,” and the rare version of the word “hacker” 骇客 (pronounced haike, instead of the commonly used term 黑客, pronounced heike); Second, some sentences are oddly phrased, using a combination of wrong vocabulary and/or unnatural syntax or formulation, giving the impression the text was translated from a foreign language, possibly via a machine-translation tool; Third, there are linguistic inconsistencies in the group’s posts on the forum: whereas most of the posts are written in simplified Chinese characters, used in mainland China, one is written in traditional Chinese characters, used in Taiwan and Hong Kong – this transition by the same writer is very uncommon. Furthermore, different variations of the same word or term are used simultaneously in the same post.
  2. Contact details include several Telegram, QQ and Jabber accounts, with the former two widely used by Chinese cybercriminals and hackers selling their services. However, in addition to those, they also offer their services via Yandex email service, which is rarely used outside of Russia and the former Soviet Union countries, and even less so by Chinese users. This corroborates the assumption that these actors are not Chinese, and may indeed be Russian, as they claim to be.
The post from July 27, offering “high quality hacking services”, as appeared on the Chinese Darknet marketplace. The sentence highlighted in yellow reads: “we come from Russia”. Source: Verint LUMINAR

THE THREAT ACTORS’ OFFERING

The hacking services on offer are listed in more detail in another post by the same threat actors, published on this marketplace on June 15, 2020. The list of services includes:

  • Web penetration and data extraction. The actors state they have mastered the structure and special features of the main database types, such as MySQL, MSSQL, Oracle and PostgreSQL.
  • Obtaining web shells by exploiting major vulnerabilities, such as CMS, WP and Joomla, among others.
  • Cracking of software and encrypted files; secondary packaging and unpacking.
  • Software and source code secondary development.
  • Various web security-related services, such as penetration tests, code design, vulnerability scanning, emergency response, alerts and web security training, among others.
The post from June 15 listing the services this group offers. Unlike other posts by these actors, this post was written in Traditional Chinese characters. Source: Verint LUMINAR

In addition to these two posts offering hacking and web-security services, in two other posts from May and June 2020, these actors also offer for sale, bots for boosting the number of “friends” and “followers” on social media networks, as well as SMS-bombing services and tools.

Finally, in recent months, we have noticed an increasing trend of Chinese threat actors operating on non-Chinese platforms. They typically use their linguistic skills and familiarity with Chinese underground platforms to make easy profits by offering data sold exclusively on Chinese platforms (usually Darknet marketplaces and Telegram groups) on English-language platforms outside China for a higher price. However, it is highly unusual to see non-Chinese actors actively operating on Chinese-language platforms. If the actors’ claim of being Russian is indeed correct, this is a relatively novel and unusual phenomenon worth noting.

PERSONAL DATA OF TAIWAN’S ENTIRE POPULATION FOR SALE

A May 2020 media report disclosed that a Taiwanese database containing personal data from over 20 million citizens (Taiwan’s entire population) was posted for sale on the Dark Web. According to researchers, the source of the leak is governmental and originates from the Department of Household Registration, under the Ministry of Interior.

The sale offer was posted on May 19, 2020 in an English language underground Dark Web marketplace. The seller indeed claimed the database contains data of the entire country’s citizens and attached a sample where one can see each line in the database is arranged by full name, landline number, ID number, home address and sex. The seller has offered to sell the database for US$ 2,500.

Taiwan’s Population Database for Sale
Source: Verint Luminar

NOT THE FIRST TIME WE’VE SEEN SUCH AN OFFER

Although this database leak was defined by the above reports as unique, this is not the first time we have seen an offer for a database consisting of personal information for the entire population of Taiwan. In Chinese sources, such offers have appeared since August 2018 at least. Our findings, detailed below, may imply the database offer is in fact a resell of a previous database offered several times in the past in Chinese underground sources. These findings show the flow of data from one underground arena to another and stress the importance of multi-language monitoring across various sources to get a full picture of the origins of leaked databases.

THE TAIWANESE DATABASE ON THE CHINESE DARK WEB

Our first indication of a Taiwanese population database was in August and September 2018. In August 2018, an offer appeared on the Chinese Darknet marketplace to sell a Taiwanese population database consisting of the full names, landline numbers, gender and home addresses of 21,141,314 people.

Taiwan’s Population Database for Sale, August 2018
Source: Chinese Dark Web marketplace

About a month later, an actor who has offered several other major database leaks on the same Chinese language Darknet marketplace (including the Marriott database), offered a full database of the Taiwanese population, consisting – according to him – of approximately 25 million lines of data, claiming the data was updated to September 2017.

Taiwan’s Population Database for Sale
Source: Chinese Dark Web marketplace

Since then, similar offers have occasionally appeared in both the Darknet marketplaces and other underground chat groups operating on Telegram.

SIMILARITIES BETWEEN LEAKED SAMPLES SHARED ON THE DARK WEB

According to our research, the last time a similar offer was published was January 2020, when an actor on a Chinese Darknet marketplace offered a 25 million line Taiwanese population database containing – once more by that order: full names, landline telephone numbers, ID numbers, home addresses and sex. The actor also attached a short sample to prove the authenticity of the database. According to the marketplace’s inner data, this transaction was completed twice, meaning two different actors have purchased the database since. Of note, the same actor also offered the same database in April 2019, attaching a similar sampler. The two screenshots below show the two offers, from January 2020, and April 2019.

Offer to Sell Taiwan’s Full Population Database, Containing ~25 million Lines, January 2020. Source: Chinese Dark Web Marketplace
Similar Offer from the Same Actor, April 2019
Source: Verint Luminar

The two samples attached to the offers – the two Chinese posts from April 2019 and January 2020 and the English post from May 2020 – show different names but look strikingly similar. The pattern of the data is identical, and it is arranged in the exact same order: full name, landline number, ID number, home address and sex. Furthermore, the current seller admitted he obtained the data in 2019, which is in line with the date the same offer was published on a Chinese marketplace.

All the above leads us to conclude the current offer of the Taiwanese population database is an attempt to resell the same database leaked in the past in Chinese underground platforms. As the asking price for the data sold on the Chinese platform was merely US$ 200, whereas he offered the same database for US$ 2,500, we believe it is highly probable this actor acquired the database on the Chinese marketplace and then tried to make an easy profit from actors operating on other platforms who do not have access to the Chinese marketplace and/or cannot read Chinese.

THE SELLER HAS OTHER ACTIVITIES ON THE DARK WEB

According to our analysis, the seller was seen operating under the same nickname on a Chinese Telegram underground chat group, a Russian Clearnet hacking and fraud forum, and two English-language Darknet forums.

In all instances, he offered credit card user data from China Industrial Bank containing over 460,000 lines. In one of the offers seen below and posted on the English-language forum, the actor quoted a price of US$ 380 for the database.

The China Industrial Bank Credit Card User Database offered on a Chinese Underground Telegram Group
A Similar Offer by the Same Actor Posted on an English-language Darknet Forum for US$ 380
Source: Verint Luminar

BUY IN ONE LANGUAGE, RESELL (FOR A NICE PROFIT) IN ANOTHER

As in the case of the Taiwanese population database, the China Industrial Bank database offered by this actor appeared before in Chinese underground platforms. In March 2020, the offer was posted on a Chinese Darknet marketplace for US$56 (see first screenshot below.) According to this marketplace’s inner data, it was sold 21 times. A month later, in April 2020, it was also offered on a Chinese-language underground Telegram group (see second screenshot below.) This demonstrates a similar modus operandi by this actor, and presumably by many other actors who operate across various, multi-language platforms: acquiring databases in one language (Chinese) and reselling them at higher prices on platforms in other languages.

The Chinese Industrial Bank Database offered on a Chinese Darknet Marketplace, March 2020
The Same Database offered on a Chinese Telegram Group, April 2020. Source: Chinese Darknet Marketplace

DDoS Attacks for Hire: How the Gambling Crave Fuels Cybercrime in China

ddos-attack-Banner-DDos_1920x960-1024x512

The Forbidden Fruit – Gambling in China

Many card and board games are believed to have originated in Ancient China. Some of these games involved betting and gambling and they have been an inherent part of the Chinese leisure culture for centuries.

This changed when the Communist Party seized power in 1949, declaring gambling a “corrupt, feudal practice” and hence strictly banned by law.

When the Reform and Opening-up policy was introduced in China in the late 1970’s and early 1980’s, the authorities have somewhat released their strong grip on gambling and card games. Gaming and carding parlors (known in Chinese as 棋牌室, literally meaning “chess and card rooms”) sprang up in every street corner and card games and private betting among groups of friends thrived. Despite this, gambling remained illegal outside the two national lotteries (the China Sports Lottery and the China Welfare Lottery) and these establishments were far from satisfying the crave.

What do you do when your Favorite Pastime is Forbidden by Law?

Travel to Casino Hubs Abroad

A partial solution was found overseas. Chinese gamblers have flocked to casinos around the globe and went to neighboring Hong Kong to participate in horse race betting. And then there was Macau – with the help of the Chinese government, the former Portuguese colony just across the border from Guangdong Province has become the world’s largest casino center, surpassing Las Vegas since 2006.

Another casino hub attracting hordes of Chinese gamblers in recent years is the Philippines, where the hosting and entertainment industry, catering to the needs of the Chinese, was booming until the outburst of Covid-19 pandemic. This is manifested in job openings in the Philippines for Chinese nationals, many of which re published in dubious online platforms, such as QQ and Telegram groups dedicated to gambling and fraud as well as in Chinese-language underground forums. Another negative side to this craze is gambling-related crime, which has escalated in the Philippines over the past years.

However, traveling abroad is not accessible to everyone in China with a crave for gambling and even those who do travel, cannot always travel as often as they’d want to. There was a market rip for solutions, and with travel restrictions following the outburst of Covid-19 pandemic, this market’s potential grew even larger.

From Casino Hubs to Online Gambling Arenas

they satisfied the Chinese gambling community for about a decade. Since then, China has outlawed online gambling as well and the active websites are also situated offshore, on servers located outside the country.

These online casinos, gaming websites and gambling arenas cause a big headache to the Chinese Communist Party. If a decade ago the authorities have largely turned a blind eye to this phenomenon, nowadays, with the clear aim to promote a “civilized, harmonious society”, China sees it as a challenge and tries to fight these online platforms. Of course, these moral considerations, important as they may be, are dwarfed by the financial problem, as online gambling is draining hundreds of millions of yuan out of the country. Yet China is finding it hard to stop websites that are registered and operated abroad, especially when the hosting counties, such as the Philippines, are not so keen on cooperating.

Enter Cybercrime

The size of the market is a huge business incentive, creating more and more actors and fierce competition. These online casinos use various methods in order to lure more gamblers onto their websites. One of these methods, is fraud. For example, one of the common frauds that takes place is when fake gambling websites pretend to be official sites of famous casinos in Macau.

But competition does not stop there. In order to gain bigger chunks of online traffic, gambling websites fight and attack one another, and their weapon is – ironically – online traffic.

chinese-gambling-website-1024x519

Chinese Gambling Website Posing as Macao’s Venetian Official Online Casino

The DDoS Fighting Ring

Chinese hackers are more than eager to lend a helping hand. As most state-sponsored cyber activities handled by patriotic hacking groups from the early 1990’s until about a decade ago, are now under the wings of the Chinese intelligence apparatus, many idle hackers have turned into cybercrime, looking for easy profit. This type of cybercrime is mostly directed inbounds.

One of the ways in which Chinese hackers are involved in the online gambling industry is by breaching online casinos and gaming websites, stealing their user data and selling it on Darknet marketplaces or offering it on designated QQ and Telegram groups.

gambling-site-database-leak

Sample from a Gambling Site Database Leak,
Offered for Sale on a Chinese Darknet Marketplace

Another way, which drives a whole underground sector of cybercrime in China, is by conducting DDoS attacks against competitors. These attacks take the gambling websites down and thus, hopefully, drive their customers to the gambling site that ordered the attack.

DDoS has also become a popular weapon for pornography websites and Darknet marketplaces, who launch DDoS attacks against each other. For example, China’s largest online marketplace on the Darknet, has experienced a large-scale DDoS attack during the summer, disrupting its activity for several weeks.

flashing-ads

Flashing Ads on a Chinese Hacking Forum, Offering Tailor-made DDoS Attacks,
among other Hacking Services

The DDoS Chain

The first step in a DDoS attack is to gain control of a large number of computers and other online devices and to turn them into bots, in order to divert huge traffic to the attacked website and thus shut it down. In Chinese hacking slang, these computers are named “broilers” or “meat chickens” (肉鸡). Members of Chinese underground hacking forums constantly offer tools for detecting these “broilers”, namely scanners that trace vulnerabilities in computers and servers. These tools allow the attacker to penetrate these vulnerable devices, implant trojans in them and hence control them remotely. The tools are referred to in Chinese as “Chicken Catchers” (抓鸡) and hackers who operate on those forums trade them between themselves.

broiler-detection

‘Broiler’ Detection Tool Offered on a Chinese Hacking Forum

In addition to buying tools to detect “broilers”, DDoS attackers can also buy these “broilers” directly, as these are sold in bulks on forums and designated QQ/Telegram groups. Based on the number of messages in forums and chat groups, of people requesting to buy “broilers”, it is quite clear they are in high demand.

The customers of the “broiler” market are in turn becoming the suppliers of DDoS attacks and offer their tailor-made services online. Whoever orders the attack can contact the attacker via private messaging, define the target and agree on a price according to the length of the attack and the nature of the attacked website. According to a report published by the Chinese tech firm Tencent, this is what the chain of custom-made DDoS attacks looks like:

DDOS-diagram-1024x595

The Offer: DDoS as-a-Service

The screenshot below, showing an offer posted on a prominent Chinese Darknet marketplace, can shed light on the how these DDoS as-a-service transactions are conducted. It also demonstrates what kind of websites are legitimate targets and which websites are off-limits, for fear of being prosecuted by the authorities. The post reads:

ddos-as-a-service

DDoS as-a-service Offer Posted on Chinese Darknet

Translation:

ddos-as-a-service-translation

Hunting Down Cybercriminals

Chinese law enforcement authorities are well aware of this problem and are relentlessly trying to crack down these cybercriminals and their activities. In late 2018, a man in his twenties from Suining County, Jiangsu Province, was arrested by local authorities, after discovering he had implanted a malicious code, which allowed him to remotely control a local server. During his investigation, he admitted to being part of a team of at least 20 hackers from all over the country that had used “broilers” in order to conduct DDoS attacks by demand.

The team had been involved in more than a hundred DDoS attacks, harming or controlling more than 200,000 websites and earning more than 10 million yuan along the way. Members of the team were arrested across China, yet this only emphasized the magnitude and popularity of the DDoS and DDoS as-a-Service markets, and the success of taking down this cybercriminal operation was merely a drop in the ocean.

Suspicious Domains Selling Tickets to the Tokyo 2020 Olympics

Tokyothumbnail_840x620

As a cloud of uncertainty still hangs over the opening of the Tokyo 2020 Olympics due to the Coronavirus pandemic, cyber criminals are still working (remotely) on finding ways to maliciously profit from the event.

Events at the center of global attention such as major sports events and tournaments are often used by attackers to trick users into phishing scams, malware campaigns and the theft of personal and payment details.

We have been monitoring potential threats to the upcoming Tokyo 2020 Olympics for our customers and we recently discovered two suspicious domains allegedly selling tickets for the Games. In both cases, further investigation led us to find additional suspicious domains allegedly selling tickets to the Euro 2020 tournament. In this blog post you can find a summary of our findings.

tickets-tokyo2020[.]com

The domain tickets-tokyo2020[.]com was created on February 11, 2020 by a private registrant at the NICENIC INTERNATIONAL GROUP domain registrar.

When accessing the domain, the user is presented with a page in Russian where the official logo of the 2020 Tokyo Olympics appears. It is also stated that this website is an “authorized Ticket Reseller” for the Olympics. However, we could not find this domain in the list of authorized resellers on the official website of the 2020 Olympics. The user can change the language of the website to English and the website contains search fields, where the user can search for a specific event in the Olympics, for which they are looking to purchase tickets. At the time of publishing this post, the search option does not appear to function, thus, it is possible the website is still under development. There is also a “cart” banner where the user is supposed to be able to view the selected tickets and pay for them.

tickets-tokyo-1-1024x562

tickets-tokyo2020[.]com

This domain is hosted on the 5.45.72[.]40 IP address, together with only two more domains: ticket-mafia[.]com and euro-2020-tickets[.]com. The ticket-mafia[.]com domain was created on November 2016, and until December 20, 2019, it was registered by a private registrant at the GoDaddy domain registrar. However, on December 20, 2019, its registry was updated by a private registrant and was registered at the same domain registrar as the tickets-tokyo2020[.]com domain, NICENIC INTERNATIONAL GROUP.

The ticket-mafia[.]com domain displays a login page in Russian. It is worth mentioning that when inserting HTTPS:// before the tickets-tokyo2020[.]com domain, we were presented with the same login page of ticket-mafia[.]com. There is no option to sign up and therefore we believe it is designed for a user with preset login credentials, presumably the admin of the websites. We estimate the login page leads to a backend dashboard of some kind, although it remains unknown whether it is used for legitimate purposes or not.

login-window-small

Login Window

The euro-2020-tickets[.]com domain was created on January 6, 2020, by a private registrant and is also registered at the NICENIC INTERNATIONAL GROUP domain registrar. This website resembles the tickets-tokyo2020[.]com: it is also presented in Russian and uses the official UEFA Euro 2020 logo, it enables the user to switch the language to English and it allows users to search for a specific match. However, in this case, the search function does work. Upon selecting a match and a seat, the user can select the “order” function and enter his name, phone number and email address and move on to the payment, yet the “Go to the payment” button does not work, as of the time of publishing this post. Of note, the official UEFA Euro 2020 website specifically states that “Third-party ticketing websites and secondary ticketing platforms are not authorized to sell tickets for UEFA EURO 2020”. Thus, it appears this website is not an official Euro 2020 tickets reseller and is not authorized to offer tickets for the tournament for sale.

euro-tickets2020-1

euro-2020-tickets[.]com

In light of these findings, we estimate that the above domains were created by the same actor. Our investigation did not reveal any malicious activity associated with these domains. However, it appears that these are not official resellers of tickets for the two events. In addition, as the search function in the Tokyo 2020 domain and the payment function in the Euro 2020 domain do not work, it appears that these domains are still under development, and thus could materialize into a more serious threat in the future.

olympic2020tickets[.]com

The code of a malicious HTML file recently uploaded to the VirusTotal platform, contained a link to the olympic2020tickets[.]com domain. This domain does not appear in the official website of the Tokyo 2020 Olympics as an official and authorized reseller. The website offers users to buy or sell tickets to the 2020 Tokyo Olympics. The website also displays the logos of some of the Olympics’ official sponsors, such as Toyota, Panasonic, Visa, Alibaba Group, and more. The use of the logos of the sponsors can increase the credibility of the website in the eyes of visitors, and trick them into thinking the website is a legitimate and official ticket reseller for the Games.

olympic2020tickets-1

olympic2020tickets[.]com

Using an HTML interpreter, we discovered that the above-mentioned malicious file uploaded to VirusTotal, contains the HTML code of the main page of olympic2020tickets[.]com. In addition, the olympic2020tickets[.]com domain itself is identified as malicious by three different anti-virus engines. Our technical analysis of the website’s code did not reveal any use of a malicious JavaScript. The website provides the following phone number for contact: +4402074425560. We identified two additional similar domains, eurosportstickets[.]com and ticketsmarketplace.co[.]uk, which provide the same phone number for contact, and are also dedicated to selling tickets to various sports events and games. As can be seen in the screenshots below, the three domains resemble each other in their structure and design. In addition, eurosportstickets[.]com is identified as a phishing website by two anti-virus engines.

eurosportstickets-1-1024x524

eurosportstickets[.]com

ticketsmarketplace-1

ticketsmarketplace[.]co.uk

None of the Whois details of the three domains, reveal the identity of the registrant. However, we noticed that two of the domains, olympic2020tickets[.]com and ticketsmarketplace[.]co.uk, are hosted on the same IP address, 77.72.1.20, while eurosportstickets[.]com is hosted on the approximate 77.72.1.21 IP address.

Using the graph function of VirusTotal, we managed to establish connections between the three domains and the IP addresses they are hosted on, as can be seen below. The graph also shows how this infrastructure is related to malicious activity, and how both IP addresses are used for downloading malware, such as the Tofsee backdoor, the Artemis malware or the QRat.

mapping-1024x711

Connections Between the Domains and Their Surrounding Malicious Infrastructure

 

The Awakening of PoS Malware (or, Has It Really Been Dormant?)

The peak of activity of Point-of-Sale (PoS) malware was in late 2013 (with the disclosure of the notorious Target breach), and over the course of 2014, when we witnessed the development and trade of new PoS malware strains. The vigorous discussions on hacking communities at the time, has led hackers to believe PoS malware would ensure them an easy profit. However, as time passed, Continue reading “The Awakening of PoS Malware (or, Has It Really Been Dormant?)”

What will The Dark Overlord Do Next – a CTI Assessment

On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed he had hacked an unnamed company, and exfiltrated a large volume of sensitive documents related to the 9/11 terror attacks-related lawsuits. TDOaims to extort the impacted organizations into paying a Bitcoin ransom and he already published batches of the leakage after creating a public auction system, where anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”

Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools

The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it will also affect IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018. Continue reading “Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools”

Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers

Insiders pose the most substantial threat to organizations everywhere, a recent across-the-board study conducted by IBM demonstrates. Although in the majority of the cases, the insider is an employee of the company, he could also be a third party, such as an external contractor, a consultant or a business partner. An insider generally has all the Continue reading “Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers”

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”