KELA Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/kela/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 06 Dec 2022 17:24:44 +0000

The 2easy trading platform is gaining popularity on the darknet
https://gridinsoft.com/blogs/the-2easy-trading-platform-is-gaining-popularity/
Wed, 22 Dec 2021 16:05:58 +0000
KELA analysts say that the 2easy trading platform is gaining popularity on the darknet, gradually becoming an important player in the sale of stolen data.

The company’s report states that the stolen information was collected from approximately 600,000 devices infected with malware.

2easy mostly sells so-called “logs”, archives of data stolen by malware from compromised browsers and systems. Typically, such dumps include credentials, cookies, and information about stored bank cards.

I think you will also be interested to know: what is the darknet?

2easy was launched back in 2018, but the site has shown rapid growth since last year: until recently it sold data from only 28,000 infected devices and was considered a minor player in this market.

According to KELA experts, the sharp growth is due to the development of the platform and the stable quality of its offerings, which is why 2easy has earned itself a reputation and popularity in the hacker community.

[Image: Advertising 2easy]

The site is fully automated, that is, anyone can create an account, add money to the wallet and make purchases without interacting with sellers directly. Data is available for purchase at an average of $5, which is about five times less than on the Genesis marketplace, and three times less than the average price on the Russian black market.

Experts point out that the 2easy graphical interface is user-friendly and allows users to perform the following actions on the site:

  • view all URLs where infected machines have logged in;
  • search for URLs of interest;
  • view a list of infected machines from which credentials for the specified site were stolen;
  • check seller rating;
  • check for tags assigned by sellers, which usually include the date the machine was infected, and sometimes additional notes;
  • retrieve the credentials for the selected targets.

The only drawback of 2easy that KELA notes is that the platform does not let potential buyers preview the product, that is, the redacted IP addresses or OS versions of the devices from which the data was stolen.

Each “lot” purchased at 2easy comes in the form of an archive containing the stolen logs of the selected bot. The type of content in each case depends on the specific malware and its capabilities. However, in 50% of cases sellers use the RedLine malware, which is capable of stealing passwords, cookies, bank card data stored in browsers, FTP credentials, and much more.

[Image: Dump example]

Five of the eighteen sellers working on 2easy use RedLine exclusively, while the rest use other malware as well, including Raccoon Stealer, Vidar and AZORult.

KELA analysts warn that such logs, and the information they contain, often become the key to penetrating corporate networks.

“A similar example could be seen during the Electronic Arts attack, which took place in June 2021. The attack began with hackers buying stolen cookies online for just $10 and using them to gain access to EA’s Slack channel. Having infiltrated Slack, the hackers successfully tricked an EA employee into providing them with a multi-factor authentication token, which allowed them to steal the source code for a number of games”, – the researchers cite as an example.

Let me remind you that I also wrote about researchers noticing that the darknet is discussing exploits as a service.

Attackers Hacked OGUsers Hacking Forum Again
https://gridinsoft.com/blogs/attackers-hacked-ogusers-hacking-forum-again/
Thu, 29 Apr 2021 16:10:14 +0000
Recently, the media reported that attackers hacked one of the most popular hacking forums on the Internet, OGUSERS (aka OGU), again, for the second time in the last year. Then an unknown attacker stole the data of 200,000 users, according to the official user statistics shown on the forum.

As a result, OGUSERS was temporarily disabled and put into maintenance mode, and users were notified of a password reset, urging everyone to turn on two-factor authentication for their accounts so that the stolen data could not be used to hack accounts.

Let me remind you that another OGUSERS hack occurred in May 2019. Then the attackers entered the server through a vulnerability in one of the custom plugins and gained access to a backup dated December 26, 2018. The site was then hacked again in November 2020.

OGUSERS started out as a website selling stolen accounts on a wide variety of platforms and services.

“But if it all started with ‘interesting’ social media accounts (Twitter, Instagram) with unique or short usernames, it later developed into a full-fledged resource for the sale of any accounts, including user accounts of PlayStation Network, Steam, Domino’s Pizza, etc.”, – the media say of the forum.

In addition, Motherboard reporters turned their attention to OGUSERS back in 2018, when they were preparing a series of articles on the increasing cases of SIM card fraud. Such attacks, which hijack someone else’s phone number, are used to take over accounts on social networks, steal large amounts of cryptocurrency, and so on. OGUSERS is one of the largest trading platforms where accounts stolen under such circumstances were sold.

As the information security company KELA now reports, the administrator of the OGUsers forum said that the site was hacked again after unknown persons uploaded a web shell to the server. At first, the site administration doubted that the database had been affected, but soon a rival hack forum began selling the stolen OGUsers database for $3,000.

[Image: Hacked OGUsers Forum]

Bleeping Computer, citing its own sources, writes that OGUsers was hacked on April 11, 2021, and the attackers had full access to the database dump. The database included records of approximately 350,000 users and private messages.

A source told the publication that OGUsers uses a variety of plug-ins that contain vulnerabilities that attackers can chain together to install a web shell.

Vitaly Kremez, head of Advanced Intel, says that such leaks from criminal forums may be beneficial to law enforcement and information security researchers:

“This OGUsers leak could potentially help identify cybercriminals via email and IP addresses and then link this information to their real identities. Previous OGUsers leaks contained important clues that helped uncover cybercriminal operations, especially related to fraud and hijacking of cryptocurrency accounts, as well as operations to swap SIM cards.”

Let me remind you that I also wrote about the Netherlands police posting warnings on hacker forums.

CISA experts warned about the growth of LokiBot infostealer activity
https://gridinsoft.com/blogs/cisa-experts-warned-about-the-growth-of-lokibot-infostealer-activity/
Wed, 23 Sep 2020 16:37:26 +0000
Specialists from the Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security (DHS CISA) warned about the growing activity of the LokiBot infostealer (aka Loki and Loki PWS; not to be confused with the Android Trojan of the same name), which has been increasing since July this year.

ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.

[Image: LokiBot infostealer activity growth]

LokiBot is one of the most dangerous infostealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s.

For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password stealing tools (mainly among low and medium-skilled cybercriminals).

Currently, several hack groups use the malware at the same time, spreading it by a variety of methods, from email spam to trojanized installers and malicious torrent files.

“By infecting victims’ computers, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets”, – DHS CISA researchers report.

Today LokiBot is no longer just an infostealer, but a more complex threat. The malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the browser’s internal database) and a screenshot utility (usually used to capture documents after they have been opened on the victim’s computer). In addition, LokiBot also acts as a backdoor, allowing hackers to launch other malware on infected hosts.

The data stolen by LokiBot usually ends up on underground marketplaces. According to KELA analysts, LokiBot is one of the main providers of credentials for the Genesis marketplace.

In 2019, SpamHaus experts named LokiBot the malware with the most active command servers, Any.Run experts placed LokiBot in 4th place in the ranking of the most common threats in 2019, and in the SpamHaus ranking for the first half of 2020, LokiBot confidently occupies second place.

Experts confirm data leak of 26 million LiveJournal users
https://gridinsoft.com/blogs/experts-confirm-data-leak-of-26-million-livejournal-users/
Thu, 28 May 2020 16:12:49 +0000
In mid-May 2020, information about a data leak affecting 33.7 million LiveJournal users appeared in the Telegram channel of Ashot Hovhannisyan, head of the DeviceLock company. Now, experts have confirmed a data leak of 26 million users.

It was reported that the detected text file contains 33,726,800 lines, among which you can find user IDs, email addresses, links to user profiles, as well as passwords in plain text format (among them 795,402 lines had a blank password).

Subsequent analysis of the passwords showed that 69% of mail/password combinations were unique, that is, they had never been found in other leaks before.

Now ZDNet has published material that sheds light on the details of what happened.

“Apparently, LJ suffered from a break-in back in 2014, and rumors about this have been circulating in the network for many years. For example, they talked about compromise in October 2018, when LiveJournal users massively reported that they received old but unique passwords from LiveJournal as part of a blackmail sextortion campaign”, – write ZDNet reporters.

Although the 2014 hack was not officially confirmed, in recent months the DreamWidth blogging platform, created on the basis of the LiveJournal code base, has also been attacked. In a series of posts and tweets, DreamWidth developers talked about the massive credential stuffing attacks they have noted recently.

Reference:

Credential stuffing attacks are attacks in which usernames and passwords stolen from one site are tried on others. Attackers take a ready-made database of credentials (bought on the darknet, collected independently, and so on) and try to use it to log in to other sites and services under their victims’ logins.

Unfortunately, users often reuse the same usernames and passwords across different services without changing them for years, which makes such attacks very effective.
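The detector below is an added example, not code from the Gridinsoft post or from DreamWidth or LiveJournal. It looks for the pattern the reference box describes from the defender's side: one source address trying many distinct accounts within a short window with almost every attempt failing, which is what a replayed credential dump looks like in an authentication log, as opposed to one user mistyping their own password. The log line format, the thresholds and the sample addresses and usernames are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example; the log format, thresholds and sample lines are constructed
for illustration and do not come from any real service.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> login ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: 203.0.113.7 replays a dump against eight accounts (one hit),
# 198.51.100.5 is a user who mistyped once, 192.0.2.9 fails three times on one account.
SAMPLE_LOG = """\
2020-05-27T10:00:01 login ip=203.0.113.7 user=alice result=fail
2020-05-27T10:00:02 login ip=203.0.113.7 user=bob result=fail
2020-05-27T10:00:03 login ip=203.0.113.7 user=carol result=ok
2020-05-27T10:00:04 login ip=203.0.113.7 user=dave result=fail
2020-05-27T10:00:05 login ip=203.0.113.7 user=erin result=fail
2020-05-27T10:00:06 login ip=203.0.113.7 user=frank result=fail
2020-05-27T10:00:07 login ip=203.0.113.7 user=grace result=fail
2020-05-27T10:00:08 login ip=203.0.113.7 user=heidi result=fail
2020-05-27T10:01:00 login ip=198.51.100.5 user=ivan result=fail
2020-05-27T10:01:10 login ip=198.51.100.5 user=ivan result=ok
2020-05-27T10:02:00 login ip=192.0.2.9 user=judy result=fail
2020-05-27T10:02:05 login ip=192.0.2.9 user=judy result=fail
2020-05-27T10:02:09 login ip=192.0.2.9 user=judy result=fail
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line into an Attempt, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.2):
    """Return {ip: summary} for sources that, within `window`, tried at least `min_users`
    distinct accounts with a success ratio of at most `max_success_ratio`.

    A single account failing repeatedly from one address is deliberately not flagged:
    that is a password-guessing or typo pattern, not stuffing of a leaked list.
    """
    by_ip = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        if attempt:
            by_ip[attempt.ip].append(attempt)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        best = None
        start = 0
        # Slide a time window over the sorted attempts and keep the widest qualifying span.
        for end in range(len(attempts)):
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            span = attempts[start:end + 1]
            users = {a.user for a in span}
            successes = sum(a.ok for a in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "successes": successes,
                        # Accounts that accepted a replayed credential: reset + 2FA candidates.
                        "compromised_users": sorted(a.user for a in span if a.ok),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The `compromised_users` list is the actionable output: those are the accounts where a reused password worked, and they are the ones to force through a password reset and two-factor enrollment, the same response OGUsers applied to its own user base after its breach.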

DreamWidth claims that hackers used old combinations of user names and passwords from LiveJournal to crack DreamWidth accounts and posted spam messages on the site.

However, the Rambler company, which owns LiveJournal, still refused to acknowledge the fact of compromise, even after DreamWidth administrators contacted it.

Now, the authoritative leak aggregator Have I Been Pwned (HIBP) has confirmed the fact of leakage of user data from LJ. The administration of the service received a copy of the LiveJournal user database and indexed it on its website.

“The dump contains data of 26,372,781 LiveJournal users: user names, email addresses and passwords in plain text. This is consistent with Ashot Hovhannisyan’s information, which estimates that the dump contains approximately 22.5 million unique mail/password combinations”, – HIBP reported.

Analysts of the information security company KELA found many references to the stolen database and its copies in different places of the hacker underground, and confirmed the existence of a dump.

First, KELA and ZDNet discovered several ads posted by data brokers. In these ads, hackers said they wanted to sell or buy the LiveJournal database. That is, criminals were well aware of the data stolen from LJ and actively exchanged it.

Judging by these announcements, after LJ was compromised in 2014, hackers sold the stolen data privately, passing databases from hand to hand among spammer groups and botnet operators. Since this data was exchanged again and again, the information eventually leaked to the public.

The first sign that the LiveJournal database had become public came in July 2019, when the now defunct WeLeakInfo service, which sold stolen data, announced it.

Over time, this dump became even more widely available. For example, LiveJournal databases were recently sold on the darknet for only $35. The ad shown in the illustration below refers to 33 million records, but this is the overall dump before duplicates were removed.

[Image: Experts confirmed LiveJournal leak]

As a result, the LiveJournal database was published on a well-known hacker forum, from where it instantly spread, and now the dump is offered for free on Telegram channels and uploaded to file sharing services.

[Image: Experts confirmed LiveJournal leak]

ZDNet notes that the DreamWidth platform still suffers from attacks using old credentials stolen from LiveJournal, although the company’s developers release updates and try to protect their users.

Of course, not only DreamWidth users are at risk. People that use LJ logins and passwords on other sites are also at risk of hacking due to credential stuffing attacks. Users that changed their LJ password after 2014 may be safe, however, experts still advise changing the passwords from any other accounts where the same credentials could be reused.

Interestingly, ZDNet managed to get a comment from Rambler representatives yesterday. The fact is that two weeks ago the company announced that the information about the data leak “is not true – this is one of the clickbait news, the task of which is to attract interest of a third party in this matter.”

Now representatives of the Rambler Group holding continue to deny that hackers gained access to their systems, but they confirm the existence of a dump and say that the database contains information that hackers collected over many years from various sources: malware-infected systems (data stolen from browsers) and brute-force attacks (hackers simply guessed passwords to LiveJournal accounts).
