Cyber Updates – June 10, 2021
This month we see many trends and developments in cyber data. Dark web actors now prefer Telegram over dark web forums and marketplaces. Phishing and ransomware are on the rise. More than 520 suspects in Seoul were rounded up for trading drugs on the dark net – and identified via their use of cryptocurrency.
But not only do we see these trends in the mainstream media – we can also confirm them in our data here at Webhose.
Here’s what’s new in Webhose’s dark web monitoring this month.
Phishing, Ransomware and Web App Attacks are on the Rise
According to the latest Verizon Data Breach Report, there has been a significant spike in the number of phishing, ransomware and web app attacks on companies. We are able to support this claim in our dark web data.
The report is based on over 29,000 reported incidents in 2020. Over 5,200 were confirmed breaches. DDoS was the most common attack, with social engineering, phishing and web application exploits causing most of the breaches. Since cloud infrastructure is now the data center for many organizations, attackers now focus on it as a primary target. It also gives attackers potential access to a lot of sensitive data.
The graph below shows mentions of dark web cloud and Business Email Compromise (BEC) tools from Webhose’s dark web data repository last year. As you can see, demand rose for these tools from July to October.
With dark web monitoring, businesses across all types of industries can receive both targeted intelligence as well as intelligence about specific trends of attack vectors or indications of compromise.
Malicious Actors Now Prefer Telegram to the Dark Web
With more than 500 million users all over the world, Telegram is now one of the most popular chat applications. Since it offers its users end-to-end encryption, ease of use, and the ability to open new groups and control its permissions, dark web actors have migrated to Telegram from other dark web platforms such as forums and marketplaces. This trend shows no signs of stopping.
Webhose crawls more than a million new messages in Telegram each day. We also monitor and discover new groups and channels actors use for different illicit activities.
As Telegram gained more popularity over the last two years, we also saw a big increase in its use for illicit activity. We cover thousands of different channels and groups that include discussions related to illegal topics such as drug sales, sharing of compromised data, extremist activity, hacking related activities and much more.
One recent phenomenon we saw is individual actors or groups of malicious actors opening their own group or channel and sharing content related to their activities. For example, Arvin Club is a group of Persian actors who have their own website. On the website they share leaked databases of different companies and organizations, such as the Iranian bank Mellat. Recently, they started to share information about the leaks in their own Telegram channel as well.
More Than 520 Suspects Caught Trading Drugs on Dark Web Using Cryptocurrencies
More than 520 drug trafficking suspects in Seoul, Korea have recently been caught on charges of distributing, selling or buying drugs over the dark web using cryptocurrencies. This isn’t a big surprise to us, since at Webhose we often encounter the phenomenon of the illegal use of crypto coins as a payment for hacking services, drug selling and more.
Cryptocurrencies are popular on the dark web because they provide a convenient method for covert trading. We cover several types of cryptocurrencies, such as BTC, ETH, Monero, Litecoin, Coinbase and Ripple. BTC is the most common coin used on all platforms.
Bitcoin is accepted at all e-commerce storefronts (marketplaces and stores) as well as hacking forums on the dark web. It is used by hackers, drug dealers, PII traders, weapon sellers, fraudsters – anyone who wants to stay anonymous or keep their occupation secret. Slowly, we are starting to see Ethereum becoming more popular and accepted as a method of payment in more marketplaces.
Here are a few examples we found using our Cyber API just from the past week:
To see content related to the use of crypto coins for illicit purposes, use the query:
enriched.wallet_id.count:>0 OR (ETH OR ethereum OR ether OR Ξ OR “My eth” OR BTC OR bitcoin OR ₿ OR monero OR XMR OR Bytecoin OR BitMonero OR ripple OR litecoin OR LTC OR Ł OR XRP OR coinbase OR square OR dash OR BitcoinCash OR BCH) AND (buy OR sell OR sale OR trade OR exchange OR dump)
Turkish Hacking Forums Available in Webhose’s Coverage
Webhose covers several Turkish deep web hacking forums. Although these sites are most likely local Turkish sites, some of them are very large; they can include hundreds of thousands of users and posts. Two very popular sites in the Turkish hacking community that Webhose covers are siberdeyiz and imhatimi.
These deep web forums have various site sections dedicated to different topics. Most of them are illicit and related to hacking and cyber threats.
The most popular subjects include:
- PII – Leaked or cracked accounts and databases shared for free or for sale.
- Web hacking sections – Actors posting hacking tools, methods and cyber-attacks both for free and for sale. We can also see discussions related to vulnerabilities and exploits on websites.
- Warez – Pirated software distributed over the Internet. Hackers often install their own viruses on pirated software before distribution.
The image below shows a hacker sharing the database of tutter.com. In the post he mentions the database includes names, surnames and phone numbers.
To see content from Turkish hacking forums, use the query:
Site.domain:(siberdeyiz.com OR turkhackteam.org OR turkhacks.com)
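To show how the two queries above actually select messages, here is an added example (my own code, not Webhose's Cyber API or its query engine): a small recursive-descent parser for the Lucene-style syntax the queries use (OR, AND, parentheses, quoted phrases, `field:value` and `field:>N`) and a matcher that runs both queries over a handful of constructed documents. It assumes that AND binds tighter than OR (so the crypto query reads as "wallet count > 0, or a coin term and a trading term"), that bare terms are case-insensitive whole-word matches on the message text, and that field names are compared case-insensitively. The sample documents, their ids and the `text`, `site.domain` and `enriched.wallet_id.count` keys they carry are constructed for the demo and are not crawled data.

```python
import re

# Both Cyber API queries from the post, copied verbatim (curly quotes around “My eth” included).
CRYPTO_QUERY = (
    "enriched.wallet_id.count:>0 OR (ETH OR ethereum OR ether OR Ξ OR “My eth” OR BTC OR bitcoin "
    "OR ₿ OR monero OR XMR OR Bytecoin OR BitMonero OR ripple OR litecoin OR LTC OR Ł OR XRP OR "
    "coinbase OR square OR dash OR BitcoinCash OR BCH) AND (buy OR sell OR sale OR trade OR "
    "exchange OR dump)"
)
TURKISH_FORUMS_QUERY = "Site.domain:(siberdeyiz.com OR turkhackteam.org OR turkhacks.com)"

# Token classes: parentheses, the field separator ':', straight- or curly-quoted phrases,
# and bare words (which may contain dots, '>' and symbols such as ₿ or Ξ).
TOKEN_RE = re.compile(r'\(|\)|:|"[^"]*"|“[^”]*”|[^\s():"“”]+')


class QueryParser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*; AND binds tighter than OR (assumption)."""

    def __init__(self, query):
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        tree = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == "AND":
            self.take()
            left = ("and", left, self.parse_atom())
        return left

    def parse_atom(self):
        tok = self.take()
        if tok is None or tok in (")", "OR", "AND"):
            raise ValueError(f"expected a term, got {tok!r}")
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if self.peek() == ":":  # field:value or field:(... OR ...)
            self.take()
            return ("field", tok.lower(), self.parse_atom())
        return ("term", tok.strip('"“”'))


def parse_query(query):
    return QueryParser(query).parse()


def matches(node, doc, field=None):
    """Evaluate a parsed query against one document; `field` is the enclosing field: context."""
    kind = node[0]
    if kind == "or":
        return matches(node[1], doc, field) or matches(node[2], doc, field)
    if kind == "and":
        return matches(node[1], doc, field) and matches(node[2], doc, field)
    if kind == "field":
        return matches(node[2], doc, node[1])
    value = node[1]
    if field is None:  # bare term: case-insensitive whole-word search in the message text
        pattern = r"(?<!\w)" + re.escape(value) + r"(?!\w)"
        return re.search(pattern, doc.get("text", ""), re.IGNORECASE) is not None
    actual = doc.get(field)
    if actual is None:
        return False
    if value.startswith(">"):  # numeric range, the only operator the post's queries use
        return float(actual) > float(value[1:])
    return str(actual).lower() == value.lower()


def select(query, docs):
    """Return the ids of the documents a query selects, in input order."""
    tree = parse_query(query)
    return [doc["id"] for doc in docs if matches(tree, doc)]


# Constructed sample documents shaped like Cyber API results (not real crawled data).
SAMPLE_DOCS = [
    {"id": "telegram-1", "site.domain": "t.me", "enriched.wallet_id.count": 0,
     "text": "Leaked database for sale, payment in BTC only, DM for price"},
    {"id": "forum-1", "site.domain": "siberdeyiz.com", "enriched.wallet_id.count": 0,
     "text": "Yeni üyeler için forum kuralları"},
    {"id": "news-1", "site.domain": "example-news.com", "enriched.wallet_id.count": 0,
     "text": "Bitcoin and ETH prices fell sharply today, analysts say"},  # coin term, no trade term
    {"id": "forum-2", "site.domain": "example-forum.net", "enriched.wallet_id.count": 2,
     "text": "Contact me for the service, payment details in the wallet below"},
]

if __name__ == "__main__":
    for name, query in (("crypto", CRYPTO_QUERY), ("turkish forums", TURKISH_FORUMS_QUERY)):
        print(f"{name}: {select(query, SAMPLE_DOCS)}")
```

The `news-1` document is the instructive case: it mentions two coins but none of the trading verbs, so the AND clause keeps it out of the crypto result set, while `forum-2` is selected purely on the enriched wallet count without any coin keyword in the text.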
That’s it for our Cyber News Update from our Cyber Team this time. We’ll be back next time with more exciting updates from the world of cyber.
Stay tuned for more updates!
Until next time,