Cyber Updates – May 13th, 2021

Posted on May 13, 2021 by Webhose

read the article

This month our cyber updates include the Aurora exit scam, the hijacking of Dark.fail, and the seizure of BoysTown pedophilia site. Of course, no cyber update would be complete without mentioning the colossal Colonial Pipeline cyberattack and the DarkSide hacking group responsible for it. 

But before you read on, take a minute to learn more about increasing digital threats to organizations across all industries in a booklet we’ve prepared for you with real examples we’ve found recently on the dark web.

Discover Digital Threats from the Dark Web

Leaked credit cards, counterfeiting attempts, leaked data, illicit trafficking for drugs, weapons, and hacking tools – these are just a few of the threats organizations across all industries face today. Learn about the top digital risks your organization and customers are exposed to that Webhose can help you identify, detect and mitigate against with examples we recently found in our daily dark web monitoring.

Aurora Market Exit Scam

Established in November 2020, Aurora market has a reputation for its original site design. This is opposed to other marketplaces which are based on an existing script. Aurora market is also unique in its ability to allow users to buy more than one product at a time. 

Last week, users in dark web forums started to speculate about a potential exit scam being executed by the site admins. Users of the site claimed the admin named Polarlight took over the site wallets and servers. As a result, buyers were no longer able to withdraw their funds in the market. Last Tuesday, the other Admin, Northernlight, posted on Dread forum and claimed Polarlight deceived him. Consequently. he lost the $50,000 he invested in the site while Polarlight stole nearly $250,000. 

At the time of this publication, the market domain is still active but users all over the dark web have been alerted not to use it. 

To see posts Webhose crawled from Aurora and to read further discussions on the current situation of the market use the following query:
(aurora AND (“exit scam” OR “exitscamming” OR situation))

Dark.fail Hijacked

Dark web sites on the TOR network have a special suffix: “.onion”. These sites are not searchable through search engines and cannot be indexed. Instead, actors share them with the public online in announcements and site links in forums, chatting applications, and directories. 

Dark.fail is a dark web director, it provides trusted links to dark web marketplaces. But on April 29th, Dark.fail was compromised by an actor that successfully “stole” the domain. He used a fake court order to convince a domain registrar to transfer ownership of the domain to him. He then changed the dark web links on the site. The new links led to copies of the original market sites designed to steal users’ bitcoin, a classic phishing scam.

 

Phishing scams like this – when hackers make lookalike sites on the dark web  – occur often.  But the use of a fake court order is unusual. 

 

On May 5th, Dark.fail announced that it had regained control of the domain. 

To see posts related to Dark.fail hijack use the query: site.domain:darkfailllnkf4vf.onion OR dark.fail OR darkdotfail

DarkSide Hacking Group and Colonial Pipeline Cyberattack

On May 7th, Colonial Pipeline Company, the operator of the biggest gasoline pipeline in the U.S., shut down its operations due to a cybersecurity attack. 

The attack on Colonial Pipeline is one of the most significant attacks on critical national infrastructure in history. Colonial is the main source of gasoline, diesel and jet fuel for the East Coast. Following the attack, President Joe Biden declared a state of emergency on May 9th.

So who is responsible for this colossal attack?

The FBI confirmed after a few days that a relatively new ransomware group known as DarkSide is responsible. The group made a statement about the attack as well on its dark web website:

Growth of child sexual abuse chattering found in Webhose’s dark web data

The statement claimed that it had not intended to damage national infrastructure and announced that they would. Their main goal, they explained, was to extort money from big companies like Colonial. 

 DarkSide, first known in August 2020, is a ransomware-as-a-service (RaaS) platform that cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. The group is known for its Robin Hood-style image of stealing from the rich and giving a portion to the poor. DarkSide claimed it targets only big companies, and forbids affiliates from executing ransomware attacks on organizations in industries such as healthcare, funeral services, education, public sector and non-profits.

Webhose has crawled DarkSide’s site since September 2020. We also collect data revolving around its activities in dark web forums. 

To see more content related to the group and the event, use the query:

site.domain:darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/press-center OR darkside OR darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion OR (Colonial Pipeline)

BoysTown Pedophilia Site Seized

Child sexual abuse (CSA) is a form of maltreatment recognized globally as a serious human rights violation and a major public health concern. According to experts, the full extent of CSA perpetration remains unknown. The vast majority of survivors (93%) don’t report the abuse to authorities before the age of fifteen. 

One of the largest international platforms for child sexual abuse sites in the dark web  was seized recently after a complex investigation of the German authorities. Four German citizens that actively operated this platform were arrested.

Our Webhose dark web data has detected strong indications that the child pornography (CP) chattering is growing, as can be seen from the graph below.

Growth of child sexual abuse chattering found in Webhose’s dark web data

Using Webhose, organizations can not only detect pedo chattering, but also profile relevant criminals.

That’s it for our Cyber News Update from our Cyber Team this time. We’ll be back again with more exciting updates from the world of cyber. Stay tuned for more updates!

 Until next time, 

Team Webhose