2022 Fraud Summary For The Financial Sector

In 2022, DarkArmor uncovered 9,573 accounts being sold on the darkweb with the sum of $683 million. These accounts were openly available for sale and the cybercriminals even provided online banking screenshots as proof.

Written by Nguyen Nguyen on January 21, 2023

At DarkArmor, we are constantly researching and developing new techniques to detect threats and provide intelligence for organizations to proactively protect their assets. Our systems have identified three times the amount of data compared to when we began our research and we are continuously adding new assets for mitigation. Our platform allows organizations to filter out irrelevant information and take action on meaningful intelligence, which helps to reduce the risk of fraud in the future. From account takeover to compromised users, our platform helps organizations to stay one step ahead of cybercriminals.

Cybercriminals are constantly evolving their tactics and technologies to exploit organizations and individuals. From social engineering to ransomware, the threat landscape is always expanding. No one is immune, whether it be end users, enterprises, open-source software, supply chains, or password managers. Criminals use automation to enhance their attacks, such as automated account stuffing/checking, using messaging platforms like Telegram for phishing, utilizing voice technology like Twilio to deceive users into providing MFA codes, or hosting phishing websites on InterPlanetary File System (IPFS) like Fleek. As their methods improve, it is essential for organizations to stay proactive in protecting their assets.

In 2022, DarkArmor uncovered 9,573 accounts being sold on the darkweb with the sum of $683 million. These accounts were openly available for sale and the cybercriminals even provided online banking screenshots as proof. Our systems also identified 426 thousand credit/debit cards and 12 million credentials stolen through phishing and malware attacks. Figure 1 illustrates an overview of the data we uncovered for 2022.

Accounts For Sale

Compromised accounts refer to those that have been taken over by an attacker, usually as a result of phishing or malware attacks. These accounts are often advertised for sale on the darkweb or Telegram platforms, with prices as low as $5 depending on the value of the account. Once the attacker has taken control of the account, they can steal money through ACH transfer, Zelle, or by transferring it to a mule account.

Credit Cards/Debit Cards Found on the DarkWeb

According to our observations, there was an increase in the number of credit/debit cards shared on the underground market in 2022. These cards were often obtained through malware stealers and phishing attacks. Criminals have developed various tools to allow actors to verify the validity of the cards. They then use the stolen data to create cloned cards and conduct fraudulent activities.

Compromised Credentials

Data breaches remain a significant issue in cyber security. From Microsoft to Uber, cybercriminals are able to steal credentials and take over accounts. Once they have access, they can pivot and steal additional data, which can cause additional problems for users in the future. As seen in the LastPass breach at the end of 2022, criminals have the knowledge and skills to steal critical assets such as customer data. This incident will likely lead to attacks in the immediate future through phishing or social engineering, or when the credentials are exposed after the criminal cracks the vault. In 2022, we identified almost 13 million credentials in the wild. Criminals can use these credentials in tools such as account checkers to identify credential reuse and perform takeovers.

Automated Phishing Attacks

Phishing attacks are one of the most common methods cybercriminals use to steal a user’s credentials and credit card information. A phishing kit typically stores the captured credentials in one of two ways: it either emails them directly to the attacker, or it writes them to a file on the phishing server to be collected later. Both of these classical approaches have drawbacks for the attacker, notably that they cannot bypass multi-factor authentication (MFA) if the targeted brand has enabled MFA for its users, because the attacker is not in the loop at the moment the one-time code is issued.

Recently, many phishing kits have begun leveraging Telegram platforms as the destination for stolen credentials. This allows the attacker to receive the credentials in near real-time and log in, triggering the one-time password (OTP). As the user receives the OTP, the phishing website updates to request the OTP. Once the user submits the OTP on the phishing website, the cybercriminal receives the OTP and is able to enter the real website, allowing them to take over the account in near real-time. Figure 2 illustrates the attack flow using a Telegram phishing kit.

Below is the flow of the automated attack:

  1. The attacker sends a phishing campaign to the targets.
  2. The target user reads the email and clicks on the phishing link.
  3. The user accesses the phishing website through their browser and submits their credentials through the login screen.
  4. The phishing website sends the credentials to the Telegram channel using the Telegram Bot API.
  5. The attacker accesses the credentials in their Telegram channel.
  6. The attacker opens the legitimate website and submits the user’s credentials.
  7. The attacker triggers the OTP through email or SMS, which is sent to the user’s device.
  8. The user submits the OTP code on the phishing website.
  9. The phishing website sends the OTP code to the Telegram channel.
  10. The attacker retrieves the OTP and submits it to the legitimate website.
  11. The attacker takes over the user’s account.

By using the Telegram Bot API, the attacker is able to compromise the user’s account in real-time. The following code shows a simple API used by a phisher to accomplish this:

As mentioned above, the phishing page sends an HTTPS POST request to the Telegram Bot API endpoint to deliver the phished credentials to the attacker’s channel. The endpoint has the following form (defanged):

hxxps://api.telegram.org/bot<bot_token>/sendMessage
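Because the phishing kit talks to a fixed, well-known endpoint, the same URL shape is a useful detection signal on the defender’s side: a web server or compromised host that issues POST requests to `api.telegram.org/bot<token>/sendMessage` is worth investigating. The following Python is an added example, not DarkArmor’s code; the egress-log format and the bot tokens in it are constructed for illustration, and the detection runs entirely offline over those sample lines.

```python
"""
Flag outbound Telegram Bot API exfiltration calls in web-server egress logs.

Added example (not DarkArmor's code). The log format is an assumed,
constructed forward-proxy format:
    <timestamp> <source_host> <http_method> <url> <status>
A real deployment would swap in the parser for the proxy or egress format
actually in use; the URL matching logic stays the same.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample egress log. The bot tokens are fake placeholders.
SAMPLE_LOG = """\
2022-11-03T10:14:02Z web-01 POST https://api.telegram.org/bot123456789:AAEXAMPLETOKENEXAMPLETOKEN/sendMessage 200
2022-11-03T10:14:05Z web-01 GET https://cdn.example.net/jquery.min.js 200
2022-11-03T10:15:11Z web-02 POST https://api.telegram.org/bot987654321:BBEXAMPLETOKENEXAMPLETOKEN/sendDocument 200
2022-11-03T10:16:40Z web-01 GET https://api.telegram.org/bot123456789:AAEXAMPLETOKENEXAMPLETOKEN/getUpdates 200
2022-11-03T10:17:00Z web-03 POST https://mail.example.net/send 200
"""

# Telegram Bot API URLs have the shape https://api.telegram.org/bot<id>:<secret>/<method>.
# The <id>:<secret> pair is the bot token shown as <bot_token> in the text above.
TELEGRAM_BOT_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)

# Bot API methods that push data into a channel; these are the ones a kit uses
# to deliver phished credentials and OTP codes. getUpdates (polling) is not
# flagged here, though a web server calling it is also unusual.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass
class Finding:
    timestamp: str
    source_host: str
    bot_id: str      # numeric part of the token; safe to share with Telegram/abuse teams
    method: str


def redact_token(url: str) -> str:
    """Replace the secret half of a bot token so a finding can be shared safely."""
    return TELEGRAM_BOT_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m.group('bot_id')}:<REDACTED>/{m.group('method')}",
        url,
    )


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per POST to a Telegram Bot API exfiltration method."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip malformed lines rather than crash
            continue
        ts, host, verb, url, _status = parts
        m = TELEGRAM_BOT_RE.match(url)
        if m is None:
            continue
        if verb != "POST" or m.group("method") not in EXFIL_METHODS:
            continue
        findings.append(Finding(ts, host, m.group("bot_id"), m.group("method")))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.source_host} -> bot {f.bot_id} via {f.method}")
```

On the sample above the scan yields two findings (web-01 and web-02) and ignores the polling call and the unrelated mail traffic. The bot id alone is enough for a takedown or abuse report, which is why the secret half of the token is redacted before a finding leaves the SOC.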

Malware Stealers

In addition to social engineering tactics, cybercriminals also use malware stealers such as Redline malware to steal credentials from users, allowing them to take over accounts and commit fraud. We have identified over 12 million unique credentials stolen by various malware families.

Malware stealers harvest credentials from both local password stores and browser password managers. The stolen credentials can then be fed into a password checker to identify whether they are being reused at a different organization. To reduce the risk of compromise through third-party breaches, using a password manager to generate a unique random password for every site is an important step, since a stolen password that is not reused elsewhere cannot be replayed against other accounts. In addition to password managers, using hardware authentication devices such as a YubiKey can further improve your protection.

Conclusion

As we have analyzed the darkweb and improved our detection over the past few years, we have observed fraud continuing to rise and cybercriminals taking every opportunity to steal money. We have seen how criminals took advantage of the COVID-19 pandemic in 2020 to steal money through SBA, PPP, and PUA programs. They have moved from private forums and Tor networks to more open platforms such as Telegram, Facebook, and Discord. To reduce losses from fraud and stay ahead, financial institutions must continue to adapt to the latest technologies. With fraud within the financial sector expected to keep rising in the coming year, we look forward to helping customers protect their assets. If you would like more information, please visit our contact page.

About the Author

Nguyen Nguyen

Nguyen is a seasoned cybersecurity leader with over 15 years of experience in software engineering, malware research, and cyber threat intelligence.
