15-Year-Old Malware Proxy Network VIP72 Goes Dark

September 1, 2021

Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.

Like other anonymity networks marketed largely on cybercrime forums online, VIP72 routes its customers’ traffic through computers that have been hacked and seeded with malicious software. Using services like VIP72, customers can select network nodes in virtually any country, and relay their traffic while hiding behind some unwitting victim’s Internet address.

The domain Vip72[.]org was originally registered in 2006 to “Corpse,” the handle adopted by a Russian-speaking hacker who gained infamy several years prior for creating and selling an extremely sophisticated online banking trojan called A311 Death, a.k.a. “Haxdoor,” and “Nuclear Grabber.” Haxdoor was way ahead of its time in many respects, and it was used in multiple million-dollar cyberheists long before multi-million-dollar cyberheists became daily front page news.

An ad circa 2005 for A311 Death, a powerful banking trojan authored by “Corpse,” the administrator of the early Russian hacking clique Prodexteam. Image: Google Translate via Archive.org.

Between 2003 and 2006, Corpse focused on selling and supporting his Haxdoor malware. Emerging in 2006, VIP72 was clearly one of his side hustles that turned into a reliable moneymaker for many years to come. And it stands to reason that VIP72 was launched with the help of systems already infected with Corpse’s trojan malware.

The first mention of VIP72 in the cybercrime underground came in 2006 when someone using the handle “Revive” advertised the service on Exploit, a Russian language hacking forum. Revive established a sales presence for VIP72 on multiple other forums, and the contact details and messages shared privately by that user with other forum members show Corpse and Revive are one and the same.

When asked in 2006 whether the software that powered VIP72 was based on his Corpse software, Revive replied that “it works on the new Corpse software, specially written for our service.”

Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents

August 25, 2021

In 2018, Andrew Schober was digitally mugged for approximately $1 million worth of bitcoin. After several years of working with investigators, Schober says he’s confident he has located two young men in the United Kingdom responsible for using a clever piece of digital clipboard-stealing malware to siphon his crypto holdings. Schober is now suing each of their parents in a civil case that seeks to extract what their children would not return voluntarily.

In a lawsuit filed in Colorado, Schober said the sudden disappearance of his funds in January 2018 prompted him to spend more than $10,000 hiring experts in the field of tracing cryptocurrency transactions. After months of sleuthing, his investigators identified the likely culprits: Two young men in Britain who were both minors at the time of the crime (both are currently studying computer science at U.K. universities).

A forensic investigation of Schober’s computer found he’d inadvertently downloaded malicious software after clicking a link posted on Reddit for a purported cryptocurrency wallet application called “Electrum Atom.” Investigators determined that the malware was bundled with the benign program, and was designed to lie in wait for users to copy a cryptocurrency address to their computer’s temporary clipboard.

When Schober went to move approximately 16.4 bitcoins from one account to another — by pasting the lengthy payment address he’d just copied — the malware replaced his bitcoin payment address with a different address controlled by the young men.

Schober’s lawsuit lays out how his investigators traced the stolen funds through cryptocurrency exchanges and on to the two youths in the United Kingdom. In addition, they found one of the defendants — just hours after Schober’s bitcoin was stolen — had posted a message to GitHub asking for help accessing the private key corresponding to the public key of the bitcoin address used by the clipboard-stealing malware.

Investigators found the other defendant had the malware code that was bundled with the Electrum Atom application in his GitHub code library.

Initially, Schober hoped that the parents of the thieving teens would listen to reason, and simply return the money. So he wrote a letter to the parents of both boys:

“It seems your son has been using malware to steal money from people online,” reads the opening paragraph of the letter Schober emailed to the families. “Losing that money has been financially and emotionally devastating. He might have thought he was playing a harmless joke, but it has had serious consequences for my life.”

A portion of the letter that Schober sent to two of the defendants in 2018, after investigators determined their sons were responsible for stealing nearly $1 million in cryptocurrency from Schober.

Met with continued silence from the parents for many months, Schober filed suit against the kids and their parents in a Colorado court. A copy of the May 2021 complaint is here (PDF).

Now they are responding. One of the defendants — Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included the letter in the screenshot above, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft.

Neither of the defendants’ families are disputing the basic claim that their kids stole from Mr. Schober. Rather, they’re asserting that time has run out on Schober’s legal ability to claim a cause of action against them.


Wanted: Disgruntled Employees to Deploy Ransomware

August 19, 2021

Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.

Image: Abnormal Security.

Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on GitHub.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.

Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram.

Image: Abnormal Security.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.

“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.

According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.

Image: FBI

“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”

“While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.

DON’T QUIT YOUR DAY JOB

Cybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer’s network for a fee (for more on that, see my 2016 story, Rise of the Darknet Stokes Fear of the Insider).

T-Mobile: Breach Exposed SSN/DOB of 40M+ People

August 18, 2021

T-Mobile is warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. The acknowledgment came less than 48 hours after millions of the stolen T-Mobile customer records went up for sale in the cybercrime underground.

In a statement Tuesday evening, T-Mobile said a “highly sophisticated” attack against its network led to the breach of data on millions of customers.

“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the company wrote in a blog post. “Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”

Nevertheless, T-Mobile is urging all T-Mobile postpaid customers to proactively change their account PINs by going online into their T-Mobile account or calling customer care at 611. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” the advisory reads.

It is not clear how many people total may be impacted by this breach. T-Mobile hasn’t yet responded to requests for clarification regarding how many of the 7.8 million current customers may also have been affected by the credit application breach.

T-Mobile Investigating Claims of Massive Data Breach

August 16, 2021

Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer’s mobile device.

On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data,” but said it was too soon in its investigation to know what was stolen and how many customers might be affected.

A sales thread tied to the allegedly stolen T-Mobile customer data.

“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote.

“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but were instead in charge of finding buyers for the stolen T-Mobile customer data.

Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.

They claim one of those databases holds the name, date of birth, SSN, driver’s license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.

“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.

“Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.”

New Anti Anti-Money Laundering Services for Crooks

August 13, 2021

A new dark web service is marketing to cybercriminals who are curious to see how their various cryptocurrency holdings and transactions may be linked to known criminal activity. Dubbed “Antinalysis,” the service purports to offer a glimpse into how one’s payment activity might be flagged by law enforcement agencies and private companies that try to link suspicious cryptocurrency transactions to real people.

Sample provided by Antinalysis.

“Worried about dirty funds in your BTC address? Come check out Antinalysis, the new address risk analyzer,” reads the service’s announcement, pointing to a link only accessible via Tor. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

The ad continues:

“Some people might ask, why go into all that? Just cash out in XMR and be done with it. The problem is, cashing out in Monero raises eyebrows on exchanges and mail by cash method is sometimes risky as well. If you use BTC->XMR->BTC method, you’ll still get flagged down by our services labelled as high risk exchange (not to mention LE and exchanges). Our service provides you with a view from LE/exchange’s perspective of things (with similar accuracy, but quite different approach) that provides you with basic knowledge of how “clean” your address is.”

Tom Robinson, co-founder of blockchain intelligence firm Elliptic, said Antinalysis is designed to help crypto money launderers test whether their funds will be identified as proceeds of crime by regulated financial exchanges.

“Cryptoassets have become an important tool for cybercriminals,” Robinson wrote. “The likes of ransomware and darknet markets rely on payments being made in Bitcoin and other cryptocurrencies. However, laundering and cashing-out these proceeds is a major challenge.”

Cryptocurrency exchanges make use of blockchain analytics tools, he said, to check customer deposits for links to illicit activity. By tracing a transaction back through the blockchain, these tools can identify whether the funds originated from a wallet associated with ransomware or any other criminal activity.

“The launderer therefore risks being identified as a criminal and being reported to law enforcement whenever they send funds to a business using such a tool,” Robinson said. “Antinalysis seeks to help crypto launderers to avoid this, by giving them a preview of what a blockchain analytics tool will make of their bitcoin wallet and the funds it contains.”

Each lookup at Antinalysis costs roughly USD $3, with a minimum $30 purchase. Other plans go as high as $6,000 for 5,000 requests.

Robinson says the creator of Antinalysis is also one of the developers of Incognito Market, a darknet marketplace specializing in the sale of narcotics.

“Incognito was launched in late 2020, and accepts payments in both Bitcoin and Monero, a cryptoasset offering heightened anonymity,” he wrote. “The launch of Antinalysis likely reflects the difficulties faced by the market and its vendors in cashing out their Bitcoin proceeds.”

Elliptic wasn’t impressed with the quality of the intelligence provided by Antinalysis, saying it performs poorly on detecting links to major darknet markets and other criminal entities. But with countless criminals now making millions from ransomware, there is certainly a vast, untapped market for services that help those folks improve their operational security.

“It is also significant because it makes blockchain analytics available to the public for the first time,” Robinson wrote. “To date, this type of analysis has been used primarily by regulated financial service providers.”

Microsoft Patch Tuesday, August 2021 Edition

August 10, 2021

Microsoft today released software updates to plug at least 44 security vulnerabilities in its Windows operating systems and related products. The software giant warned that attackers already are pouncing on one of the flaws, which ironically enough involves an easy-to-exploit bug in the software component responsible for patching Windows 10 PCs and Windows Server 2019 machines.

Microsoft said attackers have seized upon CVE-2021-36948, which is a weakness in the Windows Update Medic service. Update Medic is a new service that lets users repair Windows Update components from a damaged state so that the device can continue to receive updates.

Redmond says while CVE-2021-36948 is being actively exploited, it is not aware of exploit code publicly available. The flaw is an “elevation of privilege” vulnerability that affects Windows 10 and Windows Server 2019, meaning it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system.

“CVE-2021-36948 is a privilege escalation vulnerability – the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts,” said Kevin Breen of Immersive Labs. “In the case of ransomware attacks, they have also been used to ensure maximum damage.”

Phishing Sites Targeting Scammers and Thieves

August 9, 2021

I was preparing to knock off work for the week on a recent Friday evening when a curious and annoying email came in via the contact form on this site:

“Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.”

The real BriansClub login page.

Several things stood out in Mitch’s message. For starters, that is not the actual domain for BriansClub. And it’s easy to see why Mitch got snookered: The real BriansClub site is currently not at the top of search results when one queries that shop name at Google.

Also, this greenhorn criminal clearly had bought into BriansClub’s advertising, which uses my name and likeness in a series of ads that run on all the top cybercrime forums. In those ads, a crab with my head on it zigs and zags on the sand. This is all meant to be a big joke: Krebs means “crab” or “cancer” in German, but a “crab” is sometimes used in Russian hacker slang to refer to a “carder,” or a person who regularly engages in street-level credit card fraud. Like Mitch.

In late 2019, BriansClub changed its homepage to include doctored images of my Social Security and passport cards, credit report and mobile phone bill information. That was right after KrebsOnSecurity broke the news that someone had hacked BriansClub and siphoned information on 26 million stolen debit and credit accounts. The hacked BriansClub database had an estimated collective street value of $566 million, and that data was subsequently shared with thousands of financial institutions.

Mitch said he’d just made a deposit of $240 worth of bitcoin at BriansClub[.]com, and was wondering when the funds would be reflected in the balance of his account on the shop.

Playing along, I said I was sorry to hear about his ordeal, and asked Mitch if there were any stolen cards issued by a particular bank or to a specific region that he was seeking.

Mitch didn’t bite, but neither would he be dissuaded that I was at fault for his wayward funds. He shared a picture showing funds he’d sent to the bitcoin address instructed by BriansClub[.]com — 1PLALmM5rrmLTGGVRHHTnB6VnZd3FFwh1Z — using a Bitcoin ATM in Canada.

The real BriansClub uses a dodgy virtual currency exchange service based in St. Petersburg, Russia called PinPays. The company’s website has long featured little more than a brand icon and an instant messenger address to reach the proprietor. The fake BriansClub told Mitch the Bitcoin address he was asked to pay was a PinPays address that would change with each transaction.

The payment message displayed by the carding site phishing domain BriansClub[.]com.

However, upon registering at the phishing site and clicking to fund my account, I was presented with the exact same Bitcoin address that Mitch said he paid. Also, the site wasn’t using PinPays; it was just claiming to do so to further mimic the real BriansClub.

According to the Blockchain, that Bitcoin address Mitch paid has received more than a thousand payments over the past five months totaling more than USD $40,000 worth of Bitcoin. Most are relatively small payments like Mitch’s.

The screenshot Mitch sent of his deposit.

Unwary scammers like Mitch are a dime a dozen, as are phishing sites that spoof criminal services online. Shortly after it came online as a phishing site last year, BriansClub[.]com was hosted at a company in Moscow with just a handful of other domains phishing popular cybercrime stores, including Jstashbazar[.]com, vclub[.]cards, vclubb[.]com and vclub[.]credit.

Whoever’s behind these sites is making a decent income fleecing clueless crooks. A review of the Bitcoin wallet listed as the payment address for BriansClub[.]org, for example, shows a similar haul: 704 transactions totaling $38,000 in Bitcoin over the past 10 months.

“Wow, thanks for ripping me off,” Mitch wrote, after I’d dozed off for the evening without responding to his increasingly strident emails. “Should have spent the last money on my bills I’m trying to pay off. Should have known you were nothing but a thief.”

Deciding the ruse had gone too far, I confessed to Mitch that I wasn’t really the administrator of BriansClub, and that the person he’d reached out to was an independent journalist who writes about cybercrime. I told him not to feel bad, as more than a thousand people had been similarly duped by the carding shop.

But Mitch did not appear to accept my confession.

“If that’s the case then why is your name all over it including in the window that opens up when you go to make a deposit?” Mitch demanded, referring to the phishing site.

Clearly, nothing I said was going to deter Mitch at this point. He asked in a follow-up email if a link he included in the message was indeed the “legitimate” BriansClub address. My only reply was that he should maybe consider another line of work before he got ripped off yet again, or the Royal Canadian Mounted Police showed up at his doorstep.

Ransomware Gangs and the Name Game Distraction

August 5, 2021

It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.

A rough timeline of major ransomware operations and their reputed links over time.

Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.

Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.

One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice.

After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.

DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.

REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

A REvil ransom note.

Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.

Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.

But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”

Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” GandCrab bragged.

And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.

The Life Cycle of a Breached Database

July 29, 2021

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.

When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.

How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).

“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.

From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).

This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.

But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.
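The cracking and re-use testing described above, as an added Python example that is not from the article: it precomputes an MD5 dictionary once and recovers passwords from a constructed breached table by pure lookup, runs the same wordlist against salted PBKDF2 hashes to show that nothing can be precomputed and every row costs fresh work, and ends with the defender's side of the same comparison, checking a leaked dump against one's own user table to find accounts that need a forced reset. All wordlists, e-mail addresses and passwords are constructed for the demo.

```python
# Added example, not from the article.  Every wordlist entry, e-mail address and
# password below is constructed for this demo.
import hashlib
import hmac
import os

# Constructed stand-in for the large dictionaries of pre-computed hashes the
# article describes.  A real one holds billions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "football",
            "dragon", "monkey", "sunshine", "welcome", "iloveyou"]

# Constructed plaintexts behind a breached user table.  Seven are dictionary
# words; three are long, random-looking passphrases a wordlist will not contain.
BREACHED_USERS = {
    "alice@example.com": "password",
    "bob@example.com": "123456",
    "carol@example.com": "qwerty",
    "dave@example.com": "letmein",
    "erin@example.com": "football",
    "frank@example.com": "dragon",
    "grace@example.com": "sunshine",
    "heidi@example.com": "Tq9#vLm2!wXp7Rz",
    "ivan@example.com": "correct-horse-battery-staple-42",
    "judy@example.com": "N0bodyGuess3sTh1s$",
}

PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs in seconds; production uses far more


def md5_hex(password):
    """Unsalted MD5 as a weak site stores it: one password always gives one fixed hash."""
    return hashlib.md5(password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """Hash the wordlist once; the table is reusable against every MD5 dump ever leaked."""
    return {md5_hex(w): w for w in wordlist}


def crack_md5_dump(dump, table):
    """Recover passwords from {email: md5hex} by lookup alone: zero hashing at crack time."""
    return {email: table[h] for email, h in dump.items() if h in table}


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash stored as 'iterations$salthex$hashhex'; a fresh salt per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2_dump(dump, wordlist):
    """Same wordlist against salted hashes: the table is useless, and each row costs
    up to len(wordlist) * iterations hash rounds.  Returns (cracked, rounds_spent)."""
    cracked, rounds = {}, 0
    for email, stored in dump.items():
        for word in wordlist:
            rounds += PBKDF2_ITERATIONS
            if pbkdf2_verify(word, stored):
                cracked[email] = word
                break
    return cracked, rounds


def find_reused_credentials(leaked_pairs, own_user_table):
    """Defender's check: which of our users (own salted PBKDF2 table) still use an
    e-mail/password pair that appears in a leaked dump?  Those need a forced reset."""
    return sorted(email for email, pw in leaked_pairs.items()
                  if email in own_user_table and pbkdf2_verify(pw, own_user_table[email]))


def demo():
    md5_dump = {e: md5_hex(p) for e, p in BREACHED_USERS.items()}
    cracked_md5 = crack_md5_dump(md5_dump, build_precomputed_table(WORDLIST))

    pbkdf2_dump = {e: pbkdf2_store(p) for e, p in BREACHED_USERS.items()}
    cracked_pbkdf2, rounds = crack_pbkdf2_dump(pbkdf2_dump, WORDLIST)

    # A second, constructed site whose users partly reuse the breached passwords.
    # (Reuse here is exaggerated for illustration; the article's real-world rate is under 1%.)
    other_site = {
        "alice@example.com": pbkdf2_store("password"),          # reused -> reset
        "bob@example.com": pbkdf2_store("unique-pw-for-bob"),   # different -> safe
        "carol@example.com": pbkdf2_store("qwerty"),            # reused -> reset
    }
    return {
        "md5_crack_rate": len(cracked_md5) / len(md5_dump),
        "pbkdf2_crack_rate": len(cracked_pbkdf2) / len(pbkdf2_dump),
        "pbkdf2_rounds_spent": rounds,
        "reset_needed": find_reused_credentials(cracked_md5, other_site),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the dictionary words fall under both schemes; what salting and iteration change is that the attacker must start from scratch per user and pay the iteration count for every guess, which is what turns "a day or two" into years for a large table.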

Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.

TARGETED PHISHING

So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.

Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.

The targeted phishing message that went out to classicfootballshirts.co.uk customers this month.

“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.