Posts Tagged: The Dark Overlord


4
Mar 19

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A (redacted) screen shot shared by the apparent hacker who was selling access to usernames and passwords for customers of multiple data-search Web sites.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggests a singular reason this network of data-search Web sites changed their support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

Jesse Willms’ Linkedin profile.

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38. Continue reading →


2
Oct 18

When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference?

A ridiculous number of companies are exposing some or all of their proprietary and customer data by putting it in the cloud without any kind of authentication needed to read, alter or destroy it. When cybercriminals are the first to discover these missteps, usually the outcome is a demand for money in return for the stolen data. But when these screw-ups are unearthed by security professionals seeking to make a name for themselves, the resulting publicity often can leave the breached organization wishing they’d instead been quietly extorted by anonymous crooks.

Last week, I was on a train from New York to Washington, D.C. when I received a phone call from Vinny Troia, a security researcher who runs a startup in Missouri called NightLion Security. Troia had discovered that All American Entertainment, a speaker bureau which represents a number of celebrities who also can be hired to do public speaking, had exposed thousands of speaking contracts via an unsecured Amazon cloud instance.

The contracts laid out how much each speaker makes per event, details about their travel arrangements, and any requirements or obligations stated in advance by both parties to the contract. No secret access or password was needed to view the documents.

It was a juicy find to be sure: I can now tell you how much Oprah makes per event (it’s a lot). Ditto for Gwyneth Paltrow, Olivia Newton John, Michael J. Fox and a host of others. But I’m not going to do that.

Firstly, it’s nobody’s business what they make. More to the point, All American also is my speaker bureau, and included in the cache of documents the company exposed in the cloud were some of my speaking contracts. In fact, when Troia called about his find, I was on my way home from one such engagement.

I quickly informed my contact at All American and asked them to let me know the moment they confirmed the data was removed from the Internet. While awaiting that confirmation, my pent-up frustration seeped into a tweet that seemed to touch a raw nerve among others in the security industry.

The same day I alerted them, All American took down its bucket of unsecured speaker contract data, and apologized profusely for the oversight (although I have yet to hear a good explanation as to why this data needed to be stored in the cloud to begin with).

This was hardly the first time Troia had alerted me about a huge cache of important or sensitive data that companies have left exposed online. On Monday, TechCrunch broke the story about a “breach” at Apollo, a sales engagement startup boasting a database of more than 200 million contact records. Calling it a breach seems a bit of a stretch; it probably would be more accurate to describe the incident as a data leak.

Just like my speaker bureau, Apollo had simply put all this data up on an Amazon server that anyone on the Internet could access without providing a password. And Troia was again the one who figured out that the data had been leaked by Apollo — the result of an intensive, months-long process that took some extremely interesting twists and turns.

That journey — which I will endeavor to describe here — offered some uncomfortable insights into how organizations frequently learn about data leaks these days, and indeed whether they derive any lasting security lessons from the experience at all. It also gave me a new appreciation for how difficult it can be for organizations that screw up this way to tell the difference between a security researcher and a bad guy.

THE DARK OVERLORD

I began hearing from Troia almost daily beginning in mid-2017. At the time, he was on something of a personal mission to discover the real-life identity behind The Dark Overlord (TDO), the pseudonym used by an individual or group of criminals who have been extorting dozens of companies — particularly healthcare providers — after hacking into their systems and stealing sensitive data.

The Dark Overlord’s method was roughly the same in each attack. Gain access to sensitive data (often by purchasing access through crimeware-as-a-service offerings), and send a long, rambling ransom note to the victim organization demanding tens of thousands of dollars in Bitcoin for the safe return of said data.

Victims were typically told that if they refused to pay, the stolen data would be sold to cybercriminals lurking on Dark Web forums. Worse yet, TDO also promised to make sure the news media knew that victim organizations were more interested in keeping the breach private than in securing the privacy of their customers or patients.

In fact, the apparent ringleader of TDO reached out to KrebsOnSecurity in May 2016 with a remarkable offer. Using the nickname “Arnie,” the public voice of TDO said he was offering exclusive access to news about their latest extortion targets.

Snippets from a long email conversation in May 2016 with a hacker who introduced himself as Adam but would later share his nickname as “Arnie” and disclose that he was a member of The Dark Overlord. In this conversation, he is offering to sell access to scoops about data breaches that he caused.

Arnie claimed he was an administrator or key member on several top Dark Web forums, and provided a handful of convincing clues to back up his claim. He told me he had real-time access to dozens of healthcare organizations they’d hacked into, and that each one which refused to give in to TDO’s extortion demands could turn into a juicy scoop for KrebsOnSecurity.

Arnie said he was coming to me first with the offer, but that he was planning to approach other journalists and news outlets if I declined. I balked after discovering that Arnie wasn’t offering this access for free: He wanted 10 bitcoin in exchange for exclusivity (at the time, his asking price was roughly equivalent to USD $5,000).

Perhaps other news outlets are accustomed to paying for scoops, but that is not something I would ever consider. And in any case the whole thing was starting to smell like a shakedown or scam. I declined the offer. It’s possible other news outlets or journalists did not; I will not speculate on this matter further, other than to say readers can draw their own conclusions based on the timeline and the public record. Continue reading →