Cybercrime Markets Sell Access to Hacked Sites, DatabasesPayment Card Theft, Ransomware Facilitated by Cybercrime-as-a-Service Offerings
One mystery with the recently discovered payment card sniffing attacks against such organizations as British Airways and Newegg has been how attackers might have first gained access to the victims' networks to inject their attack code.
In the case of those two payment card data breach victims - as well as Ticketmaster and a steadily expanding list of other victims - security firms say that an umbrella group of cybercrime gangs, known as Magecart, appears to have been behind the attacks.
"Thousands of companies are hit by this," says British information security expert Kevin Beaumont in a blog post. He's released an endpoint threat hunter organizations can use to scan their endpoints for signs of Magecart infection.
Easy Access to Hacked Sites
While the full scale of this problem continues to emerge, security experts say that one underlying problem is the degree to which illicit access to sites regularly gets bought, sold and resold on cybercrime marketplaces. In other words, while one group of attackers may hack a website, another may have first breached it, then sold their access to others.
Last year, law enforcement agencies disrupted the world's three biggest cybercrime marketplaces: AlphaBay, Hansa and RAMP.
But other marketplaces still abound.
On Wednesday, business risk intelligence firm Flashpoint reported that it had found a Russian-language underground forum called MagBo that has been selling access to 3,000 websites - mainly e-commerce sites, but also firms in the healthcare, legal, education, insurance and government sectors.
"MagBo is an exclusive underground breach platform marketplace catering to some vetted criminals," Vitali Kremez, Flashpoint's director of research, tells Information Security Media Group. "Marketplaces such as MagBo are rather common among criminals; however, the better quality of the breached website is the main MagBo distinction."
Flashpoint says the earliest signs of the marketplace's existence date from March, when advertisements for MagBo began appearing.
"Illicit access to compromised or back-doored sites and databases is used by criminals for a number of activities, ranging from spam campaigns, to fraud, or cryptocurrency mining," Kremez says in research report.
"Prices for compromised websites range from $0.50 to $1,000 per access, depending on a website ranking listing various host parameters," Kremez says. "These parameters allow the buyer to purchase the exact breach they need depending on the website value as determined and checked by the store.
"High-value targets would obviously fetch a higher price and capabilities to inject payment card sniffers or other tools for deeper network penetration. Sites with a lower ranking and a lesser perceived value are more likely to be abused for cryptocurrency mining or spam delivery."
How Hackers Buy Access to Sites
Flashpoint found posts on the site advertising access to breached sites via:
- Admin panel access;
- Database or structured query language (SQL) access;
- Domain control access;
- File transfer protocol (FTP) access;
- Hosting control access;
- PHP shell access;
- Secure socket shell (SSH) access.
MagBo offers wares from about a dozen vendors and appears to have more than 200 registered buyers "who sell and take part in auctions in order to gain access to breached sites, databases and administrator panels," Kremez says.
Flashpoint says it's shared information about the marketplace with law enforcement agencies, who are helping to notify organizations from which information for sale on the site appears to have been stolen.
To be clear, there's no indication that the attackers involved with Magecart use this particular service - or any other - to gain access to the sites on which they install card-sniffing malware. Indeed, the attackers could, in theory, directly hack the sites they're targeting instead.
On the other hand, buying and selling access to hacked sites remains a cornerstone of the cybercrime-as-a-service economy, which offers would-be criminals a vast array of tools and services designed to maximize their illicit profits as quickly as possible.
Successive Waves of Attacks Not Uncommon
How do attackers go about harvesting credentials for websites, or gaining access and activating services such as SSH that will provide easy access later for themselves or others?
Leading culprits are "default credentials and unpatched systems - often combined with a change to the network that exposes the service to the internet for the first time - and then gets owned," incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements, tells ISMG.
Access to breached sites may not just get sold by a site, but resold, with infiltrated sites getting raided by successive waves of attackers, Stubley says (see Obama-Themed Ransomware Also Mines for Monero).
Each attacker may seek to monetize their illicit access to the site in different ways.
In many cases, Stubley says, more advanced initial attackers will raid a site for intellectual property or personal data or payment card data that can be resold, before selling on the site access to other criminals.
At some point, attackers now often install cryptocurrency mining software that can use PC and server CPUs as part of cryptojacking attacks, which law enforcement agencies warn are growing increasingly common.
Cryptojacking attacks and malware are designed to use infected systems' CPUs to mine for cryptocurrency. Mining means solving complex computational challenges that verify cryptocurrency system transactions, which adds them to the cryptocurrency's blockchain. In return, miners may receive cryptocurrency back as a reward.
"While knowing what the individual motivation is will always by difficult, it would appear that the more sophisticated attackers are using the most appropriate components," Stubley says. "So if mining will return profit, then they will utilize that. If not, then they default to ransoms."
Prevalent Access Vector: RDP
Stubley says that many intrusions his company investigates today trace to stolen or brute-forced remote desktop protocol credentials. While RDP is a legitimate access technique used by many organizations, stolen credentials give attackers - and anyone else they sell or share the credentials with - an easy way to remotely access a site (see How Much Is That RDP Credential in the Window?).
RDP access to sites is a feature of many cybercrime marketplaces, which would-be criminals can access via the open internet, via "darknet" sites accessible only by using the Tor browser, or by interacting with sellers using encrypted messaging apps (see Cybercrime: 15 Top Threats and Trends).
Last year, Flashpoint reviewed a darknet marketplace called UAS - for "Ultimate Anonymity Services" - and found that it sold stolen RDP credentials for $3 and up (see How Much Is That RDP Credential in the Window?).
While RDP remains a popular way to access sites, Kremez says it's not the only one. "MagBo does not offer RDP credentials as it specializes more on website breaches," he says.
How to Safeguard Sites
Kremez says all organizations should be taking proactive measures to ensure that their sites haven't been compromised and access credentials shared on marketplaces such as MagBo. "Pre-emptive measures to protect against website exploitation include conducting audits and reviews of any externally accessible websites and their connections" to the organization's own networks, he says.
Beyond keeping systems patched - and never using default credentials - Stubley says that from an access management perspective, "proactive log analysis" is a must, especially for firms that use RDP.
"There are specific event logs created for logon events within the logs that show time/date and source IP," he says. "If you are seeing multiple logon events from geographic locations you do not recognize, then this could be an indication that something is up."