Stolen digital masks, user accounts available on dark net: Kaspersky

  • Stolen data is no longer just held for ransom but is circulated for sale on illegal marketplaces on the dark web
  • The Genesis darknet marketplace holds over 60,000 stolen digital identities that can be used to carry out online or credit card transactions without the knowledge of the real user

New Delhi: Organised cybercrime is changing the threat landscape with hackers now having more resources to carry out sophisticated and new forms of attacks.

Stolen data, for instance, is no longer just held for ransom but is circulated for sale on illegal marketplaces on the dark web, a part of the internet that is not indexed by search engines.

A case in point is the Genesis darknet marketplace, where anyone can buy stolen digital masks and user accounts for $5 to $200. The platform has over 60,000 stolen digital identities that can be used to carry out online or credit card transactions without the knowledge of the real user, according to a Kaspersky Labs note released on Monday.

Digital masks are a machine learning-based anti-fraud solution used by financial institutions to verify whether a new transaction comes from the actual user or from a hacker who has acquired the payment details illegally. The system records the fingerprints of the devices and browsers used for payments, and then uses AI to match them against the browser cookies and the online and device behaviour seen in a new transaction.

Anyone with a stolen digital mask and the login credentials of a user can use these to make online payments using a proxy connection without raising any suspicion.
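A defender-side illustration of the matching described above, added here and not taken from the Kaspersky note or any vendor's product: a stored fingerprint for an account is compared with the attributes of a new transaction, and the IP-derived country and timezone are checked against what the browser claims, which is the inconsistency a mask replayed through a proxy tends to show. The attribute set, weights, IP lookup table and sample device data are all constructed assumptions.

```python
import hashlib
import json

# Attributes treated as the device/browser fingerprint (an assumption for this example).
FINGERPRINT_KEYS = ("user_agent", "screen", "languages", "timezone", "webgl_renderer")

# Constructed stand-in for an IP geolocation lookup: ip -> (country, IANA timezone).
IP_GEO = {
    "203.0.113.10": ("IN", "Asia/Kolkata"),      # the account holder's usual connection
    "198.51.100.7": ("NL", "Europe/Amsterdam"),  # an unrelated exit node
}

def fingerprint(attrs: dict) -> str:
    """Hash only the fingerprint attributes so the stored mask is not raw browser data."""
    subset = {k: attrs.get(k) for k in FINGERPRINT_KEYS}
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()

def build_profile(history: list) -> dict:
    """Summarise past good transactions into the account's stored mask."""
    return {
        "fingerprint": fingerprint(history[-1]["attrs"]),
        "countries": {IP_GEO[t["ip"]][0] for t in history},
    }

def score_transaction(profile: dict, txn: dict) -> tuple:
    """Return (risk score, reasons). Weights are assumptions, not a vendor's model."""
    score, reasons = 0, []
    if fingerprint(txn["attrs"]) != profile["fingerprint"]:
        score += 50
        reasons.append("fingerprint differs from stored mask")
    country, ip_tz = IP_GEO.get(txn["ip"], ("unknown", None))
    # A replayed mask carries the victim's browser timezone, but the proxy's IP does not.
    if ip_tz and ip_tz != txn["attrs"].get("timezone"):
        score += 30
        reasons.append(f"browser timezone {txn['attrs'].get('timezone')} vs IP timezone {ip_tz}")
    if country not in profile["countries"]:
        score += 20
        reasons.append(f"first transaction from {country}")
    return score, reasons

def decide(score: int) -> str:
    return "allow" if score < 30 else "challenge" if score < 70 else "block"

# Constructed sample data: the account holder's device, one good past transaction,
# a legitimate new transaction, and the same mask replayed from another network.
DEVICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0", "screen": "1920x1080",
          "languages": "en-IN,hi", "timezone": "Asia/Kolkata", "webgl_renderer": "Mesa Intel HD 620"}
PROFILE = build_profile([{"ip": "203.0.113.10", "attrs": DEVICE}])
LEGIT = {"ip": "203.0.113.10", "attrs": DEVICE}
REPLAYED_MASK = {"ip": "198.51.100.7", "attrs": DEVICE}
```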

Kaspersky Labs also found that there are tools that can be used to create digital masks from scratch. One such tool is the Tenebris browser, which comes with an embedded configuration generator to develop unique fingerprints. Using the fingerprint, an attacker can launch the mask through a browser and proxy connection and carry out online transactions.

The sophisticated nature of the attacks continues to baffle security experts. Kaspersky Labs recently uncovered a cyber espionage framework called Taj Mahal. Active since 2013, this APT (advanced persistent threat) framework appears to have no connection to any of the known threat actors, which could be the reason for the late detection.

What makes it a high-risk threat is the presence of more than 80 modules for stealing information, such as audio recorders, keyloggers, screen and webcam grabbers, and document and cryptographic key stealers. It can grab browser cookies, steal information from printer queues, capture previously seen files from a USB drive and gather backup lists from Apple iPhones. It is named after the file used to exfiltrate the stolen data. So far, Taj Mahal is known to have been used against only one victim, a central Asian diplomatic entity, in 2014.

"It seems highly unlikely that such a huge investment would be undertaken for only one victim. This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both. The distribution and infection vectors for the threat also remain unknown. Somehow, it has stayed under the radar for over five years. Whether this is due to relative inactivity or something else is another intriguing question," said Alexey Shulmin, lead malware analyst at Kaspersky Labs, at the recently concluded Security Analysts Summit in Singapore.

Kaspersky Labs has also been on the trail of a cyber espionage operation run by an Arabic-speaking cybercrime organisation, Gaza Cybergang. Known as SneakyPastes, the operation used malicious emails and domains to carry out phishing attacks against 240 high-profile individuals in embassies, media houses, political parties, government agencies and banks in 39 countries. However, most of the targets were located in Palestine, Jordan, Israel and Lebanon.

The researchers identified three different groups within the organisation, each with a slightly different modus operandi. SneakyPastes was the handiwork of one such sub-group, called Mole Rats.

To avoid detection and hide the location of the command-and-control server, the hackers would download additional malware onto the targeted devices via free sites, including Pastebin and GitHub. In the final stage, a Remote Access Trojan was installed on the device, which opened a backdoor to the command-and-control server that was used to steal, encrypt and upload information from the targeted device.
