
The Underground Economist: Volume 2, Issue 16


Welcome back to The Underground Economist: Volume 2, Issue 16, an intelligence-focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach, to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of September 2, 2022.

New Tool To Compromise VNC Servers

Well-regarded threat actor “Crux” advertised a new tool to compromise open virtual network computing (VNC) servers on the predominantly Russian language Deep Web forum “Exploit”. VNC is a cross-platform screen-sharing service that allows users to remotely control systems running Windows or Linux. The actor’s announcement is significant because it lowers the barrier to entry for threat actors to conduct these types of attacks by streamlining the process with an easy-to-use command line tool.

The actor specified the tool, dubbed VncStrike, works on hosts running most versions of Windows. According to the actor, this tool determines if IP address and port number combinations are associated with open VNC servers. If valid, the tool can use lists of known VNC passwords to perform credential stuffing attacks against the target machines. When a VNC server is successfully compromised, the tool will automatically return screenshots of the desktop. The actor claims the tool can compromise between 50 to 100 VNC servers per day, depending on the specifications of the host machine.

The actor charged $500 USD for the tool. They also agreed to use an escrow service, indicating the actor is more likely to have what they claim.

Original post from threat actor “Crux” advertising a new tool to perform credential stuffing attacks against Windows machines running virtual network computing (VNC) instances
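The behaviour described above (many password attempts against a VNC listener, followed by a success once a known password hits) is visible on the defending side as a burst of authentication failures from one source. The following script is an added example written for this post, not ZeroFox's code and not the advertised tool; it assumes a generic, constructed log line format (`<timestamp> <host> vnc: auth <failed|ok> from <ip> user=<name>`), and real VNC servers (TigerVNC, RealVNC, x11vnc) each log in their own format, so the regex in `LOG_RE` would need adapting. The thresholds are assumptions to be tuned per environment.

```python
"""Detect VNC password-guessing (credential stuffing) from server logs.

Added example, not ZeroFox's or the advertised tool's code. Assumes a
constructed log format with one line per authentication attempt:
    <ISO8601 timestamp> <host> vnc: auth <failed|ok> from <ip> user=<name>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vnc: auth (?P<result>failed|ok) "
    r"from (?P<ip>[\d.]+)"
)

FAIL_THRESHOLD = 5             # failures from one IP ...
WINDOW = timedelta(minutes=2)  # ... within this window trips an alert
SUCCESS_MIN_FAILS = 3          # success after this many failures is suspicious


def parse(line):
    """Parse one log line into a dict, or None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "host": m["host"], "result": m["result"], "ip": m["ip"]}


def detect(lines):
    """Return alerts as tuples:
    ('bruteforce', ip, host, failures_in_window)
    ('success_after_failures', ip, host, failures_in_window)
    """
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()              # IPs already reported for brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # Slide the window: drop failures older than WINDOW.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["result"] == "failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in alerted:
                alerts.append(("bruteforce", ev["ip"], ev["host"], len(q)))
                alerted.add(ev["ip"])
        elif len(q) >= SUCCESS_MIN_FAILS:
            # A login that succeeds right after a run of failures is the
            # signature of a password list finally hitting.
            alerts.append(("success_after_failures", ev["ip"], ev["host"], len(q)))
    return alerts


# Constructed sample log: 203.0.113.7 guesses six passwords then succeeds;
# 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = [
    "2022-09-02T10:00:01Z ws-042 vnc: auth failed from 203.0.113.7 user=admin",
    "2022-09-02T10:00:05Z ws-042 vnc: auth failed from 203.0.113.7 user=admin",
    "2022-09-02T10:00:09Z ws-042 vnc: auth failed from 203.0.113.7 user=admin",
    "2022-09-02T10:00:13Z ws-042 vnc: auth failed from 203.0.113.7 user=admin",
    "2022-09-02T10:00:17Z ws-042 vnc: auth failed from 203.0.113.7 user=admin",
    "2022-09-02T10:00:21Z ws-042 vnc: auth failed from 203.0.113.7 user=admin",
    "2022-09-02T10:00:25Z ws-042 vnc: auth ok from 203.0.113.7 user=admin",
    "2022-09-02T10:01:00Z ws-042 vnc: auth failed from 198.51.100.4 user=jsmith",
    "2022-09-02T10:01:10Z ws-042 vnc: auth ok from 198.51.100.4 user=jsmith",
    "2022-09-02T10:01:11Z ws-042 sshd: unrelated line that must be ignored",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type matters more than the first: a burst of failures alone may be a scanner that never gets in, but a success immediately after a run of failures is the point at which the desktop is exposed and screenshots like those the tool returns become possible, so that event should page someone rather than just increment a counter.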

Automated Service Checks Validity Of Stolen Payment Cards

New and untested threat actor “Alphas” advertised an automated service to check the validity of stolen payment cards on the predominantly Russian language Deep Web forum “Club2Crd”. The actor claims this new service, also dubbed “Alphas”, will not trigger alerts to victims or card issuers. Additional features of the service include:

  • Checks up to 500 cards per hour
  • Free BIN search to identify card issuers
  • Leverages stolen card data from various countries, including the U.S., U.K., Australia, and Canada
  • Determines if cards have 3D Secure (3DS) enabled for multi-factor authentication
  • Verifies CVV2 security codes
  • Supports various payment card brands, including Visa, Mastercard, American Express, and Discover

The actor charged $0.01 USD per check. They also claimed to offer discounts on orders of $100 or more. 

If legitimate, ZeroFox researchers assess this service could lead to a surge in payment card fraud since it increases the likelihood of a threat actor’s success by identifying payment cards with weaker security controls to target.

Original post from threat actor “Alphas” advertising a new automated service to check the validity of stolen payment cards
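A checker of the kind advertised above shows up on the merchant or issuer side as card testing: many distinct card numbers authorized from one source in a short window, mostly declined, often for small amounts. The script below is an added example written for this post, not ZeroFox's code and not the advertised service; it assumes a constructed authorization record layout (timestamp, source IP, a card token standing in for the PAN, amount, result) and assumed thresholds that would be tuned against real traffic.

```python
"""Flag card-testing ("checker") activity in authorization records.

Added example, not ZeroFox's or the advertised service's code. Record
layout is constructed for this example; tokens stand in for card numbers
(never log the PAN itself).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window per source
MIN_DISTINCT_CARDS = 5          # distinct cards in window ...
MIN_DECLINE_RATIO = 0.6         # ... with this share declined -> flag


def flag_card_testing(records):
    """Return {source_ip: stats} for sources whose activity in any
    WINDOW-length span looks like card testing."""
    by_source = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_source[r["source_ip"]].append(r)

    flagged = {}
    for ip, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            cards = {e["card_token"] for e in window}
            declines = sum(1 for e in window if e["result"] != "approved")
            if (len(cards) >= MIN_DISTINCT_CARDS
                    and declines / len(window) >= MIN_DECLINE_RATIO):
                flagged[ip] = {
                    "distinct_cards": len(cards),
                    "attempts": len(window),
                    "declines": declines,
                }
                break  # first qualifying window is enough to flag the source
    return flagged


def _rec(seconds, ip, token, amount, result):
    # Helper to build constructed records relative to a fixed start time.
    return {
        "ts": datetime(2022, 9, 2, 10, 0, 0) + timedelta(seconds=seconds),
        "source_ip": ip,
        "card_token": token,
        "amount": amount,
        "result": result,
    }


# Constructed sample: 203.0.113.50 runs eight different cards at $1.00 in
# under three minutes with mostly declines; 198.51.100.9 is a shopper
# retrying one card.
SAMPLE_RECORDS = [
    _rec(0, "203.0.113.50", "tok_a1", 1.00, "declined"),
    _rec(20, "203.0.113.50", "tok_b2", 1.00, "cvv_mismatch"),
    _rec(40, "203.0.113.50", "tok_c3", 1.00, "declined"),
    _rec(60, "203.0.113.50", "tok_d4", 1.00, "declined"),
    _rec(80, "203.0.113.50", "tok_e5", 1.00, "approved"),
    _rec(100, "203.0.113.50", "tok_f6", 1.00, "declined"),
    _rec(120, "203.0.113.50", "tok_g7", 1.00, "cvv_mismatch"),
    _rec(140, "203.0.113.50", "tok_h8", 1.00, "approved"),
    _rec(30, "198.51.100.9", "tok_z9", 54.20, "declined"),
    _rec(90, "198.51.100.9", "tok_z9", 54.20, "approved"),
    _rec(400, "198.51.100.9", "tok_z9", 12.00, "approved"),
]

if __name__ == "__main__":
    print(flag_card_testing(SAMPLE_RECORDS))
```

Keying on distinct cards per source rather than on raw attempt count is what separates a checker from a legitimate customer retrying a single declined card; the decline ratio filters out a busy but honest reseller. Flagged sources are a candidate for rate limiting or a step-up challenge, and the approved tokens in a flagged window are the cards the checker has just confirmed as live, which is the list worth passing to the issuer.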

Actor Claims PII Of 2 Million Individuals Tied To U.K.-Based Lender

New and positively trending threat actor “Entropy” advertised access to a database and an Amazon S3 bucket they claim contain the PII of two million individuals associated with a U.K.-based peer-to-peer lender, The Money Platform, on the predominantly Russian language Deep Web forum “XSS”. In addition to the full information of victims, the actor said these resources also contain 32,000 scanned copies of sensitive documents used for customer verification purposes, including:

  • Driver’s licenses
  • Passports
  • Photos of victims holding their ID cards

The actor charged $2,000 USD for the access.

ZeroFox researchers assess that a deal involving this data will likely lead to more cases of identity theft against users of The Money Platform because the leak contains a comprehensive set of PII and verification documents impacting a high volume of lenders and borrowers.

Verified Bank Accounts For Money Mule Operations Advertised

New and untested threat actor “BullFrog” advertised Blackcatcard bank accounts verified using stolen PII on the predominantly Russian language Deep Web forum “WWH-Club”. This follows a recent trend where more threat actors are leveraging alternative banking services, such as Blackcatcard or Revolut, for money mule operations. These services allow threat actors to create free bank accounts with integrated cryptocurrency wallets that can be leveraged to cash out funds from compromised bank accounts or payment cards.

Additionally, the actor specified that Blackcatcard users can generate an unlimited number of virtual credit cards (VCCs) for fraudulent operations.

The actor charged $400 USD per account. After purchase, the actor said they would also provide the buyer with a copy of the stolen PII used to verify the account.

For more insights from the ZeroFox Intelligence team, download our new Quarterly Threat Landscape Report.
