The Underground Economist: Volume 3, Issue 14


Welcome back to The Underground Economist: Volume 3, Issue 14, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of July 24th, 2023.

Tool Designed To Compromise iCloud Accounts For Sale

Moderately credible threat actor “vivid” is auctioning a tool designed to compromise iCloud accounts on the predominantly Russian language Deep Web forum “Exploit.” This tool is unique because it steals seed recovery phrases and other sensitive data from Apple users. It is highly likely that a threat actor could use these seed recovery phrases to further compromise a victim’s cryptocurrency wallet and drain their assets.

The starting bid for the tool was $10,000 USD, with a minimum bid increment of $1,000 USD and an instant purchase price of $15,000 USD.

ZeroFox researchers assess the tool is likely to intrigue threat actors because offerings specifically designed to target Apple products or services are rare on the criminal underground.

Original screenshot from threat actor “vivid,” who is auctioning a tool designed to compromise iCloud accounts

Service Steals Sensitive Data From Client’s Preferred Target

Well-regarded and established threat actor “bugbounty” advertised a service to compromise and steal sensitive data from targets on the English language Deep Web forum “BreachForums.” The service scans a client’s preferred target for vulnerabilities, including:

  • Websites
  • Mobile applications
  • Software

If the threat actor group can identify vulnerabilities to exploit, they will compromise the target and exfiltrate any sensitive data. The price for the service varies depending on the engagement, and the actor charges a 20 percent fee on all engagements.

Original screenshot from threat actor “bugbounty” advertising a service that steals sensitive data from various targets

Administrator Access To Web Panel Of Undisclosed E-commerce Platform Alleged

In early July 2023, well-regarded and established threat actor “kickroot” advertised administrator access to the web panel of an undisclosed e-commerce platform on the English language Dark Web forum “Onniforums.” The actor claims the panel would give the buyer access to a database containing the personally identifiable information (PII) of more than 7,000 e-commerce vendors that operate on the website. A threat actor could likely use this information to perform malicious actions, such as launching spear phishing attacks or stealing clients from competitors.

The actor was auctioning the web panel access, with a starting bid of $3,000 USD.

ZeroFox researchers assess that “Onniforums” is filling a niche and strengthening its market position in the English-speaking underground because network access deals are predominantly conducted on Russian language forums.

Original screenshot from threat actor “kickroot” advertising administrator access to the web panel of an undisclosed e-commerce platform

New Data Breach Search Engine, Dubbed ‘OSINTLeak,’ Announced

Well-regarded and established threat actor “shuja1337” stated they are developing a new data breach search engine, dubbed “OSINTLeak,” on the predominantly Russian language Deep Web forum “XSS.” The search engine will allow users to query more than 15TB of stealer malware logs containing the compromised account credentials and other sensitive data of victims worldwide. Some of the compromised resources include:

  • FTP accounts
  • Databases
  • WordPress administrator dashboards

The actor claims that pricing for the service will be cheaper than similar legitimate services, such as intelx[.]io. ZeroFox researchers assess that the launch of this search engine will likely lead to an increase in credential-related cyberattacks because it lowers the barrier to entry for threat actors looking to gain initial access to compromised targets’ accounts.

Original screenshot from threat actor “shuja1337” announcing the development of a new data breach search engine dubbed “OSINTLeak”

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources by engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats, and curate intelligence specific to you.