Everything can be bought
- RFERL Watch
- Apr 9, 2023
- 4 min read
When I last browsed through "our site", I noticed that we hadn't published any useful article for you for a long time. So let me share one computer security article this time, which may seem a bit "out of the box" in the context of the Radio ГА / ГА website. Never mind, I'll try anyway, and even if you don't speak my tribe's language, I'll try to make you think in a simple way about how valuable your digital wealth can be, and how and what you can lose from it, especially if you don't take care of it.

Digital assets and digital heritage include, for example:

Since this area is very broad and, as you can see, very diverse, I will focus on the first one, i.e. the area of email accounts. After all, as the events described in many of our previous posts prove, this is where I should have the most experience, thanks to my position as "Chief Postman".
According to an article on "BLEEPINGCOMPUTER.COM", there are automated e-shops on the dark web that offer business e-mail accounts for about 2 US bucks each. These e-shops are increasingly selling stolen corporate email accounts to meet the growing demand from hackers who use them for business email compromise (BEC) and phishing attacks, or to gain initial access to networks.
Among the most active webmail e-shops are "Xleet" and "Lufix", which claim to offer access to more than 100,000 stolen corporate e-mail accounts for between $2 and $30, depending on the reputation of the organisation.

These accounts were usually stolen through password cracking (guessing with a password generator), credential leaks, phishing, or purchase from other cybercriminals.
Sales of corporate email access have reportedly remained steady in the cybercrime scene over the past few years, with hacker forums selling compromised email accounts as a sort of "combo", with a single price set for the "package" as a whole.
The image below shows a recent case where a ransomware group called "Everest" allegedly offered $15,000 for access to the email accounts of an aircraft manufacturing company.

Bulk and individual offers involve a lengthy negotiation with the seller, which increases the risk that the offered credentials are no longer current by the time the deal closes, even though the demand is there.
This is what created the need for automated webmail shops such as "Xleet", "Odin", "Xmina" and "Lufix", which allow cyber criminals to easily purchase access to email accounts of their exact choice. Basically a regular e-shop.
The entire sale is handled purely electronically, from the keyboard, and payment is made in digital currency because it is hard to trace.

In the image below, it can be seen that the transaction also includes immediate verification of access to the offered e-mail, or the display of a screenshot from the attacked mailbox of the unfortunate account owner. A hacker simply doesn't buy a pig in a poke.
The seller is identified each time only as "seller" with a number. The red "Check" button is simply flawless.

Of course, the most attractive offers on these e-shops are Office 365 accounts, which account for almost half of all listed webmails. This is followed by email hosting providers such as "cPanel", "GoDaddy" and "Ionos".

Sellers in these stores do not use their nicknames, but hide behind names generated by a system that assigns them numbers. The "Odin" store offers additional seller details such as the number of items sold, total sales and user ratings.
One can even come across a "sale" or a "discount". There is also an average rating ("Average Rating"), so it is possible to choose between sellers with the "best reputation".
How did #MV ("Mgr. Prasátko") say it during the court hearing?
"Today, almost no one uses the system you managed. Everyone uses Office 365 and it's the most modern one."
As #RC ("Remotely Controlled") used to say - I was simply "legacy".

The "Odin" and "Xleet" stores also specify how email access was gained, categorising the methods as "hacked", "cracked", "logged" or "newly created". However, the majority (98%) in "Xleet" are either "hacked" or "cracked".
"Logged" are email credentials captured, unbeknownst to the user, by malware (malicious software) that steals them when the user logs into the system, while "created" are new email accounts that attackers created in the attacked company using compromised administrator accounts.
On the latter category, I'll just make a small note: this type of global admin account compromise was used here on that famous October day (please do not confuse it with the "Great October Revolution" of the summer of 2019) by the hacker group #STRONTIUM, controlled by the Russian GRU.
For the forgetful or for those new to visiting here, I refer to the article "OMG, WTF and the rest" here.
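The "created" category above is the one a defender can actually look for in their own logs: an admin account that suddenly creates several mailboxes, at night, is worth a second look. The following script is an added example, not code from the original post or from any of the named shops or reports. The log format, the actor names, the working-hours window and the burst threshold are all constructed assumptions; a real tenant audit log (for instance the Microsoft 365 unified audit log) has its own schema and would need its own parser.

```python
"""Flag mailbox creations that may stem from a compromised admin account.

Added example (not code from the original post). Log format, actors and
thresholds are constructed assumptions, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit lines: UTC timestamp | actor | action | target.
SAMPLE_LOG = """\
2019-10-04T09:12:00Z|admin.alice@example.test|UserAdded|j.novak@example.test
2019-10-04T10:40:00Z|admin.alice@example.test|UserAdded|k.svoboda@example.test
2019-10-05T02:13:00Z|admin.bob@example.test|UserAdded|support-eu1@example.test
2019-10-05T02:14:00Z|admin.bob@example.test|UserAdded|support-eu2@example.test
2019-10-05T02:15:00Z|admin.bob@example.test|UserAdded|support-eu3@example.test
2019-10-05T02:16:00Z|admin.bob@example.test|MailboxForwardingSet|j.novak@example.test
2019-10-05T14:00:00Z|admin.alice@example.test|PasswordReset|k.svoboda@example.test
"""

BUSINESS_HOURS = (7, 19)   # assumed working window, in UTC hours [start, end)
BURST_THRESHOLD = 3        # this many creations by one actor ...
BURST_WINDOW_S = 600       # ... within this many seconds counts as a burst


def parse_log(text):
    """Parse pipe-separated lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, actor, action, target = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "actor": actor, "action": action, "target": target})
    return events


def flag_creations(events):
    """Return (target, reason) pairs for account creations worth an analyst's look.

    Two cheap heuristics: a creation outside the working window, and a burst
    of creations by one admin inside a short window. Neither proves that the
    admin account is compromised; both are a reason to check it.
    """
    flagged, seen = [], set()

    def add(target, reason):
        if (target, reason) not in seen:
            seen.add((target, reason))
            flagged.append((target, reason))

    creations = [ev for ev in events if ev["action"] == "UserAdded"]

    # Heuristic 1: creation outside the assumed working hours.
    for ev in creations:
        hour = ev["time"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            add(ev["target"], "created outside working hours")

    # Heuristic 2: BURST_THRESHOLD creations by the same actor within BURST_WINDOW_S.
    per_actor = defaultdict(list)
    for ev in creations:
        per_actor[ev["actor"]].append(ev)
    for actor, evs in per_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs) - BURST_THRESHOLD + 1):
            span = evs[i + BURST_THRESHOLD - 1]["time"] - evs[i]["time"]
            if span.total_seconds() <= BURST_WINDOW_S:
                for ev in evs[i:i + BURST_THRESHOLD]:
                    add(ev["target"], f"burst of {BURST_THRESHOLD} creations by {actor}")
    return flagged


if __name__ == "__main__":
    for target, reason in flag_creations(parse_log(SAMPLE_LOG)):
        print(f"{target}: {reason}")
```

Run against the constructed sample, the three "support-eu" mailboxes created by admin.bob at two in the morning are flagged twice each (once per heuristic), while admin.alice's two daytime creations pass. The forwarding-rule event is deliberately not a creation and is ignored here; in practice it is exactly the kind of follow-up action that should be correlated with the flagged admin.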
The rise of these markets can be countered by enforcing regular password changes (resets) for all services and platforms, so that potentially compromised credentials become useless to these criminal individuals. Using strong (longer) passwords and training users to recognise phishing emails should also help to significantly reduce these threats.
While reading these basic security recommendations, I remember the closing speech of the righteous couple #JH ("Dr. Hustá") and #MV ("Mgr. Prasátko"), who at that time had cast themselves in the role of IT specialists for computer security. Reading my judgment, they evaluated password resets as something that was not a crucial recommendation and as insufficient.
That the lady judge at one point called "phishing" "bushing" still brings a convulsive smile to my face.
Although the compromised Radio ГА / ГA accounts probably did not end up on any of those famous e-shops, these events led to the strengthening of computer security here and to extensive internal organisational changes (which is certainly a very positive thing).
In October 2019 the money was not flowing. It was all about politics.