New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It’s been a terrible start to the new year for Intel.

Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally.

As Intel was rushing to roll out patches for Meltdown and Spectre vulnerabilities, security researchers have discovered a new critical security flaw in Intel hardware that could allow hackers to access corporate laptops remotely.

Finnish cyber security firm F-Secure reported unsafe and misleading default behaviour within Intel Active Management Technology (AMT) that could allow an attacker to bypass login processes and take complete control over a user’s device in less than 30 seconds.

AMT is a feature of Intel-based chipsets that gives IT administrators and managed service providers better control over their device fleets, allowing them to remotely manage and repair PCs, workstations and servers in their organisation.

The bug allows anyone with physical access to the affected laptop to bypass the need to enter login credentials—including user, BIOS and BitLocker passwords and TPM pin codes—enabling remote administration for post-exploitation.

In general, setting a BIOS password prevents an unauthorised user from booting up the device or making changes to the boot-up process. But this is not the case here.

The password doesn’t prevent unauthorised access to the AMT BIOS extension, thus allowing attackers access to configure AMT and making remote exploitation possible.

Although researchers have discovered some severe AMT vulnerabilities in the past, the recently discovered issue is of particular concern because it:

  • is easy to exploit without a single line of code,
  • affects most Intel corporate laptops, and
  • could enable attackers to gain remote access to the affected system for later exploitation.

“The attack is almost deceptively simple to enact, but it has incredible destructive potential,” said F-Secure senior security researcher Harry Sintonen, who discovered the issue in July last year.

“In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

According to the researchers, the newly discovered bug has nothing to do with the Spectre and Meltdown vulnerabilities recently found in the microchips used in almost all PCs, laptops, smartphones and tablets today.

Here’s How to Exploit this AMT Issue

To exploit this issue, all an attacker with physical access to a machine protected by login and BIOS passwords needs to do is reboot or power up the targeted PC and press CTRL-P during boot-up, as demonstrated by F-Secure researchers in their video.

The attacker then can log into Intel Management Engine BIOS Extension (MEBx) with a default password.

Here, the default password for MEBx is “admin,” which most likely remains unchanged on most corporate laptops.

Once logged in, the attacker can then change the default password and enable remote access, and even set AMT’s user opt-in to “None.”

Now that the machine has been backdoored, the attacker can access it remotely by connecting to the same wireless or wired network as the victim.

Although exploiting the issue requires physical access, Sintonen explained that the speed at which it can be carried out makes it easily exploitable, adding that distracting a target from their laptop for even one minute is enough to do the damage.

“Attackers have identified and located a target they wish to exploit. They approach the target in a public place—an airport, a café or a hotel lobby—and engage in an ‘evil maid’ scenario,” Sintonen says.

Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn’t require a lot of time—the whole operation can take well under a minute to complete.

Along with the CERT Coordination Center in the United States, F-Secure has notified Intel and all relevant device manufacturers about the security issue and urged them to address it urgently.

Meanwhile, users and IT administrators in an organisation are recommended to change the default AMT password of their device to a strong one or disable AMT if this option is available, and never leave their laptop or PC unattended in a public place.

Nissan Finance Canada Suffers Data Breach — Notifies 1.13 Million Customers


It’s the last month of this year, but possibly not the last data breach report.

Nissan warns of a possible data breach of personal information on its customers who financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada.

Although the company says it does not know precisely how many customers were affected by the data breach, Nissan is contacting all of its roughly 1.13 million current and previous customers.

In a statement released Thursday, Nissan Canada said the company became aware of an “unauthorized access to personal information” of some customers on December 11.

“Nissan Canada Finance recently became aware it was the victim of a data breach that may have involved an unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada,” the company said.

It’s believed that the unknown hacker(s) may have had access to the following information:

  • Customers’ names
  • Home addresses
  • Vehicle makes and models
  • Vehicle identification numbers (VIN)
  • Credit scores
  • Loan amounts
  • Monthly payments

The company says there is no indication, at least at this moment, that the breach also included payment information or contact details such as email addresses or phone numbers.

The company is offering 12 months of free credit monitoring services through TransUnion to all of its financed customers.

Since the investigation into the data breach incident is still ongoing, it is not clear if the hack also impacts customers outside of Canada and customers who did not obtain financing through NCF.

“We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause,” Nissan Canada president Alain Ballu said. “We are focused on supporting our customers and ensuring the security of our systems.”

Nissan Canada has contacted Canadian privacy regulators, law enforcement, and data security experts to help rapidly investigate the matter.

MailSploit — Email Spoofing Flaw Affects Over 30 Popular Email Clients


If you receive an email that looks like it’s from one of your friends, just beware! It’s possible that the email has been sent by someone else in an attempt to compromise your system.

A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.

Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.

Although most of these affected email clients have implemented anti-spoofing mechanisms such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the “From” header.

Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with the forged sender address to trick recipients into believing they are receiving that email from a specific person.

On a dedicated website that went up today, Haddouche explained how the lack of input sanitisation in vulnerable email clients can lead to an email spoofing attack, without exploiting any flaw in DMARC itself.

To demonstrate this attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email that appeared to come from an official address belonging to the President of the United States.

“Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email,” Haddouche says in his blog post.


“We’ve seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms.”

Besides spoofing, the researcher found that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are also vulnerable to cross-site scripting (XSS), which stems from the same header-parsing issue.

Haddouche reported this spoofing bug to 33 different client applications, 8 of which have already patched this issue in their products before the public disclosure and 12 are on their way to fix it.


Here you can find the list of all email and web clients (both patched and unpatched) that are vulnerable to MailSploit attack.

However, Mozilla and Opera consider this bug to be a server-side issue and will not be releasing any patch. Mailbird closed the ticket without responding to the issue, while the remaining 12 vendors have not yet commented on the researcher’s report.
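As an added illustration (not code from Haddouche’s site or from any affected client), the following Python shows why the header-parsing issue above works and what a hardened client should check: an RFC 2047 encoded-word whose decoded bytes carry a NUL or a line break makes a naive display show one address while the raw header actually routes through a different domain. The sample headers and the domains in them are constructed for this example.

```python
"""Detect the MailSploit header pattern: an RFC 2047 encoded-word in
From: whose decoded bytes carry NUL / CR / LF, so that a client which
treats the decoded text as a C string or a single line shows an
address with a domain other than the one the message really uses.
Sample headers below are constructed for this example."""
import base64
import re

# Encoded-word syntax: =?charset?Q-or-B?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([qQbB])\?([^?]*)\?=")
# C0 control characters and DEL never belong in a decoded header value
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed samples: a NUL and a CRLF hidden in a Q-encoded word, then a benign header
SAMPLE_NUL = "=?utf-8?Q?ceo=40corp=2Eexample=00?=@attacker.example"
SAMPLE_CRLF = "=?utf-8?Q?ceo=40corp=2Eexample=0D=0A?=@attacker.example"
SAMPLE_LEGIT = "=?utf-8?Q?Jos=C3=A9?= <jose@corp.example>"


def _decode_q(payload: str) -> bytes:
    """Q encoding: '_' is a space, '=XX' is one raw byte."""
    text = payload.replace("_", " ")
    return re.sub(r"=([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")


def decode_encoded_words(raw: str) -> str:
    """Turn every encoded-word into text, as a client does before display."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        data = _decode_q(payload) if enc == "Q" else base64.b64decode(payload)
        return data.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, raw)


def naive_display(decoded: str) -> str:
    """What a client shows if it stops at the first NUL, CR or LF."""
    return re.split(r"[\x00\r\n]", decoded, maxsplit=1)[0].strip()


def _domain(addr: str) -> str:
    """Domain part of the last address in a header fragment (simplified)."""
    return addr.rsplit("@", 1)[-1].strip(" >").lower() if "@" in addr else ""


def check_from_header(raw: str) -> dict:
    """Hardened check: flag control characters in the decoded value and a
    displayed domain that differs from the domain the raw header routes through."""
    decoded = decode_encoded_words(raw)
    shown = naive_display(decoded)
    issues = []
    if CONTROL_CHARS.search(decoded):
        issues.append("control characters in decoded header")
    if _domain(shown) != _domain(raw):
        issues.append(f"displayed domain {_domain(shown)!r} differs "
                      f"from routing domain {_domain(raw)!r}")
    return {"displayed": shown, "routing_domain": _domain(raw), "issues": issues}


if __name__ == "__main__":
    for sample in (SAMPLE_NUL, SAMPLE_CRLF, SAMPLE_LEGIT):
        print(check_from_header(sample))
```

A real client should refuse to render (or visibly mark) any From value for which `issues` is non-empty, rather than silently truncating at the control character.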

Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities


It’s Patch Tuesday—time to update your Windows devices.

Microsoft has released a large batch of security updates as part of its November Patch Tuesday to fix a total of 53 new security vulnerabilities in various Windows products, 19 of which are rated critical, 31 important and 3 moderate.

The vulnerabilities impact the Windows OS, Microsoft Office, Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, .NET Core, and more.

At least four of these vulnerabilities that the tech giant has now fixed have public exploits, allowing attackers to exploit them easily. But fortunately, none of the four are being used in the wild, according to Gill Langston at security firm Qualys.

The four vulnerabilities with public exploits are identified by Microsoft as CVE-2017-8700 (an information disclosure flaw in ASP.NET Core), CVE-2017-11827 (Microsoft browsers remote code execution), CVE-2017-11848 (Internet Explorer information disclosure) and CVE-2017-11883 (denial of service affecting ASP.NET Core).

Potentially Exploitable Security Vulnerabilities

What’s interesting about this month’s Patch Tuesday is that none of the Windows OS patches are rated Critical. However, the Device Guard Security Feature Bypass Vulnerability (CVE-2017-11830) and the Privilege Elevation flaw (CVE-2017-11847) are something you should focus on.

Also, according to an analysis of Patch Tuesday fixes by Zero-Day Initiative, CVE-2017-11830 and another flaw identified as CVE-2017-11877 can be exploited to spread malware.

“CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticated files,” Zero-Day Initiative said.

“CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers.”

The tech giant also fixed six remote code execution vulnerabilities that exist “in the way the scripting engine handles objects in memory in Microsoft browsers.”

Microsoft identified these vulnerabilities as CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which could corrupt memory in such a way that attackers could execute malicious code in the context of the current user.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,” Microsoft said. “These websites could contain specially crafted content that could exploit the vulnerability.” 

17-Year-Old MS Office Flaw Lets Hackers Install Malware

Also, you should be extra careful when opening files in MS Office.

All versions of Microsoft Office released in the past 17 years have been found vulnerable to a remote code execution flaw (CVE-2017-11882) that works against all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Due to improper memory operations, the affected component fails to properly handle objects in memory, corrupting it in such a way that an attacker could execute malicious code in the context of the logged-in user.

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software, which could allow attackers to remotely install malware on targeted computers.

Adobe Patch Tuesday: Patches 62 Vulnerabilities

Besides fixing vulnerabilities in its various products, Microsoft has also released updates for Adobe Flash Player.

These updates correspond with Adobe Update APSB17-33, which patches 62 CVEs for Acrobat and Reader alone. So, Flash Player users are advised to ensure that they update Adobe across their environment to stay protected.

It should also be noted that last Patch Tuesday, Microsoft quietly released the patch for the dangerous KRACK vulnerability (CVE-2017-13080) in the WPA2 wireless protocol.

Therefore, users are also recommended to make sure that they have applied last month’s security patches.

In addition, users are strongly advised to apply the November security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

For installing security updates, just head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Equifax Hack Exposes Personal Info of 143 Million US Consumers


It’s ironic—the company that offers credit monitoring and ID theft protection solutions has itself been compromised, exposing personal information of as many as 143 million Americans—that’s almost half the country.

Equifax, one of the largest credit reporting firms in the US, admitted today that it had suffered a massive data breach somewhere between mid-May and July, which was discovered on July 29.

However, it is unknown why Equifax waited 6 weeks before informing its millions of affected customers about the massive security breach.

Stolen data includes consumers’ names, Social Security numbers and birth dates for 143 million Americans, driving licence numbers in some instances, and credit card numbers for about 209,000 citizens.

The company said that some personal information for Canadian and British residents was also compromised.

Moreover, reportedly, three senior executives at Equifax, John Gamble (CFO), Joseph Loughran and Rodolfo Ploder, sold almost $2 million worth of their shares just days after the company learned of this massive hack.

Equifax says its investigation is ongoing.

Meanwhile, all Equifax customers are advised to visit http://www.equifaxsecurity2017.com website to check if their information has also been stolen.

Equifax is asking affected customers to sign up for credit-monitoring and identity theft protection services—isn’t this funny?

Don’t worry; it’s free for affected users.

Stay tuned for more information, stay safe online.

Powered by WPeMatico

Incapsula Updated Review — New Security Options, Improved Delivery and Reliability


It’s been close to five years since we last looked at Incapsula, a security-focused CDN service known for its DDoS mitigation and web application security features.

As one would expect, during these five years the company has expanded and improved, introducing lots of new features and even several new products.

Most recently, Incapsula underwent an extensive network expansion that includes new PoPs in Asia, among them two new data centers in New Delhi and Mumbai.

This seems like an excellent opportunity to revisit the service and see how it has evolved.

Acquisition, Award and Growth

Before we jump into Incapsula’s service upgrades, we want to mention the changes in the company itself briefly.

The most notable of those is Incapsula’s 2014 acquisition by Imperva—an authority in web application security and a four-time Gartner Magic Quadrant leader for web application firewalls.

The acquisition boosted Incapsula’s security capabilities, resulting in its own cloud-based WAF also being recognised by Gartner analysts. Similarly, Incapsula’s DDoS mitigation solutions were awarded a leadership position in a Forrester Wave for DDoS Service Providers report.

Even more impressive is the company’s growth.

When we last reviewed Incapsula, its services had a few thousand users. It is now the platform of choice for numerous prominent organisations, including some of the largest bitcoin exchanges (BTC China, Bitstamp & Unocoin), online retailers (KickUSA) and popular SaaS companies (Moz).

Today, Incapsula services are being used by over 160,000 organisations worldwide.

Incapsula Service Review

Leveraging its newfound success and resources, Incapsula spent the last five years investing heavily in its technology, both to boost its legacy business and to venture into new directions, such as addressing its customers’ non-security needs.

New DDoS Protection Options


Incapsula was always known for its DDoS mitigation. Playing to its strengths, many of its newest features expand its DDoS mitigation capabilities.

When we first reviewed Incapsula, they were already mitigating layer 3-4 and layer 7 DDoS attacks.

Today, Incapsula has evolved to protect against direct-to-DNS attacks. It now also offers a BGP-enabled DDoS mitigation service to complement its previous CDN-based offering. This BGP-based solution allows Incapsula to protect any type of online service (email servers, FTP, you name it) in addition to websites and web applications.

To address the increase in attack sizes and demand from new customers, Incapsula improved network protection by upgrading its scrubbing capacity to over 3.5 Tbps.

One of its most interesting solutions is DDoS protection for individual IPs.

Usually, this kind of protection is only available to companies that have an entire Class C subnet. Incapsula, however, has found a smart way around that requirement, which makes it an excellent choice for small and medium businesses that don’t own a subnet but still find themselves bombarded by DDoS assaults.

Figure: Incapsula recently mitigated a massive 650 Gbps DDoS flood

Using its array of new technologies, Incapsula has mitigated some of the largest and highest profile attacks in recent memory, including a record-setting 650 Gbps DDoS flood and a recent 54-hour assault against a prominent US college.

These are just a few prominent examples. To give you some idea of the entire scope of Incapsula activity, in the first quarter of 2017 the company mitigated an average of 266 network layer attacks and 1,099 application layer assaults every week. This adds up to just over 17,500 attacks in a quarter.

Performance and Reliability


In addition to its new anti-DDoS solutions, and the benefits that Imperva brought to its cloud-based WAF, Incapsula also expanded its offering to include several reliability and performance features.

In our opinion, the most interesting of these is a cloud-based load balancer that offers one centralised option for both in-data center and cross-data center load management.

The service is not TTL reliant, which enables near-instant rerouting. What’s more, the traffic distribution techniques it uses are more accurate than most appliance counterparts: it can distribute the load based on the actual volume of requests being processed on each end server, and it can perform failover in a matter of seconds.

These benefits, and the fact that the service is offered on a subscription basis, make it great value for money, especially for organisations that operate several data centers and would otherwise need to purchase multiple services and appliances.

On the performance front, Incapsula’s CDN offering was boosted by a host of additional control and optimisation features. These offer granular control over caching policies based on resource type and file location, as well as the ability to purge the cache in real time, still a common issue for many CDN platforms.

Other new control features include an Incapsula application rule engine that governs application delivery through custom policies. These offer a practically limitless number of custom optimisation options that are most likely to benefit larger and more complex sites.

A Security First Application Delivery Platform

Five years ago we mostly viewed Incapsula as a CDN-based WAF with some DDoS mitigation solutions. The service has since outgrown that description.

Incapsula’s new availability and application delivery services, as well as many new security features, make Incapsula what it always claimed to be: a full-fledged application delivery platform that marries security, performance and availability in one cost-effective service package.

That said, Incapsula is still a security first enterprise-grade service, so it isn’t a good alternative to free CDNs on the market.

However, for commercial organisations looking for more than an underlying CDN and check box security, we recommend checking out Incapsula. You can start by signing up for a free enterprise plan trial to see if it’s a good fit.


Instagram Hacker Puts 6 Million Celebrities Personal Data Up For Sale On DoxaGram


It’s now official: Instagram has suffered a massive data breach, and reportedly an unknown hacker has stolen the personal details of more than 6 million Instagram accounts.

Just yesterday, we reported that Instagram had patched a critical API vulnerability that allowed the attacker to access phone numbers and email addresses for high-profile verified accounts.

However, the Instagram hack now appears to be more serious than initially reported.

Not just a few thousand high-profile users, but more than 6 million Instagram users, including politicians, sports stars, and media companies, have had their Instagram profile information, including email addresses and phone numbers, put up for sale on a website called Doxagram.

The suspected Instagram hacker has launched Doxagram, an Instagram lookup service, where anyone can search for the stolen information for just $10 per account.

A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in Instagram’s mobile API, specifically in the password reset option, which apparently exposed users’ mobile numbers and email addresses in the JSON response, but not passwords.


Instagram has not confirmed the hacker’s claims yet, but the company said Friday it is investigating the data breach.

The news comes three days after an unknown hacker hijacked the most-followed account on Instagram, belonging to Selena Gomez with over 125 million followers, and posted her ex-boyfriend Justin Bieber’s full-frontal nude photographs.

However, Instagram did not confirm if the recent data breach was related to Selena’s hacked account.

The company had already notified all of its verified users of the issue via emails and also encouraged them to be cautious if they receive any suspicious or unrecognised phone call, text message, or email.

With email addresses and phone numbers in hand, the hacker’s next step could be to use the stolen info in tandem with social engineering techniques to gain access to verified Instagram accounts and post on their behalf in order to embarrass them.

Instagram users are also strongly advised to enable two-factor authentication on their accounts and always secure them with a strong, unique password.

Additionally, avoid clicking on suspicious links and attachments you receive in an email and providing your personal or financial details without verifying the source properly.


Game of Thrones and HBO — Twitter, Facebook Accounts Hacked


The Game of Thrones hacking saga continues, but this time it’s HBO’s and GOT’s official Twitter and Facebook accounts that have been compromised, rather than upcoming episodes.

As if the leak of episodes by hackers and the accidental airing of an upcoming episode of Game of Thrones by HBO itself were not enough, a notorious group of hackers took over the official Twitter and Facebook accounts for HBO as well as Game of Thrones Wednesday night.

The hacker group from Saudi Arabia, dubbed OurMine, claimed responsibility for the hack, posting a message on both HBO’s official Twitter and Facebook accounts, which read:

“Hi, OurMine are here, we are just testing your security, HBO team, please contact us to upgrade the security,” followed by a contact link for the group.

This message was followed by another one, wherein hackers asked people to make the hashtag #HBOhacked trending on Twitter, which it did.

OurMine is the same group of hackers from Saudi Arabia that previously compromised the social media accounts of major companies’ CEOs, including Twitter CEO Jack Dorsey, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Facebook-owned virtual reality company Oculus’ CEO Brendan Iribe.

In most cases, OurMine hackers gain access to social media accounts using credentials exposed in previous, publicly known data breaches.


However, the hacking group does not seem to ever go beyond demonstrating its ability to take over an account, without doing much damage to the account or the information it protects.

OurMine offers companies security against hacking, charging up to $5,000 for a “scan” of their social media accounts, site security holes, and other security vulnerabilities, and advertises its commercial services by breaking into famous accounts.

HBO managed to remove the offending tweets shortly after the hackers posted them.

Just yesterday, in a devastating blunder, HBO Spain accidentally aired Episode 6 of Game of Thrones season 7 five days prior to its official premiere.

The popular entertainment company is also facing a threat from a hacker or group of hackers who claimed to have obtained nearly 1.5 terabytes of information from HBO.

Over two weeks ago, the unknown hackers dropped episodes of “Ballers” and “Room 104,” along with a script of the fourth episode of Game of Thrones on the internet.

This leak was followed by another dump of a half-gigabyte sample of stolen data, including the company’s emails, employment agreements, balance sheets, and the script of the upcoming GOT episode, demanding a ransom—nearly $6 Million in Bitcoins.

Although it was revealed that the company offered hackers $250,000 for extending the ransom payment deadline by one week, the proposal apparently failed to satisfy hackers, and they threatened to release more data every Sunday until the full ransom was paid.


Self-Driving Cars Can Be Hacked By Just Putting Stickers On Street Signs


Car hacking is a hot topic, and it’s not new for researchers to hack cars. Previously they had demonstrated how to hijack a car remotely, how to disable a car’s crucial functions such as airbags, and even how to steal cars.

But the latest car hacking trick doesn’t require any extraordinary skills to accomplish. All it takes is a simple sticker on a sign board to confuse a self-driving car and cause an accident.

Isn’t this so dangerous?

A team of researchers from the University of Washington demonstrated how anyone could print stickers off at home and put them on a few road signs to convince “most” autonomous cars into misidentifying road signs and cause accidents.

According to the researchers, the image recognition systems used by most autonomous cars fail to read road signs correctly if the signs are altered by placing stickers or posters over part or all of the sign.

In a research paper, titled “Robust Physical-World Attacks on Machine Learning Models,” the researchers demonstrated several ways to disrupt the way autonomous cars read and classify road signs using just a colour printer and a camera.


By simply adding “Love” and “Hate” graphics onto a “STOP” sign (as shown in the figure), the researchers were able to trick the autonomous car’s image-detecting algorithms into thinking it was just a Speed Limit 45 sign in 100 percent of test cases.

The researchers also performed the same exact test on a RIGHT TURN sign and found that the cars wrongly classified it as a STOP sign two-thirds of the time.

The researchers did not stop there. They also applied smaller stickers to a STOP sign to camouflage the visual disturbances, and the car identified it as street art 100 percent of the time.

“We [think] that given the similar appearance of warning signs, small perturbations are sufficient to confuse the classifier,” the researchers told Car and Driver. “In future work, we plan to explore this hypothesis with targeted classification attacks on other warning signs.”

The sign alterations in all the experiments were small enough to go unnoticed by humans, but because the camera’s software was using an algorithm to understand the image, it interpreted the sign in a profoundly different way.

This small alteration to the signs could result in cars skipping junctions and potentially crashing into one another.

The research was carried out by researchers from the University of Washington, the University of Michigan Ann Arbor, Stony Brook University and the University of California Berkeley; the credited researchers include Ivan Evtimov, Kevin Eykholt, Earlence Fernandes, Tadayoshi Kohno, Bo Li, Atul Prakash, Amir Rahmati, and Dawn Song.

Although the researchers did not reveal the manufacturer whose self-driving car they used in their experiments, threats to self-driving cars have once again made us all think twice about owning one in the future.


Feds Seize AlphaBay and Hansa Markets in Major Dark-Web Bust


It’s finally confirmed: in a coordinated international operation, Europol along with the FBI, the DEA (Drug Enforcement Agency) and the Dutch National Police have seized and taken down AlphaBay, one of the largest criminal marketplaces on the Dark Web.

But not just AlphaBay, the law enforcement agencies have also seized another illegal dark web market called HANSA, Europol confirmed in a press release today.

According to Europol, both underground criminal markets are “responsible for the trading of over 350,000 illicit commodities including drugs, firearms and cybercrime malware.”

On July 4th, AlphaBay suddenly went down without any explanation from its administrators, which left its customers in panic. Some of them even suspected that the website’s admins had pulled an exit scam and stolen user funds.

However, last week it was reported that the mysterious shut down of the dark web marketplace was due to a series of raids conducted by the international authorities.

The raid also resulted in the arrest of Alexandre Cazes, a 26-year-old Canadian citizen who was one of the alleged AlphaBay’s operators and was awaiting extradition to the US when a guard found him hanged in his jail cell the next day.

Now, Europol has announced that two of the largest criminal Dark Web markets, AlphaBay and Hansa, have been shut down by the authorities, describing their infrastructure as “responsible for the trading of over 350 000 illicit commodities including drugs, firearms and cybercrime malware.”

“This is an outstanding success by authorities in Europe and the US. The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries,” Rob Wainwright, Europol Executive Director said. 

“By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the Dark Web. There are more of these operations to come.”

Feds Covertly Monitored Activities of Criminals on Hansa Market

This is what made the operation more interesting.

The federal authorities revealed that they secretly took control over the Hansa market around a month ago and kept it running in an effort to monitor the activities of vendors and buyers without their knowledge.

And here’s the icing on the cake: during the same period, federal authorities purposely took down only AlphaBay, forcing its users to move to the Hansa market for their illegal trading and purchasing.

“We could identify and disrupt the regular criminal activity that was happening on Hansa market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities,” Rod Jay Rosenstein, the Deputy Attorney General for the DoJ, said today in a live press conference in Washington DC.

How One Simple Mistake Revealed AlphaBay Operator’s Identity

Cazes made the same mistake that most cybercriminals do, which revealed his real identity and led to his arrest: he was using his personal email address (Pimp_Alex_91@hotmail.com) to send welcome and support emails to all members of his AlphaBay website.

The feds learned that the email address belonged to a Canadian man named Alexandre Cazes, born October 19, 1991, who was working as president of a software company called EBX Technologies.

Cazes has been charged with a total of 16 counts, including:

  • 1 count of conspiracy to engage in racketeering
  • 1 count of conspiracy to distribute narcotics
  • 6 counts of distribution of narcotics
  • 1 count of conspiracy to commit identity theft
  • 4 counts of unlawful transfer of false identification documents
  • 1 count of conspiracy to commit access device fraud
  • 1 count of trafficking in device making equipment
  • 1 count of money laundering conspiracy

“Law enforcement authorities in the United States worked with numerous foreign partners to freeze and preserve millions of dollars’ worth of cryptocurrencies that were the subject of forfeiture counts in the indictment, and that represent the proceeds of the AlphaBay organization’s illegal activities,” the DoJ says.

After the disappearance of Silk Road, AlphaBay emerged in 2014 and became a leader among dark web marketplaces for selling illicit goods from drugs to stolen credit card numbers, exploits, and malware.

Prior to its takedown, AlphaBay Market reached more than 200,000 customers and 40,000 vendors, with over 250,000 listings for illegal drugs and over 100,000 stolen and fraudulent identification documents and access devices, malware and other computer hacking tools.

Authorities believe that dark web sites like AlphaBay and Hansa were responsible for the loss of many lives in America.

“Today, some of the most prolific drug suppliers use what is called the dark web, which is a collection of hidden websites that you can only access if you mask your identity and your location,” Rosenstein said.

“One victim was just 18 years old when in February she overdosed on a powerful synthetic opioid which she had bought on AlphaBay. Grant Siever, only 13 years of age, a student at Treasure Mountain Junior High School, Utah, Park City, when he passed away, after overdosing on a synthetic opioid that had been purchased by a classmate on AlphaBay.”

Like AlphaBay, Silk Road, the largest Dark Web market of its time, was also shut down after law enforcement raided its servers in 2013 and arrested its founder, Ross William Ulbricht, who has since been sentenced to life in prison.

The feds also seized Bitcoins (worth $33.6 million, at that time) from the dark web site. Those Bitcoins were later sold in a series of auctions by the United States Marshals Service (USMS).
