
“Want to buy some profile dumps. Is there any? I’m ready to pay in Bitcoins.”
After I had posted this message on three Tor network message boards hidden in the dark web, my wait ended after nearly twenty hours, when an “Anonymous” asked on a “TORCHAN” board (http://zw3crggtadila2sg.onion/): “How we know you’re not an FBI scum?”

A real scummy question indeed! I wish I had a gentle reply!

You attract more of the slang peculiar to the dark web if you cannot prove that you are not really “FBI scum”. The other boards bore no fruit, at least not within the twenty-hour deadline I had set, knowing it was too short.

I sneaked into the dark web to get some tips about the ‘biggest data heist’ that had shaken the web world a few months back, in which one billion ‘Yahoo!’ user profiles were stolen and sold to at least three parties for a hefty price, and according to the security firms the hoaxers were still hanging around for some final dollars. Is anyone still lurking behind the darkness to sell some more stuff? I just tried my luck to trace them. I wished for some luck and some lead.
Waiting twenty hours is no time at all on the dark web; you have to wait much longer, and take every precaution to hide your IP address, before moving toward any illegitimate transaction. Against the backdrop of such transactions, 2016 saw a record rate of cyber attacks and data theft, and the Yahoo! breach was the biggest of them. It is not only the largest data heist in web history; it has grimmer implications for a generation that is ‘digitally connected’. The disaster has only begun, and it is personal and financial. Forget the rest of the world: in India alone, cyber crimes registered under the Indian Penal Code rose by nearly fifty percent last year. When a giant organization loses its user profile database to hacking, the worst hit are the individuals who do not know the ‘ABCD’ of cyber security. They instantly become soft targets for phishing and social engineering, and news of individual financial losses is rarely published.
Actually, anyone can buy anything on the dark web through the Tor network, and the insatiable appetite there runs from ‘anything’ to ‘anybody’. That is how, after nearly three years, the stolen data resurfaced in a dark web marketplace, offered by a black hat hacker using the pseudonym ‘Tessa88’.
It started one fine morning in March last year. The date was 25.03.2016; the time shown on the forum board was 05:28. It must have been early morning in Russia when the black hat hacker “Tessa88” logged in and hinted about the “Yahoo!” data dumps for the first time. The language was primarily Russian, and the board was a Russian message board running undercover, at least judging by its mystifying appearance.
Who is ‘Tessa88’? The black hat hacker claimed, ‘I am a very old inhabitant of the network :)’, and that was true. Why the name ‘Tessa’? Tessa88 said in a chat that it is not a real name, just the name of ‘a whore from Australia.’ These are minor details. Andrei Barysevich, director of Eastern European research and analysis for the security firm Flashpoint, claimed that behind the alias Tessa88 there are actually two people, perhaps a woman and a man. It is quite likely that an underground group lurks in the shadows behind the alias.
“Tessa88” posted the first message in Russian; the first few lines, in English translation, read:
[Only registered and activated users can see links]
For a review 10% discount
Important:! All goods in EMEIL format; PASS or a HASH
Only fresh and 100% private boxes
Shell for mailing. With the criteria of sending and delivery pisma._3 $ _1
1) VK.COM _137.000.000 email accounts; pass_pfone; pass
2) MOBANGO_6.000.000 entries id: email; pass
3) MYSPACE_380.000.000 id records: mail: hash

Since we are not registered, we could not see the links that “Tessa88” posted and boasted about. As usual, such links were most likely either ‘onion’ addresses, Bitcoin wallet addresses or pointers into some private network, and they were meant for dark web transactions only.
If you read the whole message, you would probably not find any mention of ‘Yahoo!’ data at first glance. Instead, “Tessa88” offered user profile data from other sites such as MYSPACE and MOBANGO. The important part was the last line of the list, where he hinted at ‘many other sites’.
1) VK.COM _137.000.000 email accounts; pass_pfone; pass
2) MOBANGO_6.000.000 entries id: email; pass
3) MYSPACE_380.000.000 id records: mail: hash
4) QIP-133.000.000 records
10) And many other sites. Specify in Message
He was ready to sell from MYSPACE and other sites, including Russian social media, and the largest set belonged to MYSPACE: almost four hundred million user profile records. But there was a hint that he had something special to announce at the end of the page.
Within eight hours of his first post, “Tessa88” got an answer from a user called “Mr.Mongo”, and afterwards users like “Fifty”, “Edgar” and “ionline” joined the conversation asking how to get the data. The story soon became sensational international news, and on September 22 the admission came from “Yahoo!”, summarized at the time as: “Yahoo believes that “at least” 500 million user accounts were stolen, which would make it the biggest breach of all time, bigger than the MySpace breach of 427 million user accounts.”
Remember the list ‘Tessa88’ posted on that message board: MYSPACE was among the items, and the size he quoted was of the same order as the MySpace figure in that statement.
As the conversation moved forward, “Tessa88” wrote, on 28 March:
03/28/2016, 06:12
Reviews have to exploit. kardklub Fak and others.
Dame forward to nick a turnip.
Garant welcome.
There are many other dumps, full format, and a lot of different dating mail; pass
Look at the date of “Tessa88”’s second message: March 28. On September 22, nearly six months later, “Yahoo!” published a long statement on its website: “We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers…..” In the same breath, ‘Yahoo!’ hastened to assure its users that the stolen data did not contain credit card or debit card details. Was that assurance enough for peace of mind? No. Anyone computer literate knows that profile information of any kind can invite phishing attacks long after black hat hackers get hold of it, and the hackers will certainly use it for social engineering. Both tricks rely on disguise: the attacker poses as a friend or as the user’s own bank. An unsuspecting user clicks a link sent by the ‘bank’, and the link leads to a fake login page that collects the user’s login credentials and delivers them to the attackers.
By the time the whole world came to know about the biggest data heist in the history of the web, cyber security people were in a tizzy, and one question tormented every security professional. According to ‘Yahoo!’s own statements, the intrusions dated back to 2013 and 2014. Why did ‘Tessa88’ take so many years to announce the ‘dumps’? What happened in between? Had they social-engineered millions of people in the meantime? Had they exhausted the potential of phishing attacks in between?
Later it came out that the stolen profile database included plenty of American military and security personnel who had used their official email addresses as recovery emails for their “Yahoo!” accounts. Was a ‘state actor’ really behind the attack, as ‘Yahoo!’ claimed? Did ‘Tessa88’ act as a front man for a foreign spymaster? Or did the black hat hackers simply sell the stolen data to some ‘state actor’? The mystery deepened.
On 14 December “Yahoo!” issued another statement: “Yahoo has identified data security issues concerning certain Yahoo user accounts. Yahoo has taken steps to secure user accounts and is working closely with law enforcement.”
It is too late; the damage has already been done, and you will never get the exact number of individual victims. Ordinary people, who usually reuse the same username and password combination across sites, fall prey easily to cyber criminals, and they tend to click every link sent by fraudsters posing as ‘friends’ and ‘banks’ without suspecting fraud. At last year’s RSA Conference, ‘Tripwire’ surveyed 200 security professionals about the state of phishing attacks; more than half (58 percent) said their organizations had seen an increase in phishing attacks in the past year. ‘Verizon’, in its 2016 Data Breach Investigations Report, noted that the growth of phishing in both frequency and sophistication poses a significant threat to all organizations.
Now think about ordinary people who do not even know that clicking a link may spell disaster for them, at least financially. Let us again set India aside and consider the British supermarket giant Tesco Bank. In early November last year, Tesco’s consumer finance arm had to freeze online operations after as many as 20 thousand customers had money stolen from their accounts. The bank acknowledged on its website that nearly 40 thousand accounts had been compromised and that half of those had lost money. It is genuinely difficult to diagnose a phishing attack in isolation when someone many thousands of miles away, in a different country, is stealing money from a British account.
“All-in-One Checker” is a hacking tool, available on the underground market, that checks whether hacked username and password combinations from one website also work on another (the technique is now known as credential stuffing). So there is a depressing possibility that these black hat hackers stole the data much earlier, exhausted every way of making money from it, and only then decided to make some ‘final dollars’ by surfacing after three years.
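The replay of a stolen dump that a checker tool performs leaves a recognizable trace in a site’s login log: one source address trying many different usernames in quick succession, most of them failing, with the occasional success where a victim reused the password. The following Python script is an added example, not code from the article or from any tool it names; the log format, the IP addresses and the usernames are constructed for illustration. It parses the sample lines, flags source IPs whose attempts within a sliding window span many distinct users with a high failure rate, and lists the accounts where a replayed password actually worked, which are the accounts to lock and notify first.

```python
"""Credential-stuffing detection over a constructed login log.

Added example (not from the article or any tool it names): flags source
IPs that try many *different* usernames in a short window with a high
failure rate, the signature left by a checker replaying a stolen dump,
and lists the accounts where a replayed password actually worked.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, not real data):
# one line per login attempt, "result=ok" on success.
SAMPLE_LOG = """\
2016-11-05T10:00:01 ip=203.0.113.7 user=alice result=fail
2016-11-05T10:00:09 ip=203.0.113.7 user=alice result=ok
2016-11-05T10:02:00 ip=198.51.100.23 user=bob result=fail
2016-11-05T10:02:02 ip=198.51.100.23 user=carol result=fail
2016-11-05T10:02:04 ip=198.51.100.23 user=dave result=fail
2016-11-05T10:02:06 ip=198.51.100.23 user=erin result=ok
2016-11-05T10:02:08 ip=198.51.100.23 user=frank result=fail
2016-11-05T10:02:10 ip=198.51.100.23 user=grace result=fail
2016-11-05T10:02:12 ip=198.51.100.23 user=heidi result=fail
2016-11-05T10:02:14 ip=198.51.100.23 user=ivan result=fail
2016-11-05T10:30:00 ip=192.0.2.44 user=judy result=fail
2016-11-05T10:30:20 ip=192.0.2.44 user=judy result=fail
2016-11-05T10:30:45 ip=192.0.2.44 user=judy result=fail
2016-11-05T10:31:10 ip=192.0.2.44 user=judy result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return events


def detect_stuffing(events, window_seconds=60, min_users=5, min_fail_ratio=0.7):
    """Map each suspicious IP to the worst window seen for it.

    A window is suspicious when it holds at least ``min_users`` distinct
    usernames and at least ``min_fail_ratio`` of the attempts failed.
    A single user failing repeatedly (forgotten password) never trips
    this, because that is one username, not many.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        j = 0
        for i in range(len(evs)):
            # Slide the right edge so evs[i:j] holds everything within the window.
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            chunk = evs[i:j]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                candidate = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "fail_ratio": ratio,
                    # Successes inside a stuffing burst are the reused-password
                    # victims: the accounts to lock and notify first.
                    "successful_users": sorted(e[2] for e in chunk if e[3]),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against the sample, only 198.51.100.23 is flagged (eight usernames in fourteen seconds, seven failures), and “erin” is reported as the account where a replayed password worked; judy’s four attempts from 192.0.2.44 are a forgotten password, not an attack, because they are one username. In production the thresholds need tuning for shared egress addresses (corporate NAT, mobile carriers), and a checker that rotates through proxies will spread its attempts over many IPs, so the same logic is worth running keyed on other pivots such as the browser fingerprint or the ASN.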
‘Yahoo!’ claimed in its statement that it had found a ‘state actor’ behind the breach. By the middle of 2016 we came to know of one more hacker, ‘Peace of Mind’. A few months after Tessa88 started selling through Russian underground forums, the same data resurfaced on TRDM (The Real Deal Market), a dark web marketplace. This time the seller’s name was ‘Peace of Mind’; the hacker identified as male, and a clear rivalry started brewing between the two, as Tessa88 later told a security firm: ‘Peace_of_mind [is] a fagot who takes undue credit’. According to ‘Tessa88’, ‘Peace of Mind’ was an accomplice with whom “I shared a dump for analysis! And he started selling it.” ‘Peace of Mind’ made the same allegation about ‘Tessa88’: “He stole [the hacked databases] from an old buddy long ago. And he started to sell them.”
‘Tessa88’ accused ‘Peace of Mind’ of cheating him ever since he had given Peace a few database dumps to decrypt. ‘Peace of Mind’ slapped back that ‘Tessa88’ was a thief: an old friend of his had held the dumps originally, and Tessa88 stole them and started selling. As soon as this saber-rattling died down, other hackers started pelting TRDM with denial-of-service attacks. The black hat community was angry because the ‘dumps’ were not up to the mark; the buyers were disgusted with their low quality. The reason was simple: they had hoped to profit from those ‘dumps’ by duping innocent people.
We are in no position to decide whether this was pure drama, a story made up to show investigators a different line of attack. All we know is that over the last two or three years countless people have had money stolen without knowing the source of the fraud.
All the time, on Tor network forums, people want information about other people in exchange for money. What type of information? Look at the ‘INTEL EXCHANGE’ forum (http://rrcc5uuudhh4oz3c.onion). A user asks: ‘im trying to get some info on a person. her name is ‘…..’ Shes from sarasota florida, got 2 kids – ‘….’ and ‘…..’ she did me wrong so im looking for all the info I can get on her.’ (I have kept the spelling unchanged and withheld the names.) Another user asks about an ‘onion’ site, and the forum admin warns that the site might be an FBI honeypot.
But the people asking for trivial help on the underground forums are not the real concern of the civilized world. What happened after ‘Tessa88’ and ‘Peace of Mind’ started selling the ‘dumps’ was the perfect storm. Black hat hackers launched denial-of-service attacks on ‘The Real Deal Market’ (TRDM) and tried to shut it down, simply because they felt cheated by ‘Tessa88’ and ‘Peace of Mind’. That is proof enough that ordinary people were the main target of those fraudsters.
For now we may conclude that the financial disaster has only begun; it has not come full circle yet, and we will have to wait another five or ten years to realize its full impact. From the ‘Digital India’ perspective, we may also hope that the government organizes more awareness campaigns on how to spot a phishing attack. Otherwise we give these new-age cyber criminals free rein to exploit our digital dream.