
DOJ: Now-Closed Site Sold Data Obtained From 10,000 Data Breaches

Prajeet Nair (@prajeetspeaks)
June 4, 2022

The US Department of Justice and the FBI announced that they had seized three domains after an international investigation found that the domains were selling stolen personal information and offering distributed denial-of-service attacks against victims’ networks.


The three seized domains are weleakinfo.to and two related domains, ipstress.in and ovh-booter.com.

“Today, the FBI and the Department stopped two common and distressing threats: websites that traffic in stolen personal information and sites that attack and disrupt legitimate Internet businesses,” said Matthew M. Graves, U.S. Attorney for the District of Columbia. “Cybercrime often crosses national borders. Through strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security and commerce around the entire world.”

WeLeakInfo.to website

The site functioned as a database and search engine, with stolen data indexed so that users could search for files and information “illegally obtained in over 10,000 data breaches containing seven billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” the DOJ says.

It’s unclear how long the weleakinfo.to domain had been running, but the site gained a reputation for selling names, email addresses, usernames, phone numbers and passwords for online accounts to cybercriminals, who bought subscriptions lasting one day, one week, one month, three months or a lifetime, according to the DOJ.

Government agencies also announced the seizure of weleakinfo.com in January 2020, shutting down a similar service then provided on that site. At that time, access to the data was sold for as little as $2 a day. (See also: Closure of the “WeLeakInfo” website).

That police action, involving law enforcement from five countries, led to the closure of WeLeakInfo.com. At the time, the site offered cybercriminals access to more than 12 billion personal records extracted from 10,000 data breaches.

In July 2019, the WeLeakInfo website and its Twitter feed began reporting that 23 million personal records extracted from CafePress were available to subscribers (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security).

When law enforcement in the US, UK and Europe first shut down the WeLeakInfo site in January 2020, police in Northern Ireland and the Netherlands also announced the arrest of two men, both aged 22, suspected of running the site and profiting from the sale of personally identifiable information, malware and other malicious tools. Neither suspect has been named.

The domains ipstress.in and ovh-booter.com were also seized. They allegedly offered to carry out DDoS attacks on behalf of paying customers, a type of service known as a booter or stresser.

Visitors to WeLeakInfo are now greeted with a banner stating that the domain has been seized.

“With the execution of the warrant, the seized domain name weleakinfo.to is now in federal custody, effectively suspending operation of the website,” according to the DOJ. “Visitors to the site will now find a seizure banner informing them that the domain name has been seized by federal authorities. The United States District Court for the District of Columbia has issued the seizure warrant.”

International takedown

In addition to the DOJ and FBI, the seizure of these domains was part of a coordinated law enforcement action with the National Police Corps of the Netherlands and the Federal Police of Belgium.

“Actions executed by our international partners included the arrest of a primary subject, searches at multiple locations, and seizures of web server infrastructure,” according to the DOJ.

In December 2020, the UK National Crime Agency reported the arrest of 21 people suspected of purchasing personally identifiable information from the WeLeakInfo website for various purposes, including buying and selling malicious cyber tools such as remote access Trojans, also known as RATs, and buying “encryptors” (crypters), which can be used to obfuscate malware code, according to the NCA.

The NCA said all are male, between the ages of 18 and 38, and that the arrests took place over a five-week period starting in November 2020.

In addition to the 21 people arrested by police, a further 69 people in England, Wales and Northern Ireland received warnings from the NCA or other domestic law enforcement agencies stating that they may have engaged in criminal activity related to the investigation.

Sixty of those people also received cease and desist notices from the police.

Other recent domain seizures

In April, Microsoft said it had obtained an order from the United States District Court for the Northern District of Georgia allowing it to take control of 65 domains that the ZLoader gang used to grow, control and communicate with its botnet. (See: Microsoft disrupts the ZLoader botnet in its global operation).

ZLoader, a descendant of the ubiquitous Zeus banking malware, is run by a global internet-based organized crime gang that operates malware as a service designed to steal and extort money.

“Domains are now directed to a Microsoft sinkhole where they can no longer be used by criminal botnet operators,” Microsoft said.

The United States had also seized three domains – raidforums.com, rf.ws and raid.lol – that hosted the hacking forum RaidForums. A year-long joint operation by law enforcement from multiple countries led to the shutdown of RaidForums and the seizure of the three domains. (See: Joint law enforcement operation dismantles RaidForums).

RaidForums was used by hackers primarily to buy and sell stolen information, including financial data such as credit card details, bank account numbers, Social Security numbers, login credentials and other personally identifiable information.

The dismantling of RaidForums came days after German police, leading a cross-agency effort, shut down the Russian darknet market Hydra, which was notorious for offering stolen credit and SIM cards, VPN access and cryptocurrency laundering services. Although there were no known arrests, Germany’s Federal Criminal Police Office seized 543 bitcoins, worth approximately $25 million, associated with the market. (See: Germany closes Russian darknet market Hydra).