Prolific Cybercrime Marketplace WT1SHOP Shut Down in Law Enforcement Operation
Read also: Albania cuts diplomatic ties with Iran over a cyberattack, a new Apple zero-day is being sold on the dark web, and more.
Authorities dismantle WT1SHOP, one of the largest marketplaces for stolen credentials and credit cards
An international operation carried out by law enforcement agencies from Portugal, Moldova, the U.S., the U.K., and the Netherlands, has resulted in the seizure of a website and several domains belonging to WT1SHOP, one of the largest cybercrime marketplaces that sold stolen credit cards, ID cards, and login credentials.
According to the authorities, WT1SHOP held over 5.85 million records, including scanned driver’s licenses and passports, login credentials for online shops, financial institutions, email accounts, and computers, servers, and network devices.
The authorities have also charged an alleged operator of WT1SHOP with conspiracy and with trafficking in unauthorized access devices. If found guilty, the man faces up to 10 years in prison.
New EvilProxy PhaaS allows even low-skilled hackers to conduct advanced phishing attacks
A new phishing-as-a-service (PhaaS) platform called “EvilProxy” has emerged on the dark web. It offers threat actors a means to bypass the multi-factor authentication (MFA) mechanisms on accounts associated with Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, PyPI, and other major brands.
First discovered in May 2022, the service uses reverse proxy and cookie injection techniques to bypass two-factor authentication (2FA), two methods that had previously been observed in campaigns conducted by state-sponsored hackers.
EvilProxy is offered on a subscription basis per service, with prices ranging from $150 for ten days to $400 for a month. Google accounts are more expensive, costing $250 for ten days, $450 for 20 days, and $600 for 31 days.
New Apple zero-day exploit is available on the dark web for €2.5m
An exploit for a zero-day flaw in iOS and macOS devices is being sold on the dark web for a price of €2.5 million. In August, Apple issued security updates to address two zero-day RCE vulnerabilities (CVE-2022-32893 and CVE-2022-32894) said to have been actively exploited in the wild.
However, mere days after the patches resolving the flaws were released, security researchers stumbled upon a publication on an underground forum in which a user was offering an exploit for a new zero-day vulnerability related to CVE-2022-32893 for €2.5 million.
An internet search for the two vulnerabilities showed that hackers were actively discussing CVE-2022-32893/4 on platforms ranging from Telegram hacking channels to Tor sites and were interested in additional zero-days around the existing patch.
Albania blames Iran for a July cyberattack, cuts diplomatic ties
Albania has severed diplomatic relations with Iran after blaming Tehran for orchestrating a massive cyberattack on July 15 that disrupted government services and websites. Iranian embassy personnel have been asked to leave the country within 24 hours.
Albanian Prime Minister Edi Rama said that the investigation into the incident provided “indisputable evidence” that the Islamic Republic of Iran was behind the cyber intrusion, which allegedly was carried out by four hacker groups on its behalf.
Nasser Ka’nani, the spokesperson of the Iranian Foreign Minister, has denied the accusations and called them baseless.
The U.S. said it strongly condemns Iran’s cyberattack against Albania, a NATO ally, and will take further steps “to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace.”
Some former Conti members repurpose their tools to target Ukraine
Former members of the notorious Conti ransomware operation, now part of a hacker group cybersecurity researchers track as UAC-0098, are adapting their sophisticated attack techniques for use against Ukrainian entities, as well as humanitarian and non-profit organizations in Europe.
UAC-0098 has previously used the IcedID banking trojan in ransomware attacks, acting as an initial access broker for various ransomware groups, such as Quantum and Conti, but recently has switched its focus to Ukraine.
From April to August 2022, UAC-0098 carried out five different phishing campaigns, one of which delivered “AnchorMail,” a Conti-developed tool designed to provide backdoor access to systems. Interestingly, the attacks appeared to be both politically and financially motivated, Google’s TAG team noted.