
Jaff ransomware, one of the newest and fastest-rising strains, has been sweeping the world in the past month. As it turns out, the operation behind it extends well beyond malicious data encryption.

While analyzing a recent variant of Jaff, researchers have uncovered that this ransomware type shares server space with a refined cyber crime web store.

As observed in previous campaigns, the Jaff ransomware infection starts with a malicious PDF, which, when opened, prompts the user to click on an additional file, while triggering the infection in the background.

[Image: Jaff ransomware malicious PDF]

By following the trail and digging deeper into cyber criminal infrastructure, researchers discovered the web shop that provides access to tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address.

Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, as well as compromised accounts on PayPal, Amazon, eBay and many more.

Prices per item vary from under a dollar to several Bitcoins.

[Screenshot: cyber crime web shop - 1]

Access to the marketplace doesn’t include a vetting process, making the barrier to entry quite low for malicious actors of all kinds.

What’s more, the shop also includes filters, so the buyer can find the targets with the most lucrative potential. For example, the screenshot below shows that the compromised accounts from the New Zealand bank ASB listed in the shop total $275,241.

Banks from all over the world are listed, ranging from German financial institutions, to US and Australian ones. The highest volume of compromised records appears to originate from these countries: USA, Germany, France, Spain, Canada, Australia, Italy and New Zealand.

[Screenshot: cyber crime web shop - 2]

Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com and many other ecommerce portals can become victims of cyber fraud or other types of malicious activity.

This doesn’t mean that those specific web shops have been compromised. Cyber criminals use a wide range of tactics to get into victims’ accounts, often focusing on breaking weak and/or reused passwords.

[Screenshot: cyber crime web shop - 3]

Black hat hackers can not only harvest financial data from these accounts, but also use the accounts themselves to make purchases.

[Screenshot: cyber crime web shop - 4]

Credit card data remains one of the hottest commodities in the malware economy, providing easy access to cash, which cyber criminals can then turn into untraceable Bitcoins.

The server used for these criminal operations is located in St. Petersburg, Russia, and is hosted on 5.101.66[.]85 (sanitized for your protection). The same server is also part of the infrastructure that fuels the Jaff ransomware attacks that have been sweeping across Europe and the rest of the world.

The cyber crime marketplace uses the following domains (sanitized for your protection):

http://paysell[.]info
http://paysell[.]net
http://paysell[.]me
http://paysell[.]bz
http://paysell[.]org
http://paysell[.]ws

And on Tor:

paysellzh4l5lso7[.]onion
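The indicators above are published in sanitized ("defanged") form, which is the right way to share them but means they must be re-fanged before they can be matched against logs. The following Python script is an added example, not code from the article or from CSIS Security Group: it re-fangs the IP address and domains listed above, builds a word-boundary-aware matcher so that look-alike hosts such as `notpaysell.info` do not trigger, and sweeps a handful of constructed proxy and DNS log lines for any contact with that infrastructure. The log lines, the `10.0.4.x` client addresses and the `203.0.113.5` destination are all constructed for this example and come from no real environment.

```python
import re
from typing import Dict, List, Pattern, Set

# Indicators exactly as published (defanged) in the article above.
DEFANGED_IOCS = [
    "5.101.66[.]85",
    "http://paysell[.]info",
    "http://paysell[.]net",
    "http://paysell[.]me",
    "http://paysell[.]bz",
    "http://paysell[.]org",
    "http://paysell[.]ws",
    "paysellzh4l5lso7[.]onion",
]

# Constructed sample log lines (proxy and DNS resolver), not real traffic.
CONSTRUCTED_LOGS = [
    '2017-05-20T10:12:01Z proxy src=10.0.4.17 dst=5.101.66.85 method=POST url="http://5.101.66.85/" status=200',
    '2017-05-20T10:12:03Z dns client=10.0.4.17 query=paysell.info type=A answer=5.101.66.85',
    '2017-05-20T10:13:44Z proxy src=10.0.4.22 dst=203.0.113.5 method=GET url="https://www.example.org/" status=200',
    '2017-05-20T10:14:09Z dns client=10.0.4.31 query=notpaysell.info type=A answer=NXDOMAIN',
    '2017-05-20T10:15:30Z proxy src=10.0.4.17 dst=5.101.66.85 method=GET url="http://www.paysell.net/login" status=302',
]


def refang(indicator: str) -> str:
    """Undo common defanging and reduce a URL to its bare host.

    Handles '[.]' (with or without surrounding spaces), the 'hxxp' scheme
    spelling, and strips 'http://' or 'https://' and trailing slashes.
    """
    s = re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"^https?://", "", s, flags=re.IGNORECASE)
    return s.rstrip("/").lower()


def build_matcher(iocs: List[str]) -> Pattern[str]:
    """Compile one regex that matches any re-fanged host as a whole token.

    The negative lookbehind/lookahead reject word characters and hyphens on
    either side, so 'notpaysell.info' and '15.101.66.85' do not match, while
    a preceding dot is allowed so that subdomains like 'www.paysell.net' do.
    """
    hosts = sorted({refang(i) for i in iocs}, key=len, reverse=True)
    alternation = "|".join(re.escape(h) for h in hosts)
    return re.compile(r"(?<![\w-])(" + alternation + r")(?![\w-])", re.IGNORECASE)


def extract_client(line: str) -> str:
    """Pull the internal client address out of a 'src=' or 'client=' field."""
    m = re.search(r"\b(?:src|client)=(\S+)", line)
    return m.group(1) if m else ""


def scan_logs(lines: List[str], iocs: List[str] = DEFANGED_IOCS) -> List[Dict]:
    """Return one hit record per log line that mentions any indicator."""
    pattern = build_matcher(iocs)
    hits = []
    for lineno, line in enumerate(lines, 1):
        found = sorted({m.group(1).lower() for m in pattern.finditer(line)})
        if found:
            hits.append({"line": lineno, "indicators": found, "client": extract_client(line)})
    return hits


def affected_clients(hits: List[Dict]) -> Set[str]:
    """Distinct internal hosts that touched the infrastructure; these are the triage list."""
    return {h["client"] for h in hits if h["client"]}


if __name__ == "__main__":
    results = scan_logs(CONSTRUCTED_LOGS)
    for h in results:
        print(f"line {h['line']}: client {h['client']} -> {', '.join(h['indicators'])}")
    print("hosts to triage:", sorted(affected_clients(results)))
```

Run against the constructed lines, the sweep flags lines 1, 2 and 5 and narrows triage to a single internal host, while the look-alike `notpaysell.info` query on line 4 is correctly ignored. In a real environment the same `scan_logs` function would be pointed at exported proxy, DNS or firewall logs, and the re-fanged hosts would also feed a DNS sinkhole or proxy blocklist.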

[Image: cyber crime web shop and Jaff ransomware infrastructure]

This discovery shows once more that cyber criminal operations focus on diversifying their assets and revenue channels so they can play an increasingly larger role in the malware economy.

As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim.

What’s more, some of the largest data breaches in the past years (Target, Home Depot, TJX Companies, etc.) have targeted payment card data, constantly feeding the Dark Web with stolen credentials to be sold and purchased.

The information advantage is an ace that black hat hackers want to own, so they can play it at the right time.

By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment.

We may well see these two models combined, with data breaches followed by ransomware attacks on the same victims, which would make them a nightmare for companies to deal with.

The best protection against these attacks, for companies and home users alike, remains proactive security accompanied by at least basic cyber security education.

*This article features cyber intelligence provided by CSIS Security Group researchers.
