Aug 30 14

Bifrose malware leveraging on Tor caught in a targeted attack on a device manufacturer

by Pierluigi Paganini

Security experts at TrendMicro have detected a new variant of the BIFROSE malware that leverages the Tor network in a targeted attack.

Security experts at TrendMicro were investigating a targeted attack against a device manufacturer when they discovered that BIFROSE, a well-known backdoor, had infected the company’s systems. BIFROSE has been around for many years and is easy to acquire in the underground. It has data-stealing capabilities but is best known for its keylogging routines; the variant analyzed by TrendMicro (detected as BKDR_BIFROSE.ZTBG-A, SHA-1 hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) also leverages the Tor network to hide the communications between infected machines and the C&C server.

“What makes this variant more elusive is its ability to use Tor to communicate with its command-and-control [C&C] server,” reports a blog post published by TrendMicro.

The BIFROSE malware has been widely used by cyber criminals; in 2010 a threat actor used it to target human resources (HR) personnel at different government offices, including the African Union and NATO. The variant used in the targeted attack on the device manufacturer is able to perform the following operations, as listed in the blog post:

  • Download a file
  • Upload a file
  • Get file details (file size, last modified time)
  • Create a folder
  • Delete a folder
  • Open a file using ShellExecute
  • Execute a command line
  • Rename a file
  • Enumerate all windows and their process IDs
  • Close a window
  • Move a window to the foreground
  • Hide a window
  • Send keystrokes to a window
  • Send mouse events to a window
  • Terminate a process
  • Get display resolution
  • Upload contents of %Windows%\winieupdates\klog.dat
  • Capture screenshot or webcam image

As explained in the post, administrators can detect the presence of a BIFROSE variant on their network by checking for the file klog.dat, which is associated with the keylogging routines. This is a positive indicator only: a host on which the file is absent is not thereby shown to be clean.

“Another indicator would be seeing abnormal activities, such as those seen through network and mail logs. As we’ve mentioned in our past post, 7 Places to Check for Signs of a Targeted Attack in Your Network, network activities such as logins and emails during “abnormal” times need to be checked.” suggests Christopher Daniel So, Threat Response Engineer at TrendMicro.

The use of the Tor network is becoming popular among malware authors; a recent variant of Zeus was also able to hide its communications in the anonymizing network. Tor makes tracking and taking down the malware infrastructure harder, but IT administrators can monitor their networks for Tor activity, since several strains of malware now use Tor to communicate with their C&C servers.
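A host-side check for the two indicators given above (the klog.dat path and the sample hash), as an added example rather than Trend Micro’s own tooling. The 40-hex-digit hash is treated as SHA-1; the scan root is a parameter so the check can run against a mounted disk image, and make_constructed_tree() creates a throwaway directory with a fake klog.dat and a hypothetical binary whose hash is added to the watch list, purely as offline sample input:

```python
"""Host-side indicator check for the BIFROSE variant described above.

Added example, not Trend Micro's code. It checks the two indicators the article
gives: the keylog file %Windows%\\winieupdates\\klog.dat and the sample hash
5e2844b20715d0806bfa28bd0ebcba6cbb637ea1 (40 hex digits, so treated as SHA-1).
"""
import hashlib
import os
import tempfile
from pathlib import Path

KLOG_RELATIVE = Path("winieupdates") / "klog.dat"            # from the capability list above
BIFROSE_SHA1 = {"5e2844b20715d0806bfa28bd0ebcba6cbb637ea1"}   # hash given in the article
HASH_SUFFIXES = {".exe", ".dll", ".dat", ".tmp"}              # keep the hashing pass cheap


def sha1_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so large binaries never have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def windows_dir() -> Path:
    """Resolve %Windows% on the live host (falls back to C:\\Windows)."""
    return Path(os.environ.get("WINDIR") or os.environ.get("SystemRoot") or r"C:\Windows")


def scan(windows_root: Path, hashes=BIFROSE_SHA1) -> dict:
    """Look for BIFROSE indicators under windows_root.

    'klog'      - path of the keylog file if it exists (existence is the
                  indicator the article gives, whatever its size)
    'hash_hits' - files with a watched suffix whose SHA-1 is in `hashes`
    Unreadable files are skipped so one locked file does not abort the scan.
    """
    findings = {"klog": None, "hash_hits": []}
    klog = windows_root / KLOG_RELATIVE
    if klog.is_file():
        findings["klog"] = str(klog)
    for path in windows_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in HASH_SUFFIXES:
            continue
        try:
            if sha1_of(path) in hashes:
                findings["hash_hits"].append(str(path))
        except OSError:
            continue
    return findings


def is_infected(findings: dict) -> bool:
    return findings["klog"] is not None or bool(findings["hash_hits"])


def make_constructed_tree():
    """Constructed sample input: a temp 'Windows' tree with the klog artefact and
    one fake binary (hypothetical name). Returns (root, watch_hashes) for scan()."""
    root = Path(tempfile.mkdtemp(prefix="bifrose_demo_"))
    (root / "winieupdates").mkdir()
    (root / "winieupdates" / "klog.dat").write_bytes(b"")   # an empty keylog is still a hit
    fake = root / "system32" / "svchost32.exe"
    fake.parent.mkdir()
    fake.write_bytes(b"not a real sample")
    return root, BIFROSE_SHA1 | {sha1_of(fake)}


if __name__ == "__main__":
    demo_root, watch = make_constructed_tree()
    print("demo tree:", scan(demo_root, watch))
    print("live host:", scan(windows_dir()))
```

On a live Windows host the script runs against %Windows%; on an analyst workstation point scan() at the mounted image instead, and extend the hash set with any further samples from the vendor write-up.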

Pierluigi Paganini

(Security Affairs – BIFROSE, malware)

Aug 29 14

97K Bugzilla users affected by data disclosure

by Pierluigi Paganini

The Mozilla Security Team announced a new accidental disclosure of the email addresses and encrypted passwords of about 97,000 Bugzilla users.

On Wednesday, officials at Bugzilla, the bug-tracking system managed by Mozilla, confirmed that the email addresses and encrypted passwords of 97,000 users of its test server had been disclosed. Bugzilla is a bug-tracking system widely used by many organizations; according to Mozilla’s Bugzilla team, the data had been hosted on a publicly accessible test server named Landfill since early May.

“One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server.  As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” Mark Côté, an assistant project lead at Bugzilla, said in a blog post.

As explained in the post published by Mozilla’s Bugzilla team, the database dump files containing the disclosed data were posted on a publicly accessible server.


Officials confirmed that the incident didn’t affect any users of

“It’s important to note that, unless users reused the password they used, this does not affect email addresses or passwords,” reports the Bugzilla update.

The incident occurred a few weeks after Mozilla asked about 76,000 members of the Mozilla Developer Network to change their passwords following the accidental disclosure of roughly 76,000 MDN email addresses and the encrypted passwords of about 4,000 users.

“While it is important to note that the disclosure of this development database does not affect, we continue to believe that the broader community would benefit from our increased focus on data practices and therefore will continue with our plan of including the Bugzilla project as well as other community projects in the data practices initiatives we’ve described above.”

Generally, developers access test builds with passwords they would not reuse elsewhere, because they know that test infrastructure is usually less secure than production environments; the risk, as the Bugzilla update notes, is confined to users who did reuse a Landfill password on another service.

The Bugzilla team has reset the passwords of all user accounts on the Landfill test server affected by the disclosure.

Pierluigi Paganini

(Security Affairs – Bugzilla, data leakage)  

Aug 29 14

Google Dorking is a threat to sensitive government data, according to a federal memo

by Pierluigi Paganini

The FBI and the National Counterterrorism Center issued a memo warning government agencies about the risks Google Dorking poses to their websites.

On July 7th, the FBI and the National Counterterrorism Center issued a memo warning law enforcement and private security agencies about the practice of Google Dorking and its capabilities.

The FBI warns the recipients of the memo about the possible use of Google Dorking to “locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks.”


The Bureau is concerned that Google Dorking could be used to gather sensitive information for use in cyber attacks, a reconnaissance practice common in both the hacking and the intelligence communities.

“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,”  “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.” states the memo.

The memo mentions Google’s Advanced Operators for Web Search and their possible use to locate specific content by site, file type, URL and more.

The FBI isn’t the only agency interested in Google Dorking: in May 2013 the existence of a book written by Robyn Winder and Charlie Speight for the NSA, titled Untangling the Web: A Guide to Internet Research, was revealed; it includes a specific section on Google hacking, an entire chapter instructing NSA analysts on how to conduct complex research through queries composed with advanced operators.

The memo highlights an incident in 2011, when a group of hackers used Google Dorking to discover the Social Security numbers of 43,000 people affiliated with Yale University.

Another incident mentioned in the memo occurred in October 2013, when nearly 35,000 websites were compromised by hackers who used Google Dorking to locate vulnerable vBulletin installations.

The memo explains how it is possible to retrieve content and documents indexed in the government web space, data that an attacker could use for various kinds of attacks, such as spear phishing.

The following query, for example, can surface government documents carrying confidentiality markings:

filetype:"xls | xlsx | doc | docx | ppt | pptx | pdf" site:gov "FOUO" | "NOFORN" | "Confidential"

where FOUO stands for “For Official Use Only” and NOFORN means “Not for release to foreign nationals”. Such markings are useful search terms precisely because they are applied only to documents that were never meant to be public.

The memo also provides the following suggestions to prevent Google Dorking from being used to find sensitive information:

» (U//FOUO) Minimize putting sensitive information on the web. If you must put sensitive information on the web, ensure it is password protected and encrypted.
» (U//FOUO) Use tools such as the Google Hacking Database, found at, to run pre-made dork queries to find discoverable proprietary information and website vulnerabilities.
» (U//FOUO) Ensure sensitive websites are not indexed in search engines. GoogleUSPER provides webmaster tools to remove entire sites, individual URLs, cached copies, and directories from Google’s index. These can be found at: home?hl=en.
» (U//FOUO) Use the robots.txt file to prevent search engines from indexing individual sites, and place it in the top-level directory of the web server.
» (U//FOUO) Test your website using a web vulnerability scanner.
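Two of these recommendations can be scripted for a self-assessment. The following is an added example, not code from the memo or from Google: build_dork() reproduces the query form shown above so a webmaster can search their own site before an attacker does, and robots_blocks() uses Python’s standard robots.txt parser to confirm that a path is disallowed. ROBOTS_TXT and the paths are constructed sample input and example.gov is a placeholder site. The caveat the memo leaves implicit is in the docstring: robots.txt is advisory, does not remove content already indexed, and is itself public, so it advertises the paths it protects; authentication or an X-Robots-Tag: noindex response header is the actual control.

```python
"""Self-assessment helpers for the memo's recommendations.

Added example, not from the FBI memo or Google. build_dork() reproduces the
query form quoted in the article; robots_blocks() checks a robots.txt with the
standard library parser. ROBOTS_TXT and the paths are constructed sample input
and example.gov is a placeholder site.
"""
from urllib import robotparser
from urllib.parse import urljoin

# File types and markings taken from the query quoted in the article.
DOC_TYPES = ["xls", "xlsx", "doc", "docx", "ppt", "pptx", "pdf"]
MARKINGS = ["FOUO", "NOFORN", "Confidential"]


def build_dork(site: str, filetypes=DOC_TYPES, keywords=MARKINGS) -> str:
    """Return one dork string in the memo's form (site='gov' covers the .gov space)."""
    types = " | ".join(filetypes)
    words = " | ".join(f'"{k}"' for k in keywords)
    return f'filetype:"{types}" site:{site} {words}'


def robots_blocks(robots_txt: str, base_url: str, path: str, agent: str = "Googlebot") -> bool:
    """True if robots.txt disallows `agent` from fetching `path` under base_url.

    Caveat: robots.txt is advisory. A compliant crawler stops indexing new
    copies, but already-indexed pages stay until removed via webmaster tools,
    and the file itself is public, so it advertises the paths it 'protects'.
    Authentication or an X-Robots-Tag: noindex header is the real control.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, urljoin(base_url, path))


# Constructed sample robots.txt for the placeholder site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /internal/
Disallow: /drafts/
Allow: /public/
"""


def unprotected_paths(robots_txt: str, base_url: str, paths) -> list:
    """Return the paths from `paths` that crawlers are still allowed to fetch."""
    return [p for p in paths if not robots_blocks(robots_txt, base_url, p)]


if __name__ == "__main__":
    print(build_dork("gov"))
    sample = ["/internal/budget.xlsx", "/public/report.pdf", "/uploads/staff.xls"]
    print("still crawlable:", unprotected_paths(ROBOTS_TXT, "https://example.gov/", sample))
```

Run build_dork("example.gov") against the real site, then feed every path that returns a hit to unprotected_paths(); anything listed there is reachable to crawlers and needs access control rather than another robots.txt line.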

Pierluigi Paganini

(Security Affairs – Google Dorking, FBI)  

Aug 29 14

Major cyber attacks hit 5 US banks including JPMorgan

by Pierluigi Paganini

US law enforcement and private security firms are investigating a series of cyber attacks that hit JPMorgan and other financial institutions.

The FBI announced that the Bureau is investigating media reports of cyber attacks on US banks and financial firms, but law enforcement has provided no further information on the incidents or on the affected companies.

“We are working with the United States Secret Service to determine the scope of recently reported cyber attacks against several American financial institutions,” said FBI spokesman Joshua Campbell.

JPMorgan Chase & Co is one of the companies recently targeted, according to a report by the Reuters agency, which cites as sources two people familiar with the incident who asked not to be identified because they were not authorized to speak publicly about the matter.

Other media also reported the attacks on the US banking industry: The New York Times reported late on Wednesday that the systems of JPMorgan and at least four other US banks had been compromised in a series of targeted attacks in August.

JPMorgan was still investigating the attacks at the time of writing; there is no information on the effects of the incident, and JPMorgan spokesman Brian Marchiony declined to comment on the events.

“Companies of our size unfortunately experience cyber attacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels,” he said in a statement.

Bloomberg News published an article speculating on the authors of the attack: the agency suspects the involvement of a Russian cyber gang that carried out attacks against JPMorgan Chase and another, unnamed financial institution in August.

According to Bloomberg, the attacks caused the disclosure of a huge amount of sensitive data, including checking and savings account information:

“Russian hackers attacked the U.S. financial system in mid-August, infiltrating and stealing data from JPMorgan Chase & Co. (JPM) and at least one other bank, an incident the FBI is investigating as a possible retaliation for government-sponsored sanctions, according to two people familiar with the probe. The attack resulted in the loss of gigabytes of sensitive data,”

Law enforcement is investigating whether recent attacks on major European banks are linked to the attacks on the US banking industry, in particular whether the threat actors exploited a similar vulnerability. According to Bloomberg, the hackers exploited a zero-day vulnerability in one of the banks’ websites.

The Times reported that several private security firms have been hired to conduct forensic analysis of the breached networks.

Pierluigi Paganini

(Security Affairs – JPMorgan, banking)  

Aug 28 14

470 million sites are One Day Wonders, one in five is malicious

by Pierluigi Paganini

A study conducted by Blue Coat on 660 million unique hostnames reports that 470 million websites are One Day Wonders and that 22 percent of the parent domains most frequently using them are malicious.

Recent research by security experts at Blue Coat revealed that 470 million websites exist for only one day, and that among the parent domains that rely on them most heavily, more than one in five is malicious. Over a 90-day period Blue Coat analyzed more than 660 million unique hostnames requested by 75 million Internet users and found that 71 percent of them (470 million) were online for a single day, hence the name “One Day Wonders”.

“71 percent of hostnames appeared for just 24 hours. While the majority of these “One-Day Wonders” are the backbone for how Internet content is shared and delivered, the sheer volume provides cover for malicious activity, including communication to infected systems,” states the post published by Blue Coat.

The worrying finding is that 22 percent of the top 50 parent domains that most frequently used One-Day Wonders were malicious.

“While most One-Day Wonders are essential to legitimate Internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity,” said Tim van der Horst, senior threat researcher for Blue Coat Systems. “The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”

These websites are used by cyber criminals to serve malicious code and manage botnets, taking advantage of a site being “new and unknown” to evade security solutions that rely on reputation. Content Delivery Networks often create a unique sub-subdomain per user to track visits for marketing purposes, and cybercriminals are adopting the same approach. One Day Wonder hostnames are difficult to track and can be brought online quickly, so threat actors can use them to build dynamic command and control infrastructure. Another common use is the creation of a unique subdomain for each spam email, a technique that makes detection by spam filters harder.
The principal organizations behind One-Day Wonders are companies with a significant presence on the Internet, such as Google, Amazon and Yahoo, and web optimization companies that help their customers accelerate content delivery. One-Day Wonders are nonetheless a privileged choice in the cyber crime ecosystem because:
  • Dynamic domains are harder to track than static domains and help crooks keep their malicious campaigns under the radar.
  • They are easy to generate, so criminals create a high volume of domains to increase the chance that some elude security controls.
  • Combined with encryption, they improve the detection-evasion capabilities of malicious code.

The way to counter such attacks is to adopt real-time intelligence systems that help security teams quickly identify malicious One Day Wonders, since a hostname that lives for a single day is gone before a static blocklist can catch up with it.
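The first-seen/last-seen logic behind the One-Day Wonder label can be reproduced over an organization’s own DNS or proxy logs. The following is an added example, not Blue Coat’s code or methodology: it marks a hostname as a One-Day Wonder when its whole observed life fits in 24 hours, then counts such hostnames per parent domain so an analyst can separate the expected CDN and tracking churn from a throwaway spam or C&C domain. LOG_LINES is a constructed sample in an “epoch-seconds hostname” form, real logs need their own field mapping, and the parent-domain guess simply takes the last two labels rather than consulting a public-suffix list. The log_end parameter handles the edge case the paragraph glosses over: a hostname first seen near the end of the collection window has not had a day to reappear and cannot yet be classified.

```python
"""Flag One-Day Wonder hostnames in DNS/proxy logs.

Added example, not Blue Coat's code or methodology. LOG_LINES is constructed
sample input ('epoch_seconds hostname' per line); real logs need their own
field mapping.
"""
from collections import defaultdict

ONE_DAY = 24 * 3600

# Constructed sample log: timestamp (epoch seconds) and requested hostname.
LOG_LINES = """\
1409097600 www.example.com
1409097660 a1b2c3.cdn-example.net
1409100000 a1b2c3.cdn-example.net
1409140000 x7f9k2.spam-example.org
1409140100 q3m8v1.spam-example.org
1409140200 z0p4n6.spam-example.org
1409180000 www.example.com
1409200000 d4e5f6.cdn-example.net
1409270000 www.example.com
"""


def parse_log(text: str):
    """Yield (timestamp, hostname) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield int(parts[0]), parts[1].lower().rstrip(".")
        except ValueError:
            continue


def parent_domain(host: str, labels: int = 2) -> str:
    """Crude registrable-domain guess: last `labels` labels (no public-suffix list)."""
    return ".".join(host.split(".")[-labels:])


def one_day_wonders(records, window: int = ONE_DAY, log_end=None) -> dict:
    """Return {hostname: (first_seen, last_seen)} for hosts whose whole observed
    life fits in `window` seconds.

    If log_end (the timestamp at which the log was cut) is given, hosts first
    seen less than `window` before it are left out: they have not had a full
    day to reappear, so calling them One-Day Wonders would be premature.
    """
    span = {}
    for ts, host in records:
        first, last = span.get(host, (ts, ts))
        span[host] = (min(first, ts), max(last, ts))
    result = {}
    for host, (first, last) in span.items():
        if last - first > window:
            continue
        if log_end is not None and first + window > log_end:
            continue  # right-censored: not yet classifiable
        result[host] = (first, last)
    return result


def wonders_by_parent(wonders: dict) -> dict:
    """Count One-Day Wonder hostnames per parent domain, most prolific first."""
    counts = defaultdict(int)
    for host in wonders:
        counts[parent_domain(host)] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    records = list(parse_log(LOG_LINES))
    wonders = one_day_wonders(records, log_end=max(ts for ts, _ in records))
    for parent, n in wonders_by_parent(wonders).items():
        print(f"{parent}: {n} one-day hostnames")
```

A parent domain that is not a known CDN or tracking provider yet spawns many one-day hostnames (spam-example.org in the sample) is the candidate worth pivoting on; the well-known providers at the top of such a list are the legitimate churn Blue Coat describes.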

An infographic summarizing the key findings is available for download at the following link.

Pierluigi Paganini

(Security Affairs – One Day Wonders, cybercrime)

Aug 28 14

Russian Hackers disguise Kelihos bot as Anti-Government Software

by Pierluigi Paganini

Russian hackers are spreading the Kelihos Trojan by leading victims to believe it is software built to hit Western governments.

The Kelihos botnet is still active and exploited by the cybercrime ecosystem to monetize its efforts, as discovered by security experts at Bitdefender. Cyber criminals have a single purpose, to earn money by any means, so it is not surprising that Russian hackers are riding the interest in the conflict in Ukraine to serve malware through links in spam emails purporting to support the Russian cause.

“We, a group of hackers from the Russian Federation, are worried about the unreasonable sanctions that Western states imposed against our country. We have coded our answer and below you will find the link to our program. Run the application on your computer, and it will secretly begin to attack government agencies of the states that have adopted those sanctions,” the malicious spam messages read.

The criminal gang behind this wave of attacks tricks victims by offering software it claims was designed to attack online resources of the US and Western governments; what victims actually run is the Hlux data-stealing trojan, used to recruit new machines into the Kelihos botnet.

The Kelihos botnet was first discovered in 2010, and security firms have identified at least three versions since.

Originally used for spam, phishing and DDoS attacks, the latest version has several capabilities, including communicating with infected computers, stealing data (including FTP and email credentials), stealing bitcoin wallets and sending spam emails.

Kelihos bots give attackers full control of the victim machine; the malicious code can download and execute further payloads and monitor FTP, POP3 and SMTP traffic.

The Hlux trojan drops three clean files, npf_sys, packet_dll and wpcap_dll (the WinPcap packet-capture driver and libraries), which the attackers use to monitor traffic. The experts discovered the malicious campaign while investigating one of the recent spam waves.

“We analyzed one of the recent malicious spam waves and noticed that all the .eml files lead to setup.exe URLs, with 49 unique IPs,” Bitdefender Virus Analyst Doina Cosovan explained.

Tracking the Kelihos botnet is not simple because it is a peer-to-peer botnet; the experts started from a set of infected machines and tried to map out the overall malicious infrastructure.

“To find out the size and distribution of the computers infected during this campaign, we relied on the fact that Kelihos uses P2P. Starting from the 49 distinct IPs, we obtained the list of domains associated to each IP address. For each resulting domain, we obtained the list of corresponding IPs. In the end, we obtained 25.680.758 IP addresses, of which only 55.981 were unique.” 
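The pivot Bitdefender describes, from IPs to the domains that point at them and back to the IPs behind those domains, can be written as a short breadth-first expansion. The following is an added example, not Bitdefender’s code: it reports both the total number of domain-to-IP observations and the set of unique IPs, the distinction behind the “25.680.758 IP addresses, of which only 55.981 were unique” figure quoted above. The two mappings are constructed passive-DNS sample data, not real Kelihos infrastructure. The max_domains_per_ip cap is the caveat a practitioner needs when doing this with real data: an IP that hosts thousands of unrelated domains (shared hosting, a CDN edge, a sinkhole) would otherwise drag half the Internet into the “botnet”, so such hubs are reported separately rather than expanded.

```python
"""Passive-DNS pivot of the kind Bitdefender describes above.

Added example, not Bitdefender's code. IP_TO_DOMAINS and DOMAIN_TO_IPS are
constructed sample data standing in for a passive-DNS source; the addresses
are documentation ranges, not real Kelihos nodes.
"""
from collections import deque

# Constructed passive-DNS sample (not real Kelihos data).
IP_TO_DOMAINS = {
    "198.51.100.10": ["aaa.example", "bbb.example"],
    "198.51.100.11": ["bbb.example"],
    "198.51.100.12": ["ccc.example"],
    # a shared-hosting style IP: many unrelated domains point at it
    "203.0.113.5": ["shared1.example", "shared2.example", "shared3.example", "shared4.example"],
}
DOMAIN_TO_IPS = {
    "aaa.example": ["198.51.100.10", "198.51.100.12"],
    "bbb.example": ["198.51.100.10", "198.51.100.11", "198.51.100.20"],
    "ccc.example": ["198.51.100.12", "203.0.113.5"],
    "shared1.example": ["203.0.113.5", "192.0.2.1"],
    "shared2.example": ["203.0.113.5", "192.0.2.2"],
    "shared3.example": ["203.0.113.5", "192.0.2.3"],
    "shared4.example": ["203.0.113.5", "192.0.2.4"],
}


def expand(seed_ips, ip_to_domains, domain_to_ips, max_domains_per_ip=3, max_hops=3):
    """Breadth-first IP -> domain -> IP expansion with a shared-hosting cap.

    Returns (observations, unique_ips, skipped_hubs):
      observations - total (domain, ip) pairs seen, duplicates included
      unique_ips   - set of distinct IPs reached within max_hops
      skipped_hubs - IPs not expanded because more than max_domains_per_ip
                     domains point at them (likely shared hosting / sinkhole)
    """
    unique_ips = set(seed_ips)
    seen_domains = set()
    skipped = set()
    observations = 0
    queue = deque((ip, 0) for ip in seed_ips)
    while queue:
        ip, hop = queue.popleft()
        if hop >= max_hops:
            continue
        domains = ip_to_domains.get(ip, [])
        if len(domains) > max_domains_per_ip:
            skipped.add(ip)          # report the hub instead of walking through it
            continue
        for dom in domains:
            if dom in seen_domains:
                continue
            seen_domains.add(dom)
            for nxt in domain_to_ips.get(dom, []):
                observations += 1    # every resolution counts, like the quoted total
                if nxt not in unique_ips:
                    unique_ips.add(nxt)
                    queue.append((nxt, hop + 1))
    return observations, unique_ips, skipped


if __name__ == "__main__":
    total, ips, hubs = expand(["198.51.100.10"], IP_TO_DOMAINS, DOMAIN_TO_IPS)
    print(f"{total} observations, {len(ips)} unique IPs, hubs skipped: {sorted(hubs)}")
```

With the cap in place the sample stops at the shared IP and reports it; raising max_domains_per_ip past 4 walks through it and pulls four unrelated addresses into the result, which is exactly the inflation the cap exists to prevent.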

Surprisingly, the experts discovered that over 40 percent of the infected machines were located in Ukraine.

“This can either be an anti-Russian diversion crafted by Ukrainian cyberwar ‘soldiers’ or, more likely, a sign that many of the infected machines belong to Ukraine and now unwillingly distribute the malware,” said Bianca Stanescu, a security analyst at Bitdefender.

The malware is distributed on a global scale and used to serve further malware; more than 500 infected IPs were detected in the US.

Pierluigi Paganini

(Security Affairs – Kelihos botnet, cybercrime)  

Aug 27 14

A wide-open backdoor is present in millions of Netis routers

by Pierluigi Paganini

Routers manufactured by Netcore and sold worldwide under the Netis brand have a wide-open backdoor that can be easily exploited by threat actors.

Experts at TrendMicro discovered that routers manufactured by the Chinese vendor Netcore, and sold under that brand in China, contain a backdoor protected only by a hard-coded password, which gives attackers access to the user’s traffic. The same routers are sold in other countries, including South Korea, Taiwan, Israel and the United States, under the Netis brand.

Netis routers are marketed for wireless transfer speeds of up to 300Mbps, offering better performance for applications like video streaming and VoIP calling.

As explained in the blog post by Tim Yeh, Threat Researcher at Trend Micro, bad actors could exploit the backdoor to bypass the router’s security, run malicious code on the device or change its settings.

“This backdoor is “protected” by a single, hardcoded password located in the router’s firmware. Netcore/Netis routers appear to all have the same password. This “protection” is essentially ineffective, as attackers can easily log into these routers and users cannot modify or disable this backdoor. Almost all Netcore/Netis routers appear to have this vulnerability, based on the information we examined.”states the post.

The backdoor discovered by the experts is a service listening on UDP port 53413 and accessible from the WAN side of the router. Anyone who knows the password hard-coded into the firmware can compromise a Netcore router that is reachable from the Internet, which is the normal situation for almost all residential and SMB users. Through the backdoor a threat actor can upload or download malicious code, change device settings, and mount a man-in-the-middle (MitM) attack to eavesdrop on the user’s Internet traffic and steal sensitive information.

The following image shows the output of the netstat tool on the router, which lists the local addresses of the web admin and backdoor ports.

An additional element of concern is that all Netcore/Netis routers share the same password and the backdoor cannot be changed or disabled. The issue affects millions of devices worldwide, the number of routers found online by a large-scale scan; vulnerable Netcore/Netis routers are easy to discover with an ordinary port scan for the UDP port above.

“Using ZMap to scan vulnerable routers, we found more than two million IP addresses with the open UDP port,” Yeh wrote in the post. “Almost all of these routers are in China, with much smaller numbers in other countries, including but not limited to South Korea, Taiwan, Israel, and the United States.”

Experts at Trend Micro also discovered that a configuration file containing the credentials for the router’s web-based administration panel is stored in clear text and is accessible to attackers.

The post closes with bad news for Netcore/Netis owners, as explained by Yeh:

“Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to replace these devices.”
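Two checks an administrator can run for the backdoor port, as an added example that is not Trend Micro’s tooling. listening_backdoor_ports() parses netstat-style output like the listing the post reproduces and flags a UDP socket on 53413 bound beyond loopback; probe_udp() sends one datagram to a router address on that port and reports whether anything answers. Because the backdoor’s request format is not documented on this page, the probe carries an arbitrary byte and can only separate “replied” from “closed” (an ICMP port-unreachable came back) from “open|filtered” (silence), the ambiguity every UDP scan has: a reply is strong evidence, silence is not a clean bill. NETSTAT_SAMPLE is constructed output, and the router address is a command-line argument.

```python
"""Two checks for the Netcore/Netis backdoor port described above.

Added example, not Trend Micro's code. NETSTAT_SAMPLE is constructed netstat
output; the probe payload is arbitrary because the backdoor protocol is not
documented on the page.
"""
import socket

BACKDOOR_PORT = 53413  # UDP port reported by Trend Micro

# Constructed netstat -an style output (real column layout varies by platform).
NETSTAT_SAMPLE = """\
Proto  Local Address          Foreign Address        State
tcp    0.0.0.0:80             0.0.0.0:*              LISTEN
udp    0.0.0.0:53413          0.0.0.0:*
udp    127.0.0.1:53           0.0.0.0:*
tcp    192.168.1.1:23         0.0.0.0:*              LISTEN
"""


def listening_backdoor_ports(netstat_output: str, port: int = BACKDOOR_PORT) -> list:
    """Return local addresses with a UDP socket on `port` that is reachable
    beyond loopback (0.0.0.0, [::] or an interface address)."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].lower().startswith("udp"):
            continue
        local = fields[1]
        addr, _, lport = local.rpartition(":")
        if not lport.isdigit() or int(lport) != port:
            continue
        if addr in ("127.0.0.1", "[::1]", "::1"):
            continue  # loopback-only listener is not reachable from the WAN
        hits.append(local)
    return hits


def probe_udp(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> str:
    """Send one datagram and classify the outcome.

    'replied'       - something answered: the port is open and talking
    'closed'        - the OS surfaced an ICMP port-unreachable
    'open|filtered' - silence: open but ignoring this payload, or dropped upstream
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x00", (host, port))  # arbitrary byte; the real request format is not public here
        try:
            s.recvfrom(1024)
            return "replied"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


if __name__ == "__main__":
    import sys
    print("backdoor listeners in sample:", listening_backdoor_ports(NETSTAT_SAMPLE))
    if len(sys.argv) > 1:
        print(sys.argv[1], "udp/53413:", probe_udp(sys.argv[1]))
```

Run it with the router’s WAN address as the argument from outside the network; a “replied” result on 53413 from a Netcore/Netis device is the condition Yeh describes, and since the password is hard-coded the only remediations are blocking the port upstream or replacing the device.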

Pierluigi Paganini

(Security Affairs – Netcore – Netis routers, backdoor)  

Aug 27 14

An automated DDoS reflection attack tool used in the wild

by Pierluigi Paganini

A group of hackers dubbed DERP has created a tool to coordinate multi-protocol DDoS reflection attacks, as explained by the Melbourne-based firm Micron21.

For the first time, a hacking group coordinated a range of different DDoS reflection attacks against a data center of Melbourne-based Micron21; the attack occurred on August 2nd.

The experts consider the attack unusual and for this reason coined the term ‘Combination Distributed Reflective Denial of Service’, or CDRDoS, to describe its dynamics.

The particularity of this reflection attack is that, while attackers usually abuse a single UDP service, this time the threat actor abused configuration weaknesses in servers running the NTP, DNS, SSDP and CHARGEN protocols at the same time to increase the magnitude of the ‘reflection’ attack.

Micron21 observed that one of its customers was hit by a modest DDoS attack that peaked at 40Gbps internationally, or 1.2Gbps domestically.

DDoS reflection attacks are considered very dangerous because of the amplification they give attackers: in March 2013 Spamhaus was hit by a major attack that abused DNS, more recently CloudFlare was hit by an NTP-based attack peaking at 400Gbps, and VeriSign reported a 300Gbps attack involving a Content Delivery Network.

The experts believe the attackers have created a “super tool” to coordinate the attack on Micron21; as explained in a blog post, the group called ‘DERP’ or ‘DerpTrolling’ is responsible.

“We believe this new super weapon or a variant of it was used to target one of our Soak and Scrub customers on the 2nd of August 2014 reaching speeds of 40+gbits internationally and over 1.2gbit domestically within Australia. Whilst this attack is very small compared to previous global attacks of 400gbit, we believe it represents the start of the age of what is to be expected in the future for denial of service attacks,” states the post.

The DERP group has been active since 2011 and is known for attacks on the gaming industry; the post speculates that the hackers built a super-tool for CDRDoS, able to coordinate multi-protocol DDoS reflection attacks.

“DERP GLB™ attack technology which was publicly named on the 3rd of January 2014 for its involvement against an attack which targeted riot game servers hosted within Internap NY, which in turn affected Internap’s global network. The DERP GLB™ attack tool looks to be originally based on exploiting the NTP protocol targeting NTP servers that reply to mon_list command. The combination of a spoofed source address creates a distributed reflection denial of service attack (DR DoS). However, we suspect this tool was used much earlier evolving in late December 2013 and early January 2014 as NTP DR DoS attacks started making waves across the internet targeting game service providers and bringing network protection services down to their knees, such as the below tweets whilst DERP developed a list of open NTP servers,” states the post.


The tool referred to in the blog post tries the different protocols in turn against unpatched or misconfigured servers; with it, DERP was able to identify flawed servers to point at the data centre.

In the past, experts noticed that DERP does not use NTP alone as an attack vector: the group has also exploited the Character Generator Protocol (CHARGEN), a legacy test service still enabled on some embedded and Internet of Things devices.

Although DDoS attacks are well known to security firms, they remain very effective against IT firms, as recent attacks have demonstrated.
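A defender watching for this pattern on the victim side sees the reflected traffic arrive as UDP from the service port of the abused servers (123 for NTP, 53 for DNS, 1900 for SSDP, 19 for CHARGEN), addressed to a host that never sent the matching request. The following is an added example, not Micron21’s data or code: it groups inbound UDP flows by reflector service, sums the bytes per target, and raises a CDRDoS finding when two or more services are reflecting into the same target at once. FLOWS is a constructed flow list; real NetFlow/IPFIX/sFlow exports need their own field mapping, and the “never requested” test assumes the monitored side’s outbound flows are in the same record set.

```python
"""Spot a multi-protocol (CDRDoS-style) reflection flood in flow records.

Added example, not Micron21's data or code. FLOWS is a constructed sample;
real flow exports need their own field mapping.
"""
from collections import defaultdict

# The four reflector services named in the article, keyed by their UDP port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "CHARGEN"}

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, bytes, direction)
# direction is 'in' (towards the monitored prefix) or 'out' (from it).
FLOWS = [
    ("203.0.113.7",    123, "198.51.100.5", 41000, 480_000, "in"),   # NTP replies
    ("203.0.113.8",    123, "198.51.100.5", 41001, 450_000, "in"),
    ("192.0.2.53",      53, "198.51.100.5", 41002, 300_000, "in"),   # large DNS answers
    ("192.0.2.99",    1900, "198.51.100.5", 41003, 120_000, "in"),   # SSDP replies
    ("192.0.2.19",      19, "198.51.100.5", 41004,  90_000, "in"),   # CHARGEN stream
    ("198.51.100.9", 52000, "192.0.2.53",      53,      80, "out"),  # legitimate query ...
    ("192.0.2.53",      53, "198.51.100.9", 52000,     200, "in"),   # ... and its answer
    ("203.0.113.50",  4444, "198.51.100.5",    80,   2_000, "in"),   # unrelated traffic
]


def reflection_report(flows, min_services: int = 2, min_bytes: int = 1_000_000) -> dict:
    """Return {target: {'services': set, 'bytes': int, 'cdrdos': bool}}.

    A flow counts as reflected when it is inbound, sourced from a reflector
    service port, and the target sent no outbound flow to that (ip, port)
    first. A target is tagged 'cdrdos' when at least min_services different
    services reflect into it and the combined volume exceeds min_bytes.
    """
    # (reflector_ip, reflector_port, our_ip, our_port) for every request we sent
    requested = {(dst, dport, src, sport)
                 for src, sport, dst, dport, _, direction in flows if direction == "out"}
    per_target = defaultdict(lambda: {"services": set(), "bytes": 0, "cdrdos": False})
    for src, sport, dst, dport, nbytes, direction in flows:
        if direction != "in" or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dst, dport) in requested:
            continue  # solicited response, not reflection
        entry = per_target[dst]
        entry["services"].add(REFLECTOR_PORTS[sport])
        entry["bytes"] += nbytes
    for entry in per_target.values():
        entry["cdrdos"] = len(entry["services"]) >= min_services and entry["bytes"] >= min_bytes
    return dict(per_target)


if __name__ == "__main__":
    for target, info in reflection_report(FLOWS).items():
        flag = "CDRDoS" if info["cdrdos"] else "single-vector or below threshold"
        print(f"{target}: {sorted(info['services'])} {info['bytes']} bytes -> {flag}")
```

The thresholds are deliberately low for the sample; in production min_bytes is set from the link’s normal baseline, and a single-service finding is still worth an alert, just not the combination label.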

Pierluigi Paganini

(Security Affairs – DDoS reflection attack, CDRDoS)

Aug 26 14

ICREACH program, NSA Search Engine for communications analysis

by Pierluigi Paganini

ICREACH is the codename of the NSA’s secret Google-like search engine for metadata analysis, disclosed in a new collection of documents leaked by Snowden.

ICREACH is the name of a Google-like search engine designed by the National Security Agency (NSA) that provides communications metadata, including records on people living in the US, to nearly two dozen US government agencies.

The Intercept has revealed the existence of ICREACH, a platform used to share more than 850 billion communications records detailing e-mails, phone calls, instant messages and phone geolocation. The revelation is based on classified documents, dated 2006 and 2007 and disclosed by whistleblower Edward Snowden, which describe ICREACH as a “federated query” engine that searches “across all data sets for information relating to a target identifier.”

Such a huge amount of metadata shared through the ICREACH program allows agencies to track people in real life and online, map out their networks of associates and predict future actions.



“The National Security Agency is secretly providing data to nearly two dozen U.S. government agencies with a “Google-like” search engine built to share more than 850 billion records about phone calls, emails, cellphone locations, and internet chats, according to classified documents obtained by The Intercept.” states the Intercept.

The ICREACH program was already mentioned by journalist Glenn Greenwald in his book “No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State”.

The FBI and the Drug Enforcement Administration are referred to as the “key participants” in the ICREACH program, but the documents confirm that the platform has been accessible to more than 1,000 analysts at 23 US government agencies involved in intelligence activities.

According to The Intercept, the scale of ICREACH represents a serious threat to citizens’ privacy; the system also appears to hold records on individuals not accused of any illegal activity.

“Legal experts told The Intercept they were shocked to learn about the scale of the ICREACH system and are concerned that law enforcement authorities might use it for domestic investigations that are not related to terrorism.” reports The Intercept.

“To me, this is extremely troublesome,” “The myth that metadata is just a bunch of numbers and is not as revealing as actual communications content was exploded long ago—this is a trove of incredibly sensitive information.” said Elizabeth Goitein, co-director of the Liberty and National Security Program at the New York University School of Law’s Brennan Center for Justice. 

The mastermind of the ICREACH program was recently retired NSA director Gen. Keith Alexander, who in a classified 2006 letter to the then-Director of National Intelligence John Negroponte described the search engine as a system that would “allow unprecedented volumes of communications metadata to be shared and analyzed,” opening up a “vast, rich source of information” for other agencies to exploit.

One year later the system went live as a pilot program; it was expected to enable at least a 12-fold increase in the volume of metadata shared between intelligence agencies.

“The NSA described ICREACH as a “one-stop shopping tool” for analyzing communications. The system would enable at least a 12-fold increase in the volume of metadata being shared between intelligence community agencies, the documents stated. “

A slide in the documents shows a significant increase in the volume of metadata collected by the NSA.

Systems like ICREACH are continuously improved by the NSA: the top-secret intelligence “Black Budget” for 2013 disclosed by Snowden shows that US intelligence is investing to upgrade ICREACH to “provide IC analysts with access to a wider set of shareable data.”

Pierluigi Paganini

(Security Affairs – ICREACH,  Intelligence)  

Aug 26 14

Data of 27 million people compromised in South Korea: 70 percent of the population aged 15 to 65 suffered a data breach

by Pierluigi Paganini

Authorities confirmed that 27 million individuals in South Korea suffered a data breach; nearly 70 percent of the population aged between 15 and 65 was hit.

A new massive data breach hit more than 27 million people in South Korea; according to the authorities, the stolen data comes from the gaming industry.

It isn’t the first time Internet users in South Korea have suffered a massive breach: in 2011, 35 million individuals had personal information exposed when hackers breached the databases of Cyworld, a South Korean social network, and the search engine Nate.

In early 2014, 20 million South Koreans suffered another data breach caused by an employee of the Korea Credit Bureau.

South Korean law enforcement confirmed that the information was stolen from databases for various games and online gambling promotions, movie ticketing and ringtones. The number of victims is staggering: more than 70 percent of the population aged between 15 and 65 was hit.

“South Korean authorities have unveiled a massive leak of personal information related to more than 70% of the population aged between 15 and 65 in the country. A hacker from China is one of the perpetrators, reports Duowei News, a news website operated by overseas Chinese.

The main perpetrator, last name Kim, was arrested along with over a dozen others for stealing and selling over 220 million items of personal information from 27 million South Koreans aged between 15 and 65, which accounts for about 72% of that demographic range, according to the South Jeolla Provincial Police Agency on Aug. 21.

The information had been stolen through hacking registrations on websites for online games, movie ticketing and ring tone downloads. A registration on any one of the websites can be used to trace registrations for the same person from other online service providers, the police said.” reported WantChinaTimes.

Kim Bong-Moon of the Korea JoongAng Daily reports that 16 individuals were arrested and adds:

“According to police, Kim reportedly received 220 million personal information items, including the names, resident registration numbers, account names and passwords, of the 27 million people from a Chinese hacker he met in an online game in 2011.

The police suspect he used the personal information to steal online game currency by using a hacking tool known as an “extractor,” which automatically logs on to a user’s accounts once the login and password are entered. He is also thought to have sold those cyber items for profit.

When passwords he received were wrong, he allegedly bought the personal information on the identification cards and their issue dates from a cellphone retailer in Daegu to change the passwords himself.”

As reported in the statements above, the South Jeolla Provincial Police Agency arrested a 24-year-old man named Kim along with 15 others for allegedly stealing and selling 220 million records of personal information on 27 million South Koreans.

Initial details of the investigation reveal that Kim obtained the data from a Chinese hacker he met online in 2011; the stolen data includes names, account credentials and resident registration numbers. The investigation is still ongoing, and law enforcement is trying to trace the complete network of people who had access to the records, which is not an easy job.

The stolen data was used to steal in-game currency and other game-related items that could be sold on; law enforcement is worried about the sale of the information to other criminal gangs. Personal information is a valuable commodity in the underground market, and cyber criminal groups are always interested in acquiring user data to arrange further cyber attacks and other kinds of scam. The “extractor” tool described by the police is a credential-stuffing approach: it only works where the stolen password is still valid, which is why Kim reportedly bought identity-card details to reset the ones that were not.

With a price per record ranging from $0.001 to $20, Kim appears to have earned $390,919 by selling or using the stolen records of 27 million Koreans.

Stay tuned for further details on the investigation.

Pierluigi Paganini

(Security Affairs – 27 million people victims of a data breach,  South Korea)