
Where are you, what did you buy and where did you go: anti-leak expert names the prices of "probiv"

You can find out the location of any Russian for 8,000 rubles, says Ashot Oganesyan, founder of DLBI, a data leak intelligence and darknet monitoring service. In an interview he also quoted other prices on the "probiv" market (the illegal lookup-for-hire of personal data from closed databases): for just 3 thousand rubles, for example, you can find out whether a person has left Russia. The expert also described a new fraud scheme involving "Gosuslugi" and the danger of handing a smartphone over to a repair shop.

Tempting "Gosuslugi"

- Russians increasingly handle all their documents, payments and cards, in general more and more transactions, digitally, for example through the same "Gosuslugi". What do you think about the security of this resource?

- So far, everything indicates that Gosuslugi itself is safe, but failing to follow the recommendations for working with the service (for example, declining two-factor authentication) or the use of social engineering by fraudsters can quite easily lead to an account being hacked.

For example, lately scammers have been quite successfully asking users for the SMS code needed to change the password of their personal account on the service, and thus gaining control over it.

And the consequences of such gullibility are compounded by a problem typical of all Russian IT systems, including government services and online banking: they give the user too many capabilities, regardless of how well he understands what he is doing. It is no coincidence that banks today are beginning to consider restricting the user's capabilities as a means of combating fraudsters: a "second hand" (a second person confirming the transaction), limits on the types and amounts of transactions, and so on.

- There was a leak of the source code of the "Gosuslugi" of the Penza region. Some have argued that this is essentially a leak of the source code of the All-Russian "Gosuslugi" as well. Is it correct to say so? If not, what are the differences between the Penza version and the federal one?

- Since no one has seen the source code of the federal "Gosuslugi" portal, it is impossible to answer this question exactly. However, imagining the process of developing such services, we can assume that, at a minimum, the code for calling the APIs of the information systems (Application Programming Interface: a software interface for interaction between systems, containing a description of the ways in which one computer program can interact with another. - Ed.) may be similar.

Whether this will give attackers any new opportunities we will find out in the near future, since "Gosuslugi" has become one of the most important targets for hackers today, and they are clearly investing time and resources in analyzing the leaked code.

- Are our government information platforms secure enough? The same sites of departments, of the chambers of parliament?

- State sites are more like mass media and most often do not contain any important information, and the most "terrible threat" for them is a "deface", when the content and even the design are replaced with something else. And judging by the fact that such problems have happened with regional state sites but not with federal ones, it all depends on the amount invested in information security. As for the internal information systems of departments, they are most often isolated from the Internet, which makes external attacks less of a worry.

But where state IT does have a real problem is in protection against its own employees, the insiders.

It is no accident that the cost of probiv from state databases is the lowest on the black market, about 20 times lower than probiv from banks.

Not only the prevention of data exfiltration but access control in general is extremely poorly set up, and often an entire department uses the same login, which may belong to an employee who quit long ago.

Probiv by the numbers

— What has happened to the probiv market since 2020?

- In quantitative terms the market is falling, but in monetary terms it is growing. Probiv is in demand among criminals and "gray" detectives, so despite all efforts it does not disappear, but only grows in price. Last year the median cost of a probiv request was 2.25 times higher than in 2020 and almost seven times higher than in 2017, when we conducted the first study.

The biggest rise since 2020, 4.3 times, was in information on citizens' accounts and transactions (the so-called "bank probiv").

Data on calls, SMS and phone geolocation were sold last year at 1.6 times the 2020 price, while the price of probiv from state information systems remained virtually unchanged.

- How much does probiv on one person cost in rubles?

- As for the cost of probiv: a statement for an individual's account or card costs from 15 thousand to 25 thousand rubles per month. Establishing the card or account number from the linked phone number costs from 7 thousand rubles. Identifying all of a client's phones linked to cards or accounts from his passport data costs from 15 thousand rubles. A detailed record of a subscriber's calls and SMS for one month costs from 5 thousand to 30 thousand rubles, depending on the operator. Obtaining subscriber data from a mobile phone number costs from 1 thousand rubles. A one-time determination of the subscriber's location (a "flash") costs from 8 thousand rubles.

Probiv through the "Rozysk-Magistral" system, that is, travel by plane, train, bus or ferry, costs from 1.5 thousand to 3 thousand rubles per record; a search in the AS "Russian Passport" (data on all issued internal and foreign passports) costs from 900 to 1.5 thousand rubles per request; and a search in the "Frontier" system (crossings of the Russian border at any point and by any means of transport) costs from 3 thousand rubles per request.

- Are its participants being "cleaned out"? Have there become more or fewer of them?

- Both law enforcement agencies and corporate security services are fighting probiv, but only the banks have managed to achieve some success, and even there this criminal service has not disappeared, it has only risen in price.

Sentences are handed down almost weekly to employees of mobile operators who sell subscribers' call and SMS data, but there are no fewer people who want to make money this way.

In government departments they do not even try to deal with probiv; it is believed that no such problem exists.


So many pandemic waves have passed

— The pandemic has been going on for two years now. What has changed in the field of leaks during this time? Which methods have become more common, and which could we not have imagined at the beginning of 2020?

- There has been no truly tectonic shift in the field of data leaks as a result of the pandemic. There was a strong surge in the first half of 2020, when companies switched to remote work en masse and IT departments could not cope with deploying terminal solutions, which often turned out to be poorly protected and made it possible to attack companies' internal networks.

However, by the end of the year everyone had adapted to remote work and the scale of leaks began to decline. Moreover, if we talk about mass leaks (and not about individual probiv), there are now even fewer of them, since the banks, at least, have begun a real fight against this problem.

- So there are fewer bank leaks? Has anything new appeared in the toolkit of online banking fraudsters?

- Under pressure from both the Central Bank and constant public scandals, banks began to implement DLP systems (Data Leak Prevention: specialized software that protects an organization from data leaks. - Ed.) not on paper but in practice, and it has now become almost impossible to quietly exfiltrate a large amount of data.

As a result, today it is extremely rare to find a database of a bank's private clients for sale. The situation with state-owned banks is not as good, but it is still better than in 2018, when telephone fraud was rampant.

Unfortunately, the banks have failed to destroy the probiv services, but the price has almost doubled, which indicates that leaking the data has become harder.

True, another problem has arisen: leaks from the marketing systems of financial organizations. Outsourcing of customer acquisition and the growing number of marketplaces have led to a situation where applications to buy financial products and open accounts circulate between contractors and the bank itself, are stored and processed with a minimal level of protection and, naturally, leak and end up for sale.

The banks themselves are not far behind, building digital infrastructure on the principle of "slap it together and push it to production" without testing for even the most banal security holes. As a result, data collected by "brute force" (enumeration of a parameter, for example the client's phone number) turns up for sale.

Such databases do not contain critical information, but they allow, for example, a list of a bank's customers to be compiled, which can then be enriched with data from other sources and used for social engineering attacks.
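The "brute force" enumeration the expert describes leaves a distinctive trace in a bank's web logs: one client walking through a lookup endpoint with thousands of consecutive phone numbers, and a response that differs depending on whether the number belongs to a customer. The detection below is an added example, not code from the page or from DLBI; the log format, the endpoint path `/api/client/exists?phone=` and the sample lines are all constructed here for illustration. It groups requests by client address, counts how many distinct phone values appear within a sliding time window, and measures how often the values form a consecutive run, which is the signature of a counter being incremented.

```python
"""Detect parameter enumeration (a phone-number lookup being brute-forced) in web logs.

Added example. Log format, endpoint and addresses are assumed/constructed, not from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <client ip> <method> <path> <status>".
# 203.0.113.7 walks a counter; 198.51.100.4 and 192.0.2.9 look like ordinary app traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.7 GET /api/client/exists?phone=79001230001 404
2024-03-01T10:00:01Z 203.0.113.7 GET /api/client/exists?phone=79001230002 404
2024-03-01T10:00:01Z 203.0.113.7 GET /api/client/exists?phone=79001230003 200
2024-03-01T10:00:02Z 203.0.113.7 GET /api/client/exists?phone=79001230004 404
2024-03-01T10:00:02Z 203.0.113.7 GET /api/client/exists?phone=79001230005 404
2024-03-01T10:00:03Z 203.0.113.7 GET /api/client/exists?phone=79001230006 200
2024-03-01T10:00:05Z 198.51.100.4 GET /api/client/exists?phone=79165550001 200
2024-03-01T10:07:00Z 198.51.100.4 GET /api/client/exists?phone=79165550001 200
2024-03-01T10:09:10Z 192.0.2.9 GET /api/client/exists?phone=79030001111 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \S+\?phone=(\d+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, ip, phone, status) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in other formats are ignored, not an error
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), int(m.group(3)), int(m.group(4))


def sequential_ratio(phones):
    """Fraction of adjacent pairs (in sorted order) that differ by exactly 1.

    A ratio near 1.0 means the values were produced by incrementing a counter."""
    ordered = sorted(set(phones))
    if len(ordered) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return steps / (len(ordered) - 1)


def find_enumerators(log_text, window=timedelta(minutes=5), min_distinct=5, min_seq_ratio=0.5):
    """Return {ip: evidence} for clients that look like they are enumerating the phone parameter.

    A client is flagged when it queries at least `min_distinct` different phone numbers inside
    one `window`, or when at least three distinct values form a mostly consecutive run."""
    by_ip = defaultdict(list)
    for ts, ip, phone, status in parse_log(log_text):
        by_ip[ip].append((ts, phone, status))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        phones = [p for _, p, _ in events]
        # Largest number of distinct phone values seen in any window starting at an event.
        max_distinct = 0
        for i, (start, _, _) in enumerate(events):
            in_window = {p for t, p, _ in events[i:] if t - start <= window}
            max_distinct = max(max_distinct, len(in_window))
        ratio = sequential_ratio(phones)
        counter_walk = len(set(phones)) >= 3 and ratio >= min_seq_ratio
        if max_distinct >= min_distinct or counter_walk:
            # "confirmed" is how many probes got a 200, i.e. how many customers were exposed.
            confirmed = sum(1 for _, _, s in events if s == 200)
            flagged[ip] = {"distinct": max_distinct, "sequential_ratio": ratio, "confirmed": confirmed}
    return flagged


if __name__ == "__main__":
    for ip, evidence in find_enumerators(SAMPLE_LOG).items():
        print(ip, evidence)
```

The `confirmed` count is the number that matters to the bank: every 200 response handed the enumerator a real customer. The detection only works after the fact; the fix on the endpoint side is to return the same response whether or not the number exists, and to rate-limit the lookup per client and per session so a counter walk cannot run unnoticed.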

Advice from an expert on leaks

— There was a study about popular Russian passwords. Among other things, it found the names "Natasha", "Maxim", "Marina", "Andrey" and "Kristina". Is there a name that could be chosen as a strong password?

- No name, or any word found in a dictionary, should be used as a password, since it is precisely dictionaries that are used in the first pass of enumeration, both during brute-force (password guessing) and when cracking data from leaks. On a computer it is best to use a random set of letters, numbers and symbols, and best of all to keep them in a password manager.

For passwords that need to be remembered, it is better to use mnemonic rules, for example a long sentence in which certain letters of the words form the password itself.
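The two pieces of advice above (never a dictionary word, and a sentence-based mnemonic for passwords you must remember) can be checked mechanically. The code below is an added example, not from the page or from DLBI; the tiny word list is constructed to stand in for the wordlists crackers actually use, and the leet-speak substitution table is an assumption about the normalizations those tools apply. It flags passwords that collapse to a dictionary word once digits, symbols or leet substitutions are removed, derives a password from a sentence by the first-letter rule, and compares the entropy of a dictionary pick with that of a random string.

```python
"""Dictionary-based password check and mnemonic derivation.

Added example. DICTIONARY and LEET are constructed/assumed, not taken from the page.
"""
import math
import secrets
import string

# Constructed mini word list; real crackers use lists with millions of names and words.
DICTIONARY = {"natasha", "maxim", "marina", "andrey", "kristina", "password", "qwerty", "love"}

# Assumed set of substitutions crackers undo before comparing against a word list.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def _letters(s):
    """Keep only alphabetic characters, so 'natasha123' and 'natasha!' both become 'natasha'."""
    return "".join(ch for ch in s if ch.isalpha())


def is_dictionary_based(password, dictionary=DICTIONARY, min_len=4):
    """True if the password is, or contains, a dictionary word after stripping digits and
    symbols, either as typed or after undoing leet-speak substitutions."""
    lowered = password.lower()
    candidates = {_letters(lowered), _letters(lowered.translate(LEET))}
    for cand in candidates:
        if not cand:
            continue
        if cand in dictionary:
            return True
        # Word appended/prepended with junk ("xxnatashaxx"); short words are ignored
        # to avoid flagging random strings that happen to contain "eve" or "max".
        if any(len(w) >= min_len and w in cand for w in dictionary):
            return True
    return False


def mnemonic_password(sentence):
    """Derive a password from a memorable sentence: the first character of each word,
    keeping digits and punctuation, so the result is not itself a dictionary word."""
    out = []
    for token in sentence.split():
        out.append(token[0])
        out.extend(ch for ch in token[1:] if not ch.isalnum())
    return "".join(out)


def entropy_bits(password, alphabet_size):
    """Entropy of a password chosen uniformly from alphabet_size symbols, in bits."""
    return len(password) * math.log2(alphabet_size)


def dictionary_entropy_bits(dictionary=DICTIONARY):
    """Entropy of picking one word from the list: log2 of its size, independent of word length."""
    return math.log2(len(dictionary))


def random_password(length=16, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """The 'random set of letters, numbers and symbols' recommended for a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Natasha123", "m@x1m", "Kr1st1na2020", random_password()):
        print(f"{pw!r}: dictionary-based={is_dictionary_based(pw)}")
    print(mnemonic_password("The quick brown fox jumps over 2 lazy dogs!"))
    print(f"{dictionary_entropy_bits():.1f} bits for a word pick vs "
          f"{entropy_bits(random_password(), 94):.1f} bits for 16 random symbols")
```

The entropy comparison is the whole argument in one number: a name drawn from a list of a few million entries is worth roughly 20 bits however long the name is, while 16 characters drawn from a 94-symbol keyboard alphabet are worth about 105, which is why the former falls in the first pass and the latter does not.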

- There was news that a client handed her mobile phone in for repair, and the technician got access to her mobile banking and stole money. How is this possible? Did he manage to get her password? And how could the operation be carried out in this case? Through an ATM with Apple/Google Pay that lets you withdraw money with a password?

- This happens quite often, but a back-alley repair shop is not NSO Group (the Israeli company that developed the Pegasus spyware used to spy on iPhone users. - Ed.), and such thefts do not do without social engineering either.

Most often the repairman is given the password, supposedly because it is needed to switch the phone on and check it. At the same time, the additional password in the banking application is either not used at all or is the same as the main one.

As a result, the thief simply transfers funds to the bank card of his choice or, less commonly, pays for purchases using Apple Pay or Google Pay.

Naturally, you need to hand the phone in for repair without telling the repairman the password, after unlinking cards and accounts from the built-in wallet and from the applications that use them, and best of all without the SIM card if it is tied to online banking or "Gosuslugi".
