Hackers Leak Hacker Data in Swarmshop Breach
There’s no honor among cyberthieves. It seems the prospect of accessing new hacking tools and other valuable assets is just too lucrative for some hackers to respect their counterparts-in-crime, since for the second time in a little more than a year, user data – that’s hacker user data – from the Swarmshop card shop has been leaked online.
The hackers leaked the data from Swarmshop, known as “a mid-size ‘neighborhood’ store for stolen personal and payment records,” on another underground forum, according to researchers at Group-IB who discovered the leak. The database housed 12,344 records of card shop admins, sellers and buyers – including data like nicknames, contact information, activity history, hashed passwords and current balances. Because card shop users “do not store large amounts of money on their accounts and top up the balance to make payments if necessary,” Group-IB said the total deposited on all accounts was only a little over $18 million.
“Honor Among Thieves” is a Hollywood Myth
Chris Morales, CISO at Netenrich, said honor among thieves is “a Hollywood myth”; he added, “above and beyond the normal for-profit attack motive we most often focus on, ego is still very much a motive, too.”
Among the other information exposed was compromised data traded on Swarmshop, such as 623,036 payment card records from a wide assortment of banks in the U.S., Canada, the U.K., China and other countries, as well as 498 sets of credentials for online bank accounts. The database also leaked 69,592 sets of Social Security numbers and Canadian Insurance numbers.
Naveen Sunkavally, chief architect at Horizon3.ai, is more concerned about the proliferation of user credit card information, as well as online banking credentials, than hackers turning on their own. “Attackers can use these credentials against a variety of systems, rarely triggering any security events, because they look like legitimate users,” Sunkavally said. “In the end, regular users are the ones who lose the most.”
The origins of the breach are not clear, the researchers said, but they noted that a review of the exposed records revealed that two of the card shop users “attempted to inject a malicious script searching for website vulnerabilities in the contact information field.” Still, they said it’s impossible to confirm if those two attempts are related to the breach.
What researchers do know about the incident is that “a newly registered user posted a link and a password to the database of the Swarmshop card shop on different forums,” prompting the card shop’s admins to argue that the data didn’t come from last year’s breach. They did recommend that Swarmshop users change the passwords after news of the breach broke. “A week after the post, Swarmshop users were redirected to an ‘under maintenance’ page when trying to log in,” Group-IB said. “At the same time, card shop users reported problems with their account balance.”
Hacking Other Hackers
That hackers would hack their peers is nothing new – Swarmshop records were leaked in an underground forum in January 2020. In that case, the user likely was motivated by revenge, Group-IB said. It’s possible that this latest breach also was motivated by revenge, the researchers suggested.
A successful hack of other hackers can yield a lucrative bounty. “What better way to gain access to new hacking tools, dumps, cards, personally identifiable information (PII) and other items of value than hacking the people that are stealing it in the first place,” said Tyler Shields, CMO at JupiterOne.
Card shops are rarely breached, and this incident will likely throw shade on Swarmshop’s reputation, at least for the time being, something that CISOs and cybersecurity pros at legitimate businesses likely can relate to. Whether it evokes a speck of empathy or just cold comfort, cybercriminals, as Shields said, “have trouble with security just like everyone else. It just goes to show you that cybersecurity is a difficult problem, no matter who you are.”