Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/18/2018
03:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Actor Advertises Japanese PII on Chinese Underground

The dataset contains 200 million rows of information stolen from websites across industries, likely via opportunistic access.

A dataset containing more than 200 million lines of Japanese personally identifiable information (PII) has been found on the Chinese underground market, researchers report. It's believed the data is authentic and was exfiltrated from multiple Japanese website databases.

Experts at FireEye iSIGHT Intelligence first noticed the actor advertising the dataset in December 2017. This actor has sold site databases on Chinese underground forums since at least 2013 and is likely connected to someone living in China's Zhejiang province.

The team identified the actor and data as part of regular monitoring of the cyber threat landscape, explains Oleg Bondarenko, senior manager for international research at FireEye. The Chinese underground primarily consists of instant messenger groups such as QQ, he says. This dataset was not discovered on a forum but rather a group for sharing and offering data.

"Yes, we've observed actors who were selling Japanese PII data or interested in purchase," Bondarenko continues. "However [we] have never observed at such scale."

Given the number of sources and different types of data included, it's likely the data was taken via opportunistic compromise and not targeted attacks. The means of obtaining this data have not been confirmed, but Bondarenko says one possible way would be collecting data from previous public leaks and taking over victims' accounts. Motivation was likely financial gain.

Specific data types included in this set include names, credentials, email addresses, birthdates, phone numbers, and home addresses. The data seemingly comes from a range of 11-50 Japanese websites across industries including financial, retail, food and beverage, transportation, and entertainment. One folder indicated the data was collected between May and June 2016; another showed its data was acquired in May and July 2013.

The actor claims all credential sets are unique and priced them at ¥1,000 CNY ($150.96 USD) for the full dataset.

In a random sample of 200,000 leaked email addresses, most were previously leaked in major data breaches, a sign the addresses included in this dataset were not specifically created for it. Since most of the leaked data didn't come from one specific leak or public website, researchers don't think the actor scraped the info from other data leaks and resold it as a new product.

"The data was extremely varied and not available through publicly available data sources; therefore, we believe that the advertised data is genuine," researchers explain in a report.

That said, they do believe the number of real and unique credentials is lower than the actor claims. In a sample of 190,000 credentials, researchers noticed more than 36% contained duplicate values and there is a significant number of fake email addresses. Several actors commented on the ad to express interest in buying the data. However, the same actors later posted negative feedback, claiming they didn't receive the product advertised.

Most of the information advertised is commonly stored on websites with customer login and profile information. Researchers didn't notice the actor selling sensitive email or businesses data that would indicate he/she had access beyond servers connected to a site or Web portal.

Bondarenko says the team hasn't noticed any similar type of activity from a specific group in China. The actor behind this was active for a while, and during the time he was selling the data.

"However, there are no other insights available for the actor because he became inactive recently, so we've been closely monitoring to understand the reason behind that and potentially getting additional insights," he adds.

Since much of the data advertised had been exposed in large leaks, researchers don't think this specific dataset will enable large-scale cyberattacks toward the people whose credentials are included. It is worth noting the leaked PII could be used to target other entities if those people reused credentials between the compromised sites and other personal or business accounts.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2019-10134
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2019-10154
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVE-2019-9039
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
CVE-2018-20846
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).