Written by Reporter, Ronald Mizen

Stolen data from Australian businesses is being auctioned on the dark web for up to $US60,000 ($82,000) by hackers, with some selling access to loan information, drivers’ licences, Medicare cards and passports.

In one case, access to the active loan dashboard of a finance company was auctioned for $US1000. According to the auction details, the buyer received information on 3700 active loans and 3800 closed and pending loans.

“Client documents have IDs (DL or passport, sometimes Medicare even payment card pictures and scans),” the threat actor known as Ronny posted on an underground Russian-language forum.

Ronny later bragged about having access to the “best Aussie stuff” in a post selling access to another finance firm with “39,6k+ aussie bank accounts”. The starting bid was $US5,000 and it had a “Buy Now” price of $US10,000.

“You will have at least 55k Name+DoB and address. And of course [the] server may have customer IDs, DLs, Medicare, statements, signatures, and all scans of what Aussies need to get a loan,” Ronny wrote.

Hacker groups are also threatening to sell data stolen in ransomware attacks to blackmail companies into paying up. One group, Sodinokibi (also known as rEvil), has held at least 22 auctions on its website, Happy Blog.

“Hello, hope you are smart guys and contact us, otherwise your financial, personal information about clients and other important private documents will be published on our happy blog,” Sodinokibi posted in June after claiming to have hacked Australian company Chem Pack.

In July, a further post appeared: “We have downloaded your databases and financial documents. We recommend contacting us.” This time, Quest Worldwide was the victim.

Quest confirmed the attack but played down its significance. “A UK-based server belonging to a dormant UK-domiciled sister entity was breached,” regional director Wiet Pruim said.

“The UK-based server contains only limited historical internal management data and no client nor operational data is on that server.”

Other companies targeted by ransomware hackers include drinks giant Lion, Regis Aged Care and an entity called Arafmi (the latter stands for Association of Relatives And Friends of the Mentally Ill and could refer to several different groups across Australia).

The Australian Financial Review understands the Australian Cyber Security Centre reached out to some Arafmi entities after data was leaked online.

A spokesman for Regis said the company had promptly implemented its back-up and business continuity systems. “The incident has not materially impacted the company’s day-to-day operations,” he said.

A spokeswoman for Lion said there was no evidence any data had been stolen in the $US1 million ransomware attack, but Lion had “made contact with our customers, suppliers and people to inform them of this possibility”.

Victoria Kivilevich, threat intelligence analyst at Israeli intelligence firm KELA – which discovered the breaches of Australian financial data – said there had been an increase in attacks in recent years, and also RaaS, or ransomware-as-a-service; hackers were also often working together.

“The most popular ransomware strains are operated by cybercriminals looking for financial gain,” Ms Kivilevich said. “Chasing profits, ransomware actors are always inventing new methods of intimidating victims.”

These methods include “stealing data and requesting double ransoms; collaborating with other ransomware gangs; using stolen data to attack other victims; selling stolen data on auctions; notifying media, as well as victims’ partners and clients about leaks”.

KELA specialises in dark web threat intelligence and offers clients a real-time dark web search engine called Darkbeast.

https://www.afr.com/technology/hacked-best-australian-financial-data-for-sale-on-the-dark-web-20200910-p55u6g