Paytm Group Suffers a Massive Data Breach – Paytm Mall Hacked and Ransom Demanded

The cybercrime markets keep surprising us with new events and, at times, massive data breaches. This time, cybleinc researchers stumbled on an interesting case. It was tipped off to us by an "alleged" ex-cartel member (alias: KelvinSec) of a credible hacking group, "John Wick".
Background of the actor: "John Wick" is the same notorious group or actor that broke into multiple Indian companies and collected ransoms from various organizations. The actor has other aliases such as "South Korea" and "HCKINDIA". One of the tactics used by this group is to "act" as a grey-hat hacker and offer help to companies or victims to fix their bugs.
Some of their previous targets include Zee5, SquareYards, Stashfin, Sumo Payroll, Square Capital, i2ifunding, e27 and many others. The actor/group typically operates from 1:30 PM UTC to 5:30 PM UTC (or 7:30 PM to 11:30 PM IST).
This instance concerns a massive data breach at Paytm Mall.
About Paytm Mall – According to Wikipedia: "In February 2017, Paytm launched its Paytm Mall app, which allows consumers to shop from 140,000 registered sellers. Paytm Mall is a B2C model inspired by China's largest B2C retail platform TMall. Sellers have to pass through Paytm-certified warehouses and channels to ensure consumer trust. Paytm Mall has set up 17 fulfilment centres across India and partnered with more than 40 couriers. Paytm Mall raised $200 million from Alibaba Group and SAIF Partners in March 2018."
According to an online report from 2018, it has over 5.5 Million daily active users, 80,000 sellers and a product portfolio of 110 million items.
About Paytm – Valued at over $10B, it’s one of the most successful technology companies in India. Paytm is an Indian e-commerce payment gateway that provides payment services to merchants and allows consumers to make seamless mobile payments from cards, bank accounts, and digital credit among others. Paytm is currently available in 11 Indian languages and offers online use-cases like mobile recharges, utility bill payments, travel, movies, and events bookings as well as in-store payments at grocery stores, fruits and vegetable shops, restaurants, parking, tolls, pharmacies and educational institutions with the Paytm QR code.
The company posted revenue of USD $500 million in 2019. Its website, paytm.com, ranked 594 in the Alexa ranking.
Paytm is backed by some of the world's leading VC funds, such as Ant Financial, Softbank Vision Fund, SAIF Partners, Alibaba Group, Berkshire Hathaway and many others.
Paytm also runs a bug-bounty program, an industry-standard way to invite researchers to submit security issues securely. Paytm Mall is within the program's scope.
What Happened: A known cybercrime group with the alias "John Wick" was able to upload a backdoor (an Adminer database-management script) to the Paytm Mall application/website and gain unrestricted access to its entire databases.
Based on the screenshot the actor released, it appears they gained access to the production database, so the breach potentially affects all accounts and related information at Paytm Mall.
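The technique described above (a database-administration script such as Adminer dropped into a web application and then used to reach the database) leaves traces in ordinary web-server access logs. As an added example that is not part of the original report or Cyble's tooling, the following Python script flags two such indicators: requests to Adminer/phpMyAdmin-style scripts anywhere under the web root, and PHP being executed from directories meant for uploaded content. The log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (not real Paytm Mall logs).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2020:13:41:02 +0000] "GET /product/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2020:13:42:10 +0000] "POST /uploads/images/adminer.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2020:13:42:11 +0000] "POST /uploads/images/adminer.php?username=app HTTP/1.1" 200 41092 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2020:13:43:30 +0000] "POST /uploads/images/shell.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Aug/2020:13:45:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Database administration tools (and their common renamed variants) that an
# e-commerce front end should never serve.
DBADMIN_NAMES = re.compile(r'(?:^|/)(?:adminer[\w.-]*|phpmyadmin[\w/-]*)\.php$', re.I)
# Directories intended for uploaded content; PHP executing from them is a red flag.
UPLOAD_DIRS = ('/uploads/', '/media/', '/files/', '/tmp/')


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (reason, ip, path, timestamp) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        low = path.lower()
        if DBADMIN_NAMES.search(low):
            findings.append(("db-admin-tool", rec["ip"], path, rec["ts"]))
        elif low.endswith(".php") and low.startswith(UPLOAD_DIRS):
            findings.append(("php-in-upload-dir", rec["ip"], path, rec["ts"]))
    return findings


def summarize(findings):
    """Group findings by source IP so each actor's suspicious paths are listed together."""
    by_ip = defaultdict(set)
    for reason, ip, path, _ in findings:
        by_ip[ip].add((reason, path))
    return dict(by_ip)
```

Running `detect(SAMPLE_LOG)` on the constructed lines flags the two Adminer requests and the PHP file in the upload directory, all from the same source address.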
Insider job? According to the messages forwarded to us by the source, the perpetrator claimed the hack was made possible by an insider at Paytm Mall. The claims are unverified but plausible: in 2019, the company faced a fraud allegedly carried out by its junior employees.
cybleinc sources also forwarded us messages in which the perpetrator claimed they were receiving a ransom payment from Paytm Mall as well. Leaking data when a victim fails to meet the attackers' demands is a known technique used by various cybercrime groups, including ransomware operators. At this stage, we do not know whether the ransom was paid.
High-profile breaches such as this one indicate that cybercriminals are increasingly targeting the blind spots of organizations' digital footprints. As part of Cyble's continuous digital risk monitoring, we detect tens of thousands of exposed systems on the Internet holding terabytes of sensitive data about users and their customers.
Why target Indian companies? The actor seems to have a keen interest in Indian companies, likely because of a high success rate in receiving ransom payments from them. Based on their attack patterns, one thing that stands out is that the group targets tech-based companies the most, and demands ransom by sending emails to their support channels and similar contact points.

News Source @ cybleinc.com
