- An actor known as “Sheriff” sells tens of thousands of eToro user accounts on a dark web forum.
- The sale is an auction and the threat actor promises fully functional credentials.
- “Sheriff” has worked with “REvil” for the past two months, selling them access to corporate networks.
A new group of Russian hackers using the alias “Sheriff” has put 62,000 active eToro accounts up for sale on the dark web. The listing first appeared online on July 6, 2020, as an auction with a starting price of $1,500 and bid steps of $500. The highest bidder gets exclusive access to this data pack, which the seller claims allows funds to be withdrawn from the 62,000 accounts. eToro is a popular cryptocurrency trading platform and equity investment portal that has been around since 2007, serving around 6 million users from 140 countries.
Sheriff promises that all of the login credentials offered for purchase work, so the accounts are fully usable. In addition, the pack contains phone numbers, postal addresses and available balances. As yet, eToro has not released an official statement on the matter, so it is entirely possible that the data is indeed valid. Sheriff has made some sales in the recent past and appears to be a new threat actor, but researchers believe the group has ties to the REvil ransomware operators. In fact, some believe that REvil contracted Sheriff and paid them to attack various banks and financial institutions, which appears to be the new player’s specialization.
Advanced Intelligence (AdvIntel) found many links between REvil and Sheriff, the latter quickly gaining notoriety by successfully breaking into very large organizations. Sheriff then lets REvil into the compromised networks, where REvil exfiltrates all data and encrypts files locally, initiating its typical extortion process. In some cases Sheriff has used the “UNKN” persona to collaborate with REvil, but they are essentially the same group of hackers. The fact that eToro’s user data is being sold through Sheriff indicates that the two groups are independent.
Regarding the method of attack, AdvIntel believes Sheriff breaks into the systems of large financial institutions through brute-force attacks and by deploying credential-stealing malware. The group scours compromised networks and accesses administration panels until it finds valuable data, which it then exfiltrates using SQL injection and cross-site scripting attacks. However, when working on REvil’s behalf, Sheriff limits these activities to simply providing the ransomware actors with access to the networks they want to reach. Over the past few months, Sheriff has been knocking on the door of Citrix RDP services using stolen user credentials.