Top hackers on the Russian-speaking cybercriminal underground are striking a variety of deals to maximize their profits, either by selling access to compromised accounts or by auctioning data stolen in earlier attacks. A threat actor dubbed Sheriff was seen making one such offer for a batch of active accounts on a cybercrime forum.
Sheriff targets eToro
‘Sheriff’, a threat actor known for specializing in attacks on banks, financial institutions, and government agencies, was found selling active accounts belonging to eToro users.
- Earlier this month, ‘Sheriff’ advertised an auction for 62,000 accounts of eToro, a social trading platform.
- The offer included login credentials, contact numbers, postal addresses, and balances for a starting price of $1,500.
Recent attacks by Sheriff
Sheriff, which uses brute-forcing, credential-stealing malware, and Citrix remote desktop protocol (RDP) exploits, has been involved in several cyberattacks over the past few months.
- In June 2020, Sheriff held Citrix RDP access to a European construction company focused on oil projects and advertised access to 3,200 cPanel accounts.
- In May 2020, Sheriff gained admin access to an e-commerce organization's WordPress plugin and to information on about 815,000 orders.
Connections with REvil’s syndicate
Recently, cybersecurity firm AdvIntel found a connection between the REvil operators and several other threat actors, including Sheriff, all part of a criminal syndicate focused on network intrusion.
- The REvil gang has recently deepened its cooperation with Sheriff. REvil is believed to have used a new alias, ‘unknown’, similar to the group’s ‘UNKN’ alias, to interact with Sheriff.
- Besides Sheriff, the REvil gang is also in close contact with several other threat groups, namely Kerberos and Energydrinkkk, all of which appear to be working together as a crime syndicate.