Flare’s Infected Device Market Monitoring Prevented a Data Breach for an Investment Firm’s Portfolio Company

Overview

  • A North American investment firm’s portfolio company had an infected device for sale on Genesis Market
  • Flare detected a bot for sale  that contained cookies for a webmail server located inside the company’s internal network, among other banking and payment application credentials
  • The infected device’s price was $100 USD, but detecting and notifying the affected organizations prevented thousands, if not millions of dollars worth of damage

Infected Devices are an increasingly common cause of data breaches. Threat actors install Redline/Raccoon malware through phishing emails or malicious ads, then sell access to the “fingerprint” of the browser on dark web markets with the potential to bypass MFA controls and access to all logins stored in the browser. Unlike stolen credentials, identifying infected devices can be challenging since there isn’t a single email associated with them. Instead Flare’s customers use identifiers (search terms) to automatically detect when a bot is for sale containing internal corporate logins saved in the browser. 

This success story explains how Flare’s botnet monitoring discovered and alerted a North American investment firm about a bot for sale on the Genesis Market. This bot contained cookies for a webmail server located inside the company’s internal network. Though the infected device’s price on the Genesis Market was only $100 USD, it could’ve caused thousands, if not millions of dollars worth of damage, if it hadn’t been stopped in time. 

With a Digital Footprint Monitoringplatform like Flare, organizations can not only monitor these external risks, but also accelerate their remediation and improve the cybersecurity team’s cost-effectiveness and efficiency. 

The Challenge

A Single Cookie or Email Login Can Lead to a Massive Data Breach

Genesis Market is an online marketplace that sells sensitive information like login credentials. After launching in 2018, it has played a role in several large cyberattacks. In June 2021, malicious actors breached video game publisher Electronic Arts, with access through a bot sold on the Genesis Market, resulting in the loss of source code.

Initially, threat actors entered the company’s Slack workspace, an internal messaging system, through a cookie (sold for $10) giving access without additional authentication. From there, they maneuvered through levels of access with social engineering techniques, until they reached source code.

Flare began monitoring this market in February 2020, as we noticed an uptick in traffic and number of listings for sale. Genesis Market lists more than 400,000 bots for sale from over 200 countries, with 800 new listings added per day. This research and intelligence report on the exchange of infected devices are a part of Flare’s commitment to stay at the forefront of cyber threats gaining popularity among threat actors. These data sources are included in our continuous monitoring. 

This incident shows that even basic access like employee Slack or email is more than enough leverage into elevated access that can lead to serious consequences like data breaches. 

How Flare Helped

A large investment firm in North America prevented a potentially catastrophic network intrusion for one of its portfolio companies. 

The Flare platform detected a bot for sale on Genesis Market, and it contained cookies for a webmail server located inside the company’s internal network, among other banking and payment application credentials. Flare’s Red Teamer had a high level of confidence that the infected computer belonged to an employee because of the specific subdomain in the Genesis listing (webmail.companyname.com). 

The Red Teamer obtained access to the credential for sale after receiving permission from the portfolio company. They then investigated the corporate mailbox of the employee, which included a large number of attachments, instances personal information, and other documents that could easily be leveraged by a threat actor. 

Both the investment firm and their portfolio company agreed that this infected computer access, sold on the Genesis Market for about $100 USD, could have had a much worse outcome. Flare’s platform prevented a costly breach through proactive cyber threat detection.

Want to gain back bandwidth for your security team? Book a demo to learn how we can reduce noise with our collected data combined with our industry-leading prioritization & scoring.