2easy now a Major Dark web Marketplace for Hijacked Information

A dark web marketplace named ‘2easy’ is becoming a major player in the sale of stolen data “logs” harvested from roughly 600,000 devices infected with information-stealing malware. “Logs” are collections of data that a trojan has stolen from a compromised web browser or system; their most valuable feature is that they usually include account credentials, cookies, and saved credit cards.

2easy began in 2018 and has grown rapidly since last year, when it sold information from only 28,000 infected devices and was regarded as a minor player. According to security researchers, the rapid growth is attributed to the development of the market’s platform and the consistent quality of its offerings, which have earned favorable reviews in the cybercrime community.

Low-priced and Valid Logs

The market is fully automated, meaning a buyer can create an account, fund a wallet, and make purchases without interacting with the sellers directly. Logs are offered for as little as $5 per item, roughly five times less than the average Genesis price and three times less than the average cost of bot logs on the Russian Market.

Moreover, based on attacker feedback that analysts collected from multiple dark web forums, 2easy logs consistently contain valid credentials that provide network access to multiple organizations. In addition to the low cost and validity, 2easy’s GUI is both user-friendly and powerful, allowing actors to perform the following functions on the site:

  • View all URLs to which the infected machines logged in
  • Search URLs of interest
  • Browse through a list of infected machines from which credentials for the selected website were stolen
  • Check the seller’s rating
  • Review tags assigned by sellers, which usually include the date the machine was infected and sometimes additional notes from the seller
  • Acquire credentials to selected targets

The only downside compared to other platforms is that 2easy doesn’t give prospective buyers a preview of an item before purchase, such as a redacted IP address or the OS version of the device from which the information was seized.

What is the RedLine Plague?

Every item purchased on 2easy comes as an archive file containing the stolen logs from the selected bot. What the archive contains depends on the info-stealing malware used for the job and its capabilities, since every strain has a different focus.

However, in 50% of cases the sellers use RedLine as their malware of choice, which can steal passwords, cookies, and credit cards stored in web browsers, FTP credentials, and more, as shown below:


Of the 18 sellers active on 2easy, five use RedLine exclusively, while four others use it in conjunction with other malware strains such as Raccoon Stealer, Vidar, and AZORult.


Why is this Essential?

Logs containing credentials are keys to doors, whether those doors lead to online accounts, financial information, or even corporate networks.

Attackers sell this information for as little as $5 per piece, but the damage incurred by compromised entities can be counted in the millions. “Such an example can be observed through the attack on Electronic Arts that was revealed in June 2021,” explains KELA’s report.

“The attack reportedly began with hackers who purchased stolen cookies sold online for just $10 and continued with hackers using those credentials to gain access to a Slack channel used by EA. Once in the Slack channel, those hackers successfully tricked one of EA’s employees to provide a multi-factor authentication token, which enabled them to steal multiple source codes for EA games.”


The initial access broker market is on the rise and is directly linked to catastrophic ransomware infections, and log marketplaces like 2easy are part of the same ecosystem. Millions of account credentials are offered for purchase on the dark web, so appropriate security measures that treat accounts as potentially compromised are needed.

Examples of those measures include multi-factor authentication steps, frequent password rotation, and applying the principle of least privilege for all users.       
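As an added illustration (not from KELA’s report or this article), the following check applies the “treat accounts as potentially compromised” stance to the stolen-cookie scenario described above: a session cookie that turns up from a second client fingerprint (IP plus User-Agent) is flagged for revocation and forced re-authentication. The log format, the sample lines, and the action names are constructed for the example.

```python
"""Flag session-cookie replay: the same session token used from more than one
client fingerprint (IP + User-Agent), which is how a browser cookie lifted from
an infostealer log typically surfaces on the defender's side.
All log lines and field names below are constructed for this example."""
from collections import defaultdict

# Constructed auth-gateway log lines: timestamp user session_id ip user_agent
SAMPLE_LOGS = [
    "2021-06-01T09:00:00Z alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/91",
    "2021-06-01T09:05:00Z alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/91",
    "2021-06-01T13:42:00Z alice sess-7f3a 198.51.100.77 Mozilla/5.0 (X11; Linux x86_64) Firefox/89",
    "2021-06-01T10:00:00Z bob sess-91c0 192.0.2.5 Mozilla/5.0 (Macintosh) Safari/14",
]


def parse_line(line):
    """Split one log line into its fields; the User-Agent may contain spaces."""
    ts, user, sid, ip, ua = line.split(" ", 4)
    return {"ts": ts, "user": user, "sid": sid, "ip": ip, "ua": ua}


def find_replayed_sessions(lines):
    """Return {session_id: {"user": ..., "fingerprints": [((ip, ua), first_seen), ...]}}
    for every session observed from more than one client fingerprint."""
    seen = defaultdict(dict)  # sid -> {(ip, ua): first timestamp seen}
    owner = {}
    for line in lines:
        ev = parse_line(line)
        owner[ev["sid"]] = ev["user"]
        seen[ev["sid"]].setdefault((ev["ip"], ev["ua"]), ev["ts"])
    return {
        sid: {"user": owner[sid],
              "fingerprints": sorted(fps.items(), key=lambda kv: kv[1])}
        for sid, fps in seen.items() if len(fps) > 1
    }


def response_actions(replayed):
    """Treat each flagged account as compromised: revoke the session and force a
    fresh login with MFA. Returns the planned actions rather than executing them."""
    return {
        "revoke_sessions": sorted(replayed),
        "force_reauth_users": sorted({info["user"] for info in replayed.values()}),
    }


if __name__ == "__main__":
    flagged = find_replayed_sessions(SAMPLE_LOGS)
    for sid, info in flagged.items():
        print(sid, info["user"], [fp for fp, _ in info["fingerprints"]])
    print(response_actions(flagged))
```

In a real deployment the fingerprint would come from the authentication gateway's own logs, and a new fingerprint on an existing session would trigger a step-up MFA challenge instead of a plain print.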
