Security experts from Kaspersky Labs have identified a malicious site known as Priv8Shop which holds stolen data and offers various hacking tools for sale.
Priv8Shop Identified As A Dangerous Host
Computer security experts have tracked the network traffic generated by the HawkEye ransomware. During their analysis they uncovered an interesting site and its associated domain, called Priv8Shop. The experts note that to a large extent the research was aided by a collective of whitehat hackers called Group Demóstenes, who have been monitoring the data stream.
The group has sent emails to affected victims in Portuguese and English which give detailed information about the host:
Our SERVERS detected information from a server on the US, we don’t even know government or another source …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called Computer
Name PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
have a keylogger harm report All That You write, messages, passwords or more.
¿Why we do it?
We have a Cause Called Group Demóstenes looking for Cyber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.
PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS
A network scan of the service has revealed that the server is used to host stolen credentials transferred from the HawkEye ransomware. The site is also used to sell some of the harvested data alongside other hacking tools. It uses a forum-like structure which allows registered users to communicate easily and trade the black market goods.
Purchases are made through an online deposit account which can be funded with Bitcoin, PerfectMoney or WebMoney.
The data harvested by the HawkEye ransomware includes stolen keystrokes, login events and account credentials. Some of the identified datasets contain passwords for banking, healthcare, government and payment web applications. Among the stolen data is also a web server account belonging to the Pakistani government.
For more detailed information you can read Kaspersky’s detailed blog post.