The dark web marketplace “2easy” is becoming a major player in the underground of stolen data

A dark web marketplace called "2easy" is becoming a major player in the sale of "logs" of stolen data collected from approximately 600,000 devices infected with "information-stealing" malware.

The most important aspect of "logs," which are archives of data stolen from infected Web browsers or systems with malware, is that they often include account credentials, cookies and saved credit card information.

Launched in 2018, 2easy has experienced rapid growth since last year, when it was considered a minor player by selling data from only 28,000 infected devices, but grew rapidly from 28,000 infected devices to 600,000 in one year.

According to analysis by researchers at KELA, an Israeli dark web intelligence firm, the sudden growth is attributed to the development of market platforms and consistent product quality, which have gained acclaim in the cybercrime community.

Cheap and effective logs

The marketplace is fully automated, meaning that those who need them can create an account themselves, add money to their wallet, and make purchases without interacting directly with the seller.

These logs can be purchased for as low as $5 each, roughly five times less than the average Genesis price and three times less than the average cost of machine logs on the Russian market.

In addition, based on analysis of participant feedback from multiple dark web forums, 2easy logs consistently provide valid credentials that provide network access to many organizations.

In addition to cost and effectiveness, 2easy's graphical user interface is simultaneously user-friendly and powerful, enabling actors to perform the following functions on a website.

View all URLs logged in by infected machines
Search for URLs of interest
Browse the list of infected machines from which the credentials of the said website were stolen
View the seller's ratings
View the tags assigned by the seller, most of the time including the date the machine was infected, and sometimes including additional notes from the seller
Get the credentials of the selected target

The only drawback compared to other platforms is that 2easy does not provide potential buyers with a preview of sold items, such as the redacted IP address or OS version of the device whose data was stolen.

RedLine Malware

Each item purchased on 2easy contains an archive file with stolen logs from the selected machine.

The type of content depends on the information-stealing malware used to work and its functionality, as each Trojan has a different focus.

However, in 50% of cases, sellers use RedLine as their malware of choice, which can steal passwords, cookies, credit cards stored in web browsers, FTP credentials, etc.

Of the 18 sellers active on 2easy, five use RedLine exclusively, while the other four use it in combination with other malware such as Raccoon Stealer, Vidar and AZORult.

Why this is important

Logs containing credentials are essentially keys that unlock doors, whether those doors lead to your online accounts, financial information, or entry points to your corporate network.

Threat actors sell this information for as little as $5 per entry, but the damage to infected entities can be in the millions.

The KELA report explains, "One such example can be observed through the attack on video game company EA, disclosed in June 2021."

"The attack reportedly began when hackers purchased stolen cookies sold online for $10, and then the hackers proceeded to use those credentials to access a Slack channel used by EA."

"Once in the Slack channel, these hackers successfully tricked an EA employee into providing a multi-factor authentication token, which allowed them to steal multiple source codes for EA games."

The initial market for access proxies is on the rise and is directly linked to catastrophic ransomware infections, and the market for logs like 2easy is part of the same ecosystem.

Millions of account credentials are available for purchase on the dark web, so proper security measures are needed to protect accounts.

Some of these security measures are: multi-factor authentication, frequent password changes, and applying the principle of least privilege to all users, among others.