The cybercrime markets keep surprising us with new events and, at times, massive data breaches. This time, our researchers stumbled on an interesting case. It was tipped off to us by an "alleged" ex-cartel member (alias: KelvinSec) of a credible hacking group, "John Wick".
Background of the actor: "John Wick" is the same notorious group or actor who broke into multiple Indian companies and collected ransoms from various organizations. The actor has other aliases such as "South Korea" and "HCKINDIA". One of the tactics used by this group is "to act" as a grey-hat hacker and offer help to companies or victims to fix their bugs.
Some of their previous targets include Zee5, SquareYards, Stashfin, Sumo Payroll, Square Capital, i2ifunding, e27 and many others. The actor/group typically operates from 1:30 PM UTC to 5:30 PM UTC (or 7:30 PM to 11:30 PM IST).
In this instance, the report concerns an alleged data breach at Paytm Mall.
About Paytm Mall – According to Wikipedia: "In February 2017, Paytm launched its Paytm Mall app, which allows consumers to shop from 140,000 registered sellers. Paytm Mall is a B2C model inspired by China's largest B2C retail platform TMall. Sellers have to pass through Paytm-certified warehouses and channels to ensure consumer trust. Paytm Mall has set up 17 fulfilment centres across India and partnered with more than 40 couriers. Paytm Mall raised $200 million from Alibaba Group and SAIF Partners in March 2018."
According to an online report from 2018, it has over 5.5 Million daily active users, 80,000 sellers and a product portfolio of 110 million items.
About Paytm – Valued at over $10B, it’s one of the most successful technology companies in India. Paytm is an Indian e-commerce payment gateway that provides payment services to merchants and allows consumers to make seamless mobile payments from cards, bank accounts, and digital credit among others. Paytm is currently available in 11 Indian languages and offers online use-cases like mobile recharges, utility bill payments, travel, movies, and events bookings as well as in-store payments at grocery stores, fruits and vegetable shops, restaurants, parking, tolls, pharmacies and educational institutions with the Paytm QR code.
About: The company posted revenue of USD 500 million in 2019. Its website, paytm.com, ranked 594 in the Alexa ranking.
Paytm also runs a bug-bounty program, an industry-standard way to invite researchers to submit security issues securely. Paytm Mall is part of that program's scope.
What Happened: A known cybercrime group with the alias 'John Wick' was allegedly able to upload a backdoor (Adminer, a single-file PHP database management tool) to the Paytm Mall application/website and, through it, gain unrestricted access to its entire database.
Based on the above, it appears the actor gained access to the production database, which potentially affects all accounts and related information at Paytm Mall.
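The report says the actor dropped Adminer into the web application and used it to reach the database. The following Python is an added example, not code from the original post or from Cyble or Paytm, showing two checks a defender can run to find such a tool after the fact: scanning web-server access logs for requests to database-admin tool paths, and scanning the web root for PHP files carrying the Adminer fingerprint even when the file has been renamed. The log lines, file names and directory layout are constructed; the fingerprint strings are an assumption and should be verified against the current Adminer release.

```python
"""Find an unauthorized database-admin tool (e.g. Adminer) deployed in a web root.

Added example, not part of the original report. Two defender-side checks:
1. access-log review for requests to DB-admin tool style paths;
2. content-based scan of the web root, which catches renamed copies.
"""
import re
import tempfile
from pathlib import Path

# Base names typically used by DB-admin tools (assumption, not from the report).
SUSPICIOUS_BASENAMES = ("adminer", "phpmyadmin")

# Strings expected in the Adminer source (assumption; verify against a real release).
FINGERPRINTS = (b"adminer.org", b"Adminer - Compact database management")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic; RFC 5737 documentation IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2020:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.10 - - [28/Aug/2020:14:02:40 +0000] "POST /images/cache/adminer.php HTTP/1.1" 200 812
198.51.100.7 - - [28/Aug/2020:14:03:05 +0000] "GET /products?id=42 HTTP/1.1" 200 2210
203.0.113.10 - - [28/Aug/2020:14:05:19 +0000] "POST /images/cache/adminer.php?username=root HTTP/1.1" 200 3000
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(log_text):
    """Return (ip, raw path, status) for requests whose script name looks like a DB-admin tool."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()   # drop the query string
        basename = path.rsplit("/", 1)[-1]
        if basename.endswith(".php") and any(k in basename for k in SUSPICIOUS_BASENAMES):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def scan_webroot(root):
    """Return relative paths of PHP files under `root` whose content matches a fingerprint.

    A content scan is needed because the tool is usually renamed (e.g. to an
    innocuous name inside an upload or cache directory) to evade a name-based check.
    """
    found = []
    root = Path(root)
    for p in root.rglob("*.php"):
        data = p.read_bytes()
        if any(f in data for f in FINGERPRINTS):
            found.append(str(p.relative_to(root)))
    return sorted(found)


def demo_webroot_scan():
    """Build a constructed web root with one renamed Adminer-like file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "index.php").write_text("<?php echo 'shop'; ?>")
        (r / "images" / "cache").mkdir(parents=True)
        # Renamed copy: the name gives nothing away, the header comment does.
        (r / "images" / "cache" / "img.php").write_text(
            "<?php /** Adminer - Compact database management */ ?>"
        )
        return scan_webroot(root)


if __name__ == "__main__":
    for ip, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"log hit: {ip} -> {path} ({status})")
    for rel in demo_webroot_scan():
        print(f"fingerprint hit: {rel}")
```

The log check is cheap but only catches the default file name; the file scan is the one that finds a renamed copy, so on a real host run it against the full document root and any writable upload or cache directories, and treat a 200 response to such a path as an indicator worth correlating with database query logs.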
Insider job? According to the messages forwarded to us by the source, the perpetrator claimed the hack happened due to an insider at Paytm Mall. The claim is unverified, but plausible: in 2019, the company faced a fraud allegedly carried out by its junior employees.
Our sources also forwarded us messages in which the perpetrator claimed to be receiving a ransom payment from Paytm Mall. Leaking data when a victim fails to meet the hackers' demands is a known technique used by various cybercrime groups, including ransomware operators. At this stage, we do not know whether the ransom was paid.
High-profile breaches such as this one indicate that cybercriminals are increasingly targeting the blind spots of organizations' digital footprint. As part of Cyble's continuous digital risk monitoring capabilities, we detect tens of thousands of exposed systems on the Internet holding terabytes of sensitive data belonging to users and their customers.
Why Target Indian Companies? The actor seems to have a keen interest in Indian companies, likely because of a high success rate in receiving ransom payments from them. Based on their attack patterns, one thing that stands out is that the group targets tech-based companies the most, and demands ransom by emailing them on their support channels and similar contact points.
Is Paying Ransom Worthwhile? No! While Cyble itself offers "Ransomware Negotiation-as-a-Service", paying still carries inherent risks, such as the data being leaked despite the payment. With that said, the profile and reputation of the actor and their previous engagements are the key factors.
In this instance, the tactics and previous behaviour of the "John Wick" actor/group are close to a "cybercrime Robin Hood" [a metaphor]: taking money from the victims and still leaking the information to cybercriminals.
In the case of Paytm Mall, our source confirmed that the perpetrator demanded 10 ETH, equivalent to USD 4,000. Organizations shouldn't fall prey to this, as they might end up taking actions that also ruin their reputation.
Data Breach Notification? Assuming Paytm Group will do the right thing, we should expect to see a data breach notification soon with more details about the breach.
Do you have more information? In case you’ve more information about this incident, please reach out to us at firstname.lastname@example.org
The actor has posted this on one of the following Russian-speaking hacking forums as well.
We had recently published a blog on Paytm Mall's database being hacked by a group named 'John Wick' and a ransom being demanded from the company. This report was based on a tip-off from an alleged ex-cartel member (alias: Kelvin Sec) of the hacking group and other information made available to us.
In relation to the said blog, the company has reached out to us and has explained that its security mechanism is robust enough to resist and withstand any sort of security threat and attack and that, therefore, all user as well as company data is completely safe and secure. Paytm Mall has clarified that its database was not hacked or attacked. We have published the aforesaid clarification in furtherance of our commitment to promote fair reporting, to work towards the betterment of Indian cyberspace, and to promote and support tech groups based in India.
Cyble is an Atlanta, US-based global premium cyber-security firm with tools and capabilities to provide near real-time cyber intelligence. The company is focused on de-hashing cyber threats upstream.
Its monitoring and notification platform gives the average consumer insight into their personal cybersecurity issues, allowing them to take action as needed. It has recently earned accolades from Forbes as one of the top 20 cyber-security companies to watch in 2020.