Security News

The rise of the OGUsers hacking group

David Strom, 3 December 2020

Here's the backstory of the notorious account hijacking forum

The hackers’ forum called OGUsers has ironically been a tempting target for criminals itself, with a series of at least three successful hacking attempts in the past couple of years: once in May 2019, a second time in March 2020, and a third time just last week.

The forum trades in gathering up and reselling collections of private users’ data, including social media and gaming identities, some of which have sold for thousands of dollars. The group began operations in April 2017 to sell short usernames (such as Adrian Lamo’s unused Twitter account, @6). It now has more than 50,000 registered users who have generated millions of posts, with about 1,000 of them active at least daily. Brian Krebs, who has been following the OGUsers hacks, documents this latest attempt, calling it “schadenfraud,” a play on schadenfreude, the German word for satisfaction taken in others’ problems.

There are numerous such operations across the dark web, that great underbelly of the internet which deals in drugs, deviants, directories of criminal hackers and compromised domains – all of which are for sale, cryptocurrency preferred. Most of these dark web denizens are scammers and swindlers, looking to separate you from your cash and steal your data. Lately, they have gotten more adept at trading in sophisticated exploits and malware tools that can avoid many detection efforts.

Some of the groups that collect this kind of data aren’t scammers, but instead, legitimate data brokers. We talk about some of these data brokers in an earlier blog post.

The latest OGUsers attack defaced the forum’s homepage, replacing it with a page saying the site had been penetrated. The site’s administrator acknowledged the hack but claimed that none of the passwords of the OGUsers accounts themselves had been compromised. Instead, the people supposedly behind this latest breach have posted a price list that ranges from $50 per OGUsers member looking to remove their data from various data leaks to $100 per user for regaining access to their Twitter direct messages. Turnabout can be fair play.

The group’s first move into stealing data was to specialize in SIM swapping attacks. This is where the hacker moves a target’s cell phone number to a SIM card under their own control, usually by calling the phone company and using social engineering to convince a support staffer to make the change. This was the method used by OGUsers members to compromise numerous high-profile Twitter account holders in July, as we wrote on our blog at the time. This other story by Wired documents how Kirk, the handle of the main criminal behind the hack and a member of OGUsers, eventually got caught.

So what can you do to prevent this from happening to you?

First and foremost, you should employ some kind of multi-factor authentication on all of your social media accounts, website administrator accounts, and anything involving banking activities. This includes using an additional password on your cell phone carrier account, too.

Second, there are a few Avast products that can be used to research these dark web data collections. A free tool is Avast’s Hack Check, which can quickly find out if your email address has found its way into one of these breached collections that are traded on the dark web. Beyond that, you can be more proactive at protecting your accounts by using Avast BreachGuard. This will flag when your account is revealed in a breach or used by a data broker and prompt you to change your password to something more unique and more complex.