Pierluigi Paganini October 06, 2022

Researchers at cybersecurity firm Resecurity spotted a new group of hacktivists targeting financial institutions in Egypt,

Resecurity, a California-based cybersecurity company protecting Fortune 500 corporations globally, has noticed a new group of hacktivists targeting financial institutions in Egypt. The bad actors go under the campaign “EG Leaks” (also known as “Egypt Leaks”), they started leaking large volumes of compromised payment data belonging to the customers of major Egyptian banks on the Dark Web. First mention of this activity have been detected in a Telegram channel created to leak Excel files containing 12,229 credit cards.

The leaked data includes references to PII belonging to potential customers of major banks in Egypt – including National Bank of Egypt, HSBC Bank Egypt, Bank of Alexandria, Banque Misr, Alexbank, Credit Agricole Egypt, and multiple other banks. While some of the data seem to be incomplete, it was confirmed the data contained multiple customers with valid details, these customers were contacted individually to confirm and validate it.

According to experts, the source of this data may be related to one of the compromised underground marketplaces and the actor was previously investigated by Resecurity HUNTER unit:- the threat intelligence and research arm of the company. Notably, some of the observed leaked fields of data were inspected independently, they contained the signatures of possible script or parser scrapping entries – it is known that the engines of some underground shops on Dark Web and TOR network are not always properly protecting fields of records, and in some cases, it could result in the possible leak without an actual data acquisition.

The data contains e-mail, billing address, first name and last name, name of the bank and type of card. The bad actors haven’t shared CVV or Track 2 Data, but in a private conversation, threat actors demonstrated other fields confirming the data is legitimate. Likely, the motivation of the threat actors is solely financially driven, and by leaking this data they are attempting to extort the affected consumers of the financial institutions, or alternatively to demonstrate the security precedent which requires attention by the banks to get paid, similar to how ransomware groups negotiate the buyout of exfiltrated data.

The geography of the affected banking clients is primarily centered in Cairo (70%), but includes Alexandria (12%), Aswan (8%), Giza (7%), Sohag (2%), Luxor (1%) and other major cities. It’s worth noting, multiple customers from Bahrain and the Kingdom of Saudi Arabia have also been identified in the leak.

Experts warn the data released by threat actors may be used for identity theft and financial fraud, that’s why it is extremely important to take swift action and the proper steps to minimize the probability of a negative impact. According to multiple sources, law enforcement authorities are currently investigating the incident.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Egypt Leaks)

[adrotate banner=”5″]

[adrotate banner=”13″]