Feb 21 2023

Franco-Israeli Gang Linked to $40 Million CEO Scam Busted

Category: Cyber crime, Cybercrime | DISC @ 10:37 am

Europol has dismantled a gang linked to a $40 million CEO scam. Find out more about how this international criminal syndicate was uncovered and who was involved.

The email scam gang behind France’s largest-ever CEO scam has been dismantled after a coordinated police operation across several countries led to the arrest of six people in France and two in Israel.

The Europe-wide operation to track down the Franco-Israeli criminal organization involved the Croatian National Police, the Croatian Anti Money Laundering Office, the French National Police, the French Gendarmerie, the Hungarian Budapest Metropolitan Police, the Israel Police, the Portuguese Judicial Police, and the Spanish National Police.

Law enforcement authorities involved in the operation (Image: Europol)

In early December 2021, one of the gang members, now arrested as a suspect, impersonated the CEO of a metallurgy company in northeastern France and tricked the accountant into making an urgent and confidential transfer of €500,000 ($530,000) which was subsequently spotted and blocked. 

In late December 2021, according to Europol’s press release, Sefri-Cime, a real-estate developer, fell victim to the same group after its members impersonated lawyers working for a well-known French accounting firm. According to Europol, they persuaded the Chief Financial Officer (CFO) to transfer almost €38 million ($40 million) altogether.

The criminal network, consisting of French and Israeli nationals, used a pre-existing money laundering scheme that laundered the funds via European countries, China, and then Israel. An investigation that followed revealed the money mules working for the gang in Croatia, Portugal, and Hungary.

The police were able to seize electronic equipment and vehicles, €3 million from Portuguese bank accounts, €1.1 million from Hungarian bank accounts, €600,000 from Croatian bank accounts, €400,000 from Spanish bank accounts and €350,000 in virtual currencies.

Five action days took place between January 2022 and 2023 in France and Israel, leading to eight house searches and eight arrests, including that of the alleged Israeli gang leader, according to Europol.


Tags: Cyber Crime Scams and Fraud


Jan 02 2023

Cyber Crime: The Dark Web Uncovered

Category: Cybercrime, Dark Web, Information Security | DISC @ 2:54 pm


11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.

Director: Jeff Roldan. Starring: 11 top cyber security experts. Genre: Documentary. Subtitles: English [CC]. Audio language: English.

Tags: cyber crime, dark web


Dec 30 2022

Cybercriminals create new methods to evade legacy DDoS defenses

Category: Cybercrime, DDoS | DISC @ 10:40 am

The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks.

“DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to target higher transaction processing to overwhelm a target. Those with responsibility for network health and internet service uptime should be taking note of this trend,” explained Corero CTO, Ashley Stephenson.

Legal responsibility

Corero also predicts that 2023 will see more breaches being reported, because of the increasing trend for transparency in data protection regulations. Regulations such as the UK Government’s Telecoms Security Bill will compel organizations to disclose more cyber-incidents publicly.

We are also likely to see the legal responsibility for bad corporate behaviour when dealing with breaches being linked to individual executives. Examples such as Joe Sullivan, the former head of security at Uber, who was recently found guilty of hiding a 2016 breach, could set a precedent for linking data protection decisions to the personal legal accountability of senior executives.

Evading DDoS defenses

Attackers will continue to make their mark in 2023 by developing new ways to evade legacy DDoS defenses. Carpet bomb attacks reared their head in 2022: instead of flooding one address, the attacker spreads many small streams across every address in a target range, so that no single destination crosses a per-IP detection threshold while the aggregate still saturates the link. They are designed specifically to circumvent legacy detect-and-redirect DDoS protections and to neutralize ‘black hole’ sacrifice-the-victim mitigation, since there is no single victim address to black-hole. This kind of cunning will be on display as DDoS attackers look for new ways of wreaking havoc across the internet and attempt to outsmart existing thinking around DDoS protection.
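As an added illustration (not Corero’s code or data), the following Python sketch shows why a per-destination threshold misses a carpet bomb while aggregating the same counters per prefix catches it. The flow records, addresses and thresholds are constructed for the example; real detection would read NetFlow/sFlow or router counters.

```python
"""Detect carpet-bomb DDoS by aggregating per prefix rather than per destination.

Added example; the flow records below are constructed and the thresholds
are assumptions, not figures from the page.
"""
import ipaddress
from collections import defaultdict

# Constructed flow summaries for one 1-second window: (destination IP, packets per second).
# 40 destinations in 203.0.113.0/24 each receive a "small" 8,000 pps stream
# (the carpet bomb), while 198.51.100.7 receives a classic single-target flood.
SAMPLE_FLOWS = [(f"203.0.113.{i}", 8_000) for i in range(1, 41)] + [
    ("198.51.100.7", 120_000),
    ("198.51.100.8", 300),      # ordinary traffic
    ("203.0.113.200", 150),     # ordinary traffic inside the bombed prefix
]

PER_IP_THRESHOLD = 50_000     # assumed legacy per-destination trigger (pps)
PREFIX_THRESHOLD = 200_000    # assumed aggregate trigger per /24 (pps)


def per_destination_alerts(flows, threshold=PER_IP_THRESHOLD):
    """Legacy detect-and-redirect logic: one counter per destination /32."""
    totals = defaultdict(int)
    for dst, pps in flows:
        totals[dst] += pps
    return {ip: pps for ip, pps in totals.items() if pps >= threshold}


def per_prefix_alerts(flows, prefix_len=24, threshold=PREFIX_THRESHOLD):
    """Aggregate counters per prefix so that many small streams still add up."""
    totals = defaultdict(int)
    for dst, pps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += pps
    return {net: pps for net, pps in totals.items() if pps >= threshold}


def carpet_bomb_candidates(flows, prefix_len=24, threshold=PREFIX_THRESHOLD,
                           per_ip_threshold=PER_IP_THRESHOLD):
    """Prefixes over the aggregate threshold in which no single destination
    trips the per-IP threshold: the carpet-bomb signature. A prefix that also
    contains a hot /32 is an ordinary flood and is left to the per-IP logic."""
    hot_ips = per_destination_alerts(flows, per_ip_threshold)
    result = {}
    for net, pps in per_prefix_alerts(flows, prefix_len, threshold).items():
        network = ipaddress.ip_network(net)
        if not any(ipaddress.ip_address(ip) in network for ip in hot_ips):
            result[net] = pps
    return result


if __name__ == "__main__":
    print("per-IP alerts:", per_destination_alerts(SAMPLE_FLOWS))
    print("per-/24 alerts:", per_prefix_alerts(SAMPLE_FLOWS))
    print("carpet bomb candidates:", carpet_bomb_candidates(SAMPLE_FLOWS))
```

The per-IP view fires only on 198.51.100.7; the 320,000 pps spread over 203.0.113.0/24 is invisible to it, which is also why black-holing a single /32 does nothing against this pattern. The practical mitigation is to scrub or rate-limit the whole prefix, which is exactly the capability a legacy single-victim design lacks.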

In 2023, the cyberwarfare that we have witnessed with the conflict in Ukraine will undoubtedly continue. DDoS will continue to be a key weapon in the Ukrainian and other conflicts both to paralyse key services and to drive political propaganda objectives. DDoS attack numbers rose significantly after the Russian invasion in February and DDoS continues to be used as an asymmetric weapon in the ongoing struggle.

Earlier this year, in other incidents related to the conflict, DDoS attackers attempted to disrupt the Eurovision song contest in an attempt to frustrate the victory of the Ukrainian contestants. Similarly, when Elon Musk showed support for Ukraine by providing Starlink satellite broadband services, DDoS attackers tried to take the satellite systems offline and deny Ukraine much needed internet services.

“Throughout 2022 we observed DDoS attacks becoming increasingly sophisticated while at the same time the DDoS attack surface is expanding. With the number of recorded attacks on the rise and significant shifts in attackers’ motives and goals, 2023 will require organizations to ensure they have robust DDoS defense in place,” said Lionel Chmilewsky, CEO at Corero Network Security.


AWS Best Practices for DDoS Resiliency

DDoS Defense Standard Requirements



Tags: ddos


Oct 22 2022

Student Jailed for Hacking into Email & Snapchat Accounts of Female Classmates

Category: Cyber crime, Cybercrime, Hacking | DISC @ 12:55 pm

As part of the criminal case against a former student of the University of Puerto Rico (UPR), a judge in Puerto Rico sentenced him to serve 13 months in federal prison. 

The former student, Iván Santell-Velázquez (aka Slay3r_r00t), was accused of hacking the email and Snapchat accounts of more than a dozen female classmates at the university.

On July 13, Santell-Velázquez pleaded guilty to cyberstalking, admitting that he had targeted over 100 students in his online campaign. He also used other schemes, such as spoofing and phishing, to steal information.

He was accused of harassing women and, in some cases, of publishing nude pictures he had stolen from them, between 2019 and 2021.

Apart from hacking student email accounts, he also gained access to multiple university email accounts through spoofing and phishing attempts, and used that access to gather personal information.

Student Data Stolen

In total, Santell-Velázquez targeted 15 female students at the University of Puerto Rico. Victims of cyberstalking can suffer significant emotional distress as a result.

U.S. Attorney W. Stephen Muldrow stated:

“The prosecution of cyber criminals is a top priority in the Justice Department. Cybercrimes not only cause financial losses to corporate victims but also result in financial and psychological harm to vulnerable victims, oftentimes children or the elderly. This conduct will not be tolerated.” 

“This case also demonstrates the importance of safeguarding personal information and passwords, and the care we must take when responding to suspicious e-mails and text messages.”

Santell-Velázquez was sentenced by U.S. District Judge Silvia Carreño-Coll to 13 months in prison, followed by two years of supervised release, for cyberstalking.



Tags: cyber crime


Oct 17 2022

New UEFI rootkit Black Lotus offered for sale at $5,000

Category: APT, Cyber crime, Cybercrime | DISC @ 10:02 am

Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, researcher warns.

Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is being advertised on underground criminal forums. The malware is offered for sale at $5,000, with each new update priced at $200.

The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.

“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot‘s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction.” wrote Scheferman.

Black Lotus is written in assembly and C and is only 80 KB in size. The malicious code can be configured not to infect systems in countries of the CIS region.

The malware supports anti-virtualization, anti-debugging and code obfuscation. Black Lotus can disable security features including Hypervisor-protected Code Integrity (HVCI), BitLocker and Windows Defender, bypasses defenses such as UAC and Secure Boot, and can load unsigned drivers used to perform a broad range of malicious activities.

The threat is highly stealthy: it achieves persistence at the UEFI level and protects its Ring 0 agent.

Black Lotus supports a full set of backdoor capabilities and could also be used to target both IT and OT environments.

Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.


Tags: APT, Black Lotus, criminal forums, UEFI rootkit


Oct 12 2022

Refund Fraud-as-a-Service Ads on Hacker Forums Increase by 60%

Category: Cyber crime, Cyber Threats, Cybercrime | DISC @ 9:42 am

Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.

Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.

Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.

Netacea’s research also found:

  • Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
  • Refund fraud services increased by almost 150% from 2019 – 2021

Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.

“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”

Additional steps include:

  1. Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
  2. E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
  3. Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.

Source:

https://www.darkreading.com/attacks-breaches/refund-fraud-as-a-service-ads-on-hacker-forums-increase-by-60-

What are refunding services and how to stop them – Kount


Tags: Refund Fraud-as-a-Service


Sep 22 2022

IT admin gets 7 years for wiping his company’s servers to prove a point

Category: Cyber crime, Cybercrime, Information Security | DISC @ 2:47 pm

Han Bing allegedly felt undervalued after his security warnings were ignored, and decided to prove his point by trashing four financial servers.

Servers at risk (Image credit: Getty – Andrew Aitchison)

An indignant IT admin, seemingly aiming to prove the lax security his employer had hitherto ignored, proceeded to delete a bunch of vital financial databases, and has subsequently been given seven years in prison as a result. It’s what’s known in the IT trade as ‘cutting your nose off to spite your face,’ or inadvisably hulking out on a server you’re known to have access to and have already complained about.

Han Bing, a database administrator for Lianjia, a Chinese real estate brokerage previously known as Homelink, was allegedly one of only five people in the security team with access to the company’s financial system databases. So when someone logged in with root access to Lianjia’s financial system and deleted the lot (via Bleeping Computer), the company already had a handful of suspects.

Four of the five handed over their laptops and passwords immediately, while Bing refused to hand over his password, claiming that it held private information. He agreed to access the device for the company’s investigators while he was present, and no incriminating evidence was found on his machine. 

The company, however, claimed the attack could be done simply by connecting to the server in a way that would leave no residual trace on the client laptop. 

Subsequent forensic analysis of the company’s server logs, combined with CCTV footage, matched records on the server to the hostname of Bing’s MacBook, “Yggdrasil,” as well as to MAC and IP addresses associated with his computer.

Yeah, Yggdrasil. The tree of life. The roots of which can be seen sprawling across the sky in Valheim, and as that big f-off plant glowing away in Elden Ring. Everything in 2022 always seems to lead back to Elden Ring. This whole case is probably in the game somewhere as lore.

With all the evidence in hand, the Beijing Tongda Fazheng Forensic Identification Centre concluded none of the other potential suspects could be linked to the attack on June 4, 2018, and Han Bing was found guilty of damaging computer information and sentenced to seven years in prison. 

Initially that feels a bit harsh on the guy, but he did basically destroy four different servers, salting the earth so nothing could be recovered, and grinding the company’s operation to a halt. It then had to pay some $30,000 as amends for the fact that Lianjia employees were left without pay for an extended amount of time.

Which is also pretty harsh.

Bing’s colleagues have suggested that the reasoning behind his deletion of company records was down to the fact he discovered the security of the financial system was compromised, and his concerns were ignored.

He worked with another database admin to bring the issues to his seniors in the organisation but was apparently brushed off. It’s alleged this led to Bing arguing with other colleagues, and after his office was relocated it is suggested that he no longer felt valued by the company, was “passive and sluggish, often late and early, and there is also the phenomenon of absenteeism.” That’s according to the Edge machine translation, so make of that what you will.

Maybe Bing thought he was going to be rewarded for highlighting the problems more obviously, or maybe he was just a grumpy, vengeful admin by the end of it. Either way going to prison for seven years was most definitely not what he was aiming to get out of this.

https://www.pcgamer.com/it-admin-gets-7-years-for-wiping-his-companys-servers-to-prove-a-point/


Tags: cyber crime


Sep 12 2022

FBI warns of vulnerabilities in medical devices following several CISA alerts

Category: Cyber crime, Cybercrime, HIPAA | DISC @ 2:14 pm

The FBI on Monday warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks.

In a white notice from the FBI’s Internet Crime Complaint Center (IC3), the law enforcement agency said it has identified “an increasing number” of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.

The FBI specifically cited vulnerabilities found in insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”

“Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity,” the alert said. 

“Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.”

The FBI noted that medical device hardware is often used for more than 30 years at some healthcare facilities, giving cybercriminals and state actors ample time to discover and exploit bugs. 

Many legacy devices used by hospitals and clinics contain outdated software because they do not get manufacturer support for patches or updates, the FBI said, adding that many devices are not designed with security in mind. 

The white notice then quotes several reports from cybersecurity firms that highlighted the magnitude of the problem, most notably that about 53% of all connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. 

One report found an average of 6.2 vulnerabilities per medical device and reported that more than 40% of medical devices are at the end-of-life stage, offering little to no security patches or upgrades.

The alert comes days after the multibillion-dollar healthcare company Baxter International notified customers of four vulnerabilities affecting their infusion pumps and WiFi batteries. CISA released its own advisory about the issues, the second they released last week related to medical devices. 

In March, Palo Alto Networks security researchers discovered that more than 100,000 infusion pumps were susceptible to two known vulnerabilities that were disclosed in 2019.

Infusion pumps have long been a source of ire for cybersecurity experts and vendors who have spent more than a decade trying to improve their security. Palo Alto noted that the Food and Drug Administration announced seven recalls for infusion pumps or their components in 2021 and nine more recalls in 2020.

Last year, German healthcare giant B. Braun updated several faulty IV pumps after McAfee discovered vulnerabilities allowing attackers to change doses.

Healthcare organizations continue to face a barrage of ransomware incidents and cyberattacks. Cybersecurity firm Proofpoint released a report last week that found 89% of healthcare professionals surveyed experienced at least one cyberattack in the last 12 months.

More than 20% of those attacked saw an increase in mortality rates and over half said the attacks caused longer patient stays, delays in procedures and overall decreases in the quality of care.

https://therecord.media/fbi-warns-of-vulnerabilities-in-medical-devices-following-several-cisa-alerts/

Cybersecurity for Healthcare Professionals: Keeping You and Your Patients Safe from Cyberattacks

Tags: healthcare, cybercrime


Jul 28 2022

Messaging Apps Tapped as Platform for Cybercriminal Activity

Category: Cyber crime, Cybercrime, Information Security | DISC @ 8:56 am

Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes.

Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found.

Threat actors are tapping the multi-feature nature of messaging apps, in particular their content-creation and program-sharing components, as a foundation for info-stealing, according to new research from Intel 471.

Specifically, they use the apps “to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” researchers wrote in a blog post published Tuesday.

“While messaging apps like Discord and Telegram are not primarily used for business operations, their popularity coupled with the rise in remote work means a cybercriminal has a bigger attack surface at their disposal than in past years,” researchers wrote.

Intel 471 identified three key ways in which threat actors are leveraging built-in features of popular messaging apps for their own gain: storing stolen data, hosting malware payloads, and using bots that perform their dirty work, they said.

Storing Exfiltrated Data

Having one’s own dedicated and secure network to store data stolen from unsuspecting victims of cybercrime can be costly and time-consuming. Instead, threat actors are using data-storage features of Discord and Telegram as repositories for info-stealers that actually depend upon the apps for this aspect of functionality, researchers have found.

Indeed, novel malware dubbed Ducktail that steals data from Facebook Business users was recently seen storing exfiltrated data in a Telegram channel, and it’s far from the only one.

Researchers from Intel 471 observed a bot known as X-Files that uses bot commands inside Telegram to steal and store data, they said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers, including Google Chrome, Chromium, Opera, Slimjet and Vivaldi, and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said.

Another stealer known as Prynt Stealer functions in a similar fashion, but does not have the built-in Telegram commands, they added.

Other stealers use Discord as their messaging platform of choice for storing stolen data. One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. A Discord webhook is a URL issued for a channel; anything POSTed to that URL is published in the channel, so the malware needs no account, bot token or API client beyond a plain HTTP request to move data from the victim’s machine into the attacker’s channel.

Blitzed Grabber and two other stealers observed using messaging apps for data storage, Mercurial Grabber and 44Caliber, also target credentials for the Minecraft and Roblox gaming platforms, researchers added.

“Once the malware spits that stolen information back into Discord, actors can then use it to continue their own schemes or move to sell the stolen credentials on the cybercrime underground,” researchers noted.
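As an added example (not Intel 471’s tooling or data), here is detection logic a SOC could run over outbound web-proxy logs to catch the abuses described above: POSTs to Discord webhooks, calls to the Telegram Bot API, and executables pulled from Discord’s attachment CDN. The log format, client addresses, webhook and bot IDs are constructed; the URL shapes are the platforms’ public ones.

```python
"""Flag outbound traffic to Discord/Telegram features that stealers abuse.

Added example, not from Intel 471 or the page. The proxy log lines are
constructed: "<time> <client-ip> <method> <url> <status> <user-agent>".
"""
import re

# Discord webhook: POSTing JSON or a multipart file to this URL drops it in a channel.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/[\w-]+")
# Telegram Bot API: the bot id before ':' is harmless, the part after it is the secret token.
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
# Discord CDN used as free hosting for a payload.
DISCORD_CDN_PAYLOAD = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/[^\s?#]+\.(?:exe|dll|scr|js|vbs|ps1|bat|zip)\b",
    re.I)

# Constructed log excerpt (IDs and hosts are made up).
SAMPLE_LOG = """\
2022-07-26T10:01:12Z 10.0.0.5 POST https://discord.com/api/webhooks/1004451234567890123/AbCdEf-GhIjK_lmn 204 Mozilla/5.0
2022-07-26T10:01:13Z 10.0.0.9 GET https://discord.com/channels/@me 200 Mozilla/5.0
2022-07-26T10:02:40Z 10.0.0.5 POST https://api.telegram.org/bot5512345678:AAHxyz_123-abc/sendDocument 200 python-requests/2.28.1
2022-07-26T10:03:00Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/987654321/123456789/update.exe 200 Mozilla/5.0
2022-07-26T10:03:05Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/987654321/123456790/photo.png 200 Mozilla/5.0
"""


def triage_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    time, client, method, url, status, user_agent = line.split(maxsplit=5)
    m = DISCORD_WEBHOOK.search(url)
    if m and method.upper() == "POST":
        return {"time": time, "client": client, "category": "discord-webhook-post",
                "detail": f"webhook id {m.group(1)}", "user_agent": user_agent}
    m = TELEGRAM_BOT.search(url)
    if m:
        # Record the bot id and API method only; the token is a credential and
        # should not be copied into tickets or dashboards.
        return {"time": time, "client": client, "category": "telegram-bot-api",
                "detail": f"bot {m.group(1)} method {m.group(2)}", "user_agent": user_agent}
    if DISCORD_CDN_PAYLOAD.search(url):
        return {"time": time, "client": client, "category": "discord-cdn-payload",
                "detail": url.rsplit("/", 1)[-1], "user_agent": user_agent}
    return None


def triage_log(text):
    """Run triage_line over every non-empty line and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Ordinary Discord browsing (the `/channels/@me` line) and an image from the CDN produce no finding; the webhook POST, the `sendDocument` call from a non-browser user agent and the `.exe` download do. Pair the hits with the client address and the user agent, since a stealer usually talks to these endpoints from a process that is not the user’s browser.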

Payload Hosting

Tags: Messaging Apps


Apr 21 2022

Cybercriminals Deliver IRS Tax Scams & Phishing Campaigns By Mimicking Government Vendors

Category: Cyber Threats, Cybercrime, Phishing | DISC @ 8:28 am

Threat intelligence firm Resecurity details how crooks are delivering IRS tax scams and phishing attacks posing as government vendors.

Cybercriminals are using advanced tactics in their phishing kits that give spoofed emails carrying malicious attachments a high delivery success rate. Right before the April 18, 2022 deadline for 2021 U.S. IRS income tax returns, a notable campaign was detected that used phishing emails impersonating the IRS, and in particular one of the industry vendors that provides government agencies with emailing, digital communications management and content delivery systems used to inform citizens about various updates.

Cybercriminals purposely choose specific times when all of us are busy with taxes, and preparing for holidays (e.g., Easter), that’s why you need to be especially careful during these times.

The IT services vendor the actors impersonated is widely used by major federal agencies, including DHS, and by state and city websites across the U.S. The identified phishing email warned victims about overdue payments to the IRS, to be paid via PayPal, and carried an HTML attachment imitating an electronic invoice.


Notably, the email contains no URLs, and it was delivered to the victim’s inbox without being flagged as spam. Based on the inspected headers, it was relayed through multiple hops, primarily network hosts and domains registered in the U.S.

It is worth noting that on the date of detection none of the involved hosts had previously been blacklisted, nor did they show any negative IP reputation or abnormal domain reputation.

The HTML attachment with the fake IRS invoice contains JS-based obfuscated code.
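As an added example (not Resecurity’s tooling), the following Python triage script shows how to handle a message of this shape: walk the Received chain, confirm the body carries no URLs, and inspect an HTML attachment for script tags and common obfuscation primitives. The message, its hosts, addresses and the attachment body are constructed, and the indicator list is this example’s own heuristic, not the campaign’s actual code.

```python
"""Triage an email that carries an HTML attachment instead of a link.

Added example, not Resecurity's code. The message below is constructed
(hosts, addresses and the attachment body are made up); the obfuscation
indicators are this example's own heuristics.
"""
import base64
import email
import re
from email import policy

RECEIVED_FROM = re.compile(r"\bfrom\s+([^\s(]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SCRIPT_TAG = re.compile(r"<script\b", re.I)

# Heuristics for obfuscated JavaScript inside an HTML "invoice".
INDICATORS = {
    "unescape": re.compile(r"\bunescape\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "percent-encoded run": re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}"),
    "hex-escape run": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
}

# Constructed attachment: a lure page that rebuilds its form at runtime.
ATTACHMENT_HTML = (
    '<html><body><script>var p=unescape("%3C%66%6F%72%6D%20%61%63%74%69%6F%6E%3D");'
    'document.write(p);eval(atob("YWxlcnQoMSk="));</script></body></html>'
)

# Constructed message: two Received hops, a URL-free text body, one HTML attachment.
RAW_EMAIL = (
    "Received: from mail2.example-hop2.test (mail2.example-hop2.test [192.0.2.20]) "
    "by mx.example.com with ESMTP; Wed, 13 Apr 2022 09:14:02 -0400\n"
    "Received: from relay1.example-hop1.test (relay1.example-hop1.test [192.0.2.10]) "
    "by mail2.example-hop2.test with ESMTP; Wed, 13 Apr 2022 09:13:58 -0400\n"
    'From: "IRS e-Invoice" <noreply@example-vendor.test>\n'
    "To: cfo@example.com\n"
    "Subject: Overdue payment notice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Your IRS payment is overdue. The electronic invoice is attached.\n"
    "--b1\n"
    'Content-Type: text/html; charset="utf-8"; name="invoice.html"\n'
    'Content-Disposition: attachment; filename="invoice.html"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(ATTACHMENT_HTML.encode()).decode() + "\n"
    "--b1--\n"
)


def analyze(raw):
    """Parse a raw RFC 5322 message and return hops, body URL count, attachment findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Received headers are listed newest-first; each "from" clause is one hop.
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(str(header))
        if m:
            hops.append(m.group(1))
    body_url_count = 0
    attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        filename = part.get_filename()
        if not filename:
            body_url_count += len(URL_RE.findall(text))
            continue
        attachments.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "has_script": bool(SCRIPT_TAG.search(text)),
            "indicators": [name for name, rx in INDICATORS.items() if rx.search(text)],
        })
    suspicious = any(a["has_script"] and a["indicators"] for a in attachments)
    return {
        "hops": hops,
        "body_url_count": body_url_count,
        "attachments": attachments,
        "verdict": "suspicious" if suspicious else "no-finding",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(RAW_EMAIL), indent=2))
```

The point of the script is the gap the campaign exploited: a URL-reputation filter has nothing to look at when the body carries no links and the relay hosts are clean, so the decision has to come from the attachment itself. Script tags plus runtime decoding primitives in an “invoice” are enough to quarantine and detonate the file rather than deliver it.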


Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: IRS Tax Scams, phishing, phishing countermeasures


Feb 03 2022

Fake Cash Scams Thrive on Facebook and Insta—FTC

Category: Cyber crime, Cyber sanctions, Cybercrime | DISC @ 10:01 am

Cryptocurrency scammers love social media—especially Meta’s platforms. The Federal Trade Commission says hundreds of millions of dollars were scammed from U.S. consumers in 2021 (and that’s just the scams the FTC knows about).

And the problem’s growing incredibly fast—with no hint of a fix in sight. Meta claims to be “tackling” it, but we’ve probably all experienced scam reports to Facebook and Instagram being ignored or closed with no action. But why expect anything different? Meta makes money from all the scam ads and “engagement.”

Of course, some say all cryptocurrencies, NFTs and DeFi are scams. In today’s SB Blogwatch, we couldn’t possibly comment.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nothingverse.

Imaginary Money Enriches Zuckerberg

What’s the craic? Sarah Perez reports—“US consumers lost $770 million in social media scams in 2021, up 18x from 2017”:

“A large majority … involve cryptocurrency”
A growing number of U.S. consumers are getting scammed on social media. … That number has also increased 18 times … the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed.

Facebook and Instagram were where most of these social media scams took place. … More than half (54%) of the investment scams in 2021 began with social media platforms, where scammers would promote bogus investment opportunities or connect with people directly to encourage them to invest. … A large majority of the investment scams now involve cryptocurrency.

Why does it matter? Sara Fischer and Margaret Harding McGill tell us—“Crypto leads to massive surge in online scams”:

“Bogus investment sites”
Cryptocurrency is an easy target because while it’s surging in popularity, there’s still a lot of confusion about how it works. … One type of crypto scam reported to the agency involves someone bragging about their own success to drive people to bogus investment sites.

“We put significant resources towards tackling this kind of fraud and abuse,” said a spokesperson for … Meta. “We also go beyond suspending and deleting accounts, Pages, and ads. We take legal action against those responsible when we can and always encourage people to report this behavior when they see it.”

Horse’s mouth? Here’s the FTC’s Emma Fletcher—“Social media a gold mine for scammers”:

“Urgent need for money”
Social media is also increasingly where scammers go to con us. More than one in four people who reported losing money to fraud in 2021 said it started on social media with an ad, a post, or a message.

For scammers, there’s a lot to like about social media. It’s a low-cost way to reach billions of people. [It] is a tool for scammers in investment scams, particularly those involving bogus cryptocurrency investments — an area that has seen a massive surge. … People send money, often cryptocurrency, on promises of huge returns, but end up empty handed.

If you get a message from a friend about an opportunity or an urgent need for money, call them. Their account may have been hacked – especially if they ask you to pay by cryptocurrency, gift card, or wire transfer. … To learn more about how to spot, avoid, and report scams—and how to recover money if you’ve paid a scammer—visit ftc.gov/scams.

Who would fall for such scams? King_TJ hates to admit it:

“Facebook is complicit”
Hate to admit it, but I fell for one of these scams on Facebook myself. It was probably about a year ago. I ran across a “seller” in one of the ads that scrolled by on my feed. … There were plenty of comments posted ranging from other people interested in one, to claims they got one and liked it.

After a little while … the tracking info showed the package as delivered, but I never received anything at all. … When I started digging around more on Facebook after that, I realized the scammers … were actually running dozens of ads for various products, giving out web URLs that were almost identical except with one letter changed in their name. Reported the original ad … to Facebook, but … got no response.

That’s when it struck me that Facebook is complicit in all of this, in the sense they make a lot of ad revenue off of these scams. … It’s more profitable for them to turn a blind eye and simply take one down when a user complains about it specifically.

Facebook is complicit? Carrie Goldberg—@cagoldberglaw—puts it more bluntly:

Platforms love scams because user engagement is so high from all the accounts they create, posts, and messaging; not to mention the panicked use by victims.
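King_TJ's point above about scam ads pointing at URLs "almost identical except with one letter changed" is the classic typosquat, and it is a check you can automate. The block below is an added example, not code from the original post, Meta or the FTC: it reduces each URL to its registrable domain, folds confusable characters, and flags anything within a small edit distance of a known brand domain. The brand allowlist, the confusable map and the sample URLs are constructed for illustration.

```python
"""Flag look-alike domains: a known brand's domain with one character
changed or swapped for a confusable. Added example, not code from the
original post; the allowlist and sample URLs are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains a brand really uses.
KNOWN_GOOD = {"example-store.com", "shop-example.com"}

# Characters scammers swap in because they look alike at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(url: str) -> str:
    """Return 'name.tld' for a URL or bare hostname.

    Naive: takes the last two labels. Production code should use the
    Public Suffix List, because 'example.co.uk'-style suffixes break this.
    """
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold confusable digits and letter pairs ('rn' ~ 'm', 'vv' ~ 'w')."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify(url: str, known_good=KNOWN_GOOD, max_edits: int = 2):
    """Return (verdict, domain, matched_brand_domain_or_None)."""
    dom = registrable_domain(url)
    if dom in known_good:
        return ("legitimate", dom, dom)
    name = dom.rpartition(".")[0]
    for good in sorted(known_good):
        gname = good.rpartition(".")[0]
        if normalize(name) == normalize(gname) or edit_distance(name, gname) <= max_edits:
            return ("lookalike", dom, good)
    return ("unrelated", dom, None)


def scan(urls):
    """Run classify over a batch and return only the look-alikes."""
    return [c for c in (classify(u) for u in urls) if c[0] == "lookalike"]


# Constructed sample input: one real brand URL, three typosquats, one stranger.
SAMPLE_URLS = [
    "https://example-store.com/deals",
    "http://examp1e-store.com/deals",       # digit 1 for letter l
    "https://exarnple-store.com/checkout",  # 'rn' for 'm'
    "https://example-store.net/deals",      # same name, swapped TLD
    "https://unrelated-site.org/",
]

if __name__ == "__main__":
    for verdict, dom, brand in scan(SAMPLE_URLS):
        print(f"{verdict}: {dom} (impersonates {brand})")
```

Keep `max_edits` small and the brand list short: with a four-letter brand name, a distance of 2 will match a lot of honest domains, so in practice the threshold is tuned per brand and the match is a signal for review, not an automatic block.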

Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-off Artists

Tags: Fake Cash Scams


Jan 02 2022

North Korea-linked threat actors stole $1.7 billion from cryptocurrency exchanges

Category: Crypto,CybercrimeDISC @ 10:57 am

North Korea-linked threat actors are behind some of the largest cyberattacks against cryptocurrency exchanges.

North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South Korean media outlet Chosun, North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.

According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities.

In a classified report cited by Chosun, the US Office of the Director of National Intelligence (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that the nation-state actors are not immediately cashing out all the stolen crypto, building a crypto reserve instead.

“Citing the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the media reported that all banks in the world are being targeted by North Korea’s cyberattacks. It also reported that North Korea is committing cybercrimes such as stealing defense secrets from major powers, using ransomware to steal funds, hijacking cryptocurrencies, and “laundering” criminal proceeds into cryptocurrencies.” reads a post published by Chosun.

“Then, citing the results of investigations by the United States and the UN Security Council, it was estimated that the Kim Jong-un regime’s fraudulent profits from cyber crimes have already reached $2.3 billion (about 2.7 trillion won).”

The report states that North Korea-linked attacks employed the AppleJeus malware to steal cryptocurrency. According to Bloomberg, multiple versions of AppleJeus have been used in attacks against entities in 30 countries since 2018, and according to a UN and US investigation, between 2019 and November 2020 North Korean hackers stole $316.4 million (about 380 billion won) in cryptocurrency through this program.

According to Chosun, North Korea’s dependence on cybercrime will increase due to international sanctions that limit the amount of money that North Korea can earn from coal exports to $400 million (about 480 billion won) per year.

The Infinite Machine: How an Army of Crypto-hackers Is Building the Next Internet with Ethereum

Tags: Crypto-hackers, North Korea-linked threat


Nov 09 2021

Healthcare – Patient or Perpetrator? – The Cybercriminals Within

Category: Cybercrime,hipaaDISC @ 10:08 am

With the copious amounts of data collected by healthcare facilities, cybercriminals often target such entities. Moreover, the healthcare industry collects a unique kind of data, Protected Health Information (PHI), which is extremely valuable. Our PHI is ingrained in us: a medical history cannot be changed. As such, this information can sell for three times as much as Personally Identifiable Information (PII) on the dark web and can be used in far more nefarious ways. Identity theft takes on a whole new meaning when a bad actor gets hold of your PHI.

A Silent Sickness

Cybercriminals are turning to hardware-based attacks to carry out their harmful activities. What makes such attacks so perilous is their clandestine nature; Rogue Devices can inject malware, cause data breaches, and more, all while operating covertly. Traditional security software, such as NAC, EPS, IDS, or IoT Network Security, fails to provide the Layer 1 visibility required to detect and accurately identify all hardware assets. As a result of this blind spot, Rogue Devices, which operate on Layer 1, go undetected. By hiding or spoofing their identity through Layer 1 manipulation, Rogue Devices bypass existing security efforts, even those as stringent as Zero Trust. All it takes is a few seconds to attach the Rogue Device to an endpoint, and the attack is underway.
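What a host can see of an attached device is what the device tells it: a vendor ID, a product ID, a product string and the interface classes it claims. The block below is an added example, not code from the article or from Sepio, showing the minimum a defender can do with that self-reported data: parse USB attach events from kernel log lines and escalate any device that is not on a site allowlist, with the highest priority for unlisted devices that present as a keyboard or a disk. The log excerpt, the `dead:beef` device and the allowlist are constructed for illustration.

```python
"""Audit USB attach events from kernel log lines against a device
allowlist. Added example, not code from the original article or from
Sepio; the log lines and the allowlist are constructed for illustration."""
import re

# Constructed kernel log excerpt (the lines `dmesg` / `journalctl -k` print
# when a device is plugged in). The dead:beef device is deliberately fake.
SAMPLE_DMESG = """\
[  12.103] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  12.104] usb 1-1: Product: USB Keyboard
[  12.201] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:046D:C31C.0001/input/input5
[ 301.702] usb 1-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
[ 301.703] usb 1-3: Product: USB Keyboard
[ 301.790] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:DEAD:BEEF.0002/input/input6
[ 640.215] usb 1-4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 640.216] usb 1-4: Product: Ultra Fit
[ 640.300] usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of (idVendor, idProduct) pairs the site has approved.
ALLOWLIST = {("046d", "c31c")}

NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)")
HID_INPUT = re.compile(r"^\[[^\]]*\] input: .* as /devices/.*/usb\d+/(?P<port>[\d.-]+)/")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text: str) -> dict:
    """Group log lines by USB port into {port: {vid, pid, product, classes}}."""
    events = {}
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            events[m["port"]] = {"vid": m["vid"], "pid": m["pid"],
                                 "product": None, "classes": set()}
            continue
        for regex, field in ((PRODUCT, "product"), (HID_INPUT, "hid"), (STORAGE, "storage")):
            m = regex.search(line)
            if m and m["port"] in events:
                if field == "product":
                    events[m["port"]]["product"] = m["name"].strip()
                else:
                    events[m["port"]]["classes"].add(field)
                break
    return events


def audit(events: dict, allowlist=ALLOWLIST) -> list:
    """Return (port, verdict, reason) per device. Unlisted devices are ranked by
    what they claim to be: a keyboard or a disk is what a rogue device most
    often impersonates."""
    findings = []
    for port, ev in sorted(events.items()):
        vid, pid = ev["vid"], ev["pid"]
        if (vid, pid) in allowlist:
            findings.append((port, "allow", f"{vid}:{pid} is on the allowlist"))
        elif "hid" in ev["classes"]:
            findings.append((port, "alert", f"unlisted device {vid}:{pid} presents as a keyboard/HID "
                                            "(keystroke injection risk)"))
        elif "storage" in ev["classes"]:
            findings.append((port, "alert", f"unlisted mass-storage device {vid}:{pid} "
                                            "(malware drop / exfiltration risk)"))
        else:
            findings.append((port, "review", f"unlisted device {vid}:{pid}"))
    return findings


if __name__ == "__main__":
    for port, verdict, reason in audit(parse_usb_events(SAMPLE_DMESG)):
        print(f"{port}: {verdict.upper()} - {reason}")
```

The caveat is the article's own point: the vendor ID, product ID and product string are supplied by the device, so a malicious implant can claim to be the approved keyboard and pass this check. A host-side allowlist (the same policy `usbguard` enforces on Linux) raises the cost for casual attacks and gives you a log to investigate, but it does not authenticate the hardware itself.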

An Open Wound

In addition to visibility challenges, several weaknesses within the healthcare industry enable hardware-based attacks. Malicious insiders pose a significant threat to healthcare providers because of their physical access to the organization, a requirement for hardware-based attacks. But gaining physical access to a healthcare facility is fairly easy for outsiders too; many healthcare entities, such as hospitals, are open to the public, with hundreds of people walking in and out each day. A malicious actor can walk in freely, disguised as a visitor or even posing as a patient, and carry out a hardware attack. Further, the interconnected environment typically found within healthcare facilities only makes life easier for these external perpetrators. Interconnectedness creates a larger attack surface because there are more entry points to the organization; an outside attacker needs access to just one device to infiltrate the target’s network.

Worryingly, the large number of devices used within medical facilities multiplies the hardware threat. The industry is undergoing a digital transformation and is becoming increasingly reliant on technology and, more importantly, on Internet of Medical Things (IoMT) devices. Not only do IoMT devices act as entry points; the devices themselves are often the target of an attack. Firstly, IoMT devices collect significant amounts of valuable data, and the ease with which they can be accessed makes them appealing targets. Additionally, an attack on IoMT devices can have a physical impact with dire consequences: some of them, such as heart-rate monitors and insulin pumps, perform life-critical functions. Should malicious actors gain control over such devices, the outcome can be fatal.

Cyberattacks on healthcare providers are a very serious matter as patients’ lives are at risk, as is the country’s national security. To protect against dangerous hardware-based attacks – and strengthen existing security measures – healthcare entities should invest in hardware security. With Layer 1 visibility, there is protection on the first line of defense.

About the author:

Jessica Amado – Head of Cyber Research – Sepio Systems

Tags: Healthcare insider threat


Nov 03 2021

Cybercrime underground flooded with offers for initial access to shipping and logistics orgs

Category: Access Control,Cyber Threats,CybercrimeDISC @ 9:02 am

Experts warn of the availability in the cybercrime underground of offers for initial access to networks of players in global supply chains.

Researchers from threat intelligence firm Intel 471 published an analysis of current cybercrime underground trends online, warning that initial access brokers are offering credentials or other forms of access to shipping and logistics organizations. 

These organizations provide essential services to the global supply chain across multiple industries, operating air, ground and maritime cargo transport on several continents.

Experts believe the threat actors selling initial access to these organizations obtained the credentials by exploiting well-known vulnerabilities in remote access solutions, including Remote Desktop Protocol (RDP), VPN, Citrix, and SonicWall products.

Intel 471 experts monitored Dark Web activity over the past few months and observed a growing number of listings offering initial access to organizations operating in the global supply chain.

The experts provided multiple examples of the offers they found.

Disrupting Logistics: Startups, Technologies, and Investors Building Future Supply Chains – “This book presents readers with a straightforward and comprehensive assessment of supply chain innovation and trends and their impact on the industry. With contributions from several industry leaders, it provides critical knowledge and insight that supply chain and logistics managers need to implement disruptive technologies strategically.” 

Tags: dark net, dark web, shipping and logistics


Oct 22 2021

FIN7 cybercrime gang creates fake cybersecurity firm to recruit pentesters for ransomware attacks

Category: Cyber crime,Cybercrime,Pen Test,RansomwareDISC @ 9:08 am

The FIN7 hacking group is attempting to enter the ransomware business, and it is doing so with an interesting technique: the gang creates fake cybersecurity companies that hire security specialists and assign them real intrusions disguised as penetration-testing engagements.

FIN7 is a Russian criminal group that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US, harvesting financial information that is used in attacks or sold on cybercrime marketplaces.

One of the companies the criminal organization created for this purpose was Combi Security; researchers from Gemini Advisory uncovered the latest one by analyzing the website of another fake cybersecurity company, Bastion Secure.

The Bastion Secure website is hosted with the Russian domain registrar and hosting provider Beget, which is popular in Russian cybercrime communities. Most of the site’s submenus return a Russian-language HTTP 404 error, which suggests the site’s creators were Russian speakers. At the time of the report, some of those HTTP 404 errors remained unfixed.

The website is a clone of that of Convergent Network Solutions Ltd, and Bastion Secure’s ‘About’ page claims the company is a spinoff of that legitimate cybersecurity firm, which has no link to the criminal gang.

Pentest as a Service (PtaaS)

Tags: FIN7, pentester, ransomware attacks


Oct 01 2021

Gift card fraud: four suspects hit with money laundering charges

Category: CybercrimeDISC @ 11:44 am

You might be forgiven for thinking that cybercrime is almost all about ransomware and cryptocoins these days.

In a ransomware attack, the crooks typically blackmail you to send them cryptocurrency in return for giving you your stolen data back (or for not selling it on to someone else).

In a cryptocoin attack, the crooks typically take your cryptocurrency for themselves, perhaps by exploiting a bug in the trading software you use, or by stealing your private keys so they have direct access to your cryptocurrency wallet.

This sort of criminality sometimes involves amounts reaching tens of millions of dollars, or even hundreds of millions of dollars, in a single attack.

But gift card fraud still fills a distressing niche in the cybercrime ecosystem, where a gang of crooks redeem gift cards that you paid for, either because you were convinced that those cards were earmarked for something else, or because the crooks got temporary access to one of your online accounts that allowed them to buy gift cards on your dime.

Indeed, the US Department of Justice announced this week the indictment of four suspected gift card scammers, and alleges that these four ended up with more than 5000 fraudulently obtained cards to spend on themselves.

This sort of crime might not reach the stratospheric financial territory of ransomware criminals, or the truly cosmic amounts seen in cryptocurrency attacks…

…but if we reasonably assume an average of $200 a gift card (we know that in many scams, crooks come away with more than that on each card), we’re still looking at $1,000,000 of ill-gotten gains in this court case alone.

Don’t Panic! I’m A Professional Fraud Analyst – 2022 Diary: Customized Work Planner Gift For A Busy Fraud Analyst.

Tags: Gift card fraud, money laundering


Sep 20 2021

“Back to basics” as courier scammers skip fake fees and missed deliveries

Category: Cyber Threats,Cybercrime,Information SecurityDISC @ 9:24 am

These scams can take many different forms, including:

  • A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used by romance scammers, who sucker you into an online friendship, for example by stealing other people’s profile data from online dating sites, courting you online, and then “sending” you a “gift”, often jewellery or something they know you would appreciate if it were real. The scammer then pretends to be the courier company handling the “delivery”, correctly identifying the item, its value and its made-up shipping code. Finally, there’s a customs or tax payment to make before the item can be released in your country (something that often happens with genuine deliveries via genuine courier companies). Some unfortunate victims pay out this fee, in cash, in good faith. In this sort of scam, the crooks are directly after your money.
  • A fake order will be delivered once you have confirmed the purchase. These fake orders range from low-value subscriptions that have auto-renewed, all the way to expensive new mobile phones or gaming consoles that will ship imminently. Given that it’s easier to guess what you haven’t just bought than what you have, these crooks are banking that you will click the link or phone the “customer support” number they’ve helpfully provided in order to cancel or dispute the charge. Once they have you on the hook, skilled social scammers in a call centre operated by the crooks offer to “help” you to cancel the bogus order or subscription (something that can be annoyingly hard for legitimate goods and services). In this sort of scam, the crooks are after as much personal information as they can persuade you to hand over, notably including full credit card data, phone number and home address.
  • A fake delivery failed and the item was returned to the depot. These fake delivery notices typically offer to help you reschedule the missed delivery (something that is occasionally necessary for legitimate deliveries of genuine online orders), but before you can choose a new date you usually need to log in to a fake “courier company” website, hand over credit card data, or both. The credit card transactions are almost always for very small amounts, such as $1 or $2.99, and some crooks helpfully advise that your card “won’t be charged until the delivery is complete”, as a way of making you feel more comfortable about committing to the payment. In this sort of scam, the crooks won’t bill you $2.99 now, but they will almost certainly sell your credit card details on to someone else to rack up charges later on.

KISS – Keep It Simple and Straightforward

Tags: Cyber Scam, Scam Me If You Can, scammers


Jul 20 2021

NSO Group Hacked

There’s a lot to read out there. Amnesty International has a report. Citizen Lab conducted an independent analysis. The Guardian has extensive coverage. More coverage.

Worldwide probe finds tech by Israel's NSO Group targeted media, politicians | The Times of Israel

Most interesting is a list of over 50,000 phone numbers that were being spied on by NSO Group’s software. Why does NSO Group have that list? The obvious answer is that NSO Group provides spyware-as-a-service, and centralizes operations somehow. Nicholas Weaver postulates that “part of the reason that NSO keeps a master list of targeting…is they hand it off to Israeli intelligence.”

This isn’t the first time NSO Group has been in the news. Citizen Lab has been researching and reporting on its actions since 2016. It’s been linked to the Saudi murder of Jamal Khashoggi. It is extensively used by Mexico to spy on — among others — supporters of that country’s soda tax.

Here’s a tool you can use to test whether your iPhone or Android is infected with Pegasus. (Note: it’s not easy to use.)

7 Steps to Removing Spyware by Nick Laughter

Spyware and Adware

Tags: Amnesty International, mobile spyware, NSO Group Hacked, rogue anti-spyware, Spyware, Spyware and Adware


Jun 10 2021

Global Scamdemic: Scams Become Number One Online Crime

Category: CybercrimeDISC @ 8:25 pm

Threat hunting and adversarial cyber intelligence company Group-IB published a comprehensive analysis of fraud cases on a global scale.

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 


Overall, fraud accounts for 73% of all online attacks: 56% are scams (fraud in which the victim voluntarily discloses sensitive data) and 17% are phishing attacks (theft of bank card details). Using its patented Digital Risk Protection (DRP) technologies, Group-IB’s experts discovered over 70 groups of fraudsters operating just one of the fraudulent schemes, Classiscam, 36 of which target Europe. Classiscam threat actors alone were found to have defrauded users of $7.75 million in one year.

On June 10, during the Digital Risk Summit 2021 online conference (Amsterdam), Group-IB presented its research on various fraudulent schemes, obtained with the neural networks and ML-based scoring of the Group-IB Digital Risk Protection System. Group-IB also unveiled Scam Intelligence, the fraud-tracking technology that paved the way for DRP, the company’s proprietary solution. In one year, the system has helped companies in Asia Pacific, Europe and the Middle East avoid €363 million in potential damage.

The number of scam and phishing cases detected by Group-IB in Europe in 2020 increased by 39% compared to the previous year. DRP’s research into threat actors’ fraud activity around the world helped categorize fraud schemes, uncovering over 100 basic schemes and their variations. For example, the scheme of fake branded social media accounts (typical of the financial sector) produced over 500 fake accounts per bank on average in 2020. Insurance companies around the world are now suffering from phishing: over the past year, an average of over 100 phishing websites were created per insurer.

In 2020, a multi-stage scam called Rabbit Hole targeted companies’ brands, primarily in retail and online services. Users received a link from friends, via social media or in messengers, asking them to take part in a competition, a promotional offer or a survey. On average, users visited 40,000 fraudulent websites every day. Rabbit Hole has attacked the customers of at least 100 brands worldwide. The threat actors aim to steal personal and bank card details.

Classiscam has been the most widespread fraud scheme in the world during the pandemic. It targets people using marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ridesharing and deliveries, and aims to extract payment for non-existent goods. At least 44 countries, including Austria, France, Italy, the Netherlands and Great Britain, are affected by Classiscam. According to Group-IB, a total of 93 brands were misused as part of Classiscam. As of early 2021, more than 12,500 threat actors were making money with fake delivery services, and the total number of websites involved in the scheme reached 10,000. A single Classiscam threat group makes up to €97,000 per month.

“Last year the world was hit by the scamdemic, an influx of online scams on an unprecedented scale: if your business is successful and well-known, it is only a matter of time before scammers set their sights on it,” explains Dmitry Tiunkin, Group-IB DRP Head, Europe. “Digital risks to brands such as online fraud, the illegal sale of products and services, and intellectual property infringement are the most widespread crimes on the Internet. Group-IB’s DRP system gives analysts a tool to uncover the entire infrastructure of fraudsters and learn about the different categories of fraud attempts that could target their organizations. Group-IB DRP helps our clients identify the person behind the wrongdoing, gather as much information about them as possible, and bring them to justice.”

Tags: Global Scamdemic, Scam Me If You Can


Jun 07 2021

In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat service AN0M for 3+ years to intercept messages between criminals globally

Category: CybercrimeDISC @ 10:52 pm


The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years.

In the operation, named Operation Ironside, law enforcement agencies from Australia, Europe, and the US on Monday conducted house searches and arrested hundreds of suspects across a wide spectrum of criminal groups, from biker gangs in Australia to drug cartels across Asia and South America, and weapons and human traffickers in Europe.

In a press conference today, Australian police said the sting operation got underway in 2018 after the FBI successfully seized encrypted chat platform Phantom Secure.

Knowing that the criminal underworld would move to a new platform, US and Australian officials decided to create their own service, which they called Anøm (also stylized as AN0M).

Just like Phantom Secure, the new service consisted of secure smartphones that were configured to run only the An0m app and nothing else.

The app, advertised through word of mouth and via the anom.io website, allowed phone owners to send encrypted text and voice messages between devices and prevented them from installing any other apps.

No phone number was required to use the app, which relayed all its messages via An0m’s central platform.

But according to investigators, this app design allowed officials to intercept the messages and decrypt texts sent by gang members to each other, many of which included details of drug movements or murder plots.

According to Australian police officials, the FBI ran the platform while the AFP technical staff built a system to decrypt messages that passed through the platform in real-time.

Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, other gangs found refuge on the network, which eventually amassed more than 11,000 users.

Investigators described Operation Ironside as one of the largest sting operations in law enforcement history.

Investigators appear to have decided to shut down the sting operation after criminal groups started catching on that the An0m app was leaking their conversations.

Source: In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat

Listening In: Cybersecurity in an Insecure Age

The Wires of War

Tags: AN0M, encrypted chat

