Login
Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.
Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.
Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.
Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.
“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”
Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.
“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.
“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”
Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.
“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”
The Venus ransom group’s extortion note. Image: Tripwire.com
Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.
The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.
“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”
While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.
In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.
Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:
While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.
As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.
“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”
As 2022 draws to a close, the Threat Research Team at McAfee Labs takes a look forward—offering their predictions for 2023 and how its threat landscape may take shape.
This year saw the continued evolution of scams, which is unlikely to slow down, as well as greater adoption of Chrome as an operating system. It also saw the introduction of AI tools that are easy and accessible to virtually anyone with a phone or laptop, which will continue to have significant implications, as will the fluctuating popularity of cryptocurrency and the emergence of “Web3.”
Advances such as these have set the stage for 2023, which will continue to reshape our interactions with technology—advances that bad actors will try to exploit, and in turn, us.
Yet as the threat landscape continues to evolve, so do the ways we can protect ourselves. With that, we share McAfee’s threat predictions for 2023, along with insights and advice that can help us enjoy the advances to come with confidence.
By Steve Grobman, Chief Technology Officer
Humans have been fascinated by artificial intelligence (AI) for almost as long as we’ve been using computers. And in some cases, even fearful of it. Depictions in pop culture range from HAL, the sentient computer from 2001: A Space Odyssey to Skynet, the self-aware neural network at the center of the Terminator franchise. The reality of current AI technologies is both more complicated and less autonomous than either of these. While AI is rapidly evolving, humans remain at the heart of it, and whether it’s put to beneficial or nefarious use.
Within the last few months, creating AI-generated images, videos, and even voices are no longer strictly left to professionals. Now anyone with a phone or computer can take advantage of the technology using publicly available applications like Open AI’s Dall-E or stability.ai’s Stable Diffusion. Google has even made creating AI-generated videos easier than ever.
What does this mean for the future? It means the next generation of content creation is becoming available to the masses and will only continue to evolve. People both at work and at home will have the ability to create the AI-generated content in minutes. Just as desktop publishing, photo editing, and inexpensive photorealistic home printers created major advances that empowered individuals to create content that previously required a professional designer, these technologies will enable sophisticated outputs with minimal expertise or effort.
Advances in desktop publishing and consumer printing also provided benefits to criminals, enabling better counterfeiting and more realistic manipulation of images. Similarly, these emerging next-generation content tools will also be used by a range of bad actors. From cybercriminals to those seeking to falsely influence public opinion, these tools will empower scammers and propagandists to take their tradecraft to the next level with more realistic results and significantly improved efficiency.
This is especially likely to ramp up in 2023 as the U.S. begins the 2024 presidential election cycle in earnest. Globally, the political environment is polarized. The confluence of the emergence of accessible next-generation generative AI tools and what is sure to be a highly contested 2024 election season is a perfect storm for creating and distributing disinformation for political and monetary gain.
We’ll all need to be more mindful of the content we consume and the sources that it originates from. Fact-checking images, videos, and news content, something that’s already on the rise, will continue to be a necessary and valuable part of media consumption.
By Oliver Devane, Security Researcher
Cryptocurrency scams
In 2022 we saw several online scams making use of existing content to make crypto scams more believable. One such example was the double your money cryptocurrency scam that used an old Elon Musk video as a lure. We expect such scams to evolve in 2023 and make use of deep fake videos, as well as audio, to trick victims into parting ways with their hard-earned money.
The financial outlook of 2023 remains uncertain for many people. During these times, people often look for ways to make some extra money and this can lead them vulnerable to social media messages and online ads that offer huge financial gains for little investment.
According to the IC3 2021 report, the losses for financial scams increased from $336,469,000 in 2020 to $1,455,943,193 in 2021, this shows that this type of scam is growing by an enormous amount, and we expect this to continue.
Unfortunately, scammers will often target the most vulnerable people. Fake loan scams are one such scam where the scammers know that the victims are desperate for the loan and therefore are less likely to react to warning signs such as asking for an upfront fee. McAfee predicts that there will be a large increase in these types of scams in 2023. When looking for a loan, always use a trusted provider and be careful of clicking on online ads.
Metaverses such as Facebook’s Horizon enable their users to explore an online world that was previously unimaginable. When these platforms are in the early stages, malicious actors will usually attempt to exploit the lack of understanding of how they work and use this to scam people. We have observed phishing campaigns targeting users of these platforms in 2022 and we expect this to increase dramatically in 2023 as more and more users sign up for the platforms.
By Craig Schmugar, McAfee Senior Principal Engineer
More than 25 years ago, Windows 95 became the platform of choice not just for millions of users around the globe, but for malware authors targeting those users. Over the years, Windows has evolved, as has the threat landscape. Today, Windows 10 and 11 make up the majority of the desktop PC market, but thanks to the rise of the mobile Internet, device diversity has greatly evolved since the advent of Windows 95.
Over five years ago, Android overtook Windows as the world’s most popular OS and with this shift bad actors have been pursing alternative methods of attack. The ultimate vectors are those which impact users across a spectrum of devices. Email and web-based scams (some of which are outlined in the blog above) are as prolific as ever as these technologies are ubiquitous across desktop and mobile devices.
Meanwhile, other technologies span across desktop and mobile experiences as well. For Google, such cross-platform capabilities are highlighted by increased adoption of ChromeOS and a few underlying technologies. This includes 270 million active Android users and a 270% increase in Progressive Web Application (PWA) installations [https://chromeos.dev]. ChromeOS’ ability to run Android applications, combined with its wide-spread adoption, provides the climate for increased attention by those with ill intentions.
Similarly, adoption of PWAs provide bad actors with additional incentive to deliver deceptive and imposter attacks through this multi-OS channel, including ChromeOS, iOS, MacOS, and Windows.
Finally, on the heels of COVID restrictions that impacted schools in various countries, Google reported 50 million students and educators worldwide [https://chromeos.dev] using ChromeOS. Many users will be unaware of malicious Chrome extensions lurking in the Chrome Web Store.
All of this means that the stage is set for a marked increase in threats impacting Chromebook in the year to come. In 2023, we can expect to see Chromebook users among millions of unsuspecting victims that download and run malicious content, whether from malicious Android Apps, Progressive Web Apps, or Chrome Web Store extensions, users should be leery of popups and push notifications urging them to install untrusted apps.
By Fernando Ruiz, Senior Security Researcher
Editor’s Note: Web3? FOMO? If you’re already lost, you’re not alone. Web3 is a term some use to encompass decentralized internet services, technologies like Bitcoin and Non-Fungible Tokens (digital art that collectors can purchase with cryptocurrency). Still confused? A lot of people are. This New York Times article is a good primer on what is currently considered Web3.
As for FOMO, that’s just an acronym meaning the “Fear of Missing Out.” That nagging feeling, most often felt by extroverts, that others are out there having more fun than them and that they’re missing the party.
Whether you invest in cryptocurrency or just see the headlines on Twitter, no doubt you’ve seen that the price of cryptocurrency has sharply declined during 2022. These fluctuations are becoming more normal as crypto becomes even more mainstream. It’s very likely that the value of crypto will rise again.
When the last upturn in valuation happened near the start of the pandemic, the hype about crypto also skyrocketed. Suddenly Bitcoin and other cryptocurrencies were everywhere. Out of that, rose the concept of Web3, with more companies investing in new applications over blockchain (the technology that is the backbone of cryptocurrency).
McAfee predicts that the popularity of cryptocurrency will rise again, and consumers will hear much more about Web3 concepts like decentralized finance (DeFi), decentralized autonomous organizations (DAOs), self-sovereign identity (SSI) and more.
Some amateur investors, remembering the rapid rise of the value of Bitcoin earlier this decade, won’t want to miss out on what they think will be a great opportunity to get rich quick. It’s this group that bad actors will seek to exploit, offering up links or applications that play on these users’ crypto/Web3 FOMO.
As crypto bounces back and initial awareness of decentralization grows in the general population, consumers will begin to explore these Web3 offerings without fully understanding what they mean or what dangers they should be aware of, leaving them open to scams as they invest time and money into crypto or creating their own NFT content. These scams could entice users to click on a link or download an app that appears to legitimately interact with some blockchains, but in actuality:
Additionally, when consumers DO hold crypto, NFT, digital land, or other blockchain financial assets they are going to be targeted for more sophisticated threats that can drain their funds: smart contracts, exchanges, digital wallets, and synchronization services can all be associated with hidden authorizations that allow a third party (potentially a bad actor) to take control of the assets. It’s important that users read the terms and conditions of any app they download, especially those that will be accessing ANY type of financial institution or currency, whether traditional or crypto.
Social engineering will also continue to be a top entry point for cybercriminals. The complexity of the attacks will evolve as the technology does, which will require more preparation and understanding of how Web3 applications and tools work in order to safely interact with them.
What has emerged from the world of Web3 thus far, while exciting, has also expanded attack surfaces and vectors, which we expect to see grow throughout 2023 as Web3 evolves.
The post McAfee 2023 Threat Predictions: Evolution and Exploitation appeared first on McAfee Blog.
In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet’s largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for interfering in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google’s legal fees.
A slide from a talk given in Sept. 2022 by Google researcher Luca Nagy. https://www.youtube.com/watch?v=5Gz6_I-wl0E&t=6s
Glupteba is a rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.
Collectively, the tens of thousands of systems infected with Glupteba on any given day feed into a number of major cybercriminal businesses: The botnet’s proprietors sell the credential data they steal, use the botnet to place disruptive ads on the infected computers, and mine cryptocurrencies. Glupteba also rents out infected systems as “proxies,” directing third-party traffic through the infected devices to disguise the origin of the traffic.
In June 2022, KrebsOnSecurity showed how the malware proxy services RSOCKS and AWMProxy were entirely dependent on the Glupteba botnet for fresh proxies, and that the founder of AWMProxy was Dmitry Starovikov — one of the Russian men named in Google’s lawsuit.
Google sued Starovikov and 15 other “John Doe” defendants, alleging violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, trademark and unfair competition law, and unjust enrichment.
In June, Google and the named defendants agreed that the case would proceed as a nonjury action because Google had withdrawn its claim for damages — seeking only injunctive relief to halt the operations of the botnet.
The defendants, who worked for a Russian firm called “Valtron” that was also named in the lawsuit, told Google that they were interested in settling. The defendants said they could potentially help Google by taking the botnet offline.
Another slide from Google researcher Luca Nagy’s September 2022 talk on Glupteba.
But the court expressed frustration that the defendants were unwilling to consent to a permanent injunction, and at the same time were unable to articulate why an injunction forbidding them from engaging in unlawful activities would pose a problem.
“The Defendants insisted that they were not engaged in criminal activity, and that any alleged activity in which they were engaged was legitimate,” U.S. District Court Judge Denise Cote wrote. “Nevertheless, the Defendants resisted entry of a permanent injunction, asserting that Google’s use of the preliminary injunction had disrupted their normal business operations.”
While the defendants represented that they had the ability to dismantle the Glupteba botnet, when it came time for discovery — the stage in a lawsuit where both parties can compel the production of documents and other information pertinent to their case — the attorney for the defendants told the court his clients had been fired by Valtron in late 2021, and thus no longer had access to their work laptops or the botnet.
The lawyer for the defendants — New York-based cybercrime defense attorney Igor Litvak — told the court he first learned about his clients’ termination from Valtron on May 20, a fact Judge Cote said she found “troubling” given statements he made to the court after that date representing that his clients still had access to the botnet.
The court ultimately suspended the discovery process against Google, saying there was reason to believe the defendants sought discovery only “to learn whether they could circumvent the steps Google has taken to block the malware.”
On September 6, Litvak emailed Google that his clients were willing to discuss settlement.
“The parties held a call on September 8, at which Litvak explained that the Defendants would be willing to provide Google with the private keys for Bitcoin addresses associated with the Glupteba botnet, and that they would promise not to engage in their alleged criminal activity in the future (without any admission of wrongdoing),” the judge wrote.
“In exchange, the Defendants would receive Google’s agreement not to report them to law enforcement, and a payment of $1 million per defendant, plus $110,000 in attorney’s fees,” Judge Cote continued. “The Defendants stated that, although they do not currently have access to the private keys, Valtron would be willing to provide them with the private keys if the case were settled. The Defendants also stated that they believe these keys would help Google shut down the Glupteba botnet.”
Google rejected the defendants’ offer as extortionate, and reported it to law enforcement. Judge Cote also found Litvak was complicit in the defendants’ efforts to mislead the court, and ordered him to join his clients in paying Google’s legal fees.
“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” Judge Cote wrote.
Litvak has filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court.
“The judge was completely wrong to issue sanctions,” Litvak said in an interview with KrebsOnSecurity. “From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there.”
In a statement on the court’s decision, Google said it will have significant ramifications for online crime, and that since its technical and legal attacks on the botnet last year, Google has observed a 78 percent reduction in the number of hosts infected by Glupteba.
“While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them,” reads a blog post from Google’s General Counsel Halimah DeLaine Prado and vice president of engineering Royal Hansen. “And the steps [Google] took last year to disrupt their operations have already had significant impact.”
A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was the biggest malware threat in 2021.
For these Cisconians, hands-on is the way to go when it comes to giving back. Using Cisco’s Time2Give benefit that provides 10 paid days to volunteer each year, team members rolled up their sleeves to build homes, cuddle and care for animals, distribute food and more. If you also value giving back, check out our open roles.
Marketing Specialist, Global Events Julie Kramer used Time2Give to build a shed with Habitat for Humanity of Huron Valley. Kramer especially appreciated learning about the organization’s purpose in addition to learning how to build.
John Hindman, an account executive, used Time2Give to spend a week in Nicaragua with SuNica, an organization centered on clean water and fellowship. Hindman cleared out downed trees, picked coffee and built treehouses to allow the organization to host more children from surrounding communities.
In the community Hindman visited, repurposing recycled materials is critical to the economy, and one way that happens is through “mining” the local landfill. Hindman’s team encouraged local employees and led games and activities for local children.
For those considering Time2Give, Hindman says, “Do it. Unplug, find something you’re passionate about, set up your out-of-office, and ignore everything work-related for the time you’re serving.”
Animal lover Carrie Cordeiro, a Cisco Secure digital strategist/manager on the Brand Marketing team, volunteers with Hopalong and Muttville as a kitten cuddler and dog walker. Most of her time is spent transporting kittens, puppies, cats and dogs around the Bay Area to vet appointments, adoption centers and foster locations.
The best part for Cordeiro is “getting to interact with so many adorable animals,” she said. As for leadership support around utilizing Time2Give? “I love doing it and my management team absolutely supports it, especially when I share photos.”
Customer Success Manager Kristen Gehrke reminds us that, “You don’t always have to look far to utilize Time2Give.” She sewed a baby blanket for Bluebonnet Trails Community Services. “The best part of the experience was giving back to mothers and their babies, as I am an expecting mother myself,” she said.
Engineering Manager Blake Ellingham organized food pantry shelves and packed bags for food distributions with HTB Food Bank. “I love getting to do work with my hands that helps others,” he said.
Ellingham recommends scheduling something routine for Time2Give. “Consistency matters! By going in every week for a half day of volunteering, I was able to make great friends with the staff,” he said.
From empowering youth globally and remotely to volunteering across community hubs, Cisconians deeply value innovative ways to contribute their time and talents.
If you are interested in increasing the impact of your skills and passions at work and beyond, check out our open positions.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
We're in Copenhagen! Scott and family joined us in Oslo for round 2 of wedding celebrations this week before jumping on the ferry to Copenhagen and seeing the sights here. There's lots of cyber things in this week's vid relating to HIBP's birthday, Medibank and financial penalties for breaches, but I'm just going to leave you with one of the most amazing moments of my life captured in pics:
🇳🇴 ❤️ 👰♀️ 🤵 pic.twitter.com/pPY49DArIF
— Troy Hunt (@troyhunt) December 2, 2022
With the rapidly rising energy prices putting a strain on many households, what are some quick wins to help reduce the power consumption of your gadgets?
The post Top tips to save energy used by your electronic devices appeared first on WeLiveSecurity
Cisco supports the Open Cybersecurity Schema Framework and is a launch partner of AWS Security Lake
The Cisco Secure Technical Alliance supports the open ecosystem and AWS is a valued technology alliance partner, with integrations across the Cisco Secure portfolio, including SecureX, Secure Firewall, Secure Cloud Analytics, Duo, Umbrella, Web Security Appliance, Secure Workload, Secure Endpoint, Identity Services Engine, and more.
We are proud to be a launch partner of AWS Security Lake, which allows customers to build a security data lake from integrated cloud and on-premises data sources as well as from their private applications. With support for the Open Cybersecurity Schema Framework (OCSF) standard, Security Lake reduces the complexity and costs for customers to make their security solutions data accessible to address a variety of security use cases such as threat detection, investigation, and incident response. Security Lake helps organizations aggregate, manage, and derive value from log and event data in the cloud and on-premises to give security teams greater visibility across their organizations.
With Security Lake, customers can use the security and analytics solutions of their choice to simply query that data in place or ingest the OCSF-compliant data to address further use cases. Security Lake helps customers optimize security log data retention by optimizing the partitioning of data to improve performance and reduce costs. Now, analysts and engineers can easily build and use a centralized security data lake to improve the protection of workloads, applications, and data.
Cisco Secure Firewall serves as an organization’s centralized source of security information. It uses advanced threat detection to flag and act on malicious ingress, egress, and east-west traffic while its logging capabilities store information on events, threats, and anomalies. By integrating Secure Firewall with AWS Security Lake, through Secure Firewall Management Center, organizations will be able to store firewall logs in a structured and scalable manner.
The eNcore client provides a way to tap into message-oriented protocol to stream events and host profile information from the Cisco Secure Firewall Management Center. The eNcore client can request event and host profile data from a Management Center, and intrusion event data only from a managed device. The eNcore application initiates the data stream by submitting request messages, which specify the data to be sent, and then controls the message flow from the Management Center or managed device after streaming begins.
These messages are mapped to OCSF Network Activity events using a series of transformations embedded in the eNcore code base, acting as both author and mapper personas in the OCSF schema workflow. Once validated with an internal OCSF schema the messages are then written to two sources, first a local JSON formatted file in a configurable directory path, and second compressed parquet files partitioned by event hour in the S3 Amazon Security Lake source bucket. The S3 directories contain the formatted log are crawled hourly and the results are stored in an AWS Security Lake database. From there you can get a visual of the schema definitions extracted by the AWS Glue Crawler, identify fieldnames, data types, and other metadata associated with your network activity events. Event logs can also be queried using Amazon Athena to visualize log data.
To utilize the eNcore client with AWS Security Lake, first go to the Cisco public GitHub repository for Firepower eNcore, OCSF branch.
Download and run the cloud formation script eNcoreCloudFormation.yaml.
The Cloud Formation script will prompt for additional fields needed in the creation process, they are as follows:
Cidr Block: IP Address range for the provisioned client, defaults to the range shown below
Instance Type: The ec2 instance size, defaults to t2.medium
KeyName A pem key file that will permit access to the instance
AmazonSecurityLakeBucketForCiscoURI: The S3 location of your Data Lake S3 container.
FMC IP: IP or Domain Name of the Cisco Secure Firewall Mangement Portal
After the Cloud Formation setup is complete it can take anywhere from 3-5 minutes to provision resources in your environment, the cloud formation console provides a detailed view of all the resources generated from the cloud formation script as shown below.
Once the ec2 instance for the eNcore client is ready, we need to whitelist the client IP address in our Secure Firewall Server and generate a certificate file for secure endpoint communication.
In the Secure Firewall Dashboard, navigate to Search->eStreamer, to find the allow list of Client IP Addresses that are permitted to receive data, click Add and supply the Client IP Address that was provisioned for our ec2 instance. You will also be asked to supply a password, click Save to create a secure certificate file for your new ec2 instance.
Download the Secure Certificate you just created, and copy it to the /encore directory in your ec2 instance.
Use CloudShell or SSH from your ec2 instance, navigate to the /encore directory and run the command bash encore.sh test
You will be prompted for the certificate password, once that is entered you should see a Successful Communication message as shown below.
Run the command bash encore.sh foreground
This will begin the data relay and ingestion process. We can then navigate to the S3 Amazon Security Lake bucket we configured earlier, to see OCSF compliant logs formatted in gzip parquet files in a time-based directory structure. Additionally, a local representation of logs is available under /encore/data/* that can be used to validate log file creation.
Amazon Security Lake then runs a crawler task every hour to parse and consume the logs files in the target s3 directory, after which we can view the results in Athena Query.
More information on how to configure and tune the encore eStreamer client can be found on our official website, this includes details on how filter certain event types to focus your data retention policy, and guidelines for performance and other detailed configuration settings.
You can participate in the AWS Security Lake public preview. For more information, please visit the Product Page and review the User Guide.
While you are at AWS re:Invent, go see a demo video of the Security Lake integrations in the Cisco Booth #2411, from November 29 to December 2, 2022, at the Cloud, Network and User Security with Duo demo station.
Learn more about Cisco and AWS on the Cisco Secure Technical Alliance website for AWS.
Thank you to Seyed Khadem-Djahaghi, who spend long hours working with the beta to develop this integration and is the primary for developer of eNore.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Finally, after nearly 3 long years, I'm back in Norway! We're here at last, leaving our sunny paradise for a winter wonderland. It's almost surreal given how much has happened in that time, not just the pandemic but returning to Oslo with Charlotte as my Norwegian wife is super cool 😎 Other things this week are not so different, namely people complaining on Twitter (albeit also complaining about Twitter). As I find myself continually caveating, YMMV but it does feel like events are being overly dramatised by some at present. Time will tell, but I think we'll all still be using the platform to complain about things just as effectively in a year from now as we are today 🙂
It's very strange to have gone 1,051 days without spending more than a few hours apart, but here we are... very temporarily:
Only 15,501km away 😢 And only 4 days until I head back to Oslo 😊 pic.twitter.com/PDn1Syplig
— Troy Hunt (@troyhunt) November 20, 2022
Which means that right now, I'm throwing myself into a gazillion other things to keep me busy including how schools advise parents to manage devices, wrapping gup that HTML signature, asking probing questions about paying ransoms and, unbelievably, fighting off the most ridiculous claim of HIBP having been P'd. That last one especially, FFS, just listen...
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.
The Disneyland Team’s Web interface, which allows them to interact with malware victims in real time to phish their login credentials using phony bank websites.
The Disneyland Team uses common misspellings for top bank brands in its domains. For example, one domain the gang has used since March 2022 is ushank[.]com — which was created to phish U.S. Bank customers.
But this group also usually makes use of Punycode to make their phony bank domains look more legit. The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com.
Look carefully, and you’ll notice small dots beneath the “a” and the second “e”. You could be forgiven if you mistook one or both of those dots for a spec of dust on your computer screen or mobile device.
This candid view inside the Disneyland Team comes from Alex Holden, founder of the Milwaukee-based cybersecurity consulting firm Hold Security. Holden’s analysts gained access to a Web-based control panel the crime group has been using to keep track of victim credentials (see screenshot above). The panel reveals the gang has been operating dozens of Punycode-based phishing domains for the better part of 2022.
Have a look at the Punycode in this Disneyland Team phishing domain: https://login2.xn--mirtesnbd-276drj[.]com, which shows up in the browser URL bar as login2.ẹmirạtesnbd[.]com, a domain targeting users of Emirates NBD Bank in Dubai.
Here’s another domain registered this year by the Disneyland Team: https://xn--clientchwb-zxd5678f[.]com, which spoofs the login page of financial advisor Charles Schwab with the landing page of cliẹntșchwab[.]com. Again, notice the dots under the letters “e” and “s”. Another Punycode domain of theirs sends would-be victims to cliẹrtschwạb[.]com, which combines a brand misspelling with Punycode.
We see the same dynamic with the Disneyland Team Punycode domain https://singlepoint.xn--bamk-pxb5435b[.]com, which translates to singlepoint.ụșbamk[.]com — again phishing U.S. Bank customers.
What’s going on here? Holden says the Disneyland Team is Russian-speaking — if not also based in Russia — but it is not a phishing gang per se. Rather, this group uses the phony bank domains in conjunction with malicious software that is already secretly installed on a victim’s computer.
Holden said the Disneyland Team domains were made to help the group steal money from victims infected with a powerful strain of Microsoft Windows-based banking malware known as Gozi 2.0/Ursnif. Gozi specializes in collecting credentials, and is mainly used for attacks on client-side online banking to facilitate fraudulent bank transfers. Gozi also allows the attackers to connect to a bank’s website using the victim’s computer.
In years past, crooks like these would use custom-made “web injects” to manipulate what Gozi victims see in their Web browser when they visit their bank’s site. These web injects allowed malware to rewrite the bank’s HTML code on the fly, and copy and/or intercept any data users would enter into a web-based form, such as a username and password.
Most Web browser makers, however, have spent years adding security protections to block such nefarious activity. As a result, the Disneyland Team simply tries to make their domains look as much like the real thing as possible, and then funnel victims toward interacting with those imposter sites.
“The reason that it is infeasible for them to use in-browser injects include browser and OS protection measures, and difficulties manipulating dynamic pages for banks that require multi-factor authentication,” Holden said.
In reality, the fake bank website overlaid by the Disneyland Team’s malware relays the victim’s browser activity through to the real bank website, while allowing the attackers to forward any secondary login requests from the bank, such as secret questions or multi-factor authentication challenges.
The Disneyland Team included instructions for its users, noting that when the victim enters their login credentials, he sees a 10-second spinning wheel, and then the message, “Awaiting back office approval for your request. Please don’t close this window.”
A fake PNC website overlay or “web inject” displaying a message intended to temporarily prevent the user from accessing their account.
The “SKIP” button in the screenshot above sends the user to the real bank login page, “in case the account is not interesting to us,” the manual explains. “Also, this redirect works if none of our operators are working at the time.”
The “TAKE” button in the Disneyland Team control panel allows users or affiliates to claim ownership over a specific infected machine or bot, which then excludes other users from interacting with that victim.
In the event that it somehow takes a long time to get the victim (bot) connected to the Disneyland Team control panel, or if it is necessary to delay a transaction, users can push a button that prompts the following message to appear on the victim’s screen:
“Your case ID number is 875472. An online banking support representative will get in touch shortly. Please provide your case ID number, and DO NOT close this page.”
The Disneyland user manual explains that the panel can be used to force the victim to log in again if they transmit invalid credentials. It also has other options for stalling victims whilst their accounts are drained. Another fake prompt the panel can produce shows the victim a message saying, “We are currently working on updating our security system. You should be able to log in once the countdown timer expires.”
The user manual says this option blocks the user from accessing their account for two hours. “It is possible to block for an hour with this button, in this case they get less frustrated, within the hours ddos will kill their network.”
Cybercrime groups will sometimes launch distributed denial-of-service (DDoS) attacks on the servers of the companies they’re trying to rob — which is usually intended to distract victims from their fleecing, although Holden said it’s unclear if the Disneyland Team employs this tactic as well.
For many years, KrebsOnSecurity tracked the day-to-day activities of a similar malware crew that used web injects and bots to steal tens of millions of dollars from small- to mid-sized businesses across the United States.
At the end of each story, I would close with a recommendation that anyone concerned about malware snarfing their banking information should strongly consider doing their online banking from a dedicated, security-hardened system which is only used for that purpose. Of course, the dedicated system approach works only if you always use that dedicated system for managing your account online.
Those stories also observed that since the vast majority of the malicious software used in cyberheists is designed to run only on Microsoft Windows computers, it made sense to pick a non-Windows computer for that dedicated banking system, such as a Mac or even a version of Linux. I still stand by this advice.
In case anyone is interested, here (PDF) is a list of all phishing domains currently and previously used by the Disneyland Team.
Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.
Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses.
Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.
The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.
Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich“) who enjoyed being seen riding around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses.
The JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber instant message each time a new victim entered a one-time password code into a phishing page mimicking their bank. The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.
Once inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of “money mules,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.
Tank, a.k.a. “DJ Slava Rich,” seen here performing as a DJ in Ukraine in an undated photo from social media.
The JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan — Evgeniy Mikhailovich Bogachev, a top Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of running the Gameover Zeus botnet, a massive crime machine of 500,000 to 1 million infected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware threat that was years ahead of its time.
Investigators knew Bogachev and JabberZeus were linked because for many years they were reading the private Jabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in semi-regular contact with the group about updates to the malware.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in his blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born and gave her birth weight.
“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was enough to positively identify Tank as Penchukov, Warner said.
Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.
Sources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of Ukraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU was coming to raid his home. That warning gave Tank ample time to destroy important evidence against the group, and to avoid being home when the raids happened. Those sources also said Tank used his contacts to have the investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.
Writing for Technology Review, Patrick Howell O’Neil recounted how SBU agents in 2010 were trailing Tank around the city, watching closely as he moved between nightclubs and his apartment.
“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”
I first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for The Washington Post, after a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.
From reading those discussions each day, it became clear Tank was nominally in charge of the Ukrainian crew, and that he spent much of his time overseeing the activities of the money mule recruiters — which were an integral part of their victim cashout scheme.
It was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had a security weakness that allowed anyone who signed up at the portal to view messages for every other user. A scraping tool was built to harvest these money mule recruitment messages, and at the height of the JabberZeus gang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule recruitment sites, each managing hundreds of “employees.”
Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.
When it came time to transfer stolen funds, the recruiters would send a message through the fake company website saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”
Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”
In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.
Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations.
Collectively, these notifications to victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.
This incessant meddling on my part very much aggravated Tank, who on more than one occasion expressed mystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their Jabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank:
lucky12345: It’s fucked.
On Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” — told his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition.
jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation
tank: Mr. Fucking Brian Fucking Kerbs!
Another member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — also is currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.
Alleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI
Update, Nov. 16, 2022, 7:55 p.m. ET:: Multiple media outlets are reporting that Swiss authorities confirmed they arrested a Ukrainian national wanted on cybercrime charges. The arrest occurred in Geneva on Oct. 23, 2022. “The US authorities accuse the prosecuted person of extortion, bank fraud and identity theft, among other things,” reads a statement from the Swiss Federal Office of Justice (FOJ).
“During the hearing on 24 October, 2022, the person did not consent to his extradition to the USA via a simplified proceeding,” the FOJ continued. “After completion of the formal extradition procedure, the FOJ has decided to grant his extradition to the USA on 15 November, 2022. The decision of the FOJ may be appealed at the Swiss Criminal Federal Court, respectively at the Swiss Supreme Court.”
SaaS Security Marketing Manager Laura O’Melia has always been interested in living and working internationally. After living in Austin, Texas for twenty years, O’Melia was ready for a new adventure and decided to move to Sydney, Australia with the support and encouragement of her manager and Cisco. The pandemic delayed her plans, but now that O’Melia’s settling into life and work in Australia, she shared how she made the move to work from anywhere and how you can, too.
What do you do?
O’Melia: I am on the Security Marketing team and focus on driving demand for our Zero Trust solution in the Asia-Pacific, Japan and China (APJC) region. I work closely with the Sales teams to do activities that will generate pipeline and educate prospects on our security solutions. I spend time finding new leads and trying new ways to engage with our top prospects while having fun along the way.
What do you like most about working at Cisco?
O’Melia: What I love most about working at Cisco is the amount of positive contributions we get to have on the world, from solving some of the world’s biggest problems around cybersecurity to giving money and resources to others in need. I also love the feeling of empowerment to create my own work/life balance as Cisco allows me the opportunity to have a flexible schedule.
What has been your career journey within Cisco?
O’Melia: I started at Duo Security in 2017. While working in Field Marketing, I was able to gain experience across many different teams. For example, I worked closely with a region in the U.S. as well as the Managed Service Provider team, which is a global team with a completely different business model. The needs differ greatly, from how we report and track metrics to the messaging and offers from one team to the next. I am now working in a very different market that is much larger and includes many more languages, so that brings a new level of understanding to how we show up in the market to achieve business goals.
“Stepping outside of my comfort zone is one of my favorite things to do.”
– Laura O’Melia
What prompted you to relocate from Austin, Texas to Sydney, Australia?
O’Melia: Austin is great and was my home for 20 years, but I still wanted to gain international work experience to learn what it would be like somewhere else and compare it to what I know.
Stepping outside of my comfort zone is one of my favorite things to do, so when I heard Duo was expanding internationally and there was an opportunity in Australia, I was immediately interested. Everyone I know that has visited Australia always has absolutely wonderful things to say, so without ever having visited I agreed to take a long-term international two-year assignment.
How has Cisco supported your relocation?
O’Melia: I worked closely with my manager on the process from start to finish. We had the support of Cisco’s Mobility Services team, a group of Cisco employees that help with relocation services. We worked with immigration to obtain my work visa. I was planning to relocate in March 2020 but as we know, the borders were closed and visas were not being processed for nearly two years. I was already in-role, so continued to support the APJC team from Austin.
When the time came, Cisco had a team of experts that I worked with to pack and ship my belongings and help get set up with an overseas bank. I also worked with a realtor to help me find a place to live, and the team even assists with my U.S. and Australian tax returns while I am away.
How has your work changed since relocating?
O’Melia: My role has expanded from doing lead-gen events for Duo in Australia and New Zealand to now being responsible for driving demand across the APJC region through digital campaigns and other marketing channels. I still strive to provide qualified leads to Sales and educate the market on our offerings. My goal is to help get Cisco Secure solutions into more doors to ultimately give users a better experience and stop the bad actors from doing harm.
What advice do you have for others who want to work from anywhere?
O’Melia: If you get the opportunity, take it. Everyone has their own path, but if you feel your career could benefit, even slightly, from the experience you will gain moving to another country and figuring things out far from what you know today, why not give it a try? You can learn so much from meeting and working with people that have a very different experience than you might know.
Ready for an adventure? If you want to solve global challenges through cybersecurity with the potential to work anywhere, check out our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
What a week to pick to be in Canberra. Planned well before things got cyber-crazy in Australia, I spent a few days catching up with folks in our capital and talking to the Australia Federal Police for scam awareness week. That it coincided with the dumping of Medibank customer health records made it an especially interesting time to talk with police, politicians and industry leaders. A bit of a bizarre, whirlwind week if I'm honest, but full of very positive encounters even though it coincided with such a demanding time for many of us in this industry down here.
I feel like life is finally complete: I have beaches, sunshine and fast internet! (Yes, and of course an amazing wife, but that goes without saying 😊) For the folks asking via various channels, the speed is not exactly symmetrical at 1000/400 and I'm honestly not sure why that's the case here in Australia. I also had to shell out quite a bit extra to go from 50 up to a "business" plan of 400 up, but with the volumes of data I ship around it'll make a pretty big difference to the way I work over time. Also this week, much more on the work we're doing with HIBP from pricing the annual plans to a proper support system via Zendesk. I'm really hoping that by next week's update we'll have shipped the new rate limits too, stay tuned for that but for now, here's number 320:
A 25-year-old Finnish man has been charged with extorting a once popular and now-bankrupt online psychotherapy company and its patients. Finnish authorities rarely name suspects in an investigation, but they were willing to make an exception for Julius “Zeekill” Kivimaki, a notorious hacker who — at the tender age of 17 — had been convicted of more than 50,000 cybercrimes, including data breaches, payment fraud, operating botnets, and calling in bomb threats.
In late October 2022, Kivimaki was charged (and arrested in absentia, according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. On October 21, 2020, Vastaamo became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
In a series of posts over the ensuing days on a Finnish-language dark net discussion board, ransom_man said Vastaamo appeared unwilling to negotiate a payment, and that he would start publishing 100 patient profiles every 24 hours “to provide further incentive for the company to continue communicating with us.”
“We’re not asking for much, approximately 450,000 euros which is less than 10 euros per patient and only a small fraction of the around 20 million yearly revenues of this company,” ransom_man wrote.
When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
The extortion message targeted Vastaamo patients.
On Oct. 23, 2020, ransom_man uploaded to the dark web a large compressed file that included all of the stolen Vastaamo patient records. But investigators found the file also contained an entire copy of ransom_man’s home folder, a likely mistake that exposed a number of clues that they say point to Kivimaki.
Ransom_man quickly deleted the large file (accompanied by a “whoops” notation), but not before it had been downloaded a number of times. The entire archive has since been made into a searchable website on the Dark Web.
Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on investigation involving Kivimaki’s use of the Zbot botnet, among other activities Kivimaki engaged in as a member of the hacker group Hack the Planet.
“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”
Kurittu said he and others he and others who were familiar with illegal activities attributed to Kivimäki couldn’t shake suspicion that the infamous cybercriminal was also behind the Vastaamo extortion.
“I couldn’t find anything that would link that data directly to one individual, but there were enough indicators in there that put the name in my head and I couldn’t shake it,” Kurittu said. “When they named him as the prime suspect I was not surprised.”
A handful of individually extorted victims paid a ransom, but when news broke that the entire Vastaamo database had been leaked online, the extortion threats no longer held their sting. However, someone would soon set up a site on the dark web where anyone could search this sensitive data.
Kivimaki stopped using his middle name Julius in favor of his given first name Aleksanteri when he moved abroad several years ago. A Twitter account by that name was verified by Kivimaki’s attorney as his, and through that account he denied being involved in the Vastaamo extortion.
“I believe [the Finnish authorities] brought this to the public in order to influence the decision-making of my old case from my teenage years, which was just processed in the Court of Appeal, both cases are investigated by the same persons,” Kivimaki tweeted on Oct. 28.
Kivimaki is appealing a 2020 district court decision sentencing him to “one year of conditional imprisonment for two counts of fraud committed as a young person, and one of gross fraud, interference with telecommunications as a young person, aggravated data breach as a young person and incitement to fraud as a young person,” according to the Finnish tabloid Ilta-Sanomat.
“Now in the Court of Appeal, the prosecutor is demanding a harsher punishment for the man, i.e. unconditional imprisonment,” reads the Ilta-Sanomat story. “The prosecutor notes in his complaint that the young man has been committing cybercrimes from Espoo since he was 15 years old, and the actions have had to be painstakingly investigated through international legal aid.”
As described in this Wired story last year, Vastaamo filled an urgent demand for psychological counseling, and it won accolades from Finnish health authorities and others for its services.
“Vastaamo was a private company, but it seemed to operate in the same spirit of tech-enabled ease and accessibility: You booked a therapist with a few clicks, wait times were tolerable, and Finland’s Social Insurance Institution reimbursed a big chunk of the session fee (provided you had a diagnosed mental disorder),” William Ralston wrote for Wired. “The company was run by Ville Tapio, a 39-year-old coder and entrepreneur with sharp eyebrows, slicked-back brown hair, and a heavy jawline. He’d cofounded the company with his parents. They pitched Vastaamo as a humble family-run enterprise committed to improving the mental health of all Finns.”
But for all the good it brought, the healthcare records management system that Vastaamo used relied on little more than a MySQL database that was left dangerously exposed to the web for 16 months, guarded by nothing more than an administrator account with a blank password.
The Finnish daily Iltalehti said Tapio was relieved of his duties as CEO of Vastaamo in October 2020, and that in September, prosecutors brought charges against Tapio for a data protection offense in connection with Vastaamo’s information leak.
“According to Vastaamo, the data breach in Vastaamo’s customer databases took place in November 2018,” Iltalehti reported last month. “According to Vastaamo, Tapio concealed information about the data breach for more than a year and a half.”
Cisconians delight in contributing to their communities in a variety of ways including at the local theatre, farm and library. Cisco’s paid Time2Give benefit encourages team members to volunteer at the places where their passions thrive.
How should you decide where to get involved? Customer Success Program Manager Kate Pydyn advises: “Find something that speaks to your passion while giving back. There are so many opportunities that involve being outdoors, crafting, teaching skills you’ve developed, telling stories or providing comfort.”
With ten paid days a year to give, these Cisconians demonstrate that building relationships with people, the arts and the earth can increase fulfillment, connection and community.
Urban farming is an issue very close to the heart of Petra Hammerl, a senior enterprise customer success manager who works on Duo Security. Hammerl frequently volunteers at Farm City Detroit, part of Detroit Blight Busters. Using Time2Give, Hammerl has shared the experience by “bringing a crew of awesome co-workers which has been amazing and a lot of fun,” she said.
“It felt great to take action! There are so many problems in the world, and I often feel powerless to make a difference. What I did was small, but with all of the volunteers together, the work that was done makes a real difference in the lives of my neighbors.” – Kate Pydyn
Pydyn and Emily Gennrich, a manager of operations for security customer success at Cisco Secure, joined in on the fun by contributing to multiple facets of gardening from weeding to harvesting food. “It felt great to take action! There are so many problems in the world, and I often feel powerless to make a difference. What I did was small, but with all of the volunteers together, the work that was done makes a real difference in the lives of my neighbors,” Pydyn said.
Senior Communications Manager, Brand Strategy & Design at Cisco Secure Chrysta Cherrie spent her Time2Give as a sighted assistant at the VISIONS vendor fair, hosted at the Ann Arbor District Library Downtown. “I was really happy to take some time to volunteer at the VISIONS vendor fair for people who are blind, visually impaired or physically disabled,” Cherrie said.
Learning how to be a sighted assistant was “a reminder that we can do more when we can rely on each other. Taking the time to better understand how someone makes their way through life gives you a chance to build empathy,” Cherrie said. She escorted attendees around the event where exhibitors offered products and services like electronic readers, leader dogs and transportation. There were also talks throughout the day and Cherrie helped attendees navigate between the presentation and vendor areas.
Meeting attendees of the VISIONS vendor fair and experiencing how meaningful the event is also moved Cherrie. The fair “brings out folks throughout southeast Michigan, so there’s a good chance that the person you’re assisting will run into some friends, and getting to see people connect like that can’t help but make you feel good,” Cherrie said.
Jenny Callans, a senior design researcher who works on Duo Security, serves as the chair of the Friends of the Detroit Film Theatre’s Auxiliary, a part of the Detroit Institute of Arts. “We support the mission of the Friends of the Detroit Film Theatre to make great niche films accessible to audiences,” she said. To do that, the organization is responsible for building a community of film fans and overseeing how donations are spent.
For Callans, the most meaningful part of using Time2Give to support the FDFT and the DIA is sharing her love of film with others. Time2Give supports her duties as FDFT chair, and gives her a sense of connection when she’s visiting the DFT to take in a movie. “Sitting in a theatre next to my young adult son, but surrounded by strangers watching a film that is unusual or unexpected but which moves me and challenges me to think is the best part hands-down,” Callans said.
From supporting youth to volunteering at community hubs, Time2Give “is a fantastic opportunity to have a long-lasting, meaningful relationship with your community by volunteering as a board or committee member! Having a long-term presence with an org is amazingly impactful, for you and for the organization,” Callans said.
Time2Give is one of Cherrie’s favorite things about working at Cisco. She says, “Take advantage of the opportunity! Time2Give is a great way to give back to your community and the people and causes that you care about.”
Stay tuned for more posts celebrating the community engagement Time2Give fosters and check out our open roles to join in on giving back.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular “malware-as-a-service” offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.
Ukrainian national Mark Sokolovsky, seen here in a Porsche Cayenne on Mar. 18 fleeing mandatory military service in Ukraine. This image was taken by Polish border authorities as Sokolovsky’s vehicle entered Germany. Image: KrebsOnSecurity.com.
The U.S. Attorney for the Western District of Texas unsealed an indictment last week that named Ukrainian national Mark Sokolovsky as the core developer for the Raccoon Infostealer business, which was marketed on several Russian-language cybercrime forums beginning in 2019.
Raccoon was essentially a Web-based control panel, where — for $200 a month — customers could get the latest version of the Raccoon Infostealer malware, and interact with infected systems in real time. Security experts say the passwords and other data stolen by Raccoon malware were often resold to groups engaged in deploying ransomware.
Working with investigators in Italy and The Netherlands, U.S. authorities seized a copy of the server used by Raccoon to help customers manage their botnets. According to the U.S. Justice Department, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) stolen with the help of Raccoon.
The Raccoon v. 1 web panel, where customers could search by infected IP, and stolen cookies, wallets, domains and passwords.
The unsealed indictment (PDF) doesn’t delve much into how investigators tied Sokolovsky to Raccoon, but two sources close to the investigation shared more information about that process on condition of anonymity because they were not authorized to discuss the case publicly.
According to those sources, U.S. authorities zeroed in on an operational security mistake that the Raccoon developer made early on in his posts to the crime forums, connecting a Gmail account for a cybercrime forum identity used by the Raccoon developer (“Photix”) to an Apple iCloud account belonging to Sokolovsky. For example, the indictment includes a photo that investigators subpoenaed from Sokolovsky’s iCloud account that shows him posing with several stacks of bundled cash.
A selfie pulled from Mark Sokolovsky’s iCloud account. Image: USDOJ.
When Russia invaded Ukraine in late February 2022, Sokolovsky was living in Kharkiv, a city in northeast Ukraine that would soon come under heavy artillery bombardment from Russian forces. Authorities monitoring Sokolovsky’s iCloud account had spent weeks watching him shuttle between Kharkiv and the Ukrainian capital Kyiv, but on Mar. 18, 2022, his phone suddenly showed up in Poland.
Investigators learned from Polish border guards that Sokolovsky had fled Ukraine in a Porsche Cayenne along with a young blond woman, leaving his mother and other family behind. The image at the top of this post was shared with U.S. investigators by Polish border security officials, and it shows Sokolovsky leaving Poland for Germany on Mar. 18.
At the time, all able-bodied men of military age were required to report for service to help repel the Russian invasion, and it would have been illegal for Sokolovsky to leave Ukraine without permission. But both sources said investigators believe Sokolovsky bribed border guards to let them pass.
Authorities soon tracked Sokolovsky’s phone through Germany and eventually to The Netherlands, with his female companion helpfully documenting every step of the trip on her Instagram account. Here is a picture she posted of the two embracing upon their arrival in Amsterdam’s Dam Square:
Authorities in The Netherlands arrested Sokolovsky on Mar. 20, and quickly seized control over the Raccoon Infostealer infrastructure. Meanwhile, on March 25 the accounts that had previously advertised the Raccoon Stealer malware on cybercrime forums announced the service was closing down. The parting message to customers said nothing of an arrest, and instead insinuated that the core members in charge of the malware-as-a-service project had perished in the Russian invasion.
“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the team announced Mar. 25. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the WORLD comes to everyone.”
Sokolovsky’s extradition to the United States has been granted, but he is appealing that decision. He faces one count of conspiracy to commit computer fraud; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering, and one count of aggravated identity theft.
Sources tell KrebsOnSecurity that Sokolovsky has been consulting with Houston, Tx.-based attorney F. Andino Reynal, the same lawyer who represented Alex Jones in the recent defamation lawsuit against Jones and his conspiracy theory website Infowars. Reynal was responsible for what Jones himself referred to as the “Perry Mason” moment of the trial, wherein the plaintiff’s lawyer revealed that Reynal had inadvertently given them an entire digital copy of Jones’s cell phone. Mr. Reynal did not respond to requests for comment.
If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.
The Justice Department has set up a website — raccoon.ic3.gov — that allows visitors to check whether their email address shows up in the data collected by the Raccoon Stealer service.
Geez we've been getting hammered down here: Optus, MyDeal, Vinomofo, Medibank and now Australian Clinical Labs. It's crazy how much press interest there's been down here and whilst I think some of it is a bit hyperbolic, bringing the issue to the forefront and ensuring it's being discussed is certainly a good thing. Anyway, let's see what happens between now and next week's video, at this rate there'll be at least one more major Aussie breach to talk about!
Aussie breachapalooza! That what it feels like this week between Optus (ok, it was weeks ago but it's still in the news), Vinomofo, My Deal and the mother of all of them (at least as far as media interest goes), Medibank. That last one totally smashed my week out with unprecedented press enquiries, so is it any wonder I totally missed the Microsoft one? I read through that last one live in this week's video and as you'll hear, a breach of any kind is never a good look but what stands out for me about this one isn't the breach itself, rather the marketing effort SOCRadar has made around it. As I say in the video, it just feels... icky. See if you agree.
On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.
Jay Pinho is a developer who is working on a product that tracks company data, including hiring. Pinho has been using LinkedIn to monitor daily employee headcounts at several dozen large organizations, and last week he noticed that two of them had far fewer people claiming to work for them than they did just 24 hours previously.
Pinho’s screenshot below shows the daily count of employees as displayed on Amazon’s LinkedIn homepage. Pinho said his scraper shows that the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop:
The number of LinkedIn profiles claiming current positions at Amazon fell 33 percent overnight. Image: twitter.com/jaypinho
As stated above, the number of LinkedIn profiles that claimed to work at Apple fell by approximately 50 percent on Oct. 10, according to Pinho’s analysis:
Image: twitter.com/jaypinho
Neither Amazon or Apple responded to requests for comment. LinkedIn declined to answer questions about the account purges, saying only that the company is constantly working to keep the platform free of fake accounts. In June, LinkedIn acknowledged it was seeing a rise in fraudulent activity happening on the platform.
KrebsOnSecurity hired Menlo Park, Calif.-based SignalHire to check Pinho’s numbers. SignalHire keeps track of active and former profiles on LinkedIn, and during the Oct 9-11 timeframe SignalHire said it saw somewhat smaller but still unprecedented drops in active profiles tied to Amazon and Apple.
“The drop in the percentage of 7-10 percent [of all profiles], as it happened [during] this time, is not something that happened before,” SignalHire’s Anastacia Brown told KrebsOnSecurity.
Brown said the normal daily variation in profile numbers for these companies is plus or minus one percent.
“That’s definitely the first huge drop that happened throughout the time we’ve collected the profiles,” she said.
In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.
A day after that second story ran, KrebsOnSecurity heard from a recruiter who noticed the number of LinkedIn profiles that claimed virtually any role in network security had dropped seven percent overnight. LinkedIn declined to comment about that earlier account purge, saying only that, “We’re constantly working at taking down fake accounts.”
A “swarm” of LinkedIn AI-generated bot accounts flagged by a LinkedIn group administrator recently.
It’s unclear whether LinkedIn is responsible for this latest account purge, or if individually affected companies are starting to take action on their own. The timing, however, argues for the former, as the account purges for Apple and Amazon employees tracked by Pinho appeared to happen within the same 24 hour period.
It’s also unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
On this point, Pinho said he noticed an account purge in early September that targeted fake profiles tied to jobs at cryptocurrency exchange Binance. Up until Sept. 3, there were 7,846 profiles claiming current executive roles at Binance. The next day, that number stood at 6,102, a 23 percent drop (by some accounts that 6,102 head count is still wildly inflated).
Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, suggested another explanation for the recent glut of phony LinkedIn profiles: Someone may be setting up a mass network of accounts in order to more fully scrape profile information from the entire platform.
“Even with just a standard LinkedIn account, there’s a pretty good amount of profile information just in the default two-hop networks,” Weaver said. “We don’t know the purpose of these bots, but we know creating bots isn’t free and creating hundreds of thousands of bots would require a lot of resources.”
In response to last week’s story about the explosion of phony accounts on LinkedIn, the company said it was exploring new ways to protect members, such as expanding email domain verification. Under such a scheme, LinkedIn users would be able to publicly attest that their profile is accurate by verifying that they can respond to email at the domain associated with their current employer.
LinkedIn claims that its security systems detect and block approximately 96 percent of fake accounts. And despite the recent purges, LinkedIn may be telling the truth, Weaver said.
“There’s no way you can test for that,” he said. “Because technically, it may be that there were actually 100 million bots trying to sign up at LinkedIn as employees at Amazon.”
Weaver said the apparent mass account purge at LinkedIn underscores the size of the bot problem, and could present a “real and material change” for LinkedIn.
“It may mean the statistics they’ve been reporting about usage and active accounts are off by quite a bit,” Weaver said.
I decided to do something a bit different this week and mostly just answer questions from my talk at GOTO Copenhagen last week. I wasn't actually in Denmark this time, but a heap of really good questions came through and as I started reading them, I thought "this would actually make for a really good weekly update". So here we are, and those questions then spurned on a whole heap more from the live audience too so this week's video became one large Q&A. I hope you enjoy this one, let me know if I should do more of these in the future.
AMLBot, a service that helps businesses avoid transacting with cryptocurrency wallets that have been sanctioned for cybercrime activity, said an investigation published by KrebsOnSecurity last year helped it shut down three dark web services that secretly resold its technology to help cybercrooks avoid detection by anti-money laundering systems.
Antinalysis, as it existed in 2021.
In August 2021, KrebsOnSecurity published “New Anti Anti-Money Laundering Services for Crooks,” which examined Antinalysis, a service marketed on cybercrime forums that purported to offer a glimpse of how one’s payment activity might be flagged by law enforcement agencies and private companies that track and trace cryptocurrency transactions.
“Worried about dirty funds in your BTC address? Come check out Antinalysis, the new address risk analyzer,” read the service’s opening announcement. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”
Antinalysis allows free lookups, but anyone wishing to conduct bulk look-ups has to pay at least USD $3, with a minimum $30 purchase. Other plans go for as high as $6,000 for 5,000 requests. Nick Bax, a security researcher who specializes in tracing cryptocurrency transactions, told KrebsOnSecurity at the time that Antinalysis was likely a clone of AMLBot because the two services generated near-identical results.
AMLBot shut down Antinalysis’s access just hours after last year’s story went live. However, Antinalysis[.]org remains online and accepting requests, as does the service’s Tor-based domain, and it is unclear how those services are sourcing their information.
AMLBot spokesperson Polina Smoliar said the company undertook a thorough review after that discovery, and in the process found two other services similar to Antinalysis that were reselling their application programming interface (API) access to cybercrooks.
Smoliar said that following the revelations about Antinalysis, AMLBot audited its entire client base, and implemented the ability to provide APIs only after a contract is signed and the client has been fully audited. AMLBot said it also instituted 24/7 monitoring of all client transactions.
“As a result of these actions, two more services with the name AML (the same as AMLBot has) were found to be involved in fraudulent schemes,” Smoliar said. “Information about the fraudsters was also sent to key market participants, and their transaction data was added to the tracking database to better combat money laundering.”
Experts say the founder of Antinalysis also runs a darknet market for narcotics.
The Antinalysis homepage and chatter on the cybercrime forums indicates the service was created by a group of coders known as the Incognito Team. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the creator of Antinalysis is also one of the developers of Incognito Market, a darknet marketplace specializing in the sale of narcotics.
“Incognito was launched in late 2020, and accepts payments in both Bitcoin and Monero, a cryptoasset offering heightened anonymity,” Robinson said. “The launch of Antinalysis likely reflects the difficulties faced by the market and its vendors in cashing out their Bitcoin proceeds.”
From a little girl financially helping her family in Jerusalem to a Nobel Prize laureate. That is the exceptional life of Ada Yonath in a nutshell.
The post Life in pursuit of answers: In the words of Ada Yonath appeared first on WeLiveSecurity
Geez it's nice to be home 😊 It's nice to live in a home that makes you feel that way when returning from a place as beautiful as Bali 😊 This week's video is dominated by the whole discussion around this tweet:
I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")? pic.twitter.com/a2yQQvNRpa
— Troy Hunt (@troyhunt) October 6, 2022
I love this for the way it throws traditional logic out the window, logic we all knew sucked and I suspect the massive engagement the tweet drove is due to precisely that: Microsoft giving us all a good reason to whinge about a sucky practice that still prevails so broadly. So... I hope you enjoy listening to just how bad enforced password rotation sucks 😊
When U.S. consumers have their online bank accounts hijacked and plundered by hackers, U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule.
The findings came in a report released by Sen. Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud tied to Zelle, the “peer-to-peer” digital payment service used by many financial institutions that allows customers to quickly send cash to friends and family.
Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo. Zelle is enabled by default for customers at over 1,000 different financial institutions, even if a great many customers still don’t know it’s there.
Sen. Warren said several of the EWS owner banks — including Capital One, JPMorgan and Wells Fargo — failed to provide all of the requested data. But Warren did get the requested information from PNC, Truist and U.S. Bank.
“Overall, the three banks that provided complete data sets reported 35,848 cases of scams, involving over $25.9 million of payments in 2021 and the first half of 2022,” the report summarized. “In the vast majority of these cases, the banks did not repay the customers that reported being scammed. Overall these three banks reported repaying customers in only 3,473 cases (representing nearly 10% of scam claims) and repaid only $2.9 million.”
Importantly, the report distinguishes between cases that involve straight up bank account takeovers and unauthorized transfers (fraud), and those losses that stem from “fraudulently induced payments,” where the victim is tricked into authorizing the transfer of funds to scammers (scams).
A common example of the latter is the Zelle Fraud Scam, which uses an ever-shifting set of come-ons to trick people into transferring money to fraudsters. The Zelle Fraud Scam often employs text messages and phone calls spoofed to look like they came from your bank, and the scam usually relates to fooling the customer into thinking they’re sending money to themselves when they’re really sending it to the crooks.
Here’s the rub: When a customer issues a payment order to their bank, the bank is obligated to honor that order so long as it passes a two-stage test. The first question asks, Did the request actually come from an authorized owner or signer on the account? In the case of Zelle scams, the answer is yes.
Trace Fooshee, a strategic advisor in the anti money laundering practice at Aite-Novarica, said the second stage requires banks to give the customer’s transfer order a kind of “sniff test” using “commercially reasonable” fraud controls that generally are not designed to detect patterns involving social engineering.
Fooshee said the legal phrase “commercially reasonable” is the primary reason why no bank has much — if anything — in the way of controlling for scam detection.
“In order for them to deploy something that would detect a good chunk of fraud on something so hard to detect they would generate egregiously high rates of false positives which would also make consumers (and, then, regulators) very unhappy,” Fooshee said. “This would tank the business case for the service as a whole rendering it something that the bank can claim to NOT be commercially reasonable.”
Sen. Warren’s report makes clear that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments.
“In simple terms, Zelle indicated that it would provide redress for users in cases of unauthorized transfers in which a user’s account is accessed by a bad actor and used to transfer a payment,” the report continued. “However, EWS’ response also indicated that neither Zelle nor its parent bank owners would reimburse users fraudulently induced by a bad actor into making a payment on the platform.”
Still, the data suggest banks did repay at least some of the funds stolen from scam victims about 10 percent of the time. Fooshee said he’s surprised that number is so high.
“That banks are paying victims of authorized payment fraud scams anything at all is noteworthy,” he said. “That’s money that they’re paying for out of pocket almost entirely for goodwill. You could argue that repaying all victims is a sound strategy especially in the climate we’re in but to say that it should be what all banks do remains an opinion until Congress changes the law.”
However, when it comes to reimbursing victims of fraud and account takeovers, the report suggests banks are stiffing their customers whenever they can get away with it. “Overall, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received,” the report notes.
How did the banks behave individually? From the report:
-In 2021 and the first six months of 2022, PNC Bank indicated that its customers reported 10,683 cases of unauthorized payments totaling over $10.6 million, of which only 1,495 cases totaling $1.46 were refunded to consumers. PNC Bank left 86% of its customers that reported cases of fraud without recourse for fraudulent activity that occurred on Zelle.
-Over this same time period, U.S. Bank customers reported a total of 28,642 cases of unauthorized transactions totaling over $16.2 million, while only refunding 8,242 cases totaling less than $4.7 million.
-In the period between January 2021 and September 2022, Bank of America customers reported 81,797 cases of unauthorized transactions, totaling $125 million. Bank of America refunded only $56.1 million in fraud claims – less than 45% of the overall dollar value of claims made in that time.
–Truist indicated that the bank had a much better record of reimbursing defrauded customers over this same time period. During 2021 and the first half of 2022, Truist customers filed 24,752 unauthorized transaction claims amounting to $24.4 million. Truist reimbursed 20,349 of those claims, totaling $20.8 million – 82% of Truist claims were reimbursed over this period. Overall, however, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received.
Fooshee said there has long been a great deal of inconsistency in how banks reimburse unauthorized fraud claims — even after the Consumer Financial Protection Bureau (CPFB) came out with guidance on what qualifies as an unauthorized fraud claim.
“Many banks reported that they were still not living up to those standards,” he said. “As a result, I imagine that the CFPB will come down hard on those with fines and we’ll see a correction.”
Fooshee said many banks have recently adjusted their reimbursement policies to bring them more into line with the CFPB’s guidance from last year.
“So this is heading in the right direction but not with sufficient vigor and speed to satisfy critics,” he said.
Seth Ruden is a payments fraud expert who serves as director of global advisory for digital identity company BioCatch. Ruden said Zelle has recently made “significant changes to its fraud program oversight because of consumer influence.”
“It is clear to me that despite sensational headlines, progress has been made to improve outcomes,” Ruden said. “Presently, losses in the network on a volume-adjusted basis are lower than those typical of credit cards.”
But he said any failure to reimburse victims of fraud and account takeovers only adds to pressure on Congress to do more to help victims of those scammed into authorizing Zelle payments.
“The bottom line is that regulations have not kept up with the speed of payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized payment scam losses have outpaced credit card losses and a regulatory response is now on the table. Banks have the choice right now to take action and increase controls or await regulators to impose a new regulatory environment.”
Sen. Warren’s report is available here (PDF).
There are, of course, some versions of the Zelle fraud scam that may be confusing financial institutions as to what constitutes “authorized” payment instructions. For example, the variant I wrote about earlier this year began with a text message that spoofed the target’s bank and warned of a pending suspicious transfer.
Those who responded at all received a call from a number spoofed to make it look like the victim’s bank calling, and were asked to validate their identities by reading back a one-time password sent via SMS. In reality, the thieves had simply asked the bank’s website to reset the victim’s password, and that one-time code sent via text by the bank’s site was the only thing the crooks needed to reset the target’s password and drain the account using Zelle.
None of the above discussion involves the risks affecting businesses that bank online. Businesses in the United States do not enjoy the same fraud liability protection afforded to consumers, and if a banking trojan or clever phishing site results in a business account getting drained, most banks will not reimburse that loss.
This is why I have always and will continue to urge small business owners to conduct their online banking affairs only from a dedicated, access restricted and security-hardened device — and preferably a non-Windows machine.
For consumers, the same old advice remains the best: Watch your bank statements like a hawk, and immediately report and contest any charges that appear fraudulent or unauthorized.
Giving back is part of the ethos at Cisco. Part of how that happens is through employees volunteering as part of Cisco’s Time2Give benefit in which employees can use paid time to contribute to their communities and support the causes they’re passionate about. During the pandemic, Cisco increased this benefit from five paid volunteering days to 10 and encourages virtual volunteering, too.
Elizabeth Chang, a software engineer on the Duo Security platform services team, considers Time2Give a great opportunity to “invest in people around you. It is amazing that Cisco supports what we are passionate about and that we can use this time to grow ourselves in other areas of life,” she said.
Cisconians care deeply about many causes, and this post celebrates how teammates spend their time supporting children, youth and teens in and out of school and those preparing for college. Stay tuned for future posts highlighting how other employees give their time. You may even be inspired to find out how you can develop your skills while contributing to organizations that matter to you!
Pierpaolo Panarotto, an account executive on Duo’s EMEAR continental team, volunteers at Sport senza frontiere onlus, a summer sports camp in Italy for refugee children. This summer Panarotto tutored and taught badminton. The program also welcomed children from Ukraine this year.
For Panarotto, the best part, hands down, was seeing the children’s smiles. He advised, “Give back to your community. Sometimes we forget how lucky we are.”
Chang also volunteered at a summer camp, supporting middle and high school students in Boston. The program she supported, Area Youth Ministry Leadership Camp and Summer Boost, fosters leadership skills and college readiness while promoting mentorship.
By helping lead a coding workshop, Chang was able to share what she does professionally. “I was glad that I got to help inspire youth to pursue computer science,” she said. The camp was such a hit that many participants “didn’t want to go home because they had such a fun time,” Chang shared.
“Take the time! You’ll never get the opportunity to go back and take it later. Your community and your heart will thank you!” – Sarah Moon-Musser
Now that school has started, Engineering Program Manager in Platform Engineering Sarah Moon-Musser helps teach the Belleville High School Marching Band’s color guard choreography for their halftime show. She loves spending time with the students. To those considering utilizing Time2Give Moon-Musser says, “Take the time! You’ll never get the opportunity to go back and take it later. Your community and your heart will thank you!”
College readiness is also a passion for Justin Fan and Seema Kathuria who both volunteer with Code2College. They’re able to volunteer virtually by reviewing resumes and college entrance essays and providing constructive feedback through shared documents.
Senior Product Marketing Manager, Kathuria appreciates “learning about the experiences of high school students and how they approach writing about their accomplishments,” she said.
For Fan, a senior customer success manager in security customer success, “the best part is supporting younger generations as they move into college and career. They’re so much more focused and mature than I was at their age,” he said. Fan also participates in virtual career workshops with high school and college students with Students Rising Above.
For others wanting to use Time2Give, Fan suggests finding opportunities you’re passionate about and utilizing light meeting days to volunteer. Kathuria says, “Take advantage of the 10 Time2Give days per year that Cisco gives us. It is very generous, and it feels so good to give back to the community in whatever way makes you happy and fulfilled.”
If you’re looking to feel fulfilled by your work and the impact you can make, please check out our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.
Some of the fake profiles flagged by the co-administrator of a popular sustainability group on LinkedIn.
Last week, KrebsOnSecurity examined a flood of inauthentic LinkedIn profiles all claiming Chief Information Security Officer (CISO) roles at various Fortune 500 companies, including Biogen, Chevron, ExxonMobil, and Hewlett Packard.
Since then, the response from LinkedIn users and readers has made clear that these phony profiles are showing up en masse for virtually all executive roles — but particularly for jobs and industries that are adjacent to recent global events and news trends.
Hamish Taylor runs the Sustainability Professionals group on LinkedIn, which has more than 300,000 members. Together with the group’s co-owner, Taylor said they’ve blocked more than 12,700 suspected fake profiles so far this year, including dozens of recent accounts that Taylor describes as “cynical attempts to exploit Humanitarian Relief and Crisis Relief experts.”
“We receive over 500 fake profile requests to join on a weekly basis,” Taylor said. “It’s hit like hell since about January of this year. Prior to that we did not get the swarms of fakes that we now experience.”
The opening slide for a plea by Taylor’s group to LinkedIn.
Taylor recently posted an entry on LinkedIn titled, “The Fake ID Crisis on LinkedIn,” which lampooned the “60 Least Wanted ‘Crisis Relief Experts’ — fake profiles that claimed to be experts in disaster recovery efforts in the wake of recent hurricanes. The images above and below show just one such swarm of profiles the group flagged as inauthentic. Virtually all of these profiles were removed from LinkedIn after KrebsOnSecurity tweeted about them last week.
Another “swarm” of LinkedIn bot accounts flagged by Taylor’s group.
Mark Miller is the owner of the DevOps group on LinkedIn, and says he deals with fake profiles on a daily basis — often hundreds per day. What Taylor called “swarms” of fake accounts Miller described instead as “waves” of incoming requests from phony accounts.
“When a bot tries to infiltrate the group, it does so in waves,” Miller said. “We’ll see 20-30 requests come in with the same type of information in the profiles.”
After screenshotting the waves of suspected fake profile requests, Miller started sending the images to LinkedIn’s abuse teams, which told him they would review his request but that he may never be notified of any action taken.
Some of the bot profiles identified by Mark Miller that were seeking access to his DevOps LinkedIn group. Miller said these profiles are all listed in the order they appeared.
Miller said that after months of complaining and sharing fake profile information with LinkedIn, the social media network appeared to do something which caused the volume of group membership requests from phony accounts to drop precipitously.
“I wrote our LinkedIn rep and said we were considering closing the group down the bots were so bad,” Miller said. “I said, ‘You guys should be doing something on the backend to block this.”
Jason Lathrop is vice president of technology and operations at ISOutsource, a Seattle-based consulting firm with roughly 100 employees. Like Miller, Lathrop’s experience in fighting bot profiles on LinkedIn suggests the social networking giant will eventually respond to complaints about inauthentic accounts. That is, if affected users complain loudly enough (posting about it publicly on LinkedIn seems to help).
Lathrop said that about two months ago his employer noticed waves of new followers, and identified more than 3,000 followers that all shared various elements, such as profile photos or text descriptions.
“Then I noticed that they all claim to work for us at some random title within the organization,” Lathrop said in an interview with KrebsOnSecurity. “When we complained to LinkedIn, they’d tell us these profiles didn’t violate their community guidelines. But like heck they don’t! These people don’t exist, and they’re claiming they work for us!”
Lathrop said that after his company’s third complaint, a LinkedIn representative responded by asking ISOutsource to send a spreadsheet listing every legitimate employee in the company, and their corresponding profile links.
Not long after that, the phony profiles that were not on the company’s list were deleted from LinkedIn. Lathrop said he’s still not sure how they’re going to handle getting new employees allowed into their company on LinkedIn going forward.
It remains unclear why LinkedIn has been flooded with so many fake profiles lately, or how the phony profile photos are sourced. Random testing of the profile photos shows they resemble but do not match other photos posted online. Several readers pointed out one likely source — the website thispersondoesnotexist.com, which makes using artificial intelligence to create unique headshots a point-and-click exercise.
Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
But the Sustainability Group administrator Taylor said the bots he’s tracked strangely don’t respond to messages, nor do they appear to try to post content.
“Clearly they are not monitored,” Taylor assessed. “Or they’re just created and then left to fester.”
This experience was shared by the DevOp group admin Miller, who said he’s also tried baiting the phony profiles with messages referencing their fakeness. Miller says he’s worried someone is creating a massive social network of bots for some future attack in which the automated accounts may be used to amplify false information online, or at least muddle the truth.
“It’s almost like someone is setting up a huge bot network so that when there’s a big message that needs to go out they can just mass post with all these fake profiles,” Miller said.
In last week’s story on this topic, I suggested LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
Many of our readers on Twitter said LinkedIn needs to give employers more tools — perhaps some kind of application programming interface (API) — that would allow them to quickly remove profiles that falsely claim to be employed at their organizations.
Another reader suggested LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
In response to questions from KrebsOnSecurity, LinkedIn said it was considering the domain verification idea.
“This is an ongoing challenge and we’re constantly improving our systems to stop fakes before they come online,” LinkedIn said in a written statement. “We do stop the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scams. We’re also exploring new ways to protect our members such as expanding email domain verification. Our community is all about authentic people having meaningful conversations and to always increase the legitimacy and quality of our community.”
In a story published Wednesday, Bloomberg noted that LinkedIn has largely so far avoided the scandals about bots that have plagued networks like Facebook and Twitter. But that shine is starting to come off, as more users are forced to waste more of their time fighting off inauthentic accounts.
“What’s clear is that LinkedIn’s cachet as being the social network for serious professionals makes it the perfect platform for lulling members into a false sense of security,” Bloomberg’s Tim Cuplan wrote. “Exacerbating the security risk is the vast amount of data that LinkedIn collates and publishes, and which underpins its whole business model but which lacks any robust verification mechanisms.”
How's this weeks video for a view?! It's a stunning location here in Bali and it's just been the absolute most perfect spot for a honeymoon, especially after weeks of guests and celebrations. But whoever hacked and ransom'd Optus didn't care about me taking time out and I've done more media in the last week than I have in a long time. I don't mind, it's a fascinating story the way this has unfolded and that's where most of the time in this week's video has gone, I hope you enjoy my analysis of what has become a pretty crazy story back home in Australia.
Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.
If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.
The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron.
Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).
Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.
Maryann’s profile says she’s from Tupelo, Miss., and includes this detail about how she became a self-described “old-school geek.”
“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.
However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.
Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:
The fake CISO for ExxOnMobil was indexed in Cybercrime Magazine’s CISO 500.
Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.
“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures.”
Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.
Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
None of the profiles listed here responded to requests for comment (or to become a connection).
In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.
“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”
LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.
“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.
Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.
“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”
Wow, what a week! Of course there's lots of cyber / tech stuff in this week's update, but it was really only the embedded tweet below on my mind so I'm going to leave you with this then come to you from somewhere much more exotic than usual (and I reckon that's a pretty high bar for me!) next week 😎
Absolutely over the moon to formally make @Charlotte_Hunt_ a part of our family ❤️ 💍 pic.twitter.com/XfahXElboC
— Troy Hunt (@troyhunt) September 21, 2022
A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”
A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019.
On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer.
A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Kloster’s personal blog, which featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world.” Kloster’s blog even included a group photo of RSOCKS employees.
“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”
The Bulgarian news outlet 24Chasa.bg reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko, and that the accused asked to be handed over to the American authorities.
“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Kloster reportedly told the Bulgarian court this week. “I am not a criminal and I will prove it in an American court.”
Launched in 2013, RSOCKS was shut down in June 2022 as part of an international investigation into the cybercrime service. According to the Justice Department, the RSOCKS botnet initially targeted Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers; later in its existence, the RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers, the DOJ said.
The Justice Department’s June 2022 statement about that takedown cited a search warrant from the U.S. Attorney’s Office for the Southern District of California, which also was named by Bulgarian news outlets this month as the source of Kloster’s arrest warrant.
When asked about the existence of an arrest warrant or criminal charges against Kloster, a spokesperson for the Southern District said, “no comment.”
Update, Sept. 24, 9:00 a.m. ET: Kloster was named in a 2019 indictment (PDF) unsealed Sept. 23 by the Southern District court.
The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.
24Chasa said the defendant’s surname is Emelyantsev and that he only recently adopted the last name Kloster, which is his mother’s maiden name.
As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. In several private exchanges on cybercrime forums, the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010.
Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, the defendant in this case probably knows quite a bit about other top players in the botnet spam and malware community.
A Google-translated version of the Rusdot spam forum.
Despite maintaining his innocence, Kloster reportedly told the Bulgarian judge that he could be useful to American investigators.
“America is looking for me because I have enormous information and they need it,” Kloster told the court, according to 24Chasa. “That’s why they want me.”
The Bulgarian court agreed, and granted his extradition. Kloster’s fiancee also attended the extradition hearing, and reportedly wept in the hall outside the entire time.
Kloster turned 36 while awaiting his extradition hearing, and may soon be facing charges that carry punishments of up to 20 years in prison.
A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities.
The grisly kidnapping video has been circulating on a number of Telegram chat channels dedicated to SIM-swapping — the practice of tricking or bribing mobile phone store employees into diverting a target’s phone number, text messages and calls to a device the attackers control.
The teen, known to the SIM-swapping community by the handle “Foreshadow,” appears to have served as a “holder” — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: Physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.
“Yo, Dan, please bro send the 200k,” Foreshadow said in the video, which was shot on Sept. 15 in the backseat of a moving car. Bleeding from a swollen mouth with two handguns pointed at his head, Foreshadow pleaded for his life. A still shot from that video is available here [Warning: the image is quite graphic].
“They’re going to kill me if you don’t,” Foreshadow continued, offering to get a job as a complicit mobile store employee or “plug” to help with future SIM-swaps. “I’ll pay you back. Just let me know what you need. I got you, for real. Any work for free. Whatever. However long you need me, too. I’ll apply to any store you need me to apply to. I can be a plug. I don’t care if I get caught by the cops or anything. I’ll get that money back for you. I used to do that work.”
It’s not clear where in the world the hostage video was recorded. But at one point in the video, the vehicle’s radio can be heard in the background mentioning WMIB, which is a hip-hop station in South Florida that serves both Ft. Lauderdale and Miami.
As Foreshadow’s hostage video began making the rounds on SIM-swapping Telegram channels, a rumor surfaced that Foreshadow had died after being shot in the leg. It soon emerged that Foreshadow had not died, and that he was cooperating with the Federal Bureau of Investigation (FBI). Members of the SIM-swapping community were then warned to delete any messages to or from Foreshadow. One of those messages read:
JUST IN: FORESHADOW IS NOT DEAD!!!!
HES CURRENTLY CO-OPERATING WITH THE FBI DUE TO HIM BEING KIDNAPPED AND AN ATTEMPT TO EXTORT HIM FOR 200K
IF YOU HAVE CHATS WITH HIM CLEAR THEM
Foreshadow appears to be a teenager from Florida whose first name is Justin. Foreshadow’s main Telegram account was converted from a user profile into a channel on Sept. 15 — the same day he was assaulted and kidnapped — and it is not currently responding to messages.
Foreshadow’s erstwhile boss Jarik told KrebsOnSecurity that the youth was indeed shot by his captors, and blamed the kidnapping on a rival SIM-swapper from Australia who was angry over getting shortchanged of the profits from a previous SIM-swapping escapade.
The FBI did not immediately respond to requests for comment.
Reached via Telegram, the alleged mastermind of the kidnapping — a SIM-swapper who uses the handle “Gus” — confirmed that he ordered the attack on Foreshadow because the holder had held back some of his stolen funds. In the same breath, Gus said Jarik was “gonna get done in next” for sharing Gus’ real name and address with KrebsOnSecurity.
“No1 cared about that nigga anyway, he snaked targs [targets] and flaunted it everywhere,” Gus said of Foreshadow. “I’ve been fucked over so many times I’ve lost millions. I am just a guy trying to make more money.”
Foreshadow’s experience is the latest example of a rapidly escalating cycle of physical violence that is taking hold of criminal SIM-swapping communities online. Earlier this month, KrebsOnSecurity detailed how multiple SIM-swapping Telegram channels are now replete with “violence-as-a-service” offerings, wherein denizens of the underground hire themselves out to perform various forms of physical violence — from slashing tires and throwing a brick through someone’s window, to conducting drive-by shootings, firebombings and home invasions.
On Aug. 12, 2022, 21-year-old Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested by the FBI and charged with stalking in connection with several of these violence-as-a-service jobs. Prosecutors say the defendant fired a handgun into a Pennsylvania home, and helped to torch another residence in the state with a Molotov Cocktail — all allegedly in service of a beef over stolen cryptocurrency.
Earlier this month, three men in the United Kingdom were arrested for attempting to assault a local man and steal his virtual currencies. The local man’s neighbor called the cops and said the three men were acting suspiciously and that one of them was wearing a police uniform. U.K. police stopped the three men allegedly fleeing the scene, and found a police uniform and weapons in the trunk of the car. All three defendants in that case were charged with “intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”
Dina Temple-Raston and Sean Powers over at The Record recently interviewed several members of the SIM-swapping community about this escalation in violence. That story is also available on the Click Here podcast — Throwing Bricks for $$$: Violence-as-a-Service Comes of Age.
Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence to settle scores and disputes.
Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.
“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the Lincolnshire Police. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”
Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24 were all charged with possession of the weapons, and “with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”
KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.
Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.
“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”
The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.
Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.
“They had a list of people they wanted to hit consecutively as far as I know,” he said.
The foiled robbery is the latest drama tied to members of certain criminal hacking communities who are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.
Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.
Prosecutors say Patrick McGovern-Allen recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.
McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.
The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.
A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.
Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.
Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).
The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. Joseph James O’Connor, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.
Robert Lewis Barr, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.
In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.
I came so close to skipping this week's video. I'm surrounded by family, friends and my amazing wife to be in only a couple of days. But... this video has been my constant companion through very difficult times, and I'm happy to still being doing it at the best of times 😊 So, with that, I'm signing out and heading off to do something much more important. See you next week.
Taking a bit of time off Twitter while @charlottelyng and I do more important things 💍 👰♀️ pic.twitter.com/9JJrPM9kWX
— Troy Hunt (@troyhunt) September 13, 2022
Safety has a feeling all its own, and that’s what’s at the heart of McAfee+.
We created McAfee+ so people can not only be safe but feel safe online, particularly in a time when there’s so much concern about identity theft and invasion of our online privacy.
And those concerns have merit. Last year, reported cases of identity theft and fraud in the U.S. shot up to 5.7 million, to the tune of $5.8 billion in losses, a 70% increase over the year prior. Meanwhile, online data brokers continue to buy and sell highly detailed personal profiles with the data cobbled together from websites, apps, smartphones, connected appliances, and more, all as part of a global data-gathering economy estimated at well over $200 billion a year.
Yet despite growing awareness of the ways personal information is collected, bought, sold, and even stolen, it remains a somewhat invisible problem. You simply don’t see it as it happens, let alone know who’s collecting what information about you and toward what ends—whether legal, illegal, or somewhere in between. A recent study we conducted showed that 74% of consumers are concerned about keeping their personal information private online. Yet, most of us have found out the hard way (when we search for our name on the internet) that there is a lot of information about us that has been made public. It is our belief that every individual should have the right to be private, yet we know too many individuals don’t know where to begin. It is this very worry that made us focus our new product line on empowering our users to take charge of their privacy and identity online.
McAfee+ gives you that control.
Now available in the U.S., McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance and support to take the steps to be safer online. Here’s how:
You can see the entire range of features that cover your identity, privacy, and security with a visit to our McAfee+ page.
McAfee+ Ultimate offers our most thorough protection, with which you can lock your credit with a click or put a comprehensive security freeze in place, both to thwart potential identity theft. You can keep tabs on your credit with daily credit monitoring and get an alert when there’s credit activity to spot any irregularities quickly.
You’ll also feel like someone has your back. Even with the most thorough measures in place, identity theft and ransomware attacks can still strike, which can throw your personal and financial life into a tailspin. What do you do? Where do you start? Here, we have you covered. We offer two kinds of coverage that can help you recover your time, money, and good name:
Starting today, customers in the U.S. can purchase McAfee+ online at McAfee.com in Premium, Advanced, and Ultimate plans, in addition to individual and family subscriptions. McAfee+ will also be available online in the U.K., Canada, and Australia in the coming weeks with additional regions coming in the months ahead (features may vary by region).
We are very excited about bringing these new protections to you and we hope you will be too.
The post The Feeling of Safety with McAfee+ appeared first on McAfee Blog.
I'm so excited to see the book finally out and awesome feedback coming in, but I'm disappointed with this week's video. I frankly wasn't in the right frame of mind to do it justice (it's been a very hard road up until this point, for various reasons), then my connection dropped out halfway through and I had to roll to 5G, and now I'm hearing (both from other people and with my own ears), a constant background noise being picked up by the mic. Argh! But, that's the reality of scheduled live streams and for better or worse, you end up getting the "warts and all" version. It is what it is, and next week's will be better 😊
FreshRSS 