Login
China has attacked critical infrastructure organizations in the US using a "living off the land" attack that hides offensive action among everyday Windows admin activity.β¦
Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code that listened in on device microphones.β¦
The Philadelphia Inquirer has punched back at the Cuba ransomware gang after the criminals leaked what they said were files stolen from the newspaper.β¦
Nobody wants to spend their time dealing with the fallout of a security incident instead of building up their business
The post Digital security for the selfβemployed: Staying safe without an IT team to help appeared first on WeLiveSecurity
A former IT security analyst at Oxford Biomedica has admitted, five years after the fact, to turning to the dark side β by hijacking a cyber attack against his own company in an attempt to divert any ransom payments to himself.β¦
When businesses go shopping for IT services, North Korea-controlled companies probably struggle to make it into many lists.β¦
Personal and financial data describing almost 1.9 million Apria Healthcare patients and employees may have been accessed by crooks who breached the company's networks over a series of months in 2019 and 2021.β¦
Dish Network has admitted that a February cybersecurity incident and associated multi-day outage led to the extraction of data on nearly 300,000 people, while also appearing to indirectly admit it may have paid cybercriminals to delete said data.β¦
TikTok, the social video platform used by around 150 million people in the US, is set to hand access to its source code, algorithm and content moderation material to Oracle in a bid to allay data protection and national security concerns stateside.β¦
ESET researchers discover AhRat β a new Android RAT based on AhMyth β that exfiltrates files and records audio
The post Android app breaking bad: From legitimate screen recording to file exfiltration within a year appeared first on WeLiveSecurity
The FBI has issued a warning about fake job ads that recruit workers into forced labor operations in Southeast Asia β some of which enslave visitors and force them to participate in cryptocurrency scams.β¦
US memory-maker Micron has no idea why Chinese authorities have decided its products represent a security risk, or which customers it's not allowed to sell to.β¦
Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.
Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure β including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via βprivate mentions,β a kind of direct messaging on the platform.
The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.
Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point this month the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.
βWe suddenly went from like three registrations per minute to 900 a minute,β Chaput said. βThere was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.β
One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.
Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastondon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.
Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.
βThis was three hours non-stop, 200,000 to 400,000 requests per second,β Chaput said of the DDoS. βAt first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times.β
Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But heβs worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.
βWe donβt know if this is the work of one person, or if this is [related to] software or services being sold to others,β Chaput told KrebsOnSecurity. βWeβre really impressed by the scale of it β using hundreds of domains and thousands of Microsoft email addresses.β
Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same 0auth credentials, and that a domain common to those credentials was quot[.]pw.
The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address edgard011012@gmail.com.
This email address is also connected to accounts on several Russian cybercrime forums, including β__edman__,β who had a history of selling βlogsβ β large amounts of data stolen from many bot-infected computers β as well as giving away access to hacked Internet of Things (IoT) devices.
In September 2018, a user by the name βΡΠΈΠΏΠ°β (phonetically βZipperβ in Russian) registered on the Russian hacking forum Lolzteam using the edgard0111012@gmail.com address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called βQuot Projectβ which said they could be hired to write programming scripts in Python and C++.
βI make Telegram bots and other rubbish cheaply,β reads one February 2020 sales thread from Zipper.
Quotpw/Ahick/Edgard/ΡΠΈΠΏΠ° advertising his coding services in this Google-translated forum posting.
Clicking the βopen chat in Telegramβ button on Zipperβs Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.
βIt was made for a limited circle of people,β Quotpw said, noting that they recently released the bot software as open source on GitHub.
Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.
Very often, this proxy software is installed surreptitiously, such as through a βFree VPNβ service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.
Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitterβs anti-bot CAPTCHA have put a crimp in their Twitter earnings.
βMy partners (Iβm programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter,β Quotpw wrote in a Telegram reply. βOn Twitter, more spam and crypto scam.β
Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown βthey pay more for such work than in βwhiteβ jobsβ β referring to legitimate programming jobs that donβt involve malware, botnets, spams and scams.
βConsider salaries in Russia,β Quotpw said. βAny spam is made for profit and brings illegal money to spammers.β
Shortly after edgard011012@gmail.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to msr-sergey2015@yandex.ru, and to a phone number in Austria: +43.6607003748.
Constella Intelligence, a company that tracks breached data, finds that the address msr-sergey2015@yandex.ru has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.
A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.
Proshutinskiyβs LinkedIn profile says he is a Class of 2024 student at TGM, which is a state-owned, technical and engineering school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.
Mr. Proshutinskiy did not respond to requests for comment.
Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.
βInitially, I bought it for 300 rubles,β Quotpw explained. βThe extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me.β
βHeβs not even an information security specialist,β Quotpw said of Sergey. βMy friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities.β
It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources β all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpwβs spam messages pays handsomely for any investments generated by their spam.
According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.
Update, May 25, 10:30 a.m.:Β Corrected attribution of the Austrian school TGM.
Uncle Sam announced its commenced over 4,000 legal actions in three months β mostly harshly worded letters β to rein in "money mules" involved in romance scams, business email compromise, and other fraudulent schemes.β¦
ispoof-1200
FreshRSS 