Login
One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.
The service in question — kopeechka[.]store — is perhaps best described as a kind of unidirectional email confirmation-as-a-service that promises to “save your time and money for successfully registering multiple accounts.”
“Are you working on large volumes and are costs constantly growing?” Kopeechka’s website asks. “Our service will solve all your problems.”
As a customer of this service, you don’t get full access to the email inboxes you are renting. Rather, you configure your botnet or spam machine to make an automated application programming interface (API) call to the Kopeechka service, which responds with a working email address at an email provider of your choosing.
Once you’ve entered the supplied email address into the new account registration page at some website or service, you tell Kopeechka which service or website you’re expecting an account confirmation link from, and they will then forward any new messages matching that description to your Kopeechka account panel.
Ensuring that customers cannot control inboxes rented through the service means that Kopeechka can rent the same email address to multiple customers (at least until that email address has been used to register accounts at most of the major online services).
Kopeechka also has multiple affiliate programs, including one that pays app developers for embedding Kopeechka’s API in their software. However, far more interesting is their program for rewarding people who choose to sell Kopeechka usernames and passwords for working email addresses.
Kopeechka means “penny” in Russian, which is generous verbiage (and coinage) for a service that charges a tiny fraction of a penny for access to account confirmation links. Their pricing fluctuates slightly based on which email provider you choose, but a form on the service’s homepage says a single confirmation message from apple.com to outlook.com costs .07 rubles, which is currently equal to about $0.00087 dollars.
The pricing for Kopeechka works out to about a fraction of a penny per confirmation message.
“Emails can be uploaded to us for sale, and you will receive a percentage of purchases %,” the service explains. “You upload 1 mailbox of a certain domain, discuss percentage with our technical support (it depends on the liquidity of the domain and the number of downloaded emails).”
We don’t have to look very far for examples of Kopeechka in action. In May, KrebsOnSecurity interviewed a Russian spammer named “Quotpw“ who was mass-registering accounts on the social media network Mastodon in order to conduct a series of huge spam campaigns advertising scam cryptocurrency investment platforms.
Much of the fodder for that story came from Renaud Chaput, a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput told KrebsOnSecurity that his team was forced to temporarily halt all new registrations for these communities last month after the number of new registrations from Quotpw’s spam campaign started to overwhelm their systems.
“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”
After that story ran, Chaput said he discovered that the computer code powering Quotpw’s spam botnet (which has since been released as open source) contained an API call to Kopeechka’s service.
“It allows them to pool many bot-created or compromised emails at various providers and offer them to cyber criminals,” Chaput said of Kopeechka. “This is what they used to create thousands of valid Hotmail (and other) addresses when spamming on Mastodon. If you look at the code, it’s really well done with a nice API that forwards you the confirmation link that you can then fake click with your botnet.”
It’s doubtful anyone will make serious money selling email accounts to Kopeechka, unless of course that person already happens to run a botnet and has access to ridiculous numbers of email credentials. And in that sense, this service is genius: It essentially offers scammers a new way to wring extra income from resources that are already plentiful for them.
One final note about Quotpw and the spam botnet that ravaged Chaput’s Mastodon servers last month: Trend Micro just published a report saying Quotpw was spamming to earn money for a Russian-language affiliate program called “Impulse Team,” which pays people to promote cryptocurrency scams.
The crypto scam affiliate program “Project Impulse,” advertising in 2021.
Websites under the banner of the Impulse Scam Crypto Project are all essentially “advanced fee” scams that tell people they have earned a cryptocurrency investment credit. Upon registering at the site, visitors are told they need to make a minimum deposit on the service to collect the award. However, those who make the initial investment never hear from the site again, and their money is gone.
Interestingly, Trend Micro says the scammers behind the Impulse Team also appear to be operating a fake reputation service called Scam-Doc[.]com, a website that mimics the legitimate Scamdoc.com for measuring the trustworthiness and authenticity of various sites. Trend notes that the phony reputation site routinely gave high trust ratings to a variety of cryptocurrency scam and casino websites.
“We can only suppose that either the same cybercriminals run operations involving both or that several different cybercriminals share the scam-doc[.]com site,” the Trend researchers wrote.
The ScamDoc fake reputation websites, which were apparently used to help make fake crypto investment platforms look more trustworthy. Image: Trend Micro.
According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.
A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious Javascript code disguised as a Web browser bookmark.
This attack involves malicious Javascript that is added to one’s browser by dragging a component from a web page to one’s browser bookmarks.
According to interviews with victims, several of the attacks began with an interview request from someone posing as a reporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to be the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.
As shown in this Youtube video, the verification process involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to discord.com and then click the new bookmark to complete the verification process.
However, the bookmark is actually a clever snippet of Javascript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event” or some other potential money making opportunity for the Discord members.
The unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to connect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and subsequently drains the balance of any valuable accounts.
Meanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are deleted by the compromised admin account.
Nicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow businesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean Protocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their identity by dragging a link to their bookmarks.
Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his timezone time before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.
Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.
“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo described the attack. “I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”
In this conversation, “Ana | Ocean” is a compromised Discord server administrator account promoting a phony airdrop.
Importantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else change their credentials.
Assuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the administrator’s token was change the server’s access controls and remove all core Ocean team members from the server.
Fortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the channel’s settings reverted back to normal.
“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is not aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes. “This could have been a lot worse.”
On May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in the deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.
On May 27, Nahmii — a cryptocurrency technology based on the Ethereum blockchain — warned on Twitter that one of its community moderators on Discord was compromised and posting fake airdrop details.
On May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.
KrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these attacks and asked to remain anonymous.
“I do pro bono Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source said. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews website using several accounts.”
The source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were blocked from the Discords he helps to secure.
“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I can see these scammers’ history on Discord,” the source said.
In this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another username — “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz whose Github page linked to the very same Discord ID as the scammer CEO.
Reached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been on Discord since his Microsoft Outlook account was hacked months ago.
“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of Turkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook account which connected to my Discord, and I’m already in touch with Microsoft to recover it.”
The verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores Javascript code as a clickable link in the bookmarks bar at the top of one’s browser.
While bookmarklets can be useful and harmless, malicious Javascript that is executed in the browser by the user is especially dangerous. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.
Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.
LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified.
LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat).
“We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam,” the company said in a blog post. “These warnings will also give you the choice to report the content without letting the sender know.”
In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.
Reporting here last month also tracked a massive drop in profiles claiming to work at several major technology companies, as LinkedIn apparently took action against hundreds of thousands of inauthentic accounts that falsely claimed roles at these companies.
For example, on October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. At around the same time, the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop.
For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author were young women with profile photos that appear to have been generated by artificial intelligence (AI) tools.
“We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology,” LinkedIn’s Oscar Rodriguez wrote. “AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people.”
It remains unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn, but likely they are from a combination of scams. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
Identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
Also, fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.
KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”
A copy of the phishing message included in the PayPal.com invoice.
While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.
Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.
Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:
“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”
Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:
The phony PayPal invoice, which was sent and hosted by PayPal.com.
The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.
I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.
PayPal said in a written statement that phishing attempts are common and can take many forms.
“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”
It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.
Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?
The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
Email scammers sent an Uber to the home of an 80-year-old woman who responded to a well-timed email scam, in a bid to make sure she went to the bank and wired money to the fraudsters. In this case, the woman figured out she was being scammed before embarking for the bank, but her story is a chilling reminder of how far crooks will go these days to rip people off.
Travis Hardaway is a former music teacher turned app developer from Towson, Md. Hardaway said his mother last month replied to an email she received regarding an appliance installation from BestBuy/GeekSquad. Hardaway said the timing of the scam email couldn’t have been worse: His mom’s dishwasher had just died, and she’d paid to have a new one delivered and installed.
“I think that’s where she got confused, because she thought the email was about her dishwasher installation,” Hardaway told KrebsOnSecurity.
Hardaway said his mom initiated a call to the phone number listed in the phony BestBuy email, and that the scammers told her she owed $160 for the installation, which seemed right at the time. Then the scammers asked her to install remote administration software on her computer so that they could control the machine from afar and assist her in making the payment.
After she logged into her bank and savings accounts with scammers watching her screen, the fraudster on the phone claimed that instead of pulling $160 out of her account, they accidentally transferred $160,000 to her account. They said they they needed her help to make sure the money was “returned.”
“They took control of her screen and said they had accidentally transferred $160,000 into her account,” Hardaway said. “The person on the phone told her he was going to lose his job over this transfer error, that he didn’t know what to do. So they sent her some information about where to wire the money, and asked her to go to the bank. But she told them, ‘I don’t drive,’ and they told her, “No problem, we’re sending an Uber to come help you to the bank.'”
Hardaway said he was out of town when all this happened, and that thankfully his mom eventually grew exasperated and gave up trying to help the scammers.
“They told her they were sending an Uber to pick her up and that it was on its way,” Hardaway said. “I don’t know if the Uber ever got there. But my mom went over to the neighbor’s house and they saw it for what it was — a scam.”
Hardaway said he has since wiped her computer, reinstalled the operating system and changed her passwords. But he says the incident has left his mom rattled.
“She’s really second-guessing herself now,” Hardaway said. “She’s not computer-savvy, and just moved down here from Boston during COVID to be near us, but she’s living by herself and feeling isolated and vulnerable, and stuff like this doesn’t help.”
According to the Federal Bureau of Investigation (FBI), seniors are often targeted because they tend to be trusting and polite. More importantly, they also usually have financial savings, own a home, and have good credit—all of which make them attractive to scammers.
“Additionally, seniors may be less inclined to report fraud because they don’t know how, or they may be too ashamed of having been scammed,” the FBI warned in May. “They might also be concerned that their relatives will lose confidence in their abilities to manage their own financial affairs. And when an elderly victim does report a crime, they may be unable to supply detailed information to investigators.”
In 2021, more than 92,000 victims over the age of 60 reported losses of $1.7 billion to the FBI’s Internet Crime Complaint Center (IC3). The FBI says that represents a 74 percent increase in losses over losses reported in 2020.
The abuse of ride-sharing services to scam the elderly is not exactly new. Authorities in Tampa, Fla. say they’re investigating an incident from December 2021 where fraudsters who’d stolen $700,000 from elderly grandparents used Uber rides to pick up bundles of cash from their victims.
FreshRSS 