The login page for the criminal reshipping service SWAT USA Drop.
One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.
Among the most common ways that thieves extract cash from stolen credit card accounts is through purchasing pricey consumer goods online and reselling them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia.
But such restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive stolen goods and relay them to crooks living in the embargoed areas.
Services like SWAT are known as “Drops for stuff” on cybercrime forums. The “drops” are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and even cash bonuses. In reality, the crooks in charge almost always stop communicating with drops just before the first payday, usually about a month after the drop ships their first package.
The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.
SWAT takes a percentage cut (up to 50 percent) where “stuffers” — thieves armed with stolen credit card numbers — pay a portion of each product’s retail value to SWAT as the reshipping fee. The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive and successfully reship the stolen packages, the stuffers then sell the products on the local black market.
The SWAT drop service has been around in various names and under different ownership for almost a decade. But in early October 2023, SWAT’s current co-owner — a Russian-speaking individual who uses the handle “Fearlless” — took to his favorite cybercrime forum to lodge a formal complaint against the owner of a competing reshipping service, alleging his rival had hacked SWAT and was trying to poach his stuffers and reshippers by emailing them directly.
Milwaukee-based security firm Hold Security shared recent screenshots of a working SWAT stuffer’s user panel, and those images show that SWAT currently lists more than 1,200 drops in the United States that are available for stuffers to rent. The contact information for Kareem, a young man from Maryland, was listed as an active drop. Contacted by KrebsOnSecurity, Kareem agreed to speak on condition that his full name not be used in this story.
A SWAT panel for stuffers/customers. This page lists the rules of the service, which do not reimburse stuffers for “acts of god,” i.e. authorities seizing stolen goods or arresting the drop.
Kareem said he’d been hired via an online job board to reship packages on behalf of a company calling itself CTSI, and that he’s been receiving and reshipping iPads and Apple watches for several weeks now. Kareem was less than thrilled to learn he would probably not be getting his salary on the promised payday, which was coming up in a few days.
Kareem said he was instructed to create an account at a website called portal-ctsi[.]com, where each day he was expected to log in and check for new messages about pending shipments. Anyone can sign up at this website as a potential reshipping mule, although doing so requires applicants to share a great deal of personal and financial information, as well as copies of an ID or passport matching the supplied name.
A SWAT panel for stuffers/customers, listing hundreds of drops in the United States by their status. “Going to die” are those who are about to be let go without promised payment, or who have quit on their own.
On a suspicion that the login page for portal-ctsi[.]com might be a custom coding job, KrebsOnSecurity selected “view source” from the homepage to expose the site’s HTML code. Grabbing a snippet of that code (e.g., “smarty/default/jui/js/jquery-ui-1.9.2.min.js”) and searching on it at publicwww.com reveals more than four dozen other websites running the same login panel. And all of those appear to be geared toward either stuffers or drops.
In fact, more than half of the domains that use this same login panel actually include the word “stuffer” in the login URL, according to publicwww. Each of the domains below that end in “/user/login.php” are sites for active and prospective drops, and each corresponds to a unique fake company that is responsible for managing its own stable of drops:
lvlup-store[.]com/stuffer/login.php
personalsp[.]com/user/login.php
destaf[.]com/stuffer/login.php
jaderaplus[.]com/stuffer/login.php
33cow[.]com/stuffer/login.php
panelka[.]net/stuffer/login.php
aaservice[.]net/stuffer/login.php
re-shipping[.]ru/stuffer/login.php
bashar[.]cc/stuffer/login.php
marketingyoursmall[.]biz/stuffer/login.php
hovard[.]xyz/stuffer/login.php
pullback[.]xyz/stuffer/login.php
telollevoexpress[.]com/stuffer/login.php
postme[.]today/stuffer/login.php
wint-job[.]com/stuffer/login.php
squadup[.]club/stuffer/login.php
mmmpack[.]pro/stuffer/login.php
yoursmartpanel[.]com/user/login.php
opt257[.]org/user/login.php
touchpad[.]online/stuffer/login.php
peresyloff[.]top/stuffer/login.php
ruzke[.]vodka/stuffer/login.php
staf-manager[.]net/stuffer/login.php
data-job[.]club/stuffer/login.php
logistics-services[.]org/user/login.php
swatship[.]club/stuffer/login.php
logistikmanager[.]online/user/login.php
endorphine[.]world/stuffer/login.php
burbon[.]club/stuffer/login.php
bigdropproject[.]com/stuffer/login.php
jobspaket[.]net/user/login.php
yourcontrolboard[.]com/stuffer/login.php
packmania[.]online/stuffer/login.php
shopping-bro[.]com/stuffer/login.php
dash-redtag[.]com/user/login.php
mnger[.]net/stuffer/login.php
begg[.]work/stuffer/login.php
dashboard-lime[.]com/user/login.php
control-logistic[.]xyz/user/login.php
povetru[.]biz/stuffer/login.php
dash-nitrologistics[.]com/user/login.php
cbpanel[.]top/stuffer/login.php
hrparidise[.]pro/stuffer/login.php
d-cctv[.]top/user/login.php
versandproject[.]com/user/login.php
packitdash[.]com/user/login.php
avissanti-dash[.]com/user/login.php
e-host[.]life/user/login.php
pacmania[.]club/stuffer/login.php
Why so many websites? In practice, all drops are cut loose within approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, each stuff shop operator must be constantly recruiting new drops. Also, with this distributed setup, even if one reshipping operation gets shut down (or exposed online), the rest can keep on pumping out dozens of packages a day.
A 2015 academic study (PDF) on criminal reshipping services found the average financial hit from a reshipping scheme per cardholder was $1,156.93. That study looked into the financial operations of several reshipping schemes, and estimated that approximately 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year.
It’s not hard to see how reshipping can be a profitable enterprise for card crooks. For example, a stuffer buys a stolen payment card off the black market for $10, and uses that card to purchase more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.
The breach at SWAT exposed not only the nicknames and contact information for all of its stuffers and drops, but also the group’s monthly earnings and payouts. SWAT apparently kept its books in a publicly accessible Google Sheets document, and that document reveals Fearlless and his business partner each routinely made more than $100,000 every month operating their various reshipping businesses.
The exposed SWAT financial records show this crime group has tens of thousands of dollars worth of expenses each month, including payments for the following recurring costs:
-advertising the service on crime forums and via spam;
-people hired to re-route packages, usually by voice over the phone;
-third-party services that sell hacked/stolen USPS/Fedex labels;
-“drops test” services, contractors who will test the honesty of drops by sending them fake jewelry;
-“documents,” e.g. sending drops to physically pick up legal documents for new phony front companies.
The spreadsheet also included the cryptocurrency account numbers that were to be credited each month with SWAT’s earnings. Unsurprisingly, a review of the blockchain activity tied to the bitcoin addresses listed in that document shows that many of them have a deep association with cybercrime, including ransomware activity and transactions at darknet sites that peddle stolen credit cards and residential proxy services.
The information leaked from SWAT also has exposed the real-life identity and financial dealings of its principal owner — Fearlless, a.k.a. “SwatVerified.” We’ll hear more about Fearlless in Part II of this story. Stay tuned.
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
Apple last week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to active attacks. The patch fixes CVE-2023-42724, which attackers have been using in targeted attacks to elevate their access on a local device.
Apple said it also patched CVE-2023-5217, which is not listed as a zero-day bug. However, as Bleeping Computer pointed out, this flaw is caused by a weakness in the open-source “libvpx” video codec library, which was previously patched as a zero-day flaw by Google in the Chrome browser and by Microsoft in Edge, Teams, and Skype products. For anyone keeping count, this is the 17th zero-day flaw that Apple has patched so far this year.
Fortunately, the zero-days affecting Microsoft customers this month are somewhat less severe than usual, with the exception of CVE-2023-44487. This weakness is not specific to Windows but instead exists within the HTTP/2 protocol used by the World Wide Web: Attackers have figured out how to use a feature of HTTP/2 to massively increase the size of distributed denial-of-service (DDoS) attacks, and these monster attacks reportedly have been going on for several weeks now.
Amazon, Cloudflare and Google all released advisories today about how they’re addressing CVE-2023-44487 in their cloud environments. Google’s Damian Menscher wrote on Twitter/X that the exploit — dubbed a “rapid reset attack” — works by sending a request and then immediately cancelling it (a feature of HTTP/2). “This lets attackers skip waiting for responses, resulting in a more efficient attack,” Menscher explained.
Natalie Silva, lead security engineer at Immersive Labs, said this flaw’s impact to enterprise customers could be significant, and lead to prolonged downtime.
“It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks,” Silva said. In this month’s Patch Tuesday release by Microsoft, they have released both an update to this vulnerability, as well as a temporary workaround should you not be able to patch immediately.”
Microsoft also patched zero-day bugs in Skype for Business (CVE-2023-41763) and Wordpad (CVE-2023-36563). The latter vulnerability could expose NTLM hashes, which are used for authentication in Windows environments.
“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given,” said Adam Barnett, lead software engineer at Rapid7. “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”
Other notable bugs addressed by Microsoft include CVE-2023-35349, a remote code execution weakness in the Message Queuing (MSMQ) service, a technology that allows applications across multiple servers or hosts to communicate with each other. This vulnerability has earned a CVSS severity score of 9.8 (10 is the worst possible). Happily, the MSMQ service is not enabled by default in Windows, although Immersive Labs notes that Microsoft Exchange Server can enable this service during installation.
Speaking of Exchange, Microsoft also patched CVE-2023-36778, a vulnerability in all current versions of Exchange Server that could allow attackers to run code of their choosing. Rapid7’s Barnett said successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell session.
For a more detailed breakdown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.
The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team’s darknet site, which is only reachable using the global anonymity network Tor.
KrebsOnSecurity has learned that Snatch’s darknet site exposes its “server status” page, which includes information about the true Internet addresses of users accessing the website.
Refreshing this page every few seconds shows that the Snatch darknet site generates a decent amount of traffic, often attracting thousands of visitors each day. But by far the most frequent repeat visitors are coming from Internet addresses in Russia that either currently host Snatch’s clear web domain names or recently did.
The Snatch ransomware gang’s victim shaming site on the darknet is leaking data about its visitors. This “server status” page says that Snatch’s website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, which is no longer supported by security updates.
Probably the most active Internet address accessing Snatch’s darknet site is 193.108.114[.]41, which is a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address is showing up frequently because Snatch’s clear-web site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.
Another Internet address that showed up frequently in the Snatch server status page was 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. According to DomainTools.com, this address also hosts or else recently hosted the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.
The Moscow Internet address 80.66.64[.]15 accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clear-web domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to known software companies, including libreoff1ce[.]com and www-discord[.]com.
This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name — Mihail Kolesnikov, a name that is somewhat synonymous with recent phishing domains tied to malicious Google ads.
Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin’s reign. Either way, it’s clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.
DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g. the now-defunct pittsburghcitygirls[.]com).
The other half of the Kolesnikov websites are far more recent phishing domains mostly ending in “.top” and “.app” that appear designed to mimic the domains of major software companies, including www-citrix[.]top, www-microsofteams[.]top, www-fortinet[.]top, ibreoffice[.]top, www-docker[.]top, www-basecamp[.]top, ccleaner-cdn[.]top, adobeusa[.]top, and www.real-vnc[.]top.
In August 2023, researchers with Trustwave Spiderlabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan.
But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware. In February 2023, Spamhaus warned of a huge surge in malicious ads that were hijacking search results in Google.com, and being used to distribute at least five different families of information stealing trojans, including AuroraStealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer and Vidar.
For example, Spamhaus said victims of these malicious ads would search for Microsoft Teams in Google.com, and the search engine would often return a paid ad spoofing Microsoft or Microsoft Teams as the first result — above all other results. The malicious ad would include a logo for Microsoft and at first glance appear to be a safe and trusted place to download the Microsoft Teams client.
However, anyone who clicked on the result was whisked away instead to mlcrosofteams-us[.]top — yet another malicious domain registered to Mr. Kolesnikov. And while visitors to this website may believe they are only downloading the Microsoft Teams client, the installer file includes a copy of the IcedID malware, which is really good at stealing passwords and authentication tokens from the victim’s web browser.
The founder of the Swiss anti-abuse website abuse.ch told Spamhaus it is likely that some cybercriminals have started to sell “malvertising as a service” on the dark web, and that there is a great deal of demand for this service.
In other words, someone appears to have built a very profitable business churning out and promoting new software-themed phishing domains and selling that as a service to other cybercriminals. Or perhaps they are simply selling any stolen data (and any corporate access) to active and hungry ransomware group affiliates.
The tip about the exposed “server status” page on the Snatch darkweb site came from @htmalgae, the same security researcher who alerted KrebsOnSecurity earlier this month that the darknet victim shaming site run by the 8Base ransomware gang was inadvertently left in development mode.
That oversight revealed not only the true Internet address of the hidden 8Base site (in Russia, naturally), but also the identity of a programmer in Moldova who apparently helped to develop the 8Base code.
@htmalgae said the idea of a ransomware group’s victim shaming site leaking data that they did not intend to expose is deliciously ironic.
“This is a criminal group that shames others for not protecting user data,” @htmalgae said. “And here they are leaking their user data.”
All of the malware mentioned in this story is designed to run on Microsoft Windows devices. But Malwarebytes recently covered the emergence of a Mac-based information stealer trojan called AtomicStealer that was being advertised through malicious Google ads and domains that were confusingly similar to software brands.
Please be extra careful when you are searching online for popular software titles. Cracked, pirated copies of major software titles are a frequent source of infostealer infections, as are these rogue ads masquerading as search results. Make sure to double-check you are actually at the domain you believe you’re visiting *before* you download and install anything.
Stay tuned for Part II of this post, which includes a closer look at the Snatch ransomware group and their founder.
Further reading:
@HTMalgae’s list of the top Internet addresses seen accessing Snatch’s darknet site
Ars Technica: Until Further Notice Think Twice Before Using Google to Download Software
Bleeping Computer: Hackers Abuse Google Ads to Spread Malware in Legit Software
Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.
Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.
In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”
T-Mobile has not yet responded to requests for comment.
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.
SIM-swapping groups will often call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the employee to visit a phishing website that mimics the company’s login page.
Multiple SIM-swapping gangs have had great success using this method to target T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.
In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.
The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.
And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”
A phishing message targeting FTX users that went out en masse today.
A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they doing something to protect their customers from further harm.
Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.
Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.
The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.
Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.
If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.
If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.
Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.