Login
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitches have been addressed.
Launched in May, Apple’s Rapid Security Response updates are designed to address time-sensitive vulnerabilities, and this is the second month Apple has used it. July marks the sixth month this year that Apple has released updates for zero-day vulnerabilities — those that get exploited by malware or malcontents before there is an official patch available.
If you rely on Apple devices and don’t have automatic updates enabled, please take a moment to check the patch status of your various iDevices. The latest security update that includes the fix for the zero-day bug should be available in iOS/iPadOS 16.5.1, macOS 13.4.1, and Safari 16.5.2.
On the Windows side, there are at least four vulnerabilities patched this month that earned high CVSS (badness) scores and that are already being exploited in active attacks, according to Microsoft. They include CVE-2023-32049, which is a hole in Windows SmartScreen that lets malware bypass security warning prompts; and CVE-2023-35311 allows attackers to bypass security features in Microsoft Outlook.
The two other zero-day threats this month for Windows are both privilege escalation flaws. CVE-2023-32046 affects a core Windows component called MSHTML, which is used by Windows and other applications, like Office, Outlook and Skype. CVE-2023-36874 is an elevation of privilege bug in the Windows Error Reporting Service.
Many security experts expected Microsoft to address a fifth zero-day flaw — CVE-2023-36884 — a remote code execution weakness in Office and Windows.
“Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities,” said Adam Barnett, lead software engineer at Rapid7. “Microsoft is actively investigating publicly disclosed vulnerability, and promises to update the advisory as soon as further guidance is available.”
Barnett notes that Microsoft links exploitation of this vulnerability with Storm-0978, the software giant’s name for a cybercriminal group based out of Russia that is identified by the broader security community as RomCom.
“Exploitation of CVE-2023-36884 may lead to installation of the eponymous RomCom trojan or other malware,” Barnett said. “[Microsoft] suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.”
Microsoft’s advisory on CVE-2023-36884 is pretty sparse, but it does include a Windows registry hack that should help mitigate attacks on this vulnerability. Microsoft has also published a blog post about phishing campaigns tied to Storm-0978 and to the exploitation of this flaw.
Barnett said it’s while it’s possible that a patch will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves.
“Admins should be ready for an out-of-cycle security update for CVE-2023-36884,” he said.
Microsoft also today released new details about how it plans to address the existential threat of malware that is cryptographically signed by…wait for it….Microsoft.
In late 2022, security experts at Sophos, Trend Micro and Cisco warned that ransomware criminals were using signed, malicious drivers in an attempt to evade antivirus and endpoint detection and response (EDR) tools.
In a blog post today, Sophos’s Andrew Brandt wrote that Sophos identified 133 malicious Windows driver files that were digitally signed since April 2021, and found 100 of those were actually signed by Microsoft. Microsoft said today it is taking steps to ensure those malicious driver files can no longer run on Windows computers.
As KrebsOnSecurity noted in last month’s story on malware signing-as-a-service, code-signing certificates are supposed to help authenticate the identity of software publishers, and provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of these qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software.
Dan Goodin at Ars Technica contends that whatever Microsoft may be doing to keep maliciously signed drivers from running on Windows is being bypassed by hackers using open source software that is popular with video game cheaters.
“The software comes in the form of two software tools that are available on GitHub,” Goodin explained. “Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.”
Meanwhile, researchers at Cisco’s Talos security team found multiple Chinese-speaking threat groups have repurposed the tools—one apparently called “HookSignTool” and the other “FuckCertVerifyTimeValidity.”
“Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have,” Goodin said.
For a closer look at the patches released by Microsoft today, check out the always-thorough Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
And as ever, please consider backing up your system or at least your important documents and data before applying system updates. If you encounter any problems with these updates, please drop a note about it here in the comments.
Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But O’Connor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by “SIM swapping,” a crime wherein fraudsters trick a mobile provider into diverting a customer’s phone calls and text messages to a device they control.
Joseph “PlugwalkJoe” O’Connor, in a photo from a Globe Newswire press release Sept. 02, 2020, pitching O’Connor as a cryptocurrency expert and advisor.
On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam — KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, O’Connor was stuck on an indefinite vacation at a popular resort in Spain.
Not long after the Twitter hack, O’Connor was quoted in The New York Times denying any involvement. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”
Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldn’t be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.
O’Connor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged O’Connor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.
In late April 2023, O’Connor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, O’Connor was sentenced to five years in prison.
PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control.
From there, the attackers can reset the password for any of the victim’s online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).
O’Connor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.
PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.
Victims who refused to give up social media accounts or submit to extortion demands were often visited with “swatting attacks,” wherein O’Connor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a target’s address.
Prosecutors said O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.
In the case of the Twitter hack, O’Connor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface, on July 15, 2020.
To resolve the case against him in New York, O’Connor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.
In addition to the prison term, O’Connor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.
To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.
Three others were charged along with O’Connor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.
This story is good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.
Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do you let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.
The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.
In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.
The recent letter from UPS about SMS phishers harvesting shipment details and phone numbers from its website.
“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”
The written notice goes on to say UPS believes the data exposure “affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”
As early as April 2022, KrebsOnSecurity began receiving tips from Canadian readers who were puzzling over why they’d just received one of these SMS phishing messages that referenced information from a recent order they’d legitimately placed at an online retailer.
In March, 2023, a reader named Dylan from British Columbia wrote in to say he’d received one of these shipping fee scam messages not long after placing an order to buy gobs of building blocks directly from Lego.com. The message included his full name, phone number, and postal code, and urged him to click a link to mydeliveryfee-ups[.]info and pay a $1.55 delivery fee that was supposedly required to deliver his Legos.
“From searching the text of this phishing message, I can see that a lot of people have experienced this scam, which is more convincing because of the information the phishing text contains,” Dylan wrote. “It seems likely to me that UPS is leaking information somehow about upcoming deliveries.”
Josh is a reader who works for a company that ships products to Canada, and in early January 2023 he inquired whether there was any information about a breach at UPS Canada.
“We’ve seen many of our customers targeted with a fraudulent UPS text message scheme after placing an order,” Josh said. “A link is provided (often only after the customer responds to the text) which takes you to a captcha page, followed by a fraudulent payment collection page.”
Pivoting on the domain in the smishing message sent to Dylan shows the phishing domain shared an Internet host in Russia [91.215.85-166] with nearly two dozen other smishing related domains, including upsdelivery[.]info, legodelivery[.]info, adidascanadaltd[.]com, crocscanadafee[.]info, refw0234apple[.]info, vista-printcanada[.]info and telus-ca[.]info.
The inclusion of big-name brands in the domains of these UPS smishing campaigns suggests the perpetrators had the ability to focus their lookups on UPS customers who had recently ordered items from specific companies.
Attempts to visit these domains with a web browser failed, but loading them in a mobile device (or in my case, emulating a mobile device using a virtual machine and Developer Tools in Firefox) revealed the first stage of this smishing attack. As Josh mentioned, what first popped up was a CAPTCHA; after the visitor solved the CAPTCHA, they were taken through several more pages that requested the user’s full name, date of birth, credit card number, address, email and phone number.
A smishing website targeting Canadians who recently purchased from Adidas online. The site would only load in a mobile browser.
In April 2022, KrebsOnSecurity heard from Alex, the CEO of a technology company in Canada who asked to leave his last name out of this story. Alex reached out when he began receiving the smishing messages almost immediately after ordering two sets of Airpods directly from Apple’s website.
What puzzled Alex most was that he’d instructed Apple to send the Airpods as a gift to two different people, and less than 24 hours later the phone number he uses for his Apple account received two of the phishing messages, both of which contained salutations that included the names of the people for whom he’d bought Airpods.
“I’d put the recipient as different people on my team, but because it was my phone number on both orders I was the one getting the texts,” Alex explained. “That same day, I got text messages referring to me as two different people, neither of whom were me.”
Alex said he believes UPS Canada either doesn’t fully understand what happened yet, or it is being coy about what it knows. He said the wording of UPS’s response misleadingly suggests the smishing attacks were somehow the result of hackers randomly looking up package information via the company’s tracking website.
Alex said it’s likely that whoever is responsible figured out how to query the UPS Canada website for only pending orders from specific brands, perhaps by exploiting some type of application programming interface (API) that UPS Canada makes or made available to its biggest retail partners.
“It wasn’t like I put the order through [on Apple.ca] and some days or weeks later I got a targeted smishing attack,” he said. “It was more or less the same day. And it was as if [the phishers] were being notified the order existed.”
The letter to UPS Canada customers does not mention whether any other customers in North America were affected, and it remains unclear whether any UPS customers outside of Canada may have been targeted.
In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.
“Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries,” reads an email from Brian Hughes, director of financial and strategy communications at UPS.
“Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted,” Hughes said. “We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website.”
For the past seven years, a malware-based proxy service known as “Faceless” has sold anonymity to countless cybercriminals. For less than a dollar per day, Faceless customers can route their malicious traffic through tens of thousands of compromised systems advertised on the service. In this post we’ll examine clues left behind over the past decade by the proprietor of Faceless, including some that may help put a face to the name.
The proxy lookup page inside the malware-based anonymity service Faceless. Image: spur.us.
Riley Kilmer is co-founder of Spur.us, a company that tracks thousands of VPN and proxy networks, and helps customers identify traffic coming through these anonymity services. Kilmer said Faceless has emerged as one of the underground’s most reliable malware-based proxy services, mainly because its proxy network has traditionally included a great many compromised “Internet of Things” devices — such as media sharing servers — that are seldom included on malware or spam block lists.
Kilmer said when Spur first started looking into Faceless, they noticed almost every Internet address that Faceless advertised for rent also showed up in the IoT search engine Shodan.io as a media sharing device on a local network that was somehow exposed to the Internet.
“We could reliably look up the [fingerprint] for these media sharing devices in Shodan and find those same systems for sale on Faceless,” Kilmer said.
In January 2023, the Faceless service website said it was willing to pay for information about previously undocumented security vulnerabilities in IoT devices. Those with IoT zero-days could expect payment if their exploit involved at least 5,000 systems that could be identified through Shodan.
Notices posted for Faceless users, advertising an email flooding service and soliciting zero-day vulnerabilities in Internet of Things devices.
Recently, Faceless has shown ambitions beyond just selling access to poorly-secured IoT devices. In February, Faceless re-launched a service that lets users drop an email bomb on someone — causing the target’s inbox to be filled with tens of thousands of junk messages.
And in March 2023, Faceless started marketing a service for looking up Social Security Numbers (SSNs) that claims to provide access to “the largest SSN database on the market with a very high hit rate.”
Kilmer said Faceless wants to become a one-stop-fraud-shop for cybercriminals who are seeking stolen or synthetic identities from which to transact online, and a temporary proxy that is geographically close to the identity being sold. Faceless currently sells this bundled product for $9 — $8 for the identity and $1 for the proxy.
“They’re trying to be this one-stop shop for anonymity and personas,” Kilmer said. “The service basically says ‘here’s an SSN and proxy connection that should correspond to that user’s location and make sense to different websites.'”
Faceless is a project from MrMurza, a particularly talkative member of more than a dozen Russian-language cybercrime forums over the past decade. According to cyber intelligence firm Flashpoint, MrMurza has been active in the Russian underground since at least September 2012. Flashpoint said MrMurza appears to be extensively involved in botnet activity and “drops” — fraudulent bank accounts created using stolen identity data that are often used in money laundering and cash-out schemes.
Faceless grew out of a popular anonymity service called iSocks, which was launched in 2014 and advertised on multiple Russian crime forums as a proxy service that customers could use to route their malicious Web traffic through compromised computers.
Flashpoint says that in the months before iSocks went online, MrMurza posted on the Russian language crime forum Verified asking for a serious partner to assist in opening a proxy service, noting they had a botnet that was powered by malware that collected proxies with a 70 percent infection rate.
MrMurza’s Faceless advertised on the Russian-language cybercrime forum ProCrd. Image: Darkbeast/Ke-la.com.
In September 2016, MrMurza sent a message to all iSocks users saying the service would soon be phased out in favor of Faceless, and that existing iSocks users could register at Faceless for free if they did so quickly — before Faceless began charging new users registration fees between $50 and $100.
Verified and other Russian language crime forums where MrMurza had a presence have been hacked over the years, with contact details and private messages leaked online. In a 2014 private message to the administrator of Verified explaining his bona fides, MrMurza said he received years of positive feedback as a seller of stolen Italian credit cards and a vendor of drops services.
MrMurza told the Verified admin that he used the nickname AccessApproved on multiple other forums over the years. MrMurza also told the admin that his account number at the now-defunct virtual currency Liberty Reserve was U1018928.
According to cyber intelligence firm Intel 471, the user AccessApproved joined the Russian crime forum Zloy in Jan. 2012, from an Internet address in Magnitogorsk, RU. In a 2012 private message where AccessApproved was arguing with another cybercriminal over a deal gone bad, AccessApproved asked to be paid at the Liberty Reserve address U1018928.
In 2013, U.S. federal investigators seized Liberty Reserve and charged its founders with facilitating billions of dollars in money laundering tied to cybercrime. The Liberty Reserve case was prosecuted out of the Southern District of New York, which in 2016 published a list of account information (PDF) tied to thousands of Liberty Reserve addresses the government asserts were involved in money laundering.
That document indicates the Liberty Reserve account claimed by MrMurza/AccessApproved — U1018928 — was assigned in 2011 to a “Vadim Panov” who used the email address lesstroy@mgn.ru.
Constella Intelligence, a threat intelligence firm that tracks breached databases, says lesstroy@mgn.ru was used for an account “Hackerok” at the accounting service klerk.ru that was created from an Internet address in Magnitogorsk. The password chosen by this user was “1232.”
In addition to selling access to hacked computers and bank accounts, both MrMurza and AccessApproved ran side hustles on the crime forums selling clothing from popular retailers that refused to ship directly to Russia.
On one cybercrime forum where AccessApproved had clothing customers, denizens of the forum created a lengthy discussion thread to help users identify incoming emails associated with various reshipping services advertised within their community. Reshippers tend to rely on a large number of people in the United States and Europe helping to forward packages overseas, but in many cases the notifications about purchases and shipping details would be forwarded to reshipping service customers from a consistent email account.
That thread said AccessApproved’s clothing reshipping service forwarded confirmation emails from the address panov-v@mail.ru. This address is associated with accounts on two Russian cybercrime forums registered from Magnitogorsk in 2010 using the handle “Omega^gg4u.”
This Omega^gg4u identity sold software that can rapidly check the validity of large batches of stolen credit cards. Interestingly, both Omega^gg4u and AccessApproved also had another niche: Reselling heavily controlled substances — such as human growth hormone and anabolic steroids — from chemical suppliers in China.
A search in Constella on the address panov-v@mail.ru and many variations on that address shows these accounts cycled through the same passwords, including 055752403k, asus666, 01091987h, and the relatively weak password 1232 (recall that 1232 was picked by whoever registered the lesstroy@mgn.ru account at Klerk.ru).
Constella says the email address asus666@yandex.ru relied on the passwords asus666 and 01091987h. The 01091987h password also was used by asus666@mail.ru, which also favored the password 24587256.
Constella further reports that whoever owned the much shorter address asus@mail.ru also used the password 24587256. In addition, it found the password 2318922479 was tied to both asus666@mail.ru and asus@mail.ru.
The email addresses asus@mail.ru, asus2504@mail.ru, and zaxar2504@rambler.ru were all used to register Vkontakte social media accounts for a Denis ***@VIP*** Pankov. There are a number of other Vkontakte accounts registered to asus@mail.ru and many variations of this address under a different name. But none of those other profiles appear tied to real-life identities.
A mind map simplifying the research detailed here.
Constella’s data shows the email addresses asus2504@mail.ru and zaxar2504@rambler.ru used the rather unique password denis250485, which was also used by the email address denispankov@yandex.ru and almost a dozen variations at other Russian-language email providers.
Russian vehicle registration records from 2016 show the email address denispankov@yandex.ru belongs to Denis Viktorovich Pankov, born on April 25, 1985. That explains the “250485” portion of Pankov’s favored password. The registration records further indicate that in 2016 Pankov’s vehicle was registered in a suburb of Moscow.
Russian incorporation records show that denispankov@yandex.com is tied to IP Pankov Denis Viktorovich, a now-defunct transportation company in the Volograd Oblast, a region in southern Russia that shares a long border with western Kazazkhstan.
More recent records for IP Pankov Denis Viktorovich show a microenterprise with this name in Omsk that described its main activity as “retail sale by mail or via the Internet.” Russian corporate records indicate this entity was liquidated in 2021.
A reverse password search on “denis250485” via Constella shows this password was used by more than 75 email addresses, most of which are some variation of gaihnik@mail.ru — such as gaihnik25@mail.ru, or gaihnik2504@rambler.ru.
In 2012, someone posted answers to a questionnaire on behalf of Denis Viktorovich Pankov to a Russian-language discussion forum on Chinese crested dog breeds. The message said Pankov was seeking a puppy of a specific breed and was a resident of Krasnogorsk, a city that is adjacent to the northwestern boundary of Moscow.
The message said Pankov was a then 27-year-old manager in an advertising company, and could be reached at the email address gaihnik@mail.ru.
Constella Intelligence shows gaihnik@mail.ru registered at the now-defunct email marketing service Smart Responder from an address in Gagarin, which is about 115 miles west of Moscow.
Back in 2015, the user Gaihnik25 was banned from the online game World of Tanks for violating the game’s terms that prohibit “bot farming,” or the automated use of large numbers of player accounts to win some advantage that is usually related to cashing out game accounts or inventory.
For the past few years, someone using the nickname Gaihnik25 has been posting messages to the Russian-language hacking forum Gerki[.]pw, on discussion threads regarding software designed to “brute force” or mass-check online accounts for weak or compromised passwords.
A new member of the Russian hacking forum Nohide[.]Space using the handle Gaihnik has been commenting recently about proxy services, credential checking software, and the sale of hacked mailing lists. Gaihnik’s first post on the forum concerned private software for checking World of Tanks accounts.
The address gaihnik@mail.ru shows how so many email addresses tied to Pankov were also connected to apparently misleading identities on Vkontakte and elsewhere. Constella found this address was tied to a Vkontakte account for a Dmitriy Zakarov.
Microsoft’s Bing search engine says gaihnik@mail.ru belongs to 37-year-old Denis Pankov, yet clicking the Mail.ru profile for that user brings up a profile for a much older man by the name Gavril Zakarov. However, when you log in to a Mail.ru account and view that profile, it shows that most of the account’s profile photos are of a much younger man.
Many of those same photos show up in an online dating profile at dating.ru for the user Gaihnik, a.k.a “Denchik,” who says he is a 37-year-old Taurus from Gagarin who enjoys going for walks in nature, staying up late, and being on the Internet.
Mr. Pankov did not respond to multiple requests for comment sent to all of the email addresses mentioned in this story. However, some of those addresses produced detailed error responses; Mail.ru reported that the users panov-v@mail.ru, asus666@mail.ru, and asus2504@mail.ru were terminated, and that gaihnik25@mail.ru is now disabled.
Messages sent to many other email addresses connected via passwords to Pankov and using some variation of asus####@mail.ru also returned similar account termination messages.
FreshRSS 