Login
U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.
Investigators used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.
Dubbed “Operation Cronos,” the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities.
LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.
LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.
A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBit’s primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.
The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.
Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev.
Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF). Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.
An FBI wanted poster for Matveev.
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.
LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and it’s unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm ProDaft said on Twitter/X that the infiltration of LockBit by investigators provided “in-depth visibility into each affiliate’s structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.”
In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gang’s leaders said the FBI and the U.K.’s National Crime Agency (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.
Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBit’s vaunted “Bug Bounty” program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBit’s online infrastructure.
This prompted several XSS members to start posting memes taunting the group about the security failure.
“Does it mean that the FBI provided a pentesting service to the affiliate program?,” one denizen quipped. “Or did they decide to take part in the bug bounty program? :):)”
Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBit’s data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of “LockBitSupp,” the unofficial spokesperson or figurehead for the LockBit gang.
“Who is LockbitSupp?” the teaser reads. “The $10m question.”
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.
“My god, who needs me?,” LockBitSupp wrote on Jan. 22, 2024. “There is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, it’s an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.”
Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.
“I don’t think this is an accident—this is how ransomware groups talk to each other,” Stockley said. “This is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.”
In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.
The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.
The fake USPS phishing page.
Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.
KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain usps.informedtrck[.]com.
The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.
The remaining buttons on the phishing page all link to the real USPS.com website. After collecting your address information, the fake USPS site goes on to request additional personal and financial data.
This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.
Check out the bottom portion of the screenshot below, and you’ll notice that this phishing site fails to load some external resources, including an image from a link called fly.linkcdn[.]to.
Click the image to enlarge.
A search on this domain at the always-useful URLscan.io shows that fly.linkcdn[.]to is tied to a slew of USPS-themed phishing domains. Here are just a few of those domains (links defanged to prevent accidental clicking):
usps.receivepost[.]com
usps.informedtrck[.]com
usps.trckspost[.]com
postreceive[.]com
usps.trckpackages[.]com
usps.infortrck[.]com
usps.quicktpos[.]com
usps.postreceive].]com
usps.revepost[.]com
trackingusps.infortrck[.]com
usps.receivepost[.]com
usps.trckmybusi[.]com
postreceive[.]com
tackingpos[.]com
usps.trckstamp[.]com
usa-usps[.]shop
usps.infortrck[.]com
unlistedstampreceive[.]com
usps.stampreceive[.]com
usps.stamppos[.]com
usps.stampspos[.]com
usps.trckmypost[.]com
usps.trckintern[.]com
usps.tackingpos[.]com
usps.posinformed[.]com
As we can see in the screenshot below, the developer tools console for informedtrck[.]com complains that the site is unable to load a Google Analytics code — UA-80133954-3 — which apparently was rejected for pointing to an invalid domain.
Notice the highlighted Google Analytics code exposed by a faulty Javascript element on the phishing website. Click to enlarge. That code actually belongs to the USPS.
The valid domain for that Google Analytics code is the official usps.com website. According to dnslytics.com, that same analytics code has shown up on at least six other nearly identical USPS phishing pages dating back nearly as many years, including onlineuspsexpress[.]com, which DomainTools.com says was registered way back in September 2018 to an individual in Nigeria.
A different domain with that same Google Analytics code that was registered in 2021 is peraltansepeda[.]com, which archive.org shows was running a similar set of phishing pages targeting USPS users. DomainTools.com indicates this website name was registered by phishers based in Indonesia.
DomainTools says the above-mentioned USPS phishing domain stamppos[.]com was registered in 2022 via Singapore-based Alibaba.com, but the registrant city and state listed for that domain says “Georgia, AL,” which is not a real location.
Alas, running a search for domains registered through Alibaba to anyone claiming to reside in Georgia, AL reveals nearly 300 recent postal phishing domains ending in “.top.” These domains are either administrative domains obscured by a password-protected login page, or are .top domains phishing customers of the USPS as well as postal services serving other countries.
Those other nations include the Australia Post, An Post (Ireland), Correos.es (Spain), the Costa Rican post, the Chilean Post, the Mexican Postal Service, Poste Italiane (Italy), PostNL (Netherlands), PostNord (Denmark, Norway and Sweden), and Posti (Finland). A complete list of these domains is available here (PDF).
A phishing page targeting An Post, the state-owned provider of postal services in Ireland.
The Georgia, AL domains at Alibaba also encompass several that spoof sites claiming to collect outstanding road toll fees and fines on behalf of the governments of Australia, New Zealand and Singapore.
An anonymous reader wrote in to say they submitted fake information to the above-mentioned phishing site usps.receivepost[.]com via the malware sandbox any.run. A video recording of that analysis shows that the site sends any submitted data via an automated bot on the Telegram instant messaging service.
The traffic analysis just below the any.run video shows that any data collected by the phishing site is being sent to the Telegram user @chenlun, who offers to sell customized source code for phishing pages. From a review of @chenlun’s other Telegram channels, it appears this account is being massively spammed at the moment — possibly thanks to public attention brought by this story.
Meanwhile, researchers at DomainTools recently published a report on an apparently unrelated but equally sprawling SMS-based phishing campaign targeting USPS customers that appears to be the work of cybercriminals based in Iran.
Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the United Parcel Service (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands.
With the holiday shopping season nearly upon us, now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.
If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.
Update: Added information about the Telegram bot and any.run analysis.
Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.
.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.
Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.
“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”
Dean Marks is emeritus executive director for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.
“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”
Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, a proof of identity, or evidence of incorporation are required.
“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”
Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.
In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants.
Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the US.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.
GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.
“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.
GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”
“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”
Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.
“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great’s Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”
The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.
Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications.
In a written statement, the NTIA said DNS abuse is a priority issue for the agency, and that NTIA supports “evidence-based policymaking.”
“We look forward to reviewing the report and will engage with our contractor for the .US domain on steps that we can take not only to address phishing, but the other forms of DNS abuse as well,” the statement reads.
Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).’
Update, Sept. 5, 1:44 p.m. ET: Updated story with statement provided today by the NTIA.
The Russian government today handed down a treason conviction and 14-year prison sentence on Iyla Sachkov, the former founder and CEO of one of Russia’s largest cybersecurity firms. Sachkov, 37, has been detained for nearly two years under charges that the Kremlin has kept classified and hidden from public view, and he joins a growing roster of former Russian cybercrime fighters who are now serving hard time for farcical treason convictions.
Ilya Sachkov. Image: Group-IB.com.
In 2003, Sachkov founded Group-IB, a cybersecurity and digital forensics company that quickly earned a reputation for exposing and disrupting large-scale cybercrime operations, including quite a few that were based in Russia and stealing from Russian companies and citizens.
In September 2021, the Kremlin issued treason charges against Sachkov, although it has refused to disclose any details about the allegations. Sachkov pleaded not guilty. After a three-week “trial” that was closed to the public, Sachkov was convicted of treason and sentenced to 14 years in prison. Prosecutors had asked for 18 years.
Group-IB relocated its headquarters to Singapore several years ago, although it did not fully exit the Russian market until April 2023. In a statement, Group-IB said that during their founder’s detainment, he was denied the right to communicate — no calls, no letters — with the outside world for the first few months, and was deprived of any visits from family and friends.
“Ultimately, Ilya has been denied a chance for an impartial trial,” reads a blog post on the company’s site. “All the materials of the case are kept classified, and all hearings were held in complete secrecy with no public scrutiny. As a result, we might never know the pretext for his conviction.”
Prior to his arrest in 2021, Sachkov publicly chastised the Kremlin for turning a blind eye to the epidemic of ransomware attacks coming from Russia. In a speech covered by the Financial Times in 2021, Sachkov railed against the likes of Russian hacker Maksim Yakubets, the accused head of a hacking group called Evil Corp. that U.S. officials say has stolen hundreds of millions of dollars over the past decade.
“Yakubets has been spotted driving around Moscow in a fluorescent camouflage Lamborghini, with a custom licence plate that reads ‘THIEF,'” FT’s Max Seddon wrote. “He also ‘provides direct assistance to the Russian government’s malicious cyber efforts,’ according to US Treasury sanctions against him.”
In December 2021, Bloomberg reported that Sachkov was alleged to have given the United States information about the Russian “Fancy Bear” operation that sought to influence the 2016 U.S. election. Fancy Bear is one of several names (e.g., APT28) for an advanced Russian cyber espionage group that has been linked to the Russian military intelligence agency GRU.
In 2019, a Moscow court meted out a 22-year prison sentence for alleged treason charges against Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial, and the supposed reason for the treason charges has never been disclosed.
Following their dramatic arrests in 2016, some media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.
That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee.
The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.
The volume of phishing websites registered through Freenom dropped considerably since the registrar was sued by Meta. Image: Interisle Consulting.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, but the registrar also reserves the right to take back free domains at any time, and to divert traffic to other sites — including adult websites. And there are countless reports from Freenom users who’ve seen free domains removed from their control and forwarded to other websites.
By the time Meta initially filed its lawsuit in December 2022, Freenom was the source of well more than half of all new phishing domains coming from country-code top-level domains. Meta initially asked a court to seal its case against Freenom, but that request was denied. Meta withdrew its December 2022 lawsuit and re-filed it in March 2023.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” Meta’s complaint charged. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta pointed to research from Interisle Consulting Group, which discovered in 2021 and again last year that the five ccTLDs operated by Freenom made up half of the Top Ten TLDs most abused by phishers.
Interisle partner Dave Piscitello said something remarkable has happened in the months since the Meta lawsuit.
“We’ve observed a significant decline in phishing domains reported in the Freenom commercialized ccTLDs in months surrounding the lawsuit,” Piscitello wrote on Mastodon. “Responsible for over 60% of phishing domains reported in November 2022, Freenom’s percentage has dropped to under 15%.”
Interisle collects data from 12 major blocklists for spam, malware, and phishing, and it receives phishing-specific data from Spamhaus, Phishtank, OpenPhish and the APWG Ecrime Exchange. The company publishes historical data sets quarterly, both on malware and phishing.
Piscitello said it’s too soon to tell the full impact of the Freenom lawsuit, noting that Interisle’s sources of spam and phishing data all have different policies about when domains are removed from their block lists.
“One of the things we don’t have visibility into is how each of the blocklists determine to remove a URL from their lists,” he said. “Some of them time out [listed domains] after 14 days, some do it after 30, and some keep them forever.”
Freenom did not respond to requests for comment.
This is the second time in as many years that a lawsuit by Meta against a domain registrar has disrupted the phishing industry. In March 2020, Meta sued domain registrar giant Namecheap, alleging cybersquatting and trademark infringement.
The two parties settled the matter in April 2022. While the terms of that settlement have not been disclosed, new phishing domains registered through Namecheap declined more than 50 percent the following quarter, Interisle found.
Phishing attacks using websites registered through Namecheap, before and after the registrar settled a lawsuit with Meta. Image: Interisle Consulting.
Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years. Piscitello said the phishers tend to gravitate toward registrars that offer the least resistance and lowest price per domain. And with new top-level domains constantly being introduced, there is rarely a shortage of super low-priced domains.
“The abuse of a new top-level domain is largely the result of one registrar’s portfolio,” Piscitello told KrebsOnSecurity. “Alibaba or Namecheap or another registrar will run a promotion for a cheap domain, and then we’ll see flocking and migration of the phishers to that TLD. It’s like strip mining, where they’ll buy hundreds or thousands of domains, use those in a campaign, exhaust that TLD and then move on to another provider.”
Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many. After all, there are more than 2,000 accredited domain registrars, not to mention dozens of services that let anyone set up a website for free without even owning a domain.
“There is no evidence that the trend line is even going to level off,” he said. “I think what the Meta lawsuit tells us is that litigation is like giving someone a standing eight count. It temporarily disrupts a process. And in that sense, litigation appears to be working.”
We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.
Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.
In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.
3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.
“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.
Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.
“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.
Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.
Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.
The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.
Meanwhile, the security firm ESET today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.
As reported in a series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.
Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by ClearSky Security, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.
Microsoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty.
Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “ZINC“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “Diamond Sleet.”
The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise Linux operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.
“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers Peter Kalnai and Marc-Etienne M.Leveille. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”
ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.
“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”
ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.
Kim Zetter, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.
“Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X_Trader software was downloaded by people at other software firms.
If there’s a silver lining here, the X_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.
“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.
The domain name registrar Freenom, whose free domain names have long been a draw for spammers and phishers, has stopped allowing new domain name registrations. The move comes after the Dutch registrar was sued by Meta, which alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.
Freenom’s website features a message saying it is not currently allowing new registrations.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, presumably as a way to encourage users to pay for related services, such as registering a .com or .net domain, for which Freenom does charge a fee.
On March 3, 2023, social media giant Meta sued Freenom in a Northern California court, alleging cybersquatting violations and trademark infringement. The lawsuit also seeks information about the identities of 20 different “John Does” — Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.
The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” the complaint charges. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta further alleges that “Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse,” and that it monetizes the traffic from infringing domains by reselling them and by adding “parking pages” that redirect visitors to other commercial websites, websites with pornographic content, and websites used for malicious activity like phishing.
Freenom has not yet responded to requests for comment. But attempts to register a domain through the company’s website as of publication time generated an error message that reads:
“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.”
Image: Interisle Consulting Group, Phishing Landscape 2021, Sept. 2021.
Although Freenom is based in The Netherlands, some of its other sister companies named as defendants in the lawsuit are incorporated in the United States.
Meta initially filed this lawsuit in December 2022, but it asked the court to seal the case, which would have restricted public access to court documents in the dispute. That request was denied, and Meta amended and re-filed the lawsuit last week.
According to Meta, this isn’t just a case of another domain name registrar ignoring abuse complaints because it’s bad for business. The lawsuit alleges that the owners of Freenom “are part of a web of companies created to facilitate cybersquatting, all for the benefit of Freenom.”
“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta charged.
It remains unclear why Freenom has stopped allowing domain registration. In June 2015, ICANN suspended Freenom’s ability to create new domain names or initiate inbound transfers of domain names for 90 days. According to Meta, the suspension was premised on ICANN’s determination that Freenom “has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest.”
A spokesperson for ICANN said the organization has no insight as to why Freenom might have stopped registering domain names. But it said Freenom (d/b/a OpenTLD B.V.) also received formal enforcement notices from ICANN in 2017 and 2020 for violating different obligations.
A copy of the amended complaint against Freenom, et. al, is available here (PDF).
March 8, 6:11 p.m. ET: Updated story with response from ICANN. Corrected attribution of the domain abuse report.
Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating “Trickbot,” a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities.
Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into “a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the Treasury Department said.
A spam email from 2020 containing a Trickbot-infected attachment. Image: Microsoft.
“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the sanctions notice continued. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”
Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly “Bentley” Kovalev.
A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive “money mule” scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.
In 2015, Kovalev reportedly began filming a movie in Russia about cybercrime called “Botnet.” According to a 2016 story from Forbes.ru, Botnet’s opening scene was to depict the plight of Christina Svechinskaya, a Russian student arrested by FBI agents in September 2010.
Christina Svechinskaya, a money mule hired by Bentley who was arrested by the FBI in 2010.
Svechinskaya was one of Bentley’s money mules, most of whom were young Russian students on temporary travel visas in the United States. She was among 37 alleged mules charged with aiding an international cybercrime operation — basically, setting up phony corporate bank accounts for the sole purpose of laundering stolen funds.
Although she possessed no real hacking skills, Svechinskaya’s mugshot and social media photos went viral online and she was quickly dubbed “the world’s sexiest computer hacker” by the tabloids.
Kovalev’s Botnet film project was disrupted after Russian authorities raided the film production company’s offices as part of a cybercrime investigation. In February 2016, Reuters reported that the raid was connected to a crackdown on “Dyre,” a sophisticated trojan that U.S. federal investigators say was the precursor to the Trickbot malware. The Forbes.ru article cited sources close to the investigation who said the film studio was operating as a money-laundering front for the cybercrooks behind Dyre.
But shifting political winds in Russia would soon bring high treason charges against three of the Russian cybercrime investigators tied to the investigation into the film studio. In a major shakeup in 2017, the Kremlin levied treason charges against Sergey Mikhaylov, then deputy chief of Russia’s top anti-cybercrime unit.
Also charged with treason was Ruslan Stoyanov, then a senior employee at Russian security firm Kaspersky Lab [the Forbes.ru report from 2016 said investigators from Mikhaylov’s unit and Kaspersky Lab were present at the film company raid].
Russian media outlets have speculated that the men were accused of treason for helping American cybercrime investigators pursue top Russian hackers. However, the charges against both men were classified and have never been officially revealed. After their brief, closed trial, both men were convicted of treason. Mikhaylov was given a 22 year prison sentence; Stoyanov was sentenced to 14 years in prison.
In September 2021, the Kremlin issued treason charges against Ilya Sachkov, formerly head of the cybersecurity firm Group-IB. According to Reuters, Sachkov and his company were hired by the film studio “to advise the Botnet director and writers on the finer points of cybercrime.” Sachkov remains imprisoned in Russia pending his treason trial.
Trickbot was heavily used by Conti and Ryuk, two of Russia’s most ruthless and successful ransomware groups. Blockchain analysis firm Chainalysis estimates that in 2021 alone, Conti extorted more than USD $100 million from its hacking victims; Chainalysis estimates Ryuk extorted more than USD $150 million from its ransomware victims.
The U.S. cybersecurity firm CrowdStrike has long tracked the activities of Trickbot, Ryuk and Conti under the same moniker — “Wizard Spider” — which CrowdStrike describes as “a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.”
“CrowdStrike Intelligence has observed WIZARD SPIDER targeting multiple countries and industries such as academia, energy, financial services, government, and more,” said Adam Meyers, head of intelligence at CrowdStrike.
This is not the U.S. government’s first swipe at the Trickbot group. In early October 2020, KrebsOnSecurity broke the news that someone had launched a series of coordinated attacks designed to disrupt the Trickbot botnet. A week later, The Washington Post ran a story saying the attack on Trickbot was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the U.S. National Security Agency (NSA).
Days after Russia invaded Ukraine in February 2022, a Ukrainian researcher leaked several years of internal chat logs from the Conti ransomware gang. Those candid conversations offer a fascinating view into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. They also showed that Conti enjoyed protection from prosecution by Russian authorities, as long as the hacker group took care not to target Russian organizations.
In addition, the leaked Conti chats confirmed there was considerable overlap in the operation and leadership of Conti, Trickbot and Ryuk.
Michael DeBolt, chief intelligence officer at cybersecurity firm Intel 471, said the leaked Conti chats showed Bentley oversaw a team of coders tasked with ensuring that the Trickbot and Conti malware remained undetected by the different antivirus and security software vendors.
In the years prior to the emergence of Trickbot in 2016, Bentley worked closely on the Gameover ZeuS trojan, a peer-to-peer malware threat that infected between 500,000 and a million computers with an automated ransomware strain called Cryptolocker, DeBolt said.
The FBI has a standing $3 million bounty offered for the capture of Evgeny “Slavik” Bogachev, the alleged author of the Zeus trojan. And there are indications that Bentley worked directly with Bogachev. DeBolt pointed to an October 2014 discussion on the exclusive Russian hacking forum Mazafaka that included a complaint by a Russian hosting firm against a forum user by the name “Ferrari” who had failed to pay a $30,000 hosting bill.
In that discussion thread, it emerged that the hosting company thought it was filing a complaint against Slavik. But the Mazafaka member who vouched for Ferrari’s membership on the forum said they knew Ferrari as Bentley the mule handler, and at some point Slavik and Bentley must have been sharing the Ferrari user account.
“It is likely that Slavik (aka. Bogachev) and Bentley (aka. Kovalev) shared the same ‘Ferrari’ handle on the Mazafaka forum circa 2014, which suggests the two had a working relationship at that time, and supports the recent US and UK Government announcements regarding Kovalev’s past involvement in cybercrime predating Dyre or the Trickbot Group,” DeBolt said.
CrowdStrike’s Meyers said while Wizard Spider operations have significantly reduced following the demise of Conti in June 2022, today’s sanctions will likely cause temporary disruptions for the cybercriminal group while they look for ways to circumvent the financial restrictions — which make it illegal to transact with or hold the assets of sanctioned persons or entities.
“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name,” Meyers said.
The prosecution of Kovalev is being handled by the U.S. Attorney’s Office in New Jersey. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).
Have you ever been browsing online and clicked a link or search result that took you to a site that triggers a “your connection is not private” or “your connection is not secure” error code? If you’re not too interested in that particular result, you may simply move on to another result option. But if you’re tempted to visit the site anyway, you should be sure you understand what the warning means, what the risks are, and how to bypass the error if you need to.
A “your connection is not private” error means that your browser cannot determine with certainty that a website has safe encryption protocols in place to protect your device and data. You can bump into this error on any device connected to the internet — computer, smartphone, or tablet.
So, what exactly is going on when you see the “this connection is not private” error?
For starters, it’s important to know that seeing the error is just a warning, and it does not mean any of your private information is compromised. A “your connection is not private” error means the website you were trying to visit does not have an up-to-date SSL (secure sockets layer) security certificate.
Website owners must maintain the licensing regularly to ensure the site encryption capabilities are up to date. If the website’s SSL certificate is outdated, it means the site owners have not kept their encryption licensing current, but it doesn’t necessarily mean they are up to no good. Even major websites like LinkedIn have had momentary lapses that would throw the error. LinkedIn mistakenly let their subdomain SSL certificates lapse.
In late 2021, a significant provider of SSL certificates, Let’s Encrypt, went out of business. When their root domain officially lapsed, it created issues for many domain names and SSL certificates owned by legitimate companies. The privacy error created problems for unwitting businesses, as many of their website visitors were rightfully concerned about site security.
While it does not always mean a website is unsafe to browse, it should not be ignored. A secure internet connection is critical to protecting yourself online. Many nefarious websites are dangerous to visit, and this SSL certificate error will protect you from walking into them unaware.
SSL certification standards have helped make the web a safer place to transact. It helps ensure online activities like paying bills online, ordering products, connecting to online banking, or keeping your private email accounts safe and secure. Online security continues to improve with a new Transport Layer Security (TLS) standard, which promises to be the successor protocol to SSL.
So be careful whenever visiting sites that trigger the “connection is not private” error, as those sites can potentially make your personal data less secure and make your devices vulnerable to viruses and malware.
Note: The “your connection is not private” error is Google Chrome‘s phrasing. Microsoft Edge or Mozilla Firefox users will instead see a “your connection is not secure” error as the warning message.
If you feel confident that a website or page is safe, despite the warning from your web browser, there are a few things you can do to troubleshoot the error.
Remember, you are taking your chances anytime you ignore an error. As we mentioned, you could leave yourself vulnerable to hackers after your passwords, personal information, and other risks.
Your data and private information are valuable to hackers, so they will continue to find new ways to try and procure it. Here are some ways to protect yourself and your data when browsing online.
As we continue to do more critical business online, we must also do our best to address the risks of the internet’s many conveniences.
A comprehensive cybersecurity tool like McAfee+ Ultimate can help protect you from online scams, identity theft, and phishing attempts, and ensure you always have a secure connection. McAfee helps keep your sensitive information out of the hands of hackers and can help you keep your digital data footprints lighter with personal data cleanup.
With McAfee’s experts on your side, you can enjoy everything the web offers with the confidence of total protection.
The post “This Connection Is Not Private” – What it Means and How to Protect Your Privacy appeared first on McAfee Blog.
Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.
Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses.
Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.
The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.
Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich“) who enjoyed being seen riding around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses.
The JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber instant message each time a new victim entered a one-time password code into a phishing page mimicking their bank. The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.
Once inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of “money mules,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.
Tank, a.k.a. “DJ Slava Rich,” seen here performing as a DJ in Ukraine in an undated photo from social media.
The JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan — Evgeniy Mikhailovich Bogachev, a top Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of running the Gameover Zeus botnet, a massive crime machine of 500,000 to 1 million infected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware threat that was years ahead of its time.
Investigators knew Bogachev and JabberZeus were linked because for many years they were reading the private Jabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in semi-regular contact with the group about updates to the malware.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in his blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born and gave her birth weight.
“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was enough to positively identify Tank as Penchukov, Warner said.
Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.
Sources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of Ukraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU was coming to raid his home. That warning gave Tank ample time to destroy important evidence against the group, and to avoid being home when the raids happened. Those sources also said Tank used his contacts to have the investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.
Writing for Technology Review, Patrick Howell O’Neil recounted how SBU agents in 2010 were trailing Tank around the city, watching closely as he moved between nightclubs and his apartment.
“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”
I first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for The Washington Post, after a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.
From reading those discussions each day, it became clear Tank was nominally in charge of the Ukrainian crew, and that he spent much of his time overseeing the activities of the money mule recruiters — which were an integral part of their victim cashout scheme.
It was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had a security weakness that allowed anyone who signed up at the portal to view messages for every other user. A scraping tool was built to harvest these money mule recruitment messages, and at the height of the JabberZeus gang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule recruitment sites, each managing hundreds of “employees.”
Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.
When it came time to transfer stolen funds, the recruiters would send a message through the fake company website saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”
Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”
In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.
Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations.
Collectively, these notifications to victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.
This incessant meddling on my part very much aggravated Tank, who on more than one occasion expressed mystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their Jabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank:
lucky12345: It’s fucked.
On Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” — told his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition.
jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation
tank: Mr. Fucking Brian Fucking Kerbs!
Another member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — also is currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.
Alleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI
Update, Nov. 16, 2022, 7:55 p.m. ET:: Multiple media outlets are reporting that Swiss authorities confirmed they arrested a Ukrainian national wanted on cybercrime charges. The arrest occurred in Geneva on Oct. 23, 2022. “The US authorities accuse the prosecuted person of extortion, bank fraud and identity theft, among other things,” reads a statement from the Swiss Federal Office of Justice (FOJ).
“During the hearing on 24 October, 2022, the person did not consent to his extradition to the USA via a simplified proceeding,” the FOJ continued. “After completion of the formal extradition procedure, the FOJ has decided to grant his extradition to the USA on 15 November, 2022. The decision of the FOJ may be appealed at the Swiss Criminal Federal Court, respectively at the Swiss Supreme Court.”
ossl-code-1200
Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.
The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.
According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:
“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”
The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.
The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.
Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.
“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”
A Google-translated version of the Rusdot spam forum.
RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.
Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.
According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address stanx@rusdot.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.
Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address istanx@gmail.com registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444. Another record indexed by Constella suggests Denis’s real surname may in fact be “Emilyantsev” [Емельянцев].
That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.
A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.
The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.
According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk“), and that he even lived in New York City for a while.
“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”
The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”
In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).
The employees who kept things running for RSOCKS, circa 2016.
“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”
Mr. Kloster did not respond to repeated requests for comment.
It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.
“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”
Rsocks told the BlackHatWorld community they would be back soon under a new name.
Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.
Have you noticed that when parents gather, it doesn’t take long before the topic of kids and social media comes up. That’s because concern over screen time is a big deal, especially in this post-pandemic season. Parents want to know: How much is too much screen time? When should we step in? How do we reverse poor habits, and what will the lasting digital fallout of the lockdown be?
These conversations weigh heavy on parents for a good reason. According to a report from Common Sense Media, teens spend an average of seven hours and 22 minutes on their phones a day. Tweens (ages 8 to 12) spend four hours and 44 minutes daily. This is time outside of schoolwork.
Since the pandemic, another study claims that screen time for teens doubled to 7.7 hours a day—plus 5 to 7 daily hours of online learning, according to a study published in JAMA Pediatrics. In addition, according to the Journal of Affective Disorders Reports, children overall have been spending nearly triple the recommended amount of time on their screens.
The good news is that social media also became a powerful tool for kids during the pandemic. Social channels helped kids connect with peers and combat loneliness and other mental health challenges. Still, the poor habit of device dependence may have come with those benefits.
While the debate continues over social media’s impact on kids and the research methodology continues to evolve, we can hold on to one clear truth: Any activity in excess can cause kids harm. When it comes to social media, too much screen time may contribute to sleep deprivation, a lack of healthy, and poor academics. In addition, studies show that mental health can be impacted by exposure to hate speech, sexual content, cyberbullying, and comparing oneself to others both physically and financially.
As parents, we know when our family’s wellbeing is in jeopardy. We see it even if we fail to acknowledge it right away. Our kids might become compelled to check their phones. In fact, they panic when they can’t check their likes and comments every few minutes. We notice the red eyes and moodiness at the breakfast table caused by a late-night Tic Tock marathon. We sense a surge of anxiety in our kids when technology goes from entertaining to distressing.
Thankfully, it’s never too late to help your kids better understand the impact of their actions and revise digital habits.
In the bestselling book Atomic Habits, author James Clear says, “The task of breaking a bad habit is like uprooting a powerful oak within us.” He adds, “The task of building a good habit is like cultivating a delicate flower one day at a time.” Lasting change, says clear, needs to be enjoyable, not a punishment. If the goal is shaving a few hours off your child’s screen time, consider connecting time limits to an enjoyable activity such as making a meal together or creating an art space in your home for creative projects.
The data is in: The bright screens (and blue light emitted from devices( can cause permanent sleep cycle and brain/melatonin issues, which can have a cascading effect on physical and mental health. Turning off (or limiting the use of) electronic devices at least 15-30 minutes before going to bed may help prevent any adverse effects of technology and screen use on sleep. Consider investing in filtering software that comes with the time limits the whole family can all agree on. Do your research to ensure your family’s technology functions to empower, educate, and entertain.
Consider how your child uses their time before suggesting sweeping changes to your child’s screen time. Are they vegetating, or are they consciously engaged? Are they creating and learning? Are they engaging with others or stalking accounts and slipping into “comparison despair?” Are family and school responsibilities suffering? Is there a compulsion to post or thoughtfulness? All kids are different, and all online experiences vary. Encourage your child to take time to consider how they feel and what they think while they are using their technology.
One way to negotiate screen limits is to make sure your kids understand the impact of excess media. Balance includes tapping into the benefits of social media while also taking steps to protect the body’s need for physical activity, real-life relationships, goal-setting, creative activities, mindfulness, and self-reflection.
Helping kids manage and constantly revise their social media habits is a 24/7 endeavor from the minute they wake up to the minute they fall asleep. The biggest piece of that “management” plan and is keeping frequent, open, and honest communication a critical part of designing habits that encourage a healthy relationship with both peers and technology.
The post Does Your Child Have an Unhealthy Relationship with Social Media? appeared first on McAfee Blog.
If you pick up your teen’s phone on any given day, chances are the next stop you make will be Google. That’s because, if you’re like most parents, you’re beyond baffled by texting language kids use.
It’s okay, you are not alone if you feel out of the loop. As parents, we’re not invited to the party—and that’s okay. Slag belongs to the generation that coined it. And few of us are aching to use words like “sus” and “simp,” right? The goal of these updates isn’t to decode or invade. It’s digital parenting 101. The more we know about what’s going on in our child’s world, the better we can parent. It’s our job to know.
So once a year we do our best to decipher some of the more common terms you may hear or see your kids use. Keep in mind: Slang isn’t universal. It changes from city to city and culture to culture. Terms and meanings may vary. Many of the words are fun and harmless, while others are specifically meant to mask risky behavior. Remember, McAfee frees you to live your connected life safe from threats like viruses, malware, phishing, and more. Download award-winning antivirus that protects your data and devices today.
A real one. A person who is being authentic, genuine, trusted.
And I oop. A phrase used after a funny mistake or accident.
Awks. Short for awkward.
Baddie. Name for an independent female who is tough and beautiful.
Bands. Refers to bands around cash or a wealthy person. No doubt, the dude’s got bands.
Bet. A willingness to do something; means “yes” or “okay.”
Big yikes. When you see something, that is a huge embarrassment.
Booed up. To be in a romantic relationship.
Bop. A really good song. That song is such a bop!
Bread or Cheddar. Terms that refer to money.
Breadcrumbing. Sending flirtatious text messages to another person to get their attention but remain non-committal.
Bussin. Something is awesome. Her new hair color is bussin’.
Cake. When someone’s body looks good. The girl in my science class has cake.
Cancel. Reject or stop supporting a group or idea.
Cap. A term that means “lie” or “false.” He said we were a couple. Cap!
No cap. A phrase that means “no lie” or “for real” emphasizes telling the truth. I just saw him eat a bug. No cap!
CEO. A term used to describe something that you’re very good at, making you the CEO of it. I’m the CEO of being late to class.
Cheug. This term describes a person, idea, or situation that is outdated or inauthentic.
Clout. A term that relates to a person’s follower count, fame, or influencer status. Sometimes an expression for an extravagant way of living.
Chasing Clout. A term that describes a person who does and says things for the sole purpose of becoming more popular.
Curve. To reject someone romantically.
Cuffing. Wanting to date or cuff yourself to someone temporarily—at least until summer break.
Do it for the gram. A phrase that describes someone doing something for the sole purpose of posting online.
Drip. A term that describes someone’s style as sexy or cool. Zayne has some serious drip.
Facts. When you agree with someone.
Finsta. A second Instagram account used for sharing with a smaller circle of friends and followers.
Fish. Fishing for compliments.
Fit. Short for outfit.
Flex. To show off or show something off.
Get after it. Start with something with intensity.
Ghost. Suddenly stop all contact with someone online and in person.
Hundo P. Being 100% certain.
Hypebeast. A term that describes someone who cares too much about popular things rather than being self-aware and genuine.
I’m dead. Describes how you feel when something is hilarious.
I’m weak. Like, dead, describes how you feel when something is hilarious.
I can’t even. An expression used when you’ve had enough of someone or a situation.
Keep it 100. Stay true to yourself and stick to your values.
Lewk. Look.
Left on read. When someone does not respond to your text. He left me on read!
Lit. Cool or awesome.
Mood. A term used to express a relatable feeling or experience. Seeing that kid by himself kicking a can is such a mood.
Mutuals. People who follow and support one another on social media.
Oof. An expression used when something bad happens, and you don’t know how to respond.
Periodt. A term used to emphasize what you just said.
Purr. Expressing approval. I’ve got nothing but purr for my friends.
Receipts. Evidence to prove someone is either lying. Often in the form of screenshots, videos, or images.
Savage. A cool person or someone overly direct or candid.
Sketch. A sketchy or ominous situation, place, or person.
Skrrt. To leave quickly or get away from someone (the sound a car makes).
Ship. Short for relationship.
Simp. Used to describe a guy who is seen as being too attentive and submissive to a girl.
Sheesh. A term used to compliment someone when they look good or do something good.
Suh. A combination of “sup” and “huh” used as a greeting.
Sus. Short for suspect describing a situation, a person, or a claim. That guy is sus. Let’s get out of here.
Shawty. An attractive female. Sometimes a short, attractive female.
Sheee. An expression of disappointment, annoyance, or surprise.
Slaps. A term used when something is awesome. The DJ slaps.
Snatched. Describing a person or a thing that looks great. I’m jealous her makeup is so snatched.
Stan. A combination of “stalker” and “fan” refers to an overly obsessed fan of a celebrity.
Straight Fire or Fire. Describes something amazing. His new truck is straight fire.
Thumpin’. Word to describe someone going very. I didn’t even see him leave. He was thumpin’.
Vaguebooking. The act of posting vague Facebook or other social status updates for attention or as a cry for help. Wondering what the point of it all is anyway.
Whip. A word that means car. Have you seen his new whip?
Wig. When something has you so excited, your wig might come off; mind-blowing. The new Adele song!! WIIIIGGG!
Yeet. Throwing something out of rage. Also used as an exclamation for being excited.
NGL. Not Gonna Lie.
NMH. Nodding My Head; an expression of agreement.
NSA. No Strings Attached.
HWU. Hey, what’s up?
IYKWIM. If You Know What I Mean.
RLY. Really?
OG.Short for Original Gangster;a compliment for someone who is exceptional or authentic.
ORLY. Oh really?
SMH. Shaking My Head.
TFW. That Feeling When
TT2T. Too Tired to Talk.
L. Short for loose or loss.
V. Short for very.
W. Short for win. Their loss is our w.
WYA. Where are you at?
WYD. What are you doing?
YK. You’re Kidding.
YKTS. You Know the Score.
YKTV. You know the vibe.
Addy/Study Buddy. Terms used in place of the medication Adderal.
Break Green. A term that means to share marijuana with others.
Crashy. Combo of “crazy” and “trashy.”
Daddy. An attractive man, usually older, who conveys a sense of power and dominance.
Faded/Cooked. Terms used to describe being high on drugs.
Lit/Turnt Up. It can mean party or get drunk.
MOS/POS. Mom Over Shoulder; Parent Over Shoulder.
Kush/Flower/Gas. Terms used in place of marijuana.
Smash. To hook up for casual sex. Is he a smash or a pass?
Thirsty. Adjective for a person desperate for attention or sex.
Xan/Xans. Terms short for Xanax, a sedative used to treat anxiety. Also called xanny, beans, bars, and footballs.
ASL. Age/sex/location.
CD9. Can’t talk parents are here.
CU46. See You For Sex.
GALMA. Go Away Leave Me Alone.
GOMB. Get Off My Back.
GSW. Get Some Weed.
LMIRL. Let’s meet in Real Life.
KMS/KYS. Kill myself, Kill Yourself.
ONG. On God; a term that implies a person is serious enough to swear “on god.”
ONS. One Night Stand.
Spice or K2. Code for synthetic marijuana, which can be more harmful than actual cannabis.
URAL. You’re A Loser.
WWTP. Want to Trade Pics?
X or E. Letters that stand for ecstasy, otherwise known as “molly” or MDMA.
Zaddy. A well-dressed, attractive man of any age.
Zerg. A term that originated in the gaming community for gamers using the many against one strategy to win a game. A Zerg is a person who employs the same bullying tactics in real life. Stay away from him. He’s such a Zerg! Or Stay off that site. There’s too much zerging.
Protect your connected life today with McAfee Total Protection
*Content collected from various sources, including NetLingo.com, slangit.com, cyberdefinitions.com, UrbanDictionary.com, webopedia.com, and conversations on TikTok, Reddit, and YouTube.
The post Teen Slang and Texting Acronyms Parents Should Know appeared first on McAfee Blog.
It’s hard to believe, right, parents? In just a blink or two, you went from being the teenager dropping cool phrases like “rad” and “gnarly” to monitoring a teenager texting words like “lowkey,” “IRL” and “CD9” into her smartphone non-stop.*
For generations, teens have been crafting terms to differentiate themselves from other age groups. The difference today is that smartphone texting has multiplied the scope of that code to include words, emojis, numbers, and hashtags.
The times have changed, fo’ sho.’
You don’t have to speak your child’s language (please don’t). However, with new terms and risks emerging online each day, it’s a good idea to at least understand what they are saying.
Since kids have been spending more time online due to the pandemic, we thought we might discover a few new and interesting terms. We were right. We found stories of teens referring to the Coronavirus as “Miss Rona” and “Rona,” and abbreviating quarantine to “Quar.” A “Corona Bae” is the person you would only plan to date during a lockdown.
Much of the coded language kids use is meant to be funny, sarcastic, or a quick abbreviation. However, there are times when a text exchange can slip into risky territory. Seemingly harmless, text exchanges can spark consequences such as bullying, sextortion, privacy violations, and emotional or physical harm.
To help kids avoid dangerous digital situations, we recommend three things: 1) Talk early and often with your kids about digital risk and behavior expectations, 2) Explore and use parental monitoring software, and 3) Know your child’s friends and communities online and in real life.
Note: Context is everything. Many of these terms are used in jest or as casual banter. Be sure to understand the context in which a word is used.
Flex. This term means showing off. For example, “Look at her trying to flex with her new car.”
Crashy. Description of a person who is thought to be both crazy and trashy.
Clap back. A comeback filled with attitude.
Cringey. Another word for embarrassing.
Hop off. Mind your own business.
Spill tea or Kiki. Dishing gossip.
Sip tea. Listening to gossip.
Salty. Mad, angry, jealous, bitter, upset, or irritated.
“She gave me a salty look in class.”
Extra. Over the top or unnecessarily dramatic.
Left on read. Not replying to someone’s message.
Ghosting. Ending a friendship or relationship online with no explanation.
Neglext. Abandon someone in the middle of a text conversation.
Ok, Boomer. Dismissing someone who is not up to date enough.
(Throw) shade. Insult or trash talk discreetly.
Receipts. Getting digital proof, usually in the form of screenshots.
THOT. Acronym for That H__ Over There.
Thirsty. A term describing a person as desperate or needy. “Look at her staring at him — she’s so thirsty.”
Thirst trap. A sexy photograph or message posted on social media.
Dis. Short for showing blatant disrespect.
Preeing. A word that describes stalking or being stalked on Facebook.
Basic. Referring to a person as mainstream, nothing special. Usually used in a negative connotation.
Chasing Clout. A negative term describing someone trying too hard to get followers on social media.
9, CD9, or Code9, PAW, POS. Parents are around, over the shoulder.
99. All clear, the parents are gone. Safe to resume texting or planning.
KPC. Keeping parents clueless.
Cheddar, Cheese, or Bread. These are all terms that mean money.
Cap. Means to lie as in “she’s capping.” Sending the baseball cap emoji expresses the same feeling. No capping means “I’m not lying.”
Hundo P. Term that is short for “hundred percent;” absolutely, for sure.
Woke. Aware of and outspoken on current on political and social issues.
And I oop. Lighthearted term to describe a silly mistake.
Big oof. A slightly bigger mistake.
Yeet. An expression of excitement. For example, “He kissed me. Yeeeet!”
Retweet. Instead of saying, “yes, I agree,” you say, “retweet.”
Canceled. Absurd or foolish behavior is “canceled.” For example, “He was too negative on our date, so I canceled him.”
Slap or Snatched. Terms that mean fashionable or on point. For instance, “Those shoes are slap” or “You look snatched.”
And just for fun, here’s a laugh out loud video from comedian Seth Meyer’s on teen Coronavirus slang you’ll enjoy on YouTube.
* lowkey (a feeling you want to keep secret), IRL (In Real Life), CD9 also Code9 (Adult Alert used to hide secretive activity). ** Terms collected from various sources, including NetLingo.com, UrbanDictionary.com, webopedia.com, and from tweets and posts from teens online.
The post Can You Decode Your Teen’s Texting Language? appeared first on McAfee Blogs.
FreshRSS 