FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Mandiant's X Account Was Hacked Using Brute-Force Attack

By Newsroom
The compromise of Mandiant's X (formerly Twitter) account last week was likely the result of a "brute-force password attack," attributing the hack to a drainer-as-a-service (DaaS) group. "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the threat intelligence firm said 

X (Twitter) to Collect Biometric Data from Premium Users to Combat Impersonation

By THN
X, the social media site formerly known as Twitter, has updated its privacy policy to collect users’ biometric data to tackle fraud and impersonation on the platform. “Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes,” the company said. The revised policy is expected to go into effect on September 29, 2023. The social

U.K. Cyber Thug “PlugwalkJoe” Gets 5 Years in Prison

By BrianKrebs

Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But O’Connor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by “SIM swapping,” a crime wherein fraudsters trick a mobile provider into diverting a customer’s phone calls and text messages to a device they control.

Joseph “PlugwalkJoe” O’Connor, in a photo from a Globe Newswire press release Sept. 02, 2020, pitching O’Connor as a cryptocurrency expert and advisor.

On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam —  KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, O’Connor was stuck on an indefinite vacation at a popular resort in Spain.

Not long after the Twitter hack, O’Connor was quoted in The New York Times denying any involvement. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldn’t be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.

O’Connor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged O’Connor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.

In late April 2023, O’Connor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, O’Connor was sentenced to five years in prison.

PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control.

From there, the attackers can reset the password for any of the victim’s online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).

O’Connor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.

PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.

Victims who refused to give up social media accounts or submit to extortion demands were often visited with “swatting attacks,” wherein O’Connor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a target’s address.

Prosecutors said O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

In the case of the Twitter hack, O’Connor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface, on July 15, 2020.

To resolve the case against him in New York, O’Connor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.

In addition to the prison term, O’Connor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.

To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.

Three others were charged along with O’Connor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.

This story is good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.

Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do you let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.

UK hacker busted in Spain gets 5 years over Twitter hack and more

By Naked Security writer
Not just that infamous Twitter hack, but SIM-swapping, stalking and swatting too...

Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam

By Ravie Lakshmanan
A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S. Joseph James O'Connor (aka PlugwalkJoe), 24, was awarded the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The infamous Twitter breach allowed the

Interview With a Crypto Scam Investment Spammer

By BrianKrebs

Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.

Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via “private mentions,” a kind of direct messaging on the platform.

The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.

Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point this month the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.

Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastondon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.

Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.

“This was three hours non-stop, 200,000 to 400,000 requests per second,” Chaput said of the DDoS. “At first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times.”

Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But he’s worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.

“We don’t know if this is the work of one person, or if this is [related to] software or services being sold to others,” Chaput told KrebsOnSecurity. “We’re really impressed by the scale of it — using hundreds of domains and thousands of Microsoft email addresses.”

Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same 0auth credentials, and that a domain common to those credentials was quot[.]pw.

A DIRECT QUOT

The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address edgard011012@gmail.com.

This email address is also connected to accounts on several Russian cybercrime forums, including “__edman__,” who had a history of selling “logs” — large amounts of data stolen from many bot-infected computers — as well as giving away access to hacked Internet of Things (IoT) devices.

In September 2018, a user by the name “ципа” (phonetically “Zipper” in Russian) registered on the Russian hacking forum Lolzteam using the edgard0111012@gmail.com address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called “Quot Project” which said they could be hired to write programming scripts in Python and C++.

“I make Telegram bots and other rubbish cheaply,” reads one February 2020 sales thread from Zipper.

Quotpw/Ahick/Edgard/ципа advertising his coding services in this Google-translated forum posting.

Clicking the “open chat in Telegram” button on Zipper’s Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.

“It was made for a limited circle of people,” Quotpw said, noting that they recently released the bot software as open source on GitHub.

Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.

Very often, this proxy software is installed surreptitiously, such as through a “Free VPN” service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.

Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitter’s anti-bot CAPTCHA have put a crimp in their Twitter earnings.

“My partners (I’m programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter,” Quotpw wrote in a Telegram reply. “On Twitter, more spam and crypto scam.”

Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown “they pay more for such work than in ‘white’ jobs” — referring to legitimate programming jobs that don’t involve malware, botnets, spams and scams.

“Consider salaries in Russia,” Quotpw said. “Any spam is made for profit and brings illegal money to spammers.”

THE VIENNA CONNECTION

Shortly after edgard011012@gmail.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to msr-sergey2015@yandex.ru, and to a phone number in Austria: +43.6607003748.

Constella Intelligence, a company that tracks breached data, finds that the address msr-sergey2015@yandex.ru has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.

A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.

Proshutinskiy’s LinkedIn profile says he is a Class of 2024 student at TGM, which is a state-owned, technical and engineering school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.

Mr. Proshutinskiy did not respond to requests for comment.

Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.

“Initially, I bought it for 300 rubles,” Quotpw explained. “The extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me.”

“He’s not even an information security specialist,” Quotpw said of Sergey. “My friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities.”

It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources — all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpw’s spam messages pays handsomely for any investments generated by their spam.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

Update, May 25, 10:30 a.m.:  Corrected attribution of the Austrian school TGM.

Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users

By Ravie Lakshmanan
Twitter is officially beginning to roll out support for encrypted direct messages (DMs) on the platform, more than five months after its chief executive Elon Musk confirmed plans for the feature in November 2022. The "Phase 1" of the initiative will appear as separate conversations alongside existing direct messages on users' inboxes. Encrypted chats carry a lock icon badge to visually

Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison

By Ravie Lakshmanan
A U.K. national has pleaded guilty in the U.S. in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform. Joseph James O'Connor, who also went by the online alias PlugwalkJoe, admitted to "his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter," the U.S.

Twitter tells users: Pay up if you want to keep using insecure 2FA

By Paul Ducklin
Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only

By Ravie Lakshmanan
Twitter has announced that it's limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors," the company said. "We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers." <!--

Twitter Denies Hacking Claims, Assures Leaked User Data Not from its System

By Ravie Lakshmanan
Twitter on Wednesday said that its investigation found "no evidence" that users' data sold online was obtained by exploiting any security vulnerabilities in its systems. "Based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems," the company said in a statement. "The data

Twitter data of “+400 million unique users” up for sale – what to do?

By Paul Ducklin
If the crooks have connected up your phone number and your Twitter handle... what could go wrong?

Ex-Twitter employee Gets 3.5 Years Jail for Spying on Behalf of Saudi Arabia

By Ravie Lakshmanan
A former Twitter employee who was found guilty of spying on behalf of Saudi Arabia by sharing data pertaining to specific individuals has been sentenced to three-and-a-half years in prison. Ahmad Abouammo, 45, was convicted earlier this August on various criminal counts, including money laundering, fraud, falsifying records, and being an illegal agent of a foreign government. Abouammo was

Elon Musk Confirms Twitter 2.0 will Bring End-to-End Encryption to Direct Messages

By Ravie Lakshmanan
Twitter chief executive Elon Musk confirmed plans for end-to-end encryption (E2EE) for direct messages on the platform. The feature is part of Musk's vision for Twitter 2.0, which is expected to be what's called an "everything app." Other functionalities include longform tweets and payments, according to a slide deck shared by Musk over the weekend. <!--adsense--> The company's plans for
❌