RSS Security

🔒
❌ About FreshRSS
There are new articles available, click to refresh the page.
Today — 17 September 2021Krebs on Security

Trial Ends in Guilty Verdict for DDoS-for-Hire Boss

17 September 2021 at 01:22

A jury in California today reached a guilty verdict in the trial of Matthew Gatrel, a St. Charles, Ill. man charged in 2018 with operating two online services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes roughly two weeks after his co-conspirator pleaded guilty to criminal charges related to running the services.

The user interface for Downthem[.]org.

Prosecutors for the Central District of California charged Gatrel, 32, and his business partner Juan “Severon” Martinez of Pasadena, Calif. with operating two DDoS-for-hire or “booter” services — downthem[.]org and ampnode[.]com.

Despite admitting to FBI agents that he ran these booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by public defenders. Facing the prospect of a hefty sentence if found guilty at trial, Martinez pleaded guilty on Aug. 26 to one count of unauthorized impairment of a protected computer.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Investigators say Downthem helped some 2,000 customers launch debilitating digital assaults at more than 200,000 targets, including many government, banking, university and gaming Web sites.

Prosecutors alleged that in addition to running and marketing Downthem, the defendants sold huge, continuously updated lists of Internet addresses tied to devices that could be used by other booter services to make attacks far more powerful and effective. In addition, other booter services also drew firepower and other resources from Ampnode.

Booter and stresser services let customers pick from among a variety of attack methods, but almost universally the most powerful of these methods involves what’s known as a “reflective amplification attack.” In such assaults, the perpetrators leverage unmanaged Domain Name Servers (DNS) or other devices on the Web to create huge traffic floods.

Ideally, DNS servers only provide services to machines within a trusted domain — such as translating an Internet address from a series of numbers into a domain name, like example.com. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web.

Attackers can send spoofed DNS queries to these DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.

The bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.

The government charged that Gatrel and Martinez constantly scanned the Internet for these misconfigured devices, and then sold lists of Internet addresses tied to these devices to other booter service operators.

Gatrel’s sentencing is scheduled for January 27, 2022. He faces a statutory maximum sentence of 35 years in federal prison. However, given the outcome of past prosecutions against other booter service operators, it seems unlikely that Gatrel will spend much time in jail.

The case against Gatrel and Martinez was brought as part of a widespread crackdown on booter services in Dec. 2018, when the FBI joined with law enforcement partners overseas to seize 15 different booter service domains.

Federal prosecutors and DDoS experts interviewed at the time said the operation had three main goals: To educate people that hiring DDoS attacks is illegal, to destabilize the flourishing booter industry, and to ultimately reduce demand for booter services.

The jury is still out on whether any of those goals have been achieved with lasting effect.

The original complaint against Gatrel and Martinez is here (PDF).

Before yesterdayKrebs on Security

Customer Care Giant TTEC Hit By Ransomware

15 September 2021 at 21:31

TTEC, [NASDAQ: TTEC], a company used by some of the world’s largest brands to help manage customer support and sales online and over the phone, is dealing with disruptions from a network security incident resulting from a ransomware attack, KrebsOnSecurity has learned.

While many companies have been laying off or furloughing workers in response to the Coronavirus pandemic, TTEC has been massively hiring. Formerly TeleTech Holdings Inc., Englewood, Co.-based TTEC now has nearly 60,000 employees, most of whom work from home and answer customer support calls on behalf of a large number of name-brand companies, like Bank of America, Best Buy, Credit Karma, Dish Network, Kaiser Permanente, USAA and Verizon.

On Sept. 14, KrebsOnSecurity heard from a reader who passed on an internal message apparently sent by TTEC to certain employees regarding the status of a widespread system outage that began on Sunday, Sept. 12.

“We’re continuing to address the system outage impacting access to the network, applications and customer support,” reads an internal message sent by TTEC to certain employees.

TTEC has not responded to requests for comment. A phone call placed to the media contact number listed on an August 2021 TTEC earnings release produced a message saying it was a non-working number.

[Update, 6:20 p.m. ET: TTEC confirmed a ransomware attack. See the update at the end of this piece for their statement]

TTEC’s own message to employees suggests the company’s network may have been hit by the ransomware group “Ragnar Locker,” (or else by a rival ransomware gang pretending to be Ragnar). The message urged employees to avoid clicking on a file that suddenly may have appeared in their Windows start menu called “!RA!G!N!A!R!”

“DO NOT click on this file,” the notice read. “It’s a nuisance message file and we’re working on removing it from our systems.”

Ragnar Locker is an aggressive ransomware group that typically demands millions of dollars worth of cryptocurrency in ransom payments. In an announcement published on the group’s darknet leak site this week, the group threatened to publish the full data of victims who seek help from law enforcement and investigative agencies following a ransomware attack.

One of the messages texted to TTEC employees included a link to a Zoom videoconference line at ttec.zoom.us. Clicking that link opened a Zoom session in which multiple TTEC employees who were sharing their screens took turns using the company’s Global Service Desk, an internal TTEC system for tracking customer support tickets.

The TTEC employees appear to be using the Zoom conference line to report the status of various customer support teams, most of which are reporting “unable to work” at the moment.

For example, TTEC’s Service Desk reports that hundreds of TTEC employees assigned to work with Bank of America’s prepaid services are unable to work because they can’t remotely connect to TTEC’s customer service tools. More than 1,000 TTEC employees are currently unable to do their normal customer support work for Verizon, according to the Service Desk data. Hundreds of employees assigned to handle calls for Kaiser Permanente also are unable to work.

“They’ve been radio silent all week except to notify employees to take another day off,” said the source who passed on the TTEC messages, who spoke to KrebsOnSecurity on condition of anonymity. “As far as I know, all low-level employees have another day off today.”

The extent and severity of the incident at TTEC remains unknown. It is common for companies to disconnect critical systems in the event of a network intrusion, as part of a larger effort to stop the badness from spreading elsewhere. Sometimes disconnecting everything actually does help, or at least helps to keep the attack from spreading to partner networks. But it is those same connections to partner companies that raises concern in the case of TTEC’s ongoing outage.

In the meantime, if you’re unlucky enough to need to make a customer service call today, there’s a better-than-even chance you will experience….wait for it…longer-than-usual hold times.

This is a developing story. Further details or updates will be noted here with a date and time stamp.

Update, 5:37 p.m. ET: TTEC responded with the following statement:

TTEC is committed to cyber security, and to protecting the integrity of our clients’ systems and data. We recently became aware of a cybersecurity incident that has affected certain TTEC systems.  Although as a result of the  incident, some of our data was encrypted and business activities at several facilities have been temporarily disrupted, the company continuous to serve its global clients. TTEC immediately activated its information security incident response business continuity protocols, isolated the systems involved, and took other appropriate measures to contain the incident. We are now in the process of  carefully and deliberately restoring the systems that have been involved.

We also launched an investigation, typical under the circumstances, to determine the potential impacts.  In serving our clients TTEC, generally, does not maintain our clients’ data, and the investigation to date has not identified compromise to clients’ data. That investigation is on-going and we will take additional action, as appropriate, based on the investigation’s results. This is all the information we have to share until our investigation is complete.

Microsoft Patch Tuesday, September 2021 Edition

14 September 2021 at 21:00

Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google‘s got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.

Four of the flaws fixed in this patch batch earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by miscreants or malware to remotely compromise a Windows PC with little or no help from the user.

Top of the critical heap is CVE-2021-40444, which affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. In a security advisory last week, Microsoft warned attackers already are exploiting the flaw through Microsoft Office applications as well as IE.

The critical bug CVE-2021-36965 is interesting, as it involves a remote code execution flaw in “WLAN AutoConfig,” the component in Windows 10 and many Server versions that handles auto-connections to Wi-Fi networks. One mitigating factor here is that the attacker and target would have to be on the same network, although many systems are configured to auto-connect to Wi-Fi network names with which they have previously connected.

Allan Liska, senior security architect at Recorded Future, said a similar vulnerability — CVE-2021-28316 — was announced in April.

“CVE-2021-28316 was a security bypass vulnerability, not remote code execution, and it has never been reported as publicly exploited,” Liska said. “That being said, the ubiquity of systems deployed with WLAN AutoConfig enabled could make it an attractive target for exploitation.”

Another critical weakness that enterprises using Azure should prioritize is CVE-2021-38647, which is a remote code execution bug in Azure Open Management Infrastructure (OMI) that has a CVSS Score of 9.8 (10 is the worst). It was reported and detailed by researchers at Wiz.io, who said CVE-2021-38647 was one of four bugs in Azure OMI they found that Microsoft patched this week.

“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” Wiz.io’s Nir Ohfeld wrote. “In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.”

Kevin Breen of Immersive Labs calls attention to several “privilege escalation” flaws fixed by Microsoft this month, noting that while these bugs carry lesser severity ratings, Microsoft considers them more likely to be exploited by bad guys and malware.

CVE-2021-38639 and CVE-2021-36975 have also been listed as ‘exploitation more likely’ and together cover the full range of supported Windows versions,” Breem wrote. “I am starting to feel like a broken record when talking about privilege escalation vulnerabilities. They typically have a lower CVSS score than something like Remote Code Execution, but these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker. If you can block them here you have the potential to significantly limit their damage. If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I would argue that patching these is even more important than patching some other Remote Code execution vulnerabilities.”

Apple on Monday pushed out an urgent security update to fix a “zero-click” iOS vulnerability (CVE-2021-30860) reported by researchers at Citizen Lab that allows commands to be run when files are opened on certain Apple devices. Citizen Lab found that an exploit for CVE-2021-30860 was being used by the NSO Group, an Israeli tech company whose spyware enables the remote surveillance of smartphones.

Google also released a new version of its Chrome browser on Monday to fix nine vulnerabilities, including two that are under active attack. If you’re running Chrome, keep a lookout for when you see an “Update” tab appear to the right of the address bar. If it’s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.

As it usually does on Patch Tuesday, Adobe also released new versions of Reader, Acrobat and a large number of other products. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates today.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

KrebsOnSecurity Hit By Huge New IoT Botnet “Meris”

10 September 2021 at 18:12

On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack. The assault came from “Meris,” the same new botnet behind record-shattering attacks against Russian search giant Yandex this week and internet infrastructure firm Cloudflare earlier this summer.

Cloudflare recently wrote about its attack, which clocked in at 17.2 million bogus requests-per-second. To put that in perspective, Cloudflare serves over 25 million HTTP requests per second on average.

In its Aug. 19 writeup, Cloudflare neglected to assign a name to the botnet behind the attack. But on Thursday DDoS protection firm Qrator Labs identified the culprit — “Meris” — a new monster that first emerged at the end of June 2021.

Qrator says Meris has launched even bigger attacks since: A titanic and ongoing DDoS that hit Russian Internet search giant Yandex last week is estimated to have been launched by roughly 250,000 malware-infected devices globally, sending 21.8 million bogus requests-per-second.

While last night’s Meris attack on this site was far smaller than the recent Cloudflare DDoS, it was far larger than the Mirai DDoS attack in 2016 that held KrebsOnSecurity offline for nearly four days. The traffic deluge from Thursday’s attack on this site was more than four times what Mirai threw at this site five years ago. This latest attack involved more than two million requests-per-second. By comparison, the 2016 Mirai DDoS generated approximately 450,000 requests-per-second.

According to Qrator, which is working with Yandex on combating the attack, Meris appears to be made up of Internet routers produced by MikroTik. Qrator says the United States is home to the most number of MikroTik routers that are potentially vulnerable to compromise by Meris — with more than 42 percent of the world’s MikroTik systems connected to the Internet (followed by China — 18.9 percent– and a long tail of one- and two-percent countries).

The darker areas indicate larger concentrations of potentially vulnerable MikroTik routers. Qrator says there are about 328,000 MikroTik devices currently responding to requests from the Internet. Image: Qrator.

It’s not immediately clear which security vulnerabilities led to these estimated 250,000 MikroTik routers getting hacked by Meris.

“The spectrum of RouterOS versions we see across this botnet varies from years old to recent,” the company wrote. “The largest share belongs to the version of firmware previous to the current stable one.”

Qrator’s breakdown of Meris-infected MikroTik devices by operating system version.

It’s fitting that Meris would rear its head on the five-year anniversary of the emergence of Mirai, an Internet of Things (IoT) botnet strain that was engineered to out-compete all other IoT botnet strains at the time. Mirai was extremely successful at crowding out this competition, and quickly grew to infect tens of thousands of IoT devices made by dozens of manufacturers.

And then its co-authors decided to leak the Mirai source code, which led to the proliferation of dozens of Mirai variants, many of which continue to operate today.

The biggest contributor to the IoT botnet problem — a plethora of companies white-labeling IoT devices that were never designed with security in mind and are often shipped to the customer in default-insecure states — hasn’t changed much, mainly because these devices tend to be far cheaper than more secure alternatives.

The good news is that over the past five years, large Internet infrastructure companies like Akamai, Cloudflare and Google (which protects this site with its Project Shield initiative) have heavily invested in ramping up their ability to withstand these outsized attacks [full disclosure: Akamai is an advertiser on this site].

More importantly, the Internet community at large has gotten better at putting their heads together to fight DDoS attacks, by disrupting the infrastructure abused by these enormous IoT botnets, said Richard Clayton, director of Cambridge University’s Cybercrime Centre.

“It would be fair to say we’re currently concerned about a couple of botnets which are larger than we have seen for some time,” Clayton said. “But equally, you never know they may peter out. There are a lot of people who spend their time trying to make sure these things are hard to keep stable. So there are people out there defending us all.”

Microsoft: Attackers Exploiting Windows Zero-Day Flaw

8 September 2021 at 15:03

Microsoft Corp. warns that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.

According to a security advisory from Redmond, the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. IE been slowly abandoned for more recent Windows browsers like Edge, but the same vulnerable component also is used by Microsoft Office applications for rendering web-based content.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw.

On of the researchers credited — EXPMONsaid on Twitter that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.

“The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” EXPMON tweeted.

Windows users could see an official fix for the bug as soon as September 14, when Microsoft is slated to release its monthly “Patch Tuesday” bundle of security updates.

This year has been a tough one for Windows users and so-called “zero day” threats, which refers to vulnerabilities that are not patched by current versions of the software in question, and are being actively exploited to break into vulnerable computers.

Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base. In fact, by my count May was the only month so far this year that Microsoft didn’t release a patch to fix at least one zero-day attack in Windows or supported software.

Many of those zero-days involve older Microsoft technologies or those that have been retired, like IE11; Microsoft officially retired support for Microsoft Office 365 apps and services on IE11 last month. In July, Microsoft rushed out a fix for the Print Nightmare vulnerability that was present in every supported version of Windows, only to see the patch cause problems for a number of Windows users.

On June’s Patch Tuesday, Microsoft addressed six zero-day security holes. And of course in March, hundreds of thousands of organizations running Microsoft Exchange email servers found those systems compromised with backdoors thanks to four zero-day flaws in Exchange.

“FudCo” Spam Empire Tied to Pakistani Software Firm

6 September 2021 at 19:04

In May 2015, KrebsOnSecurity briefly profiledThe Manipulaters,” the name chosen by a prolific cybercrime group based in Pakistan that was very publicly selling spam tools and a range of services for crafting, hosting and deploying malicious email. Six years later, a review of the social media postings from this group shows they are prospering, while rather poorly hiding their activities behind a software development firm in Lahore that has secretly enabled an entire generation of spammers and scammers.

The Web site in 2015 for the “Manipulaters Team,” a group of Pakistani hackers behind the dark web identity “Saim Raza,” who sells spam and malware tools and services.

The Manipulaters’ core brand in the underground is a shared cybercriminal identity named “Saim Raza,” who for the past decade across dozens of cybercrime sites and forums has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” etc.

The common acronym in nearly all of Saim Raza’s domains over the years — “FUD” — stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

One of several current Fudtools sites run by The Manipulaters.

The current website for Saim Raza’s Fud Tools (above) offers phishing templates or “scam pages” for a variety of popular online sites like Office365 and Dropbox. They also sell “Doc Exploit” products that bundle malicious software with innocuous Microsoft Office documents; “scampage hosting” for phishing sites; a variety of spam blasting tools like HeartSender; and software designed to help spammers route their malicious email through compromised sites, accounts and services in the cloud.

For years leading up to 2015, “[email protected]” was the name on the registration records for thousands of scam domains that spoofed some of the world’s top banks and brand names, but particularly Apple and Microsoft. When confronted about this, The Manipulaters founder Madih-ullah Riaz replied, “We do not deliberately host or allow any phishing or any other abusive website. Regarding phishing, whenever we receive complaint, we remove the services immediately. Also we are running business since 2006.”

The IT network of The Manipulaters, circa 2013. Image: Facebook

Two years later, KrebsOnSecurity received an email from Riaz asking to have his name and that of his business partner removed from the 2015 story, saying it had hurt his company’s ability to maintain stable hosting for their stable of domains.

“We run web hosting business and due to your post we got very serious problems especially no data center was accepting us,” Riaz wrote in a May 2017 email. “I can see you post on hard time criminals we are not criminals, at least it was not in our knowledge.”

Riaz said the problem was his company’s billing system erroneously used The Manipulators’ name and contact information instead of its clients in WHOIS registration records. That oversight, he said, caused many researchers to erroneously attribute to them activity that was coming from just a few bad customers.

“We work hard to earn money and it is my request, 2 years of my name in your wonderful article is enough punishment and we learned from our mistakes,” he concluded.

The Manipulaters have indeed learned a few new tricks, but keeping their underground operations air-gapped from their real-life identities is mercifully not one of them.

ZERO OPERATIONAL SECURITY

Phishing domain names registered to The Manipulaters included an address in Karachi, with the phone number 923218912562. That same phone number is shared in the WHOIS records for 4,000+ domains registered through domainprovider[.]work, a domain controlled by The Manipulaters that appears to be a reseller of another domain name provider.

One of Saim Raza’s many ads in the cybercrime underground for his Fudtools service promotes the domain fudpage[.]com, and the WHOIS records for that domain share the same Karachi phone number. Fudpage’s WHOIS records list the contact as “[email protected],” which is another email address used by The Manipulaters to register domains.

As I noted in 2015, The Manipulaters Team used domain name service (DNS) settings from another blatantly fraudulent service called ‘FreshSpamTools[.]eu,’ which was offered by a fellow Pakistani who also conveniently sold phishing toolkits targeting a number of big banks.

The WHOIS records for FreshSpamTools briefly list the email address [email protected], which corresponds to the email address for a Facebook account of a Bilal “Sunny” Ahmad Warraich (a.k.a. Bilal Waddaich).

Bilal Waddaich’s current Facebook profile photo includes many current and former employees of We Code Solutions.

Warraich’s Facebook profile says he works as an IT support specialist at a software development company in Lahore called We Code Solutions.

The We Code Solutions website.

A review of the hosting records for the company’s website wecodesolutions[.]pk show that over the past three years it has shared a server with just a handful of other domains, including:

-saimraza[.]tools
-fud[.]tools
-heartsender[.]net
-fudspampage[.]com
-fudteam[.]com
-autoshopscript[.]com
-wecodebilling[.]com
-antibotspanel[.]com
-sellonline[.]tools

FUD CO

The profile image atop Warraich’s Facebook page is a group photo of current and former We Code Solutions employees. Helpfully, many of the faces in that photo have been tagged and associated with their respective Facebook profiles.

For example, the Facebook profile of Burhan Ul Haq, a.k.a. “Burhan Shaxx” says he works in human relations and IT support for We Code Solutions. Scanning through Ul Haq’s endless selfies on Facebook, it’s impossible to ignore a series of photos featuring various birthday cakes and the words “Fud Co” written in icing on top.

Burhan Ul Haq’s photos show many Fud Co-themed cakes the We Code Solutions employees enjoyed on the anniversary of the Manipulaters Team.

Yes, from a review of the Facebook postings of We Code Solutions employees, it appears that for at least the last five years this group has celebrated an anniversary every May with a Fud Co cake, non-alcoholic sparkling wine, and a Fud Co party or group dinner. Let’s take a closer look at that delicious cake:

The head of We Code Solutions appears to be a guy named Rameez Shahzad, the older individual at the center of the group photo in Warraich’s Facebook profile. You can tell Shahzad is the boss because he is at the center of virtually every group photo he and other We Code Solutions employees posted to their respective Facebook pages.

We Code Solutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.

Shahzad’s postings on Facebook are even more revelatory: On Aug. 3, 2018, he posted a screenshot of someone logged into a website under the username Saim Raza — the same identity that’s been pimping Fud Co spam tools for close to a decade now.

“After [a] long time, Mailwizz ready,” Shahzad wrote as a caption to the photo:

We Code Solutions boss Rameez Shahzad posted on Facebook a screenshot of someone logged into a WordPress site with the username Saim Raza, the same cybercriminal identity that has peddled the FudTools spam empire for more than 10 years.

Whoever controlled the Saim Raza cybercriminal identity had a penchant for re-using the same password (“lovertears”) across dozens of Saim Raza email addresses. One of Saim Raza’s favorite email address variations was “[email protected][pick ISP here]”. Another email address advertised by Saim Raza was “[email protected]

So it was not surprising to see Rameez Shahzad post a screenshot to his Facebook account of his computer desktop, which shows he is logged into a Skype account that begins with the name “game.” and a Gmail account beginning with “bluebtc.”

Image: Scylla Intel

KrebsOnSecurity attempted to reach We Code Solutions via the contact email address on its website — [email protected][.]pk — but the message bounced back, saying there was no such address. Similarly, a call to the Lahore phone number listed on the website produced an automated message saying the number is not in service. None of the We Code Solutions employees contacted directly via email or phone responded to requests for comment.

FAIL BY NUMBERS

This open-source research on The Manipulaters and We Code Solutions is damning enough. But the real icing on the Fud Co cake is that sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s past and current business operations.

That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Whoops.

Scylla co-founder Sasha Angus said the messages that flooded their inbox once they set up an email server on that domain quickly filled in many of the details they didn’t already have about The Manipulaters.

“We know the principals, their actual identities, where they are, where they hang out,” Angus said. “I’d say we have several thousand exhibits that we could put into evidence potentially. We have them six ways to Sunday as being the guys behind this Saim Raza spammer identity on the forums.”

Angus said he and a fellow researcher briefed U.S. prosecutors in 2019 about their findings on The Manipulaters, and that investigators expressed interest but also seemed overwhelmed by the volume of evidence that would need to be collected and preserved about this group’s activities.

“I think one of the things the investigators found challenging about this case was not who did what, but just how much bad stuff they’ve done over the years,” Angus said. “With these guys, you keep going down this rabbit hole that never ends because there’s always more, and it’s fairly astonishing. They are prolific. If they had halfway decent operational security, they could have been really successful. But thankfully, they don’t.”

Gift Card Gang Extracts Cash From 100k Inboxes Daily

2 September 2021 at 16:40

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds “OK” = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available.  For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.

Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

The Gift Card Gang’s Footprint

How do the compromised email credentials break down in terms of ISPs and email providers? There are victims on nearly all major email networks, but Bill said several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said.  “I don’t know why they’re getting popped so heavily.”

That may sound like a lot of hacked inboxes, but Bill said some of the bigger ISPs represented in his data have tens or hundreds of millions of customers.

Measuring which ISPs and email providers have the biggest numbers of compromised customers is not so simple in many cases, nor is identifying companies with employees whose email accounts have been hacked.

This kind of mapping is often more difficult than it used to be because so many organizations have now outsourced their email to cloud services like Gmail and Microsoft Office365 — where users can access their email, files and chat records all in one place.

“It’s a little complicated with Office 365 because it’s one thing to say okay how many Hotmail connections are you seeing per day in all this credential-stuffing activity, and you can see the testing against Hotmail’s site,” Bill said. “But with the IMAP traffic we’re looking at, the usernames being logged into are any of the million or so domains hosted on Office365, many of which will tell you very little about the victim organization itself.”

On top of that, it’s also difficult to know how much activity you’re not seeing.

Looking at the small set of Internet address blocks he knows are associated with Microsoft 365 email infrastructure, Bill examined the IMAP traffic flowing from this group to those blocks. Bill said that in the first week of April 2021, he identified 15,000 compromised Office365 accounts being accessed by this group, spread over 6,500 different organizations that use Office365.

“So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,” Bill explained. “And with our puny visibility into probably less than one percent of overall password stuffing traffic aimed at Microsoft, we’re seeing 600 Office accounts being breached a day. So if I’m only seeing one percent, that means we’re likely talking about tens of thousands of Office365 accounts compromised daily worldwide.”

In a December 2020 blog post about how Microsoft is moving away from passwords to more robust authentication approaches, the software giant said an average of one in every 250 corporate accounts is compromised each month. As of last year, Microsoft had nearly 240 million active users, according to this analysis.

“To me, this is an important story because for years people have been like, yeah we know email isn’t very secure, but this generic statement doesn’t have any teeth to it,” Bill said. “I don’t feel like anyone has been able to call attention to the numbers that show why email is so insecure.”

Bill says that in general companies have a great many more tools available for securing and analyzing employee email traffic when that access is funneled through a Web page or VPN, versus when that access happens via IMAP.

“It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”

Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.

“For context, our research indicates that multi-factor authentication prevents more than 99.9% of account compromises,” reads a statement from Microsoft. “Moreover, for enterprise customers, innovations like Security Defaults, which disables basic authentication and requires users to enroll a second factor, have already significantly decreased the proportion of compromised accounts. In addition, for consumer accounts, adding a second authentication factor is required on all accounts.”

A Mess That’s Likely to Stay That Way

Bill said he’s frustrated by having such visibility into this credential testing botnet while being unable to do much about it. He’s shared his data with some of the bigger ISPs in Europe, but says months later he’s still seeing those same inboxes being accessed by the gift card gang.

The problem, Bill says, is that many large ISPs lack any sort of baseline knowledge of or useful data about customers who access their email via IMAP. That is, they lack any sort of instrumentation to be able to tell the difference between legitimate and suspicious logins for their customers who read their messages using an email client.

“My guess is in a lot of cases the IMAP servers by default aren’t logging every search request, so [the ISP] can’t go back and see this happening,” Bill said.

Confounding the challenge, there isn’t much of an upside for ISPs interested in voluntarily monitoring their IMAP traffic for hacked accounts.

“Let’s say you’re an ISP that does have the instrumentation to find this activity and you’ve just identified 10,000 of your customers who are hacked. But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”

Which means those 10,000 customers are then going to start receiving error messages whenever they try to access their email.

“Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”

Indictators of Compromise (IoCs)

It’s not often KrebsOnSecurity has occasion to publish so-called “indicators of compromise” (IoC)s, but hopefully some ISPs may find the information here useful. This group automates the searching of inboxes for specific domains and trademarks associated with gift card activity and other accounts with stored electronic value, such as rewards points and mileage programs.

This file includes the top inbox search terms used in a single 24 hour period by the gift card gang. The numbers on the left in the spreadsheet represent the number of times during that 24 hour period where the gift card gang ran a search for that term in a compromised inbox.

Some of the search terms are focused on specific brands — such as Amazon gift cards or Hilton Honors points; others are for major gift card networks like CashStar, which issues cards that are white-labeled by dozens of brands like Target and Nordstrom. Inboxes hacked by this gang will likely be searched on many of these terms over the span of just a few days.

15-Year-Old Malware Proxy Network VIP72 Goes Dark

1 September 2021 at 20:09

Over the past 15 years, a cybercrime anonymity service known as VIP72 has enabled countless fraudsters to mask their true location online by routing their traffic through millions of malware-infected systems. But roughly two weeks ago, VIP72’s online storefront — which ironically enough has remained at the same U.S.-based Internet address for more than a decade — simply vanished.

Like other anonymity networks marketed largely on cybercrime forums online, VIP72 routes its customers’ traffic through computers that have been hacked and seeded with malicious software. Using services like VIP72, customers can select network nodes in virtually any country, and relay their traffic while hiding behind some unwitting victim’s Internet address.

The domain Vip72[.]org was originally registered in 2006 to “Corpse,” the handle adopted by a Russian-speaking hacker who gained infamy several years prior for creating and selling an extremely sophisticated online banking trojan called A311 Death, a.k.a. “Haxdoor,” and “Nuclear Grabber.” Haxdoor was way ahead of its time in many respects, and it was used in multiple million-dollar cyberheists long before multi million-dollar cyberheists became daily front page news.

An ad circa 2005 for A311 Death, a powerful banking trojan authored by “Corpse,” the administrator of the early Russian hacking clique Prodexteam. Image: Google Translate via Archive.org.

Between 2003 and 2006, Corpse focused on selling and supporting his Haxdoor malware. Emerging in 2006, VIP72 was clearly one of his side hustles that turned into a reliable moneymaker for many years to come. And it stands to reason that VIP72 was launched with the help of systems already infected with Corpse’s trojan malware.

The first mention of VIP72 in the cybercrime underground came in 2006 when someone using the handle “Revive” advertised the service on Exploit, a Russian language hacking forum. Revive established a sales presence for VIP72 on multiple other forums, and the contact details and messages shared privately by that user with other forum members show Corpse and Revive are one and the same.

When asked in 2006 whether the software that powered VIP72 was based on his Corpse software, Revive replied that “it works on the new Corpse software, specially written for our service.”

One denizen of a Russian language crime forum who complained about the unexplained closure of VIP72 last month said they noticed a change in the site’s domain name infrastructure just prior to the service’s disappearance. But that claim could not be verified, as there simply are no signs that any of that infrastructure changed prior to VIP72’s demise.

In fact, until mid-August VIP72’s main home page and supporting infrastructure had remained at the same U.S.-based Internet address for more than a decade — a remarkable achievement for such a high-profile cybercrime service.

Cybercrime forums in multiple languages are littered with tutorials about how to use VIP72 to hide one’s location while engaging in financial fraud. From examining some of those tutorials, it is clear that VIP72 is quite popular among cybercriminals who engage in “credential stuffing” — taking lists of usernames and passwords stolen from one site and testing how many of those credentials work at other sites.

Corpse/Revive also long operated an extremely popular service called check2ip[.]com, which promised customers the ability to quickly tell whether a given Internet address is flagged by any security companies as malicious or spammy.

Hosted on the same Internet address as VIP72 for the past decade until mid-August 2021, Check2IP also advertised the ability to let customers detect “DNS leaks,” instances where configuration errors can expose the true Internet address of hidden cybercrime infrastructure and services online.

Check2IP is so popular that it has become a verbal shorthand for basic due diligence in certain cybercrime communities. Also, Check2IP has been incorporated into a variety of cybercrime services online — but especially those involved in mass-mailing malicious and phishous email messages.

Check2IP, an IP reputation service that told visitors whether their Internet address was flagged in any spam or malware block lists.

It remains unclear what happened to VIP72; users report that the anonymity network is still functioning even though the service’s website has been gone for two weeks. That makes sense since the infected systems that get resold through VIP72 are still infected and will happily continue to forward traffic so long as they remain infected. Perhaps the domain was seized in a law enforcement operation.

But it could be that the service simply decided to stop accepting new customers because it had trouble competing with an influx of newer, more sophisticated criminal proxy services, as well as with the rise of “bulletproof” residential proxy networks. For most of its existence until recently, VIP72 normally had several hundred thousand compromised systems available for rent. By the time its website vanished last month — that number had dwindled to fewer than 25,000 systems globally.

Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents

25 August 2021 at 22:20

In 2018, Andrew Schober was digitally mugged for approximately $1 million worth of bitcoin. After several years of working with investigators, Schober says he’s confident he has located two young men in the United Kingdom responsible for using a clever piece of digital clipboard-stealing malware to siphon his crypto holdings. Schober is now suing each of their parents in a civil case that seeks to extract what their children would not return voluntarily.

In a lawsuit filed in Colorado, Schober said the sudden disappearance of his funds in January 2018 prompted him to spend more than $10,000 hiring experts in the field of tracing cryptocurrency transactions. After months of sleuthing, his investigators identified the likely culprits: Two young men in Britain who were both minors at the time of the crime (both are currently studying computer science at U.K. universities).

A forensic investigation of Schober’s computer found he’d inadvertently downloaded malicious software after clicking a link posted on Reddit for a purported cryptocurrency wallet application called “Electrum Atom.” Investigators determined that the malware was bundled with the benign program, and was designed to lie in wait for users to copy a cryptocurrency address to their computer’s temporary clipboard.

When Schober went to move approximately 16.4 bitcoins from one account to another — by pasting the lengthy payment address he’d just copied — the malware replaced his bitcoin payment address with a different address controlled by the young men.

Schober’s lawsuit lays out how his investigators traced the stolen funds through cryptocurrency exchanges and on to the two youths in the United Kingdom. In addition, they found one of the defendants — just hours after Schober’s bitcoin was stolen — had posted a message to GitHub asking for help accessing the private key corresponding to the public key of the bitcoin address used by the clipboard-stealing malware.

Investigators found the other defendant had the malware code that was bundled with the Electrum Atom application in his Github code library.

Initially, Schober hoped that the parents of the thieving teens would listen to reason, and simply return the money. So he wrote a letter to the parents of both boys:

“It seems your son has been using malware to steal money from people online,” reads the opening paragraph of the letter Schober emailed to the families. “Losing that money has been financially and emotionally devastating. He might have thought he was playing a harmless joke, but it has had serious consequences for my life.”

A portion of the letter than Schober sent to two of the defendants in 2018, after investigators determined their sons were responsible for stealing nearly $1 million in cryptocurrency from Schober.

Met with continued silence from the parents for many months, Schober filed suit against the kids and their parents in a Colorado court. A copy of the May 2021 complaint is here (PDF).

Now they are responding. One of the defendants —Hazel D. Wells — just filed a motion with the court to represent herself and her son in lieu of hiring an attorney. In a filing on Aug. 9, Wells helpfully included the letter in the screenshot above, and volunteered that her son had been questioned by U.K. authorities in connection with the bitcoin theft.

Neither of the defendants’ families are disputing the basic claim that their kids stole from Mr. Schober. Rather, they’re asserting that time has run out on Schober’s legal ability to claim a cause of action against them.

“Plaintiff alleges two common law causes of action (conversion and trespass to chattel), for which a three-year statute of limitations applies,” an attorney for the defendants argued in a filing on Aug. 6 (PDF). “Plaintiff further alleges a federal statutory cause of action, for which a two-year statute of limitations applies. Because plaintiff did not file his lawsuit until May 21, 2021, three years and five months after his injury, his claims should be dismissed.”

Schober’s attorneys argue (PDF) that “the statute of limitations begins to run when the Plaintiff knows or has reason to know of the existence and cause of the injury which is the base of his action,” and that inherent in this concept is the discovery rule, namely: That the statute of limitations does not begin to run until the plaintiff knows or has reason to know of both the existence and cause of his injury.

The plaintiffs point out that Schober’s investigators didn’t pinpoint one of the young men’s involvement until more than a year after they’d identified his co-conspirator, saying Schober notified the second boy’s parents in December 2019.

None of the parties to this lawsuit responded to requests for comment.

Image: Complaint, Schober v. Thompson, et. al.

Mark Rasch, a former prosecutor with the U.S. Justice Department, said the plaintiff is claiming the parents are liable because he gave them notice of a crime committed by their kids and they failed to respond.

“A lot of these crimes are being committed by juveniles, and we don’t have a good juvenile justice system that’s well designed to both civilly and criminally go after kids,” Rasch said.

Rasch said he’s currently an attorney in a number of lawsuits involving young men who’ve been accused of stealing and laundering millions of dollars of cryptocurrency — specifically crimes involving SIM swapping — where the fraudsters trick or bribe an employee at a mobile phone store into transferring control of a target’s phone number to a device they control.

In those cases, the plaintiffs have sought to extract compensation for their losses from the mobile phone companies — but so far those lawsuits have largely failed to yield results and are often pushed into arbitration.

Rasch said it makes sense that some victims of cryptocurrency theft are spending some serious coin to track down their assailants and sue them civilly. But he said the legwork needed to make that case is tremendous and costly, and there’s no guarantee those investments will pay off down the road.

“These crimes can be monumentally difficult and expensive to track down,” he said. “It’s designed to be difficult to do, but it’s also not designed to be impossible to do.”

As evidenced by this week’s CNBC story on a marked rise in reports of people having their Coinbase accounts emptied by fraudsters, many people investing in cryptocurrencies find out the hard way that unlike traditional banking transactions — cryptocurrency funds lost to theft are likely to stay lost because the transactions are irreversible.

Traditionally, the major crypto exchanges have said they’re not responsible for lost or stolen funds. But perhaps in response to the CNBC story, Coinbase said it was introducing a new pilot “guarantee” for U.K. customers only, wherein they will be eligible for a reimbursement of up £150,000 if someone gains unauthorized access to their account and steals funds.

However, it seems unlikely Coinbase’s new guarantee would cover cases like Schober’s — even if he’d been a U.K. customer and the theft occurred today. One of the caveats that is not covered in the guarantee is sending funds to the wrong address by accident.

Wanted: Disgruntled Employees to Deploy Ransomware

19 August 2021 at 16:27

Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.

Image: Abnormal Security.

Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.

This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on GitHub.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.

Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram.

Image: Abnormal Security.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.

“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.

According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.

Image: FBI

“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”

“While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.

DON’T QUIT YOUR DAY JOB

Cybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer’s network for a fee (for more on that, see my 2016 story, Rise of the Darknet Stokes Fear of the Insider).

Indeed, perhaps this enterprising Nigerian scammer is just keeping up with current trends. Several established ransomware affiliate gangs that have recently rebranded under new banners seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks.

For example, the Lockbit 2.0 ransomware-as-a-service gang actually includes a solicitation for insiders in the desktop wallpaper left behind on systems encrypted with the malware.

“Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company,” LockBit’s unusual ad reads. “You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.”

Image: Sophos.

Likewise, the newly formed BlackMatter ransomware gang kicked off its presence on the cybercrime forums with the unassuming thread, “Buying/monetizing your access to corporate networks.” The rest of the post reads:

We are looking for access to corporate networks in the following countries:
– the USA
– Canada
– Australia
– the UK

All lines of business except for:
– Healthcare
– Government entities.

Requirements:
– Revenue according to ZoomInfo: over 100 million.
– Number of hosts: 500 to 15,000.
– We do not accept networks that anybody else has already tried to work on.

Two options of cooperation:
– We buy networks: 3 to 100k.
– We monetize them (subject to negotiation on a case-by-case basis).

How we work:
You select an option of cooperation. -> You provide access to the network. -> We check it. -> We take it or not (depending on whether it meets the requirements).

T-Mobile: Breach Exposed SSN/DOB of 40M+ People

18 August 2021 at 16:24

T-Mobile is warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. The acknowledgment came less than 48 hours after millions of the stolen T-Mobile customer records went up for sale in the cybercrime underground.

In a statement Tuesday evening, T-Mobile said a “highly sophisticated” attack against its network led to the breach of data on millions of customers.

“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the company wrote in a blog post. “Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”

Nevertheless, T-Mobile is urging all T-Mobile postpaid customers to proactively change their account PINs by going online into their T-Mobile account or calling customer care at 611. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” the advisory reads.

It is not clear how many people total may be impacted by this breach. T-Mobile hasn’t yet responded to requests for clarification regarding how many of the 7.8 million current customers may also have been affected by the credit application breach.

The intrusion first came to light on Twitter when the account @und0xxed started tweeting the details, and someone on a cybercrime forum began selling what they claimed were more than 100 million freshly hacked records from T-Mobile. The hackers claimed one of those databases held the name, date of birth, SSN, drivers license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.

T-Mobile said it was also able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.

“We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” T-Mobile said. “We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”

T-Mobile said it would pay for two years of identity theft protection services for any affected customers, and that it was offering “an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.” Why it wouldn’t make that extra protection standard for all accounts all the time is not entirely clear.

This stolen data is being actively sold, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.

T-Mobile customers should expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even messages that include the recipient’s compromised account details to make the communications look more legitimate.

Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.

If you’re a current T-Mobile customer, by all means change your account PIN as instructed. But regardless of which mobile provider you patronize, consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

T-Mobile Investigating Claims of Massive Data Breach

16 August 2021 at 23:53

Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer’s mobile device.

On Sunday, Vice.com broke the news that someone was selling data on 100 million people, and that the data came from T-Mobile. In a statement published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data,” but said it was too soon in its investigation to know what was stolen and how many customers might be affected.

A sales thread tied to the allegedly stolen T-Mobile customer data.

“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote.

“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”

The intrusion came to light on Twitter when the account @und0xxed started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but was instead in charge of finding buyers for the stolen T-Mobile customer data.

Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.

They claim one of those databases holds the name, date of birth, SSN, drivers license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.

The hacker(s) claim the purloined data also includes IMSI and IMEI data for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.

“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”

Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.

“Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.”

T-Mobile declined to comment beyond what the company said in its blog post today.

In 2015, a computer breach at big three credit bureau Experian exposed the Social Security numbers and other data on 15 million people who applied for financing from T-Mobile.

Like other mobile providers, T-Mobile is locked in a constant battle with scammers who target its own employees in SIM swapping attacks and other techniques to wrest control over employee accounts that can provide backdoor access to customer data. In at least one case, retail store employees were complicit in the account takeovers.

WHO HACKED T-MOBILE?

The Twitter profile for the account @Und0xxed includes a shout out to @IntelSecrets, the Twitter account of a fairly elusive hacker who also has gone by the handles IRDev and V0rtex. Asked if @IntelSecrets was involved in the T-Mobile intrusion, @und0xxed confirmed that it was.

The IntelSecrets nicknames correspond to an individual who has claimed responsibility for modifying the source code for the Mirai “Internet of Things” botnet to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted. Like Kenny “NexusZeta” Schuchmann, who pleaded guilty in 2019 to operating the Satori botnet. Two other young men have been charged in connection with Satori — but not IntelSecrets.

How do we know all this about IntelSecrets/IRDev/V0rtex? That identity has acknowledged as much in a series of bizarre lawsuits filed by a person who claims their real name is John Erin Binns. The same Binns identity operates the website intelsecrets[.]su. 

On that site, Binns claims he fled to Germany and Turkey to evade prosecution in the Satori case, only to be kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his alleged capture and torture by the Turks.

Since then, Binns has filed a flood of lawsuits naming various federal agencies — including the FBI, the CIA, and the U.S. Special Operations Command (PDF), demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.

Speaking to the researcher Alon Gal (@underthebreach), the hackers responsible for the T-Mobile intrusion said they did it to “retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure.”

Update, Aug. 18, 9:15 a.m. ET: In a blog post Monday evening, T-Mobile acknowledged that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers.

New Anti Anti-Money Laundering Services for Crooks

13 August 2021 at 17:28

A new dark web service is marketing to cybercriminals who are curious to see how their various cryptocurrency holdings and transactions may be linked to known criminal activity. Dubbed “Antinalysis,” the service purports to offer a glimpse into how one’s payment activity might be flagged by law enforcement agencies and private companies that try to link suspicious cryptocurrency transactions to real people.

Sample provided by Antinalysis.

“Worried about dirty funds in your BTC address? Come check out Antinalysis, the new address risk analyzer,” reads the service’s announcement, pointing to a link only accessible via Tor. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

The ad continues:

Some people might ask, why go into all that? Just cash out in XMR and be done with it. The problem is, cashing out in Monero raises eyebrows on exchanges and mail by cash method is sometimes risky as well. If you use BTC->XMR->BTC method, you’ll still get flagged down by our services labelled as high risk exchange (not to mention LE and exchanges). Our service provides you with a view from LE/exchange’s perspective of things (with similar accuracy, but quite different approach) that provides you with basic knowledge of how “clean” your address is.”

Tom Robinson, co-founder of blockchain intelligence firm Elliptic, said Antinalysis is designed to help crypto money launderers test whether their funds will be identified as proceeds of crime by regulated financial exchanges.

“Cryptoassets have become an important tool for cybercriminals,” Robinson wrote. “The likes of ransomware and darknet markets rely on payments being made in Bitcoin and other cryptocurrencies. However, laundering and cashing-out these proceeds is a major challenge.”

Cryptocurrency exchanges make use of blockchain analytics tools, he said, to check customer deposits for links to illicit activity. By tracing a transaction back through the blockchain, these tools can identify whether the funds originated from a wallet associated with ransomware or any other criminal activity.

“The launderer therefore risks being identified as a criminal and being reported to law enforcement whenever they send funds to a business using such a tool,” Robinson said. “Antinalysis seeks to help crypto launderers to avoid this, by giving them a preview of what a blockchain analytics tool will make of their bitcoin wallet and the funds it contains.”

Each lookup at Antinalysis costs roughly USD $3, with a minimum $30 purchase. Other plans go as high as $6,000 for 5,000 requests.

Robinson says the creator of Antinalysis is also one of the developers of Incognito Market, a darknet marketplace specializing in the sale of narcotics.

“Incognito was launched in late 2020, and accepts payments in both Bitcoin and Monero, a cryptoasset offering heightened anonymity,” he wrote. “The launch of Antinalysis likely reflects the difficulties faced by the market and its vendors in cashing out their Bitcoin proceeds.”

Elliptic wasn’t impressed with the quality of the intelligence provided by Antinalysis, saying it performs poorly on detecting links to major darknet markets and other criminal entities. But with countless criminals now making millions from ransomware, there is certainly a vast, untapped market for services that help those folks improve their operational security.

“It is also significant because it makes blockchain analytics available to the public for the first time,” Robinson wrote. “To date, this type of analysis has been used primarily by regulated financial service providers.”

That may not be entirely true. Nick Bax is an independent expert in tracing cryptocurrency transactions, and he said it appears Antinalysis may be little more than a clone of AMLBot, an anti- anti-money laundering intelligence service that first came online in 2019.

AMLBot’s user interface.

“It looks almost identical to the cheap version of AMLBot,” Bax told KrebsOnSecurity. “My guess is they’re just white-labeling that.”

Bax said a lookup at AMLBot on the virtual currency address used in the sample provided by Antinalysis shows a near identical result. Here’s AMLBot’s result for the same crypto analysis performed by Antinalysis in the screenshot at the top of this story:

AMLBot’s response for the same cryptocurrency address provided as an example by Antinalysis.

“If you look at the breakdown the percentages are all almost identical,” Bax said. “I use AMLBot occasionally for good and righteous purposes. And it could also be useful for people who are just selling stuff online to make sure they aren’t receiving tainted funds.”

Update, 1:42 p.m. ET: Corrected the story to note that AMLBot has been around since 2019.

Update, 1:52 p.m. ET: Elliptic updated its blog post to confirm the connection between Antinanlysis and AMLBot, noting that AMLBot itself is a reseller of yet another service: “As first suggested in an article by Brian Krebs, we can now confirm that the results provided by Antinalysis are identical to those provided by AMLBot. It is therefore likely that Antinalysis makes use of the AMLBot API. AMLBot is itself a reseller for Crystal Blockchain, an analytics provider.”

Microsoft Patch Tuesday, August 2021 Edition

10 August 2021 at 21:12

Microsoft today released software updates to plug at least 44 security vulnerabilities in its Windows operating systems and related products. The software giant warned that attackers already are pouncing on one of the flaws, which ironically enough involves an easy-to-exploit bug in the software component responsible for patching Windows 10 PCs and Windows Server 2019 machines.

Microsoft said attackers have seized upon CVE-2021-36948, which is a weakness in the Windows Update Medic service. Update Medic is a new service that lets users repair Windows Update components from a damaged state so that the device can continue to receive updates.

Redmond says while CVE-2021-36948 is being actively exploited, it is not aware of exploit code publicly available. The flaw is an “elevation of privilege” vulnerability that affects Windows 10 and Windows Server 2019, meaning it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system.

“CVE-2021-36948 is a privilege escalation vulnerability – the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks and create user accounts,” said Kevin Breen of Immersive Labs. “In the case of ransomware attacks, they have also been used to ensure maximum damage.”

According to Microsoft, critical flaws are those that can be exploited remotely by malware or malcontents to take complete control over a vulnerable Windows computer — and with little to no help from users. Top of the heap again this month: Microsoft also took another stab at fixing a broad class of weaknesses in its printing software.

Last month, the company rushed out an emergency update to patch “PrintNightmare” — a critical hole in its Windows Print Spooler software that was being attacked in the wild. Since then, a number of researchers have discovered holes in that patch, allowing them to circumvent its protections.

Today’s Patch Tuesday fixes another critical Print Spooler flaw (CVE-2021-36936), but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own, said Dustin Childs at Trend Micro’s Zero Day Initiative.

“Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug,” Childs said.

Microsoft said the Print Spooler patch it is pushing today should address all publicly documented security problems with the service.

“Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges,” Microsoft said in a blog post. “This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies the change. This change will take effect with the installation of the security updates released on August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481.

August brings yet another critical patch (CVE-2021-34535) for the Windows Remote Desktop service, and this time the flaw is in the Remote Desktop client instead of the server.

CVE-2021-26424 — a scary, critical bug in the Windows TCP/IP component — earned a CVSS score of 9.9 (10 is the worst), and is present in Windows 7 through Windows 10, and Windows Server 2008 through 2019 (Windows 7 is no longer being supported with security updates).

Microsoft said it was not aware of anyone exploiting this bug yet, although the company assigned it the label “exploitation more likely,” meaning it may not be difficult for attackers to figure out. CVE-2021-26424 could be exploited by sending a single malicious data packet to a vulnerable system.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Phishing Sites Targeting Scammers and Thieves

9 August 2021 at 15:21

I was preparing to knock off work for the week on a recent Friday evening when a curious and annoying email came in via the contact form on this site:

“Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.”

The real BriansClub login page.

Several things stood out in Mitch’s message. For starters, that is not the actual domain for BriansClub. And it’s easy to see why Mitch got snookered: The real BriansClub site is currently not at the top of search results when one queries that shop name at Google.

Also, this greenhorn criminal clearly had bought into BriansClub’s advertising, which uses my name and likeness in a series of ads that run on all the top cybercrime forums. In those ads, a crab with my head on it zigs and zags on the sand. This is all meant to be a big joke: Krebs means “crab” or “cancer” in German, but a “crab” is sometimes used in Russian hacker slang to refer to a “carder,” or a person who regularly engages in street-level credit card fraud. Like Mitch.

In late 2019, BriansClub changed its homepage to include doctored images of my Social Security and passport cards, credit report and mobile phone bill information. That was right after KrebsOnSecurity broke the news that someone had hacked BriansClub and siphoned information on 26 million stolen debit and credit accounts. The hacked BriansClub database had an estimated collective street value of $566 million, and that data was subsequently shared with thousands of financial institutions.

Mitch said he’d just made a deposit of $240 worth of bitcoin at BriansClub[.]com, and was wondering when the funds would be reflected in the balance of his account on the shop.

Playing along, I said I was sorry to hear about his ordeal, and asked Mitch if there were any stolen cards issued by a particular bank or to a specific region that he was seeking.

Mitch didn’t bite, but neither would he be dissuaded that I was at fault for his wayward funds. He shared a picture showing funds he’d sent to the bitcoin address instructed by BriansClub[.]com — 1PLALmM5rrmLTGGVRHHTnB6VnZd3FFwh1Zusing a Bitcoin ATM in Canada.

The real BriansClub uses a dodgy virtual currency exchange service based in St. Petersburg, Russia called PinPays. The company’s website has long featured little more than a brand icon and an instant messenger address to reach the proprietor. The fake BriansClub told Mitch the Bitcoin address he was asked to pay was a PinPays address that would change with each transaction.

The payment message displayed by the carding site phishing domain BriansClub[.]com.

However, upon registering at the phishing site and clicking to fund my account, I was presented with the exact same Bitcoin address that Mitch said he paid. Also, the site wasn’t using PinPays; it was just claiming to do so to further mimic the real BriansClub.

According to the Blockchain, that Bitcoin address Mitch paid has received more than a thousand payments over the past five months totaling more than USD $40,000 worth of Bitcoin. Most are relatively small payments like Mitch’s.

The screenshot Mitch sent of his deposit.

Unwary scammers like Mitch are a dime a dozen, as are phishing sites that spoof criminal services online. Shortly after it came online as a phishing site last year, BriansClub[.]com was hosted at a company in Moscow with just a handful of other domains phishing popular cybercrime stores, including Jstashbazar[.]com, vclub[.]cards, vclubb[.]com and vclub[.]credit.

Whoever’s behind these sites is making a decent income fleecing clueless crooks. A review of the Bitcoin wallet listed as the payment address for BriansClub[.]org, for example, shows a similar haul: 704 transactions totaling $38,000 in Bitcoin over the past 10 months.

“Wow, thanks for ripping me off,” Mitch wrote, after I’d dozed off for the evening without responding to his increasingly strident emails. “Should have spent the last money on my bills I’m trying to pay off. Should have known you were nothing but a thief.”

Deciding the ruse had gone too far, I confessed to Mitch that I wasn’t really the administrator of BriansClub, and that the person he’d reached out to was an independent journalist who writes about cybercrime. I told him not to feel bad, as more than a thousand people had been similarly duped by the carding shop.

But Mitch did not appear to accept my confession.

“If that’s the case then why is your name all over it including in the window that opens up when you go to make a deposit?,” Mitch demanded, referring to the phishing site.

Clearly, nothing I said was going to deter Mitch at this point. He asked in a follow-up email if a link he included in the message was indeed the “legitimate” BriansClub address. My only reply was that he should maybe consider another line of work before he got ripped off yet again, or the Royal Canadian Mounted Police showed up at his doorstep.

Scammers who fall for fake carding sites can expect to have their accounts taken over at the real shop, which usually means someone spends your balance on stolen cards. But mostly, these imposter carding sites are asking new members to fund their accounts by making deposits in virtual currency like Bitcoin.

In 2018, KrebsOnSecurity examined a huge network of phishing sites masquerading as the top carding stores which all traced back to a web development group in Pakistan that’s apparently been stealing from thieves for years.

As I noted in that piece, creating a network of fake carding sites is the perfect cybercrime. After all, nobody who gets phished or scammed is going to report the crime to the authorities. Nor will anyone help the poor sucker who gets snookered by one of these fake carding sites. Caveat Emptor!

The most one can hope for is that the occasional enterprising phisher is brought to justice. While it may be hard to believe that authorities would go after crooks stealing from one another, in 2017 a Connecticut man pleaded guilty to charges of phishing several criminal dark web markets in a scheme that eventually netted over $365,000 and more than 10,000 stolen user credentials.

And what about the provenance of the phishing domain briansclub[.]com? Looking closer at the original WHOIS registration records for briansclub[.]com via DomainTools (an advertiser on this site), we can see it was registered in November 2015 — several months after the real BriansClub came online. It was registered to a “Brian Billionaire,” a.k.a. Brian O’Connor, an apparently accomplished music deejay, rapper and rap music producer in Florida.

Brian Billionaire.

For several years after it came online, BriansClub[.]com and other domains apparently registered to Mr. Billionaire redirected to his main site — newhotmusic.com, which predates the carding shop BriansClub and also has a members-only section of the site called Brian’s Club.

Mr. Billionaire did not respond to multiple requests for comment, but it looks like his only crime is being a somewhat cringeworthy DJ. DomainTools’ record for briansclub[.]com says the domain was abandoned or dormant for a period in 2019, only to be scooped up again by someone in May 2020 when it became a phishing site spoofing the real BriansClub.

Ransomware Gangs and the Name Game Distraction

5 August 2021 at 11:38

It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.

A rough timeline of major ransomware operations and their reputed links over time.

Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.

Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.

One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice.

After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.

DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.

REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

A REvil ransom note.

Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.

Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.

But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”

Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” Gandcrab bragged.

And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.

GOOD GRIEF

The past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer recently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.

All three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik Spider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.”

The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for information leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade.

The alleged ZeuS Trojan author, Evgeniy Mikhaylovich Bogachev. Source: FBI

Bogachev was way ahead of his colleagues in pursuing ransomware. His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware strain allegedly authored by Bogachev himself.

CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks.

“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.”

That CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found Dridex was still the most prevalent malware (for the second month running). Mainly distributed via well-crafted phishing emails — such as a recent campaign that spoofed QuickBooks — Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, CheckPoint said.

REBRANDING TO AVOID SANCTIONS

Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.

Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI

In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the Babuk ransomware group announced in May that they were starting a new platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have a blog where they can publicly shame victims into paying by gradually releasing stolen data.

On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, multiple security experts have spotted what they believe is another version of WastedLocker dressed up as payload.bin-branded ransomware.

“Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at security firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”

Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it is common for a large number of affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down.

All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises.

Perhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.

The Life Cycle of a Breached Database

29 July 2021 at 16:20

Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.

Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.

When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.

How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).

“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.

From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).

This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.

But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.

Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.

TARGETED PHISHING

So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.

Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.

The targeted phishing message that went out to classicfootballshirts.co.uk customers this month.

“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.

Allison Nixon, chief research officer with New York City-based cyber intelligence firm Unit221B, recalled what happened in the weeks leading up to Dec. 22, 2020, when cryptocurrency wallet company Ledger acknowledged that someone had released the names, mailing addresses and phone numbers for 272,000 customers.

Nixon said she and her colleagues noticed in the preceding months a huge uptick in SIM-swapping attacks, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

“A week or two prior to that we were seeing a whole lot of SIM swapping activity,” Nixon said. “We knew the information was coming from some database but we couldn’t figure out what service they all had in common. After the Ledger database got leaked publicly, we started looking at the [SIM swapping] victims and found 100 percent of them were present in the Ledger database.”

In a statement about the breach, Ledger said the data was likely stolen in June 2020, meaning hackers had roughly six months to launch targeted attacks using extremely detailed information about customers.

“If you were to look [on cybercrime forums] at the past history of people posting about that Ledger database, you’d see people were selling it privately for months prior to that,” Nixon said. “It seems like this database was slowly percolating out wider and wider, until someone decided to remove a lot of its value by posting the whole thing publicly.”

Here are some tips to help avoid falling prey to incessant data breaches and increasingly sophisticated phishing schemes:

Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you have heard from previously. And as the phishing examples above demonstrate, many of today’s phishing scams use elements from hacked databases to make their lures more convincing.

Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).

Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites. Some of the more popular password managers include DashlaneKeepassLastPass and Roboform.

–Phone-based phishing uses hacked databases, too: A great many scams are perpetrated over the phone, leveraging personal and financial information gleaned from past data breaches to make them sound more believable. If you think you’d never fall for someone trying to scam you over the phone, check out this story about how a tech-savvy professional got taken for thousands of dollars by a fraudster masquerading as his credit union. Remember, When in Doubt: Hang Up, Look Up, & Call Back.

PlugwalkJoe Does the Perp Walk

26 July 2021 at 18:18

Joseph “PlugwalkJoe” O’Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor.

One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.

But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.

Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against law enforcement agents who were already investigating their alleged crimes.

O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.

Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.

As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.

FEMALE TARGETS

All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.

Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.

The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.

On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text message with the individual who had extorted him/her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”

The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.


BAD REACTION

Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.

Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.

According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.

“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.

Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.

FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.

The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.

A copy of the indictment is here (PDF).

Serial Swatter Who Caused Death Gets Five Years in Prison

21 July 2021 at 19:59

A 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today.

60-year-old Mark Herring died of a heart attack after police surrounded his home in response to a swatting attack.

Shane Sonderman, of Lauderdale County, Tenn. admitted to conspiring with a group of criminals that’s been “swatting” and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames.

At Sonderman’s sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, posting their personal information online and sending them pizzas and other deliveries of food as a harassment technique.

Other victims of the group told prosecutors their tormentors further harassed them by making false reports of child abuse to social services local to the target’s area, and false reports in the target’s name to local suicide prevention hotlines.

Eventually, when subjects of their harassment refused to sell or give up their Twitter and Instagram usernames, Sonderman and others would swat their targets — or make a false report to authorities in the target’s name with the intention of sending a heavily armed police response to that person’s address.

For weeks throughout March and April 2020, 60-year-old Mark Herring of Bethpage, Tenn. was inundated with text messages asking him to give up his @Tennessee Twitter handle. When he ignored the requests, Sonderman and his buddies began having food delivered to Herring’s home via cash on delivery.

At one point, Sonderman posted Herring’s home address in a Discord chat room used by the group, and a minor in the United Kingdom quickly followed up by directing a swatting attack on Herring’s home.

Ann Billings was dating Mr. Herring and was present when the police surrounded his home. She recalled for the Tennessee court today how her friend died shortly thereafter of a heart attack.

Billings said she first learned of the swatting when a neighbor called and asked why the street was lined with police cars. When Mr. Herring stepped out on the back porch to investigate, police told him to put his hands up and to come to the street.

Unable to disengage a lock on his back fence, Herring was instructed to somehow climb over the fence with his hands up.

“He was starting to get more upset,” Billings recalled. “He said, ‘I’m a 60-year-old fat man and I can’t do that.'”

Billings said Mr. Herring then offered to crawl under a gap in the fence, but when he did so and stood up, he collapsed of a heart attack. Herring died at a nearby hospital soon after.

Mary Frances Herring, who was married to Mr. Herring for 28 years, said her late husband was something of a computer whiz in his early years who secured the @Tennessee Twitter handle shortly after Twitter came online. Internet archivist Jason Scott says Herring was the creator of the successful software products Sparkware and QWIKMail; Scott has 2 hours worth of interviews with Herring from 20 years ago here.

Perhaps the most poignant testimony today came when Ms. Herring said her husband — who was killed by people who wanted to steal his account — had a habit of registering new Instagram usernames as presents for friends and family members who’d just had children.

“If someone was having a baby, he would ask them, ‘What are your naming the baby?’,” Ms. Herring said. “And he would get them that Instagram name and give it to them as a gift.”

Valerie Dozono also was an early adopter of Instagram, securing the two-letter username “VD” for her initials. When Dozono ignored multiple unsolicited offers to buy the account, she and many family and friends started getting unrequested pizza deliveries at all hours.

When Dozono continued to ignore her tormentors, Sonderman and others targeted her with a “SIM-swapping attack,” a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

But it wasn’t the subsequent bomb threat that Sonderman and friends called in to her home that bothered Dozono most. It was the home invasion that was ordered at her address using strangers on social media.

Dozono said Sonderman created an account on Grindr — the location-based social networking and dating app for gay, bi, trans and queer people — and set up a rendezvous at her address with an unsuspecting Grindr user who was instructed to waltz into her home as if he was invited.

“This gentleman was sent to my home thinking someone was there, and he was given instructions to walk into my home,” Dozono said.

The court heard from multiple other victims targeted by Sonderman and friends over a two-year period. Including Shane Glass, who started getting harassed in 2019 over his @Shane Instagram handle. Glass told the court that endless pizza deliveries, as well as SIM swapping and swatting attacks left him paranoid for months that his assailant could be someone stalking him nearby.

Judge Mark Norris said Sonderman’s agreement to plead to one count of extortion by threat of serious injury or damage carries with it a recommended sentence of 27 to 33 months in prison. However, the judge said other actions by the defendant warranted up to 60 months (5 years) in prison.

Sonderman might have been eligible to knock a few months off his sentence had he cooperated with investigators and refrained from committing further crimes while out on bond.

But prosecutors said that shortly after his release, Sonderman went right back to doing what he was doing when he got caught. Investigators who subpoenaed his online communications found he’d logged into the Instagram account “FreeTheSoldiers,” which was known to have been used by the group to harass people for their social media handles.

Sonderman was promptly re-arrested for violating the terms of his release, and prosecutors played for the court today a recording of a phone call Sonderman made from jail in which he brags to a female acquaintance that he wiped his mobile phone two days before investigators served another search warrant on his home.

Sonderman himself read a lengthy statement in which he apologized for his actions, blaming his “addiction” on several psychiatric conditions — including bipolar disorder. While his recitation was initially monotone and practically devoid of emotion, Sonderman eventually broke down in tears that made the rest of his statement difficult to hear over the phone-based conference system the court made available to reporters.

The bipolar diagnoses was confirmed by his mother, who sobbed as she simultaneously begged the court for mercy while saying her son didn’t deserve any.

Judge Norris said he was giving Sonderman the maximum sentenced allowed by law under the statute — 60 months in prison followed by three years of supervised release, but implied that his sentence would be far harsher if the law permitted.

“Although it may seem inadequate, the law is the law,” Norris said. “The harm it caused, the death and destruction….it’s almost unspeakable. This is not like cases we frequently have that involve guns and carjacking and drugs. This is a whole different level of insidious criminal behavior here.”

Sonderman’s sentence pales in comparison to the 20-year prison time handed down in 2019 to serial swatter Tyler Barriss, a California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident.

❌