ReportWire

Tag: Malware

  • You’ve been targeted by government spyware. Now what? | TechCrunch


    It was a normal day when Jay Gibson got an unexpected notification on his iPhone. “Apple detected a targeted mercenary spyware attack against your iPhone,” the message read.

    Ironically, Gibson used to work at companies that developed exactly the kind of spyware that could trigger such a notification. Still, he was shocked to receive one on his own phone. He called his father, turned off his phone and put it away, and went to buy a new one.

    “I was panicking,” he told TechCrunch. “It was a mess. It was a huge mess.”  

    Gibson is just one of an ever-increasing number of people who are receiving notifications from companies like Apple, Google, and WhatsApp, all of which send similar warnings about spyware attacks to their users. Tech companies are increasingly proactive in alerting their users when they become targets of government hackers, and in particular those who use spyware made by companies such as Intellexa, NSO Group, and Paragon Solutions.

    But while Apple, Google, and WhatsApp send the alert, they don’t get involved in what happens next. The tech companies direct their users to people who can help, and at that point the companies step away.

    This is what happens when you receive one of these warnings. 

    Warning 

    You have received a notification that you were the target of government hackers. Now what? 

    First of all, take it seriously. These companies have reams of telemetry data about their users and what happens on both their devices and their online accounts. These tech giants have security teams that have been hunting, studying, and analyzing this type of malicious activity for years. If they think you have been targeted, they are probably right. 

    It’s important to note that in the case of Apple and WhatsApp notifications, receiving one doesn’t mean you were necessarily hacked. It’s possible that the hacking attempt failed, but they can still tell you that someone tried. 

    A photo showing the text of a threat notification sent by Apple to a suspected spyware victim (Image: Omar Marques/Getty Images)

    In the case of Google, it’s most likely that the company blocked the attack, and is telling you so you can go into your account and make sure you have multi-factor authentication on (ideally a physical security key or passkey), and also turn on its Advanced Protection Program, which also requires a security key and adds other layers of security to your Google account. In other words, Google will tell you how to better protect yourself in the future. 

    In the Apple ecosystem, you should turn on Lockdown Mode, which switches on a series of security features that make it more difficult for hackers to target your Apple devices. Apple has long claimed that it has never seen a successful hack against a user with Lockdown Mode enabled, but no system is perfect. 

    Mohammed Al-Maskati, the director of Access Now’s Digital Security Helpline, a 24/7 global team of security experts who investigate spyware cases against members of civil society, shared with TechCrunch the advice that the helpline gives people who are concerned that they may be targeted with government spyware.

    This advice includes keeping your devices’ operating systems and apps up to date; switching on Apple’s Lockdown Mode and Google’s Advanced Protection for accounts and for Android devices; being careful with suspicious links and attachments; restarting your phone regularly; and paying attention to changes in how your device functions.

    Contact Us

    Have you received a notification from Apple, Google, or WhatsApp about being targeted with spyware? Or do you have information about spyware makers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

    Reaching out for help

    What happens next depends on who you are. 

    There are open source and downloadable tools that anyone can use to detect suspected spyware attacks on their devices, which requires a little technical knowledge. You can use the Mobile Verification Toolkit, or MVT, a tool that lets you look for forensic traces of an attack on your own, perhaps as a first step before looking for assistance. 

    If you don’t want to or can’t use MVT, you can go straight to someone who can help. If you are a journalist, dissident, academic, or human rights activist, there are a handful of organizations that can help. 

    You can turn to Access Now and its Digital Security Helpline. You can also contact Amnesty International, which has its own team of investigators and ample experience in these cases. Or, you can reach out to The Citizen Lab, a digital rights group at the University of Toronto, which has been investigating spyware abuses for almost 15 years. 

    If you are a journalist, Reporters Without Borders also has a digital security lab that offers to investigate suspected cases of hacking and surveillance. 

    People outside these categories, politicians or business executives for example, will have to go elsewhere. 

    If you work for a large company or political party, you likely have a competent (hopefully!) security team you can go straight to. They may not have the specific knowledge to investigate in depth, but in that case they probably know who to turn to, even if Access Now, Amnesty, and Citizen Lab cannot help those outside of civil society. 

    Otherwise, there aren’t many places executives or politicians can turn to, but we have asked around and found the ones below. We can’t fully vouch for any of these organizations, nor do we endorse them directly, but based on suggestions from people we trust, it’s worth pointing them out. 

    Perhaps the most well known of these private security companies is iVerify, which makes an app for Android and iOS, and also gives users an option to ask for an in-depth forensic investigation. 

    Matt Mitchell, a well-regarded security expert who’s been helping vulnerable populations protect themselves from surveillance, has a new startup, called Safety Sync Group, which offers this kind of service. 

    Jessica Hyde, a forensic investigator with experience in the public and private sectors, has her own startup called Hexordia, and offers to investigate suspected hacks. 

    Mobile cybersecurity company Lookout, which has experience analyzing government spyware from around the world, has an online form that allows people to reach out for help to investigate cyberattacks involving malware, device compromise, and more. The company’s threat intelligence and forensics teams may then get involved.  

    Then, there’s Costin Raiu, who heads TLPBLACK, a small team of security researchers who used to work at Kaspersky’s Global Research and Analysis Group, or GReAT. Raiu was the unit’s head when his team discovered sophisticated cyberattacks from elite government hacking teams from the United States, Russia, Iran, and other countries. Raiu told TechCrunch that people who suspect they’ve been hacked can email him directly.

    Investigation

    What happens next depends on who you go to for help. 

    Generally speaking, the organization you reach out to may want to do an initial forensic check by looking at a diagnostic report file that you can create on your device, which you can share with the investigators remotely. At this point, this doesn’t require you to hand over your device to anyone. 

    This first step may be able to detect signs of targeting or even infection. It may also turn up nothing. In both cases, the investigators may want to dig deeper, which will require you to send in a full backup of your device, or even the device itself. At that point, the investigators will do their work, which may take time because modern government spyware attempts to hide and delete its tracks, and will tell you what happened. 

    Unfortunately, modern spyware may not leave any traces. The modus operandi these days, according to Hassan Selmi, who leads the incident response team at Access Now’s Digital Security Helpline, is a “smash and grab” strategy: once spyware infects the target device, it steals as much data as it can, then tries to remove any trace and uninstall itself. This is assumed to be the spyware makers’ way of protecting their product and hiding its activity from investigators and researchers.  

    If you are a journalist, a dissident, an academic, or a human rights activist, the groups who help you may ask if you want to publicize the fact that you were attacked, but you’re not required to do so. They will be happy to help you without taking public credit for it. There may be good reasons to come out, though: to denounce the fact that a government targeted you, which may have the side effect of warning others like you of the dangers of spyware; or to expose a spyware company by showing that its customers are abusing its technology. 

    We hope you never get one of these notifications. But we also hope that, if you do, you find this guide useful. Stay safe out there.

    Lorenzo Franceschi-Bicchierai

  • Meet the team that hunts government spyware


    For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments all over the world. Cops and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, and the United Arab Emirates, among others, have used sophisticated spyware to compromise the phones of these victims, who at times have also faced real-world violence, being intimidated, harassed, and in extreme cases even murdered.

    In the last few years, in the fight to protect these higher-risk communities, a team of a dozen digital security experts, based mostly in Costa Rica, Manila, and Tunisia, among other places, has played a key role. They work for the New York-headquartered nonprofit Access Now, specifically its Digital Security Helpline.

    Their mission is to be the team that journalists, human rights defenders, and dissidents can go to if they suspect they’ve been hacked, such as with mercenary spyware made by companies like NSO Group, Intellexa, or Paragon.

    “The idea is to provide this 24/7 service to civil society and journalists so they can reach out whenever they have… a cybersecurity incident,” Hassen Selmi, who leads the incident response team at the Helpline, told TechCrunch. 

    According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab who has been investigating spyware for almost 15 years, Access Now’s Helpline is a “frontline resource” for journalists and others who may have been targeted or hacked with spyware.

    The helpline has become a critical funnel for victims. So much so that when Apple sends its users a so-called “threat notification” alerting them that they have been targeted with mercenary spyware, the tech giant has long directed victims to Access Now’s investigators.

    In speaking with TechCrunch, Selmi described a scenario where someone gets one of these threat notifications, and where Access Now can help victims.

    “Having someone who could explain it to them, tell them what they should do, what they should not do, what this means… This is a big relief for them,” said Selmi. 

    According to several digital rights experts who have investigated spyware cases and previously spoke with TechCrunch, Apple is generally taking the right approach, even if the optics look like a trillion-dollar tech giant offloading its responsibility to a small team of nonprofit workers. 

    Being mentioned by Apple in the notifications, said Selmi, was “one of the biggest milestones” for the helpline.

    Selmi and his colleagues now look into about 1,000 cases of suspected government spyware attacks per year. Around half of those cases turn into actual investigations, and only around 5% of them, around 25, result in a confirmed case of spyware infection, according to Mohammed Al-Maskati, the helpline’s director.

    When Selmi started doing this work in 2014, Access Now was only investigating around 20 cases of suspected spyware attacks per month. 

    At the time, there were three or four people working in each time zone in Costa Rica, Manila, and Tunisia, locations that allowed them to have someone online throughout the whole day. The team isn’t that much bigger now, with fewer than 15 people working for the helpline. The helpline has more people in Europe, the Middle East, North Africa, and the Sub-Saharan region, given that these are hotspots for spyware cases, according to Selmi.  

    The increase in cases, Selmi explained, is due to several circumstances. For one, the helpline is now more well known, so it attracts more people. Then, with government spyware going global and becoming more available, there are potentially more cases of abuse. Finally, the helpline team has done more outreach to potentially targeted populations, finding cases of abuse they may not have found otherwise. 


    When someone contacts the helpline, Selmi told TechCrunch, its investigators first acknowledge receipt, then they do a first check to see if the person who contacted them is within the organization’s mandate, meaning if they are part of civil society — and not, for example, a business executive or lawmaker. Then, the investigators assess the case in triage. If a case is prioritized, the investigators ask questions, such as why the person believes they were targeted (if there was no notification), and what device they own, which helps to establish what kind of information the investigators may need to collect from the victim’s device.

    After an initial, limited check of the device performed remotely over the internet, the helpline’s handlers and investigators may ask the victim to send more data, such as a full backup of their device, to do a more thorough analysis looking for signs of intrusion. 

    “For each known kind of exploit that has been used in the last five years, we have a process on how to check that exploit,” said Selmi, referring to known hacking techniques. 

    “We know more or less what is normal, what is not,” said Selmi.

    The Access Now handlers, who manage communication and often speak the victim’s language, will also give the victim advice on what to do, such as whether to get another device, or take other precautions. 

    Every case that the nonprofit looks into is unique. “It’s different from person to person, from culture to culture,” Selmi told TechCrunch. “I think we should do more research, get more people on board — not just technical people — to know how to deal with these kinds of victims.”

    Selmi said that the helpline has also been supporting similar investigative teams in some regions of the world, sharing documentation, knowledge, and tools, as part of a coalition called CiviCERT, a global network of organizations that can help members of civil society who suspect they were targeted with spyware. 

    Selmi said this network has also helped to reach journalists and others in places the helpline could not otherwise get to. 

    “No matter where they are, [victims] have people who could talk to and report to,” Selmi told TechCrunch. “Having these people talk their language and know their context helped a lot.”

    Lorenzo Franceschi-Bicchierai

  • The Government Shutdown Is a Ticking Cybersecurity Time Bomb


    Amid a government shutdown that has dragged on for more than five weeks, the United States Congressional Budget Office said on Thursday that it recently suffered a hack and moved to contain the breach. CBO provides nonpartisan financial and economic data to lawmakers, and The Washington Post reported that the agency was infiltrated by a “suspected foreign actor.”

    CBO spokesperson Caitlin Emma told WIRED in a statement that it has “implemented additional monitoring and new security controls to further protect the agency’s systems” and that “CBO occasionally faces threats to its network and continually monitors to address those threats.” Emma did not address questions from WIRED about whether the government shutdown has impacted technical personnel or cybersecurity-related work at CBO.

    With increasing instability in the Supplemental Nutrition Assistance Program (SNAP) leaving Americans hungry, air traffic control personnel shortages disrupting flights, financial devastation for federal workers, and mounting operational shortages at the Social Security Administration, the shutdown is increasingly impacting every corner of the US. But researchers, former and current government workers, and federal technology experts warn that gaps in foundational activities during the shutdown—things like system patching, activity monitoring, and device management—could have real effects on federal defenses, both now and for years to come.

    “A lot of federal digital systems are still just running in the cloud throughout the shutdown, even if the office is empty,” says Safi Mojidi, a longtime cybersecurity researcher who previously worked for NASA and as a federal security contractor. “If everything was set up properly, then the cloud offers an important baseline of security, but it’s hard to rest easy during a shutdown knowing that even in the best of times there are problems getting security right.”

    Even before the shutdown, federal cybersecurity workers were being impacted by reductions in force at agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency—potentially hindering digital defense guidance and coordination across the government. And CISA has continued cutting staff during the shutdown as well.

    In a statement, spokesperson Marci McCarthy said “CISA continues to execute on its mission” but did not answer WIRED’s specific questions about how its work and digital defenses at other agencies have been impacted by the government shutdown, which she blamed on Democrats.

    The government’s transition to the cloud over the last decade, as well as increased attention to cybersecurity in recent years, does provide an important backstop for a disruption like a shutdown. Experts emphasize, though, that the federal landscape is not homogenous, and some agencies have made more progress and are better equipped than others. Additionally, missed and overlooked digital security work that accumulates during the shutdown will create a backlog when workers return that could be difficult to surmount.

    Lily Hay Newman

  • A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones


    Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.

    The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and could likely be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

    Like Taking a Screenshot

    Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

    “Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”

    The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.

    Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.

    Dan Goodin, Ars Technica

  • A Cyberattack on Jaguar Land Rover Is Causing a Supply Chain Disaster


    Almost immediately after the cyberattack, a group on Telegram called Scattered Lapsus$ Hunters claimed responsibility for the hack. The group name implies a potential collaboration between three loose hacking collectives—Scattered Spider, Lapsus$, and Shiny Hunters—that have been behind some of the most high-profile cyberattacks in recent years. They are often made up of young, English-speaking cybercriminals who target major businesses.

    Building vehicles is a hugely complex process. Hundreds of different companies provide parts, materials, electronics, and more to vehicle manufacturers, and these expansive supply chain networks often rely upon “just-in-time” manufacturing. That means they order parts and services to be delivered in the specific quantities that are needed and exactly when they need them—large stockpiles of parts are unlikely to be held by auto makers.

    “The supplier networks that are supplying into these manufacturing plants, they’re all set up for efficiency—economic efficiency, and also logistic efficiency,” says Siraj Ahmed Shaikh, a professor in systems security at Swansea University. “There’s a very carefully orchestrated supply chain,” Shaikh adds, speaking about automotive manufacturing generally. “There’s a critical dependency for those suppliers supplying into this kind of an operation. As soon as there is a disruption at this kind of facility, then all the suppliers get affected.”

    One company that makes glass sun roofs has started laying off workers, according to a report in the Telegraph. Meanwhile, another firm told the BBC it has laid off around 40 people so far. French automotive company OPmobility, which employs 38,000 people across 150 sites, told WIRED it is making some changes and monitoring the events. “OPmobility is reconfiguring its production at certain sites as a consequence of the shutdown of its production by one of its customers based in the United Kingdom and depending on the evolution of the situation,” a spokesperson for the firm says.

    While it is unclear which specific JLR systems have been impacted by the hackers and what systems JLR took offline proactively, many were likely taken offline to stop the attack from getting worse. “It’s very challenging to ensure containment while you still have connections between various systems,” says Orla Cox, head of EMEA cybersecurity communications at FTI Consulting, which responds to cyberattacks and works on investigations. “Oftentimes as well, there will be dependencies on different systems: You take one down, then it means that it has a knock on effect on another.”

    Whenever there’s a hack in any part of a supply chain—whether that is a manufacturer at the top of the pyramid or a firm further down the pipeline—digital connections between companies may be severed to stop attackers from spreading from one network to the next. Connections via VPNs or APIs may be stopped, Cox says. “Some may even take stronger measures such as blocking domains and IP addresses. Then things like email are no longer usable between the two organizations.”

    The complexity of digital and physical supply chains, spanning dozens of businesses and just-in-time production systems, means that bringing everything back online and up to full working speed is likely to take time. MacColl, the RUSI researcher, says cybersecurity issues often fail to be debated at the highest level of British politics—but adds this time could be different due to the scale of the disruption. “This incident has the potential to cut through because of the job losses and the fact that MPs in constituencies affected by this will be getting calls,” he says. That breakthrough has already begun.

    Matt Burgess

  • A Dangerous Worm Is Eating Its Way Through Software Packages


    New findings this week showed that a misconfigured platform used by the Department of Homeland Security left sensitive national security information—including data related to the surveillance of Americans—exposed and accessible to thousands of people. Meanwhile, 15 New York officials were arrested by Immigration and Customs Enforcement and the New York Police Department this week in or around 26 Federal Plaza—where ICE detains people in what courts have ruled are unsanitary conditions.

    Russia conducted conspicuous military exercises testing hypersonic missiles near NATO borders, stoking tensions in the region after the Kremlin had already recently flown drones into Polish and Romanian airspace. Scammers have a new tool for sending spam texts, known as “SMS blasters,” that can send up to 100,000 texts per hour while evading telecom company anti-spam measures. Scammers deploy rogue cell towers that trick people’s phones into connecting to the malicious devices so they can send the texts directly and bypass filters. And a pair of flaws in Microsoft’s Entra ID identity and access management system, which have been patched, could have been exploited to access virtually all Azure customer accounts—a potentially catastrophic disaster.

    WIRED published a detailed guide this week to acquiring and using a burner phone, as well as alternatives that are more private than a regular phone but not as labor-intensive as a true burner. And we updated our guide to the best VPNs.

    But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    The cybersecurity world has seen, to its growing dismay, plenty of software supply-chain attacks, in which hackers hide their code in a legitimate piece of software so that it’s silently seeded out to every system that uses that code around the world. In recent years, hackers have even tried linking one software supply-chain attack to another, finding a second software developer target among their victims to compromise yet another piece of software and launch a new round of infections. This week saw a new and troubling evolution of those tactics: a full-blown self-replicating supply-chain attack worm.

    The malware, which has been dubbed Shai-Hulud after the Fremen name for the monstrous sandworms in the sci-fi novel Dune (and the name of the GitHub page where the malware published stolen credentials of its victims), has compromised hundreds of open source software packages on the code repository Node Package Manager, or NPM, used by developers of JavaScript. The Shai-Hulud worm is designed to infect a system that uses one of those software packages, then hunt for more NPM credentials on that system so that it can corrupt another software package and continue its spread.

    By one count, the worm has spread to more than 180 software packages, including 25 used by the cybersecurity firm CrowdStrike, though CrowdStrike has since had them removed from the NPM repository. Another count from cybersecurity firm ReversingLabs put the number far higher, at more than 700 affected code packages. That makes Shai-Hulud one of the biggest supply-chain attacks in history, though the intent of its mass credential-stealing remains far from clear.

    Western privacy advocates have long pointed to China’s surveillance systems as the potential dystopia awaiting countries like the United States if tech industry and government data collection goes unchecked. But a sprawling Associated Press investigation highlights how China’s surveillance systems have reportedly been largely built on US technologies. The AP’s reporters found evidence that China’s surveillance network—from the “Golden Shield” policing system that Beijing officials have used to censor the internet and crack down on alleged terrorists to the tools used to target, track, and often detain Uyghurs in the country’s Xinjiang region—appears to have been built with the help of American companies, including IBM, Dell, Cisco, Intel, Nvidia, Oracle, Microsoft, Thermo Fisher, Motorola, Amazon Web Services, Western Digital, and HP. In many cases, the AP found Chinese-language marketing materials in which the Western companies specifically offer surveillance applications and tools to Chinese police and domestic intelligence services.

    Scattered Spider, a rare hacking and extortion cybercriminal gang based largely in Western countries, has for years unleashed a trail of chaos across the internet, hitting targets from MGM Resorts and Caesar’s Palace to the Marks & Spencer grocery chain in the United Kingdom. Now two alleged members of that notorious group have been arrested in the UK: 19-year-old Thalha Jubair and 18-year-old Owen Flowers, both charged with hacking the Transport for London transit system—reportedly inflicting more than $50 million in damage—among many other targets. Jubair alone is accused of intrusions targeting 47 organizations. The arrests are just the latest in a string of busts targeting Scattered Spider, which has nonetheless continued a nearly uninterrupted string of breaches. Noah Urban, who was convicted on charges related to Scattered Spider activity, spoke from jail to Bloomberg Businessweek for a long profile of his cybercriminal career. Urban, 21, has been sentenced to a decade in prison.

    Lily Hay Newman, Andy Greenberg

  • Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions


    The NPM (Node Package Manager) account of developer ‘qix’ was compromised, allowing hackers to publish malicious versions of his packages.

    The attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack was massive in scope since the affected packages have over 1 billion combined weekly downloads.

    This attack on the software supply chain specifically targets the JavaScript/Node.js ecosystem.

    Crypto Clipper Malware

    The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.

    The crypto-stealing malware has two attack vectors. When no crypto wallet extension is found, the malware intercepts all network traffic by hooking the browser’s native fetch and HTTP request functions and swapping any wallet addresses it finds in requests for entries from extensive lists of attacker-owned wallet addresses.

    Using sophisticated address swapping, it employs algorithms to find replacement addresses that look visually similar to legitimate ones, making the fraud nearly impossible to spot with the naked eye, said cybersecurity researchers.

    If a crypto wallet is found, the malware intercepts transactions before signing, and when users initiate transactions, it modifies them in memory to redirect funds to attacker addresses.

    The attack targeted packages such as ‘chalk,’ ‘strip-ansi,’ ‘color-convert,’ and ‘color-name,’ which are core building blocks buried deep in the dependency trees of countless projects.

    The attack was discovered accidentally when a build pipeline failed with a “fetch is not defined” error as the malware attempted to exfiltrate data using the fetch function.
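Two defensive checks a web front end can run against the behaviour described above, as an added example that is not code from the article, from the compromised packages, or from any vendor quoted here. The function names (`isNativeFunction`, `auditGlobals`, `classifyAddress`) and the sample addresses are hypothetical and constructed. The first check notices when a built-in such as `fetch` has been replaced by plain JavaScript, which is what a clipper hooking network calls leaves behind; the second refuses to treat an address that merely shares the intended one’s visible first and last characters as a match.

```javascript
// Added example (not from the article or the affected npm packages).
// Hypothetical helper names; sample addresses are constructed, not real wallets.
'use strict';

// 1. Native-function integrity check.
// A clipper that replaces window.fetch or XMLHttpRequest.prototype.open with
// its own JavaScript leaves a function whose source is visible, whereas a
// genuine built-in stringifies to "function fetch() { [native code] }".
// Function.prototype.toString.call() is used so an overridden fn.toString on
// the hook itself cannot lie to us.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Returns the names of the listed globals that are missing or no longer native.
// Caveat: a Proxy around the real function, a bound function, or malware that
// also patches Function.prototype.toString passes this check, so treat a clean
// result as "nothing obvious", not as proof of integrity.
function auditGlobals(scope, names) {
  return names.filter((name) => !isNativeFunction(scope[name]));
}

// 2. Lookalike-address check before a transaction is submitted or signed.
// The clipper picks replacement addresses that look like the legitimate one,
// typically sharing the first and last few characters a user actually reads.
// Comparing the full string, and calling out "close but different" explicitly,
// defeats that trick.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify the address about to be used against the one the user intended:
// 'match', 'lookalike' (same visible ends, or only a few edits away), or 'different'.
function classifyAddress(intended, observed, ends = 4, maxEdits = 6) {
  if (intended === observed) return 'match';
  const sameEnds =
    intended.slice(0, ends) === observed.slice(0, ends) &&
    intended.slice(-ends) === observed.slice(-ends);
  if (sameEnds || levenshtein(intended, observed) <= maxEdits) return 'lookalike';
  return 'different';
}

// Constructed sample values (not real wallets).
const INTENDED = '0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B';
const SWAPPED  = '0xAb58f4C0e8D32aEB6F3b71a2c9D0E5F48173eC9B'; // same first and last 4 chars
const OTHER    = '0x1111111111111111111111111111111111111111';

function demo() {
  // Constructed scope: one untouched built-in next to one that a hook replaced.
  const sampleScope = { parse: JSON.parse, fetch: function hookedFetch() {} };
  console.log('non-native globals:', auditGlobals(sampleScope, ['parse', 'fetch']));
  console.log(classifyAddress(INTENDED, SWAPPED)); // lookalike
  console.log(classifyAddress(INTENDED, OTHER));   // different
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The integrity check is meant for a browser’s built-ins: Node’s own `fetch` global is implemented in JavaScript, so it reports as non-native there, which is why the demo audits a constructed scope instead. Neither check replaces the hardware-wallet advice below; they only make an in-page swap visible before a user commits to it.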

    “If you use a hardware wallet, pay attention to every transaction before signing, and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now,” advised Ledger CEO Charles Guillemet.

    Broad Attack Vector

    While the malware’s payload specifically targets cryptocurrency, the attack vector is much broader. It affects any environment running JavaScript/Node.js applications, such as web applications running in browsers, desktop applications, server-side Node.js applications, and mobile apps using JavaScript frameworks.

    So a regular business web application could unknowingly include these malicious packages, but the malware would only activate when users interact with cryptocurrency on that site.

    Uniswap and Blockstream were among the first to reassure users that their systems were not at risk.

    Martin Young

  • Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn

    Sextortion-based hacking, which hijacks a victim’s webcam or blackmails them with nudes they’re tricked or coerced into sharing, has long represented one of the most disturbing forms of cybercrime. Now one specimen of widely available spyware has turned that relatively manual crime into an automated feature, detecting when the user is browsing pornography on their PC, screenshotting it, and taking a candid photo of the victim through their webcam.

    On Wednesday, researchers at security firm Proofpoint published their analysis of an open-source variant of “infostealer” malware known as Stealerium that the company has seen used in multiple cybercriminal campaigns since May of this year. The malware, like all infostealers, is designed to infect a target’s computer and automatically send a hacker a wide variety of stolen sensitive data, including banking information, usernames and passwords, and keys to victims’ crypto wallets. Stealerium, however, adds another, more humiliating form of espionage: It also monitors the victim’s browser for web addresses that include certain NSFW keywords, screenshots browser tabs that include those words, photographs the victim via their webcam while they’re watching those porn pages, and sends all the images to a hacker—who can then blackmail the victim with the threat of releasing them.

    “When it comes to infostealers, they typically are looking for whatever they can grab,” says Selena Larson, one of the Proofpoint researchers who worked on the company’s analysis. “This adds another layer of privacy invasion and sensitive information that you definitely wouldn’t want in the hands of a particular hacker.”

    “It’s gross,” Larson adds. “I hate it.”

    Proofpoint dug into the features of Stealerium after finding the malware in tens of thousands of emails sent by two different hacker groups it tracks (both relatively small-scale cybercriminal operations), as well as a number of other email-based hacking campaigns. Stealerium, strangely, is distributed as a free, open source tool available on GitHub. The malware’s developer, who goes by the name witchfindertr and describes themselves as a “malware analyst” based in London, notes on the page that the program is for “educational purposes only.”

    “How you use this program is your responsibility,” the page reads. “I will not be held accountable for any illegal activities. Nor do i give a shit how u use it.”

    In the hacking campaigns Proofpoint analyzed, cybercriminals attempted to trick users into downloading and installing Stealerium as an attachment or a web link, luring victims with typical bait like a fake payment or invoice. The emails targeted victims inside companies in the hospitality industry, as well as in education and finance, though Proofpoint notes that users outside of companies were also likely targeted but wouldn’t be seen by its monitoring tools.

    Once it’s installed, Stealerium is designed to steal a wide variety of data and send it to the hacker via services like Telegram, Discord, or the SMTP protocol in some variants of the spyware, all of which is relatively standard in infostealers. The researchers were more surprised to see the automated sextortion feature, which monitors browser URLs for a list of pornography-related terms such as “sex” and “porn,” which can be customized by the hacker, and triggers simultaneous image captures from the user’s webcam and browser. Proofpoint notes that it hasn’t identified any specific victims of that sextortion function, but the existence of the feature suggests it was likely used.

    Andy Greenberg

  • Scammers Will Try to Trick You Into Filling Out Google Forms. Don’t Fall for It

    One of the lesser-known apps in the Google Drive online suite is Google Forms. It’s an easy, intuitive way to create a web form for other people to enter information into. You can use it for employee surveys, for organizing social gatherings, for giving people a way to contact you, and much more. But Google Forms can also be used for malicious purposes.

    These forms can be created in minutes, with clean and clear formatting, official-looking images and video, and—most importantly of all—a genuine Google Docs URL that your web browser will see no problem with. Scammers can then use these authentic-looking forms to ask for payment details or login information.

    It’s a type of scam that continues to spread, with Google itself issuing a warning about the issue in February. Students and staff at Stanford University were among those targeted with a Google Forms link that asked for login details for the academic portal there, and the attack beat standard email malware protection.

    How the Scam Works

    Image caption: Google Forms are quick and easy to put together. (David Nield)

    These scams can take a variety of guises, but they’ll typically start with a phishing email that will try to trick you into believing it’s an official and genuine communication. It might be designed to look like it’s from a colleague, an administrator, or someone from a reputable organization.

    The apparent quality and trustworthiness of this original phishing email is part of the con. Our inboxes are regularly filled with requests to reset passwords, verify details, or otherwise take action. Like many scams, the email might suggest a sense of urgency, or indicate that your security has been compromised in some way.

    Even worse, the instigating email might actually come from a legitimate email address, if someone in your social circle, family, or office has had their account hijacked. In this case you wouldn’t be able to run the usual checks on the sender identity and email address, because everything would look genuine—though the wording and style would be off.

    This email (or perhaps a direct message on social media) will be used to deliver a Google Forms link, which is the second half of the scam. This form will most often be set up to look genuine, and may be trying to spoof a recognized site like your place of work or your bank. The form might prompt you for sensitive information, offer up a link to malware, or feature a phone number or email address to lead you into further trouble.

    David Nield

  • Pig Butchering Scams Are Going High Tech

    As digital scamming explodes in Southeast Asia, including so called “pig butchering” investment scams, the United Nations Office on Drugs and Crime (UNODC) issued a comprehensive report this week with a dire warning about the rapid growth of this criminal ecosystem. Many digital scams have traditionally relied on social engineering, or tricking victims into giving away their money willingly, rather than leaning on malware or other highly technical methods. But researchers have increasingly sounded the alarm that scammers are incorporating generative AI content and deepfakes to expand the scale and effectiveness of their operations. And the UN report offers the clearest evidence yet that these high tech tools are turning an already urgent situation into a crisis.

    In addition to buying written scripts to use with potential victims or relying on templates for malicious websites, attackers have increasingly been leaning on generative AI platforms to create communication content in multiple languages and deepfake generators that can create photos or even video of nonexistent people to show victims and enhance verisimilitude. Scammers have also been expanding their use of tools that can drain a victim’s cryptocurrency wallets, have been manipulating transaction records to trick targets into sending cryptocurrency to the wrong places, and are compromising smart contracts to steal cryptocurrency. And in some cases, they’ve been purchasing Elon Musk’s Starlink satellite internet systems to help power their efforts.

    “Agile criminal networks are integrating these new technologies faster than anticipated, driven by new online marketplaces and service providers which have supercharged the illicit service economy,” John Wojcik, a UNODC regional analyst, tells WIRED. “These developments have not only expanded the scope and efficiency of cyber-enabled fraud and cybercrime, but they have also lowered the barriers to entry for criminal networks that previously lacked the technical skills to exploit more sophisticated and profitable methods.”

    For years, China-linked criminals have trafficked people into gigantic compounds in Southeast Asia, where they are often forced to run scams, held against their will, and beaten if they refuse instructions. Around 200,000 people, from at least 60 countries, have been trafficked to compounds largely in Myanmar, Cambodia, and Laos over the last five years. However, as WIRED reporting has shown, these operations are spreading globally—with scamming infrastructure emerging in the Middle East, Eastern Europe, Latin America, and West Africa.

    Most prominently, these organized crime operations have run pig butchering scams, where they build intimate relationships with victims before introducing an “investment opportunity” and asking for money. Criminal organizations may have conned people out of around $75 billion through pig butchering scams. Aside from pig butchering, according to the UN report, criminals across Southeast Asia are also running job scams, law enforcement impersonation, asset recovery scams, virtual kidnappings, sextortion, loan scams, business email compromise, and other illicit schemes. Criminal networks in the region earned up to $37 billion last year, UN officials estimate. Perhaps unsurprisingly, all of this revenue is allowing scammers to expand their operations and diversify, incorporating new infrastructure and technology into their systems in the hope of making them more efficient and brutally effective.

    For example, scammers are often constrained by their language skills and ability to keep up conversations with potentially hundreds of victims at a time in numerous languages and dialects. However, generative AI developments within the last two years—including the launch of writing tools such as ChatGPT—are making it easier for criminals to break down language barriers and create the content needed for scamming.

    Matt Burgess, Lily Hay Newman

  • Stealthy Malware Has Infected Thousands of Linux Systems for Years

    Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

    After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs that copy, and then terminates the original process and deletes the downloaded binary.

    Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

    The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

    The researchers continued:

    As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.

    All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

    By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

    People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.
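A small triage script for the indicators the story describes, as an added example that is not from the Ars Technica article or from the researchers’ report. It consumes a process listing in a hypothetical "PID COMM EXE" format, which on a live Linux host can be produced with `for p in /proc/[0-9]*; do echo "$(basename $p) $(cat $p/comm) $(readlink $p/exe)"; done`, and flags processes that run from a scratch directory, whose backing binary has been unlinked, or whose name mimics a system process while its executable lives outside the usual system directories. Function names and the sample listing are constructed.

```javascript
// Added example (not from the article or the researchers' report).
// Hypothetical helper names; the sample listing is constructed, not real telemetry.
'use strict';

// Directories from which a legitimately installed daemon normally runs.
const SYSTEM_DIRS = ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/usr/libexec/', '/lib/'];
// World-writable scratch locations the article says the dropper copies itself into.
const SCRATCH_DIRS = ['/tmp/', '/var/tmp/', '/dev/shm/'];
// Names the honeypot sample mimicked (sh, httpd) plus a few common daemons.
const MIMICKED_NAMES = new Set(['sh', 'bash', 'httpd', 'sshd', 'cron', 'crond', 'systemd']);

// Parse one "PID COMM EXE" line. readlink appends " (deleted)" when the file
// backing a running process has been unlinked, which is exactly what the
// article says the malware does after copying itself from memory, so that
// suffix is recorded as a flag instead of being left in the path.
function parseLine(line) {
  const m = /^(\d+)\s+(\S+)\s+(.*)$/.exec(line.trim());
  if (!m) return null;
  let exe = m[3].trim();
  const deleted = exe.endsWith(' (deleted)');
  if (deleted) exe = exe.slice(0, -' (deleted)'.length);
  return { pid: Number(m[1]), comm: m[2], exe, deleted };
}

// Apply the three indicators to one process record.
function reasonsFor(p) {
  const reasons = [];
  if (SCRATCH_DIRS.some((d) => p.exe.startsWith(d))) reasons.push('runs from temp directory');
  if (p.deleted) reasons.push('backing binary deleted');
  const inSystemDir = SYSTEM_DIRS.some((d) => p.exe.startsWith(d));
  if (MIMICKED_NAMES.has(p.comm) && !inSystemDir) {
    reasons.push(`name "${p.comm}" mimics a system process but exe is ${p.exe}`);
  }
  return reasons;
}

// Returns the suspicious entries with their reasons; an empty array when nothing matches.
function findSuspiciousProcesses(listing) {
  return listing.split('\n')
    .map(parseLine)
    .filter(Boolean)
    .map((p) => ({ ...p, reasons: reasonsFor(p) }))
    .filter((p) => p.reasons.length > 0);
}

// Constructed sample listing mirroring the reported behaviour: a payload first
// run from /tmp under the name httpd, then a copy renamed "sh" whose file on
// disk has already been removed, beside ordinary system processes.
const SAMPLE_LISTING = `
1 systemd /usr/lib/systemd/systemd
712 sshd /usr/sbin/sshd
9021 httpd /tmp/httpd
9044 sh /tmp/sh (deleted)
9100 bash /usr/bin/bash
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of findSuspiciousProcesses(SAMPLE_LISTING)) {
    console.log(p.pid, p.comm, p.reasons.join('; '));
  }
}
```

These are heuristics, not a signature: a hit warrants pulling the indicators from the researchers’ post and checking CPU usage during idle periods as the article suggests, and a clean result says nothing about the rootkit components, which by design hide from such listings.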

    This story originally appeared on Ars Technica.

    Dan Goodin, Ars Technica

  • Unbelievable facts

    A malicious ZIP file circulating online is 42 KB compressed but expands to 4.5 petabytes when…

  • Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team

    Russia’s military intelligence agency, the GRU, has long had a reputation as one of the world’s most aggressive practitioners of sabotage, assassination, and cyber warfare, with hackers who take pride in working under the same banner as violent special forces operators. But one new group within that agency shows how the GRU may be intertwining physical and digital tactics more tightly than ever before: a hacking team, which has emerged from the same unit responsible for Russia’s most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.

    A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group known as Cadet Blizzard, Bleeding Bear, or Greyscale—one that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America—is in fact part of the GRU’s Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of two bystanders, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro.

    Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators—distinct from those within other GRU units such as Unit 26165, broadly known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, GRU Unit 29155’s more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia’s February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian.

    Cadet Blizzard’s identification as a part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they weren’t authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved in. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.”

    In addition to the joint public statement revealing Cadet Blizzard’s link to the GRU’s unit 29155, the US Cybersecurity and Infrastructure Security Agency published an advisory detailing the group’s hacking methods and ways to spot and mitigate them. The US Department of Justice indicted five members of the group by name, all in absentia, in addition to a sixth who had been previously charged earlier in the summer without any public mention of Unit 29155.

    “The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” the US Justice Department’s assistant attorney general Matthew G. Olsen wrote in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

    Andy Greenberg

  • Powerful Spyware Exploits Enable a New String of ‘Watering Hole’ Attacks

    In recent years, elite commercial spyware vendors like Intellexa and NSO Group have developed an array of powerful hacking tools that exploit rare and unpatched “zero-day” software vulnerabilities to compromise victim devices. And increasingly, governments around the world have emerged as the prime customers for these tools, compromising the smartphones of opposition leaders, journalists, activists, lawyers, and others. On Thursday, though, Google’s Threat Analysis Group is publishing findings about a series of recent hacking campaigns—seemingly carried out by Russia’s notorious APT29 Cozy Bear gang—that incorporate exploits very similar to ones developed by Intellexa and NSO Group into ongoing espionage activity.

    Between November 2023 and July 2024, the attackers compromised Mongolian government websites and used the access to conduct “watering hole” attacks, in which anyone with a vulnerable device who loads a compromised website gets hacked. The attackers set up the malicious infrastructure to use exploits that “were identical or strikingly similar to exploits previously used by commercial surveillance vendors Intellexa and NSO Group,” Google’s TAG wrote on Thursday. The researchers say they “assess with moderate confidence” that the campaigns were carried out by APT29.

    These spyware-esque hacking tools exploited vulnerabilities in Apple’s iOS and Google’s Android that had largely already been patched. Originally, they were deployed by the spyware vendors as unpatched, zero-day exploits, but in this iteration, the suspected Russian hackers were using them to target devices that hadn’t been updated with these fixes.

    “While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” the TAG researchers wrote. “Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices. Watering holes can still be an effective avenue for … mass targeting a population that might still run unpatched browsers.”

    It is possible that the hackers purchased and adapted the spyware exploits or that they stole them or acquired them through a leak. It is also possible that the hackers were inspired by commercial exploits and reverse engineered them by examining infected victim devices.

    “NSO does not sell its products to Russia,” Gil Lainer, NSO Group’s vice president for global communications, told WIRED in a statement. “Our technologies are sold exclusively to vetted US & Israel-allied intelligence and law enforcement agencies. Our systems and technologies are highly secure and are continuously monitored to detect and neutralize external threats.”

    Between November 2023 and February 2024, the hackers used an iOS and Safari exploit that was technically identical to an offering that Intellexa had first debuted a couple of months earlier as an unpatched zero-day in September 2023. In July 2024, the hackers also used a Chrome exploit adapted from an NSO Group tool that first appeared in May 2024. This latter hacking tool was used in combination with an exploit that had strong similarities to one Intellexa debuted back in September 2021.

    When attackers exploit vulnerabilities that have already been patched, the activity is known as “n-day exploitation,” because the vulnerability still exists and can be abused in unpatched devices as time passes. The suspected Russian hackers incorporated the commercial spyware adjacent tools, but constructed their overall campaigns—including malware delivery and activity on compromised devices—differently than the typical commercial spyware customer would. This indicates a level of fluency and technical proficiency characteristic of an established and well-resourced state-backed hacking group.

    “In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits from [commercial surveillance vendors], Intellexa and NSO Group,” TAG wrote. “We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs.”

    Updated at 2pm ET, August 29, 2024: Added comment from NSO Group.

    Lily Hay Newman

  • A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

    “It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”

    UnDisruptable27 will focus on interacting with communities who aren’t reached by Washington DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.

    “There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact,” says Megan Stifel, IST’s chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”

    Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency was forced to rescind new cybersecurity guidelines for water systems after water companies and Republicans in Congress filed a lawsuit over the initiative.

    “Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’ ” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”

    UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.

    “We must prioritize the security, safety, and resilience of critical infrastructure — including water, health care facilities, and utilities,” Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. “The urgency of this issue requires affecting human behavior through storytelling.”

    Lily Hay Newman

  • Prince George’s Co. police flag scheme involving tech support – WTOP News

    Prince George’s County police are reminding people about what to watch for when it comes to scams, while revealing more about how scammers target victims.

    Scam artists keep getting more sophisticated, and the sheer number of them and the amount of money they’ve taken continues to spike compared to a year ago. That has Prince George’s County police reminding people about what to watch for, while revealing more about how scammers target victims.

    In June, a county resident called police embarrassed to admit she had fallen prey to what’s considered a tech scam. Malware on her computer popped up and told her to call a number because of a virus.

    “The victim called the number and was then connected with three separate individuals who all identified themselves to be working on the victim’s behalf,” said Lt. Joseph Bellino, who leads the police department’s financial crimes division. “First was the tech support scammer, who advised her that he was working to resolve her computer (issues) and requested to remote access into her device.”

    A lot of the time, that malware is in the form of a “pop-up” ad that gives you a number to call, but sometimes it can be embedded in an ad on whatever search engine you use. Police have concerns about how well the links in those ads are vetted by companies that run the search engines.

    “When they ask to remote into your device, what we believe they’re doing is looking at the browsing history of the victim,” said Bellino. “And from that, they’re able to determine the banking institution just from looking at the browsing history. They then bring that information forward, as if it was information that only somebody who knows them would have known, and the victims don’t realize that they’re viewing their browsing history.”

    Bellino said that gives the scammers legitimacy in the eyes of the victim.

    Last month, the scammers then posed as officials with the Social Security Administration, using official letterhead to email a letter as an attachment, since the victim was around the age where they would begin receiving Social Security.

    Bellino said the language in the letter was grammatically weak, as if it was written by someone in a foreign country. But he worries that the use of artificial intelligence will make those letters even more believable in the coming months, while also helping scam artists better disguise their voices.

    In this case, the victim was led to believe her bank account had been hacked and her bank and the federal government were working to limit the damage. She withdrew a large amount of money from her account, thinking she was acting before bad guys on the dark web could steal from her.

    But the man who showed up to help her wasn’t a representative from the bank, and he wasn’t there to help.

    Video shows a man giving her a code word, which had been provided by people she had spoken with on the phone before. Police are hoping someone can help identify him.

    “In recent history, we have had cases where transnational, organized crime groups have had syndicates in our region, groups of individuals who come and do personal courier pickups, who are in communication with the call centers,” Bellino said.

    Between January and August of last year, 13 similar tech scams were reported to police — the financial losses of which totaled $287,000. So far this year, more than 20 such scams have resulted in almost double the amount of losses.

    “Scams of this nature do not get reported to law enforcement; many times, because the victims feel ashamed for the loss and how the crime is perpetrated,” Bellino said. “We urge members of the public, if they have been victimized by tech support scams, please come forward.”

    How are victims found?

    Inadvertently or not, you can make yourself visible to scammers by clicking on a malicious ad or link. But with all the calls, text messages and emails you get from these scammers every day, the reality is that there is a huge list of potential victims, and your name is probably on it.

    “Information is sold on the dark web,” Bellino said. “From what we see, some of our victims are middle aged and younger, but many of them are older adults, who are more prone to respond and answer (to these scams).”

    “When they’re making a phone call, they have information on their end of who they’re contacting, potentially who their relatives could be, an idea of maybe the value of their home,” Bellino added. “You have to believe that all this information is out there. And so, when they’re making contact with their victims, they already are holding information that the victim thinks may be private.”

    Once scammers get a response from you, Bellino said, it becomes “psychological warfare”: the goal is always to keep you in fear about what could happen. The easiest way to avoid becoming a victim is to not answer calls or text messages from numbers you don’t recognize. Likewise, never call a number shown in a pop-up ad.

    “It’s difficult as the population ages and the mental capacities of older adults diminishes on all of us,” Bellino said. “We see that the targeting by these criminal groups is only going to increase.”


    © 2024 WTOP. All Rights Reserved.

    John Domen

  • How Infostealers Pillaged the World’s Passwords


    These platforms take cues in how they are designed and marketed from legitimate information and ecommerce services. Many markets and forums charge a subscription fee to access the platform and then have different pricing structures for data depending on how valuable it might be. Currently, Gray says, Russian Market has so much stolen data available from infostealers that it has been charging a low flat rate, typically no more than $10, for any subset of data users want to download.

    “Organizations have become very good with their security, and people have also gotten more savvy, so they’re not the best targets now,” for traditional tailored attacks, Gray says. “So attackers need something that’s less targeted and more based on what they can make use of. Infostealers are modular and often sold on a subscription basis, and that evolution probably aligns with the rise of modern subscription services like video streaming.”

    Infostealers have been especially effective with the rise of remote and hybrid work, as companies adapt to employees accessing work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to opportunistically compromise individuals on, say, their home computers and still end up with corporate access credentials, because the person was logged into some of their work systems as well. It also makes it easier for infostealing malware to get around corporate protections, even on enterprise devices, if employees are able to have their personal email or social media accounts open.

    “I started paying attention to this once it became an enterprise problem,” Mandiant’s Carmakal says. “And particularly around 2020, because I started seeing more intrusions of enterprises first starting from compromises of home computers—through phishing of people’s Yahoo accounts, Gmail accounts, and Hotmail accounts that were totally unrelated to any enterprise targeting, but to me look very opportunistic.”

    Victoria Kivilevich, director of threat research at security firm KELA, says that in some instances criminals can use cybercrime markets to search for the domain of potential targets and see if any credentials are available. Kivilevich says the sale of infostealer data can be considered as the “supply chain” for various types of cyberattacks, including ransomware operators looking for the details of potential victims, those involved in business email compromise, and even initial access brokers who can sell the details along again to other cybercriminals.

    On various cybercrime marketplaces and on Telegram, Kivilevich says, more than 7,000 compromised credentials linked to Snowflake accounts have been shared. In one instance, a criminal has been touting access to 41 companies from the education sector; another cybercriminal claims to be selling access to US companies with revenues between $50 million and $8 billion, according to Kivilevich’s analysis.

    “I don’t think there was one company that came to us and had zero accounts compromised by infostealer malware,” Kivilevich says of the threat that infostealer logs provide to businesses, with KELA saying infostealer-related activity jumped in 2023. Irina Nesterovsky, KELA’s chief research officer, says millions of credentials have been collected by infostealing malware in recent years. “This is a real threat,” Nesterovsky says.

    Carmakal says there are multiple steps companies and individuals can take to protect themselves from the threat of infostealers and their aftereffects, including using antivirus or EDR products to detect malicious activity. Companies should be strict on enforcing multifactor authentication across their users, he says. “We try to encourage people to not synchronize passwords on their corporate devices with their personal devices,” Carmakal adds.
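    The two practical points above, searching infostealer logs for an organisation’s own domains (Kivilevich) and not sharing passwords between personal and corporate accounts (Carmakal), can be turned into a defender-side triage step. The following is an added example, not code from KELA, Mandiant or this article: it parses a constructed stealer dump in the common “URL / USER / PASS” block layout plus a Netscape-format cookie file, flags any credential or still-valid session cookie that touches a domain the organisation owns, and marks corporate passwords that also appear on non-corporate sites. The layouts, domains, accounts and timestamps are all assumptions made for the example.

```python
"""Triage a (constructed) infostealer log against the domains an organisation owns.

Added example. The password-block and Netscape cookie layouts approximate what
common stealer families dump; OWNED_DOMAINS, the accounts and the timestamps are
invented for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Domains the defending organisation owns or signs in through (hypothetical).
OWNED_DOMAINS = {"example-corp.com", "okta-example.com"}

# Constructed sample in the "passwords.txt" style many stealers use.
PASSWORD_DUMP = """URL: https://sso.okta-example.com/login
USER: jdoe@example-corp.com
PASS: Winter2024!

URL: https://mail.yahoo.com/
USER: jdoe1987@yahoo.com
PASS: Winter2024!

URL: https://github.com/login
USER: jdoe-dev
PASS: hunter2
"""

# Constructed Netscape cookie lines: domain, flag, path, secure, expiry, name, value.
COOKIE_DUMP = """.okta-example.com\tTRUE\t/\tTRUE\t1735689600\tsid\t8f3c2a
.okta-example.com\tTRUE\t/\tTRUE\t1600000000\told_sid\tstale
.github.com\tTRUE\t/\tTRUE\t1735689600\tuser_session\tdeadbeef
"""


@dataclass(frozen=True)
class Finding:
    kind: str               # "password" or "cookie"
    host: str
    account: str            # username, or cookie name for a session
    action: str
    reused_elsewhere: bool = False


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com-style names used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_passwords(text: str) -> list[dict]:
    """Split URL/USER/PASS blocks separated by blank lines into dicts."""
    entries, block = [], {}
    for line in text.splitlines():
        m = re.match(r"^(URL|USER|PASS):\s*(.*)$", line)
        if m:
            block[m.group(1)] = m.group(2).strip()
        elif not line.strip() and block:
            entries.append(block)
            block = {}
    if block:
        entries.append(block)
    return entries


def parse_cookies(text: str) -> list[dict]:
    """Parse Netscape cookie-file lines; skip comments and malformed rows."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _flag, _path, _secure, expiry, name, value = parts
        cookies.append({"domain": domain, "expiry": int(expiry), "name": name, "value": value})
    return cookies


def triage(password_dump: str, cookie_dump: str, owned: set[str], now: int) -> list[Finding]:
    """Return the corporate-relevant findings in a stealer log."""
    findings = []
    entries = parse_passwords(password_dump)
    # Passwords the victim used on sites the organisation does not own; a corporate
    # password that also appears here is the personal/corporate bleed-over to look for.
    foreign_passwords = {
        e["PASS"] for e in entries
        if registered_domain(urlsplit(e["URL"]).hostname or "") not in owned
    }
    for e in entries:
        host = urlsplit(e["URL"]).hostname or ""
        if registered_domain(host) in owned:
            findings.append(Finding("password", host, e["USER"],
                                    "force password reset",
                                    reused_elsewhere=e["PASS"] in foreign_passwords))
    for c in parse_cookies(cookie_dump):
        # A session cookie that has not expired lets the buyer skip the login (and MFA).
        if registered_domain(c["domain"]) in owned and c["expiry"] > now:
            findings.append(Finding("cookie", c["domain"], c["name"], "revoke session"))
    return findings


if __name__ == "__main__":
    for f in triage(PASSWORD_DUMP, COOKIE_DUMP, OWNED_DOMAINS, now=1_700_000_000):
        print(f)
```

    Run against the constructed dump with `now` set to a time before the cookie’s expiry, the triage reports one corporate credential (with the reuse flag set, because the same password was saved for a Yahoo account) and one live SSO session cookie to revoke; the expired cookie and the non-corporate logins are ignored. Resetting the password alone would not close the cookie finding, which is why the two actions are kept separate.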

    The use of infostealers has been working so well that it is all but inevitable that cybercriminals will look to replicate the success of compromise sprees like Snowflake and get creative about other enterprise software services that they can use as entry points for access to an array of different customer companies. Carmakal warns that he expects to see this result in more breaches in the coming months. “There’s no ambiguity about this,” he says. “Threat actors will start hunting for infostealer logs, and looking for other SaaS providers, similar to Snowflake, where they log in and steal data, and then extort those companies.”

    Lily Hay Newman, Matt Burgess

  • Notorious Hacker Kingpin ‘Tank’ Is Finally Going to Prison


    For more than a decade, Vyacheslav Igorevich Penchukov—a Ukrainian who used the online hacker name “Tank”—managed to evade cops. When FBI and Ukrainian officials raided his Donetsk apartment in 2010, the place was deserted and Penchukov had vanished. But the criminal spree came to a juddering halt at the end of 2022, when he traveled to Switzerland, was arrested, then was extradited to the United States.

    Today, at a US federal court in Lincoln, Nebraska, a judge sentenced Penchukov to two concurrent nine-year sentences, after he pleaded guilty to two charges of conspiracy to participate in racketeering and a conspiracy to commit wire fraud. United States District Judge John M. Gerrard also ordered Penchukov to pay more than $73 million, according to court records. The court also ordered three years of supervised release for each count and said they should run concurrently.

    Both charges carried a maximum sentence of up to 20 years each. According to court documents, however, the US government and Penchukov’s lawyers both requested a less severe sentence following him signing a plea agreement in February. It is unclear what the terms of the plea deal include. At the time, documents show, Penchukov could also face having to repay up to $70 million—less than the combined amount he’s ordered to pay in restitution and forfeited funds. “I understand this, but I don’t have such amounts of money,” he said in court earlier this year.

    The US prosecution of Penchukov—who has been on the FBI’s “most wanted” cyber list for more than a decade—is a rare blow against one of the most well-connected leaders of a prolific 2010s cybercrime gang. It also highlights the ongoing challenges Western law enforcement officials face when taking action against Eastern European cybercriminals—particularly those based in Russia or Ukraine, which do not have extradition agreements with the US.

    Ahead of the sentencing, the Department of Justice refused to comment on the case, and the FBI and Penchukov’s lawyers did not respond to WIRED’s requests for comment.

    When the Ukrainian pleaded guilty in February—a number of charges were dropped after he signed the plea agreement—he admitted that, starting in 2009, he was one of the leaders of the Jabber Zeus hacking group, which used the Zeus malware to infect computers and steal people’s bank account information. The group used the details to log in to accounts, withdraw money, and then send it to various money mules—stealing tens of millions from small US and European businesses.

    “The defendant played a crucial role, a leadership role, in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules,” prosecutors said in court earlier this year. They would steal thousands from victim companies, often draining their accounts.

    Penchukov, who was also a well-known DJ in Ukraine, further admitted to a key role organizing the IcedID (also known as Bokbot) malware, which collected victims’ financial details and allowed ransomware to be deployed on infected systems. He was involved from November 2018 to at least February 2021, officials say. Investigators found he kept a spreadsheet detailing the $19.9 million income IcedID made in 2021.

    Matt Burgess

  • The $11 Billion Marketplace Enabling the Crypto Scam Economy


    That public nature of the criminal transactions is all the more shocking given that Huione Guarantee is operated by Huione Group, a Cambodian financial conglomerate that includes a company linked to the family of Cambodia’s prime minister, Hun Manet. One of the group’s directors, in fact, is Hun To, the prime minister’s cousin, who has been linked in an Al Jazeera investigation to an alleged scam compound reportedly owned by Heng He, a Cambodian conglomerate owned by two Chinese nationals.

    Crypto scam researchers say that Huione Guarantee, despite its size, is just one of many money laundering methods that pig butcherers use. Given that much of the pig butchering ecosystem has ties to Chinese organized crime, pig butchering revenue is often laundered in a decentralized way by convincing individual Chinese citizens to accept and hand off cryptocurrency through their personal Alipay accounts for a small fee, notes Gary Warner, director of intelligence at cybersecurity firm DarkTower. Markets like Huione Guarantee, however, offer a path for scammers who don’t already have a laundering network they can rely on or who need to diversify their options for liquidating funds.

    [Image: A listing on Huione Guarantee for electrified GPS-tracking shackles for detaining enslaved scam laborers. Courtesy of Elliptic]

    It’s perhaps no surprise that Huione Guarantee began operating in 2021, given that crypto scams surged during the Covid-19 pandemic. Sophos’ Gallagher notes that in Cambodia, pig butchering operations are largely run out of hotels and resorts that struggled with plummeting tourism in 2020 and 2021. “They were financed heavily or outright owned by Chinese companies in connection with special economic zones and other development tied to Belt and Road,” he says. Gallagher’s research indicates that laborers working on pig butchering in Cambodia—often against their will—are typically not citizens but have come from the surrounding region. “These facilities follow the same playbook as far as taking people’s passports and then using electrical shocks, cattle prods, and other physical punishment for not following the rules.”

    As disturbing as it may be that a service enabling billions of dollars annually in crypto scam industry transactions is being run in the open—and with links to one of Cambodia’s most powerful families—Elliptic’s Robinson suggests that brazenness offers an opportunity to disrupt a keystone of that criminal industry: He proposes international sanctions targeting Huione’s leadership.

    “This has the hallmarks of a darknet marketplace, but it’s run by a large Cambodian conglomerate, which has documented links to the ruling family there,” Robinson argues. “There is surely scope to impose sanctions on a business such as this, to hinder this type of marketplace from operating.”

    Andy Greenberg, Lily Hay Newman

  • Hackers Leaking Taylor Swift Tickets? Don’t Get Your Hopes Up


    Proton, the company behind Proton Mail, launched an end-to-end encrypted alternative to Google Docs, seeking to compete with the cloud giant on privacy. We broke down how Apple is taking a similar approach with its implementation of AI, using a system it calls Private Cloud Compute in its new Apple Intelligence features.

    In other news, we dug into how the US bans on TikTok and Kaspersky software, despite their national security justifications, pose a threat to internet freedom. We went inside a crash course for US diplomats on cybersecurity, privacy, surveillance, and other digital threats. And we published an in-depth investigation into the origins of the world’s most popular 3D-printed gun, which revealed that its creator was a self-described “incel” with fantasies of right-wing terror.

    But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

    The giant hack against Ticketmaster may have taken another twist. In June, criminal hackers claimed they had stolen 560 million people’s information from the ticketing company owned by Live Nation. The company has since confirmed a breach, saying its information was taken from its Snowflake account. (More than 165 Snowflake customers were impacted by attacks on the cloud data platform that exploited stolen login details and a lack of multi-factor authentication on the affected accounts.)

    Now in a post on cybercrime marketplace BreachForums, a hacker going by the name of Sp1d3rHunters is threatening to publish more data from Ticketmaster. The account claims to be sharing 170,000 ticket barcodes for upcoming Taylor Swift gigs in the US during October and November. The hacker demanded Ticketmaster “pay us $2million USD” or it will leak “680 million” users’ information and publish millions more event barcodes, including for concerts by artists such as Pink and Sting, and sporting events such as NFL games and F1 races.

    The claims appear to be dubious, however, as Ticketmaster’s barcodes aren’t static, according to the company. “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” a Ticketmaster spokesperson tells WIRED in a statement. The spokesperson adds that the company has not paid any ransom or engaged with the hackers’ demands.
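    The reason a rotating barcode blunts a leaked dump is worth making concrete. The following is an added example, not Ticketmaster’s code and not a description of SafeTix, whose design is not public: it uses a generic TOTP-style construction in which each barcode is an HMAC of the ticket ID and the current time window under a per-ticket secret that lives in the holder’s app, so a snapshot of the barcode stops validating once the window has passed and reveals nothing that lets an attacker mint the next one. `STEP_SECONDS`, `TICKET_SECRET` and the ticket IDs are assumptions. The static-barcode functions at the end show the design a stolen dump would actually defeat.

```python
"""Rotating vs. static ticket barcodes: why a leaked snapshot loses value.

Added example using a generic TOTP-style scheme (the RFC 6238 idea); it is not
Ticketmaster's SafeTix. The secret, interval and ticket IDs are made up.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 15                                   # assumed rotation interval
TICKET_SECRET = b"per-ticket-secret-from-issuer"    # assumed: provisioned to the holder's app, never printed


def rotating_code(secret: bytes, ticket_id: str, now: int, step: int = STEP_SECONDS) -> str:
    """Barcode payload for this ticket in the time window containing `now`."""
    counter = now // step
    msg = ticket_id.encode() + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation to a 31-bit integer, rendered as 8 digits.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{ticket_id}:{code % 10**8:08d}"


def verify(secret: bytes, barcode: str, now: int,
           step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the barcode if it matches the current window or one adjacent window
    (clock skew between phone and scanner); anything older is a replay."""
    ticket_id, _, _ = barcode.partition(":")
    for drift in range(-window, window + 1):
        t = now + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(rotating_code(secret, ticket_id, t, step), barcode):
            return True
    return False


def static_barcode(ticket_id: str) -> str:
    """The design a leaked dump does hurt: the barcode is a fixed identifier."""
    return ticket_id


def verify_static(barcode: str, valid_ids: set[str]) -> bool:
    return barcode in valid_ids


def replay_outcome(secret: bytes, ticket_id: str, leaked_at: int, used_at: int) -> bool:
    """Does a barcode captured at `leaked_at` still scan at `used_at`?"""
    snapshot = rotating_code(secret, ticket_id, leaked_at)
    return verify(secret, snapshot, used_at)


if __name__ == "__main__":
    t0 = 1_000_000
    print("same window:", replay_outcome(TICKET_SECRET, "TKT-0001", t0, t0 + 5))
    print("three hours later:", replay_outcome(TICKET_SECRET, "TKT-0001", t0, t0 + 3 * 3600))
    print("static barcode, any time:", verify_static(static_barcode("TKT-0001"), {"TKT-0001"}))
```

    A snapshot taken at `t0` scans a few seconds later but not hours later, and changing the ticket ID in the snapshot invalidates it because the ID is part of the MAC input; the static barcode, by contrast, is valid whenever it is presented. This is the property the Ticketmaster statement is relying on, and it holds only as long as the per-ticket secret itself was not in what the attackers took.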

    Hacker groups are known to lie, exaggerate, and overinflate their claims as they try to get victims to pay. The 680 million customers that Sp1d3rHunters claimed to have data on is higher than the original figure provided when the Ticketmaster breach was first claimed, and neither number has been confirmed. Even if victims do decide to pay, hackers can still keep the data and try to extort companies for a second time.

    Despite the breach at Ticketmaster originally being publicized in June, the company has only recently begun emailing customers alerting them to the incident, which happened between April 2 and May 18 this year. The company says the database accessed may include emails, phone numbers, encrypted credit card information, and other personal information.

    In recent years, there’s been a sharp uptick in cybercriminals deploying infostealers. This malware can grab the login and financial details that someone enters or has saved on their machine, which hackers then sell to others who want to exploit the information.

    Cybersecurity researchers at Recorded Future have now published proof-of-concept findings showing these stolen login details can be used to potentially track down people visiting dark-web child sexual abuse material (CSAM) sites. Within infostealer logs, the researchers say they were able to find thousands of login details for known CSAM websites, which they could then cross-reference with other details and identify the potential real-world names connected to the abusive website logins. The researchers reported details of individuals to law enforcement.

    Matt Burgess, Andy Greenberg