
Cybercriminals Steal Thousands of Guest ID Documents from Italian Hotels

Thousands of travellers have been left vulnerable to further attacks after a sweeping cyberattack breached hotel systems across Italy. Identity documents stolen from those systems are now circulating on underground forums. The government's Agency for Digital Italy (CERT-AGID) has confirmed the breach, which it describes as among the most significant data security incidents to hit the country's tourism industry in recent years.

According to an FBI report, a hacker using the alias "mydocs" is suspected of gaining access to hotel reservation platforms between June and August and downloading high-resolution copies of passports, identification cards, and other identity documents collected at guest check-in. The hacker has been selling more than 90,000 documents in total on well-known cybercrime forums, spread across several batches.

Hotels and Guests Caught Off Guard

Ten hotels have so far been confirmed as affected, but officials warn that the number may grow as the investigation continues. CERT-AGID has already intercepted at least one attempt to resell the data, which suggests that much of the information on offer is genuine rather than exaggerated, as is often the case in cybercriminal circles. Passports and national identification cards are of particular value because of their potential for abuse.

There is a possibility that fraudsters can exploit this information to create false identities, open accounts with banks, or launch sophisticated social engineering attacks in an effort to fool the victim into divulging even more personal information. It is stated in the CERT-AGID public advisory that the possible consequences for those affected are "serious, both legally and financially." 

The Scale of the Breach

The scope of the breach raises questions about how much guest information hotels keep, and for how long. Although the incidents are believed to have occurred between June and July, investigators cannot rule out that years of archived guest scans were exposed. If so, the number of affected travellers would be far higher than the tens of thousands confirmed so far.

The Ca’ dei Conti, a four-star hotel in Venice, has been reported as one of the targeted properties. According to Corriere del Veneto, as many as 38,000 guest records were taken from this hotel alone, illustrating the scale of the attack. The stolen data is reportedly offered for sale on the dark web at prices ranging from $937 to $11,714 per tranche, depending on the size and type of the data.

A Familiar Target for Cybercriminals 

There has been a troubling pattern of attacks in the hospitality sector for some time now. As a result of collecting a combination of financial and identity data from millions of guests each year, hotels have always been a target for hackers. Due to their old IT systems, fragmented digital platforms, and global nature, they are a relatively easy target and high in value. 

In April of this year, CERT-AGID interrupted a separate smishing campaign aimed at stealing Italian citizens' identification documents. The attackers asked victims to send selfies holding their identification cards, which increases the value of the stolen credentials for fraud and impersonation schemes. That campaign and the hotel breaches are unrelated operations, yet both emerged within a few months, demonstrating the growing demand for identity data on criminal markets.

How the Data Can Be Abused

Cybersecurity experts warn that stolen identity scans can be reused in ways travellers might not anticipate. Beyond the obvious risks of someone opening a bank account or applying for a loan in their name, criminals can use the scans to rent properties, commit tax fraud, or circumvent online identity checks. Combined with other leaked information, such as email addresses and telephone numbers, these documents can form the basis of long-term fraud campaigns.

The authorities are warning anyone who stayed in an Italian hotel over the summer to keep an eye out for red flags such as credit inquiries, unusual account activity, or unsolicited bank correspondence. It is not uncommon for the first signs of misuse to emerge weeks or even months after the initial breach has taken place. 

Industry Response and Urgency 

It has been urged that hotels and other organisations that handle identity information take immediate steps to strengthen their defences. In the agency's advisory, it was stressed that businesses had to go beyond simply complying with data processing laws, and should adopt robust digital security practices, from encrypted storage to stronger authentication protocols as well as regular audits of their systems. 

The increase in illicit identity document sales confirms that increased awareness and protective measures should be taken by both the organisations that manage them and the citizens themselves, according to a statement released by the agency. Italy, where tourism is a significant part of its national economy, faces both economic and reputational risks as a consequence of the incident. 

There are millions of visitors who each year submit sensitive information to websites in the hope that their privacy will be protected. Experts warn, however, that if breaches of this scale continue, it will have a long-term impact on public trust in the industry. 

A Warning for the Global Hospitality Industry

The "mydocs" case is a wake-up call not only for Italy but for the entire international hotel industry. Hotels around the world have adopted digital check-in and automated identity verification tools, often without the security measures needed to protect the sensitive data those tools collect.

As investigators continue to uncover the extent of this breach, it is becoming increasingly clear that cybersecurity must now take precedence in an industry where efficiency and convenience often dominate. Without stronger protection, hotels risk becoming prime hunting grounds for identity thieves, leaving guests to pay the price long after they have checked out.

For Italy's hotel businesses, the breach is more than a cautionary tale. It is also an opportunity to reevaluate their approach to digital trust. Maintaining guests' confidence has become increasingly important in an age where privacy and security are key components of customer expectations, while hotels and tourism operators must also meet regulatory requirements.

Providing a high-quality service to guests must include a strong emphasis on cybersecurity, just as much as comfort and convenience. Investing in stronger encryption, secure data storage, periodic penetration testing, and employee awareness programs can considerably reduce risk, and partnering with cybersecurity firms can add a further layer of protection.

Guests, too, can take steps to protect themselves against identity misuse: monitoring their credit reports, using identity protection services, and limiting the documents they share at check-in to those that are actually required. The headlines of this incident emphasise the alarming reality of stolen identities, but if it prompts meaningful change, its legacy may be one of resilience.

Taking decisive action now could not only enable Italy's hospitality sector to recover from this blow but also be a driving force in setting a new benchmark for digital safety in global tourism in the future.

Croatia’s Largest Research Institute Hit by Ransomware in Global ToolShell Exploits

The Ruđer Bošković Institute (RBI) in Zagreb, Croatia’s biggest science and technology research center, has confirmed it was one of thousands of organizations worldwide targeted in a massive cyberattack exploiting Microsoft SharePoint’s “ToolShell” security flaws.

The incident occurred on Thursday, July 31, 2025, and resulted in ransomware being installed on parts of the Institute’s internal network. According to RBI’s statement, the affected systems were linked to its administrative and support operations, with attackers encrypting documents and databases to block access.


Refusing to Pay the Hackers

Unlike some victims, RBI has stated it will not pay the ransom. Instead, the Institute plans to follow strict security protocols, restore affected systems from backups, and upgrade its infrastructure to meet modern cybersecurity standards.

Past reports indicate that the ToolShell vulnerabilities have been used to spread two strains of ransomware, Warlock and 4L4MD4R, but RBI has not yet confirmed which variant hit its systems.


Restoration Underway

Recovery work is ongoing, with some systems already back online. Email services were restored the Friday after the attack, and the Institute is slowly bringing other parts of its network back into operation. A completely new IT system is also being built to improve defenses and reduce future risks.

The response involves not just RBI’s internal team but also the Ministry of the Interior, Croatia’s national CERT, and other cybersecurity agencies. A detailed forensic investigation is still in progress.


Possible Data Exposure

It’s still unclear whether the attackers accessed personal information. Croatia’s Personal Data Protection Agency has been notified, and the Institute has pledged to act in line with GDPR rules if any breach of personal data is confirmed.

As a precaution, RBI’s data protection officer has already warned staff that some sensitive information, such as personal ID numbers, addresses, financial reimbursements, and other records may have been stolen. Employees were advised to stay alert for phishing emails pretending to be from the Institute or official authorities.


Part of a Global Problem

RBI is one of at least 9,000 institutions worldwide affected by attacks using the same ToolShell vulnerabilities. These flaws in Microsoft SharePoint have become a major cybercrime tool, enabling hackers to infiltrate networks, steal or lock data, and demand large ransom payments.

While the Institute continues its recovery, the attack is a reminder that even highly respected research organizations can be vulnerable, and that refusing to pay ransom demands can be both a security stance and a financial gamble.

How to Protect Your Small Business from Cyber Attacks

October is international cybersecurity awareness month, a time when small businesses across Australia once again prepare to defend themselves against malicious campaigns. Cybercrime is growing both in Australia and around the world, and one group is targeted more often than any other: smaller businesses. Below is basic information every small business owner should know in order to strengthen their position.

Protect yourself from Phishing and Scamming.

One of the most dangerous threats that small businesses are exposed to today is phishing. Here, attackers pose as trusted sources to dupe people into clicking on malicious links or sharing sensitive information. According to Mark Knowles, General Manager of Security Assurance at Xero, cyber criminals have different forms of phishing, including "vishing," which refers to voice calls, and "smishing," which refers to text messages. The tactics of deception encourage users to respond to these malicious messages, which brings about massive financial losses.

Pausing to think before responding to an unfamiliar message or link is the simplest counter to phishing. Taking a moment to judge whether a message looks suspicious can avert the worst outcomes; Knowles warns that a few extra seconds spent verifying could spare a business an expensive error.

Prepare for Emerging AI-driven Threats Like Deepfakes

The emergence of AI has provided new complications to cybersecurity. Deepfakes, the fake audio and video produced using AI, make it increasingly difficult for people to distinguish between what is real and what is manipulated. It can cause critical problems as attackers can masquerade as trusted persons or even executives to get employees to transfer money.

Knowles cites a case in Hong Kong where the technology was used to cheat a finance employee out of $25 million. The case highlights the need to verify identities in such high-pressure situations; even a phone call can save someone from becoming a victim of this highly sophisticated fraud.

Develop a Culture of Cybersecurity

Even in a small team, a security-aware culture is an excellent line of defence. Small business owners can hold regular sessions with their teams to analyse examples of attempted phishing and discuss how to recognise threats. Such collective confidence and knowledge make everyone more alert and watchful.

Knowles further recommends that you network with other small business owners within your region and share your understanding of cyber threats. Having regular discussions on common attack patterns will help businesses learn from each other's experiences and build collective resilience against cybercrime.

Develop an Incident Response Plan for Cyber

Small businesses typically don't have dedicated IT departments. However, that does not mean they can't prepare for cyber incidents. A simple incident-response plan is crucial. This should include the contact details of support: trusted IT advisors or local authorities such as CERT Australia. If an attack locks down your systems, immediate access to these contacts can speed up recovery.

Besides, a "safe word" that will be used for communication purposes can help employees confirm each other's identities in such crucial moments where even digital impersonation may come into play.

Don't Let Shyness Get in Your Way

Embarrassment often keeps organisations from disclosing an attack, which leaves them open to being hit by the same criminals again and again. Knowles encourages any affected organisation to report suspected scams immediately to its bank, the government, or experienced advisors in order to limit future ramifications for the firm. Communicating the threat is very beneficial for mitigating damage; if nothing is said, the chances of stopping a further blow to the firm are slim.

Making use of local networks is beneficial. Open communication makes the difference in acting quickly and staying well informed, building a more resilient and proactive approach to cybersecurity.


PUMA Network: Unmasking a Cybercrime Empire

A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.

Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.

Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.

Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.

The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.

Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:

  • Be wary of clicking on links in emails, social media posts, and other messages from unknown senders.
  • If you are unsure whether a link is safe, hover over it with your mouse to see the full URL. If the URL looks suspicious, do not click on it.
  • Use a security solution that can detect and block malicious links.
  • Keep your web browser and operating system up to date with the latest security patches.

The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.

Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.

The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.

Ransomware Targeting VMware ESXi Servers Rises

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-support or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).

The OpenSLP service contains a heap overflow bug, tracked as CVE-2021-21974 in the CVE database, that unauthenticated attackers can exploit in low-complexity attacks. As per CISA, 3,800 VMware ESXi servers around the world have reportedly been compromised, potentially rendering any running VMs unusable.

CERT-FR strongly advises applying the patch as soon as feasible, and adds that systems that were left unpatched should be checked for indicators of compromise.

The ESXiArgs ransomware appears to have begun attacking servers in Europe around February 3 and has since moved on to North America. According to the French computer emergency response team (CERT-FR), organizations should isolate impacted servers, reinstall ESXi 7.x or ESXi 8.x in a supported version, and apply all available patches.

Updated ESXiArgs Ransomware

On infected ESXi hosts, the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and produces a .args file containing metadata for each encrypted file.

The research shows that ESXiArgs is based largely on stolen Babuk source code, which has previously been used by other ESXi ransomware attacks, including CheersCrypt and the PrideLocker encryptor from the Quantum/Dagon group. It is unclear whether this is a new variety or simply a shared Babuk codebase because the ransom notes for ESXiArgs and Cheerscrypt are quite similar but the encryption technique is distinct.

CISA and the FBI urged owners of VMware ESXi servers to upgrade them to the most recent version, harden ESXi hypervisors by turning off the SLP service, and make sure the ESXi hypervisor is not reachable from the open internet.
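The CERT-FR recommendation to check unpatched hosts for indicators of compromise can be turned into a simple datastore sweep using the artefacts described above. This is an added example, not code from the CISA/FBI advisory, CERT-FR or VMware; it assumes the side-car is named by appending ".args" to the encrypted file's name, and the demo directory it scans is constructed.

```python
"""Sweep a datastore tree for ESXiArgs encryption artefacts.

Added example; it is not from the CISA/FBI advisory, CERT-FR or VMware.  It
looks for the ".args" side-car files the ransomware writes next to each
encrypted VM file and reports which VM files (by the extensions named above)
appear to have been encrypted.  Point it at a datastore path such as
/vmfs/volumes/<datastore>; the built-in demo uses a constructed directory.
"""
import os
import tempfile

# File types ESXiArgs is reported to encrypt, and the side-car it leaves behind.
TARGET_EXTENSIONS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
SIDECAR_SUFFIX = ".args"


def find_esxiargs_indicators(root):
    """Return one record per ".args" side-car found under ``root``.

    path     - the VM file the side-car refers to (side-car name minus ".args")
    targeted - True if that file has an extension ESXiArgs is known to encrypt
    present  - True if the referenced file still exists on disk
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SIDECAR_SUFFIX):
                continue
            original = name[: -len(SIDECAR_SUFFIX)]
            original_path = os.path.join(dirpath, original)
            _, ext = os.path.splitext(original)
            findings.append({
                "path": original_path,
                "targeted": ext.lower() in TARGET_EXTENSIONS,
                "present": os.path.exists(original_path),
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def summarize(findings):
    """Group affected file names per VM directory so each VM can be isolated."""
    per_vm = {}
    for f in findings:
        per_vm.setdefault(os.path.dirname(f["path"]), []).append(
            os.path.basename(f["path"]))
    return per_vm


def _write(path, content):
    with open(path, "wb") as fh:
        fh.write(content)


def build_demo_datastore():
    """Constructed sample tree: one VM hit by ESXiArgs, one clean VM, and one
    stray ".args" file whose base name is not a VM file type."""
    root = tempfile.mkdtemp(prefix="datastore_demo_")
    hit = os.path.join(root, "vm-finance")
    clean = os.path.join(root, "vm-build")
    os.makedirs(hit)
    os.makedirs(clean)
    for fname in ("vm-finance.vmx", "vm-finance.vmdk", "vm-finance.nvram"):
        _write(os.path.join(hit, fname), b"ENCRYPTED-PLACEHOLDER")
        _write(os.path.join(hit, fname + SIDECAR_SUFFIX), b"key metadata\n")
    # Side-car left behind after its original file was deleted.
    _write(os.path.join(hit, "vm-finance.vmsd" + SIDECAR_SUFFIX), b"meta\n")
    _write(os.path.join(clean, "vm-build.vmx"), b'config.version = "8"\n')
    _write(os.path.join(clean, "vm-build.vmdk"), b"KDMV")
    _write(os.path.join(clean, "readme.txt" + SIDECAR_SUFFIX), b"not a VM file\n")
    return root


if __name__ == "__main__":
    hits = find_esxiargs_indicators(build_demo_datastore())
    for vm_dir, files in summarize(hits).items():
        print(f"{vm_dir}: {len(files)} side-car(s): {', '.join(sorted(files))}")
    if not hits:
        print("no ESXiArgs side-car files found")
```

A side-car whose base file is still present is the strongest sign of an encrypted VM file; a side-car with no base file or a non-VM extension still merits a look, but may be leftover from cleanup.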

Defending Data Breaches Through Cybersecurity

This year the government has been working on a cybersecurity strategy that aims to thwart the risk of data breaches, which has been considered a top priority since 2020. In light of a series of ransomware attacks concerning critical data that may have been compromised in recent months, experts and officials view these measures as imperative to protect against such attacks. 

In the last couple of months, attacks have been reported on Solar India Industries Limited, a supplier of defense-related equipment, and on the All India Institute of Medical Sciences (AIIMS), a leading research and healthcare organization in the country.

One of the strategies is to assess the severity of several vertical segments of data breaches, according to a person familiar with the matter. As part of these mitigation measures, a national threat intelligence exchange is being set up. A malware repository is being created. Baseline audits are being conducted, and awareness events such as Cyber Week are being planned. 

There is a three-pronged strategy centered on people, processes, and technology. The people vertical, for example, covers training more cybersecurity professionals and expanding cyber hygiene education.

For processes, the document recommends a plan for managing cybercrime crises, a standard operating procedure, and a privilege system to ensure that users are given only the minimum access they need.

On the technology side, it calls for firewalls, intrusion prevention systems, behavioral analysis tools, network segmentation, and offline backups.

According to one of the officials mentioned above, some of these investment areas have already been taken on by the government. 

Aside from the National Informatics Centre (NIC), the government is also looking to revamp the Department of Information and Communication Technology, which is responsible for storing most of the government's information, as well as providing IT solutions to the government. 

The Indian National Security Council Secretariat has been conceptualizing a policy for the past two years under the leadership of Lieutenant General Rajesh Pant. He is the head of the National Security Council Secretariat. An emerging threat in the technology sector is being addressed through a policy called the National Cyber Security Strategy, 2021. This policy identifies the need for a legislative framework to address this challenge. 

To better protect data and ensure that data breaches are reported and punished, the federal ministry of electronics and information technology is drafting a digital data protection bill to govern the reporting and penalizing of data breaches. The official mentioned above pointed out the need for regular audits to keep data breaches to a minimum, and said that an overarching mechanism is in place to ensure this happens.

According to an answer to a question in parliament, there were 41,378 cyber security incidents in 2017 and 1,267,564 reported in 2022.

In the same reply, the government noted that cyberspace is anonymous and borderless and now incorporates many different types of devices and services, and that technological innovation makes it ever more sophisticated and complex.

CERT-In is a national nodal agency responsible for incident response in the country as well as collecting information on cyber incidents that occur to Indian users. Any data breach affecting Indian users must be reported to the Indian Computer Emergency Response Team. The ministry of electronics and information technology informed Parliament on November 16 that there were a total of 14, 6, and 22 incidents identified between the years 2020, 2021, and 2022 (until November) according to the information reported to CERT-In and tracked by it. 

It was also reported to Parliament that between June 2018 and March 2022, Indian banks reported 248 data breaches that resulted in the leak of card-related information from their systems. 

No National Cyber Security Strategy can be effective without robust resilience measures, in the view of Supreme Court lawyer NS Nappinai, the founder of Cybersaathi. Only such measures can protect us when a black swan event occurs. There have always been and will always be cyber security threats, she explained, but what protects critical infrastructure against attacks is making sure they are anticipated and avoided, and having a recovery plan that is quick and simple.

Take Steps to Protect Your Enterprise Against the Risks

Earlier this month, the Apache Software Foundation announced that its Java-based logging utility Log4j contained a remote code execution vulnerability (CVE-2021-44228). MITRE rated it a critical severity vulnerability with a CVSS score of 10 out of 10. Shortly after the Log4j patch was released, the vulnerability was being exploited in the wild.

Consequently, several governmental cybersecurity organizations throughout the world, including the United States Cybersecurity and Infrastructure Security Agency, the Austrian CERT, and the United Kingdom National Cyber Security Centre, issued alerts urging organizations around the globe to instantly patch their systems. 
 
In a discussion, Jonathan Care, Senior Director Analyst at Gartner, gave a better understanding of the security implications of the Log4j vulnerability. He discussed how organizations are susceptible to threats arising from it, and what measures they should take to ensure their enterprise systems are protected.
 

Are There Any Systems Affected by the Log4j Vulnerability? 
 

The Log4j vulnerability is extremely widespread: it affects enterprise applications and embedded systems, and through them their sub-components and sub-systems. Java-based applications including Cisco Webex, Minecraft, and FileZilla FTP are all examples of affected programs, but this is by no means an exhaustive list. Ingenuity, the NASA helicopter in the Mars 2020 mission, uses Apache Log4j's logging API to record events, so the vulnerability affects that mission as well.
  
The security community maintains many web resources listing vulnerable systems. These lists are constantly changing, however, so it is imperative to keep an eye on them, and the absence of a particular application or system from a list should not be taken as an indication that it is unaffected.

There is a high probability that a particular technology stack will be exposed to this vulnerability. The vulnerability is likely to affect key suppliers such as SaaS vendors, cloud hosting providers, and web hosting providers. 
 

Risk to Enterprise Applications and Systems, if the Vulnerability is Exploited

 
If left unpatched, this vulnerability allows attackers to infiltrate and take control of enterprise networks. It is already being exploited by malware, ransomware, and a wide array of other automated threats.
 
The vulnerability is extremely easy to exploit: all an attacker needs to do is enter a simple string into a chat window.
 
It is referred to as a "pre-authentication" exploit, which means that to exploit the vulnerability, the attacker does not have to sign into the vulnerable system. You should be prepared for the possibility of your web server becoming vulnerable. 
 

To Protect Their Enterprises From Cybersecurity Threats, What Should CyberSecurity Leaders Do? 

 
Identifying this vulnerability and remediating it as quickly as possible should be one of the top priorities for cybersecurity leaders. The first thing you should do is conduct a detailed audit of any applications, websites, and systems within your domain of responsibility that are connected to the internet or can be viewed as public-facing on the Internet. 

Give priority to systems that store sensitive operational data, such as customer details and access credentials.
 
Once that audit is complete, turn your attention to remote employees. Their personal devices and routers form a vital link in the chain of security and should be updated too. This is likely to require an active, involved approach; simply issuing a list of instructions does not suffice. Vulnerable routers could be an entry point to a key enterprise application or data repository, so your IT team needs to support and cooperate with you in this endeavor.
 
If your organization has an incident response plan, now is the appropriate time to invoke its formal severe-incident measures. The board of directors, the CEO, the CIO, and the entire organization must be involved, as all levels of the organization have a role in this incident.

Make sure you have informed senior leadership and that they are prepared to answer public questions about this issue. For at least the next 12 months, vigilance will be crucial for preventing the exploitation of this vulnerability and the attack patterns exploiting it. This is because neither is likely to disappear for some time.
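The audit step above starts with knowing which deployed archives bundle log4j-core. The following is an added example (not Gartner's or Apache's tooling) of one way to do that: it walks a directory, opens each JAR, descends into JARs nested inside fat JARs, looks for the JndiLookup class, reads the log4j-core version from its Maven pom.properties, and classifies it against CVE-2021-44228. The directory of sample JARs it scans is constructed in the code.

```python
"""Audit a directory of JAR files for the Log4j 2 JNDI lookup (CVE-2021-44228).

Added example for the audit step described above; it is not Gartner's or
Apache's tooling.  It opens every .jar/.war/.ear under a root, descends into
archives nested inside them (fat JARs), checks for the JndiLookup class, reads
the bundled log4j-core version from its Maven pom.properties and classifies
the result.  The demo tree is constructed in a temporary directory.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def parse_version(text):
    """Digits only: '2.14.1' -> (2, 14, 1), '2.0-beta9' -> (2, 0, 9)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version):
    """Map a log4j-core version string to a status for CVE-2021-44228."""
    if version is None:
        return "review"          # JndiLookup present but version unknown
    v = parse_version(version)
    if v >= (2, 15, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return "patched"         # 2.15.0+ and the 2.12.2 Java 7 backport
    return "vulnerable"


def inspect_archive(data, label):
    """Inspect one archive held in memory, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"archive": label, "version": version,
                         "status": classify(version)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings


def audit_tree(root):
    """Walk ``root`` and return findings for every archive that ships JndiLookup."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in sorted(filenames):
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def _jar_bytes(entries):
    """Build an in-memory JAR from {name: bytes}; used only for the constructed demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_demo_tree():
    """Constructed sample: a fat JAR bundling log4j-core 2.14.1, a patched
    2.17.1 JAR, and an unrelated JAR.  Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="log4j_audit_")
    old = _jar_bytes({JNDI_CLASS: b"\xca\xfe\xba\xbe",
                      POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"})
    new = _jar_bytes({JNDI_CLASS: b"\xca\xfe\xba\xbe",
                      POM_PROPS: b"version=2.17.1\n"})
    with open(os.path.join(root, "app-all.jar"), "wb") as fh:
        fh.write(_jar_bytes({"com/example/Main.class": b"\xca\xfe\xba\xbe",
                             "BOOT-INF/lib/log4j-core-2.14.1.jar": old}))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(new)
    with open(os.path.join(root, "commons-io.jar"), "wb") as fh:
        fh.write(_jar_bytes({"org/apache/commons/io/IOUtils.class": b"\xca\xfe"}))
    return root


if __name__ == "__main__":
    for f in audit_tree(build_demo_tree()):
        print(f"{f['status']:<10} {f['version'] or '?':<8} {f['archive']}")
```

A "review" result means the class is present but the version could not be read (for example, a repackaged or shaded build), which should be treated as vulnerable until confirmed otherwise.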

Facebook :"Is that you?" 500,000 People Were Victims of this Phishing Scam

Facebook has long been a favorite hunting ground for cybercriminals who prey on naive members of the internet community. Cybernews has researched a very prevalent fraud known as "Is that you?", a video phishing scam in which the attacker sends a link to a fictitious video in which the victim supposedly appears. The trouble begins as soon as you click, enter some personal information, and log in.

Researchers were recently rewarded for such diligence when they received a warning from fellow cyber investigator Aidan Raney – who originally contacted them after the original results were released – that malicious links were being sent to users. Upon further investigation, it was discovered that thousands of these phishing links had been circulated via a devious network spanning the social media platform's back channels. If left unchecked, hundreds of thousands of naive social network users might fall prey to the shady connections - the "Is That You?" scam was said to have ensnared half a million victims before researchers discovered it. 

Raney explained, "I worked out what servers did what, where code was hosted, and how I might identify additional servers. I then used this information, as well as urlscan.io, to search for more phishing sites with similar features to this one."

A thorough examination of the servers linked to the phishing links revealed a page that was transmitting credentials to devsbrp.app. A banner believed to belong to a control panel was discovered with the wording "panelfps by braunnypr" printed on it. A second keyword search led the research team right to the designer of the panel and banner, whose email address and password variations were also identified, neatly turning the tables on fraudsters who prey on unwary web users' credentials.

Using the threat actor's personal details, Cybernews accessed a website that proved to be the command and control hub for most of the phishing attacks linked to the gang, which is known to include at least five threat actors but could have many more. This gave the investigators a wealth of information about the culprits of the Facebook phishing scam, including their likely country of residence: the Dominican Republic.

"We were able to distribute the user list for everyone who has signed up for this panel," the Cybernews researcher explained. "We started unearthing the identities with as many people on the list as we could using the usernames on the list, but there is still more work to be done." Researchers provided the appropriate information to the Dominican Republic's Cyber Emergency Response Team (CERT) at the time, as evidence suggested that the campaign had started there as well.