Search This Blog

Showing posts with label Cyber Fraud. Show all posts

Global Scam Operation "Classiscam" Expanded to Singapore

 

Classiscam, a sophisticated scam-as-a-service business, has now entered Singapore, after more than 1.5 years  migrating to Europe. 

"Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News. 

The operators were described as a "well-coordinated and technologically advanced scammer criminal network" by the cybersecurity firm. Classiscam is a Russia-based cybercrime operation that was originally detected in the summer of 2019 but only came to light a year later, coinciding with an uptick in activity due to an increase in online buying following the COVID-19 epidemic. 

Classiscam, the pandemic's most commonly utilised fraud scheme, targets consumers who use marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. Users of major Russian ads and marketplaces were initially targeted, before spreading to Europe and the United States. 

Over 90 active organisations are said to be utilising Classiscam's services to target consumers in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the United States, and Uzbekistan. The fraudulent operation spans 64 countries in Europe, the Commonwealth of Independent States (CIS), and the Middle East, and employs 169 brands to carry out the assaults. Criminals using Classiscam are reported to have gained at least $29.5 million in unlawful earnings between April 2020 and February 2022. 

This campaign is remarkable for its dependence on Telegram bots and conversations to coordinate activities and generate phishing and scam pages. Here's how it all works: Scammers put bait advertising on famous marketplaces and classified websites, frequently promising game consoles, laptops, and cellphones at steep prices. When a potential victim contacts the seller (i.e., the threat actor) via the online storefront, the Classiscam operator dupes the target into continuing the conversation on a third-party messaging service like WhatsApp or Viber before sending a link to a rogue payment page to complete the transaction. 

The concept includes a hierarchy of administrators, workers, and callers. While administrators are in charge of recruiting new members, automating the building of scam pages, and registering new accounts, it is the employees that make accounts on free classifieds websites and submit the false advertising. 

"Workers are key participants of the Classiscam scam scheme: their goal is to attract traffic to phishing resources," the researchers said. 

In turn, the phishing URLs are produced by Telegram bots that replicate the payment pages of local classified websites but are housed on lookalike domains. This necessitates the workers to submit the URL containing the bait product to the bot. 

"After initial contact with the legitimate seller, the scammers generate a unique phishing link that confuses the sellers by displaying the information about the seller's offer and imitating the official classified's website and URL," the researchers said. 

"Scammers claim that payment has been made and lure the victim into either making a payment for delivery or collecting the payment." 

The phishing pages also offer the option of checking the victim's bank account balance in order to find the most "valuable" cards. Furthermore, some cases involve a second attempt to deceive the victims by phoning them and requesting a refund in order to collect their money back. 

These calls are made by assistant employees posing as platform tech support professionals.  In this scenario, the targets are sent to a fraudulent payment page where they must input their credit card information and confirm it with an SMS passcode. Instead of a refund, the victim's card is charged the same amount again.

While the aforementioned method is an example of seller scam, in which a buyer (i.e., victim) receives a phishing payment link and is cheated of their money, buyer scams also exist.

A fraudster contacts a legal vendor as a client and sends a bot-generated fraudulent payment form imitating a marketplace, ostensibly for verification purposes. However, after the seller inputs their bank card details, an amount equal to the cost of the goods is debited from their account.

Classiscammers' complete attack infrastructure consists of 200 domains, 18 of which were constructed to deceive visitors of an undisclosed Singaporean classified website. Other sites in the network masquerade as Singaporean movers, European, Asian, and Middle Eastern classified websites, banks, markets, food and cryptocurrency businesses, and delivery services.

"As it sounds, Classiscam is far more complex to tackle than the conventional types of scams," Group-IB's Ilia Rozhnov siad. "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly."

"To complicate the detection and takedown, the home page of the rogue domains always redirects to the official website of a local classified platform."

Alert! Large-Scale AiTM Attacks Targeting Enterprise Users

 

A new large-scale phishing effort has been reported that use adversary-in-the-middle (AitM) tactics to circumvent security safeguards and attack business email accounts. 

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report, "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services." 

Fintech, lending, insurance, energy, manufacturing, and federal credit union verticals are major objectives in the United States, United Kingdom, New Zealand, and Australia. This is not the first time a phishing attack has been identified. Microsoft revealed this month that over 10,000 businesses had been targeted by AitM tactics to compromise accounts protected by multi-factor authentication since September 2021 (MFA). 

The ongoing campaign, which began in June 2022, starts with an invoice-themed email addressed to targets that include an HTML file with a phishing URL placed within it. Opening the attachment in a web browser takes the email recipient to a phishing website posing as a Microsoft Office login page, but not before fingerprinting the infected system to assess whether the victim is the targeted target. 

AitM phishing attacks go beyond standard phishing tactics aimed to steal credentials from unsuspecting users, primarily when MFA is implemented - a security barrier that prohibits the attacker from login into the account using just the stolen credentials. To get around this, the rogue landing page created using a phishing kit acts as a proxy, capturing and relaying all traffic between the client (i.e., victim) and the email server. 

"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers stated. 

This also includes replacing any links to Microsoft domains with identical connections to the phishing domain to guarantee that the back-and-forth with the phoney website continues throughout the session. According to Zscaler, the attacker manually logged into the account eight minutes after the credential theft, reading emails and verifying the user's personal information. 

Furthermore, compromised email inboxes are often used to send further phishing emails as part of the same campaign to conduct business email compromise (BEC) frauds. The researchers noted, "Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."

Alert! This Huge Network of 11,000 Fake Investment Sites Targets Europe

 

Researchers discovered a massive network of over 11,000 domains used to market several bogus investment schemes to European users. 
To establish an air of credibility and attract a wider number of victims, the platforms display false evidence of affluence and falsified celebrity endorsements. The operation's purpose is to dupe people into believing they have a chance for high-return investments and persuade them to spend a minimum of 250 EUR ($255) to sign up for the bogus services. 

Group-IB researchers found the operation and documented the vast network of phishing sites, content hosting, and redirections. More than 5,000 of the discovered malicious domains are still operational, according to Group-IB. At the moment, the countries targeted by this initiative are the United Kingdom, Belgium, Germany, the Netherlands, Portugal, Poland, Norway, Sweden, and the Czech Republic. 

Scamming Process 

To reach as many users as possible, the fraudsters promote the ads on multiple social media platforms or utilise hacked Facebook and YouTube. Victims who fall for the scam and click on the advertisements to learn more are sent to landing pages with supposed success stories. 

The crooks then ask for contact information. In an extensive social engineering scam, a "customer agent" from a call centre contacts the victim and offers the investment terms and conditions. Eventually, the victim is persuaded to deposit at least 250 EUR, while the information given on the false site is saved and utilised in future operations or purchased on the dark web. 

After depositing the cash, the victim gains access to a bogus investment dashboard that supposedly lets them track daily gains. After depositing the cash, the victim obtains access to a bogus investment dashboard that purports to show daily returns. This is done to maintain the idea of a legitimate investment and attract victims to deposit more money in exchange for higher earnings. 

The fraud is uncovered when the victim attempts to withdraw money from the site without first requesting final payment. Group-IB researchers talked with the fraudsters and taped their chat with the operator during the inquiry. Parts of this audio have been muted for privacy concerns. 

Investments are never risk-free, thus promises of assured profits should be seen as warning flags. Furthermore, genuine investing platforms do not provide personal account managers for modest deposits.

Facebook Ads Push Android Adware, Installed 7M Times on Google Play Store

 

Several adware programmes marketed aggressively on Facebook as system cleansers and optimizers for Android devices have accumulated millions of downloads from the Google Play store. 

The applications lack all of the advertised functionality and push adverts while attempting to stay on the device for as long as possible. To avoid deletion, the applications regularly change their icons and names, posing as Settings or the Play Store itself. 

Adware applications make use of the Android component Contact Provider, which allows them to transport data between the device and web services. Because the subsystem is contacted whenever a new programme is installed, the adware might exploit it to start the ad-serving process. It may appear to the user that the advertising is being pushed by the legitimate app they installed. 

McAfee researchers found the adware applications. They point out that customers do not need to activate them after installation to see the advertising because the adware runs automatically without user intervention. The first thing these intrusive apps do is set up a permanent service for displaying adverts. If the process is "killed" (terminated), it instantly restarts. 

This video demonstrates how the adware's name and icon change automatically and how ad-serving occurs without user intervention. 

According to McAfee's analysis, consumers are persuaded to believe the adware applications because they see a Play Store link on Facebook, leaving little room for uncertainty. As a result, exceptionally high download counts for the specific type of apps have emerged, as shown below:
  • Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
  • EasyCleaner, com.easy.clean.ipz, 100K+ downloads
  • Power Doctor, com.power.doctor.mnb, 500K+ downloads
  • Super Clean, com.super.clean.zaz, 500K+ downloads
  • Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
  • Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
  • Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
  • Keep Clean, org.clean.sys.lunch, 1M+ downloads
  • Windy Clean, in.phone.clean.www, 500K+ downloads
  • Carpet Clean, og.crp.cln.zda, 100K+ downloads
  • Cool Clean, syn.clean.cool.zbc, 500K+ downloads
  • Strong Clean, in.memory.sys.clean, 500K+ downloads
  • Meteor Clean, org.ssl.wind.clean, 100K+ downloads
The majority of impacted users are from South Korea, Japan, and Brazil, however, the adware has regrettably spread globally. The adware applications have been removed from the Google Play Store. Users who installed them, on the other hand, must manually delete them from the device.

Despite their limited advantages, system cleansers and optimizers are popular software categories. Cybercriminals know that many people would attempt such methods to extend the life of their gadgets, thus they disguise dangerous software as such.

US Government Alerts Americans of Rising SMS Phishing Attacks

 

The Federal Communications Commission (FCC) has cautioned Americans about an increase in SMS (Short Message Service) phishing attacks aimed at stealing their personal information and money. Such attacks are also known as smishing or robotexts (as the FCC refers to them), and the fraudsters behind them may utilise a variety of enticements to fool you into disclosing sensitive information. 

"The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog's Robocall Response Team said [PDF]. 

"In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June." 

Smishing baits reported to the FCC by American customers include statements concerning unpaid bills, package delivery concerns, bank account problems, or police enforcement activities. Links sending users to landing pages imitating bank websites and requesting them to authenticate a transaction or unlock frozen credit cards are among the most clever and persuasive baits used in text message phishing attempts. 

Phishing SMS messages may also be faked to make it look that the sender is someone you're more likely to trust, such as the IRS or a company one is familiar with. While some attackers will try to steal financial information, others are less fussy and will collect whatever personal information they can get their hands on to use in later frauds or sell to other bad actors. The FCC suggests the following methods to protect against SMS phishing attacks:
  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Be on the lookout for misspellings or texts that originate with an email address.
  • Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
  • If a business sends you a text you weren't expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
"If you think you're the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts," the FCC added.

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+Organizations

 

More than 10,000 companies were targeted in a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites. Microsoft identified a large-scale phishing effort that employed adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and circumvent authentication even when the victim had activated MFA. 

Threat actors utilise AiTM phishing to set up a proxy server between a target user and the website the user desires to access, which is the phishing site controlled by the attackers. The proxy server enables attackers to intercept communications and steal the target's password and a session cookie. 

Threat actors started business email compromise (BEC) attacks against other targets after obtaining the credentials and session cookies needed to access users' mails. Since September 2021, Microsoft specialists think the AiTM phishing effort has targeted over 10,000 companies. 

Phishing using AITM 

By impersonating the Office online authentication page, the landing sites utilised in this campaign were meant to attack the Office 365 authentication process. Microsoft researchers discovered that the campaign's operators utilise the Evilginx2 phishing kit as its AiTM infrastructure. Threat actors utilised phishing emails with an HTML file attachment in several of the attacks seen by the experts. The message alerted recipients that they had a voice message in order to deceive them into opening the file.
 
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 

After capturing the session cookie, the attackers inserted it into their browser to bypass the authentication procedure, even if the receiver had activated MFA for his account. Microsoft advises organisations to use systems that enable Fast ID Online (FIDO) v2.0 and certificate-based authentication to make their MFA deployment "phish-resistant."

Microsoft also advises establishing conditional access controls if an attacker attempts to utilise a stolen session cookie and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious features and odd mailbox operations. 

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

CEO of Multiple Fake Companies Charged in $1bn Counterfeit Scheme to Traffic Fake Cisco Devices

 

Last Friday, the US Department of Justice (DOJ) revealed that a Florida citizen named Ron Aksoy had been arrested and alleged with selling thousands of fake and counterfeit Cisco goods over 12 years. 

Aksoy, also known as Dave Durden, would have operated at least 19 firms based in New Jersey and Florida, as well as at least 15 Amazon stores, around 10 eBay storefronts, and many additional corporations worth more than $1 billion. Aksoy faces three counts of mail fraud, four counts of wire fraud, and three counts of trafficking in counterfeit products. 

According to court records, the fraudulent firms purchased tens of thousands of counterfeit Cisco networking equipment from China and Hong Kong and resold them to consumers in the United States and across the world, fraudulently advertising the items as new and authentic. Chinese counterfeiters modified earlier, lower-model goods (some of which had been sold or dumped) to look to be authentic versions of newer, improved, and more expensive Cisco gear. 

As a result, the fraudulent and counterfeit items had severe performance, functionality, and safety issues, costing users tens of thousands of dollars. According to the indictment, between 2014 and 2022, Customs and Border Protection (CBP) confiscated approximately 180 shipments of counterfeit Cisco equipment being transported to the Pro Network Entities (the fraudulent firm name under which Aksoy operated) from China and Hong Kong. 

In response to some of these seizures, Aksoy would have filed fraudulent official papers to CBP using the pseudonym "Dave Durden," which he also used to contact with Chinese co-conspirators. The entire enterprise reportedly generated over $100 million in income, with Aksoy keeping a sizable portion while his co-conspirators received the remainder. Potential victims have been advised to get in touch with authorities. 

The DOJ has developed a publicly available list of Pro Network firms, as well as the accused criminal's eBay and Amazon stores.

Hackers Target National Portal of India Via ‘Unprecedented’ Phishing Method

 

On Thursday, cyber-security experts announced the discovery of an "unprecedented, sophisticated" phishing method that has been extorting people from official websites worldwide, including the Indian government's portal https://india.gov.in. 

According to AI-driven cyber-security startup CloudSEK, threat actors have been targeting the Indian government's webpage by using a fake URL to deceive users into entering sensitive information such as credit card numbers, expiration months, and CVV codes. 

In a most advanced phishing technique known as Browser-in-the-Browser (BitB) attack, hackers imitate the browser window of the Indian government website, most typically SSO (single sign-on) pages, with a unique login. BitB attacks impersonate reputable websites in order to steal user passwords and other sensitive data such as personally identifying information (PII). The new URL that emerges as a result of the BitB attack looks to be legitimate. 

"The bad actors have also replicated the original page's user interface. Once their victims click into the phishing page, a pop-up appears on the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police," the researchers asserted. 

The users are then alerted that their excessive usage of pornographic websites is banned under Indian law, and they are asked to pay a Rs 30,000 fee in order to unlock their computers.

"They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card information. The victims become panicked because the warning has a sense of urgency and appears to be time-bound," the researchers stated. 

The information entered by the victims into the form is sent to the attacker's server. Once the attackers have obtained the card information, it may be sold to other purchasers in a bigger network of cyber criminals, or the victim may be extorted for more funds. 

When users attempt to connect to a website, they may click on a malicious link that appears as an SSO login pop-up window. Users are requested to check in to the website using their SSO credentials when they visit the provided URL. The victims are then sent to a fraudulent webpage that appears just like the SSO page. The attack often triggers single sign-on windows and presents bogus web pages that are identical to the legitimate page. 

"Combine SSO with MFA (multi-factor authentication) for secure login across accounts, check for suspicious logins and account takeovers and avoid clicking on email links from unknown sources," the researchers suggested.

Ukrainian Authorities Take Down Phishing Gang That Siphoned 100 Million Hryvnias

 

The Ukraine Cyber Police Department and the Pechersk Police Department arrested nine members of a cybercriminal organization that defrauded over 5,000 citizens of Ukraine of more than 100 million hryvnias (about $3.39 million) via phishing attacks. 

The fraudsters designed more than 400 phishing sites for exfiltrating the banking details of Ukrainian citizens under the guise of social security payments from E.U. countries. The malicious landing pages were hosting an application form to fill out to receive financial help from the European Union. 

Some of the phishing sites registered by the hackers included ross0.yolasite[.]com, foundationua[.]com, ua-compensation[.]buzz, www.bless12[.]store, help-compensation[.]xyz, newsukraine10.yolasite[.]com, and euro24dopomoga0.yolasite[.]com, among others. 

“Nine people created and administered more than 400 fake web resources for obtaining banking data of citizens. Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union. Using phishing links, victims took surveys and entered bank card details.” reads the advisory published by the Ukrainian Cyber Police. 

Once in possession of the bank details, the malicious hackers carried out unauthorized access to the victim’s online banking and siphoned money from their accounts. The hackers defrauded more than 5,000 citizens, stealing a total amount of more than 100 million hryvnias. 

The law enforcement operation culminated in the seizure of computer equipment, mobile phones, and bank cards as well as the criminal proceeds illicitly obtained through unlawful activities. If the arrested individuals are found guilty of fraud charges under the Criminal Code of Ukraine, they face up to 15 years in prison. 

“Criminal proceedings have been opened under Part 3 of Art. 190 (Fraud), Part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. Perpetrators may face up to fifteen years in prison.,” the advisory further reads. “The issue of declaring suspicion and selecting preventive measures for the persons involved is being resolved.” 

The local police warned citizens to receive information regarding financial payments only from official sources, avoid clicking on suspicious links, and never provide private and banking information to third parties posing as government organizations.

Fraudulent UK Visa Scams Circulate on WhatsApp


According to a Malwarebytes report, individuals working in the UK are being scammed by a recent phishing campaign on WhatsApp. 

Scammers claim in a WhatsApp message that users who are willing to relocate to the UK for work will be eligible for a free visa as well as other perks. 

Bogus scam message 

Scam operators are disseminating information under the pretext of the UK government, promising a free visa and other advantages to anyone who wants to migrate there. The chosen candidates would be given travel and lodging expenses as well as access to medical facilities. 

The WhatsApp chat app is used to transmit to target volumes to start the fraud. Users are informed that the UK is conducting a recruiting drive with more than 186,000 open job positions because the country will require more than 132,000 additional workers by the year 2022. 

The objective of the scam 

When a victim clicks on the scam link, a malicious domain that looks like a website for UK Visas and Immigration is displayed to them. "Apply for thousands of jobs already available in the United Kingdom," is the request made to foreign nationals as per the scam.

The website's goal is to collect victims' names, email addresses, phone numbers, marital statuses, and employment statuses. 

Any information entered into the free application form is instantly 'accepted,' and the user is informed that they "will be provided a work permit, visa, plane tickets, and housing in the UK for free" according to a Malwarebytes report. 


Report fake WhatsApp messages

Users have the option to Report and Block on WhatsApp if they get a message from someone who is not on their contact list. One should disregard these spam communications and use the report button to file a complaint. Additionally, users can block these contacts in order to stop getting future scam messages from them.

Phishing attacks with a Visa theme are a typical occurrence in the world of cybercriminals. A similar hoax circulated several times in the past to entice people looking to work or study abroad.


Indian Crypto Users Duped Of Rs 1,000 Crore By Fake Exchange

 

CloudSEK researchers have identified a new scam called CoinEgg, which duped Indian investors of more than $128 million (nearly Rs 1,000 crore). 

“We discovered an on-going malicious scheme involving multiple payment gateway domains and Android-based applications, used to lure unsuspecting individuals into a mass gambling scam,” the researchers explained in a blog post. 

The hackers designed several bogus domains mimicking crypto trading platforms, with the word ‘CloudEgg’ in them. “The sites are designed to replicate the official website’s dashboard and user experience,” the researchers stated, adding that the crypto scam is divided into seven phases. 

After creating the fake domains, the scammers design a female profile on social media to lure the potential victim and establish a friendship. This phony profile is used to entice the victim to invest in crypto and start trading. The profile also shares a $100 gift voucher, which will be deposited when they invest in specific crypto. 

Upon registering and depositing funds on the exchange, the hacker freezes their account to keep them from withdrawing the funds and disappears. If you think the scam ends here, you are mistaken. In the last phase of the scam, when the victims switch to other platforms to share their experience, the hacker uses other fake accounts to reach out to them and pose as if they are investigators.

“To retrieve the frozen assets, they request victims to provide confidential information such as ID cards and bank details via email. These details are then used to perpetrate other nefarious activities,” the researchers said.

The researchers also identified two domains used by the scammers. It was said that both were registered on GoDaddy on March 3, 2022, as part of the strategy to set up several backup domains in the case of a takedown.

Earlier this year in March, the Pune City police’s cybercrime cell detained two specialists — Pankaj Ghode (38) and Ravindranath Patil (45) and an ex-IPS officer of Jammu and Kashmir cadre, following an exhaustive probe that began in April 2021.

In 2018, Ghode and Patil aided a Pune police Special Investigations squad in uncovering two multimillion-dollar Bitcoin Ponzi schemes. The duo transferred the cryptocurrencies, recovered from the Gainbitcoin scam, and then manipulated the screenshots of those transactions and gave them to the police as proof. However, the technical investigation revealed that there were some bitcoins in the said wallet and Ghode did not give information regarding them to the investigating officer.

Fraudsters Resorting to 'Synthetic Identity Fraud to Commit Financial Crimes

 

Identity theft is still a common tactic for hackers to damage the credit score. To steal even more and avoid discovery, an increasing number of fraudsters are turning to "synthetic identity fraud," which includes constructing spoof personalities to deceive financial institutions.

Michael Timoney, VP of Secure Payments at the Federal Reserve Bank of Boston stated, “This is growing. It’s got big numbers tied to $20 billion(Opens in a new window) plus (in losses), and we’re not really seeing a drop in it. Due to the pandemic, the numbers have gotten even higher."

Timoney described how the threat exploits a critical vulnerability in the US banking system at the RSA conference in San Francisco: when a customer applies for a credit card or a loan, many businesses do not always verify their identification. Timoney defined synthetic identity fraud as the use of multiple pieces of personally identifiable information to create a totally new person. 

He added, “It’s different from traditional identity theft because if someone stole my identity they would be acting in my name. I would go into my bank account and see my money is gone or I’d try to log into my account but I’d be locked out.” 

“Because of data breaches, there is so much information out there for sale. In other cases, the crooks will alter or make up the Social Security number and address data entirely, hoping the companies won't catch on. Once you apply for credit with your brand new identity, there is no credit file out there for you, but one gets created immediately. So right off the bat, you now have a credit file associated with this synthetic. So it sort of validates the identity. Now you got an identity and it has a credit record."  

The hacker will then strive to improve the credit rating of the spoof identity in order to secure larger loans or credit card limits before bailing without ever paying the lending agency. He added that the fraudster will settle their charges and request further credit. 

According to Timoney, the scammers have also been using the fraudulent personas to seek for unemployment benefits and obtain loans from the Paycheck Protection Program, which began during the pandemic to assist businesses in paying their employees. 

How to stop synthetic identity fraud?

To combat synthetic identity fraud, the United States is developing (Opens in a new window) the Electronic Consent Based Social Security Number Verification Service, which can determine whether a Social Security number matches one of these on record. However, Timoney stated that the system will only be offered to financial institutions and will not be open to other industries that provide credit to clients. 

In response, Timoney emphasized that it is critical for businesses to be on the lookout for warning indicators linked with synthetic identity fraud. This might include inconsistencies in the applicant's background. For example, consider a person who is 60 years old but has never had a credit history while having lived in the United States their whole life or an 18-year-old with a credit score of at least 800. 

Another method for detecting synthetic identity theft is to see if a loan application has any confirmed family members. One should be looking at a lot more than just the name, address, and Social Security number.

Dark Web Selling Alleged Western Weapons Sent to Ukraine

 

According to the recent reports, various weapon marketplaces on the dark websites have been listing military-grade firearms that are coming from Western countries to support the Ukrainian army in its fight against Russian aggression. 

These weapons were illegally put aside from the received supplies and are now made available to terrorists who are looking to buy rocket launchers and other deadly attack systems. 

This data has been released by Israeli cyber-intelligence specialist KELA who found military weapons listed by Ukrainians on various dark web markets. The report further read that one marketplace was tracked as “Thief,” which had a total number of 9 listings from three sellers associated with Ukraine.

Another seller named “Weapons Ukraine,” sells rifles, grenades, and bulletproof vests for amounts ranging from $1,100 to $3,600, and promises delivery in Ukraine. As per the statistics of the website, 32 users have completed purchases from the site however no user has left a review yet. 

Subsequently, another market that is supplying weapons allegedly to Ukraine by NATO countries is the "Black Market Guns," which offers U.S.-made Switchblade 600 Kamikaze Drone for $7,000 and NLAW anti-tank missiles for $15,000. 

However, the coordination of the publication on various platforms increases the chances of this being a part of a large disinformation scam campaign to take advantage of the current political situation of the county for profit. 

While the listings of these weapons seem genuine with the price of weapons also being offered realistically, the chances of them being created by pro-Russian malicious actors for propaganda purposes are high. If that is the case, pro-Russian media houses could use this information as real to serve their purposes. And at this time, the authenticity of these listed weapons from Ukraine on the dark market websites cannot be verified.

Reverse Tunnelling & URL Shortening Services Used in Evasive Phishing

 

Researchers are detecting an increase in the usage of reverse tunnel services, as well as URL shorteners, for large-scale phishing operations, leaving malicious activity more difficult to detect. This strategy differs from the more typical practise of registering domains with hosting providers, who are more inclined to answer complaints and remove phishing sites. 

Threat actors can use reverse tunnels to host phishing websites locally on their own computers and route connections through an external service. They can evade detection by using a URL shortening service to produce new links as frequently as they desire. Many phishing URLs are renewed in less than 24 hours, making tracing and eliminating the domains more complex. 

CloudSEK, a digital risk prevention company, has seen a rise in the number of phishing efforts that combine reverse tunnelling and URL shortening services. According to a report shared with BleepingComputer by the business, researchers discovered more than 500 sites hosted and disseminated in this manner. CloudSEK discovered that the most extensively misused reverse tunnel services are Ngrok, LocalhostRun, and Cloudflare's Argo. They also saw an increase in the use of URL shortening services such as Bit.ly, is.gd, and cutt.ly. 

Reverse tunnel services protect the phishing site by managing all connections to the local server where it is housed. The tunnel service resolves any incoming connections and forwards them to the local computer. Victims who interact with these phishing sites have their personal data saved directly on the attacker's computer. Thus according to CloudSEK, the threat actor conceals the name of the URL, which is often a string of random characters, by utilising URL shorteners. 

As a result, a suspicious domain name is masked under a short URL. Opponents, according to CloudSEK, are disseminating these links using popular communication channels such as WhatsApp, Telegram, emails, SMS, or bogus social media pages. It is important to note that the abuse of these services is not new. 

In February 2021, for example, Cyble produced proof of Ngrok misuse. However, according to CloudSEK's results, the situation is worsening. CloudSEK discovered one phishing campaign that impersonated YONO, a digital banking platform provided by the State Bank of India. The attacker's URL was masked under "cutt[.]ly/UdbpGhs" and directed to the site "ultimate-boy-bacterial-generates[.]trycloudflare[.]com/sbi," which made advantage of Cloudflare's Argo tunnelling service. 

This phishing page asked for bank account information, PAN card numbers, Aadhaar unique identification numbers, and mobile phone numbers. CloudSEK did not disclose the effectiveness of this operation, but it did point out that threat actors seldom use the same domain name for more than 24 hours, however, they do recycle the phishing page designs.

"Even if a URL is reported or blocked, threat actors can easily host another page, using the same template" - CloudSEK 

This sensitive information may be sold on the dark web or utilised by attackers to deplete bank accounts. If the information comes from a business, the threat actor might use it to execute ransomware attacks or business email compromise (BEC) fraud. 

Users should avoid clicking on links obtained from unknown or dubious sources to protect themselves from this sort of danger. Manually typing a bank's domain name into the browser is an excellent way to avoid being exposed to a bogus website.

HR Manager of Private Company Duped of ₹28 Lakh

 

The cybercrime police are looking for a person who pretended to be the managing director of a private company and duped the firm's HR manager into transferring 28.8 lakh online before fleeing. 

On Sunday, the police lodged a case against the unknown individual, accusing him of different sections of the IT Act as well as cheating and impersonation under the IPC, based on a complaint filed by Nirmal Jain, the owner of the private enterprise. 

According to Mr. Jain's allegation, the accused sent a WhatsApp message to HR manager Thirupathi Rao pretending to be Paras Jain, the company's MD. The MD's image was on the WhatsApp profile, and the message stated that it was his personal number and that he was at a meeting and should not be disturbed. 

The individual then requested that Mr. Rao move the funds to three bank accounts online on an emergency basis. Mr. Rao followed the instructions and transferred a total of 28.89,807 to the private bank account numbers specified in the communication. When he told higher officials about the transactions, the scam was discovered. 

Based on the transaction information, the authorities are now attempting to locate the accused. This is a new trend among internet fraudsters who download the profile images of senior executives of organisations in order to scam their office staff, according to experts.

U.S. Citizens Lost $39.5 Billion to Phone Frauds Alone Over the Past Year

 

A recent study estimates that scams have increased threefold in the US in the last 12 months resulting in the loss of $39.5 billion, which is the highest number registered since Truecaller, Swedish caller identification and spam blocking app, began researching scam and spam calls in the U.S. eight years ago. 

According to the report, which was undertaken in partnership with The Harris Poll in March 2022, 33% of US citizens reported having fallen victim to phone scams, and 20% on more than one occasion. 55.6% of those who fell victim to a phone scam were men, compared to only 42.2% of those who were women. 

Furthermore, men aged 65 and above, and Hispanics were more likely to fall for scams and phone frauds than those aged below or belonging to any other ethnicity. Nearly, 74% of Hispanic people were targeted and lost money in the last 12 months when compared to Black or White adult individuals.

Approximately 63% of Americans feel like they may miss legitimate calls due to the fear of spam calls. To protect themselves, 43% of people reported they downloaded a spam blocker and/or caller ID. A whopping 86% of Americans said only pick up when the caller is recognizable, 60% have stopped picking up calls altogether and have shifted to other methods of communicating. These include texts, emails, social media apps, faxes, etc. 

To mitigate risks, adults preferred to take action by downloading Spam Blocker/Caller ID apps while people above the age of 65 preferred blocking their credit cards or altering account numbers after being scammed. 

The study suggests that despite the Federal Communication Commission’s (FCC) efforts to regulate via the STIR/SHAKEN framework (a set of FCC standards aimed at protecting Americans from robocalls/scammers) nearly 68.4 million Americans fell victim to at least a phone scam in the last 12 months, indicating fraudsters are bypassing government regulation and finding more sophisticated methods to target users. 

“The findings from this year are concerning and shed light on the fact that fraudsters and scammers continue to outsmart increased government regulation. Additionally, with many robocalls coming from overseas, the increase in regulation will need to work in parallel with technological advancements provided by caller ID and spam-blocking apps, such as Truecaller,” stated Alan Mamedi, CEO of Truecaller. 

India: 4th most spammed nation 

According to Truecaller’s Global Scam Report 2021, India received 4th position in spam sales and telemarketing calls and was placed right behind Brazil, Peru, and Ukraine. 

The sales-related calls made up a vast majority (93.5%) of all incoming spam calls in the country. The report also made a special mention of a single number in India that apparently made over 202 Mn spam calls – more than 664,000 calls every day or 27,000 calls every hour.

Suspected Phishing Email Fraudster Arrested in Nigeria

 

A Nigerian man has been arrested by Interpol and African cops on suspicion of running a multi-continent cybercrime network that specialised in sending phishing emails to businesses. His alleged operation was behind so-called business email compromise (BEC), a combination of fraud and social engineering in which employees at targeted firms are duped into doing things like wiring money to scammers or sending sensitive information abroad. 

This is done by impersonating executives or suppliers and sending messages with instructions on where to deliver payments or data, often by getting into an employee's work email account. The 37-year-arrest old's is part of a year-long counter-BEC operation code-named Operation Delilah, which began with intelligence from cybersecurity firms Group-IB and Palo Alto Networks Unit 42, and Trend Micro. 

According to the groups involved, Op Delilah, which began in May 2021, is another success story from Interpol's Cyber Fusion Center, a public-private partnership between law enforcement and industry experts based in Singapore. The arrest, however, comes after the FBI issued a strong warning about BEC earlier this month, claiming that it is still the most costly threat to businesses throughout the world. Between June 2016 and December 2022, email scams cost businesses and people at least $43.3 billion. 

The FBI stated that BEC continues to develop and change, targeting small local companies to larger enterprises, and personal transactions, adding that it monitored a 65 per cent increase in identified global exposed losses, with victims in 177 countries, between July 2019 and December 2021. When law enforcement attempted to catch the suspected fraudster in this case, he fled Nigeria in 2021. He attempted to return to Nigeria in March 2022 but was recognised and detained as a result of the intelligence-gathering relationship. The intelligence was passed on to Nigerian police by Interpol's African Joint Operation against Cybercrime (AFJOC), which was assisted by law enforcement from Australia, Canada, and the United States. Nigerian cops eventually apprehended the man at Lagos' Murtala Mohammed International Airport. Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of suspected gang members. 

"The arrest of this alleged prominent cybercriminal in Nigeria is testament to the perseverance of our international coalition of law enforcement and Interpol's private sector partners in combating cybercrime," Garba Baba Umar, assistant inspector general of the Nigeria Police Force, said in a statement this week. 

The security companies involved in the operation closely monitored the alleged Nigerian BEC crew under the name SilverTerrier, or TMT, and Delilah is the third in a series of law-enforcement actions that have resulted in the identification and arrest of these suspected gang members. Delilah was preceded by the Interpol-led Falcon I and Falcon II operations, which took place in 2020 and 2021 and resulted in the arrest of 14 members of the criminal gang. 

The earlier operations, as well as the most recent one, were assisted by Unit 42 and Group-IB, among other security analysts. TMT has been tracked by Group-IB since 2019. We're warned that by 2020, the criminals would have infiltrated more than 500,000 businesses in 150 nations. One of the defendants seized in Nigeria during Falcon II had more than 50,000 possible victim domain credentials on his laptop, according to Interpol. 

Meanwhile, Unit 42 researchers allege that the 37-year-old Nigerian detained as part of Delilah has been a criminal since 2015. 

The security analysts at Palo Alto Networks wrote in a blog, "We have identified over 240 domains that were registered using this actor's aliases. Of that number, over 50 were used to provide command and control for malware. Most notably, this actor falsely provided a street address in New York city associated with a major financial institution when registering his malicious domains." 

They discovered that he has a stated affinity for ISRStealer, Pony, and LokiBot malware. He also prefers enormous gold, blingy jewellery, according to a social media snapshot of the alleged perp on the Unit 42 blog. According to the security researchers, the suspect is well-connected with other BEC criminals and also appears to share social media contacts with a trio detained in 2021 as part of Falcon II.

Bad Bot Traffic is Significantly Contributing to Rise of Online Scam

 

Recently, many organizations have been left wrestling with the challenge of overcoming the rise in bot traffic, which is also sometimes referred to as non-human traffic. According to an Imperva analysis, bad bots, or software applications that conduct automated operations with malicious intent, accounted for a record-breaking 27.7% of all global internet traffic in 2021, up from 25.6 percent in 2020. Account takeover (ATO), content or price scraping, and scalping to purchase limited-availability items were the three most typical bot attacks. 

Bot traffic has the potential to damage organisations if they do not learn how to recognise, control, and filter it. Sites that rely on advertising in addition to sites that sell limited-quantity products and merchandise are particularly vulnerable. Bad bots are frequently the first sign of online fraud, posing a threat to both digital enterprises and their customers. 

Evasive bad bots accounted for 65.6 percent of all bad bot traffic in 2021, a grouping of moderate and advanced bad bots that circumvent ordinary security protections. This type of bot employs the most advanced evasion strategies, such as cycling through several IP addresses, using anonymous proxies, changing identities, and imitating human behaviour. 

Bad bots make it possible to exploit, misuse, and assault websites, mobile apps, and APIs at high speed. Personal information, credit card details, and loyalty points can all be stolen if an attack is successful. Organizations' non-compliance with data privacy and transaction requirements is exacerbated by automated misuse and online fraud. 

Bad bot traffic is increasing at a time when businesses are making investments to improve online customer experiences. More digital services, greater online functionality, and the creation of broad API ecosystems have all emerged.

Unfortunately, evil bot operators will use this slew of new endpoints to launch automated assaults. The key findings of the research are:
  • Account takeover grew148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading origin country of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
  • Travel, retail, and financial services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
  • The proportion of bad bot traffic differs by country: In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and the United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
  • 35.6% of bad bots disguise as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
According to the findings, no industry will be immune to negative bot activity in 2021. Bots hoarding popular gaming consoles and clogging vaccine appointment scheduling sites gained attention in 2021, but any degree of bot activity on a website can create considerable downtime, degrade performance, and reduce service reliability.

Payment Gateway Firm Razorpay Loses ₹7.3 Crore in Cyber Fraud Incident

 

The South East cybercrime police are investigating a fraudulent case where a hacker stole ₹7.3 crores over three months by exploiting the authorization process of Razorpay Software Private Limited, a payment gateway company to authenticate 831 failed transactions. 

The fraud came to light when officials of the payment gateway company Razorpay Software Private Limited conducted an audit of the transactions, and they couldn’t accommodate the receipt of Rs. 7,38,36,192 against 831 transactions. 

Razorpay Software Private Limited was founded by Shashank Kumar and Harshil Mathur in 2015. The company offers online payment services that allow businesses in India to collect payments via credit card, debit card, net banking, and wallets. 

On May 16, Abhishek Abhinav Anand, head of Legal Disputes and Law Enforcement at Razorpay Software Private Limited, lodged a complaint with the South East cybercrime police. The police are currently attempting to track down the hacker on the basis of online transactions.
 
An internal probe has revealed that some person or persons have tampered with and manipulated the authorization and authentication process. As a result, false ‘approvals’ were sent to Razorpay against the 831 failed transactions, resulting in a loss amounting to ₹7,38,36,192. The company provided details of the 831 failed transactions, including date, time, IP address, and other relevant information to the police. 

"Razorpay's payment gateway is at par with the industry standards on data security. During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites that used an older version of Razorpay's integration, due to gaps in their payment verification process. The company has conducted an audit of the platform to ensure no other systems, no merchant data, and funds, and neither their end-consumers were affected by this incident,” Razorpay’s spokesperson stated. 

According to the ministry of electronics and information technology (Meity), between 2018 and 2021, there was an over a five-fold jump in the number of cybercrime and fraud incidents recorded by the government. 

Basically, the number of incidents surged from 208,456 in 2018 to 1,402,809 in 2021, as per the Data available with the Indian Computer Emergency Response Team (Cert-In). Indian Computer Emergency Response Team is the government agency for computer security.

Phishing Scam Adds a Chatbot Like Twist to Steal Data

 

According to research published Thursday by Trustwave's SpiderLabs team, a newly uncovered phishing campaign aims to reassure potential victims that submitting credit card details and other personal information is safe. 

As per the research, instead of just embedding an information-stealing link directly in an email or attached document, the procedure involves a "chatbot-like" page that tries to engage and create confidence with the victim. 

Researcher Adrian Perez stated, “We say ‘chatbot-like’ because it is not an actual chatbot. The application already has predefined responses based on the limited options given.” 

Responses to the phoney bot lead the potential victim through a number of steps that include a false CAPTCHA, a delivery service login page, and finally a credit card information grab page. Some of the other elements in the process, like the bogus chatbot, aren't very clever. According to SpiderLabs, the CAPTCHA is nothing more than a jpeg file. However, a few things happen in the background on the credit card page. 

“The credit card page has some input validation methods. One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputed,” Perez stated.

The campaign was identified in late March, according to the business, and it was still operating as of Thursday morning. The SpiderLabs report is only the latest example of fraudsters' cleverness when it comes to credit card data. In April, Trend Micro researchers warned that fraudsters were utilising phoney "security alerts" from well-known banks in phishing scams. 

Last year, discussions on dark web forums about deploying phishing attacks to capture credit card information grew, according to Gemini Advisory's annual report. Another prevalent approach is stealing card info directly from shopping websites. Researchers at RiskIQ claimed this week that they've noticed a "constant uptick" in skimming activity recently, albeit not all of it is linked to known Magecart malware users.