According to business security software vendor Proofpoint, TA505, a prominent email phishing threat actor, has risen from the grave. TA505, which had been inactive since 2020, resumed mass emailing efforts in September, equipped with fresh malware loaders and a RAT. 

The TA505 cybercrime organization has restarted its financial rip-off apparatus, bombarding malware at a variety of sectors into what are originally low-volume waves that researchers noticed spike late last month. 

The group, which aggressively targets a variety of businesses such as finance, retail, and hotels, has been functional since at least 2014. It is well-known for rapid virus changes and for influencing worldwide trends in illegal malware dissemination. 

It is responsible for one of the firm's largest spam efforts, the spread of the Dridex banking malware. Proofpoint has also identified the organization that is delivering the Locky and Jaff ransomware, the Trick banking trojan, and other malware "in very high volumes," according to the company. 

According to habit, the gang's most recent ads span a wide spectrum of sectors. They're additionally bringing new tools, such as an improved KiXtart loader, the MirrorBlast loader, which downloads Rebol script stagers, the retooled FlawedGrace RAT, and improved malicious Excel files.

Proofpoint researchers tracked renewed malware campaigns from TA505 that began slowly at the start of September – only with a few thousand emails per wave, disseminating malicious Excel attachments – and afterward ramped up the volume later in the month, resulting in tens to hundreds of thousands of emails by the end of September, according to an analysis published by the company. 

As per the report, several of the efforts, especially the larger ones, "strongly resemble" what the group was up to between 2019 and 2020, involving identical domain naming patterns, email lures, Excel file lures, and the distribution of the FlawedGrace RAT. TA505 utilized more targeted lures in the early September waves of email attacks, which didn't impact as many sectors as the more recent October 2021 operations, according to Proofpoint experts. 

Significant new advancements include an updated FlawedGrace RAT, as well as retooled intermediate loader phases written in Rebol and KiXtart. According to experts, the gang is utilizing a different downloader than the previously successful Get2 downloader. 

“The new downloaders perform similar functionality of reconnaissance and pulling in the next stages,” Proofpoint researchers noted. 

“The emails contained an Excel attachment that, when opened and macros enabled, would lead to the download and running of an MSI file,” Proofpoint said. MSI files are used to install software on a Windows system. “The MSI file, in turn, would execute an embedded Rebol loader, dubbed by Proofpoint as MirrorBlast.” 

Researchers also discovered that TA505 is now employing numerous intermediary loaders before the distribution of the FlawedGrace RAT, and they are written in unusual scripting languages — Rebol and KiXtart. 

The intermediary loaders appear to fulfill the very same purpose as Get2, a downloader used by TA505 since 2019 to distribute a range of secondary payloads, according to researchers. 

“The loaders perform minimal reconnaissance of an infected machine, such as collecting user domain and username information and downloading further payloads,” according to the research. 

“The code responsible for downloading the next stage MSI file was typically lightly obfuscated with filler characters, string reversing or similar simple functions and hidden in the document Comments, Title, in a Cell or other locations,” the researchers noted. 

Considering that TA505 alters TTP and is "considered a trendsetter in the world of cybercrime," Proofpoint does not anticipate them going anywhere any time soon. The malicious actors do not restrict its target set and are, in fact, an equal opportunist in terms of the regions and sectors it chooses to attack, researchers said. This, along with TA505's capacity to be adaptable, focusing on what is most profitable and altering its TTP as needed, makes the actor persistent threat.

A resident of Palmdale, California, the accused goes by the name of Ryan S. Hernandez.

A couple of days back the FBI and two federal agencies, the Department of Homeland Security and the Department of Health and Human Services issued a caution that they had “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers”. 

This news comes after federal agencies cautioned that the US healthcare systems are confronting an “increased and imminent” danger of cybercrime, and that cybercriminals are releasing an influx of coercion endeavors intended to lock up hospital information systems, which could hurt patient care similarly to cases of Coronavirus are on a steady rise. 

The cyberattacks include ransomware, which scrambles information into the hogwash that must be opened with software keys given once targets pay up. Independent security specialists state it has 'already hobbled at least five US hospitals' this week, and might affect hundreds more. 

Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, said in a statement, “we are experiencing the most significant cybersecurity threat we’ve ever seen in the United States." 

The US has seen a plague of ransomware in the course of the recent 18 months with significant urban cities from Baltimore to Atlanta hit and local governments and schools hit especially hard.

In September, a ransomware attack shook all 250 US facilities of the hospital chain Universal Health Services, constraining doctors and nurses to 'depend on paper and pencil for record-keeping and slowing lab work'. 

Employees described disorderly conditions blocking patient care, including mounting trauma centers wait and the failure of wireless vital signs monitoring hardware. 

Alex Holden, CEO of Hold Security, which has been intently following the ransomware being referred to for over a year, said he informed the federal law enforcement after monitoring infection endeavors at various hospitals. 

Furthermore, added that the group was demanding ransoms above $10 million for each target and that criminals involved on the dull web were talking about plans to attempt to infect at least 400 or more hospitals, clinics, and other medical facilities.

“One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems,” Holden said. “They are hitting where it hurts even more and they know it.”

The cybercriminals launching the attacks are said to have been utilizing a strain of ransomware known as Ryuk, and while nobody has proved the speculated ties between the Russian government and groups that utilization the Trickbot platform, Holden said he has “no doubt that the Russian government is aware of this operation – of terrorism”.

Graham Clark, a resident of Tampa Florida has been arrested under charges of being involved in July’s Twitter hack that targeted the handles of famous personalities including the CEO of SpaceX and Tesla Inc., Elon Musk, and former President of the US Barack Obama, to name a few. The other two suspects arrested by Californian authorities are Nima “Rolex” Fazeli of Orlando and Mason “Chaewon” Sheppard from Bognor Regis, U.K.

The alleged three ran a scheme under which they hijacked the twitter accounts of various public figures and posted tweets advertising a bitcoin scam from these high-profile accounts. In order to acquire access to internal support tools and these Twitter accounts, Clark compromised a Twitter employee and made use of his credentials. After gaining access to 130 accounts belonging to politicians and celebrities, he tweeted Bitcoin scam messages from 45 and accessed direct messages inbox of 36 of them and stopped with downloading the Twitter Data for a total of 7 accounts. Reportedly, the three cybercriminals involved made a profit worth $120,000 worth of bitcoins as a result of the scam.

Among the affected accounts were Amazon’s founder, Jeff Bezos, Microsoft’s CEO Bill Gates, Kim Kardashian West and Joe Biden.

According to operation led by the FBI in collaboration with the Secret Service and IRS, 17-year-old, Graham Clark is identified as the mastermind of the sophisticated incident; the teenager is just a high-school graduate who will be prosecuted by Hillsborough State authorities.

Bearing charges of conspiracy to commit wire fraud and money laundering, aiding the mastermind in orchestrating the attack, Sheppard is subjected to 45 years of imprisonment as the maximum penalty.

In a related video news conference, State Attorney, Warren said, "I want to congratulate our federal law enforcement partners, the US Attorney’s Office for the Northern District of California, the FBI, the IRS, the US Secret Service, and the Florida Department of Law enforcement. These partners worked extremely quickly to investigate and identify the perpetrators of this sophisticated and extensive fraud."

"This defendant lives here in Tampa, he committed the crimes here, and he’ll be prosecuted here,"

"The State Attorney's Office is handling this prosecution rather than federal prosecutors because Florida law allows for us greater flexibility to charge a minor as an adult in a financial fraud case like this." He added.

Meanwhile, in the regard, Twitter said "We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.

"For our part, we are focused on being transparent and providing updates regularly."

Researchers at IntSight have discovered that IM platforms such as WhatsApp, Telegram, Discord, IRC, and Jabber are being used by cybercriminals for advertising and putting their goods and services on sale. One of the major reason as to why cybercriminals are switching to these IM platforms from the conventional ones is 'law enforcement practices'; law enforcement operations have been targeting online darknet markets one after another. Earlier in 2017, the world's largest dark web market, AlphaBay was taken offline, sending darknet users into chaos. Immediately after, the cyberspace witnesses the shut down of Hansa, another major darknet market. As more and more major dark web markets went offline due to the law enforcement penetrations, cybercriminals are wisely migrating to new platforms.

Although threat actors are loving IM platforms, the regular cybercrime sources such as dark web markets, credit card shops, and forums are still witnessing their web usual traffic. These platforms have more advantages such as chatbots, fewer rules, and automated replies due to their core nature, unlike IM platforms that are majorly meant for communication.

While giving insights, Etay Maor, IntSights CSO, said, "Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums."

"Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also a trade of physical items stolen or counterfeited from organizations in the retail industry.” He added.

“While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States.” Maor further explained.

More and more small and medium enterprises are being affected by business e-mail compromise, according to a webinar, conducted by the PHD Chamber of Commerce and Industry.


Business Email Compromise also known as BEC is a security exploit in which the threat actor obtains access to a corporate email account having links to company funds and then attempts to defraud the company or the employees by spoofing the targeted employee's identity. The attackers manipulate the target to transfer money into a bank account that belongs to them.

In the year 2019, BEC scams have amounted for losses of more than $1.77 billion, as per the FBI's Internet Crime Report. Businesses are being warned as BEC exploits surge due to the ongoing pandemic; companies that rely primarily on wire transfers to transfer money to international customers are the most common target of BEC.

An infected email network can cause a significant amount of damage to a company's interests, therefore safeguarding an enterprise is crucial – along with empowering employees, it will also shield business interests and longevity.

While giving insights on the subject matter, deputy commissioner of police (cyber) Anyesh Roy said, “The fraudsters do compromise with the email account of the person who is dealing with the company accounts and financial transactions. They create an email account that is similar to either company’s or client’s account. They come in the middle and start interacting with both the parties. They change the destination of financial transactions on some pretext, following which the money goes to the fraudsters’ account.”

“Whatever an instruction has been received from the client about changing the destination of banking account, it needs to be confirmed through alternate means, including phone call, e-mail, and other.”

“Cyber-crime is like any other crime and one can report it anywhere at any police station or DCP office. The complaint can be registered through e-mail also. Cyber-crimes are happening through digital medium and the evidences can easily be destroyed so the victim needs to capture it as a screenshot and give it to police with their complaint,” the officer added.

Per reports, Microsoft has hinted that the next main version of Windows 10 will come stacked with a fresh security feature that would allow the users to facilitate the Windows Defender’s secret feature that helps hunt and bar the installation of known PUAs (Potentially Unwanted Applications).

PUA’s are also widely known as PUPs that stands for Potentially Unwanted Programs. These aren’t as well known by the users in the cyber-crime world as all the other major threats but are a valid threat nevertheless.

Per sources, these are software that is installed on devices via fooling the targets. The term for which the PUP/PUA stands is self-explanatory with regards to applications or programs that your device may not really need.

PUPs/PUAs go around with tactics like either by employing “silent installs” to dodge user permissions or by “bundling” an unrequired application with the installer of an authentic program.

Sources mention that PUAs most commonly contain applications that alter browser history, hinder security controls, install root certificates, track users and sell their data, and display invasive ads.

As per reports, the May 2020 update is to be rolled out to the users in the last week of this month. Microsoft mentioned that it has added a fresh new feature in its setting panel that would allow users to bar the installation of any unwanted applications or programs in the form of known PUAs/PUPs.

As it turns out, researchers mention that the feature has been available in the Windows Defender for quite a lot of time, but for it to kick start it would need group policies and not the usual Windows user interface.

As per sources, to enable the feature a user must go to ‘Start’, ‘Settings’, ‘Update & Security’, ‘Windows Security’, ‘App & Browser Control’, and finally 'Reputation-based Protection Settings’. Once updated, the feature would show two settings, the above-mentioned feature is disabled by default and would need to be enabled manually. However, Microsoft suggests, enabling both the settings.

Reports mention, that the “Block Apps” feature will scan for PUAs that have already been downloaded or installed, so if the user’s using a different browser Windows Security would intercept it after it’s downloaded. However, the “Block Downloads” feature hunts the PUAs while they are being downloaded.

In times where info-stealer is progressively becoming one of the most common threats, the Infostealer market has thus risen as one of the most lucrative for cyber crooks, for the data gathered from infected frameworks could be 'resold' in the cybercrime underground or utilized for credential stuffing attacks.

This class of malware is said to incorporate many well-known malware like Azorult, Tesla, and Hawkeye.

Recently over the two months, Researchers from Cybaze-Yoroi ZLab observed the evolution and the diffusion of an info stealer dubbed as Poulight that most probably has a Russian origin. First spotted by MalwareBytes specialists in middle March and indicators of compromise have been as of now shared among the security community.

The vindictive code has propelled further stealing capabilities and continues to evolve. 

Hash                                8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
Threat                              Poulight Stealer
Brief Description             Poulight Stealer
Ssdeep                       1536:GJv5McKmdnrc4TXNGx1vZD8qlCGrUZ5Bx5M9D7wOHUN4ZKNJH:                                               GJeunoMXNQC+E5B/MuO0Ogt

Above is the sample information / Technical Analysis

Like a large portion of the malware of this particular family, it is created from a builder accessible to cyber-criminal groups that offer a 'subscription plan' for its "product". The outcome is a .NET executable:

Static information about the binary file

A quirk of this sample is that it doesn't have a minimal indication of obscurity; the analysis is very simple to depict the malware abilities/capabilities. When the malware is propelled, it plays out a classical evasion technique (as shown in Fig.3):

Figure 3: Evasion Technique

This implemented evasion technique is one of the most exemplary ones, where, through the utilization of Windows Management Instrumentation (WMI) by executing the inquiry "Select * from Win32_ComputerSystem". Specifically, along these lines, a few checks of the most relevant tracks of virtualization are given, as:
• “vmware”
• “VIRTUAL”
 • “VirtualBox”
• “sbiedll.dll” (Sandboxie)
• “snxhk.dll” (Avast sandbox)
• “SxIn.dll” (Avast sandbox)
• “Sf2.dll” (Avast Sandbox”)

These checks are additionally recorded from the Al-Khaser or Pafish tools which are planned to be a test suite to distinguish malware analysis environments and intended to test the strength of the sandboxes. At that point, the malware can continue with the infection beginning giving rise to another threat called "Starter".

Figure 4: Loader module of the malware

The "Starter" class contains the routine to load the segments of the malware. Prior to that, there is the initialization of certain directories and files utilized to store the accumulated data from the victim machine. This activity is performed by the primary instruction "global:: Buffer.Start()", the method is very simple and easy: a series of folders were created within Windows Special folders (AppData, Local AppData, Personal, Desktop) along these lines:

Figure 5: Creation of folders in the Windows Special Folders

From that point forward, the malware extracts the configuration document and its parameters from the asset named "String0", a Base64 encoded string and through the following strategy they are then decoded:

Figure 6: Routine to extract the configuration file

The primary data tag "prog.params" is quickly recovered in the instruction "HandlerParams.Start()" which can be seen in Figure 4. Presently, a check of a previous infection is performed before beginning another one. The instruction "AntiReplaySender.CheckReplayStart()" (in figure 4) is assigned.

Figure 7: Check of a previous infection

The malware attempts to discover the id of the mutex. In the event that the file is available, the malware doesn't execute itself some other time, else it composes this empty document to sign the infection is begun. From that point forward, it transforms into the real vindictive main contained inside the "XS" class, as seen in figure 4. The primary bit of the code is the following:

Figure 8: Initialization of the mail module

The first instruction is "Information.Start()" where all the data about the hardware and software of the host is collected along these lines:

Figure 9: Routine for retrieving the configuration of the victim machine

It is clearly evident that the malware utilizes both English and Russian dialects to log the data assembled. From that point onward, the stealer turns to count and log all the active processes inside the operative system.

Figure 10: Routine to extract the process list

Now as seen in figure 8, a 'check' on the third parameter is performed. On the off chance that it is equivalent to one; the "clippers" module is executed.

Figure 11: Routine to decode and execute an embedded component

As show in the above figure, this code can decode a component contained inside the "clbase" tag with the AES key stored within the "update" tag. Be that as it may, in the particular configuration there is no "clbase" field, so we don't have any other component to install. The last instruction seen in Figure 8 is "CBoard.Start", which works in the following way:

Figure 12: Routine to steal clipboard data

The subsequent stage is to accumulate all the sensitive data on the victim machine:

Figure 14: Detail of the stealing modules

The malware steals an immense amount of data:

• Desktop Snapshot 
• Sensitive Documents 
• Webcam snapshot 
• Filezilla credentials 
• Pidgin credentials 
• Discord Credentials 
• Telegram 
• Skype 
• Steam 
• Crypto Currencies 
• Chrome chronology  

The most fascinating part is that the module "DFiles" instructed to steal sensitive documents. It begins with looking through the records with one of the accompanying extensions:

Figure 15: Routine to search the documents with specific extensions

Within the gathered files, the malware searches for the classic keywords showing that the content of the files conserves some valuable accreditations. The keywords are the accompanying:

Figure 16: List of keywords searched within the documents

Then the malware proceeds to gather all the data inside a unique data structure and sends it to the C2 retrieved in another resource named "connect":

Figure 17: Routine to upload to the C2 the stolen information

At long last, it downloads and executes various components from the Internet. The parameters are recovered similarly observed in the past segment: a tag named "file" contains the component to download.

Figure 18: Routine to download other components from the Internet

Thus there is no doubt in the fact that Poulight stealer has a mind-boggling potential to steal delicate data and it ought not to be disregarded that later on, it may supplant other info stealers like Agent Tesla, remcos, etc.

In any case, the limitation of the embed is the absence of code obfuscation and data protection, however, this could be clarified due to the fact that, possibly, the malware is in its early stages of development.

Since now that the attackers likely will enhance these features, therefore, being aware of them is the best step forward for the users now. RN

Internet users have been alerted by national federal cybersecurity agency against a fake email campaign that is going on in the country; the authors behind the campaign are threatening to post a personal video of a victim that they claim to have recorded if the demanded ransom in the form of cryptocurrency is not paid to them.

While assuring users that there's nothing major to worry about these emails as the claims made in it are fake, the Computer Emergency Response Team of India (CERT-In) in a related advisory, suggested users assign new passwords to all their online platforms including their social media handles.

CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology security organization. It has been designated as the national agency to respond to computer security incidents. The purpose of CERT-In is to issue guidelines, advisories, and promote effective IT security practices throughout the country.

A number of emails have been sent as a part of the campaign, claiming that the receiver's computer was compromised and a video was recorded via their webcam and that the sender has access to their passwords, as per the CERT-In latest advisory on the matter. The attacker attempts to convince the user into falling in his trap by mentioning his previous password in the email, then by strategic use of computer jargon, the attacker comes up with a story to appear as a highly-skilled scammer to the recipient. The story tells the victim that while he was surfing a porn website, his display screen and webcam was compromised by a malware placed by the hacker onto the website. It states that all of the user's contacts from Facebook, email, and messenger have been hacked alongside.

As these emails are scams and claim false information, users are advised to not get tricked into paying the demanded ransom in haste as even if the password mentioned by attackers in the email seems familiar it's because they accessed it via leaked data posted online and not through hacking their account. All you have to do is change or update your password for all the online platforms where it is being used.

These days of lock-down have left cyber-criminals feeling pretty antsy about “working from home”. Not that it has mattered because apparently, that is why the number of cyber-crime cases has only hiked especially the Phishing attacks.

This has gotten Google working on its machine-learning models to bolster the security of Gmail to create a stronger security front against cyber-criminals.

Given the current conditions, the attackers seem to have a morbid sense when it comes to the themes of the Phishing attacks, i.e. COVID-19. Reportedly, 18 Million such attacks were blocked in a single week. Which amount up to 2.5% of the 100 Million phishing attacks it allegedly dodges every day.

Google, per sources, is also occupied with jamming around 240 Million spam messages on a daily basis. These phishing attacks and spams at such a worrisome time have impelled Google and Microsoft to modify their products’ mechanisms for creating a better security structure.

Reportedly, the number of phishing attacks, in general, hasn’t risen but in the already existing number of attacks, the use of COVID-19 or Coronavirus seems to have been used a lot.

Malware and phishing attacks, especially the ones related to COVID-19 are being pre-emptively monitored. Because being resourceful as the cyber-criminals are the existing campaigns are now being employed with little upgradations to fit the current situation.


A few of the annoying phishing emails include, ones pretending to be from the World Health Organization (WHO) to fool victims into making donations for VICTIMS to a falsified account.

Per the intelligence teams of Microsoft, the Coronavirus themed phishing attacks and scams are just the remodeled versions of the previous attacks.

The attackers are extremely adaptive to the things and issues that their victims might easily get attracted to. Hence a wide variety of baits could be noticed from time to time.

During the lock-down period of the pandemic, health-related and humanitarian organizations have been extensively mentioned in the scams and phishing emails.

Per sources, the Advanced Protection Program (APP) lately acquired new malware protections by enabling Google Play Protect On Android devices to some specifically enrolled accounts.

Allegedly, users trying to join the program with default security keys were suspended, while the ones with physical security keys were still allowed to be enrolled.

All the bettered security provisions of Google shall be turned on by default so that the users can continue to live a safe and secure life amidst the pandemic.

In addition to all the reasons ransomware were already dangerous and compulsive, there’s another one that the recent operators are employing to scare the wits out of their targets.

Cyber-criminals now tend to be threatening their victims with publishing and compromising their stolen data if the ransom doesn’t get paid or any other conditions aren’t followed through with.

The tactic in question is referred to as “Double Extortion” and quite aptly so. Per sources, its usage emerged in the latter half of 2019 apparently in use, by the Sodinokibi, DopplePaymer and Clop ransomware families.

Double extortion is all about doubling the malicious impact a normal ransomware attack could create. So the cyber-criminals try and stack up all sorts of pressure on the victims in the form of leaked information on the dark web, etc.

They just want to make sure that the victims are left with no other option but to pay the ransom and meet all the conditions of the attack, no matter how outrageous they are.

The pattern of Double Extortion was tracked after a well-known security staffing company from America experienced the “Maze ransomware” attack and didn’t pay up the 300 Bitcoin which totaled up to $2.3 Million. Even after they were threatened that their stolen email data and domain name certificates would be used for impersonating the company!

Per sources, all of the threatening wasn’t without proof. The attackers released 700 MB of data which allegedly was only 10% of what they had wrested from the company! And what’s more, they HIKED the ransom demand by 50%!

According to sources, the Maze ransomware group has a website especially fabricated to release data of the disobliging organizations and parties that don’t accept their highly interesting “deals” in exchange for the data.

Reportedly, ranging from extra sensitive to averagely confidential data of dozens of companies and firms from all the industries has found its way to the Maze ransomware website.

Clearly impressed by it many other operators of similar intentions opened up their own versions of the above-mentioned website to carry forward their “business” of threatening companies for digital currency and whatnot! They sure seem to have a good sense of humor because per sources the blog names are the likes of “Happy Blog”.

Per reports, the Sodinokibi ransomware bullied to leak a complete database from the global currency exchange, Travelex. The company had to pay $2.3 Million worth Bitcoin to get the attackers to bring their company back online.


Per reports of the researchers, the attackers would always release some kind of proof that they have the extremely valuable data of the company, before publishing it, to give the company a fair chance at paying up the ransom demanded.

Usually, these attacks are a win-win for the attackers and a “lose-lose” for the victims because if they decide not to pay up they would be putting their company in a very dangerous situation with all the valuable data compromised online for anyone to exploit, they would have to report the breach and they would have to pay a considerably high fine to the data privacy regulator. And if they pay up, they would be losing a giant plop of money! And sadly the latter feels like a better option.

Hospitals happen to be the organizations that are the most vulnerable to these attacks because of all the sensitive health-related data their databases are jam-packed with on any other day and additionally due to the Coronavirus outbreak.

The organizations could always follow the most widely adapted multi-layered security measures for keeping their data safe obviously including updating systems, keeping backups and keeping data protected in any way they possibly can.

The most conscientious gangs of the many ransomware families, per sources, have promised to not attack hospitals amidst this pandemic. But that doesn’t stop the other mal-actors from employing cyber-attacks.

The cyber-crime forecasters have mentioned that the year 2020 would be quite a difficult year for these organizations what with the lock-down and no easier (malicious) way to earn money, apparently? Food for thought!

While the Coronavirus pandemic has practically driven people to stay locked up in their homes and spend a lot more (in some cases almost all) of their time online, the possibilities for cyber-criminals have only flourished.

Cyber-security experts have realized this and made a note out of it that everyone knows the kind of danger is lurking in their cyber-world.

From elaborate scams to phishing attacks that target the victim’s personal information, there is a lot of people who need to be cautious about it.

The Cryptocurrency industry is going through a lot due to the current crisis the world is in. The 'crypto-partakers" are being particularly on the hit list with something as attention-grabbing as purportedly “celebrity endorsement”. The latest bait names for this attempt happen to be that of charming Meghan Markle and Prince Harry.

Well-known personalities’ names like Bill Gates, Lord Sugar and even Richard Branson have been misused to lure people in as a part of similar scams. It is not necessary for the people mentioned to belong to a particular industry. They could be anyone famous for that matter.

The scams are so elaborate that once fooled the victims can’t even trace the mal-agent and. The latest scam, per sources, employs a fake report from the “BBC” mentioning how Prince Harry and Meghan Markle found themselves a “wealth loophole”.
Per sources, they also assure their targets that in a matter of three to four months they could convert them into millionaires. Further on, allegedly, it is also mentioned that the royals think of the Cryptocurrency auto-trading as the “Bitcoin Evolution”. It reportedly also includes a fake statement to have been made by Prince Harry.

The overconfident scammers also declare that there is no other application that performs the trading with the accuracy like theirs. Reportedly, on their website, there are banners with “countdowns” forcing people to think that there are limited period offers.

According to researchers this is one of the many schemes desperate cyber-criminals resort to. People not as used to the Cryptocurrency industry and the trading area, in particular, are more vulnerable to such highly bogus scams and tricks that the cyber-criminals usually have up their sleeves.

Business Email Compromise (BEC) scams have surfaced among several US companies and have caused them damage costing along the lines of Billions, mentions a warning of the Federal Bureau of Investigation.

Per sources, BECs are “sophisticated scams” aiming at businesses involving electronic payments encompassing “wire transfers or automated clearing house transfers”. Usually, these scams include a cyber-con penetrating a legitimate business email account via device intrusion procedures.

Once the access has been acquired, the cyber-con is free to deceitfully dive into the email account to obtain funds by sending emails to suppliers, loaded with invoices of modified bank account details.

The hit list mostly consists of organizations that employ cloud-based email services, which makes it easier to go for Business Email Compromise (BEC) scams.

Per FBI, specially engineered “phish kits” with the ability to impersonate the cloud-based email services are used to prompt these scams only to exploit the business accounts and request or mi-sallocate funds.

Sources mention that the Internet Crime Complaint Center (IC3) received numerous complaints over the past years about companies having experienced damages amounting to a couple of Billions in “actual losses” as a result of the BEC scams.

The IC3 focused their attention on the BEC scams right after their number began to multiply rapidly across all the states of America.

The issue allegedly stands in the configuration of the cloud-based services which makes it almost effortless for cyber-criminals to exploit the company’s email accounts.

Obviously most cloud-based services are laden with security measures that intend to block all the BEC attempts. But that depends on the ability of the users to make good use of them. The maximum of these features needs to be enabled and manually configured.

Per sources, what makes these scams dangerous is that any organization, big or small, with kerbed IT resources is vulnerable.

The cyber-cons in addition to having control over the email accounts, usually also retrieve the address books of the exploited accounts to have a list of potential targets. Hence, a single bad apple could affect the entire basket, meaning a single affected organization could have ramifications for the entire business industry.

"Well, even Facebook is hackable but at least their security is better than Twitter.", this opening statement was posted on Facebook's official Twitter account by the hacking group OurMine.



Though the accounts have now been restored, the hacking group OurMine posted the same on Facebook's Twitter, messenger and Instagram accounts.

OurMine says its hacks are to show the sheer vulnerability of cyberspace. In January, they attacked and hijacked dozens of US National Football League teams accounts.

They posted the following on Facebook's Twitter page-

Hi, we are O u r M i n e,
Well, even Facebook is hackable but at least their security is better than twitter. 

 to improve your account security
 Contact us: contact@o u r m In e.org 

 For security services visit: o u r m In e.org 

On Instagram, they posted OurMine logo whereas Facebook's own website was left alone. Twitter has confirmed that the accounts were hacked albeit via a third-party and the accounts were then locked.

"As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners at Facebook to restore them," Twitter said in a statement.

These attacks followed the same trend as they did in the attack on the teams of the National Football League.

The accounts were accessed by Khoros, a third-party platform. Khoros is a marketing platform, a software that allows people to manage their social media accounts all in one space. It can be used by businesses to manage their social media communications. These platforms like Khoros, have the login details of the customers. OurMine seemed to have gained access to these accounts through this platform.

OurMine is a Dubai based hacking group known for attacking accounts of corporations and high profile people. It has hacked social media accounts of quite a few influential individuals like Twitter's founder Jack Dorsey, Google's chief executive Sundar Pichai, and the corporate accounts of Netflix and ESPN. According to OurMine, their attacks are intended to show people cybersecurity vulnerabilities and advises it's victims to use its services to improve security.

A leading cyber-security firm recently alerted all the netizens about a vulnerability discovered in the measurement tools that support the Standard Commands for Programmable Instruments (SCPI) protocol, mentioned reports.

According to sources, SCPI is an ASCII-based standard especially crafted out for the purposes of testing and measurement machines that came into existence in 1990.

SCPI still happens to be used quite a lot given its easy and user-friendly interface and the inclusion of commands that could help alter any setting on the devices.

In recent times, most of the measurement devices are connected to networks and in some cases even to the internet. Hence, SCPI’s holding no authentication mechanism is a matter of risk and insecurity for all its users.

Per sources, when one of the major cyber-security research firms ran analytic research on SCPI they uncovered all the devices that use it and therefore are vulnerable to cyber-crime.

Per reports, the aforementioned measurement devices encompass of multimeters, signal analyzers, oscilloscopes, data acquisition systems, and waveform generators.

The researchers carried forward their analysis on different brands and different products of the same type and came across the fact that all the vendors’ products could be equally susceptible to cyber-attacks of similar nature if they used SCPI.

A multimeter was analyzed by the researcher wherein they found that its web and other interfaces were quite easily available and were very easy to get to as they were neither password-protected nor had any security functions by default.

Therefore, any cyber-attack that even a basic attacker plans could have a high possibility of success as the “configuration panel” could be very easily accessed and the password could be changed to anything in accordance with the attacker’s whims.

And as if all this wasn’t enough, the attacker could actually configure the measurement instruments to cause physical harm to people. The devices could be set to show illogical and unsystematic text any number of times, as well.

Per sources, the memory of the measurement instruments could be written for a definite number of times but incessant writing could lead to the devices’ physical distortion which couldn’t be reversed without changing the parts.

The power supply units of the devices could also be easy targets for attackers, according to sources, and could trigger DoS leading to physical corruption of the device.

We've all heard about sim swapping, SIM splitting, simjacking or sim hijacking- the recent trend with cybercriminals and now a study by Princeton University prooves the vulnerability of wireless carriers and how these SIM swapping has helped hackers ease their hands into frauds and crimes.



SIM swapping gained quite an attention when Twitter CEO Jack Dorsey’s account was hacked on his own platform. A study by Princeton University has revealed that five major US wireless carriers - AT&T, T-Mobile, Verizon, Tracfone, and US Mobile - are susceptible to SIM swap scams. And this sim hijacking is on a rise in developing countries like Africa and Latin America.

What is SIM swapping? 

SIM swapping is when your account is taken over by someone else by fraud through phone-based authentication usually two-factor authentication or two-step verification. This could give the hacker access to your email, bank accounts, online wallets and more.

How does the swap occur? 

In a SIM swap, scammers exploit the second step in two-factor verification, where either a text message or a call is given to your number for verification.

Citywire further explains the process, "Usually, a basic SIM-card swapping work when scammers call a mobile carrier, impersonating the actual owner and claiming to have lost or damaged their SIM card. They then try to convince the customer service representative to activate a new SIM card in the fraudster’s possession. This enables the fraudsters to port the victim’s telephone number to the fraudster’s device containing a different SIM."

After accessing the account, the scammers can control your email, bank accounts, online wallets and more.

 Detecting SIM swapping attack

• The first sign is if your text messages and cell phones aren't functioning, it's probable that your account is hijacked.

• If the login credentials set by you stop working then it's probably a sign that your account has been taken over. Contact your telecom provider and bank immediately.

• If you get a message from your telecom provider that your SIM card has been activated on another device, be warned it's a red sign.

Cybercrime is on a rapid rise in Venezuela as an effect of the country's economic and political turmoil, according to a report released Thursday by IntSights, a global threat intelligence company. More and more people are being driven into the underground criminal world as it provides a lucrative alternative to make money.



IntSights analysts found sophisticated and systematic operations working to steal personal information of individuals from Latin America, such as bankers and retailers and they either sell the information online to the highest bidder or use it further to dig more data. These hacks and data gathering operations are quite profitable and remunerative for Venezuelans, as they sell it for cryptocurrency like Bitcoin, a better alternative to the drowning national currency-Venezuelan bolivar.

Venezuela, once amongst the richest countries in Latin America, with large oil reserves and gold mines has now become a mere shell of its former self as decades of corruption and socialist rule have plunged the economy. The political condition of the country is also severe as there have been ongoing protests and rebels against President Nicolás Maduro from last year. This hyperinflation in Venezuela has caused a deterioration in the national currency and thus citizens have turned to cryptocurrency.

The International Monetary Fund says inflation of the Venezuelan bolivar, the country’s currency, is expected to hit a startling 200,000 percent this year. A cup of coffee that cost 150 bolivars in November 2018 now costs 18,000 bolivars, according to Bloomberg (Quoting nbcnews).

These hackers are based in Venezuela and neighbouring countries like Colombia and they don't seem to be hiding unlike experienced hackers from Russia and China. Information about the operations, their phone numbers and where to find them is easily available.
“They don’t seem too concerned about hiding,” Charity Wright, an analyst at IntSights said. “I think it’s because they don’t sense law enforcement will do anything.”

The law enforcers have also turned a blind eye to the victims, as they are more concerned about handling the political turmoil, the reports said.

There has been heavy censorship in the country with bans on CNN, major newspapers, VPN's. Social networks like Instagram, Snapchat, Facebook and Twitter, and messaging apps like WhatsApp are the major means of communication for the people. Cybercriminals can also be found easily on these platforms collaborating and looking for work.

"The Venezuelan underground has risen to the surface with the anarchy and chaos of the Maduro regime,” said Tom Kellermann, head of cybersecurity strategy for cloud computer company VMware and a global fellow for cyber policy at the Wilson Center. These crimes comprise large-scale email phishing and malware campaigns, sensitive data being sold on public websites and over the dark web.