The Federal Bureau of Investigation (FBI) has alerted the public to a widespread SMS phishing scam sweeping across the United States. The scam, which began in early March 2024, specifically targets individuals with fraudulent messages regarding unpaid road toll fees.
What Does The Scam Entails?
Thousands of Americans have already fallen victim to this harrowing scam, with over 2,000 complaints flooding the FBI's Internet Crime Complaint Center (IC3) from at least three states. The deceptive messages typically claim that the recipient owes money for outstanding tolls, urging them to click on embedded hyperlinks.
The perpetrators behind these attacks employ sophisticated tactics to deceive their targets. By impersonating legitimate toll services and altering phone numbers to match those of the respective states, they create a false sense of authenticity. However, the links provided within the messages lead to fake websites designed to extract personal and financial information from unsuspecting victims.
Cautionary Advice
Authorities are urging individuals who receive such messages to exercise caution and take immediate action. The Pennsylvania Turnpike, one of the affected toll services, has advised recipients not to click on any suspicious links and to promptly delete the messages. Similarly, the Pennsylvania State Police have issued warnings about the scam, emphasising the dangers of providing personal information to fraudulent sources.
To safeguard against falling prey to this scam, the FBI recommends several preventive measures. Victims are encouraged to file complaints with the IC3, providing details such as the scammer's phone number and the fraudulent website. Additionally, individuals should verify their toll accounts using the legitimate websites of the respective toll services and contact customer service for further assistance. Any suspicious messages should be promptly deleted, and if personal information has been compromised, immediate steps should be taken to secure financial accounts and dispute any unauthorised charges.
What Is Smishing?
Smishing, a blend of "SMS" and "phishing," is a form of social engineering attack wherein fraudulent text messages are used to deceive individuals into divulging sensitive information or downloading malware. In this instance, the scam preys on individuals' concerns regarding unpaid toll fees, exploiting their trust in official communication channels.
As the SMS phishing scam continues to proliferate, it is imperative for individuals to remain vigilant and sceptical of unsolicited messages. By staying informed and taking proactive measures to protect personal information, users can mitigate the risks posed by such malicious activities. Authorities are actively investigating these incidents, but it is crucial for the public to be proactive in safeguarding their financial and personal information from exploitation.
Tarrant Appraisal District (TAD) finds itself grappling with a major setback as its website falls prey to a criminal ransomware attack, resulting in a disruption of its essential services. The attack, which was discovered on Thursday, prompted swift action from TAD, as the agency collaborated closely with cybersecurity experts to assess the situation and fortify its network defences. Following a thorough investigation, TAD confirmed that it had indeed fallen victim to a ransomware attack, prompting immediate reporting to relevant authorities, including the Federal Bureau of Investigation and the Texas Department of Information Resources.
Despite concerted efforts to minimise the impact, TAD continues to work towards restoring full functionality to its services. Presently, while the TAD website remains accessible, the ability to search for records online has been temporarily suspended. Moreover, disruptions extend beyond the digital realm, with phone and email services also facing temporary outages. This development comes hot on the heels of a recent database failure experienced by TAD, which necessitated the expedited launch of a new website. Originally intending to run both old and new sites concurrently for a fortnight, the agency was compelled to hasten the transition following the database crash.
Chief Appraiser Joe Don Bobbitt has moved seamlessly to reassure the public, asserting that no sensitive information was compromised during the disruption. However, TAD remains vigilant and committed to addressing any lingering concerns. The agency is poised to provide further updates during an upcoming board meeting.
These recent challenges encountered by TAD underscore the critical importance of robust cybersecurity measures and organisational resilience in the face of unforeseen disruptions. Against the backdrop of escalating property values across North Texas, scrutiny of appraisal processes has intensified, with TAD having previously grappled with website functionality issues. Nevertheless, the agency remains steadfast in its commitment to enhancing user experience and fostering transparency.
In light of recent events, TAD remains resolute in prioritising the integrity of its operations and the safeguarding of sensitive data. The deliberate response to the ransomware attack prompts the agency's unwavering dedication to addressing emerging threats and maintaining public trust. As TAD diligently works towards restoring full operational capacity, stakeholders are urged to remain careful and report any suspicious activity promptly.
The resilience demonstrated by TAD in navigating these challenges serves as a testament to its dedication to serving the community and upholding the highest standards of accountability and transparency in property valuation processes.
Threats have been improving their ransomware attacks for years now. Traditional forms of ransomware attacks used encryption of stolen data. After successful encryption, attackers demanded ransom in exchange for a decryption key. This technique started to fail as businesses could retrieve data from backups.
To counter this, attackers made malware that compromised backups. Victims started paying, but FBI recommendations suggested they not pay.
The attackers soon realized they would need something foolproof to blackmail victims. They made ransomware that stole data without encryption. Even if victims had backups, attackers could still extort using stolen data, threatening to leak confidential data if the ransom wasn't paid.
Making matters even worse, attackers started "milking" the victims and further profiting from the stolen data. They started selling the stolen data to other threat actors who would launch repeated attacks (double and triple extortion attacks). Even if the victims' families and customers weren't safe, attackers would even go to the extent of blackmailing plastic surgery patients in clinics.
Regulators and law enforcement organizations cannot ignore this when billions of dollars are on the line. The State Department is offering a $10 million prize for the head of a Hive ransomware group, like to a scenario from a Wild West film.
Businesses are required by regulatory bodies to disclose “all material” connected to cyber attacks. Certain regulations must be followed to avoid civil lawsuits, criminal prosecution, hefty fines and penalties, cease-and-desist orders, and the cancellation of securities registration.
Cyber-swatting is another strategy used by ransomware perpetrators to exert pressure. Extortionists have used swatting attacks to threaten hospitals, schools, members of the C-suite, and board members. Artificial intelligence (AI) systems are used to mimic voices and alert law enforcement to fictitious reports of a hostage crisis, bomb threat, or other grave accusation. EMS, fire, and police are called to the victim's house with heavy weapons.
What was once a straightforward phishing email has developed into a highly skilled cybercrime where extortionists use social engineering to steal data and conduct fraud, espionage, and infiltration. These are some recommended strategies that businesses can use to reduce risks.
1. Educate Staff: It's critical to have a continuous cybersecurity awareness program that informs staff members on the most recent attacks and extortion schemes used by criminals.
2. Pay Attention To The Causes Rather Than The Symptoms: Ransomware is a symptom, not the cause. Examine the methods by which ransomware infiltrated the system. Phishing, social engineering, unpatched software, and compromised credentials can all lead to ransomware.
3. Implement Security Training: Technology and cybersecurity tools by themselves are unable to combat social engineering, which modifies human nature. Employees can develop a security intuition by participating in hands-on training exercises and using phishing simulation platforms.
4. Use Phishing-Resistant MFA and a Password Manager: Require staff members to create lengthy, intricate passwords. To prevent password reuse, sign up for a paid password manager (not one built into your browser). Use MFA that is resistant to phishing attempts to lower the risk of corporate account takeovers and identity theft.
5. Ensure Employee Preparedness: Employees should be aware of the procedures to follow in the case of a cyberattack, as well as the roles and duties assigned to incident responders and other key players.
The leak is likely from a frustrated employee of Chinese cybersecurity company I-soon (Anxun in China), which tells a denting story of China's cyberespionage operations. It provides us with a backstage glimpse of China's hacking ecosystem.
Since 2010, China has leveled up its cyberespionage and cybertheft game to such extremes that FBI Chief Christopher Wray said that China's state-sponsored hackers outnumber U.S. cyber intelligence personnel 50-to-1.
I-Soon works for Chinese government agencies and private players. It has ties to China's major government contractors such as the Ministry of Public Security (police) and the Ministry of State Security (intelligence). I-Soon is a shadowy figure that plans campaigns crossing borders. Its weapons include zero-day exploits, sophisticated tools, and a diverse team of skilled hackers.
The leaked documents disclose I-Soon's wide range of surveillance. Their spying targets include both Chinese citizens and foreigners. The main targets are:
1. Foreign Networks: I-Soon's reach goes beyond Chinese borders. They hack foreign networks, steal sensitive info, and leave no digital stone untouched. Whether military intelligence, personal data, or corporate secrets, I-soon is involved in everything.
2. Political Dissidents: Regions like Hong Kong and Xinjiang are constantly under I-Soon's surveillance radar. The aim is to keep an eye on any form of dissent and opposition and inform the Chinese government.
I-Soon has vast databases of hacked info. These databases have stolen credentials, surveillance footage, and hacked emails. But where does it end? The hacked data is sold on the dark web. Chinese police are always on the lookout for this information, they buy these digital assets to improve their surveillance operations.
Cyberespionage is a war fought on an unseen battlefield. Contrary to traditional conflicts, there are no casualties or damage that can be seen in the open. However, cyber espionage destroys firewalls, lines of code are disrupted, and digital footprints disappear. A lot is at stake, economic dominance, national security, and ideological superiority.
I-Soon's operations highlight the murky relationship between state-sponsored cyber operations and private contractors. While the Chinese government shows it has no involvement, contractors like I-soon do their dirty work. The blurred lines between private and public actors create an environment where accountability doesn't exist.
The leak serves as a reminder to individuals, corporations, and nations to strengthen their digital defenses. Cybersecurity is a basic need for digital survival, it's not a luxury. Threat intelligence, encryption, and partnership across borders can be the defense against unknown cyber terror.
The leak is only a glimpse into the dark world of cyberespionage, what we see is just the tip of the iceberg- the iceberg is hiding much more. I-Soon's leak is a wake-up call.
In a major victory against cybercrime, the FBI has successfully taken down the Warzone RAT malware operation. This operation led to the arrest of two individuals involved in the illicit activities. One of the suspects, 27-year-old Daniel Meli from Malta, was apprehended for his role in the distribution of Warzone RAT, a notorious remote access trojan used for various cybercrimes.
Warzone RAT, also known as 'AveMaria,' surfaced in 2018 as a commodity malware offering a range of malicious features. These include bypassing User Account Control (UAC), stealing passwords and cookies, keylogging, remote desktop access, webcam recording, and more. Meli's arrest took place last week in Malta following an indictment issued by U.S. law enforcement authorities on December 12, 2023.
The charges against Meli include unauthorised damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offences. He has been involved in the cybercrime space since at least 2012, starting at the age of 15 by selling hacking ebooks and the Pegasus RAT for a criminal group called 'Skynet-Corporation.'
Simultaneously, another key figure linked to Warzone RAT, Prince Onyeoziri Odinakachi, 31, from Nigeria, was arrested for providing customer support to cybercriminals purchasing access to the malware. Federal authorities in Boston seized four domains, including the primary website "warzone.ws," associated with Warzone RAT.
The international law enforcement effort coordinated by the FBI not only resulted in arrests but also identified and confiscated server infrastructure related to the malware across various countries, including Canada, Croatia, Finland, Germany, the Netherlands, and Romania.
While the U.S. Department of Justice (DoJ) mainly implicates Meli in the distribution and customer support for the malware, it remains unclear whether he is the original creator of Warzone RAT. The DoJ announcement reveals Meli's involvement as a seller in the cybercrime space since the age of 15, raising questions about the malware's origin.
Meli faces serious consequences, with a potential 15-year prison sentence, three years of supervised release, and fines of up to $500,000 or twice the gross gain or loss (whichever is greater) for the charges against him. The Northern District of Georgia seeks Meli's extradition from Malta to the United States for trial.
This successful operation not only brings two significant cybercriminals to justice but also marks a crucial step in dismantling the infrastructure supporting Warzone RAT. The FBI's coordinated efforts with international law enforcement agencies highlight the commitment to combating cyber threats on a global scale. The implications of this takedown will likely have a positive impact on cybersecurity efforts worldwide, deterring future vicious activities.
Sydney's Woollahra Council Libraries were the target of a cyberattack that sent shockwaves across the community, demonstrating how susceptible information is in the digital age. Concerns regarding protecting personal data and the possible repercussions of such breaches have been raised in response to the occurrence, which was covered by several news sources.
The attack, which targeted libraries in Double Bay, Paddington, and Watsons Bay, has left thousands affected, with the possibility of personal information being stolen. The breach has underscored the importance of robust cybersecurity measures, especially for institutions that store sensitive data.
Woollahra Council has not disclosed the nature of the information compromised, but the potential risks to affected individuals are substantial. Cybersecurity experts are emphasizing the need for swift and comprehensive responses to mitigate the fallout from such breaches. As investigations unfold, users are advised to remain vigilant and monitor their accounts for suspicious activity.
This incident is a stark reminder that cybersecurity is an ongoing challenge for organizations across the globe. As technology advances, so do the methods employed by malicious actors seeking to exploit vulnerabilities. In the words of cybersecurity expert Bruce Schneier, "The user's going to pick dancing pigs over security every time." This emphasizes the delicate balance between user experience and safeguarding sensitive information.
The attack on Woollahra Council Libraries adds to the growing list of cyber threats institutions worldwide face. It joins a series of high-profile incidents that have targeted government agencies, businesses, and educational institutions. The consequences of such breaches extend beyond the immediate loss of data; they erode public trust and raise questions about the effectiveness of existing cybersecurity protocols.
In response to the incident, the Woollahra Council has assured the public that it is working diligently to address the issue and enhance its cybersecurity infrastructure. This event serves as a call to action for organizations to prioritize cybersecurity measures, invest in cutting-edge technologies, and educate users on best practices for online security.
The data breach took place last Sunday, on November 19. The stolen data comprise of the laboratory’s employees’ critical data, which was later leaked on online forums.
The investigation on the breach is being carried out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, who are working in collaboration with INL, a spokesperson informed. Physical addresses, bank account details, and Social Security numbers are among the data that are impacted.
In an interview regarding the incident, the spokesperson told local news outlet EastIdahoNews.com that the breach has impacted INL’s Oracle HCM system, a cloud-based workforce management platform that offers payroll and other HR solutions, was impacted by the attack.
SiegedSec, a self-entitled hacktivist group has since taken responsibility of the attack, following which it published a sample of the stolen employee data online, which included full names, dates of birth, email addresses, contact details and other identity info of the INL employees to their data breach forum.
The group, which seems to have political motivations, was also accused in the past of stealing information from the Communities of Interest Cooperation Portal, an unclassified information-sharing portal run by NATO.
However, INL has not implied that the breach has had any impact on its classified information or nuclear research, and CISA did not immediately respond to the request for a comment.
Regardless of whether the classified nuclear details were accessed by the threat actors, Colin Little, security engineer at the cybersecurity firm Centripetal, said it is "highly disconcerting that the staff generating that intellectual property and participating in the most advanced nuclear energy research and development have had their information leaked online."
"Now those who are politically motivated and would very much like to know the names and addresses of the top nuclear energy researchers in the U.S. have that data," he said.
INL supports large-scale initiatives from the Department of Energy, the Department of Defense. The laboratory bills itself as "a world leader in securing critical infrastructure systems and improving the resiliency of vital national security and defense assets."
Giving further details of the original advisory published in March, in the information acquired during the FBI investigation, the agencies noted that the ransomware campaign was connected to ransom demands totalling more than $275 million.
"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.
"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."
In March, the two agencies shared their initial indicators of an apparent compromise, along with a list of tactics, methods, and procedures (TTPs), in order to assist defenders in identifying and thwarting attempts to deploy Royal ransomware payloads onto their networks.
The Department of Health and Human Services (HHS) security team discovered in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations. This led to the release of the joint advisory.
The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebranding campaign and/or a spinoff variation.
While it was anticipated that the Royal ransomware operation would rebrand in May, during the course of the BlackSuit ransomware operation, the rebranding never happened.
According to a report published by BleepingCompter in June, the Royal ransomware gang was apparently testing a new BlackSuit encryptor, similar to the operation’s conventional encryptor.
At the time, Partner and Head of Research and Development at RedSense – Yelisey Bohuslavskiy believed that this experiment did not in fact go well.
However, since then, Royal was able to rebrand into BlackSuit and restructure into a more centralized business, following the same blueprint as Team 2 (Conti2) when they were a member of the Conti syndicate.
"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.