Search This Blog

Showing posts with label FBI. Show all posts

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

Feds Take Down SSNDOB Marketplace for Selling Private Data of 24 Million US Citizens

 

SSNDOB, an illicit online marketplace that sold private details of nearly 24 million US citizens, has been taken down following an international law enforcement operation conducted by the FBI, the Internal Revenue Service, the Department of Justice, and Cyprus Police. 

The feds seized four domains hosting the SSNDOB marketplace as part of this operation: "ssndob.ws," "ssndob.vip," "ssndob.club," and "blackjob.biz." 

According to the DOJ, the leaked details included names, dates of birth, SSNs and credit card numbers and generated more than $19 million in revenue. 

"A series of websites that operated for years and were used to sell personal information, including the names, dates of birth, and Social Security numbers belonging to individuals in the United States. The SSNDOB Marketplace has listed the personal information for approximately 24 million individuals in the United States, generating more than $19 million USD in sales revenue," DOJ stated. 

While the website also sold UK citizens' birth dates, it was primarily used to sell the private data of US people for as little as $0.50. 

According to cybersecurity firm Advanced Intel, most of the data was stolen via healthcare and hospital data breaches. Subsequently, the attackers used the information to launch a financial scam. 

"SSNDOB was one of the largest crime shops offering a collection of personally identifiable information for fraudsters and played an integral part in fraud schemes. The majority of the customers used the shop data for various types of scams from tax to bank fraud," AdvIntel CEO Vitali Kremez explained. 

Chainalysis, a blockchain analysis firm, published its own report on the SSNDOB incident revealing that the marketplace received approximately $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been operating since at least 2013. 

However, one of the most interesting details researchers identified was a link between SSNDOB and Joker's Stash, which shut down its operations voluntarily in January 2021 due to increased pressure from law enforcement agencies, disruptions due to COVID-19, and the decreasing quality of stolen credit cards. 

"Perhaps most interesting of all though is the activity we see between SSNDOB and Joker’s Stash, a large darknet market focused on stolen credit card information and other PII that shut down in January 2021," explains Chainalysis' report. Between December 2018 and June 2019, SSNDOB sent over $100,000 worth of Bitcoin to Joker’s Stash, suggesting the two markets may have had some relationship to one another, including possibly shared ownership."

U.S. Agencies Seize Domains Employed for Selling Credentials

 

Earlier this week, the U.S. Department of Justice and the FBI announced that they seized three domains selling compromised personal information and launching cyber assaults on victim networks. 

The specific domains seized were weleakinfo.to, ipstress.in, and ovh-booter.com — the first of which allowed its users to traffic compromised personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches. The other two domains offered DDoS-for-hire services to their users. 

The domains were taken down as part of an international investigation, in which the National Police Corps of the Netherlands and the Federal Police of Belgium arrested the primary suspect, searched several locations, and seized the underlying infrastructure. 

The weleakinfo.to domain offered access to seven billion records containing private data such as names, phone numbers, usernames, email addresses, and passwords. 

The seizure of this domain comes roughly two years after the FBI and the US Department of Justice took control of the internet domain name weleakinfo.com, which offered identical services. 

"Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses," stated Matthew M. Graves, U.S. Attorney for the District of Columbia. “With the execution of the warrant, the seized domain names – weleakinfo.to and the related domains – are now in the federal government's custody, effectively suspending the website’s operation.” 

 "Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security, and commerce around the globe." 

According to the DOJ, it remains unclear how long the weleakinfo.to the domain was in operation. Still, the website developed a reputation for selling names, email addresses, usernames, phone numbers, and passwords for online accounts to cybercriminals who would buy a subscription for a period of one day, one week, one month, three months, or a lifetime. 

Two years ago in January 2020, the FBI and the US DOJ announced the seizure of the WeLeakInfo.com domain, used in similar cybercrime activity. Just as WeLeakInfo.to, it also offered subscriptions, allowing customers to search 12 billion indexed records for specific information exposed in thousands of data breaches.

FBI Warns of Hackers Selling US College VPN Credentials on Underground Forums

 

Threat actors are advertising network credentials and virtual private network (VPN) access for colleges and universities based in the United States on underground and public criminal marketplaces. 

Last week, the Federal Bureau of Investigation (FBI) issued an advisory regarding usernames and passwords giving access to colleges and universities based in the U.S. that are put up for sale on Russian cybercriminal platforms. The price of stolen credentials varies between a few U.S. dollars to thousands. 

Hackers use several tactics such as ransomware and spear-phishing, to execute credential harvesting attacks and sell them on Russian hacking forums. The credentials allow hackers to launch brute-force attacks to infiltrate into victim accounts spanning different accounts, internet sites, and services. 

"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI warned. 

Last year in May, the agency said it identified more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform posted by a group that specialized in the trafficking of stolen login credentials. 

According to Emsisoft threat analyst Brett Callow, 10 of the 13 attacks on colleges this year involved data exfiltration. Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, Florida International University, and Stratford University are just a few of the schools impacted by ransomware this year. 

Security tips 

The FBI advises academic institutions to liaise with their local FBI Field Office and update their incident response and communication plans. Implementing brute-force protection, training sessions for students and faculty to identify phishing attempts, using strong, unique passwords, and multi-factor authentication are regular recommendations that are valid for all organizations. 

"Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks," stated Steven Hope, CEO, and co-founder of password management firm Authlogics.

NCSC Warns Of Threats Posed By Malicious Apps

 

A new report by the UK's National Cyber Security Centre (NCSC) has alerted of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers. 

The government is seeking input on new security and privacy guidelines for applications and app stores. Ian Levy, the NCSC's technical director, stated app stores could do more to improve security. Cybercriminals are currently exploiting vulnerabilities in app stores on all types of linked devices to cause harm,  as per Mr Levy. 

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI.  "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

 The thirst for applications grew during the pandemic, according to the NCSC research, with the UK app market currently valued at £18.6 billion ($23.2 billion). The government's proposal to ask app retailers to commit to a new code of practice outlining baseline security and privacy requirements is supported by the cyber-security centre. 

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

 A new code of practice would require retailers to set up procedures to find and repair security problems more quickly.

FBI: Business Email Compromise is a $43 Billion Scam

 

The FBI recently announced that the amount of money lost to business email compromise (BEC) scams is increasing each year, with a 65 per cent rise in identified global exposure losses between July 2019 and December 2021.

From June 2016 to July 2019, IC3 received victim complaints about 241,206 domestic and international occurrences, totalling $43,312,749,946 in exposed cash loss. 

The FBI stated, "Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore." 

This was revealed in a new public service announcement issued on the Internet Crime Complaint Center (IC3) site as an update to a prior PSA dated September 2019, in which the FBI stated victims reported losses to BEC attacks totalling more than $26 billion between June 2016 and July 2019. 

About BEC scams:

BEC scams were the cybercrime type with the highest recorded overall victim losses last year, according to the IC3 2021 Internet Crime Report [PDF]. Based on 19,954 registered complaints relating to BEC attacks against individuals and businesses in 2021, victims reported losses of about $2.4 billion. BEC scammers use a variety of techniques to infiltrate business email accounts, including social engineering, phishing, and hacking, to transfer payments to attacker-controlled bank accounts. 

Small, medium and big enterprises are frequently targeted in this form of scam (also known as EAC or Email Account Compromise). Nonetheless, if the payout is high enough, they will attack individuals. Given that they often imitate someone who has the target's trust, their success rate is also very high. 

However, "the scam is not always associated with a transfer-of-funds request," as the FBI explained in the PSA alert. "One variation involves compromising legitimate business email accounts and requesting employees' Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets."

The FBI also offered advice on how to protect yourself from BEC scams:
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying log-in credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  • Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

PYSA Ransomware Group: Experts Share In-Depth Details

 

Since August 2020, the cybercrime group adopted a five-stage system design, with the malware developers prioritizing enhancements to boost the efficiency of its activities, according to an 18-month examination of the PYSA ransomware operation. The GSOC explores the PYSA ransomware inside this Threat Analysis Report. Once the Federal Bureau of Investigation (FBI) informed of the ransomware's increased activity and significant harmful impact early this year, it became known as the PYSA ransomware. 

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key given after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to get access to protected data. PRODAFT was able to find a publicly accessible. git folder owned by PYSA operators and designated one of the project's writers as "dodo@mail.pcc," a danger actor based on the commit history thought to be situated in a country that observes daylight savings time.

As per the study, at least 11 accounts are in control of the whole operation, the mass of which was formed on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the management panel of the company. Other operational security failures committed by the group's members allowed a concealed system running on the TOR secrecy network — a server provider (Snel.com B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, administrative servers, and an Amazon S3 cloud for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 by using the Laravel framework and uses the Git version monitoring system to oversee the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Several or more potential threat groups spent nearly five months within the system of an undisclosed regional US government agency before delivering the LockBit ransomware malware at the start of the year, as per research from cybersecurity firm Sophos.

FBI: North Korean Hackers Stole $600M+ Worth Cryptocurrency

 

The FBI accused North Korean government associated hackers of stealing more than $600 million in bitcoin from a video game company last month, the latest in a sequence of sophisticated cyber thefts linked to Pyongyang. 

The FBI said in a statement, "Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th." "DPRK" is an abbreviation for North Korea's official name, the Democratic People's Republic of Korea, and Ethereum is a technology platform linked with a type of cryptocurrency. 

The FBI was referring to the recent hack of Axie Infinity's computer network, which allows gamers to win cryptocurrency. Undiscovered hackers stole the equivalent of about $600 million — estimated at the time of the hack's detection — on March 23 from a "bridge," or network that allows users to transmit cryptocurrency from one blockchain to another, according to Sky Mavis, the business that developed Axie Infinity. 

The US Treasury Department sanctioned Lazarus Group, a large group of hackers suspected of working for the North Korean government, on Thursday. The precise "wallet," or bitcoin address, that was utilised to cash out on the Axie Infinity hack was sanctioned by the Treasury Department.

According to a United Nations panel and outside cybersecurity experts, cyberattacks have been a major source of revenue for the North Korean state for years as its leader, Kim Jong Un, pursued nuclear weapons. North Korea is reported to have fired its first intercontinental ballistic missile in more than four years last month. According to Chainalysis, a company that records digital currency transactions, the Lazarus Group has stolen an estimated $1.75 billion in cryptocurrencies in recent years. 

Ari Redbord, head of legal affairs at TRM Labs, a firm that investigates financial crime said,"A hack of a cryptocurrency business, unlike a retailer, for example, is essentially bank robbery at the speed of the internet and funds North Korea's destabilizing activity and weapons proliferation. As long as they are successful and profitable, they will not stop." 

While much of the focus of cybersecurity analysts has been on Russian hacking in the wake of the Ukraine conflict, suspected North Korean hackers have been far from silent. Last month, Google researchers revealed two separate suspected North Korean cyber attempts aimed at US media and IT businesses, as well as the bitcoin and financial technology industries. Users who are targeted by state-sponsored hackers are notified by Google. 

If a Google user has "any link to being active in Bitcoin or cryptocurrencies" and receives a warning from Google about state-backed hacking, it nearly invariably turns out to be North Korean activity, according to Shane Huntley, who leads Google's Threat Analysis Group.

Further, Huntley told CNN, "It seems to be an ongoing strategy for them to supplement and make money through this activity." 

FBI Investigating More than 100 Ransomware Variants

 

Ransomware attacks spread more quickly than most organizations can respond. The United States Federal Bureau of Investigation (FBI) is on a mission to investigate more than 100 different variants of ransomware, many of which have been used extensively in various cyberattack campaigns. 

Bryan Vorndran, assistant director of the FBI’s Cyber Division has explained his team’s efforts against the malware threats to the United States House Committee on the Judiciary in Washington. 

Following the incident, Bryan Vorndran said that “There is not a day that goes by without multiple FBI field offices responding to ransomware attacks. The ransomware threat is not new, and it has been one of the FBI’s top cybercriminal investigative priorities for some time, but we have seen ransomware attack reporting increase significantly in the past two years, and the impact of these attacks has grown to dangerous proportions, threatening our economic and national security.” 

According to new data published by the FBI this week, cyberattackers wreaked havoc across the U.S., resulting in a record-high number of cyber threat complaints. Describing the rise in ransomware attacks, Vorndran said that from 2019 to 2021, the number of ransomware complaints reported to the FBI’s Internet Crime Complaint Center (IC3) increased by 82%, with a 449% rise in ransom payments and more than 847,000 total complaints that corresponded with crimes had cost victims an estimated sum exceeding $6.9 billion. 

“Ransomware-as-a-service’ (when a developer sells or leases ransomware tools to criminal customers) has decreased the barrier to entry and technological savviness needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns,” noted Vorndran. 

Further, FBI Deputy Director Paul Abbate has said that the bureau’s cyber division is investigating and working harder than before against the surging cyber threats to protect people. 

He further said, “We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attachés and cyber assistants legal attachés.”

Cyberattack in New York City, Sensitive Data of 820,000 Students was Exposed

After a digital education network used by dozens of city schools revealed hackers acquired access to confidential information of 820,000 present and former classmates during a January breach, the mayor of New York City and several education officials expressed strong outrage. 

The incident occurred in January, according to the city's Department of Education, when an internet grading system and attendance system utilized by many public schools was hijacked. 

Hackers might have gotten names, nationalities, birthdays, first languages, and student ID numbers from those platforms, as well as sensitive data including whether children used special education or free lunch programs.

The hack affected both present and former public school pupils dating back to the 2016-17 scholastic year. 

Officials from the California-based firm behind the system, Illuminate Education, have lambasted it for allegedly falsifying its cybersecurity measures. The corporation hasn't said what, if anything, was done with the information. The Department of Education has requested the NYPD, FBI, and state attorney general examine the incident. 

The regional director of K12 Security Information Exchange, Doug Levin, told the New York Daily News, "It can't remember of another school system which has had a student data leak of magnitude originating from one occurrence." 

The DOE said it will work with Illuminate in the coming weeks to send individualized letters to the families of each of the roughly 820,000 kids affected by the hack, detailing what data was exposed. According to school officials, Illuminate will likely fund a credit-monitoring program for affected kids, and will now be vulnerable to identity theft.

Chancellor of the New York City Schools, David Banks, has asked for a probe of Illuminate Education's cybersecurity safeguards, pushing the state's education agency to inquire into it.

FBI Witnesses Rising Russian Hacker Interest in US Energy Firms

 

Since the outbreak of Russia's war against Ukraine, the FBI has detected an uptick in Russian hackers' interest in energy firms, though it gives no evidence that a specific attack is planned. 

According to an FBI advisory received by The Associated Press on Tuesday, Russian hackers have assessed at least five energy businesses and at least 18 other companies in sectors such as military and financial services for vulnerabilities. None of the companies is identified in the advisory. 

Scanning a network for vulnerabilities or flaws is widespread, and it does not always mean that an assault is on the way, though it can be a sign of one. Nonetheless, the FBI's Friday warning highlights the Biden administration's increased cybersecurity concerns as a result of Russia's war in Ukraine. The White House said on Monday that there was "evolving intelligence" suggesting Russia was planning cyberattacks against critical infrastructure in the United States. 

At a White House press briefing, Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, expressed disappointment that some critical infrastructure firms have failed to repair known software vulnerabilities that Russian hackers may exploit. The FBI advisory lists 140 internet protocol, or IP addresses it claims have been linked to critical infrastructure scans in the United States since at least March 2021. 

According to the alert, scanning has grown since the beginning of the war last month, leading to a greater likelihood of future incursions. The FBI acknowledges that scanning activity is frequent, but the IP addresses have been linked to the active exploitation of a foreign victim, which resulted in the victim's systems being destroyed, according to the advisory.

Ukrainian Researcher Released  Software for Conti Ransomware

 

Conti, the notorious ransomware gang, is now the subject of cyberattacks following its proclamation early last week, it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine, with the most recent blow being the public release of its source code. 

This comes only days after an archive comprising well over a year's worth of instant conversations between members of Conti, believed to be based in Russia, was leaked: speaking 400 files and tens of thousands of lines of Russian-language internal chat logs. Messages from January 2021 to February 27 of such a year can be found in the internal communication files.

Its analysis cited a cybersecurity bulletin issued jointly by the Cybercrime and Infrastructure Agency (CISA) and the FBI over the weekend, which warned Russia's attack on Ukraine – which also included cyberattacks on the Ukrainian government and key infrastructure organizations – could spill over Ukraine's borders, especially in the wake of US and allied sanctions. 

Throughout the night, ContiLeaks began publishing more information, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. A password-protected folder including the source code for the Conti ransomware encryptor, decryptor, and function Object() { [native code] } was one component of the release to get people interested.While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the Conti ransomware malware files' source code. 

The code may not provide more information if you are a reverse engineer. For those who can program in C but not reverse engineer, the source code contains a wealth of information about how the malware operates. While this is beneficial for security research, having this code available to the public has its pitfalls. Threat actors immediately coopt the code to establish their own operations, as we observed when the HiddenTear (for "educational purposes") and Babuk malware source code was leaked. 

In May, the FBI issued a five-page [PDF] warning to American firms about Conti ransomware assaults on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million. 

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence", Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand, stated.

Russian Man and his Wife Arrested in U.S. for Stealing Record $4.5 billion in Bitcoins

Russian citizen Ilya Lichtenstein and his wife Heather Morgan were arrested in the United States on Tuesday. The U.S. Justice Department in a statement called them the largest Internet fraudsters in history. 

The spouses are suspected of hacking the Hong Kong cryptocurrency exchange Bitfinex in 2016 and withdrawing 120,000 bitcoins from its accounts, which is $4.5 billion at current prices. Intelligence agencies managed to confiscate $3.6 billion worth of bitcoins stored in the Russian's e-wallets. 

On Tuesday night, after the arraignment in the Court of the Southern District of New York, Magistrate Judge Debra Freeman decided to release the suspects on bail of $8 million for two. However, the spouses were unable to leave federal prison as the judge's decision was put on hold by Washington. 

According to the prosecution, the couple should remain in custody because "they are sophisticated cybercriminals and money launderers, and there is a serious risk of their escape." Prosecutors admit that the couple may have passports in other names. 

In particular, agents found a file named Passport_ideas on Liechtenstein's computer. And a plastic container with disposable phones was found under the bed in the apartment of the defendants. Under American law, Ilya Lichtenstein and Heather Morgan face up to 25 years in prison. 

A few years ago, 34-year-old Ilya Lichtenstein unsuccessfully tried to create a technology startup and become an investor. He came to the United States from Russia at the age of six, when his family was granted asylum for religious reasons. 

His wife, Heather Morgan, called herself an economist, a journalist, and a "Crocodile of Wall Street", was a freelance writer for Forbes magazine and even performed as a rapper under the name Razzltkhan. According to the New York Times, giant billboards with her image decorated Times Square. 

According to the investigation conducted by the FBI and the US Internal Revenue Service, Lichtenstein and Morgan hacked the Bitfinex protection system and made about 2 thousand illegal transactions, transferring funds from the accounts of the exchange's clients to their electronic wallet. 

In subsequent years, the suspects managed to launder about 25 thousand bitcoins through third-party exchanges and online services on the darknet. A new hearing on Lichtenstein and his wife's bail application will be held in Washington on February 11.

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.

The Medical Review Institute of America Alerts Patients of a Privacy Breach

 

On November 9, 2021, MRIoA discovered that it had been the victim of a sophisticated cyber-attack that affected over 134,000 people, according to a data breach notification filed by the Maine Attorney General's Office. Following the realization of the security incident, the institution set forth to protect and restore the organization's systems and operations. MRIoA also promptly enlisted the assistance of third-party forensic and incident response experts to conduct a thorough investigation into the nature and scope of the problem, as well as sought assistance with remediation efforts. The incident was further reported to the FBI as well. 

According to MRIoA, which discovered the incident on November 12, 2021, the security incident primarily involved the unauthorized gathering of information; MRIoA retrieved and validated the deletion of the received information to the best of its abilities and knowledge on November 16, 2021. 

The HITRUST Common Security Framework (CSF) and associated standards/regulations, such as HIPAA, HITECH, and state data and privacy legislation, are incorporated into MRIoA's privacy and security program, according to the company's conditions. MRIoA enforces tight access controls, including privileged access, file integrity monitoring, input validation, and complete audit logging, and protects data confidentiality by encrypting data at rest with AES-256 and data in transit using TLS1.2. 

"We place a high importance on the security and privacy of the information stored on our systems, and we were astonished and disheartened to learn that we were one of the thousands of victims of this type of cyberattack," MRIoA's CEO, Ron Sullivan said. 

Meanwhile, as iterated below, additional cybersecurity precautions were installed and are being deployed to MRIoA's existing infrastructure to better limit the possibility of this type of event occurring again. 

  • Continuous threat hunting and detection software monitoring of their systems.
  • When attempting to access the systems, add extra multifactor authentication protections.
  • To ensure that all threat remains were eradicated, new servers were constructed from the ground up. Working with outside cybersecurity specialists to help them with their security initiatives.
  • Creating a new and hardened backup environment; enhancing their cybersecurity training for employees.

As MRIoA reviews, rewrites, and amends their existing cybersecurity rules in the wake of the attack, they suggest individuals report any fraudulent conduct to the appropriate law enforcement agencies, such as their state attorney general and the Federal Trade Commission (FTC).
 
Affected individuals are being offered free credit monitoring and identity protection services by the MRIoA. Further, individuals who want to sign up for the free credit monitoring service must do so within 90 days of getting their MRIoA notice letter. 

A Data Breach To An AWS Portal Glitch By Ravkoo, A US-based Online Pharmacy

 

Ravkoo, an online prescription filling service, suffered a data breach, exposing health and other sensitive information. The company's prescription interface is hosted by Amazon Web Services (AWS). 

A security incident occurred in a specific instance that saved prescription information, allowing the information to be easily accessed. The unauthorized access occurred in September 2021, and the Ravkoo security team discovered it in October of that year. 

On January 3rd, 2022, around 150,000 potentially affected customers received breach notification letters. Ravkoo has discovered no cause to assume the exposed data was spreading or being utilized for nefarious activities at the time of writing their public statement, but that could change. The FBI and other authorities have been notified, and they are working with Ravkoo to investigate the situation further to determine who may be responsible. 

"Ravkoo has no indication that any of your personal information has been or will be exploited as a result of this occurrence at this time. Nonetheless, out of an abundance of caution, Ravkoo chose to alert you about this incident," according to Alpesh Patel, the online pharmacy's CEO, because it hasn't received any reports of identity theft relating to the data breach since September 27, the date of the incident. Ravkoo also claims to have reported the event to the appropriate authorities and to be working with forensic experts to examine the issue and improve its security posture. The hacker also provided records of 340,000 prescriptions written by Ravkoo between November 3, 2020, and September 11, 2021, totaling $8.5 million in medicine prices, according to Micah Lee of The Intercept. 

Ravkoo's identity monitoring services are available to users who may have been affected by the breach. The scope of the exposed data has not been released, however, the concerned parties should report any unlawful activity they see. Health information can be sold and exploited to commit medical identity theft, as we discussed earlier this week. For those who have their information utilized unlawfully, this might result in a variety of problems. Following an occurrence like this, it's critical to remain vigilant.

$50 Million Lost to Fraudsters Impersonating as Broker-Dealers

 

A California man admitted his involvement in a large-scale and long-running Internet-based fraud scam that allowed him and other fraudsters to drain about $50 million from hundreds of investors.

Between 2012 and October 2020 Allen Giltman, 56, and his co-conspirators constructed phoney websites to collect money from people via the internet by advertising various investment opportunities (mainly the purchase of certificates of deposit). 

According to court documents, "The Fraudulent Websites advertised higher than average rates of return on the CDs, which enhanced the attractiveness of the investment opportunities to potential victims. At times, the fraudulent websites were designed to closely resemble websites being operated by actual, well-known, and publicly reputable financial institutions; at other times, the fraudulent websites were designed to resemble legitimate-seeming financial institutions that did not exist." 

They advertised the phoney investment sites in Google and Microsoft Bing search results for phrases like "best CD rates" and "highest cd rates." The scammers pretended to be FINRA broker-dealers in interactions with victims seeking investment possibilities, claiming to be employed by the financial companies they imitated on the scam sites. 

They employed virtual private networks (VPNs), prepaid gift cards to register web domains, prepaid phones, and encrypted applications to interact with their targets, and false invoices to explain the huge wire transfers they obtained from their victims to mask their genuine identities during their fraud schemes. 

"To date, law enforcement has identified at least 150 fraudulent websites created as part of the scheme," the Justice Department stated. 

"At least 70 victims of the fraud scheme nationwide, including in New Jersey, collectively transmitted approximately $50 million that they believed to be investments." 

The charge of wire fraud conspiracy, which Giltman consented, carries a possible sentence of 20 years in jail, while the charge of securities fraud carries a maximum sentence of five years in prison. Both are punishable by fines of $250,000 or double the gross gain or loss from the offence, whichever is greater. Giltman is scheduled to be sentenced on May 10, 2022. 

Stay Vigilant

The FBI's Criminal Investigative Division and the Securities and Exchange Commission cautioned investors in July 2021 that scammers posing as registered financial professionals such as brokers and investment advisers were posing as them. 

The July alert came after FINRA issued a similar fraud alert the same week regarding broker imposter frauds involving phishing sites that impersonate brokers and faked SEC or FINRA registration documents. 

"Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations," the FBI and SEC stated. 

Investors should first use the Investor.gov search engine to see if people marketing investment possibilities are licensed or registered, and then ensure they're not scammers by contacting the seller using independently confirmed contact information from the firm's Client Relationship Summary (Form CRS).

You Might Be A Victim Of Google Voice Scam, Here's How To Protect Your Account

 

According to the FBI, Americans sharing their contact numbers online are attacked by Google Voice authentication scams. FBI explains that scammers are targeting users who have posted their phone numbers as a form of contact while trying to sell their products or services on online market platforms and social media. 

"Recently, we have also been getting reports of people who are getting targeted in other locations, including sites where you post about lost pets," reports FBI. 

Once successful, scammers set up a Google voice account in their victims' name or hack the target's Gmail accounts. Scammers use these hijacked emails later for other malicious campaigns or phishing attacks. 

The scammers contact their targets using text messages or emails that show their interest in items up for selling, the scammer then asks the seller to verify themselves by providing an authentication code from Google. FBI says "what he is really doing is setting up a Google Voice account in your name using your real phone number as verification."

After the Google Voice account is set up, scammers can easily launch other attacks, these attacks can't be retracted back to their origin. An attacker can also use these codes to penetrate and take control of a victim's Gmail account. 

How to protect yourself? 

If you have suffered a Google Voice authentication scam, the FBI suggests visiting Google's support website for assistance on how to get back your Google Voice account and retake your Voice number. 
  • You can also follow these tips suggested by the FBI:  ‌
  • Never share your Google verification code with anyone.  ‌
  • Only deal with buyers or customers in person. Use verified payment platforms for money transfer. ‌Avoid sharing your email Ids to buyers/sellers doing business on phone. 
  • Don't rush yourself into a sale. Your buyer may pressure you to respond, keep patience, don't get manipulated. 
If you suspect you have fallen victim to these online scams, you can report the incident to the FBI's Internet Crime Complaint Center, or call their local FBI office. 

"If your linked number gets claimed, that means you or someone else is using that number with another Voice account. If you still own the linked number, you can add it back to the Voice account where you want to use it," says the Google support website.

Over 100,000 Spam Emails were Sent when Hackers Broke Into FBI Servers

 

An email spam watchdog group discovered that an apparently malevolent hacker sent spam emails to at least 100,000 people from an FBI email server on Friday night. The individual's motivations remain unknown. The email message was a strange, incomprehensible warning that included cybersecurity journalist Vinny Troia and a cybercriminal gang known as The Dark Overlord. In January, Troia's company, Night Lion Security, released research on The Dark Overlord. 

 The hacker signed off as the Cyber Threat Detection and Analysis Group of the US Department of Homeland Security, which hasn't existed in at least two years. The FBI often alerts American corporations to cyber threats aimed at certain industries or when it learns of criminal hackers employing a successful new tactic. This is thought to be the first instance of a threat actor gaining access to one of those systems in order to distribute spam to a large number of individuals. 

 Hackers broke into the Federal Bureau of Investigation's email servers and sent spam messages, according to the FBI. Hackers were unable to access any personal identifiable information or other information on the bureau's network, according to the bureau. The FBI claimed in a statement on Saturday that the bogus emails seemed to come from a valid FBI email account ending in @ic.fbi.gov. The hardware affected by the incident was "immediately taken offline upon discovery of the issue," according to the FBI. 

 The incident follows a series of high-profile hacking attacks on US government networks in recent months, including a Russian-based attack that compromised at least nine federal agencies and a Chinese-based hacking campaign so severe that the Cybersecurity and Infrastructure Security Agency had to issue a rare mandate requiring all government agencies to update their software immediately.

 An FBI official said in an amended statement on Sunday that the hacker discovered and exploited a flaw in how an agency messaging system is configured, but that they were unable to access FBI information. 

"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners," the emailed statement said.

Surge in Sextortion Attacks Cost Targeted Users $8 This Year

 

The FBI IC3 (Internet Crime Complaint Center) raised an alert about a great surge in sextortion complaints since January 2021, which has led to a total financial loss of around $8 Million till July. FBI got over 16000 complaints of sextortion until July, most of them coming from the age group of 20-39. "Victims over 60 years comprised the third largest reporting age group, while victims under the age of 20 reported the fewest number of complaints," says FBI. Sextortion happens when potential victims are blackmailed by criminals in person or through dating sites, emails, and online chats that may expose sensitive or private photos/videos if the victims fail to pay the ransom. 

Started with an email scam, the Sextortion incident came to light in July 2018, when criminals started mailing victims threatening that they had proof of them surfing adult sites (which include victim passwords exposed through data leaks) to get credibility. Email sextortion campaign scammers also distributed various malware strains that range from ransomware to data-stealing trojans. As per the majority of the victims, the initial contact with the criminal is mutual as it is made via dating apps and websites. After the interaction, the criminal then requests the target to connect on some other platform for conversation. 

According to the FBI, "the fraudster instigates the exchange of sexually explicit material and then encourages the victim to participate via video chat or send their own explicit photos. Immediately after the victim complies, the fraudster blackmails the victim and demands money to prevent the release of the photos or videos on social media." The victims have it even worse, as the criminal may also get access to the target's social media account or contact no. They threaten the victims to leak sensitive images which the criminals possess and show them to the victim's friends and family. 

If any user ends up as a victim in such situations, they are advised to immediately stop all contact with the criminal, they should immediately report the incident to authorities and register a complaint at FBI IC3 as soon as the sextortion incident happens. To be safe from such incidents FBI suggests: 

•NEVER send compromising images of yourself to anyone, no matter who they areâ or who they say they are. 

•Do not open attachments from people you do not know. Links can secretly hack your electronic devices using malware to gain access to your private data, photos, and contacts, or control your web camera and microphone without your knowledge. 

•Turn off your electronic devices and web cameras when not in use.