Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label IdentityTheft. Show all posts
techhiring
AIdeepfakes Compliance Cyber Crime Cybersecurity IdentityTheft NorthKorea remotejobs techhiring

North Korean Operatives Posing as Remote IT Workers Infiltrate U.S. Tech Firms

 

A rising number of top-tier tech companies in the U.S. have unknowingly employed North Korean cyber agents disguised as remote IT professionals, with the operatives channeling lucrative tech salaries back to Pyongyang to support the regime's weapons program.

Cybersecurity leaders warn that the scope of the deception is broader than previously believed, impacting numerous Fortune 500 firms. The trend is driven by a national shortage of cybersecurity talent and the ongoing popularity of remote work arrangements following the pandemic.

These North Korean agents are constantly refining their tactics—using advanced AI tools and enlisting U.S.-based collaborators to set up operations across the country—raising serious concerns among Chief Information Security Officers (CISOs) and technology executives.

Though it's hard to pinpoint the exact number of companies affected, many industry leaders are now publicly sharing their experiences. Law enforcement agencies continue to investigate and expose the intricate tactics being used.

“I’ve talked to a lot of CISOs at Fortune 500 companies, and nearly every one that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen,”
— Charles Carmakal, CTO, Google Cloud’s Mandiant

Interviews with a dozen leading cybersecurity experts reveal that the threat is serious and growing. Several experts acknowledged that their own companies had been targeted and were struggling to contain the damage. During the same briefing, Iain Mulholland, Google Cloud’s CISO, confirmed that North Korean operatives had been spotted “in our pipeline,” although he didn’t specify whether they had been screened out or hired.

SentinelOne, a cybersecurity firm, has been vocal about its experience. In a recent report, the company revealed it had received nearly 1,000 job applications tied to the North Korean scheme.

“The scale and speed of this operation, as used by the North Korean government to generate funds for weapons development, is unprecedented,”
— Brandon Wales, former executive director at CISA and current VP at SentinelOne

Experts outline a repeated pattern: Operatives build fake LinkedIn profiles, impersonate U.S. citizens using stolen data such as addresses and Social Security numbers, and apply for high-paying roles in bulk. At the interview stage, they deploy AI-powered deepfake technology to mimic the real person in real-time.

“There are individuals located around the country who work in software development whose personas are being used,”
— Alexander Leslie, Threat Intelligence Analyst, Recorded Future

Once hired, these agents navigate onboarding using stolen credentials and request laptops to be shipped to U.S. addresses. These addresses often lead to "laptop farms"—homes filled with dozens of work devices operated by Americans paid to assist the scheme.

CrowdStrike began tracking this infiltration trend in 2022 and identified 30 affected companies within the first week of launching a monitoring program. Since early 2024, advancements in AI have only strengthened these operatives’ capabilities. According to an interagency advisory from the FBI, Treasury, and State Department, each operative can earn as much as $300,000 annually.

“This money is directly going to the weapons program, and sometimes you see that money going to the Kim family,”
— Meyers

In one significant case, American citizen Christina Chapman pleaded guilty in February to collaborating with North Korean agents for three years, helping them steal identities and manage a $17 million laptop farm operation that employed North Koreans at more than 300 U.S. companies.

“It’s hard for us to say how many humans are actually operating these personas, but somewhere in the thousands of unique personas,”
— Greg Schloemer, Senior Threat Analyst, Microsoft

In January, the U.S. Justice Department charged two Americans for enabling another North Korean scheme that brought in over $800,000 from more than 60 companies over six years.

FBI Special Agent Elizabeth Pelker explained at the RSA Conference in San Francisco that once one operative is in, they often refer others, leading to networks of up to 10 imposters within the same organization.

Even after dismissal, many operatives leave behind malware or backdoor access, extorting companies for ransom or stealing sensitive data.

“This is very adaptive,” Pelker said. “Even if [the hackers] know they’re going to get fired at some point, they have an exit strategy for them to still … have some sort of monetary gain.”

Authorities are targeting U.S.-based "laptop farm" operators as a key strategy to dismantle the scam’s infrastructure.

“If the FBI goes and knocks on that door and puts that person in cuffs and takes all the laptops away, they’ve lost 10 to 15 jobs, and they’ve lost a person who they’ve already invested in that relationship with,”
— Schloemer

The scheme is expanding internationally. CrowdStrike reports similar patterns in the U.K., Poland, Romania, and other European nations. Recorded Future has also traced activity in South Asian regions.

Still, legal and compliance fears prevent many companies from speaking up.

“That North Korean IT worker has access to your whole host of web development software, all the assets that you’ve been collecting. And then that worker is being paid by you, funneled back into the North Korean state, and is conducting espionage at the same time,”
— Leslie

“We don’t want there to be a stigma to talking about this,”
— Wales
“It is really important that everyone be open and honest, because that is the way that we’re going to deal with this, given the scale of what we are facing.”
Read more »
SSA
Cybersecurity Datatheft Fraud IdentityTheft malware phishing remotetool Scam screenconnect SSA

Cybercriminals Target Social Security Users with Sophisticated Phishing Scam

 

A new wave of phishing attacks is exploiting public trust in government agencies. Cybercriminals are sending fraudulent emails that appear to come from the Social Security Administration (SSA), aiming to trick recipients into downloading a remote access tool that gives hackers full control over their computers, according to a report by Malwarebytes.

The scam emails, often sent from compromised WordPress websites, claim to offer a downloadable Social Security statement. However, the entire message is typically embedded as an image—a tactic that allows it to bypass most email filters. Clicking on the link initiates the installation of ScreenConnect, a powerful malware tool that enables attackers to infiltrate your device remotely.

The campaign has been attributed to a phishing group known as Molatori, whose goal is to extract personal, banking, and other sensitive information. “Once in, the attackers can steal your data, commit financial fraud, and engage in identity theft,” the report warns.

To avoid falling victim, experts suggest staying alert to red flags. These scam emails often contain poor grammar, missing punctuation, strange formatting, and unusual colour schemes for links. Such errors—evident in screenshots shared by Malwarebytes and the SSA—are clear signs of a scam, even as AI-driven tactics make phishing attempts more convincing than ever.

“If you want to view your Social Security statement, the safest option is to visit ssa.gov,” the SSA advises.

What to Do If  You're Targeted:

  • Cut off all communication with the scammer
  • Report the incident to the SSA Office of the Inspector General (OIG)
  • File a report with your local police
  • If you've lost money, submit a complaint to the FBI’s Internet Crime Complaint Center (IC3)

As phishing threats continue to evolve, cybersecurity awareness remains your best defense.


Read more »
Ransomware
Credentialstealing Cyber Security Cybersecurity IdentityTheft infostealers phishing Ransomware

Cybercriminals Shift Tactics Towards Stealth and Identity Theft: IBM X-Force 2025 Report

 

iThe IBM X-Force 2025 Threat Intelligence Index highlights a growing trend of cybercriminals adopting more covert attack strategies. Drawing from analysis of over 150 billion security events daily across 130+ countries, the report notes an 84% spike in email-delivered infostealers in 2024 compared to the previous year. This surge signals a marked pivot towards credential theft, even as enterprise-targeted ransomware attacks show a notable decline.

“Cybercriminals are most often breaking in without breaking anything – capitalising on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said IBM cybersecurity services global managing partner Mark Hughes. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernising authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”

The report found that critical infrastructure organisations bore the brunt of attacks, accounting for 70% of incidents handled by IBM X-Force last year. More than a quarter of these breaches exploited system vulnerabilities. Data theft (18%) overtook encryption-based attacks (11%) as the preferred method, reflecting improvements in detection tools and increased law enforcement pressure, which have forced threat actors to rethink their strategies.

Asia and North America emerged as the primary targets, together representing almost 60% of all global attacks. Asia faced 34% of the incidents, while North America encountered 24%. For the fourth consecutive year, the manufacturing industry remained the most impacted sector, attributed to its sensitivity to operational disruptions and susceptibility to ransomware.

Emerging AI-related threats also garnered attention. Although no major AI-focused attacks surfaced in 2024, security teams are racing to find and patch vulnerabilities before they are exploited. A critical remote code execution flaw within an AI development framework is expected to gain traction in 2025 as adoption grows. Experts warn that attackers may soon develop dedicated toolkits aimed specifically at AI systems, underlining the urgent need to secure AI infrastructure.Persistent challenges in critical infrastructure security largely stem from outdated technologies and delayed patch management. IBM X-Force revealed that vulnerabilities accounted for over 25% of exploited incidents. Analyzing discussions on dark web forums showed that four of the ten most talked-about CVEs were associated with advanced threat groups, including state-sponsored actors, escalating the risks of disruption and extortion.

Research in collaboration with Red Hat Insights found that over 50% of Red Hat Enterprise Linux users had not patched at least one critical vulnerability, with 18% leaving five or more critical CVEs unaddressed. Moreover, ransomware variants like Akira, Lockbit, Clop, and RansomHub have expanded their capabilities to affect both Windows and Linux systems.

A sharp rise in phishing campaigns distributing infostealers was another key finding, with a 180% jump compared to 2023. The use of credential phishing and infostealers enables hackers to swiftly exfiltrate sensitive information while maintaining a low profile.

While ransomware still accounted for 28% of malware attacks in 2024, its overall prevalence declined compared to previous years. Cybercriminals are increasingly shifting towards identity-based attacks, adapting to countermeasures that have made traditional ransomware operations more difficult.
Read more »
Privacy
creditmonitoring Cybersecurity Databreach Dataleak Healthcare IdentityTheft labtesting medicalrecords PlannedParenthood Privacy

Over 1.6 Million Affected in Planned Parenthood Lab Partner Data Breach

 

A cybersecurity breach has exposed the confidential health data of more than 1.6 million individuals—including minors—who received care at Planned Parenthood centers across over 30 U.S. states. The breach stems from Laboratory Services Cooperative (LSC), a company providing lab testing for reproductive health clinics nationwide.

In a notice filed with the Maine Attorney General’s office, LSC confirmed that its systems were infiltrated on October 27, 2024, and the breach was detected the same day. Hackers reportedly gained unauthorized access to sensitive personal, medical, insurance, and financial records.

"The information compromised varies from patient to patient but may include the following:
  • Personal information: Name, address, email, phone number
  • Medical information: Date(s) of service, diagnoses, treatment, medical record and patient numbers, lab results, provider name, treatment location
  • Insurance information: Plan name and type, insurance company, member/group ID numbers
  • Billing information: Claim numbers, bank account details, billing codes, payment card details, balance details
  • Identifiers: Social Security number, driver's license or ID number, passport number, date of birth, demographic data, student ID number"

In addition to patient data, employee information—including details about dependents and beneficiaries—may also have been compromised.

Patients concerned about whether their data is affected can check if their Planned Parenthood location partners with LSC via the FAQ section on LSC’s website or by calling their support line at 855-549-2662.

While it's impossible to reverse the damage of a breach, experts recommend immediate protective actions:

Monitor your credit reports (available weekly for free from all three major credit bureaus)

Place fraud alerts, freeze credit, and secure your Social Security number

Stay vigilant for unusual account activity and report potential identity theft promptly

LSC is offering 12–24 months of credit monitoring through CyEx Medical Shield Complete to impacted individuals. Those affected must call the customer service line between 9 a.m. and 9 p.m. ET, Monday to Friday, to get an activation code for enrollment.

For minors or individuals without an SSN or credit history, a tailored service named Minor Defense is available with a similar registration process. The enrollment deadline is July 14, 2025.
Read more »
Yoojo
AppSecurity CloudMisconfiguration CloudStorage Cybersecurity Data Breach Europe GDPR IdentityTheft Leak PersonalData phishing Privacy TechSecurity UserPrivacy Yoojo

Yoojo Exposes Millions of Sensitive Files Due to Misconfigured Database

 

Yoojo, a European service marketplace, accidentally left a cloud storage bucket unprotected online, exposing around 14.5 million files, including highly sensitive user data. The data breach was uncovered by Cybernews researchers, who immediately informed the company. Following the alert, Yoojo promptly secured the exposed archive.

The database contained a range of personally identifiable information (PII), including full names, passport details, government-issued IDs, user messages, and phone numbers. This level of detail, according to experts, could be exploited for phishing, identity theft, or even financial fraud.

Yoojo offers an online platform connecting users with service providers for tasks like cleaning, gardening, childcare, IT support, moving, and homecare. With over 500,000 downloads on Google Play, the app has gained significant traction in France, Spain, the Netherlands, and the UK.

Cybernews stated that the exposed database was publicly accessible for at least 10 days, though there's no current evidence of malicious exploitation. Still, researchers cautioned that unauthorized parties might have already accessed the data. Yoojo has yet to issue a formal comment on the incident.

“Leaked personal details enables attackers to create highly targeted phishing, vishing, and smishing campaigns. Fraudulent emails and SMS scams could involve impersonating Yoojo service providers asking for sensitive information like payment details or verification documents,” Cybernews researchers said.

The incident underscores how frequently misconfigured databases lead to data exposures. While many organizations rely on cloud services for storing confidential information, they often overlook the shared responsibility model that cloud infrastructure follows.

On a positive note, most companies act swiftly once made aware of such vulnerabilities—just as Yoojo did—by promptly restricting access to the exposed data.
Read more »
Subscribe to: Posts (Atom)