Dark Web Actors Reveals New Banking Trojan Sniffthem
Dark Web Actors Reveals Banking Trojan Sniffthem
[caption id="attachment_78990" align="alignnone" width="1906"]![Banking Trojan Sniffthem](../themes/icons/grey.gif)
Last week I was reviewing a publication by the United Nation Office on Drugs and Crime published in January 2024, titled "Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat."
(URL to the UNODC report: UNODC: Casinos, Money Laundering, Underground Banking ... full report)
(URL to the USIP report: https://www.usip.org/node/160386 )
The reason I was looking into the report is that this 106 page report is about how Chinese organized crime has planted themselves in Casino complexes across Cambodia, Indonesia, Lao PDR, the Philippine, Thailand, and Viet Nam. The same modus operandi that we associate with the crypto investment scams that use the horrible name "pig butchering" to describe the financial grooming that leads to the complete financial devastation of so many Americans. In fact, I discovered the UN report, only by seeing it quoted in he report by the United States Institute of Peace, "Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security" where it was mentioned in a footnote.
The UNODC report shares statistics from a Ministry of Public Security of China note, without providing a URL, that "between January to November 2023, authorities in the country successfully resolved 391,000 cases related to telecommunications and network fraud, totaling the arrest of 79,000 suspects, including 263 'backbone members or paymasters' of cyberfraud groups" (in the countries mentioned above.) This included:
Since I am working on a project that we call "Twenty Targets for Takedown" that is attempting to shut own illicit websites by terminating their domain registrations and hosting arrangements, the number "8.36 million fraud-related domains" made me shudder.
I am fortunate to count among my network some of the leading experts in domain-name related fraud and abuse, the number seemed overwhelmingly high, and I asked my colleagues from CAUCE, the Coalition Against Unsolicited Commercial Email, for assistance in looking into it. One quick opinion was that this could include a definition of domain name that would be more akin to a hostname, similar to what we have on Blogspot. "garwarner.blogspot.com" is a hostname on the domain "blogspot.com" ... but some would call it a "fully qualified domain name" and consider it a separate FQDN than other xyz.blogspot.com or abc.blogspot.com "domains."
John Levine helped me solve the "did they really mean millions, or is this possibly a bad translation" by helping me find the Ministry of Public Security site where the article was coming from and share several updated versions of these statistics.
The latest article we can find, dated 31MAY2024, quotes Li Guozhong ( 李国中 ) the Spokesman for China's Ministry of Pubic Security describing their successes over the past five years. In 2021, they established a National Anti-Fraud Center which sent out 660 million notices and were able to help stop fraud against 18.44 million people. This most recent article, which is focused on fraud and doesn't mention gambling at all, says that they have "handled 18 million domain names and websites." That's a machine translation of ( 处置涉案域名网址1800万个 ). I can confirm the 18 million ... written as 1800 ten thousands - 1800万个. Handled is perhaps better rendered "disposed of" 处置 (Chǔzhì). Still unsure how to interpret 域名 ( Yùmíng - Domain name) 网址 (Wǎngzhǐ - website), but I think for now, I'm going to assume it means "URLs" or "FQDNs" as opposed to only registered domains
Just since July 2023, 49,000 cyber fraud suspects have been transferred to China from northern Myanmar. 82,000 criminal suspect have been arrested, including 426 key "financial backers" behind the fraud groups.
China's Ministry of Public Security is actively conducting military style raids to help recover these fraud suspects from northern Myanmar, where China shares a long border with the country, which remains deeply embroiled in a state of civil war. MPS is also working collectively with other Southeast Asian countries and says it has "destroyed 37 overseas fraud dens."
Gee, doesn't that sound like REACT's Erin West and Operation Shamrock -- but with the full cooperation of the Government and Society?
The post Millions and Millions of Fraud Domains: China attacks Illegal Gambling and Telecom Fraud appeared first on Security Boulevard.
Enlarge / Ten milligram tablets of the hyperactivity drug, Adderall, made by Shire Plc, is shown in a Cambridge, Massachusetts pharmacy Thursday, January 19, 2006. (credit: Getty | Jb Reed)
The Centers for Disease Control and Prevention on Thursday warned that a federal indictment of an allegedly fraudulent telehealth company may lead to a massive, nationwide disruption in access to ADHD medications—namely Adderall, but also other stimulants—and could possibly increase the risk of injuries and overdoses.
"A disruption involving this large telehealth company could impact as many as 30,000 to 50,000 patients ages 18 years and older across all 50 US states," the CDC wrote in its health alert.
The CDC warning came on the heels of an announcement from the Justice Department Thursday that federal agents had arrested two people in connection with an alleged scheme to illegally distribute Adderall and other stimulants through a subscription-based online telehealth company called Done Global. The company's CEO and founder, Ruthia He, was arrested in Los Angeles, and its clinical president, David Brody, was arrested in San Rafael, California.
The U.S. Department of Justice (DoJ) recently announced the successful takedown of what is likely the largest botnet ever recorded. This network, known as 911 S5, involved 19 million device botnet disruption across 190 countries and was used by various threat actors for numerous cybercrimes. Let’s have a look at the FBI botnet takedown and […]
The post FBI Botnet Takedown: 911 S5 With 19 Million Infected Devices appeared first on TuxCare.
The post FBI Botnet Takedown: 911 S5 With 19 Million Infected Devices appeared first on Security Boulevard.
Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Fraud Risk Management , Geo Focus: The United Kingdom Payments Regulator Says Banks Should Prioritize Customer Protection Over Losses Suparna Goswami (gsuparna) • June 11, 2024 Image: Shutterstock The U.K. Payments Systems Regulator has denied The Payment Association’s request to delay the contentious […]
La entrada UK Sides With APP Fraud Victims – Despite Industry Pressure – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Views: 2Source: www.infosecurity-magazine.com – Author: 1 A malicious email campaign has been discovered leveraging piano-themed messages to perpetrate advance fee fraud (AFF) scams. These campaigns, active since at least January 2024, primarily target students and faculty at North American colleges and universities. However, industries such as healthcare and food and beverage services have also been […]
La entrada Advance Fee Fraud Targets Colleges With Free Piano Offers – Source: www.infosecurity-magazine.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securelist.com – Author: CFR team Marketplace fraud is nothing new. Cybercriminals swindle money out of buyers and sellers alike. Lately, we’ve seen a proliferation of cybergangs operating under the Fraud-as-a-Service model and specializing in tricking users of online marketplaces, in particular, message boards. Criminals are forever inventing new schemes for stealing personal data and […]
La entrada Message board scams – Source: securelist.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.
A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.
As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.
Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”
All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.
The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.
Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.
But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.
At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.
The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.
In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”
Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.
Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.
For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.
Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.
The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.
“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.
A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.
KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.
On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”
“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”
A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.
“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”
On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond. Update: The Secret Service declined to comment.
On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.
Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.
The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.
“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.
As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.
Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.
Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.
While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.
Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).
According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.
But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.
A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.
A Google-translated version of Shtazi dot ru. Image: Archive.org.
Skater brand Vans emailed customers last week to tell them about a recent “data incident.”
On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to “external threat actors.” An investigation revealed that the incident involved some personal information of Vans’ customers. The affected information could include:
In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached.
The data incident turned out to be a ransomware attack. In a filing with the Securities and Exchanges Commission (SEC), parent company V.F. Corporation stated the hackers disrupted business operations and stole the personal information of approximately 35.5 million individual consumers.
The attack was claimed by the ALPHV/BlackCat ransomware group. This happened during the period that ALPHV was in a spot of trouble themselves by events eventually leading to faking their own death. It is unclear whether VF Corporation was able to use the decryptor made available after law enforcement seized control of ALPHV’s infrastructure, even though ALPHV reportedly claimed that the company tried to obtain a decryptor from law enforcement.
Vans says there’s no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set, but it does warn about phishing and fraud attempts which could lead to identity theft.
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
Check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll send you a report.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
A Canadian man who says he’s been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve “triangulation fraud,” which occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.
Triangulation fraud. Image: eBay Enterprise.
Timothy Barker, 56, was until recently a Band Manager at Duncan’s First Nation, a First Nation in northwestern Alberta, Canada. A Band Manager is responsible for overseeing the delivery of all Band programs, including community health services, education, housing, social assistance, and administration.
Barker told KrebsOnSecurity that during the week of March 31, 2023 he and the director of the Band’s daycare program discussed the need to purchase items for the community before the program’s budget expired for the year.
“There was a rush to purchase items on the Fiscal Year 2023 timeline as the year ended on March 31,” Barker recalled.
Barker said he bought seven “Step2 All Around Playtime Patio with Canopy” sets from a seller on Amazon.ca, using his payment card on file to pay nearly $2,000 for the items.
On the morning of April 7, Barker’s Facebook account received several nasty messages from an Ontario woman he’d never met. She demanded to know why he’d hacked her Walmart account and used it to buy things that were being shipped to his residence. Barker shared a follow-up message from the woman, who later apologized for losing her temper.
One of several messages from the Ontario woman whose Walmart account was used to purchase the goods that Barker ordered from Amazon.
“If this is not the person who did this to me, I’m sorry, I’m pissed,” the lady from Ontario said. “This order is being delivered April 14th to the address above. If not you, then someone who has the same name. Now I feel foolish.”
On April 12, 2023, before the Amazon purchases had even arrived at his home, Barker received a call from an investigator with the Royal Canadian Mounted Police (RCMP), who said Barker urgently needed to come down to the local RCMP office for an interview related to “an investigation.” Barker said the officer wouldn’t elaborate at the time on the nature of the investigation, and that he told the officer he was in Halifax for several days but could meet after his return home.
According to Barker, the investigator visited his home anyway the following day and began questioning his wife, asking about his whereabouts, his work, and when he might return home.
On April 14, six boxes arrived to partially fulfill his Amazon order; another box was delayed, and the Amazon.ca seller he’d purchased from said the remaining box was expected to ship the following week. Barker said he was confused because all six boxes came from Walmart instead of Amazon, and the shipping labels had his name and address on them but carried a contact phone number in Mexico.
Three days later, the investigator called again, demanding he submit to an interview.
“He then asked where my wife was and what her name is,” Barker said. “He wanted to know her itinerary for the day. I am now alarmed and frightened — this doesn’t feel right.”
Barker said he inquired with a local attorney about a consultation, but that the RCMP investigator showed up at his house before he could speak to the lawyer. The investigator began taking pictures of the boxes from his Amazon order.
“The [investigator] derisively asked why would anyone order so many play sets?” Barker said. “I started to give the very logical answer that we are helping families improve their children’s home life and learning for toddlers when he cut me off and gave the little speech about giving a statement after my arrest. He finally told me that he believes that I used someone’s credit card in Ontario to purchase the Walmart products.”
Eager to clear his name, Barker said he shared with the police copies of his credit card bills and purchase history at Amazon. But on April 21, the investigator called again to say he was coming to arrest Barker for theft.
“He said that if I was home at five o’clock then he would serve the papers at the house and it would go easy and I wouldn’t have to go to the station,” Barker recalled. “If I wasn’t home, then he would send a search team to locate me and drag me to the station. He said he would kick the door down if I didn’t answer my phone. He said he had every right to break our door down.”
Barker said he briefly conferred with an attorney about how to handle the arrest. Later that evening, the RCMP arrived with five squad cars and six officers.
“I asked if handcuffs were necessary – there is no danger of violence,” Barker said. “I was going to cooperate. His response was to turn me around and cuff me. He walked me outside and stood me beside the car for a full 4 or 5 minutes in full view of all the neighbors.”
Barker believes he and the Ontario woman are both victims of triangulation fraud, and that someone likely hacked the Ontario woman’s Walmart account and added his name and address as a recipient.
But he says he has since lost his job as a result of the arrest, and now he can’t find new employment because he has a criminal record. Barker’s former employer — Duncan’s First Nation — did not respond to requests for comment.
“In Canada, a criminal record is not a record of conviction, it’s a record of charges and that’s why I can’t work now,” Barker said. “Potential employers never find out what the nature of it is, they just find out that I have a criminal arrest record.”
Barker said that right after his arrest, the RCMP called the Ontario woman and told her they’d solved the crime and arrested the perpetrator.
“They even told her my employer had put me on administrative leave,” he said. “Surely, they’re not allowed to do that.”
Contacted by KrebsOnSecurity, the woman whose Walmart account was used to fraudulently purchase the child play sets said she’s not convinced this was a case of triangulation fraud. She declined to elaborate on why she believed this, other than to say the police told her Barker was a bad guy.
“I don’t think triangulation fraud was used in this case,” she said. “My actual Walmart.ca account was hacked and an order was placed on my account, using my credit card. The only thing Mr. Barker did was to order the item to be delivered to his address in Alberta.”
Barker shared with this author all of the documentation he gave to the RCMP, including screenshots of his Amazon.ca account showing that the items in dispute were sold by a seller named “Adavio,” and that the merchant behind this name was based in Turkey.
That Adavio account belongs to a young computer engineering student and “SEO expert” based in Adana, Turkey who did not respond to requests for comment.
Amazon.ca said it conducted an investigation and found that Mr. Barker never filed a complaint about the seller or transaction in question. The company noted that Adavio currently has a feedback rating of 4.5 stars out of 5.
“Amazon works hard to provide customers with a great experience and it’s our commitment to go above and beyond to make things right for customers,” Amazon.ca said in a written statement. “If a customer has an issue with an order, they may flag to Amazon through our Customer Service page.”
Barker said when he went to file a complaint with Amazon last year he could no longer find the Adavio account on the website, and that the site didn’t have a category for the type of complaint he wanted to file.
When he first approached KrebsOnSecurity about his plight last summer, Barker said he didn’t want any media attention to derail the chances of having his day in court, and confronting the RCMP investigator with evidence proving that he was being wrongfully prosecuted and maligned.
But a week before his court date arrived at the end of November 2023, prosecutors announced the charges against him would be stayed, meaning they had no immediate plans to prosecute the case further but that the investigation could still be reopened at some point in the future.
The RCMP declined to comment for this story, other than to confirm they had issued a stay of proceedings in the case.
Barker says the stay has left him in legal limbo — denying him the ability to clear his name, while giving the RCMP a free pass for a botched investigation. He says he has considered suing the investigating officer for defamation, but has been told by his attorney that the bar for success in such cases against the government is extremely high.
“I’m a 56-year-old law-abiding citizen, and I haven’t broken any laws,” Barker said, wondering aloud who would be stupid enough to use someone else’s credit card and have the stolen items shipped directly to their home.
“Their putting a stay on the proceedings without giving any evidence or explanation allows them to cover up bad police work,” he said. “It’s all so stupid.”
Triangulation fraud is hardly a new thing. KrebsOnSecurity first wrote about it from an e-commerce vendor’s perspective in 2015, but the scam predates that story by many years and is now a well-understood problem. The Canadian authorities should either let Mr. Barker have his day in court, or drop the charges altogether.