

Ukrainian Authorities Arrested Phishing Gang That Stole 100 Million UAH
5.7.22  Crime 
Thehackernews
The Cyber Police of Ukraine last week disclosed that it apprehended nine members of a criminal gang that embezzled 100 million hryvnias via hundreds of phishing sites that claimed to offer financial assistance to Ukrainian citizens as part of a campaign aimed at capitalizing on the ongoing conflict.

"Criminals created more than 400 phishing links to obtain bank card data of citizens and appropriate money from their accounts," the agency said in a press statement last week. "The perpetrators may face up to 15 years behind bars."

The law enforcement operation culminated in the seizure of computer equipment, mobile phones, bank cards as well as the criminal proceeds illicitly obtained through the scheme.

Some of the rogue domains registered by the actors included ross0.yolasite[.]com, foundationua[.]com, ua-compensation[.]buzz, www.bless12[.]store, help-compensation[.]xyz, newsukraine10.yolasite[.]com, and euro24dopomoga0.yolasite[.]com, among others.

The malicious landing pages, which were designed to siphon people's banking information, operated under the guise of surveys designed to fill up an application for payment of financial assistance from E.U. countries, underscoring the opportunistic nature of the social engineering attack.

Once in possession of the bank details, the threat actors logged into the accounts without authorization and fraudulently withdrew money totaling more than 100 million hryvnias ($3.37 million) from over 5,000 citizens.

The distribution vector used to propagate the links is not immediately clear, but it could have been achieved through different methods such as SMS phishing (aka smishing), spam emails, direct messages on social media apps, SEO poisoning, or seemingly benign ads.

The agency has also warned citizens to "obtain information about financial payments only from official sources, not to click on dubious links, and in no case to communicate confidential, in particular banking, information to third parties or to indicate such data on suspicious resources."


Former Amazon Employee Found Guilty in 2019 Capital One Data Breach
21.6.22  Crime  
Thehackernews
A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the 2019 Capital One breach.

Paige Thompson, who operated under the online alias "erratic" and worked for the tech giant until 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.

The seven-day trial saw the jury acquit her of other charges, including access device fraud and aggravated identity theft. She is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison.

"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," said U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."

The incident, which came to light in July 2019, involved the defendant breaking into Amazon's cloud computing systems and stealing the personal information of roughly 100 million individuals in the U.S. and six million in Canada. This consisted of names, dates of birth, Social Security numbers, email addresses, and phone numbers.

The intrusion was made possible by a custom tool Thompson developed to scan for misconfigured Amazon Web Services (AWS) instances, allowing her to siphon sensitive data belonging to over 30 entities, including Capital One, and to plant cryptocurrency mining software on the unlawfully accessed servers to illegally mint digital funds.

Furthermore, the hacker left an online trail for investigators to follow as she boasted about her illicit activities to others via text and online forums, the Justice Department noted. The data was also posted on a publicly accessible GitHub page.

"She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department.

Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) in August 2020 for failing to establish appropriate risk management measures before migrating its IT operations to a public cloud-based service. In December 2021, it agreed to pay $190 million to settle a class-action lawsuit over the hack.


Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks
1.6.22  Crime  
Thehackernews
Interpol on Monday announced the arrest of three suspected global scammers in Nigeria for using remote access trojans (RATs) such as Agent Tesla to facilitate malware-enabled cyber fraud.

"The men are thought to have used the RAT to reroute financial transactions, stealing confidential online connection details from corporate organizations, including oil and gas companies in South East Asia, the Middle East and North Africa," the International Criminal Police Organization said in a statement.

One of the scammers in question, named Hendrix Omorume, has been charged and convicted of three counts of financial fraud and has been sentenced to a 12-month prison term. The two other suspects are still on trial.

The three Nigerian individuals, who are aged between 31 and 38, have been apprehended for being in possession of fake documents such as fraudulent invoices and forged official letters.

The agency said that the suspects systematically used Agent Tesla to breach business computers and divert financial transactions to bank accounts under their control.

A .NET-based advanced malware that first appeared in 2014, Agent Tesla primarily gets delivered through phishing emails and has capabilities such as keylogging, screen capture, form-grabbing, credential stealing, and exfiltrating other sensitive information.

The arrests follow a sting operation conducted simultaneously in two different locations in the Nigerian cities of Lagos and Benin City, with private sector intelligence provided by cybersecurity company Trend Micro.

The operation is also part of a global law enforcement operation codenamed "Killer Bee" involving Interpol and authorities from 11 different countries across Southeast Asia, including Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam.

The development also comes close on the heels of the arrest of the alleged leader of the SilverTerrier BEC cybercrime gang in a separate operation dubbed Delilah. It was preceded by two related operations called Falcon I and Falcon II in 2020 and 2021.


New York Man Sentenced to 4 Years in Transnational Cybercrime Scheme
28.5.22  Crime  
Thehackernews

A 37-year-old man from New York has been sentenced to four years in prison for buying stolen credit card information and working in cahoots with a cybercrime cartel known as the Infraud Organization.

John Telusma, who went by the alias "Peterelliot," pleaded guilty to one count of racketeering conspiracy on October 13, 2021. He joined the gang in August 2011 and remained a member for five-and-a-half years.

"Telusma was among the most prolific and active members of the Infraud Organization, purchasing and fraudulently using compromised credit card numbers for his own personal gain," the U.S. Justice Department (DoJ) said.

Infraud, a transnational cybercrime behemoth, operated for more than seven years, advertising its activities under the slogan "In Fraud We Trust," before its online infrastructure was dismantled by U.S. law enforcement authorities in February 2018.

The rogue enterprise dabbled in the large-scale acquisition and sale of compromised credit card data, personally identifiable information, and other digital contraband, enabling the trade of more than four million stolen credit and debit card numbers.

"The organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods," the DoJ said at the time.

"It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members," it added.

The group is estimated to have caused no less than $568 million in losses to consumers, businesses, and financial institutions alike.

Telusma is the 14th member of the Infraud Organization to be sentenced in connection with the Infraud scheme. Other co-conspirators include Sergey Medvedev, Marko Leopard, Valerian Chiochiu, David Jonathan Vargas, Pius Sushil Wilson, Gennaro Fioretti, Jose Gamboa, Aldo Ymeraj, and Taimoor Zaman.


Interpol Arrests Leader of SilverTerrier Cybercrime Gang Behind BEC Attacks
26.5.22  Crime  
Thehackernews
A year-long international investigation has resulted in the arrest of the suspected head of the SilverTerrier cybercrime group by the Nigeria Police Force.

"The suspect is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims," Interpol said in a statement.

Operation Delilah, as the coordinated international effort is called, involved tracking the 37-year-old Nigerian man's physical movements, before he was apprehended at Murtala Muhammed International Airport in Lagos in March 2022.

Singapore-headquartered cybersecurity company Group-IB said it provided threat intelligence that led to the arrest as part of the police operation that commenced in May 2021.

According to Palo Alto Networks' Unit 42, which also assisted in the probe into SilverTerrier activity, the unnamed suspect is said to have been active since 2015 and involved in the creation of over 240 domains, of which 50 were used to provide command-and-control for malware such as LokiBot.

Unit 42 also noted that the criminal actor evaded arrest during a prior sting by fleeing Nigeria in June 2021 only to be caught when trying to get back home earlier this March. Furthermore, he attempted to sell his Autobiography Special Edition Range Rover for 5.8 million Naira (about $14,000) on Facebook before leaving the country.

The development is the third in a series of law enforcement actions aimed at the identification and arrest of the suspected members of the SilverTerrier gang (aka TMT).

In November 2020, three alleged members of the group were arrested for compromising at least 500,000 government and private sector companies in more than 150 countries since 2017. This was followed by the arrests of 11 more members earlier this year as part of an operation dubbed Falcon.


U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware
17.5.22  Crime  
Thehackernews

The U.S. Justice Department on Monday accused a 55-year-old cardiologist from Venezuela of being the mastermind behind Thanos ransomware, charging him with the use and sale of the malicious tool and entering into profit sharing arrangements.

Moises Luis Zagala Gonzalez, also known by the monikers Nosophoros, Aesculapius, and Nebuchadnezzar, is alleged to have both developed and marketed the ransomware to other cybercriminals to facilitate the intrusions and get a share of the bitcoin payment.

If convicted, Zagala faces up to five years' imprisonment for attempted computer intrusion, and five years' imprisonment for conspiracy to commit computer intrusions.

"The multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran," U.S. attorney Breon Peace said.

The ransomware-as-a-service (RaaS) scheme involved encrypting files belonging to companies, non-profit entities, and other institutions, and then demanding a ransom in exchange for the decryption key.

At its core, Thanos is a private ransomware builder that allows its purchasers (aka affiliates) to create their own custom ransomware software, which they can then use themselves or lease to other actors, effectively widening the scope of the attacks.

An analysis by Recorded Future in June 2020 revealed that the builder comes with 43 different configuration options, and called it the first ransomware family to leverage the RIPlace technique to bypass ransomware protection features built into Windows 10.

Some of the options available include the ability to modify the ransom notes, specify the list of file types to be exfiltrated prior to encryption, and settings to evade detection and self-delete the ransomware after execution.

Zagala is believed to have advertised the software on darknet cybercrime forums for $500 a month with "basic options" or $800 with "full options," while also recruiting affiliates for the RaaS program.

"On or about May 1, 2020, a confidential human source of the FBI (CHS-1) discussed joining Zagala's 'affiliate program,'" the DoJ said. "Zagala responded: 'Not for now. Don't have spots,'" before proceeding to license the software to CHS-1 and helping the informant with tutorials on how to use the software and set up an affiliate crew.

Zagala, who received favorable reviews for his ransomware tools, was ultimately traced on May 3, 2022, after investigators identified a PayPal account belonging to a relative of his who resides in the U.S. state of Florida and which was used to obtain the illicit proceeds.

"The individual confirmed that Zagala resides in Venezuela and had taught himself computer programming," the DoJ said.


Ukrainian Hacker Jailed for 4 Years in U.S. for Selling Access to Hacked Servers
17.5.22  Crime  
Thehackernews
A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme.

Glib Oleksandr Ivanov-Tolpintsev, who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being extradited to the U.S. in September 2021.

The illegal sale involved the trafficking of login credentials to servers located across the world and personally identifiable information such as dates of birth and Social Security numbers belonging to U.S. residents on a darknet marketplace.

The unnamed site purportedly offered over 700,000 compromised servers for sale, including at least 150,000 in the U.S. alone. Believed to have been operational from around October 2014, the underground marketplace was seized by law enforcement authorities on January 24, 2019, according to court documents.

This exactly coincides with the dismantling of the xDedic Marketplace on the same date following a year-long investigation by agencies from the U.S., Belgium, Ukraine, and Germany.

"The xDedic Marketplace sold access to compromised computers worldwide as well as personal data," Europol said at the time, adding, "users of xDedic could search for compromised computer credentials by criteria, such as price, geographic location, and operating system."

Victims spanned a wide gamut of sectors like governments, hospitals, emergency services, call centers, metropolitan transit authorities, law firms, pension funds, and universities.

"Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included ransomware attacks and tax fraud," the U.S. Justice Department (DoJ) noted in a press statement.

Ivanov-Tolpintsev is said to have obtained the server usernames and passwords by means of a botnet that was used to carry out brute-force and password-spraying attacks, listing the hacked credentials for sale on the marketplace from 2017 through 2019 and netting $82,648 in return.

The sentencing comes as the DoJ awarded a jail term of at least five years to a trio of cybercriminals for conspiracy to commit fraud and aggravated identity theft.

"From at least 2015 through 2020, [Jean Elie Doreus] Jovin, Alessandro Doreus, and Djouman Doreus conspired to knowingly, and with intent to defraud, possess tens of thousands of counterfeit and unauthorized access devices—including the names, Social Security numbers, account numbers, usernames, and passwords of identity theft victims," the department said.


Ukrainian FIN7 Hacker Gets 5-Year Sentence in the United States
9.4.22  Crime  
Thehackernews

A 32-year-old Ukrainian national has been sentenced to five years in prison in the U.S. for the individual's criminal work as a "high-level hacker" in the financially motivated group FIN7.

Denys Iarmak, who worked as a penetration tester for the cartel from November 2016 through November 2018, had been previously arrested in Bangkok, Thailand in November 2019, before being extradited to the U.S. in May 2020.

In November 2021, Iarmak had pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

FIN7 has been attributed to a number of attacks that have led to the theft of more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations in the U.S., costing the victims $1 billion in losses.

The criminal gang, also known as Carbanak Group and the Navigator Group, has a track record dating back to at least 2015 of hitting the restaurant, gambling, and hospitality industries to siphon customer credit and debit card numbers, which were then used or sold for profit.

"Mr. Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information," said U.S. Attorney Nicholas W. Brown of the Western District of Washington. "To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators."

According to court documents released by the U.S. Justice Department (DoJ), the defendant used Atlassian's Jira project management and issue-tracking software to coordinate and share details pertaining to different intrusions conducted by the group.

"Under each issue, FIN7 members tracked their progress breaching a victim's security, uploaded data stolen from the victim, and provided guidance to each other," the DoJ said.

Iarmak is the third FIN7 member to be sentenced in the U.S., after Fedir Hladyr and Andrii Kolpakov, who were handed prison terms of 10 years and seven years in April and June last year, respectively.

The development comes as threat intelligence and incident response firm Mandiant detailed the evolution of FIN7 into a resilient cyber crime group, linking it to 17 clusters of previously unattributed threat activity spanning several years, while also calling out its upgraded attack toolkit and initial access techniques and its shift to ransomware to monetize its attacks.


British Police Charge Two Teenagers Linked to LAPSUS$ Hacker Group
2.4.22 Crime  
Thehackernews

The City of London Police on Friday disclosed that it has charged two of the seven teenagers, a 16-year-old and a 17-year-old, who were arrested last week for their alleged connections to the LAPSUS$ data extortion gang.

"Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data," Detective Inspector Michael O'Sullivan, from the City of London Police, said in a statement.

In addition, the unnamed 16-year-old minor has been charged with one count of causing a computer to perform a function to secure unauthorized access to a program.

The charges come as the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21 on March 25, with the agency telling The Hacker News that all the individuals had been subsequently "released under investigation."

But the arrests are yet to put a dampener on the cartel's activities, which returned from a "vacation" this week to leak 70GB of data belonging to software services giant Globant on March 30. The Luxembourg-headquartered company said it's currently "conducting an exhaustive investigation" and that it's "taking strict measures to prevent further incidents."

LAPSUS$, in the short span of a few months, has gained notoriety for its hacking spree, stealing and publishing source code of multiple top-tier technology companies on its Telegram channel, which currently has close to 58,000 subscribers.

"In today's environment, threat actors favor using ransomware to encrypt data and systems and often extort victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes turning up the pressure with the threat of publishing stolen data," Palo Alto Networks' Unit 42 team said.

"LAPSUS$, however, is unusual in its approach – for this group, notoriety most often appears to be the goal, rather than financial gain."


Europol Ordered to Delete Data of Individuals With No Proven Links to Crimes
19.1.2022  Crime  
Thehackernews

The European Union's data protection watchdog on Monday ordered Europol to delete a vast trove of personal data it obtained pertaining to individuals with no proven links to criminal activity.

"Datasets older than six months that have not undergone this Data Subject Categorisation must be erased," the European Data Protection Supervisor (EDPS) said in a press statement. "This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline."

EDPS' investigation into Europol's handling of sensitive data commenced in April 2019, with the authority noting that the storage of large volumes of data with no Data Subject Categorisation poses a risk to individuals' fundamental rights and amounts to mass surveillance. The cache is said to contain at least four petabytes, according to The Guardian.

In addition, the ruling imposed a six-month retention period within which the personal data must be filtered and extracted, and gave the cross-border law enforcement agency a year to comply and review its databases for potential removal of any information that cannot be linked to a criminal investigation.

"A six-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of E.U. Member States relying on Europol for technical and analytical support, while minimizing the risks to individuals' rights and freedoms," Wojciech Wiewiórowski of EDPS said.

We have reached out to Europol for further comment, and we'll update the story when we hear back.