

Latvian Hacker Extradited to U.S. for Role in Karakurt Cybercrime Group
23.8.24 
Crime  The Hacker News
A 33-year-old Latvian national living in Moscow, Russia, has been charged in the U.S. for allegedly stealing data, extorting victims, and laundering ransom payments since August 2021.

Deniss Zolotarjovs (aka Sforza_cesarini) has been charged with conspiring to commit money laundering, wire fraud and Hobbs Act extortion. He was arrested in Georgia in December 2023 and has since been extradited to the U.S. as of this month.

"Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world," the U.S. Department of Justice (DoJ) said in a press release this week.

"Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download."

Zolotarjovs is believed to have been an active member of the e-crime group, engaging with other members of the gang and laundering the ransom payments received from victims.

While the name of the cybercrime syndicate was not mentioned by the DoJ, a November 28, 2023, complaint filed in the U.S. District Court links the defendant to a data extortion crew tracked as Karakurt, which emerged as a splinter group in the wake of the crackdown on Conti in 2022.

"Further analysis of Sforza's communications [on Rocket.Chat] indicated Sforza appeared to be responsible for conducting negotiations on Karakurt victim cold case extortions, as well as open-source research to identify phone numbers, emails, or other accounts at which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group," the Federal Bureau of Investigation (FBI) said.

"Sforza also discussed efforts to recruit paid journalists to publish news articles about victims in order to convince the victims to take Karakurt's extortion demands seriously."

The FBI noted in its complaint that it was able to link the online alias "Sforza_cesarini" to Deniss Zolotarjovs by tracing Bitcoin transfers made in September 2021 from a cryptocurrency wallet that was registered to an Apple iCloud account.

The law enforcement agency further said some of the illicit proceeds were laundered through several addresses before arriving at a deposit address associated with Garantex, specifically a Bitcoin24.pro account bearing the same email address, prompting it to serve a search warrant on Apple in September 2023 to obtain the records associated with that email address.

From the information shared by the tech giant, the FBI said the Rocket.Chat instant messaging account ID "Sforza_cesarini" was "accessed by the same IP addresses at or about the same times, on multiple occasions, as those used to access dennis.zolotarjov@icloud[.]com."

Zolotarjovs is the first alleged group member of Karakurt to be arrested and extradited to the U.S., a feat that could pave the way for the identification and prosecution of additional members in the future.

"Karakurt actors have contacted victims' employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate," the U.S. government said in a bulletin last year. "The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients."


Russian Hacker Jailed 3+ Years for Selling Stolen Credentials on Dark Web
17.8.24 
Crime  The Hacker News
A 27-year-old Russian national has been sentenced to over three years in prison in the U.S. for peddling financial information, login credentials, and other personally identifying information (PII) on a now-defunct dark web marketplace called Slilpp.

Georgy Kavzharadze, 27, of Moscow, Russia, pleaded guilty to one count of conspiracy to commit bank fraud and wire fraud earlier this February. In addition to a 40-month jail term, Kavzharadze has been ordered to pay $1,233,521.47 in restitution.

The defendant, who went by the online monikers TeRorPP, Torqovec, and PlutuSS, is believed to have listed over 626,100 stolen login credentials for sale on Slilpp and sold more than 297,300 of them on the illicit marketplace between July 2016 and May 2021.

"Those credentials were subsequently linked to $1.2 million in fraudulent transactions," the U.S. Department of Justice (DoJ) said.

"On May 27, 2021, Kavzharadze's account on Slilpp listed 240,495 login credentials for sale that would allow the buyer to use the information to steal money from the victim's online payment and bank accounts."

Kavzharadze is estimated to have made no less than $200,000 in illegal profits from the sale of stolen credentials. In August 2021, he was charged with conspiracy to commit bank fraud and wire fraud, bank fraud, access device fraud, and aggravated identity theft. He was subsequently extradited to the U.S. to face the charges.

Slilpp was one of the largest marketplaces that specialized in the sale of login credentials until June 2021, when its infrastructure was dismantled as part of an international law enforcement operation involving authorities from the U.S., Germany, the Netherlands, and Romania.

It had been in operation since 2012, selling more than 80 million login credentials from over 1,400 companies.


Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files
24.7.24 
Crime  The Hacker News
Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information.

The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said.

The skimmer is designed to capture all the data entered into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024.

"Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said.

This is just one of many defense evasion methods employed by the threat actor; another is the use of a swap file ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstrap.php") intact and free of malware.

"When files are edited directly via SSH the server will create a temporary 'swap' version in case the editor crashes, which prevents the entire contents from being lost," Morrow explained.

"It became evident that the attackers were leveraging a swap file to keep the malware present on the server and evade normal methods of detection."

Although it's currently not clear how the initial access was obtained in this case, it's suspected to have involved the use of SSH or some other terminal session.
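A defender-side check for the swap-file trick described above, added here as an example (it is not Sucuri's tooling). It walks a web root for editor swap and backup leftovers, reports whether each one carries PHP and whether it differs from the file it shadows; the directory layout, file names and contents it scans are constructed.

```python
"""Scan a web root for editor swap/backup leftovers that carry PHP code.

Added example: in the Magento case above the skimmer lived in
"bootstrap.php-swapme" next to a clean "bootstrap.php", so a cleanup that
only reviews *.php files never sees it.  This walker flags names that look
like editor swap/backup artifacts, notes whether they contain a PHP open
tag, and diffs them against the base file they shadow.  The sample tree it
builds is constructed for a stand-alone run.
"""
import os
import re
import tempfile
from pathlib import Path

# Name patterns of vim/nano/emacs/backup leftovers plus the "-swapme"
# naming from the incident.  Group 1 is the base file the artifact shadows.
SWAP_PATTERNS = [
    re.compile(r"^\.(.+)\.sw[a-p]$"),       # vim:   .bootstrap.php.swp
    re.compile(r"^(.+)\.save(\.\d+)?$"),    # nano:  bootstrap.php.save
    re.compile(r"^(.+)~$"),                 # emacs: bootstrap.php~
    re.compile(r"^(.+)-swapme$"),           # naming seen in the case above
    re.compile(r"^(.+)\.(bak|orig|old)$"),  # hand-made backups
]
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(name):
    """Return the base file name a swap/backup artifact shadows, or None."""
    for pat in SWAP_PATTERNS:
        m = pat.match(name)
        if m:
            return m.group(1)
    return None


def scan_webroot(root):
    """Return one finding per swap/backup artifact found under root.

    A finding records the artifact path, the base file it shadows (if that
    file exists), whether the artifact contains a PHP open tag, and whether
    its bytes differ from the base file.  A differing artifact that contains
    PHP is the case worth pulling into incident response.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            base = classify(name)
            if base is None:
                continue
            path = Path(dirpath) / name
            data = path.read_bytes()
            base_path = Path(dirpath) / base
            differs = None
            if base_path.is_file():
                differs = base_path.read_bytes() != data
            findings.append({
                "artifact": str(path.relative_to(root)),
                "base": base if base_path.is_file() else None,
                "has_php": bool(PHP_TAG.search(data)),
                "differs_from_base": differs,
            })
    return sorted(findings, key=lambda f: f["artifact"])


def build_sample_webroot():
    """Create a constructed Magento-like tree in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    app = root / "app"
    app.mkdir()
    clean = b"<?php\n// constructed clean bootstrap\nreturn 1;\n"
    (app / "bootstrap.php").write_bytes(clean)
    # Swap-named sibling: the clean code plus an extra block (a placeholder,
    # not a real skimmer) that a *.php-only review would never look at.
    (app / "bootstrap.php-swapme").write_bytes(
        clean + b"// CONSTRUCTED: extra code present only in the swap file\n")
    # Harmless editor leftover: identical to its base and no PHP inside.
    (root / "README.txt").write_bytes(b"notes\n")
    (root / "README.txt~").write_bytes(b"notes\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for f in scan_webroot(sample):
        flag = "REVIEW" if f["has_php"] and f["differs_from_base"] else "info"
        print(f"[{flag}] {f['artifact']} shadows {f['base']} "
              f"php={f['has_php']} differs={f['differs_from_base']}")
```

Point `scan_webroot` at a real document root to list the artifacts; the REVIEW lines are the ones to hash and preserve before any cleanup.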

The disclosure arrives as compromised administrator user accounts on WordPress sites are being used to install a malicious plugin that masquerades as the legitimate Wordfence plugin, but comes with capabilities to create rogue admin users and disable Wordfence while giving a false impression that everything is working as expected.

"In order for the malicious plugin to have been placed on the website in the first place, the website would have already had to have been compromised — but this malware could definitely serve as a reinfection vector," security researcher Ben Martin said.

"The malicious code only works on pages of WordPress admin interface whose URL contains the word 'Wordfence' in them (Wordfence plugin configuration pages)."

Site owners are advised to restrict the use of common protocols like FTP, sFTP, and SSH to trusted IP addresses, as well as ensure that the content management systems and plugins are up-to-date.

Users are also recommended to enable two-factor authentication (2FA), use a firewall to block bots, and apply additional wp-config.php hardening settings such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.


17-Year-Old Linked to Scattered Spider Cybercrime Syndicate Arrested in U.K.
21.7.24 
Crime  The Hacker News
Law enforcement officials in the U.K. have arrested a 17-year-old boy from Walsall who is suspected to be a member of the notorious Scattered Spider cybercrime syndicate.

The arrest was made "in connection with a global cyber online crime group which has been targeting large organizations with ransomware and gaining access to computer networks," West Midlands police said. "The arrest is part of a global investigation into a large-scale cyber hacking community which has targeted a number of major companies which includes MGM Resorts in America."

The teen's arrest, carried out in coordination with the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI), comes a little over a month after another 22-year-old member of the e-crime syndicate from the U.K. was apprehended in Spain.

Scattered Spider, an offshoot of a loose-knit group called The Com, has evolved into an initial access broker and affiliate, delivering ransomware families like BlackCat, Qilin, and RansomHub. A recent report from Google-owned Mandiant revealed the attackers' pivot to encryptionless extortion attacks that aim to steal data from software-as-a-service (SaaS) applications.

The development comes as the DoJ announced the sentencing of Scott Raul Esparza, 24, of Texas, to nine months in prison for running a distributed denial-of-service (DDoS) attack service named Astrostress between 2019 and 2022, after which he is expected to serve two years of supervised release. He pleaded guilty to the charges earlier in March.

"Customers of Astrostress.com were offered various levels of subscriptions – depending on how many attacks they wanted to conduct and with what power – and were charged accordingly," the DoJ said. "This site thus enabled co-conspirators worldwide to set up accounts on Astrostress.com and then use the Astrostress.com resources to direct attacks at internet-connected computers around the globe."

Esparza, who procured the attack servers and maintained the service, is said to have collaborated with Shamar Shattock, 21, of Florida. Shattock faces up to five years in prison after pleading guilty in March 2023.

It also comes in the wake of sanctions imposed by the U.S. Treasury Department against Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members of CyberArmyofRussia_Reborn (CARR), a hacktivist persona tied to the prolific Russia-based Sandworm (aka APT44) group, for engaging in cyber attacks targeting critical infrastructure in the U.S.

Pankratova (aka YUliYA) is believed to be the leader of CARR and its spokesperson, with Degtyarenko (aka Dena) working as the primary hacker for the group and allegedly responsible for the compromise of a Supervisory Control and Data Acquisition (SCADA) system of an unnamed U.S. energy company.

"Using various unsophisticated techniques, CARR has been responsible for manipulating industrial control system equipment at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe," the department's Office of Foreign Assets Control (OFAC) said.


Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike
4.7.24 
Crime  The Hacker News
A coordinated law enforcement operation codenamed MORPHEUS has felled close to 600 servers that were used by cybercriminal groups and were part of an attack infrastructure associated with Cobalt Strike.

The crackdown targeted older, unlicensed versions of the Cobalt Strike red teaming framework between June 24 and 28, according to Europol.

Of the 690 IP addresses that were flagged to online service providers in 27 countries as associated with criminal activity, 590 are no longer accessible.

The joint operation, which commenced in 2021, was led by the U.K. National Crime Agency (NCA) and involved authorities from Australia, Canada, Germany, the Netherlands, Poland and the U.S. Officials from Bulgaria, Estonia, Finland, Lithuania, Japan, and South Korea provided additional support.

Cobalt Strike is a popular adversary simulation and penetration testing tool developed by Fortra (formerly Help Systems), offering IT security experts a way to identify weaknesses in security operations and incident responses.

However, as previously observed by Google and Microsoft, cracked versions of the software have found their way into the hands of malicious actors, who have time and again abused it for post-exploitation purposes.

According to a recent report from Palo Alto Networks Unit 42, this involves the use of a payload called Beacon, which uses text-based profiles called Malleable C2 to alter the characteristics of Beacon's web traffic in an attempt to avoid detection.

"Although Cobalt Strike is a legitimate piece of software, sadly cybercriminals have exploited its use for nefarious purposes," Paul Foster, director of threat leadership at the NCA, said in a statement.

"Illegal versions of it have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise. Such attacks can cost companies millions in terms of losses and recovery."

The development comes as Spanish and Portuguese law enforcement have arrested 54 people for committing crimes against elderly citizens through vishing schemes by posing as bank employees and tricking them into parting with personal information under the guise of rectifying a problem with their accounts.

The details were then passed on to other members of the criminal network, who would visit the victims' homes unannounced and pressure them into giving away their credit cards, PIN codes, and bank details. Some instances also involved the theft of cash and jewelry.

The criminal scheme ultimately enabled the miscreants to take control of the targets' bank accounts, make unauthorized cash withdrawals from ATMs, and make expensive purchases.

"Using a blend of fraudulent phone calls and social engineering, the criminals are responsible for €2,500,000 in losses," Europol said earlier this week.

"The funds were deposited into multiple Spanish and Portuguese accounts controlled by the fraudsters, from where they were funneled into an elaborate money laundering scheme. An extensive network of money mules overseen by specialist members of the organization was used to disguise the origin of the illicit funds."

The arrests also follow similar action undertaken by INTERPOL to dismantle human trafficking rings in several countries, including Laos, where several Vietnamese nationals were lured with promises of high-paying jobs, only to be coerced into creating fraudulent online accounts for financial scams.

"Victims worked 12-hour workdays, extended to 14 hours if they failed to recruit others, and had their documents confiscated," the agency said. "Families were extorted up to USD $10,000 to secure their return to Vietnam."

Last week, INTERPOL said it also seized $257 million worth of assets and froze 6,745 bank accounts following a global police operation spanning 61 countries that was conducted to disrupt online scam and organized crime networks.

The exercise, referred to as Operation First Light, targeted phishing, investment fraud, fake online shopping sites, romance, and impersonation scams. It led to the arrest of 3,950 suspects and identified 14,643 other possible suspects on all continents.


New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites
27.6.24 
Crime  The Hacker News
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.

A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information.

According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details.

"For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said, noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager.
Specifically, it utilizes the same substitution mechanism employed in the Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload.

It's presumed that all the websites have been previously compromised through other means to stage a PHP script that goes by the names "style.css" and "css.php" in an apparent effort to mimic an HTML style sheet and evade detection.

These scripts, in turn, are designed to load a further piece of obfuscated JavaScript that creates a WebSocket and connects to another server to fetch the actual skimmer.

"The script sends the URL of the current web pages, which allows the attackers to send customized responses for each infected site," Martin pointed out. "Some versions of the second layer script even check if it is loaded by a logged-in WordPress user and modify the response for them."

Some versions of the script have programmer-readable explanations (aka comments) written in Russian, suggesting that the threat actors behind the operation are Russian-speaking.

The form-checkout.php file in WooCommerce is not the only method used to deploy the skimmer, as the attackers have also been spotted misusing the legitimate WPCode plugin to inject it into the website database.
On websites that use Magento, the JavaScript injections are performed on database tables such as core_config_data. It's currently not known how this is accomplished on OpenCart sites.
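When triaging a modified form-checkout.php or a database-injected snippet that hides its loader domain behind a Caesar-style shift, as described above, an analyst wants every shift tried at once with the plausible decodings surfaced first. The brute-force below is an added example, not Sucuri's code; its whole-printable-range shift mode is an assumption covering obfuscators that shift every character rather than only letters, and the encoded sample is constructed.

```python
"""Brute-force a Caesar-style shift on a suspicious string and rank the
candidates by web-loader indicators.

Added example: tries the classic letters-only rotation (25 shifts) and, as
an assumption, a rotation of the whole printable-ASCII range (94 shifts),
then scores each decoding by the presence of loader/exfil fragments such
as "://", "wss:" or ".js" so the real URL floats to the top.
"""
import string

LETTERS = string.ascii_lowercase
PRINTABLE_LO, PRINTABLE_HI = 0x20, 0x7E          # space .. '~'
PRINTABLE_N = PRINTABLE_HI - PRINTABLE_LO + 1    # 95 code points

# Substrings whose presence marks a decoding as a plausible loader fragment.
INDICATORS = ("://", "http", "wss:", "ws:", ".js", "script", "document",
              "websocket", "checkout", "onepage")


def shift_letters(text, k):
    """Rotate a-z / A-Z by k positions; every other character passes through."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(LETTERS[(LETTERS.index(ch) + k) % 26])
        elif ch.isupper():
            out.append(LETTERS[(LETTERS.index(ch.lower()) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def shift_printable(text, k):
    """Rotate every printable-ASCII code point by k within 0x20..0x7E."""
    out = []
    for ch in text:
        cp = ord(ch)
        if PRINTABLE_LO <= cp <= PRINTABLE_HI:
            cp = PRINTABLE_LO + (cp - PRINTABLE_LO + k) % PRINTABLE_N
        out.append(chr(cp))
    return "".join(out)


def score(candidate):
    """Count the distinct indicator substrings present (case-insensitive)."""
    low = candidate.lower()
    return sum(1 for ind in INDICATORS if ind in low)


def brute_force(garbled):
    """Return all candidates as (score, mode, shift, decoded), best first.

    Decoding applies the inverse shift, so a blob produced with shift +k is
    recovered at shift k in the listing.
    """
    results = []
    for k in range(1, 26):
        decoded = shift_letters(garbled, -k)
        results.append((score(decoded), "letters", k, decoded))
    for k in range(1, PRINTABLE_N):
        decoded = shift_printable(garbled, -k)
        results.append((score(decoded), "printable", k, decoded))
    results.sort(key=lambda r: (-r[0], r[1], r[2]))
    return results


def best_decoding(garbled):
    """Return (mode, shift, decoded) for the top candidate, or None if no
    candidate contains any indicator at all."""
    top = brute_force(garbled)[0]
    return None if top[0] == 0 else top[1:]


if __name__ == "__main__":
    # Constructed sample: a harmless loader URL under a letters-only shift of 3.
    sample = shift_letters("wss://example.invalid/static/loader.js", 3)
    print("garbled :", sample)
    for s, mode, k, decoded in brute_force(sample)[:3]:
        print(f"score={s} mode={mode} shift={k}: {decoded}")
```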

Due to its prevalent use as a foundation for websites, WordPress and the larger plugin ecosystem have become a lucrative target for malicious actors, allowing them easy access to a vast attack surface.

It's imperative that site owners keep their CMS software and plugins up-to-date, enforce password hygiene, and periodically audit their sites for suspicious administrator accounts.


Police Chiefs Call for Solutions to Access Encrypted Data in Serious Crime Cases
24.4.24  Crime  The Hacker News
European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE).

They called on the industry and governments to take urgent action to ensure public safety across social media platforms.

"Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol said.

"It will also stop law enforcement's ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and terrorism offenses."

The idea that E2EE protections could stymie law enforcement is often referred to as the "going dark" problem, triggering concerns it could create new obstacles to gather evidence of nefarious activity.

The development comes against the backdrop of Meta rolling out E2EE in Messenger by default for personal calls and one-to-one personal messages as of December 2023.

The U.K. National Crime Agency (NCA) has since criticized the company's design choices, which made it harder to protect children from sexual abuse online and undermined their ability to investigate crime and keep the public safe from serious threats.

"Encryption can be hugely beneficial, protecting users from a range of crimes," NCA Director General Graeme Biggar said. "But the blunt and increasingly widespread rollout by major tech companies of end-to-end encryption, without sufficient consideration for public safety, is putting users in danger."

Europol's Executive Director Catherine de Bolle noted that tech companies have a social responsibility to develop a safe environment without hampering law enforcement's ability to collect evidence.

The joint declaration also urges the tech industry to build products keeping cybersecurity in mind, but at the same time provide a mechanism for identifying and flagging harmful and illegal content.

"We do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other," the agencies said.

"Our view is that technical solutions do exist; they simply require flexibility from industry as well as from governments. We recognise that the solutions will be different for each capability, and also differ between platforms."

Meta, for what it's worth, already relies on a variety of signals gleaned from unencrypted information and user reports to combat child sexual exploitation on WhatsApp.

Earlier this month, the social media giant also said it's piloting a new set of features in Instagram to protect young people from sextortion and intimate image abuse using client-side scanning.

"Nudity protection uses on-device machine learning to analyze whether an image sent in a DM on Instagram contains nudity," Meta said.

"Because the images are analyzed on the device itself, nudity protection will work in end-to-end encrypted chats, where Meta won't have access to these images – unless someone chooses to report them to us."


Ex-Security Engineer Jailed 3 Years for $12.3 Million Crypto Exchange Thefts
14.4.24  Crime  The Hacker News
A former security engineer has been sentenced to three years in prison in the U.S. for charges relating to hacking two decentralized cryptocurrency exchanges in July 2022 and stealing over $12.3 million.

Shakeeb Ahmed, the defendant in question, pled guilty to one count of computer fraud in December 2023 following his arrest in July.

"At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills Ahmed used to execute the hacks," the U.S. Department of Justice (DoJ) noted at the time.

While the name of the company was not disclosed, he was residing in Manhattan, New York, and working for Amazon before he was apprehended.

Court documents show that Ahmed exploited a security flaw in an unnamed cryptocurrency exchange's smart contracts to insert "fake pricing data to fraudulently generate millions of dollars' worth of inflated fees," which he was able to withdraw.

Subsequently, he initiated contact with the company and agreed to return most of the funds except for $1.5 million if the exchange agreed not to alert law enforcement about the flash loan attack.

It's worth noting that CoinDesk reported in early July 2022 that an unknown attacker returned more than $8 million worth of cryptocurrency to a Solana-based crypto exchange called Crema Finance, while keeping $1.68 million as a "white hat" bounty.

Ahmed has also been accused of carrying out an attack on a second decentralized cryptocurrency exchange called Nirvana Finance, siphoning $3.6 million in the process, ultimately leading to its shutdown.

"Ahmed used an exploit he discovered in Nirvana's smart contracts to allow him to purchase cryptocurrency from Nirvana at a lower price than the contract was designed to allow," the DoJ said.

"He then immediately resold that cryptocurrency to Nirvana at a higher price. Nirvana offered Ahmed a 'bug bounty' of as much as $600,000 to return the stolen funds, but Ahmed instead demanded $1.4 million, did not reach agreement with Nirvana, and kept all the stolen funds."

The defendant then laundered the stolen funds to cover his trail, using cross-chain bridges to move the illicit digital assets from Solana to Ethereum and exchanging the proceeds into Monero using mixers like Samourai Whirlpool.

Besides the three-year jail term, Ahmed has been sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution amounting to more than $5 million to the two impacted crypto exchanges.


Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker
12.4.24  Crime  The Hacker News
Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake Meta Pixel tracker script in an attempt to evade detection.

Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the "Miscellaneous Scripts" section of the Magento admin panel.

"Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery," security researcher Matt Morrow said.

The bogus Meta Pixel tracker script identified by the web security company contains elements similar to its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain "connect.facebook[.]net" with "b-connected[.]com."

While the former is a genuine domain linked to the Pixel tracking functionality, the replacement domain is used to load an additional malicious script ("fbevents.js") that monitors if a victim is on a checkout page, and if so, serves a fraudulent overlay to grab their credit card details.

It's worth noting that "b-connected[.]com" is a legitimate e-commerce website that has been compromised at some point to host the skimmer code. What's more, the information entered into the fake form is exfiltrated to another compromised site ("www.donjuguetes[.]es").

To mitigate such risks, it's recommended to keep the sites up-to-date, periodically review admin accounts to determine if all of them are valid, and update passwords on a frequent basis.

This is particularly important as threat actors are known to leverage weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add rogue admin users, which are then used to perform various other activities, including adding additional plugins and backdoors.


"Because credit card stealers often wait for keywords such as 'checkout' or 'onepage,' they may not become visible until the checkout page has loaded," Morrow said.

"Since most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify the malware is to check the page source or watch network traffic. These scripts run silently in the background."

The development comes as Sucuri also revealed that sites built with WordPress and Magento are the target of another malware called Magento Shoplift. Earlier variants of Magento Shoplift have been detected in the wild since September 2023.

The attack chain starts with injecting an obfuscated JavaScript snippet into a legitimate JavaScript file that's responsible for loading a second script from jqueurystatics[.]com via WebSocket Secure (WSS), which, in turn, is designed to facilitate credit card skimming and data theft while masquerading as a Google Analytics script.

"WordPress has become a massive player in e-commerce as well, thanks to the adoption of Woocommerce and other plugins that can easily turn a WordPress site into a fully-featured online store," researcher Puja Srivastava said.

"This popularity also makes WordPress stores a prime target — and attackers are modifying their MageCart e-commerce malware to target a wider range of CMS platforms."


Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts
20.3.24  Crime  The Hacker News
The Cyber Police of Ukraine has arrested three individuals on suspicion of hijacking more than 100 million email and Instagram accounts from users across the world.

The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison.

The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members.

The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums.

Other threat actors who purchased the information used the compromised accounts to conduct a variety of fraudulent schemes, including those in which scammers reach out to the victim's friends to urgently transfer money to their bank account.

"You can protect your account from this method of hacking by setting up two-factor authentication and using strong passwords," the agency said.

As part of the operation, officials conducted seven searches in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, confiscating 70 computers, 14 phones, bank cards, and cash worth more than $3,000.

The development comes as a U.S. national pleaded guilty to breaching over a dozen entities in the U.S., including a medical clinic in Griffin, and exfiltrating the personal information of more than 132,000 individuals. He is scheduled for sentencing on June 18, 2024.

Robert Purbeck (aka Lifelock or Studmaster) "aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims," U.S. Attorney Ryan K. Buchanan said.

According to the U.S. Department of Justice (DoJ), Purbeck, who pleaded guilty today to federal charges of computer fraud and abuse, purchased access to the clinic's computer server from the darknet in 2017, leveraging it to siphon medical records and other documents that contained data pertaining to over 43,000 individuals, such as names, addresses, birthdates, and social security numbers.

The defendant also bought credentials associated with the City of Newnan, Georgia Police Department server on an underground marketplace. He then plundered records consisting of police reports and documents that had information belonging to no less than 14,000 people.

As part of the plea agreement, Purbeck agreed to pay more than $1 million in restitution to the impacted 19 victims. He was indicted by a federal jury in March 2021.


E-Root Marketplace Admin Sentenced to 42 Months for Selling 350K Stolen Credentials
19.3.24  Crime  The Hacker News
A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced.

Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices. He pleaded guilty on December 1, 2023.

"The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers," the DoJ said last week.

"Buyers could search for compromised computer credentials on E-Root, such as usernames and passwords that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer."

Prospective customers could also search for RDP and SSH credentials based on various filter criteria such as price, geographic location, internet service provider, and operating system.

In an attempt to hide the transaction trails, the marketplace provided an online payment system called Perfect Money, which also made it possible to convert Bitcoin to and from Perfect Money. The infrastructure associated with E-Root and Perfect Money was seized by law enforcement in late 2020.

More than 350,000 credentials are estimated to have been advertised for sale on the illegal marketplace, with many of the victims subjected to ransomware attacks and identity tax fraud schemes.

Diaconu, who served as the administrator between January 2015 and February 2020, was arrested in the U.K. in May 2021 while trying to flee the country. He was extradited to the U.S. in late October 2023.

The development comes as the DoJ also said it's recovering $2.3 million worth of cryptocurrency linked to a pig butchering romance scam that victimized at least 37 individuals across the U.S.

Such schemes seek to build trust with victims in online communications and then entice them into investing in a cryptocurrency scam under the guise of quick returns. Instead, the funds are diverted to the scammers' wallets, leading to financial losses.

According to Web3 anti-fraud company Scam Sniffer, approximately 57,000 victims have lost about $47 million to crypto phishing scams in the month of February 2024 alone.

"Compared to January, the number of victims who lost over $1 million decreased by 75%," it said in a series of posts on X (formerly Twitter). "Most victims were lured to phishing websites through phishing comments from impersonated Twitter accounts."


U.S. Charges Iranian Hacker, Offers $10 Million Reward for Capture
2.3.24  Crime  The Hacker News

The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year cyber-enabled campaign designed to compromise U.S. governmental and private entities.

More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors that support U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York.

Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz while participating in a persistent campaign targeting the U.S. from at least 2016 through about April 2021.

"As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information," said U.S. Attorney Damian Williams for the Southern District of New York.

The spear-phishing campaigns were managed via a custom application that made it possible for Nasab and his co-conspirators to organize and deploy their attacks.

In one instance, the threat actors breached an administrator email account belonging to an unnamed defense contractor, subsequently leveraging the access to create rogue accounts and send out spear-phishing emails to employees of a different defense contractor and a consulting firm.

Outside of spear-phishing attacks, the conspirators have masqueraded as other people, typically women, to obtain the confidence of victims and deploy malware onto victim computers.

Nasab, while working for the front company, is believed to be responsible for procuring infrastructure utilized in the campaign by using the stolen identity of a real person in order to register a server and email accounts.

He has been charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, one count of wire fraud, and one count of aggravated identity theft. If convicted on all counts, Nasab could face up to 47 years in prison.

While Nasab remains at large, the U.S. State Department has announced monetary rewards of up to $10 million for information leading to the identification or location of Nasab.

Mahak Rayan Afraz (MRA) was first outed by Meta in July 2021 as a Tehran-based firm with ties to the Islamic Revolutionary Guard Corps (IRGC), Iran's armed force charged with defending the country's revolutionary regime.

The activity cluster, which also overlaps with Tortoiseshell, has been previously linked to elaborate social engineering campaigns, including posing as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware.

The development comes as German law enforcement announced the takedown of Crimemarket, a German-speaking illicit trading platform with over 180,000 users that specialized in the sale of narcotics, weapons, money laundering, and other criminal services.

Six people have been arrested in connection with the operation, including a 23-year-old considered the main suspect, with authorities also seizing mobile phones, IT equipment, one kilogram of marijuana, ecstasy tablets, and €600,000 in cash.


FBI's Most-Wanted Zeus and IcedID Malware Mastermind Pleads Guilty
17.2.24  Crime  The Hacker News

A Ukrainian national has pleaded guilty in the U.S. to his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021.

Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, father, and tank), 37, was arrested by Swiss authorities in October 2022 and extradited to the U.S. last year. He was added to the FBI's most-wanted list in 2012.

The U.S. Department of Justice (DoJ) described Penchukov as a "leader of two prolific malware groups" that infected thousands of computers with malware, leading to ransomware and the theft of millions of dollars.

This included the Zeus banking trojan, which facilitated the theft of bank account information, passwords, personal identification numbers, and other details necessary to log in to online banking accounts.

Penchukov and his co-conspirators, as part of the "wide-ranging racketeering enterprise" dubbed the Jabber Zeus gang, then masqueraded as employees of the victims to initiate unauthorized fund transfers.

They also used individuals residing in the U.S. and other parts of the world as "money mules" to receive the wired funds, which were ultimately funneled to overseas accounts controlled by Penchukov et al. A successor to Zeus was dismantled in 2014.

The defendant has also been accused of facilitating malicious activity by helping lead attacks involving the IcedID (aka BokBot) malware from at least November 2018. The malware is capable of acting as an information stealer and a loader for other payloads, such as ransomware.

Ultimately, as investigative journalist Brian Krebs reported back in 2022, he managed to evade prosecution by Ukrainian cybercrime investigators for many years due to his political connections with former Ukrainian President Viktor Yanukovych.

Following his arrest and extradition, Penchukov pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his leadership role in the Jabber Zeus group. He also pleaded guilty to one count of conspiracy to commit wire fraud for his leadership role in the IcedID malware group.

Penchukov is scheduled to be sentenced on May 9, 2024, and faces a maximum penalty of 20 years in prison for each count.

The development comes as the DoJ announced the extradition of a 28-year-old Ukrainian national from the Netherlands in connection with fraud, money laundering and aggravated identity theft by allegedly operating and advertising an information stealer known as Raccoon.

Mark Sokolovsky, who was arrested by Dutch authorities in March 2022, leased Raccoon to other cybercriminals on a malware-as-a-service (MaaS) model for $200 a month. It first became available in April 2019.

"These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims," the DoJ said.

"Raccoon infostealer then stole personal data from victim computers, including login credentials, financial information, and other personal records. Stolen information was used to commit financial crimes or was sold to others on cybercrime forums."

At least 50 million unique credentials and forms of identification have been harvested by the malware, according to the U.S. Federal Bureau of Investigation (FBI) estimates.

Sokolovsky's arrest was accompanied by a coordinated takedown of Raccoon's digital infrastructure, but a new version of the stealer, called RecordBreaker, has since emerged in the wild.

He has been charged with one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering, and one count of aggravated identity theft.