A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We’ll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world’s most visited travel website.

According to the market share website statista.com, booking.com is by far the Internet’s busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message via SMS within minutes of making a reservation at a California hotel via booking.com.

The missive bore the name of the hotel and referenced details from their reservation, claiming that booking.com’s anti-fraud system required additional information about the customer before the reservation could be finalized.

The phishing SMS our reader’s friend received after making a reservation at booking.com in late October.

In an email to KrebsOnSecurity, booking.com confirmed one of its partners had suffered a security incident that allowed unauthorized access to customer booking information.

“Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which unfortunately is not a new situation and quite common across industries,” booking.com replied. “Importantly, we want to clarify that there has been no compromise of Booking.com’s internal systems.”

The phony booking.com website generated by visiting the link in the text message.

Booking.com said it now requires 2FA, which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.

“2FA is required and enforced, including for partners to access payment details from customers securely,” a booking.com spokesperson wrote. “That’s why the cybercriminals follow-up with messages to try and get customers to make payments outside of our platform.”

“That said, the phishing attacks stem from partners’ machines being compromised with malware, which has enabled them to also gain access to the partners’ accounts and to send the messages that your reader has flagged,” they continued.

It’s unclear, however, if the company’s 2FA requirement is enforced for all or just newer partners. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.

A scan of social media networks showed this is not an uncommon scam.

In November 2023, the security firm SecureWorks detailed how scammers targeted booking.com hospitality partners with data-stealing malware. SecureWorks said these attacks had been going on since at least March 2023.

“The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy,” SecureWorks said of the booking.com partner it investigated.

In June 2024, booking.com told the BBC that phishing attacks targeting travelers had increased 900 percent, and that thieves taking advantage of new artificial intelligence (AI) tools were the primary driver of this trend.

Booking.com told the BCC the company had started using AI to fight AI-based phishing attacks. Booking.com’s statement said their investments in that arena “blocked 85 million fraudulent reservations over more than 1.5 million phishing attempts in 2023.”

The domain name in the phony booking.com website sent via SMS to our reader’s friend — guestssecureverification[.]com — was registered to the email address ilotirabec207@gmail.com. According to DomainTools.com, this email address was used to register more than 700 other phishing domains in the past month alone.

Many of the 700+ domains appear to target hospitality companies, including platforms like booking.com and Airbnb. Others seem crafted to phish users of Shopify, Steam, and a variety of financial platforms. A full, defanged list of domains is available here.

A cursory review of recent posts across dozens of cybercrime forums monitored by the security firm Intel 471 shows there is a great demand for compromised booking.com accounts belonging to hotels and other partners.

One post last month on the Russian-language hacking forum BHF offered up to $5,000 for each hotel account. This seller claims to help people monetize hacked booking.com partners, apparently by using the stolen credentials to set up fraudulent listings.

A service advertised on the English-language crime community BreachForums in October courts phishers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Those include more than two million hotel email addresses, and services designed to help phishers organize large volumes of phished records. Customers can interact with the service via an automated Telegram bot.

Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies catering to fellow scammers, with up to 50 percent discounts on hotel reservations through booking.com. Others are selling ready-to-use “config” files designed to make it simple to conduct automated login attempts against booking.com administrator accounts.

SecureWorks found the phishers targeting booking.com partner hotels used malware to steal credentials. But today’s thieves can just as easily just visit crime bazaars online and purchase stolen credentials to cloud services that do not enforce 2FA for all accounts.

That is exactly what transpired over the past year with many customers of the cloud data storage giant Snowflake. In late 2023, cybercriminals figured out that while tons of companies had stashed enormous amounts of customer data at Snowflake, many of those customer accounts were not protected by 2FA.

Snowflake responded by making 2FA mandatory for all new customers. But that change came only after thieves used stolen credentials to siphon data from 160 companies — including AT&T, Lending Tree and TicketMaster.

from Krebs on Security https://ift.tt/9ZzSjpf
via IFTTT

Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information.

Image: Tamer Tuncay, Shutterstock.com.

A ransomware attack at Change Healthcare in the third week of February quickly spawned disruptions across the U.S. healthcare system that reverberated for months, thanks to the company’s central role in processing payments and prescriptions on behalf of thousands of organizations.

In April, Change estimated the breach would affect a “substantial proportion of people in America.” On Oct 22, the healthcare giant notified the U.S. Department of Health and Human Resources (HHS) that “approximately 100 million notices have been sent regarding this breach.”

A notification letter from Change Healthcare said the breach involved the theft of:

-Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
-Billing Records: Records including payment cards, financial and banking records;
-Personal Data: Social Security number; driver’s license or state ID number;
-Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The HIPAA Journal reports that in the nine months ending on September 30, 2024, Change’s parent firm United Health Group had incurred $1.521 billion in direct breach response costs, and $2.457 billion in total cyberattack impacts.

Those costs include $22 million the company admitted to paying their extortionists — a ransomware group known as BlackCat and ALPHV — in exchange for a promise to destroy the stolen healthcare data.

That ransom payment went sideways when the affiliate who gave BlackCat access to Change’s network said the crime gang had cheated them out of their share of the ransom. The entire BlackCat ransomware operation shut down after that, absconding with all of the money still owed to affiliates who were hired to install their ransomware.

A breach notification from Change Healthcare.

A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. “Change Health and United Health processing of sensitive data for all of these companies is just something unbelievable. For most US individuals out there doubting us, we probably have your personal data.”

It remains unclear if RansomHub ever sold the stolen healthcare data. The chief information security officer for a large academic healthcare system affected by the breach told KrebsOnSecurity they participated in a call with the FBI and were told a third party partner managed to recover at least four terabytes of data that was exfiltrated from Change by the cybercriminal group. The FBI did not respond to a request for comment.

Change Healthcare’s breach notification letter offers recipients two years of credit monitoring and identity theft protection services from a company called IDX. In the section of the missive titled “Why did this happen?,” Change shared only that “a cybercriminal accessed our computer system without our permission.”

But in June 2024 testimony to the Senate Finance Committee, it emerged that the intruders had stolen or purchased credentials for a Citrix portal used for remote access, and that no multi-factor authentication was required for that account.

Last month, Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) introduced a bill that would require HHS to develop and enforce a set of tough minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and businesses associates. The measure also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which severely limits the financial penalties HHS can issue against providers.

According to the HIPAA Journal, the biggest penalty imposed to date for a HIPPA violation was the paltry $16 million fine against the insurer Anthem Inc., which suffered a data breach in 2015 affecting 78.8 million individuals. Anthem reported revenues of around $80 billion in 2015.

A post about the Change breach from RansomHub on April 8, 2024. Image: Darkbeast, ke-la.com.

There is little that victims of this breach can do about the compromise of their healthcare records. However, because the data exposed includes more than enough information for identity thieves to do their thing, it would be prudent to place a security freeze on your credit file and on that of your family members if you haven’t already.

The best mechanism for preventing identity thieves from creating new accounts in your name is to freeze your credit file with Equifax, Experian, and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Parents and guardians can now also freeze the credit files for their children or dependents.

Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stymie all sorts of ID theft shenanigans. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit cards, mortgage and bank accounts. When and if you ever do need to allow access to your credit file — such as when applying for a loan or new credit card — you will need to lift or temporarily thaw the freeze in advance with one or more of the bureaus.

All three bureaus allow users to place a freeze electronically after creating an account, but all of them try to steer consumers away from enacting a freeze. Instead, the bureaus are hoping consumers will opt for their confusingly named “credit lock” services, which accomplish the same result but allow the bureaus to continue selling access to your file to select partners.

If you haven’t done so in a while, now would be an excellent time to review your credit file for any mischief or errors. By law, everyone is entitled to one free credit report every 12 months from each of the three credit reporting agencies. But the Federal Trade Commission notes that the big three bureaus have permanently extended a program enacted in 2020 that lets you check your credit report at each of the agencies once a week for free.

from Krebs on Security https://ift.tt/iguhe6P
via IFTTT

Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.

Image: Shutterstock, Arthimides.

Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online. Backed by millions of dollars in litigation financing, Atlas so far this year has sued 151 consumer data brokers on behalf of a class that includes more than 20,000 New Jersey law enforcement officers who are signed up for Atlas services.

Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers. Daniel’s Law was passed in 2020 after the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge — his mother.

Last week, Atlas invoked Daniel’s Law in a lawsuit (PDF) against Babel Street, a little-known technology company incorporated in Reston, Va. Babel Street’s core product allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slighted dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area.

Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices.

Babel Street can offer this tracking capability by consuming location data and other identifying information that is collected by many websites and broadcast to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user.

This image, taken from a video recording Atlas made of its private investigator using Babel Street to show all of the unique mobile IDs seen over time at a mosque in Dearborn, Michigan. Each red dot represents one mobile device.

In an interview, Atlas said a private investigator they hired was offered a free trial of Babel Street, which the investigator was able to use to determine the home address and daily movements of mobile devices belonging to multiple New Jersey police officers whose families have already faced significant harassment and death threats.

Atlas said the investigator encountered Babel Street while testing hundreds of data broker tools and services to see if personal information on its users was being sold. They soon discovered Babel Street also bundles people-search services with its platform, to make it easier for customers to zero in on a specific device.

The investigator contacted Babel Street about possibly buying home addresses in certain areas of New Jersey. After listening to a sales pitch for Babel Street and expressing interest, the investigator was told Babel Street only offers their service to the government or to “contractors of the government.”

“The investigator (truthfully) mentioned that he was contemplating some government contract work in the future and was told by the Babel Street salesperson that ‘that’s good enough’ and that ‘they don’t actually check,’” Atlas shared in an email with reporters.

KrebsOnSecurity was one of five media outlets invited to review screen recordings that Atlas made while its investigator used a two-week trial version of Babel Street’s LocateX service. References and links to reporting by other publications, including 404 Media, Haaretz, NOTUS, and The New York Times, will appear throughout this story.

Collectively, these stories expose how the broad availability of mobile advertising data has created a market in which virtually anyone can build a sophisticated spying apparatus capable of tracking the daily movements of hundreds of millions of people globally.

The findings outlined in Atlas’s lawsuit against Babel Street also illustrate how mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.

WARRANTLESS SURVEILLANCE

Atlas says the Babel Street trial period allowed its investigator to find information about visitors to high-risk targets such as mosques, synagogues, courtrooms and abortion clinics. In one video, an Atlas investigator showed how they isolated mobile devices seen in a New Jersey courtroom parking lot that was reserved for jurors, and then tracked one likely juror’s phone to their home address over several days.

While the Atlas investigator had access to its trial account at Babel Street, they were able to successfully track devices belonging to several plaintiffs named or referenced in the lawsuit. They did so by drawing a digital polygon around the home address or workplace of each person in Babel Street’s platform, which focused exclusively on the devices that passed through those addresses each day.

Each red dot in this Babel Street map represents a unique mobile device that has been seen since April 2022 at a Jewish synagogue in Los Angeles, Calif. Image: Atlas Data Privacy Corp.

One unique feature of Babel Street is the ability to toggle a “night” mode, which makes it relatively easy to determine within a few meters where a target typically lays their head each night (because their phone is usually not far away).

Atlas plaintiffs Scott and Justyna Maloney are both veteran officers with the Rahway, NJ police department who live together with their two young children. In April 2023, Scott and Justyna became the target of intense harassment and death threats after Officer Justyna responded to a routine call about a man filming people outside of the Motor Vehicle Commission in Rahway.

The man filming the Motor Vehicle Commission that day is a social media personality who often solicits police contact and then records himself arguing about constitutional rights with the responding officers.

Officer Justyna’s interaction with the man was entirely peaceful, and the episode appeared to end without incident. But after a selectively edited video of that encounter went viral, their home address and unpublished phone numbers were posted online. When their tormentors figured out that Scott was also a cop (a sergeant), the couple began receiving dozens of threatening text messages, including specific death threats.

According to the Atlas lawsuit, one of the messages to Mr. Maloney demanded money, and warned that his family would “pay in blood” if he didn’t comply. Sgt. Maloney said he then received a video in which a masked individual pointed a rifle at the camera and told him that his family was “going to get [their] heads cut off.”

Maloney said a few weeks later, one of their neighbors saw two suspicious individuals in ski masks parked one block away from the home and alerted police. Atlas’s complaint says video surveillance from neighboring homes shows the masked individuals circling the Maloney’s home. The responding officers arrested two men, who were armed, for unlawful possession of a firearm.

According to Google Maps, Babel Street shares a corporate address with Google and the consumer credit reporting bureau TransUnion.

Atlas said their investigator was not able to conclusively find Scott Maloney’s iPhone in the Babel Street platform, but they did find Justyna’s. Babel Street had nearly 100,000 hits for her phone over several months, allowing Atlas to piece together an intimate picture of Justyna’s daily movements and meetings with others.

An Atlas investigator visited the Maloneys and inspected Justyna’s iPhone, and determined the only app that used her device’s location data was from the department store Macy’s.

In a written response to questions, Macy’s said its app includes an opt-in feature for geo-location, “which allows customers to receive an enhanced shopping experience based on their location.”

“We do not store any customer location information,” Macy’s wrote. “We share geo-location data with a limited number of partners who help us deliver this enhanced app experience. Furthermore, we have no connection with Babel Street” [link added for context].

Justyna’s experience highlights a stark reality about the broad availability of mobile location data: Even if the person you’re looking for isn’t directly identifiable in platforms like Babel Street, it is likely that at least some of that person’s family members are. In other words, it’s often trivial to infer the location of one device by successfully locating another.

The terms of service for Babel Street’s Locate X service state that the product “may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action.” But Scott Maloney said he’s convinced by their experience that not even law enforcement agencies should have access to this capability without a warrant.

“As a law enforcement officer, in order for me to track someone I need a judge to sign a warrant – and that’s for a criminal investigation after we’ve developed probable cause,” Mr. Maloney said in an interview. “Data brokers tracking me and my family just to sell that information for profit, without our consent, and even after we’ve explicitly asked them not to is deeply disturbing.”

Mr. Maloney’s law enforcement colleagues in other states may see things differently. In August, The Texas Observer reported that state police plan to spend more than $5 million on a contract for a controversial surveillance tool called Tangles from the tech firm PenLink. Tangles is an AI-based web platform that scrapes information from the open, deep and dark web, and it has a premier feature called WebLoc that can be used to geofence mobile devices.

The Associated Press reported last month that law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cell phone tracking tool called Fog Reveal — at times without warrants — that gives them the ability to follow people’s movements going back many months.

It remains unclear precisely how Babel Street is obtaining the abundance of mobile location data made available to users of its platform. The company did not respond to multiple requests for comment.

But according to a document (PDF) obtained under a Freedom of Information Act request with the Department of Homeland Security’s Science and Technology directorate, Babel Street re-hosts data from the commercial phone tracking firm Venntel.

On Monday, the Substack newsletter All-Source Intelligence unearthed documents indicating that the U.S. Federal Trade Commission has opened an inquiry into Venntel and its parent company Gravy Analytics.

“Venntel has also been a data partner of the police surveillance contractor Fog Data Science, whose product has been described as ‘mass surveillance on a budget,’” All-Source’s Jack Poulson wrote. “Venntel was also reported to have been a primary data source of the controversial ‘Locate X’ phone tracking product of the American data fusion company Babel Street.”

MAID IN HELL

The Mobile Advertising ID or MAID — the unique alphanumeric identifier assigned to each mobile device — was originally envisioned as a way to distinguish individual mobile customers without relying on personally identifiable information such as phone numbers or email addresses.

However, there is now a robust industry of marketing and advertising companies that specialize in assembling enormous lists of MAIDs that are “enriched” with historical and personal information about the individual behind each MAID.

One of many vendors that “enrich” MAID data with other identifying information, including name, address, email address and phone number.

Atlas said its investigator wanted to know whether they could find enriched MAID records on their New Jersey law enforcement customers, and soon found plenty of ad data brokers willing to sell it.

Some vendors offered only a handful of data fields, such as first and last name, MAID and email address. Other brokers sold far more detailed histories along with their MAID, including each subject’s social media profiles, precise GPS coordinates, and even likely consumer category.

How are advertisers and data brokers gaining access to so much information? Some sources of MAID data can be apps on your phone such as AccuWeather, GasBuddy, Grindr, and MyFitnessPal that collect your MAID and location and sell that to brokers.

A user’s MAID profile and location data also is commonly shared as a consequence of simply using a smartphone to visit a web page that features ads. In the few milliseconds before those ads load, the website will send a “bid request” to various ad exchanges, where advertisers can bid on the chance to place their ad in front of users who match the consumer profiles they’re seeking. A great deal of data can be included in a bid request, including the user’s precise location (the current open standard for bid requests is detailed here).

The trouble is that virtually anyone can access the “bidstream” data flowing through these so-called “realtime bidding” networks, because the information is simultaneously broadcast in the clear to hundreds of entities around the world.

The result is that there are a number of marketing companies that now enrich and broker access to this mobile location information. Earlier this year, the German news outlet netzpolitik.org purchased a bidstream data set containing more than 3.6 billion data points, and shared the information with the German daily BR24. They concluded that the data they obtained (through a free trial, no less) made it possible to establish movement profiles — some of them quite precise — of several million people across Germany.

A screenshot from the BR24/Netzpolitik story about their ability to track millions of Germans, including many employees of the German Federal Police and Interior Ministry.

Politico recently covered startling research from universities in New Hampshire, Kentucky and St. Louis that showed how the mobile advertising data they acquired allowed them to link visits from investigators with the U.S. Securities and Exchange Commission (SEC) to insiders selling stock before the investigations became public knowledge.

The researchers in that study said they didn’t attempt to use the same methods to track regulators from other agencies, but that virtually anyone could do it.

Justin Sherman, a distinguished fellow at Georgetown Law’s Center for Privacy and Technology, called the research a “shocking demonstration of what happens when companies can freely harvest Americans’ geolocation data and sell it for their chosen price.”

“Politicians should understand how they, their staff, and public servants are threatened by the sale of personal data—and constituent groups should realize that talk of data broker ‘controls’ or ‘best practices” is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions, Sherman wrote for Lawfare this week.

A BIDSTREAM DRAGNET?

The Orwellian nature of modern mobile advertising networks may soon have far-reaching implications for women’s reproductive rights, as more states move to outlaw abortion within their borders. The 2022 Dobbs decision by the U.S. Supreme Court discarded the federal right to abortion, and 14 states have since enacted strict abortion bans.

Anti-abortion groups are already using mobile advertising data to advance their cause. In May 2023, The Wall Street Journal reported that an anti-abortion group in Wisconsin used precise geolocation data to direct ads to women it suspected of seeking abortions.

As it stands, there is little to stop antiabortion groups from purchasing bidstream data (or renting access to a platform like Babel Street) and using it to geofence abortion clinics, potentially revealing all mobile devices transiting through these locations.

Atlas said its investigator geofenced an abortion clinic and was able to identify a likely employee at that clinic, following their daily route to and from that individual’s home address.

A still shot from a video Atlas shared of its use of Babel Street to identify and track an employee traveling each day between their home and the clinic.

Last year, Idaho became the first state to outlaw “abortion trafficking,” which the Idaho Capital Sun reports is defined as “recruiting, harboring or transporting a pregnant minor to get an abortion or abortion medication without parental permission.” Tennessee now has a similar law, and GOP lawmakers in five other states introduced abortion trafficking bills that failed to advance this year, the Sun reports.

Atlas said its investigator used Babel Street to identify and track a person traveling from their home in Alabama — where abortion is now illegal — to an abortion clinic just over the border in Tallahassee, Fla. — and back home again within a few hours. Abortion rights advocates and providers are currently suing Alabama Attorney General Steve Marshall, seeking to block him from prosecuting people who help patients travel out-of-state to end pregnancies.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said she’s extremely concerned about dragnet surveillance of people crossing state lines in order to get abortions.

“Specifically, Republican officials from states that have outlawed abortion have made it clear that they are interested in targeting people who have gone to neighboring states in order to get abortions, and to make it more difficult for people who are seeking abortions to go to neighboring states,” Galperin said. “It’s not a great leap to imagine that states will do this.”

APPLES AND GOOGLES

Atlas found that for the right price (typically $10-50k a year), brokers can provide access to tens of billions of data points covering large swaths of the US population and the rest of the world.

Based on the data sets Atlas acquired — many of which included older MAID records — they estimate they could locate roughly 80 percent of Android-based devices, and about 25 percent of Apple phones. Google refers to its MAID as the “Android Advertising ID,” (AAID) while Apple calls it the “Identifier for Advertisers” (IDFA).

What accounts for the disparity between the number of Android and Apple devices that can be found in mobile advertising data? In April 2021, Apple shipped version 14.5 of its iOS operating system, which introduced a technology called App Tracking Transparency (ATT) that requires apps to get affirmative consent before they can track users by their IDFA or any other identifier.

Apple’s introduction of ATT had a swift and profound impact on the advertising market: Less than a year later Facebook disclosed that the iPhone privacy feature would decrease the company’s 2022 revenues by about $10 billion.

Source: cnbc.com.

Google runs by far the world’s largest ad exchange, known as AdX. The U.S. Department of Justice, which has accused Google of building a monopoly over the technology that places ads on websites, estimates that Google’s ad exchange controls 47 percent of the U.S. market and 56 percent globally.

According to recent figures, Google’s Android is also the dominant mobile operating system worldwide, with more than 72 percent of the market. In the U.S., however, iPhone users claim approximately 55 percent of the market, according to TechRepublic.

In response to requests for comment, Google said it does not send real time bidding requests to Babel Street, nor does it share precise location data in bid requests. The company added that its policies explicitly prohibit the sale of data from real-time bidding, or its use for any purpose other than advertising.

Google said its MAIDs are randomly generated and do not contain IP addresses, GPS coordinates, or any other location data, and that its ad systems do not share anyone’s precise location data.

“Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID,” Google’s written statement reads. “If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.”

In a written statement shared with reporters, Apple said Location Services is not on by default in its devices. Rather, users must enable Location Services and must give permission to each app or website to use location data. Users can turn Location Services off at any time, and can change whether apps have access to location at any time. The user’s choices include precise vs. approximate location, as well as a one-time grant of location access by the app.

“We believe that privacy is a fundamental human right, and build privacy protections into each of our products and services to put the user in control of their data,” an Apple spokesperson said. “We minimize personal data collection, and where possible, process data only on users’ devices.”

Zach Edwards is a senior threat analyst at the cybersecurity firm SilentPush who has studied the location data industry closely. Edwards said Google and Apple can’t keep pretending like the MAIDs being broadcast into the bidstream from hundreds of millions of American devices aren’t making most people trivially trackable.

“The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem,” he said.

STATES ACT, WHILE CONGRESS DITHERS

According to Bloomberg Law, between 2019 and 2023, threats against federal judges have more than doubled. Amid increasingly hostile political rhetoric and conspiracy theories against government officials, a growing number of states are seeking to pass their own versions of Daniel’s Law.

Last month, a retired West Virginia police officer filed a class action lawsuit against the people-search service Whitepages for listing their personal information in violation of a statute the state passed in 2021 that largely mirrors Daniel’s Law.

In May 2024, Maryland passed the Judge Andrew F. Wilkinson Judicial Security Act — named after a county circuit court judge who was murdered by an individual involved in a divorce proceeding over which he was presiding. The law allows current and former members of the Maryland judiciary to request their personal information not be made available to the public.

Under the Maryland law, personal information can include a home address; telephone number, email address; Social Security number or federal tax ID number; bank account or payment card number; a license plate or other unique vehicle identifier; a birth or marital record; a child’s name, school, or daycare; place of worship; place of employment for a spouse, child, or dependent.

The law firm Troutman Pepper writes that “so far in 2024, 37 states have begun considering or have adopted similar privacy-based legislation designed to protect members of the judiciary and, in some states, other government officials involved in law enforcement.”

Atlas alleges that in response to requests to have data on its New Jersey law enforcement clients scrubbed from consumer records sold by LexisNexis, the data broker retaliated by freezing the credit of approximately 18,500 people, and falsely reporting them as identity theft victims.

In addition, Atlas said LexisNexis started returning failure codes indicating they had no record of these individuals, resulting in denials when officers attempted to refinance loans or open new bank accounts.

The data broker industry has responded by having at least 70 of the Atlas lawsuits moved to federal court, and challenging the constitutionality of the New Jersey statute as overly broad and a violation of the First Amendment.

Attorneys for the data broker industry argued in their motion to dismiss that there is “no First Amendment doctrine that exempts a content-based restriction from strict scrutiny just because it has some nexus with a privacy interest.”

Atlas’s lawyers responded that data covered under Daniel’s Law — personal information of New Jersey law enforcement officers — is not free speech. Atlas notes that while defending against comparable lawsuits, the data broker industry has argued that home address and phone number data are not “communications.”

“Data brokers should not be allowed to argue that information like addresses are not ‘communications’ in one context, only to turn around and claim that addresses are protectable communications,” Atlas argued (PDF). “Nor can their change of course alter the reality that the data at issue is not speech.”

The judge overseeing the challenge is expected to rule on the motion to dismiss within the next few weeks. Regardless of the outcome, the decision is likely to be appealed all the way to the U.S. Supreme Court.

Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states could limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.

Sen. Ron Wyden (D-Ore.) said Congress’ failure to regulate data brokers, and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created this current privacy crisis.

“Whether location data is being used to identify and expose closeted gay Americans, or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans’ deepest secrets and exposing them to serious harm, all for a few bucks,” Wyden said in a statement shared with KrebsOnSecurity, 404 Media, Haaretz, NOTUS, and The New York Times.

Sen. Wyden said Google also deserves blame for refusing to follow Apple’s lead by removing companies’ ability to track phones.

“Google’s insistence on uniquely tracking Android users – and allowing ad companies to do so as well – has created the technical foundations for the surveillance economy and the abuses stemming from it,” Wyden said.

Georgetown Law’s Justin Sherman said the data broker and mobile ad industries claim there are protections in place to anonymize mobile location data and restrict access to it, and that there are limits to the kinds of invasive inferences one can make from location data. The data broker industry also likes to tout the usefulness of mobile location data in fighting retail fraud, he said.

“All kinds of things can be inferred from this data, including people being targeted by abusers, or people with a particular health condition or religious belief,” Sherman said. “You can track jurors, law enforcement officers visiting the homes of suspects, or military intelligence people meeting with their contacts. The notion that the sale of all this data is preventing harm and fraud is hilarious in light of all the harm it causes enabling people to better target their cyber operations, or learning about people’s extramarital affairs and extorting public officials.”

WHAT CAN YOU DO?

Privacy experts say disabling or deleting your device’s MAID will have no effect on how your phone operates, except that you may begin to see far less targeted ads on that device.

Any Android apps with permission to use your location should appear when you navigate to the Settings app, Location, and then App Permissions. “Allowed all the time” is the most permissive setting, followed by “Allowed only while in use,” “Ask every time,” and “Not allowed.”

Android users can delete their ad ID permanently, by opening the Settings app and navigating to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. According to the EFF, this will prevent any app on your phone from accessing the ad ID in the future.

Image: eff.org

By default, Apple’s iOS requires apps to ask permission before they can access your device’s IDFA. When you install a new app, it may ask for permission to track you. When prompted to do so by an app, select the “Ask App Not to Track” option. Apple users also can set the “Allow apps to request to track” switch to the “off” position, which will block apps from asking to track you.

Apple’s Privacy and Ad Tracking Settings.

Apple also has its own targeted advertising system which is separate from third-party tracking enabled by the IDFA. To disable it, go to Settings, Privacy, and Apple Advertising, and ensure that the “Personalized Ads” setting is set to “off.”

Finally, if you’re the type of reader who’s the default IT support person for a small group of family or friends (bless your heart), it would be a good idea to set their devices not to track them, and to disable any apps that may have location data sharing turned on 24/7.

There is a dual benefit to this altruism, which is clearly in the device owner’s best interests. Because while your device may not be directly trackable via advertising data, making sure they’re opted out of said tracking also can reduce the likelihood that you are trackable simply by being physically close to those who are.

from Krebs on Security https://ift.tt/X7z6i5I
via IFTTT

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

USDoD’s InfraGard sales thread on Breached.

The Brazilian news outlet TV Globo first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.

USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” and according to the cyber intelligence platform Intel 471 NetSec posted a thread on the now-defunct cybercrime community RaidForums on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Techmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike.

CrowdStrike did not respond to a request for comment. But a week after Techmundo’s piece, the tech news publication hackread.com published a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com.

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.

Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.

“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.

Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.

from Krebs on Security https://ift.tt/kUryvC0
via IFTTT

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit PayPal the following month, followed by Twitter/X (Aug. 2023), and OpenAI (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the FBI and the Department of State.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omed brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the U.S. Department of Justice says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service Telegram, and marketed its DDoS service by several names, including “Skynet,” “InfraShutdown,” and the “Godzilla botnet.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

Amazon was among many companies credited with helping the government in its investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm CrowdStrike said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the Cedars-Sinai Hospital in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

from Krebs on Security https://ift.tt/m0StL1X
via IFTTT

The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later — while out house-hunting in a brand new Lamborghini. Prosecutors say the couple was beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom.

Image: ABC7NY.  youtube.com/watch?v=xoiaGzwrunY

Late in the afternoon of Aug. 25, 2024 in Danbury, Ct., a married couple in their 50s pulled up to a gated community in a new Lamborghini Urus (investigators say the sports car still had temporary tags) when they were intentionally rear-ended by a Honda Civic.

A witness told police they saw three men exit a van that was following the Honda, and said the men began assaulting the couple and forcing them into the van. Local police officers spotted the van speeding from the scene and pursued it, only to find the vehicle crashed and abandoned a short distance away.

Inside the disabled van the police found the couple with their hands and feet bound in duct tape, the man visibly bruised after being assaulted with a baseball bat. Danbury police soon reported arresting six suspects in the kidnapping, all men aged 18-26 from Florida. They also recovered the abandoned Lamborghini from a wooded area.

A criminal complaint (PDF) filed on Sept. 24 against the six men does not name the victims, referring to them only as a married couple from Danbury with the initials R.C. and S.C. But prosecutors in Connecticut said they were targeted “because the co-conspirators believed the victims’ son had access to significant amounts of digital currency.”

What made the Miami men so convinced R.C. and S.C.’s son was loaded with cryptocurrency? Approximately one week earlier, on Aug. 19, a group of cybercriminals that allegedly included the couple’s son executed a sophisticated phone-based social engineering attack in which they stole $243 million worth of cryptocurrency from a victim in Washington, D.C.

That’s according to ZachXBT, a frequently cited crypto crime investigator who published a lengthy thread that broke down how the theft was carried out and ultimately exposed by the perpetrators themselves.

ZachXBT’s post included a screen recording of a Discord chat session made by one of the participants to the $243 million robbery, noting that two of the people involved managed to leak the username of the Microsoft Windows PCs they were using to participate in the chat.

One of the usernames leaked during the chat was Veer Chetal. According to ZachXBT, that name corresponds to a 19-year-old from Danbury who allegedly goes by the nickname “Wiz,” although in the leaked video footage he allegedly used the handle “Swag.”  Swag was reportedly involved in executing the early stages of the crypto heist — gaining access to the victim’s Gmail and iCloud accounts.

A still shot from a video screenshare in which one of the participants on the Discord voice chat used the Windows username Veer Chetal. Image: x.com/zachxbt

The same day ZachXBT published his findings, a criminal indictment was issued in Washington D.C. charging two of the men he named as involved in the heist. Prosecutors allege Malone “Greavys” Lam, 20, of Miami and Los Angeles, and Jeandiel “Box” Serrano, 21, of Los Angeles conspired to steal and launder over $230 million in cryptocurrency from a victim in Washington, D.C. The indictment alleges Lam and Serrano were helped by other unnamed co-conspirators.

“Lam and Serrano then allegedly spent the laundered cryptocurrency proceeds on international travel, nightclubs, luxury automobiles, watches, jewelry, designer handbags, and rental homes in Los Angeles and Miami,” reads a press release from the U.S. Department of Justice.

By tracing the flow of funds stolen in the heist, ZachXBT concluded that Wiz received a large percentage from the theft, noting that “additional comfort [in naming him as involved] was gained as throughout multiple recordings accomplices refer to him as ‘Veer’ on audio and in chats.”

“A cluster of [cryptocurrency] addresses tied to both Box/Wiz received $41M+ from two exchanges over the past few weeks primarily flowing to luxury goods brokers to purchase cars, watches, jewelry, and designer clothes,” ZachXBT wrote.

KrebsOnSecurity sought comment from Veer Chetal, and from his parents — Radhika Chetal and Suchil Chetal. This story will be updated in the event that anyone representing the Chetal family responds. Veer Chetal has not been publicly charged with any crime.

According to a news brief published by a private Catholic high school in Danbury that Veer Chetal attended, in 2022 he successfully completed Harvard’s Future Lawyers Program, a “unique pre-professional program where students, guided by qualified Harvard undergraduate instructors, learn how to read and build a case, how to write position papers, and how to navigate a path to law school.” A November 2022 story at patch.com quoted Veer Chetal (class of 2024) crediting the Harvard program with his decision to pursue a career in law.

It remains unclear which Chetal family member acquired the 2023 Lamborghini Urus, which has a starting price of around $233,000. Sushil Chetal’s LinkedIn profile says he is a vice president at the investment bank Morgan Stanley.

It is clear that other alleged co-conspirators to the $243 million heist displayed a conspicuous consumption of wealth following the date of the heist. ZachXBT’s post chronicled Malone’s flashy lifestyle, in which he allegedly used the stolen money to purchase more than 10 vehicles, rent palatial properties, travel with friends on chartered jets, and spend between $250,000 and $500,000 a night at clubs in Los Angeles and Miami.

In the photo on the bottom right, Greavys/Lam is the individual on the left wearing shades. They are pictured leaving a luxury goods store. Image: x.com/zachxbt

WSVN-TV in Miami covered an FBI raid of a large rented Miami waterfront home around the time Malone and Serrano were arrested. The news station interviewed a neighbor of the home’s occupants, who reported a recent large party at the residence wherein the street was lined with high-end luxury vehicles — all of them with temporary paper tags.

ZachXBT unearthed a video showing a person identified as Wiz at a Miami nightclub earlier this year, wherein they could be seen dancing to the crowd’s chants while holding an illuminated sign with the message, “I win it all.”

It appears that all of the suspects in the cyber heist (and at least some of the alleged carjackers) are members of The Com, an archipelago of crime-focused chat communities which collectively functions as a kind of distributed cybercriminal social network that facilitates instant collaboration.

As documented in last month’s deep dive on top Com members,  The Com is also a place where cybercriminals go to boast about their exploits and standing within the community, or to knock others down a peg or two. Prominent Com members are endlessly sniping over who pulled off the most impressive heists, or who has accumulated the biggest pile of stolen virtual currencies.

And as often as they extort and rob victims for financial gain, members of The Com are trying to wrest stolen money from their cybercriminal rivals — often in ways that spill over into physical violence in the real world.

One of the six Miami-area men arrested in the carjacking and extortion plot gone awry — Reynaldo “Rey” Diaz — was shot twice while parked in his bright yellow Corvette in Miami’s design district in 2022. In an interview with a local NBC television station, Diaz said he was probably targeted for the jewelry he was wearing, which he described as “pretty expensive.”

KrebsOnSecurity has learned Diaz also went by the alias “Pantic” on Telegram chat channels dedicated to stealing cryptocurrencies. Pantic was known for participating in several much smaller cyber heists in the past, and spending most of his cut on designer clothes and jewelry.

The Corvette that Diaz was sitting in when he was shot in 2022. Image: NBC 6, South Florida.

Earlier this year, Diaz was “doxed,” or publicly outed as Pantic, with his personal and family information posted on a harassment and extortion channel frequented by members of The Com. The reason cited for Pantic’s doxing was widely corroborated by multiple Com members: Pantic had inexplicably robbed two close friends at gunpoint, one of whom recently died of a drug overdose.

Government prosecutors say the brazen daylight carjacking was paid for and organized by 23-year-old Miami resident Angel “Chi Chi” Borrero. In 2022, Borrero was arrested in Miami for aggravated assault with a deadly weapon.

The six Miami men face charges including first-degree assault, kidnapping and reckless endangerment, and five of them are being held on a $1 million bond. One suspect is also charged with reckless driving, engaging police in pursuit and evading responsibility; his bond was set at $2 million. Lam and Serrano are each charged with conspiracy to commit wire fraud and conspiracy to launder money.

Cybercriminals hail from all walks of life and income levels, but some of the more accomplished cryptocurrency thieves also tend to be among the more privileged, and from relatively well-off families. In other words, these individuals aren’t stealing to put food on the table: They’re doing it so they can amass all the trappings of instant wealth, and so they can boast about their crimes to others on The Com.

There is also a penchant among this crowd to call attention to their activities in conspicuous ways that hasten their arrest and criminal charging. In many ways, the story arc of the young men allegedly involved in the $243 million heist tracks closely to that of Joel Ortiz, a valedictorian who was sentenced in 2019 to 10 years in prison for stealing more than $5 million in cryptocurrencies.

Ortiz famously posted videos of himself and co-conspirators chartering flights and partying it up at LA nightclubs, with scantily clad women waving giant placards bearing their “OG” usernames — highly-prized, single-letter social media accounts that they’d stolen or purchased stolen from others.

Ortiz earned the distinction of being the first person convicted of SIM-swapping, a crime that involves using mobile phone company insiders or compromised employee accounts to transfer a target’s phone number to a mobile device controlled by the attackers. From there, the attacker can intercept any password reset links, and any one-time passcodes sent via SMS or automated voice calls.

But as the mobile carriers seek to make their networks less hospitable to SIM-swappers, and as more financial platforms seek to harden user account security, today’s crypto thieves are finding they don’t need SIM-swaps to steal obscene amounts of cryptocurrency. Not when tricking people over the phone remains such an effective approach.

According to ZachXBT, the crooks responsible for the $243 million theft initially compromised the target’s personal accounts after calling them as Google Support and using a spoofed number. The attackers also spoofed a call from account support representatives at the cryptocurrency exchange Gemini, claiming the target’s account had been hacked.

From there the target was social engineered over the phone into resetting multi-factor authentication and sending Gemini funds to a compromised wallet. ZachXBT says the attackers also convinced the victim to use AnyDesk to share their screen, and in doing so the victim leaked their private keys.

from Krebs on Security https://ift.tt/8sHXIES
via IFTTT

Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools.

One of the zero-day flaws — CVE-2024-43573 — stems from a security weakness in MSHTML, the proprietary engine of Microsoft’s Internet Explorer web browser. If that sounds familiar it’s because this is the fourth MSHTML vulnerability found to be exploited in the wild so far in 2024.

Nikolas Cemerikic, a cybersecurity engineer at Immersive Labs, said the vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate thanks to the way Windows handles certain web elements.

“Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services,” he said.

Cemerikic noted that while Internet Explorer is being retired on many platforms, its underlying MSHTML technology remains active and vulnerable.

“This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online,” he said.

Probably the more serious zero-day this month is CVE-2024-43572, a code execution bug in the Microsoft Management Console, a component of Windows that gives system administrators a way to configure and monitor the system.

Satnam Narang, senior staff research engineer at Tenable, observed that the patch for CVE-2024-43572 arrived a few months after researchers at Elastic Security Labs disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges.

“Although Microsoft patched a different MMC vulnerability in September (CVE-2024-38259) that was neither exploited in the wild nor publicly disclosed,” Narang said. “Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system.”

Microsoft also patched Office, Azure, .NET, OpenSSH for Windows; Power BI; Windows Hyper-V; Windows Mobile Broadband, and Visual Studio. As usual, the SANS Internet Storm Center has a list of all Microsoft patches released today, indexed by severity and exploitability.

Late last month, Apple rolled out macOS 15, an operating system update called Sequoia that broke the functionality of security tools made by a number of vendors, including CrowdStrike, SentinelOne and Microsoft. On Oct. 7, Apple pushed an update to Sequoia users that addresses these compatibility issues.

Finally, Adobe has released security updates to plug a total of 52 vulnerabilities in a range of software, including Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and Adobe FrameMaker.

Please consider backing up important data before applying any updates. Zero-days aside, there’s generally little harm in waiting a few days to apply any pending patches, because not infrequently a security update introduces stability or compatibility issues. AskWoody.com usually has the skinny on any problematic patches.

And as always, if you run into any glitches after installing patches, leave a note in the comments; chances are someone else is stuck with the same issue and may have even found a solution.

from Krebs on Security https://ift.tt/sOhbt4q
via IFTTT

Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape.

Image: Shutterstock.

Researchers at security firm Permiso Security say attacks against generative artificial intelligence (AI) infrastructure like Bedrock from Amazon Web Services (AWS) have increased markedly over the last six months, particularly when someone in the organization accidentally exposes their cloud credentials or key online, such as in a code repository like GitHub.

Investigating the abuse of AWS accounts for several organizations, Permiso found attackers had seized on stolen AWS credentials to interact with the large language models (LLMs) available on Bedrock. But they also soon discovered none of these AWS users had enabled logging (it is off by default), and thus they lacked any visibility into what attackers were doing with that access.

So Permiso researchers decided to leak their own test AWS key on GitHub, while turning on logging so that they could see exactly what an attacker might ask for, and what the responses might be.

Within minutes, their bait key was scooped up and used to power a service that offers AI-powered sex chats online.

“After reviewing the prompts and responses it became clear that the attacker was hosting an AI roleplaying service that leverages common jailbreak techniques to get the models to accept and respond with content that would normally be blocked,” Permiso researchers wrote in a report released today.

“Almost all of the roleplaying was of a sexual nature, with some of the content straying into darker topics such as child sexual abuse,” they continued. “Over the course of two days we saw over 75,000 successful model invocations, almost all of a sexual nature.”

Ian Ahl, senior vice president of threat research at Permiso, said attackers in possession of a working cloud account traditionally have used that access for run-of-the-mill financial cybercrime, such as cryptocurrency mining or spam. But over the past six months, Ahl said, Bedrock has emerged as one of the top targeted cloud services.

“Bad guy hosts a chat service, and subscribers pay them money,” Ahl said of the business model for commandeering Bedrock access to power sex chat bots. “They don’t want to pay for all the prompting that their subscribers are doing, so instead they hijack someone else’s infrastructure.”

Ahl said much of the AI-powered chat conversations initiated by the users of their honeypot AWS key were harmless roleplaying of sexual behavior.

“But a percentage of it is also geared toward very illegal stuff, like child sexual assault fantasies and rapes being played out,” Ahl said. “And these are typically things the large language models won’t be able to talk about.”

AWS’s Bedrock uses large language models from Anthropic, which incorporates a number of technical restrictions aimed at placing certain ethical guardrails on the use of their LLMs. But attackers can evade or “jailbreak” their way out of these restricted settings, usually by asking the AI to imagine itself in an elaborate hypothetical situation under which its normal restrictions might be relaxed or discarded altogether.

“A typical jailbreak will pose a very specific scenario, like you’re a writer who’s doing research for a book, and everyone involved is a consenting adult, even though they often end up chatting about nonconsensual things,” Ahl said.

In June 2024, security experts at Sysdig documented a new attack that leveraged stolen cloud credentials to target ten cloud-hosted LLMs. The attackers Sysdig wrote about gathered cloud credentials through a known security vulnerability, but the researchers also found the attackers sold LLM access to other cybercriminals while sticking the cloud account owner with an astronomical bill.

“Once initial access was obtained, they exfiltrated cloud credentials and gained access to the cloud environment, where they attempted to access local LLM models hosted by cloud providers: in this instance, a local Claude (v2/v3) LLM model from Anthropic was targeted,” Sysdig researchers wrote. “If undiscovered, this type of attack could result in over $46,000 of LLM consumption costs per day for the victim.”

Ahl said it’s not certain who is responsible for operating and selling these sex chat services, but Permiso suspects the activity may be tied to a platform cheekily named “chub[.]ai,” which offers a broad selection of pre-made AI characters with whom users can strike up a conversation. Permiso said almost every character name from the prompts they captured in their honeypot could be found at Chub.

Some of the AI chat bot characters offered by Chub. Some of these characters include the tags “rape” and “incest.”

Chub offers free registration, via its website or a mobile app. But after a few minutes of chatting with their newfound AI friends, users are asked to purchase a subscription. The site’s homepage features a banner at the top that strongly suggests the service is reselling access to existing cloud accounts. It reads: “Banned from OpenAI? Get unmetered access to uncensored alternatives for as little as $5 a month.”

Until late last week Chub offered a wide selection of characters in a category called “NSFL” or Not Safe for Life, a term meant to describe content that is disturbing or nauseating to the point of being emotionally scarring.

Fortune profiled Chub AI in a January 2024 story that described the service as a virtual brothel advertised by illustrated girls in spaghetti strap dresses who promise a chat-based “world without feminism,” where “girls offer sexual services.” From that piece:

Chub AI offers more than 500 such scenarios, and a growing number of other sites are enabling similar AI-powered child pornographic role-play. They are part of a broader uncensored AI economy that, according to Fortune’s interviews with 18 AI developers and founders, was spurred first by OpenAI and then accelerated by Meta’s release of its open-source Llama tool.

Fortune says Chub is run by someone using the handle “Lore,” who said they launched the service to help others evade content restrictions on AI platforms. Chub charges fees starting at $5 a month to use the new chatbots, and the founder told Fortune the site had generated more than $1 million in annualized revenue.

KrebsOnSecurity sought comment about Permiso’s research from AWS, which initially seemed to downplay the seriousness of the researchers’ findings. The company noted that AWS employs automated systems that will alert customers if their credentials or keys are found exposed online.

AWS explained that when a key or credential pair is flagged as exposed, it is then restricted to limit the amount of abuse that attackers can potentially commit with that access. For example, flagged credentials can’t be used to create or modify authorized accounts, or spin up new cloud resources.

Ahl said Permiso did indeed receive multiple alerts from AWS about their exposed key, including one that warned their account may have been used by an unauthorized party. But they said the restrictions AWS placed on the exposed key did nothing to stop the attackers from using it to abuse Bedrock services.

Sometime in the past few days, however, AWS responded by including Bedrock in the list of services that will be quarantined in the event an AWS key or credential pair is found compromised or exposed online. AWS confirmed that Bedrock was a new addition to its quarantine procedures.

Additionally, not long after KrebsOnSecurity began reporting this story, Chub’s website removed its NSFL section. It also appears to have removed cached copies of the site from the Wayback Machine at archive.org. Still, Permiso found that Chub’s user stats page shows the site has more than 3,000 AI conversation bots with the NSFL tag, and that 2,113 accounts were following the NSFL tag.

The user stats page at Chub shows more than 2,113 people have subscribed to its AI conversation bots with the “Not Safe for Life” designation.

Permiso said their entire two-day experiment generated a $3,500 bill from AWS. Some of that cost was tied to the 75,000 LLM invocations caused by the sex chat service that hijacked their key. But they said the remaining cost was a result of turning on LLM prompt logging, which is not on by default and can get expensive very quickly.

Which may explain why none of Permiso’s clients had that type of logging enabled. Paradoxically, Permiso found that while enabling these logs is the only way to know for sure how crooks might be using a stolen key, the cybercriminals who are reselling stolen or exposed AWS credentials for sex chats have started including programmatic checks in their code to ensure they aren’t using AWS keys that have prompt logging enabled.

“Enabling logging is actually a deterrent to these attackers because they are immediately checking to see if you have logging on,” Ahl said. “At least some of these guys will totally ignore those accounts, because they don’t want anyone to see what they’re doing.”

In a statement shared with KrebsOnSecurity, AWS said its services are operating securely, as designed, and that no customer action is needed. Here is their statement:

“AWS services are operating securely, as designed, and no customer action is needed. The researchers devised a testing scenario that deliberately disregarded security best practices to test what may happen in a very specific scenario. No customers were put at risk. To carry out this research, security researchers ignored fundamental security best practices and publicly shared an access key on the internet to observe what would happen.”

“AWS, nonetheless, quickly and automatically identified the exposure and notified the researchers, who opted not to take action. We then identified suspected compromised activity and took additional action to further restrict the account, which stopped this abuse. We recommend customers follow security best practices, such as protecting their access keys and avoiding the use of long-term keys to the extent possible. We thank Permiso Security for engaging AWS Security.”

AWS said customers can configure model invocation logging to collect Bedrock invocation logs, model input data, and model output data for all invocations in the AWS account used in Amazon Bedrock. Customers can also use CloudTrail to monitor Amazon Bedrock API calls.

The company said AWS customers also can use services such as GuardDuty to detect potential security concerns and Billing Alarms to provide notifications of abnormal billing activity. Finally, AWS Cost Explorer is intended to give customers a way to visualize and manage Bedrock costs and usage over time.

Anthropic told KrebsOnSecurity it is always working on novel techniques to make its models more resistant to the kind of jailbreaks.

“We remain committed to implementing strict policies and advanced techniques to protect users, as well as publishing our own research so that other AI developers can learn from it,” Anthropic said in an emailed statement. “We appreciate the research community’s efforts in highlighting potential vulnerabilities.”

Anthropic said it uses feedback from child safety experts at Thorn around signals often seen in child grooming to update its classifiers, enhance its usage policies, fine tune its models, and incorporate those signals into testing of future models.

from Krebs on Security https://ift.tt/Xyzq04g
via IFTTT

A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the man’s alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.

A photo released by the government allegedly showing Iza posing with several LASD officers on his payroll.

An indictment (PDF) unsealed last week said the Federal Bureau of Investigation (FBI) has been investigating Los Angeles resident Adam Iza. Also known as “Assad Faiq” and “The Godfather,” Iza is the 30-something founder of a cryptocurrency investment platform called Zort that advertised the ability to make smart trades based on artificial intelligence technology.

But the feds say investors in Zort soon lost their shorts, after Iza and his girlfriend began spending those investments on Lamborghinis, expensive jewelry, vacations, a $28 million home in Bel Air, even cosmetic surgery to extend the length of his legs.

The indictment states the FBI started looking at Iza after receiving multiple reports that he had on his payroll several active deputies with the Los Angeles Sheriff’s Department (LASD). Iza’s attorney did not immediately respond to requests for comment.

The complaint cites a letter from an attorney for a victim referenced only as “E.Z.,” who was seeking help related to an extortion and robbery allegedly committed by Iza. The government says that in March 2022, three men showed up at E.Z.’s home, and tried to steal his laptop in an effort to gain access to E.Z. cryptocurrency holdings online. A police report referenced in the complaint says three intruders were scared off when E.Z. fired several handgun rounds in the direction of his assailants.

The FBI later obtained a copy of a search warrant executed by LASD deputies in January 2022 for GPS location information on a phone belonging to E.Z., which shows an LASD deputy unlawfully added E.Z.’s mobile number to a list of those associated with an unrelated firearms investigation.

“Damn my guy actually filed the warrant,” Iza allegedly texted someone after the location warrant was entered. “That’s some serious shit to do for someone….risking a 24 years career. I pay him 280k a month for complete resources. They’re active-duty.”

The FBI alleges LASD officers had on several previous occasions tried to kidnap and extort E.Z. at Iza’s behest. The complaint references a November 2021 incident wherein Iza and E.Z. were in a car together when Iza asked to stop and get snacks at a convenience store. While they were still standing next to the car, a van with several armed LASD deputies showed up and tried to force E.Z. to hand over his phone. E.Z. escaped unharmed, and alerted 911.

E.Z. appears to be short for Enzo Zelocchi, a self-described “actor” who was featured in an ABC News story about a home invasion in Los Angeles around that same time, in which Zelocchi is quoted as saying at least two men tried to rob him at gunpoint (we’ll revisit Zelocchi’s acting credits in a moment).

One of many self portraits published on the Instagram account of Enzo Zelocchi.

The indictment makes frequent references to a co-conspirator of Iza (“CC-1”) — his girlfriend at the time — who allegedly helped Iza run his businesses and spend the millions plunked down by Zort investors. We know what E.Z. stands for because Iza’s girlfriend then was a woman named Iris Au, and in November 2022 she sued Zelocchi for allegedly stealing Iza’s laptop.

Iza’s indictment says he also harassed a man identified only as T.W., and refers to T.W. as one of two Americans currently incarcerated in the Philippines for murder. In December 2018, a then 21-year-0ld Troy Woody Jr. was arrested in Manilla after he was spotted dumping the body of his dead girlfriend Tomi Masters into a local river.

Woody is accused of murdering Masters with the help of his best friend and roommate at the time: Mir Islam, a.k.a. “JoshTheGod,” referred to in the Iza complaint as “M.I.” Islam and Woody were both core members of UGNazi, a hacker collective that sprang up in 2012 and claimed credit for hacking and attacking a number of high-profile websites.

In June 2016, Islam was sentenced to a year in prison for an impressive array of crimes, including stalking people online and posting their personal data on the Internet. Islam also pleaded guilty to reporting dozens of phony bomb threats and fake hostage situations at the homes of celebrities and public officials (Islam participated in a swatting attack against this author in 2013).

Troy Woody Jr. (left) and Mir Islam, are currently in prison in the Philippines for murder.

In December 2022, Troy Woody Jr. sued Iza, Zelocchi and Zort, alleging (PDF) Iza and Zelocchi were involved in a 2018 home invasion at his residence, wherein Woody claimed his assailants stole laptops and phones containing more than $200 million in cryptocurrencies.

Woody’s complaint states that Masters also was present during his 2018 home invasion, as was another core UGNazi member: Eric “CosmoTheGod” Taylor. CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed[dot]su, which published the address, Social Security numbers and other personal information of public figures, including the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general. The group also swatted many of the people they doxed.

Exposed was built with the help of identity information obtained and/or stolen from ssndob dot ru.

In 2017, Taylor was sentenced to three years probation for participating in multiple swatting attacks, including the one against my home in 2013.

Iza’s indictment says the FBI interviewed Woody in Manilla where he is currently incarcerated, and learned that Iza has been harassing him about passwords that would unlock access to cryptocurrencies. The FBI’s complaint leaves open the question of how Woody and Islam got the phones in the first place, but the implication is that Iza may have instigated the harassment by having mobile phones smuggled to the prisoners.

The government suggests its case against Iza was made possible in part thanks to Iza’s propensity for ripping off people who worked for him. The indictment cites information provided by a private investigator identified only as “K.C.,” who said Iza hired him to surveil Zelocchi but ultimately refused to pay him for much of the work.

K.C. stands for Kenneth Childs, who in 2022 sued Iris Au and Zort (PDF) for theft by deception and commercial disparagement, after it became clear his private eye services were being used as part of a scheme by the Zort founders to intimidate and extort others. Childs’ complaint says Iza ultimately clawed back tens of thousands of dollars in payments he’d previously made as part of their contract.

The government also included evidence provided by an associate of Iza’s — named only as “R.C.” — who was hired to throw a party at Iza’s home. According to the feds, Iza paid the associate $50,000 to craft the event to his liking, but on the day of the party Iza allegedly told R.C. he was unhappy with the event and demanded half of his money back.

When R.C. balked, Iza allegedly surrounded the man with armed LASD officers, who then extracted the payment by seizing his phone. The indictment claims Iza kept R.C.’s phone and spent the remainder of his bank balance.

A photo Iza allegedly sent to Tassilo Heinrich immediately after Heinrich’s arrest on unsubstantiated drug charges.

The FBI said that after the incident at the party, Iza had his bribed sheriff deputies to pull R.C. over and arrest him on phony drug charges. The complaint includes a photo of R.C. being handcuffed by the police, which the feds say Iza sent to R.C. in order to intimidate him even further. The drug charges were later dismissed for lack of evidence.

The government alleges Iza and Au paid the LASD officers using Zelle transfers from accounts tied to two different entities incorporated by one or both of them: Dream Agency and Rise Agency. The complaint further alleges that these two entities were the beneficiaries of a business that sold hacked and phished Facebook advertising accounts, and bribed Facebook employees to unblock ads that violated its terms of service.

The complaint says Iza ran this business with another individual identified only as “T.H.,” and that at some point T.H. had some personal problems and checked himself into rehab. T.H. told the FBI that Iza responded by stealing his laptop and turning his associate in to the government.

KrebsOnSecurity has learned that T.H. in this case is Tassilo Heinrich, a man indicted in 2022 for hacking into the e-commerce platform Shopify, and leaking the user database for Ledger, a company that makes hardware wallets for storing cryptocurrencies.

Heinrich pleaded guilty in 2022 and was sentenced to time served, three years of supervised release, and ordered to pay restitution to Shopify. Upon his release from custody, Heinrich told the FBI that Iza was still using his account at the public screenshot service Gyazo to document communications regarding his alleged bribing of LASD officers.

Prosecutors say Iza and Au portrayed themselves as glamorous and wealthy individuals who were successful social media influencers, but that most of that was a carefully crafted facade designed to attract investment from cryptocurrency enthusiasts. Meanwhile, the U.K. tabloids reported this summer that Au was dating Davide Sanclimenti, the 2022 co-winner on the dating reality show Love Island.

Au was featured on the July 2024 cover of “Womenpreneur Middle East.”

Recall that we promised to revisit Mr. Zelocchi’s claimed acting credits. Despite being briefly listed on the Internet Movie Data Base (imdb.com) as the most awarded science fiction actor of all time, it’s not clear whether Mr. Zelocchi has starred in any real movies.

Earlier this year, an Internet sleuth on Youtube showed that even though Zelocchi’s IMDB profile has him earning more awards than most other actors on the platform (here he is holding a Youtube top viewership award), Zelocchi is probably better known as the director of the movie once rated the absolute worst sci-fi flick on IMDB: A 2015 work called “Angel’s Apocalypse.” Most of the video shorts on Zelocchi’s Instagram page appear to be short clips, some of which look more like a commercial for men’s cologne than a clip from a real movie.

A Reddit post from a year ago calling attention to Zelocchi’s sci-fi film Angel’s Apocalypse somehow earning more audience votes than any other movie in the same genre.

In many ways, the crimes described in this indictment and the various related civil lawsuits would prefigure a disturbing new trend within English-speaking cybercrime communities that has bubbled up in the past few years: The emergence of “violence-as-as-service” offerings that allow cybercriminals to anonymously extort and intimidate their rivals.

Found on certain Telegram channels are solicitations for IRL or “In Real Life” jobs, wherein people hire themselves out as willing to commit a variety of physical attacks in their local geographic area, such as slashing tires, firebombing a home, or tossing a brick through someone’s window.

Many of the cybercriminals in this community have stolen tens of millions of dollars worth of cryptocurrency, and can easily afford to bribe police officers. KrebsOnSecurity would expect to see more of this in the future as young, crypto-rich cybercriminals seek to corrupt people in authority to their advantage.

from Krebs on Security https://ift.tt/NIxYfmR
via IFTTT

The United States today unveiled sanctions and indictments against the alleged proprietor of Joker’s Stash, a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The government also indicted and sanctioned a top Russian cybercriminal known as Taleon, whose cryptocurrency exchange Cryptex has evolved into one of Russia’s most active money laundering networks.

A 2016 screen shot of the Joker’s Stash homepage. The links have been redacted.

The U.S. Department of Justice (DOJ) today unsealed an indictment against a 38-year-old man from Novosibirsk, Russia for allegedly operating Joker’s Stash, an extremely successful carding shop that came online in late 2014. Joker’s sold cards stolen in a steady drip of breaches at U.S. retailers, including Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle, Wawa, Sonic Drive-In, the Hy-Vee supermarket chain, Buca Di Beppo, and Dickey’s BBQ.

The government believes the brains behind Joker’s Stash is Timur Kamilevich Shakhmametov, an individual who is listed in Russian incorporation documents as the owner of Arpa Plus, a Novosibirsk company that makes mobile games.

Early in his career (circa 2000) Shakhmametov was known as “v1pee” and was the founder of the Russian hacker group nerf[.]ru, which periodically published hacking tools and exploits for software vulnerabilities.

The Russian hacker group Nerf as described in a March 2006 article in the Russian hacker magazine xakep.ru.

By 2004, v1pee had adopted the moniker “Vega” on the exclusive Russian language hacking forum Mazafaka, where this user became one of the more reliable vendors of stolen payment cards.

In the years that followed, Vega would cement his reputation as a top carder on other forums, including Verified, DirectConnection, and Carder[.]pro.

Vega also became known as someone who had the inside track on “unlimited cashouts,” a globally coordinated cybercrime scheme in which crooks hack a bank or payment card processor and use cloned cards at cash machines to rapidly withdraw millions of dollars in just a few hours.

“Hi, there is work on d+p, unlimited,” Vega wrote in a private message to another user on Verified in Dec. 2012, referring to “dumps and PINs,” the slang term for stolen debit cards with the corresponding PINs that would allow ATM withdrawals.

This batch of some five million cards put up for sale Sept. 26, 2017 on the now-defunct carding site Joker’s Stash has been tied to a breach at Sonic Drive-In.

Joker’s Stash came online in the wake of several enormous card breaches at retailers like Target and Home Depot, and the resulting glut of inventory had depressed prices for stolen cards. But Joker’s would distinguish itself by catering to high-roller customers — essentially street gangs in the United States that would purchase thousands of stolen payment cards in one go.

Faced with a buyer’s market, Joker’s Stash set themselves apart by focusing on loyalty programs, frequent buyer discounts, money-back guarantees, and just plain good customer service. Big spenders were given access to the most freshly hacked payment cards, and were offered the ability to get free replacement cards if any turned out to be duds.

Joker’s Stash also was unique because it claimed to sell only payment cards that its own hackers had stolen directly from merchants. At the time, card shops typically resold payment cards that were stolen and supplied by many third-party hackers of unknown reliability or reputation.

In January 2021, Joker’s Stash announced it was closing up shop, after European authorities seized a number of servers for the fraud store, and its proprietor came down with the Coronavirus.

Prosecutors allege Joker’s Stash earned revenues of at least $280 million, but possibly more than $1 billion (the broad range is a consequence of several variables, including the rapid fluctuation in the price of bitcoin and the stolen goods they were peddling).

TALEON

The proprietors of Joker’s Stash may have sold tens of millions of stolen payment cards, but Taleon is by far the bigger fish in this law enforcement action because his various cryptocurrency and cash exchanges have allegedly helped to move billions of dollars into and out of Russia over the past 20 years.

An indictment unsealed today names Taleon as Sergey Sergeevich Ivanov, 44, of Saint Petersburg, Russia. The government says Ivanov, who likely changed his surname from Omelnitskii at some point, laundered money for Joker’s Stash, among many other cybercrime stores.

In a statement today, the Treasury Department said Ivanov has laundered hundreds of millions of dollars’ worth of virtual currency for ransomware actors, initial access brokers, darknet marketplace vendors, and other criminal actors for approximately the last 20 years.

First appearing on Mazafaka in the early 2000s, Taleon was known on the forums as someone who could reliably move large amounts of physical cash. Sources familiar with the investigation said Taleon’s service emerged as one of the few remaining domestic cash delivery services still operating after Russia invaded Ukraine in Feb. 2022.

Taleon set up his service to facilitate transfers between Moscow, St. Petersburg and financial institutions in the West. Taleon’s private messages on some hacker forums have been leaked over the years and indexed by the cyber intelligence platform Intel 471. Those messages indicate Taleon worked on many of the same ATM cashouts as Vegas, so it’s clear the two had an established business relationship well before Joker’s Stash came into being.

Sometime around 2013, Taleon launched a partnership with a money transfer business called pm2btc[.]me. PM2BTC allowed customers to convert funds from the virtual currency Perfect Money (PM) into bitcoin, and then have the balance (minus a processing fee) available on a physical debit card that could be used at ATMs, for shopping online, or at retail stores.

A screenshot of a website reviewing PM2BTC.

The U.S. government itself set things in motion for Taleon’s nascent cryptocurrency exchange business in 2013 after the DOJ levied money laundering charges against the proprietors of Liberty Reserve, one of the largest virtual currencies in operation at the time.  Liberty Reserve was heavily used by cybercriminals of all stripes. The government said the service had more than a million users worldwide, and laundered in excess of $6 billion in suspected criminal proceeds.

In the days following the takedown of Liberty Reserve, KrebsOnSecurity ran a story that examined discussions across multiple top Russian cybercrime forums about where crooks could feel safe parking their stolen funds. The answer involved Bitcoin, but also Taleon’s new service.

UAPS

Part of the appeal of Taleon’s exchange was that it gave its vetted customers an “application programming interface” or API that made it simple for dodgy online shops selling stolen goods and cybercrime services to accept cryptocurrency deposits from their customers, and to manage payouts to any suppliers and affiliates.

This API is synonymous with a service Taleon and friends operate in the background called UAPS, short for “Universal Anonymous Payment System.” UAPS has gone by several other names including “Pinpays,” and in October 2014 it landed Joker’s Stash as its first big client.

A law enforcement source with knowledge of the investigation told KrebsOnSecurity that Taleon is a pilot who owns and flies around in his own helicopter.

Ivanov appears to have little to no social media presence, but the 40-year-old woman he lives with in St. Petersburg does, and she has a photo on her Vktontake page that shows the two of them in 2019 flying over Lake Ladoga, a large body of water directly north of St. Petersburg.

Sergey “Taleon” Ivanov (right) in 2019 in his helicopter with the woman he lives with, flying over a lake north of St. Petersburg, Russia.

BRIANS CLUB

In late 2015, a major competitor to Joker’s Stash emerged using UAPS for its back-end payments: BriansClub. BriansClub sullies this author’s name, photos and reputation to peddle millions of credit and debit cards stolen from merchants in the United States and around the world.

An ad for BriansClub has been using my name and likeness for years to peddle millions of stolen credit cards.

In 2019, someone hacked BriansClub and relieved the fraud shop of more than 26 million stolen payment cards — an estimated one-third of the 87 million payment card accounts that were on sale across all underground shops at that time. An anonymous source shared that card data with KrebsOnSecurity, which ultimately shared it with a consortium of financial institutions that issued most of the cards.

After that incident, the administrator of BriansClub changed the site’s login page so that it featured a copy of my phone bill, Social Security card, and a link to my full credit report [to this day, random cybercriminals confuse Yours Truly with the proprietor of BriansClub].

Alex Holden is founder of the Milwaukee-based cybersecurity firm Hold Security. Holden has long maintained visibility into cryptocurrency transactions made by BriansClub.

Holden said those records show BriansClub sells tens of thousands of dollars worth of stolen credit cards every day, and that in the last two years alone the BriansClub administrator has removed more than $242 million worth of cryptocurrency revenue from the UAPS platform.

The BriansClub login page, as it looked from late 2019 until recently.

Passive domain name system (DNS) records show that in its early days BriansClub shared a server in Lithuania along with just a handful of other domains, including secure.pinpays[.]com, the crime forum Verified, and a slew of carding shops operating under the banner Rescator.

As KrebsOnSecurity detailed in December 2023, the Rescator shops were directly involved in some of the largest payment card breaches of the past decade. Those include the 2013 breach at Target and the 2014 breach at Home Depot, intrusions that exposed more than 100 million payment card records.

CRYPTEX

In early 2018, Taleon and the proprietors of UAPS launched a cryptocurrency exchange called Cryptex[.]net that has emerged as a major mover of ill-gotten crypto coins.

Taleon reminds UAPS customers they will enjoy 0% commission and no “know your customer” (KYC) requirements “on our exchange Cryptex.”

Cryptex has been associated with quite a few ransomware transactions, including the largest known ransomware payment to date. In February 2024, a Fortune 50 ransomware victim paid a record $75 million ransom to a Russian cybercrime group that calls themselves the Dark Angels. A law enforcement source with knowledge of the investigation said an analysis of that payment shows roughly half of it was processed through Cryptex.

That law enforcement source provided a screen shot of Cryptex’s sending and receiving exposure as viewed by Chainalysis, a company the U.S. government and many cryptocurrency exchanges rely on to flag transactions associated with suspected money laundering, ransomware payouts, or facilitating payments for darknet websites.

Chainalysis finds that Cryptex has received more than $1.6 billion since its inception, and that this amount is roughly equal to its sending exposure (although the total number of outflows is nearly half of the inflows).

The graphic indicates a great deal of money flowing into Cryptex — roughly a quarter of it — is coming from bitcoin ATMs around the world. Experts say most of those ATM inflows to Cryptex are bitcoin ATM cash deposits from customers of carding websites like BriansClub and Jokers Stash.

A screenshot of Chainalysis’s summary of illicit activity on Cryptex since the exchange’s inception in 2018.

The indictments released today do not definitively connect Taleon to Cryptex. However, PM2BTC (which teamed up with Taleon to launch UAPS and Pinpays) and Cryptex have now been sanctioned by the U.S. Department of the Treasury.

Treasury’s Financial Crimes Enforcement Network (FinCEN) levied sanctions today against PM2BTC under a powerful new “Section 9714” authority included in the Combating Russian Money Laundering Act, changes enacted in 2022 to make it easier to target financial entities involved in laundering money for Russia.

Treasury first used this authority last year against Bitzlato, a cryptocurrency exchange operating in Russia that became a money laundering conduit for ransomware attackers and dark market dealers.

THE LAUNDROMAT

An investigation into the corporate entities behind UAPS and Cryptex reveals an organization incorporated in 2012 in Scotland called Orbest Investments LP. Records from the United Kingdom’s business registry show the owners of Orbest Investments are two entities: CS Proxy Solutions CY, and RM Everton Ltd.

Public business records further reveal that CS Proxy Solutions and RM Everton are co-owners of Progate Solutions, a holding company that featured prominently in a June 2017 report from Bellingcat and Transparency International (PDF) on money laundering networks tied to the Kremlin.

“Law enforcement agencies believe that the total amount laundered through this process could be as high as US$80 billion,” the joint report reads. “Although it is not clear where all of this money came from, investigators claim it includes significant amounts of money that were diverted from the Russian treasury and state contracts.”

Their story built on reporting published earlier that year by the Organized Crime and Corruption Project (OCCRP) and Novaya Gazeta, which found that at least US$20.8 billion was secretly moved out of Russia between 2010 and 2014 through a vast money laundering machine comprising over 5,000 legal entities known as “The Laundromat.”

Image: occrp.org

“Using company records, reporters tracked the names of some clients after executives refused to give them out,” the OCCRP report explains. “They found the heavy users of the scheme were rich and powerful Russians who had made their fortunes from dealing with the Russian state.”

Rich Sanders is a blockchain analyst and investigator who advises the law enforcement and intelligence community. Sanders just returned from a three-week sojourn through Ukraine, traveling with Ukrainian soldiers while mapping out dodgy Russian crypto exchanges that are laundering money for narcotics networks operating in the region. Sanders said today’s sanctions by the Treasury Department will likely have an immediate impact on Cryptex and its customers.

“Whenever an entity is sanctioned, the implications on-chain are immense,” Sanders told KrebsOnSecurity. “Regardless of whether an exchange is actually compliant or just virtue signals it, it is the case across the board that exchanges will pay attention to these sanctions.”

“This action shows these payment processors for illicit platforms will get attention eventually,” Sanders continued. “Even if it took way too long in this case, Cryptex knew the majority of their volume was problematic, knew why it was problematic, and did it anyway. And this should be a wake up call for other exchanges that know full well that most of their volume is problematic.”

from Krebs on Security https://ift.tt/VBwXI8d
via IFTTT