Telegram Becomes the New Dark Web, Here’s What Cybercriminals are Selling

Cybercrime trade on Telegram is exploding as cybercriminals take to the popular instant messaging app to buy, sell, and share stolen data and hacking tools. New research highlights that threat actors now consider Telegram their channel of choice for conducting business.

What is happening?

  • A joint study by Cyberint and Financial Times found that there has been a 100% rise in Telegram usage by cybercriminals.
  • A large number of hackers are using the messaging platform to share leaked data in groups or channels with thousands of subscribers.
  • Interestingly, the list of stolen emails and passwords that go by the terms ‘Email:pass’ and ‘Combo’ has risen fourfold over the past year.
  • In one incident, a channel named ‘Combolist’ with more than 47,000 subscribers was shut down after it was found to be a marketplace for stolen financial data, personal documents, malware, hacking guides, and online account credentials.
  • Other data traded on Telegram channels includes copies of passports, exploits, and credit card information.

What’s the reason?

The reason for the increased use of the platform among threat actors is attributed to a number of operational benefits:

  • Unlike the dark web, Telegram is a legitimate and easy-to-use service that isn’t blocked by antivirus engines or network management tools.
  • Attackers can remain anonymous as the registration process requires only a phone number.
  • In some cases, it’s easier to find buyers on Telegram which makes it more convenient for cybercriminals.
  • Moreover, Telegram’s communication features (bots and file transfer over an ordinary HTTPS API) enable attackers to exfiltrate data from victims’ PCs or transfer malicious files to infected machines.
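Because bot-driven exfiltration goes over plain HTTPS to api.telegram.org, the practical check is on the egress side. The following is an added example, not code from the article or from Cyberint: it scans constructed proxy log lines (timestamp, client IP, method, URL, bytes) for Telegram Bot API calls, which have the documented path shape /bot<id>:<token>/<method>, and reports hosts that push large uploads (sendDocument and friends) or poll getUpdates for operator tasking. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for this example (not from the original page).
# Fields: timestamp, client IP, HTTP method, URL, bytes sent.
SAMPLE_LOG = """\
2021-09-20T10:01:02Z 10.0.0.15 GET https://www.google.com/ 512
2021-09-20T10:01:05Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAE3xyz_exampleTOKEN-abc/sendDocument 2318400
2021-09-20T10:01:09Z 10.0.0.23 GET https://api.telegram.org/bot1234567890:AAE3xyz_exampleTOKEN-abc/getUpdates 210
2021-09-20T10:02:11Z 10.0.0.40 POST https://web.telegram.org/k/ 4096
2021-09-20T10:03:30Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAE3xyz_exampleTOKEN-abc/sendDocument 5120000
"""

# Bot API URLs embed the bot token as <bot_id>:<secret>; the method name follows.
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods that carry a file payload out of the network.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

def parse_line(line):
    ts, src, method, url, size = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "bytes": int(size)}

def find_bot_exfil(log_text, min_bytes=1_000_000):
    """Per source host: bot IDs seen, bytes pushed through upload methods, and
    getUpdates polls. Only hosts over the byte threshold or polling are returned.
    The token secret is deliberately not recorded in the findings."""
    findings = defaultdict(lambda: {"bot_ids": set(), "upload_bytes": 0, "polls": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = BOT_API.search(rec["url"])
        if not m:
            continue  # ordinary Telegram client/web traffic is not a Bot API call
        bot_id, _secret, api_method = m.groups()
        f = findings[rec["src"]]
        f["bot_ids"].add(bot_id)
        if api_method in EXFIL_METHODS:
            f["upload_bytes"] += rec["bytes"]
        elif api_method == "getUpdates":
            f["polls"] += 1  # C2 pattern: implant polling the bot for operator commands
    return {src: f for src, f in findings.items()
            if f["upload_bytes"] >= min_bytes or f["polls"]}

if __name__ == "__main__":
    for host, f in find_bot_exfil(SAMPLE_LOG).items():
        print(host, sorted(f["bot_ids"]), f["upload_bytes"], "bytes uploaded,", f["polls"], "polls")
```

This only works where TLS is terminated at the proxy or URLs are otherwise visible; with SNI-only visibility you can still flag api.telegram.org from hosts that have no business reason to talk to it, but you lose the method and token fields.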

Other malicious uses of Telegram

In the past months, researchers raised alarms to warn about the misuse of Telegram by cybercriminals to evade detection.

  1. Check Point said it tracked more than 130 cyberattacks in the first quarter of 2021 that distributed the ToxicEye trojan through Telegram.
  2. Post-infection, the RAT enables attackers to take full control over a victim’s machine and engage in a range of other nefarious activities.
  3. Besides malware distribution, threat actors have flocked to the messaging app to sell fake COVID-19 vaccine cards.

What does this imply?

Although Telegram has taken steps to shut down these groups, some are still operating and action against them is yet to be taken. The fact that Telegram is gaining traction among cybercriminals indicates a serious escalation in cybercrime. With over 500 million active users, Telegram should ensure that it does not become the next venue for illegal hacking, online fraud, and other criminal activities.

What is the dark web?

The dark web is the hidden collective of internet sites only accessible by a specialized web browser. It is used for keeping internet activity anonymous and private, which can be helpful in both legal and illegal applications.

Epik hack exposes lax security practices at controversial web host

Hacktivists affiliated with Anonymous are poring over the entrails of a cyber attack against controversial web host Epik that led to the leak of customer data.

US-based web host and domain registrar Epik is known for offering services to sites that carry far-right and extremist content including social networks Gab and Parler (a locus of planning for the January 2021 US Capitol riots) and image board 8chan.

In early September, Epik reportedly offered services to a “whistleblower” site run by anti-abortion activists based in Texas, placing it in the crosshairs of hacktivists involved in Operation Jane, the campaign against the controversial Texas Heartbeat Act.

Anonymous hacked and defaced the Epik-hosted website of the Republican Party of Texas on September 11, following this up with an assault on Epik’s infrastructure days later.

Masses of stolen data from Epik were subsequently released through the DDoSecrets organization.

Hacktivists boasted of releasing a “decade’s worth of data” in databases containing domain ownership records, transaction details, emails, and unsorted, or at least unindexed, encryption keys in the 32GB trove of leaked data.

In response to queries from The Daily Swig, Epik said only that it was investigating the alleged breach.

In a brief statement on Wednesday, Jessica Robison, Epik’s Director of Client Services, said:

We are aware of the messages that have been posted. We take the security of our clients’ data extremely seriously, and we are investigating the allegation.

Using random samples of customer data exposed in the hack, journalists including those from The Record and The Daily Dot confirmed that the leaked data was real.

Data breach experts polled by The Daily Swig confirmed that the dump of information looked legit.

While the security shortcomings that evidently led to the compromise of its systems remain unclear, the data encryption and privacy protections Epik provided were lax, according to those revelling in the web host’s misfortunes.

An internet user offering snippets from what’s become known as the “EpikFail hack” offered The Daily Swig a run-down of the company’s operational and network security shortcomings.

At the very least, Epik is guilty of the laziest design possible. They should have segmented their users’ data across various databases, utilized multiple access credentials, and the only user that should’ve had access to that is their production application.

Instead, Epik took the easy way out. They charged their customers an additional fee to “protect their data” (via a Domain Add-On from http://Anonymize.com) and when a customer would sign up, Anonymize would assign them a UserID, which is fairly standard.

Unfortunately, Epik chose to use that UserID as the prefix for the domain’s WHOIS registration contact email address, thus providing the keys to go directly from domain name to “anonymous” domain owner with one line of code.

All these oversights were far from accidental and arose because customer protection was not part of Epik’s culture, according to the source.

“This is evident by passwords stored as plaintext and unhashed credit cards with expiration dates in the future,” they concluded.

The data included more than 15 million unique email addresses (including anonymised versions for domain privacy), names, phone numbers, physical addresses, purchase records and passwords. The data relates not only to Epik customers, but also to scraped WHOIS records belonging to individuals and organisations who were not Epik customers, according to Troy Hunt of Have I Been Pwned.
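The de-anonymisation the source describes comes down to one table join: if the WHOIS privacy address is literally <UserID>@<privacy-domain>, anyone holding the customer table resolves every “private” domain to its owner. The following is an added example, not Epik’s or Anonymize’s code, and the privacy mailbox domain, account records and key are constructed for illustration. It shows the weak scheme beside a hardened one in which the public alias is a keyed hash of (user, domain) and the alias-to-account mapping lives only in the mail-forwarding service, so a leak of the customer database alone does not link domains to people.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (not from the leak).
PRIVACY_DOMAIN = "privacy.example"   # assumed; the real mailbox domain is not given on the page
ACCOUNTS = {
    "10234": {"name": "Jane Roe", "street": "1 Elm St"},
    "10877": {"name": "John Doe", "street": "9 Oak Ave"},
}

def whois_contact_email_weak(user_id):
    """The flaw as described: the public WHOIS address embeds the account ID verbatim."""
    return f"{user_id}@{PRIVACY_DOMAIN}"

def deanonymize_from_whois(whois_email, accounts):
    """With the account table in hand, resolving a 'private' domain to its owner
    is a dictionary lookup on the local part of the address."""
    return accounts.get(whois_email.split("@")[0])

# Hardened alternative: a per-domain alias derived with a keyed hash. The key and the
# alias table belong to the forwarding service, a separate trust boundary from the
# customer database (the segmentation the source called for).
SERVER_KEY = secrets.token_bytes(32)
ALIAS_TABLE = {}   # alias -> user_id; not derivable from the customer table alone

def whois_contact_email_hardened(user_id, domain_name, key=SERVER_KEY):
    mac = hmac.new(key, f"{user_id}|{domain_name}".encode(), hashlib.sha256).hexdigest()[:20]
    alias = f"{mac}@{PRIVACY_DOMAIN}"
    ALIAS_TABLE[alias] = user_id   # stored server-side so inbound mail can still be forwarded
    return alias

def resolve_alias(alias, table=ALIAS_TABLE):
    """Only the service holding the table can map an alias back to the account."""
    return table.get(alias)

if __name__ == "__main__":
    weak = whois_contact_email_weak("10234")
    print(weak, "->", deanonymize_from_whois(weak, ACCOUNTS))
    strong = whois_contact_email_hardened("10234", "example-domain.test")
    print(strong, "->", deanonymize_from_whois(strong, ACCOUNTS), "| service resolves:", resolve_alias(strong))
```

Because the alias is keyed per (user, domain), two domains owned by the same customer also do not share a recognisable prefix, which removes the cross-domain correlation that a bare UserID gives away.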

DDoS Attack Service Admin Behind 200,000 Attacks Face 35 Years in Prison

A federal jury in California, at the end of a nine-day trial, found an Illinois man guilty of operating several websites that offered paid DDoS attack services.

The investigation found that 32-year-old Matthew Gatrel of St. Charles, Illinois enabled users to launch more than 200,000 DDoS attacks, for which he may face up to 35 years in prison.

Matthew Gatrel was found guilty of three counts:

  • Conspiracy to commit unauthorized impairment of a protected computer.
  • Conspiracy to commit wire fraud.
  • Unauthorized impairment of a protected computer.

Bulletproof server hosting and DDoS services

Since at least October 2014, Gatrel had been operating DDoS services, principally through two websites:

  • DownThem.[org]
  • AmpNode.[com]

Through DownThem.[org] Gatrel sold DDoS attacks to users, while through AmpNode.[com] he provided “bulletproof” server hosting.

The AmpNode servers offered two key capabilities:

  • Spoofing
  • Lists of vulnerable attack amplifiers
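Spoofing plus an amplifier list is the recipe for reflection/amplification DDoS: the attack server sends small requests with the victim’s address forged as the source, and many third-party servers (DNS, NTP, SSDP, memcached, and so on) answer the victim with much larger responses. The following is an added example, not anything from the case or the DoJ, of what that looks like on the receiving side in flow telemetry and how to flag it: constructed NetFlow-style records (source, source port, destination, destination port, protocol, packets, bytes) are grouped by destination, and a destination hit by many distinct sources on known amplifier ports with a high average response size is reported. The IPs, port table and thresholds are assumptions.

```python
from collections import defaultdict

# Well-known UDP services abused as reflectors (source port of the responses).
AMP_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 19: "chargen"}

# Constructed flow records for this example (not from the case):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("198.51.100.7",  53,    "203.0.113.10", 41234, "udp", 120, 480000),
    ("198.51.100.8",  53,    "203.0.113.10", 41234, "udp", 110, 440000),
    ("198.51.100.9",  123,   "203.0.113.10", 41234, "udp", 300, 144000),
    ("198.51.100.10", 123,   "203.0.113.10", 41234, "udp", 280, 134400),
    ("198.51.100.11", 11211, "203.0.113.10", 41234, "udp", 500, 700000),
    ("192.0.2.5",     53,    "203.0.113.20", 55123, "udp", 2,   400),     # one ordinary DNS answer
    ("192.0.2.6",     443,   "203.0.113.20", 55124, "tcp", 40,  60000),   # unrelated TCP traffic
]

def detect_reflection(flows, min_reflectors=3, min_bytes_per_pkt=1000):
    """Group inbound UDP flows from amplifier ports by destination and flag any
    destination answered by many distinct reflectors with large average packets.
    Returns {victim_ip: summary}."""
    by_victim = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in AMP_PORTS:
            continue
        v = by_victim[dst]
        v["reflectors"].add(src)
        v["services"].add(AMP_PORTS[sport])
        v["bytes"] += nbytes
        v["packets"] += pkts
    alerts = {}
    for victim, v in by_victim.items():
        avg = v["bytes"] / v["packets"]
        if len(v["reflectors"]) >= min_reflectors and avg >= min_bytes_per_pkt:
            alerts[victim] = {
                "reflectors": len(v["reflectors"]),
                "services": sorted(v["services"]),
                "avg_pkt_bytes": round(avg),
            }
    return alerts

if __name__ == "__main__":
    for victim, summary in detect_reflection(FLOWS).items():
        print(victim, summary)
```

On the reflector side the same telemetry inverted (many tiny inbound queries from one “source” that never completes a handshake, answered with large responses) is the signal that your own server is on someone’s amplifier list; the upstream fix remains source-address validation (BCP 38) at the spoofing network’s edge, which booters rely on being absent.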

Investigators found more than 2,000 registered users on the “DownThem” portal, who between them launched more than 200,000 DDoS attacks.

The U.S. Department of Justice stated:

“Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services.”

Targets

Targets of these attacks included:

  • Homes
  • Schools
  • Universities
  • Municipal and local government websites
  • Financial institutions from all over the world

Moreover, the portals offered customers multiple subscription packages and attack options, including:

  • Duration of the attacks
  • Strength of the attacks
  • The possibility of concurrent attacks

United States District Judge John A. Kronstadt has scheduled Gatrel’s sentencing hearing for January 27, 2022, at which he faces a statutory maximum sentence of 35 years in prison.

Gatrel did not act alone: 28-year-old Juan Martinez helped him manage and administer the DownThem website.

Unlike Gatrel, Martinez has already pleaded guilty; his sentencing hearing is scheduled for December 2, where he faces a statutory maximum sentence of 10 years in prison.

Hackers pose as bank customers by stealing OTPs, making $500k in fake credit card payments

SINGAPORE – Hackers abroad have been able to pose as 75 bank customers here to make about $500,000 in fake credit card payments.

This was done by a sophisticated method of hijacking the one-time passwords (OTPs) sent through SMS text messages by banks.

The hackers had diverted the SMS OTPs from the banks to overseas mobile network systems, explained the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force in a joint statement on Wednesday (Sept 15).

They said the SMS diversion method “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”.

The fraudulent transactions happened between September and December last year.

The bank customers said they did not initiate the transactions and did not receive the SMS OTPs needed to complete the transactions

The authorities gave an assurance that Singapore’s banking and telecommunication systems were not compromised.

Affected customers who had taken steps to protect their credentials will not have to pay for any of the fake transactions as a gesture of goodwill by the banks, “given the unique circumstances of these cases”, said the authorities. The identities of the banks involved were not revealed.

So far, UOB has said that it has “proactively reviewed” the cases involving its affected customers and will work with each of them on a case-by-case basis to offer the payment waiver.

It is understood that customers of DBS and OCBC, as well as some foreign banks, were affected too. The banks would have informed affected customers.

The method used by the cyber criminals in this incident involved first getting hold of the victims’ credit card details and mobile phone numbers.

They also hacked into the systems of overseas telcos and used them to change the location information of the mobile phones used by the Singapore victims.

By doing so, the hackers tricked Singapore telco networks into thinking that the Singapore numbers were roaming overseas on the networks of other countries.

The hackers then used the victims’ stolen credit card details to make fraudulent online card payments.

So when the banks sent out SMS OTPs to the victims to verify the transactions, the crooks were able to divert these text messages to the overseas mobile network systems.

The stolen OTPs were then used to complete the fraudulent card payments. This matches with the victims saying they did not get the OTPs.
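The mechanics above (a fraudulent location update that makes the home network believe the phone is roaming, followed within minutes by an OTP routed to the foreign network) give telcos and bank fraud teams a signal to correlate. The following is an added example, not code from the authorities or any operator: it runs over a constructed feed of subscriber events of two kinds, location updates naming the registered network and OTP SMS hand-offs naming the network they were routed to, and flags an OTP delivered abroad within a short window of the subscriber’s registration leaving the home network. The event schema, network labels, numbers and the 30-minute window are assumptions; the page does not name the signalling protocol involved.

```python
from datetime import datetime, timedelta

HOME_NETWORK = "SG-HOME"   # assumed label for the domestic network

# Constructed subscriber events for this example (not from the statement).
EVENTS = [
    {"t": "2020-10-03T02:10:00", "msisdn": "+6591230001", "kind": "location_update", "network": "XX-ROAM"},
    {"t": "2020-10-03T02:12:30", "msisdn": "+6591230001", "kind": "otp_sms", "routed_via": "XX-ROAM"},
    {"t": "2020-10-03T09:00:00", "msisdn": "+6591230002", "kind": "location_update", "network": "SG-HOME"},
    {"t": "2020-10-03T09:05:00", "msisdn": "+6591230002", "kind": "otp_sms", "routed_via": "SG-HOME"},
    # a genuine traveller: registered abroad two days before any OTP is sent
    {"t": "2020-10-03T11:00:00", "msisdn": "+6591230003", "kind": "location_update", "network": "MY-ROAM"},
    {"t": "2020-10-05T11:00:00", "msisdn": "+6591230003", "kind": "otp_sms", "routed_via": "MY-ROAM"},
]

def suspicious_otp_diversions(events, window=timedelta(minutes=30), home=HOME_NETWORK):
    """Flag OTPs routed to a foreign network shortly after the subscriber's
    registration moved off the home network. Returns a list of alert dicts."""
    last_move = {}   # msisdn -> (time, network) of the most recent foreign registration
    alerts = []
    for e in sorted(events, key=lambda x: x["t"]):
        ts = datetime.fromisoformat(e["t"])
        if e["kind"] == "location_update":
            if e["network"] != home:
                last_move[e["msisdn"]] = (ts, e["network"])
            else:
                last_move.pop(e["msisdn"], None)   # back on the home network: clear the state
        elif e["kind"] == "otp_sms" and e["routed_via"] != home:
            moved = last_move.get(e["msisdn"])
            if moved and ts - moved[0] <= window:
                alerts.append({"msisdn": e["msisdn"], "network": moved[1], "otp_time": e["t"]})
    return alerts

if __name__ == "__main__":
    for a in suspicious_otp_diversions(EVENTS):
        print("possible OTP diversion:", a)
```

The time window is a heuristic and will catch some real travellers who log in right after landing; operators would refine it with signals the page alludes to (whether the subscriber’s handset has any other activity on the foreign network, whether the update came from an operator with which there is no roaming agreement) before blocking delivery. The bank-side mitigation is to move away from SMS as the sole possession factor, since any diversion at the telco layer is invisible to the bank.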

The compromised overseas telecommunication networks have been identified and notified, but the agencies did not reveal who they were or where they were from.

Investigations are ongoing to identify the criminals and bring them to justice. It is also unclear where the hackers are from.

Mr Eric Nagel, general manager for the Asia-Pacific at cyber-security firm Cybereason, said  SMS OTPs rely on third-party technology on an operating system that is not immune to sophisticated attacks. 

One such technology that can be hacked is that used for text-messaging management services.

Such services can be hired by businesses for US$16 (S$21) in the United States to redirect SMSes, business news outlet Business Today reported. So besides hacking them, cyber criminals can also hire these services.

Mr Nagel added that the discovery of the SMS OTP diversion here is not surprising.

Earlier this year, Cybereason found  that three Chinese threat groups, which  recently attacked telcos in Asean, had previously carried out cyber attacks in other countries like the United States and the United Kingdom.

But Mr Nagel said that banks and telcos are trying to reduce reliance on third-party vendors.

“This should diminish these types of attacks over time, as they take back control (of systems),” he said.

While Singapore’s telco networks were not compromised, IMDA has told them to put in place additional safeguards. They include specialised firewalls and system safeguards to monitor and block suspicious SMS diversions.

IMDA had earlier consulted the Cyber Security Agency of Singapore (CSA) on the additional telco measures.

When contacted, CSA said it has assessed that the controls in place are adequate to address the hackers’ current methods.

“Cyber criminals are constantly developing new and sophisticated methods and tools to target their victims,” said the agency. “Organisations and individuals must continue to stay vigilant and take steps to keep their assets and information secure.”

The authorities’ statement comes after the Government said in July that a review would be done by the end of the year to provide clearer guidelines on what happens to consumers and banks in the event of scams.

MAS will be working with financial institutions to fine-tune the existing framework on fraudulent payment transactions, covering the responsibilities and liabilities of banks and consumers in such situations.

At the time, it was reported the police had received 89 reports of fraudulent card transactions performed with SMS OTPs, where the victims said they did not make the transaction or receive the OTP to authorise it, between September last year and February this year.

The amount stolen in these cases was $550,500.

Finance Minister Lawrence Wong, who is MAS’ deputy chairman, said in Parliament that while these cases represented less than 0.1 per cent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, “it is nevertheless concerning”.

IMDA, MAS and the police urged the public to be alert and vigilant against malware and phishing attempts that seek to steal their personal details, since the incident involved stolen credit card information.

For instance, consumers should keep their bank account, credit and debit card details safe at all times. They should never disclose to anyone these details, as well as their personal identification numbers, passwords and codes like OTPs.

They can also set low thresholds for payment transaction alerts, which can allow unauthorised activities to be detected early. Consumers should alert their banks as soon as possible if there are any discrepancies or unauthorised transactions.

They should keep their devices updated with the latest security patches and anti-virus software.

Consumers should use only credible online services, download apps from official app stores, and make online purchases through trustworthy platforms.

Members of the public should also never click on suspicious links from unknown sources.

FBI: $113 million lost to online romance scams this year

The FBI warned today that a massive spike of online romance scams this year caused Americans to lose more than $133 million since the start of 2021.

The scammers behind this type of online fraud trend (also known as confidence fraud) — which can lead to significant financial losses and devastating emotional scars — use fake online identities to gain potential victims’ trust on dating or social media platforms.

After the victims are lured in, the crooks take advantage of the illusion of a romantic relationship they project to manipulate the targets into sending money or financial info that later can be used for other types of fraud schemes, including investment scams.

“The FBI warns of a rising trend in which scammers are defrauding victims via online romance scams, persuading individuals to send money to allegedly invest or trade cryptocurrency,” the federal law enforcement agency said in a PSA published today on the Internet Crime Complaint Center (IC3) site.

“From January 1, 2021 — July 31, 2021, the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints, related to online romance scams, resulting in losses of approximately $133,400,000.”

The FBI also provided tips on protecting yourself from romance scams :

  • Never send money, trade, or invest per the advice of someone you have solely met online.
  • Do not disclose your current financial status to unknown and untrusted individuals.
  • Do not provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.
  • If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable.
  • Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast.

Over $1 billion lost to romance scams in 2019 and 2020

The 2019 and 2020 Internet Crime Reports published by FBI’s Internet Crime Complaint Center (IC3) show that romance scams caused tens of thousands of Americans to lose more than $1 billion ($475 million in 2019 and over $600 million in 2020).

The FBI also warned romance scam victims that they face the risk of being recruited as money mules and persuaded to transfer money illegally on scammers’ behalf.

To further illustrate the scale of this ongoing problem, the Department of Justice’s website lists cases where fraudsters were indicted or found guilty of running large-scale romance scam schemes targeting US citizens.

If you have fallen victim to such a scam, you should immediately stop communicating with the scammer and file a complaint with the IC3 at www.ic3.gov.

You should also reach out to your financial institution to see if it’s still possible to stop or revert any financial transactions you might have made after the scammer contacted you.

Singaporean telco StarHub discloses data leak affecting 57,000 customers

The personal data of more than 57,000 StarHub customers has been exposed in a data breach disclosed by the Singaporean telco.

StarHub’s cybersecurity team discovered the data on July 6 in a file that had been “illegally uploaded” to “a third-party data dump website”, according to a data breach notice published by StarHub on Friday (August 6).

The data file in question comprised “identity card numbers, mobile numbers, and email addresses belonging to 57,191 individual customers who had subscribed to StarHub services before 2007,” said StarHub.

The company emphasized that “no credit card or bank account information is at risk”.

StarHub added that “there is no indication that any data in this document has been maliciously misused”.

The telco – one of three major Singaporean telecommunications providers along with Singtel and M1 – said its IT systems and databases had not been compromised.

Incident response

Upon finding the file, StarHub said it “activated an incident management team” and “attempted to have the document removed from the data dump site”.

It was also “working closely with cybersecurity experts and the relevant authorities”, and reviewing “existing security measures to protect core infrastructure and systems”.

Victims are being notified via email and being offered six months of complimentary credit monitoring, a process StarHub said it expected to conclude within 14 days.

“Data security and customer privacy are serious matters for StarHub, and I apologise for the concern this incident may be causing our affected customers,” said StarHub CEO Nikhil Eapen.

“We have made substantial cybersecurity investments over the years, shoring up our cyber defences, and we will continue to stay vigilant in safeguarding our infrastructure and IT systems against cyber threats.”

He added: “We assure our customers that StarHub will continue to take all protection measures to ensure their information is safe with us.”

A spokesperson for StarHub told The Daily Swig: “We would like to reiterate that we have investigated and verified the integrity of our network infrastructure, and that no StarHub information systems nor customer database are compromised. We are continuing to investigate the incident with the assistance of a leading cybersecurity firm, as well as working with the relevant authorities.”

News of the data leak follows last month’s announcement by StarHub that it was giving away two-year rentals of its StarHub TV+ Box media player worth S$120 (US$88) to customers who hand in pirated set-top boxes.

Tech companies pledge billions in cybersecurity investments

Washington: Some of the country’s leading technology companies have committed to investing billions of dollars to strengthen cybersecurity defences and to train skilled workers, the White House has announced, following President Joe Biden’s private meeting with top executives.

The gathering was held Wednesday during a relentless stretch of ransomware attacks that have targeted critical infrastructure, in some cases with the attackers extorting multimillion-dollar payments from major corporations, as well as other illicit cyber operations that US authorities have linked to foreign hackers.

The Biden administration has been urging the private sector to do its part to strengthen cybersecurity defences against those increasingly sophisticated attacks. In public remarks before the private meeting got underway, Biden referred to cybersecurity as a “core national security challenge” for the US.

“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said. “I’ve invited you all here today because you have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”

After the meeting, the White House announced that Google had committed to invest $10 billion in cybersecurity over the next five years, money aimed at helping secure the software supply chain and expand zero-trust programmes.

The Biden administration has looked for ways to safeguard the government’s supply chain following a massive Russian government cyber espionage campaign that exploited vulnerabilities and gave hackers access to the networks of US government agencies and private companies.

Microsoft, meanwhile, said it would invest $20 billion in cybersecurity over the next five years and make available $150 million in technical services to help local governments improve their defences. IBM plans to train 150,000 people in cybersecurity over three years, and Apple said it would develop a new programme to help strengthen the supply chain.

Top executives of each of those companies were invited to Wednesday’s meeting, as were financial industry executives and representatives from the energy, education and insurance sectors.

A government initiative that at first supported the cybersecurity defences of electric utilities has been expanded to focus on natural gas pipelines, the White House said Wednesday.

Though ransomware was intended as one focus of Wednesday’s gathering, a senior administration official who briefed reporters in advance said the purpose was much broader, centered on identifying the “root causes of malicious cyber activities” and ways in which the private sector can help bolster cybersecurity. The official briefed reporters on the condition of anonymity.

The meeting took place as Biden’s national security team has been consumed by the troop withdrawal in Afghanistan and the chaotic evacuation of Americans and Afghan citizens. That it remained on the calendar indicates the administration regards cybersecurity as a major agenda item, with the administration official describing Wednesday’s meeting as a “call to action”.

The broad cross-section of participants underscores how cyber attacks have cut across virtually all sectors of commerce. In May, for instance, hackers associated with a Russia-based cyber gang launched a ransomware attack on a major fuel pipeline in the US, causing the company to temporarily halt operations.

Weeks later, the world’s largest meat processor, JBS SA, was hit with an attack by a different hacking group.

In both instances, the companies made multimillion-dollar ransom payments in an effort to get back online.

Biden on Wednesday pointed to a summit with Russian President Vladimir Putin in June when he said he made clear his expectation that Russia take steps to rein in ransomware gangs because “they know where they are and who they are”.

Data breach at US restaurant may have leaked sensitive customer information

A cyber-attack on US fast food and gambling chain Dotty’s has exposed the personal data of customers, the company has warned.

Dotty’s, a fast food chain which offers gambling services across 175 locations, is owned and operated by Nevada Restaurant Services (NRS).

NRS said that malware was discovered on “certain computer systems” on January 16, 2021, allowing an unauthorized individual to gain access to, and copy, data.

Potential datasets that were accessed include customer names, dates of birth, Social Security numbers, driver’s license or state ID numbers, passport numbers, financial account and/or routing numbers, health insurance information, treatment information, biometric data, medical records, taxpayer identification numbers, and credit card numbers and/or expiration dates.

NRS has not yet released any details on the number of people affected in the breach.

It said it has contacted potential victims via post and has urged NRS customers to be vigilant and look for any signs of fraud.

More information on steps that victims can take to protect themselves can be found in the press release.

The company said in a statement: “NRS has security measures in place to protect its systems and the information in its possession and NRS has worked to add further technical safeguards to its environment”.

“Following this incident, NRS took immediate steps to secure its systems and to conduct a diligent investigation into the full nature and scope of the incident.”

93,000 Cybercrime Cases Reported in Three Years

Over 93,000 cases of cybercrime were reported in the country between 2017 and 2019, Lok Sabha was informed on Tuesday. Union Minister of State for Home Nityanand Rai also said that 46 cases of cyber terrorism were reported in the country during the same period and the FIRs were registered under Section 66F of the Information Technology Act, 2000, which relates to cyber terrorism.

According to the data published by the National Crime Records Bureau (NCRB), the cybercrime cases registered in 2017, 2018 and 2019 were 21,796, 27,248 and 44,546 respectively, he said in a written reply to a query. The minister said the Indian Computer Emergency Response Team (CERT-In) serves as the national agency for responding to cybersecurity incidents as per the provisions of Section 70B of the Information Technology Act, 2000.

The CERT-In receives inputs from its situational awareness systems and threat intelligence sources about malware infections in networks of entities across sectors. Whenever any incident comes to the notice of CERT-In, it issues alerts and advisories to the entities concerned and sectoral Computer Emergency Response Teams (CERTs) for remedial measures, he said.

Grayfly: Chinese hacking group behind SideWalk malware

A previously undocumented backdoor that was recently found targeting an unnamed computer retail company based in the U.S. has been linked to a longstanding Chinese espionage operation dubbed Grayfly.

In late August, Slovakian cybersecurity firm ESET disclosed details of an implant called SideWalk, which is designed to load arbitrary plugins sent from an attacker-controlled server, gather information about running processes in the compromised systems, and transmit the results back to the remote server.

The cybersecurity firm attributed the intrusion to a group it tracks as SparklingGoblin, an adversary believed to be connected to the Winnti (aka APT41) malware family.

But the latest research from Broadcom’s Symantec pins the SideWalk backdoor on the China-linked espionage group Grayfly, pointing out the malware’s overlaps with the older Crosswalk malware, with the latest Grayfly activity singling out a number of organizations in Mexico, Taiwan, the U.S., and Vietnam.

“A feature of this recent campaign was that a large number of targets were in the telecoms sector. The group also attacked organizations in the IT, media, and finance sectors,” Symantec’s Threat Hunter Team said in a write-up published on Thursday.

Known to be active since at least March 2017, Grayfly functions as the “espionage arm of APT41”, which is notorious for targeting a variety of industries in pursuit of sensitive data: it exploits publicly facing Microsoft Exchange or MySQL web servers to install web shells for initial intrusion, then spreads laterally across the network and installs additional backdoors that let the threat actor maintain remote access and exfiltrate the amassed information.

In one instance observed by Symantec, the adversary’s malicious activity commenced with targeting an internet-reachable Microsoft Exchange server to gain an initial foothold in the network. This was followed by executing a string of PowerShell commands to install an unidentified web shell, ultimately leading to the deployment of the SideWalk backdoor and a custom variant of the Mimikatz credential-dumping tool that has been put to use in previous Grayfly attacks.
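The chain Symantec describes (Exchange server, then PowerShell, then a web shell) has a reliable telemetry footprint, because Exchange’s web front end runs under IIS: commands issued through a web shell are executed by an IIS worker process, so a command interpreter whose parent is w3wp.exe is the classic tell. The following is an added example, not code from Symantec or ESET: it runs two rules over constructed Sysmon-style process-creation events, one for shells spawned by an IIS worker and one for PowerShell invoked with several evasion flags (the specific flags, host names and the encoded command string are assumptions, as is the availability of parent-image and command-line fields in your telemetry).

```python
# Constructed process-creation events for this example (not from the report).
EVENTS = [
    {"host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmd": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"host": "EXCH01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmd": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "EXCH01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WKS07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe Get-ChildItem"},
]

WEB_WORKERS = ("w3wp.exe",)                      # IIS worker process hosting Exchange front-end pools
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Flags and cmdlets commonly combined to hide or stage a payload; two or more together is the trigger.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "downloadstring", "iex")

def basename(path):
    """Last path component, lower-cased, so rules match regardless of install directory."""
    return path.rsplit("\\", 1)[-1].lower()

def webshell_indicators(events):
    """Return a list of alerts; each carries the host, the rule that fired and the evidence."""
    alerts = []
    for e in events:
        img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmd"].lower()
        if parent in WEB_WORKERS and img in SHELLS:
            alerts.append({"host": e["host"], "rule": "shell_spawned_by_iis_worker", "cmd": e["cmd"]})
        if img in ("powershell.exe", "pwsh.exe"):
            hits = [f for f in SUSPICIOUS_FLAGS if f in cmd]
            if len(hits) >= 2:
                alerts.append({"host": e["host"], "rule": "obfuscated_powershell", "flags": hits})
    return alerts

if __name__ == "__main__":
    for a in webshell_indicators(EVENTS):
        print(a)
```

In production you would also walk one level further up (PowerShell whose grandparent is w3wp.exe, since web shells often go through cmd.exe first) and pair the process rule with file-creation events for new .aspx files under the Exchange virtual directories; the Mimikatz stage that follows is better caught on LSASS access than on the command line.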

No follow-on activity was observed beyond this point, the company noted.

“Grayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media,” the researchers said. “It’s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.”
