
Pakistani Scammer Sentenced to 12 Years in $200 Million Phone-Fraud Scheme


AT&T, the world’s largest telecommunications firm, lost over $200 million after a Pakistani scammer and his partners coordinated a seven-year scheme that led to the fraudulent unlocking of nearly 2 million phones. 

Muhammad Fahd, 35, of Karachi, has been sentenced to 12 years in prison after he bribed several AT&T employees to do his bidding, including unlocking phones, giving him access to their credentials, and installing malware that gave him remote access to the mobile carrier’s servers, the Department of Justice (DOJ) said. 

How it all started

It all began in the summer of 2012 when Fahd recruited an AT&T employee via Facebook using the false name “Frank Zhang”. He bribed the employee and his co-workers with “significant sums of money” to remove the carrier’s protection that locked cellular phones to its network. 

In April 2013, the scammer was forced to recruit a malware developer to build malicious tools after AT&T launched a new unlocking system that prevented the corrupt employees from continuing to unlock phones on his behalf. 

“At Fahd’s request, the employees provided confidential information to Fahd about AT&T’s computer system and unlocking procedures to assist in this process. Fahd also had the employees install malware on AT&T’s computers that captured information about AT&T’s computer system and the network access credentials of other AT&T employees. Fahd provided the information to his malware developer, so the developer could tailor the malware to work on AT&T’s computers,” according to the sentencing documents. 

Fahd and his co-conspirators also used multiple shell companies to cover up their illegal activity, including Swift Unlocks Inc, Endless Trading FZE (aka Endless Trading FZC), Endless Connections Inc, and iDevelopment Co, according to the indictment. 

Millions Lost 

AT&T forensic analysis discovered that 1,900,033 cellular phones were unlocked unlawfully by the scammers behind this scheme, resulting in $201,497,430.94 of losses due to lost payments. 
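The scheme above left a trail in the carrier's own unlock-audit records: a handful of employees unlocking far more devices than their peers, often outside their shifts. The following is an added illustration, not code from the article or from AT&T, of the two checks a forensic team would run first over such records. The audit-line format (timestamp, employee id, IMEI, reason), the sample records and the shift window are all assumptions constructed for the example.

```python
"""Added example: insider-abuse detection over constructed carrier
unlock-audit records. Flags (1) employees whose daily unlock count is far
above the peer median and (2) employees unlocking outside the shift window.
Record format, field names and sample data are assumptions, not AT&T's."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Construct sample audit lines (not real data): timestamp,employee,imei,reason."""
    lines = [
        "2013-04-02T09:12:00,emp-017,356938035643809,customer_request",
        "2013-04-02T09:40:00,emp-017,490154203237518,customer_request",
        "2013-04-02T11:30:00,emp-017,013949002022345,customer_request",
        "2013-04-02T10:05:00,emp-022,358240051111110,customer_request",
        "2013-04-02T14:20:00,emp-022,358240051111128,customer_request",
    ]
    # emp-031: twelve unlocks between 02:00 and 03:00, well outside any shift
    for i in range(12):
        lines.append(
            f"2013-04-02T02:{i * 4:02d}:00,emp-031,35693803564{3820 + i},customer_request"
        )
    return "\n".join(lines)


def parse_audit(text):
    """Parse CSV audit lines into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, emp, imei, reason = line.split(",")
        records.append(
            {"ts": datetime.fromisoformat(ts), "employee": emp, "imei": imei, "reason": reason}
        )
    return records


def daily_counts(records):
    """Number of unlocks per (employee, calendar day)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["employee"], r["ts"].date().isoformat())] += 1
    return counts


def find_volume_outliers(records, ratio=3.0, min_count=5):
    """Employees whose daily unlocks exceed `ratio` times the peer median for that day.
    `min_count` avoids flagging tiny absolute numbers on quiet days."""
    by_day = defaultdict(dict)
    for (emp, day), n in daily_counts(records).items():
        by_day[day][emp] = n
    flagged = []
    for day, per_emp in by_day.items():
        peer_median = median(per_emp.values())
        for emp, n in per_emp.items():
            if n >= min_count and n > ratio * peer_median:
                flagged.append((emp, day, n))
    return sorted(flagged)


def find_off_hours(records, shift_start=7, shift_end=19):
    """Employees with at least one unlock outside the assumed shift window."""
    return sorted(
        {r["employee"] for r in records if not shift_start <= r["ts"].hour < shift_end}
    )


if __name__ == "__main__":
    recs = parse_audit(build_sample_log())
    print("volume outliers:", find_volume_outliers(recs))
    print("off-hours unlockers:", find_off_hours(recs))
```

Both checks are deliberately simple: a per-day peer median is robust to one abusive employee inflating the average, and the off-hours check catches the pattern of a bribed insider working through a queue of IMEIs at night. In a real deployment the thresholds would be tuned per role and the two signals correlated with the session-origin data the malware in this case was collecting.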

The company also sued former employees after unearthing they were bribed into illegally unlocking phones and seeding malware and malicious tools on its network. “We’re seeking damages and injunctive relief from several people who engaged in a scheme a couple of years ago to illegally unlock wireless telephones used on our network,” AT&T said in a statement to a local media outlet.

“It’s important to note that this did not involve any improper access of customer information or any adverse effect on our customers.” In 2018 Fahd was arrested in Hong Kong and he was extradited to the US in 2019. He remained in jail until he was sentenced earlier this week to 12 years in prison, after pleading guilty to conspiracy to commit wire fraud in September 2020. 

At the sentencing hearing, U.S. District Judge Robert S. Lasnik for the Western District of Washington noted that Fahd had executed a terrible cybercrime over a long period even after he was aware that law enforcement was investigating.

Hackers Impersonate Bank Customers and Make $500k in Fraudulent Credit Card Payments


Hackers from other countries were able to impersonate 75 bank clients and make $500,000 in fraudulent credit card payments. This was accomplished using a clever way of intercepting one-time passwords (OTPs) sent by banks via SMS text messages. In a joint statement released on Wednesday, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS), and the Singapore Police Force detailed how hackers redirected SMS OTPs from banks to foreign mobile network systems. 

The SMS diversion method, they said, “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”. Last year's fraudulent transactions took place between September and December. The bank clients claimed that they did not initiate the transactions and that they did not get the SMS OTPs that were required to complete them. 

According to Mr. Wong, the MAS' deputy chairman, the Monetary Authority of Singapore (MAS) would engage with financial institutions to fine-tune the existing framework on fraudulent payment transactions, which covers the responsibilities and liabilities of banks and customers in such instances. 

Between September last year and February, the police received 89 reports of fraudulent card transactions using SMS one-time passwords (OTPs), according to Mr. Wong. Ms. Yeo Wan Ling (Pasir-Ris Punggol GRC) had inquired if bank-related cyber frauds had increased in the previous six months.

"While these cases represent less than 0.1 percent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, it is nevertheless concerning," Mr. Wong said. 

Singapore's financial and telecommunications networks were not hacked, according to the authorities. Affected customers who took steps to safeguard their credentials would not be charged for any of the fraudulent transactions, as a gesture of goodwill from the banks, according to the authorities. The names of the banks involved were kept under wraps. 

In this incident, the cybercriminals first obtained the victims' credit card information and mobile phone numbers. They also got into the networks of international telecoms and exploited them to alter the location information of the Singapore victims' mobile phones. 

By doing so, the hackers deceived Singapore telecom networks into believing that Singapore phone numbers were roaming overseas on the networks of other countries. The hackers subsequently made fraudulent online card payments using the victims' stolen credit card information.

As a result, when banks issued SMS OTPs to victims to authenticate transactions, the criminals were able to reroute these text messages to foreign mobile network systems. The fraudulent card payments were subsequently completed using the stolen OTPs. This corresponds to the victims' claims that they did not get the OTPs.
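The diversion only worked because the bank kept trusting SMS after the subscriber's network location had silently changed. A bank's fraud engine can ask the home carrier where the number is currently registered and treat an unannounced, very recent move to a foreign network as a reason not to rely on SMS at all. The following is an added example, not code from the article, MAS, or any bank, of that decision logic over a constructed feed of location updates. The `RoamingEvent` feed, the Singapore mobile country code 525 as the home network, the placeholder foreign code "001", and the 24-hour window are assumptions.

```python
"""Added example: deciding whether an SMS OTP can be trusted, given the
subscriber's most recent network-location update. Assumes the bank can query
its home carrier for the mobile country code (MCC) currently serving the
number. Event feed and MCC values other than 525 (Singapore) are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_MCC = "525"          # Singapore mobile country code (real value)
FOREIGN_MCC = "001"       # placeholder for 'some foreign network' in the sample data


@dataclass
class RoamingEvent:
    msisdn: str           # subscriber number
    ts: datetime          # when the location update was recorded
    serving_mcc: str      # MCC of the network now serving the subscriber


# Constructed location-update feed (not real data)
SAMPLE_EVENTS = [
    RoamingEvent("+6591230001", datetime(2020, 10, 1, 8, 0), HOME_MCC),
    RoamingEvent("+6591230002", datetime(2020, 10, 1, 11, 30), FOREIGN_MCC),  # moved abroad 30 min ago
    RoamingEvent("+6591230003", datetime(2020, 9, 1, 9, 0), FOREIGN_MCC),     # abroad for a month
]


def current_serving(msisdn, at, events):
    """Most recent location update for the number at or before time `at`."""
    relevant = [e for e in events if e.msisdn == msisdn and e.ts <= at]
    return max(relevant, key=lambda e: e.ts, default=None)


def otp_channel_decision(msisdn, at, events, recent=timedelta(hours=24), travel_notice=False):
    """Return the OTP channel the bank should use for this transaction.

    'sms'          -> subscriber on the home network (or roaming the customer told us about)
    'out_of_band'  -> roaming began very recently and was not announced: do not rely on
                      SMS, verify through the banking app or a voice callback instead
    'sms_alert'    -> long-standing roaming: deliver the SMS but also notify the customer
                      through another channel so a diverted OTP is noticed
    """
    event = current_serving(msisdn, at, events)
    if event is None or event.serving_mcc == HOME_MCC:
        return "sms"
    if travel_notice:
        return "sms"
    if at - event.ts < recent:
        return "out_of_band"
    return "sms_alert"


def triage_batch(requests, events):
    """Apply the decision to a list of (msisdn, transaction_time) OTP requests."""
    return {msisdn: otp_channel_decision(msisdn, at, events) for msisdn, at in requests}


if __name__ == "__main__":
    now = datetime(2020, 10, 1, 12, 0)
    batch = [(e.msisdn, now) for e in SAMPLE_EVENTS]
    for number, channel in triage_batch(batch, SAMPLE_EVENTS).items():
        print(number, "->", channel)
```

The point of the three-way split is that the suspicious case in the incident above, a number that appears to have started roaming abroad minutes before a card transaction, is exactly the one where SMS should not be the sole second factor; a customer who has been abroad for weeks is better served by an extra notification than by a hard block.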

Beware of New Advance Fee Fraud Scheme Targeting Cryptocurrency Users

Researchers at Proofpoint have detected a new series of email fraud campaigns trying to lure potential victims with the promise of a considerable amount of tax-free cryptocurrency.

In this new Advance Fee Fraud scheme, scammers employ advanced social engineering tactics: they send potential targets working sets of login credentials for fake cryptocurrency exchange platforms and then tempt victims with the promise of being able to withdraw hundreds of thousands of dollars worth of cryptocurrency from an already established account on the platform.

Sophisticated Campaigns 

Although similar to other conventional Advance Fee Fraud techniques, these new campaigns are highly sophisticated from a technical point of view and are fully automated. They also require substantial victim interaction, as a victim would first need to log in to the platform and create their own account on it to even begin trying to withdraw any cryptocurrency. 

In a new write-up, Proofpoint researchers highlight the fact that the use of cryptocurrency is notable because it delivers anonymity for both the scammer and the potential target. Potential victims may be drawn in by the idea that the money could be obtained anonymously and tax-free because it is in Bitcoin.

Proofpoint researchers say they first discovered the campaign in May 2021 using a coins45[.]com landing page. The most recent version, which started in July, directs potential victims to securecoins[.]net. 

According to the Proofpoint researchers, each email campaign has been sent to anywhere from tens to hundreds of recipients across the globe. However, emails from the same campaign contain the same credentials for all recipients, and it appears that multiple people can log in with the same user ID and password as long as each logs in from a different IP address and browser. The moment a target changes the password and adds a contact number, though, the account becomes exclusive and the victim will not see any traces of other victims' activities. 

Victims who create an account on the phony cryptocurrency platform will see that there is 28.85 BTC in their bitcoin wallet. To get this money out, victims must first transfer 0.0001 BTC to ensure everything works smoothly. After successfully doing so, victims discover that the minimum withdrawal amount is 29.029 BTC and that they must add more money in order to be able to withdraw the full amount. However, even if they do add the required funds, they won't be able to withdraw any of the Bitcoin from their account on the platform. 

As is the case with other email fraud campaigns, users need to remain cautious of any emails from unknown senders promising them a financial incentive. While Proofpoint has identified and brought light to a number of these campaigns, the firm's researchers believe that the scammers accountable will continue to evolve their strategies in future campaigns.

SEC: Watch Out for Hurricane Ida Related Investment Scams


The Securities and Exchange Commission (SEC) has issued a warning about fraud associated with Hurricane Ida, which wreaked havoc in numerous states last week with torrential rain and tornadoes, leaving millions without power. 

The SEC's Office of Investor Education and Advocacy releases investor alerts regularly to caution investors about the latest investment frauds and scams. Fraudsters would most likely target people who may receive compensation from insurance companies in the form of huge payouts as a direct result of Hurricane Ida's destruction. 

The SEC explained, “These scams can take many forms, including promoters touting companies purportedly involved in cleanup and repair efforts, trading programs that falsely guarantee high returns, and classic Ponzi schemes where new investors' money is used to pay money promised to earlier investors." 

"Some scams may be promoted through email and social media posts promising high returns for small, thinly-traded companies that supposedly will reap huge profits from recovery and cleanup efforts." 

AccuWeather CEO, Dr Joel Myers calculated that Hurricane Ida caused almost $95 billion in total damage and economic loss. Millions of individuals will now have to deal with insurance companies to cover the cost of water damage and other difficulties caused by the hurricane's aftermath. 

The SEC added that following the devastation by Hurricane Katrina in 2005, they were compelled to take action against hundreds of false and misleading statements concerning alleged business prospects.

Precautionary Measures

In the context of mitigating the risk and taking preventive measures, the SEC urged, "Be sceptical if you are approached by somebody touting an investment opportunity. Ask that person whether he or she is licensed and whether the investment they are promoting is registered with the SEC or with a state." 

"Take a close look at your entire financial situation before making any investment decision, especially if you are a recipient of a lump sum payment. Remember, your payment may have to last you and your family for a long time." 

This advisory follows the one issued by the FBI's New Orleans office, which warned the public about an elevated risk of scammers attempting to profit from the natural calamity. 

"Unfortunately, hurricane or natural disaster damage often provides opportunities for criminals to scam storm victims and those who are assisting victims with recovery," the FBI warned. 

The FBI also offered a list of safeguards that victims of natural disasters should follow to avoid getting scammed, including: 
  • Unsolicited (spam) emails should be ignored. 
  • Be cautious of anyone posing as government officials and requesting money via email. 
  • Do not click on links in unsolicited emails. 
  • Only open attachments from known senders; be wary of emails purporting to have photos in attached files, as the files may contain viruses. 
  • Do not give out personal or financial information to anybody asking for donations; doing so might jeopardize your identity and leave you vulnerable to identity theft. 
  • Be vigilant of emails purporting to provide employment. 
  • Before transferring money to a potential landlord, do your research on the advertisement.

Driver's License Exploitation Scams Surge


The Covid epidemic has provided a ripe opportunity for cybercriminals, who are exploiting confusion around expiring driver's licenses to steal personal information from targeted individuals. 

According to Stateline, the “phishing” scams benefit from the fact that several nations have made emergency declarations permitting driver's licenses to remain in force beyond their expiry dates. As those extensions expire, drivers must now ensure that their licenses are updated, and scammers are taking full advantage of that shift, according to Stateline. 

In conventional phishing, cybercriminals send malicious links or attachments via email, and victims inadvertently click on them. Fraudsters who use text messages instead are conducting what is known as "SMS phishing" or "smishing." 

According to state motor vehicle agencies, driver's license phishing attempts that aim to steal identities and personal information have already been sprouting up across the United States. Iowa, Minnesota, Ohio, Vermont, and Wyoming are among the states in which the frauds have been detected so far. 

Scam artists send out SMS messages or emails falsely claiming that the target's license needs an urgent update because some information is missing, or that it is about to expire and will be invalid within a few days. When a person clicks the hyperlink, a Google Forms page requesting personally identifiable information such as a Social Security number and date of birth is often opened. 

“It’s despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.” 

A large number of people in Illinois, according to Druker, received texts and emails from fraudsters posing as the secretary of state or as employees of the state transportation department. Druker added that he did not know whether anyone had fallen for the ruses. 

After learning of the phishing and smishing campaigns, Illinois officials notified the FBI and IRS, which collaborated with Google to remove the bogus webpages. According to Druker, the authorities have discovered 1,035 such sites so far, and Google has taken down nearly 900 of them. 

As per a notice issued earlier this month by the U.S. Department of Health and Human Services' Office of Inspector General, fraudsters are now employing door-to-door visits, along with telemarketing calls, messages, and social networking sites, to conduct COVID-19-related frauds. 

“Do not provide personal, medical, or financial details to anyone in exchange for vaccine information, and obtain vaccinations from trusted providers,” the Office of Inspector General urges. 

“Posting content that includes your date of birth, health care details, or other personally identifiable information can be used to steal your identity,” said the Inspector General’s office.

Scammers Use Fake DMCA Complaints, DDoS Threats to Deploy BazaLoader Malware


Threat actors responsible for the BazaLoader malware designed a brand-new lure to trick website owners into opening malicious files: fake notifications claiming the website is involved in distributed denial-of-service (DDoS) attacks.

The notifications contain a legal threat and a link to a file stored in a Google Drive directory that supposedly provides evidence of the source of the attack. 

Phony legal threats 

The DDoS theme is a variation of another lure, a Digital Millennium Copyright Act (DMCA) infringement complaint, with a link to a file that allegedly contains documentation of the copyright infringement.

Brian Johnson, a website developer and designer, posted last week about two of his clients receiving legal notifications claiming that their websites had been hacked to run DDoS attacks against a major company (Intuit, Hubspot). The sender threatened the recipients with a lawsuit unless they “immediately cleaned” their websites of the malicious files that supposedly assisted in the DDoS attack. 

“I have shared the log file with the recorded evidence that the attack is coming from [] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” read the fake alert. 

The malicious sender also included a link to a file hosted in Google Drive claiming to provide evidence of the DDoS attack and its origin.

Earlier this year in April, Microsoft researchers warned about this technique used by attackers to deliver IcedID. At the time, only the lure and the payload were different. It was Matthew Mesa, a security researcher at Proofpoint, who unearthed that the campaign is sending out phishing emails that drop the BazaLoader malware.

Cybersecurity website BleepingComputer has received many of these infringement alerts over the past few months, with accusations of using protected images without the owner’s consent. The notification provides a link to a file that supposedly lists the images used without authorization. The file is hosted in Google’s Firebase cloud storage. 

To make the matter seem urgent, the sender additionally points out that the website’s owner is “possibly be liable for statutory damage as high as $120,000.” However, it is all a stunt to deliver malware.

Cybersecurity researcher Brad Duncan analyzed the file and spotted it was a ZIP archive with JavaScript that gets the BazaLoader DLL, a backdoor associated with the TrickBot gang that generally leads to a ransomware infection. The malware then reaches its command and control (C2) server and gets Cobalt Strike, a penetration-testing tool largely exploited by attackers to maintain persistence and supply other payloads. 

The fake notifications are quite convincing and can increase the chances of receiving a "safe" mark from email security solutions. It is important to be vigilant and look for signs of malicious intent, such as incomplete contact information, poor grammar, and suspicious links to avoid falling into this social engineering trap, researchers advised.
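The signs listed above (legal-threat wording, a deadline, a link to a consumer file-sharing host, an archive or script file, and no real contact details) are the same ones that give away the driver's-license smishing messages described earlier. The following is an added example, not code from Proofpoint, BleepingComputer or any researcher quoted on this page, of turning those signs into a simple triage scorer that a mail-filter rule or help-desk tool could run. The three sample messages are constructed, and the term lists and the score threshold are assumptions.

```python
"""Added example: heuristic lure scorer for legal-threat and 'update your
record' phishing emails. Looks for the red flags named in the article:
links to consumer file-sharing hosts, legal-threat wording, deadline
pressure, requests for identity data, archive/script files, and a missing
contact block. Term lists, threshold and sample messages are assumptions."""
import re
from urllib.parse import urlparse

# Hosts that legitimate legal departments do not use to serve 'evidence'
FILE_SHARING_HOSTS = {
    "drive.google.com", "docs.google.com", "forms.gle",
    "firebasestorage.googleapis.com",
}
LEGAL_THREAT_TERMS = [
    "lawsuit", "statutory damages", "legal action", "infringement", "dmca",
    "ddos attack", "criminal", "prosecution",
]
PII_TERMS = ["social security number", "date of birth", "driver's license number",
             "account number", "card number"]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
DEADLINE_RE = re.compile(r"\b(within|in) \d+ (hours|days)\b")
ARCHIVE_RE = re.compile(r"\.(zip|js|iso|img|rar)\b")
PHONE_RE = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}")


def extract_urls(text):
    return URL_RE.findall(text)


def score_lure(subject, body):
    """Return the list of red flags found; an empty list means no flags."""
    findings = []
    text = f"{subject}\n{body}".lower()
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARING_HOSTS or host.endswith(".firebaseapp.com"):
            findings.append(f"link to consumer file-sharing host: {host}")
    if any(t in text for t in LEGAL_THREAT_TERMS):
        findings.append("legal threat language")
    if DEADLINE_RE.search(text):
        findings.append("deadline pressure")
    if any(t in text for t in PII_TERMS):
        findings.append("requests identity data")
    if ARCHIVE_RE.search(text):
        findings.append("archive or script file mentioned")
    if not PHONE_RE.search(body):
        findings.append("no phone number in contact block")
    return findings


def verdict(subject, body, threshold=3):
    """'suspicious' when at least `threshold` flags fire, else 'ok'."""
    return "suspicious" if len(score_lure(subject, body)) >= threshold else "ok"


# Constructed sample messages (not real emails)
DMCA_LURE = (
    "DMCA Copyright Infringement Notification",
    "Our records show your website uses images without the owner's consent. "
    "You may be liable for statutory damages as high as $120,000. Evidence is "
    "available here: https://firebasestorage.googleapis.com/v0/b/example-bucket/o/evidence.zip "
    "Remove the images within 72 hours or we will file a lawsuit.",
)
LICENSE_LURE = (
    "Action required: update your driver's license",
    "Your license record is missing information and will be invalid in 3 days. "
    "Update it now: https://docs.google.com/forms/d/e/EXAMPLE/viewform "
    "Provide your Social Security number and date of birth to continue.",
)
BENIGN = (
    "Invoice 1043 for August",
    "Attached is your invoice for August. Questions? Call us at 555-010-2000 "
    "or reply to this email. Thanks, Accounts team, Example Corp.",
)

if __name__ == "__main__":
    for subject, body in (DMCA_LURE, LICENSE_LURE, BENIGN):
        print(subject, "->", verdict(subject, body), score_lure(subject, body))
```

None of these flags is decisive alone (real DMCA notices do mention lawsuits, and real agencies do set deadlines), which is why the scorer counts them rather than blocking on any one; the combination of a threat, a countdown and a download from a consumer file host is what separates the lures above from legitimate mail.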

Fraudsters Pose as Europol Chief in an Attempt to Steal Victims PayPal Account Details


The federal police's Computer Crime Unit is looking into an identity fraud case concerning Catherine De Bolle, the executive head of the EU's law enforcement organization Europol. Fraudsters are masquerading as the director of Europol, the European Union's law enforcement organization, to mislead individuals into providing their financial information. 

The European Union Agency for Law Enforcement Cooperation, popularly known as Europol and previously called the European Police Office and Europol Drugs Unit, is a law enforcement agency of the European Union (EU) constituted in 1998 to manage criminal intelligence and counteract serious international organized crime and terrorism through cooperation among the competent authorities of EU member states. The Agency has no executive powers, and its personnel are not authorized to detain suspects or act without prior consent from the appropriate authorities in the member states. 

According to the Brussels Times, Belgian police have received numerous reports of emails purporting to be from Catherine De Bolle, Europol's executive director. The email accuses the recipient of child pornography and sex trafficking offences in an attempt to steal the recipient's PayPal account details. 

Catherine De Bolle took over as Europol's executive director in 2018, following Rob Wainwright, whose tenure ended on May 1, 2018. She was previously the top commissioner of the Belgian federal police (1 March 2012–1 May 2018) as well as the police chief of zone Ninove (2001–2012). 

Europol, which had expressed concerns against this type of scam in April, asked web users not to fall for this fraud once again. 

“Our executive director would never contact members of the public threatening individuals with opening a criminal investigation,” tweeted Europol, which does investigate lots of actual cybercrime. 

The email is written in French, and the sender introduces itself as a COPJ (communication by an officer of the judicial police) and begins: 

“At the request of Ms. Catherine De Bolle, Commissioner General of the Federal Police, elected to the post of Director of Europol — Brigade for the Protection of Minors (BPM), we are sending you this invitation. […] We are initiating legal proceedings against you for child pornography, pedophilia, exhibitionism, cyber pornography, and sex trafficking.” 

This email sent to individuals intimidates the receiver with criminal prosecution if they do not respond within 72 hours. 

“After this deadline, we will be obliged to send our report to the deputy prosecutor at the high court in Créteil [a suburb of Paris] and a cybercrime specialist to establish an arrest warrant against you.” 

This wasn't the first instance of Director De Bolle's name being used in a phishing scam. Another fraudulent email invoked her authority, and that of her successor as commissioner-general of the federal police, Marc De Mesmaeker, in March of this year. 

According to the FBI's Internet Crime Complaint Center, 12,827 individuals in the United States reported being victims of "government impersonation scams" in 2020, leading to losses of about $110 million. 

Separately, Check Point analysts disclosed in April 2020 that a ransomware gang was locking Android phones, accusing victims of possessing sexually explicit material and asserting that their personally identifiable information had been transmitted to an FBI data center.

Among the most high-profile impersonation frauds, one came in July 2020, when fraudsters stole over $118,000 in bitcoin by hacking more than 100 famous Twitter accounts, including those of then-Amazon CEO Jeff Bezos and then-Democratic presidential contender Joe Biden.

Scammers Steal Victims Cryptowallets And NFTs, Posing as OpenSea Agents


A significant Discord phishing attack aimed at stealing cryptocurrency funds and NFTs has hit OpenSea users. For the past week, cybercriminals have been lurking on OpenSea's Discord server, masquerading as authorized support representatives for the website. These bogus employees offer private support to an OpenSea user in need, resulting in the loss of the cryptocurrency and NFT collectibles held in the victim's MetaMask wallet. 

OpenSea is the world's largest NFT marketplace, with a 542 percent rise in volume over the last month, accounting for over half of the company's entire lifetime transaction volume of $2.423 billion. 

OpenSea is a peer-to-peer marketplace for crypto collectibles and non-fungible tokens. It encompasses collectibles, gaming items, and other virtual products secured by a blockchain. A smart contract on OpenSea allows anybody to buy or sell these products. In this case the fraudsters exploited the way the site's support process works. 

Whenever an OpenSea user requires assistance, they could contact the site's help center or the site's Discord server. Later when the user joins the Discord server and publishes a help request, fraudsters lurking on the server immediately start sending the user personal messages. These messages include an invitation to an OpenSea Support server to receive further assistance. 

Jeff Nicholas, an artist who was a victim of this fraud, informed Bleeping Computer that after joining the bogus OpenSea support server, the scammers urged him to open the tab on screen sharing so that they could offer assistance and guidance in resolving the issue. 

“Lots of grooming, processing through the issue pulling you in. Then ask you to screen share so they can see what you are seeing”, Nicholas told. 

“Say you require to resync your MM and at this point you're sort of stuck into fixing this thing whatever it is. Pull up QR code and it immediately says “synced” (because they scanned it). So then they have your seed phrase (without actually having it),” he explained.  

It is possible to sync the mobile MetaMask wallet with the Chrome extension by going to 'Settings', clicking on 'Advanced', and thereafter tapping 'Sync with mobile'. On this screen, users would be required to enter the password and then a QR code would be generated. 

The MetaMask mobile app scans this QR code to synchronize and import the user's Chrome wallet immediately. However, anyone who can see this QR code, including the bogus support representatives watching the shared screen, can take a screenshot and use that snapshot to synchronize the wallet into their own smartphone app. 

Once the bogus support agents scan the QR code with their smartphone app, they gain complete access to the cryptocurrency and any NFT collectibles stored in the wallet. The victims' assets are then transferred to the threat actors' wallets. 

To avoid having the wallets swiped by these types of frauds, one must never disclose their wallet's recovery keys, password phrases, or QR codes used for synchronizing. 

“Saddened to listen an OpenSea user was the victim of a significant phishing attack last night,” read a tweet by OpenSea’s Head of Product Nate Chastain. “The scammer masquerades as an OpenSea employee and has the user scan a QR code granting wallet access. Please be attentive and direct support requests through our Help Center/ZenDesk.”

COVID19 Vaccine Fraudsters Targeted Health Authorities in 40 Countries


INTERPOL has issued a global alert regarding organized criminal organizations approaching governments and peddling COVID-19 vaccinations through fraudulent offers. 

After INTERPOL reported about 60 incidents from 40 nations, the international law enforcement organization sent a warning to all 194 member countries. 

The staff of hospitals and health ministries was targeted, with fraudsters promising to offer COVID-19 vaccinations that had been licensed for distribution in their respective countries. To mislead their victims, the hackers pretended to be executives of vaccine manufacturers or government officials in charge of vaccine distribution. 

To close the deal, the fraudsters targeted their victims' work and personal email accounts and also tried to reach them by phone, cold-calling them to pitch the fraudulent vaccines. The fraudsters' techniques should raise certain red flags, as vaccine purchases are negotiated at the government level or, in the case of the European Union (EU), by a special Joint Negotiation Team.

Vaccine producers also played a key role in drafting the warning, since INTERPOL based it on information supplied by the manufacturers, stressing additional scam strategies such as the use of counterfeit websites and social media profiles. 

The INTERPOL Secretary General Jürgen Stock stated, “As we see with cybercrime, usually it is the private sector which has the most information about attacks and trends, which is exactly what has happened with these attempted vaccine scams. Even when a fraud fails, it is important that it is reported to the police so that potential links can be identified and also, as in the case of the alert INTERPOL has issued, to warn law enforcement about these threats.” 

He further said that with the pandemic still spreading and nations striving to vaccinate their citizens promptly and safely, the vaccine rollout process needed to be safeguarded from the beginning of the production process until the vaccines are distributed. 

An Ongoing Issue

INTERPOL and the Homeland Security Investigations (HSI) of the United States published a joint alert earlier this year advising against the purchase of fraudulent COVID-19 vaccinations and treatments. 

Throughout the COVID-19 pandemic, cybercriminals have been highly active, attacking everyone from ordinary individuals to medical companies and government agencies engaged in the vaccine development, approval, and distribution process.  

Scammers have deployed a series of COVID-19 vaccine-related frauds in the past year, hacked an Oxford University research lab working on strategies to prevent the COVID-19 pandemic, and even hacked the European Medicines Agency and disclosed stolen vaccine papers. 

To avoid being scammed, using a trustworthy security solution with a spam filter is one of the simplest ways to remain secure. If people get an unsolicited email from someone they don't know, they should be extremely cautious and look out for general red flags.

Nigerian Threat Actor Offers $1 million to Insiders for Planting Ransomware


Researchers at Abnormal Security have identified a Nigerian threat actor attempting to recruit employees by offering to pay them $1 million in Bitcoin to deploy Black Kingdom ransomware on their companies’ computers or Windows servers as part of an insider threat scheme. 

“The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in Bitcoin or 40% of the presumed $2.5 million ransom. The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username,” researchers explained in a report published on Thursday. 

Earlier in March, Black Kingdom, also widely known as DemonWare, caught the attention of the researchers when attackers were found abusing ProxyLogon vulnerabilities affecting Microsoft Exchange Servers to infect an unpatched system with the ransomware strains. 

Security researchers identified and blocked phishing emails on August 12 that solicited recipients to infect their employers’ networks with ransomware. Researchers created a fake identity to communicate with the ransomware operator — who went by the screen name “Pablo”.

Crane Hassold, director of threat intelligence for Abnormal Security, communicated with the ransomware operator via Telegram and was able to talk the mastermind into sending what turned out to be a file named “Walletconnect (1).exe” containing the ransomware. The amount of the planned ransom demand changed, dropping from $2.5 million to as low as $120,000. 

“At one point in the conversation, we asked the actor if he had created the ransomware himself or if he was just using it. The actor told us that he ‘programmed the software using python language. In reality, however, all of the code for DemonWare is freely available on GitHub. … In this case, our actor simply needed to download the ransomware from GitHub and socially engineer someone to deploy the malware for them,” Hassold wrote in the blog post. 

The use of the DemonWare malware “demonstrates the appeal of ransomware-as-a-service, as it lowers the barrier of entry for less technically sophisticated actors to get into the ransomware space,” Hassold added.

Researchers believe the ransomware operator with whom they communicated was likely Nigerian, “based on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website”.

A signature style of Nigerian fraudsters is social engineering, most infamously in the “Nigerian prince” schemes in which scammers attempt to lure victims to send money under another guise. “It makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.

US Military Personnel Lost Over $822m to Cyber Frauds


US military personnel lost over $822 million to various kinds of internet crime and scams between 2017 and 30 June 2021, according to a recent report published by AtlasVPN researchers.

The researchers analyzed data compiled by the US Federal Trade Commission (FTC), which handles such fraud complaints. During the analysis they found that more than 836,374 reports of fraud, identity theft, and other consumer concerns were filed by military personnel between 2017 and 30 June 2021.

The FTC has divided US military members into three categories. The complaints from reservists and family members fall into the first category. The second group consists of complaints from active-duty personnel only, followed by the third group containing veteran and military retiree complaints. 

The first category, military families and reservists, lost $484.4 million, which accounted for 59% of all military monetary damages, and submitted around 322,000 unique complaints. The second group, active-duty service members, was the least affected, with a $47.6 million loss since 2017 and the fewest complaints.

The third category, veterans and retirees, whose financial damages account for 35% of all losses ($290.1 million), fell prey to a wide range of cybercrimes; the median loss in this category is $700, while the median loss suffered by active-duty service personnel was $600.

Romance scams, also known as catfishing, topped the list of cyber scams that military personnel were found to be vulnerable to, with threat actors luring out a whopping $92 million via these scams. Though catfishing is a widespread scam, victims are still not afraid to send large amounts of money to someone they met online. US military personnel also lost nearly $90.2 million to bogus investments; the median loss there was not far behind romance scams, hovering at $2,000.

"Even though the US has numerous task forces to deal with this growing epidemic of internet crime, each individual should be cautious and stay on the lookout for any red flags when dealing with internet-related money transfers," said AtlasVPN cybersecurity researcher and writer Edward Garb, who also shared advice on how to avoid cyber scams.

New Robocall Bot on Telegram can Trick Targets Into Giving Up Their Password


Researchers at CyberNews have identified a new form of automated social engineering tool that can harvest one-time passwords (OTPs) from users in the United States, the United Kingdom, and Canada. 

Without any direct contact with the victim, the so-called OTP Bot can trick victims into handing criminals the credentials to their bank accounts, email, and other internet services. It is bad enough for a potential victim to have to listen to a person trying to scam them by taking advantage of their good nature; with this bot, no human caller is even needed.

A new type of bot-for-hire is conquering the field of social engineering: OTP Bot, the latest malicious Telegram bot, uses robocalls to trick unsuspecting victims into handing over their one-time passwords, which fraudsters then use to log in and empty their bank accounts. Even worse, the newfangled bot's user base has exploded in recent weeks, with tens of thousands of people signing up.

How Does OTP Bot Work?

OTP Bot is the latest example of the emerging Crimeware-as-a-Service model, in which cybercriminals rent out destructive tools and services to anybody ready to pay, according to CyberNews expert Martynas Vareikis. After purchasing access, users can collect one-time passwords from innocent people simply by typing the target's phone number, along with any extra information obtained from data leaks or the black market, into the bot's Telegram chat window.

“Depending on the service the threat actor wishes to exploit, this additional information could include as little as the victim’s email address,” says Vareikis. The bot is being marketed on a Telegram chat channel with over 6,000 users, allowing its owners to make a lot of money by selling monthly memberships to cybercriminals. Meanwhile, its users brag about their five-figure profits from robbing their targets' bank accounts. 

Bot-for-hire services, according to Jason Kent, hacker in residence at Cequence Security, have already commoditized the automated threat industry, making it very easy for criminals to get into social engineering.

Kent told CyberNews, "At one time, a threat actor would need to know where to find bot resources, how to cobble them together with scripts, IP addresses, and credentials. Now, a few web searches will uncover full Bot-as-a-Service offerings where I need only pay a fee to use a bot. It's a Bots-for-anyone landscape now and for security teams."

Gift cards make the scam go-round: 

Card linking is the most common scamming tactic used by OTP Bot subscribers. It involves linking a victim's credit card to the scammer's mobile payment app account and then purchasing gift cards in physical stores with it.

“Credit card linking is a favorite among scammers because stolen phone numbers and credit card information are relatively easy to come by on the black market,” reckons Vareikis. 

“With that data in hand, a threat actor can choose an available social engineering script from the chat menu and simply feed the victim’s information to OTP Bot.” 

The bot then calls the victim's number using a fake caller ID, posing as a support representative, and tries to trick them into reading out their one-time password, which is needed to log in to the victim's Apple Pay or Google Pay account. After logging in with the stolen one-time password, the threat actor can link the victim's credit card to the payment app and go on a gift card buying spree in a nearby physical store.

Scammers use linked credit cards to buy prepaid gift cards for one simple reason: they leave no financial footprint. This is particularly useful during a pandemic, when mask regulations are in effect in almost all indoor spaces, making it considerably easier for criminals to conceal their identities throughout the process.

Since its release on Telegram in April, the service looks to be gaining a lot of momentum, especially in the last few weeks. The OTP Bot Telegram channel currently has 6,098 members, a massive 20 percent growth in just seven days. 

The ease of use and the bot-for-hire model, which allows unskilled or even first-time fraudsters to rob their victims with minimal input and zero social contact, appear to be some of the reasons for the rapid rise. In fact, some OTP Bot users blatantly broadcast their success stories in the Telegram channel, flaunting their ill-gotten gains to other members.

Based on the popularity of OTP Bot, it is apparent that this new sort of automated social engineering tool will only grow more popular. Indeed, it will only be a matter of time until a slew of knockoff services hit the market, attracting even more fraudsters looking to make a fast buck off unsuspecting victims.

The creator of Spyic, Katherine Brown, warns that as more bots enter the market, the opportunities for social engineering and abuse will grow exponentially. “This year we’ve already seen bots emerge that automate attacks against political targets to drive public opinion,” says Brown. 

The growth of social engineering bots-for-hire is even more alarming, according to Dr. Alexios Mylonas, senior cybersecurity lecturer at the University of Hertfordshire, since the pandemic has put greater limitations on our social connections. 

"This is particularly true for those who are not security-savvy. Threat actors are known to use automation and online social engineering attacks, which enables them to optimize their operations to achieve their goals, and the CyberNews team has uncovered yet another instance of it," Mylonas told CyberNews.

How to Recognize Social Engineering Scams?

Keeping all of this in mind, knowing how to detect a social engineering attempt is still critical for protecting your money and personal information. Here's how to do it:

1. Don't answer calls from unknown numbers.

2. Never give out personal information: names, usernames, email addresses, passwords, PINs, and any other information that could be used to identify you fall into this category.

3. Don't fall into the trap: scammers frequently create a false sense of urgency to get targets to hand over their personal information. If someone is pressuring you into making a decision on the spot, hang up or say you will call back later. Then dial the toll-free number of the firm they claim to represent.

4. Don't trust caller ID: by spoofing names and phone numbers, scammers can impersonate a firm or someone from your contact list.

Financial service companies, on the other hand, never call their clients to validate personal information. They will simply block the account if they detect suspicious behavior and expect the user to contact the firm through official means to fix the problem. As a result, be watchful, even if the caller ID on your phone screen appears to be legitimate.

The FBI and SEC Provided Guidance Against Imposter Scams


The FBI and SEC have issued new guidance to help investors fight financial scams. Users are advised to reject and report fraud if they want to protect their business from scams and keep their money from being paid to an imposter.

Among various sectors, consumer markets have taken a major hit as stringent lockdowns have brought economic activity to a standstill. 

Nowadays, cyber-attackers employ highly sophisticated tricks to carry out financial scams. According to the FBI's Criminal Investigative Division and the United States Securities and Exchange Commission, fraudsters pose as real brokers or investment advisers to trick users. Once they have gained the investor's trust, the fraudsters can trick them into surrendering more information.

The FBI and the SEC said that cybercriminals are using very advanced techniques to pass as real investment professionals, including fake social media profiles and fake websites that look identical to those of legitimate firms, while hiding their actual locations.

In addition, cybercriminals have been falsifying legitimate documents, such as public reports carrying the real identity and Central Registration Depository (CRD) number of a registered professional but the name of an unregistered firm. The fraudulent solicitations reportedly contained poor grammar and spelling errors. Besides the FBI and the SEC, a similar warning was issued by FINRA last week.

"The doctored BrokerCheck report was emailed to potential “clients” using the name and CRD number of a registered investment professional—but with a company that is not registered as a broker-dealer with FINRA..." 

"...The solicitation included other documentation and a request for investors to respond with a photo of their driver's license and other personal information...", FINRA wrote.

Safety Measures

• According to the FBI and SEC, if someone claims that an investment is legitimate, users should research the person's name and verify them thoroughly.

• Be wary of offers that sound too good to be true, such as high investment returns.

• Before going ahead with any firm, investors are advised to verify it using FINRA's BrokerCheck.

• The FBI and SEC also highlighted that most licensed and registered investment organizations don't allow investors to use credit cards or cryptocurrencies to invest, so think twice before making such investments.

• At the time of payment, investors are advised not to send money without verifying the recipient. Also, never send personal data such as date of birth, driver's license number, or any other official documents.

Microsoft Warns Office 365 Users of 'Sneaky' Phishing Campaign


Microsoft's Security Intelligence staff has issued an alert to Office 365 users and administrators to watch out for a sneaky phishing email with fake sender addresses.

Researchers at Microsoft noticed an active campaign targeting Office 365 organizations with convincing emails and several strategies to evade phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that entices victims to enter their credentials.

“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters," the Microsoft Security Intelligence team said in an update. 

“The original sender addresses contain variations of the word "referral" and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting.”

The fraudsters use "Microsoft SharePoint" in the display name to tempt victims into clicking the link. Researchers identified phishing emails that appeared to come from a trusted source. Many of these emails contained a "file share" request to access bogus "Staff Reports", "Bonuses", "Pricebooks", and other content supposedly hosted in an Excel spreadsheet. The emails also contained a link leading to the phishing page, along with plenty of Microsoft branding.

“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” Microsoft notes.

Phishing campaigns have skyrocketed with the rise of remote work due to Covid-19. Phishing remains a difficult problem for businesses to stamp out, requiring regularly updated awareness training and technical controls such as multi-factor authentication on all accounts, which both Microsoft and CISA strongly recommend.

According to the FBI's latest figures, phishing attacks cost Americans more than $4.2 billion last year. Fraudsters employ business email compromise (BEC) attacks, which rely on compromised email accounts or email addresses that resemble legitimate ones and are difficult to filter because they blend into normal, expected traffic. BEC attacks are far more costly than high-profile ransomware attacks.

Researchers at Microsoft have published details on GitHub of the infrastructure connected to the spoofed emails mimicking SharePoint and other products for credential phishing. "The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages," Microsoft added.

Chipotle's Email Marketing Account Compromised to Spread Malware


In mid-July, a new phishing attack was detected that used a compromised mailing service account. In the four days between July 13, 2021, and July 16, 2021, the anti-phishing company Inky uncovered 121 phishing emails from this campaign.

In May 2021, Nobelium (suspected of being behind the SolarWinds attack) tried a similar phishing method. Microsoft reported in May on a Nobelium campaign in which fraudulent emails were delivered to 3,000 accounts across 150 companies in 24 countries. All of the fraudulent emails were sent through the Constant Contact mailing service, using the hacked account of the US Agency for International Development (USAID).

Inky, the anti-phishing firm that identified the new campaign, says the number it observed is likely a small fraction of the total emails sent. Inky states in its report that it is examining whether the current campaign was initiated by the same threat actor or by copycat criminals using the same approach as Nobelium.

The method involves compromising a legitimate mail service user's account. In the most recent instance the account belonged to Chipotle, a fast-food chain, and the mail provider was Mailgun. Because the emails come from high-reputation sources and look authentic, this approach has a high success rate.

Since they come from a high-reputation IP address (Mailgun's) and pass SPF and DKIM authentication, the emails clear many automated phish detection systems.

Of the 121 phishing emails discovered, two were vishing attacks (phony voicemail alerts with malware attachments), 14 impersonated USAA Bank, and 105 impersonated Microsoft. Inky does not specify what malware was used in the vishing attacks, nor does it name the firms that were phished.

A mail.chipotle[.]com link in the 14 USAA Bank impersonations led to a fraudulent USAA Bank credential-harvesting site, a convincing copy of the legitimate bank site complete with a flawless USAA logo.

The researchers commented, “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born.” 

The majority of the phishing emails masquerade as coming from Microsoft. This is predictable, given that nearly everyone has a Microsoft account, and almost all such accounts store a wealth of information (other logins, trade secrets, financial details, and more).

In the sample presented by Inky, the email is sent by "Microsoft 365 Message Center" and the subject reads "You have (7) clustered/undelivered emails 16 July 2021". This should not mislead an informed user, who would wonder why Microsoft is sending email through a fast-food chain, but it may deceive automated detection systems that rely heavily on sender reputation.

The email's body is a classic fraud trap. Seven emails for the target have supposedly been held up due to storage difficulties but are now ready for collection (the curiosity trigger). Ignoring the notification may result in the account being disabled (the fear trigger). Then there is a button that says "Release messages to the inbox". When the user clicks it, they are sent to a fake Microsoft login page that harvests their credentials.

The key to identifying this sort of phishing email is the mismatch between the sender's display name (here Microsoft, USAA, or VM Caller ID) and the actual sending address (here postmaster[@]chipotle[.]com): the former is unlikely to send email via the latter. Secure email gateways, however, frequently verify only whether the sending domain is authentic and whether the email comes from an approved range of IP addresses.
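The display-name versus sending-domain mismatch described here, and the "referral"/com[.]com sender traits from the Office 365 post above, as one defender-side check (an added illustration, not Microsoft's or Inky's detection logic; the brand allow-list, the simplified From: parser and the three sample messages are assumptions constructed for this example):

```python
"""Heuristics for the From: header patterns in the Office 365 and
Chipotle/Mailgun posts. Added example; brand list, parser and samples are
constructed assumptions, not real captures."""
import re
from email import message_from_string

# Brand words seen in spoofed display names, mapped to domains the brand would
# legitimately send from (assumption: a defender-maintained allow-list).
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com"),
    "sharepoint": ("microsoft.com", "sharepointonline.com"),
    "usaa": ("usaa.com",),
}

# Sender-domain traits Microsoft called out: "referral" variants and com.com.
LOOKALIKE_PATTERNS = (
    re.compile(r"referr?al", re.I),
    re.compile(r"\.com\.com$", re.I),
)

# Simplified From: parser (assumption): quoted or bare display name followed
# by <address>, or a bare address with no display name.
FROM_RE = re.compile(r'^\s*(?:"([^"]*)"|([^<]*?))\s*<([^>]+)>\s*$')


def split_from(header):
    """Return (display name, address) from a From: header value."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip()
    display = m.group(1) if m.group(1) is not None else m.group(2)
    return display.strip(), m.group(3).strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def under_domain(host, base):
    return host == base or host.endswith("." + base)


def auth_passed(msg):
    """True when Authentication-Results reports both spf=pass and dkim=pass."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return "spf=pass" in results and "dkim=pass" in results


def assess_sender(raw_message):
    """Return a list of findings about the From: header; empty means clean."""
    msg = message_from_string(raw_message)
    display, addr = split_from(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. Brand in the display name, mail sent from an unrelated domain
    #    (the "Microsoft 365 Message Center" <postmaster@chipotle.com> case).
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and not any(under_domain(sender_domain, d) for d in legit):
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Display name embeds an e-mail address (the target's own identity)
    #    whose domain differs from the real sending domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != sender_domain:
        findings.append(f"display name embeds address at {m.group(1).lower()} but sender domain is {sender_domain}")

    # 3. Sending domain matches one of the lookalike traits.
    for pat in LOOKALIKE_PATTERNS:
        if pat.search(sender_domain):
            findings.append(f"sender domain {sender_domain} matches lookalike pattern {pat.pattern}")

    # 4. SPF/DKIM passing only proves the sending domain authorised the mail;
    #    record it so analysts see why gateway checks alone were not enough.
    if findings and auth_passed(msg):
        findings.append("SPF/DKIM passed for the sending domain; authentication does not vouch for the display name")
    return findings


# Constructed samples modelled on the two campaigns (not real captures).
SAMPLE_OFFICE365 = """\
From: "alice@contoso.example via SharePoint" <referral@sharepoint-referral.com.com>
To: alice@contoso.example
Subject: Staff Reports shared with you

Open the Excel spreadsheet to view Bonuses and Pricebooks.
"""

SAMPLE_MAILGUN = """\
From: Microsoft 365 Message Center <postmaster@chipotle.com>
To: bob@contoso.example
Authentication-Results: mx.contoso.example; spf=pass smtp.mailfrom=chipotle.com; dkim=pass header.d=chipotle.com
Subject: You have (7) clustered/undelivered emails 16 July 2021

Release messages to the inbox.
"""

SAMPLE_BENIGN = """\
From: Alice Smith <alice@contoso.example>
To: bob@contoso.example
Subject: lunch

see you at noon
"""

if __name__ == "__main__":
    for name, sample in (("office365", SAMPLE_OFFICE365), ("mailgun", SAMPLE_MAILGUN), ("benign", SAMPLE_BENIGN)):
        print(name, assess_sender(sample) or ["no findings"])
```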

Swedish Crypto Scammer Jailed for 15 Years in Gold-Backed Fraud


A citizen of Sweden was sentenced to 15 years in prison for running a cryptocurrency scam that claimed to pay investors based on the value of gold reserves.

Roger Nils-Jonas Karlsson, 47, and his firm, Eastern Metal Securities (EMS), were charged with securities fraud, wire fraud, and money laundering in March this year, after his arrest in Thailand in 2019 and subsequent extradition to the United States for prosecution.

Karlsson claimed to operate a cryptocurrency-based investment service, and investors who participated in EMS from 2012 to 2019 were offered a plan to buy shares for less than $100 and ultimately realize a return equivalent to 1.15 kilograms of gold. In 2019, 1.15 kg of gold was worth more than $45,000; today it could be worth over $58,000.

To participate in the scheme, investors were asked to buy shares with cryptocurrency, namely Bitcoin (BTC) and Ethereum (ETH). Moreover, investors were told that in the "unlikely" event the shares failed to reach their promised value, participants would have 97% of their initial investment returned.

Karlsson kept EMS running for as long as possible through frequent rebranding and updates offering asset statements. Additionally, to explain payment delays, he misleadingly argued that suddenly paying out such a large sum would damage the international monetary system and that the company was working with the US Securities and Exchange Commission (SEC).

However, as is commonly the case with extreme promised returns, the offer was too good to be true. Investors saw no profit; instead, Karlsson, who also used online aliases such as Steve Hayden, Euclid Deodoris, and Joshua Millard, pocketed the cryptocurrency and used the money to buy properties and a resort in Thailand. US prosecutors estimate that investors were defrauded of more than $16 million.

"Karlsson admitted he had no way to pay off the investors. Karlsson's fraud targeted financially insecure investors, causing severe financial hardship for many of them,” the US Department of Justice (DoJ) said.

In addition to the 15-year sentence, Karlsson has been ordered to forfeit the resort in Thailand, other properties and accounts, and faces a financial judgment of $16,263,820. Prosecutors also hope to secure restitution for former EMS investors, and an order is expected from the court within 90 days.

Sussex-Based Couple Loses £15,000 to Scammers


Loreta and Mindaugas from Horsham, Sussex, were lured in by a fake bonus offer from a fraudster who appeared to work for the Coinbase platform, shortly before the company was listed on the stock market.

Mindaugas, an executive at a UK-based company, received an email on March 24, 2021, that purportedly came from Coinbase, claiming that he was eligible for a bonus. He tried to claim the supposed £60 bonus, and within just nine minutes £15,000 was drained from the couple's crypto savings.

“At first, we thought it might be some kind of mistake or a glitch. But since their knowledge base had no option that covered any bugs or glitches, we decided to inform Coinbase that my husband’s account has been compromised. But all we got back was a password reset request,” Loreta said. 

Coinbase is a popular trading platform for buying and selling cryptocurrency, with over 56 million users and a valuation of $99.6 billion.

Double Fraud

Shortly after changing his account password, Mindaugas received a second call from the supposed Coinbase support agent. The scammer told him that Coinbase was responding to the open support ticket about his compromised account and promptly began questioning Mindaugas about the fraud.

After finishing the interrogation, the scammer offered Mindaugas two options. "Either we call the police, in which case there is no guarantee that we'll ever get our money back, or they give us a refund without getting involved with the authorities. My husband was still in shock and rather disoriented, so at that moment, he agreed to proceed with the second option," Loreta told CyberNews.

"He said 'we see that you have an account at Binance and since Coinbase and Binance are sister companies', and that's when I saw he was trying to dupe us. Next thing I hear, he's telling us to prove our identity either by transferring £5,000 from our Binance account to Coinbase or by giving them our Binance authentication code so that they can transfer the missing £15,000 to my husband's Binance account," Loreta explained.

Having spotted the deception, Mindaugas and Loreta declined both options and reported the fraud to the police. However, the case was promptly closed due to a "lack of evidence". They also contacted Coinbase for help but have had no response.

"We’re still waiting for an answer. And since 'only' £15,000 was stolen, we’re not very hopeful that the police will do anything about it," Loreta said. 

The CyberNews investigation team began looking into the fraud after the couple contacted them for help. Researchers found that the stolen cryptocurrency had been laundered through an elaborate network of wallets. This effectively makes stolen funds "untraceable" and helps scammers avoid being caught.

"Due to the anonymity of the crypto market, scams targeting the general public tend to be barely visible. In fact, phishing attacks are becoming more sophisticated, making it increasingly difficult to identify fake messages that appear to come from trusted people or brands. Companies like Coinbase need to be responsible for keeping their customers as safe as possible," Edvardas Mikalauskas, Senior Researcher at CyberNews, stated.

"They need to implement strict controls in detecting and blocking malicious or anomalous activity before criminals have the opportunity to steal cryptocurrencies," Edvardas added. CyberNews advises always previewing URLs before clicking links or buttons, paying attention to messages sent to your inbox, and using unique passwords and multi-factor authentication for online accounts, and warned that the embedded link in such a message is a "serious danger signal".

Russian banks to launch a system against telephone fraud

Financial organizations are planning to launch a pilot of a system for recording and analyzing telephone fraud, said Alexey Voilukov, vice president of the Association of Banks of Russia. The service will make it possible to monitor calls, identify unscrupulous operators and track fraudsters more effectively.

The Association will present the developments to the regulatory agencies along with proposals for changes to the legislation. To improve the response to criminal attacks, the project should be hosted by a supervisory authority, for example the Ministry of Internal Affairs.

Experts believe that the owner of such a system should be a government agency authorized to request information from operators about the sources of traffic and to process data protected by communications secrecy.

"It is necessary to tighten legislation in the field of personal data protection and tighten control over bank employees, since fraudsters often obtain information about customers through leaks," the experts added.

Tinkoff Bank believes that it will take about a month to test the project after the creation of an interdepartmental anti-fraud group. The bank will become one of the pilot's participants.

Other major credit organizations also supported the idea of implementing the system. The pilot of the project can start as early as the end of 2021 or the beginning of 2022. However, full work will require changes in the law.

According to Tinkoff, the number of malicious calls in the first quarter of 2021 increased 2.3 times compared to the same period in 2020. In addition, about 80% of phone scammers use number spoofing, so once the system for recording and analyzing telephone fraud is launched, it will be much harder for them to carry out attacks.

Chinese Hackers Target Indian SBI Users Via Phishing


Recently, Indian officials reported that China-based cybercriminals are targeting customers of the State Bank of India (SBI) with phishing scams that offer gifts. Via WhatsApp messages, the hackers ask users to update their KYC details through a website link, promising gifts worth around 5 million rupees (INR 50 lakh) from the bank.

The research wing of the New Delhi-based think tank CyberPeace Foundation, in collaboration with Autobot Infosec Pvt Ltd, recently investigated two similar cases targeting SBI customers.

"All the domain names associated with the campaign have the registrant country as China," the research team told IANS. The operators send a message requesting KYC verification; the message appears authentic and resembles the official SBI online page.

Clicking the "Continue to login" button redirects users to a full-kyc.php page, which asks them to enter their credentials (username, password and a captcha) to log in to online banking.

"Following this, it asks for an OTP sent to the user's mobile number. As soon as the OTP is entered, it redirects the user to another page that asks the users to enter some confidential information again like account holder name, mobile number, date of birth. After entering the data, it redirects the user to an OTP page," the researchers informed. 

The researchers advise customers to avoid opening such links sent via social platforms, and to contact their bank branch if they notice anything suspicious.

More than 3 million Russians have become victims of a new online fraud scheme

Experts at the cybersecurity company Group-IB note that fraudsters skillfully disguise fake payment pages: they often carry the logos of the international payment systems Visa and MasterCard.

"By creating phishing sites for popular services and online stores, scammers have learned to imitate payment pages protected by 3-D Secure, a technology that was previously considered one of the most effective to ensure the protection of user payment data when paying for online purchases worldwide", said the experts.

Attackers lure the victim to the phishing page of an online store with fraudulent advertising or spam mailings. There, the user enters payment data to pay for the selected product or service. An SMS code is then sent to the user's phone number to confirm the transaction. The user enters the code into the same form, just as they would on a legitimate 3-D Secure page, and the money goes to the fraudster's card.

According to the experts, to protect themselves users must first pay attention to the payment source named in the bank's SMS message carrying the transaction confirmation code.

"If the words Card2Card or P2P are specified there, but the payment was not initiated from those services, you should not enter the received code to confirm the payment," the experts noted.

Information security expert Alexey Lukatsky stressed that it is necessary to pay attention to the name of the site, its design, any grammatical errors on it, and the domain on which the site is hosted.

The expert added that it is necessary to pay attention also to the 3-D Secure page.

"Because this domain must also be identical to the domain of the bank that issues the card. Accordingly, if the domain name indicates something different from, or merely similar to, our bank, then this is also a sign of fraud," Mr. Lukatsky added.