
China-Based Hackers Luring Indians into Fake Tata Motors Scam

On Thursday, cyber-security researchers in India announced the discovery of a malicious free-gift campaign run by China-based hackers to harvest personal user data. The campaign pretends to be an offer from Tata Motors, the biggest automobile manufacturer in India, reports IANS.

The research team at the New Delhi-based CyberPeace Foundation received several malicious links via WhatsApp promoting a free gift offer from Tata Motors; the links collect personal information about users, together with their browser and system details.

“The campaign pretends to be an offer from Tata Motors but is hosted on a third-party domain instead of the official website of Tata Motors, which makes it more suspicious,” the research team stated.

The fake website hosting the campaign is titled “Tata Motors Cars, Celebrates sales exceeding 30 million”. The landing page displays a congratulations message alongside an attractive photo of a Tata Safari, and users are asked to complete a quick survey to win a free TATA Safari.

“Also, at the bottom of this page, a section comes up which seems to be a Facebook comment section where many users have commented about how the offer is beneficial,” the researchers revealed.

After clicking the OK button, users are given three chances to win the prize. After finishing all the attempts, it says that the user has won “TATA SAFARI”.

“Congratulations! You did it! You won the TATA SAFARI!” After the ‘OK’ button is clicked, the page instructs users to share the campaign with friends on WhatsApp. The user never actually wins a car; the page simply keeps redirecting the user to multiple advertising webpages. The Foundation recommended that people avoid opening such messages sent via social platforms.

According to the researchers, the hackers are using Cloudflare to hide the real IP addresses of the front-end domain names used in the fake Tata Motors campaign. The CyberPeace Foundation, a think tank and non-governmental organization of experts in cybersecurity and policy, investigated the sites in collaboration with Autobot Infosec Private Limited and concluded that they are online fraud.

Uttarakhand, India Special Task Force Exposed a China Based Money Laundering Racket

Uttarakhand Police claimed that the online racket duped naive investors of at least ₹250 crore by promising to nearly double their money in just 15 days, then converting the funds into cryptocurrency.

Pawan Kumar Pandey, accused of running a shell company to transfer the defrauded money to his alleged "handler in China," was detained on Monday night in Gautam Buddh Nagar (Noida), a district in Uttar Pradesh. Police seized 19 laptops, 592 SIM cards, 5 mobile phones, 4 ATM cards and a passport from him.

Uttarakhand police chief (DGP) Ashok Kumar said the racket came under investigation after two Haridwar residents, Rohit Kumar and Rahul Kumar Goyal, complained about the scam.

“A week ago, they claimed that one of their friends told them about a mobile app on Google Play Store named Power Bank, which doubled returns on investment within 15 days. Believing him, they downloaded the app and deposited ₹91,200 and ₹73,000,” said Kumar.

However, after one month of making the deposit, when they didn't receive any returns, they realized that they were tricked, he added. 

The special task force's investigation found that the app had been available on the Google Play Store from February 2021 to May 12, 2021, during which time at least 50 lakh people installed it. Police also established that money deposited through the app was moved to the detained man's bank accounts via payment gateways.

He said the money was subsequently converted into cryptocurrency. Cyber forensic examination traced the application to China, where Pandey's operators reside. They cashed the cryptocurrency out into their local currency, completing a money laundering chain that began with Indians being duped by the app.

“In this case too, they partnered with Pandey and used his identity documents to register a shadow company with the Registrar of Companies (RoC) and to open two bank accounts, where the money siphoned off from the victims was deposited. They opened a shadow company in Noida named Purple Hui Zing Zihao. Pandey was registered as the company’s owner and the firm was shown as the developer of the fraudulent app,” said Bharne, Uttarakhand’s deputy inspector general (law & order). 

Pandey added that although he earned commissions from the Chinese accused, the bank accounts and the business were handled remotely. He had received a salary payment of ₹1.50 lakh from the Chinese. He also told police that his operators use the same modus operandi with many other identical apps. Initially, the accused did double certain investments in order to win the confidence of future investors.

“We have taken at least 20 such shadow companies under our radar for suspected fraudulent activities like the above-mentioned one. We have received 20 other similar complaints from people in the state and they [the complaints] are under probe,” the senior police officer said.

Russian Man Convicted of $7 Million Digital Advertising Scam

A Russian man was found guilty in the United States of using a bot farm and rented servers to create fraudulent internet traffic on media sites, causing businesses to pay inflated advertising rates.

Prosecutors said Aleksandr Zhukov, 41, was the mastermind of the Methbot operation, in which 1,900 servers were used to generate millions of bogus online ad views on websites such as the New York Times and the Wall Street Journal. US prosecutors, citing a text message in which he referred to himself as the "King of Fraud," said Zhukov gained $7 million from the scheme and channeled the money into offshore accounts around the world.

The group allegedly called their plan "Metan," which is the Russian term for methane, while the FBI and prosecutors referred to it as Methbot, and later as Media Methane, which was the name of Zhukov's company with operations in Russia and Bulgaria. 

Zhukov and his colleagues negotiated deals with advertising networks to display ads on websites, receiving a commission for each ad that was viewed. According to prosecution filings, from September 2014 to December 2016 Zhukov and his collaborators instead set up bogus sites and used rented data centre servers to simulate users, making it appear that real people were viewing the ads.

"Zhukov represented to others that he ran a legitimate ad network that delivered advertisements to real human internet users accessing real internet web pages," according to a superseding indictment filed on February 12, 2020. 

"In fact, Zhukov faked both the users and the webpages: he and his co-conspirators programmed computers that they had rented from commercial data centers in the United States and elsewhere to load advertisements on fabricated webpages, via an automated program, in order to fraudulently obtain digital advertising revenue," it says. 

Victims of the scheme "included The New York Times, The New York Post, Comcast, Nestle Purina, the Texas Scottish Rite Hospital for Children, and Time Warner Cable," the Department of Justice said in a news release. 

Zhukov was arrested in Bulgaria in November 2018 on a provisional US arrest warrant. In January 2019 he was extradited to the United States, where he pleaded not guilty to the charges against him.

Interpol Seize $83 Million in Operation Against Online Financial Fraud

More than 500 suspects were arrested in the Interpol-coordinated Operation ‘HAECHI-I’, and $83 million belonging to victims of online financial crime was seized. Over 40 law enforcement officers across the Asia Pacific region took part in the operation and intercepted the $83 million before it could be transferred to the perpetrators' accounts.

Law enforcement agencies were specifically focused on five types of online financial crime: investment fraud, romance scams, money laundering associated with illegal online gambling, online sextortion, and voice phishing.

A total of 585 individuals were arrested, and more than 1,600 bank accounts belonging to perpetrators of the cyber-enabled financial crime were frozen. The stolen funds were blocked from getting into the scammers' accounts following multiple joint operations and months of collecting intelligence on the attackers' operations.

More than 1,400 investigations were opened during HAECHI-I’s six-month operational phase targeting cybercrime in the Asia Pacific region (i.e., Cambodia, China, Indonesia, Korea, Laos, The Philippines, Singapore, Thailand, and Vietnam), with 892 cases having already been solved and the rest still being investigated. 

“Online fraudsters often attempt to exploit the borderless nature of the Internet by targeting victims in other countries or transferring their illicit funds abroad. The results of Operation HAECHI-I demonstrate that online financial crime is fundamentally global and that only through close international cooperation can we effectively combat these criminals," said Ilana de Wild, Interpol's Director of Organized and Emerging Crime. 

Last year, Interpol also advised victims of online financial scams to immediately take action to intercept stolen funds before their money reached the scammers' bank accounts. In January 2021, Interpol warned all 194 member states of fraudsters targeting dating app users and trying to trick them into investing through fake trading apps. 

“The key factors in intercepting illicit money transfers are speed and international cooperation. The faster victims notify law enforcement, the faster we can liaise with INTERPOL and law enforcement in the relevant countries to recover their funds and put these criminals behind bars,” Amur Chandra, Brigadier General of the Indonesian National Police and Secretary of Indonesia’s INTERPOL National Central Bureau, stated.

Pay Attention: These Unsubscribe Emails Only Lead to Further Spam

Scammers send out fake 'unsubscribe' spam emails to validate legitimate email addresses for future phishing and spam campaigns. 

Spammers have long been sending emails that merely ask whether the user wants to unsubscribe or subscribe. These emails don't specify what the user is unsubscribing from or subscribing to; spammers use them to find out whether the recipient's address is real and likely to fall for phishing scams and other nefarious activity.

Once they get that confirmation, they bombard the address with spam. The campaign is simple in design: the victim receives a basic email with a call to action asking whether they want to unsubscribe or subscribe:

“Please confirm your Subscribe (sic) or Unsubscribe. Confirm Subscribe me! Unsubscribe me! Thank you!” 

If the user clicks the embedded subscribe/unsubscribe links, the mail client generates a new email addressed to a large number of email addresses controlled by the spammer.

After sending that mail, users expect to be unsubscribed from future communications; instead, they have confirmed to the spammers that their email address is real and actively read.

BleepingComputer tested this by creating a new email account that was never used on any website or service, then replying from that new address to several confirmation emails that had been received on another account. Within a few days of sending the unsubscribe/subscribe responses, the new account was bombarded with spam.

This test also revealed that spammers are utilizing these subscribe/unsubscribe emails to fine-tune their mailing lists and confirm email addresses that are vulnerable to phishing and frauds. 

It was also stated that these attacks aren't restricted to spam emails; nothing stops scammers from using phishing or social engineering against the target email, which is sometimes more hazardous and difficult to detect and stop. 

Consumers should never click any links they receive in an email unless they are fully certain of the sender's validity and the link's integrity, according to security experts. No credible company will ever send an email with only the alternatives to "Subscribe or Unsubscribe" and without any information.

Florian Tudor – The Shark Arrested in Mexico

Florian Tudor, "The Shark," the alleged mastermind of a notorious ATM skimming gang that has siphoned hundreds of millions of dollars from the bank accounts of tourists visiting Mexico over the past eight years, was detained in Mexico City on Thursday 27 May 2021 at the request of a Romanian court.

Tudor, from Craiova, Romania, traveled to Mexico to establish Intacash a Top Life Servicios, an ATM services company that operated a network of comparatively new ATMs in Mexico. 

On Thursday, Florian Tudor, "The Shark," was taken into custody by officers of the Mexican Attorney General's office. Video published by media organizations shows the arrest descending into a scuffle, with shouting and officials carrying Tudor out of the house by his arms and legs.

Mexico's federal law enforcement agency alleged that members of Tudor's group tried to attack a police officer before they were arrested.

Robert Bica, Tudor's lawyer in Bucharest, confirmed the detention to the Romanian newspaper Libertatea. A Mexican judge will now decide on his deportation within the next two or three weeks.

An insider from Romania's organized crime prosecution reported to the same publication that the United States authorities played an important role in investigating Tudor, who is said to have targeted thousands of US tourists in Mexico and is considered responsible for approximately 12% of global skimming. 

Tudor and his Riviera Maya Gang are the most recent twist in a long history of criminality documented by law enforcement officers and foreign journalists.

The gang, as named by the Organized Crime and Corruption Reporting Project (OCCRP), compromised over 100 ATMs across Mexico – in Cancun, Tulum, Cozumel and elsewhere – to quietly drain $1.2 billion from victims' bank accounts, according to OCCRP. The scheme relied in part on Bluetooth skimmers implanted in ATMs by bank staff who were paid for their services.

Last year Tudor was arrested on charges of attempted murder, blackmail and building an organized crime network specializing in human trafficking, following a Romanian court's conviction in absentia.

Tudor has also been investigated by the Bucharest authorities over the trafficking of thousands of Romanians of Roma origin to Mexico and the United States, where they are reportedly made to steal, beg and claim asylum on the grounds of fleeing racial persecution in Romania.

Over time, Mexican authorities have examined the bank accounts of Tudor and his firms, and investigators believe that Tudor and his associates have paid protection and hush money to various Mexican politicians and officials over the years. The leader of Mexico's Green Party was brought down in February when it emerged that he had been receiving cash from Tudor.

The authorities of Mexico have arrested Tudor for the second time. Tudor and his subordinates were arrested in April 2019 for illegally owning guns. The arrest took place only months after Tudor allegedly instructed a former bodyguard to assist US officials in bringing the organization down on profitable skimming practices.

Scammers Employ 'Vishing' Technique to Steal Personal Details of Online Shoppers

Scammers are using a technique called ‘vishing’ to trick online customers. In a vishing attack, the fraudster impersonates someone from Amazon but uses a phone call as the weapon of choice. A related tactic is an email that includes a contact number and urges the recipient to call it.

Recently, cybersecurity firm Armorblox discovered two distinct email campaigns posing as Amazon. Both emails were identical with a similar Amazon branding and followed a pattern similar to real order confirmation emails from Amazon but, if one knows where to look, there are many indications that the emails are fraudulent.

The first indication is that the emails are sent from a Gmail address or one that looks like it “might” belong to Amazon (no-reply@amzeinfo[.]com) and the recipient is not addressed by their name (a piece of information Amazon would know).

Armorblox researchers noted that the scammers did not use the old tactic of including a malicious attachment or URL, which let them bypass detection controls that block known bad links. They made other choices that allowed them to slip past deterministic filters or blocklists that check for impersonated brand names (e.g., writing AMAZ0N with a zero instead of an “O”).
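As an added defender-side illustration (not from the article or from Armorblox), the following Python heuristic checks a raw email for the indicators described above: a brand name that only appears after folding look-alike spellings such as AMAZ0N, a sender domain that is free-mail or not the brand's own, a greeting that does not use the recipient's name, and a phone-number-only call to action. BRAND_DOMAINS, FREE_MAIL and both sample messages are assumptions constructed for the example; only the amzeinfo sender domain comes from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of domains the brand really sends from (assumption).
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.in", "amazon.co.uk"}}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Characters scammers swap into brand names (AMAZ0N) so that exact-match
# keyword blocklists miss them; we fold them back before matching.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case the text and undo common look-alike substitutions."""
    return text.lower().translate(CONFUSABLES)


def _body_text(msg) -> str:
    """Plain-text body of a parsed message (joins text/plain parts if multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def analyse(raw_mail: str) -> list[str]:
    """Return the impersonation indicators found in an RFC 822 message."""
    msg = message_from_string(raw_mail)
    body = _body_text(msg)
    raw_text = f"{msg.get('Subject', '')}\n{body}".lower()
    folded = normalize(raw_text)
    findings = []

    # A brand that is only present after folding was spelled with look-alikes.
    brands = [b for b in BRAND_DOMAINS if b in folded]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    for brand in brands:
        if brand not in raw_text:
            findings.append(f"{brand} spelled with look-alike characters")
        if domain in FREE_MAIL:
            findings.append(f"{brand} branding sent from free-mail domain {domain}")
        elif domain not in BRAND_DOMAINS[brand]:
            findings.append(f"{brand} branding sent from non-brand domain {domain}")

    if brands:
        # A real order confirmation greets the customer by the name on the account.
        to_name = parseaddr(msg.get("To", ""))[0]
        if to_name and to_name.split()[0].lower() not in body.lower():
            findings.append("recipient not addressed by name")
        # Vishing lure: the only call to action is a phone number, with no link.
        if PHONE_RE.search(body) and not URL_RE.search(body):
            findings.append("phone-number call to action with no links")
    return findings


def is_suspicious(raw_mail: str, threshold: int = 2) -> bool:
    """Flag the mail when at least `threshold` indicators are present."""
    return len(analyse(raw_mail)) >= threshold


# Constructed sample modelled on the campaign described above (sender domain
# from the article; order number and phone number are made up).
SCAM_MAIL = """\
From: "AMAZ0N Order Desk" <no-reply@amzeinfo.com>
To: "Priya Sharma" <priya@example.org>
Subject: Order Confirmation #114-EXAMPLE

Dear Customer,
Thank you for shopping with AMAZ0N. Your order for Apple Watch Series 6
($429.00) has been placed and will ship within 24 hours.
If you did NOT authorize this purchase, call our fraud desk on
+1 (800) 555-0199 immediately.
"""

# Constructed benign counterpart: brand domain, named greeting, a real link.
LEGIT_MAIL = """\
From: "Amazon.com" <order-update@amazon.com>
To: "Priya Sharma" <priya@example.org>
Subject: Your Amazon.com order #123-EXAMPLE has shipped

Hello Priya,
Your order has shipped. Track it at https://www.amazon.com/your-orders
"""

if __name__ == "__main__":
    for name, mail in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL)):
        print(name, is_suspicious(mail), analyse(mail))
```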

What can you do to protect yourself from these fraudulent schemes?

With online shopping becoming the new normal, fraudsters will continue targeting this immense global pool of potential victims. Scammers combine social engineering, brand imitation and emotional triggers to lure victims into their trap. If successful, victims can end up handing over personal data and credit card details, leading to consequences such as identity theft or fraudulent payments made in their name.

The first thing you have to learn is not to open attachments and follow links from unknown emails, and not to call on included phone numbers which may cost you thousands of rupees. If you’re worried that you might be billed for an order you did not make, go to the shop’s website and find the correct phone number yourself.

Secondly, do not share your personal details on a phone call. If you feel the urgency to call back, don't contact the person through any phone number listed in the message. Instead, run a search for a publicly available number for the company.

Lastly, and most importantly, use multi-factor authentication (MFA) on all accounts and for all sites. Don't reuse the same password across multiple accounts, and use a password manager to store your passwords.

Virtual Wallet Users are Being Scammed

People are carrying less cash as technology advances, preferring to use debit cards, credit cards, and smartphone payment apps instead. Although using virtual wallets like Venmo, PayPal, and Cash App is easy and becoming more common, there is a risk of being scammed by someone who does not appear to be who they claim to be. Virtual wallets are applications that you can download on your Android or iPhone to make it simple to send and receive money from friends, relatives, and other people. To move money, these apps are connected to a bank account. 

Scammers are always on the lookout for their next victim, and these apps provide them with an ideal opportunity to defraud people of their hard-earned money. Fraudsters have devised a number of strategies for intercepting payments or convincing app users to pay them directly. 

Last year, the Better Business Bureau reported on a new scheme in which con artists send messages requesting the return of unintended payments after making deposits into their victims' accounts. 

When the victim checks their account and discovers these transfers, which were made with stolen credit cards, they refund the funds, by which point the scammer has replaced the stolen credit card credentials with their own. The money is then sent to the fraudster, and the victim is held responsible until the owner of the stolen card files restitution claims. 

PayPal, older than Cash App and Venmo, is the longest-established virtual wallet. In one PayPal scam, the scammer asks a seller to ship the items he or she "bought" to a particular address. Only after the scammer "pays" for the item and the seller sends the package does it emerge that the address is invalid, by which time it is too late.

If the shipping company is unable to locate the address, the item will be marked as undeliverable. The scammer would then contact the shipping company and provide a new address in order to accept the package while claiming they did not receive it. 

The scammer would then collect the item and file a complaint with PayPal claiming that the item was never delivered. PayPal will refund the money charged to the scammer because the buyer has no evidence that the item was shipped. As a result, the seller loses both money and goods to the con artist. 

App developers should take action to protect their users from these types of scams. Multifactor authentication and secondary confirmation, such as emailed security codes, are examples of these safeguards. According to Microsoft research, multifactor authentication will prevent 99.9% of fraud attempts involving compromised login credentials.

Meal Kit Delivery Scams Increase with Phishing Campaigns

Attackers are sending phishing text messages that look like authentic correspondence from well-known brands such as HelloFresh and Gousto, piggybacking on the market for meal kit delivery services that has boomed since the pandemic.

HelloFresh SE, headquartered in Berlin, is a publicly traded German meal kit company. It is the biggest supplier of meal kits in the USA and also operates in Australia, Canada, New Zealand, Sweden, Western Europe and Denmark. Gousto, meanwhile, is a meal kit retailer based in Shepherds Bush, London, UK, founded by Timo Boldt and James Carter and trading as SCA Investments Limited. Gousto supplies customers with fresh, pre-measured ingredients and easy-to-follow recipe kit boxes.

The meal-kit phishing operations were uncovered by researchers at Tessian, who published several variations of the phishing pitch. Some are sent via SMS, some via WhatsApp; some ask recipients to rate their delivery experience. The messages vary widely in sophistication, from very persuasive to one Tessian example described as “easy to spot” because of its many spelling errors.

“Your Gousto box is now delivered,” the phishing message read. “Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’.” 

Tessian added that, usually, thousands of these messages are sent simultaneously via SMS and WhatsApp. 

Gousto however has alerted its clients of the scams by posting a message on their Twitter account: “We are aware that these emails/texts are in circulation, unfortunately, and we would advise against opening them. Our Info Tech team are looking into this suspicious activity." 

The growing popularity of meal kits coincides with a worldwide rise in SMS-based phishing, known as "smishing." Mobile devices often lack strong security, they are always at hand, and the emotional dependency many people have developed on them makes customers vulnerable to being shaken down. Like other pandemic-related themes, meal kits have become an important lure for cybercriminals to use against their targets.

Commenting on the findings, Tim Sadler, CEO and co-founder of Tessian, said: "Throughout the pandemic, we've seen cyber-criminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often, scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information.”

He further added, “These scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data.”

Apple App Store Saved Users $1.5 Billion Worth in Fraud Transactions

Tech giant Apple claimed that the measures taken to detect malicious apps and actions by developers on the App Store saved users as much as $1.5 billion in potentially fraudulent transactions in 2020. 

The company published detailed statistics on its fraud prevention efforts, which kept more than a million risky and vulnerable apps off the App Store. There are more than 1.8 million apps on the App Store for iPhone, iPad and Mac devices. Apple highlighted that its measures blocked transactions made with stolen cards, apps that switch functionality after initial review for App Store listing, account fraud by users and developers, and fraudulent reviews.

Apple says that more than 48,000 apps were rejected for containing hidden or undocumented features. The App Review team also rejected more than 150,000 apps for spam, such as copying other popular apps or misleading users about functionality, and over 215,000 apps for violating privacy guidelines.

The company also had security measures in place for payment methods and blocked more than 3 million stolen credit and debit cards from being used for purchases on the App Store. Under these wide-ranging measures, as many as 1 million user accounts were banned from making transactions, 244 million customer accounts were deactivated, 424 million account creation attempts were rejected, and 470,000 developer accounts were terminated for various violations.

“Apple has rejected or removed apps that switched functionality after initial review to become real-money gambling apps, predatory loan issuers, and pornography hubs; used in-game signals to facilitate drug purchasing; and rewarded users for broadcasting illicit and pornographic content via video chat,” says Apple. 

Additionally, 95,000 apps were also removed because they asked users for more data than they needed or mishandled the data that was collected. Apple has repeatedly insisted that privacy is a fundamental right, something that Apple CEO Tim Cook has also asserted, time and again, ahead of the rollout of the new Privacy Labels for all apps on the App Store and the addition of the App Tracking Transparency feature in iOS 14.5 for the iPhone.

The Russian Ministry of Internal Affairs began to identify serial cybercrimes with a special program

The press service of the Russian Ministry of Internal Affairs reported that employees of the department have been using a special program, "Remote Fraud", in their work for more than a year. Thanks to this program, signs of about 324,000 crimes committed in cyberspace have been detected.

"The "Remote Fraud" system, which has been used by employees of the Ministry of Internal Affairs for a year now, shows a high level of effectiveness. With its help, we detect signs of serial cybercrimes more quickly and thoroughly," said the press service of the Russian Interior Ministry.

The special software, developed for Russian law enforcement, collects, systematizes, processes and analyzes information gathered during the investigation of crimes committed in cyberspace using computer or telecommunications technology.

The "Remote Fraud" system captures the required data from the moment a cybercrime report is registered.

On May 2, 2021, the Russian Ministry of Internal Affairs also announced that it was finalizing development of a service that will soon be added to the ministry's mobile application. The new service, called "Anti-fraudster", is intended to make countering telephone fraud more effective.

The main functionality of "Anti-fraud" is to warn the user that cybercriminals or scammers are calling or sending SMS from phone numbers previously seen in the commission of criminal, fraudulent actions.

"The total cost of developing, implementing and deploying the application is 44.9 million rubles ($606,000). All work will be completed, as we expect, by December 25 of this year. Despite the fact that the idea of developing such a service has long been in the Russian Interior Ministry, the contract with the selected contractor was concluded only at the end of March 2021", reported the press service of the Ministry of Internal Affairs.

The Russian Interior Ministry's application, to which the "Anti-fraud" service will be added, is already available for download on the App Store and Google Play.

It is interesting to note that at the end of April 2021, Sberbank said that the application "Sberbank Online" with the next update will have a service, with the help of which the mobile app will automatically check the phone numbers of incoming calls and warn users in a situation where the caller is suspected of being a fraudster.

Lloyds Bank Warns Britons of Phishing Scam That Could Drain Their Bank Accounts

LLOYDS BANK has issued an urgent warning to Britons as many have been attacked by a highly dangerous scam text message. The latest phishing campaign once again centres around text messages, as more and more people become used to using their phones to manage their finances. The text reads: “LLOYDS-SECURITY: You have successfully scheduled a payment of £69.99 to payee MR ADAMS 28/04. If this was NOT you, visit: https://payee-confirmationcentre.com.” 

The malicious link contained within the text message often directs to a phishing website which can easily extract the personal details of unsuspecting individuals. It may also be the case that websites of this kind can download harmful malware onto a person’s desktop which could access their passwords and other sensitive information.

Lloyds Bank has now confirmed the text, and those like it, are a scam that Britons should do their best to avoid. Taking to their social media account, the bank wrote: “This is indeed a scam message and hasn’t been sent by us. Please don’t click on the link and delete the message”. Individuals should also look out for spelling or grammar errors contained within messages, as this is usually a sign of fraudulent correspondence.

Lloyds Bank will never ask their customers to share account details such as user IDs, passwords, or memorable information. Neither will they ask Britons for a PIN code, card expiry date, or Personal Security Number. Individuals who are asked to move their money or transfer funds by someone claiming to be from Lloyds Bank can be assured this correspondence is a scam. People who come into contact with a scam text message are strongly encouraged never to click the link and delete the message upon receipt. This is the best way to protect oneself and keep a guard up against dangerous cyber criminals looking to take advantage.

Several individuals have reported close brushes with this scam, which has the potential to financially devastate those who fall victim. Individuals are therefore being warned to stay alert to such messages, which are currently circulating widely. Details harvested this way can be used for identity fraud and could clear out a person’s bank account. In some cases banks will help a victim recoup their losses, but in other circumstances there may be nothing that can be done.

Threat Actors are Using YouTube to Lure Users into their Trap

Fortinet security researcher ‘accidentally discovered a unique way of tricking YouTube users. Due to Covid-19, as well as the recent surge in the value of the stock market and cryptocurrencies, more people than ever are at home looking for livestock market/crypto-related content on streaming platforms like YouTube, etc. This might be to compensate for the lack of in-person interactions that we would normally have in a non-Covid-19 world, as well as to perhaps make some quick income on the side. During a random midnight search for similar content, the researcher accidentally stumbled upon a LIVE Bitcoin scam on YouTube (yes, this time it was on YouTube and not on Twitter). 

YouTube has various labels/buttons on its home page to identify trending categories of videos, and this one indicated that several scams were streaming “live”. The first video the researcher saw after clicking the Live button was titled, “Chamath Palihapitiya - What will be the New World of Finance? | SPACs, Coinbase IPO and NFT” with the URL link “hxxps://www[.]youtube[.]com/watch=cFstoyKl99s”. 

The next thing the researcher noticed was the video’s caption message, “Our mission is to advance humanity by solving the world’s hardest problems. We want to thank our supporters and also help crypto mass adoption, so 1000 BTC will be distributed among everyone who takes part in the event. You can find all the information on the website.” Also, unlike most content creators' descriptions, this one consisted of nothing but the website link “More info: cham-event[.]com”.

Another red flag was that while this YouTube channel had 252k subscribers, there was only ONE video on the channel. This could either be a case of a hacked YouTube channel that had all previous videos deleted, OR it could be that the malicious attacker somehow found a way to add fake subscribers to his/her channel. 

Earlier this month, hackers associated with these scams escalated their activity when they compromised two YouTube channels that maintain over eight million subscribers. In this particular case, the hackers modified these channels to impersonate our brand, using the Gemini name and logo. In light of these ongoing events, we want to share how these attacks work, discuss Gemini’s ongoing actions to protect our customers, and provide some tips for YouTube channel owners to better secure their channels. 

Lazarus E-Commerce Attackers Adapt Web Skimming for Stealing Cryptocurrency


Cybercriminals with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB. 

Group-IB's latest report builds on findings revealed in July 2020 by Dutch security firm Sansec, which reported that malicious infrastructure and, in many cases, the malware was being used for Magecart-style attack campaigns that had previously been attributed to the Lazarus Group. 

Lazarus - aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names - refers to a group of hackers with apparent ties to the Pyongyang-based government officially known as the Democratic People's Republic of Korea, led by Kim Jong-Un.

Magecart-style attacks use so-called digital card skimming or scraping tools - aka JavaScript sniffers - that attackers inject into victim organizations' e-commerce sites. Victims of such attacks have included jewelry and accessories retailer Claire's and Ticketmaster UK, among thousands of others. 
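Because a JS-sniffer is injected as one more script tag on a checkout page, the cheapest defensive control is an inventory of the scripts each deployed page loads, diffed against what the site expects. The check below is an added example written for this page, not code from Group-IB, Sansec or the Lazarus toolset; every host name and the SRI hash in the sample page are constructed placeholders.

```python
"""Inventory the <script> tags on a checkout page and diff them against an
allowlist. Magecart-style skimmers arrive as an extra external <script src>
(often on a lookalike host) or as an inline block, so a per-deploy inventory
check catches a large share of injections before they reach customers.

Added example, not Group-IB, Sansec or Lazarus code. Every host and the SRI
hash in the sample are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Record each <script>: its src, its integrity attribute, and inline text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw CDATA
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, allowed_hosts):
    """Return (kind, detail) findings: scripts from hosts outside the allowlist,
    external scripts with no Subresource Integrity hash, and inline scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src = s["src"]
        if src:
            host = (urlparse(src).hostname or "").lower()
            external = host != ""          # relative paths have no host
            if external and host not in allowed_hosts:
                findings.append(("unexpected-host", src))
            elif external and not s["integrity"]:
                findings.append(("missing-sri", src))
        elif s["inline"].strip():
            findings.append(("inline-script", s["inline"].strip()[:60]))
    return findings


# Constructed checkout page: one first-party script, one pinned CDN script,
# one allowed-but-unpinned script, one injected lookalike host, one inline block.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://js-payments.example/collect.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"><input name="card"></form></body></html>"""

ALLOWED_HOSTS = {"js.payments.example", "cdn.example"}

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS):
        print(f"{kind:16} {detail}")
```

Run against a fetched copy of the page after every deploy (and periodically from outside the CDN, since skimmers are often served only to real shoppers). An unexpected host is the strongest signal; a missing integrity hash on an allowed host is a weaker one, but it is what lets a compromised CDN swap the script unnoticed, so it is worth fixing too.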

Researchers at Group-IB stated that after reviewing the attack campaign discovered by Sansec, it also found signs suggesting that attackers had been experimenting not just with stealing payment card data but also cryptocurrency.

Group-IB reports that it found the same infrastructure being used, together with a modified version of the same JavaScript sniffer - aka JS-sniffer - that Sansec described in its report. Group-IB has dubbed the cryptocurrency-targeting campaign Lazarus BTC Changer. 

The attackers appear to have stolen relatively little cryptocurrency via the sites' customers: just $9,000 worth of Ethereum and $8,400 worth of bitcoins, Group-IB reports. Group-IB says those stolen funds appeared to have been routed to bitcoin cryptocurrency wallets allegedly owned by CoinPayments.net, "a payment gateway that allows users to conduct transactions involving bitcoin, Ethereum, Litecoin, and other cryptocurrencies." 

Lazarus may have used the site to launder the stolen funds by moving them to other cryptocurrency exchanges or wallets. The cybersecurity firm notes that CoinPayments' "know your customer" policy could help identify the individuals who initiated the transactions. The service's user agreement stipulates that individuals attest that they are not operating in or on behalf of anyone in a prohibited jurisdiction, which includes North Korea.

Threat Actors Target Covid-19 Vaccine Cold Chain Via Spear-Phishing Campaign


Cybercriminals are continuing to target the COVID-19 vaccine cold chain, the means of delivering and storing vaccines at safe temperatures, with spear-phishing campaigns that leverage pharma and biomedical lures, according to an updated IBM X-Force report. 

Threat actors are specifically targeting transportation, healthcare, IT, and electronics sectors. Researchers also discovered the attackers targeting government agencies and vendors that support public health entities, among other targets.

The latest research is an update of a December IBM X-Force report that shed light on widespread phishing tactics leveraged by cybercriminals against vaccine supply chain organizations and other healthcare sectors. IBM X-Force established a cyber task force at the beginning of the pandemic to track cyber threats targeting critical infrastructure organizations.

The global phishing campaign against cold storage supply chain members was first discovered in September, initially tied to Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. The threat actors masqueraded as biomedical executives and targeted enterprise leadership members in the IT, finance, sales, and procurement departments, who would likely be involved with vaccine cold chain efforts.

The attackers sent the messages to multiple employees across the enterprise, with some messages purporting to be help or support pages of the targeted enterprise. Instead, the messages contained malicious HTML attachments that opened locally on the devices and prompted victims to enter user credentials for access. This week’s update revealed that the researchers have detected an additional 50 files tied to spear-phishing emails targeting at least 44 entities in 44 different countries, including the US and Canada. 

“The expanded scope of precision targeting includes key organizations likely underpinning the transport, warehousing, storage, and ultimate distribution of vaccines. Spear-phishing attempts were associated with multiple executive activities and other roles," researchers explained.

Particularly, the cybercriminals are targeting CEOs, purchasing managers, system administrators, presidents, heads of supply and logistics, finance directors, HR officers, and a host of other leaders within the enterprise organization. IBM researchers first noticed the latest phishing campaign directly following the publication of the previous report. The malicious email was addressed to a German pharmaceutical and bioscience solutions company working on vaccine production and associated activities. The target also appeared to be a client of one of the original targets detected in the initial campaign.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

Cyber Criminals began to use a new scheme to defraud Russians

The classic scheme to defraud Russian bank clients with the help of malicious emails is enjoying a revival. Now the scammers, presenting themselves as Yandex.Money operators, demand that funds be transferred to a bitcoin wallet under the threat of publishing compromising videos.

They are relying primarily on the fact that the potential victim will react to a familiar brand: the letters are sent from the email address inform@money.yandex.ru. Yandex.Money electronic payment service, which belongs to Sberbank, changed its name to YooMoney last year.

In the letter, the attacker, who calls himself a programmer, claims that he managed to hack into the user's computer and gain full access to it and related devices, including the camera. According to the scammer, he managed to make an intimate video of the victim, and if he doesn't get what he wants, he will send the video to his entire contact list.

"Transfer $650 to my bitcoin wallet. My bitcoin wallet (BTC Wallet): bc1qpg0uv2dcsjvpe9k2y7knxpzfdqu26tvydeu4pf. After receiving payment, I will delete the video and you will never hear from me again. I give you 50 hours (over two days) to pay. I have a notification of reading this email and a timer will go off when you see this email," the scammer intimidates the victim.

YooMoney's press office said they are aware of this technique by the scammers and have already taken appropriate action. "The information is sent from a domain that we no longer own. Yesterday we received information about this and passed it on to the domain owner's security service," the service stated.

Extortion of this kind is well known and has a long history, Pavel Shust, executive director of the Association of Participants in the Market of Electronic Money and Remittances, explained to the agency. Such messages can be sent in the thousands, in the hope that someone will believe the threats and transfer the money after all. The expert explained that in reality, of course, no one has hacked the computer and there are no compromising materials; the letter should simply be deleted and forgotten.

Mackenzie Scott Scam: Fraudsters asking Fake Donations in Billionaire's name


A major phishing campaign that reached tens of thousands of inboxes impersonated the MacKenzie Bezos-Scott grant foundation, promising monetary advantages to recipients of the e-mail in exchange for a processing fee. 

The processing fee is referred to as an "advance fee," and it has been used since before the internet, with the "Nigerian prince" version popularising it. But this phishing campaign took advantage of the charitable acts last year from author MacKenzie Scott, ex-wife of Amazon founder Jeff Bezos. 

The scam surfaced after Mackenzie Scott revealed in December that she had donated $4.2 billion of her fortune to over 300 organizations, including food banks and other charities that assist people in need. Ironically, one food bank in Arkansas, which had received an authentic email from Scott about a legitimate donation, initially mistook it for a hoax. 

Eyal Benishti, the CEO of tech security company Ironscales said, “That may have primed fraudsters to develop a phishing scam based on Scott's donations in the hope that some organizations would believe that they, too, are receiving valid emails”. About 200 of its customers have received the bogus Mackenzie Scott emails, although none have fallen for the bait, he added. 

Fraudsters initiated the scam by sending out spoofed emails claiming that the MacKenzie Bezos-Scott grant foundation was distributing funds. In fact, the emails were sent not to distribute billions to charity, but to fleece victims. 

However, the fake Mackenzie Scott emails had a few tip-offs that hinted they weren't real: 

1. The sender’s name appeared as “Mackenzie Scott Grant” but the return email address was on the domain ‘@mintme.com’ 
2. Multiple grammatical errors in the email body 
3. The sender’s name and signature were different 

The fraudsters alleged that they are from the "MacKenzie Bezos-Scott foundation" and have chosen a recipient for a grant. Further, they ask for the recipients' full name and address, and if they answer, recipients are required to submit a small processing fee to unlock the grant. Of course, there's no grant; it's just a tactic to extort money from the victims.
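The tip-offs listed above, together with the credential-harvesting HTML attachments described in the vaccine cold-chain report earlier on this page, are all mechanically checkable from the raw message. The triage function below is an added example written for this page, not Ironscales or IBM X-Force code; the sample message, the people named in it, and every domain it uses are constructed placeholders, and `EXPECTED_DOMAINS` stands in for whatever domains the real sender would use.

```python
"""Triage one e-mail for the tell-tales described above: a display name that
does not match the sending domain, a Reply-To pointing elsewhere, a sign-off
name unrelated to the display name, and an HTML attachment that carries a
credential form posting to an outside host.

Added example; not IBM X-Force or Ironscales code. The message, names and
every domain below are constructed placeholders.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _words(s):
    return {w.lower() for w in re.findall(r"[A-Za-z]+", s)}


def triage_email(raw, expected_domains):
    """Return (kind, detail) findings. expected_domains: domains the purported
    sender would legitimately use for mail and for hosted forms."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. display name says one organisation, address domain says another
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    if from_domain not in expected_domains:
        findings.append(("from-domain", f"'{display}' sent from {from_domain}"))

    # 2. replies are steered to a third domain
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply-to-domain", _domain(reply_addr)))

    # 3. sign-off line shares no word with the display name
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    signoff = lines[-1] if lines else ""
    if display and signoff and not (_words(display) & _words(signoff)):
        findings.append(("signature-mismatch", signoff))

    # 4. HTML attachment with a password field whose form posts off-domain
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        asks_password = re.search(r'type\s*=\s*"password"', html, re.I) is not None
        for action in re.findall(r'<form[^>]*\saction="([^"]+)"', html, re.I):
            host = (urlparse(action).hostname or "").lower()
            if asks_password and host and host not in expected_domains:
                findings.append(("credential-form-attachment", host))
    return findings


def build_sample():
    """Construct a message resembling the advance-fee campaign (all values made up)."""
    m = EmailMessage()
    m["From"] = "Mackenzie Scott Grant <notice@mintme.example>"
    m["To"] = "director@foodbank.example"
    m["Reply-To"] = "claims@freemail.example"
    m["Subject"] = "Grant Notification"
    m.set_content(
        "Dear beneficiary,\n\nYou has been selected for a grant of $500,000. "
        "Reply with you full name and address, then pay the processing fee "
        "using the attached form.\n\nRegards,\nSamuel Okafor, Program Director\n"
    )
    m.add_attachment(
        '<html><body><form action="https://secure-login.example/submit">'
        '<input name="user"><input name="pass" type="password">'
        '</form></body></html>',
        subtype="html",
        filename="grant-form.html",
    )
    return m.as_string()


EXPECTED_DOMAINS = {"scott-foundation.example"}   # what a genuine notice would use

if __name__ == "__main__":
    for kind, detail in triage_email(build_sample(), EXPECTED_DOMAINS):
        print(f"{kind:28} {detail}")
```

The grammar tip-off is deliberately left to a human reader; the other three are cheap enough to run on every inbound message and are the kind of rule a mail gateway can quarantine on. The sign-off heuristic only looks at the last non-empty line, so a message that ends with a disclaimer rather than a name will need that line stripped first.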

Scams have escalated as a result of large-scale relief programs such as stimulus checks and the Paycheck Protection Program, which has drawn out fraudsters trying to trick people into giving away sensitive data, such as Social Security numbers. With the ongoing levels of hardship due to the coronavirus pandemic, people are more susceptible to scams at the moment.

Centre of Attraction for Scammers: NFTs


NFTs - non-fungible tokens - have been around for a few years now, but recent attention has sparked a surge throughout the market. According to proponents, NFTs are here to stay because they are more stable. Enthusiasts may be correct about NFTs' long-term viability, yet NFTs may also no longer be a significant part of the art market once the original frenzy subsides. The art market's key elements are authenticity and originality, and NFTs certainly deliver both. 

A non-fungible token (NFT) is a data unit on a digital ledger known as a blockchain that can represent a single digital object and therefore is not interchangeable. NFTs can be used to represent digital files like art, audio, video, video game objects, and other types of creative work. Although the definition can appear fundamentally abstract, it comes down to being able to assert exclusive possession of a collectible. 

"The higher the value of a cryptocurrency, the higher the volume of fraud targeting its users," says Abhilash Garimella, research scientist at fraud prevention firm Bolster.

NFTs can reflect digital possession of almost anything: for instance, Twitter CEO Jack Dorsey's first tweet, Grimes' original art, Marvel artists' exclusive superhero comic drawings, and every other form of artistic work, including videos and audio. Marvel comics entered the blockchain world when an Ethereum-based Spiderman NFT was sold for $25,000. So far, NFT "cryptocurrency collectibles" have sold for more than $100 million. 

Bitcoin and other cryptocurrencies have been questioned, despite proponents believing they are the future of economic systems and opponents dismissing them as nothing but a digital Ponzi scheme. Bitcoin mining is said to use as much energy as used by entire countries. People have become much more hesitant to buy and sell off their assets on the blockchain as they have become more aware of its vast energy requirements. Despite the fact that the blockchain is also said to be safe, there've been numerous cryptocurrency hacks. Both of these factors can deter young people from joining the craze, making it more difficult for NFTs to achieve long-term success. 

Hackers are indeed searching for ways to get as many Bitcoin, Monero, Ethereum, and other valuable digital coins as feasible, as shown by their fondness for ransomware, crypto mining, and hacking through cryptocurrency exchanges and extracting all of their assets in recent times. 

In 2020, two Florida teens and a British man duped a number of people into thinking that the 130 high-profile Twitter accounts they had taken over, including those of Elon Musk and Bill Gates, would double any bitcoin sent to them. Many people have since fallen for a scam in which Musk allegedly offers "free" NFTs after victims "verify" themselves by sending a small number of bitcoins "temporarily". This was one of the NFT scams.

Email Scam Under the Name of the IRS Tries to Gain EFINs of Tax Preparers


A lot of people are familiar with the US Internal Revenue Service (IRS) scam letters about the tax season that are phishing for money. Now, in a virtual version of the fake IRS letter, a different kind of IRS scam aims for tax practitioners. 

The IRS has instructed tax practitioners to watch for a scam that tries to obtain the victim's E-Filing Identification Number (EFIN). Here, intruders use a fake email to attack the identity and customer information of tax preparers. With that data, attackers can impersonate the tax preparer and submit fake tax returns to receive refunds. 

The hoax starts with a scam email, as per the IRS. The message claims to come from 'IRS tax e-filing' and goes under the heading ‘Verifying your EFIN before e-filing.’ The e-mail informs the tax preparer that certain documents must be sent to be checked and approved by the e-file staff. It then requests a copy of the preparer's EFIN and driver's license number. To make the situation more urgent, the email warns that, unless the preparer complies, the IRS will disable the preparer's e-filing access. 

This season, many other major tax scams have also been identified by the IRS and other sources. For example, in early February the IRS cautioned taxpayers against 'ghost' tax return preparers who refuse to sign the returns they prepare. Every prepared return needs the Preparer Tax Number and should be signed by the tax preparer as well; the IRS says a missing signature may suggest fraudulent activity by the preparer. Ghost preparers may, for example, promise big refunds and charge huge fees scaled to the size of those refunds. 

Through investing in their e-mail security defense, organizations can protect themselves and their users against such an IRS scam. One way they could do this is to develop a safety education program and educate employees about some of the most common kinds of publicly available tax-based phishing emails and other scams. Organizations should continuously test their employees to keep their employees informed of this IRS scam and similar attacks. Threat intelligence should be used to keep up with the latest tax scams. 

Furthermore, the IRS advised the tax preparers to avoid undertaking any of the email steps. It's best to delete the email and not respond in any way.

India's Top 5 Banks Targeted in a Phishing Scam


The customers of State Bank of India (SBI), ICICI, HDFC, Axis Bank, and Punjab National Bank (PNB) have been alerted regarding a serious security vulnerability. Threat actors are trying to lure Indian users into revealing important private information using the mobile apps of the aforementioned banks. The report suggests that suspicious messages prompted users to submit an application for disbursement of the income tax refund. 

The threat actors are attaching a link with these texts that looks like an income tax e-filing web page. The suspicious links originate from the US and France without a domain name and are not linked with the Indian government, as per the revelation made in an investigation by New Delhi-based think tank CyberPeace Foundation along with cybersecurity services firm Autobot Infosec. 

Furthermore, the report claims that all IP addresses associated with the campaign belong to third-party cloud hosting providers. The entire campaign uses plain HTTP instead of HTTPS. This means that anyone on the network path can intercept the traffic and read the submitted information in plaintext to misuse against the victim.

How do threat actors exploit vulnerabilities?

Threat actors install malware in these banking apps and lure users into downloading an application from a third-party source instead of the Google Play Store. This application then asks the user to grant it administrator rights and permissions that allow unnecessary use of the device. 

On opening the link http://204.44.124[.]160/ITR, users are redirected to a landing page that looks similar to the official government income tax e-filing website. The users are then asked to click on the 'green color' button and proceed to the verification steps. Users are further asked to submit private information such as their full name, PAN number, Aadhaar number, address, PIN code, date of birth, mobile number, email address, gender, marital status, and banking details. 

Apart from this, they are also asked to fill in information such as account number, IFSC code, card number, expiration date, CVV, and card PIN. All of this information is being finally transferred to the threat actors.
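The three indicators the investigation calls out for this campaign (a bare IP address instead of a domain, plain HTTP instead of HTTPS, and income-tax wording on a host that is not the government's) can be scored automatically on links pulled out of SMS text. The script below is an added example written for this page, not the think tank's or Autobot Infosec's tooling; the SMS texts and the trusted domain `tax.gov.example` are constructed, and only the link `http://204.44.124[.]160/ITR` comes from the report.

```python
"""Pull links out of SMS-style lures and score each one on the indicators the
CyberPeace/Autobot investigation called out: a bare IP instead of a domain,
plain http instead of https, and tax-refund wording on a host that is not the
government's. Defanged notation (hxxp, [.]) is normalised first so the page's
own IoC can be fed in as written.

Added example, not the think tank's tooling. The SMS texts and the trusted
domain are constructed; only http://204.44.124[.]160/ITR comes from the report.
"""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LURE_WORDS = ("itr", "refund", "tax", "kyc")


def refang(text):
    """Turn hxxp:// and [.] back into a parseable URL."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)


def extract_urls(text):
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(refang(text))]


def assess_url(url, trusted_domains):
    """Return the list of indicator names that fire for this URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if p.scheme.lower() == "http":
        reasons.append("plain-http")            # submitted data crosses the wire in clear
    try:
        ipaddress.ip_address(host)
        reasons.append("bare-ip-host")          # no domain, nothing to tie to an institution
    except ValueError:
        pass
    trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
    haystack = (host + p.path + p.query).lower()
    if not trusted and any(w in haystack for w in LURE_WORDS):
        reasons.append("lure-wording-off-trusted-host")
    return reasons


def triage_messages(messages, trusted_domains):
    """Map every URL found in the messages to its indicators."""
    return {u: assess_url(u, trusted_domains) for m in messages for u in extract_urls(m)}


# Constructed SMS texts; the first carries the report's IoC in defanged form.
SAMPLE_SMS = [
    "Dear customer, your income tax refund is approved. Apply now: hxxp://204.44.124[.]160/ITR",
    "Refund status is available at https://tax.gov.example/refund/status",
    "Complete KYC today or your account will be blocked: https://tax-refund-portal.example/verify",
]
TRUSTED_DOMAINS = {"tax.gov.example"}   # placeholder for the real e-filing domain

if __name__ == "__main__":
    for url, reasons in triage_messages(SAMPLE_SMS, TRUSTED_DOMAINS).items():
        print(f"{url}\n    {', '.join(reasons) or 'no indicators'}")
```

The keyword rule is the noisiest of the three and is meant to rank, not block: a legitimate third-party tax service will trip it, so the trusted-domain set should list every host the organisation actually expects to send refund links, and the bare-IP and plain-HTTP rules are the ones worth alerting on unconditionally.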