CyberCrime - W/E - 080318

Check Point Discovers a New Twist to the Standard Malvertising Campaign (07/31/2018)
Check Point Software has uncovered a malvertising campaign that relies on a partnership between a threat actor called "Master134" and several legitimate resellers to push out banking Trojans, ransomware, and bots. Master134 redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding (RTB) ad platform, which then sold it on to the resellers. These resellers passed the traffic on to the highest-bidding "advertiser." However, instead of being legitimate companies selling actual products, the advertisers were threat actors looking to distribute malware to Master134's traffic.

Chinese Scam Targeting US Government Uses Snail Mail and Malicious CDs (07/30/2018)
KrebsOnSecurity has learned that several US state and local government agencies received letters by regular mail, postmarked from China, that included CDs containing malware. Brian Krebs discovered a non-public alert from the Multi-State Information Sharing and Analysis Center (MS-ISAC), which explained that the mailings arrive in a Chinese-postmarked envelope containing a "confusingly worded typed letter with occasional Chinese characters." The alert stated that the State Archives, State Historical Societies, and a State Department of Cultural Affairs had all received these letters.

College Student Stole Millions Through SIM Card Hacking Scheme (07/31/2018)
A college student was arrested after it was determined that he hijacked dozens of phone numbers and stole millions in cryptocurrency in what has been called a "port out scam," Motherboard reported. Joel Ortiz, with the assistance of others, targeted about 40 individuals using the SIM hijacking method, which involves tricking a cell carrier into transferring the victim's phone number to a SIM card controlled by the criminal. Ortiz netted about $5 million USD in the scam and is facing 28 charges, which include identity theft, hacking, and grand theft.

Cyber Thieves Continue to Impersonate US Government to Scam Victims (07/31/2018)
The Federal Trade Commission (FTC) is reminding Americans to be vigilant against government imposter scams, which can arrive by phone, email, or text. The scams can claim that the victim needs to pay a fine for missing jury duty or that the victim has won a large prize and must pay a fee to claim it. The FTC warned that the government - or any legitimate government employee - will never ask for or demand money by phone, email, or text.

FELIXROOT Backdoor Reemerges with Weaponized Documents in Tow (07/30/2018)
FireEye observed the same FELIXROOT backdoor that was used in 2017 to target Ukrainians being distributed as part of a newer campaign. The latest campaign used weaponized lure documents claiming to contain seminar information on environmental protection; the documents were observed exploiting known Microsoft Office vulnerabilities to drop and execute the backdoor binary on the victim's machine. The FELIXROOT backdoor contains several commands for specific tasks. After executing each task, the malware sleeps for one minute before executing the next one. Once all the tasks have been executed, the malware breaks out of the loop, sends the termination buffer back to its operator, and clears its footprints from the targeted machine.

Jailed Inmates Hack Bug in JPay to Steal Nearly a Quarter of a Million Dollars (07/30/2018)
More than 350 inmates at prisons in Idaho exploited a vulnerability in the JPay tablets that are used in correctional facilities for email, music, and games to siphon about $225,000 USD into their own accounts, the Associated Press (AP) reported. The tablets are available to Idaho inmates through a contract with JPay and CenturyTel. In total, 364 inmates were involved in the scheme. Idaho Department of Correction spokesman Jeff Ray said in a statement, "This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system's vulnerability to improperly credit their account."

Kaspersky Identifies Worldwide Spear-Phishing E-Mail Attack (08/01/2018)
Kaspersky Lab has identified a wave of financial spear-phishing e-mails that are often disguised as legitimate procurement and accounting letters. This worldwide scam is believed to have hit "more than 400 industrial organizations," primarily in Russia. Per Kaspersky's researchers, the messages targeted approximately 800 employee PCs and were designed to steal money and confidential data for use in future attacks. "Of note," Kaspersky noted, "the attackers even addressed the targeted victims by name," which suggests the attacks were "carefully prepared" and that the criminals "took the time to develop an individual letter for each user." The attacks are believed to have begun as early as the fall of 2017.

Massachusetts Man Found Guilty of DDoSing Children's Healthcare Facilities (08/02/2018)
A Massachusetts man has been found guilty in a federal courtroom of orchestrating disruptive computer attacks on Boston Children's Hospital and the Wayside Youth and Family Support Network, according to the US Department of Justice (DOJ). Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers; he will be sentenced on August 14, 2018. Gottesfeld perpetrated a DDoS (Distributed Denial of Service) attack on the aforementioned facilities on March 25, 2014. The attack crippled Wayside's network for more than a week and caused the facility to spend $18,000 on response and mitigation efforts.

New Attack Method Hits "Supply Chain within a Supply Chain" (07/30/2018)
A new software supply chain attack unearthed by Microsoft found that attackers compromised the shared infrastructure between the vendor of a PDF editor application and one of its software vendor partners, making the app's legitimate installer the unsuspecting carrier of a malicious payload. The app vendor's own systems were unaffected. The compromise was instead traceable to a second software vendor that hosted additional packages used by the app during installation. The attackers used two cryptocurrency mining variants to monetize their campaign. The compromise was active between January and March 2018 but was limited in scope. Microsoft described this attack as involving "the supply chain of the supply chain."

Russian Hacker Gets Prison Term for Scheme that Resulted in Losses of $4 Million (07/31/2018)
The Justice Department (DOJ) announced that a Russian national was sentenced to 70 months in federal prison for hacking into the accounts of two companies and issuing unauthorized debit cards, associated with dependent care accounts, to conspirators around the world, leading to losses of more than $4 million USD. Mikhail Konstantinov Malykhin used login credentials supplied to him by another hacker to illegally access the online software platform of a Massachusetts company, which other companies used to manage flexible spending accounts and dependent care accounts. Once inside the platform, Malykhin reactivated dormant dependent care accounts associated with an Oregon company and issued debit cards from these accounts with limits of up to $5 million. Malykhin also used his illegal access to the platform to issue debit cards linked to a Colorado company that later went out of business as a result of the losses suffered through the hack.