Chinese hackers said to have collected audio of American calls

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon.


Chinese state-affiliated hackers have collected audio from the phone calls of U.S. political figures, according to three people familiar with the matter. Those whose calls have been intercepted include an unnamed Trump campaign adviser, said one of the people.

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon and were able to collect audio on a number of calls as part of a wide-ranging espionage operation that began months ago, according to the people, who spoke on the condition of anonymity because a federal investigation is underway. The government is still seeking to determine how much audio the hackers have, one of the people said.

They were also able to access unencrypted communications, including text messages, of the individual, the people said. End-to-end encrypted communications such as those on the Signal platform are believed to have not been hacked, they said.

The development heightens concerns over the extent of the infiltration as the 2024 election is in high gear as well as the potential threat to long-term national security.

The FBI declined to comment on the matter.

The FBI and other U.S. agencies are still investigating the full extent and nature of the espionage campaign. The hackers targeted the phones of former president Donald Trump, who is running to regain the White House, and his running mate JD Vance, the New York Times first reported Friday. They were thought to have targeted information about call logs, and there is no evidence so far that the hackers listened in on calls of the two Republicans at the top of the ticket.

As previously reported, Democrats were also targeted in the hacking efforts, including the staff of Senate Majority Leader Charles E. Schumer (D-New York), according to another person familiar with the matter.

The Salt Typhoon group is also thought to have targeted the system that tracks lawful requests for wiretaps made by the federal government of carriers. The motive there could be to figure out who the FBI and other federal agencies have under surveillance, said people familiar with the matter.

The matter is so serious that the White House earlier this month set up an emergency multiagency team to ensure all relevant agencies have visibility into the investigation. The establishment of a “unified coordination group” triggers a separate mandatory investigation by a public-private Cyber Safety Review Board, which in this case will probe the lapses that led to the intrusions. The board is led by the Department of Homeland Security and includes cyber experts from industry. It’s unclear when the probe will begin, officials said.

The wide-ranging operation has involved at least 10 telecom companies, including major carriers such as AT&T, Verizon and Lumen.

At least one U.S. official was notified late last week that a personal cellphone had been accessed by the Salt Typhoon hackers, said one of the people familiar with the matter. The hackers were targeting phone logs, SMS text messages and other data on the device, said the person. It was not clear whether audio calls were successfully intercepted for that official, the person said.


Best smartphone features to combat thieves


Android smartphones and iPhones have several useful features that protect them against use and data exfiltration by thieves — including locking mechanisms and location tracking.

Many apps and services available on smartphones require sensitive or personal data and documents to function properly.

They can also support powerful features like payments from your bank account, including through growingly popular digital wallets.

Fortunately, they come with several security features to prevent unauthorised access to your files and apps, which is a big threat in a country like South Africa.

However, many of these features are not enabled by default, and some users might consider them unnecessary during initial setup.

When it comes to protecting your device, it is imperative that you have a locking mechanism enabled.

While you can choose a secret PIN or pattern to unlock the device, repeatedly entering this will sometimes leave markings or smudges on the screen that thieves can use to figure it out.

It is also easier for thieves to get you to share your PIN once and then have near unlimited access to your phone than to require that you provide biometrics.

Most modern Android smartphones offer optical or ultrasonic fingerprint readers, typically located under their displays or on the rear of the phone.

Some also have facial unlocking support.

However, on most Android phones, this method is not deemed as sufficient verification for accessing sensitive information, changing important settings, or opening apps for mobile banking or payments.

That is because Android facial recognition typically relies on a single front camera and, in some cases, a depth sensor.

While Apple does not offer fingerprint readers on its iPhones, its facial recognition feature, Face ID, is regarded as far more advanced and secure than the options on Android.

The Face ID system uses three sensors in the iPhone’s notch or “Dynamic Island” to accurately verify users — even in the dark.

It uses a combination of a laser dot projector, an infrared flood illuminator, and an infrared camera to scan, store, and read a 3D pattern of your face.

Apple says the system is so meticulous that there is only a one-in-a-million chance that another random person’s features are similar enough to fool Face ID into treating them as the verified user.

Seasoned Android users used to simple hole-punch camera cutouts might think the Dynamic Island unsightly, but it serves an important security purpose.

Location detection

Another way to protect your phone against thieves is to enable location tracking services, which allows you to monitor the location of your device from another device where you are logged into the same account.

On Apple devices this is called Find My iPhone, Android’s version is Find My Device, and Samsung’s is SmartThings Find.

These features can track your smartphone via its GPS and use low-power Bluetooth tracking, pinging from various other devices on their networks to pinpoint your device’s location.

Apple and Google’s Find My networks are not enabled by default, but Samsung’s is.

Therefore, if you have a non-Samsung smartphone, be sure to turn on the feature in your phone’s settings.

It should also be noted that Samsung users can benefit from both the Find My Device network and SmartThings Find network.

It is recommended not to try to track down dangerous criminals who might have your smartphone, but it can assist law enforcement or professional private security in tracking down the culprits.

The networks also allow you to remotely lock and wipe your device, which is very useful if you have sensitive data on it and have a secure backup on the cloud.

Unfortunately, thieves can simply turn off the device to take it offline and prevent your device from updating its location.

However, certain smartphones — including recently released iPhones and Google Pixel devices — can be tracked for some time, even when turned off.

This capability relies on a special provision that reserves part of the battery for offline tracking over low-power Bluetooth.

To use it on iPhones, be sure to turn on “Find My Network” under your “Find My iPhone” settings.

On Google Pixel devices, users must turn on the capability under “Find your offline devices” in the “Find My Device” section.

Specialised anti-theft features

Apple’s iPhones also have a Stolen Device Protection feature, which is not enabled by default.

This feature implements a time delay for certain security-sensitive actions, like changing your Apple account password.

To use it, you must enable two-factor authentication for your Apple account and have the following enabled:

  • A device passcode, Face ID, or Touch ID; and
  • Significant Locations (also known as Location Services)

To turn Stolen Device Protection on, head to your iPhone Settings page, and tap Face ID & Passcode.

You will be required to submit your passcode or biometrics before turning Stolen Device Protection on or off.

Google recently began rolling out a slew of new anti-theft features that will become available on millions of smartphones running Android 10 or later through a Google Play Services update later in 2024.

The first big upgrade is a new AI-powered theft protection lock.

Google said this can detect motion consistent with a phone being snatched out of your hand and the thief running, biking, or driving away.

“If a common motion associated with theft is detected, your phone screen quickly locks — which helps keep thieves from easily accessing your data,” Google explains.

The second capability is offline device lock, which will automatically lock your smartphone if a thief tries to disconnect your device from a network for prolonged periods.

The third new feature lets you remotely lock your smartphone simply by entering your phone number and completing a quick security challenge on any device instead of logging into your account first.

“This buys you time to recover your account details and access additional helpful options in Find My Device, including sending a full factory reset command to completely wipe the device,” Google explains.

In addition to the above, newer devices that can be updated to Android 15 are getting the following features:

  • Factory reset blocking requiring account credentials
  • Private space for hiding sensitive apps
  • Requiring PIN, password, or biometric authentication for disabling Find My Device
  • Compulsory biometric authentication if a thief figures out a PIN

Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

Ravie Lakshmanan

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish Framework to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.

“The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain,” Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis.

The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerading as Yandex Disk (“disk-yandex[.]ru”), and HTML web pages disguised as VK, a social network predominantly used in the country.

Gophish is an open-source phishing framework that lets organizations test their phishing defenses by using easy-to-use templates to launch email-based campaigns that can then be tracked in near real time.

The unknown threat actor behind the campaign has been observed taking advantage of the toolkit to send phishing messages to their targets and ultimately push DCRat or PowerRAT depending on the initial access vector used: A malicious Microsoft Word document or an HTML embedding JavaScript.

When the victim opens the maldoc and enables macros, a rogue Visual Basic (VB) macro is executed to extract an HTML application (HTA) file (“UserCache.ini.hta”) and a PowerShell loader (“UserCache.ini”).

The macro is responsible for configuring a Windows Registry key such that the HTA file is automatically launched every time a user logs into their account on the device.

The HTA file, for its part, drops a JavaScript file (“UserCacheHelper.lnk.js”) that’s responsible for executing the PowerShell Loader. The JavaScript is executed using a legitimate Windows binary named “cscript.exe.”

“The PowerShell loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory,” Raghuprasad said.
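
The three traits of the loader chain just described (a Run-key autostart pointing at an .hta file, a script host executing a .js file from a user profile path, and PowerShell reading its script body from a file masquerading as an .ini) can be turned into simple detections over endpoint telemetry. The following is an added example written for this digest, not code from Talos or the article; the event layout is a simplified Sysmon-style record, the registry hive path and the user name "alice" are constructed, and only the file names come from the report.

```python
"""
Added example (not from the Talos report or this article): flag, in constructed
Sysmon-style events, the loader-chain traits the article describes.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" (Sysmon event 1) or "registry" (event 13)
    image: str = ""           # process image path
    cmdline: str = ""         # process command line
    target: str = ""          # registry value path (registry events only)
    details: str = ""         # registry value data (registry events only)


RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# PowerShell pulling script text from a file it then evaluates.
PS_READS_FILE = re.compile(r"\b(iex|invoke-expression|get-content|gc)\b", re.I)


def findings_for(event: Event) -> list[str]:
    """Return the detection names that fire for one event (empty if benign)."""
    out = []
    if event.kind == "registry":
        # Autostart value whose data is an HTA file: launched by mshta at every logon.
        if RUN_KEY.search(event.target) and event.details.lower().endswith(".hta"):
            out.append("run_key_hta_autostart")
    elif event.kind == "process":
        name = event.image.rsplit("\\", 1)[-1].lower()
        cmd = event.cmdline.lower()
        # cscript/wscript running a .js dropped under a user's AppData.
        if name in SCRIPT_HOSTS and ".js" in cmd and USER_PROFILE.search(cmd):
            out.append("script_host_js_from_user_profile")
        # PowerShell evaluating the contents of a file with a non-script extension.
        if name == "powershell.exe" and ".ini" in cmd and PS_READS_FILE.search(cmd):
            out.append("powershell_script_from_ini_file")
    return out


def suspicious_indices(events: list[Event]) -> list[int]:
    """Indices of events that triggered at least one detection."""
    return [i for i, ev in enumerate(events) if findings_for(ev)]


# Constructed sample telemetry mirroring the chain in the article. The hive path,
# directories and the user "alice" are invented; file names are from the report.
SAMPLE_EVENTS = [
    Event("registry",
          target=r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\UserCache",
          details=r"C:\Users\alice\AppData\Roaming\UserCache.ini.hta"),
    Event("process",
          image=r"C:\Windows\System32\cscript.exe",
          cmdline=r'cscript.exe //E:JScript "C:\Users\alice\AppData\Roaming\UserCacheHelper.lnk.js"'),
    Event("process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r'powershell.exe -nop -w hidden -c "iex (Get-Content C:\Users\alice\AppData\Roaming\UserCache.ini -Raw)"'),
    # Benign control: a script host running a Windows-supplied script outside any user profile.
    Event("process",
          image=r"C:\Windows\System32\cscript.exe",
          cmdline=r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]

if __name__ == "__main__":
    for i in suspicious_indices(SAMPLE_EVENTS):
        print(i, findings_for(SAMPLE_EVENTS[i]))
```

The three checks are independent, so each stage of the chain surfaces on its own even if the earlier events were not logged; correlating them on the same host and user within a short window would raise confidence further, but that correlation is left out here to keep the logic readable.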

The malware, in addition to performing system reconnaissance, collects the drive serial number and connects to remote servers located in Russia (94.103.85[.]47 or 5.252.176[.]55) to receive further instructions.

“[PowerRAT] has the functionality of executing other PowerShell scripts or commands as directed by the [command-and-control] server, enabling the attack vector for further infections on the victim machine.”

In the event no response is received from the server, PowerRAT comes fitted with a feature that decodes and executes an embedded PowerShell script. None of the analyzed samples thus far have Base64-encoded strings in them, indicating that the malware is under active development.

The alternate infection chain that employs HTML files embedded with malicious JavaScript, in a similar vein, triggers a multi-step process that leads to the deployment of DCRat malware.

“When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript,” Talos noted. “The JavaScript has a Base64-encoded data blob of a 7-Zip archive of a malicious SFX RAR executable.”

Present within the archive file (“vkmessenger.7z”) – which is downloaded via a technique called HTML smuggling – is another password-protected SFX RAR that contains the RAT payload.
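
Because an HTML-smuggled archive arrives as a Base64 literal inside the page's script rather than as an attachment, a gateway or sandbox can surface it by decoding long Base64 runs and checking the leading bytes for an archive or executable signature. The following is an added example for this digest, not code from Talos, Netskope or the article; the sample page is constructed and its blob carries only the 7-Zip signature followed by zero bytes, not a real archive.

```python
"""
Added example (not from the Talos report or this article): find Base64-embedded
archives or executables in an HTML/JS document without executing its script.
"""
import base64
import re

# Leading bytes of container formats worth flagging inside a web page.
SIGNATURES = {
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"PK\x03\x04": "ZIP archive",
    b"MZ": "PE executable",
}
# Runs of Base64 alphabet long enough to be a payload rather than a token or hash.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def embedded_payloads(html: str) -> list[tuple[int, str, int]]:
    """Return (offset, format, decoded_size) for every Base64 literal whose decoded
    bytes begin with a known signature."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for magic, label in SIGNATURES.items():
            if raw.startswith(magic):
                hits.append((m.start(), label, len(raw)))
                break
    return hits


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample: a dummy blob with the 7-Zip signature and 300 zero bytes.
FAKE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 300
SMUGGLING_HTML = (
    '<html><body><script>\n'
    'const data = "' + _b64(FAKE_7Z) + '";\n'
    '</script></body></html>'
)
# Constructed control: a long Base64 literal that decodes to plain text.
CLEAN_HTML = (
    '<html><body><script>const token = "' + _b64(b"A" * 300) + '";</script></body></html>'
)

if __name__ == "__main__":
    print(embedded_payloads(SMUGGLING_HTML))   # one 7-Zip hit of 306 bytes
    print(embedded_payloads(CLEAN_HTML))       # nothing
```

The 200-character threshold and the fixed signature table are deliberate simplifications; a production scanner would also handle chunked or reversed literals and hand the decoded bytes to a file-type library, but the core idea of decoding before inspecting is the same.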

It’s worth noting that the exact infection sequence was detailed by Netskope Threat Labs in connection with a campaign that leveraged fake HTML pages impersonating TrueConf and VK Messenger to deliver DCRat. Furthermore, the use of a nested self-extracting archive has been previously observed in campaigns delivering SparkRAT.

“The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples,” Raghuprasad said.

“The SFX RAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.”

The Golang-based loader is also designed to retrieve the DCRat binary data stream from a remote location through a hard-coded URL that points to a now-removed GitHub repository and save it as “file.exe” in the desktop folder on the victim’s machine.

DCRat is a modular RAT that can steal sensitive data, capture screenshots and keystrokes, and provide remote control access to the compromised system and facilitate the download and execution of additional files.

“It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process,” Talos said. “The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file […] and exfiltrates the sensitive data collected from the victim machine.”

The development comes as Cofense has warned of phishing campaigns that incorporate malicious content within virtual hard disk (VHD) files as a way to avoid detection by Secure Email Gateways (SEGs) and ultimately distribute Remcos RAT or XWorm.

“The threat actors send emails with .ZIP archive attachments containing virtual hard drive files or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim,” security researcher Kahng An said. “From there, a victim can be misled into running a malicious payload.”


Sophos Fortifies XDR Muscle With $859M Secureworks Purchase

Michael Novinson

Sophos plans to make the largest acquisition in its four-decade history, scooping up Secureworks for $859 million to turbocharge its threat intelligence, detection and response.


The Oxford, U.K.-based platform security vendor will combine its managed detection and response services with Atlanta-based Secureworks’ XDR, SIEM and identity detection and response capabilities. The deal will enhance threat detection, response times and security posture for businesses worldwide, helping the combined company serve customers ranging from small businesses to large enterprises (see: Why Dell Is Once Again Eyeing the Sale of MSSP Secureworks).

“Secureworks offers an innovative, market-leading solution with their Taegis XDR platform,” Sophos CEO Joe Levy said in a statement. “Combined with our security solutions and industry leadership in MDR, we will strengthen our collective position in the market and provide better outcomes for organizations of all sizes globally.”

Why Sophos, Secureworks Are Better Together

Secureworks, founded in 1999, employed 1,516 people as of Feb. 2, and is publicly traded, with Dell having 97.4% of the total voting power. The deal is set to close in early 2025 and will pay Secureworks shareholders $8.50 per share, which is 28% higher than the firm’s average trading price over the past 90 days. Secureworks’ stock is down $0.10 – or 1.18% – to $8.37 per share in trading Monday morning.

Sophos will pay for Secureworks through a combination of debt financing and backing from private equity firm Thoma Bravo, which acquired Sophos for $3.9 billion in March 2020. This is the largest of the 18 acquisitions Sophos has made since its founding in 1985, dwarfing the company’s $120 million purchase of endpoint security startup Invincea in February 2017 (see: Cybersecurity for SMBs: Joe Levy’s Take on Risk Mitigation).

“Sophos’ portfolio of leading endpoint, cloud and network security solutions – in combination with our XDR-powered managed detection and response – is exactly what organizations are looking for to strengthen their security posture and collectively turn the tide against the adversary,” Secureworks CEO Wendy Thomas said in a statement.

Sophos plans to integrate Secureworks’ capabilities around ITDR, SIEM, OT security and vulnerability risk prioritization into its broader suite of tools. The fusion will help customers detect, investigate and respond to threats more quickly, according to Sophos. The synergy between Sophos’ end-to-end products and Secureworks’ managed services expertise will further strengthen their offering, according to Sophos.

Secureworks and Sophos currently cater to different types of customers, and the firm said combining their technologies and services will make advanced security more accessible to smaller organizations while also benefiting large enterprises. This deal will also accelerate the use of AI, aiming for faster detection times and enhanced security visibility across both native and third-party tools, Sophos said.

Why Secureworks Was Seeking a Suitor

Both organizations work with channel partners, and Sophos said the acquisition is expected to create more value for these partners by offering them enhanced capabilities and a broader set of solutions to sell and support. Virtually all of Sophos’ business goes through channel partners, while Secureworks generated 23% of its revenue last year through referral agents, VARs, trade associations and MSSPs.

Secureworks has faced challenges in recent years, including declining revenue and layoffs. Despite growing adoption of its Taegis XDR platform, the company has reduced its workforce as its stock value has fallen. This proposed acquisition by Sophos comes as Secureworks has been working to streamline its business and focus on high-growth areas including XDR.

Specifically, Secureworks’ sales for the fiscal year ended Feb. 2, 2024, fell to $365.9 million, down 21.1% from $463.5 million the prior year. And the size of Secureworks’ staff has fallen by nearly 44%, with headcount plummeting from 2,696 employees on Jan. 29, 2021, to just 1,516 workers on Feb. 2, 2024. Secureworks’ stock is down nearly 70% from its all-time high of $25.98 per share in September 2021.

Forrester didn’t include Secureworks in its 11-vendor evaluation of the XDR market in June of this year. Sophos, meanwhile, was the eighth highest-rated vendor, ahead of Trellix, Broadcom and Fortinet. Forrester praised Sophos for integrating native tools and third-party data from Google and Microsoft, but said the security analyst experience falls short, with little contextualization and cumbersome management.

Dell has been exploring options to sell off non-core assets like Secureworks as part of its strategy to focus on its core businesses. Dell in September 2020 sold encryption titan RSA Security to private equity firm Symphony Technology Group for $2.08 billion. Dell first teamed up with Morgan Stanley to explore a sale of Secureworks in 2019 when the stock was trading at a then-record high.


Hackers Disable Internet Archive’s Wayback Machine Once Again


Arrests in international operation targeting cybercriminals in West Africa

Global law enforcement unites with INTERPOL to combat cybercrime


Eight individuals have been arrested as part of an ongoing international crackdown on cybercrime, dealing a major blow to criminal operations in Côte d’Ivoire and Nigeria.

The arrests were made as part of INTERPOL’s Operation Contender 2.0, an initiative aimed at combating cyber-enabled crimes, primarily in West Africa, through enhanced international intelligence sharing.

Phishing scam targets Swiss citizens

In Côte d’Ivoire authorities dismantled a large-scale phishing scam, thanks to a collaborative effort with Swiss police and INTERPOL.

The scam, which resulted in reported financial losses of over USD 1.4 million, involved perpetrators who posed as buyers on small advertising websites. The fraudsters used QR codes to direct victims to fraudulent websites that mimicked a legitimate payment platform, where victims would unwittingly enter personal information such as their login details or card number. They also impersonated the platform’s customer service agents over the phone to further deceive victims.

Swiss authorities received over 260 reports regarding the scam between August 2023 and April 2024, which prompted an investigation that traced the suspects back to Côte d’Ivoire.

With coordination and intelligence from INTERPOL, the Ivorian Cyber Unit led the investigation, locating and arresting the main suspect, who confessed to the offence and to making financial gains of over USD 1.9 million.

The arrest also led to the seizure of digital devices, which are currently undergoing forensic analysis. Five other individuals were found to be conducting cybercriminal activities at the same location, increasing the scope of the operation.

The investigation is still ongoing, with Ivorian investigators working to identify additional victims, recover stolen funds, and trace goods purchased with illicit proceeds.

 

Photo captions: Operation Contender 2.0 combats cybercrime through enhanced intelligence sharing; arrests in Nigeria as part of a crackdown on cybercrime; global law enforcement united with INTERPOL for the operation; the arrests led to the seizure of digital devices.

An international campaign against romance cyber fraud

The Contender 2.0 operation is the latest wave of ongoing action coordinated by INTERPOL’s African Joint Operation against Cybercrime (AFJOC). The initiative was launched in 2021 in response to intelligence from authorities and private partners on the activities of cybercriminal syndicates operating within the African region, particularly in West Africa.

The project targets a variety of cyber threats, including business email compromise schemes, a type of phishing attack in which criminals exploit trust to deceive senior executives into transferring funds or divulging sensitive information.

Another key AFJOC target is romance scams and other financial grooming crimes, which often involve cryptocurrencies or other digital assets. Romance scams refer to criminals creating fake online identities to develop romantic or close relationships with their victims, ultimately to manipulate or steal money from them.

In one recent example, authorities in Finland alerted the Nigerian Police Force via INTERPOL that a victim had been scammed out of a substantial amount of money. Leveraging its private sector partners, including Trend Micro and Group-IB, INTERPOL’s AFJOC was able to provide detailed information to the Nigerian authorities. This intelligence was instrumental in guiding investigative efforts, and local police arrested the suspect on 27 April 2024, along with an accomplice. The investigation revealed the offender’s involvement in similar scams and uncovered links to other potential victims.

Neal Jetton, Director of the Cybercrime Directorate said:

“Leveraging the increased reliance on technology in every aspect of our daily lives, cybercriminals are employing a range of techniques to steal data and execute fraudulent activities. These recent successful collaborations, under the umbrella of Operation Contender 2.0, demonstrate the importance of continued international cooperation in combating cybercrime and bringing perpetrators to justice.”

The AFJOC project is funded by the UK’s Foreign, Commonwealth & Development Office.


Police bust cybercrime racket operating from shop in Palghar district, two held

Tracking the bank accounts where the money had been transferred, the police reached a shop near Vasai railway station in Palghar district, said senior inspector Deepali Patil of the Evidence Management Centre of the Navi Mumbai police

The Navi Mumbai police have arrested two persons who were running a cybercrime racket from a shop in Palghar district, an official said on Saturday.

The Nhava Sheva police recently registered a case after a man approached them claiming that a woman he had met on a dating app duped him of over Rs 10 lakh promising attractive returns on investment.

Tracking the bank accounts where the money had been transferred, the police reached a shop near Vasai railway station in Palghar district, said senior inspector Deepali Patil of the Evidence Management Centre of the Navi Mumbai police.

Nine youngsters were working in the shop rented by two men, identified as Yogesh Jain and Himanshu Jain, the official said. Police recovered over 50 debit cards, 18 mobile phones, 17 chequebooks, 15 SIM cards, 8 Aadhaar cards and many other documents from the duo, the official said.

Police said Yogesh and Himanshu had recruited the youths from Rajasthan and Uttar Pradesh and opened several bank accounts in their names using fake documents like rent agreements. The duo used the youngsters to commit cybercrimes, the official said.

Yogesh and Himanshu have been arrested, the official said, adding that a probe is underway.


Massive illegal online gambling crackdown: Interpol coordinates 5,100 arrests in 28 countries

Interpol has busted thousands of illicit football betting websites, scam centers, human trafficking, fraud schemes, and other criminal activities in a massive operation, which led to over 5,100 arrests and the recovery of more than $59 million in unlawful proceeds.

The operation, code-named SOGA X, spanned 28 countries and territories between June and July 2024 during the UEFA 2024 European Football Championships.

The feds correctly predicted the tournament would catalyze a surge in illegal online football gambling, generating betting turnover and lucrative profits for criminals.

Photo: 55 suspects were arrested in Macao (China)

SOGA X investigations also led to the shutting down of tens of thousands of illegal websites, the rescue of trafficked workers, and the exposure of money laundering syndicates, Interpol announced.

“Organized crime networks reap huge profits from illegal gambling, which is often intertwined with corruption, human trafficking, and money laundering. The successes of Operation SOGA X would not have been achieved without global information sharing and significant efforts by law enforcement authorities on the ground,” said Stephen Kavanagh, Interpol Executive Director of Police Services.


In the Philippines, the operation dismantled a scam center operating alongside a licensed gambling site. Local authorities, supported by Interpol, rescued more than 650 human trafficking victims, among them 400 Filipinos and more than 250 foreign nationals from six different countries.

The people were forced into working for legal gambling sites and running illegal cyber scams, such as romance scams and crypto-related frauds.


“Many of the victims had been lured to the location with false promises of employment and were kept there through threats, intimidation, and even passport confiscation,” Interpol said.

Another large bust was a large-scale financial fraud and illegal betting sites scheme in Vietnam and Thailand.


In Vietnam, where online gambling is prohibited for citizens, the feds locked up a sophisticated gambling ring that was generating $800,000 in daily transactions. Meanwhile, in Thailand, police seized assets worth over $9 million after raiding two locations hosting major illegal betting websites.

Another part of the operation took place in Europe. Greek authorities took down an illegal betting ring behind at least seven illegal gambling sites, which also had access to accounts on 60 other illegal websites. The criminals exploited fake and mule user accounts to place bets on sports events. Interpol noted that the ring employed VPNs to bypass internet blocks in Greece.

Photo: Seizures in the Philippines during operation SOGA X

The criminal group managed 3,000 fake and ‘mule’ accounts on legal gambling websites, which had been created using stolen identity cards or forged documents. Police seized laptops, containing at least 9,000 pictures of fake IDs.


Interpol suspects that criminals tried to break down large sums of money into smaller, less detectable chunks by dispersing profits across multiple accounts. This method of money laundering helps avoid detection.

Photo: The ringleaders arrested in Thailand during SOGA X

Illegal online gambling is closely linked to other crimes and match-fixing as criminals try to manipulate the outcomes of sports events to guarantee profits, Interpol noted.


Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Ravie Lakshmanan

Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems.

“This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems,” French cybersecurity company Sekoia said in a report shared with The Hacker News.

Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months, with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell code to address a supposed issue with displaying content in the web browser.

These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom:

  • meet.google.us-join[.]com
  • meet.googie.com-join[.]us
  • meet.google.com-join[.]us
  • meet.google.web-join[.]com
  • meet.google.webjoining[.]com
  • meet.google.cdm-join[.]us
  • meet.google.us07host[.]com
  • googiedrivers[.]com
  • us01web-zoom[.]us
  • us002webzoom[.]us
  • web05-zoom[.]us
  • webroom-zoom[.]us
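Every indicator above either puts the brand word in a subdomain (meet.google.us-join.com) or misspells it with a look-alike character (googie) while the registrable domain belongs to someone else. The Python below is an added example, not code from Sekoia or The Hacker News, that classifies such hosts against a small allow-list of the vendors' own domains. The brand keywords, the homoglyph map and the two-label registrable-domain rule are simplifying assumptions for the demo; a production check would use the Public Suffix List.

```python
# Lookalike-domain triage for the ClickFix indicators quoted in the article.
# Added example; the allow-list and homoglyph folding are assumptions.

# Indicators as published in the article (defanged).
ARTICLE_IOCS = [
    "meet.google.us-join[.]com", "meet.googie.com-join[.]us", "meet.google.com-join[.]us",
    "meet.google.web-join[.]com", "meet.google.webjoining[.]com", "meet.google.cdm-join[.]us",
    "meet.google.us07host[.]com", "googiedrivers[.]com", "us01web-zoom[.]us",
    "us002webzoom[.]us", "web05-zoom[.]us", "webroom-zoom[.]us",
]

# Assumption: these are the only registrable domains allowed to carry the brand word.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "zoom": {"zoom.us", "zoom.com"},
}

# Fold a few look-alike characters so "googie" or "g00gle" still read as "google".
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'meet.googie.com-join[.]us' into a host name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: ignores multi-label suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(indicator: str) -> str:
    """'legit' if the brand sits on its own domain, 'lookalike:<brand>' otherwise."""
    host = refang(indicator)
    folded = host.translate(HOMOGLYPHS).replace("-", "")
    brands = sorted(b for b in BRAND_DOMAINS if b in folded)
    if not brands:
        return "no-brand"
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    if registrable_domain(host) in allowed:
        return "legit"
    return "lookalike:" + ",".join(brands)


def scan(indicators):
    """Map each indicator to its verdict."""
    return {ioc: classify(ioc) for ioc in indicators}


if __name__ == "__main__":
    for ioc, verdict in scan(ARTICLE_IOCS + ["meet.google.com", "us04web.zoom.us"]).items():
        print(f"{verdict:18} {ioc}")
```

The brand-word test runs on the folded host with hyphens removed, so "web05-zoom" and "webzoom" are treated alike; the decision then rests solely on whether the registrable domain is the vendor's own.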

On Windows, the attack chain culminates in the deployment of StealC and Rhadamanthys stealers, while Apple macOS users are served a booby-trapped disk image file (“Launcher_v1.94.dmg”) that drops another stealer known as Atomic.

This social engineering tactic is notable because it sidesteps many security controls: the user copies the malicious PowerShell command and runs it themselves in a terminal, so there is no dropped file or automatically executed downloader for security tools to intercept.


Sekoia has attributed the cluster impersonating Google Meet to two traffers groups, namely Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo, which are sub-teams within markopolo and CryptoLove, respectively.

“Both traffers teams […] use the same ClickFix template that impersonates Google Meet,” Sekoia said. “This discovery suggests that these teams share materials, also known as ‘landing project,’ as well as infrastructure.”

This, in turn, has raised the possibility that both the threat groups are making use of the same, as-yet-unknown cybercrime service, with a third-party likely managing their infrastructure.

The development comes amid the emergence of malware campaigns distributing the open-source ThunderKitty stealer, which shares overlaps with Skuld and Kematian Stealer, as well as new stealer families named Divulge, DedSec (aka Doenerium), Duck, Vilsa, and Yunit.

“The rise of open-source infostealers represents a significant shift in the world of cyber threats,” cybersecurity company Hudson Rock noted back in July 2024.

“By lowering the barrier of entry and fostering rapid innovation, these tools could fuel a new wave of computer infections, posing challenges for cybersecurity professionals and increasing the overall risk to businesses and individuals.”


Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

By Ravie Lakshmanan


Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user’s privacy preferences and access data.

The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code.

HM Surf “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent,” Jonathan Bar Or of the Microsoft Threat Intelligence team said.

Microsoft said the new protections are limited to Apple’s Safari browser, and that it’s working with other major browser vendors to further explore the benefits of hardening local configuration files.


HM Surf follows Microsoft’s discovery of Apple macOS flaws like Shrootless, powerdir, Achilles, and Migraine that could enable malicious actors to sidestep security enforcements.

While TCC is a security framework that prevents apps from accessing users’ personal information without their consent, the newly discovered bug could enable attackers to bypass this requirement and gain access to location services, address book, camera, microphone, downloads directory, and others in an unauthorized manner.

The access is governed by a set of entitlements, with Apple’s own apps like Safari having the ability to completely sidestep TCC using the “com.apple.private.tcc.allow” entitlement.

Although this entitlement lets Safari access those sensitive resources freely, Safari also adopts Apple’s Hardened Runtime, which makes it difficult to execute arbitrary code in the browser’s context and so abuse the entitlement.

Even so, when a user visits a website that requests location or camera access for the first time, Safari asks for consent with a TCC-like prompt. These per-website permissions are stored in several files in the “~/Library/Safari” directory.

The HM Surf exploit devised by Microsoft hinges on performing the following steps –

  • Changing the home directory of the current user with the dscl utility, a step that does not require TCC access in macOS Sonoma
  • Modifying the sensitive files (e.g., PerSitePreferences.db) within “~/Library/Safari” under the user’s real home directory
  • Changing the home directory back to the original, so that Safari picks up the modified files
  • Launching Safari to open a web page that takes a snapshot via the device’s camera and grab the location
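The steps above leave two observable traces: a dscl invocation that rewrites the account’s NFSHomeDirectory attribute, and a write to files under ~/Library/Safari by something other than Safari. The Python below is an added detection example, not Microsoft’s exploit or detection code; the event schema and the sample events are constructed, and the set of processes allowed to write Safari’s configuration is an assumption. The patch check follows the article (vulnerable code removed in macOS Sequoia 15).

```python
# Detection sketch for the HM Surf (CVE-2024-44133) technique described above.
# Added example; event schema, sample events and the writer allow-list are assumptions.
import re

HOME_CHANGE_RE = re.compile(r"\bdscl\b.*\bNFSHomeDirectory\b", re.IGNORECASE)
SAFARI_CONFIG_RE = re.compile(r"^/Users/[^/]+/Library/Safari/")
# Processes expected to write Safari's own configuration (assumption; extend as needed).
SAFARI_WRITERS = {"Safari", "com.apple.Safari"}

# Constructed EDR-style events: alice moves her home directory, edits Safari's
# per-site preferences under the real home, moves it back and launches Safari.
# bob's event is Safari itself writing its own database, which is normal.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "exec", "user": "alice", "process": "dscl",
     "cmdline": "dscl . -create /Users/alice NFSHomeDirectory /private/tmp/alice"},
    {"ts": 101, "type": "file_write", "user": "alice", "process": "sqlite3",
     "path": "/Users/alice/Library/Safari/PerSitePreferences.db"},
    {"ts": 102, "type": "exec", "user": "alice", "process": "dscl",
     "cmdline": "dscl . -create /Users/alice NFSHomeDirectory /Users/alice"},
    {"ts": 103, "type": "exec", "user": "alice", "process": "open",
     "cmdline": "open -a Safari https://example.invalid/"},
    {"ts": 200, "type": "file_write", "user": "bob", "process": "Safari",
     "path": "/Users/bob/Library/Safari/PerSitePreferences.db"},
]


def home_directory_changes(events):
    """dscl invocations that set NFSHomeDirectory (step 1 and step 3 of the chain)."""
    return [e for e in events
            if e["type"] == "exec" and HOME_CHANGE_RE.search(e.get("cmdline", ""))]


def foreign_safari_config_writes(events):
    """Writes under ~/Library/Safari/ by a process that is not Safari (step 2)."""
    return [e for e in events
            if e["type"] == "file_write"
            and SAFARI_CONFIG_RE.match(e.get("path", ""))
            and e["process"] not in SAFARI_WRITERS]


def hm_surf_candidates(events, window=300):
    """Users with a foreign Safari-config write within `window` seconds of a home-dir change."""
    flips = {}
    for e in home_directory_changes(events):
        flips.setdefault(e["user"], []).append(e["ts"])
    hits = set()
    for w in foreign_safari_config_writes(events):
        if any(abs(w["ts"] - ts) <= window for ts in flips.get(w["user"], [])):
            hits.add(w["user"])
    return sorted(hits)


def is_patched(macos_version: str) -> bool:
    """Per the article, Apple removed the vulnerable code in macOS Sequoia 15."""
    return int(macos_version.split(".")[0]) >= 15


if __name__ == "__main__":
    print("home-dir changes:", len(home_directory_changes(SAMPLE_EVENTS)))
    print("foreign Safari writes:", [e["process"] for e in foreign_safari_config_writes(SAMPLE_EVENTS)])
    print("HM Surf candidates:", hm_surf_candidates(SAMPLE_EVENTS))
    print("14.7 patched?", is_patched("14.7"), "| 15.0 patched?", is_patched("15.0"))
```

Either rule alone is a reasonable low-volume alert on a managed fleet; the correlation mainly serves to rank the finding, since a home-directory change immediately followed by a non-Safari write to Safari’s preference files has little legitimate explanation.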

The attack could be extended further to save an entire camera stream or stealthily capture audio through the Mac’s microphone, Microsoft said. Third-party web browsers don’t suffer from this problem as they do not have the same private entitlements as Apple applications.

Microsoft noted it observed suspicious activity associated with a known macOS adware threat named AdLoad likely exploiting the vulnerability, making it imperative that users take steps to apply the latest updates.

“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM Surf vulnerability itself,” Bar Or said. “Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”
