image
A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, "America is looking for me because I have enormous information and they need it." A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as "proxies" to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master's identity on the cybercrime forums to Kloster's personal blog, which featured musings on the challenges of running a company that sells "security and anonymity services to customers around the world." Kloster's blog even included a group photo of RSOCKS employees. "Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster's blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t…

Source

image
A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen's captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities. The SIM-swapper known as "Foreshadow" pleading for his life. The grisly kidnapping video has been circulating on a number of Telegram chat channels dedicated to SIM-swapping — the practice of tricking or bribing mobile phone store employees into diverting a target's phone number, text messages and calls to a device the attackers control. The teen, known to the SIM-swapping community by the handle "Foreshadow," appears to have served as a "holder" — a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: Physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams. "Yo, Dan, please bro send the 200k," Foreshadow said in the video, which was shot on Sept. 15 in the backseat of a moving car. Bleeding from a swollen mouth with two handguns pointed at his head, Foreshadow pleaded for his life. "They're going to kill me if…

Source

image
Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence to settle scores and disputes. Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence. "The three men made off in a VW Golf and were shortly stopped nearby," reads a statement by the Lincolnshire Police. "The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot." Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24 were all charged with possession of the weapons, and "with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person." KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles "Discoli," "Disco Dog," and "Chinese." In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts. Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police…

Source

image
A number of financial institutions in and around New York City are dealing with a rash of super-thin "deep insert" skimming devices designed to fit inside the mouth of an ATM's card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here's a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild. This ultra thin and flexible "deep insert" skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com. The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine's ability to grab and return the customer's card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm). These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans. Here's what the other side of that insert skimmer looks like: The other side of the deep insert skimmer. Image: KrebsOnSecurity.com. The thieves who designed this skimmer were after the magnetic stripe data and the customer's 4-digit personal identification number (PIN). With those two…

Source

image
This month's Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Also, Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which offers a new privacy and security feature called "Lockdown Mode." And Adobe axed 63 vulnerabilities in a range of products. Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a "privilege escalation" weakness in the Windows Common Log File System Driver that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild. Kevin Breen, director of cyber threat research at Immersive Labs, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list. "Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers," Breen said. "Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround…

Source

image
Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don't deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you've agreed to meet has other intentions. Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras. These safe trading places exist because sometimes in-person transactions from the Internet don't end well for one or more parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people. This is not to say that using Craigslist is uniquely risky or dangerous; I'm sure the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist's competitors. Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it's only sensible…

Source

image
A 21-year-old New Jersey man has been arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals. Prosecutors say the defendant recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail. Patrick McGovern-Allen of Egg Harbor Township, N.J. was arrested on Aug. 12 on a warrant from the U.S. Federal Bureau of Investigation. An FBI complaint alleges McGovern-Allen was part of a group of co-conspirators who are at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups. Prosecutors say that around 2 a.m. on Jan 2, 2022, McGovern-Allen and an unidentified co-conspirator fired multiple handgun rounds into a residence in West Chester, Pa. Fortunately, none of the residents inside the home at the time were injured. But prosecutors say the assailants actually recorded video of the attack as "proof" that the shooting had been carried out. A copy of that video was obtained by KrebsOnSecurity. According to investigators, McGovern-Allen was one of the shooters, who yelled "Justin Active was here" as they haphazardly fired at least eight rounds into the lower story of the West Chester residence. On Dec. 18, 2021, police in Abington Township, Pa., responded…

Source

image
Last year, I posted a series of articles about a purported "breach" at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press. As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual. This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my…

Source

image
EdFinancial and the Oklahoma Student Loan Authority (OSLA) are notifying over 2.5 million loanees that their personal data was exposed in a data breach. The target of the breach was Nelnet Servicing, the Lincoln, Neb.-based servicing system and web portal provider for OSLA and EdFinancial, according to a breach disclosure letter. Nelnet revealed the breach to affected loan recipients on July 21, 2022 via a letter. “[Our] cybersecurity team took immediate action to secure the information system, block the suspicious activity, fix the issue, and launched_[sic]_ an investigation with third-party forensic experts to determine the nature and scope of the activity,” according to the letter. By August 17th, the investigation determined that personal user information was accessed by an unauthorized party. That exposed information included names, home addresses, email addresses, phone numbers and social security numbers for a total of 2,501,324 student loan account holders. Users’ financial information was not exposed. According to a breach disclosure filing submitted by Nelnet’s general counsel, Bill Munn, to the state of Maine the breach occurred sometime between June 1, 2022 and July 22, 2022. However, a letter to affected customers pinpoints the breach to July 21. The breach was discovered on August 17, 2022. “On July 21, 2022, Nelnet Servicing, LLC (Nelnet), our servicing system and customer website portal provider, notified us that they had discovered a vulnerability that we…

Source

image
A China-based threat actor has ramped up efforts to distribute the ScanBox reconnaissance framework to victims that include domestic Australian organizations and offshore energy firms in the South China Sea. The bait used by the advanced threat group (APT) is targeted messages that supposedly link back to Australian news websites. The cyber-espionage campaigns are believed to have launched April 2022 through mid-June 2022, according to a Tuesday report by Proofpoint’s Threat Research Team and PwC’s Threat Intelligence team. The threat actor, according to researchers, is believed to be the China-based APT TA423, also known as Red Ladon. “Proofpoint assesses with moderate confidence that this activity may be attributable to the threat actor TA423 / Red Ladon, which multiple reports assess to operate out of Hainan Island, China,” according to the report. The APT is most recently known for a recent indictment. “A 2021 indictment by the US Department of Justice assessed that TA423 / Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS),” researchers said. MSS is the civilian intelligence, security and cyber police agency for the People’s Republic of China. It is believed responsible for counter-intelligence, foreign intelligence, political security and tied to industrial and cyber espionage efforts by China. Dusting Off the ScanBox The campaign leverages the ScanBox framework. ScanBox is a customizable and multifunctional…

Source