The Good, the Bad, and the Ugly in Cybersecurity – Week 48

The good

Thanking the good folks at Interpol this week along with fraud investigators from 30 countries around the world for bringing us HAECHI-III – a cybercrime-fighting operation that has resulted in nearly 1000 arrests and the confiscation of approximately $130 million worth of virtual assets.

HAECHI-III is (as the name suggests) the third iteration of a coordinated law enforcement operation targeting international cybercrime operations. Almost a year ago today, we reported on HAECHI-II, which resulted in a similar number of arrests but only raked in around $27 million in illicit funds. The larger return this time was the result of fighting voice phishing, love scams, sextortion, investment fraud and money laundering related to illegal online gambling. The cops also used financial experts to help them identify money mules and money laundering activities.

Among the approximately 1,600 cases closed thanks to the operation was one involving scammers from call centers in Austria and India posing as Interpol officials and duping victims out of over $150,000. In Ireland, victims of Business Email Compromise (BEC) fraud recovered €1.2 million, another of HAECHI-III’s many achievements.

Aside from the arrests and asset seizures, authorities also seized or blocked 2,800 bank accounts and virtual asset accounts related to financial crimes during the five-month operation, which lasted from June to November 2022.

The bad

This week’s bad news concerns Amazon, PayPal, Steam and Roblox users in 111 countries targeted with info-stealers deployed by Russian-speaking cybercrime gangs.

A new report claims that the gangs infected nearly 900,000 devices and stole over 50 million account passwords in the first seven months of 2022. The gangs primarily use info-stealers like Raccoon and RedLine, and rely on Telegram groups to coordinate their criminal activities, including generating malicious content and handling communications between members.

Info-stealers target the data browsers like Chrome, Firefox, and Edge store on disk, lifting saved account passwords, bank card details, and crypto wallet information from infected computers. The stolen data is then sold on darknet markets or used directly by the cybercriminals themselves for account takeovers or online fraud.

According to the researchers, around $6 million worth of stolen data and bank card details were linked to 34 active Telegram groups in the first seven months of 2022. The main targets of the Russian-speaking cybercriminals were users in the United States, Brazil, India, and Germany. The most commonly stolen data was PayPal and Amazon account details. However, a five-fold increase in password theft for gaming services such as Steam, Roblox, and Epic Games has also been reported.

Info-stealers usually rely on some form of social engineering to reach the victim’s device – typically persuading the user to download and run suspicious software, including fake AV software, fake video players or other “software updates”, as well as free or cracked apps. A recent RedLine campaign used a fake version of the popular GPU utility MSI Afterburner to infect victims.

Aside from being careful to avoid downloading software from unknown sources, users are advised to use a password manager instead of storing login information in the browser, and to clear browser cookies regularly.

The ugly

Speaking of info-stealers, a cybercrime campaign targeting Facebook business account users via the social media site LinkedIn and the messaging app WhatsApp was reported this week.

A Vietnam-linked operation dubbed “Ducktail” is believed to be responsible for tricking Facebook business account holders into downloading and launching malware that can steal credentials and allow attackers to hijack their accounts. Facebook business accounts have high privileges, and access to the business manager panel can give an attacker control over settings, permissions, and financial details, including credit card numbers.

According to the report, the threat actors behind Ducktail used these compromised accounts to run their own Facebook ad campaigns at the victims’ expense. The operation is believed to have caused around $600,000 worth of losses to the affected companies so far.

The information-stealing malware used in the operation, originally reported in June this year, was delivered to victims via LinkedIn lures relating to brands and products relevant to the target. In the latest activity reported this week, victims were also reportedly approached via WhatsApp and Telegram.

Once the target downloads and launches the Ducktail malware, it steals stored session cookies and interacts with a series of Facebook API endpoints to collect access tokens, 2FA codes, IP addresses, and geolocation data, allowing the attackers to impersonate the victim and log in from their own devices. Independent research by Zscaler also identified a phishing campaign last month with the same goals.
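Both the info-stealer behaviour described in “The bad” (saved passwords and card data pulled from browser stores) and Ducktail’s theft of stored session cookies look the same from an endpoint’s point of view: a process other than the browser reads the browser’s credential or cookie database. The following script is an added example written for this post, not code from the original article or from any vendor’s product. It runs that one detection rule over a constructed, pipe-delimited file-access log; the log layout, host name, process names, PIDs and file paths are all assumptions made for the example.

```python
"""
Flag non-browser processes reading browser credential, cookie and payment
stores. Added example for this post; the telemetry format below is
constructed and is not a real EDR schema.
"""
import fnmatch

# Browser files that hold saved passwords, session cookies and payment data.
# Patterns are matched case-insensitively against a forward-slash path. A
# fnmatch "*" spans directory separators, so "*/cookies" also covers
# Chrome's newer ".../Default/Network/Cookies" location.
SENSITIVE_STORES = {
    "chromium_logins":  ["*/google/chrome/user data/*/login data",
                         "*/microsoft/edge/user data/*/login data"],
    "chromium_cookies": ["*/google/chrome/user data/*/cookies",
                         "*/microsoft/edge/user data/*/cookies"],
    "chromium_payment": ["*/google/chrome/user data/*/web data",
                         "*/microsoft/edge/user data/*/web data"],
    "firefox_logins":   ["*/mozilla/firefox/profiles/*/logins.json",
                         "*/mozilla/firefox/profiles/*/key4.db"],
    "firefox_cookies":  ["*/mozilla/firefox/profiles/*/cookies.sqlite"],
}

# Processes expected to read their own stores. Matching on image name alone
# is a simplification for the example: a production rule would also check
# the image path and code signature, since malware can call itself chrome.exe.
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry (assumed layout): timestamp|host|image|pid|action|path
SAMPLE_EVENTS = [
    r"2022-11-28T09:14:03Z|ws01|chrome.exe|4120|file_read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2022-11-28T09:15:41Z|ws01|afterburner_setup.exe|5532|file_read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2022-11-28T09:15:42Z|ws01|afterburner_setup.exe|5532|file_read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"2022-11-28T09:15:44Z|ws01|afterburner_setup.exe|5532|file_read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json",
    r"2022-11-28T09:16:10Z|ws01|notepad.exe|6010|file_read|C:\Users\alice\Documents\notes.txt",
    r"2022-11-28T09:17:02Z|ws01|firefox.exe|3390|file_read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite",
]


def normalise(path):
    """Lower-case and use forward slashes so one pattern set covers both OS styles."""
    return path.replace("\\", "/").lower()


def classify_store(path):
    """Return the store label a path belongs to, or None if it is not sensitive."""
    p = normalise(path)
    for label, patterns in SENSITIVE_STORES.items():
        if any(fnmatch.fnmatchcase(p, pat) for pat in patterns):
            return label
    return None


def parse_event(line):
    """Split one constructed log line into a dict; the path may contain '|' so split at most 5 times."""
    ts, host, image, pid, action, path = line.split("|", 5)
    return {"ts": ts, "host": host, "process": image, "pid": int(pid),
            "action": action, "path": path}


def detect(lines):
    """Yield one alert per read of a sensitive store by a non-browser process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "file_read":
            continue
        store = classify_store(ev["path"])
        if store is None or ev["process"].lower() in EXPECTED_READERS:
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"], "process": ev["process"],
                       "pid": ev["pid"], "store": store, "path": ev["path"]})
    return alerts


def summarize(alerts):
    """Group alerts by (host, pid): one process touching several stores is the
    high-confidence stealer pattern, rather than a single stray read."""
    by_proc = {}
    for a in alerts:
        by_proc.setdefault((a["host"], a["pid"]), set()).add(a["store"])
    return by_proc


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} {a["process"]}[{a["pid"]}] read {a["store"]}: {a["path"]}')
    for (host, pid), stores in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{host} pid {pid}: {len(stores)} distinct stores touched -> {sorted(stores)}")
```

Run as is, the script flags the three reads by the constructed `afterburner_setup.exe` process and leaves the browsers’ own reads alone. In practice the same rule should be paired with the process’s parent chain and signature, and with the network side of the behaviour (the post-theft calls to Facebook API endpoints in the Ducktail case), since a stealer that injects into the browser process will not trip a file-access rule on its own.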

Facebook account managers are encouraged to review the roles and permissions associated with their accounts and follow the recommendations here.
