Mar 20, 2024NewsroomCybercrime / Dark Web

The Cyber Police of Ukraine has arrested three individuals on suspicion of hijacking more than 100 million emails and Instagram accounts from users across the world.

The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison.

The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members.

The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums.

Other threat actors who purchased the information used the compromised accounts to conduct a variety of fraudulent schemes, including those in which scammers reach out to the victim’s friends to urgently transfer money to their bank account.

“You can protect your account from this method of hacking by setting up two-factor authentication and using strong passwords,” the agency said.

As part of the operation, officials conducted seven searches in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, confiscating 70 computers, 14 phones, bank cards, and cash worth more than $3,000.

The development comes as a U.S. national pleaded guilty to breaching over a dozen entities in the U.S., including a medical clinic in Griffin, and exfiltrating the personal information of more than 132,000 individuals. He is scheduled for sentencing on June 18, 2024.

Robert Purbeck (aka Lifelock or Studmaster) “aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims,” U.S. Attorney Ryan K. Buchanan said.

According to the U.S. Department of Justice (DoJ), Purbeck, who pleaded guilty today to federal charges of computer fraud and abuse, purchased access to the clinic’s computer server from the darknet in 2017, leveraging it to siphon medical records and other documents that contained data pertaining to over 43,000 individuals, such as names, addresses, birthdates, and social security numbers.

The defendant also bought credentials associated with the City of Newnan, Georgia, Police Department server on an underground marketplace. He then plundered records consisting of police reports and documents that had information belonging to no less than 14,000 people.

As part of the plea agreement, Purbeck agreed to pay more than $1 million in restitution to the impacted 19 victims. He was indicted by a federal jury in March 2021.

Feb 11, 2024NewsroomMalware / Cybercrime

The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT.

The domains – www.warzone[.]ws and three others – were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers,” the DoJ said.

Alongside the takedown, the international law enforcement effort has arrested and indicted two individuals in Malta and Nigeria for their involvement in selling and supporting the malware and helping other cybercriminals use the RAT for malicious purposes.

The defendants, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31) have been charged with unauthorized damage to protected computers, with the former also accused of “illegally selling and advertising an electronic interception device and participating in a conspiracy to commit several computer intrusion offenses.”

Meli is alleged to have offered malware services at least since 2012 through online hacking forums, sharing e-books, and helping other criminals use RATs to carry out cyber attacks. Prior to Warzone RAT, he had sold another RAT known as Pegasus RAT.

Like Meli, Odinakachi also provided online customer support to purchasers of Warzone RAT malware between June 2019 and no earlier than March 2023. Both individuals were arrested on February 7, 2024.

Warzone RAT, also known as Ave Maria, was first documented by Yoroi in January 2019 as part of a cyber attack targeting an Italian organization in the oil and gas sector towards the end of 2018 using phishing emails bearing bogus Microsoft Excel files exploiting a known security flaw in the Equation Editor (CVE-2017-11882).

Sold under the malware-as-a-service (Maas) model for $38 a month (or $196 for a year), it functions as an information stealer and facilitates remote control, thereby allowing threat actors to commandeer the infected hosts for follow-on exploitation.

Some of the notable features of the malware include the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and activate the computer’s webcams without the victim’s knowledge or consent.

“Ave Maria attacks are initiated via phishing emails, once the dropped payload infects the victim’s machine with the malware, it establishes communication with the attacker’s command-and-control (C2) server on non-HTTP protocol, after decrypting its C2 connection using RC4 algorithm,” Zscaler ThreatLabz said in early 2023.

On one of the now-dismantled websites, which had the tagline “Serving you loyally since 2018,” the developers of the C/C++ malware described it as reliable and easy to use. They also provided the ability for customers to contact them via email (solmyr@warzone[.]ws), Telegram (@solwz and @sammysamwarzone), Skype (vuln.hf), as well as via a dedicated “client area.”

An additional contact avenue was Discord, where the users were asked to get in touch with an account with the ID Meli#4472. Another Telegram account linked to Meli was @daniel96420.

Outside of cybercrime groups, the malware has also been put to use by several advanced threat actors like YoroTrooper as well as those associated with Russia over the past year.

The DoJ said the U.S. Federal Bureau of Investigation (FBI) covertly purchased copies of Warzone RAT and confirmed its nefarious functions. The coordinated exercise involved assistance from authorities in Australia, Canada, Croatia, Finland, Germany, Japan, Malta, the Netherlands, Nigeria, Romania, and Europol.

Feb 02, 2024NewsroomCyber Crime / Malware

An INTERPOL-led collaborative operation targeting phishing, banking malware, and ransomware attacks has led to the identification of 1,300 suspicious IP addresses and URLs.

The law enforcement effort, codenamed Synergia, took place between September and November 2023 in an attempt to blunt the “growth, escalation and professionalization of transnational cybercrime.”

Involving 60 law enforcement agencies spanning 55 member countries, the exercise paved the way for the detection of more than 1,300 malicious servers, 70% of which have already been taken down in Europe. Hong Kong and Singapore authorities took down 153 and 86 servers, respectively.

Servers, as well as electronic devices, were confiscated following over 30 house searches. Seventy suspects have been identified to date, and 31 from Europe, South Sudan, and Zimbabwe have been arrested.

Singapore-headquartered Group-IB, which also contributed to the operation, said it identified “more than 500 IP addresses hosting phishing resources and over 1,900 IP addresses associated with ransomware, Trojans, and banking malware operations.”

The rogue infrastructure was hosted in Australia, Canada, Hong Kong, and Singapore, among others, with the resources distributed across more than 200 web hosting providers around the world.

“The results of this operation, achieved through the collective efforts of multiple countries and partners, show our unwavering commitment to safeguarding the digital space,” Bernardo Pillot, assistant director to INTERPOL Cybercrime Directorate, said.

“By dismantling the infrastructure behind phishing, banking malware, and ransomware attacks, we are one step closer to protecting our digital ecosystems and a safer, more secure online experience for all.”

The development arrives more than a month after another six-month-long international police operation dubbed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries.