Ukraine Arrests Trio for Hijacking Over 100 Million Email and Instagram Accounts
https://www.indiavpn.org/2024/03/20/ukraine-arrests-trio-for-hijacking-over-100-million-email-and-instagram-accounts/

Mar 20, 2024 | Newsroom | Cybercrime / Dark Web

The Cyber Police of Ukraine has arrested three individuals on suspicion of hijacking more than 100 million email and Instagram accounts from users across the world.

The suspects, aged between 20 and 40, are said to be part of an organized criminal group living in different parts of the country. If convicted, they face up to 15 years in prison.

The accounts, authorities said, were taken over by carrying out brute-force attacks, which employ trial-and-error methods to guess login credentials. The group operated under the direction of a leader, who distributed the hacking tasks to other members.

The cybercrime group subsequently monetized their ill-gotten credentials by putting them up for sale on dark web forums.

Other threat actors who purchased the information used the compromised accounts to conduct a variety of fraudulent schemes, including those in which scammers reach out to the victim’s friends and ask them to urgently transfer money to the scammers’ bank account.

“You can protect your account from this method of hacking by setting up two-factor authentication and using strong passwords,” the agency said.

As part of the operation, officials conducted seven searches in Kyiv, Odesa, Vinnytsia, Ivano-Frankivsk, Donetsk, and Kirovohrad, confiscating 70 computers, 14 phones, bank cards, and cash worth more than $3,000.

The development comes as a U.S. national pleaded guilty to breaching over a dozen entities in the U.S., including a medical clinic in Griffin, and exfiltrating the personal information of more than 132,000 individuals. He is scheduled for sentencing on June 18, 2024.

Robert Purbeck (aka Lifelock or Studmaster) “aggravated his crimes by weaponizing sensitive data in an egregious attempt to extort his victims,” U.S. Attorney Ryan K. Buchanan said.

According to the U.S. Department of Justice (DoJ), Purbeck, who pleaded guilty today to federal charges of computer fraud and abuse, purchased access to the clinic’s computer server from the darknet in 2017, leveraging it to siphon medical records and other documents that contained data pertaining to over 43,000 individuals, such as names, addresses, birthdates, and social security numbers.

The defendant also bought credentials associated with the City of Newnan, Georgia, Police Department server on an underground marketplace. He then plundered records consisting of police reports and documents that had information belonging to no less than 14,000 people.

As part of the plea agreement, Purbeck agreed to pay more than $1 million in restitution to the impacted 19 victims. He was indicted by a federal jury in March 2021.

Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks
https://www.indiavpn.org/2024/02/21/russian-hackers-target-ukraine-with-disinformation-and-credential-harvesting-attacks/

Feb 21, 2024 | Newsroom | Phishing Attack / Information Warfare

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation.

The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages.

Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.

The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages.

The November wave targeted no less than a few hundred recipients in Ukraine, including the government, energy companies, and individuals. It’s currently not known how the target list was created.

“What’s interesting to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF is misusing the logo of the Ministry of Health of Ukraine,” ESET said in a report shared with The Hacker News.

“It is possibly a mistake from the attackers or, at least, shows they did not care about all details.”

The second disinformation email campaign that commenced on December 25, 2023, is notable for expanding its targeting beyond Ukraine to include Ukrainian speakers in other European nations owing to the fact that all the messages are in Ukrainian.

These messages, while wishing recipients a happy holiday season, also adopted a darker tone, going as far as to suggest that they amputate one of their arms or legs to avoid military deployment. “A couple of minutes of pain, but then a happy life!,” the email goes.

ESET said one of the domains used to propagate the phishing emails in December 2023, infonotification[.]com, also engaged in sending hundreds of spam messages beginning January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.

It’s unclear exactly why this email server was repurposed to propagate a pharmacy scam, but it’s suspected that the threat actors decided to monetize their infrastructure for financial gain after realizing that their domains had been detected by defenders.

“Operation Texonto shows yet another use of technologies to try to influence the war,” the company said.

The development comes as Meta, in its quarterly Adversarial Threat Report, said it took down three networks across its platforms originating from China, Myanmar, and Ukraine that engaged in coordinated inauthentic behavior (CIB).

While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by Russian state-controlled media have declined 55% from pre-war levels and engagement has plummeted 94% compared to two years ago.

“Russian state media outlets have increased their focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war,” it said. “This could reflect a wider off-platform effort to cater to domestic Russian audiences after multiple Western countries blocked the outlets in 2022.”
