
Rival Cybercrime Groups Offer Conflicting Accounts of Casino Attack

 

In the latest development, members of the hacking group Scattered Spider have asserted that they were the initial perpetrators of the MGM network breach last week. 

However, the ransomware gang Alphv, also known as BlackCat, countered this claim with a detailed statement on its dark-web leak site, insisting that it was the true culprit.

Alphv's statement, while claiming responsibility, left a crucial question unanswered: whether Scattered Spider was acting as an affiliate of Alphv or an independent group utilizing Alphv-developed ransomware. This conflicting narrative is further muddying an already tumultuous news cycle, marked by speculative discussions on social media.

Definitive confirmation regarding the identity of the MGM attacker remains elusive until either the company or law enforcement authorities release public details about the incident. 

Both Scattered Spider and Alphv represent significant cyber threats in their own right, according to experts. Scattered Spider, believed to be made up of young adults in the U.S. and the U.K., is notorious for the social engineering tactics it uses to gain initial access, typically by impersonating employees to help desks and phishing for credentials and one-time codes.

Charles Carmakal, CTO at Google Cloud's Mandiant, noted the group's recent use of Alphv's encryptor. Its past exploits include a high-profile phishing campaign that affected more than 130 organizations and resulted in the theft of more than 10,000 employees' login credentials.

Meanwhile, Alphv, thought to be based in Russia, has earned a reputation for conducting ruthless and widespread attacks. Their tactics have included releasing sensitive images from breast cancer patients' examinations while extorting the Lehigh Valley Health Network earlier this year. Notable victims have also included Western Digital and Sun Pharmaceuticals.

In the ransomware ecosystem, identities are deliberately obscured to hinder law enforcement's efforts to trace attacks back to their source. It is not uncommon for a major ransomware operator to claim credit for an attack actually carried out by one of its affiliates, and a larger group like Alphv could equally have carried out the entire attack in-house.

Ultimately, MGM, in conjunction with the FBI and third-party cyber incident response firms, will possess the most reliable information regarding the assailant's identity and the specifics of how the breach occurred.

Emerging Technology Facilitating Increased Vehicle Thefts and Accidents by Criminals

 

The automotive industry is abuzz with discussions about the "Internet of vehicles" (IoV), which envisions a network of interconnected cars and other vehicles capable of sharing data via the Internet. The goal is to revolutionize transportation by enhancing its autonomy, safety, and efficiency.

IoV has the potential to empower vehicles to identify obstacles, traffic congestion, and pedestrians. It could also facilitate precise vehicle positioning, potentially leading to autonomous driving and streamlined fault diagnosis. This concept is already manifesting to some extent through smart motorways, where technology is deployed to optimize motorway traffic management.

However, the realization of a more advanced IoV necessitates the integration of additional sensors, software, and technology into vehicles and the surrounding road infrastructure. Modern cars are already equipped with an array of electronic systems, ranging from cameras and mobile connectivity to infotainment setups.

Nevertheless, the proliferation of these systems comes with security concerns. Certain vulnerabilities could render vehicles susceptible to theft and malicious attacks as criminals exploit weaknesses in this burgeoning technology. In fact, instances of such exploitation are already being observed.

A common defence against car theft is the smart key. When the car detects a valid key nearby, it disarms the immobilizer (the component that prevents the engine from being started without authorization) and lets the car be driven. Thieves have found a way around this with a pair of handheld relay devices: one person stands next to the car while an accomplice stands as close as possible to the key, often just outside the owner's front door.

The devices forward the car's challenge to the key and the key's response back to the car, so the car believes the key is within range. This kind of theft usually happens at night, and the relay equipment is readily available online for a modest sum. Faraday bags or boxes, which block the key's radio signal, are the usual countermeasure.

Now a more advanced technique is emerging, referred to as a "CAN (Controller Area Network) injection attack". This approach involves connecting directly to the vehicle's internal communication network, the CAN bus. Thieves typically reach it through the wiring behind a headlight, usually prising the bumper away to plug in a CAN injector.

From there the injector sends forged messages that the car accepts as coming from the legitimate smart key, and the immobilizer is disabled. The thieves can then start the engine and drive away.

To counter this, manufacturers are adopting a "zero trust" approach, under which every message received on the bus is authenticated and verified before it is acted on. Hardware security modules are being built into vehicles to generate and protect cryptographic keys, enabling data encryption and decryption as well as verification of message authentication codes and digital signatures.

While this mechanism is increasingly integrated into new vehicles, retrofitting existing cars is impractical because of time and cost, leaving many vehicles on the road susceptible to CAN injection attacks.
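As an added illustration (not code from any manufacturer or from the original post) of the message-verification approach described above: a minimal Python model, in the spirit of AUTOSAR SecOC, of an ECU that accepts an immobilizer-release frame only when it carries a valid truncated HMAC and a fresh counter, placed beside a legacy ECU that trusts any frame with the right arbitration ID. The shared key, the arbitration ID 0x1A0, the 2-byte "release" payload and the frame layout are assumptions made for the illustration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Assumed values for the illustration. A real ECU keeps the key inside its
# hardware security module; it is never transmitted on the bus.
SHARED_KEY = hashlib.sha256(b"illustrative-ecu-key").digest()
IMMOBILIZER_ID = 0x1A0              # hypothetical arbitration ID of the immobilizer channel
RELEASE_IMMOBILIZER = b"\x01\x00"   # hypothetical payload meaning "key verified, release"


@dataclass
class CanFrame:
    can_id: int
    data: bytes  # classic CAN: at most 8 data bytes


def compute_tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over (ID, freshness counter, payload), SecOC style."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def build_authenticated_frame(key: bytes, can_id: int, counter: int, payload: bytes) -> CanFrame:
    """Lay out the 8 data bytes as: 2 payload | 2 counter | 4 truncated MAC."""
    assert len(payload) == 2 and 0 <= counter < 2 ** 16
    data = payload + struct.pack(">H", counter) + compute_tag(key, can_id, counter, payload)
    return CanFrame(can_id, data)


class LegacyEcu:
    """Pre-SecOC behaviour: any frame with the right ID is trusted (what CAN injection exploits)."""

    def __init__(self):
        self.immobilizer_released = False

    def receive(self, frame: CanFrame) -> str:
        if frame.can_id == IMMOBILIZER_ID and frame.data[:2] == RELEASE_IMMOBILIZER:
            self.immobilizer_released = True
        return "accepted"


class AuthenticatingEcu:
    """Zero-trust behaviour: check the MAC and the freshness counter before acting on a frame."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # highest counter accepted so far, per CAN ID
        self.immobilizer_released = False

    def receive(self, frame: CanFrame) -> str:
        if len(frame.data) != 8:
            return "rejected: malformed"
        payload, ctr_bytes, mac = frame.data[:2], frame.data[2:4], frame.data[4:8]
        counter = struct.unpack(">H", ctr_bytes)[0]
        expected = compute_tag(self.key, frame.can_id, counter, payload)
        if not hmac.compare_digest(mac, expected):
            return "rejected: bad MAC"          # forged by someone without the key
        if counter <= self.last_counter.get(frame.can_id, -1):
            return "rejected: replay"           # old but correctly tagged frame reused
        self.last_counter[frame.can_id] = counter
        if frame.can_id == IMMOBILIZER_ID and payload == RELEASE_IMMOBILIZER:
            self.immobilizer_released = True
        return "accepted"


def demo() -> dict:
    """Return what each ECU does with a genuine, an injected and a replayed release frame."""
    genuine = build_authenticated_frame(SHARED_KEY, IMMOBILIZER_ID, 7, RELEASE_IMMOBILIZER)
    # The injector has no key: it sends the expected payload and pads the rest of the frame.
    injected = CanFrame(IMMOBILIZER_ID, RELEASE_IMMOBILIZER + b"\x00" * 6)

    legacy = LegacyEcu()
    secure = AuthenticatingEcu(SHARED_KEY)
    return {
        "legacy_injected": legacy.receive(injected),
        "legacy_released": legacy.immobilizer_released,
        "secure_injected": secure.receive(injected),
        "secure_genuine": secure.receive(genuine),
        "secure_replay": secure.receive(genuine),   # same frame sent again
        "secure_released": secure.immobilizer_released,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The legacy ECU releases the immobilizer on the injected frame; the authenticating ECU rejects it for a bad MAC, accepts the genuine frame once, and rejects the identical frame when it is replayed. A 32-bit truncated tag and a 16-bit counter are the usual compromise for an 8-byte classic CAN frame; the counter must be persisted across power cycles or re-synchronised at start-up, otherwise an attacker can replay frames captured after the last reset.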

Another security consideration is the vulnerability of the onboard computer, often referred to as the "infotainment system". An attacker who finds a flaw in it can achieve remote code execution, running malicious code on the vehicle's computer. Because the infotainment unit is connected to the same internal networks as the rest of the car, such an attack can be used to interfere with other components, including the engine and wheels, with potentially catastrophic consequences.

Hence, it is crucial for owners of vehicles with infotainment systems to understand the basic security mechanisms that protect them, such as installing manufacturer software updates and being careful about which devices and apps they pair with the car.

The spectre of a surge in vehicle thefts and insurance claims stemming from CAN attacks underscores the need for a balanced approach between the advantages of IoV—such as enhanced safety and improved recovery of stolen vehicles—and the associated risks.

Out of 50,000 Cybercrimes Reported in 6 Years, Only 23% Successfully Solved

 

Over the span of nearly six and a half years, a significant number of cybercrime cases, totaling 50,027, were reported in the city up until May 31 of this year. 

However, the resolution rate for these cases is rather low, with only 11,895 (approximately 23%) of them being solved, and merely 29 individuals convicted. The home minister, G Parameshwara, revealed these statistics in response to a query during a legislative assembly session.

The data further showed that the highest number of cybercrime cases, 10,553, was recorded in 2019, while the lowest, 2,042, was reported in 2017. There were 9,940 cases in 2022 and 6,226 in the first five months of this year, which suggests the annual total is likely to rise again.

Among the various types of cybercrime, a substantial portion, 41% (20,662 cases), related to debit/credit card fraud and illegal online money transfers. Other prevalent scams included advance-fee frauds (9,198 cases, 18%) and card skimming (5,012 cases, 10%). In an advance-fee or gift scam, online fraudsters convince victims that a gift is waiting for them but that various fees must be paid to release it from customs.

Addressing this concerning trend, Bengaluru police commissioner, Dayananda, emphasized the importance of raising public awareness as a key measure to combat cybercrime effectively. He acknowledged that cybercriminals continuously develop new techniques, making it crucial to alert the public about emerging threats. 

The police have been actively disseminating cautionary messages through social media platforms to alert the public about cybercrimes. Additionally, they have been conducting awareness programs in educational institutions such as schools and colleges to educate students about different forms of cybercrimes and ways to protect themselves.

To enhance their capabilities in handling cybercrime cases, the police have been conducting regular workshops for police personnel to keep them updated with the latest developments and investigative techniques in the field of cybercrime.

Surge in 'Call Center Gangs' Linked to Organized Crime and Human Trafficking

 

Online, robocall, and other call scams are well coordinated and often operated by criminal organizations based overseas. These scams primarily target older Americans.

BioCatch, a behavioural biometrics company, conducted a recent study revealing a 200% surge in call scams between 2022 and 2023. Many of these scams are run from "call center gangs" located in Southeast Asia that engage in a range of illegal activities, including investment fraud and human trafficking.

“These organized cybercriminal entities conduct a variety of scams,” the Biocatch report found, “including tech support, romance, and investment frauds, often targeting victims internationally and exploiting legal jurisdictional complexities to evade consequences.”

“The disconcerting link between these scams and human trafficking is hard to ignore,” Biocatch warns. 

Further, it added, “Amid the COVID-19 lockdowns, unsuspecting victims lured with job offers are detained in these call centers. Criminal rings are shifting from sex trafficking to human trafficking for scam call centers, with a higher profit margin in cybercrime.”

The primary objective of these scams is to deceive individuals into providing them with money or personal information. It is advised to disregard any unsolicited calls, text messages, or emails received.

Interpol is Determining How to Police the Metaverse

 

Interpol, the International Criminal Police Organization, is researching how to police the metaverse, a digital world envisioned as an alternative to the real world. Jurgen Stock, the secretary general of Interpol, believes that the organization must be prepared for this task in order to avoid being left behind by the metaverse and its associated technology. 

Enforcing the law in the metaverse presents police organizations with practical challenges, but Stock appears to believe that Interpol must be prepared to act against the cybercrime it enables.

The organization is currently preparing to expand its operations to metaverse platforms, which are already in use by some groups to commit crimes. In an interview with the BBC, Stock stated:

"Criminals are sophisticated and professional in very quickly adapting to any new technological tool that is available to commit crime. We need to sufficiently respond to that. Sometimes lawmakers, police, and our societies are running a little bit behind."

Among the current metaverse crimes are verbal harassment, assaults, and others such as ransomware, counterfeiting, money laundering, and financial fraud. However, some of these remain in the legal gray areas.

Thefts in the Metaverse

According to Dr. Madan Oberoi, Interpol's executive director of technology and innovation, one of the most difficult problems the organization is currently facing is determining whether an action on the metaverse constitutes a crime or not. Recognizing that there are still difficulties in this regard, he stated:

"If you look at the definitions of these crimes in physical space, and you try to apply it in the metaverse, there is a difficulty. We don’t know whether we can call them a crime or not, but those threats are definitely there, so those issues are yet to be resolved."

For Oberoi, one thing is certain: to police the metaverse, Interpol needs to have contact and be present on metaverse platforms. This is why the organization already has its own location in the metaverse, which was inaugurated during its 90th General Assembly in New Delhi in October.

Interpol's metaverse platform also serves another purpose, enabling it to offer courses online to members of the force in other countries and directly practice the acquired skills in the metaverse.

The Cybercrime Ecosystem Knits a Profitable Underground Gig Economy

 

Over a 30-month period, cybercriminal groups and threat groups advertised for workers with expertise in software development, IT infrastructure maintenance, and designing fraudulent websites and email campaigns. According to a new report from cybersecurity firm Kaspersky, demand for technically skilled individuals continues, but it spiked during the coronavirus pandemic, with double the average number of job advertisements appearing in March 2020, the first month of worldwide lockdowns.

The analysis gathered messages from 155 Dark Web forums between January 2020 and June 2022, focusing on those that mentioned employment — either by cybercriminal groups or individuals looking for work. The majority of job postings (83%) were from threat groups looking for highly skilled workers, such as developers (61%), attack specialists (16%), and fraudulent website designers (10%).

As per Polina Bochkareva, a security services analyst at Kaspersky, enhancing defenses has compelled attackers to optimize their tools and techniques, driving the need for more technical experts.

"Business related to illegal activities is growing on underground markets, and technologies are developing along with it," she says. "All this leads to the fact that attacks are also developing, which requires more skilled workers."

The data on underground jobs reveals a spike in activity in cybercriminal services as well as the professionalization of the cybercrime ecosystem. According to a December report, ransomware groups have become much more efficient as they have turned specific aspects of operations into services, such as offering ransomware-as-a-service (RaaS), running bug bounties, and forming sales teams.

Furthermore, initial access brokers have productized the opportunistic compromise of enterprise networks and systems, frequently selling that access to third parties. According to the Kaspersky report, such a segment of labor necessitates the use of technically skilled individuals to develop and support complex features.

"The ads we analyzed also suggest that a substantial number of people are willing to engage in illicit or semilegal activities despite the accompanying risks," the report stated. "In particular, many turn to the shadow market for extra income in a crisis."

Pandemic caused spike 

That crisis sparked a surge in activity on Dark Web forums in early 2020. The pandemic, with its sudden layoffs and work-from-home mandates, fuelled significant activity in the cybercrime underground, and 2020 saw the highest number of employment-related posts. Overall, 41% of advertisements and job-seeking inquiries were posted on the Dark Web during that year, which is about in line with its share of the 30-month window. March 2020, however, the first month of worldwide lockdowns, accounted for approximately 6% of all postings, roughly double the monthly average.

"Some ... living in the region suffered from the reduction of income, took a mandatory furlough, or lost their jobs altogether, which subsequently resulted in rising unemployment levels," Kaspersky stated in the report. "Some job seekers lost all hope to find steady, legitimate employment and began to search on Dark Web forums, spawning a surge of resumes there. As a result, we observed the highest ad numbers, both from prospective employers and job seekers."

Personal crises drove some technically inclined workers to seek employment with cybercriminal organizations. A common refrain in the job advertisements is that applicants should not be addicted to drugs or alcohol.

"Teamwork skills, stable connection, no alcohol or drug addictions," read one job posting's translated requirements in the Kaspersky report.

"Dirty Work"

In many cases, the terms of the Dark Web jobs were similar to those of legitimate jobs, such as full-time employment, paid time off, and regular pay increases, with salaries ranging from $1,300 to $4,000 per month. However, the majority did not have an employment contract, and only 10% included a promise to pay salaries on time. The underground employment opportunities were dubbed "dirty jobs" in the report.

"Many are drawn by expectations of easy money and large financial gain," the report stated. "Most times, this is only an illusion. Salaries offered on the Dark Web are seldom significantly higher than those you can earn legally."

Reverse engineers had the highest potential median salary of $4,000 per month, with attack specialists and developers coming in second and third with promises of $2,500 and $2,000, respectively. However, the majority of offers (61%) were geared toward developers. According to Kaspersky's Bochkareva, these workers are the key to the cybercriminal underground.

"The most sought-after professionals were developers and attack specialists, particularly for coding malicious programs, phishing websites, and planning and implementing attacks," she says.

Over 1M+ Credit Cards Exposed to Criminals on the Dark Web

 

A recently launched underground marketplace has given away the details of more than 1.2 million credit cards via the dark web.

According to Bleeping Computer, the operators of 'BidenCash' distributed the details of 1,221,551 credit cards in an effort to attract cybercriminals to their platform. The illegal carding market, which is accessible via the dark web, went live in June 2022 and initially leaked thousands of cards.

To gain traction, BidenCash then released the details of more than 1.2 million cards all at once. Stealing and selling credit card details is lucrative for those involved, and such data is typically sold in batches. Buyers use the cards to purchase goods, obtain cash, or simply run up charges until the bank notices the fraudulent transactions.

So, what is the point of BidenCash's giveaway? The reason lies in distributed denial of service (DDoS) attacks on its original domains. To spread the word about the service's new URLs, the operators are distributing the data for free, and they circulated the new URLs through a clearnet domain as well as various hacking forums and social media channels.

In terms of credit cards, the file contains cards with expiry dates ranging from 2023 to 2026. Although some of the cards belonged to non-US residents, the vast majority belonged to Americans. Along with the obvious sensitive data pertaining to the cards, the dump also includes personal information such as email addresses, phone numbers, and the cardholder's address.

According to security analysts, the majority of the 1.2 million cards come from web skimmers: scripts planted in the checkout pages of compromised e-commerce sites that send any card details entered directly to the threat actors. As noted above, credit card fraud is a lucrative business for criminals. Global payments fraud losses increased from $9.84 billion in 2011 to $32.39 billion in 2020, according to Merchant Savvy data.
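When a dump like this surfaces, an incident responder's first job is to work out how much of it is still usable before notifying issuers or customers. The following Python script is an added example (not code from Bleeping Computer, BidenCash or the original post) that triages records in a constructed "PAN|MM|YYYY|name|email" layout, which is an assumed format since real dumps vary: it Luhn-checks each card number, drops cards already expired at a reference date, identifies the brand from the leading digits, and masks the PAN so the output can be logged safely. The sample PANs are the public test numbers of the card brands, not real cards.

```python
import re
from datetime import date

# Constructed sample dump for the illustration (format and records are assumptions).
SAMPLE_DUMP = """\
4111111111111111|05|2024|J DOE|jdoe@example.com
5555555555554444|11|2026|A ROE|aroe@example.com
378282246310005|01|2023|B POE|bpoe@example.com
4111111111111112|09|2025|C LOE|cloe@example.com
garbage line without fields
"""

# Assumed reference date for the expiry check (the dump in the article listed expiries 2023-2026).
REFERENCE_DATE = date(2023, 9, 1)

RECORD = re.compile(r"^(\d{13,19})\|(\d{2})\|(\d{4})\|([^|]*)\|([^|]*)$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand(pan: str) -> str:
    """Coarse brand detection from the leading digits (Visa, Mastercard, Amex ranges)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"34", "37"}:
        return "amex"
    two, four = int(pan[:2]), int(pan[:4])
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    return "other"


def mask(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, which is what issuers need to match a card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(dump: str, today: date) -> dict:
    """Classify every record and return counts, a per-year histogram and masked live records."""
    counts = {"live": 0, "expired": 0, "invalid_luhn": 0, "unparseable": 0}
    live_by_year = {}
    records = []
    for line in dump.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            counts["unparseable"] += 1
            continue
        pan, month, year, _name, email = m.groups()
        if not luhn_ok(pan):
            counts["invalid_luhn"] += 1          # typo, padding or deliberate junk in the dump
            continue
        # A card is valid through the last day of its expiry month.
        if (int(year), int(month)) < (today.year, today.month):
            counts["expired"] += 1
            continue
        counts["live"] += 1
        live_by_year[int(year)] = live_by_year.get(int(year), 0) + 1
        records.append({"pan": mask(pan), "brand": brand(pan),
                        "expiry": f"{month}/{year}", "email": email})
    return {"counts": counts, "live_by_year": live_by_year, "records": records}


def demo() -> dict:
    return triage(SAMPLE_DUMP, REFERENCE_DATE)


if __name__ == "__main__":
    result = demo()
    print(result["counts"])
    print(result["live_by_year"])
    for rec in result["records"]:
        print(rec)
```

On the sample, two records are live, one is expired, one fails Luhn and one does not parse. The Luhn check only proves a number is well formed, not that the account exists; an issuer match on BIN plus last four is still needed before any customer is contacted, and the unmasked PANs should never leave the triage host.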

TrickBot Group Likely Moving Operations to Switch to New Malware

 

TrickBot, the notorious Windows crimeware-as-a-service (CaaS) platform used by several threat actors to distribute next-stage payloads such as ransomware, appears to be in the midst of a transition, with no new campaigns since the beginning of the year.

Researchers at Intel 471 stated in an analysis shared with The Hacker News that the slowdown in malware activity is partly due to a major shift by TrickBot's operators, including closer collaboration with the operators of Emotet. Even as the malware's command-and-control (C2) infrastructure continued to serve additional plugins and web injects to infected nodes in the botnet, the last round of TrickBot campaigns was recorded on December 28, 2021.

Notably, the drop in campaign volume has coincided with the TrickBot gang working closely with the operators of Emotet, which resurfaced late last year after a 10-month break caused by a law enforcement takedown. The attacks, which began in November 2021, used an infection chain in which TrickBot downloaded and executed Emotet binaries, a reversal of the pattern before the takedown, when Emotet was frequently used to drop TrickBot samples.

The researchers stated, "It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favour of other platforms, such as Emotet. TrickBot, after all, is relatively old malware that hasn't been updated in a major way." 

Additionally, immediately after Emotet's comeback in November 2021, Intel 471 observed TrickBot pushing Qbot installs to infected systems, again pointing to a behind-the-scenes shake-up aimed at moving to other platforms. With TrickBot drawing more law enforcement attention in 2021, it is not unexpected that the threat actor behind it is actively changing tactics and reworking its protective mechanisms.

"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it. We suspect that the malware control infrastructure (C2) is being maintained because there is still some monetization value in the remaining bots," the researchers added.

According to a separate investigation published last week by Advanced Intelligence (AdvIntel), the Conti ransomware group is thought to have acqui-hired several elite TrickBot developers to deactivate the malware and replace it with improved variations like BazarBackdoor.