Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Cyber Crime. Show all posts

Identity Theft Concerns Rise as USPS Flags Suspicious Package Deliveries

 


Recently, the United States Postal Service (USPS) issued an advisory in which it advised citizens to be more vigilant in light of an increase in sophisticated mail fraud schemes. In addition to the deceptive activities that have notably increased across the country, particularly during the recent holiday season, consumers' financial and personal security have been threatened significantly as a result of these deceptive activities. In addition to traditional phishing emails and fraudulent text messages, the USPS reports that these scams are now taking a more sophisticated form. 

As the number of unsolicited packages delivered is on the rise, criminals are using increasingly inventive methods to deceive the recipients of their mail to exploit them. This makes it more difficult to tell a genuine email from a fraudulent email. There has been an increase in the number of individuals who are being affected, and as a result, the USPS has intensified its anti-fraud initiatives, reinforcing its commitment to maintaining the integrity of the national postal system in the long run. 

A collaboration between the agency and law enforcement agencies, and consumer protection agencies is being undertaken to track these schemes as well as educate the public about identifying and reporting suspicious activity. There has been a noticeable rise in text message fraud scams impersonating the United States Postal Service (USPS), posing an urgent threat to public data security. In these fraudulent communications, the recipient often receives an alleged pending package and is requested to take additional action to make sure that it is delivered by taking steps to ensure its delivery. 

Even though the message appears authentic, there is a malicious intent behind it, designed to deceive individuals into disclosing sensitive financial and personal information. The most alarming aspect of these scams is their sophisticated presentation. In most cases, the messages are designed to evoke a sense of urgency and legitimacy by using language that sounds official and even replicating USPS logos and branding. 

The victim is usually directed to click on links in the emails, which lead to fake websites that harvest personal information such as banking credentials, ID numbers, and other private data, utilising embedded links. To avoid falling victim to these unscrupulous tactics, it is important to recognise and resist them. In an era of increasingly advanced cyber threats, individuals are advised to maintain vigilance to protect themselves against identity theft and financial exploitation. 

As a result of this, individuals should scrutinise unexpected delivery notifications, refrain from engaging with suspicious links, and report any suspicious messages to the appropriate authorities. During the past few years, cybercriminals have become increasingly sophisticated with regards to the USPS-related text message scams, posing as automated postal service notifications. Under the pretence of facilitating package redelivery, these deceptive messages are designed to convince recipients that they have missed a delivery, causing them to confirm their personal information or click on embedded links. 

While these texts may seem innocuous at first glance, they are a deliberate attempt to compromise the privacy and security of individuals, as well as their financial security. Social engineering plays a significant role in the strategy behind these scams. In a first method, known as pretexting, a plausible narrative, usually a delayed or incomplete delivery, is used to trick the recipient into providing sensitive information in exchange for a fee. 

The second method of attack, SMS spoofing, allows attackers to conceal their true identity by modifying the sender's information to disguise the fraudulent message's origin, thereby appearing as though it has been sent by an official United States Postal Service. In general, these schemes are referred to as smishing, a type of phishing that involves sending text messages in exchange for a reward. Typically, the victims are directed to counterfeit websites that look remarkably similar to official USPS interfaces. 

When users get there, they will be prompted to provide personally identifiable information (PII) as well as their contact information, under the false assumption that this information is necessary to redeliver or verify their package. Many malicious websites out there are not only designed to gather sensitive information, but also to use fraudulent payment services to charge a small transaction fee. Often, the stolen data can be sold on illegal marketplaces or used directly to commit identity theft and financial fraud.

Individuals must be aware of the threats that continue to evolve regarding delivery-related messages and verify any requests that they make through official USPS channels to avoid harm. It has become increasingly apparent that crime has become increasingly sophisticated and frequent in the country's postal infrastructure, as the number and nature of criminal activity have increased. In response to this crime wave, the United States Postal Service (USPS) has intensified its efforts to improve its operations to combat these crimes. 

To implement this initiative, the Government of the United States has decided to implement a comprehensive 10-year strategy, Delivering for America, a $40 billion investment which is intended to transform the postal system into a secure, efficient, and financially sustainable institution that will meet the needs of future generations, thereby transforming the entire postal system. Project Safe Delivery was initiated as part of this larger strategy by USPS, in partnership with the US Postal Inspection Service, as a targeted enforcement campaign to combat crimes aimed at ensuring the safety of mail services and ensuring their integrity. 

It has been more than two years since this joint operation was launched, but since then, it has been able to achieve tangible results, such as more than 2,400 arrests and a significant decrease in mail carrier robberies by more than 27%. This program has been proving to be an effective tool for deterring and prosecuting postal crime, with over 1,200 people apprehended in 2024 alone for mail-related theft, thus demonstrating the program's effectiveness in deterring and prosecuting it. USPS has taken extensive measures to further enhance the security of its delivery network. 

In addition, over 49,000 high-security mailboxes have been installed across the country, designed to prevent tampering and unauthorised entry. Also, advanced electronic locking mechanisms are being installed in the mail carriers' offices to replace the traditional mechanical locks they were using in the past. These upgrades are essential for preventing the widespread theft of carrier keys, which have become frequent targets of criminal activity. It is also vital for the USPS's security framework to emphasise the importance of encouraging public cooperation. 

A substantial monetary reward program has been instituted, and individuals providing credible information that leads to arrests in postal robberies can now receive up to $150,000 for providing credible information. It is also possible for the agency to pay up to $100,000 for actionable tips that lead to the arrests of mail thieves, a practice that reinforces the agency's commitment to protecting both mail workers and the American public. According to Secretary of State Sherry Patterson, the United States Postal Service (USPS) is committed to confronting and dismantling any schemes that attempt to exploit the postal system to maximise revenue. 

USPS has released a set of precautionary guidelines for individuals to follow when receiving suspicious or unsolicited package deliveries, an increasingly common tactic used by identity thieves and fraudsters, as part of its public safety outreach program. When an unrequested parcel is received by a recipient, it is strongly recommended that the recipient refrain from engaging with any embedded links, QR codes, or digital prompts that may accompany the delivery or related notification.

There is a high probability that these elements will act as a gateway to malicious websites that will be used to harvest personal information or to install malware, so it is recommended that users report questionable mail or packages directly to the USPS using their official website. Also, recipients need to maintain ongoing vigilance, monitoring their financial accounts for any anomalies or unauthorised transactions that may suggest fraudulent activity. 

In addition to taking care of users' credit profiles as a precautionary measure, it is also advised that they review them periodically and consider freezing their credit profiles temporarily as an added measure of security. The proactive approach taken by the Post Office is one of the most effective methods of preventing unauthorised credit activity since it can help prevent a crime from potentially occurring, especially in the aftermath of an identity theft. Together, these measures form one of the most effective lines of defence against postal-related scams.

QR Code Frauds Growing Fast in the UK: What You Should Know

 



A new kind of digital scam is spreading across the UK, where criminals trick people using fake QR codes. This type of scam is called “quishing,” and it has been growing quickly. In 2023, there were over 1,300 reports of this scam, compared to only 100 cases in 2019, showing just how fast it's increasing.


How These Scams Work

Scammers take advantage of everyday places where QR codes are used for payments or information. This includes locations like parking spots or restaurant tables where you scan codes to pay or view menus. What these scammers do is cover the real QR codes with fake ones that they control.

When someone scans the fake code, it sends them to a fake website. The site may ask them to enter payment details, thinking it's a normal payment page. In some cases, clicking the link may even install harmful software on the person’s phone without them knowing.


Why It’s Hard to Notice

These scams can be hard to detect. Unlike large frauds that take big sums of money at once, these scams often take small amounts over time, making it less likely for someone to notice. The charges might look like monthly fees or parking payments, so they often go unnoticed.

Cyber experts say that what makes this scam dangerous is how real the fake websites appear. The links that come up after scanning look just like real ones, so people don’t think twice before entering their card numbers or other personal information.


What You Can Do to Stay Safe

Here are some simple steps to protect yourself:

1. Only scan QR codes that you trust. If the code looks tampered with or placed unevenly, avoid using it.

2. Never enter sensitive information like card numbers on a website you reached through a QR code unless you’re sure it’s safe.

3. Before submitting any details, double-check the website’s name or URL for spelling errors or anything unusual.

4. Use a reliable security app on your phone that can detect harmful links or files.


QR codes were created to make daily tasks faster and more convenient. But now, scammers are misusing them to steal people’s information and money. As these scams become more common, the best defense is to be alert and avoid scanning any QR code that looks even slightly suspicious.


Serious Flaw Found in Popular File-Sharing Tool Used by IT Providers

 



A major security problem has been found in a widely used file-sharing platform, and hackers have already started taking advantage of it. This tool, called CentreStack, is often used by IT service providers to help businesses manage and share files.

The issue is being tracked under the name CVE-2025-30406. It is considered a serious flaw and has been actively misused since March, though it was only officially revealed to the public in early April.

The problem is related to how the platform protects certain types of information. A key used to secure data was either left exposed or was built into the software in a way that made it easy to find. If someone with bad intentions gets hold of this key, they can send fake data that the system will wrongly accept as safe. This can allow the attacker to run harmful code on the servers, potentially giving them full control.

This becomes even more concerning because CentreStack is especially popular among managed service providers (MSPs). These companies use the platform to support several clients at once. If one provider is hacked, all of their customers could be at risk too. This kind of setup, known as multi-tenancy, means a single breach could affect many organizations.

The U.S. government’s cybersecurity team, CISA, officially added this bug to their list of known threats on April 9. They have given federal agencies until April 29 to fix the problem. The software maker, Gladinet, confirmed that the bug has already been used in real attacks.

Experts in the field warn that this bug allows cybercriminals to run programs on affected systems without permission. That’s why it’s extremely important for all users of the platform to install the latest updates right away.

Over the past few years, hackers have increasingly focused on software used by IT service providers. In one past incident, a separate tool used by providers was attacked, leading to the spread of ransomware to many businesses.

Businesses that rely on CentreStack are strongly advised to apply all updates and follow the safety steps recommended by the company. Taking action quickly can prevent much larger problems down the line.


Cybercriminal Group's Website Taken Over by Unknown Hacker

 


A criminal group known for using ransomware was recently caught off guard when its own website was tampered with. The website, which the gang normally uses to publish stolen data from their victims, was replaced with a short message warning against illegal activity. The message read: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” What a sneaky way to reference gossip girl, isn't it? 

At the time of this report, the website remained altered. It is not yet known if the person or group behind the hack also accessed any files or data belonging to the ransomware gang.

The group, known by the name Everest, has been involved in several cyberattacks since it first appeared in 2020. It is believed to be based in Russia. Over the years, Everest has taken credit for stealing large amounts of data, including information from a popular cannabis store chain, which affected hundreds of thousands of customers. Government agencies in the United States and Brazil have also been listed among their victims.

Ransomware attacks like these are designed to scare companies and organizations into paying money in exchange for keeping their private information from being made public. But recent reports suggest that fewer victims are giving in to the demands. More businesses have started refusing to pay, which has made these attacks less profitable for criminals.

While international law enforcement agencies have had some success in shutting down hacking groups, Everest has managed to stay active. However, this incident shows that even experienced cybercriminals are not safe from being attacked themselves. Some believe this could have been done by a rival group, or possibly even someone from within the gang who turned against them.

It’s also not the first time that cybercrime groups have been sabotaged. In the past few years, other well-known ransomware gangs have faced setbacks due to both police actions and internal leaks.

This unusual case is forces us to face the inevitable reality that no one is completely untouchable online. Whether it’s a company or a hacker group, all digital systems can have weak points. People and organizations should always keep their online systems protected and stay alert to threats.

Karnataka Sets Up India’s First Cyber Command Centre to Tackle Online Crimes

 


Karnataka has taken a big step to fight the rising number of online crimes. It has launched the country’s first Cyber Command Centre. This new centre will handle all matters related to cyber safety and crime under one roof. It aims to respond faster and more effectively to online threats.

The number of cybercrime cases in the state has grown a lot in the past three years. In 2022, about 18,000 cases were reported. That number rose to 22,000 in 2023 and around 23,000 in 2024. In total, Karnataka has seen over 60,000 cybercrime cases in just three years. Officials say that 20% of all cybercrime cases in India are reported from this state.

These cases include many serious issues. Some examples are online scams, hacking, blackmail, cyberstalking, fake news, and financial fraud. Crimes targeting women and children have also increased. Criminals are using fake profiles, deepfakes, and other tricks to fool people and steal their money or personal data.

A senior officer explained that many of these crimes are hard to solve. Very few cases are taken to court, and almost none end in punishment. There is also concern that many investigating officers do not have the right training to deal with high-tech crimes. To fix this, the new command centre will provide special training for both police and legal teams.

The new command will also focus on protecting the state’s digital systems. A major hacking incident recently affected the Kaveri 2.0 portal, which is used for property records. This caused major delays and losses for the state government. Officials say such incidents show how important it is to secure public digital platforms.

The officer leading this new centre is Pronab Mohanty. He is already in charge of internal security and cybercrime for the state. Now, all 45 cyber police stations in Karnataka will report directly to him. This central system is expected to improve coordination and case tracking.

The officer will also serve as the Chief Information Security Officer, or CISO, for Karnataka. That means he will look after both investigations and the security of government digital systems.

The goal of the Cyber Command Centre is not just to track and stop cybercriminals, but to make sure they face legal action. Officials believe that stronger action and more convictions will help create fear among those involved in online crimes.

This new setup could become a model for other states to follow. As cybercrime spreads its rampant growth across India, Karnataka’s decision to create a single, expert-led team could lead the way for better digital safety in the country.


Hospital Equipments Can be Used as Murder Weapons, Swiss Experts Warn

 

Swiss specialists have issued a grave warning that cyber attackers could use hospital devices to commit murder. In an alarming new research from Zurich-based cybersecurity firm Scip AG, specialists showed how they were simply able to hijack medical devices in a major healthcare facility and exploit them remotely. 

Png pacemakers, insulin pumps, and painkiller drips can all be automatically converted into twisted weapons of assassination.

“We could have overdosed patients with lethal amounts of drugs within minutes,” said Marc Ruef, head of research at Scip. “And we even hacked the monitors to fake the vital signs so no one would know it had happened.”

One expert admitted to hacking his own pain pump during a hospital stay, simply out of boredom. But the situation is far more serious, as perpetrators might not only silently kill victims in their beds, but they could also hide their tracks by showing completely normal health indicators. This isn't the first red flag either. A German university warned last year that pacemakers might be a 'perfect target for assassination.’

Johannes Rundfeldt, a cybersecurity expert and spokesperson for the independent expert organisation AG Kritis, claimed that this even applies to really powerful people, like world leaders, who may be subtly removed using a heart-hacking device.

“These can involve individual attacks on individuals: heads of state, generals, ministers, or similar individuals.How would we even prove it?...A sudden cardiac arrest wouldn't raise suspicion – and hackers leave no fingerprints,” Rundfeldt stated.

Cyber attacks have recently crippled entire hospitals, not simply devices. In January, cybercriminals took down a clinic in Lower Saxony, western Germany, and demanded a ransom to restore equipment. The first instance of a patient's death being specifically connected to a cyberattack occurred in 2020. 

Prosecutors in Cologne stated that a female patient from Düsseldorf was set to receive critical care at Düsseldorf University Hospital in Germany when the September 9 attack disrupted systems. The ransomware attack struck the hospital at night, encrypting data and rendering computer systems inoperable. When Düsseldorf could no longer provide care, she was moved 30 kilometres away to another hospital for life-saving therapy. 

Ciaran Martin, former CEO of the UK's National Cyber Security Centre, stated at the time: "If confirmed, this tragedy would be the first known case of a death directly linked to a cyber-attack.”

“It is not surprising that the cause of this is a ransomware attack by criminals rather than an attack by a nation state or terrorists. Although the purpose of ransomware is to make money, it stops systems working. So if you attack a hospital, then things like this are likely to happen. There were a few near misses across Europe earlier in the year and this looks, sadly, like the worst might have come to pass.”

Hacker's Dual Identity: Cybercriminal vs Bug Bounty Hunter

Hacker's Dual Identity: Cybercriminal vs Bug Bounty Hunter

EncryptHub is an infamous threat actor responsible for breaches at 618 organizations. The hacker reported two Windows zero-day flaws to Microsoft, exposing a conflicted figure that blurs the lines between cybercrime and security research. 

The reported flaws are CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing), which Microsoft fixed in its March 2025 Patch Tuesday updates, giving credit to the reporter as ‘SkorikARI.’ In this absurd incident, the actor had dual identities—EncryptHub and SkorikARI. The entire case shows us an individual who works in both cybersecurity and cybercrime. 

Discovery of EncryptHub’s dual identity 

Outpost24 linked SkorikARI and EncryptHub via a security breach, where the latter mistakenly revealed their credentials, exposing links to multiple accounts. The disclosed profile showed the actor’s swing between malicious activities and cybersecurity operations. 

Actor tried to sell zero-day on dark web

Outpost24’ security researcher Hector Garcia said the “hardest evidence was from the fact that the password files EncryptHub exfiltrated from his system had accounts linked to both EncryptHub” such as credentials to EncryptRAT- still in development, or “his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account.” 

Garcia also said there was a login to “hxxps://github[.]com/SkorikJR,” which was reported in July’s Fortinet story about Fickle Stealer; this helped them solve the puzzle. Another big reveal of the links to dual identity was ChatGPT conversations, where activities of both SkorikARI and EncryptHub could be found. 

Zero-day activities and operational failures in the past

Evidence suggests this wasn't EncryptHub's first involvement with zero-day flaws, as the actor has tried to sell it to other cybercriminals on hacking forums.

Outpost24 highlighted EncryptHub's suspicious activities- oscillating between cybercrime and freelancing. An accidental operational security (OPSEC) disclosed personal information despite their technical expertise. 

EncryptHub and ChatGPT 

Outpost24 found EncryptHub using ChatGPT to build phishing sites, develop malware, integrate code, and conduct vulnerability research. One ChatGPT conversation included a self-assessment showing their conflicted nature: “40% black hat, 30% grey hat, 20% white hat, and 10% uncertain.” The conversation also showed plans for massive (although harmless) publicity stunts affecting tens of thousands of computers.

Impact

EncryptHub has connections with ransomware groups such as BlackSuit and RansomHub who are known for their phishing attacks, advanced social engineering campaigns, and making of Fickle Stealer- a custom PowerShell-based infostealer. 

Malicious Actors Employ Atlantis AIO to Target 140+ Platforms

 

A new cybercrime platform dubbed 'Atlantis AIO' provides automatic credential stuffing against 140 internet platforms, including email, e-commerce, banking, and VPNs. Atlantis AIO includes pre-configured modules for performing brute force assaults, bypassing CAPTCHAs, automating account recovery operations, and monetising stolen credentials/accounts. 

Credential stuffing and automation 

Credential stuffing is a type of cyberattack in which attackers utilise a list of credentials (usernames and passwords) stolen or acquired via leaked data breaches to gain access to accounts on sites.

If the credentials match and the account is not safeguarded by multi-factor authentication, they can take over the account, shut out the legitimate owner, and then abuse or resell it to others. This type of attack is common and ubiquitous, with major credential-stuffing attacks happening every day. 

Over time, these attacks have had an impact on businesses and services such as Okta, Roku, Chick-fil-A, Hot Topic, PayPal, PetSmart, and 23andMe. Credential stuffing assaults are regularly carried out by malicious actors using free tools such as Open Bullet 2 and SilverBullet, as well as prepackaged "configs" available on cybercrime forums. 

Credential stuffing as a service 

Atlantis AIO is a new Credential Stuffing as a Service (CSaaS) platform that enables attackers to pay for a membership and automate such operations

Abnormal Security identified the cybercrime service Atlantis AIO, which says that it can target over 140 online services globally. Hotmail, AOL, Mail.ru, Mail.com, Gmx, Wingstop, Buffalo Wild Wings, and Safeway are among the services being targeted. Atlantis AIO is a modular tool that allows cybercriminals to launch targeted assaults. Its three major modules are: 

  • Email account testing: Automates brute-force and takeover efforts on popular email services such as Hotmail, Yahoo, and Mail.com, allowing cybercriminals to take control of accounts and access inboxes for phishing or data theft. 
  • Brute force assaults: Rapidly cycles through common or weak passwords on targeted platforms in order to breach accounts with poor password management. 
  • Account recovery: Account recovery processes are exploited (for example, on eBay and Yahoo), CAPTCHAs are bypassed, and takeovers are automated using programs such as "Auto-Doxer Recovery" for faster and more efficient credential exploitation.

When cybercriminals gain access to accounts, they frequently sell them in bulk, posting hundreds or even thousands of compromised accounts for sale on underground forums. Other threat actors set up stores to sell stolen accounts for as little as $0.50 per account. 

Prevention tips 

You can prevent credential stuffing attacks by using multi-factor authentication and strong, one-of-a-kind passwords on all websites where you have accounts. Even if credentials are compromised, threat actors will be unable to log in without also acquiring the MFA information, which is why multi-factor authentication is so important. 

If online services notify you of odd logins from odd places or unexpected emails requesting a password reset, you should look into if your credentials were compromised right away. Websites can help prevent these attacks by introducing rate limitation and IP throttling, utilising complex CAPTCHA puzzles, and monitoring for unusual behaviour patterns.

SIM Swap Scams Growing in the Middle East — Here’s How They Work

 



The Middle East is seeing a sharp rise in SIM swapping scams, where criminals find ways to take over people’s mobile numbers and misuse them for financial fraud. A new report by cybersecurity experts reveals that scammers are using smarter tricks to fool both people and phone companies.


What Is SIM Swapping?

In this type of fraud, scammers get their hands on personal information like ID numbers and bank details. They usually collect this information through fake websites that look like real ones — such as those of insurance companies, government services, or job portals.

Once they have enough details, they contact the victim’s mobile service provider and request a SIM card replacement or number transfer. If the trick works, the victim’s phone number gets linked to a new SIM card controlled by the scammer.

With access to the phone number, the scammer can receive all calls and messages, including important security codes sent by banks. This allows them to break into accounts, approve transactions, and steal money without the victim knowing immediately.


Why the Threat Is Increasing

The new wave of these scams targets services that are commonly used in the region. Criminals create convincing fake websites that copy platforms offering car insurance, domestic help services, or government schemes. People often fall into the trap, thinking they are using a genuine site.

In one case, many users complained their SIM cards stopped working after interacting with a fake insurance site. Investigations found that the same fraudster was running several fake websites. They even used small changes in website spellings to avoid getting caught — a tactic known as typosquatting.

The financial damage from these attacks is growing. Studies show that in many cases, victims lose money more than once in a single attack. Losses can range from a few hundred dollars to more than $160,000 in extreme cases. Once the scammer controls the phone number, they reset passwords, move money to fake accounts, and make payments through digital wallets.


How to Stay Safe

Both companies and individuals must take action to reduce the risk of falling victim to such frauds.

For Banks and Mobile Companies:

• Block or double-check risky transactions if a SIM change is detected.

• Ask for extra proof of identity before processing sensitive requests.

• Share important security updates with other banks and telecom firms to stay alert.

For People:

• Stop using SMS codes for two-factor authentication if possible. Switch to apps like Google Authenticator or Duo, which are safer.

• Think twice before sharing personal details online. Always check the website’s name and spelling carefully.

• If your phone suddenly stops working or you’re locked out of your accounts, report it immediately — it could be a sign of a SIM swap.


SIM swapping is becoming a serious problem, especially as criminals improve their techniques. Staying alert, using better security methods, and acting fast in case of suspicious activity are the best ways to protect your personal information and money.

Turning The Screws: Pressure Techniques Used by Ransomware Outfits

 

Over the past ten years, ransomware attacks have increased in frequency and sophistication. While exploits like social engineering and unpatched software may help with an initial breach, it's the coercive tactics that force victims to make rash and emotionally charged decisions, like paying the ransom. 

Below are three of the most common tactics used by ransomware perpetrators to persuade victims into complying with their extortion demands.

1. Fear and humiliation 

Fear is a potent emotion that threat actors use. When a victim's documents are encrypted, the message is usually clear: pay the ransom or lose your data forever. In addition to the fear of data loss, cybercriminals use the threat of humiliation to demand ransom in order to prevent the disclosure of sensitive information such as company files, financial data, or personal images. 

Cybercriminals sometimes go one step further by threatening legal action, especially in highly regulated sectors like healthcare or finance: Pay the ransom, or we'll denounce you to the authorities. Due to the increased pressure, victims are compelled to take action out of fear about possible legal action. 

2. Deadlines and ultimatums

Most ransomware demands include a tight deadline to intensify the pressure. Attackers usually give victims a deadline, like 48 hours, to comply, frequently along with a clear warning of the repercussions. Some ransomware programs show a countdown meter, which acts as a continual reminder that time is running out, to further exacerbate panic. Attackers may raise the stakes, such as making some of the stolen material publicly available, or double the ransom if the deadline is missed.

3. False hope and fake assurances 

False promises are another tactic used by ransomware operators to trick victims into believing there is a possible solution. However, victims are merely coerced into complying by this hope. Attackers may provide a solution like a trial decryption tool to "prove" their solution works, a discount for speedy payment, or an extension on the payment deadline—tactics intended to strengthen the notion that paying the ransom would result in a complete recovery.

In reality, just 4% of individuals who pay are able to restore all their data. Furthermore, criminals frequently say that if the ransom is paid, the stolen data will be completely destroyed and the victim will be left alone. However, 78% of victims who pay report recurring attacks, proving that these assurances are nothing more than intentional deception. 

Mitigation tips 

The following are some best practices that can help organisations in handling these pressure tactics: 

Preparedness:    Ransomware attacks can happen to anyone. Employers must provide clear instructions and techniques for their employees to follow, as well as teach them how to respond and report in stressful situations while remaining calm and composed. 

Avoiding impulsiveness:  Avoid making decisions primarily based on emotional factors such as anxiousness or desperation. Evaluate all available information and investigate possible solutions and alternatives. 

Not making a payment right away: Don't ever give in to the urge to pay. Speak with law enforcement, cybersecurity experts, and skilled ransomware negotiators, or get advice from cyber insurance companies. Investigate backups and other recovery options. Online decryptors may even be accessible for some ransomware strains.

Terror Ourfits Are Using Crypto Funds For Donations in India: TRM Labs

 

Transaction Monitoring (TRM) Labs, a blockchain intelligence firm based in San Francisco and recognised by the World Economic Forum, recently published a report revealing the links between the Islamic State Khorasan Province (ISKP) and ISIS-affiliated fund-collecting networks in India. ISKP, an Afghan terrorist outfit, is reportedly using the cryptocurrency Monero (XMR) to gather funds.

Following the departure of US soldiers from Afghanistan, the ISKP terrorist group garnered significant attention. The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on unlawful cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. 

The "TRM Labs 2025 Crypto Crime Report," published on February 10th, focusses on illicit cryptocurrency transactions in 2024. According to the reports, illicit transactions have fallen by 24% compared to 2023. However, it also emphasises the evolving techniques employed by terrorist organisations. 

TRM Labs' report uncovered on-chain ties between ISKP-affiliated addresses and covert fundraising campaigns in India. The on-chain link is a component of the Chainlink network that runs directly on a blockchain, featuring smart contracts that handle data requests and connect to off-chain oracles. The TRM report states that the ISKP has begun receiving donations in Monero (XMR). 

News reports state that Voice of Khorasan, a periodical created by ISKP's media branch, al-Azaim, announced the commencement of the organization's first donation drive in support of Monero. Since then, Monero's fundraising activities have consistently included requests for donations. 

According to the report, ISKP and other terrorist organisations are favouring Monero more and more because of its blockchain anonymity capabilities. Monero is now worth ₹19,017.77. This powerful privacy tool aids in transaction concealment. However, the report emphasises that terrorist groups will choose more stable cryptocurrencies over Monero money for the foreseeable future due to its volatility and possible crackdowns. 

Furthermore, reliance on cryptocurrency mixers and unidentified wallets has risen. The primary venues for exchanging guidance on best practices and locating providers with the highest security requirements are now online forums. Fake proofs are being used by people to get over Know Your Customer (KYC) rules enforced by exchanges, which makes it challenging for law enforcement to follow the illicit transactions. 

In contrast to Bitcoin and other well-known digital assets, Monero gained attention for its sophisticated privacy features that make transactions trickier to identify. Because of this, they are a tempting option for people who engage in illicit financial activity.

Scammers Still Use the Same Tricks, Just in New Ways

 



As technology furthers, scams are becoming more advanced, but the way scammers manipulate people hasn't changed. Despite using modern tools, they still rely on the same psychological tactics to deceive their victims.  

Clinical psychologist Dr. Khosi Jiyane explains that scammers understand how human behavior works and use it to their advantage. Even though scams look different today, the methods of tricking people remain similar.  


Thinking You're Safe Can Make You a Target  

One major reason people fall for scams is the belief that it can't happen to them. This mindset, known as optimism bias, makes people think they're less likely to be scammed compared to others.  

Because of this, people often ignore clear warning signs in suspicious emails, messages, or offers. They assume they’re too smart to get fooled, which lowers their guard and makes it easier for scammers to succeed.  


Scammers Play on Trust  

Another trick scammers use is truth bias, where people naturally believe what they are told unless there's a clear reason to doubt it. Scammers pretend to be trustworthy figures like bank officials or family members to gain trust.  

By appearing credible, they can convince people to share personal information, make payments, or click harmful links without hesitation. This works even on cautious people because trust often overrides suspicion.  


Creating Urgency to Trick You  

Scammers often create a sense of urgency to rush people into making quick decisions. Messages like "Act now to protect your account!" or "Claim your prize before time runs out!" are designed to trigger panic and fast responses.  

Dr. Jiyane explains that when people feel rushed, they think less critically, making them easier targets. Scammers use this tactic, especially during busy times, to pressure people into acting without verifying facts.  


How to Protect Yourself  

The best way to avoid scams is to always pause and verify before taking action. Whether you receive a call, email, or message asking for personal information or urgent action, always confirm with the source directly.  

It’s also important to stay aware of your vulnerability. No one is completely immune to scams, and understanding this can help you stay cautious. Avoid making quick decisions under pressure and take time to think before responding.  

By staying alert and verifying information, you can reduce the risk of falling for scams, no matter how convincing they appear.

European Healthcare Entities Targeted With NailaoLocker Ransomware

 

A previously undocumented ransomware payload named NailaoLocker has been detected in assaults targeting European healthcare entities between June and October 2024. 

The attackers employed CVE-2024-24919, a Check Point Security Gateway vulnerability, to obtain access to targeted networks and install the ShadowPad and PlugX malware families, which are closely associated with Chinese state-sponsored threat groups. Orange Cyberdefense CERT attributes the attacks to Chinese cyber-espionage tactics, while there is insufficient evidence to assign them to specific groups. 

According to Orange experts, NailaoLocker is a rather rudimentary ransomware strain when compared to the most renowned families in the area. Orange classifies NailaoLocker as a simple ransomware because it does not terminate security processes or operating services, lacks anti-debugging and sandbox evasion methods, and does not search network shares. 

The malware is installed on target systems using DLL sideloading (sensapi.dll), which involves a genuine and signed executable (usysdiag.exe). The malware loader (NailaoLoader) investigates the environment using memory address checks before decrypting and loading the main payload (usysdiag.exe.dat) into memory. 

The NailaoLocker then activates and begins encrypting files with an AES-256-CTR scheme, appending the ".locked" extension to the encrypted files. After the encryption is completed, the ransomware sends an HTML ransom note with the unusually long filename "unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please.html.”

Combining ransomware and espionage

After further investigation, Orange claims to have discovered some parallels between the ransom note's content and a ransomware tool sold by a cybercrime company known as Kodex Softwares (previously Evil Extractor). However, there were no obvious code overlaps, thus the relationship was fuzzy. 

Orange has proposed numerous hypotheses for the assaults, including false flag operations designed to distract, deliberate data theft operations combined with income creation, and, most likely, a Chinese cyberespionage organisation "moonlighting" to generate some money. 

Symantec only revealed last week that suspected Emperor Dragonfly (also known as Bronze Starlight) agents were using RA World ransomware to target Asian software companies and demanding a $2 million ransom. 

The shift in strategy is concerning since Chinese state-backed players have not adopted the strategy of North Korean actors, who are known to pursue several objectives concurrently, including financial advantages through ransomware operations.

Huge Data Leak Puts 2.7 Billion Records at Risk – What You Should Know

 



A security issue has surfaced involving an unprotected database linked to Mars Hydro, a Chinese company known for making smart devices like LED grow lights and hydroponic equipment. Security researcher Jeremiah Fowler discovered this database was left open without a password, exposing nearly 2.7 billion records.


What Data Was Leaked?  

The database contained sensitive details, including WiFi network names, passwords, IP addresses, and device identifiers. Although no personal identity information (PII) was reportedly included, the exposure of network details still presents serious security risks. Users should be aware that cybercriminals could misuse this information to compromise their networks.


Why Is This Dangerous?  

Many smart devices rely on internet connectivity and are often controlled through mobile apps. This breach could allow hackers to infiltrate users’ home networks, monitor activity, or launch cyberattacks. Experts warn that leaked details could be exploited for man-in-the-middle (MITM) attacks, where hackers intercept communication between devices. 

Even though there’s no confirmation that cybercriminals accessed this database, IoT security remains a growing concern. Previous reports suggest that 57% of IoT devices have critical security weaknesses, and 98% of data shared by these devices is unencrypted, making them prime targets for hackers.


Rising IoT Security Threats  

Cybercriminals often target IoT devices, and botnet attacks have increased by 500% in recent years. Once a hacker gains access to a vulnerable device, they can spread malware, launch large-scale Distributed Denial-of-Service (DDoS) attacks, or infiltrate critical systems. If WiFi credentials from this breach fall into the wrong hands, attackers could take control of entire networks.


How Can Users Protect Themselves?  

To reduce risks from this security lapse, users should take the following steps:

1. Update Device Passwords: Many IoT gadgets use default passwords that are the same across multiple devices. Changing these to unique, strong passwords is essential.

2. Keep Software Up-to-Date: Manufacturers release software patches to fix security flaws. Installing these updates regularly reduces the risk of exploitation.

3. Monitor Network Activity: Watch for unusual activity on your network. Separating IoT devices from personal computers and smartphones can add an extra layer of security.

4. Enhance Security Measures: Using encryption tools, firewalls, and network segmentation can help defend against cyberattacks. Consider investing in comprehensive security solutions for added protection.


This massive data leak stresses the importance of IoT security. Smart devices provide convenience, but users must stay proactive in securing them. Understanding potential risks and taking preventive measures can help safeguard personal information and prevent cyber threats.



TRAI Enforces Stricter Regulations to Combat Telemarketing Spam Calls

 


There has been a significant shift in the Telecom Regulatory Authority of India (TRAI)'s efforts to curb spam calls and unsolicited commercial communications (UCC) as part of its effort to improve consumer protection, as TRAI has introduced stringent regulations. These amendments will take effect on February 12, 2025, and prohibit the use of 10-digit mobile numbers for telemarketing purposes, addressing the growing concern that mobile users have with fraudulent and intrusive messages.

To ensure greater transparency in telemarketing practices, the Telecom Regulatory Authority of India (TRAI) has enforced several measures that aim to ensure communication integrity while increasing the intelligence of telemarketers. A comprehensive consultation process was undertaken by the Telecom Regulatory Authority of India (TRAI), which involved a comprehensive stakeholder consultation process for the approval of changes to the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, as a result of which significant changes have been made. This revision is intended to protect consumers against unsolicited commercial communications (UCCs) as well as to enhance compliance requirements for the providers of telecom services. 

Cellular Operators Association of India (COAI,) however, has expressed its concern over the updated regulation, especially about the penalties imposed on service providers as a result of it. The second amendment to the TCCCPR allows consumers to lodge complaints up to seven days after receiving the call or message, allowing them greater flexibility in reporting spam calls and messages for the second amendment. Furthermore, because of the new regulations, individuals are now able to lodge complaints without the need to first register their preferences for communication. 

Additionally, telecom operators are required to respond to complaints within five business days, a substantial reduction from the previous deadline of 30 days. A new set of stricter enforcement measures imposed by the law mandates that senders who receive five complaints within ten days must be held accountable for the complaint. To further safeguard consumer interests, telecom service providers will now be required to provide users with the option of opting out of all promotional emails. 

TRAI has also mandated a standard messaging format, which requires message headers to contain specific codes that indicate that they are promotional, service-related, transactional, or government-related. This structured labelling system aims to enhance transparency and help users distinguish between different types of communication by adding a structured llabellingsystem to their communication systems. 

As a part of the regulatory framework implemented by the Telecom Regulatory Authority of India (TRAI) to improve transparency and curb unsolicited commercial communications (UCCs), 10-digit mobile numbers will no longer be allowed to be used for commercial purposes. A telemarketer is required to use a series of designated numbers for promotional and service calls, ensuring that the two are clearly distinguished.

It is expected that the existing ‘140’ series will remain available for promotional purposes while the newly launched ‘1600’ series will be used for transactional and service-related communications. TRAI has also removed the requirement for the consumer to pre-register their communication preferences in advance of lodging a complaint against spam messages and unwanted phone calls from unregistered senders as part of its anti-spam practices.

In addition to simplifying the complaint process, TRAI has also expanded the reporting period from three days to seven days to improve user convenience in reporting violations, providing consumers with more flexibility in reporting complaints with essential details. To further strengthen consumer protection, TRAI has extended the complaint reporting window from three days to seven days, thus creating an environment of greater flexibility for users. 

There has been a significant reduction in the timeframe for telecom operators to respond to UCC complaints, which was previously 30 days, down to five days now. Further, the threshold for penalizing senders has been lowered as well, with only five complaints within ten days instead of the earlier benchmark of ten complaints within seven days, requiring penalties to be imposed. To improve accessibility and foster consumer engagement, the government is now requiring that mobile applications and official websites of telecom service providers prominently display complaint registration options as a means of promoting consumer engagement. 

Several regulatory initiatives have been taken to improve the accountability, transparency, and consumer-friendly nature of the telecommunications sector while also making sure the anti-spam directives are strictly followed. A stringent series of measures has been introduced by the Telecom Regulatory Authority of India (TRAI) to counter the rising threat of spam calls and to prevent malicious entities from misusing SMS headers and content templates to forward fraudulent or deceptive messages to subscribers. 

Several initiatives are being implemented by the TRAI that will ensure that consumer interests are protected and a safer and more transparent messaging environment is established. To ensure compliance with telemarketing regulations, TRAI has mandated strict penalties for entities making unauthorized promotional calls that violate telemarketing regulations. A violation of these terms can result in severe consequences such as the disconnection of all telecommunications resources for a period of up to two years, a blacklisting for up to two years, and a prohibition on acquiring any new telecommunications resources during the period of blacklisting. 

More than 800 entities and individuals have been blacklisted as a result of these measures, and over 1.8 million SIP DIDs, mobile numbers, and other telecommunications resources have been deactivated as a consequence. As a consequence, fraudulent commercial communications have been eliminated in large part. TRAI's directives call for access providers to list URLs, APKs, and links to OTTs within SMS content, and we have implemented this requirement with effect from October 1, 2024, to further enhance consumers' protection.

In an attempt to ensure consumer safety, a regulation moving forward will limit the use of links in text messages that have been verified and authorized by the user, thereby reducing the risk of consumers being exposed to harmful websites, fraudulent software, and other online risks. The '140xx' numbering series is further enhanced by migrating all telemarketing calls that originate from this series of numbers to the Distributed Ledger Platform (Blockchain) platform. In this way, the surveillance and control of telemarketing activities can be improved. 

There have also been advances in technical solutions being deployed by access providers to improve traceability to ensure that every entity involved in the message transmission, from the initial sender through to the final recipient, is accounted for within the chain of communication. Any traffic containing messages that omit a clearly defined chain of telemarketers and can be vverifiedor deviate from the pre-registered framework will be automatically rejected as of December 1, 2024. Several significant advancements are being made in regulatory oversight in the telecom sector as a result of these measures. Consumer protection is reinforced,d and accountability is enhanced within the industry as a result of these measures. 

To ensure that consumers have an easier and more convenient way to report unsolicited commercial communications violations, telecom service providers are required to prominently display complaint registration options on their official websites and mobile applications, making the complaint system more user-friendly and accessible for them. As part of this initiative, consumers will have the opportunity to easily flag non-compliant telemarketing practices, allowing the complaint process to be streamlined. Furthermore, service providers must provide consumers with a mandatory ‘opt-out’ option within all promotional messages to give them greater control over how they want to communicate. 

The new Consumer Rights Rule establishes a mandatory 90-day waiting period before marketers can re-engage users who have previously opted out of receiving marketing communication from a brand before re-initiating a consent request for them. By implementing this regulatory measure, the telecom industry will be able to protect consumers, eliminate aggressive advertising tactics, and develop a more consumer-centric approach to commercial messaging within its infrastructure.

It was announced yesterday that the Telecom Regulatory Authority of India (TRAI) has introduced stringent compliance requirements for access providers to make sure unsolicited commercial communications (UCC) are curbed more effectively. This new set of guidelines requires telecom companies to comply with stricter reporting standards, with financial penalties imposed on those companies that fail to accurately report UCC violations. 

According to the punishment structure, the initial fine of 2 lakh rupees for a first offence is followed by a fine of 5 lakhs for the second offence and a fine of 10 lakhs for subsequent violations. There has been a move by access providers to further enhance the level of regulatory compliance by mandating that telemarketers place security deposits that will be forfeited if any violation of telemarketing regulations occurs. A telecom operator may also be required by law to enter into legally binding agreements with telemarketers and commercial enterprises, which will explicitly define and specify their compliance obligations, as well as enumerating the repercussions of non-compliance. 

This means that reducing spam levels will be a major benefit for businesses while ensuring that they can communicate through authorized, transparent, and compliant channels, leading to a significant reduction in spam levels. TRAI aims to increase the consumer safety and security of the telecommunications ecosystem by enforcing these stringent requirements while simultaneously balancing regulatory oversight with legitimate business needs to engage with customers by the means approved by TRAI.

Global Crackdown on Phobos Ransomware, Two Arrested

 



A major international police operation has resulted in the arrest of two individuals suspected of carrying out ransomware attacks worldwide. The operation also led to the takedown of dark web platforms associated with a notorious cybercrime group.  

Suspects Arrested in Thailand

Law enforcement authorities apprehended two Russian nationals in Phuket, Thailand, accusing them of orchestrating cyberattacks on businesses and institutions across multiple countries. Reports suggest that their activities led to financial losses amounting to millions of dollars, with ransom payments made in cryptocurrency.  

The investigation was conducted in collaboration with Swiss authorities, who have requested the extradition of the suspects. Officials believe that these individuals were behind ransomware attacks on at least 17 Swiss organizations between April 2023 and October 2024.  

How the Cyberattacks Were Carried Out

The hackers allegedly infiltrated computer networks, encrypting crucial data and demanding payment in digital currency in exchange for restoration. Victims who refused to pay faced the risk of having their sensitive information leaked online.  

Authorities revealed that the attackers used Phobos ransomware, a type of malicious software designed to lock files and prevent access unless a ransom is paid. Over time, the hackers are believed to have amassed around $16 million from their victims.  

To make tracking difficult, the ransom payments were processed through cryptocurrency mixing services, which obscure transaction details and the final destination of funds.  

Dark Web Platforms Shut Down

In a simultaneous effort, law enforcement agencies also took control of websites used by the 8Base ransomware group. These platforms functioned as communication hubs where cybercriminals engaged with victims, demanded ransoms, and published stolen data when their demands were not met.  

Now, visitors attempting to access these sites see a law enforcement notice confirming that they have been seized. The operation was an international effort, with agencies from Europe, the United States, and Asia working together to dismantle the group's online infrastructure.  

Who Are the 8Base Hackers?

The 8Base cybercriminal group surfaced in early 2022 but remained relatively unnoticed until mid-2023, when they intensified their ransomware operations. While they publicly identified themselves as "ethical hackers" conducting penetration testing, cybersecurity experts argue that their activities were anything but legal.  

Some researchers suspect that 8Base could be linked to an older ransomware group, as their ransom notes and data leak strategies resemble those used by another criminal organization. However, this connection has yet to be verified.  

How Their Ransomware Worked

Once inside a company's system, these hackers moved through different devices, gaining deeper access to networks. Their ultimate goal was to control the central system managing all devices. When they achieved this, they deployed Phobos ransomware, encrypting files and appending .8base or .eight extensions to the locked data.  

Victims would then receive a ransom note demanding a payment, sometimes reaching millions of dollars — to restore access and prevent public data leaks.  

Cyberattacks like these have severe financial and operational consequences for businesses, hospitals, and governments. In 2023, authorities warned that 8Base was increasingly targeting healthcare organizations, raising concerns over the security of sensitive medical records.  

This recent crackdown represents a substantial step in combating ransomware threats, but experts warn that cybercriminals are constantly developing their tactics.

Hackers Exploit Exposed Security Keys to Inject Code into Websites

 



Cybercriminals are exploiting leaked cryptographic keys to manipulate authentication systems, decode protected data, and install harmful software on vulnerable web servers. These attacks can give hackers unauthorized control over websites and would allow them to maintain access for long periods.  


How Hackers Use Publicly Available Keys

Microsoft's cybersecurity experts have recently detected a new wave of Internet threats in which attacking groups use exposed ASP.NET machine keys to break into web applications. These keys are sometimes kept private, but they were nonetheless discovered in public code repositories so that hackers could easily gain access to and misuse them.  

Once the criminal possess this key, he would be able to manipulate ViewState, a methodology in ASP.NET Web Forms considered to store and manipulate user data between page interactions. If ViewState data with malicious content is injected by the attacker, the web server would then validate it and process it, allowing the hacker to execute harmful commands on that system.  

Microsoft, on its part, is tracking that more than 3,000 machine keys have been publicly leaked, putting numerous web applications at risk of code injection attacks.  


The Godzilla Malware Threat

In December 2024, evidence was found that an unidentified hacker group installed the military-grade malware Godzilla in a compromised machine with long-term access and control through an exposed ASP.NET machine key:  

Once this malware makes its way into the compromised system, the hackers can:  

- Run unauthorized commands on the web server.  

- Install additional malware to expand their control.  

- Maintain access even if initial security gaps are patched.  

Microsoft states these attacks are particularly concerning since leaked keys are available to the public, thus allowing many attackers to take advantage of this vulnerability.  


Why Publicly Exposed Machine Keys Are Dangerous

Previously, attackers sold stolen cryptographic keys in underground markets, but Microsoft now finds this case to be many freely exposed keys on public sites. It sure enhances the risks of exploitation.  

The threats include:  

- Developers could unwittingly copy exposed keys into genuinely existing projects, thereby rendering their applications exploitable.  

- Attackers could set up a script to carry out attacks against the known keys, which would allow for widespread exploitation.  

- One compromised key can cause a breach in multiple applications.  


Recommendations From Microsoft Security

To defend against these attacks, Microsoft thus recommends that organizations carry out the following:  

- Never use publicly available machine keys; generate application-specific keys at all times.  

- To limit the risks of long-term exposure, regular updates and rotations to cryptographic keys should be put into practice.  

- Check for exposed keys using Microsoft security tools and revoke any that are found.  

- Securely upgrade ASP.NET applications to the most recent version, preferably ASP.NET 4.8, which will have the strongest security protections.  

- Strengthening Windows Servers from persistent malwares through enabling security modules like Antimalware Scan Interface (AMSI) and attack surface reduction rules.  


What to Do If a System Has Been Compromised

If an organization feels its servers are under attack, it is insufficient to merely replace machine keys to avert any subsequent attacks. Microsoft suggests:  

1. To pay for a complete security investigation in order to search for backdoors and unauthorized users.  

2. Clear all malicious scripts and files from the system.  

3. Rebuild the server if necessary, to clear any other prospects of threats.  

Organizations using ASP.NET applications in web farms should replace remaining machine keys with automatically generated values that are securely stored in the system registry.  

Over 3,000 exposed cryptographic keys entail a major concern for cybersecurity since attacking groups can easily compromise web applications. Such a breach also becomes dreadful because it allows hackers to stay undetected in the system for long-spanning periods of time.  

Thus, in a bid to stay safe, businesses and developers ought to avoid using public keys, update their security settings regularly and harden defenses against malware. Every step above can assist the organizations in keeping unauthorized people out thus securing their web applications against exploitation.




The Rising Problem of Banking Scams in East India

The Rising Problem of Banking Scams in East India

Currently, India is battling with a fake banking applications spoofing genuine institutions to loot credentials and money.

The scale of the campaign is massive, impacting around 900 different malware samples linked to more than 1000 different contact numbers used to commit frauds/scams. Experts from Zimperium found that malware was hiding in apps that imitiate financial institutions worth billion-dollars, aimed to target common man in India. 

The rise of banking scams in East India

Throughout India, majority of the people have been getting WhatsApp messages containing malicious Android Package Kit (APK) files. When downloaded, these malicious files change into  fake apps spoofing one or multiple banks- ICICI Bank, State Bank of India (SBI) and more. 

The apps demand targets to provide their personal financial info- this includes ATM PINs, debit/credit card numbers and PAN card deta- used for different government and financial reasons, for instance, opening a bank account or paying taxes- adhar card. 

Stealing confidential info

To let hackers get access into victims' bank accounts, the malware hacks one-time passwords and resends them either to a threat actor-controlled phone number or C3 servers operating on Firebase. 

Additionally, the malware uses stealth and anti-analysis measures such as "packing," where the malware is hidden, compressed, and encrypted in ways that its almost impossible to notice them. It self installs by exploiting accessibility service, and get all required permissions on users' devices by just poking a user to careless click "Allow" when the malware asks nicely. 

Zimperium chief scientist Nico Chiaraviglio says "since we don't see the app, it's not easy to uninstall it." He adds "you [have to deal with the] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

The success behind scams in India

Dark Reading reports "Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%)."

According to experts, two reasons add to the problem- use of outdated phones in India that aren't equipped with latest updates, and the rise of scammers trapping innocent victims.