Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Crime. Show all posts
Ransomware Payload
China Cyber Crime cyber espionage Nailaolocker Ransomware Payload

European Healthcare Entities Targeted With NailaoLocker Ransomware

 

A previously undocumented ransomware payload named NailaoLocker has been detected in assaults targeting European healthcare entities between June and October 2024. 

The attackers employed CVE-2024-24919, a Check Point Security Gateway vulnerability, to obtain access to targeted networks and install the ShadowPad and PlugX malware families, which are closely associated with Chinese state-sponsored threat groups. Orange Cyberdefense CERT attributes the attacks to Chinese cyber-espionage tactics, while there is insufficient evidence to assign them to specific groups. 

According to Orange experts, NailaoLocker is a rather rudimentary ransomware strain when compared to the most renowned families in the area. Orange classifies NailaoLocker as a simple ransomware because it does not terminate security processes or operating services, lacks anti-debugging and sandbox evasion methods, and does not search network shares. 

The malware is installed on target systems using DLL sideloading (sensapi.dll), which involves a genuine and signed executable (usysdiag.exe). The malware loader (NailaoLoader) investigates the environment using memory address checks before decrypting and loading the main payload (usysdiag.exe.dat) into memory. 

The NailaoLocker then activates and begins encrypting files with an AES-256-CTR scheme, appending the ".locked" extension to the encrypted files. After the encryption is completed, the ransomware sends an HTML ransom note with the unusually long filename "unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please_view_this_file_unlock_please.html.”

Combining ransomware and espionage

After further investigation, Orange claims to have discovered some parallels between the ransom note's content and a ransomware tool sold by a cybercrime company known as Kodex Softwares (previously Evil Extractor). However, there were no obvious code overlaps, thus the relationship was fuzzy. 

Orange has proposed numerous hypotheses for the assaults, including false flag operations designed to distract, deliberate data theft operations combined with income creation, and, most likely, a Chinese cyberespionage organisation "moonlighting" to generate some money. 

Symantec only revealed last week that suspected Emperor Dragonfly (also known as Bronze Starlight) agents were using RA World ransomware to target Asian software companies and demanding a $2 million ransom. 

The shift in strategy is concerning since Chinese state-backed players have not adopted the strategy of North Korean actors, who are known to pursue several objectives concurrently, including financial advantages through ransomware operations.
Read more »
Password
Cyber Crime Data Breach DDOS Attacks IoT Password

Huge Data Leak Puts 2.7 Billion Records at Risk – What You Should Know

 



A security issue has surfaced involving an unprotected database linked to Mars Hydro, a Chinese company known for making smart devices like LED grow lights and hydroponic equipment. Security researcher Jeremiah Fowler discovered this database was left open without a password, exposing nearly 2.7 billion records.


What Data Was Leaked?  

The database contained sensitive details, including WiFi network names, passwords, IP addresses, and device identifiers. Although no personal identity information (PII) was reportedly included, the exposure of network details still presents serious security risks. Users should be aware that cybercriminals could misuse this information to compromise their networks.


Why Is This Dangerous?  

Many smart devices rely on internet connectivity and are often controlled through mobile apps. This breach could allow hackers to infiltrate users’ home networks, monitor activity, or launch cyberattacks. Experts warn that leaked details could be exploited for man-in-the-middle (MITM) attacks, where hackers intercept communication between devices. 

Even though there’s no confirmation that cybercriminals accessed this database, IoT security remains a growing concern. Previous reports suggest that 57% of IoT devices have critical security weaknesses, and 98% of data shared by these devices is unencrypted, making them prime targets for hackers.


Rising IoT Security Threats  

Cybercriminals often target IoT devices, and botnet attacks have increased by 500% in recent years. Once a hacker gains access to a vulnerable device, they can spread malware, launch large-scale Distributed Denial-of-Service (DDoS) attacks, or infiltrate critical systems. If WiFi credentials from this breach fall into the wrong hands, attackers could take control of entire networks.


How Can Users Protect Themselves?  

To reduce risks from this security lapse, users should take the following steps:

1. Update Device Passwords: Many IoT gadgets use default passwords that are the same across multiple devices. Changing these to unique, strong passwords is essential.

2. Keep Software Up-to-Date: Manufacturers release software patches to fix security flaws. Installing these updates regularly reduces the risk of exploitation.

3. Monitor Network Activity: Watch for unusual activity on your network. Separating IoT devices from personal computers and smartphones can add an extra layer of security.

4. Enhance Security Measures: Using encryption tools, firewalls, and network segmentation can help defend against cyberattacks. Consider investing in comprehensive security solutions for added protection.


This massive data leak stresses the importance of IoT security. Smart devices provide convenience, but users must stay proactive in securing them. Understanding potential risks and taking preventive measures can help safeguard personal information and prevent cyber threats.



Read more »
TRAI
COAI Cybeattacks Cyber Crime cyber threat CyberCrime Cyberhackers Cyberscam Cybersecurity TCCCPR Telecom TRAI

TRAI Enforces Stricter Regulations to Combat Telemarketing Spam Calls

 


There has been a significant shift in the Telecom Regulatory Authority of India (TRAI)'s efforts to curb spam calls and unsolicited commercial communications (UCC) as part of its effort to improve consumer protection, as TRAI has introduced stringent regulations. These amendments will take effect on February 12, 2025, and prohibit the use of 10-digit mobile numbers for telemarketing purposes, addressing the growing concern that mobile users have with fraudulent and intrusive messages.

To ensure greater transparency in telemarketing practices, the Telecom Regulatory Authority of India (TRAI) has enforced several measures that aim to ensure communication integrity while increasing the intelligence of telemarketers. A comprehensive consultation process was undertaken by the Telecom Regulatory Authority of India (TRAI), which involved a comprehensive stakeholder consultation process for the approval of changes to the Telecom Commercial Communications Customer Preference Regulations (TCCCPR), 2018, as a result of which significant changes have been made. This revision is intended to protect consumers against unsolicited commercial communications (UCCs) as well as to enhance compliance requirements for the providers of telecom services. 

Cellular Operators Association of India (COAI,) however, has expressed its concern over the updated regulation, especially about the penalties imposed on service providers as a result of it. The second amendment to the TCCCPR allows consumers to lodge complaints up to seven days after receiving the call or message, allowing them greater flexibility in reporting spam calls and messages for the second amendment. Furthermore, because of the new regulations, individuals are now able to lodge complaints without the need to first register their preferences for communication. 

Additionally, telecom operators are required to respond to complaints within five business days, a substantial reduction from the previous deadline of 30 days. A new set of stricter enforcement measures imposed by the law mandates that senders who receive five complaints within ten days must be held accountable for the complaint. To further safeguard consumer interests, telecom service providers will now be required to provide users with the option of opting out of all promotional emails. 

TRAI has also mandated a standard messaging format, which requires message headers to contain specific codes that indicate that they are promotional, service-related, transactional, or government-related. This structured labelling system aims to enhance transparency and help users distinguish between different types of communication by adding a structured llabellingsystem to their communication systems. 

As a part of the regulatory framework implemented by the Telecom Regulatory Authority of India (TRAI) to improve transparency and curb unsolicited commercial communications (UCCs), 10-digit mobile numbers will no longer be allowed to be used for commercial purposes. A telemarketer is required to use a series of designated numbers for promotional and service calls, ensuring that the two are clearly distinguished.

It is expected that the existing ‘140’ series will remain available for promotional purposes while the newly launched ‘1600’ series will be used for transactional and service-related communications. TRAI has also removed the requirement for the consumer to pre-register their communication preferences in advance of lodging a complaint against spam messages and unwanted phone calls from unregistered senders as part of its anti-spam practices.

In addition to simplifying the complaint process, TRAI has also expanded the reporting period from three days to seven days to improve user convenience in reporting violations, providing consumers with more flexibility in reporting complaints with essential details. To further strengthen consumer protection, TRAI has extended the complaint reporting window from three days to seven days, thus creating an environment of greater flexibility for users. 

There has been a significant reduction in the timeframe for telecom operators to respond to UCC complaints, which was previously 30 days, down to five days now. Further, the threshold for penalizing senders has been lowered as well, with only five complaints within ten days instead of the earlier benchmark of ten complaints within seven days, requiring penalties to be imposed. To improve accessibility and foster consumer engagement, the government is now requiring that mobile applications and official websites of telecom service providers prominently display complaint registration options as a means of promoting consumer engagement. 

Several regulatory initiatives have been taken to improve the accountability, transparency, and consumer-friendly nature of the telecommunications sector while also making sure the anti-spam directives are strictly followed. A stringent series of measures has been introduced by the Telecom Regulatory Authority of India (TRAI) to counter the rising threat of spam calls and to prevent malicious entities from misusing SMS headers and content templates to forward fraudulent or deceptive messages to subscribers. 

Several initiatives are being implemented by the TRAI that will ensure that consumer interests are protected and a safer and more transparent messaging environment is established. To ensure compliance with telemarketing regulations, TRAI has mandated strict penalties for entities making unauthorized promotional calls that violate telemarketing regulations. A violation of these terms can result in severe consequences such as the disconnection of all telecommunications resources for a period of up to two years, a blacklisting for up to two years, and a prohibition on acquiring any new telecommunications resources during the period of blacklisting. 

More than 800 entities and individuals have been blacklisted as a result of these measures, and over 1.8 million SIP DIDs, mobile numbers, and other telecommunications resources have been deactivated as a consequence. As a consequence, fraudulent commercial communications have been eliminated in large part. TRAI's directives call for access providers to list URLs, APKs, and links to OTTs within SMS content, and we have implemented this requirement with effect from October 1, 2024, to further enhance consumers' protection.

In an attempt to ensure consumer safety, a regulation moving forward will limit the use of links in text messages that have been verified and authorized by the user, thereby reducing the risk of consumers being exposed to harmful websites, fraudulent software, and other online risks. The '140xx' numbering series is further enhanced by migrating all telemarketing calls that originate from this series of numbers to the Distributed Ledger Platform (Blockchain) platform. In this way, the surveillance and control of telemarketing activities can be improved. 

There have also been advances in technical solutions being deployed by access providers to improve traceability to ensure that every entity involved in the message transmission, from the initial sender through to the final recipient, is accounted for within the chain of communication. Any traffic containing messages that omit a clearly defined chain of telemarketers and can be vverifiedor deviate from the pre-registered framework will be automatically rejected as of December 1, 2024. Several significant advancements are being made in regulatory oversight in the telecom sector as a result of these measures. Consumer protection is reinforced,d and accountability is enhanced within the industry as a result of these measures. 

To ensure that consumers have an easier and more convenient way to report unsolicited commercial communications violations, telecom service providers are required to prominently display complaint registration options on their official websites and mobile applications, making the complaint system more user-friendly and accessible for them. As part of this initiative, consumers will have the opportunity to easily flag non-compliant telemarketing practices, allowing the complaint process to be streamlined. Furthermore, service providers must provide consumers with a mandatory ‘opt-out’ option within all promotional messages to give them greater control over how they want to communicate. 

The new Consumer Rights Rule establishes a mandatory 90-day waiting period before marketers can re-engage users who have previously opted out of receiving marketing communication from a brand before re-initiating a consent request for them. By implementing this regulatory measure, the telecom industry will be able to protect consumers, eliminate aggressive advertising tactics, and develop a more consumer-centric approach to commercial messaging within its infrastructure.

It was announced yesterday that the Telecom Regulatory Authority of India (TRAI) has introduced stringent compliance requirements for access providers to make sure unsolicited commercial communications (UCC) are curbed more effectively. This new set of guidelines requires telecom companies to comply with stricter reporting standards, with financial penalties imposed on those companies that fail to accurately report UCC violations. 

According to the punishment structure, the initial fine of 2 lakh rupees for a first offence is followed by a fine of 5 lakhs for the second offence and a fine of 10 lakhs for subsequent violations. There has been a move by access providers to further enhance the level of regulatory compliance by mandating that telemarketers place security deposits that will be forfeited if any violation of telemarketing regulations occurs. A telecom operator may also be required by law to enter into legally binding agreements with telemarketers and commercial enterprises, which will explicitly define and specify their compliance obligations, as well as enumerating the repercussions of non-compliance. 

This means that reducing spam levels will be a major benefit for businesses while ensuring that they can communicate through authorized, transparent, and compliant channels, leading to a significant reduction in spam levels. TRAI aims to increase the consumer safety and security of the telecommunications ecosystem by enforcing these stringent requirements while simultaneously balancing regulatory oversight with legitimate business needs to engage with customers by the means approved by TRAI.
Read more »
Thailand
8Base Cyber Crime Phobos Ransomware Thailand

Global Crackdown on Phobos Ransomware, Two Arrested

 



A major international police operation has resulted in the arrest of two individuals suspected of carrying out ransomware attacks worldwide. The operation also led to the takedown of dark web platforms associated with a notorious cybercrime group.  

Suspects Arrested in Thailand

Law enforcement authorities apprehended two Russian nationals in Phuket, Thailand, accusing them of orchestrating cyberattacks on businesses and institutions across multiple countries. Reports suggest that their activities led to financial losses amounting to millions of dollars, with ransom payments made in cryptocurrency.  

The investigation was conducted in collaboration with Swiss authorities, who have requested the extradition of the suspects. Officials believe that these individuals were behind ransomware attacks on at least 17 Swiss organizations between April 2023 and October 2024.  

How the Cyberattacks Were Carried Out

The hackers allegedly infiltrated computer networks, encrypting crucial data and demanding payment in digital currency in exchange for restoration. Victims who refused to pay faced the risk of having their sensitive information leaked online.  

Authorities revealed that the attackers used Phobos ransomware, a type of malicious software designed to lock files and prevent access unless a ransom is paid. Over time, the hackers are believed to have amassed around $16 million from their victims.  

To make tracking difficult, the ransom payments were processed through cryptocurrency mixing services, which obscure transaction details and the final destination of funds.  

Dark Web Platforms Shut Down

In a simultaneous effort, law enforcement agencies also took control of websites used by the 8Base ransomware group. These platforms functioned as communication hubs where cybercriminals engaged with victims, demanded ransoms, and published stolen data when their demands were not met.  

Now, visitors attempting to access these sites see a law enforcement notice confirming that they have been seized. The operation was an international effort, with agencies from Europe, the United States, and Asia working together to dismantle the group's online infrastructure.  

Who Are the 8Base Hackers?

The 8Base cybercriminal group surfaced in early 2022 but remained relatively unnoticed until mid-2023, when they intensified their ransomware operations. While they publicly identified themselves as "ethical hackers" conducting penetration testing, cybersecurity experts argue that their activities were anything but legal.  

Some researchers suspect that 8Base could be linked to an older ransomware group, as their ransom notes and data leak strategies resemble those used by another criminal organization. However, this connection has yet to be verified.  

How Their Ransomware Worked

Once inside a company's system, these hackers moved through different devices, gaining deeper access to networks. Their ultimate goal was to control the central system managing all devices. When they achieved this, they deployed Phobos ransomware, encrypting files and appending .8base or .eight extensions to the locked data.  

Victims would then receive a ransom note demanding a payment, sometimes reaching millions of dollars — to restore access and prevent public data leaks.  

Cyberattacks like these have severe financial and operational consequences for businesses, hospitals, and governments. In 2023, authorities warned that 8Base was increasingly targeting healthcare organizations, raising concerns over the security of sensitive medical records.  

This recent crackdown represents a substantial step in combating ransomware threats, but experts warn that cybercriminals are constantly developing their tactics.

Read more »
Microsoft security
ASP.NET cryptographic keys Cyber Crime Fraud Management Microsoft security

Hackers Exploit Exposed Security Keys to Inject Code into Websites

 



Cybercriminals are exploiting leaked cryptographic keys to manipulate authentication systems, decode protected data, and install harmful software on vulnerable web servers. These attacks can give hackers unauthorized control over websites and would allow them to maintain access for long periods.  


How Hackers Use Publicly Available Keys

Microsoft's cybersecurity experts have recently detected a new wave of Internet threats in which attacking groups use exposed ASP.NET machine keys to break into web applications. These keys are sometimes kept private, but they were nonetheless discovered in public code repositories so that hackers could easily gain access to and misuse them.  

Once the criminal possess this key, he would be able to manipulate ViewState, a methodology in ASP.NET Web Forms considered to store and manipulate user data between page interactions. If ViewState data with malicious content is injected by the attacker, the web server would then validate it and process it, allowing the hacker to execute harmful commands on that system.  

Microsoft, on its part, is tracking that more than 3,000 machine keys have been publicly leaked, putting numerous web applications at risk of code injection attacks.  


The Godzilla Malware Threat

In December 2024, evidence was found that an unidentified hacker group installed the military-grade malware Godzilla in a compromised machine with long-term access and control through an exposed ASP.NET machine key:  

Once this malware makes its way into the compromised system, the hackers can:  

- Run unauthorized commands on the web server.  

- Install additional malware to expand their control.  

- Maintain access even if initial security gaps are patched.  

Microsoft states these attacks are particularly concerning since leaked keys are available to the public, thus allowing many attackers to take advantage of this vulnerability.  


Why Publicly Exposed Machine Keys Are Dangerous

Previously, attackers sold stolen cryptographic keys in underground markets, but Microsoft now finds this case to be many freely exposed keys on public sites. It sure enhances the risks of exploitation.  

The threats include:  

- Developers could unwittingly copy exposed keys into genuinely existing projects, thereby rendering their applications exploitable.  

- Attackers could set up a script to carry out attacks against the known keys, which would allow for widespread exploitation.  

- One compromised key can cause a breach in multiple applications.  


Recommendations From Microsoft Security

To defend against these attacks, Microsoft thus recommends that organizations carry out the following:  

- Never use publicly available machine keys; generate application-specific keys at all times.  

- To limit the risks of long-term exposure, regular updates and rotations to cryptographic keys should be put into practice.  

- Check for exposed keys using Microsoft security tools and revoke any that are found.  

- Securely upgrade ASP.NET applications to the most recent version, preferably ASP.NET 4.8, which will have the strongest security protections.  

- Strengthening Windows Servers from persistent malwares through enabling security modules like Antimalware Scan Interface (AMSI) and attack surface reduction rules.  


What to Do If a System Has Been Compromised

If an organization feels its servers are under attack, it is insufficient to merely replace machine keys to avert any subsequent attacks. Microsoft suggests:  

1. To pay for a complete security investigation in order to search for backdoors and unauthorized users.  

2. Clear all malicious scripts and files from the system.  

3. Rebuild the server if necessary, to clear any other prospects of threats.  

Organizations using ASP.NET applications in web farms should replace remaining machine keys with automatically generated values that are securely stored in the system registry.  

Over 3,000 exposed cryptographic keys entail a major concern for cybersecurity since attacking groups can easily compromise web applications. Such a breach also becomes dreadful because it allows hackers to stay undetected in the system for long-spanning periods of time.  

Thus, in a bid to stay safe, businesses and developers ought to avoid using public keys, update their security settings regularly and harden defenses against malware. Every step above can assist the organizations in keeping unauthorized people out thus securing their web applications against exploitation.




Read more »
WhatsApp
Banking Scams Cyber Crime India WhatsApp

The Rising Problem of Banking Scams in East India

The Rising Problem of Banking Scams in East India

Currently, India is battling with a fake banking applications spoofing genuine institutions to loot credentials and money.

The scale of the campaign is massive, impacting around 900 different malware samples linked to more than 1000 different contact numbers used to commit frauds/scams. Experts from Zimperium found that malware was hiding in apps that imitiate financial institutions worth billion-dollars, aimed to target common man in India. 

The rise of banking scams in East India

Throughout India, majority of the people have been getting WhatsApp messages containing malicious Android Package Kit (APK) files. When downloaded, these malicious files change into  fake apps spoofing one or multiple banks- ICICI Bank, State Bank of India (SBI) and more. 

The apps demand targets to provide their personal financial info- this includes ATM PINs, debit/credit card numbers and PAN card deta- used for different government and financial reasons, for instance, opening a bank account or paying taxes- adhar card. 

Stealing confidential info

To let hackers get access into victims' bank accounts, the malware hacks one-time passwords and resends them either to a threat actor-controlled phone number or C3 servers operating on Firebase. 

Additionally, the malware uses stealth and anti-analysis measures such as "packing," where the malware is hidden, compressed, and encrypted in ways that its almost impossible to notice them. It self installs by exploiting accessibility service, and get all required permissions on users' devices by just poking a user to careless click "Allow" when the malware asks nicely. 

Zimperium chief scientist Nico Chiaraviglio says "since we don't see the app, it's not easy to uninstall it." He adds "you [have to deal with the] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

The success behind scams in India

Dark Reading reports "Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%)."

According to experts, two reasons add to the problem- use of outdated phones in India that aren't equipped with latest updates, and the rise of scammers trapping innocent victims.

Read more »
Saim Raza
Cyber Crime Dark Web Internet Operation Talent Saim Raza

DoJ Cracks Down Pakistan Linked Dark Web Forums Impacting 17 Million

DoJ Cracks Down Pakistan Linked Dark Web Forums Impacting 17 Million

The US Department of Justice (DoJ) joined forces with international law enforcement to shut down a few Dark Web cybercrime forums, two operations that impacted underground markets associated with the attacks on millions of victims worldwide. 

Pakistani dark web forum shut down

Result? “Cracked” and “nulled” websites are down, along with the Pakistani “Saim Raza” network of dark web forums, also called “HeartSender.” The long-term implications of this operation are not known.

DoJ partnered with international agencies to crack down on cybercrime

First, DoJ with the Dutch National Police captured 39 domains operated by a Pakistani group known as Saim Raza (aka HeartSender). DoJ says Saim Raza has been working since 2020, selling fraud tools and phishing kits to the highest bidder throughout a network of dark websites. 

Criminals purchasing the tools are accountable for global business email compromise (BEC) attacks and other dangerous scams- against victims in the US who were robbed of $3 million. 

The DoJ believes Saim Raza made these “tools widely available on the open Internet” and “also trained end users on how to use the tools against victims by linking to instructional YouTube videos.” 

The group explained, “how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise.” Saim Raza also “advertised its tools as 'fully undetectable' by antispam software,” the agency said in its announcement.

More About "Cracked" & "Nulled" Dark Web Markets 

Called “Operation Talent,” the DoJ and Europol worked together to crack down the two dark web marketplaces, linked to cybercrimes against more than 17 million victims.

In a separate action, the DoJ participated in "Operation Talent," a Europol-backed international operation that disrupted the Cracked and Nulled Dark Web marketplaces. Together, the forums have been linked to cybercrimes against at least 17 million US victims.

The cracked marketplace surfaced in 2018, DoJ believes, having 4 million users, making $4 million in revenue, and hosting over 28 million cybercrime ads in its career.

“The Nulled website domain seizure meanwhile came in tandem with the unsealing of charges against one of its administrators, Lucas Sohn, an Argentinian national living in Spain,” says cybersecurity news portal Dark Reading. Nulled has been in the game since 2016, hosted 5 million users, and made $1 million per year, also listing over 43 million ads.

Read more »
North Korea
Cyber Crime Lazarus hacking group MFA North Korea

North Korean Hackers Exploit RID Hijacking to Gain Full Control Over Windows Systems

 


A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system.

What is RID Hijacking and How Does It Work?

Windows assigns each user account a Security Identifier (SID), which includes a Relative Identifier (RID) that defines the account’s access level. Key RIDs include:

  • 500 – Default administrator account
  • 501 – Guest account
  • 1000+ – Regular user accounts

Hackers exploit this system by modifying the RID of a normal user account to match that of an administrator. Since Windows determines permissions based on RID values, the system unknowingly grants higher-level access to what appears to be a low-privilege account. However, this attack requires deep access to the system’s core security files, specifically the Security Account Manager (SAM) registry, where user login details are stored.

Researchers from AhnLab Security Intelligence Center (ASEC) have linked these attacks to Andariel, a North Korean hacking group that is part of Lazarus, a well-known state-sponsored cybercrime organization. Andariel typically gains initial access by exploiting software vulnerabilities or tricking users into downloading malware. Once inside, they use hacking tools like PsExec and JuicyPotato to obtain SYSTEM-level privileges, the highest level of access on a Windows machine.

However, SYSTEM-level access has limitations, such as the inability to log in remotely, lack of persistence after a system restart, and high visibility to security systems. To overcome these, Andariel creates a hidden user account using the Windows "net user" command, adding a "$" symbol at the end of the username to make it invisible in regular user lists. They then modify its RID to that of an administrator, granting it full control over the system while remaining undetected.

How to Defend Against RID Hijacking

To protect against RID hijacking, organizations and IT administrators can take the following steps:

  1. Monitor User Login Activity: Use the Local Security Authority (LSA) Subsystem Service to track unusual logins or permission changes.
  2. Secure Critical System Files: Restrict unauthorized modifications to the SAM registry, where login credentials are stored.
  3. Block Hacking Tools: Prevent tools like PsExec and JuicyPotato from running, as they are commonly used for privilege escalation.
  4. Implement Multi-Factor Authentication (MFA): Require an extra authentication step for all accounts, even low-level ones, to prevent unauthorized access.
  5. Regularly Audit User Accounts: Check for hidden or suspicious accounts, especially those with "$" symbols or unusual RID values.

RID hijacking has been known since 2018, when cybersecurity researchers first demonstrated it as a way to maintain persistent access on Windows systems. However, its recent use by North Korean state-sponsored hackers highlights the growing sophistication of cyberattacks. By making small, undetectable changes to Windows user settings, hackers can silently maintain control over a compromised system, making it much harder for security teams to remove them.

The use of RID hijacking by North Korean hackers underscores the importance of proactive cybersecurity measures. Organizations must monitor user accounts, detect hidden activity, and secure critical system files to defend against such stealthy attacks. By staying vigilant and implementing robust security practices, businesses can better protect their systems from advanced threats like RID hijacking.

Read more »
Protonmail
AT&T Cloud Services comcast credential harvesting Cyber Crime Protonmail

Cybercriminals Exploit Cloud Services to Steal Login Information

 


You may think you are receiving an email from your trusted ProtonMail account — only to discover it’s a trap set by cybercriminals. Recent research throws light on how attackers are targeting both widely known and lesser-used cloud platforms like AT&T, Comcast Xfinity, and Gravatar to deceive users into handing over their credentials.  

This growing trend is a testament to how cybercriminals evolve to exploit users’ trust in familiar brands and unsuspecting services, creating significant security risks for individuals and businesses alike.  


What Are Cloud Services, and Why Are They Targeted?

To understand these threats, it’s crucial to know what cloud services are. These platforms allow users to access tools and store data online, eliminating the need for physical hardware. Examples include ProtonMail, which provides secure email communication, and Gravatar, a service that manages user avatars across the web.  

Cybercriminals target these services due to their widespread adoption and the trust users place in them. Services like Gravatar, often overlooked in cybersecurity protocols, become particularly attractive to attackers as they can bypass many conventional defenses.  


How Attackers Exploit Cloud Platforms 

While telecom giants like AT&T and Comcast Xfinity are attacked for their reputation and vast user base, platforms like Gravatar are exploited due to their unique features. For instance, Gravatar’s “Profiles as a Service” functionality allows attackers to create convincing fake profiles, tricking users into revealing sensitive information.  

The methods attackers use often depend on two key factors:  

1. Familiarity: Trusted brands like AT&T and Comcast Xfinity are lucrative targets because users inherently trust their platforms.  

2. Low Visibility: Lesser-known platforms, such as Gravatar, often evade suspicion and security monitoring, making them easy prey.  


How Credential Theft Works  

Cybercriminals follow a systematic approach to harvest user credentials:  

1. Deceptive Emails: Victims receive phishing emails that mimic trusted platforms.  

2. Fake Websites: These emails direct users to fraudulent login pages resembling legitimate ones.  

3. Impersonation: Fake profiles and interfaces add credibility to the scam.  

4. Data Theft: Once users input their login details, attackers gain unauthorized access, leading to potential breaches.  


Telecom Companies Under Siege  

Telecommunications companies like AT&T, Comcast Xfinity, and regional Canadian ISPs, including Kojeko and Eastlink, are particularly vulnerable. These companies manage vast amounts of sensitive user data, making them high-value targets. A successful breach could enable hackers to exploit customer data on a massive scale, creating widespread consequences.  


How to Protect Yourself from These Attacks  

To stay secure against credential theft attempts, follow these precautions:  

  1. Verify Websites: Always confirm the authenticity of a URL before entering personal information.  
  2. Scrutinize Emails: Be cautious of unsolicited emails, especially those requesting sensitive data.  
  3. Strengthen Passwords: Use complex, unique passwords for every account.  
  4. Two-Factor Authentication (2FA): This adds an extra security layer, making it harder for attackers to succeed.  
  5. Stay Updated: Regularly educate yourself on emerging cybersecurity threats.  


Conclusion: Awareness is Key to Cybersecurity

Credential theft campaigns have become more intricate in their execution, targeting both renowned and overlooked platforms. By understanding the tactics used by attackers and adopting proactive security measures, individuals and businesses can safeguard themselves from these evolving threats.  

For an in-depth look at this issue and additional insights, refer to the SlashNext report.


Read more »
IABs
ADT data breach Cyber Crime Cyber Threat Intelligence Hacking IABs

How Hackers Sell Access to Corporate Systems Using Stolen Credentials

 


In the cybercrime world, Initial Access Brokers (IABs) are essential for facilitating attacks. These specific hackers break into company systems, steal login credentials, and then sell access to other criminals who use it to launch their own attacks. They essentially act as locksmiths for hackers, making it easy for those willing to pay to get into systems.

What Exactly Do IABs Do?

IABs function as a business where they sell access to corporate systems stolen from their organizations on dark markets, either private forums or Telegram channels. The credentials offered include the most basic login information and even the highest administrator accounts. They even have guarantees by giving a refund if the stolen credentials fail to work.

This system benefits both inexperienced attackers and advanced hacking groups. For less skilled criminals, IABs provide access to high-value targets they could never reach independently. For seasoned ransomware operators, purchasing pre-stolen access saves time and allows them to focus on deploying malware or stealing sensitive data.

Such credentials as usernames and passwords are a hacker's key to entering a system directly, bypassing all the security barriers. Such an attack occurred during major breaches such as in the 

  • Geico Case: Cyber thieves in 2024 accessed Geico's online tools with stolen credentials and compromised sensitive information for 116,000 customers and paid the company millions in fines.
  • ADT Breach: Thieves had used the credentials of one of ADT's partners to breach ADT's internal systems twice, releasing customer records and proving that even trusted relationships can be compromised. In a report released by IBM in 2024, compromised credentials accounted for nearly 20% of all data breaches and were frequently unobserved for months, leaving attackers sufficient time to steal their information.


How to Protect Against IABs  

Organizations must adopt proactive measures to counteract these threats:  

1. Threat Intelligence: Tools can monitor underground markets for stolen credentials. If a company’s data appears on these platforms, immediate action—like forcing password changes can help minimize damage.

2. Complex Passwords: It is recommendable that companies enforce rules forcing employees to use complex, unique passwords and to update them regularly. Platforms like Specops Password Policy allow companies to check their credentials against known breached databases to prevent using the same breached passwords.

Although IABs have made cybercrime more efficient, organizations can protect themselves by understanding their tactics and strengthening their defenses. Regular monitoring, strong password practices, and quick responses to breaches are key to staying ahead of these threats. By closing the gaps hackers exploit, companies can make it harder for cybercriminals to succeed.




Read more »
User Security
14C Cyber Crime Digital Fraud Indian Government User Security

India Launches 'Report and Check Suspect' Feature to Combat Cybercrime

 

India’s National Cyber Crime Reporting Portal now features a ‘Report and Check Suspect’ tool, allowing users to verify UPI IDs, phone numbers, emails, and social media handles against a database of known cyber fraudsters.

Focusing on Digital Arrest Scams

The system targets scams where fraudsters impersonate officials to extort money under the pretense of “digital arrests.” Users can search the database at cybercrime.gov.in to identify potential threats.

Integrated Cybersecurity Measures

The tool complements other initiatives like blocking 669,000 fake SIM cards and implementing enhanced KYC protocols for digital lending. Major tech firms, including Google and Facebook, are collaborating with the Indian Cyber Crime Coordination Centre (I4C) to share threat intelligence and curb misuse of platforms like Google Firebase and Android banking malware.

The Ministry of Home Affairs has also established a Cyber Volunteer Framework, enabling citizens to report illegal online content and promote cyber hygiene. Additionally, the Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS) expedites action against financial frauds.

These initiatives align with India’s broader efforts to secure digital transactions, including mandating multi-factor authentication for government services by 2025.

Read more »
Ransom
Crypto Extortion Crypto Scam Cyber Crime Kidnapping Ransom

Crypto Dealers Targeted in Alarming Kidnapping and Extortion Cases

 

Recent incidents have revealed a troubling trend of cryptocurrency dealers being targeted for kidnappings and extortion. These cases underline the risks associated with the growing prominence of the cryptocurrency sector.

French authorities recently rescued a 56-year-old man found tied in the trunk of a car in Le Mans. According to France Bleu Normandie, the man had been abducted on New Year’s Eve by masked assailants who broke into his home, tied him and his wife up, and transported him approximately 500 kilometers across the country.

The captors used encrypted communication networks to demand a ransom from his son, a cryptocurrency influencer based in Dubai. The victim was discovered disoriented and covered in gasoline, prompting an ongoing investigation as the perpetrators remain at large.

Global Surge in Crypto-Related Crimes

Cryptocurrency's rising value and adoption have made it a lucrative target for cybercriminals. On December 17, Bitcoin (BTC) reportedly reached significant highs, amplifying interest in the sector. This growth has drawn attention from threat actors engaging in malware attacks, kidnappings, and extortion schemes.

For instance, on December 25, a cryptocurrency merchant in Pakistan was kidnapped in Karachi. The assailants coerced the victim into transferring $340,000 in cryptocurrency before abandoning him. Seven individuals, including a Counter-Terrorism Department officer, were later arrested, and charges for kidnapping and extortion were filed under the Pakistan Penal Code.

Cryptocurrency and Ransom Scams

In Australia, a case involving a Saudi royal highlighted the use of social platforms in abduction schemes. The victim was lured via a dating app to a location where he was ambushed and restrained. Threatened with severe harm, he transferred $40,000 in Bitcoin. While the lead perpetrator, Catherine Colivas, avoided prison due to mitigating circumstances, the case underscores the broader vulnerabilities in cryptocurrency transactions.

According to analysts at Chainalysis, the expanding ransomware landscape compounds these risks. Tracking incidents and ransom payments made in cryptocurrencies remains a significant challenge, emphasizing the need for heightened security and vigilance in the sector.

Read more »
User Security
Cyber Crime Email scam Indian Citizens Threat Landscape User Security

Threat Actors Are Sending Fraudulent Legal Notices to Target Indians

 

The Indian authorities have issued an urgent warning to residents over the widespread circulation of counterfeit emails impersonating Rajesh Kumar, CEO of the Indian Cyber Crime Coordination Centre (I4C). 

These fraudulent emails, with misleading subject lines like "Urgent Notification!" and "Court Notification," falsely accuse recipients of cybercrime and pressure them to respond. The PIB Fact Check team has identified these emails as fraudulent, emphasising that they were sent with malicious purpose to trick recipients and exploit their fears. 

Fake email threat

The bogus emails exploit the logos of prominent Indian institutions, such as the Indian Cyber Crime Coordination Centre (I4C), Intelligence Bureau (IB), and Delhi Police, as proof of legitimacy. They also represent themselves by using the names and contact information of senior officials to deceive recipients. These fake emails have been sent to government offices, people, and organisations, posing as official correspondence. 

In a tweet from its official handle, @PIBFactCheck, the bureau clarified that these emails are absolutely fraudulent and deceitful. "It is vital to note that neither the undersigned nor this unit originated such emails. Furthermore, no permission has been obtained for the creation or distribution of such content," the release noted. 

Cybercrime impact in India 

Concern over the rise in cybercrime in India is growing. Avinash Mohanty, the commissioner of police for Cyberabad, claims that cybercrime makes up more than 30% of the commissionerate's cognisable offences and that it may soon reach 50%. It is alarming to learn that every minute, Indian residents lose between 1.3 and 1.5 lakh rupees to hackers. This startling statistic emphasises the importance of raising awareness and vigilance against online fraud and scams. 

The recovery rate for cybercrime damages in the nation remains dismally low, averaging less than 20%. This increases the financial and emotional toll on sufferers. The increase in cybercrime impacts not only individuals and businesses, but also government institutions, which have been targeted in cases of espionage and data breaches.

In recent years, India has had a number of high-profile data breaches, the most significant of which involved Aadhaar, the country's unique citizen identification system. This breach affected over a billion Indians' personal information, including bank account numbers, addresses, and fingerprints. In 2024, the cost of data breaches in India would exceed two million US dollars, illustrating the increasing sophistication of cyberattacks and their devastating consequences.
Read more »
KYC
Cyber Crime Financial Security Identity Theft IDS KYC

Cybercriminals Exploit Identity Verification Systems

 


Cybercriminals on the dark web have developed new ways to exploit identity verification systems. Rather than hacking or stealing personal information, they are purchasing it directly from individuals, as revealed by security researchers at iProov. This approach allows them to bypass Know Your Customer (KYC) processes used by businesses to verify customer identities. Researchers found that a criminal group in Latin America is gathering identity documents, such as passports and driver's licenses, along with corresponding facial images. 

In some cases, these criminals pay individuals for their personal data. While the exact amount paid remains unclear, this practice raises serious concerns. This group’s activities extend beyond Latin America, with similar tactics reported in Eastern Europe. Law enforcement agencies in these regions have been alerted to the threat. 
 
Why Is This Dangerous? 
 
Selling personal data equips fraudsters with real identity "kits," which combine authentic documents with matching biometrics. This makes it challenging to identify the kits as counterfeit. According to iProov Chief Scientific Officer Andrew Newell, these kits enable criminals to execute sophisticated impersonation scams, putting victims’ financial security and personal identities at risk. 
  
What Can Be Done? 
 
Classic verification methods have proven inadequate against such advanced attacks. iProov recommends implementing multi-layered security measures to combat these threats. Key steps include:
  • Real-Time Authentication: Verifying that the user is a human being in real-time.
  • Identity Verification: Ensuring the user matches the rightful owner of the presented identity.
These layered methods significantly hinder cybercriminals, even when they possess convincing identity data. iProov notes that even sophisticated attackers struggle to bypass such systems while maintaining realistic interactions.
  • Never sell or share your personal information, regardless of incentives.
  • Be cautious of schemes offering money for personal data, as they can fuel large-scale fraud.
  • Stay vigilant and report any suspicious activity to relevant authorities.
As cybercriminals continue to innovate, businesses must invest in robust security systems, and individuals must take proactive steps to safeguard their sensitive information.
Read more »
International
Cyber Crime Digital Arrest Fraud Calls International

Getting Fake International Calls? Here’s What You Need to Know

 

 
Fraudulent international calls are on the rise, targeting mobile users nationwide. The scams involve unknown numbers pretending to be from trusted organizations, deceiving individuals into sharing sensitive information or making payments. The Department of Telecommunications (DoT) recently reported identifying over 1.35 crore fake calls within just 24 hours of launching its new detection system. 
  
How Scammers Operate 
 
Fraudsters use international numbers, often genuine ones, to pose as representatives of government agencies or organizations. By exploiting the trust of unsuspecting users, they gather personal data or extort money. The use of legitimate international numbers makes it harder to identify these scams. 

To combat this issue, the government introduced the International Incoming Fake Call Prevention System on October 22. Within a single day, it flagged 90% of suspicious calls, which were then blocked by telecom operators. As scammers switched to using legitimate international numbers, further action was taken. The DoT has advised caution when answering calls from unknown international numbers, especially those not starting with India’s country code, +91. Citizens are encouraged to avoid such calls and report those claiming to represent government agencies. 
  
The New ‘Digital Arrest’ Scam 
 
Scammers are now employing a tactic called the ‘digital arrest’ scam. They pose as police or CBI officers during video calls, accuse victims of serious crimes, and demand immediate payments to avoid arrest. The convincing nature of these scams can leave victims feeling compelled to comply. 
  
Here's How to Prevent Yourself
  • Never share personal or financial information with unknown callers.
  • Verify the caller’s identity before engaging in any conversation.
  • Avoid picking up calls from unfamiliar international numbers.
With scams becoming more sophisticated, staying informed and vigilant is crucial. If you suspect fraudulent activity, refrain from responding and report the incident to the appropriate authorities.
Read more »
Ransomware
Cyber Crime LockBit RaaS Ransomware

Look Who’s Back: LockBit Gears Up for a Comeback With Version 4.0

 



The infamous LockBit ransomware group has announced its return with the upcoming release of LockBit 4.0, set for February 2025. This marks a big moment for the group, which has had major setbacks over the last year. A global law enforcement crackdown shut down its operations, with arrests and recovery of nearly 7,000 decryption keys. As other ransomware groups like RansomHub take the lead, it remains uncertain if LockBit can reclaim its former dominance.  


Challenges Facing LockBit’s Return

LockBit's return is definitely not in the cards, though. The group did a lot of damage to itself, mainly because law enforcement was doing their job and newer Ransomware groups were outperforming it. Probably, the development of this 4.0 version involves deep changes in its codebase since the previous variant had been compromised. Experts therefore wonder whether LockBit manages to overcome these obstacles or gets back into the crowded field of ransomware services.

Another emerging favorite is ransomware-as-a-service, where groups start to sell their tools and infrastructure to affiliates in a specific ratio of the profits being extracted by that affiliate. LockBit will find itself competing not just with opponents such as RansomHub but also with variants from the same ransomware assembled using leaked source code.


What to Expect With LockBit 4.0

The group's announcement for LockBit 4.0 has bold claims, enticing potential affiliates with promises of wealth and success. The official launch is scheduled for February 3, 2025, and keys are provided to access their dark web leak site. While specific details about the 4.0 version are unclear, cybersecurity researchers are closely monitoring its development.

The group may also change its tactics to stay off the radar of international law enforcement. In the past, LockBit has been criticized for hitting high-profile victims, including the Toronto Hospital for Sick Children in 2022. After public backlash, the group issued an apology and provided a free decryption key, an unusual move for a ransomware organization.  


The Future

LockBit's ability to stage a successful comeback will depend on its capacity to adapt to the challenges it faces. With competitors gaining ground and its credibility in question, the group's path forward is uncertain. Cybersecurity experts will be watching closely to see how LockBit 4.0 impacts the ransomware infrastructure.

For now, organizations are advised to remain vigilant, as ransomware groups continue to improvise their tactics. Implementing robust security measures and staying informed about emerging threats are critical steps in defending against such attacks.



Read more »
Zero-day vulnerability
Cyber Crime Cyber Hackers CyberCrime Cybersecurity CyberThreat Internet Explorer Microsoft North Korea South Korea Zero-day vulnerability

Cyber Threat Alert for South Korea from North Korean Hackers

 


In a recent cyber-espionage campaign targeted at the United States, North Korean state-linked hacker ScarCruft recently exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets nationwide. APT37, or RedEyes as it is sometimes called, is one of the most notorious North Korean state-sponsored hacking groups, and its activities are thought to be aimed at cyber espionage. 

There is typically a focus on human rights activists from South Korea, defectors from the country, and political entities in Europe from this group. An unknown threat actor with ties to North Korea has been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell as part of a campaign targeted at Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia, and Thailand. 

Known to Securonix as SHROUDED#SLEEP, the activity is believed to have been carried out by APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft as well as several other names. ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a state-sponsored cyber-espionage threat group that almost entirely targets South Korean individuals and organizations. 

It uses spear phishing to deliver customized tools via phishing, watering holes, and zero-days for Internet Explorer. It has been reported by AhnLab that APT37 compromised one of the servers of a domestic advertising agency. Hence, the purpose is to push specially crafted 'Toast ads' as a part of an unidentified free software that is widely used by South Koreans. As a result of the CVE-2024-38178 flaw found in the JavaScript 9.dll file (Chakra) of Internet Explorer used for displaying these advertisements, it caused the JavaScript file named 'ad_toast' to trigger remote code execution via CVE-2024-38178 in the JavaScript9.dll file.

There is a deep correlation between the malware that was dropped in this attack and the RokRAT malware, which ScarCruft has been using for years to launch attacks. In essence, RokRATs primary function is to exfiltrate to Yandex cloud instances every 30 minutes file matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt, .amr) that match these extensions. In addition to keylogging, Keylogger also monitors for changes made to the clipboard and captures screenshots (every three minutes) as well. 

In July 2022, ScarCruft, a North Korean threat actor who operates in North Korean cyberspace, began experimenting with oversized LNK files as a delivery route for RokRAT malware, just a couple of months after Microsoft began blocking macros by default across several Office documents. Check Point has released a new report on its technical analysis of RokRAT that concludes that the malware has not changed significantly over the years, but the deployment method has evolved. RokRAT now uses archives that contain LNK files, resulting in infection chains that move through multiple stages. 

As a result of this round of activity, is another indication of a major trend in the threat landscape, where both APTs, as well as cybercriminals, will try to overcome the restriction on macros coming from untrusted sources. Having made the news in the past few days, a new campaign with the intriguing name "Code on Toast," has raised serious concerns about the vulnerability of software still embedded in widely used systems, even after the retirement of Internet Explorer. According to a joint report by the National Cyber Security Center (NCSC) of South Korea, and AhnLab (ASEC), the incident occurred earlier this year. 

There was a unique way for these malware infections to be spread by using toast pop-up ads as how the campaign was delivered. There is a unique aspect of this campaign that focuses on the way ScarCruft distributes its malware through the use of toast notifications and small pop-ups that appear when antivirus software or free utilities are running. As a result of ScarCruft’s compromise of the server of a domestic ad agency in South Korea, a malicious "toast ad" made by ScarCruft was sent to many South Korean users through a popular, yet unnamed, free piece of software. 

To accomplish ScarCruft’s attack, a zero-day Internet Explorer vulnerability, CVE-2024-38178, with a severity rating of 7.5, must be exploited cleverly. As a consequence of this, Edge users in Internet Explorer mode can potentially execute remote code through a memory corruption bug in the Scripting Engine, which can result in remote code execution. This vulnerability was patched for August 2024 as part of Microsoft's Patch Tuesday update, part of this annual update program. 

By using toast notifications, typically harmless pop-up ads from anti-virus software or utility programs, the group silently delivered malware through a zero-click infection method using a zero-click virus delivery mechanism. As a result, it has become necessary for an attacker to convince a user to click on a URL that has been specially crafted to initiate the execution of malicious code to successfully exploit a vulnerability. 

Having used such advanced techniques, ScarCruft clearly emphasizes the need for South Korea's digital landscape to remain protected from such threats in the future. It is unfortunate that no matter how much effort is put into phasing out outdated systems, security vulnerabilities have caused problems in legacy components like Internet Explorer. Although Microsoft announced it would retire Internet Explorer at the end of 2022, many of the browser's components remain in Windows, or they are being used by third-party products, allowing threat actors to come across new vulnerabilities and exploit them for their purposes. As a result of this campaign, organizations will be reminded of the importance of prioritizing cybersecurity updates and maintaining robust defences against increasingly sophisticated cyber threats backed by governments.
Read more »
Telecom Firm
Cyber Crime France GSMA Online fraud Telecom Firm

French Telecom Companies Band Together to Combat Rising Fraud

 

The four leading mobile network carriers (MNOs) in France have teamed up to combat identity theft and online fraud. To help online companies fight fraud and digital identity theft, Bouygues Telecom, Free, Orange, and SFR announced on December 3 that they will introduce two network Application Programmable Interfaces (APIs) for the French market in the first half of 2025. This initiative is part of the Open Gateway system of the Global System for Mobile Communications Association (GSMA).

About GSMA

The GSMA, a trade association representing the global interests of mobile operators, was established in 1995. As of 2024, it has more than 750 members. In 2023, the GSMA launched the Open Gateway Initiative, aiming to create digital solutions that work seamlessly across devices, regardless of the nation or operator.

Since its inception, the program has onboarded 67 mobile network operators (MNOs) and 26 channel partners, representing 278 networks and covering three-quarters of global mobile connections. Developers can access these network capabilities via APIs through the CAMARA repository, an open-source initiative by the Linux Foundation.

“This aligned market launch of CAMARA APIs from France’s leading operators will make it easier to keep people safe from the growing threat of fraud. The initiative benefits businesses, mobile operators, and their customers, saving developers time, money, and effort while allowing for the quick launch of innovative new services.”

Henry Calvert, Head of Networks at the GSMA

Role of APIs in Mitigating Fraud

1. KYC Match API

Purpose: Cross-check user-provided information with verified data stored by the mobile network operator during the Know Your Customer (KYC) process.

The KYC Match API validates details such as mobile phone numbers, names, postal codes, and email addresses, without transferring any personally identifiable information (PII).

France is the first country to have all its national MNOs adopt KYC Match. Several financial institutions, including Crédit Agricole's online subsidiary BforBank and Credit Mutuel Arkéa's Fortuneo, are already utilizing this API in collaboration with DQE Software to screen new customers.

2. SIM Swap API

Purpose: Detect recent SIM card changes to prevent account takeover fraud.

This API checks if a phone number has recently had its SIM card swapped, helping financial institutions verify the relationship between a customer’s phone number and their SIM card during transactions.

Use Case: This helps prevent fraudsters from using stolen personal data and social engineering tactics to take over accounts.

“For example, at the time of a financial transaction, a financial institution can check whether the relationship between the customer’s phone number and SIM Card has been recently changed, helping them decide whether to approve the transaction or not.”

What’s Next?

Following the launch of KYC Match and SIM Swap APIs, French MNOs plan to release a third API, Number Verification, which will provide robust authentication for mobile numbers, potentially replacing SMS-based multi-factor authentication (MFA) solutions.

Key Benefits of These APIs

  • Enhanced Security: Protects users from identity theft and account takeover.
  • Operational Efficiency: Saves businesses and developers time and resources.
  • Improved Fraud Detection: Strengthens verification processes without compromising user privacy.

By adopting these APIs, French mobile carriers are setting a global benchmark for digital security and fraud prevention, making online interactions safer and more secure for businesses and consumers alike.

Read more »
Printer Driver Strategy
Artificial Intelligence Cyber Crime Data Theft Printer Printer Driver Strategy

Printer Problems? Don’t Fall for These Dangerous Scams

 


Fixing printer problems is a pain, from paper jams to software bugs. When searching for quick answers, most users rely on search engines or AI solutions to assist them. Unfortunately, this opens the door to scammers targeting unsuspecting people through false ads and other fraudulent sites.

Phony Ads Pretend to be Official Printer Support

When researching online troubleshooting methods for your printer, especially for big-name brands like HP and Canon, you will find many sponsored ads above the search results. Even though they look legitimate, most have been prepared by fraudsters pretending to be official support.

Clicking on these ads can lead users to websites that mimic official brand pages, complete with logos and professional layouts. These sites promise to resolve printer issues but instead, push fake software downloads designed to fail.

How the Driver Scam Works

Printer drivers are a program that allows your computer to connect with your printer. Most modern systems will automatically install these drivers, but some users don’t know how it works and get scammed in the process.

On fraudulent websites, users have to input their printer model in order to download the "necessary" driver. But all the installation processes displayed are fake — pre-recordings typically — and no matter what, the installation fails, leading frustrated users to dial a supposed tech support number for further help.

What are the Risks Involved?

Once the victim contacts the fake support team, scammers usually ask for remote access to the victim's computer to fix the problem. This can lead to:

  • Data theft: Scammers may extract sensitive personal information.
  • Device lockdown: Fraudsters can lock your computer and demand payment for access.
  • Financial loss: They may use your device to log into bank accounts or steal payment details.

These scams not only lead to financial loss but also compromise personal security.

How to Stay Safe

To keep yourself safe, follow these tips:

  1. Do not click on ads when searching for printer help. Instead, look for official websites in the organic search results.
  2. Use reliable security software, such as Malwarebytes Browser Guard, to prevent rogue ads and scam websites.
  3. Look for legitimate support resources, like official support pages, online forums, or tech-savvy friends or family members.

By being vigilant and cautious, you can avoid these scams and troubleshoot your printer issues without getting scammed. Be informed and double-check the legitimacy of support resources.

Read more »
Subscribe to: Posts (Atom)