Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label FBI. Show all posts

FBI Warns Business Executives About Fake Extortion Scam

 



The Federal Bureau of Investigation (FBI) has warned corporate executives about a new scam designed to trick them into paying large sums of money. Criminals are sending threatening letters claiming to have stolen sensitive company data and demanding a ransom. They are falsely using the name of a well-known hacker group to appear more convincing. However, the FBI has found no actual link between the scammers and the group they claim to represent.  


How the Scam Operates  

According to an FBI alert issued on March 6, 2025, the scammers are mailing letters to company executives marked as urgent. These letters state that hackers have broken into their company's systems and taken confidential data. The scammers then demand a payment of anywhere between 250,000 and 500,000 dollars to prevent the data from being exposed online.  

To pressure victims into paying, the letter includes a QR code that directs them to a Bitcoin wallet for the ransom payment. The message also warns that the criminals will not negotiate, adding to the urgency.  

The letter claims to be from a group known for past cyberattacks, but investigators have found no evidence that the real organization is behind these threats. Instead, scammers are using the group's name to make their claims seem more credible and to scare victims into complying.  


Why Executives Are Being Targeted  

Top business leaders often have access to critical company information, making them valuable targets for cybercriminals. Attackers believe that these individuals will feel pressured to act quickly when they receive threats about stolen data. By creating a sense of urgency, the scammers hope their victims will pay the ransom without questioning its legitimacy.  

The FBI has stressed that companies should not assume the threats are real just because they mention a well-known hacking group. Instead, businesses should focus on improving their cybersecurity defenses and educating employees about potential scams.  


How to Protect Against This Scam  

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have shared several important steps businesses can take to safeguard themselves against such scams:  

1. Inform and Educate – Business executives and employees should be aware of this type of scam so they can identify suspicious threats and avoid panic.  

2. Strengthen Security Systems – Companies should ensure that their firewalls, antivirus software, and security protocols are up to date and functioning effectively.  

3. Establish a Response Plan – Organizations should have a clear strategy in place for handling extortion threats. They should not respond or pay the ransom but instead follow proper security procedures.  

4. Report Suspicious Activity – If a business receives one of these extortion letters, it should immediately inform the FBI or report the incident through the Internet Crime Complaint Center (IC3). Reporting such cases helps authorities track cybercriminals and take action against them.  


Why Awareness is Crucial  

This scam highlights the growing trend of cybercriminals using fear to manipulate victims into handing over large amounts of money. While there is no confirmation that the real hacker group mentioned in the letter is involved, this situation serves as a reminder for businesses to stay cautious.  

The best way to prevent falling victim to such scams is through strong security measures, employee awareness, and prompt reporting of suspicious activity. The FBI is closely monitoring the situation and urges companies to take cybersecurity seriously to avoid financial and reputational damage.

FBI Warns of Fake Ransom Demands Sent by Mail to US Executives

 



A new scam is targeting top business leaders in the United States, where criminals are sending letters demanding large ransom payments. Unlike typical ransomware attacks that involve hacking into computer systems, this scheme relies on physical mail. The letters claim that hackers have stolen company data and will leak it unless a ransom of $250,000 to $500,000 is paid. However, cybersecurity experts believe this is a fraud, with no actual hacking involved.  


How the Scam Works  

Investigators from the GuidePoint Research and Intelligence Team (GRIT) discovered that several companies have received these ransom letters through the US Postal Service (USPS). The letters are addressed to high-level executives and claim to be from the BianLian ransomware group, a known cybercriminal organization.  

The message states that the company's confidential information has been stolen and will be exposed unless the demanded payment is made within ten days. To make the threat appear real, the letter includes a Bitcoin wallet address and a QR code that links directly to it. Some letters also provide links to BianLian’s dark web site to add legitimacy to the claim.  

Despite these details, security analysts have found no proof that any actual data theft has occurred. The scam relies on fear and deception, hoping that executives will panic and send money.  


Why Experts Believe the Threat Is Fake  

Cybersecurity specialists have carefully examined multiple cases of this scam and found no signs of hacking or data breaches. The companies targeted in this scheme have not reported any unusual activity or unauthorized access to their systems. This strongly suggests that the criminals behind the letters are only pretending to be the BianLian ransomware group.  

The FBI has confirmed that these letters are part of a fraud campaign and do not represent a real cyberattack. Many of the envelopes are marked as "Time Sensitive" to create urgency, and some even list a return address in Boston, Massachusetts, which appears to be another false detail.  

Since there is no actual ransomware attack, businesses do not need to take technical action like removing malware or restoring stolen files. The main risk comes from executives believing the scam and paying the ransom.  


What to Do If You Receive One of These Letters  

If your company receives a similar ransom demand, take the following precautions:  

1. Check Your Systems for Security Issues – Ensure that company networks are protected and that there are no signs of hacking or data leaks. Keeping cybersecurity measures updated is always important.  

2. Do Not Send Any Money – These threats are fake, and paying the ransom will only encourage further scams.  

3. Report the Scam – Contact law enforcement and inform the nearest FBI field office about the letter. Complaints can also be filed with the Internet Crime Complaint Center (IC3).  

4. Inform Key Personnel – Let executives and employees know about this scam so they can recognize and ignore similar fraud attempts in the future.  

 

This scam is a reminder that cybercriminals do not always rely on advanced hacking techniques. Sometimes, they use old-fashioned methods like physical mail to create fear and manipulate victims into paying. While real ransomware attacks remain a serious concern, this particular scheme is based on false claims.  

Companies should stay informed and take precautions to avoid falling victim to these types of fraud. Being aware of such scams is the best way to protect against them.

U.S. Pauses Offensive Cyberoperations Against Russia Amid Security Concerns

 

Defense Secretary Pete Hegseth has paused offensive cyberoperations against Russia by U.S. Cyber Command, rolling back some efforts to contend with a key adversary even as national security experts call for the U.S. to expand those capabilities. A U.S. official, speaking on condition of anonymity to discuss sensitive operations, on Monday confirmed the pause. 

Hegseth’s decision does not affect cyberoperations conducted by other agencies, including the CIA and the Cybersecurity and Infrastructure Security Agency. But the Trump administration also has rolled back other efforts at the FBI and other agencies related to countering digital and cyber threats. The Pentagon decision, which was first reported by The Record, comes as many national security and cybersecurity experts have urged greater investments in cyber defense and offense, particularly as China and Russia have sought to interfere with the nation’s economy, elections and security. 

Republican lawmakers and national security experts have all called for a greater offensive posture. During his Senate confirmation hearing this year, CIA Director John Ratcliffe said America’s rivals have shown that they believe cyberespionage — retrieving sensitive information and disrupting American business and infrastructure — to be an essential weapon of the modern arsenal. “I want us to have all of the tools necessary to go on offense against our adversaries in the cyber community,” Ratcliffe said. Cyber Command oversees and coordinates the Pentagon’s cybersecurity work and is known as America’s first line of defense in cyberspace. It also plans offensive cyberoperations for potential use against adversaries. 

Hegseth’s directive arrived before Friday’s dustup between President Donald Trump and Ukrainian President Volodymyr Zelenskyy in the Oval Office. It wasn’t clear if the pause was tied to any negotiating tactic by the Trump administration to push Moscow into a peace deal with Ukraine. Trump has vowed to end the war that began when Russia invaded Ukraine three years ago, and on Monday he slammed Zelenskyy for suggesting the end to the conflict was “far away.” 

The White House did not immediately respond to questions about Hegseth's order. Cyber warfare is cheaper than traditional military force, can be carried out covertly and doesn’t carry the same risk of escalation or retaliation, making it an increasingly popular tool for nations that want to contend with the U.S. but lack the traditional economic or military might, according to Snehal Antani, CEO of Horizon3.ai, a San Francisco-based cybersecurity firm founded by former national security officers. Cyberespionage can allow adversaries to steal competitive secrets from American companies, obtain sensitive intelligence or disrupt supply chains or the systems that manage dams, water plants, traffic systems, private companies, governments and hospitals. The internet has created new battlefields, too, as nations like Russia and China use disinformation and propaganda to undermine their opponents. 

Artificial intelligence now makes it easier and cheaper than ever for anyone — be it a foreign nation like Russia, China or North Korea or criminal networks — to step up their cybergame at scale, Antani said. Fixing code, translating disinformation or identifying network vulnerabilities once required a human — now AI can do much of it faster. “We are entering this era of cyber-enabled economic warfare that is at the nation-state level,” Antani said. “We’re in this really challenging era where offense is significantly better than defense, and it’s going to take a while for defense to catch up.” Meanwhile, Attorney General Pam Bondi also has disbanded an FBI task force focused on foreign influence campaigns, like those Russia used to target U.S. elections in the past. And more than a dozen people who worked on election security at the Cybersecurity and Infrastructure Security Agency were put on leave. 

These actions are leaving the U.S. vulnerable despite years of evidence that Russia is committed to continuing and expanding its cyber efforts, according to Liana Keesing, campaigns manager for technology reform at Issue One, a nonprofit that has studied technology’s impact on democracy. “Instead of confronting this threat, the Trump administration has actively taken steps to make it easier for the Kremlin to interfere in our electoral processes,” Keesing said.

FBI Warns: ‘Ghost’ Ransomware Is Spreading— Here’s How to Stay Safe

 


The Federal Bureau of Investigation (FBI) has released an urgent alert about a growing cyber threat known as Ghost ransomware. This group has been attacking various organizations across more than 70 countries, locking victims out of their own systems and demanding payment to restore access. In response, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have advised businesses and individuals to back up their data and strengthen their cybersecurity measures to prevent potential attacks.  


Who Is Behind the Ghost Ransomware?  

The Ghost ransomware group is a team of cybercriminals that use ransomware to encrypt data, making it unusable unless a ransom is paid. Unlike other hacking groups that trick people into clicking on harmful links or sharing personal information (phishing attacks), Ghost takes a different approach. They exploit security flaws in outdated software and hardware to break into systems without needing victims to take any action.  

Cybersecurity experts believe that Ghost operates from China and has used multiple names over time, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. These different names suggest the group has been active for a long time and may have carried out various attacks under different identities.  


How Does Ghost Ransomware Work?  

Since early 2021, Ghost ransomware has been targeting systems with outdated software and firmware. The hackers search for weaknesses in these systems and use publicly available hacking tools to gain access and install ransomware. Once inside, they encrypt important files and demand payment to unlock them.  

The FBI has identified several ransomware files linked to Ghost, including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. These files have been used to lock data in critical industries such as healthcare, education, government services, manufacturing, technology, and small businesses. The impact has been severe, affecting essential services and causing financial losses.  


How to Stay Protected from Ghost Ransomware

The FBI has recommended several security steps to reduce the risk of being attacked:  

1. Create Secure Backups: Keep offline backups of important data so that even if ransomware encrypts your files, you can restore them without paying a ransom. Many organizations that had proper backups were able to recover quickly.  

2. Update Software and Firmware: Hackers often target outdated programs with security flaws. Ensure that your operating system, applications, and firmware are regularly updated with the latest security patches.  

3. Recognize Cyber Threats: While Ghost does not typically use phishing, it is still essential to train employees and individuals to identify suspicious activity and avoid downloading unknown files or clicking on unverified links.  

4. Monitor Network Activity: Keep an eye on unusual behavior in your network, such as unexpected logins, file modifications, or unauthorized access. Detecting an attack early can help prevent major damage.  


Cyber threats like Ghost ransomware continue to evolve, but staying informed and taking these preventive measures can help reduce the risk of falling victim to an attack. The FBI urges everyone to act now and secure their data before it’s too late.


FBI And CISA Issues Warning of Ongoing ‘Ghost’ Ransomware Attack

 

Ghost, a ransomware outfit, has been exploiting software and firmware flaws since January, according to an FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory issued last week.

The outfit, also known as Cring and based in China, focusses on internet-facing services with unpatched vulnerabilities that users might have fixed years ago, according to the agencies. Cybersecurity researchers initially raised concerns about the group in 2021. 

"This indiscriminate targeting of networks containing vulnerabilities has resulted in the compromise of organisations in more than 70 countries, including China," according to the notice issued by the Multi-State Information Sharing and Analysis Centre (MS-ISAC).

The notice lists the following vulnerabilities: Microsoft Exchange servers that are still vulnerable to the ProxyShell attack chain; servers running Adobe's ColdFusion for web applications; and issues in unpatched Fortinet security appliances. 
 
Critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses are among the listed victims since 2021, according to the notice. The goal is financial gain, with ransom demands occasionally amounting to hundreds of thousands of dollars.

“Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks,” the agencies further added. “In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day.” 

The notice claims that the ransomware outfit employs common hacking tools like Cobalt Strike and Mimikatz, and that the malware they deploy frequently has file names like Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe. 

“The impact of Ghost ransomware activity varies widely on a victim-to-victim basis,” the agencies concluded. “Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.” 

Prevention tips 

To combat against Ghost ransomware attacks, network defenders should take the following steps:

  • Create regular, off-site system backups that cannot be encrypted by ransomware. 
  • Patch the operating system, software, and firmware vulnerabilities as quickly as feasible.
  • Focus on the security holes targeted by Ghost ransomware (i.e., CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). 
  • Segment networks to restrict lateral movement from compromised devices. 
  • Implement phishing-resistant multi-factor authentication (MFA) for all privileged accounts and email service accounts.

US Defense Industry Targeted in Infostealer Malware Campaign

 


Several major defence contractors, such as Lockheed Martin, Boeing, and Honeywell, as well as the United States Army, and Navy, and several major defence contractors have been recently revealed to be infected with the Infostealer malware, according to Hudson Rock's recent report. This alarming discovery emphasizes the increasing threats critical national security institutions face due to cybersecurity threats. The report shows that U.S. military agencies have been significantly impacted by these infections. 

The U.S. Army has reported infections among 71 employees, while the U.S. Navy has reported infections among 30 employees, and an additional 551 users have been infected. It has also been reported that the Federal Bureau of Investigation (FBI) has been affected, with 24 employees and 26 users affected. This raises concerns about the possible risk of exposure to sensitive law enforcement and intelligence data, as well. 

Further, the report highlights the extent to which cybersecurity breaches have occurred within the defence contracting industry as a whole. One of the most prominent defence contractors in the country, Lockheed Martin, reported that 55 employees and 96 users had been infected with the virus. Boeing, another major player in the defence industry, reported that 66 employees and 114 users had been infected with the virus. 

Honeywell seems to have the most severe case, as there have been a substantial number of infected employees and 472 infected users. One of the most concerning revelations of the report was the ease at which cybercriminals can steal data. Several illicit cyber marketplaces are offering sensitive data such as login credentials, classified access points, and other sensitive data for purchase for as little as $10, according to an investigation conducted by the FBI.

These findings raise serious national security concerns, as they suggest that adversarial entities could exploit these vulnerabilities and gain unauthorized access to critical defence and intelligence networks that are critical to the nation's security. Infostealer malware is becoming increasingly common in the military and defence sectors, which highlights the urgent need to strengthen cybersecurity measures. This report serves as a stark reminder of how cyber threats are evolving and the need to take proactive measures to safeguard sensitive information from governmental agencies and defence companies. 

Several users affiliated with six major defence contractors are infected with Infostealer malware: Lockheed Martin, BAE Systems, Boeing, Honeywell, L3 Harris, and Leidos. As a result of these companies' efforts, advanced military technology, such as warships, fighter jets, and other critical defence systems, is being developed and manufactured. 

The government's contract with Lockheed Martin will award it $5 billion alone in 2024, which shows that Lockheed Martin is a key player in the defence industry in the United States. Malware infections have exposed corporate credentials in various ways, raising concerns regarding the security of corporate data in general. The firm discovered that 472 third-party corporate credentials were compromised, including those linked to essential enterprise applications such as Cisco, SAP Integrations, and Microsoft systems used by defence contractors. 

Cybercriminals are increasingly targeting supply chain vendors as businesses, government agencies, and organizations become more interconnected as a result of cybercrime. In light of this growing vulnerability, it is clear that an adversary could have access to stolen credentials to breach the supply chain of a defence contractor if they intended to do so. Honeywell's infrastructure was one of the most vulnerable places in the world, which revealed significant security vulnerabilities. According to researchers, Honeywell's internal systems, including the company's intranet, Active Directory Federation Services login, and Identity and Access Management system, had been compromised for several reasons. 

Honeywell employees and employees connected to the company were identified as infected three times over the past decade. An especially concerning case occurred when a single compromised employee was found to have 56 corporate credentials to Honeywell's internal systems, as well as 45 additional credentials from third parties. 

In light of this level of access, unauthorized access to sensitive systems can be scaled up, highlighting the need for strengthened cybersecurity measures, which have become increasingly important in the defence sector due to the growing number of cyber threats. The threat of exploitation of sensitive military and corporate data becomes more sophisticated as time passes, so users must prioritize the protection of these data to prevent further exploitation. 

Having Infostealer malware present within a defence organization raises serious security concerns since each infected employee represents one possible weak point in critical operations within the military and intelligence communities. There is no doubt that these individuals could range from engineers building advanced military artificial intelligence systems to procurement officers who handle classified contracts to defence analysts who have access to mission-critical data. 

As a result of compromised credentials, not only can their login information be exposed, but their entire digital footprint can also be compromised. Several factors could have contributed to further security breaches, such as browsing history, autofill data, internal documents, and session cookies that allow users access to sensitive applications. According to cybersecurity experts, such thefts of data pose a serious national security threat, and they warn against them. 

It is believed by Thomas Richards, a principal consultant at Black Duck, that adversaries could exploit the stolen credentials to gain unauthorized access to highly secure networks so that they could move laterally within the system and compromise additional personnel and infrastructure, allowing them to reach further into the network. If such a breach occurs, affected users should reset their passwords immediately. A comprehensive forensic investigation should be conducted to assess the extent of the compromise and determine whether unauthorized access to classified information has occurred. 

Information stealer computers can be infected by a wide range of sources, making them an extremely persistent and widespread threat to the computer community. A phishing attack, a drive-by download from a compromised website, and even applications that look legitimate, such as an unsuspicious meeting program, are the most frequent sources of these infections. Further, there is a growing awareness that cybercriminals are spreading malware via misleading Google Adwords, YouTube video descriptions, and even pirated software in addition to malicious Google Adwords. According to a recent study, millions of computers have been infected with infostealer malware, emphasizing the urgent need to enhance security measures across critical industries. 

A spokesperson for Hudson Rock, Alon Gal, says that Infostealer malware has infected employees at major U.S. defence contractors as well as the U.S. Army and Navy, as well as government agencies like the FBI and GAO. The threat of cybercriminals targeting individual computers for as little as $10 poses a serious threat to investigative and cybersecurity personnel, and they can be found online for as little as $10. By downloading modified game content, pirated software, or infected documents, employees inadvertently download malware, which is far more effective than using force to gain entry into networks. 

Infostealer malware exploits human error as opposed to forcing entry into networks. Upon entering the system, this malware extracts sensitive information silently, such as VPN credentials, authentication session cookies, e-mail login information, and access to internal development tools, as well as putting not only individual users at risk but also entire defence networks at risk. As well as identifying infections, cybersecurity experts emphasize the importance of addressing how these threats penetrate in users' system. 

Roger Grimes, a cybersecurity expert at KnowBe4, argues that Infostealers are secondary problems—what matters is their initial access, whether it be social engineering, unpatched software, or outdated firmware. Organizations that fail to address these entry points risk much more than a theft of credentials, which is why proactive cybersecurity defences are essential for national security protection.

FBI Alerts Users of Surge in Gmail AI Phishing Attacks

 

Phishing scams have been around for many years, but they are now more sophisticated than ever due to the introduction of artificial intelligence (AI). 

As reported in the Hoxhunt Phishing Trends Report, AI-based phishing attacks have increased dramatically since the beginning of 2022, with a whopping 49% increase in total phishing attempts. These attacks are not only more common, but also more sophisticated, making it challenging for common email filters to detect them. 

Attackers are increasingly using AI to create incredibly convincing phoney websites and email messages that deceive users into disclosing sensitive data. What makes Gmail such an ideal target is its interaction with Google services, which keep massive quantities of personal information. 

Once a Gmail account has been compromised, attackers have access to a wealth of information, making it a tempting target. While users of other email platforms are also vulnerable, Gmail remains the primary target because of its enormous popularity. 

Phishing has never been easier 

The ease with which fraudsters can now carry out phishing attacks was highlighted by Adrianus Warmenhoven, a cybersecurity specialist at Nord Security. According to Warmenhoven, "Phishing is easier than assembling flat-pack furniture," and numerous customers fall for phishing attempts in less than 60 seconds. 

Hackers no longer require coding knowledge to generate convincing replicas of genuine websites due to the widespread availability of AI tools. With only a few clicks, these tools can replicate a website, increasing the frequency and potency of phishing attacks. 

The fact that these attacks are AI-powered has made it easier for cybercriminals to get started, according to Forbes. Convincing emails and websites that steal private information from unwary victims can be simply created by someone with little technological expertise. 

Here's how to stay safe 

  • Employ a password manager: By automatically entering your login information on trustworthy websites, a password manager keeps you from entering it on phishing websites. Before auto-filling private data, verify that your password manager requires URL matching. 
  • Monitor your accounts regularly: Keep an eye out for signs of unauthorised activity on your accounts. Take quick action to safeguard your data if you see anything fishy. 
  • Turn on two-factor authentication: Make sure your Google account is always turned on for two-factor authentication (2FA). Even if hackers are able to get your password, this additional security makes it far more challenging for them to access your account. 
  • Verify requests for private details: Whether via phone calls, texts, or emails, Gmail users should never reply to unsolicited demands for personal information. Always check the request by going directly to your Google account page if you are unsure.

FBI Warning: Avoid Installing Malicious Apps to Safeguard Your Financial Data

 

FBI Warns Smartphone Users About Malicious Apps

Smartphone users are being urged to exercise caution when downloading apps as some may be designed to steal personal data and send it to fraudsters, leading to potential scams. This alert applies to both Android and iPhone users. Malicious apps often disguise themselves as legitimate but, once installed, request permissions that grant access to sensitive information, making users vulnerable to cybercrimes.

On January 18, the FBI issued a public warning, highlighting that these apps have already compromised numerous bank accounts. Despite ongoing efforts by Google and Apple to strengthen app regulations, scammers continue to exploit vulnerabilities. The FBI has labeled this threat as the "Phantom Hacker," underscoring the sophisticated techniques fraudsters use to infiltrate devices through deceptive applications.

Once malicious apps gain access to customer data, scammers often pose as bank officials, warning users of a fake security breach on their accounts. In the panic that follows, users may be coerced into transferring funds to a so-called "secure" account, falling prey to the scam. Additionally, fraudsters sometimes impersonate technical support representatives, tricking users into revealing even more personal information.

To protect yourself, always verify the authenticity of an app before downloading it. Research the developer thoroughly, read customer reviews, and scrutinize app ratings. For banking and financial apps, ensure you download only from official sources, such as scanning the QR code provided on your financial institution's website. Scammers frequently submit counterfeit apps to the Google Play Store and Apple App Store, which unsuspecting users might download, unknowingly exposing private data to hackers.

Cybersecurity experts emphasize the importance of vigilance when interacting with unfamiliar apps or unsolicited communications. Being aware of potential risks and taking proactive steps can help smartphone users avoid falling victim to these increasingly sophisticated scams.

FBI Hacks 4,200 Computers to Remove PlugX Malware Linked to Chinese Hackers

 

The FBI has successfully hacked and removed PlugX malware from approximately 4,200 computers across the US in a large-scale cybersecurity operation. The malware, allegedly deployed by the China-based hacking group known as “Mustang Panda” or “Twill Typhoon,” has been used since at least 2012 to steal sensitive information from victims in the US, Asia, and Europe. 

The Department of Justice announced the takedown on Tuesday, highlighting the collaborative efforts with French law enforcement to mitigate the cyber threat and prevent further damage. PlugX malware, which infects Windows computers via USB ports, allows hackers to gain unauthorized access and remotely execute commands on compromised systems. The malware operates stealthily in the background, enabling cybercriminals to exfiltrate data, monitor activity, and take control of infected machines. 

According to the FBI, compromised computers establish a connection with a command-and-control server operated by the attackers, with the malware’s IP address embedded directly into the code. Since September 2023, at least 45,000 US-based IP addresses have communicated with the server, indicating the widespread reach of the cyberattack. To eliminate the malware, the FBI leveraged the same exploit used by the attackers. After gaining access to the command-and-control infrastructure, agents retrieved the IP addresses of affected devices and issued a native command that instructed PlugX to delete itself from compromised systems. 

This command removed all files created by the malware, stopped its operation, and ensured its permanent deletion from the infected machines. The successful execution of this operation marks a significant step in neutralizing the ongoing cyber threat posed by Mustang Panda. This coordinated effort was not the first time the FBI has intervened remotely to remove malicious software from infected systems. 

In 2023, the agency dismantled a network of Quakbot-infected computers by deploying an uninstallation tool to affected devices, effectively neutralizing the botnet. Similarly, in 2021, the FBI took proactive measures to counter the Hafnium hack, which targeted Microsoft Exchange servers, by remotely patching vulnerabilities and securing affected systems. These operations demonstrate the FBI’s evolving approach to addressing cyber threats through direct intervention and international cooperation. 

Despite these successful operations, cybersecurity experts warn that PlugX and similar malware strains continue to pose a significant risk, especially given their ability to spread through USB devices. Organizations and individuals are advised to remain vigilant by implementing strong cybersecurity practices such as regularly updating software, disabling USB autorun features, and using endpoint protection tools to detect and prevent unauthorized access. 

The FBI’s decisive action highlights the persistent threat posed by state-sponsored hacking groups and underscores the importance of international collaboration in combating cybercrime. Moving forward, law enforcement agencies are expected to adopt more aggressive measures to counter cyber threats and protect sensitive information from being exploited by malicious actors.

T-Mobile Thwarts Cyberattack Amid Growing Telecom Threats

 

Between September and November, T-Mobile successfully defended against a cyberattack attributed to the Chinese state-sponsored group Salt Typhoon. Unlike previous incidents, this time, no data was compromised. However, the attack highlights growing cybersecurity vulnerabilities in the U.S. telecom sector. 

The Federal Bureau of Investigation (FBI) has identified nine telecom carriers targeted by cyberattacks, with Verizon, AT&T, and Lumen among the known victims. The identity of the ninth carrier remains undisclosed. Hackers reportedly accessed SMS metadata and communication patterns from millions of Americans, including high-profile figures such as presidential candidates and government officials. 

While China denies any involvement in the cyberattacks, its alleged role in the breach underscores the persistent threat of state-sponsored cyber espionage. Though the attackers did not obtain classified information, they managed to collect substantial data for analyzing communication patterns, fueling concerns over national security. 

In response, the Federal Communications Commission (FCC) is weighing penalties for carriers that fail to secure their networks. The agency is also considering a ban on China Telecom operations within the United States. Additionally, the U.S. government has advised citizens to use encrypted telecom services to bolster their privacy and security. 

Senator Ben Ray Luján called the Salt Typhoon incident one of the most significant cyberattacks on the U.S. telecom industry. He stressed the urgent need to address vulnerabilities within national infrastructure to prevent future breaches. 

Anne Neuberger, Deputy National Security Advisor, highlighted the inadequacy of voluntary cybersecurity measures. The FCC is now working on a proposed rule requiring telecom companies to submit annual cybersecurity reports, with penalties for non-compliance. The rule aims to make it harder for hackers to exploit weak networks by encouraging stronger protections.  

Neuberger also emphasized the importance of network segmentation to limit the damage from potential breaches. By isolating sections of a network, companies can contain attackers and reduce the scope of compromised data. She cited a troubling example where a single administrative account controlling 100,000 routers was breached, granting attackers widespread access. 

The FCC’s proposed rule is expected to be voted on by January 15. If passed, it could mandate fundamental security practices to protect critical infrastructure from cyberattacks by adversarial nations. 

The telecom industry’s repeated exposure to breaches highlights the necessity of robust security frameworks and accountability measures. As hackers evolve their tactics, stronger regulations and proactive measures are essential to safeguarding sensitive data and national security. By adopting stricter cybersecurity practices, telecom companies can mitigate risks and enhance their resilience against state-sponsored threats.

CISA's Enhanced Mobile Security Recommendations Following U.S. Telecom Breach

 



The Cybersecurity and Infrastructure Security Agency (CISA) issued updated recommendations in December 2024 aimed at enhancing mobile phone cybersecurity. Following a significant hack involving major U.S. telecom companies like AT&T, Verizon, and Lumen Technologies, these guidelines focus on adopting more secure multifactor authentication (MFA) methods. 
  
Understanding MFA and Its Vulnerabilities 
 
Multifactor authentication (MFA) is a popular cybersecurity measure requiring users to provide additional verification beyond a password. Common practices include:
  • Text Message Verification: Receiving a one-time code via SMS.
  • Device-Based Approvals: Confirming login attempts on associated devices.
However, CISA has raised concerns about the vulnerability of certain MFA techniques, particularly text-based verification. Text message-based MFA, while convenient, is susceptible to interception by hackers. 

The breach highlighted flaws in text messaging systems, particularly when messages were sent between incompatible platforms like Android and iPhone. Malicious actors exploited these weaknesses to intercept authentication codes and gain unauthorized access to user accounts. While CISA continues to advocate for MFA, it strongly urges users to shift away from text-based methods. 

  
Recommendations for Safer Alternatives 

 
CISA recommends adopting authenticator apps as a more secure MFA option. These apps generate time-sensitive codes that operate independently of messaging systems, making them less prone to interception. However, they remain vulnerable to phishing attacks, where users may be tricked into revealing sensitive information. 

For users seeking the most secure MFA solution, CISA suggests transitioning to phishing-resistant methods like the FIDO (Fast Identity Online) protocol. Developed by the FIDO Alliance, this technology eliminates traditional passwords and uses:
  • Digital Passkeys: Unique codes linked to user accounts.
  • Physical USB Devices: Hardware keys that connect to computers.
The FIDO protocol also supports PINs and biometric identifiers like fingerprints and facial recognition, providing a robust defense against phishing attempts. 

CISA’s latest recommendations highlight the growing need for stronger cybersecurity measures. By moving away from text-based MFA and adopting secure alternatives like authenticator apps and the FIDO protocol, users can better protect their personal information and maintain digital security in an increasingly interconnected world.

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


How to Protect Yourself from Email Scams: FBI’s Top Tips for Staying Safe

 



While phishing scams are on the rise over the holiday period, the FBI has reminded Gmail, Outlook, Apple Mail, and other services users to be more alert. More phishing schemes are becoming common as criminals use the festive season rush as an opportunity to target more people. Here is how the FBI has warned its citizens against phishing attacks:.

It has generally entailed scamming emails that request the stealing of personal information or even money. Scammers try to deceive a victim with deals they will promise; discounted products, gift cards, or exclusive offers, amongst others. These appear quite legitimate, mimicking familiar brands with realistic logos and designs. With AI tools, it is now more possible for cybercriminals to generate messages that are shiny and polished yet professional-looking, targeting the most vigilant users in their deception.

Three Things to Check in Every Email

To counter these scams, the FBI points out three important checks:  

1. Check the Sender's Email Address: Look closely at the sender's email address. Scammers often use addresses that mimic real ones but with minor changes, like replacing a letter or adding extra characters.

2. Inspect Links Before Clicking: Hover over any link in the email to see where it leads. If the URL looks suspicious or doesn’t match the claimed source, avoid clicking it.  

3. Look for Errors: Scammers sometimes make spelling or grammatical mistakes in emails and URLs. These errors can signal that an email is fake.  

Additional Safety Tips  

The FBI also advises:

  • Avoid disclosing passwords and any form of financial information to any email. No business firm will ask for this type of information through email. 
  • Don't open attachments or click on links coming from unknown senders.  
  • Set up two-factor authentication (2FA) on your accounts for extra protection.
  • Share as little personal information on social media as possible, to make it harder for fraudsters to guess your passwords.

AI In the Wake Of Scams

The more advanced AI technology makes the scammers create the most realistic phishing schemes. This way, they can use artificial intelligence to design fake emails, replicate the look of an official email, or extract confidential information from documents or images. All this puts a bigger burden on users when trying to spot scams.

What Can You Do?

Tech companies, such as Google, have been increasing their efforts to secure users. For example, the majority of phishing attempts in Gmail are blocked, and the service provides direction to help users identify scams. Google instructs users to slow down before acting on an email by verifying its claims independently and reporting anything suspicious.

This has proven true for phishing attacks, and growing sophistication is only outpaced by awareness. Take some time and understand emails before rushing to execute a 

response to urgent messages. As a result, your sensitive information is safe and can therefore have a secure online experience. 




Salt Typhoon Hack: A Grave Threat to U.S. Telecommunications

 


The Chinese state-sponsored hacking group Salt Typhoon has been implicated in one of the most severe breaches in U.S. telecommunications history. Sensitive information, including call logs, timestamps, phone numbers, and location data, was compromised across the networks of at least eight major telecom carriers, including AT&T and Verizon. Despite the scale of the intrusion, many affected consumers remain uninformed about the breach.

Scope and Impact of the Breach

According to reports, Salt Typhoon’s hacking campaign has targeted high-value intelligence figures, including presidential candidates Donald Trump and Kamala Harris, as well as Senator Chuck Schumer's office. The FBI estimates that millions of users’ metadata, particularly in the Washington, D.C., area, were accessed. Yet, most affected individuals have not been notified, raising serious privacy concerns.

AT&T and Verizon, the most severely impacted companies, have faced backlash for their limited response to the breach. Privacy groups have criticized the telecom giants for failing to comply with the Federal Communications Commission (FCC) mandate requiring companies to inform customers of breaches that could cause significant harm, such as identity theft or financial loss.

Telecom Industry’s Response

While high-value targets were promptly alerted, the majority of users whose data was compromised were not informed. In an interview with NBC, Alan Butler, executive director of the Electronic Privacy Information Center, condemned the carriers’ "deficient practices." He emphasized the need for transparency, urging companies to notify all affected customers, regardless of whether their metadata or the actual content of their communications was accessed.

Charter Communications, a midsize internet service provider, has taken a relatively open approach, acknowledging infiltration by Salt Typhoon. According to Chief Security Officer Jeff Simon, access by the hackers has since been cut off, and no customer information was reportedly accessed. In contrast, other companies like Lumen, another internet service provider, have downplayed or refused to disclose the extent of the breach.

Ongoing Threats and Legislative Action

Cybersecurity experts warn that Salt Typhoon continues to target U.S. telecom networks and IT infrastructure. Government agencies are closely monitoring the situation to mitigate further risks. Lawmakers are now considering stricter cybersecurity regulations to compel telecom companies to adopt robust practices and provide detailed breach notifications to consumers.

However, some companies targeted by Salt Typhoon claim the hackers did not gain substantial information. For example, Lumen stated that federal partners found no evidence of ongoing activity in its networks.

Consumer Awareness and Future Outlook

While telecom companies have yet to adequately address these breaches, consumers must stay informed about security risks by following news updates on data breaches. Public pressure is likely to drive industry-wide changes, prompting carriers like AT&T and Verizon to adopt comprehensive notification systems for all affected users.

The Salt Typhoon breach serves as a wake-up call for the telecommunications industry to prioritize data security. Enhanced transparency, stricter cybersecurity regulations, and informed decision-making will be crucial to safeguarding sensitive information in an increasingly digital world.

FBI Warns of Security Risks in RCS Messaging

 

The FBI has issued a warning to Apple and Android device users regarding potential vulnerabilities in Rich Communication Services (RCS). While RCS was designed to replace traditional SMS with enhanced features, a critical security flaw has made it a risky option for messaging. Currently, RCS messages exchanged between Apple and Android devices lack end-to-end encryption, exposing users to potential cyber threats.

Why RCS Messaging is Problematic

Apple introduced RCS support to its iMessage app with iOS 18 to facilitate seamless communication between iPhone and Android users. However, unlike secure messaging apps like Signal or WhatsApp, RCS lacks end-to-end encryption for messages exchanged across these platforms. This absence of encryption leaves sensitive information vulnerable to interception by unauthorized individuals, including hackers and rogue actors.

The FBI’s warning follows a significant breach known as the Salt Typhoon attack, which targeted major U.S. telecommunications carriers. This breach highlighted the vulnerabilities in unencrypted messaging systems. In response, both the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have recommended using secure messaging platforms to mitigate such risks.

The GSMA, which oversees RCS technology, is actively working to implement end-to-end encryption for RCS messages. While progress has been made through industry collaboration, no specific timeline has been provided for the rollout of these crucial security updates.

Secure Alternatives for Messaging

Until RCS achieves full encryption, users are advised to switch to secure messaging apps that offer robust end-to-end encryption. Popular options include:

  • WhatsApp: Provides end-to-end encryption for text, voice, and video communications.
  • Signal: Known for its focus on privacy and strong encryption standards.
  • Telegram: Offers encrypted messaging with additional privacy features like Secret Chats.

In related news, Apple users are urged to update their devices to iOS 18.2 to address a critical vulnerability in the Apple Password app. This flaw could potentially expose sensitive user information, making the update essential for enhanced security.

While the integration of RCS messaging aims to enhance cross-platform communication, the current lack of encryption poses significant risks. As the industry works toward resolving these vulnerabilities, users are encouraged to rely on secure messaging apps and keep their devices updated with the latest security patches. Taking proactive steps and making informed decisions remain vital for ensuring safety in the digital landscape.

FTC Stops Data Brokers from Unlawful User Location Tracking

FTC Stops Data Brokers from Unlawful User Location Tracking


Data Brokers Accused of Illegal User Tracking

The US Federal Trade Commission (FTC) has filed actions against two US-based data brokers for allegedly engaging in illegal tracking of users' location data. The data was reportedly used to trace individuals in sensitive locations such as hospitals, churches, military bases, and other protected areas. It was then sold for purposes including advertising, political campaigns, immigration enforcement, and government use.

Mobilewalla's Allegations

The Georgia-based data broker, Mobilewalla, has been accused of tracking residents of domestic abuse shelters and protestors during the George Floyd demonstrations in 2020. According to the FTC, Mobilewalla allegedly attempted to identify protestors’ racial identities by tracing their smartphones. The company’s actions raise serious privacy and ethical concerns.

Gravy Analytics and Venntel's Accusations

The FTC also suspects Gravy Analytics and its subsidiary Venntel of misusing customer location data without consent. Reports indicate they used this data to “unfairly infer health decisions and religious beliefs,” as highlighted by TechCrunch. These actions have drawn criticism for their potential to exploit sensitive personal information.

Unlawful Data Collection Practices

The FTC revealed that Gravy Analytics collected over 17 billion location signals from more than 1 billion smartphones daily. The data was allegedly sold to federal law enforcement agencies such as the Drug Enforcement Agency (DEA), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI).

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk. This is the FTC’s fourth action this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”

FTC's Settlements

As part of two settlements announced by the FTC, Mobilewalla and Gravy Analytics will cease collecting sensitive location data from customers. They are also required to delete the historical data they have amassed about millions of Americans over time.

The settlements mandate that the companies establish a sensitive location data program to identify and restrict tracking and disclosing customer information from specific locations. These protected areas include religious organizations, medical facilities, schools, and other sensitive sites.

Additionally, the FTC’s order requires the companies to maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of data that reveals their precise location or mobile device information.

Woman Charged in Electric Ireland Customer Information Breach

An Irish national utility service provider, Electric Ireland, is investigating a significant data breach involving customer information. This breach, first reported last year, has led to arrests and an ongoing investigation by the Garda National Cyber Crime Bureau (GNCCB) and the Garda National Economic Crime Bureau (GNECB). The incident has raised concerns about the misuse of personal and financial data and potential risks for affected customers.

Details of the Data Breach

Electric Ireland disclosed that an employee of a company working on its behalf may have inappropriately accessed data from approximately 8,000 residential customer accounts. The compromised information includes personal and financial details, potentially exposing customers to fraud. While the company has not released the names of affected customers, it is actively identifying and contacting individuals who may be at risk. The breach has left many customers concerned about identity theft and financial security.

Electric Ireland has apologized for the breach and is providing guidance to impacted customers. Those not contacted by the company are advised to remain cautious and avoid taking immediate action until they receive official communication. In addition, Electric Ireland has encouraged customers to report any fraudulent activity related to their accounts and to consult their banks for potential security measures.

Investigative Efforts by Authorities

The Garda National Cyber Crime Bureau and GNECB are at the forefront of the investigation. The GNCCB specializes in analyzing digital evidence and has collaborated with international agencies like Europol, Interpol, and the FBI in similar cases. During the probe, investigators discovered evidence on the phone of a Nigerian national allegedly linked to the breach. Further scrutiny led to a focus on his girlfriend and her associates, indicating a wider network of individuals potentially involved in the unauthorized access of data.

The GNECB, which handles financial crime cases, is assessing the fraud's extent and coordinating with Electric Ireland to mitigate the impact on customers. Despite limited details from the authorities, the case highlights the growing challenges of safeguarding sensitive data in an increasingly digital landscape.

Company Response and Customer Guidance

In addition to addressing the data breach, Electric Ireland is dealing with separate issues of overcharging due to incorrect tariff rates and smart meter data errors. The company has issued apologies for these errors and is offering credit notes to affected customers. Regulatory authorities are reviewing the matter to ensure compliance and prevent similar occurrences in the future.

Electric Ireland remains committed to transparency and is collaborating with Garda Síochána to resolve the breach. Customers are urged to stay vigilant, monitor their financial accounts, and report any suspicious activities to the company and their banks.

US Telecoms Warned of Chinese Cyber Espionage Threat

 


The White House recently brought together U.S. telecommunications executives to discuss a cyberespionage campaign attributed to Chinese-backed hackers. The attacks have been described by experts as the "worst telecom hack in U.S. history," compromising major telecom providers and targeting national security intelligence.

According to reports, the FBI said several breaches had occurred at telecommunications companies where attackers made off with sensitive data including call records and communications that the hackers could access due to government-mandated backdoors. The intrusion, according to reports, was done by a group code-named Salt Typhoon that has connections to China's Ministry of State Security. It is said to have engaged in espionage activities against officials from U.S. presidential campaigns.

The key telecom providers like AT&T, Verizon, and Lumen have been listed as victims of this cyberattack. Recently, T-Mobile has also revealed that its networks have been breached, though it claimed no customer data was compromised. The hackers did not only target U.S. companies but also stretched their reach to allied nations whose identities remain undisclosed.

Senator Mark Warner, chair of the Senate Intelligence Committee, called these attacks some of the most serious he's seen. He reported that the FBI had informed fewer than 150 people - mostly in Washington - whose communications were compromised. Some telecom companies are still working to get the attackers out of their networks, showing just how persistent these intrusions are. 


Techniques and Long-Term Goals

Salt Typhoon uses advanced tactics to infiltrate systems and maintain long-term access. They include vulnerability exploitation in common devices like Cisco routers and Microsoft Exchange servers. Researchers also found that this group uses legitimate tools to carry out their malicious activities, hence making it challenging to be detected.

Since at least 2020, this group has targeted not only the U.S. but also nations such as Brazil, India, and Taiwan. Their primary focus remains on gathering intelligence from telecommunications networks, government systems, and military organizations.

To mitigate such attacks, the FBI and CISA have been offering technical support to victims. U.S. Cyber Command has amplified operations aimed at disrupting the ability of Chinese cyber actors globally and, consequently, reducing the incidence and impact of such attacks.

This has also raised fears about broader objectives, including possible disruption of Western infrastructure in case tensions over Taiwan or any other issue are to rise further. According to FBI Director Christopher Wray, "China's hacking capabilities are larger than those of any other nation and present a significant challenge to our nation's cybersecurity defenses.".

In response to the growing threats, the Senate has scheduled a classified briefing in December to discuss further measures. The meeting underlines the urgent need to strengthen cybersecurity across critical sectors.


Hackers Are Sending Fake Police Data Requests To Tech Giants To Steal People's Private Data

 

The FBI has issued a warning that hackers are collecting sensitive user information, such as emails and contact details, from US-based tech firms by hacking government and police email addresses in order to file "emergency" data requests. 

The FBI's public notice filed last week is an unusual admission by the federal government regarding the threat posed by phoney emergency data requests, a legal process designed to assist police and federal authorities in obtaining information from firms in order to respond to immediate threats to people's safety or properties.

The misuse of emergency data requests is not new, and it has drawn significant attention in recent years. The FBI now warns that it noticed an "uptick" in criminal posts online advertising access to or carrying out false emergency data requests around August and is going public to raise awareness.

“Cyber-criminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies, exposing the personal information of customers to further use for criminal purposes,” reads the FBI’s advisory. 

Police and law enforcement in the United States often require some form of legal basis to seek and acquire access to private data stored on company laptops. Typically, police must provide sufficient proof of a potential crime before a U.S. court will grant a search warrant authorising them to collect that information from a private corporation. 

Police can issue subpoenas, which do not require a court appearance, requesting that businesses access restricted amounts of information about a user, such as their username, account logins, email addresses, phone numbers, and, in some cases, approximate location. 

There are also emergency requests, which allow police enforcement to gather a person's information from a firm in the event of an immediate threat and there is insufficient time to secure a court order. Federal authorities claim that some cybercriminals abuse these emergency requests.

The FBI stated in its advisory that it had spotted many public posts from known hackers in 2023 and 2024 claiming access to email accounts used by US law enforcement and several foreign governments. According to the FBI, this access was later used to issue fake subpoenas and other legal demands to corporations in the United States in search of private user data kept on their systems. 

The cybercriminals were able to pass for law enforcement by sending emails to businesses asking for user data using hacked police accounts. False threats, such as allegations of human trafficking and, in one instance, the warning that a person would "suffer greatly or die" until the company in issue returned the requested information, were mentioned in some of the requests.

The FBI claimed that because the hackers had gained access to law enforcement accounts, they were able to create subpoenas that appeared authentic and forced companies to divulge user data, including phone numbers, emails, and usernames. However, the FBI noted that not all fraudulent attempts to submit emergency data demands were successful.

FBI Cautioned Gmail Users Regarding Cookie Theft

 

The FBI has warned users of popular email providers such as Gmail, Outlook, Yahoo, and AOL regarding a surge in online criminal activity that compromises email accounts, including those secured by multifactor authentication (MFA). 

Online criminals lure people into visiting suspicious websites or clicking on phishing links, which then download malicious applications onto their computers. One of the most common tactics they employ to gain access to email accounts is cookie theft. 

These session or security cookies, often known as "remember me" cookies, store login information to make it easier to access frequently visited websites and accounts. Cookie theft enables attackers to access users' accounts without requiring their username, password, or MFA. The FBI claims that this strategy works especially well when a user selects the "Remember this device" checkbox during login.

“This problem affects all email platforms with web logins, although Gmail, Outlook, Yahoo, and AOL are the largest targets,” notes cybersecurity expert Zak Doffman. “It also impacts other types of accounts such as shopping sites and financial platforms.” Google has been warning users about cookie theft and developing new ways to prevent it. However, the threat remains significant, as fraudsters develop new techniques. 

FBI warn users

The FBI advises users to take the following precautions to secure their accounts: 

  • Clear your internet browser's cookies on a regular basis. 
  • When logging into websites, avoid choosing the "Remember Me" checkbox.
  • Do not access unsecured websites or click on dubious links.
  • Check your account settings for recent device login history on a regular basis.

Despite the flaws identified in their warning, the FBI emphasises that MFA remains one of the best actions users can take to secure their accounts. Google agrees, describing security cookies as "fundamental to the modern web" because of their utility, but conceding that they are a tempting target for hackers. 

Organisations should also implement MFA on all platforms. Amazon just executed MFA to its workplace email service, WorkMail. Though it took a long time to implement, it is a positive step towards better safety. Finally, any type of multi-factor authentication is preferable to simply typing a password. 

Users should take all necessary precautions to safeguard their accounts by combining the newest security tools with sound security practices. Report cybercrime to the FBI's Internet Crime Complaint Centre (IC3) if you believe you have been a victim. The official FBI website has more thorough advice on how to safeguard your online safety.