The U.S. Justice Department announced on Thursday the successful seizure and dismantling of Rydox, a notorious online marketplace for trafficking stolen personal information and cybercrime tools. In a coordinated operation with international law enforcement agencies, three individuals allegedly responsible for administering the site were arrested.
Since its inception in 2016, Rydox has been linked to over 7,600 illicit sales, generating significant profits by selling sensitive data such as credit card details, login credentials, and personally identifiable information (PII). Authorities reported that the platform offered 321,372 cybercrime products to a user base of more than 18,000 registered buyers, earning over $230,000 in revenue.
This operation involved multiple law enforcement agencies, including:
Authorities apprehended two Kosovo nationals, Ardit Kutleshi (26) and Jetmir Kutleshi (28), in Kosovo. Both suspects will be extradited to the Western District of Pennsylvania to face charges including identity theft and money laundering. A third individual, Shpend Sokoli, was arrested in Albania and will face prosecution in his home country.
As part of the operation, law enforcement seized the domain Rydox.cc and its associated servers located in Kuala Lumpur, Malaysia. Additionally, U.S. authorities confiscated approximately $225,000 in cryptocurrency linked to the defendants, effectively dismantling the infrastructure supporting Rydox’s operations.
Eric Olshan, U.S. Attorney for the Western District of Pennsylvania, emphasized the importance of international collaboration in tackling cybercrime networks. “The harms can be devastatingly local,” Olshan stated, underlining how these crimes, though orchestrated globally, impact individuals and communities directly. He reiterated the Justice Department’s commitment to holding cybercriminals accountable.
Rydox has long symbolized the darker side of digital innovation, where stolen data is exploited for illicit profit. By providing a marketplace for cybercrime tools and sensitive information, it enabled thousands of buyers to commit fraudulent activities that affected both individuals and organizations.
The successful takedown of Rydox marks a significant victory in the fight against global cybercrime. It highlights the importance of multinational efforts in addressing online criminal networks. However, it also serves as a reminder of the persistent threats posed by similar platforms.
The arrests and dismantling of Rydox send a strong message to cybercriminals: no one is beyond the reach of international law enforcement agencies. This operation underscores the commitment of global authorities to combat cybercrime and protect victims from its devastating consequences.
According to a report issued by the United Nations Office for Drugs and Crime, dated October 7, criminal networks across Southeast Asia are increasingly turning to the messaging platform Telegram for conducting comprehensive illegal activities. It says Telegram, due to big channels and seemingly insufficient moderation, becomes the attraction of the underworld for organised crime and its resultant transformation in the ways of operating global illicit operations.
An Open Market for Stolen Data and Cybercrime Tools
The UNODC report clearly illustrates how Telegram has become a trading platform for hacked personal data, including credit card numbers, passwords, and browser histories. Cybercriminals publicly trade on the large channels of Telegram with very little interference. In addition, it has various software and tools designed to conduct cybercrime such as fraud using deepfake technology and malware used for copying and collecting users' data. Moreover, money laundering services are provided in unauthorised cryptocurrency exchanges through Telegram.
An example was an ad to be placed on Telegram stating that it was moving USDT cryptocurrency, stolen and with $3 million daily transactions, to cash in on criminal organisations involved in transnational organised crime in Southeast Asia. According to reports, these dark markets are growing increasingly omnipresent on Telegram through which vendors aggressively look to reach criminal organisations in the region.
Southeast Asia: A hub of fraud and exploitation
According to the UNODC reports, this region in Southeast Asia has become an important base for international fraudulent operations. Most criminal activities within the region relate to Chinese syndicates located within heavily fortified locations and use trafficked individuals forced into labour. It is estimated that the industry generates between $27.4 billion and $36.5 billion annually.
The move comes as scrutiny of Telegram and its billionaire founder, Russian-born Pavel Durov, is intensifying. Durov is facing legal fallout in France after he was charged with abetting crime on the platform by allowing the distribution of illegal content after he tightened his regulations in France. The case has sparked debates on the liability of tech companies for the crimes happening on their platform, and the line between free speech and legal accountability.
It responded to the increasing pressure by promising cooperation with legal authorities. The head of Telegram, Durov, stated that Telegram will share the IP addresses and phone numbers of users whenever a legal request for them is required. He further promised to cancel some features on the platform that have been widely misused for illicit activities. Currently, more than a billion people worldwide are using Telegram, and it has so far not reacted publicly to the latest report from the UNODC.
A Perfect Fertile Ground for Cybercrime
For example, as personal data becomes more and more exposed to fraudulent exploitation and fraud schemes through Telegram, for instance, the Deputy Representative for Southeast Asia and the Pacific at UNODC highlighted the perils of the consumer getting to see. In this respect, Benedikt Hofmann, free access and anonymity developed an ideal setting for criminals towards the people's data and safety.
Innovation in Criminal Networks
The growth in Southeast Asia's organised crime to higher levels may indicate criminals will be armed with new, more varying technologies-most importantly malware, generative AI tools, and deepfakes-to commit sophisticated cyber-enabled fraud. In relation to innovation and adaptability, investigation by UNODC revealed over 10 specialised service providers in the region offering deep fakes technology for use in cybercrime cases.
Expanding Investigations Across Asia
Another area of concern discussed in the UNODC report is the increasing investigation by law enforcement agencies in other parts of Asia. For example, South Korean authorities are screening Telegram for its role in the commission of cybercrimes that include deepfake pornography. Meanwhile, in India, a hacker used Telegram chatbots to leak private data from Star Health, one of the country's largest insurers. This incident disclosed medical records, IDs, and even tax details. Star Health sued Telegram.
A Turning Point in Cybersecurity
The UNODC report opens one's eyes to the extent the challenge encrypted messaging presents toward the fight against organised crime. Thus, while criminal groups will continue and take full advantage of platforms like Telegram, tech companies remain on their toes about enforcing control measures over illegal activity while trying to balance concerns to address user privacy and safety.
The EasyPark-owned company informed that the data of at least 950 customers had been stolen by the hackers. The data included names, phone numbers, addresses, email addresses and parts of credit card numbers.
According to the company, the compromised information is “non-sensitive” and claims that “no combination of this stolen data can be used to perform payments.”
However, it has warned customers have been warned against phishing scams, where threat actors use stolen customer details to send them emails and text messages, that look convincing, in order to scam the target victims.
While British customers were the least affected by the breach, data of thousands of Europe-based customers are feared to be compromised. It needs to be made clear as to who is behind the data breach.
Easypark further informs that it was “reaching out to all affected customers.” Meanwhile, RingGo claims to be “UK’s number one parking app,” with over 19 million customers.
Using the company's app, drivers pay for parking using their smartphones by providing information about their vehicle, like the license plate number, and payment information, like a credit or debit card.
The Information Commissioner's Office (ICO) in the UK and the corresponding European agency have received reports from Stockholm-based EasyPark, according to a Tuesday Guardian report.
According to a statement published on the company’s website, the attack first came to light on December 10: "The attack resulted in a breach of non-sensitive customer data."
“We deeply care about our customers and want to make sure you are fully informed about this incident […] Our security team, including external security experts, is working hard to ensure effective security and privacy measures are in place[…]We are deeply sorry this happened and will continue to work hard every day to earn your trust.”
Owned by private equity firms Vitruvian Partners and Verdane, the company has operations across 4,000 cities in 23 countries, encompassing most of western Europe, the US, and Australia. Since its founding in 2001, it has expanded via several acquisitions.
The malware was first discovered by IBM’s security team, where the researchers noted that the threat actors have been preparing for the campaign since December 2022, after buying the malicious domains.
The attacks used scripts that were loaded from the attacker's server to intercept user credentials and one-time passwords (OTPs) by focusing on a particular page structure that is shared by numerous institutions.
The attackers can access the victim's bank account, lock them out by altering security settings, and carry out illicit transactions by obtaining the aforementioned information.
The attack begins when the threat actors infect the victim’s device with the malware. While IBM’s report did not specify the details of this stage, it is more likely that this is done through malvertizing, phishing emails, etc.
The malicious software inserts a new script tag with a source ('src') property pointing to an externally hosted script once the victim visits the malicious websites of the attackers.
On the victim's browser, the malicious obfuscated script is loaded to change the content of webpages, obtain login credentials, and intercept one-time passcodes (OTP).
IBM found this extra step unusual since most malware can perform web injections directly on the web page.
It is also noteworthy to mention that the malicious script uses names like cdnjs[.]com and unpkg[.]com to mimic authentic JavaScript content delivery networks (CDNs) in an attempt to avoid detection. Moreover, the script verifies the existence of particular security products before execution.
Also, the script tends to continuously mend its behaviour to the command and control server’s instructions, sending updates and receiving specific outputs that guide its activity on the victim’s device.
A "mlink" flag set by the server controls its various operational states, which include injecting phone number or OTP token prompts, displaying error warnings, or mimicking page loading as part of its data-stealing tactic.
IBM notes that nine “mlink” variable values can be combined to instruct the script to carry out certain, distinct data exfiltration activities, indicating how a wide range of commands is being supported.
According to IBM, this campaign is still a work in progress, thus the firm has urged online users to use online banking portals and apps with increased caution.
The responsibility of the attack has been claimed by ransomware gang Rhysida. The group has listed the library as their victim over its darknet forum, where it has leaked the low resolution snippets of the stolen information. The gang is offering to auction the further information for 20 Bitcoin, or about £600,000, to the highest bidder.
As a result of the attacks, the library’s operations have been disrupted for weeks. The stolen data includes images of passport photos and HMRC employment records.
In the darknet website, the listing for the British Library reads, “With just seven days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive data.”
The aforementioned listing appeared on the website on Monday, where the group has demanded the ransom to be paid till November 27.
In regards to this, Emisoft’s threat analyst, Brett Callow says that the data “auction” was effectively a “continuation of the extortion attempt” by the gang.
The cyberattack on the British Library started in late October, where the attackers stole large chunks of the library’s website.
Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.
Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.
The British Library released the following statement on Monday: "We are aware that some data has been exposed, after confirmation last week that this was a ransomware attack. It looks like these are from our own HR records.”
“We have no evidence that data of our users has been compromised.”
The National Cyber Security Centre (NCSC), which is affiliated with GCHQ, and the Metropolitan Police are collaborating with the library to strengthen its IT infrastructure and carry out a forensic examination.
Sir Roly Keating, chief executive of the British Library, said: “We are immensely grateful to our many users and partners who have shown such patience and support as we work to analyse the impact of this criminal attack and identify what we need to do to restore our online systems in a safe and sustainable manner.”
City’s Chief Information Officer Bill Zielinski describes that the threat actors gained access to 230 City servers, along with around 1,000 computers and more than 1,100 workstations. Following the attack, the City disabled 100 of its servers.
According to Zielinski, “As part of the remediation and restoration activity, every server, workstation and other host device was thoroughly reviewed for potential impact.”
While the City employees were supposed to issue an ‘After Action Report,’ to the Dallas City Council in regards to the ransomware attack on Wednesday, the affair was postponed when the council members spent the entire evening debating amendments to the next FY23-24 budget.
Adding to this, the council had scheduled time as 9 a.m., but the Council members did not mark their presence till 8 p.m.
Later, coming back to the original topic of discussion, the presentation displayed before the council noted that the hacker group ‘Royal Ransomware,’ was behind the attacks and was responsible for gaining illicit access to 1.169 terabytes of City data between April 7 and May 3 this year.
Dallas officials further noted that the reason behind the dysfunctional City services (that stayed for months) was in fact due to the said ransomware attack. For instance, the City was unable to provide up-to-date crime statistics until the end of July 2023. Officials currently assert that 99.9% of City operations are back online.
The Dallas Express has previously reported that hackers are suspected of stealing the personal data of over 26,000 people, including minors. However, the claims were denied by the City which claimed that no such information has been compromised. The City apparently stated, “no indication that data from residents, vendors, or employees has been leaked.”
However, in regards to the City’s response to the attacks, City Manager T.C. Broadnax said that the City did a “great job.” According to him, the City’s overall response was successful, but the messaging was poor.
“Could we do better? I think, from a communication standpoint, at least, what people believe we should be communicating?[…]I would say, yeah, we can always do better,” he said.
One may also want to capture this moment and share a sneak peek of their journey with their pals, starting with clicking a little picture of their boarding pass to post on social media. However, cyber experts have advised the vacationers against this, since doing so could be a risk to their privacy, or even lead to their information getting into the wrong hands.
While modern boarding passes do not contain any outright personal details and only contain information like the person’s name, flight number and seat number, certain codes could be used by a hacker to further get hold of a victim’s information.
Josh Amishav, Founder and CEO of data breach monitoring company Breachsense, explained "Your frequent flyer number, name, and passenger name record are valuable for identity theft, enabling fraud like opening credit card accounts or making unauthorised purchases.”
"Hackers can employ social engineering techniques, pretending to be airline representatives to trick you into revealing more personal data. They can also create targeted phishing attempts using your boarding pass info, leading to clicking on malicious links or sharing sensitive data," he says.
The threat does not end here, since this is not the only way a boarding pass can be used by an unauthorized body to access a flyer’s information. Another case that comes to light is the illicit usage of contents of a lost or stolen boarding pass.
Thus, there are several measures and precautions one must keep in mind in order to protect oneself from falling prey to such cyber incidents. Here, we are listing some of those measures:
On Thursday, US cybersecurity agency CISA and US Food and Drug Administration FDA released separate advisories to alert organizations of the vulnerabilities affecting the Universal Copy Service (UCS) component used by a number of Illumina's genetic sequencing devices.
The vulnerability flaw, identified as CVE-2023-1968 enables remote access to a vulnerable device via the internet without the need for a password. If exploited, hackers may be able to compromise devices and cause them to generate false, changed, or nonexistent results.
The advisories also include a second vulnerability, CVE-2023-1966, which is rated 7.4 out of 10 for severity. The flaw might provide hackers access to the operating system level, where they could upload and run malicious programs to change settings and access private information on the impacted product.
The FDA claimed it was unaware of any actual attacks that exploited the flaws, but it did issue a warning that a hacker might use them to remotely control a device or change its settings, software, or data, as well as remotely access the user's network.
“On April 5, 2023, Illumina sent notifications to affected customers instructing them to check their instruments and medical devices for signs of potential exploitation of the vulnerability,” states the FDA in its notification.
The products from Illumina that are vulnerable include iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq. These products, which are used all around the world in the healthcare industry, are made for clinical diagnostic use when sequencing a person's DNA for different genetic diseases or research needs.
According to Illumina spokesperson David McAlpine, Illumina has “not received any reports indicating that a vulnerability has been exploited, nor do we have any evidence of any vulnerabilities being exploited.” Moreover, he declines to comment on whether the company has technical resources that could detect exploitation, nor did he specify the number of devices affected by the vulnerability.
Illumina CTO Alex Aravanis in a LinkedIn post mentions that the company detected the flaw as part of routine efforts to examine its software for potential flaws and exposures.
“Upon identifying this vulnerability, our team worked diligently to develop mitigations to protect our instruments and customers[…]We then contacted and worked in close partnership with regulators and customers to address the issue with a simple software update at no cost, requiring little to no downtime for most,” Aravanis said.
In today’s world, a cybercriminal is capable of stealing data and money with the help of a number of malwares, including keyloggers.
Snake Keylogger is a well-known example of this kind of malware. However, where did Snake Keylogger originate from, how did it operate, and how could you get rid of it? Here is all you need to know about Snake Keylogger.
In order to get an idea of Snake Keylogger, let us first understand what keyloggers are in general.
Keylogger is the kind of malicious program used in logging keystrokes. If your device is infected, the keylogger will record anything you input on the keyboard, including passwords, text messages, payment information, and just about anything else. Essentially, Snake Keylogger is a modular malware program, created by using the .NET developer platform.
With this logging, the malicious operator is able to acquire access over controlling the program, it may as well be able to see what a user is typing into his or her device and even take screenshots, giving them an opportunity to steal a great heap of data.
Discovered in November 2020, it has a history of stealing credentials, clipboard data, and other types of information. Snake Keylogger, a dangerous product that may be purchased on malicious markets like hacking forums, poses a threat to both individuals and companies.
Snake Keylogger usually spreads through phishing campaigns, targeting victims with malicious mail. However, it can also be transmitted via spear phishing, where specific victims are targeted for specific goals. When a Snake Keylogger is sent to a potential victim, it is enclosed in an attachment.
Once received, the user is asked to open a DOCX file. This file may contain a macro (a computer virus), that permits the launch of Snake Keylogger. In case the recipient possesses a version of Microsoft Office with security vulnerabilities, the malware tends to exploit them and infect the device. The same could be intended for PDF readers.
The malware holds the capability of gaining access to recorded data and transferring the same to the attacker, who can exploit it further. The data can either be exploited directly (by hacking bank accounts with stolen credentials) or sell the information to other threat actors in illicit marketplaces, on the dark web.
One of the other reasons why Snake Keyloggers possess threats is their ability to evade antivirus protection, which usually stands as the first line of defense for most devices. In many cases, devices only possess antivirus as their source of protection, thus if Snake Keylogger succeeds in evading the software with no other protection in place, the targeted device could easily and quickly be infected and exploited.
To avoid Snake Keylogger, one can opt for a number of measures:
Hackers stole a 2019 backup database holding the personal details of millions of users, PeopleConnect, the company behind the background check services TruthFinder and Instant Checkmate, acknowledged that they experienced a data breach.
Customers can run background checks on others using subscription-based services like TruthFinder and Instant Checkmate. Access to numerous databases containing personal data, including email addresses, physical addresses, social media profiles, arrest histories, and phone numbers, is offered.
Data for 20.22 million potential TruthFinder and Instant Checkmate users who utilized the services up to April 16th, 2019, were allegedly leaked on January 21 by a member of the Breached cybercrime and data breach forum.
When Have I Been Pwned's Troy Hunt informed PeopleConnect of the data leak, the business promptly initiated an investigation and reiterated that it intended to make the situation official? TruthFinder and Instant Checkmate received notifications from PeopleConnect stating that there had been a data breach on both sites.
"The list, which appears to cover all client accounts created between 2011 and 2019, was made, as we have confirmed, several years ago. Our organization produced the list that was published. Although our investigation is ongoing, it looks that this was an accidental list release or theft. It does not appear that any user activity, such as reports or queries on our system, was involved in the published list in question, and it does not appear that payment information, passwords that can be read or used, or other methods of breaching user accounts were involved," the data security firm told.
The business hired a cybersecurity organization from outside to look into the event, but there was no sign that their network had been compromised. PeopleConnect advises that targeted phishing attempts are to be on the lookout for and will provide more updates as new information becomes available.
Apparently, the data is related to online orders between November 2018 and October 2020. The company assured that the affected customers are being informed about the breach.
It further added that the affected data was “limited.” The company claimed that payment card information was secure and that there is no reason to believe that hackers had gained access to customer passwords.
In regards to the data breach, the chief financial officer of JD Sports, Neil Greenhalgh stated “We want to apologize to those customers who may have been affected by this incident […] Protecting the data of our customers is an absolute priority for JD.”
The hack targeted online purchases made under the JD, Size, Millets, Blacks, Scotts, and MilletSport brands. It is believed that the business discovered the attack recently, but that only historical data was accessed.
Reportedly, the company is working in collaboration with some of the “leading cyber-security experts” and is engaging with the UK’s Information Commissioner’s Office (ICO) in regard to the incident.
Mr. Greenhalgh has advised the affected customers to be “vigilant about potential scam e-mails, calls and texts.”
In recent times, numerous UK Businesses have witnessed at least one cyber-attacks. For an instance:
According to Lauren Wills-Dixon, solicitor and an expert in data privacy at law firm Gordons, businesses are needed to be prepared for potential cyber-attacks since they are among the most common targets for threat actors. The reason for the same is the large amount of customer data they have in store.
She also added that the increased use of technology by the industry “to reduce overheads and streamline operations has raised the risk even further.”
“In this new world, it's not 'if' but 'when' a cyber-attack will happen.”