Tag Archive for: Cyber

Happy 12th Birthday, KrebsOnSecurity.com!


KrebsOnSecurity.com celebrates its 12th anniversary today! Maybe “celebrate” is too indelicate a word for a year wracked by the global pandemics of COVID-19 and ransomware. Especially since stories about both have helped to grow the audience here tremendously in 2021. But this site’s birthday also is a welcome opportunity to thank you all for your continued readership and support, which helps keep the content here free to everyone.

More than seven million unique visitors came to KrebsOnSecurity.com in 2021, generating some 12 million+ pageviews and leaving almost 8,000 comments. We also now have nearly 50,000 subscribers to our email newsletter, which is still just a text-based (non-HTML) email that goes out each time a new story is published here (~2-3 times a week).

Back when this site first began 12 years ago, I never imagined it would attract such a level of engagement. Before launching KrebsOnSecurity, I was a tech reporter for washingtonpost.com. For many years, The Post’s website was physically, financially and editorially separate from what the dot-com employees affectionately called “The Dead Tree Edition.” When the two newsrooms finally merged in 2009, my position was eliminated.

Happily, the blog I authored for four years at washingtonpost.com — Security Fix — had attracted a sizable readership, and it seemed clear that the worldwide appetite for in-depth news about computer security and cybercrime would become practically insatiable in the coming years.

Happier still, The Post offered a severance package equal to six months of my salary. Had they not thrown that lifeline, I doubt I’d have had the guts to go it alone. But at the time, my wife basically said I had six months to make this “blog thing” work, or else find a “real job.”

God bless her eternal patience with my adopted occupation, because KrebsOnSecurity has helped me avoid finding a real job for a dozen years now. And hopefully they let me keep doing this, because at this point I’m certainly unqualified to do much else.

I’d be remiss if I didn’t take this opportunity to remind Dear Readers that advertisers do help keep the content free here to everyone. For security and privacy reasons, KrebsOnSecurity does not host any third-party content on this site — and this includes the ad creatives, which are simply images or GIFs vetted by Yours Truly and served directly from krebsonsecurity.com.

That’s a long-winded way of asking: If you regularly visit KrebsOnSecurity.com with an ad blocker, please consider adding an exception for this site.

Thanks again, Dear Readers. Please stay safe, healthy and alert in 2022. See you on the other side!

NY Man Pleads Guilty in $20 Million SIM Swap Theft

A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent “SIM swaps,” scams in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s online identities.

Truglia admitted to a New York federal court that he let a friend use his account at crypto-trading platform Binance in 2018 to launder more than $20 million worth of virtual currency stolen from Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts.

Following the theft, Terpin filed a civil lawsuit against Truglia with the Los Angeles Superior court. In May 2019, the jury awarded Terpin a $75.8 million judgment against Truglia. In January 2020, a New York grand jury criminally indicted Truglia (PDF) for his part in the crypto theft from Terpin.

A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can legitimately request a SIM swap when their mobile device has been damaged or lost, or when they are switching to a different phone that requires a SIM card of another size.

Nicholas Truglia, holding bottle. Image: twitter.com/erupts

But fraudulent SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone controlled by the scammers. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many financial institutions and online services rely on text messages to send users a one-time code for multi-factor authentication.

Compounding the threat, many websites let customers reset their passwords merely by clicking a link sent via SMS to the mobile phone number tied to the account, meaning anyone who controls that phone number can reset the passwords for those accounts.

Reached for comment, Terpin said his assailant got off easy.

“I am outraged that after nearly four years and hundreds of pages of evidence that the best the prosecutors could recommend was a plea bargain for a single, relatively minor count of the unauthorized use of a Binance exchange account, when all the evidence points toward Truglia being one of two masterminds of a wide-ranging criminal conspiracy to steal crypto from me and others,” Terpin told KrebsOnSecurity.

Terpin said public court records already show Truglia bragging about stealing his funds and using it to finance a lavish lifestyle.

“He at the very least withdrew 100 bitcoin (worth $1.6 million at the time and nearly $5 million today) from my theft into his wallet at a separate, US-based exchange, and then moved or spent it,” Terpin said. “The fact is that the intentional theft of $24 million, whether taken at the point of a gun in a bank or through a SIM card swap, is a major felony. Truglia should be prosecuted to the fullest extent of the law.”

Nicholas Truglia, showing off a diamond-studded Piaget watch while aboard a private jet. Image: twitter.com/erupts.

Terpin also is waging an ongoing civil lawsuit against 18-year-old Ellis Pinsky, who’s accused of working with Truglia as part of a SIM swapping crew that has stolen more than $100 million in cryptocurrency. According to Terpin, Pinsky was 15 when he took part in the $24 million 2018 SIM swap, but he returned $2 million worth of cryptocurrency after being confronted by Terpin’s investigators.

“On the surface, Pinsky is an ‘All American Boy,’” Terpin’s civil suit charges. “The son of privilege, he is active in extracurricular activities and lives a suburban life with a doting mother who is a prominent doctor.”

“Despite their wholesome appearances, Pinsky and his other cohorts are in fact evil computer geniuses with sociopathic traits who heartlessly ruin their innocent victims’ lives and gleefully boast of their multi-million-dollar heists,” the lawsuit continues. “Pinsky is reputed to have used his ill-gotten gains to purchase multi-million-dollar watches and is known to go on nightclub sprees at high end clubs in New York City, and Truglia rented private jets and played the part of a dashing playboy with young women pampering him.”

Pinksy could not be immediately reached for comment. But a review of the latest filings in the lawsuit show that Pinsky’s attorneys stopped representing him because he no longer had the funds to pay for their services. The most recent entry in the New York Southern District’s docket asks the court to give Pinsky additional time to seek counsel, and hints that barring that he may end up representing himself.

Ellis Pinsky, in a photo uploaded to his social media profile.

Truglia is still being criminally prosecuted in Santa Clara, Calif., the home of the REACT task force, which pursues SIM-swapping cases nationwide. In November 2018, REACT investigators and New York authorities arrested Truglia on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from Robert Ross, a San Francisco father of two who later went on to found the victim advocacy website stopsimcrime.org.

According to published reports, Truglia and his accomplices also perpetrated SIM swaps against the CEO of the blockchain storage service 0Chain; hedge-funder Myles Danielson, vice president of Hall Capital Partners; and Gabrielle Katsnelson, the co-founder of the startup SMBX.

Truglia is currently slated to be sentenced in April 2022 for his guilty plea in New York. He faces a maximum sentence of up to 20 years in prison.

Erin West, deputy district attorney for Santa Clara County, told KrebsOnSecurity that SIM swapping remains a major problem. But she said many of the victims they’re now assisting are relatively new cryptocurrency investors for whom a SIM swapping attack can be financially devastating.

“Originally, the SIM swap targets were the early adopters of crypto,” West said. “Now we’re seeing a lot more of what I would call normal people trying their hand at crypto, and that makes a lot more people a target. It makes people who are unfamiliar with their personal security online vulnerable to hackers whose entire job is to figure out how to part people from their money.”

West said REACT continues to train state and local law enforcement officials across the country on how to successfully investigate and prosecute SIM swapping cases.

“The good news is our partners across the nation are learning how to conduct these cases,” she said. “Where this was a relatively new phenomenon three years ago, other smaller jurisdictions around the country are now learning how to prosecute this crime.”

All of the major wireless carriers let customers add security against SIM swaps and related schemes by setting a PIN that needs to be provided over the phone or in person at a store before account changes should be made. But these security features can be bypassed by incompetent or corrupt mobile store employees.

For some tips on how to minimize your chances of becoming the next SIM swapping victim, check out the “What Can You Do?” section at the conclusion of this story.

Microsoft Patch Tuesday, December 2021 Edition

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

Log4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called “log4j,” which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.

According to researchers at Lunasec, many, many services are vulnerable to this exploit.

“Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable,” Lunasec wrote. “Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. An extensive list of responses from impacted organizations has been compiled here.”

“If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability,” said Dustin Childs of Trend Micro’s Zero Day Initiative. “Check with all the vendors in your enterprise to see if they are impacted and what patches are available.”

Part of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said Johannes Ullrich, an incident handler and blogger for the SANS Internet Storm Center. “Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon,” Ullrich said. “Treat it as such.” SANS has a good walk-through of how simple yet powerful the exploit can be.

John Hultquist, vice president of intelligence analysis at Mandiant, said the company has seen Chinese and Iranian state actors leveraging the log4j vulnerability, and that the Iranian actors are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain.

“We anticipate other state actors are doing so as well, or preparing to,” Hultquist said. “We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”

Researcher Kevin Beaumont had a more lighthearted take on Log4Shell via Twitter:

“Basically the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly.”

A half-dozen of the vulnerabilities addressed by Microsoft today earned its most dire “critical” rating, meaning malware or miscreants could exploit the flaws to gain complete, remote control over a vulnerable Windows system with little or no help from users.

The Windows flaw already seeing active exploitation is CVE-2021-43890, which is a “spoofing” bug in the Windows AppX installer on Windows 10. Microsoft says it is aware of attempts to exploit this flaw using specially crafted packages to implant malware families like Emotet, Trickbot, and BazaLoader.

Kevin Breen, director of threat research for Immersive Labs, said CVE-2021-43905 stands out of this month’s patch batch.

“Not only for its high CVSS score of 9.6, but also because it’s noted as ‘exploitation more likely’,” Breen observed.

Microsoft also patched CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November,” Satnam Narang of Tenable points out. “However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.”

Google issued five security fixes for Chrome, including one rated critical and three others with high severity. If you’re browsing with Chrome, keep a lookout for when you see an “Update” tab appear to the right of the address bar. If it’s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.

Also, Adobe issued patches to correct more than 60 security flaws in a slew of products, including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Additional reading:

SANS ISC listing of each Microsoft vulnerability patched today, indexed by severity and affected component.

Inside Ireland’s Public Healthcare Ransomware Scare

The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland’s public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system’s IT administrators failed to respond to multiple warning signs that a massive attack was imminent.

PWC’s timeline of the days leading up to the deployment of Conti ransomware on May 14.

Ireland’s Health Service Executive (HSE), which operates the country’s public health system, got hit with Conti ransomware on May 14, 2021. A timeline in the report (above) says the initial infection of the “patient zero” workstation happened on Mar. 18, 2021, when an employee on a Windows computer opened a booby-trapped Microsoft Excel document in a phishing email that had been sent two days earlier.

Less than a week later, the attacker had established a reliable backdoor connection to the employee’s infected workstation. After infecting the system, “the attacker continued to operate in the environment over an eight week period until the detonation of the Conti ransomware on May 14, 2021,” the report states.

According to PWC’s report (PDF), there were multiple warning signs about a serious network intrusion, but those red flags were either misidentified or not acted on quickly enough:

  • On Mar. 31, 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups — Cobalt Strike and Mimikatz — on the Patient Zero Workstation. But the antivirus software was set to monitor mode, so it did not block the malicious commands.”
  • On May 7, the attacker compromised the HSE’s servers for the first time, and over the next five days the intruder would compromise six HSE hospitals. On May 10, one of the hospitals detected malicious activity on its Microsoft Windows Domain Controller, a critical “keys to the kingdom” component of any Windows enterprise network that manages user authentication and network access.
  • On 10 May 2021, security auditors first identified evidence of the attacker compromising systems within Hospital C and Hospital L. Hospital C’s antivirus software detected Cobalt Strike on two systems but failed to quarantine the malicious files.
  • On May 13, the HSE’s antivirus security provider emailed the HSE’s security operations team, highlighting unhandled threat events dating back to May 7 on at least 16 systems. The HSE Security Operations team requested that the Server team restart servers.

By then it was too late. At just after midnight Ireland time on May 14, the attacker executed the Conti ransomware within the HSE. The attack disrupted services at several Irish hospitals and resulted in the near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services. The number of appointments in some areas dropped by up to 80 percent.”

Conti initially demanded USD $20 million worth of virtual currency in exchange for a digital key to unlock HSE servers compromised by the group. But perhaps in response to the public outcry over the HSE disruption, Conti reversed course and gave the HSE the decryption keys without requiring payment.

Still, the work to restore infected systems would take months. The HSE ultimately enlisted members of the Irish military to bring in laptops and PCs to help restore computer systems by hand. It wasn’t until September 21, 2021 that the HSE declared 100 percent of its servers were decrypted.

As bad as the HSE ransomware attack was, the PWC report emphasizes that it could have been far worse. For example, it is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape.

The attack also could have been worse, the report found:

  • if there had been intent by the Attacker to target specific devices within the HSE environment (e.g. medical devices);
  • if the ransomware took actions to destroy data at scale;
  • if the ransomware had auto-propagation and persistence capabilities, for example by using an exploit to propagate across domains and trust-boundaries to medical devices (e.g. the EternalBlue exploit used by the WannaCry and NotPetya15 attacks);
  • if cloud systems had also been encrypted such as the COVID-19 vaccination system

The PWC report contains numerous recommendations, most of which center around hiring new personnel to lead the organization’s redoubled security efforts. But it is clear that the HSE has an enormous amount of work ahead to grow in security maturity. For example, the report notes the HSE’s hospital network had over 30,000 Windows 7 workstations that were deemed end of life by the vendor.

“The HSE assessed its cybersecurity maturity rating as low,” PWC wrote. “For example, they do not have a CISO or a Security Operations Center established.”

PWC also estimates that efforts to build up the HSE’s cybersecurity program to the point where it can rapidly detect and respond to intrusions are likely to cost “a multiple of the HSE’s current capital and operation expenditure in these areas over several years.”

One idea of a “security maturity” model.

In June 2021, the HSE’s director general said the recovery costs for the May ransomware attack were likely to exceed USD $600 million.

What’s remarkable about this incident is that the HSE is publicly funded by the Irish government, and so in theory it has the money to spend (or raise) to pay for all these ambitious recommendations for increasing their security maturity.

That stands in stark contrast to the healthcare system here in the United States, where the single biggest impediment to doing security well continues to be lack of making it a real budget priority. Also, most healthcare organizations in the United States are private companies that operate on razor-thin profit margins.

I know this because in 2018 I was asked to give the keynote at an annual gathering of the Healthcare Information Sharing and Analysis Group (H-ISAC), an industry group centered on sharing information about cybersecurity threats. I almost didn’t accept the invitation: I’d written very little about healthcare security, which seemed to be dominated by coverage of whether healthcare organizations complied with the letter of the law in the United States. That compliance centered on the Health Insurance Portability and Accountability Act (HIPPA), which prioritizes protecting the integrity and privacy of patient data.

To get up to speed, I interviewed over a dozen of the healthcare security industry’s best and brightest minds. A common refrain I heard from those interviewed was that if it was security-related but didn’t have to do with compliance, there probably wasn’t much chance it would get any budget.

Those sources unanimously said that however well-intentioned, it’s not clear that the “protect the data” regulatory approach of HIPPA was working from an overall threat perspective. According to HealthcareIT News, more than 40 million patient records have been compromised in incidents reported to the federal government in 2021 so far alone.

During my 2018 talk, I tried to emphasize the primary importance of being able to respond quickly to intrusions. Here’s a snippet of what I told that H-ISAC audience:

“The term ‘Security Maturity’ refers to the street smarts of an individual or organization, and this maturity generally comes from making plenty of mistakes, getting hacked a lot, and hopefully learning from each incident, measuring response times, and improving.

Let me say up front that all organizations get hacked. Even ones that are doing everything right from a security perspective get hacked probably every day if they’re big enough. By hacked I mean someone within the organization falls for a phishing scam, or clicks a malicious link and downloads malware. Because let’s face it, it only takes one screw up for the hackers to get a foothold in the network.

Now this is in itself isn’t bad. Unless you don’t have the capability to detect it and respond quickly. And if you can’t do that, you run the serious risk of having a small incident metastasize into a much larger problem.

Think of it like the medical concept of the ‘Golden Hour:’ That short window of time directly following a traumatic injury like a stroke or heart attack in which life-saving medicine and attention is likely to be most effective. The same concept holds true in cybersecurity, and it’s exactly why so many organizations these days are placing more of their resources into incident response, instead of just prevention.”

The United States’ somewhat decentralized healthcare system means that many ransomware outbreaks tend to be limited to regional or local healthcare facilities. But a well-placed ransomware attack or series of attacks could inflict serious damage on the sector: A December 2020 report from Deloitte says the top 10 health systems now control 24 market share and their revenue grew at twice the rate of the rest of the market.

In October 2020, KrebsOnSecurity broke the story that the FBI and U.S. Department of Homeland Security had obtained chatter from a top ransomware group which warned of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Members associated with the Russian-speaking ransomware group known as Ryuk had discussed plans to deploy ransomware at more than 400 healthcare facilities in the United States.

Hours after that piece ran, I heard from a respected H-ISAC security professional who questioned whether it was worth getting the public so riled up. The story had been updated multiple times throughout the day, and there were at least five healthcare organizations hit with ransomware within the span of 24 hours.

“I guess it would help if I understood what the baseline is, like how many healthcare organizations get hit with ransomware on average in one week?” I asked the source.

“It’s more like one a day,” the source confided.

In all likelihood, the HSE will get the money it needs to implement the programs recommended by PWC, however long that takes. I wonder how many U.S.-based healthcare organizations could say the same.

Canada Charges Its “Most Prolific Cybercriminal”

A 31-year-old Canadian man has been arrested and charged with fraud in connection with numerous ransomware attacks against businesses, government agencies and private citizens throughout Canada and the United States. Canadian authorities describe him as “the most prolific cybercriminal we’ve identified in Canada,” but so far they’ve released few other details about the investigation or the defendant. Helpfully, an email address and nickname apparently connected to the accused offer some additional clues.

Matthew Philbert, in 2016.

Matthew Philbert of Ottawa, Ontario was charged with fraud and conspiracy in a joint law enforcement action by Canadian and U.S. authorities dubbed “Project CODA.” The Ontario Provincial Police (OPP) on Tuesday said the investigation began in January 2020 when the U.S. Federal Bureau of Investigation (FBI) contacted them regarding ransomware attacks that were based in Canada.

“During the course of this investigation, OPP investigators determined an individual was responsible for numerous ransomware attacks affecting businesses, government agencies and private individuals throughout Canada as well as cyber-related offenses in the United States,” reads an OPP statement.

“A quantity of evidentiary materials was seized and held for investigation, including desktop and laptop computers, a tablet, several hard drives, cellphones, a Bitcoin seed phrase and a quantity of blank cards with magnetic stripes,” the statement continues.

The U.S. indictment of Philbert (PDF) is unusually sparse, but it does charge him with conspiracy, suggesting the defendant was part of a group. In an interview with KrebsOnSecurity, OPP Detective Inspector Matt Watson declined to say whether other defendants were being sought in connection with the investigation, but said the inquiry is ongoing.

“I will say this, Philbert is the most prolific cybercriminal we’ve identified to date in Canada,” Watson said. “We’ve identified in excess of a thousand of his victims. And a lot of these were small businesses that were just holding on by their fingernails during COVID.”

A DARK CLOUD

There is a now-dormant Myspace account for a Matthew Philbert from Orleans, a suburb of Ottawa, Ontario. The information tied to the Myspace account matches the age and town of the defendant. The Myspace account was registered under the nickname “Darkcloudowner,” and to the email address dark_cl0ud6@hotmail.com.

A search in DomainTools on that email address reveals multiple domains registered to a Matthew Philbert and to the Ottawa phone number 6138999251 [DomainTools is a frequent advertiser on this site]. That same phone number is tied to a Facebook account for a 31-year-old Matthew Philbert from Orleans, who describes himself as a self-employed “broke bitcoin baron.”

Mr. Philbert did not respond to multiple requests for comment.

According to cyber intelligence firm Intel 471, that dark_cl0ud6@hotmail.com address has been used in conjunction with the handle “DCReavers2” to register user accounts on a half-dozen English-language cybercrime forums since 2008, including Hackforums, Blackhatworld, and Ghostmarket.

Perhaps the earliest and most important cybercrime forum DCReavers2 frequented was Darkode, where he was among the first two-dozen members. Darkode was taken down in 2015 as part of an FBI investigation sting operation, but screenshots of the community saved by this author show that DCReavers2 was already well known to the Darkode founders when his membership to the forum was accepted in May 2009.

DCReavers2 was just the 22nd account to register on the Darkode cybercrime forum.

Most of DCReavers’s posts on Darkode appear to have been removed by forum administrators early on (likely at DCReavers’ request), but the handful of posts that survived the purge show that more than a decade ago DCReavers2 was involved in running botnets, or large collections of hacked computers.

“My exploit pack is hosted there with 0 problems,” DCReaver2 says of a shady online provider that another member asked about in May 2010.

Searching the Web on “DCreavers2” brings up a fascinating chat conversation allegedly between DCReavers2 and an individual in Australia who was selling access to an “exploit kit,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities for the purposes of installing malware of the customer’s choosing.

In that 2009 chat, indexed by the researchers behind the website exposedbotnets.com, DCReavers2 uses the Dark_Cl0ud6 email address and actually shares his real name as Matthew Philbert. DCReavers2 also says his partner uses the nickname “The Rogue,” which corresponds to a former Darkode administrator who was the second user ever registered on the forum (see screenshot above).

In that same conversation, DCReavers2 discusses managing a botnet built on ButterFly Bot. Also known as “Mariposa,” ButterFly was a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. The ButterFly Bot kit sold for prices ranging from $500 to $2,000.

An advertisement for the ButterFly Bot.

The author of ButterFly Bot — Slovenian hacker Matjaz “Iserdo” Skorjanc — was Darkode’s original founder back in 2008. Arrested in 2010, Skorjanc was sentenced to nearly five years in prison for selling and supporting Mariposa, which was used to compromise millions of Microsoft Windows computers.

Upon release from prison, Skorjanc became chief technology officer for NiceHash, a cryptocurrency mining service. In December 2017, $52 million worth of Bitcoin mysteriously disappeared from NiceHash coffers. In October 2019, Skorjanc was arrested in Germany in response to a U.S.-issued international arrest warrant for his extradition.

The indictment (PDF) tied to Skorjanc’s 2019 arrest also names several other alleged founding members of Darkode, including Thomas “Fubar” McCormick, a Massachusetts man who was allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.” The U.S. federal prosecution against Skorjanc and McCormick is ongoing.

At the time the FBI dismantled Darkode in 2015, the Justice Department said that out of 800 or so crime forums worldwide, Darkode was the most sophisticated English-language forum, and that it represented “one of the gravest threats to the integrity of data on computers in the United States and around the world.”

Some of Darkode’s core members were either customers or sellers of various “locker” kits, which were basically web-based exploits that would lock the victim’s screen into a webpage spoofing the FBI or Justice Department and warning that victims had been caught accessing child sexual abuse material. Victims who agreed to pay a “fine” of several hundred dollars worth of GreenDot prepaid cards could then be rid of the PC locker program.

A 2012 sales thread on Darkode for Rev Locker.

In many ways, lockers were the precursors to the modern cybercrime scourge we now know as ransomware. The main reason lockers never took off as an existential threat to organizations worldwide was that there is only so much money locker users could reasonably demand via GreenDot cards.

But with the ascendance and broader acceptance of virtual currencies like Bitcoin, suddenly criminal hackers could start demanding millions of dollars from victims. And it stands to reason that a great many Darkode members who were never caught have since transitioned from lockers, exploit kits and GreenDot cards to doing what every other self-respecting cybercrook seems to be involved with these days: Locking entire companies and industries for ransomware payments.

One final observation about the Philbert indictment: It’s good to see the Canadian authorities working closely with the FBI on important cybercrime cases. Indeed, this investigation is remarkable for that fact alone. For years I’ve been wondering aloud why more American cybercriminals don’t just move to Canada, because historically there has been almost no probability that they will ever get caught — let alone prosecuted there. With any luck, this case will be the start of something new.

Who Is the Network Access Broker ‘Babam’?

Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at the clues left behind by “Babam,” the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.

Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit include any personal information or clues about his identity.

But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address “operns@gmail.com.” The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.

In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.

Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the operns@gmail.com address was used in 2016 to register an account at filmai.in, which is a movie streaming service catering to Lithuanian speakers. The username associated with that account was “bo3dom.”

A reverse WHOIS search via DomainTools.com says operns@gmail.com was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It’s unclear whether these domains ever were online, but the street address on both records was “24 Brondeg St.” in the United Kingdom. [Full disclosure: DomainTools is a frequent advertiser on this website.]

A reverse search at DomainTools on “24 Brondeg St.” reveals one other domain: wwwecardone[.]com. The use of domains that begin with “www” is fairly common among phishers, and by passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, such as accidentally omitting the “.” after typing “www”.

A banner from the homepage of the Russian language cybercrime forum Verified.

Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com  — +44.0774829141 — leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a more recent record for the wwwebuygold[.]com domain — 44.0472882112 — is tied to two more domains – howtounlockiphonefree[.]com, and portalsagepay[.]com. All of these domains date back to between 2012 and 2013.

The original registration records for the iPhone, Sagepay and Gold domains share an email address: devrian26@gmail.com. A search on the username “bo3dom” using Constella’s service reveals an account at ipmart-forum.com, a now-defunct forum concerned with IT products, such as mobile devices, computers and online gaming. That search shows the user bo3dom registered at ipmart-forum.com with the email address devrian27@gmail.com, and from an Internet address in Vilnius, Lithuania.

Devrian27@gmail.com was used to register multiple domains, including wwwsuperchange.ru back in 2008 (notice again the suspect “www” as part of the domain name). Gmail’s password recovery function says the backup email address for devrian27@gmail.com is bo3*******@gmail.com. Gmail accepts the address bo3domster@gmail.com as the recovery email for that devrian27 account.

According to Constella, the bo3domster@gmail.com address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456“.

Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including bo3dom@gmail.com.  Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.

At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the bo3dom@gmail.com used two passwords at that site: lebeda1 and a123456.

A reverse WHOIS search on “Vytautas Mockus” at DomainTools shows the email address devrian25@gmail.com was used in 2010 to register the domain name perfectmoney[.]co. This is one character off of perfectmoney[.]com, which is an early virtual currency that was quite popular with cybercriminals at the time. The phone number tied to that domain registration was “86.7273687“.

A Google search for “Vytautas Mockus” says there’s a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz — an official online directory of Lithuanian companies — says Palvisa was established in 2011 by a Vytautaus Mockus, using the phone number 86.7273687, and the email address bo3dom@gmail.com. The report states that Palvisa is active, but has had no employees other than its founder.

Reached via the bo3dom@gmail.com address, the 36-year-old Mr. Mockus expressed mystification as to how his personal information wound up in so many records. “I am not involved in any crime,” Mockus wrote in reply.

A rough mind map of the connections mentioned in this story.

The domains apparently registered by Babam over nearly 10 years suggest he started off mainly stealing from other cybercrooks. By 2015, Babam was heavily into “carding,” the sale and use of stolen payment card data. By 2020, he’d shifted his focus almost entirely to selling access to companies.

A profile produced by threat intelligence firm Flashpoint says Babam has received at least four positive feedback reviews on the Exploit cybercrime forum from crooks associated with the LockBit ransomware gang.

The ransomware collective LockBit giving Babam positive feedback for selling access to different victim organizations. Image: Flashpoint

According to Flashpoint, in April 2021 Babam advertised the sale of Citrix credentials for an international company that is active in the field of laboratory testing, inspection and certification, and that has more than $5 billion in annual revenues and more than 78,000 employees.

Flashpoint says Babam initially announced he’d sold the access, but later reopened the auction because the prospective buyer backed out of the deal. Several days later, Babam reposted the auction, adding more information about the depth of the illicit access and lowering his asking price. The access sold less than 24 hours later.

“Based on the provided statistics and sensitive source reporting, Flashpoint analysts assess with high confidence that the compromised organization was likely Bureau Veritas, an organization headquartered in France that operates in a variety of sectors,” the company concluded.

In November, Bureau Veritas acknowledged that it shut down its network in response to a cyber attack. The company hasn’t said whether the incident involved ransomware and if so what strain of ransomware, but its response to the incident is straight out of the playbook for responding to ransomware attacks. Bureau Veritas has not yet responded to requests for comment; its latest public statement on Dec. 2 provides no additional details about the cause of the incident.

Flashpoint notes that Babam’s use of transliterated Russian persists on both Exploit and Verified until around March 2020, when he switches over to using mostly Cyrillc in his forum comments and sales threads. Flashpoint said this could be an indication that a different person started using the Babam account since then, or more likely that Babam had only a tenuous grasp of Russian to begin with and that his language skills and confidence improved over time.

Lending credence to the latter theory is that Babam still makes linguistic errors in his postings that suggest Russian is not his original language, Flashpoint found.

“The use of double “n” in such words as “проданно” (correct – продано) and “сделанны” (correct – сделаны) by the threat actor proves that this style of writing is not possible when using machine translation since this would not be the correct spelling of the word,” Flashpoint analysts wrote.

“These types of grammatical errors are often found among people who did not receive sufficient education at school or if Russian is their second language,” the analysis continues. “In such cases, when someone tries to spell a word correctly, then by accident or unknowingly, they overdo the spelling and make these types of mistakes. At the same time, colloquial speech can be fluent or even native. This is often typical for a person who comes from the former Soviet Union states.”

Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach”

In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.

Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.

On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.

But Sharp was a member of the team doing the forensic investigation, the indictment alleges.

“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.

According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that internal Ubiquiti data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 Bitcoin.

The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker for the sum of another 25 Bitcoin (the total amount requested was equivalent to approximately $1.9 million at the time). Ubiquiti did not pay the ransom demands.

Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

When FBI agents raided Sharp’s residence on Mar. 24, he reportedly maintained his innocence and told agents someone else must have used his Paypal account to purchase the Surfshark VPN subscription.

Several days after the FBI executed its search warrant, Sharp “caused false or misleading news stories to be published about the incident,” prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti’s systems kept certain logs of user activity in AWS.

“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday March 31, [Ubiquiti’s] stock price fell approximately 20 percent, losing over four billion dollars in market capitalization,” the indictment states.

Sharp faces four criminal counts, including wire fraud, intentionally damaging protected computers, transmission of interstate communications with intent to extort, and making false statements to the FBI.

News of Sharp’s arrest was first reported by BleepingComputer, which wrote that while the Justice Department didn’t name Sharp’s employer in its press release or indictment, all of the details align with previous reporting on the Ubiquiti incident and information presented in Sharp’s LinkedIn account. A link to the indictment is here (PDF).

The Internet is Held Together With Spit & Baling Wire

A visualization of the Internet made using network routing data. Image: Barrett Lyon, opte.org.

Imagine being able to disconnect or redirect Internet traffic destined for some of the world’s biggest companies — just by spoofing an email. This is the nature of a threat vector recently removed by a Fortune 500 firm that operates one of the largest Internet backbones.

Based in Monroe, La., Lumen Technologies Inc. [NYSE: LUMN] (formerly CenturyLink) is one of more than two dozen entities that operate what’s known as an Internet Routing Registry (IRR). These IRRs maintain routing databases used by network operators to register their assigned network resources — i.e., the Internet addresses that have been allocated to their organization.

The data maintained by the IRRs help keep track of which organizations have the right to access what Internet address space in the global routing system. Collectively, the information voluntarily submitted to the IRRs forms a distributed database of Internet routing instructions that helps connect a vast array of individual networks.

There are about 70,000 distinct networks on the Internet today, ranging from huge broadband providers like AT&T, Comcast and Verizon to many thousands of enterprises that connect to the edge of the Internet for access. Each of these so-called “Autonomous Systems” (ASes) make their own decisions about how and with whom they will connect to the larger Internet.

Regardless of how they get online, each AS uses the same language to specify which Internet IP address ranges they control: It’s called the Border Gateway Protocol, or BGP. Using BGP, an AS tells its directly connected neighbor AS(es) the addresses that it can reach. That neighbor in turn passes the information on to its neighbors, and so on, until the information has propagated everywhere [1].

A key function of the BGP data maintained by IRRs is preventing rogue network operators from claiming another network’s addresses and hijacking their traffic. In essence, an organization can use IRRs to declare to the rest of the Internet, “These specific Internet address ranges are ours, should only originate from our network, and you should ignore any other networks trying to lay claim to these address ranges.”

In the early days of the Internet, when organizations wanted to update their records with an IRR, the changes usually involved some amount of human interaction — often someone manually editing the new coordinates into an Internet backbone router. But over the years the various IRRs made it easier to automate this process via email.

For a long time, any changes to an organization’s routing information with an IRR could be processed via email as long as one of the following authentication methods was successfully used:

-CRYPT-PW: A password is added to the text of an email to the IRR containing the record they wish to add, change or delete (the IRR then compares that password to a hash of the password);

-PGPKEY: The requestor signs the email containing the update with an encryption key the IRR recognizes;

-MAIL-FROM: The requestor sends the record changes in an email to the IRR, and the authentication is based solely on the “From:” header of the email.

Of these, MAIL-FROM has long been considered insecure, for the simple reason that it’s not difficult to spoof the return address of an email. And virtually all IRRs have disallowed its use since at least 2012, said Adam Korab, a network engineer and security researcher based in Houston.

All except Level 3 Communications, a major Internet backbone provider acquired by Lumen/CenturyLink.

“LEVEL 3 is the last IRR operator which allows the use of this method, although they have discouraged its use since at least 2012,” Korab told KrebsOnSecurity. “Other IRR operators have fully deprecated MAIL-FROM.”

Importantly, the name and email address of each Autonomous System’s official contact for making updates with the IRRs is public information.

Korab filed a vulnerability report with Lumen demonstrating how a simple spoofed email could be used to disrupt Internet service for banks, telecommunications firms and even government entities.

“If such an attack were successful, it would result in customer IP address blocks being filtered and dropped, making them unreachable from some or all of the global Internet,” Korab said, noting that he found more than 2,000 Lumen customers were potentially affected. “This would effectively cut off Internet access for the impacted IP address blocks.”

The recent outage that took Facebook, Instagram and WhatsApp offline for the better part of a day was caused by an erroneous BGP update submitted by Facebook. That update took away the map telling the world’s computers how to find its various online properties.

Now consider the mayhem that would ensue if someone spoofed IRR updates to remove or alter routing entries for multiple e-commerce providers, banks and telecommunications companies at the same time.

“Depending on the scope of an attack, this could impact individual customers, geographic market areas, or potentially the [Lumen] backbone,” Korab continued. “This attack is trivial to exploit, and has a difficult recovery. Our conjecture is that any impacted Lumen or customer IP address blocks would be offline for 24-48 hours. In the worst-case scenario, this could extend much longer.”

Lumen told KrebsOnSecurity that it continued offering MAIL-FROM: authentication because many of its customers still relied on it due to legacy systems. Nevertheless, after receiving Korab’s report the company decided the wisest course of action was to disable MAIL-FROM: authentication altogether.

“We recently received notice of a known insecure configuration with our Route Registry,” reads a statement Lumen shared with KrebsOnSecurity. “We already had mitigating controls in place and to date we have not identified any additional issues. As part of our normal cybersecurity protocol, we carefully considered this notice and took steps to further mitigate any potential risks the vulnerability may have created for our customers or systems.”

Level3, now part of Lumen, has long urged customers to avoid using “Mail From” for authentication, but until very recently they still allowed it.

KC Claffy is the founder and director of the Center for Applied Internet Data Analysis (CAIDA), and a resident research scientist of the San Diego Supercomputer Center at the University of California, San Diego. Claffy said there is scant public evidence of a threat actor using the weakness now fixed by Lumen to hijack Internet routes.

“People often don’t notice, and a malicious actor certainly works to achieve this,” Claffy said in an email to KrebsOnSecurity. “But also, if a victim does notice, they generally aren’t going to release details that they’ve been hijacked. This is why we need mandatory reporting of such breaches, as Dan Geer has been saying for years.”

But there are plenty of examples of cybercriminals hijacking IP address blocks after a domain name associated with an email address in an IRR record has expired. In those cases, the thieves simply register the expired domain and then send email from it to an IRR specifying any route changes.

While it’s nice that Lumen is no longer the weakest link in the IRR chain, the remaining authentication mechanisms aren’t great. Claffy said after years of debate over approaches to improving routing security, the operator community deployed an alternative known as the Resource Public Key Infrastructure (RPKI).

“The RPKI includes cryptographic attestation of records, including expiration dates, with each Regional Internet Registry (RIR) operating as a ‘root’ of trust,” wrote Claffy and two other UC San Diego researchers in a paper that is still undergoing peer review. “Similar to the IRR, operators can use the RPKI to discard routing messages that do not pass origin validation checks.”

However, the additional integrity RPKI brings also comes with a fair amount of added complexity and cost, the researchers found.

“Operational and legal implications of potential malfunctions have limited registration in and use of the RPKI,” the study observed (link added). “In response, some networks have redoubled their efforts to improve the accuracy of IRR registration data. These two technologies are now operating in parallel, along with the option of doing nothing at all to validate routes.”

[1]: I borrowed some descriptive text in the 5th and 6th paragraphs from a CAIDA/UCSD draft paper — IRR Hygiene in the RPKI Era (PDF).

Further reading:

Trust Zones: A Path to a More Secure Internet Infrastructure (PDF).

Reviewing a historical Internet vulnerability: Why isn’t BGP more secure and what can we do about it? (PDF)

Arrest in ‘Ransom Your Employer’ Email Scheme

In August, KrebsOnSecurity warned that scammers were contacting people and asking them to unleash ransomware inside their employer’s network, in exchange for a percentage of any ransom amount paid by the victim company. This week, authorities in Nigeria arrested a suspect in connection with the scheme — a young man who said he was trying to save up money to help fund a new social network.

Image: Abnormal Security.

The brazen approach targeting disgruntled employees was first spotted by threat intelligence firm Abnormal Security, which described what happened after they adopted a fake persona and responded to the proposal in the screenshot above.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Abnormal’s Crane Hassold wrote.

Abnormal Security documented how it tied the email back to a Nigerian man who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram. In June 2021, the Nigerian government officially placed an indefinite ban on Twitter, restricting it from operating in Nigeria after the social media platform deleted tweets by the Nigerian president.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.

“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

After he deleted his LinkedIn profile, I received the following message through the “contact this domain holder” link at KrebsOnSecurity’s domain registrar [curiously, the date of that missive reads “Dec. 31, 1969.”]. Apparently, Mr. Krebson is a clout-chasing monger.

A love letter from the founder of the ill-fated Sociogram.

Mr. Krebson also heard from an investigator representing the Nigeria Finance CERT on behalf of the Central Bank Of Nigeria. While the Sociogram founder’s approach might seem amateurish to some, the financial community in Nigeria did not consider it a laughing matter.

On Friday, Nigerian police arrested Medayedupin. The investigator says formal charges will be levied against the defendant sometime this week.



KrebsOnSecurity spoke with a fraud investigator who is performing the forensic analysis of the devices seized from Medayedupin’s home. The investigator spoke on condition of anonymity out of concern for his physical safety.

The investigator — we’ll call him “George” — said the 23-year-old Medayedupin lives with his extended family in an extremely impoverished home, and that the young man told investigators he’d just graduated from college but turned to cybercrime at first with ambitions of merely scamming the scammers.

George’s team confirmed that Medayedupin had around USD $2,000 to his name, which he’d recently stolen from a group of Nigerian fraudsters who were scamming people for gift cards. Apparently, he admitted to creating a phishing website that tricked a member of this group into providing access to the money they’d made from their scams.

Medayedupin reportedly told investigators that for almost a week after he started emailing his ransom-your-employer scheme, nobody took him up on the offer. But after his name appeared in the news media, he received thousands of inquiries from people interested in his idea.

George described Medayedupin as smart, a quick learner, and fairly dedicated to his work.

“He seems like he could be a fantastic [employee] for a company,” George said. “But there is no employment here, so he chose to do this.”

What’s interesting about this case — and indeed likely why anyone thought this guy worthy of arrest — is that the Nigerian authorities were fairly swift to take action when a domestic cybercriminal raised the specter of causing financial losses for its own banks.

After all, the majority of the cybercrime that originates from Africa — think romance scams, Business Email Compromise (BEC) fraud, and unemployment/pandemic loan fraud — does not target Nigerian citizens, nor does it harm African banks. On the contrary: This activity pumps a great deal of Western money into Nigeria.

How much money are we talking about? The financial losses from these scams dwarf other fraud categories — such as identity theft or credit card fraud. According to the FBI’s Internet Crime Complaint Center (IC3), consumers and businesses reported more than $4.2 billion in losses tied to cybercrime in 2020, and BEC fraud and romance scams alone accounted for nearly 60 percent of those losses.

Source: FBI/IC3 2020 Internet Crime Report.

If the influx of a few billion US dollars into the Nigerian economy each year from cybercrime seems somehow insignificant, consider that (according to George) the average police officer in the country makes the equivalent of less than USD $100 a month.

Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind BEC scams. Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria.

Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to 2020 findings from Transparency International.

“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said, in a June 2021 interview. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”

The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

Last week’s story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. Here’s what one of those scam messages looks like:

Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”

The fraudster then uses the code to complete the password reset process, and then changes the victim’s online banking password. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.

“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.” [Curious if your financial institution uses Zelle? Check out their partner list here].

Otsuka said credit unions offering other peer-to-peer banking products have also been targeted, but that fraudsters prefer to target Zelle due to the speed of the payments.

“The fraud losses can escalate quickly due to the sheer number of members that can be targeted on a single day over the course of consecutive days,” Otsuka said.

To combat this scam Zelle introduced out-of-band authentication with transaction details. This involves sending the member a text containing the details of a Zelle transfer – payee and dollar amount – that is initiated by the member. The member must authorize the transfer by replying to the text.

Unfortunately, Otsuka said, the scammers are defeating this layered security control as well.

“The fraudsters follow the same tactics except they may keep the members on the phone after getting their username and 2-step authentication passcode to login to the accounts,” he said. “The fraudster tells the member they will receive a text containing details of a Zelle transfer and the member must authorize the transaction under the guise that it is for reversing the fraudulent debit card transaction(s).”

In this scenario, the fraudster actually enters a Zelle transfer that triggers the following text to the member, which the member is asked to authorize: For example:

“Send $200 Zelle payment to Boris Badenov? Reply YES to send, NO to cancel. ABC Credit Union . STOP to end all messages.”

“My team has consulted with several credit unions that rolled Zelle out or our planning to introduce Zelle,” Otsuka said. “We found that several credit unions were hit with the scam the same month they rolled it out.”

The upshot of all this is that many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. Bob Sullivan, a veteran journalist who writes about fraud and consumer issues, says in many cases banks are giving customers incorrect and self-serving opinions after the thefts.

“Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a recent Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.”

Sullivan notes that the Consumer Financial Protection Bureau (CFPB) recently announced it was conducting a probe into companies operating payments systems in the United States, with a special focus on platforms that offer fast, person-to-person payments.

“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in its Oct. 21 notice. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection under law.”

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to BigTechPaymentsInquiry@cfpb.gov. Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.