Login
On Dec. 18, 2013, KrebsOnSecurity broke the news that U.S. retail giant Target was battling a wide-ranging computer intrusion that compromised more than 40 million customer payment cards over the previous month. The malware used in the Target breach included the text string “Rescator,” which also was the handle chosen by the cybercriminal who was selling all of the cards stolen from Target customers. Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator.
Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang’s.
Shortly after breaking the Target story, KrebsOnSecurity reported that Rescator appeared to be a hacker from Ukraine. Efforts to confirm my reporting with that individual ended when they declined to answer questions, and after I declined to accept a bribe of $10,000 not to run my story.
That reporting was based on clues from an early Russian cybercrime forum in which a hacker named Rescator — using the same profile image that Rescator was known to use on other forums — claimed to have originally been known as “Helkern,” the nickname chosen by the administrator of a cybercrime forum called Darklife.
KrebsOnSecurity began revisiting the research into Rescator’s real-life identity in 2018, after the U.S. Department of Justice unsealed an indictment that named a different Ukrainian man as Helkern.
It may be helpful to first recap why Rescator is thought to be so closely tied to the Target breach. For starters, the text string “Rescator” was found in some of the malware used in the Target breach. Investigators would later determine that a variant of the malware used in the Target breach was used in 2014 to steal 56 million payment cards from Home Depot customers. And once again, cards stolen in the Home Depot breach were sold exclusively at Rescator’s shops.
On Nov. 25, 2013, two days before Target said the breach officially began, Rescator could be seen in instant messages hiring another forum member to verify 400,000 payment cards that Rescator claimed were freshly stolen.
By the first week of December 2013, Rescator’s online store — rescator[.]la — was selling more than six million payment card records stolen from Target customers. Prior to the Target breach, Rescator had mostly sold much smaller batches of stolen card and identity data, and the website allowed cybercriminals to automate the sending of fraudulent wire transfers to money mules based in Lviv, Ukraine.
Finally, there is some honor among thieves, and in the marketplace for stolen payment card data it is considered poor form to advertise a batch of cards as “yours” if you are merely reselling cards sold to you by a third-party card vendor or thief. When serious stolen payment card shop vendors wish to communicate that a batch of cards is uniquely their handiwork or that of their immediate crew, they refer to it as “our base.” And Rescator was quite clear in his advertisements that these millions of cards were obtained firsthand.
The new clues about Rescator’s identity came into focus when I revisited the reporting around an April 2013 story here that identified the author of the OSX Flashback Trojan, an early Mac malware strain that quickly spread to more than 650,000 Mac computers worldwide in 2012.
That story about the Flashback author was possible because a source had obtained a Web browser authentication cookie for a founding member of a Russian cybercrime forum called BlackSEO. Anyone in possession of that cookie could then browse the invite-only BlackSEO forum and read the user’s private messages without having to log in.
BlackSEO.com VIP member “Mavook” tells forum admin Ika in a private message that he is the Flashback author.
The legitimate owner of that BlackSEO user cookie went by the nickname Ika, and Ika’s private messages on the forum showed he was close friends with the Flashback author. At the time, Ika also was the administrator of Pustota[.]pw — a closely-guarded Russian forum that counted among its members some of the world’s most successful and established spammers and malware writers.
For many years, Ika held a key position at one of Russia’s largest Internet service providers, and his (mostly glowing) reputation as a reliable provider of web hosting to the Russian cybercrime community gave him an encyclopedic knowledge about nearly every major player in that scene at the time.
The story on the Flashback author featured redacted screenshots that were taken from Ika’s BlackSEO account (see image above). The day after that story ran, Ika posted a farewell address to his mates, expressing shock and bewilderment over the apparent compromise of his BlackSEO account.
In a lengthy post on April 4, 2013 titled “I DON’T UNDERSTAND ANYTHING,” Ika told Pustota forum members he was so spooked by recent events that he was closing the forum and quitting the cybercrime business entirely. Ika recounted how the Flashback story had come the same week that rival cybercriminals tried to “dox” him (their dox named the wrong individual, but included some of Ika’s more guarded identities).
“It’s no secret that karma farted in my direction,” Ika said at the beginning of his post. Unbeknownst to Ika at the time, his Pustota forum also had been completely hacked that week, and a copy of its database shared with this author.
A Google translated version of the farewell post from Ika, the administrator of Pustota, a Russian language cybercrime forum focused on botnets and spam. Click to enlarge.
Ika said the two individuals who tried to dox him did so on an even more guarded Russian language forum — DirectConnection[.]ws, perhaps the most exclusive Russian cybercrime community ever created. New applicants of this forum had to pay a non-refundable deposit, and receive vouches by three established cybercriminals already on the forum. Even if one managed to steal (or guess) a user’s DirectConnection password, the login page could not be reached unless the visitor also possessed a special browser certificate that the forum administrator gave only to approved members.
In no uncertain terms, Ika declared that Rescator went by the nickname MikeMike on DirectConnection:
“I did not want to bring any of this to real life. Especially since I knew the patron of the clowns – specifically Pavel Vrublevsky. Yes, I do state with confidence that the man with the nickname Rescator a.k.a. MikeMike with his partner Pipol have been Pavel Vrublevsky’s puppets for a long time.”
Pavel Vrublevsky is a convicted cybercriminal who became famous as the CEO of the Russian e-payments company ChronoPay, which specialized in facilitating online payments for a variety of “high-risk” businesses, including gambling, pirated Mp3 files, rogue antivirus software and “male enhancement” pills.
As detailed in my 2014 book Spam Nation, Vrublevsky not-so-secretly ran a pharmacy affiliate spam program called Rx-Promotion, which paid spammers and virus writers to blast out tens of billions of junk emails advertising generic Viagra and controlled pharmaceuticals like pain relief medications. Much of my reporting on Vrublevsky’s cybercrime empire came from several years worth of internal ChronoPay emails and documents that were leaked online in 2010 and 2011.
Pavel Vrublevsky’s former Facebook profile photo.
In 2014, KrebsOnSecurity learned from a trusted source close to the Target breach investigation that the user MikeMike on DirectConnection — the same account that Ika said belonged to Rescator — used the email address “zaxvatmira@gmail.com.”
At the time, KrebsOnSecurity could not connect that email address to anything or anyone. However, a recent search on zaxvatmira@gmail.com at the breach tracking service Constella Intelligence returns just one result: An account created in November 2010 at the site searchengines[.]ru under the handle “r-fac1.”
A search on “r-fac1” at cyber intelligence firm Intel 471 revealed that this user’s introductory post on searchengines[.]ru advertised musictransferonline[.]com, an affiliate program that paid people to drive traffic to sites that sold pirated music files for pennies apiece.
According to leaked ChronoPay emails from 2010, this domain was registered and paid for by ChronoPay. Those missives also show that in August 2010 Vrublevsky authorized a payment of ~$1,200 for a multi-user license of an Intranet service called MegaPlan.
ChronoPay used the MegaPlan service to help manage the sprawling projects that Vrublevsky referred to internally as their “black” payment processing operations, including pirated pills, porn, Mp3s, and fake antivirus products. ChronoPay employees used their MegaPlan accounts to track payment disputes, order volumes, and advertising partnerships for these high-risk programs.
Borrowing a page from the Quentin Tarantino movie Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these employees had their MegaPlan account messages automatically forwarded to their real ChronoPay email accounts.
A screen shot of the org chart from ChronoPay’s MegaPlan Intranet system.
When ChronoPay’s internal emails were leaked in 2010, the username and password for its MegaPlan subscription were still working and valid. An internal user directory for that subscription included the personal (non-ChronoPay) email address tied to each employee Megaplan nickname. That directory listing said the email address zaxvatmira@gmail.com was assigned to the head of the Media/Mp3 division for ChronoPay, pictured at the top left of the organizational chart above as “Babushka Vani and Koli.”
[Author’s note: I initially overlooked the presence of the email address zaxvatmira@gmail.com in my notes because it did not show up in text searches of my saved emails, files or messages. I rediscovered it recently when a text search for zaxvatmira@gmail.com on my Mac found the address in a screenshot of the ChronoPay MegaPlan interface.]
The nickname two rungs down from “Babushka” in the ChronoPay org chart is “Lev Tolstoy,” which the MegaPlan service showed was picked by someone who used the email address v.zhabukin@freefrog-co-ru.
ChronoPay’s emails show that this Freefrog email address belongs to a Vasily Borisovich Zhabykin from Moscow. The Russian business tracking website rusprofile[.]ru reports that Zhabykin is or was the supervisor or owner of three Russian organizations, including one called JSC Hot Spot.
[Author’s note: The word “babushka” means “grandma” in Russian, and it could be that this nickname is a nod to the ChronoPay CEO’s wife, Vera. The leaked ChronoPay emails show that Vera Vrublevsky managed a group of hackers working with their media division, and was at least nominally in charge of MP3 projects for ChronoPay. Indeed, in messages exposed by the leaked ChronoPay email cache, Zhabykin stated that he was “directly subordinate” to Mrs. Vrublevsky].
JSC Hot Spot is interesting because its co-founder is another ChronoPay employee: 37-year-old Mikhail “Mike” Shefel. A Facebook profile for Mr. Shefel says he is or was vice president of payment systems at ChronoPay. However, the last update on that profile is from 2018, when Shefel appears to have legally changed his last name.
Archive.org shows that Hot Spot’s website — myhotspot[.]ru — sold a variety of consulting services, including IT security assessments, code and system audits, and email marketing. The earliest recorded archive of the Hot Spot website listed three clients on its homepage, including ChronoPay and Freefrog.
ChronoPay internal emails show that Freefrog was one of its investment projects that facilitated the sale of pirated Mp3 files. Rusprofile[.]ru reports that Freefrog’s official company name — JSC Freefrog — is incorporated by a thinly-documented entity based in the Seychelles called Impex Consulting Ltd., and it is unclear who its true owners are.
However, a search at DomainTools.com on the phone number listed on the homepage of myhotspot[.]ru (74957809554) reveals that number is associated with eight domain names.
Six of those domains are some variation of FreeFrog. Another domain registered to that phone number is bothunter[.]me, which included a copyright credit to “Hot Spot 2011.” At the annual Russian Internet Week IT convention in Moscow in 2012, Mr. Shefel gave a short presentation about bothunter, which he described as a service he designed to identify inauthentic (bot) accounts on Russian social media networks.
Interestingly, one of r-fac1’s first posts to Searchengines[.]ru a year earlier saw this user requesting help from other members who had access to large numbers of hacked social media accounts. R-fac1 told forum members that he was only looking to use those accounts to post harmless links and comments to the followers of the hacked profiles, and his post suggested he was testing something.
“Good afternoon,” r-fac1 wrote on Dec. 20, 2010. “I’m looking for people with their own not-recently-registered accounts on forums, (except for search) Social networks, Twitter, blogs, their websites. Tasks, depending on your accounts, post text and a link, sometimes just a link. Most often the topic is chatter, relaxation, discussion. Posting my links in your profiles, on your walls. A separate offer for people with a large set of contacts in instant messengers to try to use viral marketing.”
Neither Mr. Shefel nor Mr. Zhabykin responded to requests for comment.
Mr. Zhabykin soon moved on to bigger ventures, co-founding a cryptocurrency exchange based in Moscow’s financial center called Suex. In September 2021, Suex earned the distinction of becoming the first crypto firm to be sanctioned by the U.S. Department of the Treasury, which effectively blocked Suex from the global financial system. The Treasury alleged Suex helped to process millions in criminal transactions, including the proceeds of numerous ransomware attacks.
“I don’t understand how I got mixed up in this,” Zhabykin told The New York Times in 2021. Zhabykin said Suex, which is registered in the Czech Republic, was mostly a failure and had conducted only a half dozen or so transactions since 2019.
The Russian business tracking service Rusprofile says Zhabykin also is the owner of a company based in the United Kingdom called RideWithLocal; the company’s website says it specializes in arranging excursions for extreme sports, including snowboarding, skiing, surfing and parasailing. Images from the RideWithLocal Facebook page show helicopters dropping snowboarders and skiers atop some fairly steep mountains.
A screenshot from the Facebook page of RideWithLocal.
Constella Intelligence found a cached copy of a now-deleted LinkedIn profile for Mr. Zhabykin, who described himself as a “sporttech/fintech specialist and mentor.”
“I create products and services worldwide, focusing on innovation and global challenges,” his LinkedIn profile said. “I’ve started my career in 2002 and since then I worked in Moscow, different regions of Russia, including Siberia and in Finland, Brazil, United Kingdom, Sri Lanka. Over the last 15 years I contributed to many amazing products in the following industries: sports, ecology, sport tech, fin tech, electronic payments, big data, telecommunications, pulp and paper industry, wood processing and travel. My specialities are Product development, Mentorship, Strategy and Business development.”
Rusprofile reports that Mikhail Borisovich Shefel is associated with at least eight current or now-defunct companies in Russia, including Dengi IM (Money IM), Internet Capital, Internet Lawyer, Internet 2, Zao Hot Spot, and (my personal favorite) an entity incorporated in 2021 called “All the Money in the World.”
Constella Intelligence found several official documents for Mr. Shefel that came from hacked Russian phone, automobile and residence records. They indicate Mr. Shefel is the registrant of a black Porsche Cayenne (Plate:X537SR197) and a Mercedes (Plate:P003PX90). Those vehicle records show Mr. Shefel was born on May 28, 1986.
Rusprofile reveals that at some point near the end of 2018, Shefel changed his last name to Lenin. DomainTools reports that in 2018, Mr. Shefel’s company Internet 2 LLC registered the domain name Lenin[.]me. This now-defunct service sold physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union.
Meanwhile, Pavel Vrublevsky remains imprisoned in Russia, awaiting trial on fraud charges levied against the payment company CEO in March 2022. Authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.
In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top spammers and botmasters to launch a distributed denial-of-service (DDoS) attack against a ChronoPay competitor that shut down the ticketing system for the state-owned Aeroflot airline.
Following his release, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.
KrebsOnSecurity sought comment on this research from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service, both of which have been involved in the Target breach investigation over the years. The FBI declined to comment. The Secret Service declined to confirm or dispute any of the findings, but said it is still interested in hearing from anyone who might have more information.
“The U.S. Secret Service does not comment on any open investigation and won’t confirm or deny the accuracy in any reporting related to a criminal manner,” the agency said in a written statement. “However, If you have any information relating to the subjects referenced in this article, please contact the U.S. Secret Service at mostwanted@usss.dhs.gov. The Secret Service pays a reward for information leading to the arrest of cybercriminals.”
As with any major holiday or special occasion, Valentine’s Day is unfortunately not immune to scammers looking for an opportunity to exploit unsuspecting individuals. Their deceitful acts can break hearts and bank accounts. In this article, we spotlight some common Valentine’s Day scams, offer tips on how to protect yourself and navigate this romantic day with confidence and caution.
Valentine’s Day is a time when love is in the air. It’s a time to express your feelings for that special someone in your life, or perhaps even embark on a new romantic journey. But while you’re busy planning that perfect dinner or choosing the ideal gift, there’s an unromantic side to the day that you should be aware of – the potential for scams.
Scammers, always looking for new ways to trick people into parting with their money, use the heightened emotions of Valentine’s Day to their advantage. They prey on the unwary, the love-struck, and even the lonely – anyone who might let their guard down in the quest for love or the pursuit of the perfect gift. And in our increasingly digital world, these unscrupulous individuals have more ways than ever to reach potential victims.
→ Dig Deeper: AI Goes Dating: McAfee Study Shows 1 in 3 Men Plan to Use Artificial Intelligence to Write Love Letters this Valentine’s Day
Knowledge is power, as the saying goes, and that’s certainly true when it comes to protecting yourself from scams. By understanding the types of scams that are common around Valentine’s Day, you can be better prepared to spot them – and avoid falling victim.
One of the most common Valentine’s Day scams is the romance scam. Scammers, often posing as potential love interests on dating websites or social media, manipulate victims into believing they are in a romantic relationship. Once they have gained their victim’s trust, they ask for money – perhaps to pay for a flight so they can meet in person, or because of a sudden personal crisis. These scams can be emotionally devastating, and they can also result in significant financial loss.
→ Dig Deeper: Fraudulent Adult Dating Services Turn 10 Years Old, Still Evolving
Another popular scam around Valentine’s Day involves online shopping. With many people seeking the perfect gift for their loved ones, scammers set up fake websites that appear to sell everything from jewelry to concert tickets. After making a purchase, the unsuspecting victim either receives a counterfeit product or, in some cases, nothing at all. Additionally, these sites may be designed to steal credit card information or other personal data.
Phishing scams are also common. In these scams, victims receive emails that appear to be from a legitimate company – perhaps a florist or a candy company – asking them to confirm their account information or to click on a link. The goal is to steal sensitive information, such as credit card numbers or login credentials.
While the existence of these scams is unquestionably concerning, the good news is that there are steps you can take to protect yourself. Valentine’s Day should be a celebration of love, not a source of stress and worry.
One of the most important is to be aware that these scams exist and to be cautious when interacting with unfamiliar people or websites. If something seems too good to be true, it probably is.
When shopping online, make sure the website you are using is secure, and consider using a credit card, which offers greater protection against fraud compared to other forms of payment. Be wary of emails from unknown sources, especially those that ask for personal information or urge you to click on a link.
For shopping scams, it’s recommended to do research on any unfamiliar online retailer before making a purchase. Look for reviews or complaints about the retailer on independent consumer websites. If the website is offering items at a price that seems too good to be true, it likely is. Also, consider the website’s URL. A URL that begins with ‘https://’ indicates that the website encrypts user information, making it safer to input sensitive information than on websites with ‘http://’ URLs.
Forewarned is forearmed, and having advanced strategies to detect and avoid scams is also a strong line of defense. When it comes to online dating, be sure to thoroughly vet any potential romantic interests. This involves doing a reverse image search of profile photos, which can quickly reveal if a picture has been stolen from another online source. Additionally, be aware of red flags such as overly-flattering messages or requests to move the conversation to a private email or messaging app.
McAfee Pro Tip: If you’re considering using one of these for a bit of dating beyond a dating app or simply to stay connected with family and friends, the key advice is to do your homework. Look into their security measures and privacy policies, especially because some have faced security issues recently. For more information, take a look at this article on video conferencing to ensure you can keep hackers and uninvited guests away when you’re chatting.
If you come across a scam or fall victim to one, it’s crucial to report it to the appropriate authorities. This helps law enforcement track down scammers and alert others to the scam. In the U.S., you can report scams to the Federal Trade Commission through their website. If the scam involves a financial transaction, also report it to your bank or credit card company. They may be able to help recover your funds or prevent further losses.
Additionally, take steps to protect yourself after falling victim to a scam. This could involve changing passwords, monitoring your financial accounts for unusual activity, or even freezing your credit. It can also be beneficial to alert your friends and family to the scam, both to protect them and to gain their support and assistance in dealing with the aftermath of the scam.
→ Dig Deeper: How To Report An Online Scam
The unfortunate reality is that scammers are ever-present and always looking for new ways to exploit unsuspecting victims. However, by being informed, cautious, and proactive, you can significantly decrease your chances of falling victim to a Valentine’s Day scam. Whether you’re looking for love or shopping for the perfect gift, remember to always prioritize your safety and security.
And if you do encounter a scam, take comfort in knowing that you’re not alone and there are resources available to help. McAfee’s blogs and reports are just some of them. By reporting scams to the authorities, you’re doing your part to help stop scammers in their tracks and protect others from falling victim. Remember, Valentine’s Day is a day for celebrating love, not for worrying about scammers. Stay safe, stay informed, and don’t let a scammer ruin your Valentine’s Day.
Remember to always stay vigilant. Protect your heart and your bank account, and make sure your Valentine’s Day is filled with love and happiness, not regret and frustration. Don’t let scammers break your heart or your bank account – on Valentine’s Day or on any other day.
The post Valentine’s Alert: Don’t Let Scammers Break Your Heart or Your Bank Account appeared first on McAfee Blog.
When KrebsOnSecurity broke the news on Oct. 20, 2023 that identity and authentication giant Okta had suffered a breach in its customer support department, Okta said the intrusion allowed hackers to steal sensitive data from fewer than one percent of its 18,000+ customers. But today, Okta revised that impact statement, saying the attackers also stole the name and email address for nearly all of its customer support users.
Okta acknowledged last month that for several weeks beginning in late September 2023, intruders had access to its customer support case management system. That access allowed the hackers to steal authentication tokens from some Okta customers, which the attackers could then use to make changes to customer accounts, such as adding or modifying authorized users.
In its initial incident reports about the breach, Okta said the hackers gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta’s customer base.
But in an updated statement published early this morning, Okta said it determined the intruders also stole the names and email addresses of all Okta customer support system users.
“All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor),” Okta’s advisory states. “The Auth0/CIC support case management system was also not impacted by this incident.”
Okta said that for nearly 97 percent of users, the only contact information exposed was full name and email address. That means about three percent of Okta customer support accounts had one or more of the following data fields exposed (in addition to email address and name): last login; username; phone number; SAML federation ID; company name; job role; user type; date of last password change or reset.
Okta notes that a large number of the exposed accounts belong to Okta administrators — IT people responsible for integrating Okta’s authentication technology inside customer environments — and that these individuals should be on guard for targeted phishing attacks.
“Many users of the customer support system are Okta administrators,” Okta pointed out. “It is critical that these users have multi-factor authentication (MFA) enrolled to protect not only the customer support system, but also to secure access to their Okta admin console(s).”
While it may seem completely bonkers that some companies allow their IT staff to operate company-wide authentication systems using an Okta administrator account that isn’t protected with MFA, Okta said fully six percent of its customers (more than 1,000) persist in this dangerous practice.
In a previous disclosure on Nov. 3, Okta blamed the intrusion on an employee who saved the credentials for a service account in Okta’s customer support infrastructure to their personal Google account, and said it was likely those credentials were stolen when the employee’s personal device using the same Google account was compromised.
Unlike standard user accounts, which are accessed by humans, service accounts are mostly reserved for automating machine-to-machine functions, such as performing data backups or antivirus scans every night at a particular time. For this reason, they can’t be locked down with multifactor authentication the way user accounts can.
Dan Goodin over at Ars Technica reckons this explains why MFA wasn’t set up on the compromised Okta service account. But as he rightly points out, if a transgression by a single employee breaches your network, you’re doing it wrong.
“Okta should have put access controls in place besides a simple password to limit who or what could log in to the service account,” Goodin wrote on Nov. 4. “One way of doing this is to put a limit or conditions on the IP addresses that can connect. Another is to regularly rotate access tokens used to authenticate to service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people inside Okta.”
Goodin suggested that people who want to delve further into various approaches for securing service accounts should read this thread on Mastodon.
“A fair number of the contributions come from security professionals with extensive experience working in sensitive cloud environments,” Goodin wrote.
One of the cybercrime underground’s more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned.
Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. For prices ranging from $8 to $40 and payable via virtual currency, the bot will return detailed consumer background reports automatically in just a few moments.
USiSLookups is the project of a cybercriminal who uses the nicknames JackieChan/USInfoSearch, and the Telegram channel for this service features a small number of sample background reports, including that of President Joe Biden, and podcaster Joe Rogan. The data in those reports includes the subject’s date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver’s license information.
JackieChan’s service abuses the name and trademarks of Columbus, OH based data broker USinfoSearch, whose website says it provides “identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more.”
“We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it,” the company’s website explains. “Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client.”
As luck would have it, my report was also listed in the Telegram channel for this identity fraud service, presumably as a teaser for would-be customers. On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data.
USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023. On Nov. 9, 2023, Scott Hostettler, general manager of USinfoSearch parent Martin Data LLC shared a written statement about their investigation that suggested the ID theft service was trying to pass off someone else’s consumer data as coming from USinfoSearch:
Regarding the Telegram incident, we understand the importance of protecting sensitive information and upholding the trust of our users is our top priority. Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those who are legally permitted, unauthorized parties will continue to try to access our data. Thankfully, the requirements needed to pass our credentialing process is tough even for established honest companies.
USinfoSearch’s statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts, or whether my report had actually come from USinfoSearch’s systems.
After much badgering, on Nov. 21 Hostettler acknowledged that the USinfoSearch identity fraud service on Telegram was in fact pulling data from an account belonging to a vetted USinfoSearch client.
“I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client,” Hostettler said of the Telegram-based identity fraud service. “I apologize for any inconvenience this has caused.”
Hostettler said USinfoSearch heavily vets any new potential clients, and that all users are required to undergo a background check and provide certain documents. Even so, he said, several fraudsters each month present themselves as credible business owners or C-level executives during the credentialing process, completing the application and providing the necessary documentation to open a new account.
“The level of skill and craftsmanship demonstrated in the creation of these supporting documents is incredible,” Hostettler said. “The numerous licenses provided appear to be exact replicas of the original document. Fortunately, I’ve discovered several methods of verification that do not rely solely on those documents to catch the fraudsters.”
“These people are unrelenting, and they act without regard for the consequences,” Hostettler continued. “After I deny their access, they will contact us again within the week using the same credentials. In the past, I’ve notified both the individual whose identity is being used fraudulently and the local police. Both are hesitant to act because nothing can be done to the offender if they are not apprehended. That is where most attention is needed.”
JackieChan is most active on Telegram channels focused on “SIM swapping,” which involves bribing or tricking mobile phone company employees into redirecting a target’s phone number to a device the attackers control. SIM swapping allows crooks to temporarily intercept the target’s text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS.
Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world, and that the bulk of his customers use his service via an application programming interface (API) that allows customers to integrate the lookup service with other web-based services, databases, or applications.
“Sim channels is where I get most of my customers,” JackieChan told KrebsOnSecurity. “I’m averaging around 100 lookups per day on the [Telegram] bot, and around 400 per day on the API.”
JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time.
This is not the first time USinfoSearch has had trouble with identity thieves masquerading as legitimate customers. In 2013, KrebsOnSecurity broke the news that an identity fraud service in the underground called “SuperGet[.]info” was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big-three credit bureau Experian.
The consumer data resold by Superget was not obtained directly from Experian, but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data, and vice versa.
When Court Ventures was purchased by Experian in 2012, the proprietor of SuperGet — a Vietnamese hacker named Hieu Minh Ngo who had impersonated an American private investigator — was grandfathered in as a client. The U.S. Secret Service agent who oversaw Ngo’s capture, extradition, prosecution and rehabilitation told KrebsOnSecurity he’s unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.
JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can come in handy for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Hence, Mr. Hostettler’s ongoing battle with fraudsters seeking access to his company’s service.
These police credentials are mainly marketed to criminals seeking fraudulent “Emergency Data Requests,” wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs and social media companies.
Normally, these companies will require law enforcement officials to supply a subpoena before turning over customer or user records. But EDRs allow police to bypass that process by attesting that the information sought is related to an urgent matter of life and death, such as an impending suicide or terrorist attack.
In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information, and other attributes of the requestor.
For example, if you want to send an EDR to Coinbase or Twilio, you’ll first need to have valid law enforcement credentials and create an account at the Kodex online portal at these companies. However, Kodex may still throttle or block any requests from any accounts if they set off certain red flags.
Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.
In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access.
Kodex co-founder Matt Donahue told KrebsOnSecurity his company immediately detected that the law enforcement email address used to create the Kodex account pictured in JackieChan’s ad was likely stolen from a police officer in India. One big tipoff, Donahue said, was that the person creating the account did so using an Internet address in Brazil.
“There’s a lot of friction we can put in the way for illegitimate actors,” Donahue said. “We don’t let people use VPNs. In this case we let them in to honeypot them, and that’s how they got that screenshot. But nothing was allowed to be transmitted out from that account.”
Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell “non-FCRA” data — i.e., consumer data that cannot be used for the purposes of determining one’s eligibility for credit, insurance, or employment.
Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to “skip tracers,” essentially bounty hunters hired to locate others in real life — often on behalf of debt collectors, process servers or a bail bondsman.
There are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone. And the harsh reality is that all it takes for hackers to apply for access to data brokers (and abuse the EDR process) is illicit access to a single police email account.
The trouble is, compromised credentials to law enforcement email accounts show up for sale with alarming frequency on the Telegram channels where JackieChan and their many clients reside. Indeed, Donahue said Kodex so far this year has identified attempted fake EDRs coming from compromised email accounts for police departments in India, Italy, Thailand and Turkey.
When we come across the term Artificial Intelligence (AI), our mind often ventures into the realm of sci-fi movies like I, Robot, Matrix, and Ex Machina. We’ve always perceived AI as a futuristic concept, something that’s happening in a galaxy far, far away. However, AI is not only here in our present but has also been a part of our lives for several years in the form of various technological devices and applications.
In our day-to-day lives, we use AI in many instances without even realizing it. AI has permeated into our homes, our workplaces, and is at our fingertips through our smartphones. From cell phones with built-in smart assistants to home assistants that carry out voice commands, from social networks that determine what content we see to music apps that curate playlists based on our preferences, AI has its footprints everywhere. Therefore, it’s integral to not only embrace the wows of this impressive technology but also understand and discuss the potential risks associated with it.
→ Dig Deeper: Artificial Imposters—Cybercriminals Turn to AI Voice Cloning for a New Breed of Scam
AI, a term that might sound intimidating to many, is not so when we understand it. It is essentially technology that can be programmed to achieve certain goals without assistance. In simple words, it’s a computer’s ability to predict, process data, evaluate it, and take necessary action. This smart way of performing tasks is being implemented in education, business, manufacturing, retail, transportation, and almost every other industry and cultural sector you can think of.
AI has been doing a lot of good too. For instance, Instagram, the second most popular social network, is now deploying AI technology to detect and combat cyberbullying in both comments and photos. No doubt, AI is having a significant impact on everyday life and is poised to metamorphose the future landscape. However, alongside its benefits, AI has brought forward a set of new challenges and risks. From self-driving cars malfunctioning to potential jobs lost to AI robots, from fake videos and images to privacy breaches, the concerns are real and need timely discussions and preventive measures.
AI has made it easier for people to face-swap within images and videos, leading to “deep fake” videos that appear remarkably realistic and often go viral. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. While this displays the power of AI technology, it also brings to light the responsibility and critical thinking required when consuming and sharing online content.
→ Dig Deeper: The Future of Technology: AI, Deepfake, & Connected Devices
Yet another concern raised by AI is privacy breaches. The Cambridge Analytica/Facebook scandal of 2018, alleged to have used AI technology unethically to collect Facebook user data, serves as a reminder that our private (and public) information can be exploited for financial or political gain. Thus, it becomes crucial to discuss and take necessary steps like locking down privacy settings on social networks and being mindful of the information shared in the public feed, including reactions and comments on other content.
McAfee Pro Tip: Cybercriminals employ advanced methods to deceive individuals, propagating sensationalized fake news, creating deceptive catfish dating profiles, and orchestrating harmful impersonations. Recognizing sophisticated AI-generated content can pose a challenge, but certain indicators may signal that you’re encountering a dubious image or interacting with a perpetrator operating behind an AI-generated profile. Know the indicators.
With the advent of AI, cybercrime has found a new ally. As per McAfee’s Threats Prediction Report, AI technology might enable hackers to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activities. Moreover, AI-generated phishing emails are scamming people into unknowingly handing over sensitive data.
→ Dig Deeper: How to Keep Your Data Safe From the Latest Phishing Scam
Bogus emails are becoming highly personalized and can trick intelligent users into clicking malicious links. Given the sophistication of these AI-related scams, it is vital to constantly remind ourselves and our families to be cautious with every click, even those from known sources. The need to be alert and informed cannot be overstressed, especially in times when AI and cybercrime often seem to be two sides of the same coin.
As homes evolve to be smarter and synced with AI-powered Internet of Things (IoT) products, potential threats have proliferated. These threats are not limited to computers and smartphones but extend to AI-enabled devices such as voice-activated assistants. According to McAfee’s Threat Prediction Report, these IoT devices are particularly susceptible as points of entry for cybercriminals. Other devices at risk, as highlighted by security experts, include routers, and tablets.
This means we need to secure all our connected devices and home internet at its source – the network. Routers provided by your ISP (Internet Security Provider) are often less secure, so consider purchasing your own. As a primary step, ensure that all your devices are updated regularly. More importantly, change the default password on these devices and secure your primary network along with your guest network with strong passwords.
Having an open dialogue about AI and its implications is key to navigating through the intricacies of this technology. Parents need to have open discussions with kids about the positives and negatives of AI technology. When discussing fake videos and images, emphasize the importance of critical thinking before sharing any content online. Possibly, even introduce them to the desktop application FakeApp, which allows users to swap faces within images and videos seamlessly, leading to the production of deep fake photos and videos. These can appear remarkably realistic and often go viral.
Privacy is another critical area for discussion. After the Cambridge Analytica/Facebook scandal of 2018, the conversation about privacy breaches has become more significant. These incidents remind us how our private (and public) information can be misused for financial or political gain. Locking down privacy settings, being mindful of the information shared, and understanding the implications of reactions and comments are all topics worth discussing.
Awareness and knowledge are the best tools against AI-enabled cybercrime. Making families understand that bogus emails can now be highly personalized and can trick even the most tech-savvy users into clicking malicious links is essential. AI can generate phishing emails, scamming people into handing over sensitive data. In this context, constant reminders to be cautious with every click, even those from known sources, are necessary.
→ Dig Deeper: Malicious Websites – The Web is a Dangerous Place
The advent of AI has also likely allowed hackers to bypass security measures on networks undetected, leading to data breaches, malware attacks, and ransomware. Therefore, being alert and informed is more than just a precaution – it is a vital safety measure in the digital age.
Artificial Intelligence has indeed woven itself into our everyday lives, making things more convenient, efficient, and connected. However, with these advancements come potential risks and challenges. From privacy breaches, and fake content, to AI-enabled cybercrime, the concerns are real and need our full attention. By understanding AI better, having open discussions, and taking appropriate security measures, we can leverage this technology’s immense potential without falling prey to its risks. In our AI-driven world, being informed, aware, and proactive is the key to staying safe and secure.
To safeguard and fortify your online identity, we strongly recommend that you delve into the extensive array of protective features offered by McAfee+. This comprehensive cybersecurity solution is designed to provide you with a robust defense against a wide spectrum of digital threats, ranging from malware and phishing attacks to data breaches and identity theft.
The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blog.
Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a “very small number” of customers, however it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.
In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”
Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because they can include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users.
“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” their notice continued. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
The security firm BeyondTrust is among the Okta customers who received Thursday’s alert from Okta. BeyondTrust Chief Technology Officer Marc Maiffret said that alert came more than two weeks after his company alerted Okta to a potential problem.
Maiffret emphasized that BeyondTrust caught the attack earlier this month as it was happening, and that none of its own customers were affected. He said that on Oct 2., BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment.
When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that — just 30 minutes prior to the unauthorized activity — one of their support engineers shared with Okta one of these HAR files that contained a valid Okta session token, Maiffret said.
“Our admin sent that [HAR file] over at Okta’s request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to act on behalf of that user,” he said.
Maiffret said BeyondTrust followed up with Okta on Oct. 3 and said they were fairly confident Okta had suffered an intrusion, and that he reiterated that conclusion in a phone call with Okta on October 11 and again on Oct. 13.
In an interview with KrebsOnSecurity, Okta’s Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a result of a breach in its systems. But she said that by Oct. 17, the company had identified and contained the incident — disabling the compromised customer case management account, and invalidating Okta access tokens associated with that account.
Wylie declined to say exactly how many customers received alerts of a potential security issue, but characterized it as a “very, very small subset” of its more than 18,000 customers.
The disclosure from Okta comes just weeks after casino giants Caesar’s Entertainment and MGM Resorts were hacked. In both cases, the attackers managed to social engineer employees into resetting the multi-factor login requirements for Okta administrator accounts.
In March 2022, Okta disclosed a breach from the hacking group LAPSUS$, which specialized in social-engineering employees at targeted companies. An after-action report from Okta on that incident found that LAPSUS$ had social engineered its way onto the workstation of a support engineer at Sitel, a third-party outsourcing company that had access to Okta resources.
Okta’s Wylie declined to answer questions about how long the intruder may have had access to the company’s case management account, or who might have been responsible for the attack. However, she did say the company believes this is an adversary they have seen before.
“This is a known threat actor that we believe has targeted us and Okta-specific customers,” Wylie said.
Update, 2:57 p.m. ET: Okta has published a blog post about this incident that includes some “indicators of compromise” that customers can use to see if they were affected. But the company stressed that “all customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”
Update, 3:36 p.m. ET: BeyondTrust has published a blog post about their findings.
Update, Oct. 24, 10:20 a.m. ET: 1Password and Cloudflare have disclosed compromises of their Okta authentication platforms as a result of the Okta breach. Both companies say an investigation has determined no customer information or systems were affected. Meanwhile, an Okta spokesperson told TechCrunch that the company notified about 1 percent of its customer base (~170 customers), so we are likely to see more such disclosures in the days and weeks ahead.
As healthcare integrates increasingly digital processes into its operations, the need for robust security measures increases. For many of us, visiting our healthcare provider involves filling out forms that are then transferred into an Electronic Health Record (EHR) system. We put our trust in these healthcare institutions, expecting them to take the necessary steps to store our sensitive data securely. However, with a significant rise in medical data breaches, a whopping 70% increase over the past seven years, it has become more important to understand how these breaches occur and how we can protect ourselves.
Recently, LabCorp, a medical testing company, announced a breach affecting approximately 7.7 million customers, exposing their names, addresses, birth dates, balance, and credit card or bank account information. This breach occurred due to an issue with a third-party billing collections vendor, the American Medical Collection Agency (AMCA). Not long before this, Quest Diagnostics, another company collaborating with AMCA, experienced a similar breach, affecting 11.9 million users.
Medical data is, by nature, nonperishable, making it a highly valuable asset for cybercriminals. This means that while a credit card number or bank account detail can be changed if compromised, medical information remains constant, maintaining its value over time. This also suggests that once procured, this information can be used for various malicious activities, from identity theft to extortion.
Realizing that the healthcare industry is riddled with various security vulnerabilities is crucial. Unencrypted traffic between servers, the ability to create admin accounts remotely, and the disclosure of private information are all shortcomings that these cybercriminals can exploit. With such access, they can permanently alter medical images, use medical research data for extortion, and much more. According to the McAfee Labs Threats Report, the healthcare sector witnessed a 210% increase in publicly disclosed security incidents from 2016 to 2017, resulting from failure to comply with security best practices or address vulnerabilities in medical software.
→ Dig Deeper: How to Safeguard Your Family Against A Medical Data Breach
While the onus lies on healthcare institutions to ensure the security of patients’ data, there are several steps that individuals can take on their own to safeguard their privacy. These steps become particularly pivotal if you think your personal or financial information might have been compromised due to recent breaches. In such instances, following certain best practices can significantly enhance your personal data security.
One such measure is placing a fraud alert on your credit. This effectively means that any new or recent requests will be scrutinized, making it challenging for fraudulent activities to occur. Additionally, the fraud alert enables you to access extra copies of your credit report, which you can peruse for any suspicious activities.
Another effective step you can consider is freezing your credit. Doing so makes it impossible for criminals to take out loans or open new accounts in your name. However, to execute this effectively, remember that credit needs to be frozen at each of the three major credit-reporting agencies – Equifax, TransUnion, and Experian.
Moreover, vigilance plays a critical role in protecting your personal data. Regularly checking your bank account and credit activity can help you spot any anomalies swiftly, allowing you to take immediate action.
McAfee Pro Tip: To lock or to freeze? That is the question. Credit lock only offers limitations in accessing an account. A credit freeze generally has more security features and financial protections guaranteed by law and the three major credit bureaus, so you’ll have more rights and protection if identity theft, fraud, scams, and other cybercrimes occur with a credit freeze compared to a credit lock. Learn more about the difference between credit freeze and credit lock here.
Identity theft protection services offer an additional layer of security to protect your personal as well as financial information. They actively monitor your accounts, provide prompt alerts for any suspicious activities, and help you recover losses if things go awry. An identity theft protection service like McAfee Identity Theft Protection can be beneficial. Remember, however, that even with such a service, you should continue practicing other security measures, as they form part of a comprehensive approach to data security.
These services work in the background to ensure constant protection. However, choosing a reputable and reliable identity theft protection service is essential. Do thorough research before committing and compare features such as monitoring services, recovery assistance, and insurance offerings. This step can help protect you not only during medical data breaches but also on other digital platforms where your personal information is stored.
If you suspect your personal data has been compromised, you should check your bank account and credit activity frequently. Regular monitoring of your accounts empowers you to stop fraudulent activity. Many banks and credit card companies provide free alerts—through an email or text message—whenever a new purchase is made, an unusual charge is noticed, or your account balance drops to a particular level.
Besides, you should also consider utilizing apps or online services provided by banks and credit companies to keep an eye on your accounts. Such tools can help you track your financial activity conveniently and take instant action if any suspicious activity is spotted. Regularly updating your contact information with banks and credit companies is also important, as it ensures you receive all alerts and updates on time.
→ Dig Deeper: Online Banking—Simple Steps to Protect Yourself from Bank Fraud
Increased digitization in the healthcare sector has brought convenience and improved patient services. However, it also presents attractive targets for cybercriminals eager to exploit vulnerabilities for personal gain. Medical data breaches are concerning due to their potential long-term impacts, so it’s critical to protect your personal information proactively.
While healthcare institutions must shoulder the primary responsibility to safeguard patient information, users are far from helpless. By placing a fraud alert, freezing your credit, using identity theft protection services like McAfee Identity Theft Protection, and maintaining vigilance over your financial activity, you can form a comprehensive defense strategy to protect yourself against potential breaches.
The post 4 Tips to Protect Your Information During Medical Data Breaches appeared first on McAfee Blog.
Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name.
According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.
The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims. GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.
The government says Snatch used a customized ransomware variant notable for rebooting Microsoft Windows devices into Safe Mode — enabling the ransomware to circumvent detection by antivirus or endpoint protection — and then encrypting files when few services are running.
“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” the FBI/CISA alert reads. It continues:
“Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network moving laterally across the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”
New York City-based cyber intelligence firm Flashpoint said the Snatch ransomware group was created in 2018, based on Truniger’s recruitment both on Russian language cybercrime forums and public Russian programming boards. Flashpoint said Truniger recruited “pen testers” for a new, then-unnamed cybercrime group, by posting their private Jabber instant messenger contact details on multiple Russian language coding forums, as well as on Facebook.
“The command requires Windows system administrators,” Truniger’s ads explained. “Experience in backup, increase privileges, mikicatz, network. Details after contacting on jabber: truniger@xmpp[.]jp.”
In at least some of those recruitment ads — like one in 2018 on the forum sysadmins[.]ru –the username promoting Truniger’s contact information was Semen7907. In April 2020, Truniger was banned from two of the top Russian cybercrime forums, where members from both forums confirmed that Semen7907 was one of Truniger’s known aliases.
[SIDE NOTE: Truniger was banned because he purchased credentials to a company from a network access broker on the dark web, and although he promised to share a certain percentage of whatever ransom amount Truniger’s group extracted from the victim, Truniger paid the access broker just a few hundred dollars off of a six-figure ransom].
According to Constella Intelligence, a data breach and threat actor research platform, a user named Semen7907 registered in 2017 on the Russian-language programming forum pawno[.]ru using the email address tretyakov-files@yandex.ru.
That same email address was assigned to the user “Semen-7907” on the now defunct gaming website tunngle.net, which suffered a data breach in 2020. Semen-7907 registered at Tunngle from the Internet address 31.192.175[.]63, which is in Yekaterinburg, RU.
Constella reports that tretyakov-files@yandex.ru was also used to register an account at the online game stalker[.]so with the nickname Trojan7907.
There is a Skype user by the handle semen7907, and which has the name Semyon Tretyakov from Yekaterinburg, RU. Constella also found a breached record from the Russian mobile telephony site tele2[.]ru, which shows that a user from Yekaterinburg registered in 2019 with the name Semyon Sergeyvich Tretyakov and email address tretyakov-files@ya.ru.
The above accounts, as well as the email address semen_7907@mail.ru, were all registered or accessed from the same Yekaterinburg Internet address mentioned previously: 31.192.175.63. The Russian mobile phone number associated with that tele2[.]ru account is connected to the Telegram account “Perchatka,” (“glove” in Russian).
Reached via Telegram, Perchatka (a.k.a. Mr. Tretyakov) said he was not a cybercriminal, and that he currently has a full-time job working in IT at a major company (he declined to specify which).
Presented with the information gathered for this report (and more that is not published here), Mr. Tretyakov acknowledged that Semen7907 was his account on sysadmins[.]ru, the very same account Truniger used to recruit hackers for the Snatch Ransomware group back in 2018.
However, he claims that he never made those posts, and that someone else must have assumed control over his sysadmins[.]ru account and posted as him. Mr. Tretyakov said that KrebsOnSecurity’s outreach this week was the first time he became aware that his sysadmins[.]ru account was used without his permission.
Mr. Tretyakov suggested someone may have framed him, pointing to an August 2023 story at a Russian news outlet about the reported hack and leak of the user database from sysadmins[.]ru, allegedly at the hands of a pro-Ukrainian hacker group called CyberSec.
“Recently, because of the war in Ukraine, a huge number of databases have been leaked and finding information about a person is not difficult,” Tretyakov said. “I’ve been using this login since about 2013 on all the forums where I register, and I don’t always set a strong password. If I had done something illegal, I would have hidden much better :D.”
[For the record, KrebsOnSecurity does not generally find this to be the case, as the ongoing Breadcrumbs series will attest.]
A Semyon Sergeyvich Tretyakov is listed as the composer of a Russian-language rap song called “Parallels,” which seems to be about the pursuit of a high-risk lifestyle online. A snippet of the song goes:
“Someone is on the screen, someone is on the blacklist
I turn on the timer and calculate the risks
I don’t want to stay broke And in the pursuit of money
I can’t take these zeros Life is like a zebra –
everyone wants to be first Either the stripes are white,
or we’re moving through the wilds I won’t waste time.”
Mr. Tretyakov said he was not the author of that particular rhyme, but that he has been known to record his own rhythms.
“Sometimes I make bad beats,” he said. “Soundcloud.”
The FBI/CISA alert on Snatch Ransomware (PDF) includes an interesting caveat: It says Snatch actually deploys ransomware on victim systems, but it also acknowledges that the current occupants of Snatch’s dark and clear web domains call themselves Snatch Team, and maintain that they are not the same people as Snatch Ransomware from 2018.
Here’s the interesting bit from the FBI/CISA report:
“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”
Avid readers will recall a story here earlier this week about Snatch Team’s leaky darknet website based in Yekaterinburg, RU that exposed their internal operations and Internet addresses of their visitors. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
Snatch Team claims to deal only in stolen data — not in deploying ransomware malware to hold systems hostage.
Representatives of the Snatch Team recently answered questions from Databreaches.net about the claimed discrepancy in the FBI/CISA report.
“First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income,” the Snatch Team wrote to Databreaches.net in response to questions.
But so far the Snatch Team has not been able to explain why it is using the very same domain names that the Snatch ransomware group used?
Their claim is even more unbelievable because the Snatch Team members told Databreaches.net they didn’t even know that a ransomware group with that name already existed when they initially formed just two years ago.
This is difficult to swallow because even if they were a separate group, they’d still need to somehow coordinate the transfer of the Ransomware group’s domains on the clear and dark webs. If they were hoping for a fresh start or separation, why not just pick a new name and new web destination?
“Snatchteam[.]cc is essentially a data market,” they continued. “The only thing to underline is that we are against selling leaked information, sticking to the idea of free access. Absolutely any team can come to us and offer information for publication. Even more, we have heard rumors that a number of ransomware teams scare their clients that they will post leaked information on our resource. We do not have our own ransomware, but we are open to cooperation on placement and monetization of dates (sic).”
Maybe Snatch Team does not wish to be associated with Snatch Ransomware because they currently believe stealing data and then extorting victim companies for money is somehow less evil than infecting all of the victim’s servers and backups with ransomware.
It is also likely that Snatch Team is well aware of how poorly some of their founders covered their tracks online, and are hoping for a do-over on that front.
The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team’s darknet site, which is only reachable using the global anonymity network Tor.
The victim shaming website for the Snatch ransomware gang.
KrebsOnSecurity has learned that Snatch’s darknet site exposes its “server status” page, which includes information about the true Internet addresses of users accessing the website.
Refreshing this page every few seconds shows that the Snatch darknet site generates a decent amount of traffic, often attracting thousands of visitors each day. But by far the most frequent repeat visitors are coming from Internet addresses in Russia that either currently host Snatch’s clear web domain names or recently did.
The Snatch ransomware gang’s victim shaming site on the darknet is leaking data about its visitors. This “server status” page says that Snatch’s website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, which is no longer supported by security updates.
Probably the most active Internet address accessing Snatch’s darknet site is 193.108.114[.]41, which is a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address is showing up frequently because Snatch’s clear-web site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.
Another Internet address that showed up frequently in the Snatch server status page was 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. According to DomainTools.com, this address also hosts or else recently hosted the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.
The Moscow Internet address 80.66.64[.]15 accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clear-web domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to known software companies, including libreoff1ce[.]com and www-discord[.]com.
This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name — Mihail Kolesnikov, a name that is somewhat synonymous with recent phishing domains tied to malicious Google ads.
Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin’s reign. Either way, it’s clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.
DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g. the now-defunct pittsburghcitygirls[.]com).
The other half of the Kolesnikov websites are far more recent phishing domains mostly ending in “.top” and “.app” that appear designed to mimic the domains of major software companies, including www-citrix[.]top, www-microsofteams[.]top, www-fortinet[.]top, ibreoffice[.]top, www-docker[.]top, www-basecamp[.]top, ccleaner-cdn[.]top, adobeusa[.]top, and www.real-vnc[.]top.
In August 2023, researchers with Trustwave Spiderlabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan.
But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware. In February 2023, Spamhaus warned of a huge surge in malicious ads that were hijacking search results in Google.com, and being used to distribute at least five different families of information stealing trojans, including AuroraStealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer and Vidar.
For example, Spamhaus said victims of these malicious ads would search for Microsoft Teams in Google.com, and the search engine would often return a paid ad spoofing Microsoft or Microsoft Teams as the first result — above all other results. The malicious ad would include a logo for Microsoft and at first glance appear to be a safe and trusted place to download the Microsoft Teams client.
However, anyone who clicked on the result was whisked away instead to mlcrosofteams-us[.]top — yet another malicious domain registered to Mr. Kolesnikov. And while visitors to this website may believe they are only downloading the Microsoft Teams client, the installer file includes a copy of the IcedID malware, which is really good at stealing passwords and authentication tokens from the victim’s web browser.
Image: Spamhaus
The founder of the Swiss anti-abuse website abuse.ch told Spamhaus it is likely that some cybercriminals have started to sell “malvertising as a service” on the dark web, and that there is a great deal of demand for this service.
In other words, someone appears to have built a very profitable business churning out and promoting new software-themed phishing domains and selling that as a service to other cybercriminals. Or perhaps they are simply selling any stolen data (and any corporate access) to active and hungry ransomware group affiliates.
The tip about the exposed “server status” page on the Snatch darkweb site came from @htmalgae, the same security researcher who alerted KrebsOnSecurity earlier this month that the darknet victim shaming site run by the 8Base ransomware gang was inadvertently left in development mode.
That oversight revealed not only the true Internet address of the hidden 8Base site (in Russia, naturally), but also the identity of a programmer in Moldova who apparently helped to develop the 8Base code.
@htmalgae said the idea of a ransomware group’s victim shaming site leaking data that they did not intend to expose is deliciously ironic.
“This is a criminal group that shames others for not protecting user data,” @htmalgae said. “And here they are leaking their user data.”
All of the malware mentioned in this story is designed to run on Microsoft Windows devices. But Malwarebytes recently covered the emergence of a Mac-based information stealer trojan called AtomicStealer that was being advertised through malicious Google ads and domains that were confusingly similar to software brands.
Please be extra careful when you are searching online for popular software titles. Cracked, pirated copies of major software titles are a frequent source of infostealer infections, as are these rogue ads masquerading as search results. Make sure to double-check you are actually at the domain you believe you’re visiting *before* you download and install anything.
Stay tuned for Part II of this post, which includes a closer look at the Snatch ransomware group and their founder.
Further reading:
@HTMalgae’s list of the top Internet addresses seen accessing Snatch’s darknet site
Ars Technica: Until Further Notice Think Twice Before Using Google to Download Software
Bleeping Computer: Hackers Abuse Google Ads to Spread Malware in Legit Software
The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.
LastPass sent this notification to users earlier this week.
LastPass told customers this week they would be forced to update their master password if it was less than 12 characters. LastPass officially instituted this change back in 2018, but some undisclosed number of the company’s earlier customers were never required to increase the length of their master passwords.
This is significant because in November 2022, LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.
Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
KrebsOnSecurity last month interviewed a victim who recently saw more than three million dollars worth of cryptocurrency siphoned from his account. That user signed up with LastPass nearly a decade ago, stored their cryptocurrency seed phrase there, and yet never changed his master password — which was just eight characters. Nor was he ever forced to improve his master password.
That story cited research from Adblock Plus creator Wladimir Palant, who said LastPass failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.
For example, another important default setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.
Palant said that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000. Still, Palant and others impacted by the 2022 breach at LastPass say their account security settings were never forcibly upgraded.
Palant called this latest action by LastPass a PR stunt.
“They sent this message to everyone, whether they have a weak master password or not – this way they can again blame the users for not respecting their policies,” Palant said. “But I just logged in with my weak password, and I am not forced to change it. Sending emails is cheap, but they once again didn’t implement any technical measures to enforce this policy change.”
Either way, Palant said, the changes won’t help people affected by the 2022 breach.
“These people need to change all their passwords, something that LastPass still won’t recommend,” Palant said. “But it will somewhat help with the breaches to come.”
LastPass CEO Karim Toubba said changing master password length (or even the master password itself) is not designed to address already stolen vaults that are offline.
“This is meant to better protect customers’ online vaults and encourage them to bring their accounts up to the 2018 LastPass standard default setting of a 12-character minimum (but could opt out from),” Toubba said in an emailed statement. “We know that some customers may have chosen convenience over security and utilized less complex master passwords despite encouragement to use our (or others) password generator to do otherwise.”
A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.
LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.
But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single high-powered graphics card about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.
Image: palant.info
However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
Meaning, LastPass users whose vaults were never upgraded to higher iterations and whose master passwords were weak (less than 12 characters) likely have been a primary target of distributed password-cracking attacks ever since the LastPass user vaults were stolen late last year.
Asked why some LastPass users were left behind on older security minimums, Toubba said a “small percentage” of customers had corrupted items in their password vaults that prevented those accounts from properly upgrading to the new requirements and settings.
“We have been able to determine that a small percentage of customers have items in their vaults that are corrupt and when we previously utilized automated scripts designed to re-encrypt vaults when the master password or iteration count is changed, they did not complete,” Toubba said. “These errors were not originally apparent as part of these efforts and, as we have discovered them, we have been working to be able to remedy this and finish the re-encryption.”
Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said LastPass made a huge mistake years ago by not force-upgrading the iteration count for existing users.
“And now this is blaming the users — ‘you should have used a longer passphrase’ — not them for having weak defaults that were never upgraded for existing users,” Weaver said. “LastPass in my book is one step above snake-oil. I used to be, ‘Pick whichever password manager you want,’ but now I am very much, ‘Pick any password manager but LastPass.'”
Asked why LastPass isn’t recommending that users change all of the passwords secured by the encrypted master password that was stolen when the company got hacked last year, Toubba said it’s because “the data demonstrates that the majority of our customers follow our recommendations (or greater), and the probability of successfully brute forcing vault encryption is greatly reduced accordingly.”
“We’ve been telling customers since December of 2022 that they should be following recommended guidelines,” Toubba continued. “And if they haven’t followed the guidelines we recommended that they change their downstream passwords.”
In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “USDoD” had infiltrated the FBI‘s vetted information sharing network InfraGard, and was selling the contact information for all 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S. defense contractors.
USDoD’s avatar used to be the seal of the U.S. Department of Defense. Now it’s a charming kitten.
In a post on the English language cybercrime forum BreachForums, USDoD leaked information on roughly 3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems.
USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was definitely an aircraft theme to the message that accompanied the leak, which concluded with the words, “Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”
Airbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm Hudson Rock, which determined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a prevalent and powerful info-stealing trojan called RedLine.
Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal).
Hudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s system, and found the employee likely infected their machine after downloading pirated and secretly backdoored software for Microsoft Windows.
Hudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years, and that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”
The prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin with cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the identity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the difference.
In addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also siphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of time without having to resupply one’s password and multi-factor authentication code. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account.
Microsoft Corp. this week acknowledged that a China-backed hacking group was able to steal one of the keys to its email kingdom that granted near-unfettered access to U.S. government inboxes. Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of unfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing malware” on the employee’s system.
In April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously restocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who deployed RedLine and other info-stealer malware.
In March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same cybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums domain name, but the forum has since migrated to a new domain.
USDoD’s InfraGard sales thread on Breached.
Unsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these schemes have been gaming the search engines so that their malicious sites impersonating popular software vendors actually appear before the legitimate vendor’s website. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.
Also, unless you really know what you’re doing, please don’t download and install pirated software. Sure, the cracked program might do exactly what you expect it to do, but the chances are good that it is also laced with something nasty. And when all of your passwords are stolen and your important accounts have been hijacked or sold, you will wish you had simply paid for the real thing.
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.
Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.
“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”
Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.
MetaMask owner Taylor Monahan on Twitter. Image: twitter.com/tayvano_
Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.
Which is why the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.
“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”
Bax said he closely reviewed the massive trove of cryptocurrency theft data that Taylor Monahan and others have collected and linked together.
“It’s one of the broadest and most complex cryptocurrency investigations I’ve ever seen,” Bax said. “I ran my own analysis on top of their data and reached the same conclusion that Taylor reported. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, making it possible to strongly link those victims.”
Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.
KrebsOnSecurity has reviewed this signature but is not publishing it at the request of Monahan and other researchers, who say doing so could cause the attackers to alter their operations in ways that make their criminal activity more difficult to track.
But the researchers have published findings about the dramatic similarities in the ways that victim funds were stolen and laundered through specific cryptocurrency exchanges. They also learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.
A graphic published by @tayvano_ on Twitter depicting the movement of stolen cryptocurrencies from victims who used LastPass to store their crypto seed phrases.
By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.
Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story.
Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.
“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecuirty. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.
“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”
Their statement continues:
“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”
On August 25, 2022, LastPass CEO Karim Toubba wrote to users that the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.
But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.
In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
Dan Goodin at Ars Technica reported and then confirmed that the attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.
As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.
A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.
LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.
But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
“It does leave things vulnerable to brute force when the vaults are stolen en masse, especially if info about the vault HOLDER is available,” said Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis. “So you just crunch and crunch and crunch with GPUs, with a priority list of vaults you target.”
How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.
In a December 2022 blog post, Palant explained that the crackability of a LastPass master password depends largely on two things: The complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.
LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”
But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.
“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”
Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.
Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.
Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.
“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”
A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.
Image: palant.info
However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.
Weaver said a password or passphrase with average complexity — such as “Correct Horse Battery Staple” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.
“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”
Reached by KrebsOnSecurity, Palant said he never received a response from LastPass about why the company apparently failed to migrate some number of customers to more secure account settings.
“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”
Palant said upon logging into his LastPass account a few days ago, he found his master password was still set at 5,000 iterations.
KrebsOnSecurity interviewed one of the victims tracked down by Monahan, a software engineer and startup founder who recently was robbed of approximately $3.4 million worth of different cryptocurrencies. The victim agreed to tell his story in exchange for anonymity because he is still trying to claw back his losses. We’ll refer to him here as “Connor” (not his real name).
Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside of LastPass. Connor chose to protect his LastPass password vault with an eight character master password that included numbers and symbols (~50 bits of entropy).
“I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,” Connor said. “I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.'”
Those seed phrases sat in his LastPass vault for years. Then, early on the morning of Sunday, Aug. 27, 2023, Connor was awoken by a service he’d set up to monitor his cryptocurrency addresses for any unusual activity: Someone was draining funds from his accounts, and fast.
Like other victims interviewed for this story, Connor didn’t suffer the usual indignities that typically presage a cryptocurrency robbery, such as account takeovers of his email inbox or mobile phone number.
Connor said he doesn’t know the number of iterations his master password was given originally, or what it was set at when the LastPass user vault data was stolen last year. But he said he recently logged into his LastPass account and the system forced him to upgrade to the new 600,000 iterations setting.
“Because I set up my LastPass account so early, I’m pretty sure I had whatever weak settings or iterations it originally had,” he said.
Connor said he’s kicking himself because he recently started the process of migrating his cryptocurrency to a new wallet protected by a new seed phrase. But he never finished that migration process. And then he got hacked.
“I’d set up a brand new wallet with new keys,” he said. “I had that ready to go two months ago, but have been procrastinating moving things to the new wallet.”
Connor has been exceedingly lucky in regaining access to some of his stolen millions in cryptocurrency. The Internet is swimming with con artists masquerading as legitimate cryptocurrency recovery experts. To make matters worse, because time is so critical in these crypto heists, many victims turn to the first quasi-believable expert who offers help.
Instead, several friends steered Connor to Flashbots.net, a cryptocurrency recovery firm that employs several custom techniques to help clients claw back stolen funds — particularly those on the Ethereum blockchain.
According to Connor, Flashbots helped rescue approximately $1.5 million worth of the $3.4 million in cryptocurrency value that was suddenly swept out of his account roughly a week ago. Lucky for him, Connor had some of his assets tied up in a type of digital loan that allowed him to borrow against his various cryptocurrency assets.
Without giving away too many details about how they clawed back the funds, here’s a high level summary: When the crooks who stole Connor’s seed phrase sought to extract value from these loans, they were borrowing the maximum amount of credit that he hadn’t already used. But Connor said that left open an avenue for some of that value to be recaptured, basically by repaying the loan in many small, rapid chunks.
According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.
“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”
If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.
I’ve never been comfortable recommending password managers, because I’ve never seriously used them myself. Something about putting all your eggs in one basket. Heck, I’m so old-fashioned that most of my important passwords are written down and tucked away in safe places.
But I recognize this antiquated approach to password management is not for everyone. Connor says he now uses 1Password, a competing password manager that recently earned the best overall marks from Wired and The New York Times.
1Password says that three things are needed to decrypt your information: The encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup.
“The two are combined on-device to encrypt your vault data and are never sent to 1Password,” explains a 1Password blog post ‘What If 1Password Gets Hacked?‘ “Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.
Weaver said that Secret Key adds an extra level of randomness to all user master passwords that LastPass didn’t have.
“With LastPass, the idea is the user’s password vault is encrypted with a cryptographic hash (H) of the user’s passphrase,” Weaver said. “The problem is a hash of the user’s passphrase is remarkably weak on older LastPass vaults with master passwords that do not have many iterations. 1Password uses H(random-key||password) to generate the password, and it is why you have the QR code business when adding a new device.”
Weaver said LastPass deserves blame for not having upgraded iteration counts for all users a long time ago, and called the latest forced upgrades “a stunning indictment of the negligence on the part of LastPass.”
“That they never even notified all those with iteration counts of less than 100,000 — who are really vulnerable to brute force even with 8-character random passwords or ‘correct horse battery staple’ type passphrases — is outright negligence,” Weaver said. “I would personally advocate that nobody ever uses LastPass again: Not because they were hacked. Not because they had an architecture (unlike 1Password) that makes such hacking a problem. But because of their consistent refusal to address how they screwed up and take proactive efforts to protect their customers.”
Bax and Monahan both acknowledged that their research alone can probably never conclusively tie dozens of high-dollar crypto heists over the past year to the LastPass breach. But Bax says at this point he doesn’t see any other possible explanation.
“Some might say it’s dangerous to assert a strong connection here, but I’d say it’s dangerous to assert there isn’t one,” he said. “I was arguing with my fiance about this last night. She’s waiting for LastPass to tell her to change everything. Meanwhile, I’m telling her to do it now.”
FreshRSS 