Romanian Hackers Sentenced

Members of Bayrob Criminal Enterprise Infected Thousands of Computers with Malware, Stole Millions of Dollars

The hackers were like modern-day John Dillingers, brazenly committing their crimes and repeatedly escaping law enforcement’s grasp.

But like Dillinger and most other criminals, they eventually slipped up, and the FBI and its international partners were waiting for them after years of tracking their activities.

Auction Fraud Gets Law Enforcement’s Attention

In 2007, an Ohio woman wired thousands of dollars to an eBay seller thinking she was buying a used car. The car never arrived. When she went to her local police department, the listing did not appear on the officers’ computers.

That’s because the woman was on a fraudulent version of the online auction site that mimicked the real one—a result of having unknowingly downloaded malicious software, known as malware, to her computer.

And to thousands of other victims just like her, the website and transactions looked legitimate. But buyers who thought they were wiring money across town were, in fact, sending money to hackers halfway across the world.

The hackers, known as the Bayrob Group, laundered the money via money mules, making it difficult to track. (Money mules are criminal accomplices who, often unwittingly, move criminal money through their own bank accounts.) Additionally, if a user on an infected machine went to the “Help” section of the site, they were met with the hackers’—not eBay’s—customer service.

The Bayrob hackers also blocked websites like ic3.gov—the FBI’s Internet Crime Complaint Center—where a user might have gone for help. And before smartphones were so common, the infected computer may have been a victim’s only access to the Internet.
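An added check, not from the FBI article or the case record: the article says the malware served a fake eBay from the victim's own machine and blocked ic3.gov. One common way commodity malware achieves both is by rewriting the local hosts file so that chosen names resolve to an attacker address or to a sinkhole; that mechanism is an assumption here, since the page does not say how Bayrob did it. The script below parses a hosts file and reports any watchlist domain that is blocked or pointed somewhere other than its normal resolution. The sample file contents, the 203.0.113.45 address and the watchlist are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (assumption; not evidence from the case).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ic3.gov
0.0.0.0         www.ic3.gov
0.0.0.0         symantec.com
203.0.113.45    ebay.com
203.0.113.45    www.ebay.com   signin.ebay.com
"""

# Registrable domains a defender cares about: reporting sites, AV vendors, sites the victim transacts on.
WATCHLIST = {"ic3.gov", "fbi.gov", "ebay.com", "paypal.com", "symantec.com"}

# Addresses that silently discard traffic: a hosts entry pointing here blocks the site.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])  # rejects malformed address tokens
        except ValueError:
            continue
        for host in parts[1:]:                   # one address may map several names
            yield str(ip), host.lower()


def registrable(host):
    """Last two labels of a name (assumption: no offline public-suffix list, so co.uk-style names are not handled)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (hostname, ip, 'blocked'|'redirected') for every watchlist name overridden in the file."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue                             # the two stock entries are expected
        if registrable(host) not in watchlist:
            continue
        kind = "blocked" if ip in SINKHOLE else "redirected"
        findings.append((host, ip, kind))
    return findings


if __name__ == "__main__":
    for host, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10s} {host:20s} -> {ip}")
```

On a Windows host the file is %SystemRoot%\System32\drivers\etc\hosts; on Linux and macOS it is /etc/hosts. Any "redirected" finding for a site the user signs in to deserves the same treatment as the "blocked" findings: the machine is already compromised, and the fix is reimaging, not editing the file back.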

The would-be car buyer, along with many other victims, lost her money because wiring funds lacks the consumer protection of a credit card. Agents estimate each victim lost between $8,000 and $11,000.

“At the time, this was really cutting edge,” said Special Agent Ryan Macfarlane, who worked this case out of the FBI’s Cleveland Field Office. “These guys did a very good job of staying current with the technologies in the cyber-criminal underground.”

Following the Money and the Malware

The Bayrob hackers were frustratingly nimble and good at covering their tracks. They used multiple layers of proxy servers to hide their location. Those proxy servers communicated with the “command and control” servers that talked to the thousands of computers the malware had infected.

But as the hackers gained more victims, more partners joined the investigation. The FBI worked with numerous law enforcement agencies around the world on this case, as well as with companies such as AOL, eBay, and Symantec.

Beginning in 2012, the Bayrob Group began to diversify its criminal business as technology advanced. They continued to spread their malware via spam and social media, but they also got into cryptocurrency mining and selling credit card numbers on the Darknet.

“They had all of these infected systems, and they tried to use as many ways as possible to make money from them,” Macfarlane said.

Mistake Yields a Break in the Case

A break finally came when a Bayrob participant accidentally logged into his personal email instead of his criminal one. AOL, which was investigating his abuse of its network, connected the two accounts. That personal account led to online profiles in Romania and on social media—essentially the first action tying one of the suspects to the crimes.

That small mistake helped set investigators, in partnership with the Romanian National Police, on a path toward discovering the identities of all three hackers. And after much further investigation, including undercover buys from the group on Darknet marketplace Alphabay, the FBI had enough evidence to work with Romanian authorities on the arrests.

By the time the hackers were arrested in 2016, the Bayrob Group had become one of the top senders of malicious email.

“We were essentially taking down this entire infrastructure and arresting the three individuals at one time,” Macfarlane said. “And the Romanian National Police were key partners in this effort. They stuck with us year after year. We couldn’t have done this without them.”

Bayrob Group members Bogdan Nicolescu and Radu Miclaus were both convicted on wire fraud, money laundering, and identity theft charges. In December 2019, Nicolescu was sentenced to 20 years and Miclaus to 18 years in prison.

A third member of the group, Tiberiu Danet, pleaded guilty to similar charges. He was sentenced in January to 10 years in prison.

While it was years in the making, putting a stop to these prolific thieves was worth the time and effort for the investigators—even when the hackers were as elusive as a gangster on the run.

“We stuck with it because these guys weren’t stopping,” Macfarlane said. “They continued to evolve, and they were becoming a bigger and bigger threat.”

Protecting Yourself Online

Although many of the victims had no way of knowing their computers were compromised, there are steps you can take to protect yourself and your devices, such as making sure your antivirus and operating systems are always up to date. Also be careful of what you click on, even if it’s coming from someone you know.

“A lot of people don’t think that someone they know will be compromised,” said FBI Special Agent Stacy Diaz, who also worked on the case. “These hackers know how social networks work, and they use those relationships to grow their network.”

FBI.gov (February, 2020) Romanian Hackers Sentenced

ALERT: Ransomware Impacting Pipeline Operations

The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday responded to a cyber-attack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility.

A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network.

The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.

The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations.

This lasted approximately two days, resulting in a Loss of Productivity and Revenue [T828], after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks.

The technical details in the Alert state that the victim had not implemented robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.

The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers. Because the attack was limited to Windows-based systems, the PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.

The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process. All OT assets directly impacted by the attack were limited to a single geographic facility.

US-Cert.gov (February, 2020) Alert (AA20-049A)- Ransomware Impacting Pipeline Operations

2019 Internet Crime Report Released

Data Reflects an Evolving Threat and the Importance of Reporting

Internet-enabled crimes and scams show no signs of letting up, according to data released by the FBI’s Internet Crime Complaint Center (IC3) in its 2019 Internet Crime Report. The last calendar year saw both the highest number of complaints and the highest dollar losses reported since the center was established in May 2000.

IC3 received 467,361 complaints in 2019—an average of nearly 1,300 every day—and recorded more than $3.5 billion in losses to individual and business victims. The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams, and extortion. The most financially costly complaints involved business email compromise, romance or confidence fraud, and spoofing, or mimicking the account of a person or vendor known to the victim to gather personal or financial information.

Donna Gregory, the chief of IC3, said that in 2019 the center didn’t see an uptick in new types of fraud but rather saw criminals deploying new tactics and techniques to carry out existing scams.

“Criminals are getting so sophisticated,” Gregory said. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

While email is still a common entry point, frauds are also beginning on text messages—a crime called smishing—or even fake websites—a tactic called pharming.

“You may get a text message that appears to be your bank asking you to verify information on your account,” said Gregory. “Or you may even search a service online and inadvertently end up on a fraudulent site that gathers your bank or credit card information.”

Individuals need to be extremely skeptical and double check everything, Gregory emphasized. “In the same way your bank and online accounts have started to require two-factor authentication—apply that to your life,” she said. “Verify requests in person or by phone, double check web and email addresses, and don’t follow the links provided in any messages.”

Shifts in Business Email Compromise

Business email compromise (BEC), or email account compromise, has been a major concern for years. In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses.

These scams typically involve a criminal spoofing or mimicking a legitimate email address. For example, an individual will receive a message that appears to be from an executive within their company or a business with which an individual has a relationship. The email will request a payment, wire transfer, or gift card purchase that seems legitimate but actually funnels money directly to a criminal.

In the last year, IC3 reported seeing an increase in the number of BEC complaints related to the diversion of payroll funds. “In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period,” the report said. The change instead routes an employee’s paycheck to a criminal.
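An added detection example, my own code rather than anything from the FBI or IC3: the report's BEC indicators are a spoofed or look-alike sender domain, a reply path the criminal controls, and a request to move money or change payroll details. The function below scores a parsed message on those three signals, treating a message that claims the organization's own domain as suspect unless it carries a DMARC pass. The trusted domain example.com, the header names, the homoglyph table and the three sample messages are constructed assumptions for illustration, modelled on the payroll-diversion and gift-card patterns the report describes.

```python
import re
from email.utils import parseaddr

# Assumed: the organization's own mail domain(s). Extend with the vendors it pays.
TRUSTED_DOMAINS = {"example.com"}

# Look-alike characters an attacker can register: 0 for o, 1 for l, rn for m, vv for w.
# Both the suspect and the trusted domain are folded, so legitimate names compare equal to themselves.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Phrases from the money-moving requests the report lists (payroll change, wire, gift cards).
REQUEST_WORDS = re.compile(
    r"direct deposit|routing number|account number|wire transfer|gift card", re.I
)


def fold(domain):
    """Normalise a domain so homoglyph look-alikes collapse onto the real name."""
    d = domain.lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_GLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; catches dropped, added or swapped letters (exampel.com, exmple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess(msg):
    """Return the BEC indicators found in msg, a dict of header and body strings."""
    reasons = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if from_dom in TRUSTED_DOMAINS:
        # A message claiming our own domain must have survived DMARC at the gateway
        # (assumes the gateway stamps an Authentication-Results header).
        if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
            reasons.append("claims an internal address but DMARC did not pass")
    elif from_dom:
        for trusted in TRUSTED_DOMAINS:
            if fold(from_dom) == fold(trusted) or levenshtein(from_dom, trusted) <= 2:
                reasons.append(f"sender domain {from_dom} is a look-alike of {trusted}")
                break
    if REQUEST_WORDS.search(msg.get("Subject", "") + " " + msg.get("Body", "")):
        reasons.append("asks for a payment or a change to bank details")
    return reasons


# Constructed sample messages (not real traffic).
PAYROLL_DIVERSION = {
    "From": "Jane Doe <jane.doe@examp1e.com>",
    "Reply-To": "jane.doe@webmail.example",
    "Subject": "Direct deposit update",
    "Body": "Please update my direct deposit to the new routing number before this pay period.",
    "Authentication-Results": "mx.example.com; dmarc=none",
}
SPOOFED_EXEC = {
    "From": "CEO <ceo@example.com>",
    "Subject": "Urgent",
    "Body": "I need you to buy gift cards for a client today and send me the codes.",
    "Authentication-Results": "mx.example.com; spf=fail dmarc=fail",
}
BENIGN = {
    "From": "Jane Doe <jane.doe@example.com>",
    "Subject": "Lunch?",
    "Body": "Still on for noon?",
    "Authentication-Results": "mx.example.com; spf=pass dkim=pass dmarc=pass",
}

if __name__ == "__main__":
    for name, m in (("payroll", PAYROLL_DIVERSION), ("exec", SPOOFED_EXEC), ("benign", BENIGN)):
        print(name, assess(m))
```

Any message with a request indicator plus one of the sender indicators should be held for out-of-band verification, which is the "verify requests in person or by phone" step the report recommends; the look-alike list should also carry the vendor and partner domains the organization pays, since the report names spoofed vendors as a major loss category.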

The Importance of Reporting

“Information reported to the IC3 plays a vital role in the FBI’s ability to understand our cyber adversaries and their motives, which, in turn, helps us to impose risks and consequences on those who break our laws and threaten our national security,” said Matt Gorham, assistant director of the FBI’s Cyber Division. “It is through these efforts we hope to build a safer and more secure cyber landscape.” Gorham encourages everyone to use IC3 and reach out to their local field office to report malicious activity. 

Rapid reporting can help law enforcement stop fraudulent transactions before a victim loses the money for good. The FBI’s Recovery Asset Team was created to streamline communication with financial institutions and FBI field offices and is continuing to build on its success. The team successfully recovered more than $300 million for victims in 2019.

Besides stressing vigilance on the part of every connected citizen, the IC3’s Donna Gregory also stressed the importance of victims providing as much information as possible when they come to IC3. Victims should include every piece of information they have—any email addresses, account information they were given, phone numbers scammers called from, and other details. The more information IC3 can gather, the more it helps combat the criminals.

In 2019, the Recovery Asset Team was paired with the Money Mule Team under the IC3’s Recovery and Investigative Development Team. This effort brings together law enforcement and financial institutions to use the data provided in IC3 complaints to gain a better view of the networks and methods of cyber fraudsters and identify the perpetrators.

The new effort allowed IC3 to aggregate more than three years of reports to help build a case against an active group of criminals who were responsible for damaging crimes that ranged from cryptocurrency theft to online extortion. The ensuing investigation by the FBI’s San Francisco Field Office resulted in the arrest of three people.

Read the full 2019 Internet Crime Report.

To stay up to date on common online scams and frauds or report a crime, visit ic3.gov.

FBI.gov (February, 2020) 2019 Internet Crime Report Released

Ohio Resident Charged with Operating Darknet-Based Bitcoin “Mixer,” which Laundered Over $300 Million

“Helix” Laundered Bitcoin From Numerous Darknet Markets

An Ohio man was arrested for his operation of Helix, a Darknet-based cryptocurrency laundering service. 

In the three-count indictment unsealed Feb. 11 in the District of Columbia, Larry Harmon, 36, of Akron, Ohio, was charged with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a D.C. license.

According to the indictment, Harmon operated Helix from 2014 to 2017.  Helix functioned as a bitcoin “mixer” or “tumbler,” allowing customers, for a fee, to send bitcoin to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin.  Helix was linked to and associated with “Grams,” a Darknet search engine also run by Harmon. 

Harmon advertised Helix to customers on the Darknet as a way to conceal transactions from law enforcement. 

“Helix allegedly laundered hundreds of millions of dollars of illicit narcotics proceeds and other criminal profits for Darknet users around the globe,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division.  “This indictment underscores that seeking to obscure virtual currency transactions in this way is a crime, and that the Department can and will ensure that such crime doesn’t pay.”

“For those who seek to use Darknet-based cryptocurrency tumblers, these charges should serve as a reminder that law enforcement, through its partnerships and collaboration, will uncover illegal activity and charge those responsible for unlawful acts,” said U.S. Attorney Timothy J. Shea of the District of Columbia.

“The brazenness with which Helix operated should be the most appalling aspect of this operation to every day citizens.  There are bad actors and then there are criminals who facilitate hundreds of other crimes,” said Don Fort, Chief, IRS Criminal Investigation.  “The sole purpose of Harmon’s operation was to conceal criminal transactions from law enforcement on the Darknet, and because of our growing expertise in this area, he could not make good on that promise.  Working in tandem with other sites, he sought to be the ‘go-to’ money launderer on the Darknet, but our investigators once again played the role of criminal disrupters, unraveling the interlinked web from one tentacle to another.  We thank the Belizean authorities and other law enforcement agencies for their assistance on this case.”

“The perceived anonymity of cryptocurrency and the Darknet may appeal to criminals as a refuge to hide their illicit activity,” said Special Agent in Charge Timothy M. Dunham of the Criminal Division of the FBI Washington Field Office.  “However, as this arrest demonstrates, the FBI and our law enforcement partners are committed to bringing the illegal practices of money launderers and other financial criminals to light and to justice, regardless of whether they are using new technological means to carry out their schemes.”

The indictment alleges that Helix moved over 350,000 bitcoin – valued at over $300 million at the time of the transactions – on behalf of customers, with the largest volume coming from Darknet markets.  Helix partnered with the Darknet market AlphaBay to provide bitcoin laundering services for AlphaBay customers.  AlphaBay was one of the largest Darknet marketplaces in operation at the time that it was seized by law enforcement in July 2017.

The charges in the indictment are merely allegations, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. 

The investigation was led by the IRS-CI and the FBI’s Washington Field Office with assistance from the Financial Crimes Enforcement Network.  The Department of Justice’s Office of International Affairs of the Criminal Division, the U.S. Attorney’s Office for the Northern District of Ohio, IRS Field Offices of Washington, D.C.; Cincinnati, Ohio; and Oakland, California; and the FBI’s Criminal Investigative Division and Field Offices of Cleveland, Ohio — Akron Resident Agency; Newark, New Jersey; and San Francisco, California — San Jose Resident Agency and the Department of State’s Diplomatic Security Service provided essential support for the operation.   

Internationally, the Belize Ministry of the Attorney General and the Belize National Police Department simultaneously executed a search warrant of a residence allegedly leased by Harmon in Belize as U.S. authorities executed warrants in the United States.  U.S. law enforcement agencies, coordinated by U.S. Embassy Belmopan, assisted in the Belize action.  “These actions underscore the vital importance of working closely with our law enforcement partners in Belize to make both of our countries safer and secure,” said U.S. Chargé d’Affaires, a.i. Keith Gilges.

Trial Attorneys S. Riane Harper and C. Alden Pelker of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Christopher B. Brown of the U.S. Attorney’s Office for the District of Columbia are prosecuting the case.  Additional assistance has been provided by Trial Attorneys Emily Siedell and Brian Nicholson of the Criminal Division’s Office of International Affairs, former CCIPS Trial Attorney W. Joss Nichols and Assistant U.S. Attorney Daniel Riedl of the Northern District of Ohio. 

Justice.gov (February, 2020) Ohio Resident Charged with Operating Darknet-Based Bitcoin “Mixer,” which Laundered Over $300 Million

DOD Has Enduring Role in Election Defense

Voting has begun for the 2020 presidential election primary season — but it’s not the beginning of the U.S. government’s defense against foreign interference and influence in our elections.

At the Reagan National Defense Forum in December 2019, Army Gen. Paul M. Nakasone, U.S. Cyber Command commander and director of the National Security Agency, laid out the Defense Department’s role in election security. “We began the ability for us to defend the presidential elections not today, not six months from now. We began it the day after the midterm elections,” he said. “We have not let up in terms of our ability to understand what our adversaries are doing.”

The Defense Department plays an important role in that whole-of-government partnership, spearheaded by the NSA and Cybercom’s Election Security Group, formed in the wake of the successes of the Russia Small Group during the 2018 midterms.

David Imbordino, the NSA election security lead, and Army Brig. Gen. William Hartman, Cybercom’s election security lead and commander of Cyber National Mission Force, co-lead the joint Election Security Group. Its purpose is to align the two organizations’ resources, efforts and actions to disrupt, deter and degrade adversaries’ ability to interfere and influence the U.S. elections.

“The biggest success out of 2018 wasn’t the 2018 midterms,” Hartman said. “The biggest success was we put in place, both organizationally and from a business practice standpoint, a focus on an enduring mission to protect the democratic process.”

The Election Security Group’s primary objectives are to generate insights on foreign adversaries that lead to improved cyber defenses and to impose costs on countries that seek to interfere. It directly supports partners, such as the Department of Homeland Security and the FBI, by collecting, declassifying and sharing vital information to enable agencies’ efforts in election security.

“[The FBI will] engage with social media companies,” Imbordino said. “That information can enable a social media company to then use their platform, where they have very unique insights that we don’t have, to mitigate and potentially unravel [malicious] social media influence campaigns.”

When NSA and Cybercom see a cyberattack happening against a certain victim, they communicate that information to appropriate government offices, which, in turn, work with private-sector partners to provide notification and enable future cyber defense.

“We look at adversary meddling in an election on two different fronts. One is covert influence, and then there’s interference,” Imbordino said. “For interference, what we’re talking about is an adversary trying to go change a vote total, targeting election infrastructure, voter rolls. Influence is more of the social media component of trying to influence public opinion.”

“It’s not enough to just know and understand what our adversaries are doing,” he continued. “The nation expects us to do something about it. Enabling our partners with the right information at the right classification level they need to take action to defend our democracy against these threats is essential and allows all of the tools of the government to be employed in this fight.”

Guiding all of Cybercom’s efforts is their underlying framework for the continuous execution of cyberspace operations, known as persistent engagement — the concept of constant contact with adversaries in cyberspace, engaging beyond DOD networks to “defend forward,” officials said, noting that persistent engagement enables Cybercom to be postured to impose cost against foreign malicious actors before they reach the homeland.

An example of persistent engagement in action is “hunt forward” operations that involve deploying defensive cyber teams around the world at the invitation of allies and partners to look for adversaries’ malicious cyber activity. These teams send insights back from these missions, enabling defense for U.S. and partner networks, and providing real-time situational awareness for Cybercom to better protect the nation from foreign attacks in cyberspace.

“In a hunt forward operation, we are able to work with partner nations and receive an invitation to execute operations in their country,” Hartman said. “These are generally countries that are in the near abroad of adversaries that we’re potentially concerned about.”

Hunt forward operations produce detailed information identifying risks and threats to critical infrastructure, networks and data. These insights will enable the U.S. to detect and defend against potential cyber threats to the upcoming 2020 elections, he explained.

If malware is discovered on hunt forward operations, Cybercom can publicize malicious software through antivirus portals, imposing costs of time, money and access on the adversary.

Another way the combined Cybercom and NSA Election Security Group enables defense is through the National Guard Bureau.

National Guard members supporting their state and local elections have the ability to share information to various organizations within the Election Security Group. The group will then use national-level intelligence to assess whether there is a foreign threat before providing that information to the National Guard, DHS and FBI.

“The primary way that we work with the states is really working by, with and through DHS and FBI, which is absolutely a critical component of how we interact,” Hartman said. “And the National Guard is present in all 50 states, three territories, and District of Columbia, which allows us to potentially look at something that may be occurring in the United States and see if we can track that activity to any foreign actor or to any foreign space.”

As election security continues to be an enduring mission of the DOD, national security officials stress the importance of allowing Americans to exercise their right to vote — a vote cast is a vote counted.

Defense.gov (February, 2020) DOD Has Enduring Role in Election Defense