FBI takes down Russian-Based Hacker Platform; Arrests suspected Russian Site Administrator


A Russian-based cyber platform known as DEER.IO was shut down by the FBI today, and its suspected administrator – alleged Russian hacker Kirill Victorovich Firsov – was arrested and charged with crimes related to the hacking of U.S. companies for customers’ personal information.

DEER.IO was a Russian-based cyber platform that allowed criminals to purchase access to cyber storefronts on the platform and sell their criminal products or services.  DEER.IO started operations as of at least October 2013, and claimed to have over 24,000 active shops with sales exceeding $17 million. The platform was shut down pursuant to a seizure order issued by the Southern District of California Court.

FBI agents arrested Firsov, a Russian cyber hacker, on March 7 in New York City. Firsov not only managed the DEER.IO platform, he also advertised it on other cyber forums, which catered to hackers. Firsov is next scheduled to appear on April 16, 2020, before U.S. Magistrate Judge Allison H. Goddard.

According to a federal complaint, DEER.IO virtual stores offered for sale a variety of hacked and/or compromised U.S. and international financial and corporate data, Personally Identifiable Information (PII), and compromised user accounts from many U.S. companies. Individuals could also buy computer files, financial information, PII, and usernames and passwords taken from computers infected with malicious software (malware) located both in the U.S. and abroad. Law enforcement found no legitimate business advertising its services and/or products through a DEER.IO storefront. Store operators and customers accessed the storefront via the Internet.  Specifically, in this case, the FBI made purchases from DEER.IO storefronts hosted on Russian servers.

The DEER.IO platform offered a turnkey online storefront design and hosting platform, from which cybercriminals could advertise and sell their products (such as harvested credentials and hacked servers) and services (such as assistance performing a panoply of cyber hacking activities). The DEER.IO online stores were maintained on Russian-controlled infrastructure. The DEER.IO platform provided shop owners with an easy-to-use interface that allowed for the automated purchase and delivery of criminal goods and services.

Once shop access was purchased via the DEER.IO platform, the site then guided the newly-minted shop owner through an automated set-up to upload the products and services offered through the shop and configure crypto-currency wallets to collect payments for the purchased products and/or services.

As of 2019, a cybercriminal who wanted to sell contraband or offer criminal services through DEER.IO could purchase a storefront directly from the DEER.IO website for 800 Rubles (approximately $12.50) per month. The monthly fee was payable by Bitcoin or a variety of online payment methods such as WebMoney, a Russian based money transfer system similar to PayPal.

A cybercriminal who wanted to purchase from storefronts on the DEER.IO platform could use a web browser to navigate to the DEER.IO domain, which resolved to DEER.IO storefronts. DEER.IO contained a search function, so individuals could search for hacked accounts from specific companies or PII from specific countries, or the user could navigate through the platform, scanning stores advertising a wide array of hacked accounts or cyber-criminal services for sale. Purchases were also conducted using cryptocurrency, such as Bitcoin, or through the Russian-based money transfer systems.

On or about March 4, 2020, the FBI purchased approximately 1,100 gamer accounts from the DEER.IO store ACCOUNTS-MARKET.DEER.IS for under $20 in Bitcoin. Once payment was complete, the FBI obtained the gamer accounts, including the user name and password for each account. Out of the 1,100 gamer accounts, 249 accounts were hacked Company A accounts. Company A confirmed that if a hacker gained access to the user name and password of a user account, that hacker could use that account. A gamer account provides access to the user’s entire media library. The accounts often have linked payment methods, so the hacker could use the linked payment method to make additional purchases on the account. Some users also have subscription-based services attached to their gamer accounts.

On or about March 5, 2020, the FBI purchased approximately 999 individual PII accounts from the DEER.IO store SHIKISHOP.DEER.IS for approximately $170 in Bitcoin.  On that same date, the FBI purchased approximately 2,650 individual PII accounts from the DEER.IO store SHIKISHOP.DEER.IS for approximately $522 in Bitcoin. From those identities, the FBI identified names, dates of birth and U.S. Social Security numbers for multiple individuals who reside in San Diego County, including G.V. and L.Y.

“There is a robust underground market for hacked stolen information, and this was a novel way to try to market it to criminals hoping not to get caught,” said U.S. Attorney Robert Brewer. “Hackers are a threat to our economy, and our privacy and national security, and cannot be tolerated.”

FBI Special Agent in Charge Omer Meisel stated, “Deer.io was the largest centralized platform, which promoted and facilitated the sale of compromised social media and financial accounts, personally identifiable information (PII) and hacked computers on the internet. The seizure of this criminal website represents a significant step in reducing stolen data used to victimize individuals and businesses in the United States and abroad.  The FBI will continue to be at the forefront of protecting Americans from foreign and domestic cyber criminals.”

The office extends its appreciation to the New York Division of U.S. Customs and Border Protection operating at John F. Kennedy International Airport and to private sector cyber-security company Black Echo LLC, which provided assistance throughout the investigation.

Report cyber crimes by filing a complaint with the FBI’s Internet Crime Complaint Center, by calling your local FBI office, or by calling 1-800-CALL-FBI.

DEFENDANT                                    Case Number: 20MJ1029

Kirill Victorovich Firsov                    Age: 28

SUMMARY OF CHARGE

Unauthorized Solicitation of Access Devices, 18 USC Sec. 1029(a)(6)(A)

Maximum Penalty: Ten years in prison, $250,000 fine, restitution.

FBI.gov (March 2020) FBI Takes Down a Russian-Based Hacker Platform; Arrests Suspected Russian Site Administrator

Trend Micro: Coronavirus Used in Malicious Campaigns


(Developing Story) The coronavirus disease (COVID-19) is being used in a variety of malicious campaigns including email spam, BEC, malware, ransomware, and malicious domains, Trend Micro has reported.

As the number of those afflicted continues to surge by the thousands, campaigns that use the disease as a lure likewise increase. Trend Micro researchers are periodically sourcing samples of coronavirus-related malicious campaigns. This report also includes detections from other researchers.

Trend Micro:

The mention of current events for malicious attacks is nothing new for threat actors, who time and again use the timeliness of hot topics, occasions, and popular personalities in their social engineering strategies.

We analyzed coronavirus-related malware and spam attacks that our customers encountered globally in the first quarter (Q1) of 2020, from January to the present. We then categorized them according to region, namely the Asia Pacific Region (APAC), Latin America Region (LAR), North American Region (NABU), and Europe, Middle East, & Africa Region (EMEA).

The data came from our Smart Protection Network mechanism and are detected based on heuristic patterns. The number of spam corresponds to spam emails with the word “coronavirus” in the subject. The malware count is composed mostly of the accompanying malware files in these spam messages.

Figure 1. Coronavirus-related malware and spam attacks in Q1 2020 (Global)

As seen in the chart above, customers in the EMEA region had the most attacks at around 130,000 for both malware and spam. APAC saw around 28,000 attacks for both. NABU has over 21,000 for malware and over 22,000 for spam, while LAR has over 18,000 for malware and 19,000 for spam.

Figure 2. Countries with the most coronavirus-related malware and spam attacks in Q1 2020 (EMEA)

For EMEA, customers in the UK received almost a third of all malware and spam attacks for the region at over 41,000 for both. Next is France at almost 24,000 for malware and almost 23,000 for spam. Italy, one of the countries most affected by the coronavirus, has been hit by over 11,000 spam and malware cases, making it the country in EMEA that has seen the third-most coronavirus-related campaigns.

Read more at Trend Micro.

Trendmicro.com (March 2020) Developing Story: Coronavirus Used in Malicious Campaigns

Hill Air Force Base has announced its first confirmed COVID-19 case


A Hill Air Force Base member is being treated and evaluated by health care professionals following the base’s first confirmed case of COVID-19.

“This is our first confirmed case,” said Col Jon Eberlan, 75th Air Base Wing commander. “The continued safety and well-being of the installation is my top priority. We are working with our base medical staff and off-base health care agencies to ensure we mitigate the effects of COVID-19 using established Centers for Disease Control and Prevention and Defense Department guidelines.”

Hill AFB declared a public health emergency on March 19 and is in Health Protection Condition Bravo to reflect the current situation posed by COVID-19 and the risk of exposure to personnel.

Hill AFB officials are working closely with the Utah Department of Health to coordinate prevention and response efforts in the local area. We are regularly providing installation personnel and their families with up-to-date information on appropriate measures to prevent potential spread of the virus, as well as any impact to local activities.

We encourage all Air Force personnel and their families to continue to practice social distancing and proper hygiene as the best way to prevent the spread of the virus. This includes washing hands with soap and water for at least 20 seconds or using an alcohol-based hand sanitizer that contains at least 60% alcohol. People should not shake hands and should routinely disinfect all commonly used surfaces. Also, avoid touching eyes, nose and mouth with unwashed hands and avoid close contact with those who are sick.

“We are encouraging all personnel to follow Force Health Protection guidelines to safeguard our community to prevent widespread outbreak, and adhere to travel advisories and restrictions,” Eberlan said.

Hill AFB leadership will continually monitor the situation and provide additional information as it becomes available.

Hill.Af.mil (March 2020) Hill AFB announces first confirmed COVID-19 case

Justice Department Files Its First Enforcement Action Against COVID-19 Fraud

The Department of Justice announced today that it has taken its first action in federal court to combat fraud related to the coronavirus (COVID-19) pandemic.


Federal Court Issues Temporary Restraining Order Against Website Offering Fraudulent Coronavirus Vaccine

The enforcement action filed today in Austin against operators of a fraudulent website follows Attorney General William Barr’s recent direction for the department to prioritize the detection, investigation, and prosecution of illegal conduct related to the pandemic.

As detailed in the civil complaint and accompanying court papers filed on Saturday, March 21, 2020, the operators of the website “coronavirusmedicalkit.com” are engaging in a wire fraud scheme seeking to profit from the confusion and widespread fear surrounding COVID-19.  

Information published on the website claimed to offer consumers access to World Health Organization (WHO) vaccine kits in exchange for a shipping charge of $4.95, which consumers would pay by entering their credit card information on the website.  

In fact, there are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine.  In response to the department’s request, U.S. District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the fraudulent website immediately take action to block public access to it.

“The Department of Justice will not tolerate criminal exploitation of this national emergency for personal gain,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.  “We will use every resource at the government’s disposal to act quickly to shut down these most despicable of scammers, whether they are defrauding consumers, committing identity theft, or delivering malware.”

“Attorney General Barr has directed the department to prioritize fraud schemes arising out of the coronavirus emergency,” said U.S. Attorney John F. Bash of the Western District of Texas.  “We therefore moved very quickly to shut down this scam.  We hope in the future that responsible web domain registrars will quickly and effectively shut down websites designed to facilitate these scams.  My office will continue to be aggressive in targeting these sorts of despicable frauds for the duration of this emergency.”

“At a time when we face such unprecedented challenges with the COVID-19 crisis, Americans are understandably desperate to find solutions to keep their families safe and healthy,” said Special Agent in Charge Christopher Combs of the FBI’s San Antonio Field Office.  “Fraudsters who seek to profit from their fear and uncertainty, by selling bogus vaccines or cures, not only steal limited resources from our communities, they pose an even greater danger by spreading misinformation and creating confusion.  During this difficult time, protecting our communities from these reprehensible fraud schemes will remain one of the FBI’s highest priorities.”

The United States filed today’s announced action to shutter the website immediately while an investigation of the website and its operators continues.  In so doing, the government is employing a federal statute that permits federal courts to issue injunctions to prevent harm to potential victims of fraudulent schemes.

The Department of Justice recommends that Americans take the following precautionary measures to protect themselves from known and emerging scams related to COVID-19:

  • Independently verify the identity of any company, charity, or individual that contacts you regarding COVID-19.
  • Check the websites and email addresses offering information, products, or services related to COVID-19. Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating.  For example, they might use “cdc.com” or “cdc.org” instead of “cdc.gov.”
  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes. Legitimate health authorities will not contact the general public this way.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Make sure the anti-malware and anti-virus software on your computer is operating and up to date.
  • Ignore offers for a COVID-19 vaccine, cure, or treatment. Remember, if a vaccine becomes available, you won’t hear about it for the first time through an email, online ad, or unsolicited sales pitch.
  • Check online reviews of any company offering COVID-19 products or supplies. Avoid companies whose customers have complained about not receiving items.
  • Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving any donation. Remember, an organization may not be legitimate even if it uses words like “CDC” or “government” in its name or has reputable looking seals or logos on its materials.  For online resources on donating wisely, visit the Federal Trade Commission (FTC) website.
  • Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. Don’t send money through any of these channels.
  • Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus. If you decide to invest, carefully research the investment beforehand.  For information on how to avoid investment fraud, visit the U.S. Securities and Exchange Commission (SEC) website.

For the most up-to-date information on COVID-19, consumers may visit the Centers for Disease Control and Prevention (CDC) and WHO websites. 

In addition, the public is urged to report suspected fraud schemes related to COVID-19 by calling the National Center for Disaster Fraud (NCDF) hotline (1-866-720-5721) or by e-mailing the NCDF at disaster@leo.gov.

The enforcement action taken today is being prosecuted by Assistant United States Attorneys Thomas A. Parnham, Jr. and Michael C. Galdo of the Western District of Texas, and Senior Litigation Counsel Ross S. Goldstein of the Civil Division’s Consumer Protection Branch.  The FBI’s San Antonio Field Office is conducting the investigation.

The claims made in the complaint are allegations that, if the case were to proceed to trial, the government must prove to receive a permanent injunction against the defendant.

For information about the Department of Justice’s efforts to stop COVID-19 fraud, visit www.justice.gov/coronavirus.  Additional information about the Consumer Protection Branch and its enforcement efforts may be found at www.justice.gov/civil/consumer-protection-branch.  For more information about the U.S. Attorney’s Office for the Western District of Texas, visit its website at www.justice.gov/usao-wdtx.

Justice.gov (March 2020) Justice Department Files Its First Enforcement Action Against COVID-19 Fraud

DOD partners with defense industry to mitigate impacts from COVID-19, Contractor dies


Lt. Col. Mike Andrews, Department of Defense spokesman said on Sunday, “The Department continues to aggressively partner with the defense industry to mitigate impacts from COVID-19.”

Under Secretary of Defense Ellen Lord’s Acquisition and Sustainment leaders in Industrial Policy, Defense Pricing and Contracting, Defense Logistics Agency (DLA), and the Defense Contracting Management Agency (DCMA) have made significant progress this week in addressing specific concerns outlined by defense industry leaders.

During the 4 daily COVID-19 update calls with defense industry association leaders this week, led by Deputy Assistant Secretary of Defense for Industrial Policy Ms. Jennifer Santos, several key concerns identified by industry included 1) the ability of the critical defense contractor workforce to continue working; 2) ensuring cash flow to the defense industrial base; and 3) getting standardized guidance out to industry.

On Friday the Department issued two memos that address all three concerns.

After working closely with the Hill and the Department of Homeland Security, Under Secretary Lord issued a Defense Industrial Base Essential Critical Infrastructure Workforce memo that defined essentiality in the Defense Industrial Base (DIB) workforce, ensuring the defense industrial base’s critical employees can continue working.

The memo also reiterated her commitment to the safety of the workforce and support of the national security mission.

In addition, on Friday Mr. Kim Herrington, Director of Defense Pricing and Contracting, issued a Deviation on Progress Payments memo, which stated that, once incorporated into contracts, the progress payment rate will increase from 80% of cost to 90% for large businesses and from 90% to 95% for small businesses.

This is an important avenue where industry cash flow can be improved.

DCMA will work on mass modifications to contracts where applicable (vs one by one) using DCMA authorities. In addition, the Department is accelerating payments through several means to prime contracts and directing prime contracts to expedite payments to subcontractors.

Vice Admiral David Lewis, DCMA Director, has worked closely with the contracting workforce and the Defense Finance and Accounting Services (DFAS) to ensure that invoices are continuing to be paid in a timely manner.

On Friday, the Acquisition and Sustainment Small Business Office reached out to defense industry small businesses, and is working with the Small Business Administration and their small business emergency loan program to help protect these companies.

The Department is fully engaged with the inter-agency to leverage the Defense Production Act to help reinforce critical elements of the DIB. It is especially important to understand that during this crisis the DIB is vulnerable to adversarial capital; we need to ensure companies stay in business without losing their technology. The Department will be discussing this in more detail next week.

Under Secretary Lord remains grateful for the productive discussions with the defense industry associations, U.S. Chamber of Commerce, Hill and State leaders. She’s especially proud of the incredible efforts of Department leaders and contracting officers across the nation who are helping ensure a secure, reliable and resilient Defense Industrial Base.

In related news, the Department of Defense sadly reported that a Crystal City-based contractor, who worked at the Defense Security Cooperation Agency, passed away on March 21, 2020.

The individual had tested positive for COVID-19 and had been under medical treatment at a local hospital. Our condolences go out to his family, friends and co-workers and we thank the medical professionals who worked to save his life in the face of this virus.

The spaces in DSCA where the individual worked have been cleaned in accordance with CDC guidance when he tested positive and the person’s co-workers have been teleworking.

The Department remains committed to protecting our service members, their families, and our civilian co-workers.

Defense.gov (March 2020) Partnering With the U.S. Defense Industrial Base to Combat COVID-19; DOD Announces Death of Contractor