Malware – Law Enforcement, Military, and Terrorism News

Trend Micro: Coronavirus Used in Malicious Campaigns

(Developing Story) The coronavirus disease (COVID-19) is being used in a variety of malicious campaigns including email spam, BEC, malware, ransomware, and malicious domains, Trend Micro has reported.

As the number of those afflicted continue to surge by thousands, campaigns that use the disease as a lure likewise increase. Trend Micro researchers are periodically sourcing for samples on coronavirus-related malicious campaigns. This report also includes detections from other researchers.

Trend Micro:

The mention of current events for malicious attacks is nothing new for threat actors, who time and again use the timeliness of hot topics, occasions, and popular personalities in their social engineering strategies.

We analyzed coronavirus-related malware and spam attacks that our customers encountered globally in the first quarter (Q1) of 2020, from January to the present. We then categorized them according to region, namely the Asia Pacific Region (APAC), Latin America Region (LAR), North American Region (NABU), and Europe, Middle East, & Africa Region (EMEA).

The data came from our Smart Protection Network mechanism and are detected based on heuristic patterns. The number of spam corresponds to spam emails with the word “coronavirus” in the subject. The malware count is composed mostly of the accompanying malware files in these spam messages.

Figure 1. Coronavirus-related malware and spam attacks in Q1 2020 (Global)

As seen in the chart above, customers in the EMEA region had the most attacks at around 130,000 for both malware and spam. APAC saw around 28,000 attacks for both. NABU has over 21,000 for malware and over 22,000 for spam, while LAR has over 18,000 for malware and 19,000 for spam.

Figure 2. Countries with the most coronavirus-related malware and spam attacks in Q1 2020 (EMEA)

For EMEA, customers in the UK received almost a third of all malware and spam attacks for the region at over 41,000 for both. Next is France at almost 24,000 for malware and almost 23,000 for spam. Italy, one of the countries most affected by the coronavirus, has been hit by over 11,000 spam and malware cases, making it the country in EMEA that has seen the third-most coronavirus-related campaigns.

Read more at Trend Micro.

Trendmicro.com (March 2020) Developing Story: Coronavirus Used in Malicious Campaigns

Romanian Hackers Sentenced

Bayrob Group members Bogdan Nicolescu and Radu Miclaus were both convicted on wire fraud, money laundering, and identity theft charges. In December 2019, Nicolescu was sentenced to 20 years and Miclaus to 18 years in prison.

Members of Bayrob Criminal Enterprise Infected Thousands of Computers with Malware, Stole Millions of Dollars

The hackers were like modern-day John Dillingers, brazenly committing their crimes and repeatedly escaping law enforcement’s grasp.

But like Dillinger and most other criminals, they eventually slipped up, and the FBI and its international partners were waiting for them after years of tracking their activities.

Auction Fraud Gets Law Enforcement’s Attention

In 2007, an Ohio woman wired thousands of dollars to an eBay seller thinking she was buying a used car. The car never arrived. When she went to her local police department, the listing did not appear on the officers’ computers.

That’s because the woman was on a fraudulent version of the online auction site that mimicked the real one—a result of having unknowingly downloaded malicious software, known as malware, to her computer.

And to thousands of other victims just like her, the website and transactions looked legitimate. But buyers who thought they were wiring money across town were, in fact, sending money to hackers halfway across the world.

Shop Amazon Gift Cards. Any Occasion. No Expiration.

The hackers, known as the Bayrob Group, laundered the money via money mules, making it difficult to track. (Money mules are criminal accomplices who, often unwittingly, move criminal money through their own bank accounts.) Additionally, if a user on an infected machine went to the “Help” section of the site, they were met with the hackers’—not eBay’s—customer service.

The Bayrob hackers also blocked websites like ic3.gov—the FBI’s Internet Crime Complaint Center—where a user might have gone for help. And before smartphones were so common, the infected computer may have been a victim’s only access to the Internet.

The would-be car buyer, along with many other victims, lost her money because wiring funds lacks the consumer protection of a credit card. Agents estimate each victim lost between $8,000 and $11,000.

“At the time, this was really cutting edge,” said Special Agent Ryan Macfarlane, who worked this case out of the FBI’s Cleveland Field Office. “These guys did a very good job of staying current with the technologies in the cyber-criminal underground.”

Following the Money and the Malware

The Bayrob hackers were frustratingly nimble and good at covering their tracks. They used multiple layers of proxy servers to hide their location. Those proxy servers communicated with the “command and control” servers that talked to the thousands of computers the malware had infected.

But as the hackers gained more victims, more partners joined the investigation. The FBI worked with numerous law enforcement agencies around the world on this case, as well as with companies such as AOL, eBay, and Symantec.

Beginning in 2012, the Bayrob Group began to diversify its criminal business as technology advanced. They continued to spread their malware via spam and social media, but they also got into cryptocurrency mining and selling credit card numbers on the Darknet.

“They had all of these infected systems, and they tried to use as many ways as possible to make money from them,” Macfarlane said.

Mistake Yields a Break in the Case

A break finally came when a Bayrob participant accidentally logged into his personal email instead of his criminal one. AOL, who was investigating his abuse of their network, connected the two accounts. That personal account led to online profiles in Romania and on social media—essentially the first action tying one of the suspects to the crimes.

That small mistake helped set investigators, in partnership with the Romanian National Police, on a path toward discovering the identities of all three hackers. And after much further investigation, including undercover buys from the group on Darknet marketplace Alphabay, the FBI had enough evidence to work with Romanian authorities on the arrests.

By the time the hackers were arrested in 2016, the Bayrob Group had become one of the top senders of malicious email.

“We were essentially taking down this entire infrastructure and arresting the three individuals at one time,” Macfarlane said. “And the Romanian National Police were key partners in this effort. They stuck with us year after year. We couldn’t have done this without them.”

A third member of the group, Tiberiu Danet, pleaded guilty to similar charges. He was sentenced in January to 10 years in prison.

While it was years in the making, putting a stop to these prolific thieves was worth the time and effort for the investigators—even when the hackers were as elusive as a gangster on the run.

“We stuck with it because these guys weren’t stopping,” Macfarlane said. “They continued to evolve, and they were becoming a bigger and bigger threat.”

Protecting Yourself Online

Although many of the victims had no way of knowing their computers were compromised, there are steps you can take to protect yourself and your devices, such as making sure your antivirus and operating systems are always up to date. Also be careful of what you click on, even if it’s coming from someone you know.

“A lot of people don’t think that someone they know will be compromised,” said FBI Special Agent Stacy Diaz, who also worked on the case. “These hackers know how social networks work, and they use those relationships to grow their network.”

FBI.gov (February, 2020) Romanian Hackers Sentenced

Help a veteran in need by donating here.

Malware stealing payment card details identified with support of private partner

An INTERPOL-coordinated cyber operation against a strain of malware targeting e-commerce websites has identified hundreds of compromised websites and led to the arrest of three individuals running the malicious campaign in Indonesia.

The malware, known as a JavaScript-sniffer, targets online shopping websites.

When a website is infected, the malware steals the customers’ payment card details and personal data such as names, addresses and phone numbers, sending the information to Command and Control (C2) servers controlled by the cyber-criminals.

Data provided to INTERPOL through a partnership with cybersecurity firm Group-IB on the scope and range of this malware helped identify hundreds of infected e-commerce websites worldwide. Group-IB also supported the investigation with digital forensics expertise helping to identify the suspects.

Under Operation Night Fury, INTERPOL’s ASEAN Cyber Capability Desk disseminated Cyber Activity Reports to the affected countries, highlighting the threat to support their national investigations. In particular, the intelligence detected C2 servers and infected websites located in six countries in the Association of Southeast Asian Nations (ASEAN) region.

At the request of the Indonesian National Police, the ASEAN Desk provided technical and operational support that resulted in the arrest of three individuals suspected of commanding the C2 servers in the country.

The investigation revealed the suspects were using the stolen payment card details to purchase electronic good and other luxury items, and then reselling them for a profit.

“Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyber threat landscape,” said Craig Jones, INTERPOL’s Director of Cyber-crime.

“This successful operation is just one example of how law enforcement is working with industry partners, adapting and applying new technologies to aid investigations, and ultimately reduce the global impact of cyber-crime,” Jones said.

In Singapore, authorities identified and took down two of the C2 servers. Investigations in other ASEAN countries are ongoing, with INTERPOL continuing to support police in locating C2 servers and infected websites and identifying the cyber-criminals involved.

Interpol.int. (2020). INTERPOL supports arrest of cybercriminals targeting online shopping websites. [Accessed 28 Jan. 2020].

Help me maintain this blog by donating here.