PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money

On January 19th, 2023, a member of the Wordfence Threat Intelligence team received an email through the contact form on their personal blog claiming that the site had been hacked, and we received two reports from Wordfence users who had received the same message. The email claimed the site had been compromised through a vulnerability and demanded about $3,000 worth of Bitcoin to stop the sender from damaging the site’s reputation. This is only a scare tactic and not a true cause for concern: the site was not actually hacked, and the message offers no evidence of access (no data sample, no site-specific detail), which is typical of this kind of extortion.

This campaign appears to have begun on or around January 18, 2023, and while our data on it is light, the campaign is ongoing. The messages are submitted through website contact forms, either by the threat actor directly or by a bot they control, and arrive in the site owner’s inbox as ordinary contact-form notifications. Because we do not have visibility into messages submitted through contact forms, the campaign is likely far more prolific than the numbers we have available suggest.

The message in question, which can be seen below in its email form, is a scare tactic that is used to trick victims into paying to prevent a leak of sensitive data, damage to the website, or whatever other potential consequences the vague threat may conjure up in the site owner’s mind.

From: Manie Hedin
Subject: Your Site Has Been Hacked

Message Body:
Your Site Has Been Hacked


We have hacked your website https://.com and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://.com was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.14 BTC).

The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qe4xvhksgapl3p76mm
The Address Part 2: fz7thdnmkeuxry08kjhcn

So, you have to manually copy + paste Part1 and Part2 in one string made of 42 characters with no space between the parts that start with “b” and end with “n” is the actually address where you should send the money to.

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 72 hours after receiving this message or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.

While this extortion campaign may not pose any real danger, it is still important to take website security seriously. WordPress core, themes, and plugins need to be updated with the latest security updates to patch known vulnerabilities. Even with everything updated, there may be vulnerabilities that are not publicly known and do not have an available patch. For this reason, a website security solution that includes a web application firewall (WAF) that can block common exploits, such as Wordfence, should be implemented.

Cyber Observables
While this extortion campaign is still in its early stages, there are some observables that can be used to identify and block these extortion attempts.

Email Address

Bitcoin Address

IP Addresses
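The scam splits its payment address into two “Part” lines so that a filter looking for a whole Bitcoin address will miss it. The Python below is added here as an example and is not Wordfence code: it reassembles “Address Part N” lines from a contact-form submission, also catches whole inline bc1/tb1 addresses, and verifies the bech32 checksum (BIP 173, with the BIP 350 bech32m constant accepted as well) so a filter can flag a message that carries a syntactically valid payment address rather than random text. The message is constructed to mirror the campaign’s layout and uses the BIP 173 test-vector address rather than the scammer’s; the line format and the regular expressions are assumptions about how such messages look.

```python
import re

# Added example, not Wordfence code. Bech32 checksum verification (BIP 173)
# plus a scanner for contact-form messages that split a bc1 address in two.

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1            # witness v0 addresses (bc1q...)
BECH32M_CONST = 0x2BC830A3  # witness v1+ addresses (bc1p...), BIP 350


def _polymod(values):
    """Reference BCH polymod from BIP 173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_valid(addr):
    """True if addr carries a valid bech32 or bech32m checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by the spec
    addr = addr.lower()
    pos = addr.rfind("1")  # last '1' separates human-readable part from data
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in data):
        return False
    values = [CHARSET.index(c) for c in data]
    return _polymod(_hrp_expand(hrp) + values) in (BECH32_CONST, BECH32M_CONST)


# Assumed line shape, modelled on the message quoted above.
PART_LINE = re.compile(r"Address\s+Part\s*(\d+)\s*:\s*([0-9a-zA-Z]+)", re.IGNORECASE)
INLINE_ADDR = re.compile(r"\b(?:bc|tb)1[02-9ac-hj-np-z]{6,87}\b", re.IGNORECASE)


def find_bitcoin_addresses(message):
    """Return [(address, checksum_ok), ...] for split and whole addresses in message."""
    found = []
    parts = {int(n): s for n, s in PART_LINE.findall(message)}
    if parts:
        joined = "".join(parts[k] for k in sorted(parts))
        found.append((joined, bech32_valid(joined)))
    fragments = set(parts.values())
    for m in INLINE_ADDR.finditer(message):
        if m.group(0) not in fragments:  # don't re-report half of a split address
            found.append((m.group(0), bech32_valid(m.group(0))))
    return found


# Constructed sample: the campaign's layout with the BIP 173 test-vector address.
SAMPLE_MESSAGE = """\
Your Site Has Been Hacked
The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qw508d6qejxtdg4y5r
The Address Part 2: 3zarvary0c5xw7kv8f3t4
So, you have to manually copy + paste Part1 and Part2 in one string
"""

if __name__ == "__main__":
    for addr, ok in find_bitcoin_addresses(SAMPLE_MESSAGE):
        print(f"{addr}  checksum_ok={ok}")
```

A contact-form plugin or mail filter can run `find_bitcoin_addresses` on the submitted body and quarantine anything that yields a checksum-valid address alongside the usual “hacked”/“leak” wording; the checksum step matters because it separates a real, payable address from the random strings that legitimate messages occasionally contain.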

In this post, we discussed an emerging extortion campaign where emails are being sent to site owners through contact forms. This campaign does not pose an actual threat to the website, but serves as a reminder to keep websites updated and implement a website security solution.


Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

It looks like the sort of meeting room you might find in startups all over the world: diffuse lighting from windows down one wall, alongside a giant poster cityscape of New York’s Brooklyn Bridge, with the Manhattan skyline towering behind it.

The difference in this case is that the computer workstations around the room are there for a different sort of “entrepreneurial” venture, and the room is empty not because no one showed up for work, but because the “employees” were in the process of being arrested.

This picture comes from the Ukraine Cyber Police, who raided a fraudulent call center just before New Year, where they say the three founders of the scam, plus 37 “staff”, were busted for allegedly operating a large-scale banking fraud.

Playbook + gift of gab = scam
You’re probably familiar with the scamming script they’re said to have used, and you probably know friends or family who have been pestered by scammers of this sort.

Some of you may even have acquaintances who were ripped off this way, because these scammers are well versed in gaining the trust of their victims.

Typically, the scammers try to convince you that your bank account is under attack from fraudsters (technically, that part is true – the caller is the attacker), and patiently offer to help you “secure” your account and “recover” lost or at-risk funds.

The scammers aim to turn people’s general awareness of banking scams into an excuse, a reason, a playbook, if you like, for carrying out a scam of their own.

Simply put, they call up pretending to be an official from your own bank, using a variety of tricks to make you accept their fictitious credentials as bank staff, and then “advise” you to take a series of disastrous steps.

The scammers’ first job is to convince you that a hacker has already gained access to your account.

The crooks typically use a mix of threatening, scary and urgent language, combined with the sort of attentiveness that you probably wish more call centre staff would show.

Even if you decide to call them back (don’t do it – you’re only reconnecting to the person who just called you, which proves nothing!), you’ll almost certainly find the scammers more prompt and more helpful than you’ve experienced in a long time when calling a real support line…

…so we’re not surprised that this sort of caller makes some people feel comfortable enough to keep on listening, even if they didn’t believe a word at first.

If in doubt, don’t give it out
As you can imagine, once the crooks know you’re starting to believe their cover story, they’ll start to milk you for personal information, often by pretending that they can see it for themselves on the “banking screen” in front of them, yet somehow always coaxing you to say it out loud first.

At that point, of course, they do know the information you just let slip, and they’ll pretend to “confirm” it or to “double-check” it to keep up the pretence.

There are then many ways that the crooks can defraud you or drain your account.

Sometimes, they may simply convince you to log in on a fake “security” site as they coach you through the process, including getting you to go through any 2FA (two-factor authentication) step, which hands them a live, authenticated session.

The Ukrainian call centre that just got busted seems to have worked that way, with victims being “helpfully” guided through the process of “cancelling” transactions that, in fact, never happened in the first place [automated translation]:

[These scammers] called people in Kazakhstan, pretending to be employees of the security service of banks. These people were notified of suspicious transactions and told that alleged outsiders had gained access to their accounts. Under the guise of “cancelling” transactions, victims were persuaded to provide financial data.

After receiving such information, the perpetrators transferred the victims’ money to accounts under their own control. They also issued quick loans and appropriated the loan amount.

For the conspiracy, the participants used bank accounts located in offshore zones, and cryptocurrency wallets.

In this way, the criminals defrauded [about 18,000 people].

High and dry
In other scams – this approach, unfortunately, is widely reported in the UK – the crooks present you with a brand-new account number, based at the same bank, which they announce is your “replacement account”.

The idea is that you’re being provided with new account details in the same way that if you were to ask for a new credit card due to fraud, it too would have a brand new number, expiry date and so on.

The crooks then convince you to transfer the funds from your “old, hacked” account to this new one, leading you to believe that the account was created by the bank minutes ago, especially for the purpose of “protecting” you from an active attack.

Of course, this “new account” is just a regular account that was opened recently by accomplices of the crooks, perhaps using fraudulent documentation to pass the bank’s know-your-customer (KYC) process.

So the account is already directly under the control of the scammers, and the money will typically be whisked out of that “new” account even before you finish the call.

In cases like this, victims sometimes tragically find themselves left high and dry by their bank, which may claim that because they apparently willingly transferred the funds of their own accord, and properly identified themselves to the online banking system (for example by using 2FA), the funds have technically not been “stolen”, and the bank therefore has no liability.

What to do?
  • Never believe anyone who contacts you out of the blue and claims to be “helping” you with a fraud investigation. That person isn’t stopping a fraud, they are starting one.
  • Never use contact details given to you by the other person when cybersecurity is at stake. This cannot possibly prove anything, given that the details probably came from a scammer in the first place. All you get is a false sense of “security”.
  • Never rely on the Caller ID number that shows up on your phone. The number that appears can easily be faked. If the caller tells you to “check the number if you don’t believe them”, you can be sure they’re a scammer.
  • Never let yourself be talked into handing over personal information, especially not to “prove” your identity. After all, it’s the other person who should be proving themselves to you. Visit your bank in person if you possibly can; if you need to call or interact online, look for contact details printed on something you know you received directly from the bank, such as the back of your payment card or a recent statement.
  • Never transfer funds to another account on someone else’s say so. Your bank will never call you to ask you to do this, so any call of this sort must be a scam. Worse still, you could find yourself liable for the transfer if you approve it yourself, even if you were tricked into doing so.
  • Look out for friends and family who may be vulnerable. These scammers don’t give up easily, and they can be consummate actors when playing the role of a helpful official. Make sure your friends and family know to hang up right away, and to contact you personally for advice, so they never give the scammers a chance to “vouch” for themselves.


Operation Venetic: Pet dog and accidental selfies help convict international drugs traffickers

A drugs trafficker helped investigators smash his own organised crime group by sending a photograph of his dog on encrypted communications platform EncroChat showing his partner’s phone number on the animal’s tag.

Danny Brown, 55, operated on EncroChat under the handle ‘throwthedice’.

He sent an image of his pet, named ‘Bob’, to co-conspirator Stefan Baldauf, 62, as they worked on a plot to send 448 kilos of MDMA worth £45m to Australia.

National Crime Agency investigators zoomed in on the phone number and used it – among many other tactics in a painstaking investigation – to prove Brown was part of the conspiracy.

Bob was present when Brown was eventually arrested.

Brown and Baldauf also sent accidental selfies of themselves on EncroChat, giving investigators more proof they were involved in the plan, which saw the drugs hidden in the arm of an industrial digger and shipped to Australia.

The OCG members sent the 40-tonne Doosan digger down under on the pretence of selling it.

They organised an online auction to make the excavator’s arrival in Australia look legitimate. But they rigged it by agreeing a pre-arranged bid with the intended recipients.

The auction provided the OCG a nervous moment when other potential buyers registered their interest in the digger.

OCG member Leon Reilly, 50, messaged Brown on EncroChat: “There are six people watching it.”

Brown replied: “F***ing hell, that’s not good is it.”

Brown, Baldauf and Reilly were convicted in June at Kingston Crown Court of drugs trafficking with three other men.

Today, Brown was jailed for 26 years, Baldauf for 28 and Reilly for 24.

The trio and their conspirators plotted in late 2019 and early 2020 to send the drugs, which were 77.5% pure, to Australia where MDMA’s street value is much higher than in the UK.

EncroChat was taken down in 2020.

The NCA led Operation Venetic – the UK law enforcement response to the takedown – which provided investigators with messages offenders had sent thinking the platform was safe from global law enforcement attention.

EncroChat users’ real names did not appear on phone messages – instead, they all used a ‘handle’ which investigators needed to attribute to real world suspects.

In one message, Brown, of Kings Hall Road, Bromley, Kent, sent a photo to his crime group of his television which showed his reflection in it.

And Baldauf, of Midhurst Road, Ealing, London, sent a picture of a brass door sign with his face visible in the reflection.

The OCG bought the excavator, a Doosan DX420, for 75,000 Euros.

Reilly, who used a UK address of Tudor Way, Hillingdon, Uxbridge, but was from Dunbeacon in Bantry, Co Cork, Ireland, arranged for the digger to be moved from Leeds by his company ‘Mizen Equipment’.

The digger was safely housed in an industrial unit in Grays, Essex.

Accomplice Tony Borg, 44, of Southwark Path, Basildon, Essex, took delivery of the machine at an industrial unit in Grays, Essex, and worked on it.

Philip Lawson, 61, of Wraysbury Road, Staines-upon-Thames, designed the hide and arranged a welder to cut open an arm of the digger and seal the Class A behind a lead lining.

Lawson bought a powerful welding machine and arranged for a sign-making company to make some stickers to cover the markings once it had been repainted.

It is believed the drugs were hidden inside the digger on 19 December 2019, consistent with the digger leaving Southampton the following January.

In the days before and after, the OCG members’ Encro phones were in frequent contact with each other and also used the same cell sites at certain times.

Mizen Equipment paid a haulage firm £1,600 to move the digger to Southampton Docks and it took from 24 January to 13 March to arrive in Brisbane, Australia.

Australian Border Force officers x-rayed the digger, removed the drugs, sealed the arm and installed a tracker and listening device before letting it move onto its intended destination – an auction house in Sydney.

The digger was moved to a small site west of Sydney in May 2020 and Lawson forwarded the Australian OCG a drawn diagram of exactly where the drugs were hidden and how the digger should be opened.

On 18 May two men from the Australian OCG spent two days trying to find the drugs before realising something was wrong.

EncroChat messages show the six UK men launched their own investigation and held meetings to find out who had stolen the drugs.

On 15 June 2020 Brown and Baldauf were arrested together in Putney, south west London. Brown was in possession of his Encro phone.

In Baldauf’s car was an iPhone with messages on it showing that he told people his Encro handle was ‘Boldmove’.

After being charged, the offenders repeatedly tried to get the case kicked out of court arguing the EncroChat evidence was inadmissible.

They were convicted by a jury.

Lawson was sentenced to 23 years; Murray to 24; and Borg to 15.

Gordon Meilack, 63, of Kingsway, Camberley, Surrey and Piotr Malinowski, 39, of De’Arn Gardens, Mitcham, London, were cleared of involvement in the conspiracy.

Two men were charged with offences relating to the Australian conspiracy following work between the NCA and Australian Federal Police. They are in the Australian judicial system.

Chris Hill, NCA operations manager, said: “These men thought they were safe on EncroChat but my officers did a superb and painstaking job of building the evidence against them through a mixture of traditional and modern detective skills.

“Brown and Baldauf’s accidental selfies and the photo of Bob the dog were the cherry on the cake in proving who was operating those handles.

“But the OCG went to enormous lengths, even rigging an auction, in a bid to transfer the drugs to Australian conspirators.

“The NCA works with partners at home and abroad to protect the public from the dangers of Class A drugs which wreak so much misery on communities in the UK.”


Police arrest 55 members of ‘Black Panthers’ SIM Swap gang

The Spanish National Police have arrested 55 members of the ‘Black Panthers’ cybercrime group, including one of the organization’s leaders based in Barcelona.

The gang was operating four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding, having a very organized structure.

The arrested leader coordinated the cells and recruited new members and money mules.

“The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience,” reads the police’s announcement.

The ultimate goal of the gang was SIM swapping: getting a target’s phone number ported to a SIM card the attackers control. Once the number is ported, the attackers receive the victim’s calls and text messages, including the SMS one-time codes used as 2FA on bank accounts, which lets them take over the accounts and empty them.

For the SIM swapping, the fraudsters used a combination of phishing, vishing, and call forwarding to impersonate the identities of their targets when talking to mobile service provider customer support agents.

In some cases, the scammers even acted as service technicians for local reseller offices of the targeted telecom firms, stealing the account credentials of their employees.

“This gave them access to the database of the telephone operators themselves and allowed them to obtain the personal data of the victims, making duplicate SIM cards themselves.” – Policía Nacional.

Once they got access to the bank accounts of their targets, they made multiple transfers to a network of “money mules” located on the Levantine coast.

According to the investigators’ estimates, ‘Black Panthers’ managed to defraud at least 100 victims before their arrest, stealing 250,000 euros ($260,000) in the process.

The police’s investigation also revealed that the ‘Black Panther’ gang had an active presence on the dark web, where their “carding” cell bought ID and credit card numbers using cryptocurrency.

The crooks used the purchased info to buy various luxury products from online shops and then resell them as second-hand items to unsuspecting buyers, effectively laundering the money.

During the police raids in seven homes, 45 SIM cards, 11 mobile phones, four laptops, a hardware cryptocurrency wallet, and plenty of documentation relating to the crimes were found and confiscated.

Source: Police arrest 55 members of ‘Black Panthers’ SIM Swap gang

Ukrainian Website Threat Landscape Throughout 2022

The Russian invasion of Ukraine began on February 20, 2022. By mid-March it was clear that the cyber-war had begun, and the attacks have been consistent ever since. Before that, on March 1, 2022, Wordfence reported on an attack campaign against Ukrainian university websites, and in response we deployed our real-time threat intelligence to all sites running Wordfence with a .ua top-level domain (TLD). In the months since, we have continued to monitor the situation and to block attack attempts aimed at Ukrainian websites.

Based on the data we have tracked, it has become clear that most of the attacks being levied against Ukrainian entities since the initial campaign are fairly routine, though regularly increasing in quantity. While there are some more sophisticated attacks, the vast majority of what we are seeing is routine spam content and defacements. These types of attacks are often perpetrated by lesser-skilled actors probing for easily exploitable random web targets with simple scripts. What we are seeing does not indicate the highly skilled and coordinated attacks that would be seen from larger criminal organizations or nation-state attackers.

Today’s post will focus on the quantitative threat landscape targeting Ukrainian websites that we’ve monitored in 2022, while next week we will follow-up with an article diving deeper into the attack data and exploits we are seeing targeting Ukrainian domains.

Broader Attacks Increasing in Volume

As we approach the six-month mark since the initial invasion, the cyber-front remains a volatile but constant battleground. Just after the invasion officially began, there was a spike in attacks against Ukrainian websites, then things were quiet for almost a week. At that point, on March 3, 2022, a barrage of attack attempts were brought against Ukrainian websites, with these attacks not only continuing, but generally increasing as the war continued. At first, the attack attempts were close to normal levels, but quickly increased to more than 50,000 attempts per day.

In the six months leading up to February 20, 2022 there were an average of just over 52,480 attack attempts against .ua websites blocked by the Wordfence firewall per day. The average during the conflict has increased almost 50% to nearly 75,000 attack attempts blocked per day, excluding any exploits coming from blocklisted IP Addresses.

[Figure: blocked attacks by date]

The largest spike we have seen at this point began on June 24th and subsided on the 28th. During this spike we blocked 1,875,045 attack attempts. Most of them came from known malicious IP addresses, and a substantial number were brute force attacks; directory traversal, file uploads, and information disclosure rounded out the most common attack types. Nothing in our data indicates that these attacks were connected, so this was likely not one large attacking organization but overlapping, uncoordinated activity from many smaller groups and individuals.

Wordfence deployed its real-time threat intelligence, which includes an IP blocklist, to all .ua domains on March 1, 2022. The blocklist is updated in real time with the latest active known threats and is very effective: an IP that targets several sites ends up on the blocklist before it can target many more, which drastically raises protection on any site running the Wordfence firewall. For that reason we excluded blocklist hits from the attack trends above, so that they show the general threat landscape without the added benefit of real-time threat intelligence (a feature of Wordfence Premium, Wordfence Care, and Wordfence Response) and remain comparable with the attack data from before that deployment. Once we added the real-time IP blocklist data back into the analysis, the volume of attacks the Wordfence firewall blocked on .ua domains jumped nearly 450%, demonstrating the effectiveness of deploying real-time threat intelligence to those domains.

[Figure: attack types in the June spike]

The spike at the beginning of the invasion largely consisted of attacks against Ukrainian educational institutions as part of a defacement campaign. While these institutions have continued to experience attack attempts, they have not been as directly targeted since the initial attack on Universities in February. At the same time, the rate of attacks brought against educational institutions has remained higher than pre-invasion levels, with (comparatively small) spikes primarily in March, April, and July. The trend continues upward, with the average number of daily attack attempts per day nearing the 100,000 mark. Since the invasion began, we have logged 46,698,709 attack attempts against .ua domains. Of those attempts, 2,903,923 were against domains, and 1,903,806 were against domains.

[Figure: attack rates against Ukrainian universities]

A Shift In The Threat Landscape

When we first wrote about the attack on Ukrainian universities, there was one IP address,, that stood out as the primary attacking IP. The IP address was registered through Njalla, a hosting company that is run by the co-founder of Pirate Bay. After the initial attack against the universities subsided, there is no indication that this IP address has been reused in further attacks against Ukraine.

The top attacking IP currently is, which is assigned to Chang Way Technologies. The company is based in Hong Kong, but the IP address is assigned to a server located in Russia and registered to the Russian organization Sierra LLC. The IP block this address is a part of was registered to Sierra LLC on October 13, 2021. In contrast to the 104,098 attack attempts in a single day by the Njalla IP address that attacked universities in February, the Sierra LLC IP address is responsible for only 205,223 attack attempts in 30 days, and those attempts were not aimed at any specific type of victim.

Although this IP address does not appear to target victims in any particular industry, the attacks coming from it are relatively consistent. The majority of what we see from this address is SQL injection attempts: GET requests to the site with the payload carried as a URL-encoded query string, as seen here.

[Figure: URL-encoded SQL injection payload]

With this string URL-decoded, it begins to look more like an ordinary SQL query, though portions of the string literals are obfuscated: each character is spelled out as a CHR() call, which we see here as CHR-encoded strings.

[Figure: decoded payload with CHR() character encoding]

When we convert each CHR() call to its character and join the pieces, which is what the || concatenation operator does, we end up with this final payload string.

[Figure: fully decoded SQL injection payload]

This uses a SQL CASE expression to test conditions against database content and a CAST to force a type conversion. The usual purpose of the CAST is to make a true condition produce a conversion error, so that the database’s error or altered response tells the attacker whether the guess was right. As with many attacks, this does not mean that a SQL injection vulnerability is present, or that the desired content is in the database. This is the malicious actor fishing for information and hoping to get something in return.
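To match on a payload like this, a WAF rule or an analyst first has to undo the same layers the attacker added: percent-encoding (sometimes applied twice) and the CHR()||CHR() spelling of string literals. The Python below is an added example, not Wordfence firewall code: it normalises each query-string parameter and then flags the CASE/CAST probe pattern, a UNION SELECT, and a trailing comment. The request is constructed to mirror the shape described above and is not the captured payload; the indicator names are my own.

```python
import re
from urllib.parse import parse_qsl, unquote

# Added example, not Wordfence code. Constructed query string mirroring the
# CASE/CAST probe with CHR()-encoded literals; not the captured payload.
SAMPLE_QUERY = (
    "id=1%27%20AND%20(SELECT%20CASE%20WHEN%20(1=1)%20THEN%20CAST((SELECT%20"
    "CHR(119)%7C%7CCHR(112)%7C%7CCHR(95)%7C%7CCHR(117)%7C%7CCHR(115)%7C%7C"
    "CHR(101)%7C%7CCHR(114)%7C%7CCHR(115))%20AS%20INTEGER)%20ELSE%200%20END)--"
)

CHR_CALL = re.compile(r"\bCHR\(\s*(\d+)\s*\)", re.IGNORECASE)
# A run of CHR(n) calls joined with the || concatenation operator.
CHR_CHAIN = re.compile(
    r"(?:\bCHR\(\s*\d+\s*\)\s*\|\|\s*)*\bCHR\(\s*\d+\s*\)", re.IGNORECASE
)

# Indicator names are assumptions for this example.
INDICATORS = {
    "case_probe": re.compile(r"\bCASE\s+WHEN\b", re.IGNORECASE),
    "cast_probe": re.compile(r"\bCAST\s*\(", re.IGNORECASE),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE),
    "comment_tail": re.compile(r"(?:--|#|/\*)\s*$"),
}


def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inline_chr_chains(sql):
    """Replace CHR(a)||CHR(b)||... with the quoted literal it builds."""
    def to_literal(m):
        text = "".join(chr(int(c)) for c in CHR_CALL.findall(m.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return CHR_CHAIN.sub(to_literal, sql)


def analyze_query(query_string):
    """Return {param: {"decoded": normalised value, "indicators": [names]}}."""
    report = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        decoded = inline_chr_chains(fully_unquote(value))
        hits = [k for k, rx in INDICATORS.items() if rx.search(decoded)]
        report[name] = {"decoded": decoded, "indicators": hits}
    return report


if __name__ == "__main__":
    for param, info in analyze_query(SAMPLE_QUERY).items():
        print(param, info["indicators"])
        print("   ", info["decoded"])
```

Running it on the sample turns the CHR() chain back into the literal `'wp_users'` and reports `case_probe`, `cast_probe` and `comment_tail` on the `id` parameter. Matching after normalisation rather than on the raw request is the point: a signature written against `CHR(119)||CHR(112)` is trivially evaded by swapping in `CHAR()`, `0x` hex, or an extra layer of percent-encoding.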

Similar to the lack of focus we are seeing with the types of attacks, there does not appear to be any primary attacker in recent attempts. While the top nine attacking IP addresses are responsible for more than 50,000 attack attempts each, there is a long tail of IP addresses responsible for just under 50,000 attacks each and slowly working down to sub-100 volumes. This is a fairly typical pattern in attack data, rather than having one attacking organization stand out above the others.

[Figure: top attacking IPs]


In this post, we reviewed the data collected from attack attempts against Ukrainian domains with a .ua TLD since the beginning of the Russian invasion of Ukraine on February 20, 2022. The initial attacks we saw were very targeted around educational institutions, however the attacks we have been blocking since the initial campaign have been much more varied. Attack attempts are coming from a variety of malicious actors, in varying locations. The volume of attack attempts has remained high compared to pre-invasion levels, but with our continued protection these attempts are blocked, preventing damage to Ukrainian websites.

If you want to know more about the types of attacks we are blocking on Ukrainian websites, keep an eye on the Wordfence blog. A post next week will discuss these attacks, the vulnerabilities they are attempting to exploit, and how malicious actors can use them to damage an affected website.

Wordfence deployed Real-Time Threat Intelligence, an exclusive feature of Wordfence Premium, Wordfence Care, and Wordfence Response, to all .ua domain names regardless of their product tier. This means that all .ua domains, including those running Wordfence Free, have the latest protection against the newest threats, including vulnerabilities, IP addresses, and malware.


Google can now remove search results containing your phone number, address, or email

Helping to prevent doxxing

What just happened? You can find out a lot about a person just by Googling their name, but Google is now letting people remove more of their personal information from these results that could pose a danger, including physical addresses, phone numbers, and passwords.

Google has long allowed people to request certain sensitive, personally identifiable content be removed from its search results, such as confidential government identification, images of handwritten signatures, and bank account/credit card details.

Now, Google has expanded its list to include images of ID documents, confidential login credentials, and personal contact information (physical addresses, phone numbers, and email addresses). Additionally, Google will remove non-consensual explicit or intimate personal images, deepfakes, images of minors, and doxxing content, meaning content that contains explicit or implicit threats, or explicit or implicit calls to action, for others to harm or harass.

“Research has told us there’s a larger amount of personally identifiable information that users consider as sensitive,” Michelle Chang, global policy lead for Google search, told Reuters. “They are increasingly unwilling to tolerate this content online.”

Asking Google to remove something from its search results involves sending in URLs that include your personal information and search pages that surface the links. The company will then decide if it warrants removal from the search results but warns that it will try to preserve anything newsworthy, professionally relevant, from the government (part of the public record), or is determined to be in the public interest.

Google does remind people that the information is only being removed from its search results, not from the sites hosting it, and can be surfaced through other search engines.

Google approves only about 13% of the tens of thousands of removal requests it receives each year, though it expects the removal rate to increase in light of the expanded options.


Google Crushes YouTube Cookie-Stealing Channel Hijackers

Google has caught and brushed off a bunch of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on the ripped-off channels.

In a Wednesday post, Ashley Shen, with Google’s Threat Analysis Group (TAG), said that TAG attributes the assaults to a group of attackers recruited from a Russian-speaking forum. Since late 2019, they’ve been luring targets with fake collaboration come-ons, including requests to purchase ads on their targets’ channels.

(The collaboration pitch is similar to how [now-shuttered] Twitter accounts have been used to catfish security researchers by setting their traps with zero days and collaboration invitations.)

The YouTube channel hijackers are financially motivated, Shen said, looking to either auction off the stolen channels or use them to broadcast cryptocurrency scams.

Cookie Monsters

In order to elbow rightful channel owners out of the way, the attackers have been targeting YouTubers with cookie theft malware.

Cookie theft, also called session hijacking or a pass-the-cookie attack, is the theft of a session cookie: the token a browser stores after login and presents on every request to prove to the remote server that its user has already authenticated. In this campaign the cookies were not intercepted on the wire but exported from the browser by malware running on the victim's machine. An intruder who replays a stolen cookie is treated as the logged-in user, can monitor and potentially capture everything in the account, and can take full control of the session; because the cookie is issued after the password and any second factor have been checked, replaying it sidesteps both.

Cookie thieves can, for example, change existing code, modify server settings or install new programs in order to steal data, set up a back door for attackers, and lock legitimate users out of their own accounts.
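The practical question for a defender is how a replayed cookie shows up in logs. The following is an added example, not code from the article or from Google TAG: a small detector that walks web-access log lines and flags any session cookie that reappears from a client fingerprint (IP address or User-Agent) other than the one the session started on, which is exactly what a pass-the-cookie replay looks like. The log format, the session identifiers, the RFC 5737 documentation IPs and the "sensitive" URL prefixes are all constructed for this example.

```python
from datetime import datetime

# Constructed sample log lines (not real traffic).  Assumed format:
#   <ISO-8601 timestamp> <client IP> <session cookie> <user agent> <method> <path>
# The cookie sid=9f3a1c is used first by its rightful owner on Windows/Chrome,
# then twelve minutes later from another IP and browser, which immediately
# changes the account recovery email: the signature of a replayed stolen cookie.
SAMPLE_LOG = """\
2021-10-20T09:00:01Z 203.0.113.7 sid=9f3a1c Mozilla/5.0(Windows;Chrome/94) GET /studio
2021-10-20T09:00:45Z 203.0.113.7 sid=9f3a1c Mozilla/5.0(Windows;Chrome/94) POST /studio/upload
2021-10-20T09:12:10Z 198.51.100.23 sid=9f3a1c Mozilla/5.0(X11;Linux;Firefox/92) GET /studio
2021-10-20T09:12:30Z 198.51.100.23 sid=9f3a1c Mozilla/5.0(X11;Linux;Firefox/92) POST /account/recovery-email
2021-10-20T09:30:00Z 192.0.2.55 sid=77b2e0 Mozilla/5.0(Macintosh;Safari/15) GET /studio
2021-10-20T09:31:00Z 192.0.2.55 sid=77b2e0 Mozilla/5.0(Macintosh;Safari/15) GET /analytics
"""

# Paths whose use after a fingerprint change should escalate the alert.
# These prefixes are an assumption for this demo, not a real application's routes.
SENSITIVE_PREFIXES = ("/account/", "/settings/")


def parse_line(line):
    """Split one log line into its fields; the request keeps its internal space."""
    ts, ip, sid, ua, request = line.split(maxsplit=4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "sid": sid,
        "ua": ua,
        "request": request,
    }


def detect_cookie_replay(log_text):
    """Return one alert per request that presents an already-seen session
    cookie from a different (IP, User-Agent) pair than the session's first use."""
    first_seen = {}  # sid -> (ip, ua, timestamp of the first request)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        sid = ev["sid"]
        if sid not in first_seen:
            first_seen[sid] = (ev["ip"], ev["ua"], ev["ts"])
            continue
        ip0, ua0, ts0 = first_seen[sid]
        ip_changed = ev["ip"] != ip0
        ua_changed = ev["ua"] != ua0
        if not (ip_changed or ua_changed):
            continue  # same client as before: normal traffic
        path = ev["request"].split()[-1]
        sensitive = path.startswith(SENSITIVE_PREFIXES)
        alerts.append({
            "sid": sid,
            "ts": ev["ts"].isoformat(),
            "seconds_since_first": int((ev["ts"] - ts0).total_seconds()),
            "ip_changed": ip_changed,
            "ua_changed": ua_changed,
            "sensitive_action": sensitive,
            # An IP change alone can be legitimate roaming; a browser change on
            # the same cookie, or a sensitive action right after, is not.
            "severity": "high" if (ua_changed or sensitive) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector produces two high-severity alerts for sid=9f3a1c and nothing for the Safari session. The same fingerprint check can be enforced server-side (rejecting or re-authenticating a session whose User-Agent changes), and the usual complements are short session lifetimes, revoking all sessions when a password or recovery address is changed, and requiring a fresh second-factor prompt before sensitive actions so a replayed cookie alone is not enough.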


Phishing attacks: Police make 106 arrests as they break up online fraud group

Organised crime operation used phishing and business email compromise attacks.

Police have dismantled an organised crime group linked to the Italian mafia that defrauded hundreds of victims through phishing attacks and other types of online fraud.

The joint operation was led by the Spanish National Police (Policía Nacional), with support from the Italian National Police (Polizia di Stato), Europol and Eurojust and has resulted in 106 arrests across Spain and Italy. 

According to Europol, the crime operation used phishing, SIM swapping and business email compromise (BEC) attacks, and it's estimated that this led to profits of around €10 million ($11.7 million) during last year alone.

Described as “very well organised”, the group included a number of experts in computer crime tasked with creating phishing domains and carrying out cyber fraud. Other individuals involved in the criminal network included money mules and money-laundering experts, including experts in cryptocurrency. 

Working out of the Canary Islands, Spain, the criminals tricked victims – mostly from Italy – into sending large sums of money to bank accounts they controlled, before laundering the proceeds through money mules and shell companies. 


Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Apple is temporarily hitting the pause button on its controversial plans to screen users’ devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users.

“Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” the iPhone maker said in a statement on its website.

The announcement, however, doesn't make clear what kind of input Apple would be gathering, what changes it aims to make, or how it intends to implement the system in a way that mitigates the privacy and security concerns that could arise once it's deployed.

The changes were originally slated to go live with iOS 15 and macOS Monterey later this year, starting with the U.S.


Hacker returns $600M to Poly Network, is offered position as Chief Security Advisor

Last week, a hacker who stole more than $600 million in various cryptocurrencies from Poly Network began returning the ill-gotten gains. The hacker had exploited a weakness in Poly Network's cross-chain platform, which bridges assets between multiple blockchains, to pull off the heist. At the time, he had returned almost half of the stolen funds.

This week nearly all of the crypto stolen from Poly Network has been returned, but then something bizarre happened. Instead of turning the thief, who Poly Network refers to as Mr. White Hat, over to authorities, the company hired him to be its Chief Security Advisor and gave him a $500,000 bug bounty for finding the exploit.

Poly Network said that it maintained constant communication with Mr. White Hat as he returned the crypto. He expressed concerns with the platform’s “security and overall development strategy.” The company was impressed enough with his abilities that it offered him a senior-level position at Poly Network. “We are also counting on more experts like Mr. White Hat to be involved in the future development of Poly Network since we believe that we share the vision to build a secure and robust distributed system,” Poly Network wrote in a blog post. “Also, to extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network.”