A drugs trafficker helped investigators smash his own organised crime group by sending a photograph of his dog on encrypted communications platform EncroChat showing his partner’s phone number on the animal’s tag.

Danny Brown, 55, operated on EncroChat under the handle ‘throwthedice’.

He sent an image of his pet, named ‘Bob’, to co-conspirator Stefan Baldauf, 62, as they worked on a plot to send 448 kilos of MDMA worth £45m to Australia.

National Crime Agency investigators zoomed in on the phone number and used it – among many other tactics in a painstaking investigation – to prove Brown was part of the conspiracy.

Bob was present when Brown was eventually arrested.

Brown and Baldauf also sent accidental selfies of themselves on Encrochat – giving investigators more proof they were involved in the plan, which saw the drugs hidden in the arm of an industrial digger and shipped to Australia.

The OCG members sent the 40-tonne Doosan digger down under on the pretence of selling it.

They organised an online auction to make the excavator’s arrival in Australia look legitimate. But they rigged it by agreeing a pre-arranged bid with the intended recipients.

The auction provided the OCG a nervous moment when other potential buyers registered their interest in the digger.

OCG member Leon Reilly, 50, messaged Brown on EncroChat: “There are six people watching it.”

Brown replied: “F***ing hell, that’s not good is it.”

Brown, Baldauf and Reilly were convicted in June at Kingston Crown Court of drugs trafficking with three other men.

Today, Brown was jailed for 26 years, Baldauf for 28 and Reilly for 24.

The trio and their conspirators plotted in late 2019 and early 2020 to send the drugs, which were 77.5% pure, to Australia where MDMA’s street value is much higher than in the UK.

EncroChat was taken down in 2020.

The NCA led Operation Venetic – the UK law enforcement response to the takedown – which provided investigators with messages offenders had sent thinking the platform was safe from global law enforcement attention.

EncroChat users’ real names did not appear on phone messages – instead, they all used a ‘handle’ which investigators needed to attribute to real world suspects.

In one message, Brown, of Kings Hall Road, Bromley, Kent, sent a photo to his crime group of his television which showed his reflection in it.

And Baldauf, of Midhurst Road, Ealing, London, sent a picture of a brass door sign with his face visible in the reflection.

The OCG bought the excavator, a Doosan DX420, for 75,000 Euros.

Reilly, who used a UK address of Tudor Way, Hillingdon, Uxbridge, but was from Dunbeacon in Bantry, Co Cork, Ireland, arranged for the digger to be moved from Leeds by his company ‘Mizen Equipment’.

The digger was safely housed in an industrial unit in Grays, Essex.

Accomplice Tony Borg, 44, of Southwark Path, Basildon, Essex, took delivery of the machine at an industrial unit in Grays, Essex, and worked on it.

Philip Lawson, 61, of Wraysbury Road, Staines-upon-Thames, designed the hide and arranged a welder to cut open an arm of the digger and seal the Class A behind a lead lining.

Lawson bought a powerful welding machine and arranged for a sign-making company to make some stickers to cover the markings once it had been repainted.

It is believed the drugs were hidden inside the digger on 19 December 2020.

In the days before and after, the OCG members’ Encro phones were in frequent contact with each other and also used the same cell sites at certain times.

Mizen Equipment paid a haulage firm £1,600 to move the digger to Southampton Docks and it took from 24 January to 13 March to arrive in Brisbane, Australia.

Australian Border Force officers x-rayed the digger, removed the drugs, sealed the arm and installed a tracker and listening device before letting it move onto its intended destination – an auction house in Sydney.

The digger was moved to a small site west of Sydney in May 2020 and Lawson forwarded the Australian OCG a drawn diagram of exactly where the drugs were hidden and how the digger should be opened.

On 18 May two men from the Australian OCG spent two days trying to find the drugs before realising something was wrong.

EncroChat messages show the six UK men launched their own investigation and held meetings to find out who had stolen the drugs.

On 15 June 2020 Brown and Baldauf were arrested together in Putney, south west London. Brown was in possession of his Encro phone.

In Baldauf’s car was an iPhone with messages on it showing that he told people his Encro handle was ‘Boldmove’.

After being charged, the offenders repeatedly tried to get the case kicked out of court arguing the EncroChat evidence was inadmissible.

They were convicted by a jury.

Lawson was sentenced to 23 years; Murray to 24; and Borg to 15.

Gordon Meilack, 63, of Kingsway, Camberley, Surrey and Piotr Malinowski, 39, of De’Arn Gardens, Mitcham, London, were cleared of involvement in the conspiracy.

Two men were charged with offences relating to the Australian conspiracy following work between the NCA and Australian Federal Police. They are in the Australian judicial system.

Chris Hill, NCA operations manager, said: “These men thought they were safe on EncroChat but my officers did a superb and painstaking job of building the evidence against them through a mixture of traditional and modern detective skills.

“Brown and Baldauf’s accidental selfies and the photo of Bob the dog were the cherry on the cake in proving who was operating those handles.

“But the OCG went to enormous lengths, even rigging an auction, in a bid to transfer the drugs to Australian conspirators.

“The NCA works with partners at home and abroad to protect the public from the dangers of Class A drugs which wreak so much misery on communities in the UK.”

Source: https://www.nationalcrimeagency.gov.uk/news/operation-venetic-pet-dog-and-accidental-selfies-help-convict-international-drugs-traffickers

The Spanish National Police have arrested 55 members of the ‘Black Panthers’ cybercrime group, including one of the organization’s leaders based in Barcelona.

The gang was operating four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding, having a very organized structure.

The arrested leader coordinated the cells and recruited new members and money mules.

“The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience,” reads the police’s announcement.

The ultimate goal of the gang was to perform SIM swapping attacks, which is to port a target’s phone number to the attacker’s device. By porting the number, the attackers now gain access to the victim’s text messages and can use it to bypass 2FA protection on their bank accounts and empty them.

For the SIM swapping, the fraudsters used a combination of phishing, vishing, and call forwarding to impersonate the identities of their targets when talking to mobile service provider customer support agents.

In some cases, the scammers even acted as service technicians for local reseller offices of the targeted telecom firms, stealing the account credentials of their employees.

“This gave them access to the database of the telephone operators themselves and allowed them to obtain the personal data of the victims, making duplicate SIM cards themselves.” – Policía National.

Once they got access to the bank accounts of their targets, they made multiple transfers to a network of “money mules” located on the Levantine coast.

According to the investigators’ estimates, ‘Black Panthers’ managed to defraud at least 100 victims before their arrest, stealing 250,000 euros ($260,000) in the process.

The police’s investigation also revealed that the ‘Black Panther’ gang had an active presence on the dark web, where their “carding” cell bought ID and credit card numbers using cryptocurrency.

The crooks used the purchased info to buy various luxury products from online shops and then resell them as second-hand items to unsuspecting buyers, effectively laundering the money.

During the police raids in seven homes, 45 SIM cards, 11 mobile phones, four laptops, a hardware cryptocurrency wallet, and plenty of documentation relating to the crimes were found and confiscated.

Source: Police arrest 55 members of ‘Black Panthers’ SIM Swap gang (bleepingcomputer.com)

The Russian invasion of Ukraine began on February 20, 2022. By mid-March it was clear the cyber-war had begun, and the attacks have been consistent ever since. Prior to this, on March 1, 2022, Wordfence reported on an attack campaign on Ukrainian university websites. In response, we deployed our real-time threat intelligence to all sites running Wordfence with a .ua top-level domain (TLD). In the following months, we have continued to monitor the situation, and to block attack attempts aimed at Ukrainian websites.

Based on the data we have tracked, it has become clear that most of the attacks being levied against Ukrainian entities since the initial campaign are fairly routine, though regularly increasing in quantity. While there are some more sophisticated attacks, the vast majority of what we are seeing is routine spam content and defacements. These types of attacks are often perpetrated by lesser-skilled actors probing for easily exploitable random web targets with simple scripts. What we are seeing does not indicate the highly skilled and coordinated attacks that would be seen from larger criminal organizations or nation-state attackers.

Today’s post will focus on the quantitative threat landscape targeting Ukrainian websites that we’ve monitored in 2022, while next week we will follow-up with an article diving deeper into the attack data and exploits we are seeing targeting Ukrainian domains.

Broader Attacks Increasing in Volume

As we approach the six-month mark since the initial invasion, the cyber-front remains a volatile but constant battleground. Just after the invasion officially began, there was a spike in attacks against Ukrainian websites, then things were quiet for almost a week. At that point, on March 3, 2022, a barrage of attack attempts were brought against Ukrainian websites, with these attacks not only continuing, but generally increasing as the war continued. At first, the attack attempts were close to normal levels, but quickly increased to more than 50,000 attempts per day.

In the six months leading up to February 20, 2022 there were an average of just over 52,480 attack attempts against .ua websites blocked by the Wordfence firewall per day. The average during the conflict has increased almost 50% to nearly 75,000 attack attempts blocked per day, excluding any exploits coming from blocklisted IP Addresses.

The largest spike we have seen at this point began on June 24th, and subsided on the 28th. During this spike, we blocked 1,875,045 total attack attempts. In this time, most of the attack attempts were coming from known malicious IP addresses, with a substantial number of the attempts being brute force attacks. Directory traversal, file uploads, and information disclosure rounded out the most common attack types. There are no indicators in our data that these attacks were connected, meaning it is likely that this was not a large attacking organization, but rather a concerted effort from many smaller groups and individuals.

Wordfence deployed its real-time threat intelligence, which includes an IP Blocklist, to all .ua domains on March 1, 2022. The IP blocklist is updated in real-time to block the latest active known threats and is very effective at doing so. It provides a drastic increase in protection on any sites running the Wordfence firewall due to the simple fact that an IP that targets several sites will end up on the blocklist before they can target many more. As such, we excluded this data from our attack data trends to demonstrate the general threat landscape, without the added benefit of Wordfence real-time Threat Intelligence, a feature of Wordfence Premium, Wordfence Care, and Wordfence Response, to be comparative with the attack data we saw before we made that deployment. Astonishingly, once we added the real-time IP blocklist attack data to our analysis, the percentage of attacks the Wordfence firewall blocked on all .ua domains jumped nearly 450% demonstrating the effectiveness of deploying our real-time Threat Intelligence to those domains.

The spike at the beginning of the invasion largely consisted of attacks against Ukrainian educational institutions as part of a defacement campaign. While these institutions have continued to experience attack attempts, they have not been as directly targeted since the initial attack on Universities in February. At the same time, the rate of attacks brought against educational institutions has remained higher than pre-invasion levels, with (comparatively small) spikes primarily in March, April, and July. The trend continues upward, with the average number of daily attack attempts per day nearing the 100,000 mark. Since the invasion began, we have logged 46,698,709 attack attempts against .ua domains. Of those attempts, 2,903,923 were against .edu.ua domains, and 1,903,806 were against .gov.ua domains.

A Shift In The Threat Landscape

When we first wrote about the attack on Ukrainian universities, there was one IP address, 185.193.127.179, that stood out as the primary attacking IP. The IP address was registered through Njalla, a hosting company that is run by the co-founder of Pirate Bay. After the initial attack against the universities subsided, there is no indication that this IP address has been reused in further attacks against Ukraine.

The top attacking IP currently is 62.233.50.223, which is assigned to Chang Way Technologies. The company is based in Hong Kong, but the IP address is assigned to a server located in Russia and registered to the Russian organization Sierra LLC. The IP block this address is a part of was registered to Sierra LLC on October 13, 2021. In contrast to the 104,098 attack attempts in a single day by the Njalla IP address that attacked universities in February, the Sierra LLC. IP address is only responsible for 205,223 attack attempts in 30 days, and those attempts were not targeted against a specific type of potential victim.

Despite the fact that this IP address does not appear to be targeting victims in any particular industry, the attacks coming from this address are relatively consistent. The majority of what we are seeing from this IP address is SQL injection attacks, sending a GET request to the site with the payload in a URL encoded string, as seen here.

With this string decoded, it begins to look more like a normal SQL query, though portions are using character encoding which we see here as CHR encoded strings.

When we convert this and combine the string as is the purpose of the || operator, we end with this final payload string.

This is essentially using the SQL CASE statement to iterate through options to determine if specific content exists within the database, and uses the CAST statement to convert content to a specific data type. As with many attacks, this does not mean that a SQL injection vulnerability is present, or that the desired content is in the database. This is the malicious actor fishing for information, and hoping they get something in return.

Similar to the lack of focus we are seeing with the types of attacks, there does not appear to be any primary attacker in recent attempts. While the top nine attacking IP addresses are responsible for more than 50,000 attack attempts each, there is a long tail of IP addresses responsible for just under 50,000 attacks each and slowly working down to sub-100 volumes. This is a fairly typical pattern in attack data, rather than having one attacking organization stand out above the others.

Conclusion

In this post, we reviewed the data collected from attack attempts against Ukrainian domains with a .ua TLD since the beginning of the Russian invasion of Ukraine on February 20, 2022. The initial attacks we saw were very targeted around educational institutions, however the attacks we have been blocking since the initial campaign have been much more varied. Attack attempts are coming from a variety of malicious actors, in varying locations. The volume of attack attempts has remained high compared to pre-invasion levels, but with our continued protection these attempts are blocked, preventing damage to Ukrainian websites.

If you want to know more about the types of attacks we are blocking on Ukrainian websites, keep an eye on the Wordfence blog. A post next week will discuss these attacks, the vulnerabilities they are attempting to exploit, and how malicious actors can use them to damage an affected website.

Wordfence deployed Real-Time Threat Intelligence, an exclusive feature of Wordfence Premium, Wordfence Care, and Wordfence Response, to all .ua domain names regardless of their product tier. This means that all .ua domains, including those running Wordfence Free, have the latest protection against the newest threats, including vulnerabilities, IP addresses, and malware.

Source: https://www.wordfence.com/blog/2022/08/ukrainian-website-threat-landscape-throughout-2022

Helping to prevent doxxing

What just happened? You can find out a lot about a person just by Googling their name, but Google is now letting people remove more of their personal information from these results that could pose a danger, including physical addresses, phone numbers, and passwords.

Google has long allowed people to request certain sensitive, personally identifiable content be removed from its search results, such as confidential government identification, images of handwritten signatures, and bank account/credit card details.

Now, Google has expanded its list to include images of ID docs, confidential login credentials, and personal contact info (physical addresses, phone numbers, and email addresses). Additionally, Google will remove non-consensual explicit or intimate personal images, Deepfakes, images of minors, and doxxing content, which requires explicit or implicit threats or explicit or implicit calls to action for others to harm or harass.

“Research has told us there’s a larger amount of personally identifiable information that users consider as sensitive,” Michelle Chang, global policy lead for Google search, told Reuters. “They are increasingly unwilling to tolerate this content online.”

Asking Google to remove something from its search results involves sending in URLs that include your personal information and search pages that surface the links. The company will then decide if it warrants removal from the search results but warns that it will try to preserve anything newsworthy, professionally relevant, from the government (part of the public record), or is determined to be in the public interest.

Google does remind people that the information is only being removed from its search results, not from the sites hosting it, and can be surfaced through other search engines.

Google approves only about 13% of the tens of thousands of removal requests it receives each year, though it expects the removal rate to increase in light of the expanded options.

Source: https://www.techspot.com/news/94388-google-can-now-remove-search-results-containing-phone.html

Organised crime operation used phishing and business email compromise attacks.

Police have dismantled an organised crime group linked to the Italian mafia that defrauded hundreds of victims through phishing attacks and other types of online fraud.

The joint operation was led by the Spanish National Police (Policía Nacional), with support from the Italian National Police (Polizia di Stato), Europol and Eurojust and has resulted in 106 arrests across Spain and Italy. 

According to Europol, the crime operation used phishing, SIM swapping and business email compromise (BEC) attacks and it’s estimated that this led to profits of around €10 million ($11.7 million) during last year alone. 

Described as “very well organised”, the group included a number of experts in computer crime tasked with creating phishing domains and carrying out cyber fraud. Other individuals involved in the criminal network included money mules and money-laundering experts, including experts in cryptocurrency. 

Working out of the Canary Islands, Spain, the criminals tricked victims – mostly from Italy – into sending large sums of money to bank accounts they controlled, before laundering the proceeds through money mules and shell companies. 

More at: https://www.zdnet.com/article/phishing-attacks-police-make-106-arrests-as-they-break-up-online-fraud-group/