Category Archives: FBI

DHS and FBI published a joint alert on SamSam Ransomware

The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.

The SamSam hackers extorted over 200 organizations, including public institutions, municipalities, and hospitals, they have caused over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by ransomware, the cyber attack was confirmed by the City officials.

The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the port of San Diego in September,  the incident impacted the processing park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), the DOT has shut down the infected workstations.

In August, Sophos security firm published a report the SamSam ransomware, its experts tracked Bitcoin addresses managed by the crime gang and discovered that crooks had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.

According to the joint report, most of the victims were located in the United States.

“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.

“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”

SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and make lateral movements to infect other hosts on the network.

According to the report, attackers used the JexBoss Exploit Kit to compromise JBoss applications. Threat actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, they use brute force attacks and stolen login credentials.

After obtaining access to the victim’s network, attackers escalate privileges then they drop and execute the malware.

“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.

According to the experts, attackers used stolen RDP credentials that were bought from darknet marketplaces. and used in attacks within hours of purchasing the credentials.

The alert also technical details and the following recommendations to mitigate the threat:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

The post DHS and FBI published a joint alert on SamSam Ransomware appeared first on Security Affairs.

A week in security (November 26 – December 2)

Last week on Malwarebytes Labs, we took a look at our cybersecurity predictions for 2019, we explained why Malwarebytes participated in AV testing and how we took part in an joint take down of massive ad fraud botnets, warned that ESTA registration websites still lurk in paid ads on Google, discussed what 25 years of webcams have brought us, and reported about the Marriott breach that impacted 500 million customers.

Other cybersecurity news:

  • LinkedIn violated data protection by using 18 million email addresses of non-members to buy targeted ads on Facebook. (Source: TechCrunch)
  • Researchers created fake “master” fingerprints to unlock smartphones. (Source: Motherboard)
  • Uber slapped with £385K ICO fine for major breach. (Source: InfoSecurty Magazine)
  • Rogue developer infects widely-used NodeJS module to steal Bitcoins. (Source: The Hacker News)
  • When the FBI (and not the fraudsters) make a fake FedEx website. (Source: Graham Cluley)
  • Microsoft warns about two apps that installed root certificates then leaked the private keys. (Source: ZDNet)
  • Social media scraping app Predictim banned by Facebook and Twitter. (Source: NakedSecurity)
  • Tech support scam: Call centers shut down by Indian police in collaboration with Microsoft. (Source: TechSpot)
  • Germany detects new cyberattack targeting politicians, military, and embassies. (Source: DW)
  • It’s time to change your password again as Dell reveals attempted hack. (Source: Digital Trends)

Stay safe, everyone!

The post A week in security (November 26 – December 2) appeared first on Malwarebytes Labs.

Feds charge 2 Iranian hackers behind SamSam ransomware attacks

By Waqas

The United States Department of Justice has charged two Iranian nationals with allegedly developing and using SamSam ransomware against their targets in the United States and Canada to carry out computer hacking and extortion scheme from Iran. Both Mohammad Mehdi Shah Mansouri, 27 and Faramarz Shahi Savandi, 34 have been charged with six counts together with one count of conspiracy […]

This is a post from Read the original post: Feds charge 2 Iranian hackers behind SamSam ransomware attacks

Gang sentenced for installing card skimmers on gas pumps & stealing data

By Carolina

On Wednesday, a group of ten individuals including the head of the group received a total of 30 years sentence. The group was involved in installation of card skimmers on gas pumps across five states in the US including main cities of Northeast Ohio. Through card skimmers, credit card detail of thousands of people was […]

This is a post from Read the original post: Gang sentenced for installing card skimmers on gas pumps & stealing data

FBI Takes Down a Massive Advertising Fraud Ring

The FBI announced that it dismantled a large Internet advertising fraud network, and arrested eight people:

A 13-count indictment was unsealed today in federal court in Brooklyn charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with criminal violations for their involvement in perpetrating widespread digital advertising fraud. The charges include wire fraud, computer intrusion, aggravated identity theft and money laundering. Ovsyannikov was arrested last month in Malaysia; Zhukov was arrested earlier this month in Bulgaria; and Timchenko was arrested earlier this month in Estonia, all pursuant to provisional arrest warrants issued at the request of the United States. They await extradition. The remaining defendants are at large.

It looks like an impressive piece of police work.

Details of the forensics that led to the arrests.

Smashing Security #106: Google Maps, Fed phishing, and Grinch bots

Smashing Security #106: Google Maps, Fed phishing, and Grinch bots

How are scammers stealing your money through Google Maps? Why did the FBI create a fake FedEx website? And how are US senators hoping to stop Grinch bots ruining Christmas?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

And don’t miss our special bonus interview about passwords with Rachael Stockton of LastPass.

FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

By Waqas

8 suspects behind 3VE have also been identified. Last year in August, the Federal Bureau of Investigation organized a secret meet-up between cybersecurity and digital advertising experts in its Manhattan federal building. This included Google and nearly 20 tech firms while there were nearly 30 attendees at the meeting. The agenda of the meeting was to […]

This is a post from Read the original post: FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

Malwarebytes helps take down massive ad fraud botnets

On November 27, the US Department of Justice announced the indictment of eight individuals involved in a major ad fraud case that cost digital advertisers millions of dollars. The operation, dubbed 3ve, was the combination of the Boaxxe and Kovter botnets, which the FBI—in collaboration with researchers in the private sector, including one of our own at Malwarebytes—was able to dismantle.

The US CERT advisory indicates that 3ve was controlling over 1.7 million unique IP addresses between both Boaxxe and Kovter at any given time. Threat actors rely on different tactics to generate fake traffic and clicks, but one of the most common is to infect legitimate computers and have them silently mimic a typical user’s behavior. By doing so, fraudsters can generate millions of dollars in revenue while eroding trust in the online advertising business.

This criminal enterprise was quite sophisticated in that it had many evasion techniques that not only made it difficult to detect the presence of ad fraud, but also clean up affected systems. Kovter in particular is a unique piece of malware that goes to great lengths to avoid detection and even trick analysts. Its fileless nature to maintain persistence has also made it more challenging to disable.

Malwarebytes, along with several other companies, including Google, Proofpoint, and ad fraud detection company White Ops, was involved in the global investigation into these ad fraud botnets. We worked with our colleagues at White Ops, sharing our intelligence and samples of the Kovter malware. We were happy to be able to leverage our telemetry, which proved to be valuable for others to act upon.

Even though cybercriminal enterprises can get pretty sophisticated, this successful operation proves that concerted efforts between both the public and private sectors can defeat them and bring perpetrators to justice.

The full report on 3ve, co-authored by Google and White Ops, with technical contributions from Proofpoint and others, can be downloaded here.

The post Malwarebytes helps take down massive ad fraud botnets appeared first on Malwarebytes Labs.

Secret Charges Against Julian Assange Revealed Due to “Cut-Paste” Error

Has Wikileaks founder Julian Assange officially been charged with any unspecified criminal offense in the United States? — YES United States prosecutors have accidentally revealed the existence of criminal charges against Wikileaks founder Julian Assange in a recently unsealed court filing in an unrelated ongoing sex crime case in the Eastern District of Virginia. Assistant US Attorney Kellen

Facebook says recent data breach wasn’t ‘related to the midterms’

Even though the number of users affected by Facebook's most recent hack was lowered to 29 million, from 50 million, it's still safe to say the attack was worse than originally thought. That's because we now know that the breach, which Facebook revealed a couple of weeks ago, exposed very detailed information of 14 million of those users, including their username, birthdate, gender, location, relationship status, religion, hometown, self-reported current city, education, work, the devices they used to access Facebook and the last 10 places they checked into (or were tagged in) on the site. The attackers, whose identities Facebook won't reveal because of an ongoing FBI investigation, were also able to view which people/Pages were followed by these 14 million users, as well as their 15 most recent searches on Facebook.

Fin7 and the Perfect Phish

For the past twenty years, one of the main pieces of advice our industry gave to people regarding their email was "don't open attachments from people you don't know."  But what if your JOB is opening attachments from people you don't know?

On August 1st, the US Attorney for the Western District of Washington, Annette Hayes, and the FBI Seattle Special Agent in Charge, Jay Tabb, along with main Justice's head of the Computer Crimes and Intellectual Property Section (CCIPS), Deputy Attorney General Downing, gave a fascinating press conference about the FIN7 or Carbanak Group case.  (The link shows the 31 minute press conference on YouTube, where closed captioning is available.)

As AG Downing explained it, the FIN7 group would use a combination of emails and telephone calls to encourage people involved in catering or group reservations to open their malicious emails.  Imagine that your job is booking hotel rooms for group travel, or handling large catering deliveries for business meetings from your restaurant.  A new potential customer calls and says "I'd like to book forty hotel rooms for our sports team that is coming to play in a tournament in your town next month.  What email should I send the details to?"  Or "We're having an event at my office and need to order lunch for sixty people.  I know that I could use the online order form, but would you mind if I just sent you an email with the details?"  (I've done the latter myself when ordering FIFTY pizzas from Dominos!)

What sales person is NOT GOING TO OPEN THAT ATTACHMENT?  Right.  Every single one will do so!  Here's the flow of the attack that was shared at the Press Conference:

Depiction of one of the schemes used by cybercrime group FIN7.
(Image from FBI Seattle FBI Office)
Although the schemes I suggested sound complex, some of the emails shared during the press conference were quite simple:

Spear-phishing Email Image from

Spear-phishing Email Image from

Three criminals were arrested in this scheme, each on their own indictment.  The first two were actually arrested in January 2018, but their arrest and information about their case remained secret as law enforcement continued to hunt for additional members of the FIN7 team.

Also appearing at the press conference were representatives from Visa and Master Card. Marie Russo, SVP of Cards and Franchise at MasterCard.  Marie praised their participation in the NCFTA (the National Cyber Forensics Training Alliance) who offers a service that helps send stolen credit card information to the . Dan Schott, Senior Director of Visa. Both Ms. Russo and Mr. Schott talked about their proactive means of identifying crime trends and coordinated with banks.  Mr. Schott reminded that every Visa card service in the United States offers "Transaction Alerts" that will notify you when your card is used in a transaction. (Unfortunately Schott also quoted the mythical $600 Billion annual cost of cybercrime.)  

Is This Joker's Stash?

We don't know.  Although many of the victim companies have been anonymized, the indictment does reveal that "Victim-1" was the Emerald Queen Hotel and Casino (EQC) in Pierce County, Washington, "Victim-3" was Chipotle Mexican Grill, Victim-5 was the Boeing Employee Credit Union, Victim-6 was Jason's Deli, Victim-8 was Red Robin Gourmet Burgers and Brews, Victim-9 was Sonic Drive-in, and Victim-10 was Taco John's.  Trend Micro has previously published that FIN7 was also involved in breaches at Trump Hotels, Whole Foods, Saks Fifth Avenue and Lord & Taylor.  That latter group of cards is known to have been trafficked on the criminal card market "Joker's Stash", and TrendMicro actually equates the groups.  Their April 2, 2018 press release, "Bank Card Data of Five Million Stolen in Saks and Lord & Taylor Data Breach," begins with the sentence:  "A hacking syndicate known as JokerStash (also identified as Fin7 and Carbanak) announced the sale of five million payment cards on the dark web last March 28.

Trend Micro (click for full article)
Brian Krebs was one of the journalists who has written extensively about Joker's Stash.  In this image from his blog post "Will the Real Joker's Stash Come Forward", he shares an image of the card "base" "FIRETIGERRR" associated with the Sonic Drive-In databreach, showing a screenshot of the September 26, 2017 announcement on Joker's Stash about the availability of 5 million credit cards:

Image result for joker's stash carbanka
Sonic Drive-In cards being sold on Joker's Stash (image from

The indictments do not make the ties between FIN7 and Joker's Stash quite so strongly.  For example, in the Hladyr indictment:

"between approximately March 24, 2017 and April 18, 2017, FIN7 harvested payment data from point-of-sale devices at certain Victim-3 restaurant locations.  FIN7 stole millions of payment card numbers, many of which have been offered for sale through vending sites, including but not limited to, Joker's Stash, thereby attempting to generate millions of dollars of illicit profits.

Three Ukrainian mastermind arrested

Three Ukrainians, Fedor Gladyr (age 33), Andrey Kolpakov (age 30), and Dmytro Fedorov (age 44) were arrested in the current round of actions, although prosecutors made it clear that there will be more arrests in the future.  They also make clear that the top leader of this scheme  has not yet been arrested.

Fedorov is said to have been the first to be arrested, in January 2018, in Poland.  A KyivPost article in February about a 44-year old Ukrainian hacker being detained in Poland on an Interpol warrant is certainly about him ==> "Ukrainian Hacker detained, Faces 30 years in Prison."  

It is unknown how or if this is related to the Spanish Police arrest of "Dennis-K" said at the time to be the leader of the Carbanak Group when he was arrested on March 26, 2018 in Alacante, Spain.  (A YouTube video about that arrest (in Spanish) is available as "Detenido hacker 1000 millones (Denis-K)"  The Times of London called Denis-K a 30-year old Russian-born Ukrainian citizen, living in Spain, whose malware used in cyber attacks in more than 40 countries, and who owned two million dollar houses.  At the time, Europol said this was the end of a 5-year cybercrime spree that had stolen $1.2 Billion. This does NOT seem to be the same person, despite the age match and the "K" last name, as the US case states that Kolpakov was arrested in "late June" in Lepe, Spain.

It is also unknown how or if this is related to the Ukrainian Police's arrest of members of the COBALT game earlier this year.  Europol says that COBALT and CARBANAK are the same group.  It is believed by this author that the current FBI action in Seattle is targeting CUSTOMERS of the malware author group known as Cobalt/Carbanak.  Hopefully this will get sorted out in the near future.  

(Related stories:  

The superseding indictment of Fedor Gladyr
Fedor Gladyr, aka das, aka Fyodor, aka AronaXus, "served as a high-level systems administrator for FIN7 who maintained servers and communications channels used by the organization.  For example, FIN7 members requested Gladyr grant them access to servers used by FIN7 to facilitate the malware scheme.  He also played a management role in the scheme by delegating tasks and by providing instruction to other members of the scheme.  Gladyr used Jabber and HipChat to communicate with his teams.  The team used a JIRA server, usually used to track long software development projects, to communicate about the infiltration of their victims. As a few examples:

07SEP2016 - Gladyr opens an "issue" for Victim-6 for his conspirators to upload files of internal credentials for the company network.
JAN2017 - Dmytro Fedorov opens an "issue" for Victim-7 credentials to be posted.
05APR2017 - Fedorov opens an "issue" for Victim-9 credentials to be posted.

Some of the malicious infiltration of the victim networks came by emailing those malware-laden requests for quotes to companies.  Some examples include:

08AUG2016 - Victim-1, email from
08AUG2016 - Victim-1, email from
25AUG2016 - Victim-6, email from 
21&23FEB2017 - Victim-2 two emails
24-25MAR2017 - Victim-3 six emails 
05APR2017 - Victim-9 emails from 
11APR2017 - Victim-4 email from 
10MAR2017 - Victim-5 email 
27MAR2017 - Victim-8 email from 
25MAY2017 - Victim-4 email from (Subject: "takeout order")
12JUN2017 - Victim-10 email from (Attachment:

In the case of Victim-1, firewall logs indicate that between August 8,  2016 and August 31, 2016, there were at least 3,639 communications between their organization and "" addresses hosted on an IP address in Russia.

Not all of the emails were the "customer wanting a quote" type.  On 21FEB2017, pen-testers working for the scheme sent emails purporting to be to Victim-2.  The email contained a Microsoft Word attachment and alleged that an important filing was due and that the details for the filing were in the attached document.

Sometimes the stolen information targeted not only the business accounts, but also the personal information of the victims.  One FIN7 member posted a Victim-2 employee's information to their JIRA server, showing screenshots from the employee's computer and including a text file with userids and passwords of their personal email account, LinkedIn account, and personal investment and banking accounts.

Once inside an organization, it was trivial for the FIN7 "pen-testers" to expand.  Some documents posted in JIRA included userids and passwords for more than 1,000 employees, and in the case of Victim 3, point-of-sale malware was planted on many cash register computers nationwide, including 33 locations just in the Western District of Washington.

Victim-8 had an associated JIRA "issue" posted that included screenshots and usernames and passwords for the point-of-sale software management solution used by their restaurant chain.   Hundreds of userids and passwords for employees in at least 798 different locations were also stolen from Victim-8 and posted in the JIRA server.

Kolpakov indictment
Andrey Kolpakov, aka santisimo, aka sanisimoz, aka AndreyKS, participated in the scheme from at least September 2015 until June 20, 2018.  In communications to and from Kolpakov, someone in the group referred to Fedir Hladyr and an individual still at large were the "main directors" of the group.  That other individual was also called the "chief manager" of the team.  Kolpakov was introduced to new recruits to the team as their supervisor.  Kolpakov and Dmytro Fedorov had discussions about how to trigger the phishing emails, and which file types would be most effective.  Kolpokov explained to Fedorov on 18SEP2017 that they now had a means to deploy a malware file without requiring the recipient to double-click on it.  Kolpakov's account on the JIRA server was frequently the one that uploaded stolen data in response to the "issues" created by Gladyr.  Many of the uploads mentioned in the Kolpakov indictment are about the particulars of exfiltrated files from password management systems, infrastructure management systems, and in one case an "employee only" web page that the team had altered to gather passwords. Team members regularly communicated on the JIRA server about recommendations for attack vectors to be used against targeted infrastructure.

Dmytro Fedorov Indictment
Dmytro Fedorov's account on the JIRA server was involved in technical exploitation details.  For example, in response to an "issue" created for Victim-7,  Fedorov posted the results of data created by network mapping tools, including IP addresses and network, that helped to explain to the team what addresses should be targeted for further exploitation.

According to his indictment, Fedorov "served as a high-level pen-tester (one tasked with finding vulnerabilities that an attacker may exploit) who managed other pen-testers responsible for breaching the security of victims' computer systems. He specifically created and managed "issues" on the FIN7 JIRA server related to intrusions of multiple companies, including Victim-7 (an automotive retail and repair chain) and Victim-9 (Sonic Drive-Ins).
Fedorov's communications on Jabber seem to indicate that he was controlling the data exfiltration panels associated with malware planted on victim company computers and point-of-sale terminals.  

Combi Security 

Although the current indictments only name ten victim companies, the documentation presented by the US Attorney's office makes it clear that more than 100 companies were attacked by FIN7 hackers working for Combi Security.

FIN7 Attacked at least 3600 locations of 100+ US businesses
If you wanted to have a team of the best hackers available, one option is recruiting people from the dark corners of the Internet, whose names and locations you may not know, and who may have been involved in every sort of trouble.  The other option would be to stand up a cyber security company with offices in Moscow and Haifa, Israel, and advertise for the best trained White Hat hackers to come work for your Penetration Testing (Pen-Testing) team.  FIN7 did the latter.  Using hackers who applied in their real name, showed credentials and certifications, and were in some cases formerly the employees of their respective governments, Combi Security told their hackers that they had been hired to hack various companies, and then those hackers got to work penetrating systems.

Job ads found on a Ukrainian job board indicate that Combi Security had between 21-80 employees.
Google-translation of the ad:

Combi Security is one of the leading international companies in the field of information security. Its headquarters are located in Moscow and Haifa.
We are a team of leading professionals in the field of information security for various organizations working around the world.Our main specialization is a comprehensive audit of projects of any complexity, the supply of software and hardware.
Our main mission is to ensure the security of your activities, minimize the risks of using information technology. Every appeal to us for help is considered with the utmost thoroughness on an individual basis, offering an optimal solution within the framework of the tasks set and the specific needs expressed. offered their website in Russian, English, and Hebrew:

Their "Contacts" page listed three addresses and telephone numbers:

  • Moscow , Presnenskaya naberezhnaya, 10, block C, tel. +7 (495) 3083827
  • Haifa , 15-A Palyam St. (36 HaAtzmaut St) tel. +9 (724) 6328732
  • Odessa , ul.Uspenskaya, 65 of office 23, 65011 phone. + 38 (048) 7002409
What services did they claim to provide?  Below is their "The Services" page (Google-translated to English), retrieved from's Wayback machine entry for

The services

A qualitatively working security service guarantees an indispensable stability in the operation of your technologies.
Thanks to the active assistance of our technical experts, all the irregularities in the operation of your devices will certainly be detected, analyzed and eliminated. With our professional support, the disrupted monitoring of the security system will turn into a stable process, managed in accordance with established principles and rules.
We provide services:
Penetration test (Pentest)
  • Technological penetration test.
    This penetration test is conducted to identify existing vulnerabilities in the elements of the IT infrastructure, practical demonstration of the possibility of using vulnerabilities (by the example of the most critical ones) and the formation of recommendations for the removal of identified vulnerabilities.
    A penetration test can be conducted for the perimeter of the corporate network (external test) and for internal resources (internal test). Work can be conducted with notification to administrators and users of the system under test, or without it. During internal testing, both the auditor's laptop and the customer's standard workplace can be used.
    In the testing process, both tools and manual analysis methods are used.
  • Socio-technical penetration test.
    This penetration test is conducted using social engineering techniques. The main purpose of the test is to identify the level of awareness of the Customer's personnel about the requirements for information security. In the process of testing, the response of users and personnel responsible for information security to the organizational methods of penetration used by attackers is determined.
    Methods of social engineering are often used by intruders and are directed, as a rule, to end users. As a result of a successful attack, an attacker can gain control over workstations, obtain confidential Customer documents, use the Customer's resources to organize attacks on the systems of other companies, send out spam, etc.
    The organizational aspects of information security are an important part of the protection system and, often, ordinary users are the weakest link. The given service will allow to reveal those organizational aspects of information security, on which the Customer should pay attention first of all.
    The results obtained during the provision of this service can form the basis for the development of the Security Awareness Program, which is maximally focused on the problem areas identified during the testing. This service can also be useful for checking the effectiveness of the current Customer Awareness Program.
  • Integrated penetration test.
    Complex penetration test is closest to the real actions of intruders. Using various technical and socio-engineering methods, auditors try to bypass existing protective mechanisms in order to fulfill the tasks set by the Customer (increasing privileges, gaining access to confidential information, modifying data from DBMS, etc.).
    During testing, the approaches described in the sections "Technological penetration test" and "Sociotechnical penetration test" are used, and the security of the customer's wireless networks is assessed.
The result of the work will be a report containing :
  • Methods of testing.
  • Conclusions for management, containing an overall assessment of the level of security.
  • Description of the identified deficiencies of the ISMS.
  • Description of the testing process with information on all identified vulnerabilities and the results of their operation.
  • Recommendations for the elimination of identified vulnerabilities.
Controlling the level of security
Due to the rapid detection of vulnerabilities and the introduction of changes to the network infrastructure, the results of a one-time verification of the level of security of the corporate network quickly lose their relevance. The need for new inspections arises after several months, and in companies with a dynamically developing IT infrastructure and a large-scale representation on the Internet, this period can be weeks or even days.
The emergence of new vulnerabilities, the change in the structure of the network perimeter, the modification of the settings of servers, network equipment and security equipment, all this requires in-depth analysis on the effect on the resistance to external unauthorized influences.
In this regard, Combi Security Company offers to your attention services aimed at constant monitoring of the state of information security. These include:

  • Monitoring the perimeter security of the corporate network
  • Designing and implementing a security management system
  • Development of corporate security policy
Evaluation of the level of security
Penetration testing works are aimed at overcoming existing protective mechanisms, but not at a deep assessment of the level of security of a specific information system or technology. The penetration approach of the black box analysis often prevents the auditor from detecting some vulnerabilities that are easily detected by other methods, for example, by analyzing firewall settings.
The work to assess the level of security is aimed at a deep assessment of one or another aspect of information security, or a comprehensive analysis of the entire ISMS in general.
Combi Security offers the following services to assess the level of security of various aspects of information security:

  • Integrated audit of information security
  • Assessing the security of Web applications
  • Analysis of application security on mobile platforms
  • Assessing the security of wireless networks
  • The effectiveness of the awareness-raising program in the field of information security
 Raising awareness of users
 Preparing for audit in accordance with international standards, for example ISO 27001
Consultations of experts in the field of it- security.
In addition to these services, sometimes there is a need for solving non-standard tasks. If you did not find something that will help you solve the problem before you, you can contact the experts of Combi Security. Perhaps our specialists have already dealt with similar problems.
Our company offers only those services that we can really carry out with very high quality, services where we can fully utilize the rich practical experience of our specialists.

Operation Wire Wire: the South Florida Cases Part 2

The Second South Florida case is linked to the first because this entire conspiracy also is part of the work of Roda Taher, AKA Ressi, AKA Rezi, the top recruiter in the first case.  However, in this 30 count indictment, the only one NOT named is Roda Taher.

Rezi recruited Eliot Pereira and Melissa Rios, below, who each in turn recruited others.

Defendant #1:  Eliot Pereira, b.1993 - opened "Eliot Products & Arts, Inc." and recruited and managed mules.
Defendant #2: Natalie Armona - opened "Armona Furniture Design Concept & Textile" and recruited and managed multiple mules and recruiters, including defendants #5, #8, #9, #10, and #12.
Defendant #3: Melissa Rios, b. 1996 - opened "Taihan Fiberoptics, Inc." and recruited #2
Defendant #4: Bryant Ortega, b. 1996 - opened "Bryant Tech Deals" and recruited and managed multiple mules, including Defendant #7. (4631 West 9th Court, Hialeah, FL 33012)
Defendant #5: Angelo Santa Cruz, b. 1994 - opened "ASC Worldwide, Inc" and recruited and managed multiple mules, including Defendants #6 & #11.
Defendant #6: Alexis Fernandez Cruz, b. 1992 - opened "Alexis Universal, Inc."
Defendant #7: Roberto Carlos Gracia, b. 1994 - opened RCG Deals, Inc.
Defendant #8: Jose E. Rivera, b. 1989 - opened Rivera Worldwide, Inc.
Defendant #9: Angeles De Jesus Angulo, b. 1996 - opened Angeles Premier Trades, Inc.
Defendant #10: Jennifer Ruiz, b. 1994 - opened Josette Quality, Inc.
Defendant #11: Yirielkys Pacheco Fernandez, b. 1984 - opened YF Nationwide, Inc.
Defendant #12: Sebastian Loayza, b. 1994 - opened Sure Trades, Inc.

This case starts off with a criminal complaint from the Miami office of the United States Secret Service.

It begins with his overview of the case, which is worth quoting here:

"Federal law enforcement agents have been investigating numerous business email compromise and spear phishing scams wherein various fraudsters targeted employees with access to company finances and tricked them into making wire transfers to bank accounts thought to belong to trusted partners -- except in fact, the accounts were shell companies controlled by the fraudsters.

Different people played different roles in the scheme.  Some of the co-conspirators hacked into and took control over certain victim companies' business email accounts without the knowledge or consent of the true email account holders, or created email accounts similar to, but slightly different from, real business email accounts.  Using the sham or compromised email accounts, the fraudsters then sent emails soliciting payments, claiming that funds were owed, and representing that payments for services rendered by the victim companies should be redirected to different accounts.

Other co-conspirators, known as money mules, opened shell companies and bank accounts into which the funds were fraudulently transferred, and then withdrew the fraud proceeds in cash, or wired the fraud proceeds into their foreign and domestic bank accounts.  Several money mules progressed to recruiting and managing other mules."

Natalie Armona may have been a good choice for Melissa to recruit based on her work.  Here's a Facebook post of hers from last year!  But by the dates, she had been in the money mule business quite a while before landing this job as a Junior Processor at a lending firm.

Armona's TD Bank account 

The complaint begins by telling the story of Natalie ARMONA, who opened a business, Armona Furniture Design Concept & Textile Inc., incorporating the business in Florida using her home address and opening a business checking account at TD Bank.  She was the sole signatory, and used her true social security number on the account.  The account was opened on December 9, 2106 and received its first wire December 14, 2016, from a scammed medical center (Victim Company A).  After taking out her commission in cash ($5,500) using her true Florida drivers license number as identity confirmation, Armona wired the rest of the money to "Flame Land International Limited" in Hong Kong.

On December 21, 2016, Armona's TD Bank account received an ACH for $724,395. Armona again paid herself first, withdrawing $10,508 in person.  Three wires went out.  $288,301 to "Caplan Sp Zoo" in Warszawa, Poland.  $194,110 to the same.  $94,218 to "Baolifeng Intl Trading Limited" in Shenzhen, China.  Armona paid herself twice more, once for $5,500 and once for $9400.  On December 27, 2016, she dipped three more times, for $800, $3800, and $9900.

Armona's SunTrust Bank account 

On December 9, 2016, Armona Furniture opened a SunTrust Bank account.  On December 30th she got an inbound ACH of $35,170 from a Pennsylvania sign company.  Also on December 30th, she got an incoming wire from Kukutula Development Company LLC in Koloa, Hawaii in the amount of $59,850.  On January 3, 2017, Armona withdrew $35,170.  On January 13, 2017, SunTrust closed the account for fraud with a balance of $59,850.

ASC WorldWide

A collaborating witness told the Miami Electronic Crimes Task Force that he had been recruited by Armona and had opened a shell company in the name ASC WorldWide, with accounts at TD Bank and Suntrust Bank.  Among other activities, he used email-based scams to cause $80,000 to be wired.

After a few successful jobs, the suspect said that Armona told him he could earn extra money by recruiting others into the scam.  He agreed to allow the USSS to record his emails, phone calls, and any text or WhatsApp communications involving others in the scheme.

The Ortega Case 

Although Bryant is not credited with recruiting Natalie Armona, the two are Facebook friends.  Bryant's profile also suggests that he may have had access to Personal Information, as an agent at a Health Insurance organization.  His cover photo indicates he's a fan of money!

The same USSS agent who did Armona's case also swore out the affidavit of criminal complaint against Bryant Ortega.  Ortega opened a TD Bank account for his new corporation, Bryant Tech Deals, which matched his home address of 2160 NW 111 Avenue, Sunrise, Florida 33322.  Bryant Tech Deals also opened a SunTrust account.  Both accounts were opened on February 13, 2017 and on March 6, 2017 the SunTrust account received an inbound wire of $283,750.50.  On March 7th, three withdrawals were made.  $500 from an ATM, $5600 over-the-counter, and $8400, also over-the-counter.  Ortega's true Florida drivers license was shown as proof of identify for the in-person withdrawals. Also on March 7, 2017, $94,110 was wired to "Huge Elite Limited" in Shanghai, China. After paying himself three more times the following day ($400 ATM, $800 at the counter, and $6200 at the counter), another wire of $128,705 went to Huge Elite Limited.  On March 9, 2017, an additional  $33,000 was wired out to "Lofty Ease Limited" in Shanghai, China.
(Ortega was arrested Jan 25, 2018)

The Pereira Case 

The third case, Feb 23, 2018, has an affidavit from Miami's FBI office from an agent who previously served as a Computer Scientist in the Philadelphia office! Pereira ran several schemes against companies by impersonating their officers, including Fakhoury Law Group (Troy, Michigan), High Tech Lending (San Diego, California), Gaumer Company (Houston, Texas), Park Corporation (Cleveland, Ohio), and Zija International (Lehi, Utah.)  Each of those companies received fraudulent emails, claiming to be from an executive of their own company, ordering that wires be sent to accounts controlled by "OS Fly Tech Incorporated."   Pereira hired an unnamed middle man to set up additional corporate accounts at Bank of America, Wells Fargo, SunTrust Bank, and Regions Bank.  The Middleman says that Pereira was working with an unknown male who he called "Rezi."  This would be the same person that Cynthia Rodriguez was working for (see Operation Wire Wire: The South Florida Cases, Part 1) Roda Taher.  Pereira and Rezi gave one of their mules an email to use.

As shown above, nearly $1M in wires were sent to company accounts at Bank of America, SunTrust Bank,  TD Bank, and Wells Fargo Bank in September and October of 2016.  Pereira and his middleman communicated through WhatsApp and Email.  (954.554.5501 / / )

The Big Picture 

Roda Taher, AKA Ressi, AKA Rezi, was the manager and supervisor of a criminal organization in the Southern District of Florida and elsewhere.  He recruited all of the defendants in this case, encouraged them to open shell accounts and receive illegally transferred funds, some of which they directly wired to China, Poland, and elsewhere.

The case involves 30 distinct financial transactions:
202SEP2016Eliot Pereira$89,630 from OS Fly Tech's Wells Fargo account to China
330NOV2016Melissa Rios$13,844 from Tiahan Fiberoptics Inc's TD Bank account to Huzhou Nanmei Textile
423DEC2016Natalie Armona$288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
423DEC2016Natalie Armona$194,110 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
523DEC2016Natalie Armona$288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
623DEC2016Natalie Armona$94,218 from Armona Furniture's TD Bank account to Baolifeng Intl. Trading Limited in Shenzhen China
712JAN2017Natalie Armona$44,618 from Armona Furniture's TD Bank account to Hangzhou Jieenda Textile Co Ltd in China
807MAR2017Bryant Ortega$94,110 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
908MAR2017Bryant Ortega$128,705 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
1008MAR2017Bryant Ortega$6,200 from Bryant Tech Deal's SunTrust account
1128MAR2017Bryant Ortega$179,302 from Bryant Tech Deal's SunTrust account to Lofty Ease Limited in Shanghai, China
1214APR2017Roberto Carlos Garcia$3,500 from RCG Deals Inc's Bank of America account
1317APR2017Roberto Carlos Garcia$112,000 from RCG Deals Inc's Bank of America account to KT and G Corp
1417APR2017Roberto Carlos Garcia$7,000 from RCG Deals Inc's Bank of America account
1517APR2017Roberto Carlos Garcia$3,000 from RCG Deals Inc's Bank of America account
1628APR2017Jennifer Ruiz$39,841 from Josette Quality Inc's TD Bank account to Huzhou Nanmei Textile Co. Ltd.
1728APR2017Jennifer Ruiz$3,400 from Josette Quality Inc's TD Bank account
1804MAY2017Roberto Carlos Garcia$100 from RCG Deals Inc's Bank of America account
1926OCT2017Angelo Santa Cruz$88,950 from ASC Worldwide's Chase Bank account to Niche Holding Ltd.
2026OCT2017Angelo Santa Cruz$7,000 from ASC Worldwide's Chase Bank account
2101NOV2017Alexis Fernandez Cruz$8,600 from Alexis Universal Inc's TD Bank account
2207NOV2017Angelo Santa Cruz$96,500 from ASC Worldwide's TD Bank account to Zhejiang Oudi Machine Co. Ltd.
2307NOV2017Angelo Santa Cruz$8,500 from ASC Worldwide's TD Bank account
2409NOV2017Alexis Fernandez Cruz$8,500 from Alexis Universal Inc's SunTrust Bank account
2521NOV2017Yirielkys Pacheco Fernandez$34,810 from YF Nationwide Inc's Chase Bank account to Nantong Gomaa International Co. Ltd.
2606DEC2017Yirielkys Pacheco Fernandez$88,528 from YF Nationwide Inc's Chase Bank account
2730NOV2017Jose E. Rivera$54,210 from Rivera Worldwide Inc's Bank of America account to Zhejiang Senhuang Trading in Zhejiang, China
2830NOV2017Jose E. Rivera$6,100 from Rivera Worldwide Inc's Bank of America account
2903JAN2018Angeles De Jesus Angulo$79,400 from Angeles Premier Trades Inc's Wells Fargo Bank account to Farstar International Ltd
3003JAN2018Angeles De Jesus Angulo$8,600 from Angeles Premier Trades Inc's Wells Fargo Bank account

Altogether, this group is charged with laundering more than $5,000,000.

The case is scheduled to be heard in Jury Trial beginning on June 25, 2018 before Judge Marcia G. Cooke in Miami, Florida.

Tomorrow (June 13, 2018) two of the defendants are meeting to change their plea.  Jennifer Ruiz and Yirielkys Pacheco Fernandez have decided they may not want the 20 year sentence that all of them are facing as part of a conspiracy to commit money laundering at this level!

Hector ‘Sabu’ Monsegur to be sentenced while Hammond sits in prison

A common cry in Anonymous circles is ‘Free Jeremy Hammond; Fuck Sabu’. Jeremy Hammond is currently serving a ten-year prison sentence for his involvement in the Stratfor hack. Sabu (real name Hector Xavier Monsegur) will be sentenced tomorrow for his role in Lulzsec and many other hacks. He is expected, on FBI request, to walk […]

FBI indicts five members of the Chinese military for hacking US companies

Eric Holder yesterday announced: “Today, we are announcing an indictment against five officers of the Chinese People’s Liberation Army for serious cybersecurity breaches against six American victim entities.” The five officers are known by the aliases UglyGorilla, Jack Sun, Lao Wen, hzy_1hx and KandyGoo. They are members of the PLA’s military unit 61398 (you may […]

Worldwide crackdown on BlackShades RAT users

First official indications emerged at the Reuters Cybersecurity Summit (although there have been rumblings in hacker circles for a couple of weeks now). This was last Wednesday. The FBI executive assistant director Robert Anderson, appointed in March to oversee ‘all FBI criminal and cyber investigations worldwide, international operations, critical incident response, and victim assistance’, announced: […]