Category Archives: Scams

Criminal groups promising salaries averaging $360,000 per year to accomplices

New research from Digital Shadows reveals that criminal groups are promising salaries averaging the equivalent of $360,000 per year to accomplices who can help them target high-worth individuals, such as company executives, lawyers and doctors with extortion scams. These salary promises can be higher still for those with network management, penetration testing and programming skills – with one threat actor willing to pay the equivalent of $768,000 per year, with add-ons and a final salary … More

The post Criminal groups promising salaries averaging $360,000 per year to accomplices appeared first on Help Net Security.

Historical OSINT – Profiling a Portfolio of Fake Visa Application Scam Domains

It's been a while since I last posted a quality update profiling a versatile currently circulating malicious and fraudulent spam campaign profiling and highlighting the fraudulent and malicious activities of the cybercriminals behind the campaign. In this post I'll profile a currently circulating Fake Visa Application fraudulent campaign enticing users into submitting their personal details for

Historical OSINT – Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated Software

In a cybercrime-ecosystem dominated by fraudulent and malicious releases cybercriminals continue relying on fraudulent and potentially-malicious affiliate-based type of revenue-sharing schemes for the purpose of serving fraudulent and malicious software to thousands of unsuspecting users including OEM-powered pirated software to millions of users globally. In this post I'll profile a currently 

Historical OSINT – Profiling a Typosquatted Facebook and Twitter Impersonating Fraudulent and Malicious Domains Portfolio

With cybercriminals continuing to populate the cybercrime ecosystem with hundreds of malicious released including a variety of typosquatted domains it shouldn't be surprising that hundreds of thousands of users continue falling victim to fraudulent and malicious malware and exploits serving schemes. In this post I'll profile a currently active fraudulent and malicious typosquatted domain

Historical OSINT – Global Postal Express Re-Shipping Mule Recruitment Scam Spotted in the Wild

Continuing the series of post detailing the activities of currently circulating malicious and fraudulent spam campaigns successfully targeting potential money mule recruiters I've recently came across to Global Postal Express which basically: "We Provide best in service global logistics through our people by building lasting relationships with the commitment to prioritize our customer needs to

Historical OSINT – Re-Shipping Money Mule Recruitment “Your Shipping Panel LLC” Scam Domain Portfolio Spotted in the Wild

The time has come to profile a recently intercepted and currently active malicious and fraudulent re-shipping money mule recruitment fraudulent campaign successfully enticing users into interacting with the rogue and bogus content potentially risk-forwarding the risk of the fraudulent transaction to the unsuspecting user. Sample malicious URL: hxxp://yourshippingpanel.com Sample Mailing

Using Gmail "Dot Addresses" to Commit Fraud

In Gmail addresses, the dots don't matter. The account "bruceschneier@gmail.com" maps to the exact same address as "bruce.schneier@gmail.com" and "b.r.u.c.e.schneier@gmail.com" -- and so on. (Note: I own none of those addresses, if they are actually valid.)

This fact can be used to commit fraud:

Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:

  • Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
  • Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
  • File 13 fraudulent tax returns with an online tax filing service
  • Submit 12 change of address requests with the US Postal Service
  • Submit 11 fraudulent Social Security benefit applications
  • Apply for unemployment benefits under nine identities in a large US state
  • Submit applications for FEMA disaster assistance under three identities

In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.

This isn't a new trick. It has been previously documented as a way to trick Netflix users.

News article.

Slashdot thread.

Email authentication use growing steadily in every industry sector

U.S. federal government agencies and many major enterprises have made significant strides to thwart the spread of fake emails, a major cybersecurity attack vector. But many organizations remain susceptible because they’re still not using readily available open standards-based technologies that prevent these fakes from reaching end-user inboxes. Valimail’s “Email Fraud Landscape, Q4 2018” indicates that the fight against fake email is advancing around the world — but email fraud remains a widespread and pernicious problem. … More

The post Email authentication use growing steadily in every industry sector appeared first on Help Net Security.

Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate

Account takeover-based (ATO) attacks now comprise 20 percent of advanced email attacks, according to Agari’s Q1 2019 Email Fraud & Identity Deception Trends report. ATO attacks are dangerous because they are more difficult to detect than traditional attacks – compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account. “Credential phishing was already a huge risk for organizations because of the potential for data … More

The post Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate appeared first on Help Net Security.

83% of global respondents experienced phishing attacks in 2018

Proofpoint analyzed data from tens of millions of simulated phishing attacks sent over a one-year period, along with nearly 15,000 cybersecurity professional survey responses, to provide an in-depth look at state of global phishing attacks. Overall, 83 percent of global infosecurity respondents experienced phishing attacks in 2018, up from 76 percent in 2017, and nearly 60 percent saw an increase in employee detection following security awareness training. In addition, more organizations were affected by all … More

The post 83% of global respondents experienced phishing attacks in 2018 appeared first on Help Net Security.

Microsoft remains the most impersonated brand, Netflix phishing spikes

Although Microsoft remains the top target for phishers, Netflix saw an incredible surge in Dec., making it the second most impersonated brand in Q4 2018, according to Vade Secure. Microsoft remains the #1 impersonated brand, receiving more than 2.3 times the number of phishing URLs than Netflix. One credential can provide hackers with a single entry point to all of the apps under the Office 365 platform—as well as the files, data, contacts, etc. stored … More

The post Microsoft remains the most impersonated brand, Netflix phishing spikes appeared first on Help Net Security.

A week in security (December 31, 2018 – January 6, 2019)

Last week on Labs, we looked back at 2018 as the year of data breaches, homed in on pre-installed malware on mobile devices, and profiled a malicious duo, Vidar and GandCrab.

Other cybersecurity news

  • 2019’s first data breach: It took less than 24 hours. An unauthorized third-party downloaded 30,000 details of Australian public servants in Victoria. It was believed that a government employee was phished prior to the breach. (Source: CBR Online)
  • Dark Overlord hackers release alleged 9/11 lawsuit documents. The hacker group known as The Dark Overlord (TDO) targeted law firms and banks related to the 9/11 attack. TDO has a history of releasing stolen information after receiving payment for its extortions. (Source: Sophos’ Naked Security Blog)
  • Data of 2.4 million Blur password manager users left exposed online. 2.4 million users of the password manager, Blur, were affected by a data breach that happened in mid-December of last year and publicly revealed on New Year’s Eve. No passwords stored in the managers were exposed. (Source: ZDNet)
  • Hacker leaked data on Angela Merkel and hundreds of German lawmakers. A hacker leaked sensitive information, which includes email addresses and phone numbers, of Angela Merkel, senior German lawmakers, and other political figures on Twitter. The account was suspended following this incident. (Source: TechCrunch)
  • Hackers seize dormant Twitter accounts to push terrorist propaganda. Dormant Twitter accounts are being hacked and used to further push terrorist propaganda via the platform. It’s easy for these hackers to guess the email addresses of these accounts since Twitter, by default, reveals partly-concealed addresses which clue them in. (Source: Engadget)
  • MobSTSPY spyware weaseled its way into Google Play. Another spyware app made its way into Google Play and onto the mobile devices of thousands of users. The malware steals SMS messages, call logs, contact lists, and other files. (Source: SC Magazine UK)
  • Apple phone phishing scams getting better. A new phone-based scam targeting iPhone users was perceived to likely fool many because the scammer’s fake call is lumped together with a record of legitimate calls from Apple Support. (Source: KrebsOnSecurity)
  • Staying relevant in an increasingly cyber world. Small- to medium-sized businesses may not have the upper hand when it comes to hiring people with talent in cybersecurity, but this shouldn’t be an organization’s main focus. Dr. Kevin Harris, program director of cybersecurity for the American Military University, advised that employers must focus on giving all their employees “cyber skills.” (Source: Federal News Network)
  • Adobe issues emergency patch following December miss. Adobe released an out-of-band patch to address critical vulnerabilities in Acrobat and Reader. (Source: Dark Reading)

Stay safe, everyone!

The post A week in security (December 31, 2018 – January 6, 2019) appeared first on Malwarebytes Labs.

126 Arrests: The Emergence of India’s Cyber Crime Detectives Fighting Call Center Scams

The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

 The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

Times of India photo 


Noida police have been cooperating very well with international authorities, as well as Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63.  (In a case just last month, another call center was said to have stolen from 300 victims, after using online job sites Shine.com and VintechJobs.com to recruit young money seekers by having them work conducting the scams. )

In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

 Go to Tweet
Noida police are advancing in their Cyber Crime skills!

As more and more cyber crime enterprises spring up in India, the assistance of their new Centers for Cyber Crime Investigation thtat are becoming more critical to stopping fraud against Americans:

We applaud the Center for Cyber Crime Investigation in Noida


The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

US Embassy to India thanks the Noida and Gurgaon Police for their help!
Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region] had more details of this trend, including this graphic:


That's at least 50 call centers shutdown just in these two regions, but with this weeks' 126 arrests being the culmination of an on-going investigation, receiving data from both the FBI and Microsoft.

Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

During that same two day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It"
Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 Billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

Madan Ballal, Thane Crime Branch, outside Mumbai
Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!



Historical OSINT – Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns. Related malicious and fraudulent emails known to have participated in the

"Faster payment" scam is not quite what it seems

I see a lot of "fake boss" fraud emails in my day job, but it's rare that I see them sent to my personal email address. These four emails all look like fake boss fraud emails, but there's something more going on here. From:    Ravi [Redacted] Reply-To:    Ravi [Redacted] To:    accounts@victimdomain.com Date:    23 February 2018 at 12:02

Bogus porn blackmail attempt from adulthehappytimes.com

This blackmail attempt is completely bogus, sent from a server belonging to the adulthehappytimes.com domain. From:    Hannah Taylor [bill@adulthehappytimes.com] Reply-To:    bill@adulthehappytimes.com To:    contact@victimdomail.tld Date:    31 October 2017 at 15:06 Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life Signed

Scam: "Help Your Child To Be A Professional Footballer." / info@champ-footballacademyagency.co.uk

This spam email is a scam: Subject:       Help Your Child To Be A Professional Footballer.From:       "FC Academy" [csa@sargas-tm.eu]Date:       Sun, October 8, 2017 10:30 amTo:       "Recipients" [fcsa@sargas-tm.eu]Priority:       NormalHello,Does your child desire to become a professional footballer?Our football academy are currently scouting for young football player to participate in 3-6

3 Rules for Cyber Monday


3 Rules for Cyber Monday


It’s nearly here again folks, and the clues are all there: planning the office Christmas party, your boss humming Rudolph the Red Nosed Reindeer and an armada of Amazon packages arriving.

Which brings me nicely to the topic of this blog: online shopping at work.

It’s official; we are ‘in love’ with online shopping. At this time of the year, it’s harder to resist temptation. Retailers conjure up special shopping events like Black Friday and Cyber Monday - all aimed at getting us to part with our hard earned cash. While online retailers rub their hands in anticipation of December 1st, for companies without proper web security, the online shopping season could turn out to be the nightmare before Christmas.

In a recent survey by RetailMeNot, a digital coupon provider, 86 percent of working consumers admitted that they planned to spend at least some time shopping or browsing online for gifts during working hours on Cyber Monday. That equates to a whole lot of lost productivity and unnecessary pressure on your bandwidth.

To help prevent distraction and clogged bandwidth, I know of one customer, I’m sure there are others, who is allowing his employees time to shop from their desks in their lunch breaks. He’s a smart man - productivity stays high and employees happy.

But productivity isn’t the only concern for the IT department – cyber criminals are out in force at this time of year, trying to take advantage of big hearts and open wallets with spam and phishing emails. One click on a seemingly innocent link could take your entire network down.

To keep such bad tidings at bay, here’s a web security checklist to ensure your holiday season is filled with cheer not fear.

1.  Flexible Filtering. Set time quotas to allow online shopping access at lunchtimes, or outside of core hours. Whatever you decide is reasonable, make sure your employees are kept in the loop about what you classify as acceptable usage and communicate this through an Acceptable Usage Policy.

2.  Invest in Anti-malware and Anti-spam Controls. As inboxes start to fill with special offer emails, it gets more difficult to differentiate between legitimate emails and spam. These controls will go some way towards separating the wheat from the chaff.

3.  Issue Safety Advice to Your Employees. Ask employees to check the legitimacy of a site before purchasing anything. The locked padlock symbol indicates that the purchase is encrypted and secure. In addition, brief them to be alert for phishing scams and not to open emails, or click on links from unknown contacts.