Blog 

Even the Scammers get Scammed!

Ha ha! I guess it is true there is no honor among thieves! In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says.

Serves them right...

-Stu

 

 

https://www.wired.com/story/cybercrime-hackers-scams-forums/

 

 

Scammers Are Scamming Other Scammers Out of Millions of Dollars

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

 

 

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

 

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

 

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

 

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

 

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

 

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

 

 

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says.

 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game Axie Infinity. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

 

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

 

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

 

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.
 

 

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

 

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

 

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

 

 

Created byStu Wise · Dec 8, 2022 ·  0 ·  0 · open 

Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme

The important things to get out of this:

 

1. Make sure you access RDP login only after passing a VPN credential challenge.

 

2. Make sure to block those SPAM emails from your user community so they don't get sucked in to handing over credentials, or inadvertently running keylogger programs on their workstation.
 

 

3. Although they compromised one big player VPN server appliance there are thousands of others that aren't.
 

-Stu

 

 

The top three most popular intrusion methods include unsecured RDP endpoints, email phishing, and the exploitation of corporate VPN appliances.

 

RDP — number one on the list

 At the top of this list, we have the Remote Desktop Protocol (RDP). Reports from CovewareEmsisoft, and Recorded Future clearly put RDP as the most popular intrusion vector and the source of most ransomware incidents in 2020.

 

"Today, RDP is regarded as the single biggest attack vector for ransomware," cyber-security firm Emsisoft said last month, as part of a guide on securing RDP endpoints against ransomware gangs.

 

Statistics from Coveware, a company that provides ransomware incident response and ransom negotiation services, also sustain this assessment; with the company firmly ranking RDP as the most popular entry point for the ransomware incidents it investigated this year.

 

Further, data from threat intelligence company Recorded Future, also puts RDP firmly at the top.

 

"Remote Desktop Protocol (RDP) is currently by a wide margin, the most common attack vector used by threat actors to gain access to Windows computers and install ransomware and other malware," Recorded Future threat intel analyst Allan Liska wrote in a report published last week about the danger of ransomware to the US election infrastructure.

 

Some might think that RDP is today's top intrusion vector for ransomware gangs because of the current work-from-home setups that many companies have adopted; however, this is wrong and innacurate.

 

RDP has been the top intrusion vector for ransomware gangs since last year when ransomware gangs have stopped targeting home consumers and moved en-masse towards targeting companies instead.

 

RDP is today's top technology for connecting to remote systems and there are millions of computers with RDP ports exposed online, which makes RDP a huge attack vector to all sorts of cyber-criminals, not just ransomware gangs.

 

 

Today, we have cybercrime groups specialized in scanning the internet for RDP endpoints, and then carrying out brute-force attacks against these systems, in attempts to guess their respective credentials.

 

Systems that use weak username and password combos are compromised and then put up for sale on so-called "RDP shops," from where they're bought by various cybercrime groups.

 

RDP shops have been around for years, and they are not something new.

 

However, as ransomware groups migrated from targeting home consumers to enterprises last year, ransomware gangs found a readily available pool of vulnerable RDP systems on these shops -- a match made in heaven.

 

Today, ransomware gangs are the biggest clients of RDP shops, and some shop operators have even shut down their shops to work with ransomware gangs exclusively, or have become customers of Ransomware-as-a-Service (RaaS) portals to monetize their collection of hacked RDP systems themselves.

 


VPN appliances — the new RDPs

 

But 2020 has also seen the rise of another major ransomware intrusion vector, namely the use of VPN and other similar network appliances to enter corporate networks.

 

Since the summer of 2019, multiple severe vulnerabilities have been disclosed in VPN appliances from today's top companies, including Pulse Secure, Palo Alto Networks, Fortinet, Citrix, Secureworks, and F5.

 

Once proof-of-concept exploit code became public for any of these vulnerabilities, hacker groups began exploiting the bugs to gain access to corporate networks. What hackers did with this access varied, depending on each group's specialization.

 

Some groups engaged in nation-level cyber-espionage, some groups engaged in financial crime and IP theft, while other groups took the "RDP shops" approach and re-sold access to other gangs.

 

While some sparse ransomware incidents using this vector were reported last year, it was in 2020 when we've seen an increasing number of ransomware groups use hacked VPN appliances as the entry point into corporate networks.

 

Over the course of 2020, VPNs quickly rose as the hot new attack vector among ransomware gangs, with Citrix network gateways and Pulse Secure VPN servers being their favorite targets, according to a report published last week by SenseCy.

 

Per SenseCy, gangs like REvil (Sodinokibi), Ragnarok, DoppelPaymer, Maze, CLOP, and Nefilim have been seen using Citrix systems vulnerable to bug CVE-2019-19781 as an entry point for their attacks.Similarly, SenseCy says ransomware groups like REvil and Black Kingdom have leveraged Pulse Secure VPNs that have not been patched for bug CVE-2019-11510 to attack their targets.

 

 

Per Recorded Future, the latest entry on this list is the NetWalker gang, which appears to have started targeting Pulse Secure systems to deployt their payloads on corporate or government networks where these systems might be installed.

 

 

With a small cottage industry developing around hacked RDPs and VPNs on the cybercrime underground, and with tens of cyber-security firms and experts constantly reminding everyone about patching and securing these systems, companies have no more excuses about getting hacked via these vectors.

 

It's one thing to have an employee fall victim to a cleverly disguise spear-phishing email, and it's another thing not patching your VPN or networking equipment for more than a year, or using admin/admin as your RDP credentials.

 

 

 

 

 

 

 

 

 

Created byStu Wise · Aug 3, 2022 ·  0 ·  0 · open 

The new silent majority: People who don't tweet

Interesting news.

  • PEW showing the vast majority of people DON'T use Twitter.
  • Nielsen Media Research data showing although Fox News is the top rated news, 99% of people don't watch it.
  • CNN has worse numbers..CNN was in last place in total viewers
  • More people donated to charities than to political parties.

-Stu

 

from https://www.axios.com/political-polarization-twitter-cable-news-ac9699c6-260d-4141-b511-5c7193566ea1.html

Most people you meet in everyday life — at work, in the neighborhood — are decent and normal. Even nice. But hit Twitter or watch the news, and you'd think we were all nuts and nasty. 

 

Why it matters: The rising power and prominence of the nation's loudest, meanest voices obscures what most of us personally experience: Most people are sane and generous — and too busy to tweet. 

 

Reality check: It turns out, you're right. We dug into the data and found that, in fact, most Americans are friendly, donate time or money, and would help you shovel your snow. They are busy, normal and mostly silent.

  • These aren't the people with big Twitter followings or cable-news contracts — and they don't try to pick fights at school board meetings.
  • So the people who get the clicks and the coverage distort our true reality. 

 

Three stats we find reassuring:

  1.  75% of people in the U.S. never tweet.
  2. On an average weeknight in January, just 1% of U.S. adults watched primetime Fox News (2.2 million). 0.5% tuned into MSNBC (1.15 million).
  3. Nearly three times more Americans (56%) donated to charities during the pandemic than typically give money to politicians and parties (21%).
Created byStu Wise · Mar 9, 2022 ·  0 ·  0 · open 

Printers Add Secret Tracking Dots

Looks like only B&W printers might be safe? -Stu

 

Experts discovered something of interest: yellow dots in a roughly rectangular pattern repeated throughout pages printed on color printers. These yellow dots, magnified 60 times, were found on a Xerox printout. (Credit: Electronic Frontier Foundation)

 

 

Here they are on an actual printed document.



They were barely visible to the naked eye, but formed a coded design. They show up better under a blue led light.  After some quick analysis, they seemed to reveal the exact date and time that the pages in question were printed: 06:20 on 9 May, 2017 – at least, this is likely to be the time on the printer’s internal clock at that moment. The dots also encode a serial number for the printer.

The Electronic Frontier Foundation (EFF) maintains a list of colour printers known to use them. The images below, captured by the EFF, demonstrate how to decode them:




A statement from Electronic Freedom Foundation sums it up well:

Some of the documents that we previously received through FOIA suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable. Although we still don't know if this is correct, or how subsequent generations of forensic tracking technologies might work, it is probably safest to assume that all modern color laser printers do include some form of tracking information that associates documents with the printer's serial number.

(Added 2017) REMINDER:
IT APPEARS LIKELY THAT ALL RECENT COMMERCIAL COLOR LASER PRINTERS PRINT SOME KIND OF FORENSIC TRACKING CODES, NOT NECESSARILY USING YELLOW DOTS. THIS IS TRUE WHETHER OR NOT THOSE CODES ARE VISIBLE TO THE EYE AND WHETHER OR NOT THE PRINTER MODELS ARE LISTED HERE.


This is a partial list of printers that do this. Is yours on here?

brand       model
Brother    HL-4200CN
Brother    HL-2700CN
Canon    Imageclass MF8170C
Canon    Color Laser Copier 1150
Canon    Color imageRUNNER C3220
Canon    Color imageRUNNER C3200N
Canon    Color imageRUNNER C3200
Canon    Color imageRUNNER C3100CN
Canon    Color imageRUNNER C2570
Canon    CLC-iR 3200-C1
Canon    CLC 5000+
Canon    CLC 4000
Canon    CLC 3002
Canon    CLC 2400
Canon    CLC 1000
Dell    5100CN
Dell    3100CN
Dell    3000CN
Epson    AcuLaser C900
Epson    AcuLaser C4000
Epson    AcuLaser C3000
Epson    AcuLaser C1900
Epson    AcuLaser C1500
Epson    AcuLaser C1100
Hewlett-Packard    Color LaserJET 9500MFP
Hewlett-Packard    Color LaserJET 9500HDN
Hewlett-Packard    Color LaserJET 9500
Hewlett-Packard    Color LaserJET 5550DTN
Hewlett-Packard    Color LaserJET 5550DN
Hewlett-Packard    Color LaserJET 5550
Hewlett-Packard    Color LaserJET 5500HDN
Hewlett-Packard    Color LaserJET 5500DN
Hewlett-Packard    Color LaserJET 5500ATN
Hewlett-Packard    Color LaserJET 5500
Hewlett-Packard    Color LaserJET 5100CN
Hewlett-Packard    Color LaserJET 4700DTN
Hewlett-Packard    Color LaserJET 4700DN
Hewlett-Packard    Color LaserJET 4700
Hewlett-Packard    Color LaserJET 4650DTN
Hewlett-Packard    Color LaserJET 4650DN
Hewlett-Packard    Color LaserJET 4650
Hewlett-Packard    Color LaserJET 4600N
Hewlett-Packard    Color LaserJET 4600HDN
Hewlett-Packard    Color LaserJET 4600DN
Hewlett-Packard    Color LaserJET 4600
Hewlett-Packard    Color LaserJET 3700N
Hewlett-Packard    Color LaserJET 3700DN
Hewlett-Packard    Color LaserJET 3700
Hewlett-Packard    Color LaserJET 3600DN
Hewlett-Packard    Color LaserJET 3550
Hewlett-Packard    Color LaserJET 3500
Hewlett-Packard    Color LaserJET 2840
Hewlett-Packard    Color LaserJET 2700N
Hewlett-Packard    Color LaserJET 2680
Hewlett-Packard    Color LaserJET 2600N
Hewlett-Packard    Color LaserJET 2550N
Hewlett-Packard    Color LaserJET 2550L
Hewlett-Packard    Color LaserJET 2550
Hewlett-Packard    Color LaserJET 2500N
Hewlett-Packard    Color LaserJET 2500L
Hewlett-Packard    Color LaserJET 2500
Hewlett-Packard    Color LaserJET 1600
Hewlett-Packard    Color LaserJET 1550L
IBM    Infoprint Color 1464 PS3
Konica    Magicolor 7300
Konica    Magicolor 5450
Konica    Magicolor 3300
Konica    Magicolor 3100
Konica    Magicolor 2450
Konica    Magicolor 2430 DL
Konica    Magicolor 2400 W
Konica    Magicolor 2350 EN
Konica    Magicolor 2350
Konica    Magicolor 2300 W
Konica    Magicolor 2300 DL
Konica    Magicolor 2210
Konica    Magicolor 2200 DL
Konica    Ikon CPP500E
Konica    Colorforce 8050
Konica    Colorforce 1501
Konica    Bizhub C350
Konica    Bizhub C252
Kyocera    Mita KM-C2230
Kyocera    FS-C8008
Kyocera    FS-C5030N
Kyocera    FS-C5020N
Kyocera    FS-C5016N
Kyocera    C2630D
Lexmark    C912
Lexmark    C910
Lexmark    C760
Lexmark    C752N
Lexmark    C752
Lexmark    C510
Panasonic    Workio KXCL-500
Ricoh    Infotec/Danka ISC 2838
Ricoh    AP 206
Ricoh    Aficio CL 7000
Ricoh    Aficio CL 6010
Ricoh    Aficio CL 3000E
Ricoh    Aficio CL 3000
Ricoh    Aficio CL 2000
Ricoh    Aficio 1232C
Ricoh    Aficio 1224C
Samsung    CLP35
Samsung    C3210
Toshiba    FC70
Toshiba    FC25Pi
Toshiba    FC25P
Toshiba    FC22i
Toshiba    FC22
Toshiba    FC15i
Toshiba    FC15
Toshiba    eStudio 3511
Toshiba    eStudio 311c
Toshiba    eStudio 310c
Toshiba    eStudio 3100c
Toshiba    eStudio 211c
Toshiba    eStudio 210c
Toshiba    eStudio 2100c
Xerox    WorkCentre M24
Xerox    Phaser 790
Xerox    DocuColor 6060
Xerox    DocuColor 5252
Xerox    DocuColor 40
Xerox    DocuColor 3535
Xerox    DocuColor 2240
Xerox    DocuColor 2045
Xerox    DocuColor 2000
Xerox    DocuColor 1632
Xerox    DocuColor 1521
Xerox    DocuColor 12
Xerox    WorkCentre Pro (all
 

Created byStu Wise · Jan 2, 2022 ·  0 ·  0 · open 

What does each messaging app gather about you

Part of managing your private information is not only understanding WHICH messaging apps gather information on you, but WHAT those apps gather.

Here are four of popular messaging apps just to compare them....

Created byStu Wise · Dec 17, 2021 ·  0 ·  0 · open