Los Angeles SIM Swapper Sentenced to 8 Years in Prison

Amir Hossein Golshan, 25, of Los Angeles, was sentenced to 96 months in prison for perpetrating multiple cybercrime schemes, including one involving SIM swapping.

Between April 2019 and February 2023, Golshan caused roughly $740,000 in losses to hundreds of victims, as a result of various online scams and unauthorized access to digital accounts.

According to court documents, Golshan took over victims’ social media accounts, impersonated Apple support, and engaged in Zelle payment fraud schemes.

To take control of victims’ social media accounts, he used a technique called SIM swapping, in which he convinced mobile phone carriers to transfer the victims’ numbers to SIM cards in his possession.

This allowed Golshan to obtain two-factor authentication codes sent via text messages and access the victims’ accounts.

In addition to taking over the owners’ accounts, Golshan targeted their friends, tricking them into sending him money.

In one instance, after taking control of an influencer’s Instagram account, he asked the victim’s friends to send him thousands of dollars via PayPal, Zelle, and other online payment platforms. He also locked the victim out of the account, demanding $2,000 to restore access.

He also defrauded individuals by advertising fake and non-existent Instagram services, demanding fees of several hundred dollars. Using the SIM swapping and Zelle schemes, he received approximately $82,000 in payments from roughly 500 victims.

By impersonating Apple support, Golshan gained access to victims’ iCloud accounts, to steal NFTs, cryptocurrency, and other digital property. In total, he defrauded five individuals of between $2,000 and $389,000 each.

In addition to the prison sentence, Golshan was ordered to pay over $1.2 million in restitution. In July, he pleaded guilty to using SIM swapping against three victims.

Related: Former Navy IT Manager Sentenced to Prison for Hacking, Selling PII

Related: Nigerian Man Sentenced to 8 Years in US Prison for $8 Million BEC Scheme

Related: British Twitter Hacker Sentenced to Prison in US

https://www.securityweek.com/los-angeles-sim-swapper-sentenced-to-8-years-in-prison/




Hacktivism: What’s in a Name… It May be More Than You Expect

All hacktivists should be treated as if they are malicious hackers because the distance between hacking/activism, malevolence, and damage has become too small and too vague.

In legal terms, hacking is fundamentally the circumvention of system controls to obtain unauthorized access to that or another system. It is prohibited by the Computer Fraud and Misuse Act (CFAA). There are three basic types of hacker: malicious, ethical, and hacktivist. 

All three can be treated differently by the CFAA. The rules, even if not always the practice, are reasonably understood for the first two. The primary difference is intent and damage: if the intent is good, and damage is avoided, the (ethical) hacker may be excused prosecution. If the intent is to steal from the victim and/or damage is inflicted, the (malicious) hacker will be prosecuted.

Where does this leave the hacktivist? The word derives from hacking (illegal under CFAA) and activism (a term often associated with a desire to effect change for the better via civil disobedience). It combines illegal action with good intention, usually results in at least some damage, and has always been a problem area for both public opinion and legal consequences.

This is not just an academic problem. All things in cyber evolve quickly; and in times of heightened geopolitical tensions, they evolve very rapidly. Hacktivism is evolving. It is important for both the law and cyber defenders to understand the current and potential activity of hacktivism to better understand how it should be treated. 

There is no legal definition of hacktivism in the US. However, in a paper (Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy) presented to the World Affairs Council in 1999, Dorothy Denning described hacktivism as “the convergence of hacking with activism, where ‘hacking’ is used here to refer to operations that exploit computers in ways that are unusual and often illegal, typically with the help of special software (‘hacking tools’).” Hacktivism is most likely illegal if it involves hacking into another person’s computer.

The US National Counterintelligence Strategy takes a similar view. “State adversaries [including Russia and China] such as Cuba, Iran, and North Korea; non-state actors such as Lebanese Hizballah, ISIS, and al-Qa’ida; as well as, transnational criminal organizations and ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations, also pose significant threats.” 

It is also worth considering the military acronym MICE, originally used to recognize potential spies but generally able to detect anyone who may become a threat: the motivations of Money, Ideology, Compromise (as in coercion), and Ego. As more elements of this acronym apply, so the likelihood of becoming a spy (or a threat generally) increases. But it provides a mixed result on whether hacktivists should be considered a threat. They are not generally motivated by money but are certainly driven by ideology. They are not generally coerced into their actions but are probably egocentric. 

This difficulty in classifying hacktivists as moral or immoral people is further confused by Denning’s linkage to ‘influencing foreign policy’, which helps explain why there can be no easy international consensus on hacktivism: friends influence foreign policy for good purposes, foes do so for bad purposes. Much of the hacktivism conducted by the IT Army of Ukraine against Russia is considered moral by the western allies, but immoral by Russia. Much of the election interference conducted by Russian trolls in both the US and Europe is considered immoral in the west, but ideologically moral by the perpetrators.

The overall result of these confused considerations is that hacktivism is illegal, should be considered a cybersecurity threat, but is not necessarily automatically reprehensible in the manner of malicious hackers delivering ransomware. This leaves open the question of whether the law should treat hacktivists any differently to hackers.

Pieter Arntz, malware analyst at Malwarebytes, considers the relativist view. “What is considered good and bad often boils down to which side one supports. Before the [Ukraine war], both Ukrainian and Russian groups were labeled as cybercriminals. However, with Ukrainians targeting Russia and Russians focusing on Ukraine and its allies (including us), it’s natural for us to perceive those attacking us as the ‘bad’ actors, while those we root for are seen as ‘good’.” The context is important.

Nick Hyatt, cyber practice leader at Optiv, agrees with the importance of context. “Not all crimes are the same, so I think it’s important that context be included when considering how the law should handle attackers. If you remove political motivation from the incident, how does it stack up in severity? On the one hand you have a hacktivist that broke into a government’s email server, stole data, and released it for moral purposes. On the other, you have a ransomware syndicate that encrypts a company’s environment, exfiltrates data, and then holds them for dual ransom. Is one more severe than the other? One actor didn’t ask for money, the other did. Does that put the crime into a different classification?”

The argument is valid, but perhaps not comprehensive. Both Edward Snowden and Julian Assange could be considered hacktivists. Any system damage was minimal in comparison to, say, NotPetya and WannaCry – but the political damage was immense. There is no legal forgiveness just because this was hacktivism.

Nevertheless, Callie Guenther, senior manager of cyber threat research at Critical Start, agrees that context is important – not so much to the law, but to the penalty. “If both [hackers and hacktivists] commit the same crime, like unauthorized access or data theft, the law should treat the actions consistently. However, legal systems might consider the intent or motivation behind a crime when determining penalties.”

There is a potential route toward such an approach found in the DoJ’s declaration that it would not prosecute good faith research under the CFAA.

Melissa Bischoping, director of endpoint security research at Tanium, has a more direct opinion. For her, ‘hacker’ is a neutral term (see Hacker Conversations for various discussions on this), while ‘hacktivism’ is not. “Hacker is a descriptor much like ‘woodworker’ or ‘artist’, ” she said. “It describes a mentality, personality type, and a set of common interests – but in itself is not inherently illegal and shouldn’t be treated as such under the law. Hackers are human beings. Hacktivism is a form of cybercrime, and people engaged in it are criminals, not just ‘hackers’.”

Criminals? Yes, technically. But Robert Leong, senior director and head of product management for HCL BigFix, summarizes the popular view: “Hacktivists generally have some kind of social or political objective, and seek things like societal change and/or political policy prescription changes. They also tend to limit themselves to ‘non-violent’ kinds of cyber actions, such as DoS attacks or virtual sit-ins, website defacement, Google bombs, website parodies, and IP theft. They tend to eschew actual destruction and/or actions that would result in physical or cyber violence.”

Where their actions may be illegal, he points out that attorneys general, juries and judges are able to grant leniency when it is warranted. “So, for example, if a hacktivist were to hack a goods manufacturer for knowingly using child slave labor, we as a society may agree that their cause is just and although they are performing illegal activities, we would likely treat them more leniently because we agree with their motives if not their methodologies.”

Eli Nussbaum, MD at Conversant Group, cautions that definitions and opinions change. “Hacktivism has, at times, been used to describe activists who legally use technology to peacefully advance their political, moral, and ethical agenda. Most often though, hacktivism describes activity that more closely resembles terrorism or other types of criminal hacker activity as it is legally defined,” he says. “Hackers and hacktivists are criminals who weaponize coding for their benefit. While their ideology may be different, the outcome for victims is similar… there is no tangible difference between hackers and hacktivists in any legal sense.”

Like ‘hacktivism’, ‘cyberwar’ is another word that is difficult to define (see What is Cyberwar?). The concepts may seem to be far apart – but the reality may be different.

One of the purposes of kinetic war is to effect regime change – and nobody would suggest that kinetic war is ‘good’ (regardless of relativism). But one of the purposes of hacktivism is also to effect regime change (refer again to the Russian trolls disseminating false information at the time of US elections). Does this imply that hacktivism includes an element of cyberwar? That would certainly chime with Bischoping’s view that “people engaged in it are criminals, not just ‘hackers’.”

The current war in Ukraine also demonstrates how dangerously close hacktivism can get to cyberwar. Non-Ukrainian operatives within the IT Army of Ukraine are sometimes considered to be hacktivists purposed with disrupting the economy of the Russian state. Note that the US definition of cyberwar requires human death or the disruption of critical industries to the extent that human death may be an expected outcome. So long as hacktivists do not cause death, they are technically not engaged in cyberwar.

But real life and technical distinctions are difficult to rationalize. In September 2023, Karim Khan, KC, prosecutor at the International Criminal Court, issued a statement on the nature of ‘hybrid’ war. “Cyber warfare does not play out in the abstract,” he wrote. “Rather, it can have a profound impact on people’s lives. Attempts to impact critical infrastructure such as medical facilities or control systems for power generation may result in immediate consequences for many, particularly the most vulnerable.”

It can be seen as a warning to hacktivists operating in or for Ukraine. “Cyber operations are sometimes employed as part of a so-called ‘hybrid’ or ‘gray zone’ strategy,” he continued. “Such strategies aim to exploit ambiguity and operate in the area between war and peace, legal and illegal, with the perpetrators often hidden behind proxy actors.”

Notably, the IT Army of Ukraine immediately responded on its Telegram channel: “IT Army supports this idea and will steadfastly adhere to every letter of international legislation that will regulate cyber warfare.”

The relevance to understanding the nature of hacktivism is that it would only take an error of judgment or coding to transform a hacktivist (generally considered to be a lesser criminal) into a perpetrator of cyberwar (generally considered to be a major criminal). 

Just as nation states can deliver a destructive wiper in the guise of criminals using a defective ransomware (evading the accusation of cyberwar), so can they deliver various activities (fake information, social disruption) disguised as hacktivists (again evading any charge of indulging in cyberwar).

It is worth noting the reported comment from Putin at the time of Russian interference in the 2016 election. Many in the US were calling Russian activity an act of cyberwar; but Putin supposedly retorted, “They got up today and read that something is going on internationally. If they are feeling patriotic, they will start contributing, as they believe, to the justified fight against those speaking ill of Russia.”

Putin was effectively saying, ‘This was not the Russian state but Russian hacktivists and therefore not an act of cyberwar (since it caused neither death nor damage to critical infrastructure).’

The proximity of hacktivism and cyberwar may also largely underlie the Red Cross warning of October 4, 2023: “Civilian hackers risk exposing themselves, and people close to them, to military operations… This means that the computers and digital infrastructure they use risk becoming military objectives, meaning that they are at risk of being attacked. Likewise, in the adversary’s eyes, and depending where the hacker sits, they may be attacked – by bullet, missile, or cyber operation.”

What may start as hacktivism can easily escalate into cyberwar, which could lead to further kinetic warfare beyond the immediate confines of the existing conflict. The hacktivist can no longer be viewed as a simple innocent indulging in civil disobedience.

Fifteen or more years ago, hacktivism was largely confined to DDoS attacks and political or social messages left on defaced websites. It might have been technically illegal but was considered more an annoyance than a dangerous activity. It was not necessarily something that required millions of dollars spent in defense, but was primarily something that should be considered in risk analysis by companies operating in areas that might engender social or ethical objections.

A watershed may be traced to the DDoS attacks by the Syrian Electronic Army (SEA) in 2012 against major US banks. The group was not known to be state affiliated. The damage was not physical but economic, by disrupting business. SEA claimed the attacks were in retaliation for US support for the rebels in the Syrian Civil War. Thus far the group could be considered hacktivists; but within a couple of years its activities were indistinguishable from any standard hacking gang (including, allegedly, an attack against the water distribution system of Haifa in Israel). 

The propensity for hacktivism to expand beyond the confines of the civil disobedience description of activism raises a significant question: can cyber defenders continue to downplay the threat from hacktivists?

Bischoping believes there could be a difference in the defense against ethical hackers, but that hacktivists should be considered the same as malicious hackers. “The focus of security defenders when it comes to ethical hackers,” she said, “is to ensure that any research is being done in accordance with acceptable use and responsible disclosure policies, and preferably coordinated with security teams to reduce alert fatigue.”

Apart from this, the general opinion is that all hackers should be deterred equally. “From a cybersecurity standpoint, defenses should be universal. However,” she adds, “understanding the motivations can help in predicting potential targets or the nature of the attack.”

Here the risk analysis of potential attackers comes into play. However: “Defenders generally don’t have the luxury of knowing motive. We look on the outside, but we cannot look on their heart,” comments Leong. These days, it is difficult to distinguish a criminal gang from a nation state (it could even be nation state hackers moonlighting as criminals). Even with suspected hacktivists, “Our role as defenders tends to be limited to stopping or limiting the success of their attacks, given we don’t know their motives.”

But he does suggest that prior warnings from hacktivists could have a beneficial effect. “This should prompt our internal moral compass so that we do due diligence in investigating the claims, and if our organization is indeed guilty, then we need to take action.”

Understanding hacktivism may seem an academic exercise since a hacktivist uses hacking and is at least legally a criminal under the CFAA. All criminals should be kept out of or cleared from corporate networks.

But should the type of criminal be relevant to the defender? Opinions differ. Malcolm Harkins, chief security and trust officer at Epiphany Systems, has told SecurityWeek, “Running security is managing exploitability. If I over-focus on the nature of the perpetrator, I’m wasting time, because I have no ability to affect the actor.”

John Hultquist, VP of intelligence analysis at Mandiant, says, “It absolutely matters. You can’t do risk assessments if you don’t care who the attacker is… We sometimes forget to ask, who are the bad guys and what capabilities do they have – when will they attack and when will they not attack? Am I even at risk of these people?”

We may still have the luxury of distinguishing between different types of attacker, but frankly we do not have the luxury of treating them differently. The age of hacking innocence has gone. We may still have some lingering sympathy for the social activist within the hacktivist, but as Miguel Clarke, cybersecurity and GRC evangelist at Armor Defense (and former supervisory special agent at the FBI) points out, there are better ways to protest. 

“You can have a personal blog, you can run a YouTube video blog, you can podcast,” he comments. “All of these can maximize the advantages of cyber without breaking the laws of cyber.” He believes that defenders should defend, while the courts should be charged with navigating the flexibility of the legal system, allowing ‘intent’ to possibly mitigate punishment where applicable.

In short, with legal alternatives, all hacktivists should be treated as if they are malicious hackers because the distance between hacking/activism, malevolence, and damage is too small and too vague.

Related: Hacktivists Leak Data Allegedly Stolen From Russian Energy Giant Transneft

Related: Belarus Hacktivists Target Railway in Anti-Russia Effort

Related: Hacktivist Attacks Declined 95 Percent Since 2015: IBM

Related: Hacktivist Drama ‘Mr. Robot’ to End With 4th Season in 2019

https://www.securityweek.com/hacktivism-whats-in-a-name-it-may-be-more-than-you-expect/




Phishing Alert in Italy: Maximum Caution over Scams Using the Logos of ACN, the Polizia di Stato and Europol

A phishing campaign is under way that cites and uses the logos of national offices and centres of the Polizia di Stato, Europol and the Agenzia per la Cybersicurezza in order to make victims believe they are under investigation for child pornography, inviting them to provide explanations within 48 hours on pain of arrest.

The Polizia Postale, which issued the alert, reminds all citizens that no police force, or any other state authority, contacts citizens by e-mail or text message to request clarifications about alleged criminal conduct.

“The aim of the scam,” law enforcement explains, “is to harvest your personal data for illicit purposes.”

The fake document that the criminal hackers send to users by e-mail

ACN also warns: “Fake e-mails are being used bearing the signature of deputy director general Ciardi”

The Agenzia per la Cybersicurezza Nazionale also issued a statement today on its LinkedIn page confirming the wave of phishing attacks.

“A massive phishing campaign is under way through fake e-mails and social media messages whose text names the Deputy Director General of the Agenzia per la Cybersicurezza Nazionale, Nunzia Ciardi, and other representatives of law enforcement,” the post reads. “The fake messages use the logos of Europol, the Polizia and ACN and present the victim with a non-existent criminal investigation against them, all with the aim of causing alarm in the recipient, inducing them to contact the fraudsters and thereby exposing themselves to subsequent demands for payments of money or disclosure of their personal data.”

The Agenzia per la Cybersicurezza Nazionale recommends treating such messages with suspicion. “No institution, least of all the police forces, would contact citizens by e-mail or message to request payments of money or disclosure of personal data under threat of criminal proceedings or penalties,” the post concludes.

Phishing: the critical situation in Italy

In our country, security (the virtual kind) is getting steadily worse. According to the data in the latest Clusit report, cyberattacks in Italy grew by 40% in the first half of 2023.

According to the 2023 report on the data for the first half of 2023 and the most significant cyber incidents that occurred globally and in Italy in the first six months of the year, compared with the previous four years, the monthly average, after registering a fairly contained value in the early years of analysis, rises from 15.7 attacks per month detected in 2022 to as many as 22 attacks per month in the first half of 2023. This growth rate, the report says, is one of the main causes for concern for our country: in the whole of 2022, 188 attacks were detected, already a negative record for our country, marking growth of 169%, while globally an (already serious) surge of 21% year on year was recorded.

The figure for phishing and social engineering attacks also rises and, unlike what was observed in 2022, in Italy it weighs more heavily than in the rest of the world (14% vs 8.6% globally), an indication of a strong need for awareness-raising about cyber threats among users who deal with IT systems every day.

The percentage of incidents based on known vulnerabilities falls (4% vs 6% in 2022), while a small share of “web based attacks” (1.5%) appears. Still taking into account the large number of cases where it was not possible to identify the primary attack technique (Unknown, 18% compared with 21% worldwide), such attacks are certainly present, but still in limited quantity.

https://www.key4biz.it/allarme-phishing-in-italia-attenzione-massima-alle-truffe-con-i-loghi-di-acn-polizia-di-stato-ed-europol/469035/




Kansas Officials Blame 5-Week Disruption of Court System on ‘Sophisticated Foreign Cyberattack’

Cybercriminals hacked into the Kansas court system, stole sensitive data and threatened to post it on the dark web in a ransomware attack that has hobbled access to records for more than five weeks, officials said Tuesday.

The announcement of a “sophisticated foreign cyberattack” was confirmation of what computer security experts suspected after the state’s Judicial Branch said Oct. 12 that it was pausing electronic filings. Until now, state officials had released few details, describing it simply as a “security incident.”

Upon learning about the attack, the state disconnected its court information system from external access and notified authorities, the Judicial Branch said in a statement. That disrupted daily operations of the state’s appellate courts and all but one county. Johnson County, the state’s most populous, operates its own computer systems and had not yet switched over to the state’s new online system.

In recent weeks many attorneys have been forced to file motions the old-fashioned way — on paper.

“This assault on the Kansas system of justice is evil and criminal,” the statement said. “Today, we express our deep sorrow that Kansans will suffer at the hands of these cybercriminals.”

A preliminary review indicates that the stolen information includes district court case records on appeal and other potentially confidential data, and those affected will be notified once a full review is complete, the statement said.

Analyst Allan Liska of the cybersecurity firm Recorded Future said no ransomware group leak site has published any information yet.

Judicial Branch spokesperson Lisa Taylor declined to answer questions including whether the state paid a ransom or the name of the group behind the attack, saying the statement stands on its own.

If organizations don’t pay a ransom, data usually begins to appear online within a few weeks, said analyst Brett Callow of the cybersecurity firm Emsisoft. Victims that pay get a “pinky promise” that stolen data will be destroyed, but some are extorted a second time, he said.

In the weeks since the Kansas attack, access to court records has only partially been restored. A public access service center with 10 computer terminals is operating at the Kansas Judicial Center in Topeka.

The Judicial Branch said it would take several weeks to return to normal operations, including electronic filing, and the effort involves “buttressing our systems to guard against future attacks.”

A risk assessment of the state’s court system, issued last year, is kept “permanently confidential” under state law. But two recent audits of other state agencies identified weaknesses. The most recent one, released in July, said “agency leaders don’t know or sufficiently prioritize their IT security responsibilities.”

https://www.securityweek.com/kansas-officials-blame-5-week-disruption-of-court-system-on-sophisticated-foreign-cyberattack/




2 Environmentalists Who Were Targeted by a Hacking Network Say the Public Is the Real Victim

Two environmentalists told a federal judge Thursday that the public was the real victim of a global computer hacking campaign that targeted those fighting big oil companies to get the truth out about global warming.

A climate scientist and the director of a fund that creates initiatives to address climate change spoke at the sentencing of an Israeli man who prosecutors said enabled the hacking of thousands of individuals and entities worldwide.

Aviram Azari, 52, of Kiryat Yam, Israel, was sentenced to six years and eight months in prison for his role in a global computer-hacking network that authorities say targeted environmentalists, companies and individuals.

“I was the target, but the public at large was the intended victim,” said Peter Frumhoff, director of science and policy and chief scientist at the Union of Concerned Scientists in Cambridge, Massachusetts.

“It is our job to tell the world the truth about a world on fire” and who “lit the flame,” said Lee Wasserman, director of the Rockefeller Family Fund.

In a release, prosecutors said Azari owned an Israeli intelligence firm from November 2014 to September 2019, earning $4.8 million after clients hired him to manage “projects” that were really hacking campaigns targeting climate change activists, individuals and financial firms, among others.

Some hacked documents were leaked to journalists, resulting in articles related to investigations by attorneys general in New York and Massachusetts over what Exxon Mobil Corp. knew about climate change and potential misstatements the company made regarding what it knew about the threat, prosecutors said.

Prosecutors said the theft of identities and personal data from victims resulted in some of them describing a “psychological assault” that left them with “anxiety, paranoia, depression, sleeplessness and fear” and the sense that their personal safety was in jeopardy.

Wasserman said he was “appalled and shaken” by the invasion into his personal and professional life.

“I found myself whispering in my own home,” he said.

“It was unnerving,” said Frumhoff, who also teaches at Harvard University.

He said the online invasion had a “completely detrimental, chilling effect on our work.”

Azari was sentenced after pleading guilty to conspiracy to commit computer hacking, wire fraud and aggravated identity theft. He has been detained since his September 2019 arrest when he traveled to the U.S. from abroad.

Assistant U.S. Attorney Juliana Murray told the judge that Azari’s victims, including those working for public interest groups and climate change advocates, were “carefully chosen” to interrupt their work.

When he spoke, Azari apologized to his victims, saying he was accepting full responsibility for his crimes and promising not to “repeat this ever again.”

Frumhoff said he hoped the investigation continues so that prosecutors can expose who paid Azari “to carry out these attacks.”

After he was sentenced, Azari was given a chance to speak again and said that he listened as victims spoke at the proceeding.

He predicted “there will come a day” when he would be able to speak more about his crimes. Until then, he added, he asked for the forgiveness of his victims.

“You don’t know everything,” he said.

https://www.securityweek.com/2-environmentalists-who-were-targeted-by-a-hacking-network-say-the-public-is-the-real-victim/




US Teen Pleads Guilty to Credential Stuffing Attack on Fantasy Sports Website

Wisconsin teenager Joseph Garrison has pleaded guilty to his involvement in a scheme to access user accounts at a fantasy sports and betting website.

According to court documents, on November 18, 2022, Garrison launched a credential stuffing attack against the betting site, obtaining access to approximately 60,000 user accounts.

The defendant and others then stole about $600,000 from approximately 1,600 victim accounts, by adding a new payment method to the accounts, depositing $5 to each account using the new payment method, and then withdrawing all victim funds.

Law enforcement searched Garrison’s home in February 2023 and discovered software typically used for credential stuffing attacks on his computer, along with approximately 700 config files for these applications.

Additionally, nearly 40 million usernames and passwords that could be used in credential stuffing attacks were found on his computer.

While searching Garrison’s phone, the investigators said they discovered conversations about hacking the betting website and using the compromised accounts for profit, either by stealing funds or by selling the accounts to cybercriminals.

Garrison, 19, of Madison, Wisconsin, pleaded guilty to conspiracy to commit computer intrusion and faces up to five years in prison.

The US Department of Justice announced charges against Garrison on May 18. The teen surrendered on the same day, in New York, New York.


The documents presented in court do not mention the targeted website, which appears to be DraftKings. In November 2022, the site announced that roughly 68,000 user accounts had been compromised in a credential stuffing attack.

Such attacks use username and password pairs exposed in breaches of other services to log into accounts that the same individuals hold on other websites, relying on those accounts being protected by the same reused credential pair.
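The shape of the attack described above is visible in authentication logs: one source touches many distinct accounts in a short window, almost all attempts fail, and the few successes are the accounts that get cashed out. The following detector is an added example, not code from the article or from any court filing; the log format and the sample lines are constructed for the demonstration, and the thresholds (`min_users`, `min_fail_ratio`, `window`) are assumptions to be tuned per site.

```python
"""Credential stuffing detector over authentication log lines.

Added example, not from the article or the case. A credential stuffing run
tries many different usernames from a breached list, usually one guess each,
so the telltale shape is one source (an IP, or a user-agent / proxy
fingerprint when the attacker rotates IPs) hitting many distinct accounts in
a short window with a high failure ratio. Log format and sample lines below
are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source IP, quoted user-agent, user, result.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" user=(?P<user>\S+) result=(?P<result>OK|FAIL)$'
)

# Constructed sample: one scripted source walks a list of accounts and lands one
# hit (dave); a real user (gina) mistypes twice and then succeeds.
SAMPLE_LOG = """\
2022-11-18T03:00:01Z src=203.0.113.7 ua="python-requests/2.28" user=alice result=FAIL
2022-11-18T03:00:02Z src=203.0.113.7 ua="python-requests/2.28" user=bob result=FAIL
2022-11-18T03:00:02Z src=203.0.113.7 ua="python-requests/2.28" user=carol result=FAIL
2022-11-18T03:00:03Z src=203.0.113.7 ua="python-requests/2.28" user=dave result=OK
2022-11-18T03:00:04Z src=203.0.113.7 ua="python-requests/2.28" user=erin result=FAIL
2022-11-18T03:00:04Z src=203.0.113.7 ua="python-requests/2.28" user=frank result=FAIL
2022-11-18T03:01:10Z src=198.51.100.4 ua="Mozilla/5.0" user=gina result=FAIL
2022-11-18T03:01:25Z src=198.51.100.4 ua="Mozilla/5.0" user=gina result=FAIL
2022-11-18T03:01:40Z src=198.51.100.4 ua="Mozilla/5.0" user=gina result=OK
2022-11-18T03:30:00Z src=203.0.113.7 ua="python-requests/2.28" user=henry result=FAIL
"""


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_stuffing(events, key="src", window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Return {source: stats} for sources whose sliding window looks like stuffing.

    `key` is the grouping field: "src" for per-IP detection, "ua" to catch an
    attacker rotating IPs behind one automation user-agent. A source is flagged
    when, within any `window`, it touched >= min_users distinct usernames and
    >= min_fail_ratio of its attempts failed. The widest window seen is kept,
    together with the accounts that authenticated successfully (the ones a
    responder must lock and review).
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[e[key]].append(e)

    flagged = {}
    for source, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(source)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[source] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(e["user"] for e in win if e["result"] == "OK"),
                    }
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for src, stats in detect_stuffing(evs).items():
        print(src, stats)
```

The legitimate user is not flagged because a single account failing a few times has `distinct_users == 1`; a per-account lockout would have punished her while missing the attacker entirely, which is why the grouping is per source rather than per account. Run with `key="ua"` when the same campaign arrives from many IPs.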


https://www.securityweek.com/us-teen-pleads-guilty-to-credential-stuffing-attack-on-fantasy-sports-website/




FCC Tightens Telco Rules to Combat SIM-Swapping

Moving to clamp down on the growing scourge of SIM-swapping and port-out fraud, the Federal Communications Commission (FCC) has unveiled new rules mandating telcos to give consumers greater control of their mobile phone accounts.

Under the new rules, wireless carriers are required to notify customers of any SIM transfer requests, a measure designed to thwart fraudulent attempts by cybercriminals. 

The FCC has also revised its customer proprietary network information and local number portability rules, making it more challenging for scammers to access sensitive subscriber information.

The new protective measures are meant to address SIM-swapping and port-out attacks, which are widely documented in cybercriminal campaigns against businesses and consumers. Once an attacker controls a victim's phone number, the technique is used to hijack mobile accounts, reset and steal passwords, bypass SMS-based MFA and raid bank accounts.

Studies have found that major US mobile carriers are vulnerable to SIM-swapping, and the Federal Bureau of Investigation (FBI) receives thousands of consumer complaints about it every year.

In a statement announcing the crackdown, FCC chairwoman Jessica Rosenworcel said the commission has also noted the work of the Cyber Safety Review Board (CSRB) that called attention to SIM-swapping in cyber attacks against big businesses. 

“We require wireless carriers to give subscribers more control over their accounts and provide notice to consumers whenever there is a SIM transfer request, in order to protect against fraudulent requests made by bad actors,” Rosenworcel said.

“We also revise our customer proprietary network information and local number portability rules to make it harder for scam artists to make requests that get them access to your sensitive subscriber information,” she added, arguing that the new rules will improve consumer privacy and put an end to SIM scams. 



https://www.securityweek.com/fcc-tightens-telco-rules-to-combat-sim-swapping/




Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US

An Israeli private investigator who made nearly $5 million by hacking companies and individuals has been sentenced to 80 months in prison in the United States, the Justice Department announced on Thursday. 

Authorities said the man, 52-year-old Aviram Azari, was arrested on computer hacking, wire fraud and identity theft charges when he traveled to the United States in September 2019. 

According to the Justice Department, Azari owned and operated an Israel-based ‘intelligence firm’ named Aviram Hawk or Aviram Netz. 

Between 2014 and 2019, the company was hired by various clients to obtain intelligence on specified targets. Azari obtained the intelligence by hiring different hacking groups, including one located in India, to access online accounts and steal information, often by leveraging spear-phishing emails.

Targets included hedge funds, tech companies, journalists, and climate change activists. Investigators identified roughly 300 targets, including 100 for which successful hacking was confirmed. 

However, it’s believed that thousands of entities from around the world have been targeted as part of the scheme. 

“Some of the hacked documents that were stolen from various of the victims’ online accounts were leaked to the press, resulting in articles relating to the New York and Massachusetts Attorneys Generals’ investigations into Exxon Mobil Corporation’s knowledge about climate change and potential misstatements made by Exxon regarding what it knew about the risks of climate change,” the Justice Department said. 

In addition to the prison sentence, Azari will have to serve three years of supervised release and forfeit the $4.84 million that he made through the scheme. 


The Justice Department noted, “Victims have described the persistent and relentless targeting of them and their associates, as well as the theft of their identities and personal data, as ‘psychological assault’ that has caused them ‘anxiety, paranoia, depression, sleeplessness, and fear,’ and the victims have expressed continued concerns for their personal safety.”


https://www.securityweek.com/israeli-man-who-made-5m-from-hacking-scheme-sentenced-to-prison-in-us/




Bad Bots Account for 73% of Internet Traffic: Analysis

Arkose Labs has analyzed and reported on tens of billions of bot attacks from January through September 2023, collected via the Arkose Labs Global Intelligence Network. 

Bots are automated processes that operate over the internet. Some serve useful purposes, such as indexing the web; but the majority are Bad Bots designed for malicious ends. Bad Bots are increasing dramatically: Arkose estimates that 73% of all internet traffic currently (Q3, 2023) comprises Bad Bots and related fraud farm traffic.

The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse. These haven’t changed from Q2, other than in-product abuse replacing card testing. The biggest increases in attacks from Q2 to Q3 are SMS toll fraud (up 2,141%), account management (up 160%), and fake account creation (up 23%).

The top five targeted industries are technology (Bad Bots comprise 76% of its internet traffic), gaming (29%), social media (46%), e-commerce (65%), and financial services (45%). If a bot fails in its purpose, there is a growing tendency for the criminals to switch to human-operated fraud farms. Arkose estimates there were more than 3 billion fraud farm attacks in H1 2023. These fraud farms appear to be located primarily in Brazil, India, Russia, Vietnam, and the Philippines.

The growth in the prevalence of Bad Bots is likely to increase for two reasons: the arrival and general availability of artificial intelligence (primarily gen-AI), and the increasing business professionalism of the criminal underworld with new crime-as-a-service (CaaS) offerings.

From Q1 to Q2, intelligent bot traffic nearly quadrupled. “Intelligent [bots] employ sophisticated techniques like machine learning and AI to mimic human behavior and evade detection,” notes the report (PDF). “This makes them skilled at adaptation as they target vulnerabilities in IoT devices, cloud services, and other emerging technologies.” They are widely used, for example, to circumvent the two-factor authentication that is meant to defend against phishing.

Separately, the rise of artificial intelligence may or may not relate to a dramatic rise in ‘scraping’ bots that gather data and images from websites. From Q1 to Q2, scraping increased by 432%. Scraping social media accounts can gather the type of personal data that can be used by gen-AI to mass produce compelling phishing attacks. Other bots could then be used to deliver account takeover emails, romance scams, and so on. Scraping also targets the travel and hospitality sectors.

Scraping, it must be said, is a legally murky area. It is not specifically illegal; but if it defies a website’s published terms of use, it is certainly immoral. There are services that openly offer web scraping facilities. In this case, it demonstrates the relationship between CaaS, AI, and bots (here primarily scraping).


“This is a website you can use to make sure your bots aren’t getting prevented by a website,” Kevin Gosschalk, founder and CEO of Arkose Labs, told SecurityWeek, referring to a specific provider he would not name. “You can purchase this software. It has enterprise support and so on. But it is purpose built to commit crime. That is what it does. And there are many other different websites like this, but they look like legitimate businesses. It is a good example of a product purpose built to commit fraud.”

It is also a good example of crime-as-a-service. Crime-as-a-service enables wannabe criminals who may have the intent but not the skills to engage in cybercrime. “The massive rise of CaaS has completely changed the economics for adversaries,” continued Gosschalk. “It’s much cheaper to attack companies and the attacks are just better because it’s a dev shop that is doing the attacks instead of just individual cybercriminals.”

The continuing increase in the volume of Bad Bots suggests they remain profitable for the criminals. The arrival of gen-AI will improve the performance of Bad Bots, while the growth of CaaS will increase the number of Bad Bot operators; so, it will get worse. The only solution is Bad Bot detection and mitigation to limit the access of the bots to their human or system targets. If it is not profitable, they won’t do it.

https://www.securityweek.com/bad-bots-account-for-73-of-internet-traffic-analysis/




Cyberattacks: let he who is without sin cast the first stone

The “Digital & Law” column is curated by D&L Net and offers a reading of digital innovation topics from a perspective intended to give full command of digital tools and digital rights, including to non-specialists.

The facts of the case are known to us, and so is the context. Let us not repeat them. Let us instead, first of all, adopt a “neutral” attitude that does not go looking for blame, misdeeds or backstories, but rather aims to raise awareness among those who work in the sector and beyond, so that attention settles on a phenomenon that should make us reflect and that, in its scope, should cause great concern: “defacing,” which literally means to deface.

In what sense? Let us explain.

It is a criminal technique aimed at the “unlawful modification of the home page of a website (its “face”) or the replacement of one or more internal pages.” One realizes one has suffered this type of attack only when one sees the main page and/or other internal pages replaced with a screen announcing the action carried out by one or more hackers, irreparably damaging one's image.

How can one defend against it? By keeping all the software on the web server up to date, and by regularly applying security “patches” (pieces of software designed to update or improve a program) to the operating system and the HTTP server.

In this way, likely security vulnerabilities and other generic bugs would be resolved. Not doing so would be like leaving one's front door ajar, or fitted with a very weak lock that ill-intentioned people intent on breaking in could easily open.
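Patching is the preventive half of the answer; the column also observes that a defacement is typically noticed only when someone sees the replaced page. The detective half is an integrity check over the web root, shown here as an added example that is not code from the column or from any named product: it hashes every file under the web root, stores the baseline, and on each run reports what was added, removed or modified. The directory layout and file contents below are constructed for the demonstration.

```python
"""Web-root integrity check for spotting defacement.

Added example; not code from the column or from any product. A scheduled job
hashes every file under the web root and compares the result against a stored
baseline, so a replaced home page or a dropped file is reported by the job
rather than discovered by a visitor. Paths and file contents below are
constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link planted inside the web root cannot make the
    scan read, and implicitly approve, content that lives elsewhere on disk.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
        (root / "css" / "site.css").write_text("body { color: #222; }\n")
        baseline = build_baseline(root)
        # Simulated attack: home page replaced and one unexpected file dropped.
        (root / "index.html").write_text("<html><body>Defaced</body></html>\n")
        (root / "dropped.php").write_text("<?php echo 'x'; ?>\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two operational caveats: keep the baseline off the web server (or at least signed), since an attacker with write access to the web root can also rewrite a baseline stored beside it; and regenerate the baseline as a step of every legitimate deployment, otherwise the first alert after a release is noise and gets ignored.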

Of course, in an earthly paradise of honesty and deep civility, it would not be a problem even to leave the doors open. Unfortunately, in today's world, doors must not only be closed but triple-locked.

Metaphors aside, reducing the whole problem to a matter of awareness while “spraying fire” at everything around it seems to us perhaps reductive and also useless, without detracting from the relevant aspects, including legal ones, that an affair like this actually implies.

After all, analyzing the affair with a neutral eye and abstracting from the specific case, there is no doubt that many of the (presumed) certainties accumulated over the years studying the sector's regulation, the GDPR, end up fading; the GDPR assigns roles and responsibilities in cases like this, plausibly requiring every detail to be notified both to the Authority and to the data subjects (Articles 33 and 34 GDPR), the true protagonists of the entire European regulatory framework.

More generally, a great many data subjects are today exposed on the dark web and have undoubtedly suffered harm. They are therefore the first to be harmed, but at the same time the exposure of weak and bogus passwords strikes at the heart of information security.

And then there are the hackers, born to expose those bad habits by pointing the finger at flaws and missed updates, and who over time, with the digital boom and thus the spread of cybercrime, have become less and less ethical, especially when they no longer merely issue threats but also demand money.

So we find ourselves facing cybercrime that is ever more invasive and refined, in the sense that it hones criminal techniques that are progressively more evolved and technologically advanced because they are applied in cyberspace. And which, moreover, does not come from far away, as General Umberto Rapetto puts it, “collapsing the myth of the threat … from who knows where.”

So who can truly consider themselves safe? Ultimately no one, given the necessary precautions to be put in place, including remedially and from a technical standpoint, for example the introduction of cryptographic keys, stronger passwords (with alphanumeric special characters and punctuation marks) that are changed repeatedly, and so on. Even though these too often never seem to be enough.

But above all, and with this we conclude, “let he who is without sin cast the first stone”: how many could really do so? Let us reflect on it, because times have changed rapidly, perhaps too quickly to reach harsh judgments capable of assigning blame even a priori by forming prejudices, and of identifying the sinners with certainty.

https://www.key4biz.it/cyberattacchi-chi-e-senza-peccato-scagli-la-prima-pietra/467567/