Cybersecurity Wins: December 2018
Cybersecurity news can be grim — a seemingly endless litany of new phishing campaigns, social engineering attacks, and massive data breaches. (Did we mention the massive data breaches?) And let’s not even get started on the ongoing investigations into possible election meddling and the hacking of voter databases and political groups.
Given that, it’s always encouraging to recognize the successes in the fight against cyber theft, cyber espionage, and social engineering. It might seem like the “good guys” are fighting a losing battle, but many cybercriminals are being brought to justice. Here’s a quick summary of notable cybersecurity wins from the last few months of 2018.
Ad Fraud Botnet Shut Down, 8 Indicted
A massive global digital ad botnet, dubbed “3ve,” was shut down by the US Federal Bureau of Investigation (FBI) following collaborative work with leading tech organizations. Eight men were indicted in late November; at the time of this writing, three have been arrested and are awaiting extradition to the US, with the rest currently at large.
“At its peak, 3ve involved about 1.7 million PCs infected with malware, an array of servers that could generate mountains of fake traffic with bots, roughly 5,000 counterfeit websites created to impersonate legitimate web publishers, and over 60,000 accounts with digital advertising companies to help fraudsters receive ad placements and get paid,” according to Buzzfeed.
The investigation began in early 2017, a collaborative effort involving the FBI and digital advertising and cybersecurity experts like Google, bot-detection firm White Ops, and Proofpoint (our parent company). Proofpoint researchers played an instrumental role in providing malware samples and identifying infrastructure used in the fraud.
2 Indicted in SamSam Ransomware Scheme
In late November, two Iranian men were indicted on allegations that they developed and released the SamSam ransomware used against numerous municipal and healthcare computer systems, including the crippling March attack on the city of Atlanta, Ga. US Assistant Attorney General Brian Benczkowski described the efforts as “an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail.”
Though the men, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, reportedly acted from within Iran, the US Justice Department’s indictment did not allege official government connections. The two are thought to have collected more than $6 million from 200+ victims while causing more than $30 million in total losses.
Android Ad Fraudster Arrested
A Russian citizen wanted by the US federal government was arrested in Bulgaria in November, accused of ad fraud resulting in at least $7 million in damages. Alexander Zhukov, 38, is awaiting extradition to the US, where he could face up to 20 years in prison. The ad fraud scheme “used bots to mimic user behavior on a network of 125 Android apps connected to front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, and Bulgaria,” according to Engadget.
For five years in a row, we've been named a Leader in the Gartner Magic Quadrant for Security Awareness Computer-Based Training
Ukraine Police Pull Double-Duty as RAT Catchers
Police in Ukraine arrested an as yet unnamed 42-year-old man in connection with the long-running DarkComet remote access trojan (RAT). Once installed, the RAT can be used to spy on a compromised computer, logging keystrokes, taking screenshots, stealing passwords, installing additional malware, and more.
The man is charged with infecting 2,000 users across 50 countries. According to ZDNet, the man likely used a residential ISP to host the DarkComet command-and-control server on a home computer, making him easier to apprehend.
3 Arrested for Ripping Off Retailers
Three men alleged to be high-ranking members of the FIN7 international hacking group have been arrested and charged with stealing millions of consumer credit and debit card numbers. The group targeted more than 100 retailers, focusing on companies in the restaurant, gaming, and hospitality industries.
To steal the credit card numbers, the criminals breached the companies using malware delivered through phishing and other social engineering attacks. In addition to sending phishing emails with malware-laden attachments, the group would call employees on the phone and encourage them to open the attachments, according to Jay Tabb, head of the FBI’s Seattle field office.
SIM-Swappers Stole $14 Million in Cryptocurrency
In September, two men were arrested on suspicion of stealing $14 million from a California-based cryptocurrency company. The hack is thought to have been accomplished through using a SIM swap attack to take control of an employee’s phone, then using the stolen identity to access and divert the cryptocurrency.
US Secret Service agents were able to track the stolen cellphone account to a hotel room in Oklahoma City, Okla., where they arrested Fletcher Robert Childers, 23, and Joseph Harris, 21. According to court documents, the suspect had been sending “taunting emails” to the company and laundering the cryptocurrency through a variety of exchanges.
Hotel Hacker Arrested for Selling Stolen Data
Shanghai police arrested a man in September for attempting to sell customer data stolen from a large China-based hotel chain. The data, offered for sale on the dark web in August, consisted of over 500 million records, including login credentials, credit card details, and other personally identifiable information (PII).
The hotel chain said that the hacker had failed to sell the data. According to ZDNet, the attacker also “attempted to blackmail the hotel into paying for its own data by leveraging public pressure surrounding the public disclosure of the hack.”
Subscribe to the Proofpoint Blog