Here we are with this week’s top cybersecurity news sharing the latest arrests of cybercriminals, Google’s actions against threats actions, and the latest campaigns. Let’s check these out.
Credit Card Theft Through Realistic Checkout Forms Replaces Hackers’ Stealth Tactics
Hackers and threat actors hijack online marketplaces to steal credit cards from innocent individuals worldwide.
Threat actors add the code to display genuine-looking fake payment forms that display as a modal overlaid on the main webpage of these marketplaces and online stores. Researchers at Malwarebytes released a report on this new campaign highlighting that these models are carefully crafted and visually captivating, adding to the sophistication of the campaign.
Whenever an individual enters information into the modal, it shows a loading screen that leads to an error, redirecting the user to the original payment URL (Uniform Resource Locator). The details entered, such as the card number, expiration date, CVV, and the holder’s name, are sent to the threat actors.
If you are a frequent shopper and come across a modal, it is better to skip these and look for the original payment link on the online store.
Google Blocks Malware and Fraud Rings by Banning 173K Developer Accounts
Last year, Google banned 173,000 developer accounts to block malware and fraud rings infecting the Google Play store and Android devices.
Preventing nearly 1.5 million applications linked to multiple policy violations, Google shared that its Google Play Commerce security team was able to block transactions of fraud and abuse, saving its customers over $2 billion in losses. Google has included additional requirements for developers who wish to join the Play Store ecosystem.
Now, the developers will have to undergo a phone and email identity verification and have also collaborated with SDK (Software Development Kit) providers to minimize sensitive data access and prevent sharing of data so applications on the app store offer better privacy to all users.
Ukrainian Individual Apprehended for Selling Data of 300 Million Individuals to Russians
The Ukrainian police apprehended a middle-aged man from Netishyn who sold the personal data and sensitive information of nearly 300 million individuals, including the data of Ukrainian and European citizens.
The 36-year-old used Telegram to promote the stolen information and advertise it to buyers, asking for $500-$2000 depending on the volume of data. Ukrainian police released an announcement highlighting that the information included passport data, taxpayer numbers, driver’s licenses, financial information, and birth certificates.
The statement also shared that most buyers were Russian citizens who used prohibited currencies for the payments, leading the police right to the culprit. During the raid, the man attacked a police officer but was brought down.
The police confiscated computers, server equipment, and 36 hard drives with multiple databases. The man is facing criminal charges and now faces jail time of a minimum of 5-10 years.
Cryptbot Malware Infrastructure Takedown Initiated by Google
Google was granted a court order to take down the Cryptobot malware and info stealer after filing a lawsuit against the individuals using the malware to infect its browser and steal user data.
Nearly 18 defendants from Pakistan are charged with running malicious and fraudulent websites to trick users into downloading malicious versions of Google Chrome and Google Earth Pro. These malicious versions downloaded the Cryptbot malware on victim systems designed to steal their personal and financial information without their knowledge.
To combat the spread of Cryptbot, Google has been granted a temporary restraining order, allowing the organization to disrupt these malicious distributions.
Google will now take down domains associated with the malware that has infected nearly 670,000 systems in the past year.
Chinese Hackers Adopt New Linux Malware Variants for Espionage Purposes
Threat actors deploy malware on Linux systems in a new cyberespionage campaign using the PingPull variant and Sword2023 backdoors.
Pingpull is a RAT (Remote Access Trojan) used by the Chinese state-sponsored threat actor group Gallium that targets the government and financial organizations of Russia, Belgium, Vietnam, Australia, and the Philippines.
The Chinese threat actor is using new malware variants, targeting Nepal and South Africa, and using a previously undocumented backdoor, Sword2023. Sword2023 can upload files onto breach systems, exfiltrate information, and files, and is associated with two different C2 (Command and Control) servers.
Gallium is advancing its arsenal and shifting focus to Linux systems. Organizations should define a comprehensive security strategy to defend against this and similar threats.
Resold Corporate Routers Can Expose Networks to Hackers, Warns Security Experts
Enterprise-level networking equipment hides sensitive data that threat actors could use to breach these organizations and steal customer information.
Cybersecurity researchers at ESET purchased 18 used core routers and found that these routers still had the complete configuration data on the devices that worked adequately. Core routers can make or break a large organization as they connect to all network devices and support data communication interfaces.
Using these configuration settings and the details about the organization, a threat actor could find out how the network was set, including the connections between systems, making it easier to breach the corporate network. The routers also contained credentials to connect to other networks as a trusted party.
Organizations should ensure that all discarded or old equipment is reset to factory defaults to avoid threat actors using these against them.