The pandemic has fueled the use of online applications and services, and malicious actors are well aware of it: they continue to launch cyberattacks to rob you of your information or your money. This week’s headlines cover how a group of fraudsters conned people over dating apps in South Africa, among other significant cyber developments worldwide.
Fake Applications No Longer a Rarity
Cybersecurity researchers at Cyble Research Labs have discovered a phishing campaign targeting customers of Japan-based telecommunication services. The adversaries spread a fake Android app under the brand name of a popular telecommunication provider and stole about 2,900 credentials in all, from 797 Android and 2,141 iOS users. In a typical run of the scam, the fake app asks the user to grant it several administrative permissions and to disconnect from any Wi-Fi network they are using.
The fake app then leads the user to what looks like the telecommunications provider’s official payment service page and requires them to log in with a secret PIN. Once the user enters the requested details, the stolen credentials go straight to the adversaries’ mailbox via Simple Mail Transfer Protocol (SMTP). Technical email phishing protection still helps, but users need to stay informed and vigilant to tell a fake app from a genuine one: install apps only from the official store, check that the developer name matches the provider, and treat any app that asks for device administrator rights or tells you to switch off Wi-Fi as a red flag. On the network side, outbound SMTP connections from a handset are unusual in themselves and worth alerting on.
Juniper Networks Patches Vulnerabilities
Popular networking and cybersecurity solutions provider Juniper Networks recently released over 40 advisories patching more than 70 vulnerabilities. A majority of the patched flaws are rated critical or high severity. They could be exploited for denial-of-service (DoS) attacks, privilege escalation, and remote code execution. The patched flaws primarily affect Juniper’s Junos OS operating system.
Anyone looking for critical-severity flaws should start with two particular advisories. One addresses a dozen vulnerabilities in third-party components, some of which date back to 2017; the other fixes an authentication bypass vulnerability in 128 Technology Session Smart Routers. Workarounds and mitigations are also available for some vulnerabilities, alongside the updates. Juniper reported no evidence that any of the now-patched vulnerabilities has been exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to apply Juniper’s patches as soon as possible. Administrators can check the running release with `show version` on the device and compare it against the fixed versions listed in each advisory.
Attackers Using Discord to Deploy Malware
Popular instant messaging application Discord is being actively used by adversaries to deliver malware to user devices, putting its more than 140 million users at risk in 2021. People use Discord to share text, audio, and files in topic-based channels; uploaded files are stored on Discord’s Content Delivery Network (CDN) servers and remain downloadable by anyone who has the link, even without a Discord account. What people don’t realize is that many of the files hosted on Discord’s own CDN are malicious and spread malware.
Discord, initially introduced to facilitate communication among gamers, has since been widely adopted in workplaces. Because the CDN is a legitimate, well-reputed domain served over HTTPS, attachments downloaded from it can bring bad traffic into any organization’s network that uses Discord for official communications. Researchers reported 27 unique malware families on Discord’s CDN, spanning four malware types: backdoors (e.g., AsyncRAT), spyware (e.g., Raccoon Stealer), Trojans (e.g., AgentTesla), and password stealers (e.g., DarkStealer). The incident points to the growing abuse of legitimate CDNs by adversaries, which blends malware delivery into traffic that reputation-based filters normally allow.
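The practical defensive point above is that a Discord attachment arrives from a reputable domain over HTTPS, so proxy or endpoint logs are often the only place to notice an executable coming out of a chat channel. The script below is an added example written for this article; it is not code from Discord or from the researchers cited. It parses a constructed web-proxy log in an assumed `timestamp src_ip method url status bytes` format and flags completed downloads of executable or archive attachments from Discord’s CDN hosts. The host list, the extension list, and the attachment URL layout (`/attachments/<channel>/<message>/<filename>`) are assumptions to tune for your own environment.

```python
"""Flag executable-looking attachment downloads from Discord's CDN in proxy logs.

Added example for this article; not code from Discord or from the researchers
cited. The log format, host list and extension list below are assumptions.
"""
import re
from urllib.parse import urlparse

# Hosts that serve Discord attachments (assumed; attachment URLs look like
# https://cdn.discordapp.com/attachments/<channel_id>/<message_id>/<filename>).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# File types that should not be arriving on a corporate endpoint from a chat
# channel (assumed starting list; tune to your environment).
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jar", ".iso", ".zip", ".rar", ".7z",
}

# Assumed proxy log line: "<timestamp> <src_ip> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_url(url):
    """Return (is_discord_attachment, extension) for a URL.

    The extension is taken from the final path component only, so a name such
    as 'invoice.pdf.exe' is classified by its real '.exe' suffix.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_attachment = host in DISCORD_CDN_HOSTS and "/attachments/" in parsed.path
    return is_attachment, ext


def find_suspicious_downloads(lines):
    """Return the completed (HTTP 200) GETs of risky attachments from Discord's CDN."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue  # malformed lines, non-GETs and failed downloads are ignored
        is_attachment, ext = classify_url(rec["url"])
        if is_attachment and ext in RISKY_EXTENSIONS:
            hits.append({"ts": rec["ts"], "src": rec["src"], "url": rec["url"],
                         "ext": ext, "bytes": int(rec["bytes"])})
    return hits


def hits_by_source(hits):
    """Count flagged downloads per source IP, a convenient first triage view."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


# Constructed sample log (not real traffic): one benign image, two hits, one
# failed download, one executable from a non-Discord host, one API call, one junk line.
SAMPLE_LOG = [
    "2021-07-21T09:12:01Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/812345678/901234567/team_photo.png 200 48211",
    "2021-07-21T09:14:33Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/812345678/901234568/invoice.pdf.exe 200 712304",
    "2021-07-21T09:15:02Z 10.0.0.22 GET https://media.discordapp.net/attachments/812345678/901234569/Setup_Tool.zip 200 2209811",
    "2021-07-21T09:16:40Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/812345678/901234570/old_build.exe 404 0",
    "2021-07-21T09:18:05Z 10.0.0.31 GET https://downloads.example.com/tools/putty.exe 200 1120000",
    "2021-07-21T09:19:11Z 10.0.0.31 POST https://discord.com/api/v9/channels/812345678/messages 200 512",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    flagged = find_suspicious_downloads(SAMPLE_LOG)
    for hit in flagged:
        print(f"{hit['ts']} {hit['src']} fetched {hit['ext']} from Discord CDN: {hit['url']}")
    print(hits_by_source(flagged))
```

On the sample log this flags the `invoice.pdf.exe` and `Setup_Tool.zip` downloads and nothing else: the image is benign, the 404 never delivered a file, and the executable from a non-Discord host is out of scope for this rule (another rule should cover it). Extension matching is a coarse first filter; in production, pair it with the downloaded file’s hash or its magic bytes from the endpoint agent, since an attacker can rename a payload to `.png` and rely on the user to rename it back.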
There is a Penalty for Every Cybercrime
Two Eastern European men, Pavel Stassi and Aleksandr Skorodumov, were recently sentenced for providing a safe haven to the threat-actor community, the US Department of Justice (DoJ) announced. Stassi, from Estonia, and Skorodumov, from Lithuania, ran a bulletproof hosting service that let adversaries quickly deploy malware. They hosted a range of malware, malicious e-commerce platforms, tools, and materials used to deploy malware. Law enforcement eventually caught up with them, and they have been sentenced to 24 and 48 months in prison, respectively.
Stassi and Skorodumov’s bulletproof hosting service housed a range of malware payloads, including Citadel, SpyEye, Zeus, and the Blackhole exploit kit, and it facilitated the creation of botnets. The accused operated from 2015 to 2019 along with Russian associates Aleksandr Grichishkin and Andrei Skvortsov. Reportedly, Grichishkin and Skvortsov were the founding members and managers of the hosting service, Skorodumov was the lead systems administrator, and Stassi handled general administration and marketing. They helped their clients evade law enforcement. All four pleaded guilty to one count of RICO conspiracy. Grichishkin and Skvortsov await sentencing and face up to 20 years’ imprisonment.
Seven Years of Compromising Data Has its Price
Justin Sean Johnson, known online as TheDearthStar, was recently sentenced to seven years in prison for hacking into the University of Pittsburgh Medical Center (UPMC) network and stealing its data over a period of years. In early December 2013, Johnson broke into UPMC’s network and sold the personally identifiable information (PII) of tens of thousands of UPMC employees on the dark web. Other criminals used this data to file fraudulent Form 1040 tax returns, claiming false refunds exceeding $1.7 million and converting them into Amazon gift cards. Apart from that, Johnson stole and sold over 90,000 non-UPMC data sets between 2014 and 2017.
With over 40 hospitals and 90,000 employees, UPMC is the largest healthcare provider and insurer in Pennsylvania. When Johnson broke into UPMC’s human resources databases, he stole the PII of over 65,000 employees and sold it on dark-web markets; the compromised data included names, addresses, Social Security numbers, and salary details. He was charged in 2020 and pleaded guilty to stealing the UPMC data a year later, in 2021. Throughout this period he repeatedly returned to the UPMC database to harvest more employee PII. It is a sobering picture of an attacker quietly lurking on a sensitive network for years at a stretch, and exactly the kind of repeated, low-volume access to an HR database that database audit logging and alerting on anomalous query patterns exist to catch. Such cases show what happens when cybersecurity takes a back seat and weaknesses in a network go unnoticed for years, causing lasting harm to the people affected.
Eight Arrested in South Africa For Conning People on Dating Apps
Finding a companion online is commonplace today, but there are bad actors who exploit people’s emotional vulnerability for their own gain. South African law enforcement recently arrested eight such fraudsters in Cape Town. The eight foreign nationals won the trust of widows and divorcees on online dating apps and stole over US$6.9 million from them. They created fake profiles on dating apps and built what appeared to be genuine romantic relationships with their victims, then used sob stories to extract financial ‘help’ from them. Once the money was transferred to their accounts, they stopped responding.
During the raid, South African police also found evidence of Business Email Compromise (BEC) tactics being used to divert funds. US authorities played a significant role in the raid and arrests. The group is suspected of having ties to an international crime syndicate based outside South Africa. While the eight will be prosecuted for mail and financial fraud, remember that thousands of similar fraudsters are waiting for you to fall into their trap. Use dating applications, or any online service, with caution and follow basic cyber hygiene: never send money to someone you have only met online, and verify any request to change payment details through a separately confirmed channel rather than by replying to the message that asked for it.