A new threat actor has been observed by Zscaler distributing remote access Trojans (RATs) via online meeting lures
Monthly Archives: March 2024
“Phantom hacker” scams targeting seniors are on the rise
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
“Phantom hacker” scams, tech support-style scams that trick people into transferring money by falsely claiming their computer or online security is compromised, are on the rise, and are “significantly impacting senior citizens, who often lose their entire bank, savings, retirement or investment accounts to such crime”, CNBC reports. Notably, as of August 2023, losses from tech support scams were up 40% compared with the same period of 2022, according to a recent FBI public advisory (the advisory did not disclose the total financial impact). Half of the people targeted were over 60 years old, and that group accounted for 66% of the total losses.
Financial predation: exploiting seniors’ savings
Ample financial resources, unfamiliarity with technology, and a generally trusting nature together make older adults a prime target for phantom hacker scams. “Older adults have generally amassed a larger nest egg than younger age groups, and therefore pose a more lucrative target for criminals. Older adults are also particularly mindful of potential risks to their life savings,” Gregory Nelsen, FBI Cleveland special agent in charge, said in a statement. “These scammers are cold and calculated,” he added. “The criminals are using the victims’ own attentiveness against them.” Older adults may also be less familiar with the details of technology and cybersecurity, which makes them more susceptible to manipulation and deception, and their generally polite and trusting nature makes it easier for scammers to establish the rapport and trust the scam depends on.
Deceptive tactics: understanding phantom hacker scams
Knowing how a phantom hacker scam unfolds is the best defense against it. The scammer poses as a computer technician from a well-known company such as Microsoft, Apple or Google, or from an antivirus vendor such as Norton or McAfee, and claims there is a serious problem with your computer or online security, such as a virus or an active hacking attempt, adding that your financial accounts are at risk as well. The scammer, now often posing as a bank representative or government official to lend the story credibility, then convinces you to move your money to a “safe” account that they in fact control. The threat was never real, and the scammers walk away with your money. The request to move money is the single most reliable tell: no bank, government agency or technology company will ever ask a customer to transfer funds to a “safe” account to protect them. The scale is striking: roughly 19,000 people reported tech support scams in the first half of 2023, with losses of over $542 million, compared with roughly 33,000 complaints and $807 million in losses in 2022.
Protecting against phantom hackers: tips for seniors
Treat unsolicited calls, emails, text messages and computer pop-ups claiming to come from tech support, a financial institution or a government agency with suspicion, and never click links in them or call the number they give. Instead, verify the contact independently: look up the organization yourself and reach it through an official channel, such as the phone number printed on your bank card or the company’s own website. If you are ever unsure whether a message is genuine, ask a trusted family member, friend or tech-savvy acquaintance before acting; communities that mix people of all ages and backgrounds give seniors ready access to that kind of second opinion. Never download or install software at the request of someone you don’t know or trust, especially if they contacted you first; the remote-access tools scammers ask victims to install are what give them control of the computer. Never share sensitive information, such as Social Security numbers, bank account details or passwords, by phone, email or online unless you initiated the contact and are certain of the recipient’s identity.
Cybersecurity best practices
Keep your devices, including computers, smartphones and tablets, updated with the latest software patches and security updates, and use reputable antivirus and antimalware software. Patching closes known security flaws and antimalware software detects and removes malicious programs, which reduces the risk of a real compromise that a scammer could point to. A firewall adds another layer: it sits between your computer or home network and the internet, acting as a gatekeeper that allows trusted connections and blocks unsolicited or suspicious ones. Most current operating systems ship with a host firewall switched on, so check that it is enabled rather than buying one. Keep in mind, though, that phantom hacker scams do not break in through open ports: the scammer talks the victim into installing remote-access software, and a firewall or antivirus will typically not stop a connection the user has authorized themselves. These tools protect you from genuine malware; only refusing to install software at a caller’s request protects you from the phantom hacker.
Knowledge is power: empowering seniors with cybersecurity awareness
It is also worth staying up to date with the latest scams and cybersecurity threats targeting seniors by reading trusted sources such as government websites, cybersecurity blogs or newsletters. You may need some initial guidance to find and navigate these sources, but once you are familiar with them, keeping current on new threats and best practices becomes easy, and it lets you use the digital world with confidence. Community centers and senior centers may also offer workshops on online safety, a valuable opportunity to build cybersecurity knowledge.
Phantom hacking is a threat seniors need to understand and remain vigilant against. By staying informed and implementing strong cybersecurity measures, seniors can protect themselves from falling prey to these deceptive schemes and enjoy a safer online experience.
US Sanctions Predator Spyware Maker Intellexa
The US Treasury has designated individuals and entities associated with Predator spyware developer Intellexa
USN-6676-1: c-ares vulnerability
Vojtěch Vobr discovered that c-ares incorrectly handled user input from
local configuration files. An attacker could possibly use this issue to
cause a denial of service via application crash.
rust-routinator-0.13.2-1.fc39
FEDORA-2024-1f5908a311
Packages in this update:
rust-routinator-0.13.2-1.fc39
Update description:
from changelog:
Fix the RTR listener so that Routinator won’t exit if an incoming RTR
connection is closed again too quickly. (#937, reported by Yohei
Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan.
Assigned CVE-2024-1622.)
rust-routinator-0.13.2-1.fc38
FEDORA-2024-28a151028a
Packages in this update:
rust-routinator-0.13.2-1.fc38
Update description:
from changelog:
Fix the RTR listener so that Routinator won’t exit if an incoming RTR
connection is closed again too quickly. (#937, reported by Yohei
Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan.
Assigned CVE-2024-1622.)
rust-routinator-0.13.2-1.fc40
FEDORA-2024-d20ff4a09b
Packages in this update:
rust-routinator-0.13.2-1.fc40
Update description:
from changelog:
Fix the RTR listener so that Routinator won’t exit if an incoming RTR
connection is closed again too quickly. (#937, reported by Yohei
Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan.
Assigned CVE-2024-1622.)
rust-routinator-0.13.2-1.el9
FEDORA-EPEL-2024-d996eeff0f
Packages in this update:
rust-routinator-0.13.2-1.el9
Update description:
from changelog:
Fix the RTR listener so that Routinator won’t exit if an incoming RTR
connection is closed again too quickly. (#937, reported by Yohei
Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan.
Assigned CVE-2024-1622.)
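The four Fedora and EPEL entries above ship the same fix, so one added illustration of the failure mode serves all of them: a listener loop that lets an error belonging to a single incoming connection escape and terminate the whole listener, beside one that confines the error to that connection and keeps accepting. This is example code written for this page, not Routinator’s RTR server (which is asynchronous; the shape of the problem is the same), and it assumes, as a plausible mechanism rather than a fact the changelog states, that a client that closes again too quickly surfaces as an I/O error on a call such as peer_addr() made right after accept(). The Conn trait, FakeConn, source(), burst() and the serve_* functions are all constructed here for illustration.

```rust
use std::io;
use std::net::{SocketAddr, TcpListener, TcpStream};

/// Minimal view of an accepted connection, so the loops below can be driven
/// either by real sockets or by a scripted sequence of outcomes (constructed for this example).
trait Conn {
    fn peer_addr(&self) -> io::Result<SocketAddr>;
}

impl Conn for TcpStream {
    fn peer_addr(&self) -> io::Result<SocketAddr> {
        TcpStream::peer_addr(self)
    }
}

/// Fragile shape: `?` propagates a failure that belongs to one connection
/// (here, peer_addr() on a socket the client already tore down) out of the
/// loop, so a single short-lived client stops the whole listener.
fn serve_fragile<C: Conn>(
    mut accept: impl FnMut() -> Option<io::Result<C>>,
) -> io::Result<Vec<SocketAddr>> {
    let mut served = Vec::new();
    while let Some(next) = accept() {
        let conn = next?;
        let peer = conn.peer_addr()?; // one closed-too-quickly client ends the service
        served.push(peer);
    }
    Ok(served)
}

/// Hardened shape: accept errors and per-connection errors are recorded and
/// skipped; only the connection source running out ends the loop.
fn serve_robust<C: Conn>(
    mut accept: impl FnMut() -> Option<io::Result<C>>,
) -> (Vec<SocketAddr>, Vec<String>) {
    let mut served = Vec::new();
    let mut skipped = Vec::new();
    while let Some(next) = accept() {
        let conn = match next {
            Ok(conn) => conn,
            Err(err) => {
                skipped.push(format!("accept failed: {err}"));
                continue;
            }
        };
        match conn.peer_addr() {
            Ok(peer) => served.push(peer),
            Err(err) => skipped.push(format!("client went away before it could be served: {err}")),
        }
    }
    (served, skipped)
}

/// Scripted connection used to exercise both loops offline (constructed for this example).
/// `peer: None` models a client that closed again before the server could look at it.
struct FakeConn {
    peer: Option<SocketAddr>,
}

impl Conn for FakeConn {
    fn peer_addr(&self) -> io::Result<SocketAddr> {
        self.peer.ok_or_else(|| io::Error::from(io::ErrorKind::NotConnected))
    }
}

/// Turns a fixed list of accept outcomes into the closure the loops expect.
fn source<C>(items: Vec<io::Result<C>>) -> impl FnMut() -> Option<io::Result<C>> {
    let mut iter = items.into_iter();
    move || iter.next()
}

/// Constructed burst of four accept outcomes: a normal client, a client that
/// closed too quickly, an accept() that itself failed, and another normal client.
fn burst() -> Vec<io::Result<FakeConn>> {
    let good: SocketAddr = "192.0.2.10:4000".parse().unwrap();
    vec![
        Ok(FakeConn { peer: Some(good) }),
        Ok(FakeConn { peer: None }),
        Err(io::Error::from(io::ErrorKind::ConnectionAborted)),
        Ok(FakeConn { peer: Some(good) }),
    ]
}

fn main() -> io::Result<()> {
    // Offline demonstration with the scripted burst.
    println!("fragile: {:?}", serve_fragile(source(burst())));
    let (served, skipped) = serve_robust(source(burst()));
    println!("robust: served {} connection(s), skipped {:?}", served.len(), skipped);

    // The same robust loop on a real listener: serves three clients, then returns.
    let listener = TcpListener::bind("127.0.0.1:0")?;
    println!("listening on {}", listener.local_addr()?);
    let mut remaining = 3;
    let (served, skipped) = serve_robust(|| {
        if remaining == 0 {
            return None;
        }
        remaining -= 1;
        Some(listener.accept().map(|(stream, _)| stream))
    });
    println!("served {:?}, skipped {:?}", served, skipped);
    Ok(())
}
```

On the scripted burst the fragile loop returns an error after the first client and never reaches the other two, while the robust loop serves both normal clients and records the two failures. The design point is where the error boundary sits: anything that can go wrong with one accepted socket (peer lookup, TLS handshake, the first read) belongs inside that boundary, and the only thing that should end the accept loop is the listener itself becoming unusable.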
USN-6649-2: Firefox regressions
USN-6649-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-1547,
CVE-2024-1548, CVE-2024-1549, CVE-2024-1550, CVE-2024-1553, CVE-2024-1554,
CVE-2024-1555, CVE-2024-1557)
Alfred Peters discovered that Firefox did not properly manage memory when
storing and re-accessing data on a networking channel. An attacker could
potentially exploit this issue to cause a denial of service.
(CVE-2024-1546)
Johan Carlsson discovered that Firefox incorrectly handled Set-Cookie
response headers in multipart HTTP responses. An attacker could
potentially exploit this issue to inject arbitrary cookie values.
(CVE-2024-1551)
Gary Kwong discovered that Firefox incorrectly generated code on 32-bit
ARM devices, which could lead to unexpected numeric conversions or
undefined behaviour. An attacker could possibly use this issue to cause a
denial of service. (CVE-2024-1552)
Ronald Crane discovered that Firefox did not properly manage memory when
accessing the built-in profiler. An attacker could potentially exploit
this issue to cause a denial of service. (CVE-2024-1556)
BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare
There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.
In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.
The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-a-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. Those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.
“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”
Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.
Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.
On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.
BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.
However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.
“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”
BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.
Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.
“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”
Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.
“The affiliates still have this data, and they’re mad they didn’t receive this money,” Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”
BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.
LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.
But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.
Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.
Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.
“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.
Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.