Web Fraud 2.0


11
Jan 16

A Look Inside Cybercriminal Call Centers

Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal.

Some of these call centers are Web-based, allowing customers to upload information about their targets to a service that initiates the call to a bank, credit provider, shipping company or dating scam victim (for more on the role played by call centers in dating schemes, see last week’s story, Fraudsters Automate Russian Dating Scams). Other call centers require customers to supply information about the target and the needed service via Jabber instant message. This post focuses on Web-based call services.

In the call service pictured below, we can see one user ordering a $250 radio-controlled toy Ford Mustang as a gift for someone’s kid for the holidays. The customer of the call service specifies the American Express card account to be used for the transaction, and requests that the order be expedited to a reshipping mule who will forward the goods to Russia. The status of the transaction indicates that this particular order was successfully placed on Jan. 7, 2016.

A customer of this crooked call center is ordering a holiday gift for someone's kid.

A customer of this crooked call center is ordering a holiday gift for someone’s kid.

One of the cybercrime underground’s oldest call center services — CallMeBaby — serves a variety of swindles but specializes in helping criminals cash out dating scams. It charges $10 for each call in English, and $12 for calls in German, French, Italian, Spanish, Portuguese and Polish. Here’s an ad for the four-year-old service, which features an illustration of a blonde woman chatting with President Obama:

An underground ad for a call service run by a cybercrook who uses the nickname "Sparta"

An underground ad for a call service run by a cybercrook who uses the nickname “Sparta.”

CallMeBaby advertises the availability of a male and female to impersonate anyone in the above-supported languages, and operates between the hours of 17:00 to 03:00 Moscow time (business hours in America). Continue reading →


10
Dec 15

The Role of Phony Returns in Gift Card Fraud

On any given day, there are thousands of gift cards from top retailers for sale online that can be had for a fraction of their face value. Some of these are exactly what they appear to be: legitimate gift cards sold through third-party sites that specialize in reselling used or unwanted cards. But many of the more steeply discounted gift cards for sale online are in fact the product of merchandise return fraud, meaning consumers who purchase them unwittingly help thieves rob the stores that issued the cards.

giftcardsThis type of scam mainly impacts brick-and-mortar retailers that issue gift cards when consumers return merchandise at a store without presenting a receipt. Last week I heard from KrebsOnSecurity reader Lisa who recently went online to purchase a bunch of steeply discounted gift cards issued by pet supply chain Petco.

Lisa owns two Rottweilers that both eat a good chunk of their weight each month in dog food, so Lisa said she felt like she’d really hit on a bargain when she found a $165 Petco gift card for sale at a popular online gift card retailer for $120 (a nearly 30 percent discount on the value).

“When I went to Petco to get my monthly supply of dog food and snacks for my Rotties, I used my merchandise card and the manager shared with me that folks are stealing merchandise from one Petco store and returning the items to another without a receipt and then selling the cards to places like raise.com and cardpool.com at a discounted price,” Lisa recounted.

Petco’s official policy is that for returns more than 60 days after the purchase — or if the receipt is unavailable — the value of the goods returned will be refunded to a merchandise card. Lisa said she bought the Petco card from raise.com, but she said the company never disclosed that the card was a merchandise return card — a fact that was printed on the front of the card she received.

“I feel really bad now because my purchase of these cards may have contributed to unlawful activities,” Lisa said. “Even though I saved $40+, Petco actually lost money as a result.”

Neither Raise nor Petco responded to requests for comment. But a look at the available Petco cards for sale via one gift card tracking site — giftcardgranny.com — shows Petco cards routinely sell for at least 25 percent off their value.

In any case, this fraud scheme is hardly specific to Petco. Cards from Petsmart, a competitor that also offers merchandise return cards, generally sell at 20 percent off their value. Clothier H&M’s cards average about 30 percent off.

Contrast these discounts with those for gift cards from restaurants, fuel stations and other businesses that generally don’t have to deal with customer returns and you’ll notice two interesting patterns: For starters, the face value of the cards from merchants that don’t take customer returns are far more likely to be even amounts, such as $50, $25 and $40. The percentage off the face value also tends to be much lower — between 3 and 15 percent. For example, see the discount percentage and value of cards from Starbucks and Chevron.

“Twenty-five percent off is really high, and there aren’t many that offer that high of a discount,” said Damon McCoy, an assistant professor of computer science at New York University and an expert on fraud involving stored value cards. “Normally, it is around 5 percent to 15 percent.” Continue reading →


7
Dec 15

When Undercover Credit Card Buys Go Bad

I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar’s own security system triggered a “pig alert” and brazenly flagged the fed’s transactions as an undercover purchase placed by a law enforcement officer.

Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and “carding” markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.

Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops — Rescator — somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren’t shy about letting you know when they think you’re not a real criminal. My law enforcement source said he’d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site’s checkout page was replaced with this image:

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this "pig detected" alert.

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this “pig detected” alert.

The shop from which my source attempted to make the purchase — called Rescator — is the same carding store that was the first to move millions of cards on sale that were stolen in the Target and Home Depot breaches, among others. I’ve estimated that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they only likely managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the median loss of 2 million cards, that’s still more than $50 million in revenue. It’s no wonder they want to keep the authorities out. Continue reading →


13
Nov 15

JPMorgan Hackers Breached Anti-Fraud Vendor G2 Web Services

Buried in the federal indictments unsealed this week against four men accused of stealing tens of millions of consumer records from JPMorgan Chase and other brokerage firms are other unnamed companies that were similarly victimized by the accused. One of them, identified in the indictments only as “Victim #12,” is an entity that helps banks block transactions for dodgy goods advertised in spam. Turns out, the hackers targeted this company so that they could more easily push through payments for spam-advertised prescription drugs and fake antivirus schemes.

g2webAccording to multiple sources, Victim #12 is none other than Bellevue, Wash. based G2 Web Services LLC, a company that helps banks figure out if a website is fraudulent or is selling contraband. G2 Web Services has not responded to multiple requests for comment.

In the final chapters of my book, Spam Nation: The Inside Story of Organized Cybercrime, I detailed the work of The International AntiCounterfeiting Coalition (IACC), a non-profit organization dedicated to combating product counterfeiting and piracy.

In 2011, G2 Web Services landed a contract to help the IACC conduct “test buys” at sites with products that were being advertised via spam. The company would identify which banks (mostly in Asia) were processing payments for these sites, and then Visa and MasterCard would rain down steep fines on the banks for violating their contracts with the credit card companies. The idea was to follow the money from schemes tied to cybercrime, deter banks from accepting funds from fraudulent transactions, and make it difficult for spammers to maintain stable credit card processing for those endeavors.

Prosecutors say the ringleader of the cybercrime gang accused of breaking into JPMC, Scottrade, E-Trade and others is 31-year-old Gery Shalon, a resident of Tel Aviv and Moscow. Investigators allege Shalon and his co-conspirators monitored credit card transactions processed through their payment processing business to attempt to discern which, if any, were undercover transactions made on behalf of credit card companies attempting to identify unlawful merchants. The government also charges that beginning in or about 2012, Shalon and his co-conspirators hacked into the computer networks of Victim-12 (G2 Web Services).

Shalon and his gang allegedly monitored Victim-12’s detection efforts, including reading emails of Victim-12 employees so they could take steps to evade detection.

“In particular, through their unlawful intrusion into Victim-12’s network, Shalon and his co-conspirators determined which credit and debit card numbers Victim-12 employees were using the make undercover purchases of illicit goods in the course of their effort to detect unlawful merchants,” Shalon’s indictment explains. “Upon identifying those credit and debit card numbers, Shalon and his co-conspirators blacklisted the numbers from their payment processing business, automatically declining any transaction for which payment was offered through one of those credit or debit card numbers.” Continue reading →


9
Nov 15

Ransomware Now Gunning for Your Web Sites

One of the more common and destructive computer crimes to emerge over the past few years involves ransomware — malicious code that quietly scrambles all of the infected user’s documents and files with very strong encryption.  A ransom, to be paid in Bitcoin, is demanded in exchange for a key to unlock the files. Well, now it appears fraudsters are developing ransomware that does the same but for Web sites — essentially holding the site’s files, pages and images for ransom.

Image: Kaspersky Lab

Image: Kaspersky Lab

This latest criminal innovation, innocuously dubbed “Linux.Encoder.1” by Russian antivirus and security firm Dr.Web, targets sites powered by the Linux operating system. The file currently has almost zero detection when scrutinized by antivirus products at Virustotal.com, a free tool for scanning suspicious files against dozens of popular antivirus products.

Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs. Once on a host machine, the malware will encrypt all of the files in the “home” directories on the system, as well backup directories and most of the system folders typically associated with Web site files, images, pages, code libraries and scripts.

The ransomware problem is costly, hugely disruptive, and growing. In June, the FBI said it received 992 CryptoWall-related complaints in the preceding year, with losses totaling more than $18 million. And that’s just from those victims who reported the crimes to the U.S. government; a huge percentage of cybercrimes never get reported at all.

ONE RECENT VICTIM

On Nov. 4, the Linux Website ramsomware infected a server used by professional Web site designer Daniel Macadar. The ransom message was inside a plain text file called “instructions to decrypt” that was included in every file directory with encrypted files:

“To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay 1 bitcoin(s) (~420 USD),” the warning read. “Without this key, you will never be able to get your original files back.”

Macadar said the malware struck a development Web server of his that also hosted Web sites for a couple of longtime friends. Macadar was behind on backing up the site and the server, and the attack had rendered those sites unusable. He said he had little choice but to pay the ransom. But it took him some time before he was able to figure out how to open and fund a Bitcoin account.

“I didn’t have any Bitcoins at that point, and I was never planning to do anything with Bitcoin in my life,” he said.

According to Macadar, the instructions worked as described, and about three hours later his server was fully decrypted. However, not everything worked the way it should have.

“There’s a  decryption script that puts the data back, but somehow it ate some characters in a few files, adding like a comma or an extra space or something to the files,” he said.

Macadar said he hired Thomas Raef — owner of Web site security service WeWatchYourWebsite.com — to help secure his server after the attack, and to figure out how the attackers got in. Raef told me his customer’s site was infected via an unpatched vulnerability in Magento, a shopping cart software that many Web sites use to handle ecommerce payments.

CheckPoint detailed this vulnerability back in April 2015 and Magento issued a fix yet many smaller ecommerce sites fall behind on critical updates for third-party applications like shopping cart software. Also, there are likely other exploits published recently that can expose a Linux host and any associated Web services to attackers and to site-based ransomware. Continue reading →


5
Nov 15

TalkTalk, Script Kids & The Quest for ‘OG’

So you’ve got two-step authentication set up to harden the security of your email account (you do, right?). But when was the last time you took a good look at the security of your inbox’s recovery email address? That may well be the weakest link in your email security chain, as evidenced by the following tale of a IT professional who saw two of his linked email accounts recently hijacked in a bid to steal his Twitter identity.

Screen Shot 2015-10-24 at 10.08.01 AMEarlier this week, I heard from Chris Blake, a longtime KrebsOnSecurity reader from the United Kingdom. Blake reached out because I’d recently written about a character of interest in the breach at British phone and broadband provider TalkTalk: an individual using the Twitter handle “@Fearful“.

Blake proceeded to explain how that same Fearful account had belonged to him for some time until May 2015, when an elaborate social engineering attack on his Internet service provider (ISP) allowed the current occupant of the account to swipe it out from under him.

On May 11, Blake received a text message on his mobile stating that his Microsoft Outlook account password had been changed. A minute later, he got another text from Microsoft saying his two-factor authentication (texted login codes to his phone) had been removed. After that, he could no longer log in to his Outlook account because someone had changed his password and removed his recovery email address (changing it to a free and disposable yopmail.com account).

Minutes after that, someone tweeted out the message from his account: “This twitter account is officially operated by Elliott G.” The tweet prior to that one mentions Blake by name and is a response to an inquiry to the Microsoft Store before the account was taken. The alias on Blake’s @Fearful account was changed to “Glubz”.

Blake said it took some time to figure out how the miscreant had hijacked his Twitter and Outlook accounts. Turns out, the recovery email address that he’d supplied for his Outlook account was to an email address at his local ISP, and the attacker executed the first step in the hijack by tricking a customer service employee at the ISP into redirecting his messages.

The attacker, apparently another person with a British accent, called Blake’s ISP pretending to be Blake and said he was locked out of his inbox. Could the ISP please change the domain name system (DNS) settings on his domain and associated mail account?

According to Blake, an investigation into the incident at the ISP shows that the customer service rep asked the caller to verify any other email addresses associated with Blake’s ISP account, and after some waiting the support employee actually read off a few of them. Seconds later, the attacker sent an email to the support person that spoofed one of those email addresses. After that, Blake’s ISP complied with the request, changing the DNS settings on his account to settings that the caller supplied for an account at Namecheaphosting.com.

OG IS A THING

With all of the access to other accounts that one’s inbox affords, the attacker in this case could have done some serious damage and cost Blake a lot of money. So why was he only interested in Blake’s Twitter account?

Short usernames are something of a prestige or status symbol for many youngsters, and some are willing to pay surprising amounts of money for them. Known as “OG” (short for “original” and also “original gangster”) in certain circles online, these can be usernames for virtually any service, from email accounts at Webmail providers to social media services like Instagram, Snapchat, Twitter and Youtube. People who traffic in OG accounts prize them because they can make the account holder appear to have been a savvy, early adopter of the service before it became popular and before all of the short usernames were taken.

“I didn’t realize this was even a thing until all this happened,” Blake said of the demand for OG accounts. “It wasn’t until the day after my email accounts were hacked that I realized it was really my Twitter account he was after.”

As it happens, the guy who is currently squatting on Blake’s @Fearful Twitter account — a young wanna-be hacker who uses the nickname “Glubz” — is very publicly in the business of selling hijacked OG accounts. In the screen shot below, we can see Glubz on the script kiddie-friendly online community Hackforums promoting his “OG Store,” in which he sells “Snapchats,” Email accounts and “Youtubes” for $10-$40 apiece, payable via Bitcoin or PayPal. The bottom of the message includes a link to Glubz’s personal site — elliottg[dot]net (also hosted at Namecheaphosting.com). Continue reading →


29
Sep 15

ATM Skimmer Gang Firebombed Antivirus Firm

It’s notable whenever cybercime spills over into real-world, physical attacks. This is the story of a Russian security firm whose operations were pelted with Molotov cocktail attacks after exposing an organized crime gang that developed and sold malicious software to steal cash from ATMs.

molotovThe threats began not long after December 18, 2013, when Russian antivirus firm Dr.Web posted a writeup about a new Trojan horse program designed to steal card data from infected ATMs. Dr.Web received an email warning the company to delete all references to the ATM malware from its site.

The anonymous party, which self-identified as the “International Carders Syndicate,” said Dr.Web’s ATM Shield product designed to guard cash machines from known malware “threatens activity of Syndicate with multi-million dollar profit.”

The threat continued:

“Hundreds of criminal organizations throughout the world can lose their earnings. You have a WEEK to delete all references about ATM Skimmer from your web resource. Otherwise syndicate will stop cash-out transactions and send criminal for your programmers’ heads. The end of Doctor Web will be tragic.”

In an interview with KrebsOnSecurity, Dr.Web CEO Boris Sharov said the company did not comply with the demands. On March 9, 2014, someone threw a Molotov cocktail at the office of a third-party company that was distributing Dr.Web’s ATM Shield product. Shortly after that, someone attacked the same office again. Each time, the damage was minimal, but it rattled company employees nonetheless.

Less than two weeks later, Dr.Web received a follow-up warning letter:

“Dear Dr.Web, the International carder syndicate has warned you about avoidance of interference (unacceptable interference) in the ATM sphere. Taking into account the fact that you’ve ignored syndicate’s demands, we employed sanctions. To emphasis the syndicate’s purpose your office at Blagodatnaya st. was burnt twice.

If you don’t delete all references about atmskimmer viruses from your products and all products for ATM, the International carder syndicate will destroy Doctor Web’s offices throughout the world, In addition, syndicate will lobby the Prohibition of usage of Russian anti-viruses Law in countries that have representation offices of the syndicate under the pretext of protection against Russian intelligence service.”

After a third attack on the St. Petersburg office, a suspect who was seen running away from the scene of the attack was arrested but later released because no witnesses came forward to confirm he was the one who threw the bomb.

Meanwhile, Sharov said Dr.Web detected two physical intrusions into its Moscow office.

“This is an office where we have much more security than any other, but also many more visitors,” he said. “We had been on high alert after the fire bombings, and we’ve never had intrusions before and never had them after this. But during that period, we had three attempts to enter the perimeter and to do something bad, but I won’t go into details about that.”

Sharov said Dr.Web analysts believe the group that threatened the attacks were not cyber thieves themselves but instead an organized group of programmers that had sold — but not yet delivered — a crimeware product to multiple gangs that specialize in cashing out hacked ATM cards.

“We think this group got very nervous by the fact that we had published exactly what they’d done, and it was very untimely for them, they were really desperate,” Sharov said. “We believe our reports came out just after development of the ATM Trojan had finished but before it was released to customers.” Continue reading →


28
Sep 15

With Stolen Cards, Fraudsters Shop to Drop

A time-honored method of extracting cash from stolen credit cards involves “reshipping” scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity.

Many retailers long ago stopped allowing direct shipments of consumer goods from the United States to Russia and Eastern Europe, citing the high rate of fraudulent transactions for goods destined to those areas. As a result, fraudsters have perfected the reshipping service, a criminal enterprise that allows card thieves and the service operators essentially split the profits from merchandise ordered with stolen credit and debit cards.

Source: Drops for Stuff research paper.

Source: Drops for Stuff research paper.

Much of the insight in this story comes from a study released last week called “Drops for Stuff: An Analysis of Reshipping Mule Scams,” which has multiple contributors (including this author). To better understand reshipping scheme, it helps to have a quick primer on the terminology thieves use to describe different actors in the scam.

The “operator” of the reshipping service specializes in recruiting “reshipping mules” or “drops” — essentially unwitting consumers in the United States who are enlisted through work-at-home job scams and promised up to $2,500 per month salary just for receiving and reshipping packages.

In practice, virtually all drops are cut loose after approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, the operator must be constantly recruiting new drops.

The operator sells access to his stable of drops to card thieves, also known as “stuffers.” The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive the packages, the stuffers provide them with prepaid shipping labels that the mules will use to ship the packages to the stuffers themselves. After they receive the packaged relayed by the drops, the stuffers then sell the products on the local black market.

The shipping service operator will either take a percentage cut (up to 50 percent) where stuffers pay a portion of the product’s retail value to the site operator as the reshipping fee. On the other hand, those operations that target lower-priced products (clothing, e.g.) may simply charge a flat-rate fee of $50 to $70 per package. Depending on the sophistication of the reshipping service, stuffers can either buy shipping labels directly from the service — generally at a volume discount — or provide their own [for a discussion of ancillary criminal services that resell stolen USPS labels purchased wholesale, check out this story from 2014].

The researchers found that reshipping sites typically guarantee a certain level of customer satisfaction for successful package delivery, with some important caveats. If a drop who is not marked as problematic embezzles the package, reshipping sites offer free shipping for the next package or pay up to 15% of the item’s value as compensation to stuffers (e.g., as compensation for “burning” the credit card or the already-paid reshipping label).

However, in cases where the authorities identify the drop and intercept the package, the reshipping sites provide no compensation — it calls these incidents “acts of God” over which it has no control.

“For a premium, stuffers can rent private drops that no other stuffers will have access to,” the researchers wrote. “Such private drops are presumably more reliable and are shielded from interference by other stuffers and, in turn, have a reduced risk to be discovered (hence, lower risk of losing packages).” Continue reading →


23
Sep 15

Bidding for Breaches, Redefining Targeted Attacks

A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.

A good example of this until recently could be found at a secretive online forum called “Enigma,” a now-defunct community that was built as kind of eBay for data breach targets. Vetted users on Enigma were either bidders or buyers — posting requests for data from or access to specific corporate targets, or answering such requests with a bid to provide the requested data. The forum, operating on the open Web for months until recently, was apparently scuttled when the forum administrators (rightly) feared that the community had been infiltrated by spies.

The screen shot below shows several bids on Enigma from March through June 2015, requesting data and services related to HSBC UK, Citibank, Air Berlin and Bank of America:

Enigma, an exclusive forum for cyber thieves to buy and sell access to or data stolen from companies.

Enigma, an exclusive forum for cyber thieves to buy and sell access to or data stolen from companies.

One particularly active member, shown in the screen shot above and the one below using the nickname “Demander,” posts on Jan. 10, 2015 that he is looking for credentials from Cisco and that the request is urgent (it’s unclear from the posting whether he’s looking for access to Cisco Corp. or simply to a specific Cisco router). Demander also was searching for services related to Bank of America ATMs and unspecified data or services from Wells Fargo.

More bids on Enigma forum for services.

More bids on Enigma forum for services, data, and access to major corporations.

Much of the information about Enigma comes from Noam Jolles, a senior intelligence expert at Diskin Advanced Technologies. The employees at Jolles’ firm are all former members of Shin Bet, a.k.a. the Israel Security Agency/General Security Service — Israel’s counterespionage and counterterrorism agency, and similar to the British MI5 or the American FBI. The firm’s namesake comes from its founder, Yuval Diskin, who headed Shin Bet from 2005 to 2011.

“On Enigma, members post a bid and call on people to attack certain targets or that they are looking for certain databases for which they are willing to pay,” Jolles said. “And people are answering it and offering their merchandise.”

Those bids can take many forms, Jolles said, from requests to commit a specific cyberattack to bids for access to certain Web servers or internal corporate networks.

“I even saw bids regarding names of people who could serve as insiders,” she said. “Lists of people who might be susceptible to being recruited or extorted.”

Many experts believe the breach that exposed tens of millions user accounts at AshleyMadison.com — an infidelity site that promises to hook up cheating spouses — originated from or was at least assisted by an insider at the company. Interestingly, on June 25, 2015 — three weeks before news of the breach broke — a member on a related secret data-trading forum called the “Gentlemen’s Club” solicits “data and service” related to AshleyMadison, saying “Don’t waste time if you don’t know what I’m talking about. Big job opportunity.”

On June 26, 2015, a forum member named "Diablo" requests data and services related to AshleyMadison.com.

On June 26, 2015, a “Gentlemen’s Club” forum member named “Diablo” requests data and services related to AshleyMadison.com.

Cybercrime forums like Enigma vet new users and require non-refundable deposits of virtual currency (such as Bitcoin). More importantly, they have strict rules: If the forum administrators notice you’re not trading with others on the forum, you’ll soon be expelled from the community. This policy means that users who are not actively involved in illicit activities — such as buying or selling access to hacked resources — aren’t allowed to remain on the board for long. Continue reading →


21
Aug 15

Extortionists Target Ashley Madison Users

People who cheat on their partners are always open to extortion by the parties involved. But when the personal details of millions of cheaters get posted online for anyone to download — as is the case with the recent hack of infidelity hookup site AshleyMadison.com — random blackmailers are bound to pounce on the opportunity.

An extortion email sent to an AshleyMadison user.

An extortion email sent to an AshleyMadison user.

According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.

Earlier today I heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service. Here’s one that he blocked this morning (I added a link to the bitcoin address in the message, which shows nobody has paid into this particular wallet yet):

Hello,

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:

1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]

Sending the wrong amount means I won’t know it’s you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here…..

The individual who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not especially this one in particular.

“If I put myself in [the extortionist’s] shoes, the likelihood of them disclosing stuff doesn’t increase their chance of getting money,” said Mac. “I just not going to respond.” Continue reading →