Posts Tagged: Coronavirus


16
May 20

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

A memo seen by KrebsOnSecurity that the Secret Service circulated to field offices around the United States on Thursday says the ring has been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims, and that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.”

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” the Secret Service warned. “The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.”

The Secret Service said the fraud network is believed to consist of hundred of “mules,” a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.

“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” the notice continues.

The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year.

In those schemes, the scammers typically recruit people — often victims of online romance scams or those who also are out of work and looking for any source of income — to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators.

A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said financial institutions in her state earlier this week started seeing a flood of high-dollar transfers tied to employment claims filed for people in Washington, with many transfers in the $9,000 to $20,000 range.

“It’s been unbelievable to see the huge number of bogus filings here, and in such large amounts,” Dodd said, noting that one fraudulent claim sent to a mule in Oklahoma was for more than $29,000. “I’m proud of our bankers because they’ve managed to stop a lot of these transfers, but some are already gone. Most mules seem to have [been involved in] romance scams.”

While it might seem strange that people in Washington would be asking to receive their benefits via ACH deposits at a bank in Oklahoma, Dodd said the people involved seem to have a ready answer if anyone asks: One common refrain is that the claimants live in Washington but were riding out the Coronavirus pandemic while staying with family in Oklahoma. Continue reading →


30
Apr 20

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screen shot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

Continue reading →


24
Apr 20

Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Muskbegan suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program. Continue reading →


10
Feb 20

U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People’s Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.

The nine-count indictment names Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) as members of the PLA’s 54th Research Institute, a component of the Chinese military. They are each charged with three counts of conspiracy to commit computer fraud, economic espionage and wire fraud.

The government says the men disguised their hacking activity by routing attack traffic through 34 servers located in nearly 20 countries, using encrypted communications channels within Equifax’s network to blend in with normal network activity, and deleting log files daily to remove evidence of their meanderings through the company’s systems.

U.S. Attorney General Bill Barr said at a press conference today that the Justice Department doesn’t normally charge members of another country’s military with crimes (this is only the second time the agency has indicted Chinese military hackers). But in a carefully worded statement that seemed designed to deflect any criticism of past offensive cyber actions by the U.S. military against foreign targets, Barr said the DOJ did so in this case because the accused “indiscriminately” targeted American civilians on a massive scale.

“The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decision makers have access to timely, accurate and insightful information,” Barr said. “But we collect information only for legitimate national security purposes. We don’t indiscriminately violate the privacy of ordinary citizens.”

FBI Deputy Director David Bowdich sought to address the criticism about the wisdom of indicting Chinese military officers for attacking U.S. commercial and government interests. Some security experts have charged that such indictments could both lessen the charges’ impact and leave American officials open to parallel criminal allegations from Chinese authorities.

“Some might wonder what good it does when these hackers are seemingly beyond our reach,” Bowdich said. “We answer this question all the time. We can’t take them into custody, try them in a court of law and lock them up. Not today, anyway. But one day these criminals will slip up, and when they do we’ll be there. We in law enforcement will not let hackers off the hook just because they’re halfway around the world.”

The attorney general said the attack on Equifax was just the latest in a long string of cyber espionage attacks that sought trade secrets and sensitive data from a broad range of industries, and including managed service providers and their clients worldwide, as well as U.S. companies in the nuclear power, metals and solar products industries.

“Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret thefts cases in recent years involved some connection with China,” he said.

The indictments come on the heels of a conference held by US government officials this week that detailed the breadth of hacking attacks involving the theft of intellectual property by Chinese entities.

“The FBI has about a thousand investigations involving China’s attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector,” FBI Director Christopher Wray reportedly told attendees at the gathering in Washington, D.C., dubbed the “China Initiative Conference.”

At a time when increasingly combative trade relations with China combined with public fears over the ongoing Coronavirus flu outbreak are stirring Sinophobia in some pockets of the U.S. and other countries, Bowdich was quick to clarify that the DOJ’s beef was with the Chinese government, not its citizenry.

“Our concern is not with the Chinese people or with the Chinese American,” he said. “It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn’t mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage. What it does mean is when China violates our criminal laws and international norms, we will hold them accountable for it.”

A copy of the indictment is available here.

ANALYSIS

DOJ officials praised Equifax for their “close collaboration” in sharing data that helped investigators piece together this whodunnit. Attorney General Barr noted that the accused not only stole personal and in some cases financial data on Americans, they also stole Equifax’s trade secrets, which he said were “embodied by the compiled data and complex database designs used to store personal information.”

While the DOJ’s announcement today portrays Equifax in a somewhat sympathetic light, it’s important to remember that Equifax repeatedly has proven itself an extremely poor steward of the highly sensitive information that it holds on most Americans.

Equifax’s actions immediately before and after its breach disclosure on Sept 7, 2017 revealed a company so inept at managing its public response that one couldn’t help but wonder how it might have handled its internal affairs and security. Indeed, Equifax and its leadership careened from one feckless blunder to the next in a series of debacles that KrebsOnSecurity described at the time as a complete “dumpster fire” of a breach response. Continue reading →