Archives: Cybercrime Alerts

Cybercrime Alerts news and reviews

TAX REFUNDS can sometimes mean a windfall of cash, however members of the public are being warned to be vigilant when contacted on the matter. It comes as HM Revenue and Customs (HMRC) has warned that some people are being targeted by scammers with offers of fake tax refunds

Since the end of December 2019, HMRC has seen the emergence of email scams targeting a number of UK universities.

These include Cambridge, Heriot Watt, Edinburgh, Aberdeen, St Andrews, Plymouth and Wolverhampton.

In the scam emails, the fraudster posing as HMRC says the student is owed money, and asks them to enter their details on a website in order to get the refund.

A spokesperson for HMRC said: “Fraudsters can use a range of methods to target students, most commonly by sending fake tax refunds to students’ university email addresses.

“Depending on the details a criminal is able to obtain from a student, they could steal money, set up direct debits, make purchases for valuable goods on online sites or even take control of their computer – being able to access functions such as their webcam.

“HMRC will never tell taxpayers about a tax refund by asking them to click on a link. One way to safely claim a refund is to log into your personal tax account.”

HMRC issued the following advice:

  • Genuine organisations like banks and HMRC will never contact you out of the blue to ask for your Pin, password or bank details
  • Do not give out private information, reply to text messages, download attachments or click on links in emails you were not expecting
  • Forward suspect emails claiming to be from HMRC to phishing@hmrc.gov.uk and texts to 60599
  • Check gov.uk for information on how to avoid and report scams and to recognise genuine HMRC contact
  • If you think you have received an HMRC-related phishing or bogus email or text message, you can check it against examples published on gov.uk
  • Contact your bank immediately if you believe you have submitted card details to a scammer and report to Action Fraud if you suffer financial loss

 

 

 

 

This is a fairly new email that is being circulated. Do not open the link as it is an attempt to obtain your financial data

“Attn: Beneficiary

REF: FLP-IP/2422-FM10089/0877
RE: Internet Crime Victim Restitution

INTENDED ONLY FOR: (VICTIM,S EMAIL)

Our records indicate that you are eligible to receive restitution for one or more of the internet fraud schemes you,ve been a victim of. See
necessary case details below. The perpetrator and their group of co-offenders had over 2000 aliases originating from Russia, Nigeria,
Ghana, London and many more masking their original identities.

Our records indicate that you have been a victim of fraud because your contact details were found on several devices belonging to the
perpetrator. Following court orders, this makes you eligible to receive restitution for damages caused by their crimes.  Being that
(SUBJECT) operated on an international scale and victimized thousands of individuals and companies of several nationalities, we determined that the investigation had to be kept private and away from public media to maintain unitary judgment and integrity in international relations. Because this was a private investigation, all victims (Including Yourself) were represented by a professional
court-appointed public defender.

(European Law Firm) with over 10 years of experience on similar case. After having consistently pursued the (SUBJECTS) case for two years,
successfully  secured restitution payments of GBP 1,455,000.00 for each victim. Restitutions are ordered to be paid immediately. To start
receiving your restitution benefits, contact the (Law Firm) at: consultantslawfirmsmailbox   (at) ediffmail.com      Note that all entries must
be claimed no later than 30th of January, 2020. Be sure to quote your reference number in all correspondences.

Sincerely Yours.
Christopher Wray
FBI: Internet Relations
Internet Crime Complaint Center (IC3)”

A hacking tool that was able to give full remote control of a victim’s computer to cybercriminals has been taken down as a result of an international law enforcement operation targeting the sellers and users of the Imminent Monitor Remote Access Trojan (IM-RAT).

The investigation, led by the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust, resulted in an operation involving numerous judicial and law enforcement agencies in Europe, Colombia and Australia.

Coordinated law enforcement activity has now ended the availability of this tool, which was used across 124 countries and sold to more than 14 500 buyers. IM-RAT can no longer be used by those who bought it.

Search warrants were executed in Australia and Belgium in June 2019 against the developer and one employee of IM-RAT.

Subsequently, an international week of actions was carried out this November, resulting in the takedown of the Imminent Monitor infrastructure and the arrest at this stage of 13 of the most prolific users of this Remote Access Trojan (RAT). Over 430 devices were seized and forensic analysis of the large number of computers and IT equipment seized continues.

Actions were undertaken this week in the framework of this operation in the following countries: Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden and the United Kingdom.

This insidious RAT, once installed undetected, gave cybercriminals free rein to the victim’s machine. The hackers were able to disable anti-virus and anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams. All that could be done without a victim’s knowledge.

This RAT was considered a dangerous threat due to its features, ease of use and low cost. Anyone with the nefarious inclination to spy on victims or steal personal data could do so for as little as US$25.
Victims are believed to be in the tens of thousands, with investigators having already identified evidence of stolen personal details, passwords, private photographs, video footage and data.

Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: ‘We now live in a world where, for just US$25, a cybercriminal halfway across the world can, with just a click of the mouse, access your personal details or photographs of loved ones or even spy on you. The global law enforcement cooperation we have seen in this case is integral to tackling criminal groups who develop such tools. It is also important to remember that some basic steps can prevent you falling victim to such spyware: we continue to urge the public to ensure their operating systems and security software are up to date.’

Daniela Buruiana, National Member for Romania at Eurojust and Chair of its Cybercrime Team, said: ‘The cybercriminals selling and using the IM-RAT affected the computers of tens of thousands of victims worldwide. We would like to thank all the judicial and law enforcement authorities involved for the excellent results achieved in this operation. These authorities have shown an extremely high level of commitment and legal and technical expertise. Effective cooperation and coordination among all the relevant actors are vital in overcoming the obstacles to investigations due to the global scale and technical sophistication of this type of crime.’

Avoiding RAT-ing

The public and businesses can follow simple steps to help protect themselves from such malware, including:

  • Update your software, including anti-virus software;
  • Install a good firewall;
  • Don’t open suspicious e-mail attachments or URLs – even if they come from people on your contact list; and
  • Create strong passwords.

Be aware that there are fake WeTransfer emails being sent, one of which was referred to Safe Communities Portugal this morning. In this case the senders address was: sales (at) cargoonelogistics-com.ga. The email invited the recipient to click on a download link which was based in Russia. An obvious fake.

WeTransfer recommend to check the following if you receive such an email which could be an attempt to steal your login details or install malware on your machine.

  • Is the layout different from the layout you usually see when you open a WeTransfer mail? If so, don’t use the download button or link.
  • Does the download button take you to our domain (https://wetransfer.com)? If not, the files are hosted somewhere else and never safe to download.
  • Check the address mentioned in the body of the email. If the transfer isn’t from someone you know or an obvious fake, don’t use the download link.
  • Check the sender’s address. We always send our service-related emails from “…@wetransfer.com”. If the email is sent from a different address, don’t open the download link.
  • Please note that emails from “…@wetransfer.com” are no guarantee that we’ve actually sent you this email. So stay aware even if we seem to be the sender.
  • Check the address the email was sent to. We only ever send a transfer email to your own email address. Not to “undisclosed recipients” or to other addresses. So finding a “Bcc” definitely means we did not send you this email.

More information from WeTransfer here

The group of Russian hackers allegedly behind one of the worst cyber bank frauds of the last decade was unmasked on Thursday, with its leader indicted in America and the full scale of purported crimes revealed in remarkable detail.

The Moscow-based unit was identified as Evil Corp and dubbed “the world’s most harmful cyber crime group” as British and American officials revealed the results of an investigation into the group and its activities that has lasted a decade.

Maksim Yakubets, 32, was accused of being the group’s leader and was indicted over two separate hacking schemes. A $5 million reward was announced by the US State Department for any information that leads to his arrest.

Customers of nearly 300 organisations in 43 different countries have been targeted by the group, with financial losses in UK alone assessed to be worth hundreds of millions of pounds.

Evil Corp was accused of ruthlessly exploiting online vulnerabilities, tricking people into clicking on internet links that would install viruses, scanning for bank account details and then creating wires transfers to “money mules” working with the hackers.

Victims ranged from small businesses and schools to individuals saving for retirement and even religious groups, including some Franciscan sisters in America who lost tens of thousands of dollars.

The US Treasury announced sanctions against 17 individuals linked to Evil Corps, including Yakubets, the baby-faced Russian alleged to have hidden behind the moniker ‘Aqua’ online whose image is now on “wanted by the FBI” posters. Seven entities were also sanctioned.

Yakubets was accused by the US Treasury of working with the Russian spying agency FSB in 2017, including “acquiring confidential documents through cyber-enabled means” for the Russian state. He was also said to have been trying to get a license to work on classified material with the FSB last year.

The claim raises questions about whether the Kremlin is turning a blind eye to notorious computers hackers in its capital, or even leaning on their expertise to support Russia’s nefarious online activities.

The group’s willingness to boast about the proceeds of their alleged criminality online, acting like “extravagant millionaires” according to one senior UK investigator, was said to have helped result in their unmasking.

Videos released by the UK’s National Crime Agency [NCA] featured alleged members of Evil Corp showing off their sports cars and holding up traffic in Moscow as pulled doughnuts in the middle of the street.

Other videos purported to show the hackers petting the group’s lion cub and mucking about on segways.

According to UK officials, Yakubets has a customized Lamborghini supercar with a personalised number plate that translates to ‘Thief’ and spent a quarter of a million pounds on his wedding.

The announcements were the work of a pain-staking investigation from officials at America’s Justice Department, FBI, State Department and Treasury as well as Britons at the NCA and Metropolitan Police.

 

Beware this Netflix scam

A new email scam targeting Netflix members seeks to steal personal information of the company’s subscribers, potentially raising the risk of identity theft for 110 million people.

Here’s what to do. Watch for this subject line in your inbox: “Your suspension notification.”

The email message begins, “We were unable to validate your billing information for the next billing cycle of your subscription therefore we’ll suspend your membership if we do not receive a response from you within 48hours.”

The email phishing scam goes on to dangle the hook: “Obviously we’d love to have you back, simply click restart your membership to update your details and continue to enjoy all the best TV shows & movies without interruption.”

Do not click on the link, which is designed to take you to a fake website. Subscribers who click on the link and provide their personal information could put themselves at the risk of identity theft.

The phony email contains typographical and punctuation errors—“48hours,” for instance—which can be common in scams seeking to trick recipients into providing sensitive information.

But the current email scam appears to be visually accurate, with a strong semblance to a real Netflix landing page. That could make it convincing for some subscribers.

Here’s some of the information the phishing scam seeks to gather:

  • Log-in credentials: User name and password.
  • Updated personal information: Includes name, date of birth, address, and telephone number.
  • Updated billing information: Includes credit card number and details.

Responding to the email scam, Netflix issued this statement on Nov. 6:

We take the security of our members’ accounts seriously and Netflix employs numerous proactive measures to detect fraudulent activity to keep the Netflix service and our members’ accounts secure,” the company said in its statement. “Unfortunately, scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information.”

Here are a few steps for to take if you think you may be the target of a phishing scam.

  • Confirm the sender: Click on the downward arrow next to the sender’s name. This will show the full details.
  • Hover over links: This shows the full URLs. Check to see if they appear to be accurate.
  • Go directly to your account: Don’t click on links. Go directly to your account on the legitimate website to review your personal information and make any changes.
  • Use strong passwords: Passwords should use a combination of letters, numbers and special characters. Be sure not to reuse them on other websites. Change your passwords periodically.
  • Watch out for pressure tactics: Be cautious towards any email message that urges you to act quickly.

 

Lisbon, 18 Nov 2019 (Lusa) – Sexual crimes on the Internet against children increased by 40% in Portugal between January and October this year, the Chief Inspector of the Judicial Police (PJ) Carla Costa told Lusa news agency today.

Speaking about the European Day for the Protection of Children against Sexual Exploitation and Sexual Abuse that was marked today in Lisbon, the chief inspector of the National Unit for the Fight against Cybercrime and Technological Crime (UNC3T) said that research and Detection of sex offenders results not only from the filing of complaints but from the whole work of “prevention and monitoring” on the Internet space.

Carla Costa admitted that investigating such crimes is time consuming and “sometimes complicated” because it involves the collaboration of other entities – servants and operators – requiring the intervention of a judge to authorize certain investigations.

The chief inspector also stressed the importance of partnerships with APAV (Portuguese Association for Victim Support) and the association “Kids Safe at NET”, which has developed awareness raising activities in schools and disseminated content related to the theme.

Carla Costa acknowledged that the fact that such offenses against children were a “public crime” facilitated the opening of the investigation because it was no longer dependent on a complaint or reporting to law enforcement and judicial authorities.

PJ’s chief inspector revealed that this criminal investigation police are “conducting studies on the profiles of online sex offenders,” adding that 97% of them are male. As for the age group, it has been “diverse” so far.

On the other hand, he said, some of the sex offenders already have criminal records related to this type of crime, namely child pornography, but also other associated crime.

In his view, it is now “important” to continue with prevention and various awareness-raising actions and campaigns with schools and children and young people, especially because they are “easy victims” due to their age and lack of experience.

In the meantime, it was reported today that more than 2,700 children have been sexually abused in the past three years and that by 2019 dozens of children and young people have asked for help because of a crime that occurs mainly in the family and leaves irreversible marks.

European Day for the Protection of Children against Sexual Exploitation and Sexual Abuse is a date created by the Council of Europe to remind you that on average one in five children in Europe are victims of some form of violence or sexual exploitation.

Statistical data from the Ministry of Justice show that in the last three years, between 2016 and 2018, 2,752 crimes of sexual abuse of minors were recorded by the Portuguese police authorities, and more than 5,000 cases were filed with the PJ.

According to statistics from the Ministry of Justice, 822 people have been convicted in the last three years for sexual abuse of minors, most of whom (49%) have been suspended with probation, and 31% of cases have been effectively punished. .

Reported 4th September 2019 – The exposed server contained more than 419 million records over several databases on users across geographies, including 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam.

But because the server wasn’t protected with a password, anyone could find and access the database.

Each record contained a user’s unique Facebook ID and the phone number listed on the account. A user’s Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account’s username.

TechCrunch verified a number of records in the database by matching a known Facebook user’s phone number against their listed Facebook ID. We also checked other records by matching phone numbers against Facebook’s own password reset feature, which can be used to partially reveal a user’s phone number linked to their account.

Some of the records also had the user’s name, gender and location by country

Researchers from McAfee have warned of the dangers of posting photos of your children online

During the last week thousands of students across the UK have received their GSCE results, following weeks of anticipation.

Many proud parents will post photos of their children online to mark the occasion, but a new study warned of the dangers of this practice.

Researchers from McAfee have revealed that 1.3 billion images of children are shared in the UK online each year – particularly following big events, such as GCSE results day.

Raj Samani, Chief Scientist and McAfee Fellow said: “Social media is an incredible tool for sharing our children’s achievements with loved ones.

“And, if your child has done really well in their GCSE’s it’s only natural to want to post about it on social media and share how proud you are.

“However, parents are clearly not giving enough consideration to what they post online and both the emotional and security risks of content posted on public social media accounts.”

McAfee’s study highlighted several dangers of posting photos of your child online.

Whether it’s sharing an image of your child in their school uniform, or tagging the college they’re heading to, all this information can be used to build a digital picture.

Worryingly, this can open your child up to all types of security risks, according to McAfee. Mr Samani added: “Parents must recognise that sharing information about, or photos of their children ultimately leaves a digital footprint.

“This can lead to future problems such as job applications or university decisions being made from what the internet says about your child, rather than his or her ability itself.

“Also, if such shared images get into the wrong hands, they can be used to gather personal information like schools, a child’s full name or even birth dates to paint a picture of who they are, which could have serious repercussions ranging from identity theft to cyberbullying.

“It’s important for parents to think twice about what they share publicly before it is too late.”

 

 

Investigators from Google’s external security team found evidence of a “continued effort” by a hacking group to break into the iPhones operating system over a period of at least two years. The unprecedented attack affected “thousands of users per week” until it was stopped in January.

Hackers used websites to place a “tracking implant” on visitors’ iPhones and, through that malicious software, remove contacts, images and other personal data.

Contacted by the BBC, Apple, the company that makes iPhones, said it would not comment on the case.

Details of the attack were disclosed in a series of publications by British cyber security expert Ian Beer, a member of Project Zero. This Google project is dedicated to finding new security vulnerabilities on the Internet.

Beer and his team found that hackers used 12 separate security holes to break into devices. Most were “bugs” (system errors) in Safari, the standard “browser” of Apple products.

Once iPhones were hacked, user data was exposed to criminals. The device’s location was updated by the minute; passwords were exposed, as were chat histories in applications like WhatsApp, Telegram, and iMessage; they accessed contacts and the Gmail database.

The hackers were able to hack “almost all versions of the latest versions of iOS 12” explained Ian Beer. This revealed that a group was making a continuous effort to break into iPhones in certain locations for a period of at least two years.”

Apple released a software fix to address the security hole in February.

If you have an iPhone, make sure your device has the latest version of the iOS operating system to ensure protection. To do this, go to “Settings” and open the “General” section. Under “Software Update” you should have iOS have iOS 12.4.1. If you do not have this version, you can upgrade by clicking “Download and Install”.