briankrebs

@briankrebs@infosec.exchange

Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Twitter: https://infosec.exchange/@briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/


briankrebs, to random

Krebs, why do you write so much about SIM-swappers? Why don't you write more about real criminals instead of these skids all the time?

https://arstechnica.com/tech-policy/2024/01/sim-swapping-ring-stole-400m-in-crypto-from-a-us-company-officials-allege/

briankrebs, to random

5 Signs Your Kid Might Be a Criminal SIM-Swapper

-Instead of finding weed seeds in their desk drawer, you discover a bag of T-Mobile SIM cards.

-They are suddenly wearing a watch that costs more than you make in a year.

-All of their online avatars are anime characters, and all their love interests are e-girls.

-They are constantly checking the price of bitcoin.

-A surge in odd deliveries to your home, like pizza or swat teams you didn't order.

#themoreyouknow

briankrebs,

I realize this list reads as satire, and that was kind of the point. But the fact that all of these things are valid and true almost 100 percent of the time really bongs your noggin when you think about how willfully clueless so many parents of these thugs are.

briankrebs,

Parenthetically, I'd argue that anyone who gets SIM-swapped or swatted should civilly sue the parents of the kids responsible. 9 times out of 10, these SIM-swappers come from very well off families, and they are not stealing to put food on the table.

briankrebs, to random

Today's story is a wild ride. I hope you all get a chance to read it, because it's frankly just crazy. And a little long. But worth it, I promise.

On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

https://krebsonsecurity.com/2024/01/fla-man-charged-in-sim-swapping-spree-is-key-suspect-in-hacker-groups-oktapus-scattered-spider/

briankrebs,

Here's a teaser from the middle of the story:

"The Justice Department says Urban went by the nicknames “Sosa,” “Elijah,” and “King Bob.” A review of thousands of messages that these users posted to several public forums and Discord servers over the past two years shows that the person behind these identities was mainly focused on two things: Sim-swapping, and trading in stolen, unreleased rap music recordings from popular recording artists.

Indeed, those messages show Sosa/King Bob was obsessed with finding new “grails,” the slang term used in some cybercrime discussion channels to describe recordings from popular artists that have never been officially released. It stands to reason that King Bob was SIM-swapping important people in the music industry to obtain these files, although there is little to support this conclusion from the public chat records available.

“I got the most music in the com,” King Bob bragged in a Discord server in November 2022. “I got thousands of grails.”

King Bob’s chats show he was particularly enamored of stealing the unreleased works of his favorite artists — Lil Uzi Vert, Playboi Carti, and Juice Wrld. When another Discord user asked if he has Eminem grails, King Bob said he was unsure.

“I have two folders,” King Bob explained. “One with Uzi, Carti, Juicewrld. And then I have ‘every other artist.’ Every other artist is unorganized as fuck and has thousands of random shit.”

briankrebs, to random

@bowreality Yes, it works very well. There are semi-frequent updates, and applying those usually requires a restart for the network to work again.

briankrebs, to random

If you've ever wondered why some Wi-Fi is free (like in hotels), it's because typically data about your browsing is sold to countless ad companies that will happily buy it.

Had to use the hotel WiFi recently on a trip, and after clicking "agree" to their terms of service, the Little Snitch firewall on my Mac went bonkers. I must have denied 20-30 outbound requests to advertising networks. It still worked, though, so I'm guessing I didn't manage to block all of it.

briankrebs,

@baishen @Pagan_Animist IDK. But I suspect even if you pay you have to agree to some that still sells all your browsing data.

briankrebs,

@_dm All I know is after I connected to the hotel Wifi and accepted their terms, I had a ton of firewall prompts from Little Snitch. I didn't investigate where the prompts came from or how they appeared.

briankrebs,

@DrSeltsam One appears to have been Captive Network Assistant on the Mac.

briankrebs,

@bontchev Looking at my logs, it appears I blocked 35 outgoing connections in Little Snitch that were launched by the Mac application Captive Network Assistant.

briankrebs,

@DrSeltsam Never said anyone was trying to change what I did in the browser. Just sharing what I observed.

briankrebs,

@gmcgath Normally I would. In this case, it was that or miss my ride and flight.

briankrebs,

@bontchev That's as good a guess as any I came up with. All I know is Little Snitch is one badass program.

briankrebs,

@bontchev It seems to me if your guess is correct, then it would most likely happen on a system that hadn't ever had Little Snitch installed AND never had connected to a captive portal before. But I don't think that's true in this case.

briankrebs,

@bontchev @Gen_X It all happened immediately after I approved their terms for the captive portal, and the portal page that sits on top of other windows had a loading icon that kept spinning until I declined all the third-party sites. I didn't have any other browsers open or tabs or anything like that.

briankrebs,

@Gen_X @bontchev You're right, you don't, but most people probably don't realize that. Either way, all the requests went out immediately.
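Apple's Captive Network Assistant renders the portal page in its own WebKit window, so every third-party resource that page embeds becomes an outbound connection attributed to that process, which is the kind of thing a per-process firewall such as Little Snitch then prompts on. Here is an added example (not code from the thread, and not Krebs' own tooling) that lists the third-party hosts a saved captive-portal page would make the client contact. The HTML and every domain in it are constructed placeholders, not indicators from any real portal.

```python
"""List third-party hosts embedded in a captive-portal page.

Added example. The portal hostname and the sample HTML below are
ASSUMED placeholders constructed for this demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PORTAL_HOST = "portal.hotel-wifi.example"  # ASSUMED origin of the portal page

# Constructed sample page: a mix of same-origin and third-party resources.
SAMPLE_PORTAL_HTML = """
<html><head>
<script src="https://cdn.adnetwork-one.example/tag.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.example/css?family=Roboto">
</head><body>
<img src="https://pixel.tracker-two.example/i.gif?sid=abc">
<img src="//beacon.adnetwork-one.example/b.png">
<iframe src="https://ads.third-party.example/frame"></iframe>
<form action="/login" method="post"><button>Agree</button></form>
</body></html>
"""

# Tag/attribute pairs whose value the renderer fetches automatically.
_LOADING_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collect every URL the page would load without user interaction."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _LOADING_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append(value)


def third_party_hosts(html: str, portal_host: str) -> dict:
    """Return {host: request_count} for resources served from outside the portal origin."""
    collector = ResourceCollector()
    collector.feed(html)
    counts = {}
    for url in collector.urls:
        if url.startswith("//"):
            url = "https:" + url  # scheme-relative URLs still leave the portal origin
        host = urlparse(url).hostname
        if not host or host == portal_host:
            continue  # relative path or same-origin: not a third-party request
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in sorted(third_party_hosts(SAMPLE_PORTAL_HTML, PORTAL_HOST).items()):
        print(f"{n:3d}  {host}")
```

To use it on a real portal, save the HTML the portal serves (for example the page you are redirected to when the probe for http://captive.apple.com/hotspot-detect.html does not return "Success") and pass it in with the portal's hostname; hosts it prints that you did not expect are candidates for a firewall deny rule. It only sees resources in the static markup, so anything loaded by scripts at runtime would still need a firewall or proxy log to catch.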

briankrebs, (edited) to random

New, from me:

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia's most destructive ransomware groups, but little more is shared about the accused. Here's a closer look at the activities of Mr. Ermakov's alleged hacker handles.

https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/

tl;dr: Ermakov appears to have been a top member of the rapacious REvil ransomware group. He also runs an IT consulting business w/ a guy I identified in Dec. 2023 as Rescator, the hacker handle that sold tens of millions of payment cards stolen from Target and Home Depot in 2013 and 2014.

briankrebs,

BTW if you look closely at the ransomware affiliate program ad shown here you will see Gustav Dore (allegedly Ermakov) warns people against sharing information with law enforcement, researchers, or Krebs.

briankrebs, to random

Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.

h/t @th3_protoCOL for the image

https://krebsonsecurity.com/2024/01/using-google-search-to-find-software-can-be-risky/

briankrebs,

@moelassus does your ad blocker block sponsored ads from appearing above search results?

th3_protoCOL, to random

themed around the gaming app "parsec"

Initial fake site: parsecus[.]net

Malware downloaded from: parsecworks[.]com

Digitally signed malware "parsec-windows.exe"

Both the distribution site and download url are hosted on 93.190.143.252

Google displaying malware ads above the true website for parsec
Screenshot of virus total, 3/63 vendors are detecting the file
Malware with a digital signature from SSL.com, signed 2 days prior on the 19th
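The indicators above are shared defanged ([.] in place of .) so they cannot be clicked by accident, which also means they have to be normalized before they can be fed to a blocklist or a lookup. Here is an added example (not th3_protoCOL's or Krebs' code) that refangs text and extracts the IPs, domains, URLs and SHA-256 hashes from it; the sample input is constructed from the indicators posted on this page, with one hypothetical hxxps URL added to exercise the URL path.

```python
"""Refang and extract IOCs from defanged text.

Added example. SAMPLE_TEXT is constructed from the indicators posted on
this page plus one hypothetical hxxps URL (ASSUMED, for demonstration).
"""
import ipaddress
import re

SAMPLE_TEXT = """
Initial fake site: parsecus[.]net
Malware downloaded from: parsecworks[.]com
Digitally signed malware "parsec-windows.exe"
Both the distribution site and download url are hosted on 93.190.143.252
Download path (hypothetical): hxxps://parsecworks[.]com/parsec-windows.exe
SHA256 5ac959e5dee9884512f4a34623bbad2c08be427669015b917a750f7cbfbb0a75
Other cluster: 212.113.106[.]176 (Austria)
"""

# Common file extensions that the domain regex would otherwise mistake for TLDs.
FILE_EXTS = {"exe", "dll", "msi", "zip", "js", "pdf", "doc", "docx", "xls",
             "xlsx", "png", "jpg", "gif", "csv", "txt", "bat", "ps1"}


def refang(text: str) -> str:
    """Undo the usual defanging: [.] (.) {.} [dot] -> . ; hxxp -> http ; [:]// -> :// ; [@] -> @"""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"hxxp(s?)(?:\[:\]|:)//", r"http\1://", text, flags=re.I)
    return text.replace("[:]//", "://").replace("[@]", "@")


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
_URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)


def _is_ipv4(s: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(s), ipaddress.IPv4Address)
    except ValueError:
        return False  # e.g. "999.1.1.1" matches the regex but is not an address


def extract_iocs(text: str) -> dict:
    """Return {'ips', 'domains', 'urls', 'sha256'} sets extracted from (de)fanged text."""
    t = refang(text)
    ips = {m for m in _IPV4.findall(t) if _is_ipv4(m)}
    hashes = {h.lower() for h in _SHA256.findall(t)}
    urls = set(_URL.findall(t))
    domains = set()
    for d in _DOMAIN.findall(t):
        d = d.lower()
        if _is_ipv4(d):
            continue  # dotted quads are reported under ips
        if d.rsplit(".", 1)[-1] in FILE_EXTS:
            continue  # "parsec-windows.exe" is a filename, not a host
        domains.add(d)
    return {"ips": ips, "domains": domains, "urls": urls, "sha256": hashes}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        for v in sorted(values):
            print(f"{kind:8s} {v}")
```

The filename filter is a heuristic: a real host whose label ends in one of those extensions would be dropped, and a filename with an unusual extension would slip through as a domain, so review the output before it goes into a blocklist. Hashes are lowercased so they match what VirusTotal and most sandboxes report.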

briankrebs,

@th3_protoCOL Outstanding! Thank you. Mind if I reference these in a story?

briankrebs, to random

VirusTotal can be so frustrating if you just have a normal user account. Just know that a clean bill of health from VT is by no means an indicator that a piece of software is safe.

E.g., this file is known bad, from a deceptive download. But it comes out clean when scanned by dozens of antivirus and security tools.

https://www.virustotal.com/gui/file/5ac959e5dee9884512f4a34623bbad2c08be427669015b917a750f7cbfbb0a75/detection

However, the community notes that I can see all convict this thing as doing bad things that trip multiple triggers for malware. e.g.:

https://www.filescan.io/reports/5ac959e5dee9884512f4a34623bbad2c08be427669015b917a750f7cbfbb0a75/d3103e51-6d2c-4d62-a5fa-906ea549bd7f/overview


briankrebs,

@ucblockhead That's awesome. I refer to my story about Chet Faliszek's experience owning donotreply.com as often as possible. The Post has made it hard to find but it's still in archive.org:

https://web.archive.org/web/20120607185400/http://voices.washingtonpost.com/securityfix/2008/03/they_told_you_not_to_reply.html

I think Chet is here on Mastodon somewhere.

briankrebs,

It appears the same crooks are behind most of the domains historically and currently at 212.113.106[.]176 (Austria). Here's a list. Again, the theme seems to be phishing people in the tech space who are developers. Clicking the link below will download a .csv (text) file showing the domains historically at that IP.

https://krebsonsecurity.com/wp-content/uploads/2024/01/212-113.106.176.csv
