Thursday, November 26, 2020

Major Nigerian Phishing and BEC Actors, SSGToolz and CeeCeeBossTMT, Arrested by Nigerian Police and Interpol

An Interpol headline on November 25, 2020 announces "Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group"; however, the article does not name the suspects. The Interpol article says the three are "believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams." Interpol's Craig Jones says the year-long investigation was known as "Operation Falcon."

The Nigerian Police actually issued a press release about the trio on November 19th. From that we get photos of the three criminals and more information about their crimes and names. The leader of the trio, Onuegwu Ifeanyi, is known online as SSGToolz. According to the Nigerian Police, he "specializes in creating, designing, and selling phishing links and hosting malware on websites used by the gang for phishing and hacking purposes. He collects charges running into several millions of naira from other fraudsters he mentors and improves their phishing capabilities."

Onwuka Emmanuel Chidiebere, also known as Ceeceeboss TMT, graduated from Imo State University and specializes in Business Email Compromise (BEC) and hacking. His laptop held over 50,000 email accounts with passwords harvested from individuals and businesses worldwide.

CeeCeeBoss TMT recruited the third member of the trio, Ikechukwu Ohanedozie, known as Dozzy. A medical school student, also from Imo State, Dozzy's job was sorting the email accounts and doing research "to determine financial strengths of prospective victims and pass the information to Ceeceeboss."

SSGToolz was not at all discreet about his work, creating his own domain for his tools, appropriately named ssgtoolz[.]net. From there we see that he also used the Gmail account ssgtoolz@gmail.com, which was associated with the creation of 85 domain names.

Some of these domain names were used to anchor other types of fraud. For example, "c-clh[.]com" was confirmed to be hosting malware on 17JUL2020 and 19JUL2020, and as recently as 22SEP2020; VirusTotal shows the hosted samples detected as Andromeda, Fareit, or Lokibot by various anti-virus vendors.

He also used this domain to host phishing pages, such as "www.hainanbank.com.cn.c-clh[.]com".

According to the ZoneCruncher tool from Zetalytics, at least 76 of his domains were observed resolving in their Passive DNS systems. Many of them were "look-alike" domains, likely used for sending malicious email. Some examples of these would include:

agogpharrna[.]com (the "rn" supposed to look like an "m" to imitate agogpharma) 
iescornputers[.]com (the "rn" supposed to look like an "m" for iescomputers) 
tataintiernational[.]com (an extra "i" to imitate tatainternational) 
owenscorming[.]com (an "m" instead of an "n" for OwensCorning) 

Others seem more targeted as general "technical" phish, such as "server-update-mail-verification[.]com" which he registered 12JUN2019, or "itbackupserver[.]com" registered the same day.
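As an added example (not part of the original post, and not a tool used in the investigation), the following Python flags candidate domains that imitate a brand's registrable label through the tricks listed above: the "rn" for "m" confusable sequence, an inserted letter, or a swapped letter. The brand names, the candidate list (the defanged domains above plus one constructed benign control) and the edit-distance threshold are my own assumptions.

```python
"""Flag look-alike domains of the kinds described in the post.

Added example, not a tool from the investigation. The confusable tables and
the edit-distance threshold are assumptions chosen to cover the post's cases.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Letter pairs that render almost like a single letter in many sans-serif
# fonts: the "rn" for "m" trick seen in agogpharrna and iescornputers.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, lower-cased, with defanging
    brackets ('example[.]com') removed. Assumes a plain brand.tld layout."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_confusables(label: str) -> str:
    """Collapse confusable sequences so 'agogpharrna' reads 'agogpharma'."""
    for seq, single in CONFUSABLE_SEQUENCES.items():
        label = label.replace(seq, single)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, brand: str, max_distance: int = 1) -> Optional[str]:
    """Explain why `candidate` imitates `brand`, or return None if it does not.

    The confusable-sequence check runs first: 'rn' for 'm' is an edit
    distance of 2 and would otherwise slip past the distance threshold.
    """
    cand, target = registrable_label(candidate), registrable_label(brand)
    if cand == target:
        return None  # same registrable label: this is the brand itself
    if fold_confusables(cand) == target:
        return "confusable sequence (e.g. 'rn' for 'm')"
    dist = levenshtein(cand, target)
    if dist > max_distance:
        return None
    if len(cand) > len(target):
        return f"extra character (edit distance {dist})"
    if len(cand) < len(target):
        return f"missing character (edit distance {dist})"
    return f"substituted character (edit distance {dist})"


def triage(candidates: Iterable[str], brands: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each suspicious candidate to the first brand it imitates and why."""
    brands = list(brands)
    hits: Dict[str, Tuple[str, str]] = {}
    for cand in candidates:
        for brand in brands:
            reason = lookalike_reason(cand, brand)
            if reason:
                hits[cand] = (brand, reason)
                break
    return hits


# Constructed sample: the legitimate brands named in the post, the defanged
# look-alikes from the post, plus one benign domain as a control.
SAMPLE_BRANDS: List[str] = [
    "agogpharma.com", "iescomputers.com", "tatainternational.com", "owenscorning.com",
]
SAMPLE_CANDIDATES: List[str] = [
    "agogpharrna[.]com", "iescornputers[.]com", "tataintiernational[.]com",
    "owenscorming[.]com", "example.com",
]

if __name__ == "__main__":
    for domain, (brand, why) in triage(SAMPLE_CANDIDATES, SAMPLE_BRANDS).items():
        print(f"{domain:28} imitates {brand:24} via {why}")
```

Run against newly registered domains or passive DNS output, a hit list like this is a cheap first filter before a human looks at WHOIS and hosting.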


CeeCeeBossTMT liked to boast of his wealth on Instagram, although he gave God Almighty all the thanks for the proceeds of his crime.  He also liked to imply that his hard work in the music studio was somehow the source of his wealth, rather than the millions he stole from innocent victims around the world.


Gotta admit, I'm thinking of finding that green track suit and shoes combo for myself.  What do you think?  Also, can anyone tell me which South African airport that top left shot was taken in?

The "TMT" coincides with his TMT Liquor Store, which he frequently tags in his posts.  TMT Liquor shares their WhatsApp Number, +234 901 069 2587 on their Instagram Bio @tmtliquorstore.

We look forward to hearing more about how these three are tied into the larger infrastructure of cybercrime in Nigeria.  If you have more information, please do reach out!



Sunday, November 15, 2020

ENISA: Top 15 Threats: Spam, Phishing, and Malware!

Part One of this post, describing the many components of "The Enisa Cybersecurity Threat Landscape" went over ENISA's Year in Review, the emphasis on Cyber Threat Intelligence, Sector specific threats, Research Topics, and Emerging Trends.  This is "Part Two" where we review the 16 documents that ENISA released to cover their "Top 15 Cyber Threats" report. In particular, we look at the Top 5.

ENISA's Top 15 Threats report starts with this summary document: 


The list of the Top 15 Threats is an annual list from ENISA, with only slight changes in positions for the various threats since last year. Malware remains in the Number 1 spot, and Web-based attacks remains Number 2. Phishing actually increased from 4th to 3rd position. Spam also rose this year, from 6th to 5th position. The threat making the greatest movement was Identity Theft, jumping from 13th to 7th position!
    
  A full report from ENISA is available for each of the topics below. Click to access each one. I'll only comment on a few in this blog post!
    1. Malware
    2. Web-based Attacks
    3. Phishing
    4. Web Application Attacks
    5. Spam 
    6. DDoS
    7. Identity Theft
    8. Data Breach 
    9. Insider Threat
    10. Botnets
    11. Physical manipulation, damage, theft and loss
    12. Information Leakage 
    13. Ransomware
    14. Cyber espionage
    15. Cryptojacking 

#1 Cyber Threat - Malware


ENISA ranks Malware as the #1 threat again, pointing out several troubling trends.  Detection of malware on Business-owned Windows computers went up 13% from the previous year, and 71% of malware infections had spread from one infected user to another.  46.5% of malware delivered by email used a ".docx" file extension, indicating that our continued unsafe business practice of sharing Word documents by email continues to put our organizations and our employees at risk!  Another change was that 67% of malware was delivered via an encrypted HTTPS connection -- the "increased safety" of having encrypted web pages has also greatly increased our difficulty in understanding when an employee is receiving malware by visiting a webpage.

The number one malware family in this reporting period was Emotet, which targeted US-based businesses 71% of the time and UK targets 24% of the time.  

An increasing number of banking trojans were also seen that targeted the Android operating system.  Top families included Asacub, SVPeng, Agent, Faketoken, and HQWar.

So-called fileless malware was also a significant attack method, often using Windows Management Instrumentation or PowerShell scripts to perform complex attacks more or less "at the command line" rather than by downloading a Windows PE executable.

For C2-based malware, a growing trend toward Russian-based Command & Control servers was observed, with the likelihood of a Russian host going up 143% from the previous reporting period. These malware families included Emotet, JSECoin, XMRig, CryptoLoot, Coinhive, Trickbot, Lokibot, and AgentTesla (according to MalwareBytes, quoted in the report.)

ENISA says that 94% of all malware deliveries were via email during 2019, quoting from the EC3 Internet Organised Crime Threat Assessment.   Many such attacks were enabled by employee behavior and gained extended reach due to vulnerabilities in Windows, several of which allowed Remote Code Execution, making malware attacks "wormable" and able to spread throughout the enterprise, often due to poor patch management.

Proposed actions in this report include the need for better in-bound screening, including the ability to decrypt and inspect SSL/TLS traffic as it comes into the network, including web, email, and mobile applications.  Security policies must also be updated to include what processes and escalations must occur "post-detection" in the case of an infection.  Log monitoring must be improved.  

One suggestion that I strongly agree with -- "Organizations need to disable or reduce access to PowerShell functions" -- so much malware this year, especially ransomware, would be stopped cold in its tracks if PowerShell were not so prevalently deployed and enabled in our organizations!  

Although it is not mentioned by ENISA, my favorite document for understanding PowerShell threats is "The art and science of detecting Cobalt Strike" from our friends at Talos Intelligence!  More than any other attack platform, Cobalt Strike is being abused by malicious actors in order to fully compromise domains, often for the purpose of exfiltrating and encrypting for ransomware.

Please refer to the full report for additional recommendations.

#2 Cyber Threat - Web-Based Attacks


Web-Based Attacks are broken into four main vectors by ENISA.  Drive-by downloads, Watering hole attacks, Form-jacking, and Malicious URLs. 

As noted in part one, due to the age of the reporting window (January 2019 to April 2020) some of the particular attacks noted are more historical and of less keen interest by this time; however, a couple of trends are worth calling attention to.

"MageCart" attacks continue to be a prominent method for acquiring financial credentials. Because of the vast popularity of a small handful of online "checkout" systems, many organized crime groups are investing heavily in hackers who have "nation-state" level capabilities in order to create new zero-day attacks against these systems. Shoppers are basically defenseless as their order information is transparently transmitted to criminals while they shop at even the largest and most prominent "trustworthy" online vendors.

In addition to browser vulnerabilities that can make watering hole attacks quite successful, attackers are also attacking popular web browser extensions, which often have less rigorous security updates than the base browser products themselves.

Content Management Systems also present an enormous footprint of vulnerability as platforms such as WordPress provide millions of vulnerable websites that can be used at will by hackers to host both phishing sites and malware payload files.

#3 Cyber Threat - Phishing


Phishing has historically been an email-based crime that lures a target to an illicit website via a social engineering email. It is the key to $26 Billion in losses due to Business Email Compromise, as well as to a growing number of scams linked to the COVID-19 Pandemic. In the FIRST MONTH of the COVID-19 Pandemic, ENISA reports that phishing attacks increased 667%! As previously mentioned, these dangerous emails are now very likely to contain a trojaned Microsoft Office family document.

ENISA warns that phishing URLs are now being seen more frequently delivered via SMS, WhatsApp, and Social Media platforms, expanding beyond the original email platform.

While phishing historically targeted financial institutions, ENISA says that webmail became the leading target of phishing in Q1 of 2019, with Microsoft 365 services being particularly targeted.

User education and user reporting remains a critical strategy, especially as ENISA says that 99% of phishing emails require human interaction in order to be effective.

The most effective means to combat phishing continues to be the implementation of 2FA. If a phisher cannot gain access to an account with simple userid and password, many schemes would be immediately blocked.

From a financial perspective, wiring money should ALWAYS require out of band confirmation.  The cost of not getting the confirmation is simply too high, with some Business Email Compromise attacks costing tens of millions of dollars!

#5 Cyber Threat - Spam 


As the ENISA report on Spam mentions, after 41 years of dealing with spam, "nothing compared with the spam activity seen this year with the COVID-19 pandemic!"

During the reporting period, Emotet, Necurs, and Gamut were some of the top spamming families.

Some other findings: 
  • 85% of all emails exchanged in April of 2019 were spam, a 15-month high.
  • 13% of data breaches could be traced back to malicious spam.
  • 83% of companies were unprotected against email-based brand impersonation (i.e. lacked DMARC protection).
  • 42% of CISOs reported dealing with at least one spam-based security incident.

To bring this category up to date, we noticed that ENISA was fond of the Quarterly Spam & Phishing reports from Kaspersky. Please find below links to the 2020 Q1, Q2, and Q3 reports from Kaspersky, which will technically be part of NEXT year's ENISA reporting:

Kaspersky found that throughout the third quarter, spam was at least 48.9% of all email sent, a slight decline from Q2, however the portion of spam containing malicious emails was up significantly.  Kaspersky identified 51 Million malicious attachments in that quarter, with 8.4% of them being the keylogger commonly known as Agent Tesla (Kaspersky uses the name "Trojan-PSW.MSIL.Agensla.gen"). Microsoft Office documents exploiting CVE-2017-11882 were the second most common.

They also noted 103 million phishing attacks, with the top targeted sectors being Online Stores (19.2%) and Global Web Portals (14.48%) which would include Office365.  Only 10.8% of the phishing attacks observed by Kaspersky targeted banks!


My favorite spam campaign here was the "FTC Official Personal Data Protection Fund" which claimed that the Federal Trade Commission had found that the recipient was a victim of "personal data leakage" and they were eligible to be compensated for that loss, if they just filled out a simple form on their website (which harvested personal data, including credit card and social security number.) 


The ENISA Cybersecurity Threat Landscape

ENISA, the European Union Agency for Cybersecurity, met on October 6, 2020 to review their current recommendations and get any last-minute changes. On October 20, 2020, they released a huge batch of reports that many folks seem to have not seen. We wanted to take a moment to give you the guided tour and strongly recommend reading these reports. Each publication is available "flip book" style on the ENISA website, and also as a downloadable PDF.

Let's get started!

https://www.enisa.europa.eu/publications/year-in-review 

This is the 8th Year In Review for ENISA and their reporting just keeps getting better!  This year the main components of the report break down into topics like this: 

  • The Year In Review
  • Cyber Threat Intelligence Overview 
  • Sectoral and Thematic Threat Analysis 
  • Main Incidents in the EU and WorldWide
  • Research Topics
  • Emerging Trends
  • List of Top 15 Threats 

The Year In Review 


This report has a few key sections.  The first that we'll cover is the "Ten Main Trends" that were observed during the reporting period: 

  1. Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation 
  2. There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
  3. The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
  4. Finely targeted and persistent attacks on high-value data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors
  5. Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft
  6. The motivation behind the majority of cyberattacks is still financial 
  7. Ransomware remains widespread with costly consequences to many organisations
  8. Still many cybersecurity incidents go unnoticed or take a long time to be detected
  9. With more security automation, organizations will invest more in preparedness using Cyber Threat Intelligence as its main capability
  10. The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.
Another key section in this area was the "What To Expect" which broke the topic into three areas -- Nation States, Cyber Offenders, and Cyber Criminals.  The reader is invited to view the full report, but I did want to mention that with regards to Nation States, ENISA describes the coming year as an "Uncontrolled cyber-arms race" with a free-for-all of nation states trying to buy up and acquire the best attack tools for the "cyberspace warfare domain" possibly through sponsored agents who may not present as the purchasing nation.

In the area of What to Expect From Cyber Criminals ... BEC - Business Email Compromise, and BPC - Business PROCESS Compromise are expected to continue, along with malware targeting Managed Service Providers.  They predict that "Deep Fakes Used for Fraud" may be a rising trend.  I'm not sold on this concept as being a 2021 reality, but it is certainly something to watch for.

I also wanted to call attention to the prediction that Cyberbullying is likely to greatly increase as a growing number of adolescents are spending a much greater time online, possibly with limited parental oversight of their activities, as Mom and Dad are busy working from home as well!

Cyber Threat Intelligence Overview 


In this area, training resource links are offered; however, the report begins by calling attention to the great gap between higher-performing CTI practices and the training and tools available to the average user. While praising existing frameworks, such as MITRE ATT&CK, they also point out the shortcomings in addressing specialized sector-specific systems, emerging systems, and cloud-computing and managed service threats.

The call is made to place more emphasis on PREVENTION, DETECTION, and MITIGATION rather than the current near-total obsession with IOCs and APT-naming. Some sectors are especially trailing in the CTI area due to the specialty nature of their equipment and practices. ALL SECTORS need to be greatly improving their capabilities in PDR (to use the more common Prevent, Detect, Respond term that I still prefer.) The report calls attention to the fact that trailing sectors are often dealing with limited trust between organizations. The more isolated your organization is from its peers, the more likely it is that your sector is struggling in this way. Improved information sharing is key. To quote the report: "one should note that the deficiencies described are not due to a lack of CTI knowledge per se but rather to the lengthy cross- and intra-sector communication and coordination cycles for exchanging CTI knowledge." A related quote: "Existing offerings concentrate on operational and tactical CTI, while strategic CTI is mostly offered independently."

Results are shared of a "Comprehensive CTI Survey" conducted by ENISA.  Some key findings include: 
  • CTI is still primarily a MANUAL PROCESS in most organizations.
  • Much CTI data is still primarily being passed through spreadsheets and email.
  • CTI Requirements are becoming more defined and beginning to take significant guidance from business needs and executive input.
  • CTI from Public Sources combined with observations from internal network and system monitoring is a popular model
  • Open-source information, enriched by threat feeds from CTI vendors is a "clear upwards trend" indicating more focus on internal CTI production.
  • Threat Detection is described as the main use for CTI, with IOCs being a base, but more interest in TTPs in the area of threat behavior and adversary tactics.
  • Only 4% of respondents felt they could measure the effectiveness of their CTI programs!  OUCH!  Machine learning was ranked especially low, with most saying the skill of the analysts was the best predictor of success!
Several areas of interest in the "Next Steps" section to me included:
-  an emphasis on coordinating CTI requirements.  While the report called for this at the EU-member state level, I would say that SECTORS should be working together to determine appropriate CTI requirements and encouraging a sector-wide improvement through collaboration.  
- development of a CTI Maturity model and Threat Hierarchies model.
- ensuring that CTI is taking into account the geopolitical world state and not just the state of bits and bytes.


Please refer to the full report for more details!  

Sectoral and Thematic Threat Analysis 


This report begins by describing the difficulty of measuring and categorizing differences by sector. I must confess to being disappointed by the lack of insights in this particular report.  As sectors shifted to the cloud during the COVID-19 Pandemic, much of the "targeting" became less sector-targeting and more "target of opportunity" focused. 

While most attack trends were "stable" there were some "cross-sector" attack types described as "Increasing" ... specifically Web Application Attacks, Phishing, and Malware.

The only sector that was actually called out as being at significantly greater risk than others based on incident trends was "Health/Medical", where Malware, Insider Threat, and Web Application Attacks were all marked as Increasing.

After a lackluster "trends" report, all of two pages long, the remainder of the report focuses on Threats to Emerging Technologies, where there are some interesting observations regarding 5G Mobile communications, Internet-of-Things (IoT), and Smart Cars.

The reader is invited to visit the report for more details.

Main Incidents in the EU and WorldWide

Unfortunately, with the official timeline of this report being January 2019 through April 2020, many of the "main incidents" here are quite dated. Good to cover them for historical documentation, but not really worth re-hashing them at this time. Significant data breaches included the 770 million email addresses stolen from MEGA (the cloud data storage service in New Zealand run by Kim Dotcom.) They also mention breaches such as ElasticSearch, Canva, Dream Market, Verifications.io, and a couple of big MongoDB breaches.

The most targeted services, according to this report, are Digital Services, Government Administration, Tech Industry, Financial Institutions, and Healthcare entities. In the area of Digital Services, we know that the primary use of stolen data is to take the email address/password pairs and attempt password replay attacks, trying the same pair against many additional online properties. ENISA refers to those as "credential stuffing" attacks and indicates that "companies experience an average of 12 credential-stuffing attacks each month!"

The report indicates that 84% of cyber attacks "rely on social engineering" and that 71% of the organizations with malware activity have seen the malware spread from one employee to another. 

Groups that are depicted in the report as "Most active actors" don't really align with what we've seen from other sources, but are listed as: 
  • TURLA - attacking Microsoft Exchange servers
  • APT27 - mentions attacks against government SharePoint servers in the Middle East 
  • Vicious Panda - targeting Mongolian government entities
  • Gamaredon - spear-phished the Ministry of Defence in Ukraine in December 2019
The report indicates that ENISA believes most cyber attacks originate from Organized Crime groups.

The Top Five motivations for attackers are: Financial, Espionage, Disruption, Political, and Retaliation.

The Top Five "Most Desired Assets" by Cyber Criminals are listed as: 
  1. Industrial property and Trade secrets
  2. State/Military classified information
  3. Server infrastructure
  4. Authentication Data
  5. Financial Data 
I won't detail it here, but the report also has advice on "What changed in the landscape with the COVID-19 Pandemic?" and refers to several previous publications from ENISA for that topic.

Research Topics


ENISA says that "apart from basic cybersecurity hygiene and training, investing in research and innovation is the most viable option for defenders." Some of the key areas that they are encouraging research to be performed are: 

  • Better understanding of the human dimension of security - (I know so many great researchers in this space, from UAB's own Nitesh Saxena, to UAB's Ragib Hasan and his current survey on "User Preferences in Authentication" to Carnegie Mellon's Lorrie Cranor and the IIIT Delhi PreCog lab run by Ponnurangam "PK" Kumaraguru.) 
  • Cybersecurity research and innovation - with a special focus on building "test labs and cyber ranges" that better reflect real world deployments. 
  • 5G Security 
  • EU Research and Innovation Projects on Cybersecurity 
  • Rapid dissemination of CTI methods and content 

Emerging Trends


This report begins by pointing out that COVID-19 has initiated "new and profound changes in the physical world and in cyberspace" and pointing out that "cybersecurity risks will become harder to assess and interpret due to the growing complexity of the threat landscape, adversarial ecosystem and expansion of the attack surface."

The Emerging Trends are given as three trend lists -- Ten Cybersecurity Challenges; Five Trends with cyber threats; and Ten emerging trends in attack vectors.  As I've said a few times, go check out the report for the full details, but a few really caught my eye, which I'll comment on below:

Cybersecurity Challenge 1 - Dealing with systemic and complex risks.  The interconnectedness of our systems and networks means that a risk introduced in one part of the environment can quickly spread throughout our organizations.  The demands of reducing complexity and increasing ease of management has unfortunately caused many organizations to create flat network structures where a single Active Directory domain may touch every resource in the environment and where network segmentation has become almost non-existent.

Unfortunately, many of the other "emerging trends" among the cybersecurity challenges seem more like wishful thinking than an emerging trend. Reducing unintentional errors, automation of CTI ingestion, reducing alarm fatigue and false positives, and cloud migration protections are all things we would love to see, but calling them an "emerging trend" strikes me as premature. A few that I definitely agree with, however, include the role of CTI and the lack of a skilled workforce.

Cyber Threat Intelligence (CTI) is needed to help with the WHY, the HOW, and the WHAT questions. The report points out "the value proposition of any CTI capability or program is to improve the preparedness of the organization to protect its critical assets from unknown threats." Anticipating the unknown requires a deeper understanding of both threat and adversary - not just in the form of specific Indicators of Compromise (IOCs) but in the form of Tactics, Techniques and Procedures (TTPs) - as evidenced by observations made both from open source intelligence (OSINT) and through same-sector and cross-sector intelligence sharing. That understanding is going to be key to hardening and preparing the organization to address forthcoming attacks instead of constantly reacting to known attacks.

Just as we see in the US, a shortage in cybersecurity skills is hitting the EU hard. 70% of firms say that lack of skills is hampering investment in new technologies, and 46% of firms report difficulty filling vacancies in cybersecurity due to a lack of skilled applicants.  In the US, I constantly refer students to the Cybersecurity Supply/Demand Heatmap maintained by Cyberseek.org.  Currently they are showing 521,617 cybersecurity vacancies just in the United States!

The final "Emerging Trends" area - Ten Emerging Trends in Attack Vectors -  has a few that I wanted to call attention to as well.  I'll share the list and comment on a few:
  1. Attacks will be massively distributed with a short duration and a wider impact
  2. Finely targeted and persistent attacks will be meticulously planned with well-defined and long-term objectives
  3. Malicious actors will use digital platforms in targeted attacks
  4. The exploitation of business processes will increase
  5. The attack surface will continue expanding 
  6. Teleworking will be exploited through home devices
  7. Attackers will come better prepared 
  8. Obfuscation techniques will sophisticate 
  9. The automated exploitation of unpatched systems and discontinued applications will increase
  10. Cyber threats are moving to the edge 
A key thread that flows through many of these trends is that attacks will move to new less defended "soft spots."   The report mentions banking trojans being downloaded from the Google Play store, attacks against routers, switches and firewalls rather than servers, and attacks being presented through apps that are skating on the edge between personal and business apps, such as SMS, WhatsApp, SnapChat and various messaging platforms, as well as gaming and streaming apps that may be present on devices being used to "work from home."

List of Top 15 Threats 

The next post will address the ENISA "Top 15 Threats."


Saturday, November 07, 2020

US Victims of Indian Call Center Scams Send Cash to Money Mules Across the Country

On November 6, 2020, the US Attorney in the Eastern District of Virginia announced the sentence for a husband and wife, Chirag Choksi and Shachi Majmudar, both 36 years old. This pair had involved themselves in the money laundering side of an international scam ring that preys on the elderly via call centers located in India. Chirag will serve 78 months in prison while his wife Shachi will serve 14 months in prison.

I've had the pleasure of presenting my research on Indian Call Centers at a meeting the Federal Trade Commission hosted in Washington DC last year. The scope of these networks and the absolute impunity with which they operate should be a cause of national shame in India. According to the Consumer Sentinel Network Data Book 2019, assembled by the Federal Trade Commission, 647,472 "Imposter Scams" were reported in 2019, with total losses of $667 Million, primarily to the elders who are most deserving of our protection. (These scams are increasing rapidly. In 2017 there were 461,476 Imposter Scam complaints, and in 2018 there were 549,732.)

The Scam: Law Enforcement Impersonation

Indian Call Centers placed "robocalls", primarily to seniors in the United States, which played a recorded message indicating that the recipient had been charged with a crime and needed to immediately call a certain number to avoid arrest. When the number was called, the US-based number was routed via a Voice Over IP (VOIP) gateway to call center workers in India, who would fraudulently identify themselves as law enforcement officers and threaten immediate arrest if the caller did not follow their directions. The caller was instructed to go to their bank, withdraw as much cash as the fake law enforcement officer was able to determine they could get, and then send the money by Federal Express, UPS, or the US Postal Service to a US-based address.

The Money Mules: Choksi and Shachi

There were actually three defendants in this indictment, but they are only a tiny part of the overall scam. Chirag Janakbhai Choksi and Shachi Naishadh Majmudar worked for a money mule recruiter, Shehzadkhan Khandakhan Pathan. Pathan ran mules that he had recruited in many locations, including at least New Jersey, Minnesota, California, Indiana, Texas, and Illinois, although not all have been identified and charged yet. The criminal complaint against Pathan remains sealed, which makes it likely more charges are forthcoming. In each location, money mules of Indian origin were waiting to pick up packages of cash. Chirag and Shachi were the Minnesota Money Mules.

The Money Mules would pick up the bulk cash shipments from their destinations, presenting counterfeit identification documents that used fictitious names in order to hide their identity.  In order to keep their lucrative position in the mule network, mules were required to quickly respond to pick-up orders.  They were also required to video themselves opening the package and counting the cash to ensure that they weren't skimming more of the money than they were allowed.  

Shachi was primarily the assistant, which is why she got a lesser sentence.  She would log in to FedEx or USPS to track the delivery of the packages, so that Chirag would know when he was clear to do a pick-up run.  She would also videotape Chirag as he opened the packages and counted the money.  She would also frequently be the person who went to the bank to deposit the cash into accounts belonging to other members of the conspiracy.

9594 Grey Widgeon Place, Eden Prairie, MN

In one example from the indictment, Chirag was instructed to go to 9594 Grey Widgeon Place in Eden Prairie, Minnesota to retrieve a package containing $8,500 in cash that had been sent to "Aldo Ronald."  The FedEx tracking number confirms the package was signed for by someone at that address, and that the package was shipped from Chesterfield, Virginia, where the victim resided.


Strangely, that 1600 square foot duplex claims to have seven current residents, according to WhitePages.com, including Shachi!




According to their Facebook pages, Shachi moved to Minneapolis, Minnesota in 2013.  (The "moved" actually says 2016, but she says in her comments "I actually moved here in 2013, Facebook is just acting weird.")  Sadly for the family, the parents who are now headed to prison, posted photos of their newborn baby in January 2019. 

The Mule Recruiter: Shehzadkhan Pathan

The co-conspirator, Shehzadkhan Khandakhan Pathan, goes by the name Shehzad Khan on Facebook and, like his Facebook friend Chirag, is from Ahmedabad, India. He was arrested by the FBI in Houston, Texas on January 16, 2020 and taken into custody by the US Marshals Service.

Shehzadkhan Khan Pathan

This structure was VERY familiar to me, as it works in exactly the same way as the case we documented in 2016 in our blog post Major Call Center Scam Network Revealed - 56 Indicted.
In fact the similarities are extreme.  In that case, the primary call centers involved included a major group in Ahmedabad India, but had money mule "runners" all over the United States, who not only handled financial transactions, but also sought out victim candidates!  

Not only are the cases STRUCTURALLY similar, but Pathan SEEMS to be linked to one of the key players in that network on Facebook.  Pathan's Facebook friend "Hardik Dave" is likely Hardik Patel, also from Ahmedabad, from the previous case.  Although Hardik's friends list is marked as private, his Facebook page has several interactions from "Hitesh Patel," who was at the core of the 2016 case.  In that case, Ahmedabad call center companies including Call Mantra, Sharma BPO, Worldwide Solutions, and Zoriion Communications were involved in the scams.

A superseding indictment relating to Pathan was announced June 17, 2020, and names several additional co-conspirators. 

In addition to Chirag and Shachi, the new indictment includes: 
  • Pradipsinh Dharmendrasinh Parmar
  • Sumer Kantilal Patel 
  • Jayeshkumar Prabhudas Deliwala
In the new indictment we learn that the "conspirators regularly communicated using WhatsApp Messenger." We also learn additional details about the scam calls:

"The messages told the recipients that they had some sort of serious legal problem. Often the purported problem related to potential criminal charges for the victim, tax problems, or THE RISK OF LOSING A FEDERAL BENEFITS PROGRAM SUCH AS SOCIAL SECURITY PAYMENTS." (emphasis added)

We also learn that a number of the victims had recently applied for a loan, making them aware that the victim now had cash available!  

Pathan, the recruiter, provided the counterfeit identity documents, including fake driver's licenses, and alerted his mule network where the package was being delivered and which identity they should use to retrieve the package.  After they had the cash, Pathan would let them know how much they could keep and give them details of what bank account they should deposit the additional funds into. In some cases the funds were sent via wire transfer, and Pathan would alert his money mules via WhatsApp where the money had been wired and which identity documents they would need to present in order to pick up the money from the bank account where it had been deposited.

More Mules: Parmar, Patel

Both Pradipsinh Dharmendrasinh Parmar and Sumer Kantilal Patel were money mules like Chirag.  They are charged with retrieving and signing for packages of cash, photographing or videoing themselves opening the packages and counting the cash, receiving and using counterfeit identification bearing their likeness but the name of another person, and picking up money transfers via Western Union, MoneyGram, and Walmart to Walmart, and resending portions of that amount to other locations. 

Pradipsinh Parmar is also Facebook friends with Pathan, and also from Ahmedabad, India.  His Facebook page says he lives in Spotswood, New Jersey.  HIS Facebook friend Sumer Patel is not friends with any of the other co-conspirators and may be a name coincidence, as he seems to be in Brisbane, Australia.
Pradipsinh Parmar

Parmar, for example, picked up a package containing $20,000 cash sent to the name of "Neon Fredo" at 55 Stratford Village, Lancaster, Pennsylvania.  

Parmar also picked up a MoneyGram of $820 sent from a victim to the name of Larry A Lauzon, in North Carolina.  (Because he had the reference number, it was not necessarily picked up in that location.)

Patel similarly received Walmart-to-Walmart funds, including funds sent from Texas to "Caleb N Cranstone" in Virginia. 

Deliwala received and distributed a set of 20 counterfeit identification documents.

Charges in the case include: 

18 U.S. Code § 1341 - Mail fraud
18 U.S. Code § 1343 - Wire fraud
18 U.S. Code § 1349 - Attempt and conspiracy
18 U.S. Code § 982 - Criminal forfeiture

Friday, October 16, 2020

Trickbot on the Ropes Part 2: The QQAAZZ Money Laundering Ring

While shutting down the technical aspects of malware is critical (see Trickbot on the Ropes Part 1), the real disincentive to the criminals is when you hit them hard in the money.  That was the objective of Europol's Operation 2BaGoldMule case against QQAAZZ.   Working with partners in 16 countries, including Latvia, Bulgaria, the United Kingdom, Spain, and Italy, Europol helped to coordinate search warrants being executed at 40 different residences in support of criminal proceedings in the United States, Portugal, the UK, and Spain.

Europol put out a two-part InfoGraphic as part of their story on the arrests, "20 Arrests in QQAAZZ Multi-Million Money Laundering Case":

Infographic: https://www.europol.europa.eu/publications-documents/operation-2bagoldmule

The criminals behind the QQAAZZ money laundering ring received funds from botnet operators, and "tumbled" the funds through a variety of shell companies and crypto-currencies to produce "clean money" keeping a 40% to 50% cut of the funds for themselves.

The U.S. Department of Justice says that QQAAZZ-controlled bank accounts received funds stolen via banking trojans including Dridex, Trickbot, and GozNym malware.  The DOJ action came in two rounds, with the first indictment being unsealed back in October 2019 naming these individuals: 

Aleksejs Trofimovics
a/k/a Aleksejs Trofimovich, Alexey Trofimovich, Aleko Stoyanov Angelov 
Ruslans Nikitenko 
a/k/a Krzysztof Wojciech Lewko, Milen Nikolchev Nikolov, Rafal Zimnoch 
Arturs Zaharevics
a/k/a Piotr Ginelli, Arkadiusz Szuberski 
Deniss Ruseckis
a/k/a Denis Rusetsky, Sevdelin Sevdalinov Atanasov 

These individuals used a collection of shell companies to open a large number of bank accounts in Portugal.  In 2018, I sat in a meeting in London with a handful of the largest banks in the UK and heard for the first time as they shared information with one another that it was a "common" thing that when someone had their bank account hit by Trickbot, a wire transfer would be sent to Portugal!

According to the indictment, Ruslans Nikitenko used his shell company Selbevulte LDA to open accounts at eleven banks in Portugal.  He used the company Colossal Devotion LDA to open accounts at nine additional banks.  Arturs Zaharevics created the shell company Cardinal Gradual Real Estate Unipessoal LDA and used it to open accounts at ten banks in Portugal.  Deniss Ruseckis created Flamingocloud LDA and used it to open accounts at thirteen banks in Portugal!

According to the October 2019 Indictment, more than $1.1 Million USD in wire attempts were made just for the transactions shown below, although in more than half of the cases, the funds were able to be blocked or recovered.

Date        Victim Bank        Wire Attempt   Beneficiary
07MAR2017   Schwab             $75000         Aktrofi Services
20SEP2017   BOA                $84900         Aktrofi Services
26OCT2017   JPMorgan Chase     $98780         Privelegioasis
29NOV2017   American Express   $121360        Selbevulte
30NOV2017   BB&T               $72000         Privelegioasis
08MAR2018   USAA               $29500         Flamingocloud
08MAR2018   USAA               $29500         Colossal Devotion
21MAR2018   BOA                $49000         Colossal Devotion
10APR2018   JPMorgan Chase     $59426         Cardinal Gradual
10APR2018   JPMorgan Chase     $59426         Cardinal Gradual
10APR2018   JPMorgan Chase     $59426         Cardinal Gradual
30AUG2018   PNC                $99693         Selbevulte
14NOV2018   BOA                $56202         Aktrofi Services
14NOV2018   BOA                $112921        Deinis Gorenko
14NOV2018   BOA                $45830         Deinis Gorenko
06DEC2018   JPMorgan Chase     $114652        Flamingocloud

In between that indictment and the current one, there was a bit more publicity back in May 2020 when "Plinofficial", a Russian scam-rapper, whose real name was Maksim Boiko, was arrested by the FBI when he landed at the Miami airport, as was covered by the BBC and others at the time. 

In the more recent action, the indictment from the US District Court for the Western District of Pennsylvania was just unsealed, having been filed on 29SEP2020.  This indictment names an additional group of money launderers:

  • Nika Nazarovi - of Georgia - aka Nika Utiashvili, Mihail Atanasov, Stefan Trifonov Zhelyazkov
  • Martins Ignatjevs - of Latvia - aka Yodan Angelov Stoyanov, Aleksander Tihomirov Yanev, Svetlin Iliyanov Asenov 
  • Aleksandre Kobiashvili - of Georgia - aka Antonios Nastas, Ognyan Krasimirov Trifonov
  • Dmitrijs Kuzminovs - of Latvia - aka Parush Gospodinov
  • Valentins Sevecs - of Latvia - aka Marek Jaswilko, Rafal Szczytko
  • Dmitrijs Slapins - of Latvia 
  • Armens Vecels - of Latvia 
  • Artiom Capacli - of Bulgaria
  • Ion Cebanu  - of Romania
  • Tomass Trescinkas - of Latvia 
  • Ruslans Sarapovs - of Latvia 
  • Silvestrs Tamenieks - of Latvia 
  • Abdelhak Hamdaoui  - of Latvia 
  • Petar Iliev - of Belgium 

It says that "in total, cybercriminals attempted to transfer tens of millions of dollars to QQAAZZ-controlled accounts, and QQAAZZ successfully laundered millions of dollars stolen from victims around the world."

The indictment breaks the criminals into three tiers: 

  • Leaders 
  • Mid-level Managers 
  • Money Mules 

In the September 2020 indictment, some of the victim companies, whose bank accounts were used to wire money to European shell companies created by those named above, included: 

  1. a technology company in Windsor, CT 
  2. an Orthodox Jewish Synagogue in Brooklyn, NY 
  3. a medical device manufacturer in York, Pennsylvania
  4. an individual in Montclair, NJ 
  5. an architecture firm in Miami, FL 
  6. an individual in Acworth, GA
  7. an automotive parts manufacturer in Livonia, MI 
  8. a homebuilder in Skokie, IL 
  9. an individual in Carrollton, TX 
  10. an individual in Villa Park, CA.  
Dozens of additional US victims are identified, but the total number of victims whose funds were stolen, or were attempted to be stolen, through these schemes is unknown. 

Those named in the two indictments received funds to shell company bank accounts including at least 147 accounts opened at banks in Portugal, as well as Germany, Spain, and the United Kingdom. 

The indictment provides a partial list of the funds transfers which occurred between US-based victims and accounts controlled by these criminals. 

In order to accomplish this, members of the QQAAZZ cash-out system advertised their services on "exclusive, underground, Russian-speaking, online cybercriminal forums."   Some of these advertisements on a single forum cost as much as $10,000 per year!  

Some of the online monikers used by QQAAZZ members in these forums included: 

qqaazz, globalqqaazz, markdevido, richrich, donaldtrump55, manuel, krakadil, kalilinux, ritchie, totala, totala22

These forum exchanges helped to establish relationships between the malware gangs and the money launderers.  For example, QQAAZZ members using the name "richrich" chatted with members of the GozNym malware crime group about being a "drop handler" in the UK and Europe and having many accounts that could be used for money laundering, including an account in the name "Yaromu Gida" at a bank in Turkey.  That account received $176,500 in funds stolen from the medical device manufacturer in the Western District of Pennsylvania. 

"DonaldTrump55" provided bank account information for a drop belonging to Ruslans Nikitenko at a bank in Portugal, opened using a counterfeit Polish identity card in the name Krzysztof Wojciech Lewko.  The account later received $121,360 from a US victim. 

Trickbot On The Ropes: Microsoft's Case Against Trickbot

Trickbot is having a truly bad time this month!  While as of today Trickbot binaries are being delivered by Emotet, there is every sign that they are struggling.   Emotet's daily activities are best documented by a team of researchers using the collective identity "Cryptolaemus" and sharing news of IOCs and URLs on their website: https://paste.cryptolaemus.com/.  With no activity from October 6th to 12th, there was every indication a "change" was coming, and beginning on 14OCT2020, researchers such as our friends at @CofenseLabs and @Malware_Traffic are both reporting that Trickbot is now being delivered by the Emotet spam-sending botnet.  

This post examines Microsoft's case against Trickbot. However, there are also reports of U.S. Cyber Command taking a role in disrupting Trickbot, as reported by the Washington Post and security journalist Brian Krebs. In the "take-down" attempt, as described by Krebs, the bot began propagating to other bots that its new controller IP address should be "127.0.0.1:1" - which would result in the bot-infected computer stopping communication with the criminals.  There was also an attempt to flood the criminals with millions of fake "stolen credentials" hoping to confuse their ability to sort out "true victims."  As Krebs also reported, the fabulous Trickbot C&C tracker at FEODOTracker is reporting many live C&C addresses for Trickbot.  (Also see Trickbot On the Ropes Part 2: the QQAAZZ Money Laundering Ring.) 

The Microsoft Trickbot Case

On October 12, 2020, Microsoft announced "New action to combat ransomware ahead of U.S. election" describing Trickbot as malware that "has infected over a million computing devices around the world since late 2016." By filing a lawsuit in the U.S. District Court for the Eastern District of Virginia, Microsoft received permission for a Temporary Restraining Order (TRO).  The Digital Crimes Unit (much love, guys!) worked with the FS-ISAC, ESET, Symantec, the Microsoft Defender team, NTT, and Lumen's Black Lotus Lab and others to lay out their case. 

The legal documents surrounding the case are on the Microsoft website: NoticeOfPleadings.com/trickbot/

Microsoft and the FS-ISAC bring the case with a 60 page complaint, demonstrating harm to their respective customers in the Eastern District of Virginia, and demanding that "John Doe 1" and "John Doe 2" appear in court for a Jury Trial.

They charge them with violations of: 

  • The Copyright Act - 17 USC § 101 
  • The Computer Fraud and Abuse Act 18 USC § 1030
  • The Electronic Communications Privacy Act 18 USC § 2701
  • Trademark Infringement under the Lanham Act 15 USC § 1114
  • False Designation of Origin under the Lanham Act 15 USC § 1125(a)
  • Trademark Dilution under the Lanham Act 15 USC § 1125(c) 
  • Common Law Trespasses to Chattels 
  • Unjust Enrichment 
  • and Conversion 
To do so, Microsoft asked the court to force hosting providers to suspend services and block and monitor traffic for the customers who were using particular IP addresses within their organizations.  The list included: 

  • Input Output Flood, LLC of Las Vegas, for IP addresses: 
    • 104.161.32[.]103, .105, .106, .109, and .118.
  • Hosting Solution Ltd (Hurricane Electric of Fremont, California) for IP address:
    •  104.193.252[.]221.
  • Nodes Direct Holdings of Jacksonville Florida for IP addresses: 
    • 107.155.137[.]7, .19, and .28,
    • 162.216.0[.]163, 
    • 23.239.84[.]132, .136
  • Virtual Machine Solutions, LLC of Los Angeles, California for IP addresses: 
    • 107.174.192[.]162 and 
    • 107.175.184[.]201
  • Hostkey USA of New York for IP address: 
    • 139.60.163[.]45 
  • Fastlink Network Inc, of Los Angeles for IP address: 
    • 156.96.46[.]27
  • Green Floid LLC for IP addresses: 
    • 195.123.241[.]13 and .55 
  • Twinservers Hosting of Nashua, New Hampshire for IP address: 
    • 162.247.155[.]165  

Each team made significant contributions to the effort, and most have published their own Trickbot blogs, which I link below.  With regard to the case, their most important function was to provide professional analysis in the form of a Declaration in Support of Motion for TRO: 

  • Lyons is Jason Lyons, a Senior Manager of Investigations at the DCU Malware & Cloud Crimes Team.  Lyons, who served in the Cyber CounterIntelligence unit of the U.S. Army, provides 25 pages of testimony and ten "Exhibits." Part of his testimony included the proof of 25 million Gmail, 19 million Yahoo, 11 million Hotmail, 7 million AOL, 3.5 million MSN, and 2 million Yahoo.co.uk addresses known to have been targeted by Trickbot (based on reporting from Deep Instinct)
  • Finones is Rodelio Finones, a Senior Security Software Engineer and Malware Researcher at the Microsoft DCU. He provides a 21 page testimony of his own investigation into Trickbot.
  • Thakur is Vikram Thakur, the Technical Director of Symantec Enterprise, where he has been a major rockstar for more than a dozen years!  He provides a 20 page testimony.
  • Garlow is Kevin Garlow, Lead Information Security Engineer at LUMEN (formerly CenturyLink). His testimony includes the fact that he has identified 502 distinct IP addresses that had acted as Trickbot controllers, but that 40 of them have remained online despite more than 30 abuse notifications and that 9 of them have been sent more than 100 such notifications.  He states that "We confirmed 55 new Trickbot controller IPs in September 2020 and 99 new Trickbot controller IPs in August."  It is these long-lived "bullet-proof" controllers that Microsoft is targeting.  It is also likely that revealing whoever is paying the bills for those long-lived services may be a path to identifying John Doe 1 and John Doe 2.  Garlow's testimony that he has sent so many notices for take-down which have been ignored is a powerful part of this package!
  • Silberstein is Steven Silberstein, the CEO of the FS-ISAC.  He provides testimony to more than 500 fraud attempts against FS-ISAC member institutions over an 18 month period, with $7 Million in attempted fraud.  One FS-ISAC member had dozens of attempts in a two week period with an average fraud attempt of $268,000!  
  • Ghaffari is Kayvan M. Ghaffari, an attorney with Crowell & Moring LLP for Microsoft and the FS-ISAC.  His testimony calls out the particular web hosting companies that were hosting the machines targeted by the TRO, including Colocrossing, IOFlood, HostKey, VDI-Network, ENET-2, and King Servers, pointing out that all of these organizations have Terms of Service which are clearly violated by the Trickbot controllers.  He then attaches as exhibits more than 650 pages of similar cases and the related court documents from them.
  • Boutin is Jean-Ian Boutin, the Head of Threat Research at ESET, who calls Trickbot "one of the most prolific and frequently encountered types of malware on the Internet."

Related TrickBot Blogs

ESET analyzed 125,000 malware samples and downloaded and decrypted 40,000 configuration files used by Trickbot modules, helping to map out the C&C servers used by the botnet. While Trickbot can drop many "modules," these are not one-size-fits-all.  Trickbot modules were sometimes dropped in phases after an initial assessment of the network on which the bot found itself, and at other times varied by the "gtag" -- the unique label used to sign the infection, thought to be related to affiliates who paid the Trickbot operators.

gtag timeline by ESET


Lumen's Black Lotus provided C2 timelines, demonstrating which IP addresses in which countries were active in which timeframes.  Indonesia, for example, hosted active C2 servers on 1,362 days!  Colombia and Ecuador, which by their count were #2 and #3, had only 652 and 637 C2 days by comparison.  They shared 95 C2 addresses in their recent Look Inside the Trickbot Botnet blog post. Many of these IP addresses are also called out in Lyons' testimony as Exhibit 2.


Symantec's blog post "Trickbot: U.S. Court Order Hits Botnet's Infrastructure" has a great infographic about "How Trickbot Works": 


Microsoft on Trickbot's use of Covid-19 Lures

Microsoft is in a unique position to take action against malware, having visibility to so much malware-related traffic from browser telemetry, Microsoft Defender reports, and Office365 scans.  In the past year, they have evaluated 6 Trillion messages and blocked 13 Billion malicious emails that used 1.6 Billion URLs to try to infect the email recipients!

Microsoft's Digital Defense Report 2020 points out that Trickbot began using COVID-19 spam lures on March 3, 2020, and went on to become the most prominent spam botnet using COVID-19 themes.

From MS Digital Defense Report 2020 

We've long argued that if the lure is timely and controversial, people will click on it.  That seems to be the case even today as ProofPoint's @ThreatInsight has pointed out, documenting that a recent malware campaign, first seen October 6, 2020, is using President Trump's diagnosis as a lure to infect people with additional malware, using the subject line "Recent material about the president's situation" and the promise of additional details in a password-protected email attachment.