@alkoclick Mmm. Maybe more like irrationally exuberant?
-
Q) How bad was the ethics report?
@GossiTheDog And of course, in a subhead below a sentence about allegations of sex trafficking, the NYT says Gaetz made the decision to pull out..."
-
Feds Charge Five Men in 'Scattered Spider' Roundup
Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.
Two of the accused I've written about extensively already. Today's story looks at how several of these guys were caught. For example:
"The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time.
In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname "Joeleoli."
https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/
-
I'm sick to death of people telling me I should be on this or that social network that's controlled by some billionaire wingnuts.
I've also been thinking of telling my readers on LinkedIn that if they want to follow my rantings for the next month, they can do it over here.
-
I'm sick to death of people telling me I should be on this or that social network that's controlled by some billionaire wingnuts. I'm perfectly happy where I am. And I have a strong feeling that we're going to see something of a great migration here soon (fingers crossed).
Meantime, go ahead..say Bluesky one more time.
-
Not a great omen.
U.S. Closes Its Kyiv Embassy, Warning of ‘Significant Air Attack’
The unusual alert came a day after Ukraine used American-made ballistic missiles to strike Russian territory for the first time.
-
Developing scoop:
Fintech Giant Finastra Investigating Data Breach
The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
https://krebsonsecurity.com/2024/11/fintech-giant-finastra-investigating-data-breach/
-
It's like I have the attention span of a squirrel today.
@blogdiva I'm somewhere between "BALL!" and "SQUIRREL!" today
-
It's like I have the attention span of a squirrel today. I can't even
-
ICANN's proposal to go ahead with another round of gTLDs is a complete money grab, and another giant fraud, spam and scam turd for Internet users in general. I'm talking about tlds like .top, .work, .shop, .vip, etc.
New domains used for phishing, spam and scams account for an overwhelming share of customers of these new gTLDs, which often have rock-bottom prices -- especially for bulk registrations. Overall, new gTLDs tend to be a race to the bottom where the only way they can make a profit is to sell domains en masse, and the market for such demand skews massively towards scammers.
ICANN's proposal to ignore history and introduce another round of new gTLDs should be squashed by regulators. But it won't. Like the AI crap being crammed into everything these days whether you like it or not, ICANN is going to keep creating new gTLDs because it's been a huge cash cow for them.
https://newgtldprogram.icann.org/en/application-rounds/round2
-
I'm more than a little concerned that the recent election is going to pull a lot more people into investing in cryptocurrency -- most of whom probably are nowhere near as savvy as they need to be to avoid getting fleeced by scammers. I hear constantly from people who poured their savings or kids' college fund into crypto, only to see it all stolen when they clicked the wrong button or link.
You know what the typical answer is from the feds? We're drowning here. Just too many cases. These thefts are often $500K or more, and the frequency of them is rapidly increasing the monetary loss thresholds that would normally get law enforcement's attention.
Also, tons of people are now pouring money into the market, which is already vastly overpriced by almost any measure. Here are some sage words from a WSJ story today about how "investors are betting on a market melt-up:"
"One measure closely tracked by investors, the equity risk premium—or the gap between the S&P 500’s earnings yield and that of 10-year Treasurys—shrank close to zero, the lowest level since 2002, according to Dow Jones Market Data. That means the reward for owning stocks over bonds is dwindling."
“The market is awfully expensive to have a melt-up,” said Rob Arnott, the founder and chairman of Research Affiliates."
https://www.wsj.com/finance/investing/investors-are-betting-on-a-market-melt-up-3a007dd4
-
I'm pretty sure Mastodon is the first social network I've been on that didn't immediately ask me to betray all of the people in my address book.
Tired: App demands access to all of your contacts upon account creation.
Wired: App demands near total access to your other social media apps, contacts, posts, timeline, likes, friends, settings, blah blah.
-
TIL that if you try to sign up for Tiktok by signing in with your existing Google account, for example, doing so requires you to allow sharing of your Twitter/X profile info (assuming you still have one) and account settings. You also give permission to the app to then follow and unfollow accounts for you, create and delete posts for you and engage with posts created by others.
I'm sure this is not news to a lot of people, but since I spend negligible amounts of time on either, it was to me. I'm still wondering how an attempt to create a Tiktok account with Google signin leads to an immediate prompt to share your Xitter profile. At this point in the process, I don't even have a TikTok account yet and they're already asking for permission to another account I may have. Absolutely nothing about this feels good.
This kind of shit is probably why I pinned this post so long ago:
-
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.
https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker/
-
The crypto industry is patting itself on the back for a job well done.
-
Me: All I want to do for the next hour is play Halo, virtual snipe, and steal flags.
Microsoft: Okay sure. Oh BTW, you'll need this 56 gigabyte update first.
Me: gAAAAHAHHAH
-
My latest story revisits the problem of fake Emergency Data Requests (EDRs), where cybercriminals use hacked/phished police dept email accounts to request subscriber data from a range of tech/social media companies.
The FBI issued an alert this week warning about a rise in fake EDR services. I spoke w/ the CEO of Kodex, a platform that Coinbase and 59 other companies require law enforcement officials to register at in order to submit legal process.
There are 18K+ police jurisdictions in the US, and many thousands more globally, so it's unrealistic to expect tech firms to maintain an extensive rolodex. Kodex tackles the challenges of fake EDRs and subpoenas by letting tech firms see if any other customers have received requests from the same sender, and assigns each submitter a confidence rating.
An increasing number of fake EDR vendors are advertising access to Kodex law enforcement accounts, but creating an account with a legit law enforcement email is not hard: Sending from one is.
Kodex told KrebsOnSecurity that over the past 12 months it has processed a total of 1,597 EDRs, and that 485 of those requests (~30 percent) failed a second-level verification. Kodex reports it has suspended nearly 4,000 law enforcement users in the past year, including:
-1,521 from the Asia-Pacific region;
-1,290 requests from Europe, the Middle East and Asia;
-460 from police departments and agencies in the United States;
-385 from entities in Latin America, and;
-285 from Brazil.
Here's something else I learned (and the fraud possibilities in the short run here are virtually limitless):
"Donahue said one concern shared by recent prospective customers is that crooks are seeking to use phony law enforcement requests to freeze and in some cases seize funds in specific accounts.
“What’s being conflated [with EDRs] is anything that doesn’t involve a formal judge’s signature or legal process,” Donahue said. “That can include control over data, like an account freeze or preservation request.”
In a hypothetical example, a scammer uses a hacked government email account to request that a service provider place a hold on a specific bank or crypto account that is allegedly subject to a garnishment order, or party to crime that is globally sanctioned, such as terrorist financing or child exploitation.
A few days or weeks later, the same impersonator returns with a request to seize funds in the account, or to divert the funds to a custodial wallet supposedly controlled by government investigators.
“In terms of overall social engineering attacks, the more you have a relationship with someone the more they’re going to trust you,” Donahue said. “If you send them a freeze order, that’s a way to establish trust, because [the first time] they’re not asking for information. They’re just saying, ‘Hey can you do me a favor?’ And that makes the [recipient] feel valued.”
https://krebsonsecurity.com/2024/11/fbi-spike-in-hacked-police-emails-fake-subpoenas/
-
Almost once a week I get a longish email from a reader who is certain they've figured out which online merchant got hacked and stuffed them with phony charges. I always reply that trying to figure out where your card may have been breached is a fool's errand -- basically, that learning the origin of most types of card fraud can be difficult even for the issuing bank to figure out. And that you're way better off just keeping a close eye on your statements. I can't believe this explainer is somehow still relevant almost 10 years later, but some things mercifully don't change that much.
Here's a look at the various forms of card fraud, how they are usually detected, and your chances of finding out.
https://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/
-
Don't pay the ransom, they said.
This reminds me of a current situation I was talking about the other day with @nixonnixoff: In the cybercrime arena of monster cryptocurrency heists, more often than not now other criminal groups figure out who made the big score, and then target that person. That is to say, the crooks are figuring it out and acting on the information faster than the feds can.
-
Don't pay the ransom, they said.
Holy smokes. Missed this little factoid: "He says Skurka's abduction is the 171st instance of suspects using physical violence to steal bitcoins, that he's aware of."