Kategorie

An Indian national has pleaded guilty in the U.S. over charges of stealing more than $37 million by setting up a website that impersonated the Coinbase cryptocurrency exchange platform. Chirag Tomar, 30, pleaded guilty to wire fraud conspiracy, which carries a maximum sentence of 20 years in prison and a $250,000 fine. He was arrested on December 20, 2023, upon entering the country. "Tomar and Newsroomhttp://www.blogger.com/profile/[email protected]

As a Linux administrator or security practitioner, you understand DNS's essential role in network security. Attacks and unauthorized access pose threats against DNS connections, so robust security protocols must be implemented to safeguard them. Zero-Trust DNS provides greater security, control, and flexibility over DNS traffic.

You’re probably familiar with the term “critical assets”. These are the technology assets within your company's IT infrastructure that are essential to the functioning of your organization. If anything happens to these assets, such as application servers, databases, or privileged identities, the ramifications to your security posture can be severe.  But is every technology asset considered The Hacker Newshttp://www.blogger.com/profile/[email protected]

China has established a massive new state-backed semiconductor fund worth 344 billion yuan or $47 billion aiming to ramp up its chip industry, according to the National Enterprise Credit Information Publicity System, a government-run credit information agency.

This aggressive move is seen as a countermeasure against US efforts to limit China’s access to advanced chip technology.

Christened the China Integrated Circuit Investment Fund Phase III, the investment in this phase is the largest yet and was registered on May 24. This phase dwarfed its previous two phases registered in 2014 and 2019 with investments of 138.7 billion yuan and 204 billion yuan respectively.

The Ministry of Finance holds a 17% stake in the fund followed by a subsidiary of the state-owned National Development Bank at 10.5% and a Shanghai municipal government investment company at 9%.

The fund also lists seventeen other entities as investors including five of China’s largest banks, including Bank of China, Industrial and Commercial Bank of China, China Construction Bank, Agricultural Bank of China, and Bank of Communications — each holding a six percent stake.

The China Integrated Circuit Investment Fund, also known as “Big Fund,” was launched under the “Made in China 2025” initiative in 2015 as a financing vehicle to promote high-tech industrial development.

The “Big Fund” has already provided financial support to two of China’s major chip manufacturers — Semiconductor Manufacturing International Corporation and Hua Hong Semiconductor, according to a Reuters report.

The investment fund is also expected to finance the High Bandwidth Memory (HBM) industry and other key AI semiconductor fields, as per Chinese corporate information service, Qichacha.

While specific targets remain undisclosed, the fund in the third phase is expected to focus on AI-related semiconductors and manufacturing equipment. The fund also aims to support R&D projects and assist major Chinese semiconductor companies in transitioning from international to domestic suppliers for key materials like chemicals, industrial gasses, and silicon wafers. This move will minimize China’s reliance on foreign suppliers and potentially weaken the effectiveness of future US restrictions.

This move comes as the US tightens export controls on advanced chips and fabrication tools to hinder China’s tech advancements.

In October 2022, the US implemented comprehensive export controls to curb China’s military modernization by restricting access to advanced AI chips that use US technology. Again in 2023, the Bureau of Industry and Security updated these rules to address loopholes that compromised their effectiveness.

“Today’s updated rules will increase the effectiveness of our controls and further shut off pathways to evade our restrictions. These controls maintain our clear focus on military applications and confront the threats to our national security posed by the PRC Government’s military-civil fusion strategy,” Secretary of Commerce Gina M. Raimondo said in a statement in 2023. “As we implement these restrictions, we will keep working to protect our national security by restricting access to critical technologies, vigilantly enforcing our rules, while minimizing any unintended impact on trade flows.”

The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. "CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team Newsroomhttp://www.blogger.com/profile/[email protected]

IT outsourcing market continues to demonstrate strong growth globally – such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification.

In 2023, trusted relationship cyberattacks ranked among the top three most frequently used attack vectors. In such attacks, attackers first gain access to the service provider’s network, and then, if they manage to obtain active credentials for connecting to the target organization’s network, infiltrate the target infrastructure. In most cases, contractors are small- and medium-sized businesses that are less protected than large enterprises. This is also why IT service providers attract the attention of attackers.

Trusted relationship vector is attractive for attackers because it allows them to carry out large-scale attacks with significantly less effort than other vectors. Attackers only need to gain access to the service provider’s network to expose all its clients to cyberrisk, regardless of their size or industry. Moreover, attackers using legitimate connections often go unnoticed, as their actions within the affected organization’s infrastructure look like the actions of the service provider’s employees. According to 2023 statistics, only one in four affected organizations identified an incident as a result of detecting suspicious activity (launch of hacker tools, malware, network scanners, etc.) in their infrastructure, while the rest discovered they had been infiltrated via a third party only after data leakage or encryption.

How access is set up between the target organization and the service provider

Any way of connecting a contractor to the systems of a target organization – even the most secure way – is a potential point of entry for intruders. However, the customer company often gives the service provider quite a lot of access to its systems, including:

• allocating various systems for conducting operations;
• issuing accesses for connecting to the infrastructure;
• creating domain accounts.

Most often, communication between the service provider and the client takes place via VPN connections and Remote Desktop Protocol (RDP) services. Access is set up using a certificate or a login/password pair, and in rare cases multi-factor authentication is added. Having compromised the service provider’s infrastructure, intruders can obtain user accounts or certificates issued by the target organization, and thereby connect to their systems.

Many companies resort to using remote management utilities such as AnyDesk or Ammyy Admin. Most of these utilities allow automatic access by login/password, but they are vulnerable to brute-force attacks. In addition, if misconfigured, these utilities allow connections from any IP addresses/systems if you have valid credentials.

Access to the internal infrastructure can also be organized using SSH or RDP protocols and an allowlist of IP addresses. With this method, there’s no need to connect to a VPN, but the security risks grow significantly (for example, the possibility of brute-force attacks).

At the same time, organizations find it difficult to monitor service providers’ compliance with security policies. For example, contractors may store credentials for connecting to the target organization’s network in plain text in public directories or in corporate information systems such as Jira or Confluence, which the client’s security service may not be aware of.

How attackers gain access to a service provider’s network

In our incident investigations, we continuously note the use of various initial attack vectors to gain access to the infrastructures of IT outsourcing companies. Let’s consider the three most popular ones, which make up more than 80% of all initial attack vectors.

The most common method of initial compromise is exploiting vulnerabilities in applications accessible from the internet. Thus, to penetrate the infrastructure, attackers most often used vulnerabilities in Microsoft Exchange, Atlassian Confluence, CMS Bitrix, and Citrix VDI.

The second most popular method is the use of compromised credentials. In every third incident where this vector was used, attackers bruteforced passwords for services accessible from the external network: RDP, SSH, and FTP. In other cases, they used data that was stolen before the incident began.

Rounding out the top three is targeted phishing. Attackers continue to refine their multi-step schemes and social engineering methods, often using attached documents and archives containing malware to penetrate the network.

Attack development

By investigating incidents related to trusted relationship attacks, we have identified the most interesting attacker tactics and techniques. We present them here in the order they appear in the attack process. In the incidents we worked on, attackers can be divided into two groups according to the tactics and techniques used: let’s call them Group A and Group B.

No. Event Description 1 Gaining access to service providers In most cases, the hack started by exploiting vulnerabilities in software accessible from the internet (Initial Access, Exploit Public-Facing Application, T1190). 2 Establishing persistence in the service provider’s infrastructure Attackers in Group A exclusively used the Ngrok tunneling utility at this stage. They installed it in the service provider’s infrastructure as a service. Only the Windows segment was compromised (Persistence, technique Create or Modify System Process: Windows Service, T1543.003). Attackers in Group B initially used backdoors for persistence, which were later used to load and launch Ngrok or the remote management utility AnyDesk. As a result, both Windows and Linux segments were compromised. The attackers used the following backdoors:

• Cobint, installed as a service, for the Windows segment (Persistence, Create or Modify System Process: Windows Service, T1543.003);
• FaceFish, installed via the LD_PRELOAD environment variable, for the Linux segment (Persistence, Hijack Execution Flow: Dynamic Linker Hijacking, T1574.006).

In some incidents, Ngrok persistence was achieved through the task scheduler. 3 Actions after compromising credentials for connecting to target organizations Group A, having discovered credentials for connecting to the service provider’s clients’ VPN tunnel, penetrated their infrastructure on the same day: the attackers connected to systems allocated to the contractor via the RDP protocol using accounts allocated for the contractor’s employees (Initial Access, Valid Accounts: Domain Accounts, T1078.002), established persistence using the Ngrok utility (probably in case of losing access to the VPN), and returned to the new victims’ infrastructure after several months. Up to three months could have passed between initial access to the target organization and attack discovery. Group B established persistence in the service provider’s infrastructure and returned after several months to carry out attacks on their clients. Up to three months could have passed between initial access to the contractor and attack discovery 4 Actions of attackers in the systems allocated to the service provider in the target organization The systems allocated to the service provider in the target organization became the entry point for the attackers. During incident investigations, traces of launch of numerous utilities were found on these systems:

• for network exploration: Soft Perfect Network Scanner, Advanced IP Scanner, LAN Search Pro, Fscan (Discovery, Network Service Discovery, T1046);
• for domain exploration: BloodHound, PowerView, adPEAS, CrackMapExec (Discovery, Account Discovery: Domain Account, T1087.002; Discovery, Remote System Discovery, T1018);
• for password extraction: Mimikatz, SecretsDump, Lsassy (Credential Access, OS Credential Dumping, T1003);
• for remote command execution: WMIExec, PsExec (Execution, Windows Management Instrumentation, T1047; Execution, System Services: Service Execution, T1569.002).

5 Lateral movement in the target organization’s network For lateral movement within the target organization’s network, the attackers used the RDP protocol (Lateral Movement, Remote Services: Remote Desktop Protocol, T1021.001). 6 Data collection from workstations and servers of the target organization In some incidents, attackers from both groups collected data from workstations and servers (Collection, Data from Local System, T1005), packed them into archives (Collection, Archive Collected Data: Archive via Utility, T1560.001) and uploaded them to external file-sharing resources (Exfiltration, Exfiltration Over Web Service, T1567). 7 Fulfilling attack objectives In most cases, the attackers launched ransomware in the target organization’s infrastructure (Impact Data, Encrypted for Impact, T1486). It’s worth noting that group policies or remote creation of Windows services were often used to distribute ransomware files in the infrastructure. Less frequently, distribution and execution were carried out manually.

Attackers use tunneling utilities (Command and Control, Protocol Tunneling, T1572) or remote access software (Command and Control, Remote Access Software, T1219) for several reasons:

Firstly, this eliminates the need for a VPN, which is necessary to connect to the system in the target infrastructure via the RDP protocol, as contractor’s employees do. Attackers are often active during non-working hours, and correctly configured monitoring can alarm the security personnel upon detecting VPN connections at odd hours from suspicious IP addresses (for example, those belonging to public anonymization services). If such activity is detected, then the corresponding accounts will most likely be blocked, and, as a result, the attackers will lose access to the infrastructure.

With tunneling and remote access utilities, attackers can gain a secure foothold in the target system. AnyDesk allows you to register this software as a service. We’ve seen several options for establishing persistence through the Ngrok utility:

Launch type Commands As a service ngrok.exe service run –config ngrok.yml Manually ngrok.exe config add-authtoken <TOKEN>
ngrok.exe tcp 3389 As a task ngrok.exe tcp 3389 (authentication data was set manually before establishing persistence by executing the following command: ngrok.exe config add-authtoken <TOKEN>)

Secondly, the use of such utilities is convenient for attackers. The presence of a backdoor in the network provides them with unhindered access to the internal infrastructure; however, it’s not always comfortable to interact with the compromised system in this way, so attackers turn to utilities. By forwarding the RDP port through Ngrok or connecting via AnyDesk, the attacker is able to interact with the compromised system more easily.

Thirdly, such utilities are quite difficult to track. Ngrok and AnyDesk are legitimate utilities; they are not detected by antivirus tools as malware and are often used for legitimate purposes. In addition, they allow attackers to hide the IP address of the connection source in the compromised system.

For example, with a regular RDP connection, in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx log, we will see connection events (ID 21) or reconnection events (ID 25), where the attacker’s IP address will be indicated in the connection source field (external IP address if the system is accessible from the internet, or internal IP address of another compromised system). In the case of an RDP connection through a tunneling utility, the source connection value in the log will be ::%16777216 – it doesn’t carry any information about the connecting system. In most cases, this artifact will merely indicate a connection through a tunneling utility.

AnyDesk creates its own logs. Among them, the most useful for incident investigation are connection_trace.txt and ad.trace/ad_svc.trace, as they are named in Windows. The connection_trace.txt log allows you to quickly identify connections to the analyzed system and their type (User, Token, Password). If the attackers used AnyDesk and the log indicates a Token and Password connection type, it can be concluded that the attacker set up automatic connection by password and, with AnyDesk running, can reconnect to the system at any time. The ad.trace/ad_svc.trace log contains debugging information, which allows you to determine the IP address from which the connection was made. However, it’s worth noting that attackers often delete AnyDesk logs, making it nearly impossible to detect traces of their connections.

Fulfilling attack objectives

The ultimate goals of attacks on service providers and target organizations can vary. For example:

• Establish persistence in the contractor’s infrastructure and remain undetected for as long as possible in order to gain access to their clients’ infrastructure.
• Remain undetected for as long as possible in order to obtain confidential information (industrial espionage).
• Exfiltrate as much data as possible and deploy ransomware or a wiper in the organization’s infrastructure to paralyze its activities. We observed this scenario in most attacks on target organizations.

Conclusion and advice

Practice shows that attackers, remaining undetected, usually stayed in the target organization’s infrastructure for up to three months and managed to gain control over critical servers and hosts in various network segments. Only after this did they proceed to encrypt the data. This is enough time for the information security department to detect the incident and respond to the attackers’ actions.

The results of our incident investigations indicate that in the overwhelming majority of cases, antivirus solutions detected malicious activity, but the antivirus verdicts were not paid due attention. Therefore, if you have an in-house incident response team, keep them alert through training and cyberexercises; if you don’t have one, subscribe to incident response services from a provider who can guarantee the necessary service level via appropriate SLA.

Attacks through trusted relationships are quite difficult to detect because:

• Connections to the target organization’s VPN from the service provider’s network in the early stages are initiated from legitimate IP addresses.
• Attackers use legitimate credentials to connect to systems within the target organization’s infrastructure (and otherwise).
• Attackers increasingly use legitimate tools in their attacks.

Nevertheless, it is possible to detect these attacks by following certain rules. We’ve put together recommendations for service providers and their clients that will help detect trusted relationship attacks early on or avoid them altogether.

If you’re an IT service provider:

• Ensure proper storage of credentials issued for connecting to your clients’ infrastructure.
• Set up logging of connections from your infrastructure to the clients’ one.
• Promptly install software updates or use additional protection measures for services at the network perimeter.
• Implement a robust password policy and multi-factor authentication.
• Monitor the use of legitimate tools that could be exploited by attackers.

If your organization uses the services of IT outsourcing companies:

• When allowing service providers into your infrastructure, give them time-limited access to necessary hosts only.
• Monitor VPN connections: which account was authorized, at what time, and from which IP address.
• Implement a robust password policy and multi-factor authentication for VPN connections.
• Limit the privileges of accounts issued to service providers, applying the principle of least privilege.
• Apply the same information security requirements to third parties connecting to the internal infrastructure as to hosts in the internal network.
• Identify situations where chains of different accounts are used to access systems within the infrastructure. For example, if service provider’s employees connect to the VPN using one account and then authenticate via RDP using another account.
• Monitor the use of remote access and tunneling utilities or other legitimate tools that could be used by attackers.
• Ensure the detection of the following events within the network perimeter: port scanning, bruteforcing domain account passwords, bruteforcing domain and local account names.
• Pay special attention to activity within your infrastructure outside of working hours.
• Back up your data and ensure that your backups are protected as strictly as your primary assets.

Key MITRE ATT&CK tactics and techniques used in trusted relationship attacks Tactic Technique Technique ID Initial Access Exploit Public-Facing Application T1190 Initial Access Trusted Relationship T1199 Initial Access Valid Accounts: Domain Accounts T1078.002 Persistence Create or Modify System Process: Windows Service T1543.003 Persistence Hijack Execution Flow: Dynamic Linker Hijacking T1574.006 Persistence Scheduled Task/Job: Scheduled Task T1053.005 Credential Access OS Credential Dumping T1003 Discovery Network Service Discovery T1046 Discovery Account Discovery: Domain Account T1087.002 Discovery Remote System Discovery T1018 Lateral Movement Remote Services: Remote Desktop Protocol T1021.001 Collection Data from Local System T1005 Collection Archive Collected Data: Archive via Utility T1560.001 Command and Control Protocol Tunneling T1572 Command and Control Remote Access Software T1219 Exfiltration Exfiltration Over Web Service T1567 Impact Data Encrypted for Impact T1486

The tech world lost a legend earlier this month — and it happened the same week that his life-long vision was finally realized. 

I’m talking about C. Gordon Bell, the computer scientist who helped usher in the age of the personal computer. He designed the first microcomputer in 1965 — the DEC PDP-8 — among countless other achievements in the field of computing. Bell died May 17 of pneumonia at his home in Coronado, CA. He was 89. 

Bell’s lifelogging vision

Late in his career, Bell was inspired by Vannevar Bush’s hypothetical “Memex” system, which Bush described in a 1945 Atlantic Monthly articled, “As We May Think.” From that inspiration, Bell became the world’s biggest advocate and practitioner of a concept called lifelogging.

Bell launched his lifelogging MyLifeBits project in 1998. The idea was to enter all digital content from one’s life and work. From the project page: He aimed to capture digital versions of “a lifetime’s worth of articles, books, cards, CDs, letters, memos, papers, photos, pictures, presentations, home movies, videotaped lectures, voice recordings, phone calls, IM transcripts, television, and radio.” (Bell famously wore two cameras around his neck, which snapped photographs at regular intervals.) Then, he would use custom-built software to retrieve any fact, any captured idea, any name, any event on demand. 

MyLifeBits was part of Bell’s research at Microsoft. He joined Microsoft Research in 1995 and worked there until 2015 when he was named a researcher emeritus.

The death of lifelogging

Eight years ago, I interviewed Bell for Computerworld and, based on what he told me, I proclaimed in the headline: “Lifelogging is dead (for now).” What killed lifelogging, according to Bell, was the smartphone. He stopped his lifelogging experiment when the iPhone shipped in 2007.

Smartphones, he correctly predicted, would gather vastly more data than any previous device could, given their universality and ability to capture not only pictures and user data, but also sensor data. Suddenly, we had access to vastly more data, but no software capable of processing it into a cohesive and usable lifelogging system. 

He also correctly predicted that, in the future, lifelogging could return when we had better batteries, cheaper storage and — the pièce de résistance — artificial intelligence (AI) to help capture, organize and present the massive amounts of data. With AI, data doesn’t have to be tagged, filed specifically, or categorized. And it can respond meaningfully with natural language interaction. 

At the time, I wrote something I still believe: “I think we’ll find that everybody really does want to do lifelogging. They just don’t want more work, information overload or new data management problems. Once those problems are solved by better hardware and advanced AI, lifelogging and the photographic memory it promises will be just another background feature of every mobile device we use.” 

Don’t look now, but we’ve arrived at that moment. 

Suddenly: A new wave of lifelogging AI

Bell did his lifelogging research at Microsoft, so it’s especially poignant that within a few days of Bell’s death, Microsoft announced incredible lifelogging tools. (Company execs didn’t use the “L” word, but that’s exactly what they announced.)

During a special May 20 event preceding the Microsoft Build 2024 conference, the company introduced its Recall feature for Copilot+ PCs, which will run Windows 11 and sport Qualcomm’s new Snapdragon X Elite chips. (They have a neural processing unit (NPU) that makes Recall possible, according to Microsoft.)

Here’s how it works: Recall takes a screenshot of the user’s screen every few seconds. (Users can exempt chosen applications from being captured. Private browsing sessions aren’t captured, either. And specific screenshots, or all captures within a user-designated time frame, can be deleted.)

The screen-grabs are encrypted and stored locally, and the content can then be searched — or the user can scroll through it all chronologically. The secret sauce here, obviously, is that AI is processing all the data, identifying text, context, images and other information from the captures; it can later summarize, recall and generally use your screenshots to answer questions about what you’ve been doing, and with whom. The goal is to provide you with a digital photographic memory of everything that happens on your device.

Microsoft’s Recall feature is lifelogging, pure and simple. AI makes this lifelogging tool feasible at scale for the first time ever.

(Copilot+ PCs start shipping on June 18, 2024, according to Microsoft.) 

One week before Microsoft’s announcement, and mere days before Bell’s passing, Google announced lifelogging tools of its own. During a video demonstration of Project Astra, where visual AI identifies and remembers objects in the room and performs other neat tricks via a Pixel phone, the woman showing off the technology picked up AI glasses and continued with her Astra session through the glasses. 

Astra is capturing video, which AI can process in real time or refer back to later. It feels like the AI tool is watching, thinking and remembering — which, of course, it isn’t. And it’s trivial for AI to spin out a text log of every single thing it sees, identifying objects and people along the way. AI could then retrieve, summarize, process and help you make instant sense of everything you saw. 

Bell wore cameras around his neck to capture snapshots. It couldn’t be more obvious that glasses capturing video to be processed by generative AI is vastly superior for lifelogging. 

Google this month also announced another powerful lifelogging tool, which I first told you about in September. It’s called NotebookLM. The AI-enhanced note-taking application beta is free to try if you’re in the United States. The idea is that you take all your notes in the application, and upload all content that comes your way, including text, pictures, audio files, Google Docs and PDFs. 

At any point, you can interrogate your own notebook with natural language queries, and the results will come back in a way that will be familiar if you’re a user of the major genAI chatbots. In fact, NotebookLM is built on top of Google’s PaLM 2 and Gemini Pro models. 

Like the better chatbots, NotebookLM will follow its display of results with suggested actions and follow-up questions. It will also organize your information for you. You can invite others into specific notes, and collaborate.

NotebookLM is the lifelogging system Gordon Bell spent nine years trying to build. But his ideas were too far ahead of the technology.

The previous two weeks will go down in history as the most momentous thus far in the life of the lifelogging ideas since Vannevar Bush described his Memex concept in 1945. Of course, in the AI era, lifelogging won’t be called lifelogging, and the ability to lifelog effectively will be seen as something of a banality — you know, like the PC and the many other digital gifts midwifed into existence by Gordon Bell. 

I told you lifelogging was dead, until we got the AI tools. And now we have them.

Americans, it seems, are of several minds about the hottest of hot topics this year: artificial intelligence. They’re torn between curiosity about the benefits to society and concern about its effects on their lives.

A new study from global consultancy Public First found that, while the most common emotion cited was curiosity (39%), an almost equal number (37%) said they were worried about AI. Last year, 42% cited curiosity and 32% were worried, according to the study, which was based on four nationally representative polls of adults across the US and the UK, and conducted in partnership with the Information Technology & Innovation Foundation’s Center for Data Innovation.

While awareness of AI is growing quickly, day-to-day usage is still quite low, said Jonathan Dupont, partner at Public First, in a webinar about the research. In fact, 51% of Americans said that AI is growing faster than expected, up from 42% in 2023.

ChatGPT, he said, “is now definitely a consumer brand.”

However, people’s emotions are mixed when it comes to concrete benefits for themselves and society, Dupont said: “The lowest thing they rated was actually increasing wages for workers, which suggests they think it might benefit society as a whole, but possibly cause unemployment concerns. They’re less convinced about it translating into actual day to day benefits for ordinary people.”

AI at work

Although only 28% or American workers said they have used an LLM (large language model) chatbot at work, 68% of those who had done so found them helpful or very helpful, and 38% said they have become an essential tool. Overall, this group accounted for 19% of workers.

Age and gender made a big difference: Males aged 18-34 were by far the biggest users at 33%, while only 16% of females in that age group regularly use LLM chatbots at work. Almost half (48%) of workers using LLMs said they had figured out how to use the tools on their own, although this, too, varied by age. Workers under 55 preferred to explore the technology on their own, while those aged 55 or over expressed a desire for formal AI training.

Respondents expected that required job skills will change, according to the study. They saw an increased need for the ability to persuade and inspire people, for critical thinking and problem solving, and for creativity. However, they felt that research, writing well, coding or programming, graphic design, and data analysis will decline in importance with the rise of AI.

Critically, 59% believed it likely that AI will increase unemployment.

But, said Alec Tyson, associate director of research at Pew Research Center, in the workplace, how and where AI is used will affect its acceptance.

“Large majorities would oppose using AI to make a final hiring decision,” he said, an illustration of a broader concern about what’s essentially human. What are humans good for in the areas, whether it’s work or medicine? Your relationship with the primary care doctor that has traditionally been high contact is something close to essentially human; there’s a lot of resistance to using AI to fill those roles. There’s more openness, maybe not outright enthusiasm, but more openness to use AI to help.”

Lee Rainie, director, Imagining the Digital Future Center at Elon University, pointed to two categories of people at the extremes of concerns about AI adoption. “One is creative people themselves,” he said. “I think by instinct they’re innovators in many cases and they’re trying to cut at the edge but I think they see an existential threat more acutely than a lot of other groups here, and watching the legal situation play out, their reactions to AI are going to be very much determined by whether they have autonomy, whether they get paid, what’s disclosed about how the language models are used.”

The second group is people who are suffering in some way. If AI is going to help somebody, he said, there’s not a lot of hesitation about its use.

What jobs can AI automate?

Job loss caused by AI is also a concern. When asked to assign a score from 0 to 10 on how likely respondents felt it was that an AI could do their job as well as they could in the next 20 years, predictions were all over the map. Fully 22% said that robots or AI could not do their job, scoring the prospect at 0. At the other end of the scale, 14% said AI or robots could definitely do their job. In the middle, 14% rated the notion a 5. The average score was 4.7.

The top four occupations at risk, according to respondents, were machine operators (46%), customer service agents (42%), warehouse workers who pick and pack goods (41%), and graphic designers (40%). At the bottom of the list were nurses and care workers, each at 10%.

Overall, however, only 28% thought their jobs would disappear entirely. Others expected they would have other responsibilities (30%), oversee the AI (25%), or spend fewer hours on the job (27%).

Vinous Ali, managing director at Public First, also noted that fears about unemployment vary. “I think the most interesting thing is it’s actually those with degrees, those who are higher and more educated, who feel that their jobs could be at risk, rather than those who have a high school diploma,” she said. “And I think that’s a really interesting difference to previous changes in the workplace.

“I think the top-ranking job that seemed to be highly automated was computer programmer, so this is a real difference, and it’s a real break with the past. And so it’ll be interesting to see how that develops.”

Bottom line

Because AI is so new, there are limitations to the conclusions that can be drawn from the study, Dupont said.

“This is still very much in the abstract for a lot of people, and this is still the future. Polls are always more accurate when you’re asking people about everyday concrete experiences and things they actually are using on a day-to-day basis.

“It’s very easy to push a polling question or make people say, ‘AI is going to be the most amazing thing in the world or AI is going to be terrifying.’ And I think the general picture is, most people have very mixed views, and they don’t know. And it depends how it’s implemented.”

“A poll is a great snapshot in time,” added Ali. “And we’ve worked really hard to make the findings as robust as possible, but clearly, there are limitations when adoption rates are so low, and there are ways that you can work around that. But this is why it’s a tracker poll. … Who knows where we’ll be in a year’s time.”

The complete study is available on the Public First website.

Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that are capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations. Newsroomhttp://www.blogger.com/profile/[email protected]

Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that are capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations.

A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices by sending specially crafted requests. The vulnerability, tracked as CVE-2024-5035, carries a CVSS score of 10.0. It impacts all versions of the router firmware including and prior to 1_1.1.6. It has&nbsp

A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices by sending specially crafted requests. The vulnerability, tracked as CVE-2024-5035, carries a CVSS score of 10.0. It impacts all versions of the router firmware including and prior to 1_1.1.6. It has&nbspNewsroomhttp://www.blogger.com/profile/[email protected]

The CIA triad '' no relation to the Central Intelligence Agency '' is an information security framework for protecting information. It examines the confidentiality, integrity, and availability of an organization's data, giving users a valuable tool for assessing and implementing systems or finding weaknesses.

A year ago, GoDaddy didn’t have a single large language model running with its backend systems. Today, the internet domain registry and web hosting firm has more than 50, some of them dedicated to client-side automation products while others are being readied for pilot projects aimed at creating internal efficiencies for employees.

The first of the company’s generative AI initiatives was to build an AI bot that could automate the creation of company design logos, websites, and email and social media campaigns for the small businesses it serves. Then, earlier this year, it launched an AI customer-facing chatbot, GoDaddy Airo. With a culture of experimentation, GoDaddy has moved to formalize the way it documents more than 1,000 AI experiments to help drive innovation. Because “innovation without some kind of hypothesis and some kind of measurement is novelty,” said GoDaddy’s CTO Charles Beadnall.

Beadnall has led the GoDaddy engineering team’s pivot to building AI solutions; he spoke to Computerworld about those efforts, and challenges. The following are excerpts from that interview:

Tell us about your AI journey and how others can learn from your experience. “We’ve been focused on AI for a number of years. We’ve used different variants of it. AI’s a big term and it’s got lots of different subcomponents: machine learning, generative AI, etc. But what we’ve been focused on over the past several years is building out a common data platform across all of our businesses, such that we have inputs coming from our different interfaces and businesses so that we can understand customer behavior better. That’s really enabled us, along with a culture of experimentation, to really leverage generative AI in a way that we can measure the benefits to our customers and to our bottom line, and do that in a way that we continue to iterate against it.

srcset="https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?quality=50&strip=all 850w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=300%2C200&quality=50&strip=all 300w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=768%2C512&quality=50&strip=all 768w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=150%2C100&quality=50&strip=all 150w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=252%2C168&quality=50&strip=all 252w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=126%2C84&quality=50&strip=all 126w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=720%2C480&quality=50&strip=all 720w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=540%2C360&quality=50&strip=all 540w, https://b2b-contenthub.com/wp-content/uploads/2024/05/Charles-Beadnall_GoDaddy-2.webp?resize=375%2C250&quality=50&strip=all 375w" width="850" height="567" sizes="(max-width: 850px) 100vw, 850px">

GoDaddy CTO Charles Beadnall

GoDaddy

“We’re all about delivering results, ether to our business and our bottom line or to our customers, and so we want to have a measurable hypothesis or what it is that generative AI will deliver to those. That’s something we’ve been building out over the past several years with common data platforms, a culture of experimentation and now leveraging generative AI in practice.”

How important is it to have measurable deliverables with AI deployments? “Ultimately, if you don’t know what it is you’re going to expect to deliver and have some way of measuring it — it may be successful, but you won’t know that it is. It’s been really important for us to have that controlled A/B test, such that we launch a new feature and measure the results against that. So, if you don’t have some form of data you can measure, whether that’s purchase conversion or product activation or something of that nature…, you won’t really know whether they’re having the intended benefit.”

Do you have to create new data lakes or clean up your data repositories before implementing generative AI? I’ve often heard the refrain, garbage in, garbage out. “There is definitely significant implications here. It’s definitely a concern people need to be aware of. The majority of the quality assurance is being performed by the large language model vendors.

“What we’ve done is built a common gateway that talks to all the various large language models on the backend, and currently we support more than 50 different models, whether they’re for images, text or chat, or whatnot. That gateway is really responsible both for implementing the guardrails…, but also to evaluate the responses back from the LLMs to determining if we’re seeing some kind of pattern that we need to be aware of showing it’s not working as intended.

“Obviously, this space is accelerating superfast. A year ago, we had zero LLMs and today we have 50 LLMs. That gives you some indication of just how fast this is moving. Different models will have different attributes and that’s something we’ll have to continue to monitor. But by having that mechanism we can monitor with and control what we send and what we receive, we believe we can better manage that.”

Why do you have 50 LLMs? “This space is moving at a rapid pace with different LLMs leapfrogging each other in cost, accuracy, reliability and security. The large majority of these are in use in sandbox and test environments with only a very small number currently run in production behind Airo. Some of these will be dropped and never make it to production and others will be deprecated as newer models prove more accurate or more cost effective.”

Can you tell me about this gateway. How does it work and did you build it, or did you get it through a vendor? “It’s something we built and it’s going on a year now. We built it to manage the uncertainty of the technology.

“It started out with our initial push into the space as a way to coordinate among the different LLMs. If you think about it logically, a year ago there was one vendor [OpenAI] but it was clear this was going to be a very exciting space. There were going to be a lot of companies that wanted to get into this space, and so we don’t know who’s going to win. And, I think it’s probably a more nuanced discussion of who’s going to win for what. It may be that one model is better for images and another is better for chat. Still another model is better for text. This is going to evolve in such as way that vendors are going to leapfrog each other. So the gateway is a way for us to be somewhat agnostic to the underlying model that we’re using and adapt quickly in changes to cost and changes in accuracy on that path.”

How did you approach training your workforce on AI, and perhaps more importantly, how did you get them to engage with the technology? “I think that’s been surprisingly easy. We had a business unit that came up with our first use case for it, which is helping customers build content for their site and find the right domain name to put on that site. That’s something that a lot of customers get stuck on initially, because it takes a lot of mental cycles to figure out what domain name you’re going to pick, what content you’re going to put on your site — and if you want to start selling product, you have to create descriptions of those items. So, it’s a customer need that we wanted to address.

“Clearly identifying how AI will help us along a path, that business unit really made it a top priority and surged resources against it to come up with some of our first tests within this space. That really did help the team rally behind it to have that clear, compelling use case. We’re running these tests and getting data back and not every experiment was successful. We’re learning things along the way.

“In some ways, experiments that aren’t successful are some of the most interesting ones, because you learn what doesn’t work and that forces you to ask follow-up questions about what will work and to look at things differently. As teams saw the results of these experiments and saw the impact on customers, it’s really engaged them to spend more time with the technology and focus on customer outcomes.”

Is AI ready for creating real-world products you can sell to clients? Or is it more of an assistant, such as suggesting textual content, checking code for errors, or creating video? “We think it’s definitely ready for prime time. Now, it really depends on what the use case is. This is where I think being able to test in a way you can determine [whether it’s] ready for prime time in this particular usage scenario. But it’s definitely adding value to customer interactions, because it’s a set of steps they don’t need to take, but a majority of our customers are leveraging. There are lots of different use cases. Use cases that require deep expertise, it will continue to get better. If the customer wants assistance in completing something more routine…, that’s certainly a prime candidate for leveraging AI.”

What is GoDaddy Airo? What does it do? “It’s basically the AI enablement of our products and services. It’s our underlying AI technology built on top of our data platform, built on top of our experimentation platform and gateway we’re leveraging against our LLMs. Over time, it may turn into additional new products, but right now we’re focused on it making the products we already sell today that much better. It will evolve over time as we experiment our way into it.”

Do your clients use Airo, or do you use it and offer your clients the AI output you receive? “Basically, as soon as you buy a domain name and website, we’ll jump you directly into that experience. We’ll help you build out a site and if you upload inventory items to it, Airo will fill automatically fill that [textual] description for you. If we can get them from having an idea to having a live business online, that’s our major objective. That’s where we’ll be rewarded by our customers. That’s our focus. We do have a metric we track for improving the customer’s value and achievement. It’s still early innings there, but we are improving our customers’ ability to get their businesses up and running.”

How accurate is Airo? “It think it’s reasonably accurate. We run experiments where we have a threshold of accuracy, which is relatively high. We wouldn’t be promoting something that didn’t have significant accuracy and [was] benefiting our customers. I’d say it’s been surprisingly accurate most of the time. Again, there are permutations where we continue to learn over time, but for the core experience, so far, it’s proven to be more accurate than we would have expected.”

Where did you obtain your LLMs that power the generative AI? “The actual LLMs we’re using…are ChatGPT, Anthropic, Gemini, AWS’s Titan. So, we are leveraging a number of different models on the backend to do the genAI itself. But all the integrations into our flows and products is the work we do.”

What are some of the barriers you’ve encountered to implementing AI within your organization, and how did you address them? “We moved quickly but also thoughtfully in terms of understanding the security and privacy ramifications. That’s the area I’d say we spent a reasonable amount of time thinking through. I think the biggest barriers is having the creativity in deciding where these LLMs can be applied and how do you design the experiments to address those needs? Basically, building out the capabilities. That’s where we spend our time today with a common platform approach, which can then account for the security.

“It’s easy to spend enormous amounts of money without much benefit. So it has to be about those factors as well as the customer’s needs. Balancing those factors has been a major focus of ours.”

What’s next? “The big opportunity for us is leveraging AI in more places across the company — internally as well as to make our employee experiences more effective and efficient. There’s a lot of territory for us to cover. We’re under way in all the different avenues now. We’ve got a lot of activity going on to finalize how we augment these LLMs with our own data for more internal use cases. We’re in the thick of it right now. We’re identifying which pilot projects to launch internally.”

Recently conducted research by Kaspersky indicates an alarming rise in cyberattacks using exploits against Linux systems. Data from Kaspersky Security Network indicates a nearly 130 percent spike in attacks targeting Linux users over the same timeframe last year compared with this quarter's timeframe. Furthermore, 65 percent more CVEs (Common Vulnerabilities and Exposures) were registered over four years, which indicates an increasing trend in Linux vulnerabilities.

Marketplace fraud is nothing new. Cybercriminals swindle money out of buyers and sellers alike. Lately, we’ve seen a proliferation of cybergangs operating under the Fraud-as-a-Service model and specializing in tricking users of online marketplaces, in particular, message boards. Criminals are forever inventing new schemes for stealing personal data and funds, which are then quickly distributed to other scammers through automation and the sale of phishing tools. This article explores how these cybergangs operate, how they find and fool victims, with a special look at a campaign targeting users of several European message boards.

Ways to deceive message board users

There are two main types of message board scams.

1. The first one is when a scammer impersonates the seller and offers to ship an item to the buyer. When the buyer inquires about the terms of delivery and method of payment, the scammer (in the role of the seller) asks for the buyer’s full name, address and phone number, and for online payment. If the victim agrees, they are sent a phishing link to pay for the order (in a third-party messenger or in a dialog box on the message board itself, if the site does not block such links). As soon as the user enters their card details on the fake site, they go straight to the fraudster, who debits the available balance.
   This type of fraud is known as scam 1.0 or a buyer scam, because the attacker poses as the seller to deceive the buyer. It is considered outdated as most message board users are aware of it. Besides, the method involves waiting around for a buyer to take an interest in the item on offer.
2. Alternatively, the scammer can pose as the buyer and deceive the seller by persuading the seller to dispatch the item and collect payment by “secure transaction”. As in scam 1.0, the attackers send a phishing link to the duped seller via a third-party messenger or directly on the message board. The linked page requests payment card details. If the seller enters these, supposedly to receive payment, the attacker debits all the money from the card.
   This is known as scam 2.0 or a seller scam, because the attacker deceives the seller posing as the buyer. This type of scam is more common than the first, since fewer users are familiar with it, so the chances of finding a victim are greater. What’s more, in scam 2.0 the attacker proactively searches for victims, instead of waiting for one to appear, which speeds up the operation.

In both cases, clicking the link opens a phishing site – a near exact replica of a real trading platform or payment service with just one tiny difference: all the data you enter there will fall into cybercriminal hands. Now for a closer look at the scam 2.0 scheme targeting sellers.

How attackers choose their victims

Scammers have several criteria for selecting potential victims. Primarily they are drawn to ads that sellers have paid to promote. Such ads usually appear at the top of search results and are marked as sponsored. They attract scammers for two reasons: first, a seller who pays for promotion is more likely to have money, and second, they are probably looking for a quickish sale.

Besides the sponsored label, attackers look at the photos in the ad: if they are of professional quality, it is most likely an offer from a store. Scammers are not interested in such ads.

Lastly, attackers need sellers who use a third-party messenger and are willing to provide a phone number. This information becomes known only after contact is made.

How the victim is deceived

The main goal is to persuade the victim to click a phishing link and enter their card details. Like any buyer, the scammer opens the conversation with a greeting and an inquiry about whether the offer is still on the table. After that, the threat actor asks the seller various questions about the product, such as its condition, how long ago they purchased it, why they want to sell it, and so on. Experienced scammers ask no more than three questions to avoid arousing suspicion.

Next, the attacker agrees to buy the item, but says they cannot pick it up in person and pay in cash because, say, they are out of town (here the scammer can get creative), and then asks if delivery with “secure payment” is acceptable.

To deflect potential questions from the seller, the scammer explains the payment scheme in detail, roughly as follows:

1. I pay for the item on [name of site].
2. You get a link to receive the money.
3. You follow the link and enter your card details to receive the payment.
4. Once you receive the money, the delivery service will contact you to establish your preferred shipping method. Shipping will already be paid for. The delivery service will pack and document the item for you.

If the victim starts to quibble about the payment method, the scammer simply vanishes so as not to waste time. If the seller wants to continue negotiations on the marketplace’s official website, the attacker concludes they smell a rat and will be unlikely to click the phishing link, and so stops replying and begins the search for a new victim.

If, however, the victim clicks the link and enters their card details, the scammers siphon off all available funds. The price of the item is irrelevant: even if the amount asked for in the ad was insignificant, the attackers will steal whatever they can.

What phishing pages look like

In the scam 2.0 scheme, there are two main flavors of phishing site: some mimic the marketplace with the victim’s ad, others a secure payment service such as Twin. Below is an example of a phishing ad and the original on the official site.

Phishing ad

Original ad

As we see, the scammers have produced a near exact copy of the marketplace interface. The fake page differs from the original only in minor details. In particular, instead of the Inserent kontaktieren (“Contact advertiser”) button, the phishing page shows a Receive 150 CHF button. Clicking this button opens a page with a form for entering card details.

Phishing payment pages

If the original link opens a copy of a secure payment service, the card data entry form appears directly on this page, without additional redirections.

Cybergangs

Recently, whole groups of scammers specializing in message boards have gained widespread notoriety. Practicing both types of fraud (scam 1.0 and scam 2.0), they unite criminal masterminds, support teams, and low-level players.

We carried out an in-depth study of one such gang targeting message board users in Switzerland. Drawing on this example, we will show the internal structure and organization of activities in such structures.

A cybercriminal group may include the following roles:

• Topic starter (TS) is the team’s founder and main administrator.
• Coder is responsible for all technical components: Telegram channels, chats, bots, etc.
• Refunder is a scammer who handles tech support chats on phishing sites. They help coax the victim into entering their card details, which is the attackers’ ultimate goal. The name “refunder” comes from the fact that the victim is directed to such a “specialist” if they are unhappy about the debit and want a refund.
• Carder has the task of withdrawing money from the victim’s bank account. As a rule, having received card data, the carder uses it to pay for various goods, services, loans, etc. The process of paying for purchases with someone else’s card is called carding.
• Motivator provides moral support to scammers. Their task is to make sure the gang remains focused and doesn’t lose heart. The motivator offers podcasts and support in personal messages – a chance to discuss any problems, including personal issues unrelated to fraud. Only large operations have the funds to engage such an “employee”. The motivator works for a percentage of the stolen money.
• Marketer is responsible for ad campaigns and the design and appearance of bots and accompanying materials – mainly on dark web platforms and Telegram channels for scammers. Advertising is needed to attract new workers.
• Worker is a scammer who directly deceives victims: finds ads, responds to them, persuades the victim to follow a phishing link, etc. Workers differ from regular scammers only in that they work for a group and make use of its tools and support. As payment, workers receive the funds they steal, minus a commission. The process of defrauding victims is called work.
• Mentor is an experienced worker assigned to a newcomer.
• Consummator is a woman who encourages a man to buy gifts and scams money out of him. This role is offered to all women who join closed groups where scammers communicate with each other.

Other scammer terms worth highlighting are:

• A trusting user who has already been deceived is called a mammoth.
• The amount of money on the card whose details the victim entered on a phishing website is called logs.
• The amount debited from the victim’s card is called profit.

Groups communicate in closed groups and channels on Telegram, where they search for new workers, support bots for creating phishing links, track clicks on sent links, as well as keep statistics on each case and the profits of individual workers and the group as a whole.

Fraud-as-a-Service

Cybergangs operate under the Fraud-as-a-Service model, in which the main service consumers are workers. Organizers provide functioning services (channels/chats/bots on Telegram, phishing sites, payment processing, laundering/debiting of funds), as well as moral support and “work” manuals. In return, they take a commission from each payment.

Which countries are targeted by message board scams?

Scam 1.0 and scam 2.0 appeared several years ago, and both schemes can still be found on Russian-language message boards. But scams aimed at the Russian segment are considered old-hat among experienced scammers, since Russian users are tuned in to such schemes and there is a high risk that the attackers will be found and arrested. Therefore, scammers are switching to other countries.

The group at the center of our investigation is primarily focused on Switzerland. In their chat, the scammers cite the reason as the lower risk of getting caught and Swiss-based users’ relative unfamiliarity with this type of scam. In addition, before placing ads or responding to them, the scammers get to know the target country’s market and basic facts about it. For example, what languages and dialects are spoken there. This is to address the victim in their local tongue so as to win trust more easily. According to 2023 data, over two-thirds of the Swiss population aged 15 and older are fluent in at least two languages.

The gang under study also operates in Canada, Austria, France, and Norway.

Work manual

We analyzed the instructions that the group gives to new workers and found out how they get started. First of all, on the dark web, the worker buys accounts on message boards, which they will then scour for victims. Attackers buy accounts rather than create them, since registering on sites carries more risks. That done, the worker creates an account in a third-party messenger. This account is used for communication with the victim. Some users themselves ask for a number to make contact via messenger; in other cases, it is the worker who offers it to reduce the risk of getting banned on the marketplace. Virtual phone numbers are used for registration.

The next step is for the worker to find a proxy server that will provide anonymity and confidentiality. When connecting through this, the marketplace sees the server’s IP address and other information, which allows the attacker to hide their identity data. A proxy is generally considered good if the account is not banned immediately after registration. If a worker uses a VPN, for instance, their accounts will get banned very quickly: connecting via VPN entails a frequent change of IP address and geolocation, which is why sites often identify such accounts as bots.

Besides instructions for getting started, the manual contains templates shared by experienced gang members. The novice worker can use the templates to persuade a victim to make a deal or assuage any concerns about the proposed payment method.

The manual also contains instructions on how to bypass restrictions imposed by sites. Message boards are constantly updated to strengthen internal security, so it’s increasingly difficult for workers to use stock phrases in communicating with users. For example, in November 2023, one popular marketplace banned payments through Tripartie, a commonly used platform for secure transactions in Switzerland, and began blocking accounts for mentioning this system in chats. To get around this update, workers deliberately misspell the name Tripartie. More experienced workers use the Cyrillic alphabet to make the name of the payment system unreadable to the site’s security systems.

Monetizing stolen cards

If the seller enters their card details, the worker sends the data to the carder, who withdraws money from the card within the established limits. There are different ways to do this: by purchasing expensive devices, transferring money to an e-wallet such as PayPal, etc. The carder may also try to have a credit or loan issued in the card owner’s name, or open a deposit. To do this, they use online banks that do not require SMS verification. Some institutions may ask for a passport scan, in which case the carder uses passport data that was stolen or taken from people with no fixed abode. Although this data has nothing to do with the card owner, scammers rely on the fact that online banks do not always check that the passport and card belong to the same person.

Fraud automation with Telegram bots

To simplify the job of workers, the group deploys a phishing Telegram bot. This automates the process of creating phishing pages and communicating with victims, as well as tracking the scammers’ progress. The bot’s main page has buttons for creating a phishing link, viewing a personal profile, quick access to the group’s chats and channels, plus settings.

Home page of the bot

Clicking the button to create a phishing page lets the user select a country for which a unique link will be generated.

Button for selecting a region

Next, the worker specifies the name of the item that the victim wants to buy (if the victim is a buyer) or sell (if a seller).

Specifying item name

With this data the bot is able to create a full copy of the original ad, but on the phishing page. In addition, the worker feeds information from the ad (photo, price, description, etc.) into the bot, so that the victim feels like they are on the original page.

After filling in all the data, the bot provides phishing links in all languages for the target country, for all available message boards, and for both scam types (buyer and seller), from which the worker chooses the most suitable.

Selecting the link

Here the scammer can message the victim by email, messenger or text. The contact information is obtained from the target’s profile on the site, or is wheedled out in a private chat.

Selecting actions to perform with the ad

After a successful phishing attack, the worker can view their in-bot profile, which displays personal information: ID, handle, card balance, amount earned by the worker personally and by the group as a whole.

Personal profile data

Also inside the bot, it is possible to make direct contact with a mentor and to earn additional revenue through the “refer-a-friend” scheme.

In-bot tools

What the phishing links look like

The phishing links that the group creates with its Telegram bot are built along the same pattern:

• domain/language/action/ad number

The domain most often contains the full or partial name of the message board that the phishing page imitates, but this is not a mandatory component.

Language information may vary, as it depends on the target country. In case of Switzerland, there are the following options: en, it, fr, de.

The action is what the victim purportedly needs to do: pay for the item or receive payment. This element takes one of two values: pay (if the scammer is posing as a seller) or receive (if as a buyer).

The phishing link always ends in the ad number, identical to the original.

Examples of phishing links

Bot updates

Cybergangs are constantly tweaking and updating their Telegram bots. They add new information useful for workers and expand the arsenal of scam automation tools.

During our observation of the Telegram bot under study, information appeared about the group’s income for different periods: per day and for its entire existence, as well as information about the worker’s income per week and per month.

User profile information

The next update added detailed information about mentors and their workload. In total, the group has five mentors, who oversee more than 300 workers. At the time of posting, the scammers’ group on Telegram had more than 10,000 members.

The most experienced workers with profits in excess of 20,000 euros can become mentors. This involves submitting an application to the head mentor for consideration. Mentors receive a percentage of their mentees’ earnings. The size of the commission is set by mentors themselves, and goes up with experience.

Mentoring system

Besides the modified interface, the way in which links are created was updated, with an expanded list of platforms targeted by phishing.

Platforms for phishing

What happens after clicking a link

The link from the bot points to a phishing site, the address of which may differ from the original by just one letter. The page is a full copy of the original ad, including the site logo and name, price and description of the item of interest.

Phishing ad aimed at deceiving the buyer. For the seller, the page is the same, only instead of a Pay button there will be a Receive button.

When the victim clicks the phishing link, the worker receives a notification in the bot about this activity. The notification prompts the scammer to check if the victim is online (that is, whether they’ve opened the phishing link) and, if necessary, to start a chat. Such notifications are created to simplify the worker’s tasks and speed up the response.

Notification about a phishing link click

When the victim enters card details, the carder immediately uses them, and a notification is sent to the group’s general chat about receipt of a new payment. The message specifies the stolen amount, plus information about how much of it will go to the carder and the worker. The worker’s share is automatically credited to their account specified in the bot settings. The message from the bot also contains the name of the user who pays the worker their profit. This is so that scammers themselves do not get cheated, as there have been cases of workers, under the guise of payment, swindling money out of “colleagues” or asking to borrow a certain sum and not returning it.

Notification of payment

Late in the day, a notification is sent to the general chat about the amount earned by the entire group for the day, month and whole period of operation. The group in question was established in August 2023. It made its first profit 3 days and 17 hours later. Back then, it had 2,675 workers and receipts worth 1,458 USD.

Amount of group payments for February 2024

Profit and statistics

We compiled statistics on the group’s activities for the period February 1–4, 2024, inclusive.

Country Total logs Total profits Canada 1,084.999 CAD 0 CAD Switzerland 50,431.17 CHF 10,273 CHF France 850 EUR 0 EUR Austria 2,900 EUR 0 EUR

In four days, the group earned 10,273 CHF (roughly 11,500 USD). At the same time, from the log amounts, we see the attackers could have stolen over 50,000 USD from Swiss cards alone. Why didn’t they? The main reason is that the carder does not work with logs worth less than 300 CHF (330 USD). This is most likely because total profits received from such logs will be less than the cost of debiting them. Moreover, withdrawing money from a card carries a high risk of detection, so carders are only interested in cards holding large sums of money. Lastly, some victims may have managed to block their cards before they fell into the carder’s hands, or entered incorrect data, which would have impacted the total amount of logs.

Carder limit

Country Number of logs Switzerland 65 France 6 Austria 4 Canada 4

Looking at the number of logs received, we see the most popular country is Switzerland. France comes second. In joint third place are Austria and Canada.

Platforms Number of logs Total profits Facebook 26 0 CHF Post.ch 16 3,887 CHF Tutti.ch 16 2,434 CHF Anibis.ch 11 3,952 CHF

In terms of message boards whose users were scammed, the most popular platforms among attackers were: Facebook, Post.ch and Tutti.ch. That said, logs from Facebook earned no profits for scammers. The most profitable platform was Anibis.ch, which lies in fourth place by number of logs; Post.ch is in second place, and Tutti.ch in third.

How not to swallow workers’ bait

Although message board scams are automated and production-lined, you can take protective measures.

• Trust only official sites. Before entering card details in any form, study the site address, make sure there are no typos or extra characters in the domain, and check when it was created: if the site is just a couple of months old, it is likely to be fraudulent. Safest of all is not to follow links to enter your data, but to type in the URL in the address bar manually or open it from bookmarks.
• When buying or selling goods on message boards, do not switch to third-party messengers. Conduct all correspondence in a chat on the platform. Such platforms typically use fraud protection and forbid sending suspicious links.
• Where possible, refuse payment in advance – pay only when you receive the item in good condition.
• Do not scan QR codes sent from untrusted sources.
• Do not sell goods “with delivery” if the platform has no such option. If the buyer is located in another city, choose a delivery service yourself, giving preference to large, reputable companies.

Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm-0539 that's behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks. "Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate," the company said in its latest Cyber Signals report. "We've seen some examples where

Microsoft is calling attention to a Morocco-based cybercrime group dubbed Storm-0539 that's behind gift card fraud and theft through highly sophisticated email and SMS phishing attacks. "Their primary motivation is to steal gift cards and profit by selling them online at a discounted rate," the company said in its latest Cyber Signals report. "We've seen some examples where Newsroomhttp://www.blogger.com/profile/[email protected]

The transition to the cloud, poor password hygiene and the evolution in webpage technologies have all enabled the rise in phishing attacks. But despite sincere efforts by security stakeholders to mitigate them - through email protection, firewall rules and employee education - phishing attacks are still a very risky attack vector. A new report by LayerX explores the state of