We give thanks this week to the good people at Interpol along with fraud investigators from 30 countries around the world for bringing us HAECHI-III – a cybercrime busting operation that has resulted in almost 1000 arrests and seizure of approximately $130 million in virtual assets.
HAECHI-III is (as the name suggests) the third iteration of a coordinated law enforcement operation aimed at international cybercrime operations. Almost a year ago to date, we reported on HAECHI-II, which led to a similar number of arrests but only bagged around $27 million of illicit funds. The greater return this time round was a result of targeting voice phishing, romance scams, sextortion, investment fraud, and money laundering associated with illegal online gambling. The cops also leveraged financial experts to help them identify money mules and money laundering activities.
Among the 1600 or so cases closed thanks to the operation was one that involved call center scammers in Austria and India impersonating Interpol officers and duping victims out of over $150,000. Victims of a business email correspondence (BEC) scam in Ireland were also thankful for the return of €1.2 million as one of HAECHI-III’s many successes.
Aside from the arrests and asset seizures, authorities also seized or blocked 2800 bank and virtual-asset accounts linked to financial crimes during the 5-month operation, which ran from June to November 2022.
This week’s bad news concerns users of Amazon, Paypal, Steam and Roblox in 111 countries who are being targeted with info-stealers by Russian-speaking cybercrime gangs.
A new report claims that almost 900,000 devices were infected and over 50 million account passwords stolen by the gangs in the first seven months of 2022. Mainly using info-stealers like Raccoon and Redline, the gangs use Telegram groups as a means to coordinate their criminal activities, including generating malicious content and aiding communication between members.
Info-stealers target caches in browsers like Chrome, Firefox and Edge to steal saved account passwords, bank card details and crypto wallet information from infected machines. The stolen data is then sold on darknet markets or used directly by the cybercriminals themselves for account takeover or online fraud.
According to the researchers, the first seven months of 2022 saw around $6 million worth of data and bank card details stolen by 34 active Telegram groups. The Russian-speaking cybercriminals’ top targets were users in the United States, Brazil, India, and Germany. The most frequently stolen data was PayPal account credentials and Amazon account credentials. However, a five-fold increase in the theft of passwords for gaming services provided by Steam, Roblox and EpicGames was also reported.
Info-stealers typically require some social engineering of the victim – often in the form of downloading and running suspicious software including fake AV software, fake video player or other “software updates”, and free or cracked apps. A recent info-stealer campaign delivering RedLine used a fake version of popular GPU utility MSI Afterburner to infect victims.
Aside from being cautious and avoiding downloading software from unknown sources, users are advised to use password managers rather than storing credentials in browsers and to regularly clear browser cookies.
While we’re on the subject of info-stealers, users of Facebook business accounts have been the targets of a cybercrime campaign conducted through social media site LinkedIn and messaging software WhatsApp, it was reported this week.
A Vietnamese-linked operation dubbed ‘Ducktail’ is believed to be responsible for luring Facebook business account owners into downloading and launching malware capable of stealing credentials and allowing the attackers to hijack their accounts. Facebook business accounts have high privileges and access to the Business Manager panel can give an attacker control over settings, permissions and financial details, including credit card numbers.
The report says that the threat actors behind Ducktail used these compromised accounts to run their own Facebook ad campaigns at the victim’s expense. It is thought that so far the operation has caused around $600,000 worth of losses to businesses.
Initially reported in June of this year, the info-stealing malware used in the operation was delivered to victims via lures on LinkedIn related to brands and products relevant to the victim. In the latest activity reported this week, victims have reportedly also been targeted through WhatsApp and Telegram.
Once the target accepts and launches the Ducktail malware, it steals stored session cookies and interacts with a number of Facebook API endpoints to collect access tokens, 2FA codes, IP addresses and geolocation data that allows the threat actors to impersonate the victim and log in from their own devices. Independent research from Zscaler also identified a phishing campaign last month aimed at the same targets.
Facebook account managers are encouraged to review the roles and permissions associated with their accounts and to follow the recommendations here.