Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including **LastPass**, **MailChimp**, **Okta**, **T-Mobile** and **Twilio**.

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. Image: Amitai Cohen twitter.com/amitaico.

The five men, aged 20 to 25, are allegedly members of a hacking conspiracy dubbed “**Scattered Spider**” and “**Oktapus**,” which specialized in SMS-based phishing attacks that tricked employees at tech firms into entering their credentials and one-time passcodes at phishing websites.

The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.

These attacks leveraged newly-registered domains that often included the name of the targeted company, such as twilio-help\[.\]com and ouryahoo-okta\[.\]com. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.

The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname “**Joeleoli**.”

The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims. Click to enlarge.

That Joeleoli moniker registered on the cybercrime forum **OGusers** in 2018 with the email address **joelebruh@gmail.com**, which also was used to register accounts at several websites for a Joel Evans from North Carolina. Indeed, prosecutors say Joeleoli’s real name is **Joel Martin Evans**, and he is a 25-year-old from Jacksonville, North Carolina.

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was **Twilio**, a company that provides services for making and receiving text messages and phone calls. The group then used their access to Twilio to attack at least 163 of its customers. According to prosecutors, the group mainly sought to steal cryptocurrency from victim companies and their employees.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said **Akil Davis**, the assistant director in charge of the FBI’s Los Angeles field office.

Many of the hacking group’s phishing domains were registered through the registrar **NameCheap**, and FBI investigators said records obtained from NameCheap showed the person who managed those phishing websites did so from an Internet address in Scotland. The feds then obtained records from Virgin Media, which showed the address was leased for several months to **Tyler Buchanan**, a 22-year-old from Dundee, Scotland.

A Scattered Spider phishing lure sent to Twilio employees.

As first reported here in June, Buchanan was arrested in Spain as he tried to board a flight bound for Italy. The Spanish police told local media that Buchanan, who allegedly went by the alias “**Tylerb**,” at one time possessed Bitcoins worth $27 million.

The government says much of Tylerb’s cryptocurrency wealth was the result of successful **SIM-swapping** attacks, wherein crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

According to several SIM-swapping channels on Telegram where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

A still frame from a video released by the Spanish national police, showing Tyler Buchanan being taken into custody at the airport.

Prosecutors allege Tylerb worked closely on SIM-swapping attacks with **Noah Michael Urban**, another alleged Scattered Spider member from Palm Coast, Fla. who went by the handles “**Sosa**,” “**Elijah**,” and “**Kingbob**.”

Sosa was known to be a top member of the broader cybercriminal community online known as “**The Com**,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate networks.

In January 2024, KrebsOnSecurity broke the news that Urban had been arrested in Florida in connection with multiple SIM-swapping attacks. That story noted that Sosa’s alter ego Kingbob routinely targeted people in the recording industry to steal and share “grails,” a slang term used to describe unreleased music recordings from popular artists.

FBI investigators identified a fourth alleged member of the conspiracy – **Ahmed Hossam Eldin Elbadawy**, 23, of College Station, Texas — after he used a portion of cryptocurrency funds stolen from a victim company to pay for an account used to register phishing domains.

The indictment unsealed Wednesday alleges Elbadawy controlled a number of cryptocurrency accounts used to receive stolen funds, along with another Texas man — **Evans Onyeaka Osiebo**, 20, of Dallas.

Members of Scattered Spider are reputed to have been involved in a September 2023 ransomware attack against the **MGM Resorts** hotel chain that quickly brought multiple MGM casinos to a standstill. In September 2024, KrebsOnSecurity reported that a 17-year-old from the United Kingdom was arrested last year by U.K. police as part of an FBI investigation into the MGM hack.

Evans, Elbadawy, Osiebo and Urban were all charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Buchanan, who is named as an indicted co-conspirator, was charged with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

A Justice Department press release states that if convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.

Further reading:

The redacted complaint against Buchanan (PDF)

Charges against Urban and the other defendants (PDF).

Feds Charge Five Men in ‘Scattered Spider’ Roundup

In a sign of the times, a backdoor malware whose ancestors date back to 2005 has morphed to target Linux systems.

Source: Imagebroker via Alamy Stock Photo

Two well-documented Chinese backdoors have recently been modified to operate on Linux systems.

The advanced persistent threat (APT) "Gelsemium" is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace their lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments.

This, experts say, is merely the latest manifestation of a long-brewing trend.

"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back office server needs, both on premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."

**The Wolfsbane & Firewood Backdoors**

The first public sample of the first new backdoor, dubbed Wolsbane, was uploaded to VirusTotal on March 6, 2023, from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia).

Contextual evidence suggests that the malware's authors have been exploiting vulnerabilities in Java Web applications to access public-facing Apache Tomcat servers. And a deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, the Wolfsbane malware was a Linux port of Gelsevirine, featuring a modified Beurk Experimental Unix RootKit to hide its various malicious activities.

Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. An addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit. 

Most interestingly, Firewood appears to be the latest evolution of "Project Wood," a phylum of a backdoor that traces back generations to a program first compiled in January 2005. The latest manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.

**What Explains the Surge in Linux Cyber Threats?**

Cyber threats rise across the board every year, but the particular rise in Linux-based threats stands out. 

Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual "Global Threat Report," Elastic Security has regularly found that the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.

Over the past 12 months, around 32% of malware infections have targeted Linux, according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication. The XZ/Liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.

The rising threats to Linux may be attributable to an increasing adoption of Linux in enterprise environments, as Soroko alluded to, or the generally improving state of Windows security — the explanation ESET went with in its blog post — or an explanation even simpler.

"One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. For example, "A growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search…

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search deals, and restructuring its operations to limit monopoly.

As part of its antitrust lawsuit against Google, the U.S. Department of Justice (DOJ) has proposed major changes that could entirely change the tech giant’s business structure and its role on the Internet.

The DOJ’s latest filing seeks the divestiture of key Google assets, including its Chrome browser, and calls for structural changes that could impact Android and its search operations. Google has strongly criticized the proposals, framing them as a threat to innovation, security, and consumer choice.

****Background of the Lawsuit****

The DOJ first filed its antitrust lawsuit against Google **in October 2020**, accusing the company of abusing its dominance in the search engine market to squash competition. The case focuses on Google’s search distribution agreements with major partners, such as Apple, Mozilla, and smartphone manufacturers, which allegedly back its **monopoly** by making Google Search the default on browsers and devices.

The DOJ argues that these practices harm competition by blocking rival search engines from gaining a foothold in the market. Central to the case is the allegation that Google’s actions prevent fair competition and innovation, ultimately harming consumers.

****What the DOJ Proposes****

Hackread.com analysed the DoJ’s **latest filing (PDF)**. Here’s what the Department has outlined and proposed to end Google’s dominance:

*   **Divestiture of Chrome and Possibly Android**: The DOJ suggests that Google sell its Chrome browser and its Android operating system to limit its control over internet access points.
*   **Search Choice Screens**: The proposal requires Google to implement choice screens, where users select their preferred search engine on devices like Google Pixel phones. This design must be approved by a newly proposed “Technical Committee.”
*   **Data Sharing Requirements**: Google would be required to share search data and innovations with competitors, including foreign companies.
*   **Ban on Default Search Agreements**: The DOJ aims to prohibit Google from entering into agreements with partners like Apple or Mozilla to make Google Search the default engine.

The DOJ has framed these measures as necessary to ensure fair competition and restore balance to the digital marketplace.

****Google’s Response****

In response, Google has strongly pushed back against the DOJ’s proposals, describing them as extreme, radical interventionist agenda, and harmful to consumers. In a **blog post** published November 11, 2024, Google argued that the proposals would:

*   **Compromise Privacy and Security**: Divesting Chrome and Android could lead to increased risks for user data and diminish the security features Google has built into these platforms.
*   **Stifle Innovation**: Google warned that the measures could chill investment in cutting-edge technologies, particularly in artificial intelligence, where the company is a global leader.
*   **Hurt Partners and Developers**: Google claims the proposals would harm partners like Mozilla, whose Firefox browser relies on revenue from Google’s search placement agreements.
*   **Introduce Overregulation**: Google criticized the creation of a Technical Committee with broad powers to oversee its operations as an unprecedented overreach.

Google maintains that its dominance in the search market is due to offering “the industry’s highest quality search engine,” not through unfair practices. The company plans to submit its own proposals and continue its legal battle into the next year.

> DOJ had a chance to propose remedies related to the issue in this case: search distribution agreements. Instead, DOJ chose to push a radical interventionist agenda that would harm Americans and America’s global technology leadership. https://t.co/QslGbUyklR
> 
> — News from Google (@NewsFromGoogle) November 21, 2024

****Industry-Wide Implications****

If the DOJ’s proposals are implemented, the tech industry could see a major change in power dynamics and business practices:

*   **Impact on Browser and Operating System Markets**: Forcing Google to sell Chrome and potentially Android would create opportunities for competitors, but it might also disrupt the user experience for millions who rely on Google’s integrated ecosystem.
*   **Search Market Competition**: Measures like search choice screens could pave the way for smaller search engines to gain traction, but critics argue that such interventions may confuse users and lead to inferior experiences.
*   **AI Development**: Google’s claims about reduced AI investment could have far-reaching consequences for advancements in automation, machine learning, and related industries.
*   **Global Technology Leadership**: The case raises concerns about U.S. competitiveness in technology, as the remedies could weaken one of the nation’s largest and most influential tech companies.

Nevertheless, the DOJ’s proposals mean a straightforward measure to limit one of the most powerful companies in the world, but the battle is far from over. Google has vowed to contest the measures, and the case will likely drag on for months if not years.

This legal battle will also challenge how we balance competition and innovation in the tech world. Its outcome could change how we use technology and online search for years to come.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Google Incognito: New Disclaimer Reveals Data Tracking**
3.  **$4B lawsuit claims Google tracked iPhone users’ activities**
4.  **DuckDuckGo says Google Incognito searches are not private**
5.  **HP Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk**

DOJ Proposes Breaking Up Google: Calls for Sale of Chrome Browser

The Threat Source Newsletter is back! William Largent discusses bidirectional communication in the SOC, and highlights new Talos research including the discovery of PXA Stealers.

Thursday, November 21, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  

 Sounds difficult. Is difficult.    
Sounds difficult. Is easy.   
Sounds easy. Is difficult.     
Sounds easy. Is easy.  

 Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie - you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

**The one big thing **

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

**Why do I care? **

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

**Top security headlines of the week **

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica) 

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it's director Jen Easterly will step down from her position on President-elect Donald Trump's Inauguration Day. (Dark Reading) 

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

**Can’t get enough Talos? **

*   Unwrapping the emerging Interlock ransomware attack 
*   Talos Takes on Interlock 
*   November Patch Tuesday release contains three critical remote code execution vulnerabilities 
*   It's Taplunk! Talos and Splunk threat researchers meet to put the security world to rights 

**Upcoming events where you can find Talos **

 CyberCon Romania

(Nov 21-22)    
Bucharest, Romania 

 Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)    
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR

(Dec 4-6)    
Chennai, India 

 Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

Four of the arrested individuals of the cybercriminal gang, known for hacking MGM and Caesars, are American, all of whom could face up to 27 years in prison for the charges against them.

Source: Gregg Vignal via Alamy Stock Photo

Today the Department of Justice (DoJ) unsealed criminal charges against five individuals who belong to the hacking group "Scattered Spider," which is the cybercriminal group known for recruiting young people and carrying out high-profile cyberattacks, including last year's offensives against MGM Resorts and Caesar's Palace in Las Vegas.

The defendants allegedly targeted employees of companies across the United States via phishing messages, using the harvested employee credentials to log in to systems and steal private company data, including intellectual property, and personal identifying information, such as account credentials, names, email addresses, and telephone numbers. The indictment also says the group gained unauthorized access to individuals' cryptocurrency accounts and wallets, and stole millions of dollars of virtual currency.

Four of the defendants are American, ranging from 20 to 25 years old; the eldest, Joel Martin Evans, aka "joeleoli," of Jacksonville, N.C., made his first appearance in court yesterday after being arrested the day before by the FBI. All four of them are charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft.

The fifth individual, Tyler Robert Buchanan, 22, is located in the United Kingdom and is facing charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

"These individuals, and other actors that they have collaborated with, have caused so much pain and financial harm to organizations across North America through their disruptive intrusions," Charles Carmakal, Mandiant Consulting CTO at Google Cloud, wrote in an emailed statement to Dark Reading. "We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences."

If convicted, each of the defendants would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy, and two years for aggravated identity theft. Buchanan would face an additional 20 years for the wire fraud count.

Scattered Spider Cybercrime Members Face Prison Time

Consolidating endpoint management boosts cybersecurity while keeping an Oklahoma-based nonprofit focused on community mental health.

Source: Everything Possible via Alamy Stock Photo

At the center of community care, a lifeline for mental health is making a lasting impact — strengthened by technology that ensures security without compromising compassion.

Mental-health center Family and Children's Services (FCS), based in Tulsa, Oklahoma, has helped transform the lives of members of its local community with programs to support their well-being, including child abuse and trauma support, as well as counseling for families and those suffering from substance abuse and addiction. The organization is more than 100 years old, serves more than 150,000 people each year, and offers services in more than 50 schools. It also more than doubled its staff in recent years and now has 1,500 employees who provide a variety of services, many that have moved online since the start of the pandemic.

These changes created a challenge for FCS CIO Brent Harris, who was responsible for protecting a rapidly growing organization with a sprawling IT environment and a boom in the number of endpoints in use. At the beginning of the pandemic lockdown in 2020, FCS distributed approximately 2,000 iPads and other devices to clients so that clinicians could offer teletherapy and telemedicine services. That brought the total number of devices that needed to be managed to around 3,500.

FCS was willing to spend on its core mission — serving the community's mental health needs — so most of its headcount growth was in its clinical staff. But Harris still had to manage with the same number of IT staff to keep costs down. Automation was key to solving this challenge.

"We needed a way to automate, to buy back time instead of trying to solve problems with manpower," Harris says. "We try to solve problems with technology."

**Piloting an Endpoint Management Platform**

The IT staff needed visibility into which software packages were on each device and whether the devices were being patched properly. The legacy system in use didn't give Harris the confidence that his team had that insight.

"Devices were on the network that we didn't see, and software was on someone's device that shouldn't be there that we didn't pick up on," Harris says. "Most of the things we found we found manually."

When FCS deployed Tanium as part of a pilot, the endpoint management platform immediately found devices that the legacy system had missed, Harris says. A tragic incident in the community shortly after illustrated the importance of having endpoint management technology with an accurate view of the environment.

"There was an event in our community where there was an active shooter, not at Family and Children's Services, but at a healthcare facility that a lot of us were familiar with," Harris says. "A lot of people in our agency had worked there in the past or had friends there, and so it really hit near home."

FCS needed a reliable employee notification system to ensure that the healthcare provider was prepared if a similar situation were to unfold. FCS was looking for a guarantee that everyone would receive information — such as employee notifications and software updates — pushed out by the system onto their individual devices.

"We would push it out to 1,000 endpoints and then get a report that said 796 of them received it, and we would have to manually go try to figure out where there were gaps," Harris says. "Tanium is far better at doing that. And in this case, you know, it's really life or death. If that scenario were to ever occur, we need to make sure that 100% of the devices on the network have the agent installed and it's running."

A trial run is an essential part of evaluating which technologies to purchase and deploy because it can help illuminate how well the solution meets the organization's needs, Harris says.

"We were able to do a pilot, and we were pretty convinced within a matter of days and weeks, not months, that this tool was going to be a very important part of our technology stack going forward," he adds.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How a Mental Health Nonprofit Secures Endpoints for Compassionate Care

The company gave details for the first time on its approach to combating organized criminal networks behind the devastating scams.

Years into the escalating, multibillion-dollar global crisis of pig butchering scams, social media giant Meta released information for the first time on Thursday about its approach to combating the forced-labor compounds that fuel scam activity on its platforms and across the web.

The company says that for more than two years it has been focused on collaborating with global law enforcement and other tech companies to address the underlying problem of organized crime syndicates driving scam activity in Southeast Asia and the United Arab Emirates.

Meta says that so far this year it has done takedowns of more than 2 million accounts connected to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE. The company has also been collaborating with external experts, including tech companies, NGOs, and coalitions working to counter online scams. As pig butchering scams generate significant revenue for criminals, though, and spread around the world, Meta notes that it has focused on working with law enforcement to directly track criminal syndicates.

“This is a highly adversarial space where we expect well-resourced and persistent criminal organizations to constantly evolve their tactics (both online and offline) in response to detection and enforcement to try and reconstitute across the internet,” a Meta spokesperson wrote in a statement. The company declined to share how many accounts it had removed prior to this year.

Longtime pig butchering researchers say that Meta has been slow to publicly and directly acknowledge the problem and the role its many platforms play in connecting scammers with potential victims. They emphasize that Meta’s services are far from the only platforms that scammers use to reach victims. But platforms like Facebook and Instagram are recognizable and trusted around the world, so it is inevitable, the researchers say, that scammers will gravitate to them. And Meta has warned its users broadly about investment and romance scams.

“I'm glad that Meta is finally starting to talk about this work, but in the research community, we feel like we've been trying to get their attention for a long time and collaborate with them and they often aren't engaging with us,” says Ronnie Tokazowski, a longtime pig butchering researcher and cofounder of the nonprofit Intelligence for Good.

Since roughly 2020, when the earliest pig butchering scams started to emerge, more than 200,000 people have been trafficked and held in compounds—mostly in Myanmar, Cambodia, and Laos—where they are forced to play the role of an online scammer. If they refuse, the criminals who own the scam compounds, which are typically connected to Chinese organized crime, often beat or torture them. People have been trafficked from more than 60 countries around the world—often after seeing online ads promising them jobs that are too good to be true.

The forced scammers are compelled to send thousands of online messages to potential victims around the world on a daily basis. They are tasked with building relationships, often with the lure of friendship or romance, and eventually persuade their victims to send them money as part of lucrative “investment opportunities.” Individually, victims have lost hundreds of thousands of dollars, while the pig butchering criminal enterprises have collectively conned people out of around $75 billion in recent years.

“These scams can start on dating apps, text message, email, social media, or messaging apps, then ultimately move to scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms,” Meta writes in its report. “In addition to disrupting scam centers, teams across Meta are constantly rolling out new product features to help protect people on our apps from known scam tactics at scale.”

Pig butchering scams drive toward financial theft, but they start with either one-to-one cold communication between scammers and potential victims or contact that originates from social media groups or other communal forums. For example, Gary Warner, director of intelligence at the cybersecurity firm DarkTower, says that he tracks thousands of Facebook groups dedicated to luring people into cryptocurrency investment scams as well as groups that purport to be community dating resources where scammers are lurking.

Online moderation of scammers is a difficult and longstanding issue for Big Tech. As is the case with many types of inauthentic content, some pig butchering activity can skirt tech company standards—even when they are doing a large number of account takedowns—because the content isn’t explicit enough to meet the criteria for removal.

"So much of what is on platform is clearly the prelude to pig butchering, but Meta says it ‘doesn't violate community standards,’” Warner says.

Meta emphasizes, though, that in addition to its account takedowns and monitoring for scam activity on its platforms, the company is focused on working to directly combat scam compounds using its policies around dangerous organizations and individuals, as well as wider safety policies.

However, the owners of scam compounds have been quick to adopt new technologies into their operations, partly to make their scamming more efficient, but likely also to evade law enforcement and technology clampdowns. In recent months, researchers have spotted pig butchering scammers using artificial intelligence tools, integrating deepfakes into their campaigns, and using malware to expand their capabilities. For example, scammers are now able to easily generate understandable content in many languages using AI translation tools for both the scripts and messages they send potential victims, as well as job advertisements luring prospective workers into scam compounds.

Meta says one recent scam compound that it took action against, which was targeting Japanese and Chinese speakers, followed a tip from OpenAI threat researchers who had spotted the criminal operation using ChatGPT to translate messages that could be used in pig butchering.

A “cluster” of accounts that all appeared to come from Cambodia were spotted translating and generating comments using ChatGPT, OpenAI spokesperson Liz Bourgeois tells WIRED. The comments generated using AI would be shared on social media and appeared to be linked to scam activity. Bourgeois says OpenAI banned the accounts and reported the social media activity to Meta.

Meta Finally Breaks Its Silence on Pig Butchering

The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell…

The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell stolen credit card information, hacking tools, and more. Learn about the three individuals charged in connection with this operation and how authorities are working to combat cybercrime.

The US Department of Justice (DoJ) has seized and shut down PopeyeTools, a notorious online marketplace that facilitated a wide range of illegal activities, and arrested three alleged administrators of the website.

PopeyeTools was operational since at least 2016, and functioned as a hub for cybercriminals, offering stolen financial data, tools for carrying out fraud, and even tutorials on how to commit these crimes.

The three men charged, Abdul Ghaffar (Pakistan), Abdul Sami (Pakistan), and Javed Mirza (Afghanistan), face up to 10 years in prison each for access device fraud charges levied against them. This move is part of the department’s “all-tools” approach to **combating cybercrime**.

The investigation was conducted by the FBI (Federal Bureau of Investigation). The DoJ’s actions, according to its **press release**, included seizing control of the PopeyeTools website itself, pressing criminal charges against the alleged administrators, and obtaining judicial authorization to seize $283,000 in cryptocurrency from an account controlled by Sami.

PopeyeTools, boasting the motto “We Believe in Quality Not Quantity,” built its reputation by allegedly offering validated stolen credit card information and other tools that facilitated fraudulent transactions. This “quality” came at a price, with individual sets of stolen payment card data and personal information selling for around $30 each.

Its Live Fullz section provided unauthorized payment card data and PII, while other sections included fresh bank logs, leads, scam pages, and guides. To attract members, PopeyeTools promised to refund or replace invalid credit cards and customers could check the validity of bank account, credit card, or debit card numbers offered through the website.

The website catered to a large audience, according to the Justice Department’s press release, selling stolen information to at least 227,000 individuals and generating over $1.7 million in revenue. PopeyeTools even offered customer support, including services to verify the validity of stolen financial data before purchase.

The dismantling of platforms like PopeyeTools is certainly a significant blow to cybercrime activities, demonstrating the DoJ’s commitment to disrupt criminal operations and protect the public from financial fraud.

1.  **WT1SHOP Cybercrime Market Seized**
2.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **SSNDOB Cybercrime Marketplace Seized in Intl. Operation**
5.  **LockBit Ransomware Gang Domains Seized in Global Operation**

Operation Shipwrecked: US Seizes PopeyeTools Marketplace, Charges 3

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing…

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing scheme that netted them millions of dollars in stolen cryptocurrency and sensitive company data.

The United States govemnet has confirmed arresting and charging five individuals allegedly linked to the **Scattered Spider group** (aka 0ktapus and UNC3944). This notorious hacking collective is accused of masterminding a sophisticated phishing scheme that targeted employees across the United States.

The feds unsealed the charges against the five defendants on November 20, revealing a scheme that relied on mass text message campaigns. According to the US Justice Department’s **press release**, investigators identified four defendants the citizens of the United States and one from the United Kingdom.

*   **Joel Martin Evans (25) – United States**
*   **Noah Michael Urban (20) – United States**
*   **Evans Onyeaka Osiebo (20) – United States**
*   **Tyler Robert Buchanan (22) – United Kingdom**
*   **Ahmed Hossam Eldin Elbadawy (23) – United States**

As previously **reported by Hackread.com**, the gang targeted cryptocurrency users and investers along with the Federal Communications Commission (FCC) employees with phishing messages warning them about account deactivation and linked them to phishing websites that resembled legitimate ones.

The group directed recipients to provide confidential information, including login credentials, and sometimes employees were sent two-factor authentication requests sent to their mobile phones.

Once clicked, the links led to phony websites that mimicked real company login pages. Unsuspecting victims, believing they were accessing official company portals, unintentionally gave away their login credentials.

Using this stolen information, the Scattered Spider crew allegedly gained unauthorized access to corporate computer systems. Once inside, they stole a treasure trove of sensitive data, including intellectual property and proprietary information, as well as personal information from hundreds of thousands of individuals, according to United States Attorney Martin Estrada.

The group also, allegedly, used the stolen credentials they also gained unauthorized access to numerous individuals’ cryptocurrency accounts and wallets, stealing millions of dollars’ worth of virtual currency from victim company intrusions and leaked data sets.

It is worth noting that Scattered Spider was also behind the **cyberattack on MGM Resorts** International in September 2023 in which it collaborated with the ALPHV ransomware group, also known as BlackCat.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” stated the FBI’s Los Angeles Field Office’s Assistant Director in Charge, Akil Davis.

Authorities say the group operated from September 2021 to April 2023 and caused significant financial losses, not just to targeted companies but also to individual victims who lost their hard-earned cryptocurrency. It is worth noting that cryptocurrency custodian Fortress Trust lost $15 million in customer funds **due to a phishing attack** on third-party vendor, Retool, supposedly launched by the same group. 

If convicted, the defendants face a maximum sentence of 20 years in federal prison for a conspiracy to commit wire fraud case, up to five years for the conspiracy count, and a mandatory two-year consecutive sentence for aggravated identity theft.

**William Wright**, CEO of Closed Door Security, highlighted Scattered Spiders’ sophisticated tactics in targeting MGM Resorts, including tracking an employee on LinkedIn and exploiting IT helpdesk processes to reset a password. This was followed by an MFA fatigue attack, granting system access. Wright emphasized the need for organizations to test their networks and train employees to counter such advanced social engineering threats.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **Goldoon Botnet Hiy D-Link Devices, Exploits 9-Year-Old Flaw**
3.  **LockBit Ransomware Gang Domains Seized in Global Operation**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**

US Charges 5 Suspected MGM Hackers from Scattered Spider Gang

MIAMI, Florida, 21st November 2024, CyberNewsWire

**MIAMI, Florida, November 21st, 2024, CyberNewsWire**

Halo Security, a leader in external attack surface management and penetration testing, has announced the launch of its new Slack® app, empowering cybersecurity teams to receive real-time alerts on newly discovered assets, vulnerabilities, and other essential security updates directly within the Slack collaboration software.

This new integration allows Halo Security’s customers to seamlessly incorporate important security notifications into their existing Slack workflows, improving response time and enhancing collaboration across security and IT teams. Previously, Halo Security offered Slack alerts through a Zapier integration, but this new, direct integration delivers a more streamlined experience, giving customers greater control with minimal configuration.

Halo Security’s platform offers comprehensive external attack surface management, encompassing asset discovery, risk and vulnerability assessment, and penetration testing in a single, user-friendly dashboard. Built by a team of experienced penetration testers, security engineers, and reformed hackers, Halo Security provides organizations with an attacker’s perspective to help identify and address vulnerabilities. With the new Slack integration, customers are notified as soon as new issues and vulnerabilities are detected, unknown assets or open ports are discovered, and new technologies appear on their websites, helping teams stay ahead of emerging threats without being overwhelmed by irrelevant alerts.

> “Organizations need real-time, customized alerts for emerging security threats, but too many notifications can lead to alert fatigue,” said Ben Tyler, CTO of Halo Security. “Our direct Slack integration is easily configurable, giving customers precise control over which alerts they receive and allowing them to focus on the most critical issues directly within their existing workflows.”

**How to Get Started with Halo Security’s Slack Integration**

Halo Security customers can activate the Slack app today directly from their accounts. New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

Halo Security is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. Users can learn more at halosecurity.com.

Slack is a registered trademark and service mark of Slack Technologies, Inc.

**Contact**

**VP of Marketing**  
**Nicholas Hemenway**  
**Halo Security**  
**\[email protected\]**

Latest News