By Deeba Ahmed
Czech Republic Police Expose 'Fake Bankers' Gang in $8.7 Million Vishing Operation.
This is a post from HackRead.com Read the original post: Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

Europol Warns of Growing Vishing Trend as Criminals Exploit Phone Calls for Massive Financial Gains

Ukrainian and Czech police under the supervision of Europol have dismantled a criminal gang that stole millions of dollars from bank customers in Czechia through vishing scams. According to Europol’s press release, the police also arrested ten suspects (aged 18-29) in connection with the multimillion-dollar fraud ring.

A joint investigation was initiated by Europol that led to the arrest of four individuals in Czechia and six in Ukraine in April 2023. Those arrested from Ukraine were later extradited to Czechia.

During the crackdown, investigators seized SIM cards, mobile phones, and computer equipment from the suspects’ vehicles, call centers, residences, and offices located in Czechia (Domazlice, Rokycany, and Plzen) and Ukraine (Dnipropetrovsk). Some of the suspects had a history of drug offences, violent crimes, and document forgery.

The criminal organization, based in Ukraine, conducted vishing attacks against Czech victims. They operated from call centers in Ukraine and called bank customers using spoofed phone numbers, posing as bank security officers. This scamming method is called vishing (created by combining voice and phishing).

The targets were told that their bank account was hacked and lured into revealing their banking data, such as credit card numbers, login credentials, and other details. Scammers also made phone calls pretending to be a police official to confirm the hacking.

After gaining trust, the scammers persuaded their victims to transfer funds from their “compromised” bank accounts to “safe” bank accounts, which the scammers owned. Through these scams, the fraudsters made approximately $8.7 million (€8 million) from victims in Czechia alone.

The Czech Republic police uncovered this scam. In November 2021, they contacted Eurojust to launch an investigation. Europol then formed a joint investigation team in June 2022, comprising Europol’s European Cybercrime Centre (EC3) officials and the Czech and Ukrainian investigators. The agency organized five meetings to facilitate judicial cooperation between the authorities.

The police called the gang’s activities one of the **“most extensive series of frauds committed through fake bankers.”** Currently, Europol is conducting analytical work and providing digital forensic support for the confiscated equipment.

Image via Czech Republic police

Vishing fraud has become more widespread and popular lately. It usually involves someone pretending to be from a reputable organization, institution, or government agency and deceiving people into disclosing confidential, personal data.

The severity of vishing scams is highlighted by the September 2023 incident when the notorious ALPHV (BlackCat) ransomware gang exploited vishing to deceive an MGM Resorts employee, enabling them to breach the company’s security and compromise its network.

To protect yourself from such scams, always be cautious of unsolicited phone calls, note the caller’s phone number, and tell them you will call back and quickly verify their identity by calling the organization.

Don’t believe any caller if they have basic information about you because it could be taken from social media. Lastly, keep your credit/ debit card PIN or online banking password private because bank representatives would never ask for this information.

****_RELATED ARTICLES_****

1.  **Police Dismantle SIM Swapping Gang in Spain**
2.  **48 DDoS-hiring Services Busted by FBI in Major Sweep**
3.  **Cisco Breach – Employee’s Google Account was Hacked**
4.  **The Types of Phishing Attacks and How to Dodge All of Them**
5.  **SpyNote Spyware Using SMS Phishing Against Banking Customers**

Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

By Deeba Ahmed
Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments.
This is a post from HackRead.com Read the original post: Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Google has discovered a new security vulnerability in Intel CPUs that could let attackers execute code on vulnerable systems. The vulnerability has been named “Reptar” by Google and affects numerous Intel CPUs, including those utilized in cloud computing environments.

****What is Reptar Vulnerability?****

Reptar is a side-channel vulnerability tracked as CVE-2023-23583. It allows attackers to leak information from a vulnerable system and use it to steal sensitive data such as credit card numbers, passwords, etc.

The vulnerability was discovered by Google’s Information Security Engineering team, which notified Intel and industry partners about the issue, and mitigations were rolled out before its public disclosure.

****How Was Reptar Discovered?****

According to Google’s blog post, a company’s security researcher discovered it in the way the CPU interprets redundant prefixes, and if successfully exploited, it allows attackers to bypass the CPU’s security boundaries.

For your information, prefixes allow users to change how instructions behave by disabling/enabling different features. Those prefixes that don’t make sense or conflict with other prefixes are called redundant prefixes. Such prefixes are generally ignored.

****How does Reptar work?****

Reptar works by exploiting an issue in the way speculative execution is handled by Intel CPUs. Speculative execution is a technique that allows CPUs to execute instructions before being fully validated. Although this technique is time-saving, it can make CPUs vulnerable to side-channel attacks.

The Reptar vulnerability is a serious risk to multi-tenant virtualized environments, where the exploit causes the host machine to crash on a guest machine, resulting in a denial of service to other guest machines connected to the same host. In addition, it could lead to privilege escalation or information disclosure.

In a multi-tenant virtualized environment, multiple tenants share the same physical hardware, so if one tenant is infected with Reptar, the attacker has access to the other tenants’ data through the same vulnerability.

Aubrey Perin, Lead Threat Intelligence Analyst at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions commented on the issue stating, “Unmitigated, this bug could be serious as an attacker could start testing to see if there is any order to the seemingly random outputs. As it stands, it sounds more like an oddity that could be used to take systems down.”

Mr Perin further explained that “Without reviewing the catalogue of patches, it’s hard to say that it’s atypical of the bugs usually found. In this case, where it can cause crashes, security teams should definitely prioritize the patch implementation to eliminate the risk of failure.”

“Researchers do find vulnerabilities all the time, often for bounty, and it benefits users when responsible disclosure practices are followed. Google is a very good practitioner of responsible disclosure, and you can often find references to the researcher or organization who disclosed the vulnerability in the notes associated with patches,” he added.

****Intel’s Response****

Intel has released an advisory to confirm the issue, explaining that the issue was discovered in some Intel processors caused by an error in the CPU’s handling of redundant prefixes. The company has released a patch for the issue. It was assigned a CVSS score of 8.8 and declared a High-security vulnerability.

This CPU vulnerability impacts several Intel desktop, mobile, and server CPUs., including 10th Generation Intel® Core™ Processor Family, 3rd Generation Intel® Xeon® Processor Scalable Family, Intel® Xeon® D Processor, and 11th Generation Intel® Core Processor Family, and CPUs used in cloud computing environments, etc.

The company is working on a long-term fix. In the meantime, it is advising users to patch their devices immediately.

****_RELATED ARTICLES_****

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **Plundervolt: A new attack on Intel processors threatening SGX data**
3.  **High severity Intel chip flaw left cars, medical, IoT devices vulnerable**

Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

By Deeba Ahmed
The Ddostf Botnet was initially identified in 2016.
This is a post from HackRead.com Read the original post: Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

Researchers claim that the Chinese Ddostf botnet is specifically designed for launching DDoS attacks and that the threat actors are operating a DDoS-for-hire service.

AhnLab Security Emergency Response Center (ASEC) researchers have shared alarming **details** of a new campaign targeting MySQL servers and Docker hosts with DDoS malware.

AhnLab noted that attacks targeting MySQL servers on Windows systems have increased sharply, and vulnerable servers are infected with the Chinese botnet Ddostf, **discovered** in 2016.

Researchers claim that this malware is specifically designed for launching DDoS attacks and that the threat actor is operating a **DDoS-for-hire service**.

According to the AESC blog post, threat actors scan for exploitable MySQL servers. After compromising the servers, threat actors install the Ddostf DDoS botnet to launch distributed denial-of-service (DDoS) attacks against other servers.

**MySQL servers** are a common target in such campaigns because of their widespread use in Windows and Linux environments. Although MS-SQL is a preferred database service for Windows users, MySQL servers are also commonly used on Windows, which makes the systems running them a prime target for cybercriminals.

Based on data from AhnLab’s Smart Defense (ASD) logs, most malware targeting vulnerable MySQL servers were **Gh0st RAT** variants, but instances of **AsyncRAT** were also observed and recently, there’s been an uptick in the use of the Ddostf botnet.

Ddostf is a powerful malware that copies itself with a random name in the %SystemRoot% directory and registers as a service before decrypting the encrypted C2 server URL string to connect to the attackers’ server. It can collect system data and transfer it to the C2 server. Then it waits for specific commands (e.g., SYN, UDP, and HTTP GET/POST floods) to launch the **DDoS attacks**.

The botnet is unique because it can connect to a new address from the C2 server and execute commands there for a limited time. This helps the Ddostf botnet operator to infect multiple systems and sell DDoS attacks as a service. Ddostf can target Linux and Windows systems because of supports both ELF and PE formats and can achieve persistence. 

Attackers first scan for publicly accessible systems using port 3306/TCP and after accessing the server (those with known vulnerabilities or weak credentials), they use brute-force or dictionary attacks on the system.

If the system has signs of poor credential management, attackers can gain access to administrator account credentials. If the system runs an **unpatched version with vulnerabilities**, attackers can exploit them to execute commands without needing these processes. Unlike MS-SQL, which entails direct OS command execution methods, MySQL relies on UDFs (User-Defined Functions) that can allow threat actors to execute commands.

They can also install malicious UDF DLLS on infected MySQL servers and execute commands. Like CLR Stored Procedure WebShell work, these DLLs can provide threat actors complete control of the infected system. In the case of the Ddostf DDoS bot, attackers use the UDF malware as a tool to install it on poorly managed MySQL servers.

Database servers get frequently targeted because of poorly managed account credentials. Administrators must use strong passwords apart from applying the latest patches to protect their servers. Firewalls can be used to restrict access to external actors, and a DDoS mitigation service can help protect against **large-scale attacks**.

****_RELATED ARTICLES_****

1.  **Who Killed the Mozi IoT Zombie Botnet – India or China?**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks**
4.  **How Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
5.  **Chinese Scammers Exploit Cloned Websites in Vast Gambling Network**

Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

By Deeba Ahmed
Yet another day, another instance of a Google service being exploited for spreading malware infections.
This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

According to eSentire, the ALPHV ransomware gang is employing the Nitrogen malware in the ongoing attacks.

Cybersecurity experts at eSentire, a leading global cybersecurity solutions provider, have published details of an ongoing attack campaign from Russian-speaking affiliates of the notorious **ALPHV (aka BlackCat)** ransomware gang.

According to eSentire’s Threat Response Unit (TRU) researchers, key targets in this campaign are public entities and corporations in the Americas and Europe. Over the last three weeks, these affiliates have breached a manufacturer, a law firm, and a warehouse provider within eSentire’s customer network, apart from other firms. However, eSentire’s security research team thwarted and neutralized these attacks.

Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts.

Furthermore, they observed that BlackCat affiliates have expanded their attack tactics substantially to include malvertising. In this campaign, the attackers place **deceptive Google ads** promoting popular software like Advanced IP Scanner, WinSCP, Slack, or Cisco AnyConnect to trick business professionals into visiting certain websites.

In reality, these attacker-controlled websites deliver Nitrogen malware under the guise of authentic software. They lure users by placing malicious ads at the top of search results for keywords relevant to businesses, for instance, ‘ **cloud backup solutions**.’

They can also use the name of a fictional company to lure their targets into clicking on the ads. These cyberattacks seem to be part of a larger campaign involving malicious ads for WinSCP placed on both Google and Bing search results by ALPHV/BlackCat affiliates.

“The malvertising attacks they shut down in the past three weeks on behalf of the law firm and manufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat Ransomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the ALPHV/BlackCat ransomware” eSentire’s **blog post** revealed. 

Nitrogen is an initial-access malware **discovered** in June 2023. It uses obfuscated Python libraries and DLL sideloading to evade detection and hide its attack path after infection.

After getting installed, it lets attackers gain a foothold in the targeted entity’s IT environment. Attackers can then infiltrate deeper and launch malware of their choice. In the ongoing campaign, victims are typically infected with ALPHV/BlackCat ransomware, eSentire TRU’s senior threat intelligence researcher Keegan Keplinger noted.

For your information, the ALPHV/BlackCat ransomware gang is known for its $100 million **MGM Resorts breach**. Its attack tactics have evolved from experienced ransomware operators such as the Colonial Pipeline attack fame **DarkSide**, REvil, and BlackMatter. Some of its prominent affiliates include Scatted Spider, FIN7, and UNC2565. 

The BlackCat/ALPHV ransomware presents a significant threat to businesses and unsuspecting users. The severity is underscored by the FBI’s release of Indicators of Compromise (IoC) **last year** (PDF).

Considering that ransomware operators are now exploiting **social media and Google Ads** to reach a wider audience, business owners should remain cautious of unexpected ads or too-good-to-be-true offers.

Always verify the legitimacy of the company offering the ad before clicking on it. Never download software from unknown/unverified sources, and use a reputable anti-malware program.

****_RELATED ARTICLES_****

1.  **Hackers use Google Ads to steal $50 million of Bitcoin**
2.  **Google Ads Malware Wipes NFT Influencer’s Crypto Wallet**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Fake Brave browser website dropped malware, thanks to Google Ads**
5.  **Ad-blocker Chrome extension AllBlock injected ads in Google searches**

ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

By Waqas
Apart from displaying these messages, the packages performed no other actions. This indicates that these aren't malicious per se.
This is a post from HackRead.com Read the original post: New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine

Protestware is a controversial form of activism. Some people believe that it is a necessary evil to draw attention to important issues. Others believe that it is a harmful and unethical practice.

Cybersecurity researchers at ReversingLabs, a prominent software supply chain security provider, have discovered a new wave of Protestware involving **npm packages** hiding scripts that bring attention to the humanitarian crisis in two conflict-ridden regions- Ukraine and the Gaza Strip.

Reversing Labs’ cyber content lead and blog author, Peter Roberts explained that protestware is a unique kind of cyberactivism in which the actor utilizes the ‘open-source software ecosystem’ to record protests against social or political issues. They embed code into the software, which, when installed or used, triggers a message or other action that draws attention to the protestware developer’s cause.

“Application developers conceal political messages inside open source code, often designing it to display to the user after an application is installed or when it is executed,” the **blog post** read.

The same method has been used to call attention to the wars in Ukraine and Gaza. Protestware developers have created software that displays messages condemning the violence. 

In the latest campaign, two different protestware samples were found by researchers. The first one used a popular Node.js package manager npm version, **e2eakarev npm package**, version 7.1.0, published in late October 2023, by an npm user, ‘~updater.downloader.’ It claims to be a ‘free Palestine protest package,’ and has been downloaded eight times so far.

ReversingLabs researcher Lucija Valentić discovered that after installation, this package triggers a postinstall script (index.js) that first checks the location where it is launched. If it is Israel, the package displays an English-language message in the terminal, urging the reader to raise awareness for the ‘Palestinian struggle,’ support the “Boycott, Divest, Sanction (BDS) movement,” and donate to humanitarian aid. The message bears the sign “The Anonymous Protestor.” 

Another package, dubbed “@snyk/sweater-comb”, was discovered, version 2.1.1. This npm package was released in August 2023 by Snyk and included a common JavaScript library module called “es5-ext” (already used in many other applications, including Signal Messenger’s installation executable for Windows). The protestware feature was added to this package in early March 2022, as per Checkmarx’s **report**.

Screenshot: ReversingLabs

When installed, the module executes a postinstall script ‘\_postinstall.js’ that first checks the host device’s geolocation. If it is Russia, a message in the Russian language is displayed urging for peace in Ukraine. 

Tomislav Peričin, Chief Software Architect at ReversingLabs, expressed concern over the rising vulnerabilities and software supply chain attacks, stressing that political messages could escalate over time.

> _“The risks that developers and software consumers face have never been higher, including political messages. Having software perform random acts of political activism does little for the specific cause. But it does decrease the private sector’s already shaky trust in software.”_
> 
> Tomislav Peričin

Referring to the worldwide condemnation of the **Russian invasion of Ukraine**, and the resulting sanctions imposed on Russia, the message encourages readers to download the Tor browser or visit a webpage to circumvent censorship. 

Apart from displaying these messages, the packages performed no other actions. This indicates that these aren’t malicious per se.

Protestware may appear similar to ethical hacking, but it does highlight the persistent nature of risks associated with the open-source software ecosystem. Threat actors can easily manipulate users by exploiting popular applications in the name of protestware.

****_RELATED ARTICLES_****

1.  **Does Hacktivism Really Equal Terrorism?**
2.  **Anonymous hacked Russian TV with Ukraine war footage**
3.  **Anonymous sent 7m texts to Russians, hacked 400 security cams**
4.  **Ukrainian Hacktivists Trick Russian Military Wives for Personal Info**
5.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**

New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine

By Waqas
The data breach does not include passwords or financial data.
This is a post from HackRead.com Read the original post: Samsung Data Breach: Hackers Steal Data of UK Customers

As per Samsung, the data breach was a result of a vulnerability in a third-party business application.

Samsung has notified its customers in the United Kingdom that a data breach has exposed the personal information of thousands of individuals. The breach impacted customers who made purchases on the company’s UK online store between July 1, 2019, and June 30, 2020.

The company discovered the breach on November 13, 2023, and determined that an unauthorized individual exploited a vulnerability in a third-party business application to access customer data. Samsung has not disclosed the identity of the hacker.

The affected personal information may include names, addresses, phone numbers, and email addresses. Samsung has assured its customers that financial information and passwords were not accessed in this breach.

The email from Samsung to the impacted user said, “On 13 November 2023, it was determined that an unauthorized individual exploited a vulnerability in a third-party business application we use and that some personal information of certain customers who made purchases on SEUK’s eCommerce site between July 1, 2019, and June 20, 2020, was affected.”

Email sent by Samsung to UK customers – Screenshot: Michael Valentine @KwyjiboUK – via X (Twitter).

It’s worth noting that Samsung confirmed to Hackread.com that only its UK customer base was affected by the data breach. Users in the United States, Canada, South Korea, and elsewhere have no cause for concern.

Samsung has reported the incident to authorities, including the UK’s Information Commissioner’s Office, responsible for enforcing the UK General Data Protection Regulation (UK GDPR).

This data breach is separate from the one that Samsung announced in September 2022, impacting only the company’s US customers. The incident resulted in the breach of private user data, including names, dates of birth, product registration data, demographic information, and contact numbers.

The latest announcement is not an isolated incident. Samsung has a history of being targeted by hackers due to its large-scale customer base, with over 992.4 million active Samsung smartphone owners in 2020. Previously, the South Korean technology giant was hacked by Lapsus$ hackers, who leaked the company’s source code online in March 2022.

Nevertheless, the latest Samsung data breach announcement is a reminder of the importance of protecting personal information. Consumers should take steps to protect themselves from identity theft and fraud, such as using strong passwords, avoiding phishing scams, and regularly reviewing their financial statements.

****_RELATED ARTICLES_****

1.  **Research claims Samsung Galaxy Store apps spread malware**
2.  **Hackers can hijack Samsung phones by knowing phone number**
3.  **Hackers used Samsung website to access Sprint’s customer data**

Samsung Data Breach: Hackers Steal Data of UK Customers

By Deeba Ahmed
The vulnerabilities were discovered by cybersecurity researchers at Bitdefender.
This is a post from HackRead.com Read the original post: Google Workspace Vulnerabilities Lead to Network-Wide Breaches

Bitdefender informed Google of validated attack methods, but the tech giant won’t address them, citing misalignment with its threat model and confidence in existing security measures.

Bitdefender Labs, a Native XDR platform, has released its findings on novel attack techniques exploiting Google Workspace (formerly G Suite). According to Bitdefender’s technical report authored by Martin Zugec, threat actors can escalate a single compromised machine into a network-wide breach using previously unknown methods, leading to the deployment of ransomware or data exfiltration.

Researchers found the issues when developing their XDR sensor for Google Cloud Platform (GCP) and Google Workspace. The report, published on 15 November 2023 and shared with Hackread.com ahead of publication, highlights different pathways to achieve this escalation.

Researchers noted that from a single compromised machine, attackers could move laterally to multiple cloned machines with Google Credential Provider for Windows (GCPW) installed, evade multi-factor authentication mechanisms, and access the cloud platform with custom permissions. They can even decrypt locally stored credentials used to recover passwords to expand their attack scope beyond the Google platform.

For your information, GCPW enables remote Windows device management features without requiring a VPN connection or domain registration. It allows SSO (single-sign-on) authentication to Windows OS with Google Workspace credentials.

The GCPW uses a local ‘Gaia’ service account to authenticate users with Google Workspace credentials. This account is created when GCPW is getting installed and has escalated privileges.

The feature integrates a Credential Provider into the Local Security Authority Subsystem Service (LSASS) that performs authentication in Windows OS. This Credential Provider verifies user credentials when they unlock or log into their devices.

When a new user authenticates with GCPW, the created ‘Gaia’ account creates a new local user account for them, which is linked with their Workspace account. The user logs in using this local profile, and a refresh token is stored in their profile to prevent multiple authentication prompts.

Let’s examine the attack methods Bitdefender researchers have identified in their blog post.

****Method 1: Moving to other cloned machines with GCPW installed****

It is worth noting that the ‘Gaia’ account is created with a random password, and therefore, despite existing on all machines, each will have a unique password for ‘Gaia.’ But if a machine is created by cloning another one on which GCPW is already installed, the password would also get cloned. So, if one knows the password of a local account and all local accounts linked with the devices share the same password, one will know passwords to all these devices.

****Method 2: Gaining access to the cloud platform with custom permissions****

An adversary can exploit a vulnerability in GCPW to access the GCP with custom permissions by using the ‘Gaia’ service account and creating a service account key with custom permissions. They can use the key to authenticate with GCP.

****Method 3: Decrypting locally stored passwords****

Attackers can use the ‘Gaia’ service account to decrypt locally stored passwords using the account’s access to the Windows Credential Manager. They can use the stored credentials to authenticate with other services or applications.

These attack methods allow escalation of compromise from a single endpoint to an entire network.

Bitdefender notified Google, and the search engine giant confirmed that their discovered attack methods were valid. However, the company does not intend to address them at the moment because they do not fall into its predetermined threat model, and security measures should be enough to counter them.

Bitdefender has included detections for the attacks in GravityZone XDR to help the security community address them.

****_RELATED ARTICLES_****

1.  **Google Account Sync Vulnerability Exploited to Steal $15M**
2.  **Google Indexed Trove of Bard AI User Chats in Search Results**
3.  **Hive Ransomware is now as Hunters International, Bitdefender**
4.  **Phishers Exploiting Google Docs to Harvest Crypto Credentials**
5.  **Fantom Foundation Suffers Wallet Hack Via Google Chrome Flaw**

Google Workspace Vulnerabilities Lead to Network-Wide Breaches

By Waqas
Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.
This is a post from HackRead.com Read the original post: Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

The large-scale scam campaign has been ongoing for at least two years, and the cloned websites are still operational.

Online gambling is a booming industry, and the Asia-Pacific region has become the hub of gambling in the world, with China and India leading the way. However, this unexpected rise has led to a sharp incline in illegal activities such as money laundering, online scams, and fraud.

In October 2023, Hackread reported a scam campaign discovered by CloudSEK involving Chinese scammers targeting the Indian digital payment system using illegal instant loan apps. Now, an even bigger scam has come to the fore.

According to Qurium Media, a Swedish nonprofit provider of digital security solutions, Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites.

It all began when MindaNews discovered a Chinese clone of their website and promptly notified Qurium. For context, MindaNews is a Philippine newspaper headquartered in Davao City and serves as the news outlet for the Mindanao Institute of Journalism.

MindaNews’ clone (mmart-inn.com) was registered in China. It had been replicating the newspaper’s content (news, photos, opinion pieces) illegally after translating it into Chinese for the past two years, the most recent translation being of content from February 2023.

Original MindaNews website (left) – Fake MindaNews website (right) – (Credit: Qurium)

“Some MindaNews authors were retained in their English names, while others were translated into Chinese. However, in general, the content is the same when translated to English,” explained MindaNews in its blog post.

The company dug deeper and found more than 500 cloned websites, many of which were of academic institutions, and all were promoting gambling services based in China. 

It is important to note that in August 2023, the Chinese APT group Bronze Starlight was reported to be using stolen Ivacy VPN certificates to sign malware targeting the Southeast Asian gambling sector. However, as of now, it remains unclear if that attack campaign was related to the ongoing website cloning attack.

The cloned websites were hosted on two /24 networks operated by the US-based, Eonix Corporation-owned ServerHub and included websites from public libraries, universities, and private businesses.

All the clones were created in September 2021 and promoted a gambling platform called ‘188bet’ (520xingyun.com/from/188bet.php) through advertisements.

These ads contained a physical address in the Isle of Man, where many other gambling firms (including Kaiyun, BetVictor, Raybet, or Manbetx) were already registered. A website 520xingyun{.}com was hosting a large number of such ads.

Moreover, all the companies were registered in July 2021 through the domain registrar Gname.com Pte. LTD, employing a white-label partnership with TGP Europe and Cube Limited. Both Cube Limited and 188bet have affiliations with the Isle of Man.

These companies served as intermediaries from Asian gaming partners. Further probing revealed that TGP Europe was based in the UK and was found guilty of social responsibility failures and anti-money laundering.

Campaign overview (Credit: Qurium)

According to Qurium’s report, Gname was involved in different WIPO cases of domains used for ads. It is worth noting that 188bet has officers in Makati, Philippines, which is a standard practice. 

> _“These Chinese gambling companies are often headquartered in nearby nations like Vietnam and the Philippines due to the fact that gambling is banned in China.”_
> 
> Qurium

So far, ServerHub has not taken any action against the client for cloning hundreds of websites, as it is still investigating the claims. As the report develops, Hackread.com will monitor the situation and provide updates to readers accordingly.

****_RELATED ARTICLES_****

1.  **Domain Squatting and Brand Hijacking: A Silent Threat**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Chinese APT spying on Vietnam military with FoundCore RAT**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store**

Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

By Waqas
Domain squatting can lead you to malicious websites, and it might be too late to realize what actually happened.
This is a post from HackRead.com Read the original post: Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises

While domain squatting opens the door to brand hijacking, it also exposes unsuspecting users and businesses to critical cybersecurity threats including phishing and malware attacks.

Domain squatting, often known as cybersquatting, involves the registration or use of a domain name to profit from a trademark belonging to someone else. For instance, a squatter might register a misspelt version of a well-known brand’s URL to misdirect their traffic – For instance, It is Google.com, not ɢoogle.com.

Similarly, brand hijacking is a form of online piracy in which an entity masquerades as a reputable brand to deceive its audience, damaging brand credibility and customer trust. According to Mimecast’s 2022 report on email security, 46% of the businesses it surveyed reported a rise in online brand spoofing and impersonation, with an average of ten incidents in 2021.

In this article, we’ll dissect these digital threats and explore strategies businesses can adopt to combat domain squatting and brand hijacking, safeguarding their online reputation.

**Understanding Domain Squatting and Brand Hijacking**

Domain squatting entails registering or buying domain names that are strikingly similar to a popular brand, intending to profit from their trademark. The squatter can create a website that visually mimics the legitimate brand’s site or can simply sit on the domain, hoping to sell it back to the rightful owner for a hefty price.

On the other hand, brand hijacking is a more deceptive practice. It involves the impersonation of a legitimate brand online to dupe users into believing they are interacting with a genuine brand. This could include creating cloned websites, leveraging phishing emails, or even exploiting social media.

Interestingly, these two practices often intersect. A domain squatter might employ brand hijacking by creating a spoofed website on the squatted domain. This synergistic exploitation escalates the damage, with the potential to tarnish the brand’s image, manipulate its customers, and eventually damage its revenue.

****The Impact of Domain Squatting and Brand Hijacking on Businesses****

The repercussions of domain squatting and brand hijacking are far-reaching and deeply damaging for businesses. Domain squatting diverts potential customers to counterfeit sites, causing a significant loss of business.

Moreover, it can inflict severe damage to a brand’s reputation as customers often struggle to differentiate between the authentic website and the squatted domain. Companies are forced to spend extensively on damage control and may also experience a drop in their SEO ranking due to the diluted web traffic.

Brand hijacking is an even greater threat, causing not only an immediate loss of customer trust but also a significant revenue dip. The legal costs associated with fighting these digital imposters can be hefty. Additionally, such attacks may lead to data theft and security breaches, increasing the potential financial burden.

These fraudulent practices can cause severe brand dilution, leading to loss of trust, which is critical for brand loyalty and growth. As Amber Johanson, Mimecast’s SVP of Global Sales Engineering, stated in an interview, “While it can take years to build strong levels of trust among your customer base, that connection can be destroyed in a matter of seconds by a single spoofed email.”

****Fighting Against Domain Squatting and Brand Hijacking****

Here are some strategies and preventive measures that businesses can rely on to prevent or limit the damage caused by these attacks:

Domain Authority, or DA, is a predictive measure by Moz that suggests a website’s likelihood of ranking on search engine results pages (SERPs). It takes into account several factors such as website age, and the quality and quantity of inbound and outbound links.

On the other hand, a backlink profile is a comprehensive catalogue of all the sites that direct web traffic back to your website, essentially serving as an indicator of your website’s credibility and influence.

Keeping an eye on these key factors is crucial, as any unanticipated shifts in DA or an upsurge of low-quality or unrelated backlinks could be warning signs of an imminent brand hijacking.

Moz, a well-known SEO tool, provides in-depth tools that enable businesses to scrutinize these vital metrics meticulously. By offering features such as DA measurement and comprehensive backlink analysis, Moz equips businesses with the necessary insights to constantly monitor the well-being of their websites.

Source: Moz

This enables quick identification and rectification of any aberrations brought on by possible hijacking or squatting attempts, thereby preserving the integrity of the brand’s online presence.

****2\. Getting Digitally Certified****

Digital certification or authentication is the process of validating the legitimacy of your brand’s online assets. In an era where mimicry is increasingly rampant, having verified digital credentials can help distinguish your brand from counterfeit replicas, instilling a sense of trust among your customers.

In the context of domain squatting and brand hijacking, getting digitally certified can serve as a proactive security measure. It equips your brand with an authenticated digital identity, which is not only difficult for hijackers to replicate but also easy for your customers to recognize.

Memcyco, a real-time website impersonation platform, offers brand protection solutions for businesses to protect themselves from impersonation attacks. Their suite of offerings includes real-time monitoring and alerting against website impersonation attempts, and warnings for customers when they unknowingly access fraudulent versions of a brand’s website.

Source: Memcyco

When it comes to digital authentication, Memcyco provides a digital watermark that reassures visitors of the site’s genuineness, fostering trust and safety. 

By investing in such preventive measures, your brand can keep a step ahead of fraudsters, fortifying its digital presence against the threats of hijacking and squatting.

****3\. Brand Monitoring****

Brand monitoring, in essence, is the continuous surveillance of your brand’s online presence to identify and respond to unauthorized brand mentions, feedback, and possible threats. This involves tracking social media interactions, online reviews, blog posts, and various other digital touchpoints to gain insights into your brand’s image.

This process helps you promptly identify unauthorized uses of your brand name or logo, counterfeit websites, or illegitimate advertisements. Doing so, enables you to respond swiftly and potentially prevent these impersonation attempts from causing significant damage to your reputation or customer trust.

****4\. Educating Your Audience****

In the battle against domain squatting and brand hijacking, consumer education can be your most potent weapon. By educating your customers to distinguish between, or to even be aware of, your authentic digital assets and fraudulent replicas, you can significantly reduce the efficacy of such cyber attacks.

Document360, a knowledge base management software, allows you to create and manage a custom knowledge base where you can share essential information about your brand and provide educational content on how to identify and report potential fraud attempts.

Source: Document360

It supports a variety of formats, including FAQs, tutorials, and guides, providing an interactive platform for your audience to learn and stay updated. This proactive step can significantly help in maintaining your brand’s integrity and customer trust.

**5\. Developing a Robust PR Strategy**

The significance of a well-planned public relations (PR) strategy can’t be understated when it comes to fortifying your brand identity and fostering trust among your audience. It allows you to maintain a consistent brand narrative and showcase your brand’s values, which in turn builds credibility and rapport with your audience. 

An effective PR strategy consistently communicates your brand’s true message and spreads awareness about the precautions taken to safeguard customer information, keeping your audience informed and alert. This can substantially reduce the chances of them falling prey to fraudulent attempts that impersonate your brand.

****6\. Taking Legal Actions****

Understanding and staying up-to-date with applicable laws is an effective strategy to combat domain squatting and brand hijacking. One such key legislation is the U.S. Anticybersquatting Consumer Protection Act (ACPA) from 1999. This law grants rights to trademark owners, enabling them to bring a lawsuit in federal court against parties who maliciously register or use a domain name mirroring their brand.

Essentially, ACPA addresses those bad actors who exploit trademarks with a calculated intention to profit through registering, using, or trading domain names that could be mistaken for established or well-known brands.

****Wrapping up****

The menace of domain squatting and brand hijacking significantly undermines the stability of businesses by attacking their brand reputation and customer confidence. The first line of defence lies in comprehending the intricacies of these unscrupulous practices and their subsequent effects.

By integrating the above-mentioned measures into your cybersecurity strategy, you can secure your digital assets and decisively counter the stealthy peril of domain squatting and brand hijacking.

Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises

By Waqas
Casio's data breach exposed a well-known secret: no one is immune to cyberattacks - It also exposes the highly vulnerable state of databases.
This is a post from HackRead.com Read the original post: Lesson from Casio’s Data Breach: Why Database Security Still a Major Challenge for Businesses?

Database security is difficult because of the large volume of attacks, zero-day exploits, human errors, and the need for continual management of security tools.

On October 12, Japanese electronics maker Casio was the victim of a data breach. A bad actor obtained files containing sensitive information from 91,921 customers in Japan and 35,049 users from 148 other countries from which the company operates. 

The compromised database belonged to a company’s educational platform known as ClassPad. Therefore, those affected were both individuals and educational institutions.

Some of the files that hackers stole amid the breach contained sensitive information such as names, email addresses, payment methods, purchase information, and regions of residence.

Cybercriminals were able to breach the company due to the weakness in its database, later discovered within the development environment.

The company is currently investigating the attack, strengthening the security of its databases, and dealing with the aftermath of the breach.

For Casio, this marks the second major data breach of this year. In August 2023, the hacker dubbed Thrax stole and leaked 1.2 million pieces of customer data. Casio’s data breach is one of many that happened this year.

The truth is, any company can be the victim of a data breach — regardless of its IT resources, size, or whether it already has been the victim of an attack. Nothing makes a business 100% immune to potential data compromise.

Aware of the possible reputational and financial consequences of a data breach, businesses already invest a lot in security to protect one of their most important assets — data. However, the number of compromised databases remains high. Why is database security still a major struggle for companies nowadays?

****Human Errors at the Heart of Most Attacks****

To compromise the database as it happened to Casio, the hacker needs to gain initial access. In their case, the mistake happened due to operational errors within the development environment.

That oversight allowed hackers to get into the database of the educational platform. 

For most companies, the culprit of a data breach is a human mistake. It’s estimated that 95% of data breaches can be attributed to it. That is, nine out of ten data breaches happen because of human error. 

Some common ways database breaches result from human errors are:

*   Poor password practices — weak and reused credentials or password sharing
*   Deleting or corrupting the records — by accident
*   Falling for phishing schemes — clicking on the link or sending credentials to the threat actor

General workforce and phishing schemes are usually highlighted when the topic of human errors and data breaches is discussed. However, anyone can make a mistake, from developers and security experts to those working in finance or marketing.

****Large Volumes of Cyber Attacks that Compromise Data****

Over the last couple of years, businesses have been up against more data breach attempts than ever before. As mentioned, Casio had been the victim of two major data breaches within the last couple of months alone.

With a larger volume of cyberattacks that attempt to compromise data, there is a higher chance that a human mistake will result in stolen data. And that vulnerability that hasn’t yet been discovered by the company will be exploited in the attack.

We’ve already read about a lot of data breaches in the news. But keep in mind that these are only the highlights.  Many hacking incidents and data compromises go unreported.

Not every company in every sector and every country has to disclose a breach. It depends on its severity and whether they have to notify the users that their personal data has been exposed in the breach.

Since not all companies disclose a breach, their users can be at greater risk of being a victim of further data theft, phishing attempts, and even identity fraud.

****Data Protection Seeks Continual Management****

As with any other cybersecurity system, database security processes and tools have to be continually managed and improved. This is another major factor that makes data security challenging for companies — where should they even start?

For example, this could mean a company has to continually update access to protect the databases of a business. 

Suppose an employee changes their role within the company or is no longer a part of the team. Their user access has to be revoked or changed to fit the new role as soon as possible.

Then, there are flaws within the software environment. Companies need to patch them up regularly to prevent databases from being accidentally exposed in an attack.

In Casio’s case, the network security settings within the development area have been disabled. This weakness, discovered too late, opened the doors to hackers.

****Shortage of IT Professionals****

Another factor that makes database security challenging is the lack of professionals within IT and cybersecurity who specialize in data security and cybersecurity. They regularly manage the security and keep the hacker far away from the databases.

Companies that have fewer professionals are at a heightened risk of errors because those who do stay in the company have to take up large workloads. There is also more pressure and stress within understaffed and overworked IT departments.

True, in this year, there has been a surge of layoffs within the tech industry. However, IT workers also leave their jobs due to stressful environments, insufficient compensation, and lack of opportunities to grow and develop within their roles.

****Database Security Is a Work in Progress****

One vulnerability within the database is enough for the hacker to compromise the data of hundreds or even billions of sensitive user records.

The severity of financial as well as reputational damage depends on the flaw that a hacker could have exploited and how skilled is the threat actor.

While there is no one ultimate solution for reducing the chance of a data breach to zero, what most companies can do is prioritize the protection of sensitive databases.

Also, they should continually strengthen database security — and seek vulnerabilities that could lead to data breaches, such as those that affected Casio this year.

1.  **Casio China Hacked, 150,000 user accounts leaked**
2.  **Casio Electronics Taiwan Website Hacked by SaMuRai Hacker**
3.  **Human Error: Casio ClassPad Data Breach Impacting 148 Countries**
4.  **Sony Data Breach via MOVEit Vulnerability Affects Thousands in US**
5.  **Okta Breach Linked to Employee’s Google Account, Affects 134 Customers**