thewayne: (Default)
So first a little talk about version numbers. A program carries a version number that ties the shipped build to the source code that produced it. That lets the vendor patch specific versions, roll back to a known-good point, and merge fixes for problematic code back into the known-good line. The numbers are incremented as the code continues to be written. I'm not going to provide examples of what version numbers look like as they vary from company to company.

I don't understand it completely, but something got screwed up with Microsoft's version numbers, some sort of crossover happened, and the net result is that on some Windows 10 systems a number of components quietly went unpatched for several months this year. Thus, today's patch dump updates a lot of stuff going back literal months. Some of the bugs that were reopened this way have been exploited, so this is important! The Krebs article has more information as to which systems and components were affected by this problem.

There are also updates for Windows 11, Krebs does not mention any exploits going on for that OS.

Also, Adobe patched their core products, but says there were no known exploits going on.

https://krebsonsecurity.com/2024/09/bug-left-some-windows-pcs-dangerously-unpatched/
thewayne: (Default)
*sigh*

Sextortion spam isn't new. "I've implanted spyware on your device and I have video of you watching dirty videos and doing unspeakable things! Pay me a bitcoin or I'll send it to everyone on your contact list!" sort of stuff.

Well, they've upped their game a bit with the recent massive data leaks. They're now correlating email addresses to leaked passwords - which are sometimes included in the message - and to a home address, then pulling a Google Street View photo of your house, cropped (reportedly with AI) to remove the watermarks.

According to the comments, they're not very accurate with the geolocation and frequently get a neighbor's house, or, in the case of Mike Rowe's parents (the dude from Dirty Jobs), end up targeting a 91-year-old.

If you're repeatedly targeted, you can report it to the FBI.

https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/
thewayne: (Default)
I've posted about this guy before. When he wasn't able to get a good enough return from the therapy center for hacking them and stealing the files, he started trying to extort the patients to prevent their therapy records from being made public. He was finally convicted and received six years, three months in prison. The prosecution wanted a minimum of seven years; however, he will be paying restitution and he will be held in prison while he goes through the appeals process, so they're satisfied.

https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/
thewayne: (Default)
They were caught selling, without permission, the constant location data of you, me, everyone in the USA with a mobile phone to aggregators who then sold it on to more people, again, without our permission.

From the article: "The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers." Note that the discovery and the scope of the investigation were before and during the T-Mobile/Sprint merger.

SO. Let's break this down. Krebs provides a link to the FCC web site with the formal announcement of the fines, which includes the specific breakdown per carrier. Verizon, my carrier, was fined almost $47 million US.

I asked Microsoft's Bing AI Co-Pilot to do a little math for me.

In 2023, Verizon Wireless reported net profit of $76.7 billion dollars US. I wanted to know how long it would take, in seconds, for Verizon to make that much money. Now, this is net profit. Here's Bing's response:

... it would take Verizon Wireless approximately 18,879 seconds (or about 5 hours and 14 minutes) to earn $46 million from their annual revenue of $76.7 billion

Five and a quarter hours. That's 1/32nd of a WEEK. An utterly insignificant rounding error.

The percentage of the fine versus 2023 gross profit? 0.058%. One-seventeenth of ONE PERCENT of their profit. There's a reason why it's called gross profit.

Oh, and just how much was their gross profit? $79.087 billion USD. So it cost them $3 billion in people, equipment, trucks, tower rentals, FCC airwave licenses, etc. to generate $76bUSD in net profit. I should take a look at their stock ticker over the last few years, I expect it ain't going down.

I'm in the wrong line of work.

https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/
thewayne: (Default)
This is being thrown against high-value targets: AI startup owners, cryptocurrency fund managers, computer security consultants, etc. The odds of this being targeted against average shlubs is quite low as it requires some resources to be deployed, but that doesn't mean it can't happen. Regardless, it's always good to be aware.

In this case, MFA stands for multi-factor authentication. When you sign on to iCloud on a PC and it sends a six-digit number to your phone to authenticate in your PC browser, that's MFA.

What this attack does is flood the target with dozens and dozens of Reset Password notification messages, exploiting a rate limit flaw. By rate limit, we mean limiting how many messages of a specific type can be sent within a certain time frame. Normally if you (the account owner) request a password reset, a reasonable rate limit would be a message every 15-30 seconds, not more often than that, with a cap on the total within a longer window. You wouldn't allow a flood of messages. These particular crooks have found a way to induce a flood.
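As an added illustration (not code from the Krebs article, and not Apple's code), here is what the missing rate limit looks like in code: a hypothetical reset-prompt service with and without a per-account limit, run against a simulated two-minute flood. The 30-second gap and the cap of 3 prompts per 15 minutes are assumed numbers, not Apple's actual policy; the account name is a placeholder.

```python
"""Per-account rate limit on password-reset push notifications.

Added illustration (hypothetical service, not Apple's code): an unlimited
notifier can be used to 'bomb' a target, while a limiter that enforces a
minimum spacing plus a cap per window reduces a 2-minute flood to a handful
of prompts. The numbers (30 s gap, 3 per 15 min) are assumptions.
"""
from collections import deque


class FakeClock:
    """Deterministic clock so the simulation runs offline and repeatably."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ResetNotifier:
    """Sends 'Reset Password' prompts to an account's devices, subject to a limit.

    limit   : max prompts per account within `window` seconds
    min_gap : minimum seconds between two consecutive prompts for one account
    A huge limit and min_gap=0 reproduce the flawed, unlimited behaviour.
    """
    def __init__(self, clock, limit=3, window=900.0, min_gap=30.0):
        self.clock = clock
        self.limit = limit
        self.window = window
        self.min_gap = min_gap
        self._history = {}      # account id -> deque of send timestamps
        self.delivered = []     # (account, timestamp) for each prompt actually pushed

    def request_reset(self, account):
        """Return True if a prompt was pushed, False if the request was dropped."""
        now = self.clock()
        sent = self._history.setdefault(account, deque())
        while sent and now - sent[0] >= self.window:   # forget sends outside the window
            sent.popleft()
        if sent and now - sent[-1] < self.min_gap:      # too soon after the last prompt
            return False
        if len(sent) >= self.limit:                     # cap for this window reached
            return False
        sent.append(now)
        self.delivered.append((account, now))
        return True


def flood(limited, requests=120, interval=1.0, account="victim@example.com"):
    """Simulate an attacker firing `requests` reset requests, one per `interval` s.

    Returns how many prompts actually reached the victim's devices.
    """
    clock = FakeClock()
    if limited:
        notifier = ResetNotifier(clock)                              # assumed policy above
    else:
        notifier = ResetNotifier(clock, limit=10**9, min_gap=0.0)   # the flaw: no limit
    for _ in range(requests):
        notifier.request_reset(account)
        clock.advance(interval)
    return len(notifier.delivered)


if __name__ == "__main__":
    print("prompts delivered without a limit:", flood(limited=False))  # 120
    print("prompts delivered with the limit:  ", flood(limited=True))   # 3
```

One caveat a practitioner would raise: a per-account cap like this also locks the legitimate owner out of the reset flow for the rest of the window, which is why real services also limit by requesting client and give the user a way to silence prompts they didn't ask for.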

Each prompt presents the classic Allow/Deny choice. Clicking Deny gets you another message. Clicking Allow is not catastrophic by itself; it pops up the MFA number entry screen. Eventually you get a call from "Apple Support" with the correct (spoofed) phone number, and they'll be able to verify pretty much all your information, because they've bought it from a data broker - one of the resources they have to deploy, which is why it's more of a targeted attack than a wide-spread one.

And this is the biggest giveaway - Apple Support will NEVER call you, unless YOU initiate a support call for them to call you back!

At the moment the only sure way to stop the prompts appears to be changing the phone number tied to the account, and we all know what a PITA that would be! I suppose you could temporarily buy a burner phone, change the outgoing message on your prime phone to say 'This number is temporarily out of service, if you need to contact me, drop me an email and I'll call you back' and notify your true emergency contacts and employment contacts.

It's believed Apple will be looking at fixing the rate limit that's allowing this bombing attack to take place, but Apple is typically pretty tight-lipped about these things.

The article is an interesting read to see what people are going through right now.

What this is, in the end, is a moderately sophisticated social engineering attack with a good amount of resources behind it. And if the victim falls for it and reads back the reset code, they've surrendered the keys to their iCloud account to the criminals and can potentially see ALL their devices wiped and reset: phone, watch, iPad, laptops. But not before the information is sucked out of them.

https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/
thewayne: (Default)
I had never heard of this, apparently it's been going on for some time.

The man, Tim, worked for a First Nations tribe in Alberta as a buyer. It was almost the end of the fiscal year and they needed to spend some money before the year was out, so he and another work partner ordered $2,000 worth of children's playground stuff off of Amazon.

Then things got weird.

Shortly after placing the order, he gets contacted by a woman in Ontario, accusing him of hacking her Walmart card and ordering this gear. Which he had not done.

Then the Royal Canadian Mounted Police get involved and tell him he needs to come down to the station and answer some questions pertaining to an investigation. Which he says he'd be happy to do. He provides printouts of the orders in question, showing HIS credit cards, etc. And then he's threatened with arrest, his wife is harassed by the RCMP, and he is ultimately arrested. Because of the arrest, he loses his job.

The equipment arrives at his house with an additional oddity: a phone number in Mexico.

Here's what happened. An "expert in search engine optimization" in Turkey apparently stole the woman's credit card, or may have bought it from one of the numerous black market exchanges where you can buy such. He placed a listing on Amazon, where Tim bought the gear from him. The Turkish "seller" never owned the equipment. He bought the gear from Walmart, using the stolen credit card, and had it shipped to Tim. I have no idea where the Mexico phone number came into play, perhaps another layer of money laundering?

And Tim gets charged with fraud and can't get a job. Apparently in Canada, being charged with a crime - but not having been convicted - is enough to really mess with your employment opportunities.

Tim had a court date, but the Crown prosecutor decided to issue a stay on the case and defer prosecution, saying we're not going to prosecute at this time, but might at a later date. Apparently they have one year to bring the case back to trial, during which Tim is left hanging in limbo. Commenters on the Krebs article said it is likely that the case will be dismissed at the end of the one-year period; I don't know if this will erase the arrest mark on Tim's record.

Tim did nothing wrong, except getting caught in a fraud scheme. So be very careful buying things on Amazon if it is not 'Shipped by Amazon'.

*sigh*

https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-triangle-of-e-commerce-fraud/
thewayne: (Default)
The twerp hacked Vastaamo Psychotherapy Center and stole all their patient files, which included notes taken during therapy sessions. The center refused to pay a six-figure ransom, so he switched to trying to extort the individual patients for 500 Euro each. That didn't prove a revenue generator either, so he dumped all the files on a dark web site. This was October 2020.

In February 2023 he was arrested by French police after the man, 6'3" and green-eyed, presented Romanian identification that proved false. His attorneys asked for his release during the trial as he had already been jailed for eight months. The judge declared that he was still a flight risk and ordered him held for the duration of the trial.

https://krebsonsecurity.com/2023/11/alleged-extortioner-of-psychotherapy-patients-faces-trial/
thewayne: (Default)
Sacramento is probably not the only one doing this, but it's one that we know about. Several law enforcement agencies share ALPR (automatic license plate reader) data with most anyone who wants it, and in some cases it goes to states that claim it's illegal to travel out of state for an abortion!

Of course, if you fly, you won't be driving your car. Or if you do drive, spend the night at a hotel and take a cab. Don't drive your own car to the clinic.

I hate ALPRs. I first saw one in Texas at a mall. A police car was doing a very slow crawl through the parking lot, and when he passed, I saw the cameras mounted on his car. Makes me want to install some infrared LEDs in my license plate frame that will bloom-out the ALPR cameras. It's one thing when they're "looking for stolen vehicles", but when that information is being kept pretty much indefinitely - as it usually is - stitching a car's whereabouts by time stamp can reveal a HUGE amount of information about a person.

https://news.yahoo.com/sacramento-sheriff-sharing-license-plate-133000119.html
thewayne: (Default)
Nominally, the .US top level domain belongs to the U.S. government. However, the government contracted out the management of it, and the registry has been run by contractors ever since. And now a link-shortening service run by crooks has registered a large number of .us domains and is renting them out to low-lifes who use them for phishing, credential theft, etc.

Link shortening is when you see something like goo.gl/xyzabc. The shortener looks up xyzabc and redirects you to a much longer URL; the problem is that you can't see whether the destination is a safe domain from the shortened version! Can you say security risk? I knew you could! The .US domain is pretty much not at all in use by the U.S. government, and anything critical sent to you by the government, such as an IRS notice, is going to come by the U.S. mail anyway.
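The check a practitioner wants here is to resolve the redirect chain without loading the final page. The following is an added example, not code from the Krebs article: a hop-by-hop resolver that follows Location headers, flags loops, nested shorteners and a plain-http landing page. The `fetch` function is injected so the example runs offline against a constructed redirect table; the hostnames are placeholders, and a real fetcher would issue a HEAD request with automatic redirects disabled (for example `requests.head(url, allow_redirects=False)`).

```python
"""Resolve a shortened link's redirect chain before trusting it.

Added illustration, not from the Krebs article. The FAKE_WEB table below is a
constructed sample of what HEAD requests would return; every hostname in it is
a placeholder, not a real shortener or phishing site.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: url -> (HTTP status, Location header or None).
FAKE_WEB = {
    "https://go.example.us/a1b2c3": (302, "https://r.example.us/x9y8"),
    "https://r.example.us/x9y8": (302, "http://login-secure.example.net/verify"),
    "http://login-secure.example.net/verify": (200, None),
    "https://short.example.com/ok": (301, "https://www.example.org/page"),
    "https://www.example.org/page": (200, None),
    "https://loop.example.us/a": (302, "https://loop.example.us/b"),
    "https://loop.example.us/b": (302, "https://loop.example.us/a"),
}


def fake_fetch(url):
    """Stand-in for a HEAD request with redirects disabled (offline sample data)."""
    return FAKE_WEB.get(url, (404, None))


def expand(url, fetch=fake_fetch, max_hops=10):
    """Follow Location headers one hop at a time.

    Returns (final_url, chain, problems). Nothing past the last redirect is
    fetched as a page, so a booby-trapped landing page is never executed.
    """
    chain = [url]
    problems = []
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break                                   # reached a non-redirect response
        location = urljoin(chain[-1], location)     # Location may be relative
        if location in seen:
            problems.append("redirect loop")
            break
        seen.add(location)
        chain.append(location)
    else:
        problems.append("too many redirects")

    final = chain[-1]
    if urlparse(final).scheme == "http":
        problems.append("final hop is plain http")
    hosts = {urlparse(u).hostname for u in chain}
    if len(chain) > 2:                               # shortener pointing at another shortener
        problems.append(f"{len(chain) - 1} hops through {len(hosts)} hosts")
    return final, chain, problems


if __name__ == "__main__":
    for start in ("https://go.example.us/a1b2c3", "https://short.example.com/ok",
                  "https://loop.example.us/a"):
        final, chain, problems = expand(start)
        print(start, "->", final, "|", " > ".join(chain), "|", problems or "ok")
```

Chained shorteners (one short link pointing at another) are a common trick precisely because each hop is a separate service that a reputation check has to resolve, so the resolver treats more than one redirect as worth a closer look.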

https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
thewayne: (Default)
Along the lines of third-party SWATting or calling in bomb threats for friends to get people out of tests, a year ago we saw a few incidents of Violence-as-a-Service. In this particular case, this asshole hired himself out to go to people's homes and literally crash a car into them, throw Molotov cocktails at them, or discharge firearms into them. For money. Then post videos of him doing these acts on to Telegram channels and brag about the acts.

In the words of Jay and Silent Bob, 'Bunch of savages in this town, Silent Bob.'

At least this guy will have a long time to reflect on how much of an idiot he is.

https://krebsonsecurity.com/2023/10/nj-man-hired-online-to-firebomb-shoot-at-homes-gets-13-years-in-prison/
thewayne: (Default)
It was noticed that Barracuda Email Security Gateways (ESGs) were spewing forth a lot of malware. And Barracuda says the compromised devices CANNOT BE PATCHED AND MUST BE DECOMMISSIONED AND REMOVED FROM SERVICE.

A little technical lesson. Company/corporate networks have a single point of contact (for the sake of discussion) with the internet. At this point there is a firewall, a security device that filters traffic coming in for attacks and, at least at big companies, inspects traffic going out for attempts to exfiltrate corporate secrets. There are also ESGs which try to block attempts by bad guys to send malware through corrupted email attachments and, again, prevent exfiltration of corporate secrets by sending out cost sheets through email, etc.

Somehow bad guys have compromised Barracuda's ESG to such a level that they have no confidence that this malware can be removed! Now things get interesting. If you read the Krebs article linked below, one security professional believes this is the work of a 'State Actor', meaning a nation. Common computer criminals want fast results, and have the software exploits to get those results. State actors want long-term results without detection. This malware has been in place since OCTOBER OF LAST YEAR.

I've previously posted about the UEFI hack where an exploit goes into the boot system of a computer. Well, an ESG is a computer, though not a general purpose computer like I'm writing on or you're reading this with. But it has a boot system and a CPU and it's programmable; it's just programmed to do a specific task, and it's updateable. Thing is, it probably uses bog-standard CPUs since it's easy to find engineers who know how to write code for them, even if the code is quite specialized - these things don't run Windows! So in principle the boot path is an opportunity to exploit. That said, the Krebs article describes the initial entry point as a flaw in how the appliance parses incoming email attachments, not a boot-level exploit; the reason Barracuda wants the boxes replaced rather than patched is that it has no confidence the attackers' persistence can be fully removed.

Now, here's my thought. The Krebs article says that there are 11,000 of Barracuda's ESG devices in use right now. If I am an IT manager, and I have one or more of these devices in use, and I'm suddenly told that I have to replace ALL of them RIGHT NOW, is Barracuda going to be my automatic first choice for another ESG? They just cost me a LOT of money and caused me a lot of trouble, because most of these customers are guaranteed to be caught having to replace this gear outside of their scheduled replacement cycle (when corps can, things like this are budgeted and scheduled on approximately a 3-5 year replacement cycle).

This is really going to hurt Barracuda's long-term financials. It wouldn't surprise me if they take a serious dive and are gobbled up by Cisco or someone else within the next 3-5 years.

https://krebsonsecurity.com/2023/06/barracuda-urges-replacing-not-patching-its-email-security-gateways/
thewayne: (Default)
Term: DDoS. Stands for Distributed Denial of Service; the older term was just DoS, without the "Distributed". You get a bot net of compromised computers and servers (they've unknowingly downloaded malware that gives the baddies remote control of the machine without the owner knowing it) to target one IP address or web site and bombard it with connection requests, which makes it unable to handle legitimate requests and proverbially crushes the target, making it unusable. Frequently used as a blackmail tool.

The UK National Crime Agency (NCA) has been setting up fake DDoS-for-hire sites. These are also known as Booter or Stresser sites. Booter because the original use was knocking ("booting") opponents offline, typically from online games; Stresser because they try to claim they're providing a service for people to see how robust their own hardware is under heavy load. When people register for the site, they receive a proverbial knock on the door of their email in the form of a message that says (my words) "Hello, we're the police. What you signed up to do is a crime, and we're collecting your information. If you're not in the UK, we're sending your information to the nation in which you live. Have a nice day."

Now, this isn't going to stop a serious jerk as they're going to be using disposable email addresses, a VPN and multiple proxy services to hide their identity and location. But it will stop casual tricksters trying to impress their friends and the like. And it will make it a bit more difficult for serious jerks to find new DDoS services.

https://krebsonsecurity.com/2023/03/uk-sets-up-fake-booter-sites-to-muddy-ddos-market/
thewayne: (Default)
An excellent article on how your private data gets shared and what you can do about it.

The WHY you should is pretty simple: 9 million AT&T customers were compromised in a hack at an advertising affiliate, T-Mobile has had 70 million accounts compromised in the last decade or so, etc.

These data breaches are so common as to be ridiculous. And that information can be used against you in possible fraud schemes. As an article that I posted recently said, Americans lost a record amount to fraud schemes in 2022, and breaches like these help fuel said schemes.

The article explains how to opt-OUT of data sharing for the Big Three: AT&T, Verizon, and T-Mobile.

https://krebsonsecurity.com/2023/03/why-you-should-opt-out-of-sharing-data-with-your-mobile-provider/
thewayne: (Default)
Amongst your first thoughts might have been along the line of 'Finnish hacker? Who cares!' Oh, just read on! Almost guaranteed laugh to come.

This is a great story. So this dweeb did all the usual horrible stuff: DDoSes, SWATting, breaking into corporate computers and such. His gang had an exploit that let them get into servers running ColdFusion, and that got them into some places they probably shouldn't have gotten into, because it brought high level attention to his activities. And then he did a VERY bad thing.

He broke into a Finnish psychotherapy practice and stole patient treatment records. Stuff that is considered utmost sacrosanct - notes between a therapist and their patients.

He threatened to dump them on the dark web if the practice didn't pay a ransom demand, which was in six figures. They didn't pay. After the practice stopped talking to him, he tried extorting individual patients for 500 Euros each. He apparently didn't have any luck with that either, and then he actually went and published the records.

Except he had one very major operational security fail. Somehow he screwed up and included his computer's HOME DIRECTORY IN THE DUMP!

Oops. Major faux pas.

This gave investigators all sorts of information on him concerning not only him personally, but additional crimes that he'd committed and the tools that he had used.

He was arrested Friday morning around 7am when "authorities in Courbevoie responded to a domestic violence report". He'd been out drinking, brought a woman home, they got into a fight, and neighbors called the cops. A roommate or someone let the police in, and they found him sleeping. When they woke him and asked him for ID, he claimed to be Romanian. Police were "Yeah, pull the other one, it's got bells on it", started pulling up photos of wanted foreign criminals, and found out who he was.

He had previously been convicted in court of FIFTY THOUSAND cybercrimes, but as he was 17 at the time, he was given a two year suspended sentence and had to pay 6500 Euros in restitution.

He's been on the run since October of last year after failing to show up for a court appearance and was charged in absentia. For some reason I don't think a two year suspended sentence is in his future, perhaps something a bit more stiff.

https://krebsonsecurity.com/2023/02/finlands-most-wanted-hacker-nabbed-in-france/
thewayne: (Default)
Remember that Violence As A Service article that I posted a while back? This is a direct offshoot of that. One of these stains is a "L337 hax0r" who stole over $300,000 in cryptocurrency via cell phone SIM swapping. These twits would hack Yahoo Mail accounts, then see if that same password would unlock a Ring account. If it did, they were gold - goes to show that it's important to use different passwords for different accounts, especially important ones, and critical when privacy issues are at stake!

Then these stains would SWAT the victims, recording and live-streaming the victims. Fortunately no physical injuries were reported from the incidents, though emotional trauma I'm sure was received.

Have fun in prison, ass-wipes!

https://krebsonsecurity.com/2022/12/hacked-ring-cams-used-to-record-swatting-victims/
thewayne: (Default)
Last month, Amazon lost control of 256 IP addresses (a /24 block) for three hours due to BGP security flaws. This let cybercrooks obtain a valid TLS certificate for a cryptocurrency bridge service called Celer Bridge and serve a fake version of its site, stealing about $235,000 in cryptocurrency. 32 accounts were victimized.
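The detection side of this, as an added example that is neither Ars Technica's nor Amazon's tooling: an RPKI-style origin check that compares observed BGP announcements against a table of authorised (prefix, origin AS, maximum length) entries, flagging both a wrong origin and a more-specific prefix like the /24 above. The prefixes and ASNs are constructed placeholders (documentation ranges and private-use AS numbers), not the real Amazon or attacker values.

```python
"""Flag BGP announcements that conflict with an expected-origin table.

Added illustration. The EXPECTED table and SAMPLE_ANNOUNCEMENTS are constructed
sample data: placeholder prefixes and private-use ASNs, not real routes.
"""
import ipaddress

# Constructed "authorised origins": covering prefix -> (origin ASN, max prefix length).
# Same shape as an RPKI ROA (prefix, origin AS, maxLength).
EXPECTED = {
    "203.0.112.0/22": (64500, 22),   # placeholder hosting provider; may announce only the /22
    "198.51.100.0/24": (64501, 24),
}

# Constructed sample announcements as seen from a route collector: (prefix, origin ASN).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.112.0/22", 64500),   # legitimate
    ("203.0.113.0/24", 64666),   # a /24 (256 addresses) carved out by a stranger: hijack
    ("203.0.112.0/24", 64500),   # right origin but more specific than allowed: invalid
    ("198.51.100.0/24", 64501),  # legitimate
    ("198.51.100.0/24", 64667),  # same prefix, wrong origin: hijack
    ("192.0.2.0/24", 64502),     # space nobody has registered: nothing to compare against
]


def classify(prefix, origin, expected=EXPECTED):
    """Return 'valid', 'invalid' or 'unknown' for one announcement.

    'invalid' covers both a wrong origin ASN and a prefix more specific than the
    covering entry permits. The more-specific case is the classic way to steal
    traffic, because routers prefer the longest matching prefix.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for cov_prefix, (asn, max_len) in expected.items():
        cov = ipaddress.ip_network(cov_prefix, strict=False)
        if net.version != cov.version or not net.subnet_of(cov):
            continue
        covered = True
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def find_hijacks(announcements, expected=EXPECTED):
    """Return the (prefix, origin) pairs judged invalid against `expected`."""
    return [(p, o) for p, o in announcements if classify(p, o, expected) == "invalid"]


if __name__ == "__main__":
    for prefix, origin in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:18} AS{origin}: {classify(prefix, origin)}")
```

The gap this exposes is the same one the article describes: a check like this only helps if the route's owner has published what is authorised and the networks in the path actually drop invalid routes instead of accepting the longer match.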

https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/


In the UK, three men were arrested after a community resident reported suspicious activity. Found in their car was a fake police uniform, an imitation firearm, a real taser and baseball bat. Their intent: "...pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts."

Discoli happened not to be at home, and the thugs were so obviously not police that they fled, and the real police were notified.

Impersonating police and that fake firearm is really going to ratchet up the sentencing.

https://krebsonsecurity.com/2022/09/botched-crypto-mugging-lands-three-u-k-men-in-jail/


"A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen’s captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities."

Kidnapped, beaten, and forced to record a video begging for $200,000 with two pistols pressed against his head. Florida.

https://krebsonsecurity.com/2022/09/sim-swapper-abducted-beaten-held-for-200k-ransom/
thewayne: (Default)
Good ol' Brian Krebs. In New York City, NCR and an unnamed financial institution have uncovered the latest generation in card skimmers. A card skimmer is a custom-made device that credit card thieves insert into AMERICAN ATMs (this is almost 100% an American problem because we won't get rid of the stupid magnetic strip and go to entirely chip-based cards). It has a strip reader and is pushed deep into the card reading slot of the ATM, so that when you insert your card into the machine, it captures the data on your bank card. A cleverly disguised pinhole camera then captures your PIN, which you almost never cover when you enter it. It's all stored in memory; then the thieves come by later with a Bluetooth transceiver, beam a code to the device, and it spews all the captured data back to them and clears itself.

These have been around for years and are most commonly found at stand-alone ATMs and at gas pumps. So what is new about this?

IT IS 0.68 MILLIMETERS THICK!

That is some pretty impressive engineering and manufacturing to make a skimmer that thin! For comparison, a standard bank card is approximately 0.76mm thick, so the skimmer is thinner than the card it reads.

NCR has some countermeasures to improve detection of these skimmers, but the best thing as always is to simply cover your hand when entering your PIN.

https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/
thewayne: (Default)
Norton 360, owned by the somewhat dubious NortonLifeLock, installs a cryptominer for Ethereum and takes 15% off the top. Let's face it: that's a great business model for NLL! Free money from people who aren't smart enough to install their own miner or who just don't care!

Well, they didn't stop there.

There's a German anti-virus package called Avira that is or was available for free. They were acquired by NortonLifeLock. And now 500,000,000 Avira users are having a cryptominer being pushed on them by NLL to mine Ethereum - complete with the 15% shaved off the top back to their corporate overlord NortonLifeLock.

It's good to be the king! Or at least the corporation controlling your software!

Personally, for the PC I recommend Zone Alarm Pro. Very solid software that I've used for years, does a good job with firewall replacing Microsoft's and also with anti-virus and anti-malware. And they sell a package that lets you install it on multiple PCs for what I consider a reasonable price - I pay for my gaming laptop and my dad's rig in Phoenix.

https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/
thewayne: (Default)
Norton bought LifeLock and is now Norton Lifelock, and now their Norton 360 product bundles an Ethereum cryptominer in their software!

And Norton takes 15% of what you mine.

So if you're not interested in mining ETH and use Norton, be very careful on your install to disable the mining aspect of the software. If you do want to mine ETH, install a proper miner and don't give Norton a cut unless you feel like contributing to a major corporation's profits. I'm sure they need the 15% more than you do.

Myself, I loved Norton Utilities when it first came out. Peter Norton was a genius. And when Symantec took it over, initially it was good. But it became bloatware and eventually worthless and I stopped using it and now won't touch it or recommend it. But to each their own.

LifeLock, for those not current on the company, claimed to be able to lock down your personal information online. They were so confident about their product that they drove advertising trucks around major cities across the USA with their CEO's Social Security Number prominently displayed. And his identity was stolen multiple times.

https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
thewayne: (Default)
The first one was a doozie. A guy from Nigeria - actually from Nigeria, but he was no prince, created a ransomware scheme where he tried to recruit disgruntled employees to deploy ransomware from INSIDE corporate networks for a cut of the ransom! He was a student who wanted to create his own social media company but had no money and no job, thus no resources to start the operation.

So why not kickstart the money through a crime spree!

He's been arrested by Nigerian authorities. Another problem with having no money is the inability to pay off cops to avoid arrest.

Now, here's the really funny bit. Brian Krebs, former Washington Post reporter, who now solely writes about cybercrime and computer security, wrote about this guy when he launched his scheme. His identity wasn't known at that point. Krebs' web site is Krebsonsecurity.com. This scammer accused him of defaming his operation, addressing him as "Mister Krebson". :-) I thought that was hilarious! Guy clearly didn't do his homework on the people investigating him. He apparently wasn't difficult to take down.

https://krebsonsecurity.com/2021/11/arrest-in-ransom-your-employer-email-scheme/


The second story is quite good, but I just have to ask: WHY THE [BLEEP BLANKETY-BLANK] DIDN'T YOU IDIOTS DO THIS TWENTY YEARS AGO? I knew default passwords were a bad idea then, why are you just now coming around to this idea?!!!

The UK Parliament is passing an act that will require most, not all, devices that connect to the internet to not have weak/embedded passwords. Basically, when you get a device (WiFi router, web cam, thermostat, whatever) you MUST change the password on it and it cannot be reset to a factory default password.

Why?

Aside from the fact that it's a stupid and easily-prevented security hole, a British internet provider sent out thousands of WiFi routers with the same simple password, trusting that the users would change it when they set it up. Yeah, right. So rectal haberdashers went around using these free WiFi hotspots (once you knew what the password was and how to find hotspots whose SSID is not broadcast) to download child porn, leading to a lot of innocent people being raided by the police because their router was insecure.

From the article:
The Product Security and Telecommunications Infrastructure Bill lays out three new rules:

-easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default
-customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn't get either, that must also be disclosed
-security researchers will be given a public point of contact to point out flaws and bugs


That last item will be a pain to implement, though it's something that has been clamored for in the security community for ages. There's no standard for it, so the implementation is going to be very uneven if it's not codified AND regularly updated! I've seen stories on Krebs and Schneier.com where security researchers have found proof, not just evidence, that a company's network has been compromised, but they haven't been able to reach anyone in the company's IT department to report it!

The act specifically exempts certain types of devices. Still, progress!

https://www.bbc.com/news/technology-59400762


I do some computer installation work for a couple of very small companies in my area, people who are too intimidated to replace their own router. And that's fine, I'm happy to help them, and I make a few bucks on the side. I give them a strong password, it's written down for them, and I record the password in a protected file on my phone so when I'm working with them again later, I've got records in my pocket.

For the iPhone, I use a program called mSecure. I think it cost me $5-10 to buy, it has very strong encryption. If it's not available for the Android universe, I'm sure there's something similar.

Page generated Jul. 4th, 2025 10:44 pm