AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 01/24/2022

FSB detains administrator of UniCC carding forum

The Russian Federal Security Service (FSB) has arrested the administrator of the UniCC carding forum and one of the members of the Infraud cybercrime cartel. The suspect was identified as Andrey Sergeevich Novak and was detained for two months on charges of computer crimes and money laundering. Three other suspects, identified as Kirill Samokutyaev, Konstantin Vladimirovich Bergman, and Mark Avramovich Bergman, were also detained and subsequently placed under house arrest. Prior to his arrest, Novak was known on underground cybercrime forums under nicknames such as Faxtrod, Faaxxx, and Unicc, and was the administrator of UniCC, a forum where threat actors gathered to buy or sell stolen payment card data. On January 12, the site announced that it would voluntarily close down, citing the administrators’ intention to retire, and advised users to withdraw their funds within ten days. At the time, blockchain analysis company Elliptic estimated that the site’s staff had made at least $358 million in cryptocurrency from the sale of stolen cards since 2013 when it launched.


Microsoft warns of large ‘Upgrade’ phishing campaign

Microsoft is warning that its security intelligence service is seeing a phishing campaign currently targeting hundreds of organisations. An app named “Upgrade” abuses OAuth request links, and Microsoft said its machine learning technology picked up on this suspicious behaviour. Users are asked to grant consent to “Upgrade”, which would then be able to read and write their emails and create inbox rules, such as forwarding all or specific messages to another account to exfiltrate data. OAuth (Open Authorisation) is an open standard for access delegation that lets websites share information without revealing users’ passwords.
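The two artefacts the campaign leaves behind, a consent grant for mail scopes and an inbox rule that forwards mail outside the tenant, are both recorded in Microsoft 365 audit logs. The following added example (not Microsoft's code and not part of the original post) runs two checks over constructed JSON-per-line records. The operation names follow the audit log ("Consent to application.", "New-InboxRule"), and the forwarding parameters are those of the New-InboxRule cmdlet, but the flat record layout, the Scopes/PublisherVerified fields, the mail-scope list and the tenant domain are assumptions for illustration:

```python
import json
from typing import Iterable, Optional

# Constructed: the tenant's own mail domains; any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Delegated scopes that let an app read, send and manage mail (assumed list).
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

# New-InboxRule / Set-InboxRule parameters that send mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardingSmtpAddress", "RedirectTo", "ForwardAsAttachmentTo"}


def mail_domain(address: str) -> str:
    """Return the lower-cased domain of 'smtp:user@host' or 'user@host' ('' if none)."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def is_external(address: str) -> bool:
    domain = mail_domain(address)
    return bool(domain) and domain not in INTERNAL_DOMAINS


def check_consent(rec: dict) -> Optional[dict]:
    """Flag a user consent grant that hands mail scopes to an application."""
    if rec.get("Operation") != "Consent to application.":
        return None
    risky = sorted(set(rec.get("Scopes", "").split()) & MAIL_SCOPES)
    if not risky:
        return None
    return {
        "type": "risky_app_consent",
        "user": rec.get("UserId"),
        "app": rec.get("AppDisplayName"),
        "publisher_verified": bool(rec.get("PublisherVerified", False)),
        "scopes": risky,
    }


def check_inbox_rule(rec: dict) -> Optional[dict]:
    """Flag a new or changed inbox rule that forwards or redirects mail to an external domain."""
    if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return None
    params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
    external = [v for k, v in params.items() if k in FORWARDING_PARAMS and is_external(v)]
    if not external:
        return None
    return {
        "type": "external_forwarding_rule",
        "user": rec.get("UserId"),
        "rule": params.get("Name"),
        "targets": external,
        # A rule that also deletes the original hides the forwarding from the mailbox owner.
        "deletes_original": params.get("DeleteMessage", "").lower() == "true",
    }


def triage(lines: Iterable[str]) -> list:
    """Run every check over JSON-per-line audit records and return the findings in order."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        for check in (check_consent, check_inbox_rule):
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample log, one JSON record per line, in the simplified shape assumed above.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"Operation": "Consent to application.", "UserId": "alice@example.com",
     "AppDisplayName": "Upgrade", "PublisherVerified": False,
     "Scopes": "Mail.ReadWrite Mail.Send offline_access"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Upgrade"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail-drop.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"Operation": "Consent to application.", "UserId": "bob@example.com",
     "AppDisplayName": "Contoso CRM", "PublisherVerified": True, "Scopes": "User.Read"},
)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

Only the "Upgrade" consent and the external forwarding rule are reported; the folder-move rule and the User.Read-only consent pass. The two findings are kept separate on purpose: a mail-scope consent to an unverified publisher is worth a ticket on its own, and an external forwarding rule is worth one even when no consent grant preceded it. Tenant-side, the durable mitigation is to restrict user consent to verified publishers or route it through an admin consent workflow.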


Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

In yet another instance of a software supply chain attack, dozens of WordPress themes and plugins hosted on a developer’s website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations. “The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites,” security researchers from JetPack, a WordPress plugin suite developer, said in a report published this week. “The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory.”
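Because the WordPress.org copies were clean, a site owner with both copies can find the tampering by hashing every file in each tree and diffing the manifests: an injected file shows up as added, and the loader that was patched to include it shows up as modified. The following added example (not JetPack's or AccessPress's code) does that; the plugin name, file names and contents of the constructed sample are stand-ins and say nothing about the real backdoor:

```python
import hashlib
import os
from typing import Dict


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_bytes(fh.read())
    return manifest


def manifest_from_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Same as build_manifest, for an in-memory {path: bytes} tree (used by the sample)."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def diff_manifests(reference: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, list]:
    """Files the suspect copy adds, drops, or changes relative to the reference copy."""
    common = reference.keys() & suspect.keys()
    return {
        "added": sorted(suspect.keys() - reference.keys()),
        "removed": sorted(reference.keys() - suspect.keys()),
        "modified": sorted(p for p in common if reference[p] != suspect[p]),
    }


# Constructed sample: a clean directory copy, and a vendor copy with one injected
# file plus a loader patched to include it. Names and contents are placeholders.
CLEAN_COPY = {
    "demo-plugin.php": b"<?php\n/* Plugin Name: Demo */\n",
    "inc/helpers.php": b"<?php\nfunction demo_helper() { return 1; }\n",
    "readme.txt": b"=== Demo ===\n",
}
VENDOR_COPY = dict(CLEAN_COPY)
VENDOR_COPY["demo-plugin.php"] = CLEAN_COPY["demo-plugin.php"] + b"require_once __DIR__ . '/inc/extra.php';\n"
VENDOR_COPY["inc/extra.php"] = b"<?php\n/* constructed stand-in for an injected file */\n"


def audit_sample() -> Dict[str, list]:
    """Diff the constructed vendor copy against the constructed clean copy."""
    return diff_manifests(manifest_from_files(CLEAN_COPY), manifest_from_files(VENDOR_COPY))


if __name__ == "__main__":
    # On a real site: diff_manifests(build_manifest(<wordpress.org copy>), build_manifest(<installed copy>))
    for kind, paths in audit_sample().items():
        print(kind, paths)
```

The reference copy has to come from somewhere the attacker could not write to (here the WordPress.org directory); comparing the installed copy against the vendor's own download would have shown nothing, since the vendor download was the compromised artefact. Files reported as removed are worth a look too, since an attacker may drop a file that interferes with the injected code.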


Kids won’t stop launching DDoS attacks against their schools

The cybercrime unit of the UK National Crime Agency (NCA) is stepping up a program designed to educate children about the ramifications of DDoS attacks. As explained in a post on the NCA website, the initiative is informed by recent research that suggests kids as young as nine are guilty of launching DDoS attacks against their school networks, websites and other services. According to the report, the volume of such attacks has risen sharply during the pandemic, presumably causing disruption to online learning activities. The Cyber Choices campaign identifies potential offenders by tracking searches associated with cybercrime made by kids on school computers. These mischief-makers are presented with an alert warning against criminal activity and funnelled towards the Cyber Choices website, which hosts a range of educational materials.


Dark Souls 3 exploit could let hackers take control of your entire computer

A dangerous remote code execution (RCE) exploit found in Dark Souls 3 could let a bad actor take control of your computer, according to a report from Dexerto. The vulnerability only puts PC gamers who play online at risk and may potentially affect Dark Souls, Dark Souls 2, and the upcoming Elden Ring. The exploit was seen in action during The__Grim__Sleeper’s Twitch stream of Dark Souls 3 online. At the end of the stream (1:20:22), The__Grim__Sleeper’s game crashes, and the robotic voice belonging to Microsoft’s text-to-speech generator suddenly starts criticizing his gameplay. The__Grim__Sleeper then reports that Microsoft PowerShell opened by itself, a sign that a hacker used the program to run a script that triggered the text-to-speech feature.


Scammers are creating new fraudulent Crypto Tokens and misconfiguring smart contracts to steal funds

2021 saw an all-time high in crypto-related crimes, with scammers getting ahold of $14 billion in cryptocurrency. The rise in fraud and scams correlates with the immense growth of activity within cryptocurrencies worldwide. Recent company announcements and developments show an increased interest in cryptocurrencies. For example, PayPal is considering a launch of its own cryptocurrency, Facebook has rebranded to Meta, and MasterCard announced that partners on its network can enable their consumers to buy, sell and hold cryptocurrency using a digital wallet. In addition, Disney wants to build a metaverse, Nike bought an NFT company, and Starbucks customers can now use the new Bakkt app to pay for drinks and goods at the chain’s coffee shops with converted Bitcoin. Furthermore, Microsoft is building its metaverse, and Visa confirmed conducting a pilot with Crypto.com to accept cryptocurrency for settling transactions on its payment network. Adidas joined the metaverse via NFT, and Grayscale announced that the metaverse is a $1T industry. Funds are flowing towards crypto, and thus it’s no wonder hackers are targeting cryptocurrencies.
