New Malware Hermetic Wiper Used in Ukraine

Introduction

As Russia began its invasion of Ukraine, several Ukrainian defence and foreign ministry websites, banks and many other sites were taken down in a large distributed denial of service (DDoS) attack across Ukraine. This is consistent with tactics Russia has used in past cyber attacks, as seen in Crimea in 2014, Georgia in 2008 and Estonia in 2007. DDoS attacks are not the only cyberattacks seen so far. A new data-wiping malware was found on hundreds of devices in Ukraine, as well as on devices of Ukrainian contractors in Latvia and Lithuania. This malware was soon named the Hermetic Wiper.

Digital Signature Information of the Hermetic Wiper malware (photo: twitter @ESETresearch)

Hermetic Wiper

One sample of the Hermetic Wiper malware was found to have been compiled in December, suggesting that the attack had been in preparation for at least 2 months. The malware carries a digital signature issued to Hermetica Digital Ltd, which is where the name Hermetic Wiper comes from. It turns out that Hermetica Digital Ltd is the small business of a video game designer in Cyprus, who says he had no part in the attack and never applied for a digital certificate, nor knew that one had been granted for his company. Although the malware was compiled in December, the digital certificate was issued back in April 2021, which could lead to further analysis of the timeline of the invasion of Ukraine. However, it is just as possible that the certificate was bought recently on the black market for this campaign from cyberspies who routinely steal identities.

The wiper itself uses a common wiper technique: abusing legitimate drivers to corrupt data and then reboot the device. A ransomware program now named Party Ticket was also deployed alongside Hermetic Wiper. Party Ticket is believed to be a decoy to distract targets while their devices are wiped by Hermetic Wiper. The ransomware program also contains various references to the USA government and Biden.

Folder and Function names of the Ransomware (Photo: https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/)

What’s Next

Cyberattacks continue to occur and worsen: not just Ukrainian websites but some Russian ones too are going down under DDoS attacks, with cyberactivist groups taking credit and Ukraine creating its own cyberattack IT groups. The United States and its allies are now warning organizations, businesses and governments of the importance of strengthening their cyber defences as much as possible in case the cyberattacks spread beyond Ukraine, as already seen with traces of Hermetic Wiper in Latvia and Lithuania. Concerns have also been raised about just how devastating a cyberwar between the USA and Russia could be if the USA were to get fully involved, with the capabilities listed including shutting off power, tampering with trains to stop or speed them up, disrupting internet connections and many other devastating cyberattack effects.

References

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

https://www.sentinelone.com/blog/a-cisos-guide-to-the-security-impact-of-the-attacks-on-ukraine/

https://voi.id/en/technology/138937/hermetica-owner-from-cyprus-didnt-know-his-server-was-used-in-malicious-malware-attack-in-ukraine

https://www.digitalshadows.com/blog-and-research/russia-invades-ukraine-what-happens-next/

https://www.abc.net.au/news/2022-02-24/ukraine-cyber-attacks-looming-full-scale-russian-invasion/100856586

White House Denies Mulling Massive Cyberattacks Against Russia

The P2P Botnet: FritzFrog

Fig 1. Lexo Salazar. Photo of Green Frog on Leaf, 2016, Pexels, www.pexels.com/photo/photo-of-green-frog-on-leaf-1370740/.

Preamble

To start off, I believe that some definitions are in order, as understanding some of the concepts FritzFrog utilizes helps paint the picture of what exactly it does. Firstly, P2P is short for peer-to-peer, which refers to a type of network where two or more systems are connected (Computerworld). Peers on a peer-to-peer network can communicate with each other; more explicitly, they can transfer and relay data to and from one another (Oxford). Botnet bears a similar meaning, in the sense that it is also a type of network of systems (Trend Micro). However, each system in a botnet is infected to some degree, and any of these infected systems can become the point of control for the attacker (Trend Micro). A P2P botnet is the amalgamation of these two concepts: a network of intertwined systems that can communicate with each other, any one of which can become the point of control without the need for an overarching control point. From this, we can see why it’s called FritzFrog: much like a frog, control can jump from place to place. Additionally, we can begin to understand how it is still in circulation, as removing it from one system doesn’t affect it as a whole, and finding the location of the current commander is not impossible, but rather complicated. Not to mention that its developers are able to adapt it as time progresses, to help it remain undetected.

What does FritzFrog do?

FritzFrog attempts to connect to SSH servers, and if it can connect, it drops payloads onto the system; it also adds its own SSH key to the list of authorized keys (Guardicore). One of the main things installed on these systems is a netcat client. This (unfortunately) is not a virtual cat for the infected user to enjoy; rather, it takes whatever it has seen in the terminal and sends it to the FritzFrog server. In addition to this, it attempts to run a Monero cryptominer (The Hacker News). This can be assumed to be FritzFrog’s main goal, as Monero is a decentralized and untraceable currency. Switching topics, at its inception FritzFrog used brute force to infect a total of 500 systems, and it is infecting 500 per day as of January 2022 according to The Hacker News’ article. According to Guardicore, it used to mask itself as ifconfig and nginx (which are common Linux software/tools), but it has now changed slightly and tries to appear as apache2 and php-fpm. It is quite clear that it aims to infect servers running Linux, as they often have a reasonable amount of computing power due to the numerous machines attached to them. The earlier mention of it creating an SSH key now becomes relevant once again as we begin to talk about why it is so tricky to detect. In order to evade detection it utilizes SSH to connect to hosts (as previously mentioned), it is fileless (which is why it needs/wants its SSH key on the system), and it uses a proprietary P2P protocol (Guardicore). The evolution does not stop at changing what mask it wears on systems: it has also implemented a secure copy protocol feature, and it can even detect high-end machines (The Hacker News). This, quite blatantly, adds more backing to the conclusion that its sole purpose is to mine cryptocurrency rather than to steal information or destroy systems. It seems to be hard to detect, but Guardicore has provided a script to aid in the detection of this malware.
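Two of the traits above (a planted entry in authorized_keys and a payload running under a borrowed service name with no backing file on disk) can be checked with a short script. This is an added example, not Guardicore’s detection script; the process-name list comes from the post, the sample key file and process snapshot are constructed, and the “(deleted)” / memfd test is our assumption about what a fileless payload looks like on Linux.

```python
"""Added detection example (not Guardicore's script) for two FritzFrog traits
described above: a foreign key planted in authorized_keys and a payload
running under a common service name without a backing file on disk."""
import base64
import hashlib

# Process names the post says FritzFrog has imitated (old and new names).
MASQUERADE_NAMES = {"ifconfig", "nginx", "apache2", "php-fpm"}


def parse_key_line(line):
    """Return (SHA256 fingerprint, comment) for one authorized_keys line, or
    None for blank, '#' comment or malformed lines. An options prefix such as
    'no-pty,command="..."' before the key type is skipped."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                raw = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            digest = hashlib.sha256(raw).digest()
            fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fingerprint, " ".join(fields[i + 2:])
    return None


def unknown_keys(authorized_keys_text, allowed_fingerprints):
    """List (line number, fingerprint, comment) for every key that is not on
    the allowlist. A key nobody on the team added is exactly the kind of
    persistence the post describes."""
    findings = []
    for number, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed and parsed[0] not in allowed_fingerprints:
            findings.append((number, parsed[0], parsed[1]))
    return findings


def suspicious_processes(process_table):
    """process_table holds (pid, comm, exe) triples as collected from
    /proc/<pid>/comm and readlink /proc/<pid>/exe. Flag entries that use one
    of the imitated names but whose executable is memory-backed or unlinked
    ('(deleted)'); assumption: a real nginx/apache2 binary stays on disk."""
    return [(pid, comm, exe) for pid, comm, exe in process_table
            if comm in MASQUERADE_NAMES
            and (exe.endswith("(deleted)") or exe.startswith("/memfd:"))]


def fake_blob(label):
    """Constructed stand-in for a public-key blob; not a usable key."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + label.encode()).decode()


# Constructed sample authorized_keys: two keys the admin knows, one planted.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real server",
    f"ssh-ed25519 {fake_blob('admin')} admin@laptop",
    f'no-pty,command="/bin/true" ssh-ed25519 {fake_blob("backup")} backup@nas',
    f"ssh-ed25519 {fake_blob('rogue')} unknown@nowhere",
])
KNOWN_GOOD = {parse_key_line(f"ssh-ed25519 {fake_blob(n)}")[0]
              for n in ("admin", "backup")}

# Constructed process snapshot: two real services, two imposters.
SAMPLE_PROCESSES = [
    (1420, "nginx", "/usr/sbin/nginx"),
    (2231, "apache2", "/memfd:kthreadd (deleted)"),
    (2305, "php-fpm", "/usr/sbin/php-fpm7.4"),
    (2411, "ifconfig", "/tmp/.x/ifconfig (deleted)"),
]

if __name__ == "__main__":
    for finding in unknown_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD):
        print("unexpected key:", finding)
    for proc in suspicious_processes(SAMPLE_PROCESSES):
        print("suspicious process:", proc)
```

On a real host you would feed the script each user’s authorized_keys file and a fingerprint allowlist kept outside the host, since a compromised machine cannot vouch for its own key list.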

Who is it attacking?

Currently, the targets seem to be large-scale entities rather than small ones. Many universities, colleges, healthcare institutions and others have been attacked so far (The Hacker News, Guardicore). A disproportionate number of the infected systems are in China, but other countries such as the United States and Russia have also been successfully attacked (The Hacker News). Most likely it inadvertently attacks large institutions (especially universities and colleges), as they normally use SSH and Linux systems for their servers. The fact that it masks itself as common Linux software adds some proof to this claim. It may also attempt to target individual systems, but this remains to be seen on a large scale. In general, though, it seems that it attacks whoever and wherever it can, showing no remorse for any system (unless, of course, the system can’t be used to mine crypto).

Conclusion

FritzFrog is a dangerous piece of malware whose aim is to mine cryptocurrency on infected machines. Its developers are highly skilled, and the P2P botnet’s progress from inception to now is proof of this. It inadvertently attacks large-scale institutions and can easily detect systems that are capable of mining crypto. In times like these, we must be careful about which SSH servers we trust.

Citations

NFT hype will hijack your PC and webcam

With the rapid development of the Internet and computers, more and more novel things have appeared in our lives. We no longer read newspapers but read the news on the Internet. People don’t need to go to the mall to shop; we only need to place an order at an online store and wait for the package to be delivered home. In recent years, something called the NFT (non-fungible token) has also appeared and become well known. More and more hackers have started to focus on NFTs, trying to get private information or money through them.

What is NFT?

Both non-fungible tokens (NFTs) and fungible tokens (FTs) are cryptocurrencies. They all use a blockchain as a digital database. But an FT is a native currency: it is fungible, meaning it can be exchanged for another identical one with the same value, just as a 10-dollar bill can be exchanged for ten 1-dollar coins. The same works for FTs. The most famous FT today is Bitcoin. An NFT is different: it is unique and indivisible, which means all NFTs are different. NFTs are used to buy and sell images, videos, or other forms of digital artwork. The virtual real estate that sold for millions of dollars a few months ago belongs to the NFT category. In a sense, the NFT plays the role of a patent office, helping each unique thing to be copyrighted and helping to identify patents.[2][3]

The difference between NFT and FT
https://www.reddit.com/r/VoxelXnetwork/comments/q9iauz/ft_vs_nft/

How does the hacker make this work?

New things easily attract people’s attention. Hackers have also exploited this weakness to create many links, emails or files that appear to be related to NFTs. When these are downloaded and opened, a Trojan is installed on your computer, through which the hacker can quickly get everything he wants, including information and money. For example, in this case the hacker included a suspicious Excel file. In fact, this Excel file contained a Trojan called BitRAT. [1]

What a remote access trojan can do
https://blogs.cisco.com/security/remote-access-trojans

What is the danger of this kind of attack?

BitRAT is a remote access trojan (RAT). It can upload and download files, monitor screens, listen to your microphone and log your keystrokes. That means if your computer has this virus, the attacker will know everything about you. You will no longer have any privacy. [1]

As a popular asset now, the NFT has good room for future appreciation, and at the same time it does not require the user to have advanced computer skills. It easily attracts the attention of ordinary people, but they usually know very little about how hackers attack. [1]

Conclusion

As new things appear, people start to recognize them, learn them, and then use them. At the same time, hackers are also trying to make them work for themselves, to help them get the user’s private information, passwords, money, or something else. [1]

The cybersecurity researchers at Fortinet gave some advice to help us not give hackers a chance to create holes in our computers, such as not downloading or opening untrusted files or links. [1]

References:

  1. https://www.zdnet.com/article/hackers-are-using-nft-lures-to-trick-victims-into-downloading-intrusive-trojan-malware/
  2. https://www.forbes.com/advisor/investing/nft-non-fungible-token/
  3. https://www.cnn.com/2021/03/17/business/what-is-nft-meaning-fe-series/index.html

As Deepfake gets Deeper, Security Risks Heighten

An emerging social engineering attack combines aspects of both misinformation and cyberattacks compromising data integrity: deepfakes.

Deepfake is a term that combines the words “deep learning” and “fakes,” and refers to synthetic videos, images, and audio recordings generated through deep learning AI techniques. While there is a positive side to deepfakes when they are made with the consent of the person depicted, in the wrong hands they can cause considerable damage.

How could deepfakes compromise security?

Deepfake attackers attempt to impersonate a person or persons of authority to spread misinformation or manipulate others into providing access to confidential data and funds.


FBI warning https://www.forbes.com/sites/glenngow/2021/05/02/the-scary-truth-behind-the-fbi-warning-deepfake-fraud-is-here-and-its-serious-we-are-not-prepared/?sh=5834dbeb3179

In March 2021, the FBI released a warning about the rising threat of synthetic content. The FBI warns that attackers use deepfake technology to create highly realistic spearphishing messages. It is expected that attackers will supplement voice spearphishing attacks with audio deepfakes aimed at persuading a specific individual to share or allow access to personal or corporate information. Additionally, the FBI warned about Business Identity Compromise (BIC), a new cyberattack vector that evolved from Business Email Compromise (BEC). BIC uses audio deepfakes to create “synthetic corporate personas” or to impersonate existing employees in order to elicit fraudulent funds transfers.

https://www.pcmag.com/news/fbi-dont-fall-for-this-money-transfer-video-chat-scam?amp=true

More recently, the FBI issued another warning about an increase in fraudsters exploiting virtual meeting platforms. Some schemes involve impersonating company executives using deepfake technology in video meetings by hijacking their video meeting accounts. The rise of video conferencing during the pandemic has given cybercriminals a new avenue to trick employees into wiring company funds.

Deepfakes as a threat to organizations

In 2019, an employee of a UK CEO was defrauded into transferring US$243,000 to a Hungarian supplier’s bank account by a faked voice. It is believed that the threat actors used commercial voice-generating software to carry out the attack. This was the first known example of a deepfake being used in a scam.

In 2021, a manager at a bank received a phone call from one of the bank’s directors asking for a $35 million transfer to fund an acquisition. In reality, it was not the director who called; it was a deepfake of the director’s voice. By the time the bank became aware of the error, the funds had already been lost.

Deepfake technology is becoming more accessible and easier to use, posing greater risks to organizations. Millions of dollars have already been scammed with audio deepfakes, and the deepfake technology is expected to get more sophisticated. Moreover, deepfakes are not limited to spearphishing attacks or BICs. There have already been video deepfakes that bypass facial recognition technology, and they will soon be able to bypass voice recognition technology as well. With technology that can fool authentication factors, such as biometrics, there is a much greater risk of security compromise. Organizations should update their security protocols as the potential risk grows.

How to Protect Against Deepfake Attacks

Employee Training

Strengthen your first line of defence against deepfakes by training staff to spot them

Trust but Verify

To detect an attack before it can cause any harm, implement protocols that specify verification procedures for suspicious communications

Automated Detection

Automated detection can also be achieved with the same algorithms used to create deepfakes

Response Strategy

Deepfakes should be handled in incident response plans, and stakeholders need to know how to respond when they are attacked

References

https://www.entrepreneur.com/article/414109

https://www.forbes.com/sites/glenngow/2021/05/02/the-scary-truth-behind-the-fbi-warning-deepfake-fraud-is-here-and-its-serious-we-are-not-prepared/?sh=5834dbeb3179

https://www.pcmag.com/news/fbi-dont-fall-for-this-money-transfer-video-chat-scam?amp=true

https://www.accdocket.com/deepfakes-get-deeper-security-risks-heighten

https://www.pandasecurity.com/en/mediacenter/technology/deepfake-fraud/#:~:text=Deepfakes%20are%20videos%2C%20images%20or,been%20manipulated%20by%20AI%20technology.&text=This%20has%20become%20a%20growing,of%20misinformation%20and%20fraud%20scams

https://builtin.com/cybersecurity/deepfake-phishing-attacks

Devious malware hosted on Discord pretends to be Windows 11 installer

How the attack is carried out

Attackers distribute RedLine Stealer, a piece of malware that sets out to steal user information. They have developed a fake website that appears to be a carbon copy of Microsoft’s official Windows 11 installer page. However, the “Download Now” button beneath the “Get Windows 11” banner links to a rogue installer housed on Discord’s content delivery network (CDN). The bundle, which consists of one executable and many DLL files, is only a few megabytes in size when downloaded. When the user extracts the contents of the compressed bundle, something unusual happens: the .EXE file accounts for the majority of the bundle’s 735MB extracted size. The malware can access data like location, security software, usernames and device configuration, as well as upload and download files and run commands. In 2021, a similar incident occurred. Attackers utilized a similar spoofing technique to set up a Discord webpage with a similar but misspelled name to deceive users into downloading a harmful installer posing as Discord’s own. HP believes that the DNS servers, malware, and domain registrar were all employed in the same way as in the Windows 11 attack.

Why Discord?

The Discord platform was chosen because of its popularity; its gamers are likely to be excellent targets for malware. Hackers are increasingly focusing their efforts on Discord. The nefarious few that spread malware prefer to target consumers of popular online services, and with Discord’s 140 million active users and over 300 million registered users, the chat software is a tempting target. The most common aim of Discord malware is the theft of users’ personal information, which is accomplished through stealer malware and remote access Trojans (RATs). Harmful files might go unnoticed for months, posing a serious threat to other users. There are also password-hijacking malware families, adware, and fake Android apps designed to steal bank information or intercept transactions. Even chatbot APIs are being abused by malware that competes for control of channels, and some malware harvests stolen data and stores it on private servers.

How to protect yourself

We all know that no one can be completely safe from these attacks. Discord is doing everything it can to protect users from malware, but no amount of effort will be adequate to stop these attacks entirely. However, you may avoid them by not clicking on every link you see, not joining servers you’re unfamiliar with, and disabling the “Allow direct messages from server members” option, which lets you block DMs (direct messages) from members of that server who aren’t on your friends list. Discord also provides a list of security tips to keep you safe from spam and hacking while using the service. Setting strong passwords is one of the recommendations, as it makes accounts less likely to be compromised. People can also safeguard themselves by watching out for phishing scams. It is possible to detect bogus communications by paying close attention to the sender’s email address.

Reference:

https://www.pcgamer.com/devious-malware-hosted-on-discord-pretends-to-be-windows-11-installer/

https://discord.com/safety/360043857751-Four-steps-to-a-super-safe-account

Malware found hidden in Cities: Skylines mod

Cities: Skylines is a video game that allows players to design and manage cities. The game is available for many different gaming platforms, including PC, Xbox, Nintendo Switch and PlayStation 4 (1). Cities: Skylines is one of three city-building games created by the Finnish video game developer Colossal Order (2). The game developers allow the community to create “mods” for other users to download. A game mod (short for modification) is an add-on that alters the game in some way.

Screenshot of the game from the Colossal Order website https://www.citiesskylines.com/en

On Monday a “modder” (someone who creates game mods) was banned from the gaming platform Steam over accusations of hiding malware in their mods. The user goes by the name “Chaos” or “Holy Water” (3). Chaos is accused of hiding a software auto-updater in some of their game mods. The auto-updater would allow Chaos to deliver more malware to infected computers without the consent of the user (3, 4). The malicious mods are an example of a Trojan horse, because the malicious software is hidden inside something that otherwise seems innocent.

The malicious mods are “Network Extensions 3” and “Update from Github” (4). These mods are not original pieces; they are updates to pre-existing game mods of which Chaos is not the original author (3).

Last year Chaos published an update to the popular Cities: Skylines mod Harmony. The update was designed to be incompatible with other versions of the mod, so after its release players would have no choice but to use Chaos’s version of Harmony. In addition, most Cities: Skylines mods need Harmony to run, so a large portion of players would need to download Chaos’s update (3).

Members of the Cities: Skyline Reddit page have expressed how frustrating it can be to have someone maliciously tamper with a game mod you developed (5). Reddit user MeatSafeMurderer says that this behaviour makes it difficult for small game developers to succeed. “Sadly I think this kind of bad behaviour is present in all modding communities… It’s why, as sad as it is for the little guy who just made an awesome mod I might never try, I tend to stick to larger, well known and trusted modders”. 

Events like this one instill distrust in the community, perhaps rightfully so. Events like this should remind users to be diligent with their computer security, but as MeatSafeMurderer pointed out, this distrust means that small developers will have a difficult time sharing their work.

If you are a Cities: Skyline user and are worried that you may be affected, check out this Reddit post with information on how to remove the mods from your computer.

A new Steam account has been created, claiming to be the user behind Chaos. This account claims that it is not the Chaos mods that contain malware, but rather the Cities: Skylines code itself. The account name, “I found Colossal Order Keylogger”, succinctly describes the accusation. Outside of this Steam account, no concerns have surfaced about security in the game code.

Screenshot of the new Steam account, claiming that there is malware in the Cities: Skyline code. https://steamcommunity.com/id/brownMM

References:

  1. https://www.paradoxinteractive.com/games/cities-skylines/about
  2. https://www.colossalorder.fi/
  3. https://threatpost.com/cities-skylines-modder-banned-over-hidden-malware/178403/
  4. https://store.steampowered.com/news/app/255710/view/6047774523920146831
  5. https://old.reddit.com/r/CitiesSkylines/comments/sq5k4v/important_information_about_network_extensions_3/

Adobe Commerce: Why Input Validation Matters

Last Sunday Adobe issued a critically rated CVE, CVE-2022-24086, with a rating of 9.8/10 for their “Adobe Commerce” platform. The vulnerability allows anyone to execute arbitrary code, without any prior credentials or admin privileges! The weakness found was improper input validation, which is a relatively common weakness. If you’ve ever heard of SQL injection attacks, both attacks use the same general method to get code somewhere it shouldn’t be.

For quick reference, Adobe Commerce is a web platform for selling products & working through the back-end logistics. For example, an online store could use it to host their website while keeping their Amazon page up-to-date, as well as handle shipping providers. This makes it customer-facing, causing a vulnerability like this one to be even worse, since you can’t just wall it off as some internal-only application.

Thankfully, by looking into the source code of the vulnerability patch, we can get a glimmer of how this specific attack works:

        // Remove every "{{ ... }}" directive from $result, repeating the
        // pass until the pattern no longer matches anywhere in the string
        $pattern = '/{{.*?}}/';
        do {
            $result = preg_replace($pattern, '', (string)$result);
        } while (preg_match($pattern, $result));

This newly added snippet of code uses a regular expression (regex) to look for a particular pattern in an incoming string and remove all occurrences of it. The pattern is two sets of curly braces, one inside the other, with any number of characters (including none) between them. This specific formatting is used in YAML to embed code.

This is entirely speculation, but my guess at the mechanics behind this attack would be sending YAML queries to the Adobe Commerce backend with a carefully crafted bit of code within a set of {{}} that the backend accidentally then executed to do some further unknown function.

Unfortunately the specific attack details are still scarce, as Adobe is waiting for their customers to patch before releasing how the vulnerability is exploited. The vulnerability affects all versions up to two minor versions ago (current: 2.4.5; versions below 2.4.4 affected). Adobe also stated they’ve received reports of this vulnerability being exploited “in the wild” and that there have been “very limited attacks” on customers using Adobe Commerce, but gave no hard numbers.

Input Validation & RCE

How do you tell a computer what is code and what is data? If we were trying to encode the string ‘print("Hello, World!")’, how does Python know whether or not to execute the print() call within the string? If you call print() on that string, what happens?

A very important part of writing programs is input validation. This ranges from things as simple as checking whether a string can be parsed as a number to complex error and RCE checking. There are other forms of input validation (such as checking for concurrent sessions for the same user) to be aware of as well. For string-based input validation, it is recommended to look for specific code-related characters and remove them from the input to ensure the string won’t be misread as code:

  • Comment tags such as // or /* */
  • Semicolons ;
  • String delimiters such as ‘ or “
  • Newline and null characters: \n and \0
  • Braces and Bracket pairs such as <>, {} and []

When an input is misread as code, in the worst case it allows attackers to run effectively anything they want, as shown in this CVE. It can also result in crashing or causing incorrect behaviour in a system, which I’ve seen firsthand at an internship last summer.
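The do/while loop in the patch above is an instance of a general defensive rule: one removal pass can leave fragments that join back up into the very token you removed, so you repeat until nothing matches. The Python below is an added example (not Adobe’s code) that ports that loop and applies it both to the page’s {{ … }} pattern and, going one step beyond the page, to the /* … */ comment tags from the list above, where a single pass demonstrably leaves a fresh comment behind; the inputs are constructed.

```python
"""Added example (not Adobe's code): a Python port of the patch's
strip-until-nothing-matches loop, applied to the '{{ ... }}' directive
pattern from the page and to the '/* ... */' comment tags listed above."""
import re

# The pattern from the Adobe Commerce patch snippet. As with PHP's preg_*
# without the 's' modifier, '.' does not cross a newline here either.
TEMPLATE_DIRECTIVE = re.compile(r"\{\{.*?\}\}")
# C-style block comment, one of the "code-related" tokens listed above
# (our choice of pattern for the demonstration, not part of the Adobe patch).
BLOCK_COMMENT = re.compile(r"/\*.*?\*/")


def strip_once(pattern, text):
    """One pass, as a lone preg_replace would do: remove every
    non-overlapping match from left to right."""
    return pattern.sub("", text)


def strip_until_clean(pattern, text, max_rounds=50):
    """Port of the do { preg_replace } while (preg_match) loop: keep removing
    until the pattern no longer matches, i.e. until a fixed point.
    Returns (cleaned text, number of passes). Gives up after max_rounds so a
    pathological input cannot spin forever (assumption: 50 is plenty)."""
    for rounds in range(1, max_rounds + 1):
        text = pattern.sub("", text)
        if not pattern.search(text):
            return text, rounds
    raise ValueError("input did not reach a fixed point")


# Constructed inputs. In the second one, removing the inner comment leaves
# the characters on either side to form a brand-new comment, which a single
# pass misses and the loop catches on its second pass.
NESTED_DIRECTIVE = "Hello {{var customer.name}}, order {{{{inner}}outer}} shipped"
REFORMING_COMMENT = "total //* a */* b */ = 10"

if __name__ == "__main__":
    print(strip_once(BLOCK_COMMENT, REFORMING_COMMENT))
    print(strip_until_clean(BLOCK_COMMENT, REFORMING_COMMENT))
    print(strip_until_clean(TEMPLATE_DIRECTIVE, NESTED_DIRECTIVE))
```

Note that the leftover "outer}}" fragment in the first result is what this kind of blocklist stripping always risks: it only guarantees the pattern is gone, not that the remaining data is well formed, which is why an allowlist of what a field may contain is the stronger check.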

Examples of Similar Exploits

The classic example of improper input validation comes from XKCD:

https://imgs.xkcd.com/comics/exploits_of_a_mom.png

Another recent example has been the RCE exploit in Dark Souls 3, where the game’s multiplayer has been temporarily disabled to fix the problem. Another blog post has already covered this, here:

Links:

2FA provider secretly also provides surveillance through telecommunications network

Twitter appears to be distancing themselves from their two-factor authentication provider, Mitto AG, following recent controversy regarding Mitto AG’s COO selling access to their network to surveillance companies.

Impersonator Group Apprehended in Spain

Introduction

On the 10th of February, police in Cataluña, Spain reported the apprehension of a criminal group that robbed bank accounts by impersonating individuals in order to duplicate their phone numbers, allowing them to bypass two-factor authentication and successfully authorize money transfers out of the accounts. Eight arrests were made and twelve bank accounts throughout Spain were frozen in connection with this operation, which is believed to have begun around March of 2021. I wanted to discuss the method by which the criminal group carried out their heists, since it highlights the futility of developing ever-improving security measures when a lapse of carelessness is enough to bypass them all.

Phishing for Personal Info

If you want to call a bank while impersonating someone, then a good place to start is, ironically enough, to first call your victim while impersonating their bank. The victims in this case would receive calls, texts or emails from someone claiming to be an advisor from their bank who needed some of their personal information to resolve some non-existent issue. According to the police report, the criminals managed to deceive or intimidate people into offering bank account passwords, credit card numbers and even scans of their IDs. This leads to the second step of the plan: impersonating the victim. Not to their bank, but to their cellular provider.

SIM Swapping

With a copy of the victim’s ID in hand, one of the criminals would tweak their appearance into an approximation of the picture on the document before entering the mobile company store. With a sob story about losing their wallet and phone, they’d deceive the store employee into transferring the victim’s phone number to a fresh SIM card under their control. And with that, they were all set to steal actual money instead of identities.

Money Heist (over the phone)

Using the banking information phished earlier, the criminals could now call the bank to initiate a money transfer out of the victim’s account. When the bank asked for additional confirmation from the victim’s phone, the message was instead sent to the criminal’s device carrying the cloned SIM card. Thus the fraudulent money transfer was successfully confirmed, despite two-factor authentication.

Conclusion

This incident is somewhat mundane in the sense that it doesn’t involve the use of any new technologies or inspired techniques to carry out the crime, but that is exactly why it highlights the limitations of true security in the real world. Every year, new measures (like multi-factor authentication) are implemented to improve security systems, but despite this there will never be a shortage of ways to maliciously exploit these systems as long as there is a human component to their function. In this case, the key to the criminal group’s success was the inattentiveness of their victims, whose freely offered personal info made it possible to bypass every electronic security measure put in place by both the phone company and the bank (in the true spirit of the principle of easiest penetration).

The lesson that I choose to learn from this story is that, more than a strong password or an onion’s worth of layers of encryption, the most important aspect of online security is attention and diligence on the part of the user. If the victims in this case had, when asked for sensitive information, taken a moment to investigate the email address online or call their bank to double-check the criminal’s identity, the malicious attempt would have failed at step one. ‘Don’t give out your password over the phone’ may not be the most inspired advice, but sometimes all it takes to stay safe is to have a second look without rushing or panicking.

Sources:

https://thehackernews.com/2022/02/spanish-police-arrest-sim-swappers-who.html

https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=11102

A close look at Bill S-210 and the issues surrounding Website Blocking

Behind the curtains of the Senate is a piece of legislation that, if passed, could potentially ruin the internet for everyone. Bill S-210 is not too dissimilar to the infamous Bill C-11 or Online Streaming Act, which grants the Canadian Radio-television and Telecommunications Commission (or CRTC for short) power to regulate almost every online audio/visual service. Bill S-210 is an act of similar breadth and power, but with far worse implications.


The idea behind Bill S-210

Before we criticize this bill, we first need to understand what it does and what goal it is supposed to accomplish. Bill S-210 is described by parliament as “An act to restrict young persons’ online access to sexually explicit material”, which sounds totally reasonable. However, reading further reveals the first juicy sentence:

Any organization that, for commercial purposes, makes available sexually explicit material on the Internet to a young person is guilty of an offence punishable on summary conviction.

– Section 5 of Parliament’s Bill S-210

In theory, this is fine, but if we look at the internet we will find that there are many services that offer a wide variety of content, including some sexually explicit content, such as Reddit, YouTube, and Twitter. In this Bill, the only ways to defend one’s company from these offences are if either the offender has a legitimate purpose related to science, medicine, education, or the arts, OR the offender implements age verification to limit access to sexually explicit content. If neither of these situations applies, then the offender may receive a warning for a few days before eventually being liable to fines of up to $500,000 in the worst case.

My Criticism

The first criticism of this Bill is that since services like Reddit and Twitter have such a broad range of topics and content, it would be virtually impossible to put age verification on ALL sexually explicit content without age-restricting the entire site. What is even more troubling is that reading further into this Bill reveals that the Federal Court will have the power to outright block these sites in Canada if it determines this to be necessary. In the words of my most relevant source, Michael Geist:

The danger of over-blocking legitimate websites raises serious freedom of expression concerns, particularly since experience suggests that over-blocking is a likely outcome of blocking systems. 

Michael Geist’s opening statement during his appearance before the Senate Standing Committee on Legal and Constitutional Affairs.

There is an abundance of sites and services on the internet that have some amount of explicit content on them. This doesn’t only affect social media platforms but may also affect online shopping sites like Amazon, review sites such as Rotten Tomatoes, and Q&A sites like Yahoo! Even normal company websites that include some kind of public comment section could be affected simply because of some troll leaving an explicit comment. The idea that any number of these sites could be outright blocked in Canada is frightening to say the least, and would clearly not go towards solving the main goal of this Bill.

Conclusion

The overbreadth of Bill S-210, coupled with the power it has to completely shut down entire sites, is unbelievable. It is quite clear that it has overshot its original goal and would not be of any benefit to society, but rather a hindrance to rights and freedoms already established in the Constitution. Perhaps with several amendments it could do some good in preventing young persons from being exposed to sexually explicit content, but as of right now it is clearly unsuitable for such a purpose.


References