Robinhood fixed an account-creation flaw that hackers abused to send convincing phishing emails from its own system to some users over the weekend.
The post Hackers Abuse Robinhood Signup Process to Deliver Phishing Emails appeared first on TechRepublic.
This week on the Lock and Code podcast…
A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.
Instead, it is the older adults themselves whose stories are often brushed aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, or so everyone else believes, is too savvy for the same.
The data disagrees.
When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.
Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.
According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.
So what actually works? And who, if anyone, is doing the work?
Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.
“This is not a technical capability problem at all. This is a conflict of incentives.”
Explore how to solve multi-tenancy identity challenges in modern finance with secure IAM strategies, improving access control and compliance.
The post Solving the Multi-Tenancy Identity Crisis in Modern Finance appeared first on Security Boulevard.
The U.S. Department of the Treasury has unveiled a new digital asset cybersecurity initiative, aimed at strengthening defenses across the rapidly growing digital asset ecosystem. The initiative, announced by the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), seeks to provide timely and actionable cyber threat intelligence to eligible U.S.-based digital asset firms.
The move comes amid escalating cyberattacks targeting cryptocurrency platforms and follows recommendations outlined in the federal report “Strengthening American Leadership in Digital Financial Technology.”
Understanding the Digital Asset Cybersecurity Initiative
At its core, the digital asset cybersecurity initiative will extend high-quality threat intelligence, previously reserved for traditional financial institutions, to digital asset companies and industry organizations. This includes insights that help firms detect, prevent, and respond to cyber threats affecting their platforms, customers, and infrastructure.
“Digital asset firms are an increasingly important part of the U.S. financial sector, and their resilience is critical to the health of the broader system,” said Luke Pettit, Assistant Secretary for Financial Institutions.
“By extending access to the same high-quality cybersecurity information used by traditional financial institutions, Treasury is helping promote a more secure and responsible digital asset ecosystem,” he added.
Eligible firms that meet Treasury criteria will receive this information at no cost, signaling a broader push to align cybersecurity standards across financial sectors.
Rising Threats Drive Urgency for Digital Asset Cybersecurity
The digital asset cybersecurity initiative comes at a time when cyber threats against cryptocurrency platforms are intensifying in both scale and complexity. Treasury officials emphasized that the initiative directly responds to this evolving threat landscape.
“Cyber threats targeting digital asset platforms are growing in frequency and sophistication,” said Cory Wilson, Deputy Assistant Secretary for Cybersecurity. “This initiative expands access to actionable threat information that helps firms strengthen defenses, reduce risk, and respond more effectively to incidents.”
Recent incidents emphasize the urgency. Alleged North Korean hackers reportedly stole $280 million from crypto platform Drift using a complex attack. Industry-wide losses exceeded $3.4 billion last year, with billions more lost annually over the past five years.
In another case, Bitcoin ATM operator Bitcoin Depot disclosed a cyberattack on March 23 that resulted in losses exceeding $3.6 million. Additional breaches this year have reported losses of $26 million and $40 million, highlighting persistent vulnerabilities across the sector.
Government Push Amid Ongoing Crypto Crime
Despite increased enforcement efforts, cybercriminals and nation-state actors continue to exploit weaknesses in the digital asset ecosystem. U.S. authorities, including the Justice Department, have ramped up prosecutions and issued repeated warnings about infiltration attempts, particularly by North Korean threat groups.
However, these measures have had limited success in curbing attacks. Threat actors continue to exploit coding flaws, social engineering tactics, and employee vulnerabilities to gain access to crypto platforms.
The digital asset cybersecurity initiative is designed to complement these efforts by shifting focus toward proactive defense and real-time intelligence sharing rather than reactive enforcement alone.
Strengthening the Future of Digital Finance
Treasury officials also framed the digital asset cybersecurity initiative as a foundational step for the future of digital finance. As digital assets become more integrated into mainstream financial systems, cybersecurity is emerging as a critical pillar for sustainable growth.
“This initiative reflects the principles of the GENIUS Act by promoting responsible innovation grounded in strong cybersecurity and operational resilience,” said Tyler Williams, Counselor to the Secretary for Digital Assets.
“As digital assets become more integrated into the financial system, access to timely and actionable cyber threat information is essential to protecting consumers and safeguarding the stability of U.S. financial markets,” Williams added.
The broader federal strategy emphasizes balancing innovation with security. The Treasury’s report highlights the need for regulatory clarity, risk mitigation, and public-private collaboration to support the long-term growth of digital assets while addressing illicit finance and cyber risks.
A Step Toward Industry-Wide Cyber Resilience
With cyberattacks continuing to disrupt the crypto ecosystem, the digital asset cybersecurity initiative represents a significant step toward improving industry-wide resilience. By bridging the gap between traditional financial cybersecurity frameworks and emerging digital asset platforms, the initiative aims to create a more secure and stable environment for innovation.
As digital assets evolve from niche technology to a core component of global finance, initiatives like this may play a key role in shaping how the industry manages risk, and whether it can keep pace with increasing cyber threats.
The Dutch Ministry of Finance took its treasury banking portal offline after a cyberattack; core tax systems were not affected.
The Dutch Ministry of Finance took parts of its infrastructure offline, including the treasury banking portal, after detecting a cyberattack two weeks earlier.
The Dutch Ministry of Finance disclosed a cyberattack detected on March 19 after a third-party alert. Attackers breached some internal systems, and the incident impacted a “portion of the employees”.
The security breach is currently under investigation. Authorities clarified that systems used to manage tax operations were not impacted, limiting the scope of disruption.
“The Ministry of Finance’s ICT security detected unauthorized access to systems for a number of primary processes within the policy department on Thursday, March 19,” reads the statement issued by the Dutch Ministry of Finance. “Following the alert, an immediate investigation was launched, and access to these systems has been blocked as of today. This affects the work of a portion of the employees.”
The Ministry pointed out that services for citizens and businesses, including tax, customs, and benefits, remain unaffected.
“Services to citizens and businesses provided by the Tax and Customs Administration, Customs, and Benefits have not been affected,” continues the report.
The Dutch Ministry of Finance did not disclose technical details about the attack, and no cybercrime group has claimed responsibility so far.
In a statement to the Dutch House of Representatives, Minister of Finance Eelco Heinen said that, due to a forensic investigation, the Dutch Ministry of Finance has taken several systems offline, including the treasury banking portal, which has affected about 1,600 public entities that cannot access balances or key functions. Funds remain accessible and payments continue via normal channels, with essential services handled manually. Heinen added that enhanced security measures are in place, while investigations involve the NCSC, forensic experts, police, and the Data Protection Authority.
“Due to the ongoing forensic investigation and for security reasons, several systems have been temporarily taken offline, including the digital treasury banking portal. As a result, approximately 1,600 public institutions that hold funds with the Ministry of Finance are currently unable to view the balance of their treasury accounts digitally.” reads the statement. “Participants in treasury banking include ministries, agencies, legal entities with statutory tasks, educational institutions, social funds, and local governments. Additionally, it is temporarily not possible for participants to request loans, deposits, or credit, modify intraday limits, or generate reports via the portal.”
Participants retain full access to funds, and payments continue normally via standard banking channels, with essential services supported manually if needed. The duration of the disruption is still unknown. Enhanced security and monitoring are in place, while investigations involve the National Cyber Security Centre, forensic experts, police cybercrime units, and the Data Protection Authority.
In October 2024, the Dutch police blamed a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers. The incident took place on September 26, 2024, and the police have reported the security breach to the Data Protection Authority.
Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.
Dutch intelligence agencies believe it is highly likely that a state actor was behind the data breach.
Cryptocurrency is a speculative asset, a payment system, and critical infrastructure all at once. Explore why this "Shimmer" problem creates an unstable security model where users bear 100% of the risk.
The post SEC Rules – Crypto IS A Security – Sometimes appeared first on Security Boulevard.
The Ministry of Finance cyberattack in the Netherlands has once again highlighted a growing concern: even critical government systems are struggling to stay ahead of increasingly advanced threats. While officials have moved quickly to contain the Ministry of Finance data breach, the incident highlights deeper structural challenges in public-sector cybersecurity.
According to an official release, “The Ministry of Finance's ICT security detected unauthorized access to systems for a number of primary processes within the policy department on Thursday, March 19.”
What makes this Ministry of Finance cyberattack particularly concerning is not just the breach itself, but the fact that it affected systems tied to “primary processes”—a term that signals operational significance rather than peripheral infrastructure.
Ministry of Finance Cyberattack: What Happened
The Ministry of Finance cyberattack came to light after a third party flagged suspicious activity, prompting an internal investigation. Security teams confirmed unauthorized access to several internal systems within a policy department. In response, authorities acted swiftly, blocking access and taking compromised systems offline.
While this rapid containment is commendable, it also raises a critical question: why was external notification required in the first place? In mature cybersecurity environments, internal detection mechanisms are expected to identify anomalies before third parties do.
The ministry clarified that services provided to citizens and businesses—particularly those linked to taxation, customs, and benefits—remain unaffected. However, the disruption to internal operations has impacted some employees, though the scale remains undisclosed.
At this stage, officials have not confirmed whether sensitive data was accessed or exfiltrated. No threat actor has claimed responsibility, and investigators are still working to determine the entry point and intent behind the intrusion.
A Pattern of Cyber Incidents in the Netherlands
The Ministry of Finance cyberattack does not exist in isolation. It is part of a broader pattern of cybersecurity incidents affecting Dutch government institutions in recent months.
A notable case involved the Dutch Custodial Institutions Agency (DJI), where a data breach exposed employee information, including email addresses, phone numbers, and security certificates. Reports suggest attackers may have maintained access to DJI’s internal systems for up to five months—a duration that points to gaps in detection and response capabilities.
The breach was linked to a vulnerability in Ivanti Endpoint Manager Mobile, a widely used platform for managing enterprise devices. The same flaw also impacted other institutions, including the Dutch Data Protection Authority and the judiciary.
In that case, attackers reportedly had the ability not only to access data but also to remotely control or wipe devices, an escalation that moves beyond data theft into operational disruption.
Why the Ministry of Finance Cyberattack Matters
The significance of the Ministry of Finance cyberattack goes beyond immediate disruption. It highlights three critical issues:
Detection Gaps: The reliance on third-party alerts suggests that internal monitoring systems may not be fully optimized.
Attack Surface Complexity: Government systems, often layered and legacy-heavy, present attractive targets with multiple entry points.
Persistent Threat Actors: The DJI case shows attackers are willing—and able—to maintain long-term access without detection.
These factors combined indicate that cybersecurity is no longer just a technical issue but a governance challenge.
Government Response and the Road Ahead
Authorities have stated, “We will update this message when we can share more information.” While this cautious communication is understandable, transparency will be key in maintaining public trust—especially if sensitive data exposure is later confirmed.
State Secretary Claudia van Bruggen acknowledged the seriousness of recent incidents, emphasizing the government’s responsibility to protect its workforce. At the same time, officials have reassured that there is no immediate danger to affected personnel.
Still, reassurance alone is not enough. The Ministry of Finance cyberattack should serve as a catalyst for systemic improvements, ranging from stronger endpoint security to real-time threat detection and zero-trust architecture adoption.
This article is the result of a collaboration with The Sunday Times. You can find their corresponding piece here.
On the last Friday in December, a German businessman in his mid-40s allegedly met a small aircraft on a dusty runway in remote Western Australia. The following evening in Perth, seven hours’ drive south, he and another man were arrested and charged with trafficking a commercial quantity of a controlled drug.
Police said a search of their hotel rooms uncovered 200kg of cocaine, packed in suitcases in single one-kilogram blocks, along with night vision goggles, aviation equipment and a hardware cryptocurrency wallet.
It was the culmination of a three-month Australian Federal Police (AFP) investigation codenamed “Operation Mirkwood”. Authorities estimated the street value of the drugs to be AUD $65 million and AFP Inspector Chris Colley said an “organised crime syndicate” was likely responsible for the scheme.
The German businessman was Oliver Andreas Herrmann, a 44-year-old champion marathon runner and the director of multiple companies with diverse interests spanning various jurisdictions.
Inset: Oliver Herrmann pictured in an Australian media report from a photo on his Facebook page. Top left: Overlander Airport, where he allegedly met an aircraft on December 27, 2024. Bottom left: cocaine seized by police in Perth. Right: Herrmann after he was detained by police. Source: Facebook / Oliver Herrmann, Google Street View, AFP
Herrmann and the other man who was charged are due to face court again in May. They have not yet entered a plea and the presumption of innocence applies. Herrmann, who has no known convictions, had not responded to multiple requests for comment as of publication.
The Sunday Times reported in January that Herrmann has “close financial ties” to Christy Kinahan, the 67-year-old founder of the eponymous international drug cartel who is wanted by authorities around the world. Last month it reported that Herrmann “acted as Kinahan’s representative on the ground” in Indonesia and quoted a source who said Herrmann once introduced him to the cartel leader.
“Kinahan was Oliver’s boss,” the source told The Sunday Times. “He was afraid of him. Kinahan was always shouting at him.”
Christy Kinahan (left) has a US $5 million bounty on his head but has posted photos giving away his location, including at a luxury Budapest hotel (top right) and a restaurant in Dubai (bottom right). Source: Irish Daily Star, Christopher Vincent Google Maps profile
That investigation revealed that the normally elusive crime boss – known as the “Dapper Don” – posted hundreds of reviews under the alias Christopher Vincent, disclosing his precise locations across three continents, including in Dubai where he lives in hiding. Bellingcat contacted Kinahan but did not receive a response.
We have now conducted an open source analysis of Herrmann’s online footprint to build a picture of the man Australian authorities accuse of trafficking drugs last Christmas. The findings paint a portrait of an avid runner and international businessman who is more accustomed to poolside video conferences than an alleged drug drop in the Australian desert.
Main: The Sunday Times reported in January that Herrmann was linked to Irish narco boss Christy Kinahan. Inset: The West Australian reported on Herrmann and his co-accused’s court hearing in January.
This investigation has traced Herrmann to locations associated with the cartel. These include a building in South Africa that Kinahan reviewed on his Google Maps profile, and to the Zimbabwean capital of Harare the day before a conference that the Irish drug lord said he attended.
It also sheds light on the complex network of international firms linked to Herrmann, either directly or through his associates. One of these firms shares an address with a company that reportedly received payments ultimately destined for Christy Kinahan.
Racing Around The World
Oliver Herrmann is a German national who has referred to Munich as his “home city”. He is also a South African resident, according to the AFP, and reportedly travels on a Swiss passport. Herrmann gave his nationality as Swiss in company documents filed in Singapore, while in registration documents in the UK he said he was German. He has listed his country of residence as Indonesia and Singapore.
Corporate records indicate that Herrmann has been involved at senior levels with companies active in the fields of fintech, mining and consulting. Until recently Herrmann was on the executive board of a German “international raw materials company” whose parent company, according to its website, is to be listed on the Düsseldorf Stock Exchange. The company told Bellingcat in February that Herrmann was removed from his board position after it learned about the allegations in Australia and said he no longer had any role with the organisation.
Herrmann’s Instagram account is set to private but he has a public profile on Strava, a fitness app used for recording exercise that often includes GPS-tracked routes (see Bellingcat’s Strava activity map guide here).
Herrmann’s Strava account has at least 130 photographs and includes a post about his winning 2016 Munich Marathon run. Source: Strava account of Oliver Herrmann / Munich Marathon
An acclaimed runner who won the 2016 Munich Marathon, Herrmann regularly logged his runs on Strava. Photos posted to the account confirm he is the same person pictured in an Australian media report about his court appearance in January over the alleged drug bust.
Herrmann’s Strava account has logged more than 2,500 activities in 29 countries across Europe, Asia, Africa, South America and the Middle East between 2013 and 2023. He has also posted at least 130 photos documenting his extensive travels. They show a dedicated athlete who appears to enjoy a jet-setting lifestyle, with many featuring scenic and tropical locations.
Herrmann’s Strava account shows that, like Kinahan, he has frequently traveled to Zimbabwe. An analysis of Herrmann’s runs shows he logged almost 500 activities in Harare between February 2018 and May 2022. Meanwhile, Kinahan posted 25 Google reviews in Harare between June 2019 and September 2021.
In one of these reviews, the leader of the transnational organised crime syndicate said he spent four nights at the Amanzi Lodge hotel for a “business networking conference” that was hosted by two companies. The conference ran from October 8 to 11, 2019, according to one of the company’s social media accounts. In two photos posted online, an individual with similar features to Kinahan is seen at the event.
This photo shows a man with similar features to Christy Kinahan during an October 2019 conference at the Amanzi Lodge in Harare. Kinahan posted a review for the same venue. Source: Instagram, Facebook
On October 7, the day before the conference began, Herrmann logged a run just 5.5 km from the venue where Kinahan said he stayed. Herrmann’s 2019 Strava activity in Harare suggests he spent time close to this location, near the city’s affluent suburb of Borrowdale, with dozens of runs starting and ending on the same residential road. After October 7, Herrmann’s next Strava run was recorded three days later in Dublin, Ireland.
Herrmann’s Strava profile logged a run in Harare on October 7, 2019 (left), near a hotel that Kinahan said he was staying at the time (right). Source: Strava, Google
Two of Herrmann’s runs from 2021 and 2022 take place in downtown Dubai, about 250 meters and 550 meters from the office of a sanctioned company that the US government said is owned or controlled by Christy Kinahan’s son, Daniel Kinahan.
The 2021 run starts and ends outside a five-star hotel where Daniel Kinahan was photographed. The photo in the since-deleted tweet, which was the subject of media coverage at the time, was posted three days after Herrmann’s Strava run and geotagged to Dubai. A reverse image search shows that the picture of Daniel Kinahan was taken inside the Dubai hotel.
Left, middle: An image from the hotel’s Instagram shows a room with identical layout and features to those visible in the February 11, 2021 tweet showing Daniel Kinahan. Right: Herrmann’s Strava run starting and ending outside the same hotel three days earlier. Source: Instagram, Twitter (via archive.org), Strava account of Oliver Herrmann
Herrmann’s Strava profile also displays information about his business activities. A 2018 post, captioned “Office view in ZIM”, includes a photo of an open document on a laptop screen. Titled “Mining Project Teaser”, the document touts the attractiveness of Zimbabwe’s “open for business” policy for foreign investors.
This 2018 post on Herrmann’s Strava account shows a document with details of a Zimbabwean mining proposal. Source: Strava account of Oliver Herrmann
On the header is “Gemini Global Pte Ltd”, a Singapore-based company of which Herrmann is the director and secretary, according to corporate records. Herrmann reportedly filed a police complaint after Gemini lent US $500,000 for an Indonesian mining project that failed in the early 2010s. More than two dozen runs logged by Herrmann begin and end at the registered address for the Singapore company.
Other locations logged on Strava appear to be linked to companies Herrmann is involved in, suggesting his frequent travel may be business-related. Some runs explicitly mention an office, including one in Singapore in 2015 and three in Dublin in 2016.
Herrmann is listed on Crunchbase as the chief financial officer of defunct Irish fintech, Leveris Limited, which reportedly collapsed in 2021 with debts of €38 million. Records from Ireland’s Companies Registration Office show he was also a director of the company. Herrmann has logged Strava runs in Minsk and Prague, other cities where Leveris had business connections.
Herrmann’s 2015 and 2016 Strava runs referencing offices in Singapore and Dublin. Source: Strava account of Oliver Herrmann
Running Mate
A series of companies involved in trade, real estate and corporate finance appear to be linked to Herrmann’s domestic partner. This woman was identified through an analysis of social media posts. In the comments of an Instagram post about his Munich Marathon win, several users tagged the woman’s account. Herrmann’s Strava profile also follows a user by the same name, and includes a photo of him with an identical-looking woman during a run in France.
An analysis of the woman’s Strava account shows that multiple runs logged in different countries over six years match where Herrmann’s GPS-tracked routes start and finish. She is tagged as a companion in at least one run recorded on Herrmann’s profile.
Three videos posted to the woman’s now-deleted Instagram account show a man strongly resembling Herrmann during a hike at Cape Town’s Table Mountain, visiting Mapungubwe National Park, and on a game drive with two boys near Lake Kariba. Photos also show a boat trip and a beach outing with several children in which a man with similar features to Herrmann is seen with his back to the camera. A photo posted to the woman’s Twitter account a decade ago also shows a man who resembles Herrmann.
Photos and videos from the woman’s primary Instagram account, which was deleted after Bellingcat sent questions, show a man who strongly resembles Herrmann. Source: Instagram
The woman is also tagged in an Instagram post by a Thai mining magnate whose company is listed as a shareholder of the German company that recently removed Herrmann from its board. The Thai woman’s Instagram includes photos of Herrmann and his partner going back years, including during a 2022 “business trip” in Dubai.
The Corporate Web
An open source search identified a person with the same first and last name as Herrmann’s partner involved in three companies. Corporate records show she was listed as the owner of defunct Indonesian firm PT. Gemini Nusa Land, which was involved in real estate, and previously the director of another company, also headquartered in Indonesia.
The third company is South Africa-registered 247 Capital Group, where business data provider b2bhint.com lists her as a director. These details were verified through South Africa’s official registry. A generic-looking website for the firm says it is a leading “corporate finance group” staffed by “specialist capital raising managers”. The website’s contact section lists two addresses: one is a small house on Long Island, New York; the other is a high-rise building in Johannesburg called The Leonardo.
Herrmann’s Strava profile shows he has logged two morning runs ending directly outside The Leonardo, in April and May 2022. Kinahan has also been to The Leonardo: he wrote about visiting the building and posted photos of the interior in Google reviews from September 2021.
Left: The Leonardo, the South Africa address listed for 247 Capital Group. Top right: one of Herrmann’s runs ending outside the building. Bottom right: photo posted by Kinahan from inside the building, which was geolocated by Bellingcat. Source: Google Maps, Strava account of Oliver Herrmann, Christopher Vincent Google Maps profile
An analysis of 247 Capital’s website using ViewDNS, a tool that examines websites, determined that it shares an IP address with three other sites. There are multiple reasons why websites can share IP addresses and it does not necessarily mean they are related. In this case, however, there is evidence that 247 Capital may be linked to the other sites.
This diagram shows three companies that have similarly structured websites and also use the same IP address.
The first is for a US-based company called Ryba LLC; the second is for an Indonesian company called PT. Sukses Dagang Bersama (abbreviated to “SDB Trading” online); and the third is a placeholder for a web developer that designed the sites for 247 Capital, Ryba LLC, and PT. Sukses Dagang Bersama.
Herrmann’s partner had not responded to requests for comment as of publication. There is no suggestion that she is involved in illegal activity.
Ryba LLC
Last year, The Sunday Times reported that a company with a mailing address at the Trump Building was the recipient of two payments totalling US $850,000. It said the funds were lodged to a company account in South Dakota and the beneficiary was listed as Adam Wood, a known associate of Kinahan who attended a 2019 aviation conference in Egypt with the cartel leader. The newspaper said these payments were part of a series of international wire transfers totalling US $1.25 million of which Kinahan was the ultimate beneficiary.
Today, The Sunday Times reveals that the payments of US $850,000 were made to Ryba LLC.
Ryba LLC’s website lists its address as the Trump Building on Wall Street in New York. Companies with this name are registered in the US, but corporate records show that none are located in New York.
The phone number on Ryba LLC’s website was linked to a New York law firm via the crowd-sourced contact book app, TrueCaller. An online search for the firm shows it has an office in the Trump Building, and searches for the Long Island address listed on 247 Capital’s website returned a hit for a lawyer who works at this firm.
The Long Island address also appeared in a small-claims court record, which named the home owner as the lawyer who works in the Trump Building. A digital copy of the deed from the Nassau County Clerk shows the lawyer bought the house 25 years ago. Bellingcat called the Clerk’s office to confirm the deed was still current.
According to the lawyer’s bio, they are an “Anti Money Laundering Specialist” who works in wealth and tax planning, trust and estate administration, and asset protection. The lawyer and the firm had not responded to requests for comment as of publication. There is no suggestion that the lawyer or firm are involved in illegal activity.
Searches on LinkedIn for staff who work for Ryba LLC returned a result for an employee who lists their current role as a senior project finance manager at the company. Their previous position, according to the profile, was head of accounting at Leveris, the Irish company where Herrmann previously served as chief financial officer.
Herrmann’s calendar notification “Oliver – [name redacted] daily update”. Source: Strava account of Oliver Herrmann
In the photo on Herrmann’s Strava account showing the mining proposal document, a meeting notification for the employee is visible in the top right of the laptop screen. The employee’s LinkedIn account is no longer online, but their details have been saved on RocketReach, a site that aggregates professional data from online platforms.
The employee had not responded to requests for comment as of publication. There is no suggestion that they are involved in illegal activity.
PT. Sukses Dagang Bersama
Bellingcat purchased the Indonesian corporate record for PT. Sukses Dagang Bersama. Its “commissioner” is listed as Conor Fennelly, Herrmann’s former business partner and one-time chief executive of Leveris.
However, Fennelly told Bellingcat that he had “never heard of” the Indonesian company and had “no knowledge” of its operations. He also said he had no business connection to Herrmann outside of Leveris and had not been in contact with him since the Irish tech firm collapsed in 2021.
After providing a copy of the Indonesian business documents showing his listing as commissioner, Fennelly said he “didn’t authorise this” or sign paperwork taking on any role at the company. He confirmed that his name, address and passport information on the document were accurate.
“Oliver and several others at Leveris would have had that,” he said. “The company was founded [in] 2021 and interestingly this is months after Leveris went under and months after my last contact with Oliver, assuming he is the reason my name appears here.”
Fennelly said he met Herrmann through an associate at Leveris in 2016, and that Herrmann subsequently invested in the company and became its chief financial officer. Fennelly found Herrmann to be “reliable, calm, competent and trustworthy”, he said, adding that news of his arrest in Australia came as a “complete shock”. Fennelly said he believed Herrmann had been living in Zimbabwe and training as a runner.
Corporate records also show that PT. Sukses Dagang Bersama was originally established in 2013 under a different name, Maksimum Jaya Segar. A person with the same first and last names as Herrmann’s partner is listed as a director of the company from December 2017 to November 2021. Her listed address is in a residential neighbourhood west of Jakarta, where Herrmann and his partner have logged dozens of runs.
Aircraft and International Trade
PT. Sukses Dagang Bersama was involved in the sale of an aircraft that was exported from the US to Africa last year, Federal Aviation Administration (FAA) records show. The FAA documents say the company bought the plane – a Beechcraft King Air 350 – in early 2024.
Top: A diagram illustrating the connections from the three company websites, with PT. Sukses Dagang Bersama’s highlighted on the right. Bottom: Archive of the FAA index of “collateral filed for recordation” showing PT. Sukses Dagang Bersama listed alongside the previous owner of the plane, with registration number N246SD. According to the aircraft’s FAA registration, N246SD was exported to Africa in February 2024. Source: FAA
Flight tracking website ADS-B Exchange shows that the twin-turboprop aircraft arrived in Harare after the last leg of its journey on February 23, 2024. The ferry pilot who transported the aircraft posted images of the trip to Facebook, which were tagged in Harare on the same date. The plane has been active since its delivery, travelling to airports in Zimbabwe, South Africa and Botswana. Images from plane spotters in South Africa in April and May 2024 show the aircraft with Malawi registration number 7Q-YAO on its side.
Main: Tracked flight path of the plane during its ferry flight from the USA to Africa in February 2024, with numerous subsequent flights also recorded in the region. Inset: Photos of the plane purchased by PT. Sukses Dagang Bersama and a Facebook post by a pilot showing the plane during the same ferry flight. Source: Flightradar24, Facebook, Google Earth
Two days after the plane was delivered to Harare the pilot posted a photo of himself with three other men in front of the aircraft, captioned “Acceptance demo flight”. The pilot and one of these men have previously flown a different aircraft, a Pilatus PC-12, that has been associated with a Kinahan-linked company.
The US $850,000 payment to Ryba was linked to a dispute over the purchase of this aircraft, according to The Sunday Times.
The pilot posted a photo to Facebook before transporting the Pilatus PC-12 from South Africa to the US in 2022 after it was sold to an unrelated buyer. But three years earlier, the Pilatus PC-12 was pictured in a Twitter post by CVK Investments LLC, a company that Irish police said was associated with Kinahan.
The July 2019 post said CVK was investing in the aircraft for an “air ambulance joint-venture business in Africa”. The aircraft pictured in the post shows its serial number “342”, matching the plane in the pilot’s Facebook post. While an aircraft’s registration number can change, the serial number is assigned by the manufacturer and remains the same (see Bellingcat’s flight-tracking guide here).
Left: A Kinahan-linked Twitter account said it invested in this Pilatus PC-12 in 2019. Right: The same plane was pictured on a ferry pilot’s Facebook page three years later. Source: Twitter / CVK Investments LLC, Facebook
The second man is an employee at Malawi’s aviation authority who is referenced in a Facebook photo as being one of the pilots during an August 2021 flight in the Kinahan-linked Pilatus PC-12.
The identity of the Malawi-registered plane was confirmed by its registration number at the time, “7Q-XRP”, visible on the control panel in the photo. The cockpit is identical to one pictured in a Google review posted by Kinahan a month later in September 2021.
Top: Registration number “7Q-XRP” visible on the control panel in a photo posted on Facebook. Bottom: Kinahan’s Google Maps review from September 2021 (left) shows the same cockpit with identical wiring and temperature sensors seen in the Facebook post from a month earlier (right). Source: Christopher Vincent Google review profile, Facebook
The pilots had not responded to requests for comment as of publication. There is no suggestion that they are involved in illegal activity or that either of the planes has travelled to Australia.
PT. Sukses Dagang Bersama is also listed in publicly available import/export records for mining-related and narcotic products between countries including India, Nigeria, Peru, Turkey and Russia.
Records from import/export data provider 52wmb show that in one 2023 shipment from India to Nigeria, PT. Sukses Dagang Bersama is listed in the product description for a delivery of the narcotic “Pentazocine Injection”, an opioid used in medicine that is also reportedly misused and sold on the underground market in Nigeria.
Also listed in the product description field is another company, Turkoca Import Export Transit Co Ltd. This Korea-based company was sanctioned by the US in May 2022 for being part of an Iran-linked oil smuggling and money laundering network.
The product description usually contains information about the items being exported. A potential explanation for company names appearing in this section is that they are “notify parties”, which are entities such as buyers, suppliers and brokers who should be informed when the cargo arrives. PT. Sukses Dagang Bersama appears as a “notify party” in the product description for another shipment to Nigeria from a different Indian pharmaceutical company.
PT. Sukses Dagang Bersama is also listed in 2024 import records for shipments of accessories for heavy machinery to Turkey from a Peruvian company that makes mining equipment. In records from Dataontrade.com it also appears as an exporter of “spare parts” for similar machinery, this time from Turkey to Russia.
Oliver Herrmann had not responded to requests for comment as of publication. Herrmann’s lawyer said: “I am not instructed to comment on these matters.”
Emails to 247 Capital Group, Ryba LLC and PT. Sukses Dagang Bersama were not returned.
Australian Cocaine Charges
Oliver Herrmann and his co-accused, Australian man Hamish Scott Falconer, 48, appeared in Perth Magistrates Court in January. Both men have been charged with one count of trafficking a commercial quantity of cocaine.
Herrmann also faces four counts of failing to comply with an order, according to a report in The West Australian, while Falconer is also facing one count of possessing a controlled drug and one count of failing to comply with an order.
Local media reported that neither of the men applied for bail and no pleas were entered.
Oliver Herrmann following his arrest in December 2024. Source: AFP
The Australian Federal Police said the men were arrested in Perth’s central business district on December 28 as part of an operation that began in October.
The AFP alleges that the men met at Perth Airport in November and drove to Kojonup Airport, about 250km south of Perth. Investigators said the pair departed Western Australia in the following days but later returned separately.
Falconer returned to Perth on December 26, according to police, where he hired a vehicle and transported multiple suitcases and jerry cans. Herrmann allegedly met a small aircraft at the Overlander Airstrip on December 27, returning to Perth and meeting Falconer the following day. Police said that the men bought more suitcases, before discarding them along with jerry cans in a shopping centre rubbish bin.
Cocaine seized by police in Perth. Source: AFP
Police said a search of Falconer’s hotel room uncovered about 200kg of cocaine, in six suitcases, as well as electronic devices, night vision goggles and an airband VHF radio. They said they searched Herrmann’s hotel room and seized four empty suitcases, aviation navigational equipment, a hardware cryptocurrency wallet and other electronic devices.
Both men were charged with trafficking a commercial quantity of a controlled drug, which carries a maximum penalty of 25 years’ imprisonment.
Local media reported that Herrmann and Falconer are due to appear in court again in May.
Connor Plunkett, Peter Barth and Beau Donelly contributed to this article.
On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America.
The Black Friday connection
Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity and often lax security awareness among users provides fertile ground for launching attacks. Gozi malware, a well-known banking Trojan, exploits this seasonal chaos to target unsuspecting users and financial institutions alike.
This year’s Black Friday activity was particularly concerning, with a notable increase in web-inject attacks. These sophisticated techniques compromised online banking sessions, enabling the theft of credentials, financial information and other sensitive data.
The campaign is not expected to stop there. With the subsequent year-end shopping rush, Gozi malware is poised to continue its onslaught. Cyber criminals are likely to capitalize on the desperation of last-minute shoppers seeking the best holiday deals, amplifying the malware’s reach and impact.
These ongoing attacks emphasize the need for vigilance and proactive security measures. Whether you’re a consumer enjoying the convenience of online shopping or a business managing increased transaction volumes, understanding the evolving tactics of cyber criminals is critical to staying ahead of the threat.
What is Gozi malware?
Gozi, also known as Ursnif and ISFB, is a modular banking Trojan that has been active since the mid-2000s. It is infamous for its ability to steal banking credentials, monitor user activity and execute advanced web-injects during online banking sessions. Over the years, it has evolved to include features like anti-debugging mechanisms and encrypted communication and is also used for targeted attacks on specific regions and financial institutions.
Observations from our system
During Black Friday, our telemetry revealed the following trends:
Targeted campaigns: Gozi operators appeared to focus on North American banks, aligning their campaigns with the peak shopping hours.
Increase in attack volume: The malware’s web-inject functionality was heavily used, indicating a rise in compromised banking sessions.
Why the surge?
The Black Friday spike in Gozi activity can be attributed to:
Volume of transactions: The sheer number of financial transactions increases the probability of successful attacks.
Weakened defenses: Many businesses prioritize frictionless user experience, uptime and sales during Black Friday, potentially delaying or weakening their security measures.
Human behavior: Consumers are more likely to overlook suspicious activity when rushing to grab deals.
What we found
The provided script demonstrates a sophisticated web injection attack used to compromise online banking sessions. It dynamically injects malicious code into the legitimate banking page, allowing attackers to manipulate the session without the victim’s knowledge. The malicious script operates in the background to steal sensitive data, such as credentials, and is designed to evade detection by immediately removing itself from the page after execution. By blending with the legitimate page and erasing evidence, the attack becomes nearly invisible to both users and traditional security measures. This highlights the growing sophistication of web-inject attacks and underscores the need for advanced monitoring systems and robust security measures to detect and prevent such threats.
Figure 1: Sample of Gozi injection
From the screenshot below, it appears that the attacker left minimal evidence, likely attempting to test the mechanism and ensure everything is functioning correctly:
Figure 2: Attacker preparation
We believe the web-inject is still a work in progress, with potential future updates and enhancements to the code likely.
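The defensive counterpart to the behaviour described under “What we found”, as an added example that is not IBM’s code or the inject itself: a page-integrity monitor that flags scripts inserted after load from an origin outside an allow-list, and inline scripts that remove themselves within a short window (the “erase the evidence” step). The origin `https://bank.example`, the node ids and the mutation records are constructed sample data; `toRecords` is a hypothetical adapter for feeding a real `MutationObserver` into the same analyser.

```javascript
// Added example (not IBM's or the Gozi authors' code): detection logic for the
// self-removing web-inject pattern described above. Records are constructed
// here so the logic runs stand-alone under Node; in a browser they would be
// produced by a MutationObserver via toRecords below.

// Hypothetical first-party origin for the banking site.
const ALLOWED_ORIGINS = new Set(["https://bank.example"]);

// Constructed sample of DOM changes after page load. t = ms since load,
// op = "add" | "remove", node = stable id for the same DOM node.
const SAMPLE_MUTATIONS = [
  { t: 12,   op: "add",    node: 1, tag: "script", src: "https://bank.example/static/app.js" },
  { t: 15,   op: "add",    node: 2, tag: "link",   src: "https://bank.example/static/app.css" },
  { t: 840,  op: "add",    node: 3, tag: "script", src: null, inlineLength: 4120 }, // injected inline
  { t: 845,  op: "remove", node: 3, tag: "script", src: null, inlineLength: 4120 }, // erased 5 ms later
  { t: 2100, op: "add",    node: 4, tag: "script", src: "https://static.unknown-cdn.invalid/x.js" },
  { t: 5000, op: "add",    node: 5, tag: "div",    src: null },
];

function scriptOrigin(src) {
  try { return new URL(src).origin; } catch { return null; }
}

// Returns one alert per suspicious script event, in time order.
function analyzeMutations(records, allowedOrigins = ALLOWED_ORIGINS, windowMs = 2000) {
  const alerts = [];
  const inlineAddedAt = new Map(); // node id -> time the inline script appeared
  for (const r of [...records].sort((a, b) => a.t - b.t)) {
    if (r.tag !== "script") continue;
    if (r.op === "add") {
      if (r.src) {
        const origin = scriptOrigin(r.src);
        if (!origin || !allowedOrigins.has(origin)) {
          alerts.push({ t: r.t, node: r.node, reason: "external-script-origin-not-allowed", detail: r.src });
        }
      } else {
        inlineAddedAt.set(r.node, r.t);
      }
    } else if (r.op === "remove" && inlineAddedAt.has(r.node)) {
      const lived = r.t - inlineAddedAt.get(r.node);
      inlineAddedAt.delete(r.node);
      if (lived <= windowMs) {
        alerts.push({ t: r.t, node: r.node, reason: "inline-script-self-removed",
                      detail: `lived ${lived} ms, ${r.inlineLength || 0} chars` });
      }
    }
  }
  return alerts;
}

// Browser adapter (hypothetical): maps MutationObserver records to the shape
// above. Node identity is kept in a WeakMap so an add and a later remove of
// the same element get the same id even across observer batches.
const nodeIds = new WeakMap();
let nextNodeId = 1;
function toRecords(mutationRecords, now) {
  const out = [];
  const idOf = (n) => { if (!nodeIds.has(n)) nodeIds.set(n, nextNodeId++); return nodeIds.get(n); };
  for (const m of mutationRecords) {
    for (const [op, list] of [["add", m.addedNodes], ["remove", m.removedNodes]]) {
      for (const n of list) {
        if (n.nodeType !== 1) continue; // elements only
        out.push({ t: now, op, node: idOf(n), tag: n.tagName.toLowerCase(),
                   src: n.src || null, inlineLength: n.src ? 0 : (n.textContent || "").length });
      }
    }
  }
  return out;
}
// In a browser: accumulate toRecords(batch, performance.now()) from a
// MutationObserver on document ({ childList: true, subtree: true }) and run
// analyzeMutations over the accumulated list, reporting alerts to the back end.
```

Running `analyzeMutations(SAMPLE_MUTATIONS)` yields two alerts: the inline script that lived 5 ms (node 3) and the off-origin script (node 4); the first-party script and non-script nodes are ignored.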
If you’d like to learn more about Gozi malware, you can find additional information here.
Final thoughts
As cyber criminals continue to exploit global events like Black Friday, staying vigilant is more crucial than ever. The resurgence of Gozi malware activity highlights the importance of proactive security measures for both businesses and individuals. While the current attacks are predominantly targeting North America, we suspect this campaign will soon expand to Europe, leveraging the holiday shopping season to further its impact.
While we enjoy the convenience of online shopping, it’s vital to stay aware of the ever-present cyber threats lurking in the digital landscape. By adopting robust security practices and remaining cautious, we can reduce the risks and protect ourselves against these sophisticated attacks. Cybersecurity is not just a technical challenge—it’s a shared responsibility.
How to avoid Gozi malware
Here are some recommendations to avoid Gozi malware and protect yourself from similar threats:
Be wary of email links. Exercise caution when opening email attachments or clicking on links, especially if they come from unknown or suspicious sources. Be particularly vigilant for phishing emails that may attempt to trick you into downloading malware.
Increase your password security. Create strong and unique passwords for all your online accounts, including cryptocurrency exchanges and wallets. Avoid using easily guessable information and consider using a reliable password manager to securely store and manage your passwords.
Remain vigilant online. Pay attention to any unusual behavior or unexpected requests when accessing websites, especially financial or cryptocurrency-related platforms. If you encounter unexpected pop-ups, requests for additional personal information or changes in website appearance, it could be a sign of a web-inject attempting to deceive you.
Stay informed about the latest cybersecurity threats and best practices. Familiarize yourself with common techniques used by cyber criminals, such as phishing scams and social engineering, to avoid falling victim to their tactics.
One of the best tools to detect Gozi malware and protect your organization is IBM Security Trusteer Pinpoint Detect. The tool uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions and detect user devices infected with high-risk malware. Learn more here.