- 扫描 ID:
- ab3d7351-e176-4696-8ec6-ddfed104f598已完成
- 提交的 URL:
- https://krebsonsecurity.com/
- 报告完成时间:
链接 · 找到 24 个
从页面中识别出的传出链接
链接 | 文本 |
---|---|
https://www.radware.com/lp/ciso-guide-to-stopping-bad-bots/?utm_source=krebsonsecurity&utm_medium=banner&utm_campaign=GBL_2024_OnlineAds_CISOsGuideBadBots_Krebs | |
http://twitter.com/briankrebs | |
https://www.linkedin.com/in/bkrebs/ | |
https://resources.prodaft.com/fin7-cybercrime-gang | FIN7 |
https://x.com/FalconFeedsio/status/1665690661377691649 | in June 2023 on Twitter/X |
https://x.com/TLP_R3D/status/1665777020767293447 | first posited a connection between observed scanning activity and Araneida |
https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf | an August 2023 report |
https://en.wikipedia.org/wiki/Google_Assistant | Google Assistant |
https://en.wikipedia.org/wiki/Google_Forms | Google Forms |
https://www.tripwire.com/state-of-security/google-forms-used-call-back-phishing-scam | wrote in a December 2023 post |
JavaScript 变量 · 找到 11 个
在页面窗口对象上加载的全局 JavaScript 变量是在函数外部声明的变量,可以从当前范围内的代码中的任何位置访问
名称 | 类型 |
---|---|
onbeforetoggle | object |
documentPictureInPicture | object |
onscrollend | object |
_wpemojiSettings | object |
$ | undefined |
jQuery | function |
pullquote | object |
pullQuoteOpts | function |
arrOptions | object |
twemoji | object |
控制台日志消息 · 找到 2 条
记录到 Web 控制台的消息
类型 | 类别 | 记录 |
---|---|---|
log | other |
|
warning | other |
|
HTML
页面的原始 HTML 正文
<!DOCTYPE html><!--[if IE 7]>
<html class="ie ie7" lang="en-US">
<![endif]--><!--[if IE 8]>
<html class="ie ie8" lang="en-US">
<![endif]--><!--[if !(IE 7) | !(IE 8) ]><!--><html lang="en-US"><!--<![endif]--><head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<link rel="profile" href="http://gmpg.org/xfn/11">
<!--[if lt IE 9]>
<script src="https://krebsonsecurity.com/wp-content/themes/kos-mar2021/js/html5.js" type="text/javascript"></script>
<![endif]-->
<title>Krebs on Security – In-depth security news and investigation</title>
<meta name="robots" content="max-image-preview:large">
<link rel="dns-prefetch" href="//fonts.googleapis.com">
<link rel="alternate" type="application/rss+xml" title="Krebs on Security » Feed" href="https://krebsonsecurity.com/feed/">
<link rel="alternate" type="application/rss+xml" title="Krebs on Security » Comments Feed" href="https://krebsonsecurity.com/comments/feed/">
<script type="text/javascript">
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/krebsonsecurity.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.2.2"}};
/*! This file is auto-generated */
!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){p.clearRect(0,0,i.width,i.height),p.fillText(e,0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(t,0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(p&&p.fillText)switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s("\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!s("\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!s("\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!s("\ud83e\udef1\ud83c\udffb\u200d\ud83e\udef2\ud83c\udfff","\ud83e\udef1\ud83c\udffb\u200b\ud83e\udef2\ud83c\udfff")}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source||{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSettings);
</script><script src="https://krebsonsecurity.com/wp-includes/js/wp-emoji-release.min.js?ver=6.2.2" type="text/javascript" defer=""></script>
<style type="text/css">
img.wp-smiley,
img.emoji {
display: inline !important;
border: none !important;
box-shadow: none !important;
height: 1em !important;
width: 1em !important;
margin: 0 0.07em !important;
vertical-align: -0.1em !important;
background: none !important;
padding: 0 !important;
}
</style>
<link rel="stylesheet" id="colorbox-theme1-css" href="https://krebsonsecurity.com/wp-content/plugins/jquery-lightbox-for-native-galleries/colorbox/theme1/colorbox.css?ver=1.3.14" type="text/css" media="screen">
<link rel="stylesheet" id="wp-block-library-css" href="https://krebsonsecurity.com/wp-includes/css/dist/block-library/style.min.css?ver=6.2.2" type="text/css" media="all">
<link rel="stylesheet" id="classic-theme-styles-css" href="https://krebsonsecurity.com/wp-includes/css/classic-themes.min.css?ver=6.2.2" type="text/css" media="all">
<style id="global-styles-inline-css" type="text/css">
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
.wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;}
:where(.wp-block-columns.is-layout-flex){gap: 2em;}
.wp-block-pullquote{font-size: 1.5em;line-height: 1.6;}
</style>
<link rel="stylesheet" id="contact-form-7-css" href="https://krebsonsecurity.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.2" type="text/css" media="all">
<link rel="stylesheet" id="publisho-style-css" href="https://krebsonsecurity.com/wp-content/themes/kos-mar2021/style.css?subver=1.2&ver=6.2.2" type="text/css" media="all">
<style id="publisho-style-inline-css" type="text/css">
.themonic-nav .current-menu-item > a, .themonic-nav .current-menu-ancestor > a, .themonic-nav .current_page_item > a, .themonic-nav .current_page_ancestor > a {
background: #cc6600;
}
.themonic-nav ul.nav-menu, .themonic-nav div.nav-menu > ul {
border-bottom: 5px solid #cc6600;
}
#site-navigation .topheadmenu a {
background: rgba(0, 0, 0, 0);
}
.themonic-nav li a:hover {
background: #cc6600;
}
.themonic-nav li:hover {
background: #cc6600;
}.wrapper .flexslider {margin: 0 0 30px;}.frontp .btm-wrap {
border-top: 1px solid #e9e9e9;
}
.entry-summary {
border-top: none;
}.frontp .btm-wrap { margin-bottom: 30px;}.site { font-size:14px;}.site { font-family:'Roboto', arial ;}
</style>
<link rel="stylesheet" id="publisho-custom-style-css" href="https://krebsonsecurity.com/wp-content/themes/kos-mar2021/custom.css?subver=1.2&ver=6.2.2" type="text/css" media="all">
<!--[if lt IE 9]>
<link rel='stylesheet' id='publisho-ie-css' href='https://krebsonsecurity.com/wp-content/themes/kos-mar2021/css/ie.css?ver=20160606' type='text/css' media='all' />
<![endif]-->
<link rel="stylesheet" id="fontawesome-css-css" href="https://krebsonsecurity.com/wp-content/themes/kos-mar2021/fonts/font-awesome.min.css?ver=6.2.2" type="text/css" media="all">
<link rel="stylesheet" id="publisho_custom_fonts-css" href="//fonts.googleapis.com/css?family=Roboto%3Aregular%2Citalic%2C500%26subset%3Dlatin%2C" type="text/css" media="screen">
<script type="text/javascript" src="https://krebsonsecurity.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.4" id="jquery-core-js"></script>
<script type="text/javascript" src="https://krebsonsecurity.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.0" id="jquery-migrate-js"></script>
<script type="text/javascript" src="https://krebsonsecurity.com/wp-content/plugins/jquery-lightbox-for-native-galleries/colorbox/jquery.colorbox-min.js?ver=1.3.14" id="colorbox-js"></script>
<link rel="https://api.w.org/" href="https://krebsonsecurity.com/wp-json/"><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://krebsonsecurity.com/xmlrpc.php?rsd">
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://krebsonsecurity.com/wp-includes/wlwmanifest.xml">
<meta name="generator" content="WordPress 6.2.2">
<!-- JavaScript Pull-Quotes plugin v2.2 -->
<link rel="stylesheet" href="https://krebsonsecurity.com/wp-content/plugins/jspullquotes/resources/jspullquotes-core.css" type="text/css">
<link rel="stylesheet" href="https://krebsonsecurity.com/wp-content/plugins/jspullquotes/resources/jspullquotes-default.css" type="text/css">
<script type="text/javascript" src="https://krebsonsecurity.com/wp-content/plugins/jspullquotes/resources/jspullquotes.js"></script>
<script type="text/javascript">
var arrOptions = new Array("1", "1", "right", "1", "1", "blockquote", "pullquote", "pullquote pqRight");
pullQuoteOpts(arrOptions);
</script>
<!-- end pull-quote additions -->
<!-- jQuery Lightbox For Native Galleries v3.1.3 | http://www.viper007bond.com/wordpress-plugins/jquery-lightbox-for-native-galleries/ -->
<script type="text/javascript">
// <![CDATA[
jQuery(document).ready(function($){
$(".gallery").each(function(index, obj){
var galleryid = Math.floor(Math.random()*10000);
$(obj).find("a").colorbox({rel:galleryid, maxWidth:"95%", maxHeight:"95%"});
});
$("a.lightbox").colorbox({maxWidth:"95%", maxHeight:"95%"});
});
// ]]>
</script>
<style type="text/css" id="custom-background-css">
body.custom-background { background-color: #ffffff; }
</style>
<link rel="me" href="https://twitter.com/briankrebs"><meta name="twitter:widgets:link-color" content="#000000"><meta name="twitter:widgets:border-color" content="#000000"><meta name="twitter:partner" content="tfwp">
<meta name="twitter:card" content="summary"><meta name="twitter:title" content="Krebs on Security"><meta name="twitter:site" content="@briankrebs"><meta name="twitter:description" content="In-depth security news and investigation">
</head>
<body class="home blog custom-background custom-background-white single-author frontp hfeed">
<div id="page" class="site">
<!-- <div class="publisho-top-mobile-nav clear"></div> -->
<div class="themonic-logo themonic-ad3"><div class="a-statement">Advertisement</div><a href="https://www.radware.com/lp/ciso-guide-to-stopping-bad-bots/?utm_source=krebsonsecurity&utm_medium=banner&utm_campaign=GBL_2024_OnlineAds_CISOsGuideBadBots_Krebs">
<img src="/b-rad/17.png">
</a></div>
<div class="themonic-logo themonic-ad6"><div class="a-statement">Advertisement</div><a href="https://www.radware.com/lp/ciso-guide-to-stopping-bad-bots/?utm_source=krebsonsecurity&utm_medium=banner&utm_campaign=GBL_2024_OnlineAds_CISOsGuideBadBots_Krebs">
<img src="/b-rad/18.png">
</a></div>
<nav id="site-navigation" class="themonic-nav" role="navigation">
</nav><!-- #site-navigation -->
<div class="clear"></div>
<header id="masthead" class="site-header" role="banner">
<div class="desktop-social">
<div class="socialmedia">
<a href="http://twitter.com/briankrebs" target="_blank"><i class="fa fa-twitter"></i></a>
<a class="rss" href="https://krebsonsecurity.com/feed/" target="_blank"><i class="fa fa-rss"></i></a>
<a class="rss" href="https://www.linkedin.com/in/bkrebs/" target="_blank"><i class="fa fa-linkedin"></i></a>
</div>
</div>
<div class="themonic-logo responsive-img-container">
<a href="https://krebsonsecurity.com/" title="Krebs on Security" rel="home"><img src="https://krebsonsecurity.com/wp-content/uploads/2021/03/kos-27-03-2021.jpg" alt="Krebs on Security"></a>
</div>
<div class="mobile-social">
<div class="socialmedia">
<a href="http://twitter.com/briankrebs" target="_blank"><i class="fa fa-twitter"></i></a>
<a class="rss" href="https://krebsonsecurity.com/feed/" target="_blank"><i class="fa fa-rss"></i></a>
<a class="rss" href="https://www.linkedin.com/in/bkrebs/" target="_blank"><i class="fa fa-linkedin"></i></a>
</div>
</div>
<!-- <div class="publisho-mobile-nav clear"></div> -->
<nav id="site-navigation" class="themonic-nav" role="navigation">
<a class="assistive-text" href="#content" title="Skip to content">Skip to content</a>
<div id="menu-top" class="nav-menu"><ul>
<li class="current_page_item"><a href="https://krebsonsecurity.com/">Home</a></li><li class="page_item page-item-2"><a href="https://krebsonsecurity.com/about/">About the Author</a></li>
<li class="page_item page-item-645"><a href="https://krebsonsecurity.com/cpm/">Advertising/Speaking</a></li>
</ul></div>
</nav><!-- #site-navigation -->
<div class="clear"></div>
</header><!-- #masthead -->
<div id="main" class="wrapper">
<div id="primary" class="site-content">
<div id="content" role="main">
<article id="post-69811" class="post-69811 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-breadcrumbs category-neer-do-well-news category-comingstorm tag-acunetix tag-altug-sara tag-altugsara321gmail-com tag-araneida-scanner tag-bilitro-yazilim tag-domaintools tag-fin7 tag-invicti-security tag-matt-sciberras tag-neil-roseman tag-ori0nbusinessprotonmail-com tag-silent-push tag-u-s-department-of-health-and-human-services tag-zach-edwards">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/12/web-hacking-service-araneida-tied-to-turkish-it-firm/" title="Permalink to Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm" rel="bookmark">Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">December 19, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/12/web-hacking-service-araneida-tied-to-turkish-it-firm/#comments">3 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of <strong>Acunetix</strong>, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.</p>
<div id="attachment_69895" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69895" decoding="async" class=" wp-image-69895" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/araneida-scanner.png" alt="" width="749" height="562" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/12/araneida-scanner.png 1126w, https://krebsonsecurity.com/wp-content/uploads/2024/12/araneida-scanner-768x576.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/12/araneida-scanner-782x587.png 782w" sizes="(max-width: 749px) 100vw, 749px"><p id="caption-attachment-69895" class="wp-caption-text">Araneida Scanner.</p></div>
<p>Cyber threat analysts at <strong>Silent Push</strong> said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by <a href="https://resources.prodaft.com/fin7-cybercrime-gang" target="_blank" rel="noopener">FIN7</a>, a notorious Russia-based hacking group.</p>
<p>But on closer inspection they discovered the address contained an HTML title of “<strong>Araneida Customer Panel</strong>,” and found they could search on that text string to find dozens of unique addresses hosting the same service.</p>
<p>It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.</p>
<p>Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.</p>
<p>The makers of Acunetix, Texas-based application security vendor <strong>Invicti Security</strong>, confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.</p>
<p>“We have been playing cat and mouse for a while with these guys,” said <strong>Matt Sciberras</strong>, chief information security officer at Invicti.</p>
<p>Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The service’s Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.</p>
<p>In a “Fun Facts” list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (“dumps”) they sold.</p>
<div id="attachment_69898" style="width: 668px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69898" decoding="async" loading="lazy" class=" wp-image-69898" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/araneida-tg.png" alt="" width="658" height="273"><p id="caption-attachment-69898" class="wp-caption-text">Araneida Scanner’s Telegram channel bragging about how customers are using the service for cybercrime.</p></div>
<p>“They are constantly bragging with their community about the crimes that are being committed, how it’s making criminals money,” said <strong>Zach Edwards</strong>, a senior threat researcher at Silent Push. “They are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.”</p>
<p>Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.</p>
<p>Rumors of a cracked version of Acunetix being used by attackers surfaced <a href="https://x.com/FalconFeedsio/status/1665690661377691649" target="_blank" rel="noopener">in June 2023 on Twitter/X</a>, when researchers <a href="https://x.com/TLP_R3D/status/1665777020767293447" target="_blank" rel="noopener">first posited a connection between observed scanning activity and Araneida</a>.</p>
<p>According to <a href="https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf" target="_blank" rel="noopener">an August 2023 report</a> (PDF) from the <strong>U.S. Department of Health and Human Services</strong> (HHS), Acunetix (presumably a cracked version) is among several tools used by <a href="https://krebsonsecurity.com/2020/09/chinese-antivirus-firm-was-part-of-apt41-supply-chain-attack/" target="_blank" rel="noopener">APT 41</a>, a prolific Chinese state-sponsored hacking group. <a href="https://krebsonsecurity.com/2024/12/web-hacking-service-araneida-tied-to-turkish-it-firm/#more-69811" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<div id="between_article_ad" class="themonic-ad5"><a href="https://www.radware.com/lp/ciso-guide-to-stopping-bad-bots/?utm_source=krebsonsecurity&utm_medium=banner&utm_campaign=GBL_2024_OnlineAds_CISOsGuideBadBots_Krebs">
<img src="/b-rad/16.png">
</a></div> <article id="post-69474" class="post-69474 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-latest-warnings category-neer-do-well-news category-web-fraud-2-0 tag-650-203-0000 tag-coinbase tag-daniel-from-google tag-gemini-ai tag-google-assistant tag-google-docs tag-google-forms tag-google-photos tag-graham-cluely tag-junseth tag-minecraft tag-swancoin tag-trezor">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/" title="Permalink to How to Lose a Fortune with Just One Bad Click" rel="bookmark">How to Lose a Fortune with Just One Bad Click</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">December 18, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/#comments">37 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<div id="attachment_69859" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69859" decoding="async" loading="lazy" class=" wp-image-69859" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/thumb-mobile.png" alt="" width="749" height="441"><p id="caption-attachment-69859" class="wp-caption-text">Image: Shutterstock, iHaMoo.</p></div>
<p><strong>Adam Griffin</strong> is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real <strong>Google</strong> phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click “yes” to a Google prompt on his mobile device.</p>
<p>Griffin is a battalion chief firefighter in the Seattle area, and on May 6 he received a call from someone claiming they were from Google support saying his account was being accessed from Germany. A Google search on the phone number calling him — <strong>(650) 203-0000</strong> — revealed it was an official number for <a href="https://en.wikipedia.org/wiki/Google_Assistant" target="_blank" rel="noopener">Google Assistant</a>, an AI-based service that can engage in two-way conversations.</p>
<p>At the same time, he received an email that came from a google.com email address, warning his Google account was compromised. The message included a “Google Support Case ID number” and information about the Google representative supposedly talking to him on the phone, stating the rep’s name as “Ashton”<strong> </strong>— the same name given by the caller.</p>
<p>Griffin didn’t learn this until much later, but the email he received had a real google.com address because it was sent via <a href="https://en.wikipedia.org/wiki/Google_Forms" target="_blank" rel="noopener">Google Forms</a>, a service available to all <strong>Google Docs</strong> users that makes it easy to send surveys, quizzes and other communications.</p>
<div id="attachment_69865" style="width: 499px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69865" decoding="async" loading="lazy" class=" wp-image-69865" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/gsid19472345.png" alt="" width="489" height="833"><p id="caption-attachment-69865" class="wp-caption-text">A phony security alert Griffin received prior to his bitcoin heist, via Google Forms.</p></div>
<p>According to tripwire.com’s <strong>Graham Cluely</strong>, phishers will use Google Forms to create a security alert message, and then change the form’s settings to automatically send a copy of the completed form to any email address entered into the form. The attacker then sends an invitation to complete the form to themselves, not to their intended victim.</p>
<p>“So, the attacker receives the invitation to fill out the form – and when they complete it, they enter their intended victim’s email address into the form, not their own,” Cluely <a href="https://www.tripwire.com/state-of-security/google-forms-used-call-back-phishing-scam" target="_blank" rel="noopener">wrote in a December 2023 post</a>. “The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It’s an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.”</p>
<p>The fake Google representative was polite, patient, professional and reassuring. Ashton told Griffin he was going to receive a notification that would allow him to regain control of the account from the hackers. Sure enough, a Google prompt instantly appeared on his phone asking, “Is it you trying to recover your account?”</p>
<div id="attachment_69818" style="width: 520px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69818" decoding="async" loading="lazy" class="size-full wp-image-69818" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/griffin-gar.png" alt="" width="510" height="889"><p id="caption-attachment-69818" class="wp-caption-text">Adam Griffin clicked “yes,” to an account recovery notification similar to this one on May 6.</p></div>
<p>Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.</p>
<p>“As soon as I clicked yes, I gave them access to my Gmail, which was synched to <strong>Google Photos</strong>,” Griffin said.</p>
<p>Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.</p>
<p>“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.</p>
<p>Griffin said just minutes after giving away access to his Gmail account he received a call from someone claiming to be with Coinbase, who likewise told him someone in Germany was trying to take over his account.</p>
<p>Griffin said a follow-up investigation revealed the attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.</p>
<p>But when the thieves tried to move $100,000 worth of cryptocurrency out of his account, Coinbase sent an email stating that the account had been locked, and that he would have to submit additional verification documents before he could do anything with it. <a href="https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/#more-69474" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<div class="themonic-ad2"><div class="a-statement">Advertisement</div></div> <article id="post-69725" class="post-69725 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-breadcrumbs category-russias-war-on-ukraine category-web-fraud-2-0 tag-binance tag-blaven-technologies tag-chainalysis tag-cloudflare tag-cryptomus tag-ctv-news tag-fintrac tag-icon-tech-sro tag-investigative-journalism-foundation tag-mezhundarondnaya-ibu-sro tag-peter-german tag-pq-hosting tag-rcmp tag-richard-sanders tag-vira-krychka tag-ws-management-and-advisory-corporation-ltd tag-xeltox-enterprises">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/12/how-cryptocurrency-turns-to-cash-in-russian-banks/" title="Permalink to How Cryptocurrency Turns to Cash in Russian Banks" rel="bookmark">How Cryptocurrency Turns to Cash in Russian Banks</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">December 11, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/12/how-cryptocurrency-turns-to-cash-in-russian-banks/#comments">30 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which are physically located there.</p>
<p><img decoding="async" loading="lazy" class="aligncenter wp-image-69766" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/happycanada.png" alt="" width="650" height="397"></p>
<p><strong>Richard Sanders</strong> is a blockchain analyst and investigator who advises the law enforcement and intelligence community. Sanders spent most of 2023 in Ukraine, traveling with Ukrainian soldiers while mapping the shifting landscape of Russian crypto exchanges that are laundering money for narcotics networks operating in the region.</p>
<p>More recently, Sanders has focused on identifying how dozens of popular cybercrime services are getting paid by their customers, and how they are converting cryptocurrency revenues into cash. For the past several months, he’s been signing up for various cybercrime services, and then tracking where their customer funds go from there.</p>
<p>The 122 services targeted in Sanders’ research include some of the more prominent businesses advertising on the cybercrime forums today, such as:</p>
<p>-abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">PQHosting</a>;<br>
-sites selling aged email, financial, or social media accounts, such as verif[.]work and <a href="https://krebsonsecurity.com/2023/06/service-rents-email-addresses-for-account-signups/" target="_blank" rel="noopener">kopeechka[.]store</a>;<br>
-anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;<br>
-anonymous SMS services, including anonsim[.]net and smsboss[.]pro.</p>
<div id="attachment_69768" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69768" decoding="async" loading="lazy" class=" wp-image-69768" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/verif-work.png" alt="" width="748" height="462" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/12/verif-work.png 1253w, https://krebsonsecurity.com/wp-content/uploads/2024/12/verif-work-768x474.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/12/verif-work-782x483.png 782w" sizes="(max-width: 748px) 100vw, 748px"><p id="caption-attachment-69768" class="wp-caption-text">The site Verif dot work, which processes payments through Cryptomus, sells financial accounts, including debit and credit cards.</p></div>
<p>Sanders said he first encountered some of these services while investigating Kremlin-funded disinformation efforts in Ukraine, as they are all useful in assembling large-scale, anonymous social media campaigns.</p>
<p>According to Sanders, all 122 of the services he tested are processing transactions through a company called <strong>Cryptomus</strong>, which says it is a cryptocurrency payments platform based in Vancouver, British Columbia. Cryptomus’ website says its parent firm — <strong>Xeltox Enterprises Ltd. </strong>(formerly certa-pay[.]com) — is registered as a money service business (MSB) with the <strong>Financial Transactions and Reports Analysis Centre of Canada</strong> (FINTRAC).</p>
<p>Sanders said the payment data he gathered also shows that at least 56 cryptocurrency exchanges are currently using Cryptomus to process transactions, including financial entities with names like <strong>casher[.]su</strong>, <strong>grumbot[.]com</strong>, <strong>flymoney[.]biz, obama[.]ru</strong> and <strong>swop[.]is</strong>.</p>
<p>These platforms are built for Russian speakers, and they each advertise the ability to anonymously swap one form of cryptocurrency for another. They also allow the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — <em>nearly all of which are currently sanctioned by the United States and other western nations</em>.</p>
<div id="attachment_69745" style="width: 761px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-69745" decoding="async" loading="lazy" class="wp-image-69745" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney.png" alt="" width="751" height="430" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney.png 1399w, https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney-768x440.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney-782x448.png 782w" sizes="(max-width: 751px) 100vw, 751px"></a><p id="caption-attachment-69745" class="wp-caption-text">A machine-translated version of Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus.</p></div>
<p>An analysis of their technology infrastructure shows that all of these exchanges use Russian email providers, and most are directly hosted in Russia or by Russia-backed ISPs with infrastructure in Europe (e.g. Selectel, Netwarm UK, Beget, Timeweb and DDoS-Guard). The analysis also showed nearly all 56 exchanges used services from <strong>Cloudflare</strong>, a global content delivery network based in San Francisco.</p>
<p>“Purportedly, the purpose of these platforms is for companies to accept cryptocurrency payments in exchange for goods or services,” Sanders told KrebsOnSecurity. “Unfortunately, it is next to impossible to find any goods for sale with websites using Cryptomus, and the services appear to fall into one or two different categories: Facilitating transactions with sanctioned Russian banks, and platforms providing the infrastructure and means for cyber attacks.”</p>
<p>Cryptomus did not respond to multiple requests for comment.</p>
<h2>PHANTOM ADDRESSES?</h2>
<p>The Cryptomus website and its FINTRAC listing say the company’s registered address is <strong>Suite 170, 422 Richards St. in Vancouver, BC.</strong> This address was the subject of <a href="https://theijf.org/msb-cluster-investigation" target="_blank" rel="noopener">an investigation published in July</a> by <strong>CTV National News </strong>and the <strong>Investigative Journalism Foundation (IJF)</strong>, which documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.</p>
<div id="attachment_69744" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69744" decoding="async" loading="lazy" class=" wp-image-69744" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/ijf-ctv.png" alt="" width="749" height="496" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/12/ijf-ctv.png 1020w, https://krebsonsecurity.com/wp-content/uploads/2024/12/ijf-ctv-768x509.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/12/ijf-ctv-782x518.png 782w" sizes="(max-width: 749px) 100vw, 749px"><p id="caption-attachment-69744" class="wp-caption-text">This building at 422 Richards St. in downtown Vancouver is the registered address for 90 money services businesses, including 10 that have had their registrations revoked. Image: theijf.org/msb-cluster-investigation.</p></div>
<p>Their inquiry found 422 Richards St. was listed as the registered address for at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But they found none of the MSBs or currency dealers were paying for services at that co-working space.</p>
<p>The reporters found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence these companies had ever arranged for any business services at that address.</p>
<p><strong>Peter German</strong>, a former deputy commissioner for the <strong>Royal Canadian Mounted Police</strong> who authored two reports on money laundering in British Columbia, told the publications it goes against the spirit of Canada’s registration requirements for such businesses, which are considered high-risk for money laundering and terrorist financing.</p>
<p>“If you’re able to have 70 in one building, that’s just an abuse of the whole system,” German said.</p>
<p>Ten MSBs registered to 422 Richard St. had their registrations revoked. One company at 422 Richards St. whose registration was revoked this year had a director with a listed address in Russia, the publications reported. “Others appear to be directed by people who are also directors of companies in Cyprus and other high-risk jurisdictions for money laundering,” they wrote.</p>
<p>A review of <a href="https://krebsonsecurity.com/wp-content/uploads/2024/12/fintrac-msbs.csv" target="_blank" rel="noopener">FINTRAC’s registry</a> (.CSV) shows many of the MSBs at 422 Richards St. are international money transfer or remittance services to countries like Malaysia, India and Nigeria. Some act as currency exchanges, while others appear to sell merchant accounts and online payment services. Still, KrebsOnSecurity could find no obvious connections between the 56 Russian cryptocurrency exchanges identified by Sanders and the dozens of payment companies that FINTRAC says share an address with the Cryptomus parent firm Xeltox Enterprises. <a href="https://krebsonsecurity.com/2024/12/how-cryptocurrency-turns-to-cash-in-russian-banks/#more-69725" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69721" class="post-69721 post type-post status-publish format-standard hentry category-other tag-adam-barnett tag-cve-2024-49112 tag-cve-2024-49138 tag-fortra tag-immersive-labs tag-ldap tag-lightweight-directory-access-protocol tag-microsoft-patch-tuesday-december-2024 tag-rapid7 tag-rob-reeves tag-tenable tag-tyler-reguly tag-windows-common-log-file-system-clfs-driver">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/12/patch-tuesday-december-2024-edition/" title="Permalink to Patch Tuesday, December 2024 Edition" rel="bookmark">Patch Tuesday, December 2024 Edition</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">December 10, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/12/patch-tuesday-december-2024-edition/#comments">11 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Microsoft</strong> today released updates to plug at least 70 security holes in <strong>Windows</strong> and Windows software, including one vulnerability that is already being exploited in active attacks.</p>
<p><img decoding="async" loading="lazy" class="aligncenter wp-image-56287" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png" alt="" width="749" height="527" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png 841w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-768x541.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-782x550.png 782w, https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate-100x70.png 100w" sizes="(max-width: 749px) 100vw, 749px"></p>
<p>The zero-day seeing exploitation involves <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49138" target="_blank" rel="noopener">CVE-2024-49138</a>, a security weakness in the <strong>Windows Common Log File System</strong> (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device.</p>
<p>The security firm <strong>Rapid7</strong> notes there have been a series of zero-day elevation of privilege flaws in CLFS over the past few years.</p>
<p>“Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one,” wrote <strong>Adam Barnett</strong>, lead software engineer at Rapid7. “Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.”</p>
<p>Elevation of privilege vulnerabilities accounted for 29% of the 1,009 security bugs Microsoft has patched so far in 2024, according to a year-end tally by <strong>Tenable</strong>; nearly 40 percent of those bugs were weaknesses that could let attackers run malicious code on the vulnerable device. <a href="https://krebsonsecurity.com/2024/12/patch-tuesday-december-2024-edition/#more-69721" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69698" class="post-69698 post type-post status-publish format-standard has-post-thumbnail hentry category-neer-do-well-news tag-aleksandr-ermakov tag-boriselcin tag-daryna-antoniuk tag-intel-471 tag-mikhail-lenin tag-mikhail-matveev tag-mikhail-shefel tag-rescator tag-shtazi-it tag-sugarlocker tag-wazawaka">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/12/u-s-offered-10m-for-hacker-just-arrested-by-russia/" title="Permalink to U.S. Offered $10M for Hacker Just Arrested by Russia" rel="bookmark">U.S. Offered $10M for Hacker Just Arrested by Russia</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">December 4, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/12/u-s-offered-10m-for-hacker-just-arrested-by-russia/#comments">14 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>In January 2022, KrebsOnSecurity identified a Russian man named <strong>Mikhail Matveev</strong> as “<strong>Wazawaka</strong>,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.</p>
<div id="attachment_63686" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-63686" decoding="async" loading="lazy" class=" wp-image-63686" src="https://krebsonsecurity.com/wp-content/uploads/2023/05/fbiwanted-matveev.png" alt="" width="748" height="734" srcset="https://krebsonsecurity.com/wp-content/uploads/2023/05/fbiwanted-matveev.png 804w, https://krebsonsecurity.com/wp-content/uploads/2023/05/fbiwanted-matveev-768x754.png 768w, https://krebsonsecurity.com/wp-content/uploads/2023/05/fbiwanted-matveev-782x767.png 782w" sizes="(max-width: 748px) 100vw, 748px"><p id="caption-attachment-63686" class="wp-caption-text">An FBI wanted poster for Matveev.</p></div>
<p>Matveev, a.k.a. “Wazawaka” and “<strong>Boriselcin</strong>” worked with at least three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies, U.S. prosecutors allege.</p>
<p>Russia’s interior ministry last week issued <a href="https://t.me/mvd39/5931" target="_blank" rel="noopener">a statement</a> saying a 32-year-old hacker had been charged with violating domestic laws against the creation and use of malicious software. The announcement didn’t name the accused, but the Russian state news agency <em>RIA Novosti</em> <a href="https://ria.ru/20241129/sud-1986456557.html" target="_blank" rel="noopener">cited</a> anonymous sources saying the man detained is Matveev.</p>
<p>Matveev did not respond to requests for comment. <strong>Daryna Antoniuk</strong> at <em>TheRecord</em> <a href="https://therecord.media/wazawaka-mikhail-matveev-reportedly-arrested-russia" target="_blank" rel="noopener">reports</a> that a security researcher said on Sunday they had contacted Wazawaka, who confirmed being charged and said he’d paid two fines, had his cryptocurrency confiscated, and is currently out on bail pending trial.</p>
<p>Matveev’s hacker identities were remarkably open and talkative on numerous cybercrime forums. Shortly after <a href="https://krebsonsecurity.com/2022/01/who-is-the-network-access-broker-wazawaka/" target="_blank" rel="noopener">being identified as Wazawaka by KrebsOnSecurity in 2022</a>, Matveev <a href="https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/" target="_blank" rel="noopener">published multiple selfie videos on Twitter/X</a> where he acknowledged using the Wazawaka moniker and mentioned several security researchers by name (including this author). More recently, Matveev’s X profile (@ransomboris) <a href="https://x.com/LucasKatashi/status/1716815224874140121" target="_blank" rel="noopener">posted</a> a picture of a t-shirt that features the U.S. government’s “Wanted” poster for him.</p>
<div id="attachment_69704" style="width: 597px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69704" decoding="async" loading="lazy" class="size-full wp-image-69704" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/matveev-wanted-tshirt.png" alt="" width="587" height="815"><p id="caption-attachment-69704" class="wp-caption-text">An image tweeted by Matveev showing the Justice Department’s wanted poster for him on a t-shirt. image: x.com/vxunderground</p></div>
<p>The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra.</p>
<p>“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka wrote in January 2021 on the Russian-language cybercrime forum Exploit. “Mother Russia will help you. Love your country, and you will always get away with everything.” <a href="https://krebsonsecurity.com/2024/12/u-s-offered-10m-for-hacker-just-arrested-by-russia/#more-69698" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69531" class="post-69531 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-latest-warnings category-comingstorm tag-chenlun tag-and-mobile-anti-abuse-working-group tag-anti-phishing-working-group tag-coalition-against-unsolicited-commercial-email tag-icann tag-interisle-consulting tag-internet-corporation-for-assigned-names-and-numbers tag-john-levine tag-malware tag-messaging tag-new-gtlds tag-phishing tag-spam tag-u-s-postal-service">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/12/why-phishers-love-new-tlds-like-shop-top-and-xyz/" title="Permalink to Why Phishers Love New TLDs Like .shop, .top and .xyz" rel="bookmark">Why Phishers Love New TLDs Like .shop, .top and .xyz</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">December 3, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/12/why-phishers-love-new-tlds-like-shop-top-and-xyz/#comments">10 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as <strong>.shop</strong>, <strong>.top</strong>, <strong>.xyz</strong> — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.</p>
<div id="attachment_68142" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-68142" decoding="async" loading="lazy" class=" wp-image-68142" src="https://krebsonsecurity.com/wp-content/uploads/2024/07/phishtrap.png" alt="" width="748" height="457" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/07/phishtrap.png 776w, https://krebsonsecurity.com/wp-content/uploads/2024/07/phishtrap-768x469.png 768w" sizes="(max-width: 748px) 100vw, 748px"><p id="caption-attachment-68142" class="wp-caption-text">Image: Shutterstock.</p></div>
<p>A <a href="https://interisle.net/insights/cybercrimesupplychain2024" target="_blank" rel="noopener">study</a> on phishing data released by <strong>Interisle Consulting</strong> finds that new gTLDs introduced in the last few years command just 11 percent of the market for new domains, but accounted for roughly 37 percent of cybercrime domains reported between September 2023 and August 2024.</p>
<p>Interisle was sponsored by several anti-spam organizations, including the <strong>Anti-Phishing Working Group</strong> (APWG), the <strong>Coalition Against Unsolicited Commercial Email</strong> (CAUCE), and the <strong>Messaging, Malware, and Mobile Anti-Abuse Working Group</strong> (M3AAWG).</p>
<p>The study finds that while <strong>.com</strong> and <strong>.net</strong> domains made up approximately half of all domains registered in the past year (more than all of the other TLDs combined) they accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share — 37 percent — of cybercrime domains were registered through new gTLDs.</p>
<p>Spammers and scammers gravitate toward domains in the new gTLDs because these registrars tend to offer cheap or free registration with little to no account or identity verification requirements. For example, among the gTLDs with the highest cybercrime domain scores in this year’s study, nine offered registration fees for less than $1, and nearly two dozen offered fees of less than $2.00. By comparison, the cheapest price identified for a .com domain was $5.91.</p>
<p>Currently, there are around 2,500 registrars authorized to sell domains by the <strong>Internet Corporation for Assigned Names and Numbers</strong> (ICANN), the California nonprofit that oversees the domain industry.</p>
<div id="attachment_69689" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69689" decoding="async" loading="lazy" class=" wp-image-69689" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/interisle-top-xyz.png" alt="" width="749" height="503" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/12/interisle-top-xyz.png 862w, https://krebsonsecurity.com/wp-content/uploads/2024/12/interisle-top-xyz-768x516.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/12/interisle-top-xyz-782x525.png 782w" sizes="(max-width: 749px) 100vw, 749px"><p id="caption-attachment-69689" class="wp-caption-text">The top 5 new gTLDs, ranked by cybercrime domains reported. Image: Interisle Cybercrime Supply Chain 2014.</p></div>
<p>Incredibly, despite years of these reports showing phishers heavily abusing new gTLDs, ICANN is shuffling forward on a plan to introduce even more of them. ICANN’s proposed <a href="https://newgtldprogram.icann.org/en/application-rounds/round2" target="_blank" rel="noopener">next round envisions</a> accepting applications for new gTLDs in 2026.</p>
<p><strong>John Levine </strong>is author of the book “The Internet for Dummies” and president of CAUCE. Levine said adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.</p>
<p>“The problem is that ICANN can’t make up their mind whether they are the neutral nonprofit regulator or just the domain speculator trade association,” Levine told KrebsOnSecurity. “But they act a lot more like the latter.” <a href="https://krebsonsecurity.com/2024/12/why-phishers-love-new-tlds-like-shop-top-and-xyz/#more-69531" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69605" class="post-69605 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-ddos-for-hire category-neer-do-well-news category-ransomware category-comingstorm tag-att tag-boxfan tag-buttholio tag-connor-riley-moucka tag-cyb3rph4nt0m tag-john-erin-binns tag-judische tag-kiberphant0m tag-naver tag-proman557 tag-reverseshell tag-shi-bot tag-snowflake tag-south-korea tag-telekomterrorist tag-vars_secc tag-verizon tag-waifu">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/" title="Permalink to Hacker in Snowflake Extortions May Be a U.S. Soldier" rel="bookmark">Hacker in Snowflake Extortions May Be a U.S. Soldier</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">November 26, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/#comments">40 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company <strong>Snowflake</strong>, but a third suspect — a prolific hacker known as <strong>Kiberphant0m </strong>— remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.</p>
<p>Kiberphant0m’s identities on cybercrime forums and on Telegram and Discord chat channels have been selling data stolen from customers of the cloud data storage company Snowflake. At the end of 2023, malicious hackers discovered that many companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with nothing more than a username and password (no multi-factor authentication required).</p>
<p>After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories for some of the world’s largest corporations. Among those was <strong>AT&T</strong>, which <a href="https://krebsonsecurity.com/2024/07/hackers-steal-phone-sms-records-for-nearly-all-att-customers/" target="_blank" rel="noopener">disclosed in July</a> that cybercriminals had stolen personal information, phone and text message records for roughly 110 million people. <strong>Wired.com</strong> <a href="https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/" target="_blank" rel="noopener">reported in July</a> that AT&T paid a hacker $370,000 to delete stolen phone records.</p>
<p>On October 30, Canadian authorities <a href="https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data-extortions/" target="_blank" rel="noopener">arrested</a> <strong>Alexander Moucka, </strong>a.k.a.<strong> Connor Riley Moucka </strong>of Kitchener, Ontario, on a provisional arrest warrant from the United States, which has since indicted him on 20 criminal counts connected to the Snowflake breaches. Another suspect in the Snowflake hacks, <strong>John Erin Binns</strong>, is an American who is currently incarcerated in Turkey.</p>
<div id="attachment_69625" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69625" decoding="async" loading="lazy" class=" wp-image-69625" src="https://krebsonsecurity.com/wp-content/uploads/2024/11/moucka-surveillance.png" alt="" width="749" height="575" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/11/moucka-surveillance.png 1137w, https://krebsonsecurity.com/wp-content/uploads/2024/11/moucka-surveillance-768x590.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/11/moucka-surveillance-782x600.png 782w" sizes="(max-width: 749px) 100vw, 749px"><p id="caption-attachment-69625" class="wp-caption-text">A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).</p></div>
<p>Investigators say Moucka, who went by the handles <strong>Judische</strong> and <strong>Waifu</strong>, had tasked Kiberphant0m with selling data stolen from Snowflake customers who refused to pay a ransom to have their information deleted. Immediately after news broke of Moucka’s arrest, Kiberphant0m was clearly furious, and posted on the hacker community <strong>BreachForums</strong> what they claimed were the AT&T call logs for <strong>President-elect</strong> <strong>Donald J. Trump</strong> and for <strong>Vice President Kamala Harris</strong>.</p>
<p>“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”</p>
<p>On the same day, Kiberphant0m posted what they claimed was the “data schema” from the <strong>U.S. National Security Agency</strong>.</p>
<p>“This was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion,” Kiberphant0m wrote in a thread on BreachForums. “Why would ATNT pay Waifu for the data when they wouldn’t even pay an extortion for over 20M+ SSNs?”</p>
<div id="attachment_69624" style="width: 760px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2024/11/kiberphant0m-nsa-schema.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-69624" decoding="async" loading="lazy" class="wp-image-69624" src="https://krebsonsecurity.com/wp-content/uploads/2024/11/kiberphant0m-nsa-schema.png" alt="" width="750" height="239" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/11/kiberphant0m-nsa-schema.png 1417w, https://krebsonsecurity.com/wp-content/uploads/2024/11/kiberphant0m-nsa-schema-768x245.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/11/kiberphant0m-nsa-schema-782x249.png 782w" sizes="(max-width: 750px) 100vw, 750px"></a><p id="caption-attachment-69624" class="wp-caption-text">Kiberphant0m posting what he claimed was a “data schema” stolen from the NSA via AT&T.</p></div>
<p>Also on Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.</p>
<h2>MEET ‘BUTTHOLIO’</h2>
<p>Kiberphant0m joined BreachForums in January 2024, but their public utterances on Discord and Telegram channels date back to at least early 2022. On their first post to BreachForums, Kiberphant0m said they could be reached at the Telegram handle <strong>@cyb3rph4nt0m</strong>.</p>
<p>A review of @cyb3rph4nt0m shows this user has posted more than 4,200 messages since January 2024. Many of these messages were attempts to recruit people who could be hired to deploy a piece of malware that enslaved host machines in an Internet of Things (IoT) botnet.</p>
<p>On BreachForums, Kiberphant0m has sold the source code to “<strong>Shi-Bot</strong>,” a custom Linux DDoS botnet based on <a href="https://krebsonsecurity.com/tag/mirai/" target="_blank" rel="noopener">the Mirai malware</a>. Kiberphant0m had few sales threads on BreachForums prior to the Snowflake attacks becoming public in May, and many of those involved databases stolen from companies in South Korea.</p>
<p>On June 5, 2024, a Telegram user by the name “<strong>Buttholio</strong>” joined the fraud-focused Telegram channel “<strong>Comgirl</strong>” and claimed to be Kiberphant0m. Buttholio made the claim after being taunted as a nobody by another denizen of Comgirl, referring to their @cyb3rph4nt0m account on Telegram and the Kiberphant0m user on cybercrime forums.</p>
<p>“Type ‘kiberphant0m’ on google with the quotes,” Buttholio told another user. “I’ll wait. Go ahead. Over 50 articles. 15+ telecoms breached. I got the IMSI number to every single person that’s ever registered in Verizon, Tmobile, ATNT and Verifone.”</p>
<p>On Sept. 17, 2023, Buttholio posted in a Discord chat room dedicated to players of the video game <strong>Escape from Tarkov</strong>. “Come to Korea, servers there is pretty much no extract camper or cheater,” Buttholio advised.</p>
<p>In another message that same day in the gaming Discord, Buttholio told others they bought the game in the United States, but that they were playing it in Asia.</p>
<p>“USA is where the game was purchased from, server location is actual in game servers u play on. I am a u.s. soldier so i bought it in the states but got on rotation so i have to use asian servers,” they shared. <a href="https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/#more-69605" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69568" class="post-69568 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-neer-do-well-news category-sim-swapping tag-ahmed-hossam-eldin-elbadawy tag-evans-onyeaka-osiebo tag-joel-martin-evans tag-joeleoli tag-kingbob tag-lastpass tag-mailchimp tag-namecheap tag-noah-michael-urban tag-ogusers tag-okta tag-oktapus tag-scattered-spider tag-sosa tag-t-mobile tag-twilio tag-tylerb">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/" title="Permalink to Feds Charge Five Men in ‘Scattered Spider’ Roundup" rel="bookmark">Feds Charge Five Men in ‘Scattered Spider’ Roundup</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">November 21, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/#comments">9 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including <strong>LastPass</strong>, <strong>MailChimp</strong>, <strong>Okta</strong>, <strong>T-Mobile</strong> and <strong>Twilio</strong>.</p>
<div id="attachment_61104" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-61104" decoding="async" loading="lazy" class=" wp-image-61104" src="https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico.png" alt="" width="749" height="441" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico.png 1427w, https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico-768x452.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico-782x460.png 782w" sizes="(max-width: 749px) 100vw, 749px"><p id="caption-attachment-61104" class="wp-caption-text">A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. Image: Amitai Cohen twitter.com/amitaico.</p></div>
<p>The five men, aged 20 to 25, are allegedly members of a hacking conspiracy dubbed “<strong>Scattered Spider</strong>” and “<strong>Oktapus</strong>,” which specialized in SMS-based phishing attacks that tricked employees at tech firms into entering their credentials and one-time passcodes at phishing websites.</p>
<p>The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.</p>
<p>These attacks leveraged newly-registered domains that often included the name of the targeted company, such as <a href="https://urlscan.io/result/ca9d3120-7c5f-4502-8faf-09a94274ba71/" target="_blank" rel="noopener">twilio-help[.]com</a> and <a href="https://urlscan.io/result/d17edad8-ef65-4d25-a0eb-39b7cc4ab593/" target="_blank" rel="noopener">ouryahoo-okta[.]com</a>. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.</p>
<p>The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.</p>
<p>In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname “<strong>Joeleoli</strong>.”</p>
<div id="attachment_69574" style="width: 758px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2024/11/joeleoli-tg.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-69574" decoding="async" loading="lazy" class="wp-image-69574" src="https://krebsonsecurity.com/wp-content/uploads/2024/11/joeleoli-tg.png" alt="" width="748" height="173" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/11/joeleoli-tg.png 1287w, https://krebsonsecurity.com/wp-content/uploads/2024/11/joeleoli-tg-768x177.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/11/joeleoli-tg-782x180.png 782w" sizes="(max-width: 748px) 100vw, 748px"></a><p id="caption-attachment-69574" class="wp-caption-text">The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims. Click to enlarge.</p></div>
<p>That Joeleoli moniker registered on the cybercrime forum <strong>OGusers</strong> in 2018 with the email address <strong>[email protected]</strong>, which also was used to register accounts at several websites for a Joel Evans from North Carolina. Indeed, prosecutors say Joeleoli’s real name is <strong>Joel Martin Evans</strong>, and he is a 25-year-old from Jacksonville, North Carolina. <a href="https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/#more-69568" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69538" class="post-69538 post type-post status-publish format-standard has-post-thumbnail hentry category-data-breaches category-latest-warnings category-neer-do-well-news category-comingstorm tag-abyss0 tag-breachforums tag-finastra tag-ke-la-com">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/11/fintech-giant-finastra-investigating-data-breach/" title="Permalink to Fintech Giant Finastra Investigating Data Breach" rel="bookmark">Fintech Giant Finastra Investigating Data Breach</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">November 19, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/11/fintech-giant-finastra-investigating-data-breach/#comments">15 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>The financial technology firm <strong>Finastra</strong> is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.</p>
<p><img decoding="async" loading="lazy" class="aligncenter wp-image-50961" src="https://krebsonsecurity.com/wp-content/uploads/2020/03/finastra.png" alt="" width="747" height="453"></p>
<p>London-based Finastra has offices in 42 countries and reported $1.9 billion in revenues last year. The company employs more than 7,000 people and serves approximately 8,100 financial institutions around the world. A major part of Finastra’s day-to-day business involves processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients.</p>
<p>On November 8, 2024, Finastra notified financial institution customers that on Nov. 7 its security team detected suspicious activity on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling large volumes of files allegedly stolen from its systems.</p>
<p>“On November 8, a threat actor communicated on the dark web claiming to have data exfiltrated from this platform,” reads <a href="https://krebsonsecurity.com/wp-content/uploads/2024/11/finastra-notice.png" target="_blank" rel="noopener">Finastra’s disclosure</a>, a copy of which was shared by a source at one of the customer firms.</p>
<p>“There is no direct impact on customer operations, our customers’ systems, or Finastra’s ability to serve our customers currently,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity, and investigations are ongoing.”</p>
<p>But its notice to customers does indicate the intruder managed to extract or “exfiltrate” an unspecified volume of customer data.</p>
<p>“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.” <a href="https://krebsonsecurity.com/2024/11/fintech-giant-finastra-investigating-data-breach/#more-69538" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<article id="post-69482" class="post-69482 post type-post status-publish format-standard has-post-thumbnail hentry category-sunshine category-data-breaches category-neer-do-well-news category-pharma-wars tag-aleksandr-ermakov tag-chronopay tag-dmitri-golubov tag-helkern tag-home-depot-breach tag-hydra-market tag-mikemike tag-mikhail-lenin tag-mikhail-shefel tag-pavel-vrublevsky tag-peter-vrublevsky tag-sprut tag-sugar-ransomware tag-target-breach">
<header class="entry-header">
<h2 class="entry-title">
<a href="https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker/" title="Permalink to An Interview With the Target & Home Depot Hacker" rel="bookmark">An Interview With the Target & Home Depot Hacker</a>
</h2>
<div class="clear"></div>
<div class="btm-wrap">
<div class="below-title-meta">
<div class="adt">
<span class="date updated">November 14, 2024</span>
</div>
<div class="adt-comment">
<span><a class="link-comments" href="https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker/#comments">21 Comments</a></span>
</div> <div class="clear"></div>
</div><!-- below title meta end -->
</div>
</header><!-- .entry-header -->
<div class="entry-content">
<p>In December 2023, KrebsOnSecurity revealed the real-life identity of <strong>Rescator</strong>, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from <strong>Target</strong> and <strong>Home Depot</strong> between 2013 and 2014. Moscow resident <strong>Mikhail Shefel</strong>, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.</p>
<div id="attachment_67207" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67207" decoding="async" loading="lazy" class=" wp-image-67207" src="https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1.png" alt="" width="750" height="572" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1.png 942w, https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1-768x585.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/04/shefel-fb1-782x596.png 782w" sizes="(max-width: 750px) 100vw, 750px"><p id="caption-attachment-67207" class="wp-caption-text">Mikhail “Mike” Shefel’s former Facebook profile. Shefel has since legally changed his last name to Lenin.</p></div>
<p>Mr. Shefel, who recently changed his legal surname to <strong>Lenin</strong>, was the star of last year’s story, <a href="https://krebsonsecurity.com/2023/12/ten-years-later-new-clues-in-the-target-breach/" target="_blank" rel="noopener">Ten Years Later, New Clues in the Target Breach</a>. That investigation detailed how the 38-year-old Shefel adopted the nickname Rescator while working as vice president of payments at <strong>ChronoPay</strong>, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement drugs and knockoff pharmaceuticals.</p>
<p>Mr. Shefel did not respond to requests for comment in advance of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named <strong>Aleksandr Ermakov</strong>, who was sanctioned by authorities in Australia, the U.K. and U.S. for <a href="https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/" target="_blank" rel="noopener">stealing data on nearly 10 million customers of the Australian health insurance giant Medibank</a>.</p>
<p>But not long after KrebsOnSecurity reported in April that Shefel/Rescator also was behind <a href="https://krebsonsecurity.com/2024/04/who-stole-3-6m-tax-records-from-south-carolina/" target="_blank" rel="noopener">the theft of Social Security and tax information</a> from a majority of South Carolina residents in 2012, Mr. Shefel began contacting this author with the pretense of setting the record straight on his alleged criminal hacking activities.</p>
<p>In a series of live video chats and text messages, Mr. Shefel confirmed he indeed went by the Rescator identity for several years, and that he did operate a slew of websites between 2013 and 2015 that sold payment card data stolen from Target, Home Depot and a number of other nationwide retail chains.</p>
<p>Shefel claims the true mastermind behind the Target and other retail breaches was <a href="https://www.wired.com/2007/01/tracking-the-russian-scammers/" target="_blank" rel="noopener"><strong>Dmitri Golubov</strong></a>, an infamous Ukrainian hacker known as the co-founder of Carderplanet, among the earliest Russian-language cybercrime forums focused on payment card fraud. Mr. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing evidence to support that claim.</p>
<p>Shefel asserts he and his team were responsible for developing the card-stealing malware that Golubov’s hackers installed on Target and Home Depot payment terminals, and that at the time he was technical director of a long-running Russian cybercrime community called <a href="https://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/" target="_blank" rel="noopener">Lampeduza</a>.</p>
<p>“My nickname was MikeMike, and I worked with Dmitri Golubov and made technologies for him,” Shefel said. “I’m also godfather of his second son.”</p>
<div id="attachment_69494" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69494" decoding="async" loading="lazy" class=" wp-image-69494" src="https://krebsonsecurity.com/wp-content/uploads/2024/11/script-cp.png" alt="" width="750" height="733" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/11/script-cp.png 780w, https://krebsonsecurity.com/wp-content/uploads/2024/11/script-cp-768x750.png 768w" sizes="(max-width: 750px) 100vw, 750px"><p id="caption-attachment-69494" class="wp-caption-text">Dmitri Golubov, circa 2005. Image: U.S. Postal Investigative Service.</p></div>
<p>A week after breaking the story about the 2013 data breach at Target, KrebsOnSecurity published <a href="https://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/" target="_blank" rel="noopener">Who’s Selling Cards from Target?</a>, which identified a Ukrainian man who went by the nickname <strong>Helkern</strong> as Rescator’s original identity. But Shefel claims Helkern was subordinate to Golubov, and that he was responsible for introducing the two men more than a decade ago.</p>
<p>“Helkern was my friend, I [set up a] meeting with Golubov and him in 2013,” Shefel said. “That was in Odessa, Ukraine. I was often in that city, and [it’s where] I met my second wife.”</p>
<p>Shefel claims he made several hundred thousand dollars selling cards stolen by Golubov’s Ukraine-based hacking crew, but that not long after Russia annexed Crimea in 2014 Golubov cut him out of the business and replaced Shefel’s malware coding team with programmers in Ukraine. <a href="https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker/#more-69482" class="more-link">Continue reading <span class="meta-nav">→</span></a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
</footer>
</article><!-- #post -->
<div class="themonic-pagination"><div class="pagination"><ul><li class="current"><span class="currenttext">1</span></li><li><a href="https://krebsonsecurity.com/page/2/" class="inactive">2</a></li><li><a href="https://krebsonsecurity.com/page/3/" class="inactive">3</a></li><li><a href="https://krebsonsecurity.com/page/4/" class="inactive">4</a></li><li><a href="https://krebsonsecurity.com/page/2/" class="inactive">Next ›</a></li><a class="inactive" href="https://krebsonsecurity.com/page/239/">Last »</a></ul></div></div>
<div style="display: block; clear: both;"></div>
</div><!-- #content -->
</div><!-- #primary -->
<div id="secondary" class="widget-area" role="complementary">
<div id="sidebar_ad" class="widget themonic-ad5"><div class="a-statement">Advertisement</div><a href="https://constella.ai/hunter-deep-osint-investigations-platform/?utm_campaign=Hunter%20Investigation%20Campaign%20-%20Sept%2024&utm_source=Krebs&utm_medium=banner%20ad&utm_content=ad_1">
<img src="/b-constella/9.png">
</a></div>
<br><div class="widget themonic-ad1"><div class="a-statement">Advertisement</div></div><br>
<aside id="custom_html-2" class="widget_text widget widget_custom_html"><p class="widget-title">Mailing List</p><div class="textwidget custom-html-widget"><a href="/subscribe/">Subscribe here</a></div></aside><aside id="search-2" class="widget widget_search"><p class="widget-title">Search KrebsOnSecurity</p><form role="search" method="get" id="searchform" class="searchform" action="https://krebsonsecurity.com/">
<div>
<label class="screen-reader-text" for="s">Search for:</label>
<input type="text" value="" name="s" id="s">
<input type="submit" id="searchsubmit" value="Search">
</div>
</form></aside>
<aside id="recent-posts-3" class="widget widget_recent_entries">
<p class="widget-title">Recent Posts</p>
<ul>
<li>
<a href="https://krebsonsecurity.com/2024/12/web-hacking-service-araneida-tied-to-turkish-it-firm/">Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm</a>
</li>
<li>
<a href="https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/">How to Lose a Fortune with Just One Bad Click</a>
</li>
<li>
<a href="https://krebsonsecurity.com/2024/12/how-cryptocurrency-turns-to-cash-in-russian-banks/">How Cryptocurrency Turns to Cash in Russian Banks</a>
</li>
<li>
<a href="https://krebsonsecurity.com/2024/12/patch-tuesday-december-2024-edition/">Patch Tuesday, December 2024 Edition</a>
</li>
<li>
<a href="https://krebsonsecurity.com/2024/12/u-s-offered-10m-for-hacker-just-arrested-by-russia/">U.S. Offered $10M for Hacker Just Arrested by Russia</a>
</li>
</ul>
</aside><aside id="text-2" class="widget widget_text"> <div class="textwidget"><a name="subscribe2"></a></div>
</aside><aside id="categories-2" class="widget widget_categories"><p class="widget-title">Story Categories</p>
<ul>
<li class="cat-item cat-item-5"><a href="https://krebsonsecurity.com/category/sunshine/">A Little Sunshine</a>
</li>
<li class="cat-item cat-item-2240"><a href="https://krebsonsecurity.com/category/all-about-skimmers/">All About Skimmers</a>
</li>
<li class="cat-item cat-item-9085"><a href="https://krebsonsecurity.com/category/ashley-madison-breach/">Ashley Madison breach</a>
</li>
<li class="cat-item cat-item-3191"><a href="https://krebsonsecurity.com/category/breadcrumbs/">Breadcrumbs</a>
</li>
<li class="cat-item cat-item-3771"><a href="https://krebsonsecurity.com/category/data-breaches/">Data Breaches</a>
</li>
<li class="cat-item cat-item-4624"><a href="https://krebsonsecurity.com/category/ddos-for-hire/">DDoS-for-Hire</a>
</li>
<li class="cat-item cat-item-9173"><a href="https://krebsonsecurity.com/category/employment-fraud/">Employment Fraud</a>
</li>
<li class="cat-item cat-item-2151"><a href="https://krebsonsecurity.com/category/how-to-break-into-security/">How to Break Into Security</a>
</li>
<li class="cat-item cat-item-10357"><a href="https://krebsonsecurity.com/category/internet-of-things-iot/">Internet of Things (IoT)</a>
</li>
<li class="cat-item cat-item-87"><a href="https://krebsonsecurity.com/category/latest-warnings/">Latest Warnings</a>
</li>
<li class="cat-item cat-item-4071"><a href="https://krebsonsecurity.com/category/neer-do-well-news/">Ne'er-Do-Well News</a>
</li>
<li class="cat-item cat-item-9"><a href="https://krebsonsecurity.com/category/other/">Other</a>
</li>
<li class="cat-item cat-item-1306"><a href="https://krebsonsecurity.com/category/pharma-wars/">Pharma Wars</a>
</li>
<li class="cat-item cat-item-8240"><a href="https://krebsonsecurity.com/category/ransomware/">Ransomware</a>
</li>
<li class="cat-item cat-item-9635"><a href="https://krebsonsecurity.com/category/russias-war-on-ukraine/">Russia's War on Ukraine</a>
</li>
<li class="cat-item cat-item-599"><a href="https://krebsonsecurity.com/category/security-tools/">Security Tools</a>
</li>
<li class="cat-item cat-item-8298"><a href="https://krebsonsecurity.com/category/sim-swapping/">SIM Swapping</a>
</li>
<li class="cat-item cat-item-4079"><a href="https://krebsonsecurity.com/category/spam-nation/">Spam Nation</a>
</li>
<li class="cat-item cat-item-1"><a href="https://krebsonsecurity.com/category/smallbizvictims/">Target: Small Businesses</a>
</li>
<li class="cat-item cat-item-5167"><a href="https://krebsonsecurity.com/category/tax-refund-fraud/">Tax Refund Fraud</a>
</li>
<li class="cat-item cat-item-3"><a href="https://krebsonsecurity.com/category/comingstorm/">The Coming Storm</a>
</li>
<li class="cat-item cat-item-4"><a href="https://krebsonsecurity.com/category/patches/">Time to Patch</a>
</li>
<li class="cat-item cat-item-21"><a href="https://krebsonsecurity.com/category/web-fraud-2-0/">Web Fraud 2.0</a>
</li>
</ul>
</aside><aside id="media_image-2" class="widget widget_media_image"><p class="widget-title">Why So Many Top Hackers Hail from Russia</p><a href="https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia/"><img width="580" height="389" src="https://krebsonsecurity.com/wp-content/uploads/2017/06/computered-580x389.png" class="image wp-image-39684 attachment-medium size-medium" alt="" decoding="async" loading="lazy" style="max-width: 100%; height: auto;" srcset="https://krebsonsecurity.com/wp-content/uploads/2017/06/computered-580x389.png 580w, https://krebsonsecurity.com/wp-content/uploads/2017/06/computered-768x514.png 768w, https://krebsonsecurity.com/wp-content/uploads/2017/06/computered-940x630.png 940w, https://krebsonsecurity.com/wp-content/uploads/2017/06/computered.png 1551w" sizes="(max-width: 580px) 100vw, 580px"></a></aside> </div><!-- #secondary -->
</div><!-- #main .wrapper -->
<div id="publisho-footer" class="widget-area">
<div class="footer-widget">
</div>
<div class="footer-widget">
</div>
<div class="footer-widget">
</div>
</div>
<div class="site-wordpress">
© Krebs on Security - <a rel="me" href="https://infosec.exchange/@briankrebs">Mastodon</a> <br>
</div>
<!-- .site-info --><div class="clear"></div>
</div><!-- #page -->
<script type="text/javascript" src="https://krebsonsecurity.com/wp-content/themes/kos-mar2021/js/slicknav.js?ver=6.2.2" id="publisho-mobile-navigation-js"></script>
</body></html><!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/
Object Caching 277/281 objects using memcached
Page Caching using memcached
Database Caching using memcached
Served from: krebsonsecurity.com @ 2024-12-21 03:33:00 by W3 Total Cache
-->