Cisco Talos

January 22, 2019

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

This post was originally published on this siteTwo of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned. Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing […]
February 18, 2019

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

This post was originally published on this siteThe U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy. This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series […]
April 8, 2019

A Year Later, Cybercrime Groups Still Rampant on Facebook

This post was originally published on this siteAlmost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members. Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms […]
July 15, 2019

Is ‘REvil’ the New GandCrab Ransomware?

This post was originally published on this siteThe cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.” “We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.” However, it now […]