BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies.

Let’s start with some basics: Your data can, and should, be encrypted at rest and in motion.

Data can be encrypted on the client side or on the server side. In the security realm, we have well-known best practices, which include defense in depth (i.e., not relying on a single security protective measure), and security by obscurity, which really isn’t security.

Here's what the cloud industry is doing, along with some underlying gaps. Most cloud service providers (CSPs) offer bring your own key (BYOK) in one way or another. Amazon Web Services, for instance, supports the following key management service (KMS) options:

*   **KMS only:** Customer-managed keys (CMKs) stored in the KMS.

*   **KMS with customer key store and CMK:** Again, managed by the customer and stored in the cloud hardware security module (HSM ).

*   **KMS with third-party HSM:** Customer-provided KMS with a direct connection to the KMS.

The keys are retained in the volatile KMS memory, meaning once the data encryption keys (DEKs) are decrypted, they are accessible within the CSP environment without requiring the key encrypting key (KEK) for each decryption or encryption.

In all implementation options listed, the data encryption keys are generated by the CSP's KMS and may or may not be exportable. The DEK is used to encrypt defined scopes of data (e.g., per bucket, day, file, etc.) and these DEKs are encrypted with the KEK.

**BYOK Benefits and Risks**

BYOK is meant to provide cloud customers more control over their hosted data. In reality, when BYOK is used, it actually works more like share your own key (SYOK), since once the key is provided to the CSP, customers have no control over the key use. The only benefit of SYOK, in my view, is ensuring the key randomness if you don't trust their random number generator. Otherwise, you may as well let the CSP generate the key.

BYOK is also offered by some CSPs in another model and connects to the customer’s hardware, which stores and controls the KEK. There are several outstanding issues with this model.

The DEKs may still be accessible to the service provider, purposely or otherwise, in addition to a malicious actor capable of succeeding in breaching the CSP's protective measures technically, or via social engineering, thus gaining access to the DEKs, whether in memory, cache, log files, or a malicious codebase. Retaining the KEK in memory is a double-edged sword, since you're effectively performing SYOK for better performance. But then why not just perform SYOK, in that case?

Another issue is that the service provider may not use the customer KEK to secure the DEK. And the CSP architecture, code, and various offerings may have security lapses that allow interception points. Even if DEKs are decrypted on the fly, which isn't usually supported or recommended, a communication issue could bring your business to a grinding halt, preventing existing data from being decrypted and new DEKs from being encrypted.

Trust is also a key element when working with a CSP. Trust should stem from certifications and third-party audits. Reference customers using the CSP for their sensitive data or production may also be an important factor in strengthening this trust. You also have to decide if you trust the CSP's authentication and authorization security. Even with federated security, that doesn't mean there aren't additional authentication and privilege escalation means.

In short: BYOK does not solve the problem nor reduce the risk!

**What Else Can We Do?**

Most CSPs offer customers self-service capabilities to revoke, rotate, and otherwise control the KEK. Enhanced security may be achieved by protecting the data prior to moving or granting the CSP access to it. But this is rarely beneficial and mostly recommended for securing PII/PHI or other strongly regulated data.

The most important factor is to consider all ingress and egress routes, including APIs and file transfers, as well as various privileged access needs. This also extends to authentication and authorization that uses role- or attribute-based access control to ensure non-repudiation, data sanitation, and industry best practices like zero trust**.**

****The Bottom Line****

My goal here is to raise awareness, not to reflect negatively on CSPs. But BYOK, for the most part, is snake oil. It’s often misunderstood as a panacea to working in the cloud while not requiring trust for the CSP.

SYOK is worthless. If you assume the CSP cannot generate sufficiently random keys for the KEK, why rely on it for the DEK? It's important to ensure there’s a well-designed security architecture in place that is constantly reassessed, tested, and monitored.

Bring Your Own Key — A Placebo?

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.
The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.
The shortcoming was reported

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.

The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.

The shortcoming was reported by Datadog to AWS on September 1, 2022, following which a patch was shipped on September 6.

"This attack abuses the AppSync service to assume \[identity and access management\] roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.

In a coordinated disclosure, Amazon said that no customers were affected by the vulnerability and that no customer action is required.

It described it as a "case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service's cross-account role usage validations and take action as the service across customer accounts."

AWS AppSync offers developers GraphQL APIs to retrieve or modify data from multiple data sources as well as automatically sync data between mobile and web applications and the cloud.

The service can also be used to integrate with other AWS services through specific roles designed to perform the necessary API calls with the required IAM permissions.

While AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role's Amazon Resource Name (ARN), the problem stems from the fact that the check could be trivially bypassed by passing the "serviceRoleArn" parameter in a lower case.

This behavior could then be exploited to provide the identifier of a role in a different AWS account.

"This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service," Frichette said.

"By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources.

The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action.

The shortcoming was reported by Datadog to AWS on September 1, 2022, following which a patch was shipped on September 6.

"This attack abuses the AppSync service to assume \[identity and access management\] roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.

In a coordinated disclosure, Amazon said that no customers were affected by the vulnerability and that no customer action is required.

It described it as a "case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service's cross-account role usage validations and take action as the service across customer accounts."

AWS AppSync offers developers GraphQL APIs to retrieve or modify data from multiple data sources as well as automatically sync data between mobile and web applications and the cloud.

The service can also be used to integrate with other AWS services through specific roles designed to perform the necessary API calls with the required IAM permissions.

While AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role's unique Amazon Resource Name (ARN), the problem stems from the fact that the check could be trivially bypassed by passing the "serviceRoleArn" parameter in a lower case.

In getting around the ARN validation, the issue could be exploited to provide the identifier of a role in a different AWS account and interact with any resource.

"This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service," Frichette said.

"By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers also applaud abandonment of customization feature abused by scammers

Adam Bannister 25 November 2022 at 15:00 UTC

Researchers also applaud abandonment of customization feature abused by scammers

A cross-site scripting (XSS) vulnerability in ConnectWise Control, the remote monitoring and management (RMM) platform, offered attackers a powerful attack vector for abusing remote access tools.

Now patched, the stored XSS flaw was disclosed by Guardio Labs, which in July published an analysis of tech support scams, a widespread phenomenon whereby scammers abuse RMM platforms in order to create fake technical support portals and dupe victims into inadvertently installing malware.

Once installed, a remote access tool gives attackers remote control of a victim’s desktop PC or mobile device and, said the report, “is persistent, mostly undetectable, and bypasses almost all regular forms of protection. And in a show of supreme chutzpah, these scammers even manipulate this capability to bypass 2FA protection and take full control of PayPal and bank accounts”.

Read more of the latest hacking tools news

A new technical write-up documenting the ConnectWise XSS explains how attackers could easily register for a free, anonymous email account and submit fake personal details. This would give them a corporate-grade remote access agent and support portal they could customize – with no coding skills needed – to convincingly mimic famous brands.

Scammers could then call and dupe victims by, for example, sending “them a fake invoice for some service they never registered to, urgently referring them to a \[…\] fake refund service portal to enter the ‘invoice’ code (triggering the dedicated silent \[remote access tool\] installation),” wrote Nati Tal, head of Guardio Labs.

**Full control**

The stored XSS bug arose from a lack of sanitation of the resource. “Any code we maliciously inject in between the tags with some manipulations is executed as any other code in the context of the webapp – as if was authored by the official owner of the service,” explains Tal.

“A script executing from this context gives an attacker full control over any element of the webapp, potentially altering any element of the page as well as connection to the backend servers,” contined Tal.

Scammers could also “abuse the hosting service itself – allowing misuse of ConnectWise hosting, identity, and certificate to serve malicious code or gain full access to admin pages even after the trial period is over.”

**‘Bold move’**

ConnectWise recently added a prominent advisory to its remote support service to alert visitors to this social engineering threat. However, Guardio Labs found that attackers could also execute code that removes this warning.

ConnectWise has since responded by removing the customization feature for trial accounts – “a bold move” that would prevent scammers from creating credible-looking Amazon or Microsoft support pages but at the cost of losing a useful feature and commercial differentiator, noted Tal. “They sure took this matter seriously which is very appreciated and will surely help make web browsing safer and the scammers’ life a bit harder,” he said.

“ConnectWise was very responsive and quickly fixed the issue” by adding sanitization to that neutralized Guardio’s exploit code, added the researcher.

Users are advised to update to version v22.6, released on August 8, 2022, or later.

YOU MIGHT ALSO LIKE Google Roulette: Developer console trick can trigger XSS in Chromium browsers

ConnectWise closes XSS vector for remote hijack scams

Attackers could gain full control of a cloud-hosted database

Attackers could gain full control of a cloud-hosted database

A vulnerability in Amazon Web Services (AWS) AppSync enabled unauthorized cross-account access to AWS resources, according to the findings of security researchers.

AppSync is a service that allows developers to create serverless GraphQL and Pub/Sub APIs. When creating GraphQL API with AppSync, developers must specify the data source that stores or has access to the data the API will interact with, such as Lambda functions, DynamoDB, RDS, and external APIs.

**Tricking AppSync**

One of the features of AppSync is to directly invoke AWS APIs such as Amazon S3. To do this, the developer must create a role that has access to the target resource. The developer then creates a “trust policy”, a JSON document that allows AppSync to assume that role.

Researchers at DataDog Security Labs were interested in seeing if they could somehow use the trust policy to trick AppSync to give them unauthorized access to other AWS accounts.

AWS protects against this kind of attack by making sure the AppSync endpoint and the target resource are in the same account.

This validation is performed through Amazon Resource Name (ARN), the unique identifier of the AWS resource.

Read more of the latest news about web security vulnerabilities

The researchers at DataDog found that they could bypass the ARN validation by simply changing the letter case of the JSON field for the ARN.

This enabled them to create AppSync data sources that could be tied to other AWS accounts. Using this loophole, they could interact with any resource associated with a role that trusts the AWS AppSync service in any account.

In a proof of concept, the researchers show how an attacker could exploit the vulnerability to obtain full control of a cloud-hosted database.

**Difficult detection**

Since the logs generated by the attack indicate all activity is coming from the AppSync service, detecting the attack would be difficult. Therefore, if the attacker knew the ARN of the AppSync role and the resources they wanted to access, the logs would indicate normal activity.

However, under normal circumstances, the attacker would need to do some brute force probing to find the target resources, which would result in an unusual amount of events in the AWS log. Administrators would also be able to detect attacks by looking for anomalous behavior, such as an AppSync service accessing an AWS resource for the first time.

Amazon patched the vulnerability in AppSync in September, while the research blog post was published this week. According to the company, there were no indications of the vulnerability having been exploited in the wild.

“\[We\] have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted,” Amazon said in a statement.

YOU MAY ALSO LIKE F5 fixes high severity RCE bug in BIG-IP, BIG-IQ devices

Vulnerability in AWS AppSync allowed unauthorized access to cloud resources

By Deeba Ahmed
Around one hundred people have been arrested by the Metropolitan Police in the United Kingdom’s biggest-ever fraud operation.…
This is a post from HackRead.com Read the original post: Police Seize iSpoof domains as UK’s largest bank call scam is disrupted

Around one hundred people have been arrested by the Metropolitan Police in the United Kingdom’s biggest-ever fraud operation. The Scotland Yard has also shut down iSpoof domains which served as a spoofing hub for scammers.

Reportedly, through that website, scammers stole tens of millions of pounds from British citizens through fake bank phone calls. The police stated that the website was used to defraud 200,000 Brits, and at least £50 million was stolen.

In June 2021, the Scotland Yard, European law enforcement agencies, and the FBI initiated an international investigation dubbed Operation Elaborate.

Authorities now plan to contact around 70,000 victims in Briton for the investigation. These individuals fell victim to the UK’s biggest scam campaign. An extensive probe revealed that scammers paid a subscription fee to iSpoof.cc and iSpoof.me for using its technology and phone victims impersonating staff members of reputed banks like Halifax, Barclays, and NatWest.

The fraudsters tricked people into giving their bank account credentials or transferring funds. Until August, they had made 10 million fake calls through iSpoof, and around 3.5 million calls were made in the UK, out of which 350,000 calls lasted over a minute.

Authorities in the USA and Ukraine helped Scotland Yard take down this website. As per the authorities, during the campaign, scammers sometimes contacted around twenty people every minute of the day using fake identities created through iSpoof.

Seized iSpoof website (Image credit: Hackread.com)

The amount stolen from the victims is yet unknown, but authorities claim it is close to £50m. One of the victims suffered a loss of £3m, and another lost £10,000. Scammers earned around £3.2m within 20 months, investigators estimated.

For your information, the iSpoof website was set up in December 2020 to allow users to disguise their phone numbers and pretend to be a caller from a reputed organization, mainly a tax office or bank. Scammers paid the subscription fee in bitcoin.

The website had around 59,000 users who paid subscriptions worth £150 and £5,000. The service was taken offline this week, and more than 100 suspects have been arrested, most of whom were residing in London. 40% of the victims were in the USA and 35% in Britain.

A British citizen and resident of east London, Teejai Fletcher, is suspected to be the mastermind of this scam campaign. The 34-year-old suspect was charged with fraud, participating in activities of an organized criminal group, and supplying/making articles used in fraud. The suspect is in police custody and will be presented before the court in two weeks.

1.  Indian call center seized over Amazon hacking scam
2.  World’s Largest Private Torrent Site Filelist.ro Seized
3.  WT1SHOP Cybercrime Market Seized by US and Portugal
4.  179 Dark Web vendors arrested, 500kg worth of drugs seized
5.  Domain, server of DoubleVPN used by ransomware gangs seized

Police Seize iSpoof domains as UK’s largest bank call scam is disrupted

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

Black Friday attracts crowds, and crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. There'll be people out there eager to relieve you of more money than you'll save on a TV set or a gaming console.

The following precautions apply any time of year, but it's worth reminding yourself of them every time a serious holiday season comes around. In the rush to get gifts sorted, it's all too easy to miss a warning sign, or get complacent about online security.

Update All Your Software

Keeping programs and operating systems up to date is important enough that Microsoft, Apple, Google, Mozilla, and all the other big names in tech now make it difficult for anyone to lag behind with their updates—most of the time you'll be prompted regularly to install new versions of your software, and it might even happen automatically in the background without you noticing.

The biggest retail event of the year has grown into an entire month of sales that ebb and flow. Here’s how to make the most of it.

Today's browsers, apps, and OSes are adept at spotting scams as they happen, whether it's phishing emails (designed to lure you to a fake shopping or banking site) or unauthorized logins on your accounts. To make the most of this built-in security, ensure you're running the latest versions across the board, which means the latest security patches—if you've been putting off updates on your phone or your computer, then get them done ahead of Black Friday.

If you do have a laptop that's too old to run the latest versions of Windows or macOS, avoid using it if possible—you'll be safer shopping on your phone, as long as it's running the most recent Android or iOS updates. On Android, you can check for updates via **System** and **System Update** in Settings; on iOS, it's **Settings** and then **General** and **Software Update**.

Be Wary of Email and Social Media Deals

You're likely to be inundated with special offers over email and social media this Black Friday, but be careful when it comes to clicking through on deals that come from suspicious sources (stores you've never shopped at before, for example). Always check that the link you clicked sent you to the website you were expecting to visit.

There's no hard and fast way to guarantee you'll never get caught out by a dodgy link (apart from just ignoring them all completely), but you can minimize the risk: Check that the social media account or email address sending the link is genuine, head to the site in question in a separate browser window to see whether you can find the same offer advertised, and be sure the offer you're looking at is the one that was promoted.

If your browser is up to date, as we mentioned above, dangerous links should be blocked before you reach them, but we'd still recommend being wary. You'll see some great offers advertised over social media and email, but no discount is worth the risk of exposing yourself to scammers.

Make sure all your devices are updated before shopping.

Android via David Nield

Do Your Research

Wherever possible, stick to trusted stores online. All the major players have robust security procedures in place, so the chances of them (and you) getting hacked are smaller. Still, if you're buying from any site, always check you're on the store website you think you are by checking in your browser's address bar.

We're not saying you should never shop at smaller outlets, but make sure they're using HTTPS technology (indicated with a padlock in your browser's address bar). Look for contact details, an office with a physical address, and reviews left by other users (Trustpilot can be helpful here). See if they're on Twitter and Facebook—and whether those accounts are actually active.

Debit and credit card issuers will usually protect you against fraud—check their policies online if you're not sure about yours—but nevertheless, keep an eye on your bank accounts throughout the Black Friday weekend to make sure only the amounts you're expecting to be debited are going out.

Double-Check Deals

Retailers change their prices all the time—especially online—so a "big discount" you see might only apply to whatever the price was last week, not what it's been over the course of the past year. Price trackers such as CamelCamelCamel can help you work out whether you're getting a genuine bargain or just something that was already heavily reduced.

Checking out product reviews on the web is a useful way of determining how current something is and how much you should be spending on it. Are you looking at the genuine article, or just a cheap knock-off? Is the gadget you're about to buy future-proofed with the latest tech or will it be out of date in six months? And (especially on Amazon) is it being sent from your current region or the other side of the world? Who's the actual seller? Make sure you read what previous buyers have to say via the user reviews before spending your money.

Just be aware that stores also use the occasion to try and shift their remaining stock of older, less popular products. Make sure you're looking at what you're buying and not just the price drop.

CamelCamelCamel will show you previous price drops on Amazon.

CamelCamelCamel via David Nield

Protect Your Accounts

As always, keep your accounts locked down and protected on Black Friday. Use strong, unique passwords for all your accounts (a dedicated password manager or your browser's password management system can help here), and turn on two-factor authentication on every account that offers it (Microsoft, Apple, Google, Facebook, and Twitter ones all do, for a start).

While it may seem convenient to quickly set up a new shopping account with your “usual” password, it only takes one account sharing the same password to get exposed, and all the others can come tumbling down after it. If you're using the latest versions of Chrome and Safari, you'll notice you can now use a strong password suggested by your browser (the option should pop up automatically when you're in a password field).

If you're planning on shopping at outlets where you haven't purchased anything before, it's a good idea to get these accounts set up ahead of time—this means you aren't rushing when it comes to thinking up new passwords and entering potentially sensitive information into your web browser.

Guard Your Payment Info

Many places that you're shopping at on Black Friday and Cyber Monday will already have your payment info on file, but if you're entering details into a new site, again make sure the padlock symbol is showing in the address bar—the full URL should also begin “https://”, which indicates that your payment details will be encrypted in transit.

If you’re on vacation or out of town, we recommend waiting until you get back home before buying anything—or at least using the cellular data on your phone to make a connection rather than a public Wi-Fi hotspot, as it's much harder for hackers to intercept your details (or look over your shoulder as you're typing them). If you are shopping in-store, be careful to guard your PIN numbers and other sensitive details when you're surrounded by crowds—or even just one shop assistant.

As tempting as Black Friday offers might be, it's usually a good idea to shop in as few places as possible, if you can: The fewer companies that hold your payment data, the less likely you are to be victim to a data breach, and the risk of those breaches are really down to the company's security policies rather than any precautions you can take.

How to Avoid Black Friday Scams Online

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

CVE-2022-45868: h2database/WebServer.java at 96832bf5a97cdc0adc1f2066ed61c54990d66ab5 · h2database/h2database

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

Permalink

Browse files

Fix qpress directory traversal vulnerability (PierreLvx#6)

A bad actor user can prepare the payload as:

\`\`\`
mkdir -p AAAAAAAAA/secure\_file\_priv\_dir
touch AAAAAAAAA/secure\_file\_priv\_dir/evil.so
qpress -r AAAAAAAAA payload.qp
Then edit the payload.qp in a hex editor or sed to replace AAAAAAAAA with ../../../
(example: sed -i 's/AAAAAAAAA/..\\/..\\/..\\//' payload.qp)
\`\`\`

Fix bug by checking the directory and reject the command if find the attempt to traversal

Test: see example above and try to reproduce it. Before fix you can observe
traversal. After fix - the error message(File path contains directory traversal
which is not allowed.) shown, no traversal observe.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the BSD-new
license.  I am contributing on behalf of my employer Amazon Web Services,
Inc.

Co-authored-by: Mikhail Chalov <mcchalov@amazon.com>

*   Loading branch information

CVE-2022-45866: Fix qpress directory traversal vulnerability (#6) · EvgeniyPatlan/qpress@ddb3120

By Deeba Ahmed
Russian hacking groups primarily using Telegram are on a password stealing spree and so far have targeted users on Amazon, Steam, and Roblox.
This is a post from HackRead.com Read the original post: 34 Russian Hacking Groups Stole 50 Million User Passwords

Group-IB security researchers have warned about an ongoing password-stealing spree initiated by Russian-speaking hacking groups. According to the Singapore-based cybersecurity giant, thirty-four groups were detected using off-the-shelf info stealers to target unsuspecting users. Here are more details of their findings.

**Russian Hackers Stealing Passwords**

Cybersecurity firm Group-IB states that the 34 Russian hacking groups are distributing information-stealing malware and offering them in stealer-as-a-service. The hackers mainly offer Redline and Racoon info stealers to steal passwords from Roblox and Steam gaming accounts.

The hackers also target users to steal PayPal and Amazon credentials, users’ payment records, and crypto wallet information. The attackers found their victims through Russian Telegram groups.

**How does the Attack Works?**

In their report shared with Hackread.com, Group-IB revealed that scammers use websites impersonating reputed companies, and victims are tricked into downloading malicious files. This is achieved by embedding links to download malware into popular games’ video reviews on YouTube, lucky draws and lotteries on social media platforms, and mining software of NFT files on various forums.

Once the info stealer invades the device, it collects data from browsers and transmits it to the attacker. The stolen data can include gaming account credentials, social media, email services, crypto-wallet info, and bank card details.

**How Many Devices Have Been Infected?**

Reportedly, within the first seven months of 2022, these groups managed to infect more than 890,000 user devices and stole over 50 million passwords. Researchers reviewed 34 Telegram groups the hackers used to launch their attacks and learned that targets are pretty extensive as they have targeted users across 111 countries. But their prime targets were countries including the following:

*   USA
*   India
*   Brazil
*   Germany
*   Indonesia

Each group has around 200 active members. So far, the stolen data comprises 16% of PayPal and 13% of Amazon passwords, which makes these the most targeted platforms in this campaign. Apart from these, hackers have targeted EpicGames, Steam, and Roblox.

Most of the groups are well-organized. Primarily they are involved in automated scam-as-a-service attacks. Researchers noted that the perpetrators are low-level cybercriminals previously involved in phishing campaigns like Classicscam.

Of the 34 groups, 23 use Redline and 8 use Raccoon and three use custom-made malware. They usually rent the malware from the dark web for as low as $150 to $200 a month. As per Group-IB’s estimate, the stolen data could be worth around $6 million.

“The popularity of schemes involving stealers can be explained by the low entry barrier. Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers become infected with a stealer, however, the consequences can be disastrous” researchers concluded.

**What is Scam-as-a-service**

Scam-as-a-service is a type of online fraud that allows criminals to easily set up and manage their own scams. By using readily available tools and services, scammers can quickly launch phishing, social engineering, and other types of attacks without having to invest in the development of their own malicious software or infrastructure.

The rise of scam-as-a-service has made it easier than ever for criminals to defraud individuals and businesses. While traditional scams require a significant investment of time and money to set up, scam-as-a-service providers make it possible for even amateur criminals to launch sophisticated attacks.

Scam-as-a-service is particularly concerning because it enables criminals toconduct their activities with relative anonymity and without having to establish a physical presence.

1.  Fake Tor Browser Installer Spreading Malware Via YouTube
2.  2K Games Help Desk Platform Hacked to Spread Info-stealer
3.  QBot Malware Exploiting Windows Calculator to hack Devices
4.  Hackers Selling US Colleges VPN Credentials on Russian Forums
5.  Ukraine Thwart Russian Industroyer 2 Malware on Energy Provider

Tag

#amazon