Jun 28 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s the Wagner mutiny to cybercrime’s Vladimir Putin 🪆
Today’s hottest cybersecurity stories:
Android-based Anatsa banking trojan sweeps Europe and the U.S. 👀
EncroChat shutdown leads to 6,558 arrests and €900m seized 😳
Trans-supporting hacktivists target U.S. gov’t in Fort Worth data leak 🙄
Actually, tell a lie. The cybersecurity firm (ThreatFabric) that blew the whistle on this latest campaign was Dutch while the targeted nations were actually the U.S., the U.K., Germany, Austria, and Switzerland. But come on, that headline was too good to pass up 😂
So, what’s new? Well, there’s a new Android-based malware campaign using the known Anatsa banking trojan, and it’s draining accounts in numerous countries around the globe.
This isn’t the first time Android users have been targeted by this particularly insidious trojan, which has since been updated with new capabilities and can now target even more banking apps.
Device-Takeover Fraud (DTO) 💀
Here’s what ThreatFabric had to say in a threat analysis report published on Monday: "The actors behind Anatsa aim to steal credentials used to authorise customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions.”
DTO attacks are among the worst you could hope to come across, for obvious reasons: the fraudulent transactions are initiated from the victim’s own, already-trusted device. And as well as the nature of the attacks, the sheer scale of them is similarly hair-whitening.
30k installations to date!
ThreatFabric claims that Anatsa-infected Google Play Store dropper apps have accrued over 30,000 installations to date. Not good.
Additionally, this updated version now targets nearly 600 different banking apps and commits the fraud right on the infected device.
The countries most at risk of Anatsa attacks are the U.S., Italy, Germany, the U.K., France, the U.A.E., Switzerland, South Korea, Australia, and Sweden. Also present in the list are Finland, Singapore, and Spain.
Under the radar
"Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect it," ThreatFabric noted.
The names (and package IDs) of the dropper apps are as follows:
All Document Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
All Document Reader and Viewer (com.muchlensoka.pdfcreator)
PDF Reader – Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
PDF Reader & Editor (com.proderstarler.pdfsignature)
PDF Reader & Editor (moh.filemanagerrespdf)
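If you manage Android fleets, the quickest check is to compare what is actually installed against those package IDs. The script below is an added example written for this newsletter, not code from ThreatFabric’s report: it assumes the `package:<name>` line format that `adb shell pm list packages` prints, and the sample device output it runs on is constructed, not captured from a real device. One caveat: these are the dropper apps, and a dropper’s job is to pull the real Anatsa payload down as a separate app after install, so a device with none of these names present is not automatically clean.

```shell
#!/bin/sh
# Added example (not part of the original newsletter or ThreatFabric's report):
# flag installed packages that match the Anatsa dropper package IDs listed above.
# Assumes the Android "pm list packages" output format, i.e. one
# "package:<name>" per line, as printed by `adb shell pm list packages`.

# Dropper package IDs copied from the list above.
ANATSA_DROPPERS="com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs
com.muchlensoka.pdfcreator
lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools
com.proderstarler.pdfsignature
moh.filemanagerrespdf"

# find_anatsa_droppers: read "package:<name>" lines on stdin and print every
# installed package whose ID exactly matches a known dropper, one per line.
find_anatsa_droppers() {
    sed -n 's/^package://p' | while IFS= read -r pkg; do
        for bad in $ANATSA_DROPPERS; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# Constructed sample in the format of `adb shell pm list packages`
# (assumed output, not taken from a real device).
SAMPLE_PM_OUTPUT="package:com.android.chrome
package:com.proderstarler.pdfsignature
package:com.google.android.gms
package:moh.filemanagerrespdf"

# count_anatsa_droppers: number of dropper matches in the constructed sample.
count_anatsa_droppers() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_anatsa_droppers | wc -l
}

# Against a connected device you would run:
#   adb shell pm list packages | find_anatsa_droppers
printf 'Dropper apps found in sample: %s\n' "$(count_anatsa_droppers)"
```

Matching is on the exact package ID rather than the display name, because the five listed apps reuse the same generic “PDF Reader & Editor” titles; the package ID is the only thing the Play Store guarantees is unique.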
This story will have more jaws swinging than a 90s rave. Lol, so what happened?
Well, yesterday Europol made an announcement revealing that the dismantling of the EncroChat encrypted messaging service in July 2020 has resulted in 6,558 arrests across the globe, along with the confiscation of €900 million in illegal criminal profits.
According to the law enforcement agency, a collaborative investigation launched by French and Dutch authorities managed to intercept and examine more than 115 million encrypted conversations conducted on the messaging platform.
These conversations involved a minimum of 60,000 users.
Now, almost three years later, the info has led to:
Arrests of 6,558 suspects, including 197 high-value targets
7,134 years of imprisonment of convicted criminals
Confiscation of €739.7 million in cash
Freeze of €154.1 million in assets or bank accounts
Seizure of 30.5 million pills of chemical drugs
Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin
Seizure of 971 vehicles, 83 boats, and 40 planes
Seizure of 271 estates or homes
Seizure of 923 weapons, as well as 21,750 rounds of ammunition and 68 explosives
Damn, son. Not a bad take, eh?
Murder was the charge 🐶
EncroChat was an encrypted phone network that was used by organised crime groups to plot drug deals, money laundering, extortion, and even murders.
Good riddance to bad rubbish, we say. Let’s hear it for Europol and the Dutch and French authorities!
The Dutch are smashing it this week, huh?
This is straight up cyber terrorism, folks!
Last Friday, a hacking group named SiegedSec bragged on Telegram that it stole about 500,000 files from the government of the city of Fort Worth, Texas, which has more than 935,000 residents.
“Texas happens to be one of the largest states banning gender affirming care, and for that, we have made Texas our target,” the group said.
“Now you may think, ‘SiegedSec! What if the F.B.I comes after you???’ And to that we say, ‘GOOD LUCK, WE’RE BEHIND 7 PROXIES!’ Enjoy.”
Here’s hoping these smug idiots get what’s coming to them. Regardless of your political views on the subject of ‘gender affirming care’, this approach is petulant and, most importantly, undemocratic.
They’ll get caught, though. No matter how many proxies they have. Mark my words. And if you doubt me. Well, I can’t wait to say FBI told you so 😏
So long and thanks for reading all the phish!