Jun 26 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that works harder to keep you cyber-safe than the clean-up crew at Glastonbury #Godspeed
Today’s hottest cyber security stories:
UK Twitter hacker PlugwalkJoe gets five years
Global hack blamed on Russian cybercriminals. 2.5m+ affected
Top 5 data breaches of 2023… So far
Hey, hey! Ho, ho! PlugwalkJoe has got to go… to jail. Well, it was good while it lasted. Presumably. So who is PlugwalkJoe (real name: Joseph James O'Connor) and why is he being perp-walked to a five-year stretch in a U.S. jail cell? (Don’t drop the soap, Joe.)
He’s no Jesse James
Well, long story short: he participated in the rather infamous Twitter hack of July 2020, wherein a band of cyber miscreants managed to infiltrate Twitter’s backend (stop it!), hijack 130 popular accounts and ultimately perpetrate a crypto scam that netted them about $120,000 in illegal profits. Naughty, naughty.
And that’s not all our Joe was up to. Indeed, according to the U.S. Department of Justice (DoJ): “In other instances, the co-conspirators sold access to Twitter accounts to others.”
“O'Connor communicated with others regarding purchasing unauthorised access to a variety of Twitter accounts, including accounts associated with public figures around the world.”
FYI, O’Connor was handed the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The wheels of justice sure move slow, huh?
Having successfully stolen the cryptocurrencies, the gang engaged in a spot of money laundering which Johnny Law didn’t take too kindly to either.
Bit by Bitcoin
“After stealing and fraudulently diverting the stolen cryptocurrency, O'Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services,” the DoJ said.
“Ultimately, a portion of the stolen cryptocurrency was deposited into a cryptocurrency exchange account controlled by O'Connor.”
O'Connor said his crimes were “stupid and pointless.” Hmm, stupid: sure. Pointless? The point was money, Joe. But you got caught.
He also faces three years of supervised release after serving his jail term. He has also been ordered to forfeit $794,000.
Crime simply doesn’t pay, folks.
Remember MOVEit? Second story on the link. Well, it’s back. Although it never really went away. This nasty bit of business has gone global and experts are beginning to point the finger squarely in Russia’s direction. So, what’s the latest?
Genworth Financial, a US insurance provider, found itself in the thick of it when it discovered that a whopping 2.5 million of its policyholders and customers had their data snooped on.
As if that weren't enough, California's public pension fund also joined the party, with 769,000 of its members falling victim to the elusive hackers' antics.
Not wanting to miss out, consulting giants PwC and Ernst & Young got in on the action, frantically investigating their own exposure to the hacking extravaganza.
This data breach was no ordinary one. It spanned far and wide, ranking amongst the biggest breaches in recent memory, all thanks to a single piece of software (read: a flaw in the MOVEit file-transfer software).
Genworth Financial confessed that the hackers managed to get their hands on sensitive customer information, including Social Security numbers and more.
Meanwhile, the California Public Employees' Retirement System announced that over 750,000 of its members had their Social Security numbers swiped.
The cold war continues
While the victim organisations were tight-lipped about directly pointing fingers at the Russian cybercriminals, they did reveal that the hackers exploited a popular file-transfer software called MOVEit.
Federal officials, however, wasted no time assigning blame and pointed the finger at a Russian group named CLOP.
Slow CLOP for the feds, working tirelessly to find a way to blame Russia. Just kidding!
1. T-Mobile: May 2023 (and January 2023)
T-Mobile makes the list twice. Firstly, in January 2023, T-Mobile discovered that more than 37 million customers had their personal information (names, emails, and birthdays) stolen. More birthday presents, at least. Sorry. Then, in May, a hack revealed the PINs, full names, and phone numbers of over 800 customers. PINs? That’s bad.
2. Yum Brands (KFC, Taco Bell, & Pizza Hut): April 2023
Yum suffered an attack in January, which they announced in May, that saw corporate data and employee info stolen. The attack resulted in the company closing down almost 300 locations in the UK back in January.
3. ChatGPT: March 2023
Of course ChatGPT was going to make the list. “In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.” Sure.
4. Chick-fil-A: March 2023
The fried chicken restaurant noticed unusual login activity and determined the cyber attack happened within the first few months of 2023. The hacker used email addresses and passwords obtained from a third party to get into the system and acquire info like membership numbers, names, emails, addresses, and more.
5. Activision: February 2023
The video game publisher behind the Call of Duty franchise (and Tony Hawk’s Pro Skater back in the day), Activision, said they suffered a data breach back in December. The hacker used an SMS phishing attack on an HR employee to gain access to employee data, including their emails, cell phone numbers, salaries, and work locations.
As Axl Rose screamed last night atop the Pyramid stage: “You in the jungle, baby!” Certainly true with regard to cyberattacks, let me tell you. As you were, folks.
So long and thanks for reading all the phish!