Interpol take down… who was caught?

Aug 10 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that brings the smoke to cybercrime.

Today’s hottest cyber security stories:

  • Interpol takes down the 16shop phishing-as-a-service (PhaaS) platform

  • Report exposes Vice Society's collaboration with Rhysida ransomware

  • Weak Kubernetes (K8s) clusters exploited by malware for crypto-mining ⛏️

Are you taking the phish?

Big Win Against Cybercrime: Interpol and Cybersecurity Firms Unite to Dismantle 16shop Phishing Platform!

Interpol, in collaboration with cybersecurity experts, has achieved a major breakthrough by apprehending the mastermind behind the notorious 16shop phishing-as-a-service (PhaaS) platform. This joint operation not only resulted in the arrest of the platform operator but also led to the shutdown of the 16shop platform.

Phishing-as-a-service platforms are dangerous hubs that equip cybercriminals with everything they need for phishing attacks – from email distribution tools to ready-made phishing kits targeting prominent brands. These platforms pose a serious threat because they let even inexperienced criminals execute attacks with minimal effort.

Group-IB, supporting Interpol's efforts, reveals that 16shop's phishing kits targeted Apple, PayPal, American Express, Amazon, Cash App, and more. The platform created a staggering 150,000 phishing pages, affecting victims primarily in Germany, Japan, France, the USA, and the UK.

At least 70,000 users across 43 countries fell victim to 16shop's phishing campaigns, leading to the theft of personal information, account credentials, ID cards, credit card details, and phone numbers.

The operation resulted in the arrest of the platform's 21-year-old operator in Indonesia, followed by the capture of two facilitators – one in Japan and another in Indonesia. Private sector collaboration played a pivotal role in pinpointing the operator's identity and location.

The takedown also exposed a US-based company hosting 16shop's servers, which intriguingly turned out to have an Indonesian registration.

During the arrests, electronic devices and luxury vehicles were seized from the operator's possession, and the apprehension of the admin appears to have led to the identification and capture of the accomplices.

This victory marks a significant step in the ongoing battle against cybercrime, showcasing the effectiveness of international cooperation in safeguarding digital landscapes. Stay vigilant and informed to stay safe from such threats!

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

It's run by Yourfriendandy and Decadeinvestor; you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group, you can join through the link below.

Make sure you’re on the Rhysida phishtory

Cybersecurity Alert: Similarities Unveiled between Rhysida & Vice Society Ransomware Groups!

Tactical parallels between the ransomware gangs Rhysida and Vice Society have been unveiled, with both targeting the education and healthcare sectors. Although Rhysida was first seen in May 2023, a correlation emerged between its appearance and Vice Society's disappearance.

Israeli cybersecurity firm Check Point found that Vice Society, also known as Storm-0832, exploited existing ransomware tools from criminal forums for its attacks, and even practised data extortion without encryption. Rhysida, on the other hand, employs phishing and Cobalt Strike techniques.

Most Rhysida victims hail from the U.S., U.K., Italy, Spain, and Austria. The ransomware spreads through RDP and PowerShell, using tools like PsExec for deployment and SystemBC for control. Both groups erase logs and change passwords to avoid detection.

Interestingly, both gangs favour the education sector, which accounts for 32% (Rhysida) and 35% (Vice Society) of their targets. Notably, Vice Society's activities ceased around the time of Rhysida's emergence.

The tie between the two is further established by shared tactics like using AnyDesk for remote management and deploying PortStarter, a tool linked mainly to Vice Society. Check Point warns that despite the shift, ransomware actors' methods remain distressingly consistent.

Top Tips:

Takeaway: Vigilance is key! Stay updated on emerging threats to protect your data.

Extra, Extra! Read all about it

Each fortnight, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • Daily Dough: Bite-sized investing ideas, wisdom, news, and trends you need to grow your dough!

  • ProductivityGlide: A bite-sized email for your most productive day yet!

  • AI Marketing School: The latest AI Marketing tools, techniques, and news delivered biweekly.

Let us know what you think!

Crypto-mine how you go, eh?

⚠️ Beware: Exploited Kubernetes Clusters – A Breeding Ground for Crypto Miners & Backdoors!

Cloud security firm Aqua reveals a concerning trend – malicious actors are exploiting exposed Kubernetes (K8s) clusters to deploy cryptocurrency miners and backdoors.

FYI Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.

Most impacted are small to medium-sized organisations, with some larger ones in the finance, aerospace, automotive, industrial, and security sectors. Shockingly, over 350 entities, including projects and individuals, possess these vulnerable clusters. 60% of them are actively targeted by crypto-mining campaigns.

The trouble stems from misconfigurations: anonymous high-privileged access and running kubectl proxy with risky flags. Security experts Michael Katchinskiy and Assaf Morag highlight the potential danger, as clusters house sensitive assets like customer data, financial records, and more.

Exposed clusters contain valuable environment variables and keys, providing hackers with entry points to infiltrate deeper, access source code, and even make malicious changes.

Disturbingly, ongoing crypto-mining campaigns like Dero, RBAC Buster, and TeamTNT's Silentbob are thriving amidst this security gap.

Organizations must address these issues urgently and reinforce their grasp on Kubernetes security. Size doesn't matter when it comes to safeguarding data!
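An added defender-side check for the first misconfiguration named above, anonymous high-privileged access (example code written for this newsletter, not from Aqua's report): it audits ClusterRoleBindings in the JSON that `kubectl get clusterrolebindings -o json` returns and flags any binding that grants the `system:anonymous` user or the `system:unauthenticated` group anything beyond the default `system:public-info-viewer` role. The binding names and the sample input are constructed.

```python
"""Audit Kubernetes RBAC for anonymous / unauthenticated high-privilege access.

Added example, not Aqua's or the newsletter's code. A constructed sample of the
`kubectl get clusterrolebindings -o json` output is embedded so it runs offline.
"""
import json

# Identities that represent unauthenticated callers to the API server.
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Kubernetes ships this binding by default; it only exposes /healthz, /version, etc.
ALLOWED_ANON_ROLES = {"system:public-info-viewer"}
# Built-in roles that hand over broad control if reachable without credentials.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}

def audit_bindings(binding_list):
    """Return one finding per binding that grants anonymous access beyond the default."""
    findings = []
    for crb in binding_list.get("items", []):
        anon = [s for s in crb.get("subjects") or []        # subjects may be absent
                if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS]
        role = crb.get("roleRef", {}).get("name", "")
        if not anon or role in ALLOWED_ANON_ROLES:
            continue
        findings.append({
            "binding": crb["metadata"]["name"],
            "role": role,
            "subjects": sorted(s["name"] for s in anon),
            "severity": "HIGH" if role in HIGH_PRIVILEGE_ROLES else "MEDIUM",
        })
    return findings

# Constructed sample: the default public-info binding, one dangerous binding, one benign one.
SAMPLE = json.loads("""{"items": [
  {"metadata": {"name": "system:public-info-viewer"},
   "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "anon-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "system:anonymous"}]},
  {"metadata": {"name": "ci-deployer"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}
]}""")

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE):
        print(f"[{f['severity']}] {f['binding']}: {f['role']} -> {', '.join(f['subjects'])}")
```

Run it against a live cluster with `kubectl get clusterrolebindings -o json` piped into `json.load`; RoleBindings in individual namespaces can be fed through the same function.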

That’s all for today, folks!

So long and thanks for reading all the phish!
