Law enforcement has seized one of the largest marketplaces for selling stolen account credentials. 

The website’s infrastructure has been taken over by the police, according to the US Department of Justice (DoJ). A seizure warrant affidavit unsealed on Thursday outlined Slilpp’s past activities. In operation since at least 2012, the marketplace — with domains on both the clear and dark web — offered stolen credentials for services including PayPal, Wells Fargo, Amazon, Chase, Capital One, and more.  These included usernames and passwords, mobile phone accounts, and e-commerce accounts.  The DoJ says that over 80 million credentials were available for purchase from over 1,400 victim organizations worldwide. Law enforcement from the US, Germany, the Netherlands, and Romania was involved in the confiscation of servers supporting the platform’s infrastructure and various domain names.  Slilpp buyers would allegedly use these credentials to perform banking theft and fraud, such as wire transfers from victims to accounts owned by them. 

“To date, over a dozen individuals have been charged or arrested by US law enforcement in connection with the Slilpp marketplace,” the DoJ says.  According to Acting Assistant Attorney General Nicholas McQuaid, Slilpp allegedly caused “hundreds of millions of dollars in losses to victims worldwide” — and at least $200,000 in losses in the US alone. However, the “full extent” of the marketplace’s role in the credential theft economy is “not known.” “The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located,” McQuaid commented.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A cyber espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware which provides a secret backdoor onto compromised Windows systems.
Uncovered by cybersecurity researchers at ESET, the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers.
Dubbed Crutch by its developers, this malware campaign has been active from 2015 through to 2020 and researchers have linked it to the Turla hacking group, due to similarities with previously uncovered Turla campaigns such as Gazer. The working hours of the group also coincide with UTC+3, the timezone which Moscow sits in. The UK’s National Cyber Security Centre (NCSC) is among those which has attributed Turla – also known as Waterbug and Venomous Bear – to Russia. 
The newly detailed Crutch campaign appears tailored towards very specific targets with the aim of stealing sensitive documents. ESET hasn’t revealed any specifics about the target, aside from that it was a ministry of foreign affairs in an EU country. This targeting fits in with previous Turla campaigns.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)   
However, Crutch isn’t a first-stage payload and is only deployed after cyber attackers have already compromised the target network – something which similar campaigns to this have achieved by using specially crafted spear-phishing attacks.
Once Crutch is installed as a backdoor on the target system it communicates with a hardcoded Dropbox account which it uses to retrieve files while remaining under the radar because Dropbox is able to blend into normal network traffic.

Analysis of the backdoor indicates that it has repeatedly been updated and changed over the years in order to maintain effectiveness while also keeping hidden.
“The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” said Matthieu Faou, malware researcher at ESET.
However, despite the persistent nature of the attack by what’s regarded as a sophisticated hacking operation, there’s still some relatively simple security measures that organisations can apply to avoid falling victim to this or many other forms of cyber attack.
“During this investigation, we noticed that attackers were able to move laterally and compromise additional machines by reusing admin passwords,” said Fauo.
“I believe that limiting lateral movement possibilities would greatly make the life of attackers harder. It means preventing users being able to run as admin, using two factor authentication on admin accounts and using unique and complex passwords,” he added.
READ MORE ON CYBERSECURITY More

Image: Mozilla

With the release of Firefox 79 last week, Mozilla silently added a new feature to Enhanced Tracking Protection (ETP) — Firefox’s internal component that blocks invasive user-tracking techniques.
According to Mozilla, Firefox 79 can now block a new technique called “redirect tracking.”
Online advertisers and web analytics companies have recently begun adopting this new technique after Firefox, Chrome, Brave, and other browsers have recently included privacy protections inside their code to block user tracking and user fingerprinting scripts.
More specifically, this technique was developed to circumvent browsers that prevent advertisers from using third-party cookies to track users.
Third-party cookies allowed an advertiser to drop a cookie file inside the user’s browser from its allocated ad slot. As the user navigated across the web, the advertiser would read the user’s local cookie from within ad slots on different sites — allowing the advertiser to track the user’s movements across the web.

As browsers now prevent advertisers from dropping this cookie, some ad tech companies came up with the bright idea of redirecting users (who interact with their ads) to one of their domains, read the cookie file, and then redirect the user to their destination effectively creating their own first-party (tracking) cookies instead of relying on third-party cookies created on other sites.
Firefox to clear cookies for ad tech companies each day
Mozilla says that going forward, it plans to clear first-party cookies every 24 hours for all known advertisers as a way to prevent redirect tracking. This way, even if advertisers employ redirect tracking, users will have a brand new identity each day, preventing companies from linking previous activity to a unique user profile.
The browser maker said this new protection is included in Enhanced Tracking Protection 2.0, the next iteration of its ETP feature. While currently only active for Firefox 79 users, Mozilla said ETP 2.0 would eventually roll out to all users within the next few weeks.
However, Mozilla says that blocking redirect tracking won’t be active for all known ad tech companies.
“Sometimes trackers do more than just track; trackers may also offer services you engage with, such as a search engine or social network,” Mozilla said, hinting at companies like Google, Microsoft, Facebook, or Twitter.
“If Firefox cleared cookies for these services we’d end up logging you out of your email or social network every day,” it said.
For these sites, Mozilla said it would clear cookies every 45 days.
Additional details about redirect tracking are available on the MDN developer network. More

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over a huge surge in activity by the gang behind the Emotet trojan. 
Historically, the Emotet spam botnet has been linked to the distribution of banking trojans, but these days it spews malware-laden spam and then sells access to infected computers to any criminal group, including ransomware operators. 

Microsoft, Italy, and the Netherlands last month warned of a spike in Emotet malicious spam activity, which came a few weeks after France, Japan and New Zealand issued their alerts over Emotet.   
Emotet was quiet after February but came back with a vengeance in July. CISA describes Emotet as a “sophisticated trojan commonly functioning as a downloader or dropper of other malware” and “one of the most prevalent ongoing threats”. 
CISA’s assessment is understandable given that Emotet is considered to be currently the world’s largest malware botnet. 
Since August, CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have observed attackers targeting state and local governments with Emotet phishing emails. 
Emotet spreads with worm-like features via phishing email attachments or links that load a phishing attachment. After being opened, Emotet works to spread throughout a network by guessing admin credentials and using them to remotely write to shared drives using the SMB file-sharing protocol, which gives the attacker the ability to move laterally through a network.    
CISA says since July its Einstein in-house intrusion-detection system for federal and civilian executive branch networks has detected about 16,000 alerts related to Emotet activity.
Microsoft in September noticed Emotet was also using password-protected email ZIP attachments instead of Office documents to bypass email security gateways.  
The European Emotet warnings came after researchers saw the botnet dropping Trickbot to deliver ransomware and Qakbot Trojan to steal banking credentials. 
Another crafty ploy currently in use by Emotet is hijacking email threads. The Emotet group grabs an existing email chain from an infected host and answers the thread with an additional malicious document attached. More

Image: Setyaki Irham, ZDNet
A Cypriot national has been extradited to the US to face charges of hacking into review portal Ripoff Report, extorting the company, and selling access to its backend to a third-party.
The man, named Joshua Polloso Epifaniou, 21 years, and a resident of Nicosia, Cyprus, arrived in the US on Friday and is scheduled to be arraigned in front of a US court on Monday, July 20, where he’ll be formally charged.
The Ripoff Report hack
According to court documents obtained by ZDNet, US authorities believe Epifaniou used a brute-force attack to gain access to the credentials of a Ripoff Report employee in October 2016.
The Cypriot then worked with an SEO (search engine optimization) company to remove bad reviews from the Ripoff Report website for the SEO firm’s paying customers.
“Epifaniou and his co-conspirator removed at least 100 complaints from the ROR database, charging SEO Company’s ‘clients’ approximately $3,000 to $5,000 for removal of each complaint,” the US Department of Justice said in a press release on Saturday.

Investigators said that when a local Cyprus bank blocked the co-conspirator’s payments to the hacker, the two also arranged for the SEO company to issue bogus backdated invoices to justify the bank transfers for Epifaniou’s hacking.
The court documents did not identify Epifaniou’s partner, but a Fox 11 investigation claims the Cypriot hacker worked with Pierre Zarokian, the founder of Submit Express, a reputation management company.
The scheme came undone after Epifaniou emailed the Ripoff Report CEO in November 2016 and tried to extort the company while also actively removing bad reviews from its database.
According to investigators, the hacker requested a payment of $90,000 within 48 hours from the CEO, threatening otherwise to leak the Ripoff Report database online.
When he did not receive a reply from the CEO, the hacker emailed again the second day with a video showing himself accessing the exec’s account.
The FBI started an investigation into the hacks in 2017, and the Submit Express CEO was arrested in 2018 and pleaded guilty earlier this year.
Pre-2016 hacks
In addition to his Ripoff Report hack and extortion, US officials have also accused Epifaniou of hacking and extorting other websites between October 2014 and November 2016.
Victims listed by the DOJ include a free online game publisher based in Irvine, California; a hardware company based in New York, New York; an online employment website headquartered in Innsbrook, Virginia; and an online sports news website owned by Turner Broadcasting System Inc. in Atlanta, Georgia.
To extort victims, officials said Epifaniou used two techniques.
He used security bugs to hack target sites and then steal user data himself, or he bought the victim site’s user data from other hackers and then used it to extort the victim into paying a ransom. More