More stories

    Wizard Spider hackers hire cold callers to scare ransomware victims into paying up

    Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise.

    On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups. According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a “complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo.”

    Today’s more sophisticated cybercriminal operations, whether purely for profit or working for state interests — as with many advanced persistent threat (APT) groups — often operate business-style models. This includes hiring top talent and creating a financial framework to deposit, transfer, and launder proceeds. In Wizard Spider’s case, this also means pouring some of its profits back into development with investments in tools and software, and paying for new hires. The report suggests that the group commands “hundreds of millions of dollars in assets.”

    “The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” the researchers say. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.”

    PRODAFT says that Wizard Spider focuses on compromising enterprise networks and “has a significant presence in almost every developed country in the world, and many emerging economies as well.” Victims have included defense contractors, enterprise firms, supply chain vendors, hospitals, and critical utility providers.

    Wizard Spider’s attacks tend to start through spam and phishing using QBot and the SystemBC proxy. The group may also infiltrate businesses through compromised email threads between employees in Business Email Compromise (BEC) schemes.
Once there’s a crack in the door, the group will deploy Cobalt Strike and will attempt to grab domain administrator privileges. The Conti ransomware strain is deployed, machines and hypervisor servers are encrypted, and a ransomware demand is made. Victims are managed through a locker control panel.
    Wizard Spider also uses virtual private networks (VPNs) and proxies to hide their tracks. However, the group has also invested in some unusual tools, including VoIP systems and employees tasked with cold-calling individuals and scaring them into paying up after a security incident. This is a tactic employed in the past by a handful of other ransomware groups including Sekhmet, Maze, and Ryuk. Coveware suspects that this kind of ‘call center’ work may be outsourced by cybercriminals, as the templates and scripts used are often “basically the same.”

    Another tool of note is the Wizard Spider cracking station. This custom kit stores cracked hashes and runs crackers to try and secure domain credentials and other forms of common hashes. The station also updates the team on cracking status. As of now, there are 32 active users.

    Several intrusion servers were also discovered containing a cache of tactics, techniques, exploits, cryptocurrency wallet information, and encrypted .ZIP files containing notes made and shared by attack teams.

    “The Wizard Spider team has shown itself capable of monetizing multiple aspects of its operations,” PRODAFT says. “It is responsible for an enormous quantity of spam on hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.”

    Singapore sets up cybersecurity assessment, certification centre

    Written by Eileen Yu, Contributor

    Singapore has set up a facility to assess and certify systems for their cybersecurity robustness. Manufacturers and developers will be able to have their products tested and certified at the new centre, through which the government hopes to drive the testing, inspection, and certification (TIC) sector for cybersecurity.

    The SG$19.5 million ($13.99 million) National Integrated Centre for Evaluation (NICE) will facilitate vulnerability assessment of software and hardware products, physical hardware attacks, and security measures, said Cyber Security Agency of Singapore (CSA) and Nanyang Technological University (NTU), which jointly launched the facility on Wednesday. They noted that access to security evaluation facilities was difficult, due largely to the high equipment cost and deep expertise typically required to carry out cybersecurity evaluation at the highest assurance levels.

    Located on NTU Smart Campus, NICE would provide this access to evaluators and developers as well as house a team of research and technical staff with the expertise to use the equipment. NTU’s deputy president and provost professor Ling San said: “The rising threat of cyberattacks makes it vital that institutions, companies, and agencies stay one step ahead of cyberthreats. Properly evaluating hardware to ensure they are designed with security in mind, rather than added on as an afterthought, is the first step in keeping our cyber-physical systems safe.”

    CSA’s chief executive and commissioner of cybersecurity David Koh added that it was important to ensure new emerging technologies were securely designed, as Singapore moved towards a digital future. Internet of Things (IoT) and increasing use of cyber-physical systems had led to the growth of devices and hardware components, such as communication points and sensors. Citing forecasts from Business Insider Intelligence, CSA said there would be 64 billion IoT devices worldwide by 2025.

    “These components present themselves as potential entry points for hackers and malicious actors,” the agency said. “End-users have little means to assess if these components are secure and need to rely on independent experts to perform such security evaluation.”

    It added that NICE would support Singapore’s push for greater security evaluation by providing a central platform on which to test and certify products. The centre also would facilitate research and development in advanced security evaluation techniques. In addition, Singapore Accreditation Council (SAC) would work closely with CSA and NICE to develop relevant accreditation programmes. These would include SAC’s IT testing programmes that enabled accredited TIC companies to assure the accuracy and consistency of their test reports and certificates that facilitated CSA’s initiatives, such as the Cybersecurity Labelling Scheme (CLS).

    As of end-April, more than 200 products had been submitted for labelling under this scheme. To further streamline the labelling process, CSA on Wednesday also unveiled a new initiative, dubbed “CLS-Ready”. This would enable security functionalities provided by CLS-Ready hardware to bypass the need to be tested again at the end-device level. For example, manufacturers could use a chip that was certified CLS-Ready in their end-user device, saving them time and cost when testing their device against CLS Level 4. By using a CLS-Ready chip, these devices would not need to go through another round of CLS Level 4 testing, as the core security mechanism in the chip already would have been assured as CLS-Ready, CSA explained.

    Manufacturers applying for CLS-Ready labels would have to submit an application with supporting evidence and an assessment report by an approved lab. These labels would remain valid as long as the devices were supported with security updates, up to a maximum of five years. To encourage adoption, CSA said application fees for CLS-Ready labels would be waived until October 2022.

    First introduced in October 2020, the labelling scheme was expanded in January last year to include all consumer IoT devices such as smart lights, smart door locks, smart printers, and IP cameras. The scheme, which initially applied only to Wi-Fi routers and smart home hubs, rates devices according to their level of cybersecurity features. While voluntary, the initiative aimed to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost, as well as enable consumers to identify products with better security features, CSA said.

    CLS assesses and rates smart devices into four levels based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. Level one, for instance, indicates a product has met basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.

    WA Health: No breaches of unencrypted COVID data means well managed and secure system

    Written by Chris Duckett, APAC Editor

    The Auditor-General of Western Australia has once again given state authorities a whack for security weaknesses in IT systems used in the state, with a report on its Public Health COVID Unified System (PHOCUS) tabled on Wednesday.

    PHOCUS is used within WA to record and track and trace positive COVID cases in the state, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud system can also draw information in from the SafeWA app on check-ins — which the Auditor-General previously found WA cops were able to access — as well as from flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage.

    The report found WA Health only used encryption in its test environment, was not able to tell if malicious activity was occurring, and lacked a contract management plan with its vendor.

    “WA Health did not keep logs of user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) to information in the system were logged but WA Health did not monitor these logs for inappropriate activity,” the report said. “WA Health will not know if personal or medical information is inappropriately accessed (viewed or edited by WA Health staff or their third party vendors).

    “Following our audit enquiries, WA Health advised us they have now implemented a process to monitor edit access (data changes), but had not implemented a process to log view access (to detect snooping) due to perceived system performance issues.”

    The department also encrypted personal and medical information after the audit, increased data masking to all information in its test environment, and implemented a file upload denylist and brought a malware scanner online after the Auditor-General found potentially malicious files could be uploaded to the system.
    “There were no data loss prevention controls in place to prevent unauthorised sharing of personal and medical information in PHOCUS, and WA Health did not monitor documents shared with external and unauthenticated parties. Poor controls can result in unauthorised disclosure of sensitive information and reputational damage to WA Health,” the report said.

    Further, the report said WA Health’s third-party vendor had full access to the information in the production environment, which WA Health said was assessed and balanced against the need to build the system quickly; two administrator accounts were left over from a previous vendor; and vendor contracts lacked “important security requirements”.

    In response to the audit, WA Health said due to implementing four other COVID-related systems at the same time, the issues were appropriately managed and balanced development speed, quality, and resource demands.

    “No breach of privacy has occurred in relation to the system, continuous data cleansing and quality checking is undertaken, no inaccuracies in case status impacting management were found and no inappropriate use of the system was recorded,” the department said.
    “This demonstrates the robustness of PHOCUS and that the data is well managed and secure.”

    How to use the Opera VPN (and why you should)

    Written by Jack Wallen, Contributing Writer

    on May 17, 2022

    Topic: VPN

    Once upon a time, VPNs were pieces of technology that made it possible for you to work remotely and still have access to internal files and directories (as if you were local). VPNs of today serve a much different purpose. What modern VPNs do is mask your IP address and encrypt your data.

    This is absolutely crucial for some users and use cases. Consider you’re working on a public wireless network and you have to transmit sensitive data over a network and you’re not exactly certain how secure that network is. What do you do? Do you just go ahead and risk transmitting that data as you normally would?

    Not if security and privacy are important. If that’s the case, a VPN will be your best friend.

    Why you should be using a VPN

    As I said earlier, a VPN not only masks your location but also encrypts the data you send from your browser. That’s an important distinction, as the Opera VPN only works within the browser. This isn’t a global VPN that masks and encrypts all data leaving either a computer or mobile device. For that, you would have to make use of another service. But given the majority of users do the majority of their work within a browser, a built-in VPN is a great option.

    But why should you care about masking your IP address or location? This is simple — privacy. If someone intercepts unencrypted non-anonymized data from your computer or mobile device, they could locate you. When you use a VPN, your location can be masked to look like it’s in a completely different country. Couple that with the data encryption and the big question should be, “Why have you put off using a VPN for this long?”

    With that said, I want to show you how to use the Opera VPN on both the mobile and desktop versions. I’ll be demonstrating this on the Android and Linux versions of the browser, but the process should be similar, regardless of what platform you use.

    Using the VPN on Opera mobile

    Let’s first take a look at how to enable the VPN on Opera mobile. To do this, open Opera on your device. From the Opera main window (Figure 1), tap the profile icon at the bottom right of the display.

    Figure 1: The Opera mobile main window as seen on Android 12.

    In the resulting popup, tap the gear icon in the upper left corner. You should then see the listing for the VPN (Figure 2).

    Figure 2: The VPN is currently disabled.

    Tap the ON/OFF slider until it’s in the ON position. And now, everything you transmit from within the Opera browser is anonymized and encrypted.

    Using the VPN on Opera desktop

    To enable the VPN on Opera desktop, you need to click the Opera icon in the top left corner and then click Settings. In the left navigation, click Privacy & security, where you’ll see the entry for Enable VPN (Figure 3).

    Figure 3: Enabling the VPN on Opera desktop running on Pop!_OS Linux.

    Click the ON/OFF slider until it’s in the ON position, which will place a small VPN icon to the left of the address bar (Figure 4).

    Figure 4: With the VPN icon showing, you know the VPN is on.

    Testing the VPN connection

    There’s a simple way to test if the VPN connection is working. First, turn off the VPN and go to whatismyipaddress.com. The results should not only show your current IP address, but also the location of your IP address. Next, turn on the VPN and go back to the same site. You should see both a different IP address and location. With the Opera VPN off, my connection was listed correctly. With the VPN on, my connection was listed in Colima, Mexico. Success!

    And that’s all there is to using the Opera VPN on both the mobile and desktop versions. If you value your security and privacy, you should seriously consider making use of this feature.

    AMD, Qualcomm to offer Wi-Fi 6 and 6E, and secure Wi-Fi remote management

    Written by Adrian Kingsley-Hughes, Contributor

    AMD and Qualcomm have been in collaboration to optimize the FastConnect 6900 wireless connectivity for the Ryzen PRO line of processors aimed at business laptops. By using the 6GHz wireless band, FastConnect can improve video conferencing, reduce latency, and enhance connection reliability by using multiple Wi-Fi bands.

    But FastConnect offers more. IT administrators can now leverage the AMD Manageability Processor and make use of FastConnect’s support for almost three dozen of the most widely used Open Standard-Based (DASH) profiles to carry out remote management on AMD commercial platforms. This is a fantastic built-in ready-to-use solution for enterprise customers where hybrid working is now a big part of what IT admins have to deal with.

    “Out-of-band Wi-Fi remote management is an important tool for enterprise IT managers to diagnose and fix issues, even when the operating system is not running,” said Jason Banta, CVP and General Manager, OEM Client Computing AMD. “AMD Ryzen PRO 6000 Series processors with Qualcomm FastConnect 6900 enable next-generation business laptops to have the processing and connectivity tools needed to perform in modern environments, offering professional-strength remote manageability for users in the new, hybrid workplace.”

    The first chips to offer FastConnect will be the AMD Ryzen PRO 6000 Series processors, and these will be found in systems such as the Lenovo ThinkPad Z Series and HP EliteBook 805 Series. Along with FastConnect, these chips bring with them the power, performance, and great battery life — the features that business laptop users need.

    “Our collaboration with AMD reflects Qualcomm Technologies’ commitment to the mobile computing space. By optimizing FastConnect 6900 for platforms powered by AMD Ryzen 6000 Series processors, we’re bringing secure Wi-Fi remote management to AMD enterprise customers,” said Dino Bekis, vice president and general manager, Mobile Compute and Connectivity, Qualcomm Technologies, Inc. “This represents the first step in our relationship to bring superior wireless connectivity to the AMD mobile computing roadmap.”


    Chromebook data sanitization comes to Blancco Drive Eraser

    Written by Adrian Kingsley-Hughes, Contributor

    The use of Chromebooks is exploding. During the past couple of years, they became (and continue to be) the go-to cheap hardware for people working remotely. This has resulted, however, in piles and piles of Chromebooks that need their data securely wiped, either to put them back into service or to allow them to be disposed of. But sanitizing the data on Chromebooks can be a pain.

    Until now. Blancco has announced that Blancco Drive Eraser now supports Chromebook data sanitization. The new support provides a wide range of organizations — enterprises, IT Asset Disposition service providers, academic institutions, etc. — with easy-to-use, fast, and secure data sanitization specifically for Chromebooks.

    Blancco Drive Eraser has been designed to decrease the amount of time needed to erase each device while still allowing the preservation of its native operating system, which speeds up the preparation of each Chromebook for reuse. Once data has been thoroughly erased, Blancco Drive Eraser then confirms that the data sanitization has been completed successfully. It provides a tamper-proof, digitally-signed certificate of erasure to support any regulatory compliance and reporting mandates.

    “While most students have returned to the classroom and employees are increasingly coming back to offices, the demand for Chromebooks has not waned,” said Alan Bentley, Blancco’s President of Global Strategy. “One forecast predicts nearly 30 million Chromebooks will be shipped globally in 2022 — a decrease of 21 percent from 2021 but more than double the number of units recorded in 2019,” Bentley added. “As more of these devices enter the ecosystem, and as more organizations look to be participants in the circular economy, they need a solution that allows them to quickly and safely reuse these devices. Blancco Drive Eraser now meets that need.”

    One of Blancco Drive Eraser’s main selling points is that it protects personally identifiable information (PII). “We are now able to give… organizations the ability to ensure device data is rendered completely unrecoverable. This capability allows them to confidently reuse or sell end-of-life devices instead of adding to the growing electronic waste crisis in our landfills,” Bentley said.

    Secure data sanitization for Chromebook is now available as part of Blancco Drive Eraser at no extra cost.

    FBI: Hackers used malicious PHP code to grab credit card data

    The Federal Bureau of Investigations (FBI) is warning that someone is scraping credit card data from the checkout pages of US businesses’ websites. “As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server,” the FBI said in an alert.

    It said the “unidentified cyber actors” also established backdoor access to the victim’s system by modifying two files within the checkout page.

    JavaScript-based Magecart card-skimming attacks have been the main threat to e-commerce sites in recent years, but PHP code remains a major source of card skimming activity. The attackers began targeting US businesses in September 2020 by inserting malicious PHP code into the customized online checkout pages. But earlier this year, the actors changed tactics using a different PHP function. The actors create a basic backdoor using a debugging function that allows the system to download two webshells onto the US firm’s web server, giving the attackers backdoors for further exploitation.

    The FBI’s recommended mitigations include changing default login credentials on all systems, monitoring requests performed against your e-commerce environment to identify possible malicious activity, segregating and segmenting network systems to limit how easily cyber criminals can move from one to another, and securing all websites transferring sensitive information by using secure socket layer (SSL) protocol.

    Security firm Sucuri observed that 41% of new credit card skimming malware samples in 2021 were from PHP backend credit card skimmers. This suggested that solely scanning for frontend JavaScript infections could be missing a large proportion of credit card skimming malware. As Sucuri explains, webshell backdoors give attackers full access to the website file system, often providing a full picture of the environment, including the server operating system and PHP versions, as well as powerful functionality to change permissions of files and move into adjacent websites and directories. Webshells accounted for 19% of 400 new malware signatures gathered by Sucuri in 2021. The firm saw a “hugely disproportionate” rise in signatures in 2021 for PHP-based credit card stealers impacting e-commerce platforms Magento, WordPress and OpenCart.

    US warning: North Korea's tech workers posing as freelance developers

    Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. The warning comes in a new joint advisory from The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions.


    Hackers working for North Korea – officially known as the Democratic People’s Republic of Korea (DPRK) – have gained notoriety for sophisticated hacks on cryptocurrency exchanges during the past five years. In 2021 alone they stole over $400 million worth of cryptocurrency for the DPRK.

    The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and Treasury last month warned that North Korea’s Lazarus Group, or APT 38, was targeting exchanges in the blockchain and cryptocurrency industry using spear-phishing campaigns and malware. Treasury also in April linked Lazarus to the $600 million heist in March from the Ronin blockchain network underpinning the play-to-earn game Axie Infinity.

    However, the skilled North Korean IT workers play another function for DPRK, using their access as sub-contracted developers within US and European contracting firms to enable DPRK-sponsored hacking. The US government has outlined “red flag” indicators that firms might be hiring North Korean freelance developers and tips to “protect against inadvertently hiring or facilitating the operations of DPRK IT workers.”

    “The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions,” the advisory states. DPRK IT workers are primarily located in the People’s Republic of China (PRC) and Russia, but some are located in Africa and Southeast Asia, the US says.

    “The vast majority of [DPRK IT workers] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of US and UN sanctions.”

    Rather than engaging directly in malicious cyber activity, DPRK IT workers use privileged access within contractor roles to provide logistical support to DPRK hackers by sharing access to virtual infrastructure, facilitating sales of stolen data, and assisting in DPRK’s money laundering and virtual currency transfers.

    “Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions. Additionally, there are likely instances where workers are subjected to forced labor,” the warning notes.

    A tight labor market coupled with high demand for software developers in the US and Europe is working in favor of North Korean software developers, who can earn at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas. The list of roles that DPRK tech workers specialize in reflects the hottest areas of tech in the West and globally, including mobile and web apps, building crypto exchange platforms and digital coins, mobile games, online gambling, AI-related applications, hardware and firmware development, VR and AR programming, facial and biometric recognition software, and database development. The DPRK workers often take on projects that involve virtual currency in categories spanning business, health and fitness, social networking, sports, entertainment, and lifestyle, according to the advisory.

    Unsurprisingly, DPRK IT workers are using VPNs and third-country IP addresses to conceal their internet connections and avoid violating terms of service of online platforms they use. They’re also using proxy accounts to bid for work, and might use a dedicated device for banking services to evade anti-money laundering measures. And they’re using forged and stolen identity documents to hide their identity.

    Red flags include: multiple logins into one account from various IP addresses linked to different countries in a short time; developers logging into multiple accounts on the same platform from one IP address; developers being logged into accounts continuously for one or more days at a time; router ports such as 3389 and other configurations associated with the use of remote desktop-sharing software; multiple developer accounts receiving high ratings from one client account in a short period; extensive bidding on projects and a low number of accepted project bids; and frequent money transfers through payment platforms, especially to China-based bank accounts.

    The advisory notes that DPRK IT workers employed by a US firm fraudulently charged its payment account $50,000 in 30 small installments over a matter of months. The US agencies recommend contracting firms conduct video interviews with applicants to verify their identity and to reject low-quality images as verification of identity.
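The first three login-pattern red flags above (one account from IPs in several countries within a short window, several accounts from one IP, and day-long continuous sessions) can be checked mechanically over a freelance platform’s own authentication records. The script below is an added example written for this page, not part of the advisory or any platform’s tooling; the CSV layout and the per-IP country column (assumed to come from an upstream geolocation lookup) are constructed for the demonstration.

```python
"""Flag platform-login patterns matching the advisory's red flags (added demo)."""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO


@dataclass(frozen=True)
class Login:
    start: datetime
    account: str
    ip: str
    country: str   # country the IP geolocates to; assumed filled in by an upstream lookup
    hours: float   # session length in hours


# Constructed sample log (not real data). Columns: start,account,ip,country,session_hours
SAMPLE_LOG = """\
start,account,ip,country,session_hours
2022-05-10T08:00Z,dev_alpha,198.51.100.7,US,2.0
2022-05-10T11:00Z,dev_alpha,203.0.113.44,RU,1.5
2022-05-10T09:00Z,dev_beta,198.51.100.7,US,26.0
2022-05-11T10:00Z,dev_gamma,192.0.2.9,DE,3.0
2022-05-20T10:00Z,dev_gamma,192.0.2.9,FR,1.0
"""


def parse_log(text: str) -> list[Login]:
    """Turn the CSV export into Login records."""
    rows = csv.DictReader(StringIO(text))
    return [
        Login(
            datetime.strptime(r["start"], "%Y-%m-%dT%H:%MZ"),
            r["account"],
            r["ip"],
            r["country"],
            float(r["session_hours"]),
        )
        for r in rows
    ]


def multi_country_accounts(logins, window=timedelta(hours=24)):
    """Red flag 1: one account seen from IPs in different countries within `window`.
    Uses a sliding window per account so that logins days apart (normal travel)
    are not flagged; dev_gamma in the sample is the negative case."""
    by_account = defaultdict(list)
    for login in logins:
        by_account[login.account].append(login)
    flagged = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.start)
        for i, first in enumerate(events):
            countries = {e.country for e in events[i:] if e.start - first.start <= window}
            if len(countries) >= 2:
                flagged[account] = countries
                break
    return flagged


def shared_ip_accounts(logins, min_accounts=2):
    """Red flag 2: several developer accounts authenticating from one IP address."""
    accounts_by_ip = defaultdict(set)
    for login in logins:
        accounts_by_ip[login.ip].add(login.account)
    return {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}


def long_sessions(logins, min_hours=24.0):
    """Red flag 3: an account continuously logged in for a day or more."""
    return [(login.account, login.hours) for login in logins if login.hours >= min_hours]


def red_flag_report(text: str = SAMPLE_LOG) -> dict:
    """Run all three checks and return the hits for analyst review."""
    logins = parse_log(text)
    return {
        "multi_country": multi_country_accounts(logins),
        "shared_ip": shared_ip_accounts(logins),
        "long_sessions": long_sessions(logins),
    }


if __name__ == "__main__":
    for name, hits in red_flag_report().items():
        print(f"{name}: {hits}")
```

Hits are leads for the identity-verification steps the advisory recommends (such as a video interview), not proof on their own; tune the window and thresholds to the platform’s normal user behaviour.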