May 26 - June 1, 2022 | Issue 10 - Counterintelligence/Cyber (CICYBER)
Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team
Justin Maurina, Editor; Demetrios Giannakaris, Senior Editor
Fraud[1]
Date: May 29, 2022
Location: New York, USA
Parties involved: US; Australia; United Kingdom (UK); France; Italy; Kosovo; Serbia; Infraud Organization; Infraud members
The event: John Telusma, a former member of the transnational cybercrime organization Infraud Organization, was sentenced to four years in prison for selling and using stolen credit and debit card information that the group obtained through malware attacks on bank accounts. Telusma sold the card data through Infraud's website and carding portal and offered cashout services: he passed stolen card information to other members for cash transfers and drops between users, alongside identity fraud and other illicit services supported by counterfeit documents.[2]
Analysis & Implications:
Weak security controls on victims' bank accounts very likely allowed Infraud members like Telusma to harvest account information through malware. Victims very likely lacked two-factor authentication (2FA) measures such as PINs or biometric checks that would stop an attacker who has captured only login credentials. 2FA on the account login does not, however, prevent misuse of card numbers captured elsewhere (for example at a compromised merchant terminal); there, issuer-side transaction controls and spending alerts matter more. Without such controls, successful harvesting of account data will very likely incentivize Infraud members to run future operations of the same scale. The likely growth of malware-driven fraud services will very likely prompt additional joint law-enforcement operations against cybercriminals and very likely raise victims' awareness of security measures like 2FA.
Unless these incidents are reported, individuals will very likely remain unaware of fraudulent activity in their bank accounts unless they monitor their statements consistently. Minimal account monitoring could very likely allow illicit charges to go undetected, leading to large debts attached to the account that will very likely reduce the victim's chances of qualifying for credit cards and loans. Banks limit the customer's liability for unauthorized charges only when the fraud is reported within the bank's reporting window; if victims miss that window, liability can shift to them, and they will very likely be left in debt or need to declare bankruptcy.
Date: May 30, 2022
Location: India
Parties involved: WhatsApp; Indian WhatsApp users; Unknown threat actor(s)
The event: Unknown threat actors are running an account-hijacking campaign against WhatsApp users through phone-call scams. The threat actors call victims and persuade them to dial a number beginning with the *405* or *67* prefix. These are not ordinary phone numbers but Man-Machine Interface (MMI) codes that instruct the carrier to forward the victim's calls to the attacker's number whenever the line is busy. While keeping the victim on the call, the attacker triggers the WhatsApp registration process for the victim's number and requests the One Time Password (OTP)[3] by voice call; because the victim's line is occupied, the OTP call is forwarded to the attacker's device. The attacker completes registration on their own device, which logs the victim out of their WhatsApp account. The scam has so far affected WhatsApp users in India but could extend worldwide using the equivalent call-forwarding codes of other carriers.[4]
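The mechanism described above, as an added illustration that is not part of the CTG brief or the cited report: a small parser for GSM supplementary-service (MMI) dial strings, showing why a string beginning with *67* is a call-forwarding command rather than a phone number, a check that flags such a string as a takeover setup, and a model of how a voice OTP call is routed when the line is busy. The meanings of service codes 21, 61, 62 and 67 follow 3GPP TS 22.030; mapping the operator-specific 405 code to forward-on-busy is an assumption taken from the campaign description, and every phone number below is constructed.

```python
import re
from typing import Dict, Optional

# Constructed example (not from the CTG brief or the cited report): parse the
# Man-Machine Interface (MMI) strings a phone sends to the network when the
# user dials something like *67*<number># and show what they actually do.

# Procedure prefixes defined in 3GPP TS 22.030. Order matters for the regex
# alternation below: the two-character prefixes must be tried first.
PROCEDURES = {
    "**": "register",
    "*#": "interrogate",
    "##": "erase",
    "*": "activate",
    "#": "deactivate",
}

# Standard call-forwarding service codes (3GPP TS 22.030 / TS 22.004).
STANDARD_SERVICES = {
    "21": "call forwarding unconditional",
    "61": "call forwarding on no reply",
    "62": "call forwarding on not reachable",
    "67": "call forwarding on busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
}

# Operator-specific code named in the campaign description. Its semantics
# vary by carrier, so this mapping is an assumption made for the example.
OPERATOR_SERVICES = {
    "405": "call forwarding on busy (operator-specific, assumed)",
}

# <procedure><service code>[*<supplementary info>][*<basic service>]#
SS_PATTERN = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})(?:\*([+\d]*))?(?:\*(\d*))?#$")


def parse_ss_string(dial: str) -> Optional[Dict[str, str]]:
    """Return procedure, service and forwarding target for an MMI string,
    or None when the dialled string is an ordinary number."""
    m = SS_PATTERN.match(dial.replace(" ", ""))
    if not m:
        return None
    proc, code, target, _basic_service = m.groups()
    service = (STANDARD_SERVICES.get(code)
               or OPERATOR_SERVICES.get(code)
               or f"unknown service code {code}")
    return {"procedure": PROCEDURES[proc], "service": service, "target": target or ""}


def is_forwarding_hijack(dial: str, own_numbers: set) -> bool:
    """Flag a dial string that would divert the line's calls to a number the
    subscriber does not control: the setup step of the OTP scam. Unknown
    service codes that carry a target are treated as suspicious too."""
    parsed = parse_ss_string(dial)
    if parsed is None or parsed["procedure"] not in ("activate", "register"):
        return False
    diverts = "forwarding" in parsed["service"] or parsed["service"].startswith("unknown")
    return diverts and bool(parsed["target"]) and parsed["target"] not in own_numbers


def deliver_call(callee_busy: bool, forward_on_busy_target: Optional[str]) -> str:
    """Model the network's routing of an incoming call (for example the
    WhatsApp voice OTP): it reaches the callee unless the line is busy and a
    forward-on-busy rule points elsewhere, in which case it goes there."""
    if callee_busy and forward_on_busy_target:
        return forward_on_busy_target
    return "callee"


if __name__ == "__main__":
    attacker = "+919812345678"             # constructed attacker-controlled number
    victim_dials = f"*67*{attacker}#"      # what the scam caller asks the victim to type
    print(parse_ss_string(victim_dials))
    print("hijack setup:", is_forwarding_hijack(victim_dials, own_numbers={"+919800000000"}))
    # The attacker now requests the OTP by voice call while the victim is
    # still on the line with them, so the call is busy-forwarded.
    print("OTP call delivered to:", deliver_call(True, attacker))
```

A phone treats anything matching this grammar as a network command and never places a call, which is why the victim sees nothing ring; the defensive check is to refuse or warn on any activate/register string whose target is not one of the subscriber's own numbers (such as voicemail), and a user can clear an existing diversion with the `##002#` erase-all string.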
Analysis & Implications:
The low skill and low cost required for this attack will very likely allow cybercriminals with limited resources to mount similar campaigns. Cybercriminals will very likely refine the original method to raise its success rate, avoid detection, and widen their victim pool. Improved techniques, such as a more convincing pretext on the initial call, could likely pose a greater threat because victims will be slower to detect the takeover and respond to limit the damage. The attack yields control of the victim's WhatsApp account rather than of their handset: the threat actor does not gain access to files stored on the device, but does receive the victim's incoming messages and can act in the victim's chats and groups.
Access to the victim's account very likely lets the threat actor read messages sent to the victim after the takeover, including any login credentials or OTPs shared over chat, and impersonate the victim to their contacts. The threat actor can very likely exploit that trust by sending contacts malicious links or messages requesting money for a fake emergency. If the contacts open a malicious link, their devices will likely be infected with malware, likely giving the threat actor remote access to gather data such as bank credentials. Misuse of those bank credentials could very likely result in large fraudulent purchases, likely leaving the victim in a difficult short-term financial situation.
The Counterterrorism Group (CTG)
[1] “Fraud” by Nick Youngson licensed under Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)
[2] New Yorker imprisoned for role in carding group behind $568M damages, Bleeping Computer, May 2022, https://www.bleepingcomputer.com/news/security/new-yorker-imprisoned-for-role-in-carding-group-behind-568m-damage
[3] “OTP is a mobile-generated passcode, specific to the user, that they must type in manually alongside their login credentials to keep their accounts safe.” Tokens and Passcodes, DUO, 2022, https://duo.com/product/multi-factor-authentication-mfa/authentication-methods/tokens-and-passcodes
[4] Experts warn of a new ongoing WhatsApp OTP scam that could allow attackers to hijack users’ accounts through phone calls, Security Affairs, May 2022, https://securityaffairs.co/wordpress/131807/hacking/whatsapp-otp-scam.html