Security Brief: CICYBER Week of December 20, 2021
Updated: Jan 8
Week of Monday, December 20, 2021 | Issue 57
Patrianna Napoleon and Marina Tovar, Counterintelligence & Cyber (CICYBER) Team
Facebook Phishing Scam
Date: December 20, 2021
Parties involved: Meta; Defendants
The event: Meta, the owner of Facebook, WhatsApp, and Instagram, has filed a federal lawsuit against more than one hundred cyber groups who created approximately 39,000 phishing websites impersonating Meta to mislead users into divulging their login credentials. Meta is seeking $500,000 USD from the cyber groups named in the lawsuit. The websites were disguised as login pages for Facebook, Instagram, and WhatsApp. The defendants appear in the lawsuit as “Does 1-100”, a placeholder for 100 fictitious parties that the plaintiff can later substitute with any cyber group identified as having created a phishing website. The defendants began the operation in March 2021, using a relay service to redirect internet traffic to the fake websites, conceal where the phishing websites were actually hosted, and mask their identity. Meta has collaborated with online service providers to detect phishing websites. Phishing websites also use clickjacking, a technique that tricks users into clicking on something different from what they intend: for example, a user sees a “Claim your prize” button on their screen, but clicking it confirms a payment or installs a Remote Access Trojan (RAT). The RAT or other malware installed allows hackers to gather data or modify computer functions without being noticed.
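Clickjacking depends on a page being embedded in a frame under a deceptive overlay, so the browser-enforced defence is for a legitimate site (a login page, for instance) to refuse framing. The check below is an added example, not code from the brief or from Meta: it evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether third-party framing is blocked. The header sets it runs over are constructed for illustration.

```python
"""Check whether an HTTP response carries clickjacking protection.

Added example (not from the brief): evaluates the two browser-enforced
framing controls, X-Frame-Options and the Content-Security-Policy
frame-ancestors directive. Sample header sets are constructed inline.
"""
from typing import Dict, List, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify a response's framing policy.

    Returns the effective policy and whether framing by arbitrary third-party
    origins (the clickjacking precondition) is blocked. When both headers are
    present, browsers that support frame-ancestors ignore X-Frame-Options, so
    the CSP directive is evaluated first.
    """
    result: Dict[str, object] = {
        "x_frame_options": None, "frame_ancestors": None, "protected": False, "reason": "",
    }

    csp = _get_header(headers, "Content-Security-Policy")
    ancestors = parse_frame_ancestors(csp) if csp else None
    if ancestors is not None:
        result["frame_ancestors"] = ancestors
        if ancestors == ["'none'"]:
            result["protected"] = True
            result["reason"] = "CSP frame-ancestors 'none' blocks all framing"
        elif "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            result["reason"] = "CSP frame-ancestors allows any origin"
        else:
            result["protected"] = True
            result["reason"] = "CSP frame-ancestors restricts framing to listed origins"
        return result

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        result["x_frame_options"] = value
        if value in ("DENY", "SAMEORIGIN"):
            result["protected"] = True
            result["reason"] = f"X-Frame-Options {value}"
        else:
            # ALLOW-FROM is obsolete and ignored by current browsers; anything
            # unrecognised is treated as no protection.
            result["reason"] = f"X-Frame-Options value {value!r} is not enforced by modern browsers"
        return result

    result["reason"] = "no framing restriction: page can be embedded in a third-party frame"
    return result


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"},
    "legacy_only": {"x-frame-options": "sameorigin"},
    "csp_open": {"Content-Security-Policy": "frame-ancestors *"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict = frame_protection(hdrs)
        print(f"{name:12s} protected={verdict['protected']}  {verdict['reason']}")
```

The CSP directive is checked before X-Frame-Options because a browser that understands frame-ancestors ignores the older header entirely; a site that sets only a permissive CSP is therefore unprotected even if X-Frame-Options says DENY.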
Analysis & Implications:
Meta’s lawsuit very likely intends to deter future threats by demonstrating Meta's willingness to prosecute threat actors who harm its interests. Meta very likely filed this lawsuit to set a precedent that allows the company to react rapidly if any specific threat actor undertakes any of the actions listed in the lawsuit. The lawsuit is unlikely to deter phishing scams in general but will likely discourage amateur hackers, who are more likely to make mistakes, from engaging in attacks due to the potential legal consequences.
Phishing websites will very likely utilize clickjacking techniques to increase the likelihood of the user falling victim to a scam. Clicking any link on the phishing website will likely install malicious programs containing a RAT on the target's computer, giving the hackers access to the user's network. Upon gaining access to an individual’s personal network, hackers will almost certainly retrieve the victim's data for profit.
Malicious actors will almost certainly continue to create phishing campaigns to obtain user login credentials, likely forcing Meta to improve its detection and deterrence methods, such as its anti-spam filter, to counteract these campaigns. Hackers will likely use this data to send phishing emails to access targets’ systems and retrieve additional data, like bank account details or website login credentials, for financial gain. Hackers will very likely sell this information to other threat actors for additional profit. Cybercriminals will likely blackmail victims into paying additional money in exchange for not sharing their data with other malicious actors, increasing the victims' financial burden.
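Detecting phishing sites of the kind described above starts with the hostnames they are served from, which typically carry a brand name in a subdomain of an unrelated domain, a one- or two-character typosquat of the brand, or a login/verification lure word. The scorer below is an added example and is not code from the brief or from Meta; the brand list, the "legitimate domain" set and the sample hostnames are all constructed assumptions, and a production version would resolve registered domains with the Public Suffix List rather than taking the last two labels.

```python
"""Heuristic scoring of hostnames that impersonate Meta brands.

Added example (not from the brief or from Meta). Flags a hostname when the
brand appears in a subdomain of an unrelated domain, when a label of the
registered domain is within two edits of the brand, or when lure keywords
and digit runs accompany those signs. All sample hostnames are constructed.
"""
import re
from typing import Dict, List

BRANDS = ("facebook", "instagram", "whatsapp")
# Domains assumed (for this example only) to belong to the brands.
LEGIT_DOMAINS = {"facebook.com", "instagram.com", "whatsapp.com", "fb.com", "meta.com"}
LURE_WORDS = ("login", "signin", "verify", "secure", "account", "recover")
BRAND_WEIGHT, MINOR_WEIGHT, THRESHOLD = 2, 1, 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (assumption: two-label public suffixes only)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_hostname(host: str) -> Dict[str, object]:
    """Return a score and the reasons behind it; 0 for known brand domains."""
    host = host.lower().strip(".")
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return {"host": host, "score": 0, "reasons": ["known brand domain"]}

    reasons: List[str] = []
    score = 0
    subdomain_part = host[: len(host) - len(reg)].strip(".")
    reg_label = reg.split(".")[0]
    for brand in BRANDS:
        if brand in subdomain_part:
            reasons.append(f"'{brand}' in subdomain of unrelated domain {reg}")
            score += BRAND_WEIGHT
        # Split the registered label on hyphens/underscores so "faceb00k-login"
        # is compared piecewise against the brand names.
        for part in re.split(r"[-_]", reg_label):
            if brand in part:
                reasons.append(f"'{brand}' embedded in registered label '{reg_label}'")
                score += BRAND_WEIGHT
            elif len(part) >= 5 and levenshtein(part, brand) <= 2:
                reasons.append(f"'{part}' is within 2 edits of '{brand}'")
                score += BRAND_WEIGHT
    if any(w in host for w in LURE_WORDS):
        reasons.append("login/verification lure keyword")
        score += MINOR_WEIGHT
    if re.search(r"\d{3,}", host):  # long digit runs are typical of throwaway hosts
        reasons.append("long digit run in hostname")
        score += MINOR_WEIGHT
    return {"host": host, "score": score, "reasons": reasons}


def is_suspicious(host: str) -> bool:
    """A lure word alone never flags a host; a brand signal does."""
    return int(score_hostname(host)["score"]) >= THRESHOLD


# Constructed hostnames; none are real observations.
SAMPLES = [
    "www.facebook.com",
    "facebook.com.login-verify.example",
    "faceb00k-login.example",
    "instagram-verify.example",
    "login.mybank.example",
    "example.com",
]

if __name__ == "__main__":
    for h in SAMPLES:
        verdict = score_hostname(h)
        print(f"{h:40s} score={verdict['score']} suspicious={is_suspicious(h)} {verdict['reasons']}")
```

The threshold is deliberately set so that a lure word on its own (login.mybank.example) does not flag a host; only a brand signal, or a brand signal combined with lure words, reaches the threshold.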
Date: December 22, 2021
Location: Massachusetts, US
Parties involved: RideShare; Prosecuted Hacker
The event: A former RideShare employee believed to be the leader of an 18-member cybercriminal team has pleaded guilty to a delivery account fraud scheme. The cybercriminals stole data such as names, driver’s licenses, and Social Security numbers to create fraudulent rider identities that bypassed RideShare’s facial recognition features at sign-up, and then sold and rented the identities to individuals. The cybercriminals also sold the information on the dark web to further expand their financial gains. The hackers obtained up to $200,000 USD without being flagged for fraudulent activity by collaborating with other cybercriminals who gave the fraudulent drivers positive surveys and ratings. The cybercriminals who bought the fake identities used social engineering techniques to convince users of their legitimacy as RideShare riders. Social engineering is a wide range of malicious activities that aim to manipulate the victim into making security mistakes or providing the hacker with sensitive information. RideShare has not made any official statement on recommendations for riders to follow.
Analysis & Implications:
The apparent lack of preventative measures at RideShare will likely allow more impersonation incidents to occur. Hackers will likely succeed in impersonating victims due to the extensive data gathered and the use of social engineering techniques. Impersonation will likely benefit the threat actors by allowing them to access the victim’s bank information.
Once hackers have accessed the networks, they will very likely conduct malware or ransomware attacks to further expand their financial gain by demanding a ransom from the victim for the encrypted files. Hackers will very likely post the stolen information on a dark web forum to blackmail the victim and ensure the ransom is paid. This twofold method will likely ensure the hacker receives the ransom, increasing the chance of them replicating this methodology in future attacks due to its proven effectiveness.
The Counterterrorism Group (CTG) is a subdivision of the global consulting firm Paladin 7. CTG has a developed business acumen that proactively identifies and counteracts the threat of terrorism through intelligence and investigative products. Business development resources can now be accessed via the Counter Threat Center (CTC), emerging Fall 2021. The CTG produces W.A.T.C.H resources using daily threat intelligence, also designed to complement CTG specialty reports which utilize analytical and scenario-based planning. Innovation must accommodate political, financial, and cyber threats to maintain a level of business continuity, regardless of unplanned incidents that may take critical systems offline. To find out more about our products and services visit us at counterterrorismgroup.com.
Does 1 through 100, Word Reference, April 2014, https://forum.wordreference.com/threads/does-1-through-100.2821974/
Taking Legal Action Against Phishing Attacks, Meta, December 2021, https://about.fb.com/news/2021/12/taking-legal-action-against-phishing-attacks/
Clickjacking: Definition and example of defense and attack, Ethical Hacking Group, February 2021, https://blog.ehcgroup.io/2021/02/10/16/45/18/10630/clickjacking-definicion-y-ejemplo-de-defensa-y-ataque/hacking/ehacking/ (Translated by Marina Tovar)
What are Remote Access Trojans (RATs) and how to stop them?, Revelock, March 2019, https://www.revelock.com/es/blog/troyanos-de-acceso-remoto-rats-que-son-y-c%C3%B3mo-pararlos (Translated by Marina Tovar)
Rideshare account hacker faces up to 22 years in prison, Bleeping Computer, December 2021, https://www.bleepingcomputer.com/news/legal/rideshare-account-hacker-faces-up-to-22-years-in-prison/
What is Social Engineering?, Kaspersky, https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering