
Cybersecurity Updates: Telegram Scams, Infostealer Shutdowns, and More
We have compiled the most significant cybersecurity news of the week.
- Infostealers RedLine and META, involved in cryptocurrency theft, have ceased operations.
- The number of fraudulent groups on Telegram has decreased as they migrate to Threads.
- The FakeCall trojan has learned to intercept bank calls.
Infostealers RedLine and META Cease Operations
On October 28, an international law enforcement coalition halted the operations of the infostealers RedLine and META, which had victimized millions of users worldwide. The malware operated through more than 1,200 servers and stole a wide range of personal data from infected devices. The stolen information was then sold on the dark web and used to steal money and cryptocurrency and to mount further attacks.
Infostealers #Redline & #META taken down by international coalition.
⚠️ The malware targeted millions of victims worldwide and was used to steal personal data, including usernames and passwords, addresses, phone numbers and more.
https://t.co/Z0AZLiXGOU pic.twitter.com/4hYKTeCgrA
— Eurojust (@Eurojust) October 29, 2024
In the Netherlands, three servers were shut down and two domains were seized, while two individuals were detained in Belgium. The United States has filed charges against the alleged developer and administrator of RedLine, Russian national Maxim Rudometov. He faces up to 35 years in prison for device fraud, conspiracy to commit cyberattacks, and money laundering.
Authorities also recovered information about RedLine and META customers, including IP addresses, activity timestamps, and registration details. The investigation is ongoing.
Fraudulent Groups Decline on Telegram
Between late September and early October, some fraudulent groups began leaving Telegram after the messenger stepped up its cooperation with authorities on sharing data about offenders. This was noted by specialists at F.A.C.C.T.
F.A.C.C.T. reports growing activity by cybercriminals operating under the "Mammoth" scheme. On Telegram, by contrast, a decline is currently being observed.
Details: https://t.co/SPZXv3c3NH pic.twitter.com/FP8EVcQoo8
— F.A.C.C.T. (@F_A_C_C_T_) November 1, 2024
Changes to Telegram’s privacy policy led one group operating under the ‘Mammoth’ scheme, with over 10,000 subscribers, to announce a full move to its own platform and the launch of an anonymous onion site.
Over four weeks, the revenues of 70% of similar fraudulent groups fell by an average of 22% — from 58 million to 45 million rubles. The perpetrators faced further difficulties when the Crypto Bot trading bot, which they used to cash out criminal proceeds, blocked their accounts.
FakeCall Trojan Intercepts Bank Calls
Researchers at Zimperium reported an advanced version of the Android trojan FakeCall that can intercept a user’s calls to their bank and redirect them to a number controlled by the perpetrator. The ultimate goal is to steal confidential information and money from users’ accounts.
Our #zLabs team uncovered advanced FakeCall malware using voice phishing (vishing) to hijack calls and steal sensitive data.
Don’t let vishing compromise your business.
Learn how Zimperium’s MTD protects your enterprise in real-time: https://t.co/CPIBwQ4jiO pic.twitter.com/X1JMurrzdD
— Zimperium (@Zimperium) October 31, 2024
The malware was first spotted in April 2022. By 2023, it could imitate more than 20 financial organizations and placed calls through third-party applications.
The current version registers itself as the default call handler and can capture live audio and video streams from infected devices. It also has improved protection against detection.
Germany Shuts Down DDoS Attack Platform Dstat.cc
German law enforcement seized the infrastructure of Dstat.cc, a platform for reviewing DDoS attack services, and arrested two suspects aged 19 and 28.
According to case materials, various cybercriminal groups, including the Russian Killnet and Passion, used the site to demonstrate their capabilities. It also hosted reviews and recommendations on carrying out various types of attacks.
According to investigators, the alleged administrators of Dstat.cc also ran the synthetic drug marketplace Flight RCS. They face up to ten years in prison and fines.
Stolen Credit Card Traders Move to Threads
The social network Threads has seen a surge in advertisements selling stolen credit cards and user credentials, The Register reports.
Cybersecurity researchers found at least 15 accounts, with more than 12,000 followers in total, publishing financial and personal information.
These pages survive for one to two months, yet Meta’s moderation remains inadequate. On the contrary, experts added, such activity is amplified by the social network’s algorithms and promoted through advertising.
The messages from perpetrators contain:
- names of cardholders;
- full and partial card numbers with expiration dates;
- PIN codes and CVV;
- bank identification numbers;
- names of banks and card issuers;
- social security numbers;
- IP and physical addresses;
- phone numbers and email addresses;
- birth dates;
- passwords.
Meta representatives stated that they are “aware of this behavior and continue to take action against accounts and content that violate the platform’s rules.”
Also on ForkLog:
- The US Department of Justice accused the founder of Gotbit of fraud.
- Immunefi: The crypto industry lost $55.1 million in October.
- 1inch commented on the app hack and announced a refund.
- Vitalik Buterin discussed the prospects for improving the EVM.
- Circle introduced a privacy solution for ERC-20 tokens.
- Tether unveiled an AI tool for creating privacy-focused applications.
- An expert discovered a “vampire attack” on Bitcoin.
Weekend Reading Suggestions
Explore the criminal case against the founder of the Cryptex bitcoin exchange together with analysts from “SHARD”.