IT NEWS

UniCC, the largest site on the dark web that sells credit card and debit card information, will close up shop for good, taking its affiliate site, LuxSocks, with it, too. According to Elliptic, a company that offers risk solutions for cryptoassets, the unknown UniCC administrators have made an estimated $358M USD in cryptocurrency for selling stolen credit card details.

A little bit about UniCC

UniCC opened shop in 2013, and specialized in credit card fraud and the sale of card details to criminals, collectively called carding. As you may already know, once online criminals get hold of your card details, they can use these to conduct unauthorized transactions. Such details can also be resold for cash, used in identity theft or the making of a synthetic identity, or used to further cash out cryptocurrencies gained from other online crimes.

The underground market accepts cryptocurrency payments of Bitcoin, Litecoin, Ether, and Dash.

And so, after nearly a decade of being active, administrators have announced their “retirement” on a carding forum. The announcement is in both Russian and English.

“Our team retires,” the announcement reads. After expressing their appreciation to clients, partners, and colleagues, they then proceed to shoot down potential gossip on why they suddenly decided to close shop: “…we are not young and our health do [sic] not allow to work like this any longer.” They then ended their piece with a warning, which is the final nail to the coffin: “We ask you to be smart and not follow any fakes tied to our comeback and other things.”

UniCC has filled the void left in the underground carding market after Joker’s Stash, deemed one of the founders of the carding industry in the dark web, voluntarily pulled the plug in February 2021. It’s believed that the administrator behind Joker’s Stash came away a “Bitcoin billionaire”.

Sunsetting and mixed feelings

UniCC and Joker’s Stash aren’t the only carding markets that have voluntarily exited this illicit industry.

“Right now it seems to be happening more,” said Professor David Décary-Hétu, a criminologist at the University of Montreal, in a BBC interview, “Markets gracefully exit and say, ‘We’ve made enough money, and before we get caught, we’re just going to retire and go into the sunset.”

Eight months after Joker’s Stash went caput, White House Market (WHM), a darknet marketplace, shut down. Then in November 2021, Cannazon, the largest marketplace for buying marijuana-based products, shut after a DDoS attack. Then to round off the year, ToRReZ Market, a site selling illegal products, closed in December 2021.

According to research conducted by the BBC, Europol, and European Monitoring Centre for Drugs and Drug Addiction (EMCDDA), there are at least five known reasons why markets in the dark web close.

Voluntary retirement, or “sunsetting”, is second to “exit scam”, which is where the market admins pull the rug from under their clients and partners and run away with the money. That’s exactly what happened recently with Arbix Finance.

While this wave of sunsetting may sound like great news to a lot of us, law enforcement have mixed feelings about it.

Alex Hudson, the Head of Darknet Intelligence at the National Crime Agency (NCA), is quoted by the BBC as saying: “I always celebrate anybody who perhaps realises that they’re in an occupation, which is criminalised and decided not to enhance that further. If there is a regret, it’s that we do need to hold them accountable for it and they need to understand that they will still be held accountable.”

The post Infamous dark net carding site UniCC to close appeared first on Malwarebytes Labs.

Brave indeed is the soul who decides to take on Nintendo with scam-filled behaviour online. The console legends have a long history of crunching down on fraud, as well as gaming past-times some would consider to be harmless.

Whether you create fan-made games, offer up plundered ROMs for use in emulators, or even just want to rent out some titles: Nintendo has almost certainly made the news.

This is before we even get to the Switch hacker improbably named Bowser who had to pay Nintendo $4.5 million as a result of said hacking.

It’s dangerous to hack alone

In a nutshell: perilous is the path of Nintendo fandom, and activities Nintendo may strongly disagree with. The company has always come down particularly hard on scams and hardware fakeouts, because it simply does not want people tampering with physical devices. The crown jewels are the online services and digital products, and Nintendo doesn’t want bogus consoles or cartridges mixing and matching with the real thing.

Last year, a big Nintendo story was the breach of around 300,000 Nintendo accounts. Suspected reasons for the spill included phishing and/or credential stuffing, with a fair bit of probable password reuse thrown in for good measure. There’s also the famous 2017 breach where files dating back to the 80s were accessed via the use of VPNs.

At this point, we can safely say two things. One: Nintendo absolutely does not want to entertain phishers, or bogus Nintendo websites. That path leads to bad experiences for Nintendo customers. Two: Nintendo absolutely does not want to entertain unofficial hardware, or suspicious device sales. This is another path filled with knock-off devices or tampered game cartridges.

The end result is that combining fake sites (which may or may not be phishing) with unofficial hardware sales will draw Nintendo’s attention extremely quickly.

Nintendo impersonations, phantom products?

For that reason, Nintendo has published a warning in relation to a fake site. A rough translation follows:

We have confirmed the existence of a fake site that impersonates the Nintendo homepage. These fake sites have nothing to do with us.

The fake site uses our logo illegally, making it look as if it is operated by us, and you can purchase our products such as Nintendo Switch at a significantly discounted price. If you purchase a product on a fake site, you may be scammed by fraudulent acquisition of personal information. Please be careful not to mistake it for our website, and do not purchase products from fake websites.

Nintendo usually holds on to lots of additional data where hacks or scams are concerned, likely because they are spending a lot of time investigating behind the scenes. This is how you eventually end up with people in front of judges.

Sadly, this sometimes makes it a bit tricky to figure out the who, what, when, where, and of course, why of any given situation. As Nintendo hasn’t released any information with regards to the fake site, it’s tricky to add much beyond what’s already been said.

Sounding out the scam

This definitely sounds like bogus device sales…if those devices even exist. It may well just be a fake store selling absolutely nothing at all, but that captures victims’ payment details. It’s possible the site in question also asks visitors to log in with their Nintendo accounts too. We simply don’t know.

The announcement on social media and the press release appear to (currently) be aimed at Japanese consumers only, so impact from this site may be more limited than usual. The release also points people to nintendo(dot)co(dot)jp as the official site, and doesn’t mention other regional variations.

For some semblance of completeness, there’s also Nintendo(dot)co(dot)uk, Nintendo-europe(dot)com, and Nintendo(dot)com for the US. I imagine there’s almost certainly more, but those tend to be the main first ports of call. If you haven’t set up two factor authentication on your Nintendo account then now is the perfect time to do it. The Princess may well be in another castle, but we don’t have to say the same thing about your login details.

The post Nintendo warns of imitation websites and suspicious hardware appeared first on Malwarebytes Labs.

In 2017, the largest ransomware attack ever recorded hit the world, infecting more than 230,000 computers across more than 150 countries in just 24 hours. And it could have been solved with a patch that was released nearly two months prior.

This was the WannaCry ransomware attack, and its final, economic impact—in ransoms paid but also in downtime and recovery efforts—has been estimated at about $4 billion. All of it could have been avoided if every organization running a vulnerable version of Windows 7 had patched that vulnerability, as Microsoft recommended. But that obviously didn’t happen.

Why is that?

In today’s episode of Lock and Code with host David Ruiz, we speak with cybersecurity professional Jess Dodson about why patching is so hard to get right for so many organizations, and what we could all do to better improve our patching duties.

According to Dodson, the problem of patching isn’t just a problem of resources—time, staffing, funding—but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.

“I was having a chat to a fellow security professional who was doing some work for an organization where they were boasting about servers being up for 1,000 days. That’s not something to be proud of. I don’t get the whole idea of being proud of your uptime.t That just means you haven’t done any updates on that thing for three years.”

Jess Dodson

Tune in to hear all this and more on this week’s Lock and Code podcast by Malwarebytes Labs.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Why we don’t patch, with Jess Dodson: Lock and Code S03E02 appeared first on Malwarebytes Labs.

Eight members of the REvil ransomware group have been arrested in Russia and will be pressed with criminal charges.

Russia’s intelligence bureau, the FSB, announced on Friday that it had conducted an operation together with the Interior Ministry in Moscow, St. Petersburg, and the regions of Moscow, Leningrad and Lipetsk to detain the gang members.

In total, the FSB raided 25 homes of 14 members of the group and seized more than 426 million rubles ($5.6 million) including $600,000 in cryptocurrency; €500,000; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.

Eight of the suspects have been indicted. They are suspected of committing a crime stipulated under Part 2 of Article 187 of Russia’s Criminal Code (‘Illegal Circulation of Payments’).

US input

The FSB began the investigation after receiving information from US agencies about a criminal group and its involvement in attacks on foreign high-tech companies, by implanting malware, encrypting data and extorting money for its decryption. Based on the information provided, the FSB managed to identify all members of the REvil gang, document their illegal activities, and establish their participation in “illegal circulation of means of payment.”

The question about whether the arrests are a direct result of the pressure the Biden administration has been applying on Russian President Vladimir Putin to move against ransomware groups operating in Russia will probably never receive an official Russian answer. The United States government hasn’t indicate how it planned to respond to attacks emanating from Russia, but in July 2021 Biden hinted at digital retaliation if Russian cooperation was not forthcoming.

A Kremlin statement back then said Putin told Biden that Russia had not received any requests from the relevant US departments in the last month, and said that Russia was ready to jointly stop crime.

Now it looks like that might have happened, and hopefully not for the last time. There are many other ransomware groups believed to be based in the CIS.

REvil

We have talked about REvil here many times. Among other articles, you can find a threat spotlight from 2019, and a detailed report about REvil’s supply chain attack against Kaseya. That one even made it into the three most significant cyberattacks of 2021.

According to the FSB, as a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the REvil gang now ceases to exist after their information infrastructure used for criminal purposes was neutralized.

A lot of writing and speculation has been done about REvil’s origin, whether the gang would come back after a part of their infrastructure was shut down, or when affiliates were arrested. So, if you ask us whether this will be the end of REvil, it’s hard to give a definitive answer.

But whether the gang reopens operations under the same name, or whether it spawns a new organization under new management, the result will be the same. The infection methods, the extortion tactics, and the merciless attacks will undoubtedly continue.

Stay safe, everyone!

The post REvil ransomware gang busted by Russian Federal Security Service appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs:

• Ransomware cyberattack forces New Mexico jail to lock down
• Some Android users can disable 2G now and why that is a good thing
• Phishers on the prowl with fake parking meter QR codes
• Update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one
• Software engineer hacked webcams to spy on girls—Here’s how to protect yourself
• FIFA 22 phishers tackle customer support with social engineering
• Ransomware targets Edge users
• Intimate photo hacker spared from jail, said he “liked the detective work”
• The Facebook Pixel Hunt aims to unravel Facebook’s tracking methods. Will you join?
• How to share your Wi-Fi password safely
• Night Sky: the new corporate ransomware demanding a sky high ransom
• Attackers are mailing USB sticks to drop ransomware on victims’ computers

Stay safe!

The post A week in security (January 10 – 16) appeared first on Malwarebytes Labs.

The Electronic Frontier Foundation (EFF) has happily informed people that Google has quietly pushed a new feature to its Android operating system allowing users to optionally disable 2G at the modem level in their phones.

This is beneficial because 2G uses weak encryption between the tower and device that can be cracked in real time by an attacker to intercept calls or text messages.

What is 2G?

Knowing that some countries are already preparing for 6G, you will understand that 2G, which is short for second generation, is an outdated communication standard. Another name for the 2G network that you may be familiar with is GSM (global system for mobile communications). 2G was set up in 1991 and in 2017 some providers started closing down their 2G networks. However, some carriers think that closing down 2G is not the best idea and continue their operations.

Why should I not use 2G?

You should avoid using 2G since it doesn’t use strong encryption and, over the years, many vulnerabilities have been found.

The encryption between the tower and the device is so weak that it can be cracked in real time by an attacker to intercept calls or text messages. In fact, the attacker can do this passively without ever transmitting a single packet.

Another major problem is that there is no authentication of the tower to the phone, which means that anyone can impersonate a real 2G tower, and a device using the 2G protocol will happily use it without questioning.

Cell-site simulators

Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that pretend to be legitimate cell-phone towers, tricking devices within a certain range into connecting to the simulator rather than a tower.

Cell-site simulators operate by conducting a general search of all cell phones within range, in violation of basic constitutional protections.  Law enforcement use cell-site simulators to pinpoint the location of phones with greater accuracy than phone companies. Cell-site simulators can also log IMSI numbers (International Mobile Subscriber Identifiers are numbers which identify a mobile subscriber by their SIM card) of all of the mobile devices within a given area. Some cell-site simulators may have advanced features allowing law enforcement to intercept communications or even alter the content of communications.

3G, 4G, and 5G deployments fix the worst vulnerabilities in 2G that allow for cell-site simulators to eavesdrop on SMS text messages and phone calls. It’s not that they don’t have vulnerabilities, it’s just that they are a big step forward.

Who can disable 2G?

For now, only the newest Android models will have the option to disable 2G. These users can disable 2G right now by going to Settings > Network & Internet > SIMs > Allow 2G and turning that setting off. On older Android phones, these steps may or may not work. Unfortunately due to limitations of old hardware, Google was only able to implement this feature on newer phones.

The EFF urged Apple to support this feature as well, and has started a Twitter campaign to nudge Apple along. The EFF also strongly encouraged Google, Apple, and Samsung to invest more resources into radio security so they can better protect smartphone owners.

Completely abandoning 2G is not an option yet, since many people still rely on it as the main mobile technology, especially in rural areas. That’s why brand-new, top-of-the-line phones on the market today still support 2G technology. But they should at least offer those users that do not depend on it, the option to disable 2G. The first step has been made, so let’s keep things moving.

Stay safe, everyone!

The post Some Android users can disable 2G now and why that is a good thing appeared first on Malwarebytes Labs.

Five days after the new year, the Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico suddenly went on lockdown. The reason? A ransomware cyberattack has knocked the jail’s internet connection offline, rendering most of their data systems, security cameras, and automatic doors unusable. Prisoners were confined in their cells while MDC technicians struggled to get everything back up and running again.

This attack forced the facility to suspend all prison visits, including from family members and lawyers, which the facility claimed was for the safety of everyone involved. And according to a public defender who represents some of the inmates, the facility’s response to the attack also threatened the prisoners’ constitutional rights.

No, the Metropolitan Detention Center was not targeted

According to a 7-page emergency notice, the entire Bernalillo County was attacked by unknown ransomware threat actors on the 5th of January, Wednesday, between midnight and 5:30AM local time. While the MDC itself isn’t the target, the after effects of the attack have spread within the facility just the same. County Internet systems were said to be compromised with staff having limited access to email. This greatly affects MDC staff, because the facility’s structure and location prevents them from using cellular data, which is usually a good alternative if the county experiences an internet outage.

On top of this, several databases within MDC have been confirmed to be corrupted by the attack. Two important systems, namely the facility’s Incident Tracking System (ITS), a system where incident reports are created and stored, and the Offender Management System (OMS), a system housing prisoner account data, were rendered inaccessible and were suspected to be corrupted.

“One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras,” per the notice, “As of this evening, January 5th, there was no access to cameras within the facility.”

The only known reprieve at that time had been the immediate restoration of the automatic doors in the afternoon. Staff would no longer have to manually lock and unlock facility doors using keys.

A breach in the system could result in unforseen problems

This ransomware cyberattack has pushed Bernalillo County into potentially violating a settlement agreement [PDF] from a two-decade old lawsuit, which is why it filed an emergency notice to the federal court. This agreement requires county jails to improve conditions within the facility and address complaints like overcrowding. This also includes providing inmates with regular access to telephones and other communications devices (e.g. tablets). But because the attack affected their internet connection—rendering inmates unable to use such devices—and because jail staff decided to keep inmates confined to their cells, the county has found itself unable to fulfill conditions in the settlement.

The county has already reached out to federal law enforcement to assist in addressing the ransomware attack. For now, Bernalillo County has taking steps to mitigate the effects of the attack.

We’ve entered 2022 with many of us only hoping that we’d have less ransomware attacks. But as we already know, what we hope for doesn’t always equate to reality. Ransomware has been a top threat for years now. Unless organizations take a serious stance on cybersecurity, there is no way we can (at least) slow these attacks down.

The post Ransomware cyberattack forces New Mexico jail to lock down appeared first on Malwarebytes Labs.

QR codes come and go as a threat. The last time we wrote about them they were causing problems at gas stations, and by sheer chance this latest outing shares vehicular related subject matter. Law enforcement in the US is sounding the alarm regarding parking meters.

A quick refresher

QR (Quick Response) codes are square barcodes, scanned by your smartphone to perform a variety of tasks. If you use authentication apps on your mobile, you’ve almost certainly had to scan one to set up 2FA for websites you use. Similarly, these codes can be found in the street, covid tests, in businesses, or pretty much anywhere else you can think of.

On this occasion, they’ve been spotted in relation to a parking meter scam looking to snag payment details.

Sound the QR alarm

This particular attack seems to have been happening over a period of at least a few weeks, with multiple law enforcement Twitter accounts referencing it like so: 

The so-called “pay to park” scam involves bogus QR code stickers being placed onto parking meters, urging people to pay using the code. At first, I wasn’t sure if they were placing bogus stickers over genuine payment QR code notices or if it involved fake notices too. However, this article includes a photograph of the scam in action.

It’s a genuine “pay by app parking” notice printed onto something, with the bogus QR code sticker placed on the bottom right hand corner. This is some opportunistic work slotting it into the overall design and making it look like it’s supposed to be there.

From scan to phish

When scanned, potential victims are directed to a fake “quick pay parking” website. From there, payment detail harvesting is but a few clicks and entry forms away. There’s no word as to what level of personal details are taken with the card, but at a bare minimum, we’d expect things like name, address, date of birth. This means anyone who’s fallen for it will need to keep a close eye on other forms of correspondence, as it could easily serve as a launchpad for further phishing or social engineering attempts. If payment details have been handed over, victims will need to cancel those payment details before the scammers can go on any spending sprees.

The site referenced in the article is now down, but we can’t say for sure if other bogus codes all direct to the same site or a variety of phishy links. The City of Houston states that it doesn’t use QR codes for parking payments. However, this isn’t an easy thing to communicate to a large mass of people. Additionally, the pandemic has made this technology one of the “go-to” bits of tech gaining more widespread use. As a result, many folks wouldn’t find a QR code asking for payment to be particularly odd.

The muddled convenience of guesswork

QR codes occupy a weird space in daily life. They’re a genuinely useful way of doing what you need to do in a pandemic with minimal fuss. The downside is you’re utterly reliant on technology to scan the code, with no idea what lurks beneath till you’ve done it.

Scammers here are relying on the convenience of paying by code. If you’re in a hurry to be somewhere, it’s still advisable to slow down and cast some healthy suspicion on QR codes presenting themselves for duty. If in doubt, contact whoever maintains the parking service you’re using and see if that code is indeed genuine. It’ll probably save you a lot of additional time and effort down the line.

The post Phishers on the prowl with fake parking meter QR codes appeared first on Malwarebytes Labs.

How time flies sometimes. Microsoft yesterday released the first patch Tuesday security updates of the year 2022. The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.

A severe word of warning for those running a network with a domain controller, the side effects this month are extreme. The advice is to hold of on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a “domain controller.” This month’s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.

Patches that can cause problems include the following:

• KB5009624 for Server 2012 R2
• KB5009595 for Server 2012 R2
• KB5009546 for Server 2016
• KB5009557 for Server 2019

It’s unclear if Server 2022 is similarly impacted.

Along with the update comes an announcement of a new security update guide notification system.

Let’s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we listed below have previously been fixed by a third party and are now being incorporated into Microsoft products.

Open Source Curl RCE vulnerability

CVE-2021-22947 is regarding a vulnerability in the curl open source library which is used by Windows. The January 2022 Windows Security Updates includes the most recent version of this library which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.

Libarchive RCE vulnerability

CVE-2021-36976 is regarding a vulnerability in the libarchive open source library which is used by Windows. The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. This vulnerability is described as libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).

Windows Certificate Spoofing vulnerability

CVE-2022-21836 allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.

Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability

CVE-2022-21839 does not provide us with a lot of details. Affected is some unknown processing of the component Event Tracing Discretionary Access Control List. The exploitability is said to be easy, and it is possible to launch the attack remotely. Required for exploitation is an authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.

Windows Security Center API RCE vulnerability

CVE-2022-21874 is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a CVSS score of 7.8. This vulnerability requires user interaction to exploit, and the attack vector is local.

Windows User Profile Service Elevation of Privilege (EoP) vulnerability

CVE-2022-21919 is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that has received a CVSS score of 7.0. The exploitation is known to be difficult, but the attack may be initiated remotely. The requirement for exploitation is a simple authentication.

HTTP Protocol Stack RCE vulnerability

CVE-2022-21907 is not one of the zero-days, but it stands out because it is a critical vulnerability which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. While this is a vulnerability that would mostly affect servers, the fact that it requires no user interaction, there are no privileges required and it targets an elevated service makes experts believe it is wormable. There are also some questions among experts about which Windows versions are vulnerable.

The new security update guide notification system

Notifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. There is no longer a requirement that the email be a Live ID.

To start off, you will need to create a Security Update Guide profile by clicking “Sign in” at the top right corner of the Security Update Guide. You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.

Other security updates

Don’t forget to look at other security updates that you may need. We have seen updates from:

• Adobe
• Android
• Cisco 
• Intel 
• SAP 
• VMWare 

Stay safe, everyone!

The post Update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one appeared first on Malwarebytes Labs.

Michael Grime, a British games programmer, has escaped jail after using stolen credentials to access several women’s personal email accounts and social media accounts in order to steal their private and intimate photos.

Grime was caught by the National Crime Agency (NCA) as part of an operation involving several agencies and the FBI. The agencies were able to link his email address to an account in WeLeakInfo[dot]com, a website that sells leaked credentials. Grime is said to have been paying $2 USD a day to access this site before it was taken down by law enforcement in early 2020.

WeLeakInfo[dot]com is marketed as a site that offers access to 12 billion user records collected from more than 10,000 data breaches. These records contain user names, email addresses, IP addresses, passwords, and phone numbers.

In November 2020, law enforcement officers raided Grime’s home and seized a PC tower, three external hard drives, and his mobile phone. Thousands of photos and videos of women either topless or nude were found on his devices, many of which were images that had never been shared publicly.

The NCA primarily identified 11 women in the UK, most of whom went to school with Grime or had known him since childhood. It isn’t specified how many women Grime victimized outside of the UK. Some of his victims are popular figures on YouTube and Only Fans.

During a Preston Crown Court hearing, Grime admitted to having access to “around 50 accounts”. In one incident, Grime, who was described as “geeky, loner, and odd”, hacked the account of one of the women’s boyfriend’s to access private photos shared between the couple.

Lisa Worsley, prosecuting, told the court that his victims “felt betrayed and sad. One woman’s first response was to delete all her social media which she found upsetting.”

“Another said her Snapchat has been unstable and would log her out three or four times a day.” That’s a red flag there.

On the defending side, the lawyer whom outlets only name as “Mr. Forbes” told the court that Grime is “socially awkward” and may be on the autistic spectrum, although Grime has never had an official diagnosis. Forbes also said that his client became obsessed with hacking and “liked the detective work”.

“Many cybercriminals rely on the fact that lots of people use the same password on multiple sites and data breaches create the opportunity for fraudsters to exploit this,” said Detective Inspector Chris McClellan from the North West Regional Organizaed Crime Unit, who carried out the warrant at Grime’s home address in November.

“He knew it was wrong,” Forbes is quoted saying, “He stopped on occassions but [sic] and deleted material and would start again. This was something over which he felt he had little to no control over.” Forbes said Grime’s arrest was a “relief” for the young programmer as Grime didn’t have to rely on his weak will to stop himself from hacking accounts and downloading photos.

Although he wasn’t imprisoned, Michael Grime was given a community order, which orders him to do unpaid community work for 80 hours over two years. He was also ordered to undergo rehabilitation for 30 days and pay £500 as compensation for each of his 11 victims.

DI McClellan advised internet users to check if their credentials and personal data have been part of a data breach by using legitimate websites like haveibeenpwned.com. If users find one or more of their accounts have been compromised due to breaches, they should make new strong passwords for each account.

“Do not reuse passwords and where possible apply Two Factor Authentication (2FA). This will help you prove you are who you say you are when you are logging into your account. Do not share the 2FA code with anyone.”

Sage words.

The post Intimate photo hacker spared from jail, said he “liked the detective work” appeared first on Malwarebytes Labs.