In 2018, KrebsOnSecurity unmasked the creators of Coinhive — a now-defunct cryptocurrency mining service that was being massively abused by cybercriminals — as the administrators of a popular German language image-hosting forum. In protest of that story, forum members donated hundreds of thousands of euros to nonprofits that combat cancer (Krebs means “cancer” in German). This week, the forum is celebrating its third annual observance of that protest to “fight Krebs,” albeit with a Coronavirus twist.

On March 26, 2018, KrebsOnSecurity published Who and What is Coinhive, which showed the founder of Coinhive was the co-creator of the German forum pr0gramm[dot]com (not safe for work).  I undertook the research because Coinhive’s code at the time was found on tens of thousands of hacked Web sites, and Coinhive seemed uninterested in curbing widespread abuse of its platform.

Pr0gramm’s top members accused KrebsOnSecurity of violating their privacy, even though all of the research published about them was publicly available online. In protest, the forum’s leaders urged members to donate money to medical research in a bid to find a cure for Krebs (i.e. “cancer”). They ended up raising more than a quarter-million dollars worth of donations from members.

Last year’s commemoration of the protest fundraiser — dubbed “Krebsaction” by Pr0gramm — raised almost $300,000 for anti-cancer research groups. Interestingly, Coinhive announced it was shutting down around the same time as that second annual fundraiser.

This year’s Krebsaction started roughly three days ago and so far has raised more than 150,000 euros (~$165,000), with many Pr0gramm members posting screenshots of their online donations. The primary beneficiary appears to be DKMS, a German nonprofit that works to combat various blood cancers, such as leukemia and lymphoma.

This year, however, Pr0gramm’s administrators exhorted forum members to go beyond just merely donating money to a worthy cause, and encouraged them to do something to help those most affected by the COVID-19/Coronavirus pandemic.

“This year pr0gramm-members shall not only donate but do a good act in terms of corona (and prove it), for example bring food to old people, bring proof of volunteering and such stuff,” reads the Pr0gramm image kicking off this year’s Krebsaction.  The message further states, “Posts mit geringem Einsatz können wir nicht akzeptieren,” which translates roughly to “Posts with little effort we cannot accept.”

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.

In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”

According to cyber intelligence firm Intel 471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate Gerasim Silivanon (a.k.a. “Gabrik“) were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel 471 says Selivanon also was charged along with Stroganov in this past week’s law enforcement action.

“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel 471.

“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.

Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.

“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”

Intel 471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.

Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks.

A longtime moderator of perhaps the cybercrime underground’s most venerated Russian hacking forum posted a list of more than 40 carding sites thought to be tied to the group’s operations that are no longer online. Among them is MrWhite[.]biz, a carding site whose slick video ads were profiled in a KrebsOnSecurity post last year.

KNOW YOUR FRAUDSTER

Nearly all of the carding sites allegedly tied to this law enforcement action — including those with such catchy names as BingoDumps, DumpsKindgom, GoldenDumps, HoneyMoney and HustleBank — were united by a common innovation designed to win loyalty among cybercriminals who buy stolen cards or “dumps” in bulk: Namely, a system that allowed buyers to get instant refunds on “bad” stolen cards without having to first prove that the cards were canceled by the issuing bank before they could be used for fraud.

Most carding sites will offer customers a form of buyer’s insurance known as a “checker,” which is an automated, à la carte service customers can use after purchasing cards to validate whether the cards they just bought are still active.

These checking services are tied to “moneyback” guarantees that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the buyer agrees to pay an added fee of a few cents per card to use the shop’s own checking service.

But many cybercrooks have long suspected some checkers at the more popular carding sites routinely give inaccurate results that favor the card shop (i.e., intentionally flagging some percentage of inactive cards as valid). So, the innovation that Flint’s gang came up with was a policy called “Trust Your Client” or “TYC,” which appears to be a sly dig on the banking industry’s “know your customer” or KYC rules to help fight fraud and money laundering.

With TYC, if a customer claimed a card they bought was declined for fraudulent transaction attempts made within six hours of purchase, the carding shop would refund the price of that card — no questions asked. However, it seems likely these shops that observed TYC ran their own checkers on the back-end to protect themselves against dishonest customers.

Want to learn more about how carding shops work and all the lingo that comes with them? Check out my behind-the-scenes profile of one major fraud store — Peek Inside a Professional Carding Shop.

Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.

For example, the official U.S. Census Bureau website https://my2020census.gov carries a message that reads, “An official Web site of the United States government. Here’s how you know.” Clicking the last part of that statement brings up a panel with the following information:

The text I have a beef with is the bit on the right, beneath the “This site is secure” statement. Specifically, it says, “The https:// ensures that you are connecting to the official website….”

Here’s the deal: The https:// part of an address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and cannot be read by third parties.

However, the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

In other words, while readers should never transmit sensitive information to a site that does not use https://, the presence of this security feature tells you nothing about the trustworthiness of the site in question.

Here’s a sobering statistic: According to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates. PhishLabs found this percentage increased from 68% in Q3 and 54% in Q2 of 2019.

“Attackers are using free certificates on phishing sites that they create, and are abusing the encryption already installed on hacked web sites,” PhishLabs founder and CTO John LaCour said.

The truth is anyone can get an SSL certificate for free, and that’s a big reason why most phishing sites now have them. The other reason is that they help phishers better disguise their sites as legitimate, since many Web browsers now throw up security warnings on non-https:// sites.

KrebsOnSecurity couldn’t find any reliable information on how difficult it may be to obtain an SSL certificate for a .gov site once one has a .gov domain, but it is apparently not difficult for just about anyone to get their very own .gov domain name.

The U.S. General Services Administration (GSA), which oversees the issuance of .gov domains, recently made it a tiny bit more difficult to do so — by requiring all applications be notarized — but this seems a small hurdle for scam artists to clear.

Regardless, it seems the federal government is doing consumers a disservice with this messaging, by perpetuating the myth that the presence of “https://” in a link denotes any kind of legitimacy.

“‘Https’ does not mean that you are at the correct website or that the site is secure,” LaCour said. “It only indicates that the connection is encrypted. The server could still be misconfigured or have software vulnerabilities. It is good that they mention to look for ‘.gov’. There’s no guarantee that a .gov website is secure, but it should help ensure that visitors are on the right website.”

I should note that this misleading message seems to be present only on some federal government Web sites. For instance, while the sites for the GSA, the Department of Labor, Department of Transportation, and Department of Veterans Affairs all include the same wording, those for the Commerce Department and Justice Department are devoid of the misleading text, stating:

“This site is also protected by an SSL (Secure Sockets Layer) certificate that’s been signed by the U.S. government. The https:// means all transmitted data is encrypted — in other words, any information or browsing history that you provide is transmitted securely.”

Other federal sites — like dhs.gov, irs.gov and epa.gov — simply have the “An official website of the United States government” declaration at the top, without offering any tips about how to feel better about that statement.

In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.

Since at least 2007, Web Listings Inc. has been sending snail mail letters to domain registrants around the world. The missives appear to be an $85 bill for an “annual search engine listing” service. The notice does disclose that it is in fact a solicitation and not a bill, but wording of the notice asserts the recipient has already received the services in question.

The mailer references the domain name web-listings.net, one of several similarly-named domains registered sometime in 2007 or later to a “James Madison,” who lists his address variously as a university in New Britain, Connecticut or a UPS Store mailbox in Niagara Falls, New York.

Some others include: weblistingservices.com, webservicescorp.net, websiteservicescorp.com, web-listingsinc.com, weblistingsinc.net, and weblistingsreports.net. At some point, each of these domains changes the owner’s name from James Madison to “Mark Carter.” As we’ll see, Mark is a name that comes up quite a bit in this investigation.

A Twitter account for Web Listings Inc. has posts dating back to 2010, and points to even more Web Listings domains, including weblistingsinc.org. Cached versions of weblistingsinc.org at archive.org show logos similar to the one featured on the Web Listings mailer, and early versions of the site reference a number of “business partners” in India that also perform SEO services.

Searching the Internet for some of these Web listing domains mentioned in the company’s Twitter account brings up a series of press releases once issued on behalf of the company. One from May 2011 at onlineprnews.com sings the praises of Weblistingsinc.info, weblistingsinc.org and web-listings.net in the same release, and lists the point of contact simply as “Mark.”

Historic WHOIS registration records from Domaintools [an advertiser on this blog] say Weblistingsinc.org was registered in Nov. 2010 to a Mark Scott in Blairgowrie, Scotland, using the email address clientnews@reputationmanagementfor.com.

Reputationmanagementfor.com bills itself as an online service for “fighting negative and incorrect content on the internet,” which is especially interesting for reasons that should become clearer in a few paragraphs. The site says Mark Scott, 46, is an employee of Reputationmanagementfor.com, and that he is also involved with two other companies:

-GoBananas, a business that sets up group outings, with a focus on bachelor and bachelorette parties;

-HelpMeGo.to, a entity in Scotland that did online marketing and travel tourism both in Scotland (via sites like Scotland.org.uk and marketinghotelsonline.co.uk) and on India’s coastal Kerala state where HelpMeGo.to employed a number of people involved in the SEO business. Helpmego.to now simply redirects to GoBananas.

According to Farsight Security, a company that keeps historic records of which Web sites were hosted at which Internet addresses, Weblistingsinc.org was for a while hosted at the IP address 68.169.45.65 with just six other domains, including travelingalberta.com, which was a blog about traveling and living in Alberta, Canada registered to Mark Scott and the email address management@helpmego.to. Cached versions of this site from 2011 show it naming Web Listings Inc. as a business partner.

That same management@helpmego.to email address is tied to the WHOIS records for markscottblog.com, gobananas.co.uk, gobananas.com. Cached copies of markscottblog.com from 2010 at Archive.org show his profile page on blogger.com links to another blog with much the same content, images and links called internetmadness.blogspot.com.

Among the 2011 entries from the Internetmadness blog is a post promoting the wonders of benefits of Web Listings Inc.

THE COBRA/APPCO GROUP

Aha! But wait, there’s more. You see, for years Weblistingsinc.org was hosted on the same servers along with a handful of other domains that all switched Internet addresses at the same times, including gobananas.com, gobananasworld.com and the IP addresses 107.20.142.166 (17 hosts), 54.85.65.241 (6 hosts).

Most of the other domains at these IPs historically have been tied to other domains connected to Mark Scott and his various companies and business partners, including chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, staghensscotlands.com, cobra-group.blogspot.com, the-cobra-group.com, appcogroup.co.uk, and reputationmanagementfor.com.

I found a similar pattern with domains stemming from a Crunchbase company profile on Web Listings Inc., which says the firm is based in Toronto, Canada, with the Web site webtechnologiesinc.net, and email address webtechnologiesletter@gmail.com. Historic WHOIS data from Domaintools.com says Webtechnologiesinc.net was registered in 2013 to a Marcus Ruskov in Toronto.

Information about who registered Webtechnologiesletter.com is completely hidden behind privacy protection services. But Farsight says the domain was in 2015 hosted at the Internet address 54.77.128.87, along with just 70 other domains, including the same list of domains mentioned above, chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, et cetera.

What do all of these domains have in common? They are tied to companies for which Mark Scott was listed as a key contact. For example, this press release from 2o11 says Mark Scott is the contact person for a company called Appco Group UK which bills itself as a market leader in face-to-face marketing and sales.

“Worldwide, Appco Group has raised hundreds of millions of pounds for some of the world’s biggest charities, delivered pay-TV and broadband services, financial services, security and many other successful marketing solutions on a diverse range of products,” the press release enthuses.

The Appco Group is the re-branded name of a family of marketing and sales companies originally created under the name The Cobra Group, whose Wikipedia page states that it is a door-to-door selling and marketing company headquartered in Hong Kong. It says investigations by the media have found the company promises much larger compensation rates that employees actually receive.

“It is also criticized for being a cult, a scam and a pyramid scheme,” the entry reads.

The Cobra Group and its multifariously named direct sales and marketing companies are probably best described as “multi-level marketing” schemes; that is, entities which often sell products and/or services of dubious quality, use high-pressure sales tactics and misleading if not deceptive advertising practices, and offer little to no employee payment for anything other than direct sales.

Even the most cursory amount of time spent searching the Internet for information on some of the companies named above (Appco Group, Cobra Group, Redwoods Advance, GDS International) reveals a mountain of bad press and horrible stories from former employees.

For example, Appco salespeople became known as “charity muggers” because they were trained to solicit donations on behalf of charities from random people on the street, and because media outlets later discovered that the people running Appco kept the majority of the millions of dollars they raised for the charities.

This exhaustive breakdown on the door-to-door sales industry traces Cobra and Appco Group back to a long line of companies that simply renamed and rebranded each time a scandal inevitably befell them.

Now it makes sense why Web Listings Inc. had so many confusingly-named domain names. And this might also explain the primary role of Mr. Scott’s business — the online reputation management company reputationmanagementfor.com — in relation to the Cobra Group/Appco’s efforts to burnish its reputation online.

Mark Scott did not respond to multiple requests for comment sent to various email addresses and phone numbers tied to his name. However, KrebsOnSecurity did receive a response from Cobra Group founder Chris Niarchos, a Toronto native who said this was the first he’d heard of the Web Listings scam.

“Mark used to provide some services to us but my understanding was that stopped a long time ago,” Niarchos said. “He used to own a marketing company that we supplied but that contract ended maybe 12 years ago. That’s how we met. After that he did start some internet based businesses where he sold services to us as a customer at arms length. That also stopped many years ago again as we did it all in house. As far as I know he did this for many companies and we were simply a customer of his. In my dealings with him we got what we paid for but never did we have any closer relationship than that.”

USA CONNECTIONS

Two more small — possibly insignificant — but interesting things. First, if we go back and look at archived posts from markscottblog.com in 2010, we can see a number of entries where he defends the honor of Cobra Group, Appco, and other multi-level marketing programs he supports, saying they’re not scams. If we go back further to 2008 and look at Mark Scott’s profile on Blogger.com, we can see at the bottom of the page a link called “Enquiries and Emails.”

Visiting that link brings up what looks like a public shaming page of emails apparently sent to Mr. Scott from scammers trying to set him up for some kind of fake check scheme in connection with renting one of the U.K. properties listed by his various travel accommodations Web sites. Click the “Contact” tab at the top right of that page and you’ll see Travel Scotland has a U.S. phone number that potential customers here in the states can use to make reservations toll-free.

That number happens to be in Connecticut. Recall that the address listed in the ownership records for many of the Web Listings domains tied to the “James Madison/Mark Carter” identities were for an address in Connecticut.

Finally, I wanted to mention something that has stumped me (until very recently) since I began this investigation a couple of years ago. There are two unexpected domains returned when one performs a reverse search on a couple of different persistent data points in the WHOIS registration records for the Web Listings domains. See if you can spot the odd duck in this list produced by running a reverse search at Domaintools on info@web-listings.net (the contact email address shown on the mailed letter above):

Domain Name Create Date Registrar
finzthegoose.com 2010-08-03 enom, inc.
web-listings.net 2007-04-24 ENOM, INC.,ENOM, LLC
web-listingsinc.com 2015-11-06 ENOM, INC.,ENOM, LLC
weblistingservices.com 2007-04-23 ENOM, INC.,ENOM, LLC
weblistingsinc.com 2014-06-21 GODADDY.COM, LLC
weblistingsinc.net 2016-02-09 ENOM, INC.,ENOM, LLC
weblistingsreports.net 2015-11-06 ENOM, INC.,ENOM, LLC
webservicescorp.net 2007-06-03 ENOM, INC.,ENOM, LLC
websiteservicescorp.com 2007-06-03 —

Ten points if you said “finzthegoose.com.” Now let’s run a search on the phone number for Mark Carter — the phony persona behind all the Web Listings domains registered to the Niagara Falls address — +1.716-285-3575. What stands out about this list?

Domain Name Create Date Registrar
aquariumofniagara.org 2001-01-11 GODADDY.COM, LLC
web-listings.net 2007-04-24 ENOM, INC.,ENOM, LLC
web-listingsinc.com 2015-11-06 ENOM, INC.,ENOM, LLC
weblistingservices.com 2007-04-23 ENOM, INC.,ENOM, LLC
weblistingsinc.com 2014-06-21 GODADDY.COM, LLC
weblistingsinc.net 2016-02-09 ENOM, INC.,ENOM, LLC
weblistingsreports.net 2015-11-06 ENOM, INC.,ENOM, LLC
webservicescorp.net 2007-06-03 ENOM, INC.,ENOM, LLC
websiteservicescorp.com 2007-06-03 —

If you’re picking up an aquatic and marine life theme here, you’re two for two. That is actually the real phone number for the Aquarium of Niagara; the Web-Listings people just for some reason decided to list it in their WHOIS records as theirs.

It appears that a Scotsman named Robert Paul Graham Scott — perhaps Mark’s older brother — was in the same line of work (SEO and advertising) and pimping the exact same companies as Mark. According to a listing at Companies House, the official ledger of corporations in the United Kingdom, Paul Scott was for four years until Sept. 2019 a director in HMGT Services Ltd. (HMGT stands for the aforementioned HelpMeGo.To business).

Paul Scott’s own Internet presence says he lives in Perth — a short distance from Mark’s hometown in Blairgowrie, Scotland. Like Mark, Paul Scott did not respond to requests for comment. But Paul Scott’s Twitter profile — @scubadog_uk — shows him tweeting out messages supporting many of the same companies and causes as Mark over the past decade.

More to the point, Paul’s Website — scubadog.co.uk — says he has an abiding interest in underwater photography, scuba diving, and all things marine-related.

Finastra, a company that provides a range of technology solutions to banks worldwide, said it was shutting down key systems in response to a security breach discovered Friday morning. The company’s public statement and notice to customers does not mention the cause of the outage, but their response so far is straight out of the playbook for dealing with ransomware attacks.

London-based Finastra has offices in 42 countries and reported more than $2 billion in revenues last year. The company employs more than 10,000 people and has over 9,000 customers across 130 countries — including nearly all of the top 50 banks globally.

Earlier today, sources at two different U.S. financial institutions forwarded a notice they received from Finastra saying the outage was expected to disrupt certain services, particularly for clients in North America.

“We wish to inform our valued customers that we are investigating a potential security breach. At 3:00 a.m. EST on March 20, 2020, we were alerted to anomalous activity on our network which risked the integrity of our data-centers,” reads the notice. “As such, and to protect our customers, we have taken quick and strict remedial action to contain and isolate the incident, while we investigate further.”

The statement continues:

“Our approach has been to temporarily disconnect from the internet the affected servers, both in the USA and elsewhere, while we work closely with our cybersecurity experts to inspect and ensure the integrity of each server in turn. Using this ‘isolation, investigation and containment’ approach will allow us to bring the servers back online as quickly as possible, with minimum disruption to service, however we are anticipating some disruption to certain services, particularly in North America, whilst we undertake this task. Our priority is ensuring the integrity of the servers before we bring them back online and protecting our customers and their data at this time.”

Finastra did not respond to requests for comment. But the company appears to have acknowledged an incident via a notice on its Web site that offers somewhat less information and refers to the incident merely as the detection of anomalous activity.

“The Finastra risk and security services team has detected anomalous activity on our systems,” wrote Tom Kilroy, Finastra’s chief operating officer. “In order to safeguard our customers and employees, we have made the decision to take a number of our servers offline while we investigate. This, of course, has an impact on some of our customers and we are in touch directly with those who may be affected.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to strongarm victim companies into paying up.

One reader on Twitter told KrebsOnSecurity they’d heard Finastra had sent thousands of employees home today as a result of the security breach, but that claim could not be confirmed. Considering the rapidity with which the global Coronavirus pandemic appears to be spreading, thousands of employees being sent home might not be the worst outcome here.

Interestingly, several ransomware gangs have apparently stated that they are observing a kind of moratorium on attacking hospitals and other healthcare centers while the Coronavirus epidemic rages on. Bleeping Computer’s Lawrence Abrams said he recently reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Abrams said several of those gangs told him they would indeed stop attacking healthcare providers for the time being. One gang even used its victim-shaming Web site to post a “press release” on Mar. 18 stated that “due to situation with incoming global economy crisis and virus pandemic” it would be offering discounts to victims of their ransomware.

“We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus,” reads the release from the Maze ransomware gang.

This story will be updated as more details become available.