The Good
This week brings another welcome victory for law enforcement. This time around we focus on darknet market site CanadaHQ (Canadian Headquarters) and individuals connected to the site. CanadianHQ was notorious for trading in spamming services, phishing kits, stolen credentials and access to compromised computers before it was taken offline.
The CRTC (Canadian Radio-television and Telecommunications Commission) provided an update this past week stating that four suspects involved with the site, including the creator of the market, had been handed penalties for violating Canada’s Anti Spam Legislation (CASL) totaling $300,000.
The CRTC indicated that these individuals were responsible for sending “emails mimicking well-known brands in order to obtain personal data including credit card numbers, banking credentials, and other sensitive information”. The individuals charged in violation of the CASL are:
- Chris Tyrone Dracos (aka “Poseidon”)
- Marc Anthony Younes (aka “CASHOUT00” and “Masteratm”)
- Souial Amarak (aka “Wealtyman” and “Supreme”)
- Moustapha Sabir (aka “La3sa”)
It is alleged that Dracos was the creator and primary administrator of the market. As such, he received the harshest penalty with a fine of $150,000. The three remaining individuals were given fines of $50,000 each. Chief Compliance Officer of the CRTC, Steven Harron, indicated that this was one of the more “challenging and complex” cases they had worked on under the Canada Anti-Spam Legislation.
However, there is indication of a broader scope to these actions as CRTC also indicate they have “identified a number of other vendors…actions will be taken against them in the near future”. It sounds like we can look forward to more of these efforts and resulting market closures in the future.
The Bad
The FBI on Tuesday released a new PSA (public service announcement) around the ongoing tactics used by scammers and cybercriminals. PSA I-020122-PSA focuses on the exploitation of security weaknesses on job recruitment websites. Scammers use these to post fraudulent job postings with the intention of extracting personal information or money from would-be applicants. According to the FBI, on average, victims are duped out of almost $3000 a time.
While the tactic is hardly new, it continues to pay rich dividends for cybercriminals precisely because many employment-oriented networking sites fail to use strong security verification measures. Scammers have exploited such weaknesses to post fake job offerings on legitimate company pages alongside genuine job postings. Users of such sites are left to determine the real from the fake for themselves, with predictably unfortunate outcomes.
Similarly, scammers reproduce genuine job postings on other sites, changing the contact details to capture interested job seekers. They even go so far as to spoof the identity of legitimate company employees, conduct fraudulent interviews, and even make fake job offers to victims in their quest to gather as much PII as possible. The PII is then later sold or used in additional scams.
The PSA provides several further examples of these tactics in use over the past three years, and they go on to outline how the scams also impact the reputation of businesses that are repeatedly scammed. The PSA contains a set of recommendations for both companies and job seekers to assist in curtailing the impact or damage caused via this tactic and to avoid falling victim to such scams. We encourage all to read and review the PSA for further guidance.
The Ugly
This week saw one of the UK’s largest food and snack companies, Leicester-based KP Snacks (aka Kenyon Produce), provide further details around last Friday’s ransomware attack. On Wednesday, the company informed partners that as a result of the attack, it was unable to “safely process orders or dispatch goods”.
According to reports, the Conti ransomware group, which is developed and maintained by the same team that brings us Trickbot, was behind the attack. The operators are said to have breached KP Foods’ internal network and gained access to sensitive files such as employee details, credit card statements, birth certificates and financial documents, exfiltrating the data before encrypting it.
The Conti leaks site listed KP Snacks with the usual countdown timer for payment, which is due to “expire” around February 6th. It is not known at this time whether the company is negotiating with the attackers, but per their official statement they have initiated their “cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist” them in their investigation. The company has also said that “it is unknown when this will be resolved”.
Once again, such attacks only highlight the need for companies to deploy security solutions that can truly prevent ransomware attacks, while also ensuring all staff are given good cybersecurity awareness training on a regular basis. The ransom amount is only part of the cost of failure here, and often not even the most significant part at that.