Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider - Krebs on Security

On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

A graphic depicting how 0ktapus leveraged one victim to attack another. Image credit: Amitai Cohen of Wiz.

Prosecutors say Noah Michael Urban of Palm Coast, Fla. stole at least $800,000 from at least five victims between August 2022 and March 2023. In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap, wherein attackers transferred each victim's mobile phone number to a new device that they controlled.

The government says Urban went by the aliases "Sosa" and "King Bob," among others. Multiple trusted sources told KrebsOnSecurity that Sosa/King Bob was a core member of a hacking group behind the 2022 breach at Twilio, a company that provides services for making and receiving text messages and phone calls. Twilio disclosed in Aug. 2022 that an intrusion had exposed a "limited number" of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

Shortly after that disclosure, the security firm Group-IB published a report linking the attackers behind the Twilio intrusion to separate breaches at more than 130 organizations, including LastPass, DoorDash, Mailchimp and Plex. Multiple security firms soon assigned the hacking group the nickname "Scattered Spider."

Group-IB dubbed the gang by a different name, 0ktapus, which was a nod to how the criminal group phished employees for credentials. The missives asked users to click a link and log in at a phishing page that mimicked their employer's Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

A booking photo of Noah Michael Urban released by the Volusia County Sheriff.

0ktapus used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

0ktapus often leveraged information or access gained in one breach to perpetrate another. As documented by Group-IB, the group pivoted from its access to Twilio to attack at least 163 of its customers. Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.

Also in August 2022, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.

However, on November 30, 2022, LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex's security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

A review of thousands of messages that Sosa and King Bob posted to several public forums and Discord servers over the past two years shows that the person behind these identities was mainly focused on two things: SIM-swapping, and trading in stolen, unreleased rap music recordings from popular artists.

Indeed, those messages show Sosa/King Bob was obsessed with finding new "grails," the slang term used in some cybercrime discussion channels to describe recordings from popular artists that have never been officially released. It stands to reason that King Bob was SIM-swapping important people in the music industry to obtain these files, although there is little to support this conclusion from the public chat records available.

"I got the most music in the com," King Bob bragged in a Discord server in November 2022. "I got thousands of grails."

King Bob's chats show he was particularly enamored of stealing the unreleased works of his favorite artists: Lil Uzi Vert, Playboi Carti, and Juice Wrld. When another Discord user asked if he has Eminem grails, King Bob said he was unsure.

"I have two folders," King Bob explained. "One with Uzi, Carti, Juicewrld. And then I have every other artist. Every other artist is unorganized as fuck and has thousands of random shit."

King Bob's posts on Discord show he quickly became a celebrity on Leaked[.]cx, one of the most active forums for trading, buying and selling unreleased music from popular artists. The more grails that users share with the Leaked[.]cx community, the more their status and access on the forum grows.

The last cache of Leaked dot cx indexed by archive.org on Jan. 11, 2024.

And King Bob shared a large number of his purloined tunes with this community. Still others he tried to sell. It's unclear how many of those sales were ever consummated, but it is not unusual for a prized grail to sell for anywhere from $5,000 to $20,000.

In mid-January 2024, several Leaked[.]cx regulars began complaining that they hadn't seen King Bob in a while, and were really missing his grails. On or around Jan. 11, the same day the Justice Department unsealed the indictment against Urban, Leaked[.]cx started blocking people who were trying to visit the site from the United States.

Days later, frustrated Leaked[.]cx users speculated about what could be the cause of the blockage.

"Probs blocked as part of king bob investigation i think," wrote the user "Plsdontarrest." "Doubt he only hacked US artists, which is why it's happening in multiple countries."

On Sept. 21, 2022, KrebsOnSecurity told the story of "Foreshadow," the nickname chosen by a Florida teenager who was working for a SIM-swapping crew when he was abducted, beaten and held for a $200,000 ransom. A rival SIM-swapping group claimed that Foreshadow and his associates had robbed them of their fair share of the profits from a recent SIM-swap.

In a video released by his abductors on Telegram, a bloodied, battered Foreshadow was made to say they would kill him unless the ransom was paid.

As I wrote in that story, Foreshadow appears to have served as a "holder," a term used to describe a low-level member of any SIM-swapping group who agrees to carry out the riskiest and least rewarding role of the crime: physically keeping and managing the various mobile devices and SIM cards that are used in SIM-swapping scams.

KrebsOnSecurity has since learned that Foreshadow was a holder for a particularly active SIM-swapper who went by "Elijah," which was another nickname that prosecutors say Urban used.

Shortly after Foreshadow's hostage video began circulating on Telegram and Discord, multiple known actors in the SIM-swapping space told everyone in the channels to delete any previous messages with Foreshadow, claiming he was fully cooperating with the FBI.

This was not the first time Sosa and his crew were hit with violent attacks from rival SIM-swapping groups. In early 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban's parents in Sanford, Fl.

"Brickings" are among the "violence-as-a-service" offerings broadly available on many cybercrime channels. SIM-swapping and adjacent cybercrime channels are replete with job offers for in-person assignments and tasks that can be found if one searches for posts titled "If you live near" or "IRL job" (short for "in real life job").

A number of these classified ads are in service of performing brickings, where someone is hired to visit a specific address and toss a brick through the target's window. Other typical IRL job offers involve tire slashings and even drive-by shootings.

Sosa was known to be a top member of the broader cybercriminal community online known as "The Com," wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering: tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as "Star Fraud." Cyberscoop's AJ Vicens reported last year that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks.

"ALPHV, an established ransomware-as-a-service operation thought to be based in Russia and linked to attacks on dozens of entities, claimed responsibility for Caesars and MGM attacks in a note posted to its website earlier this month," Vicens wrote. "Experts had said the attacks were the work of a group tracked variously as UNC3944 or Scattered Spider, which has been described as an affiliate working with ALPHV made up of people in the United States and Britain who excel at social engineering."

In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

The SIM-swapping groups were able to switch targeted phone numbers to another device on demand because they constantly phished T-Mobile employees into giving up credentials to employee-only tools. In each of those cases, the goal was the same: phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user's text messages and phone calls to another device.

Allison Nixon, chief research officer at the New York cybersecurity consultancy Unit 221B, said the increasing brazenness of many Com members is a function of how long it has taken federal authorities to go after guys like Sosa.

"These incidents show what happens when it takes too long for cybercriminals to get arrested," Nixon said. "If governments fail to prioritize this source of threat, violence originating from the Internet will affect regular people."

The Daytona Beach News-Journal reports that Urban was arrested Jan. 9, and his trial is scheduled to begin in the trial term starting March 4 in Jacksonville. The publication said the judge overseeing Urban's case denied bail because the defendant was a strong flight risk.

At Urban's arraignment, it emerged that he had no fixed address and had been using an alias to stay at an Airbnb. The judge reportedly said that when a search warrant was executed at Urban's residence, the defendant was downloading programs to delete computer files.

What's more, the judge explained, despite telling authorities in May that he would not have any more contact with his co-conspirators and would not engage in cryptocurrency transactions, he did so anyway.

Urban entered a plea of not guilty. Urban's court-appointed attorney said her client would have no comment at this time.

Prosecutors charged Urban with eight counts of wire fraud, one count of conspiracy to commit wire fraud, and five counts of aggravated identity theft. According to the government, if convicted Urban faces up to 20 years in federal prison on each wire fraud charge. He also faces a minimum mandatory penalty of two years in prison for the aggravated identity offenses, which will run consecutive to any other prison sentence imposed.
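The 0ktapus tradecraft described above (a newly registered domain carrying the target company's name plus an authentication or HR lure word, pushed to employees by SMS) is something a defender can watch for in a certificate-transparency or WHOIS feed. The script below is an added example written for this page; it is not code from the article, from Group-IB, or from any of the companies named. The brand names, domains, registration dates and the list of lure words are all constructed for illustration, and the scoring weights are an assumption, not a published standard.

```python
"""Triage newly observed domains for brand-impersonation phishing infrastructure.

Added example (not from the article): given an organisation's brand names and a
feed of (domain, registration date) records, flag domains that combine the brand
with an authentication/HR lure word and a recent registration date, the pattern
the article attributes to 0ktapus. Everything below is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Lure words often embedded in credential-phishing hostnames (constructed list).
LURE_TOKENS = {"okta", "sso", "login", "signin", "vpn", "hr", "helpdesk", "schedule", "payroll"}


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registered: date


@dataclass(frozen=True)
class Finding:
    domain: str
    score: int
    reasons: tuple[str, ...]


def _stem(domain: str) -> str:
    """Everything before the last label. A plain rsplit is enough for this example;
    a production tool should strip the registrable suffix with a public-suffix list."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def _tokens(domain: str) -> list[str]:
    """Split the stem on dots, hyphens and other separators so 'hr' matches as a
    whole token and not inside words like 'three'."""
    return [t for t in re.split(r"[^a-z0-9]+", _stem(domain)) if t]


def score_domain(rec: DomainRecord, brands: list[str], today: date,
                 max_age_days: int = 30) -> tuple[int, tuple[str, ...]]:
    """Return (score, reasons). A brand match weighs two points; lure words add up to
    two more; registration within max_age_days adds one. Weights are an assumption."""
    stem = _stem(rec.domain)
    score, reasons = 0, []
    brand_hits = sorted(b.lower() for b in brands if b.lower() in stem)
    if brand_hits:
        score += 2
        reasons.append("brand:" + ",".join(brand_hits))
    lure_hits = sorted(LURE_TOKENS.intersection(_tokens(rec.domain)))
    if lure_hits:
        score += min(len(lure_hits), 2)
        reasons.append("lure:" + ",".join(lure_hits))
    age = (today - rec.registered).days
    if 0 <= age <= max_age_days:
        score += 1
        reasons.append(f"registered {age}d ago")
    return score, tuple(reasons)


def triage(records: list[DomainRecord], brands: list[str], allowlist: list[str],
           today: date, threshold: int = 3) -> list[Finding]:
    """Score every record, skip the organisation's own domains, and return the
    findings at or above the threshold, highest score first."""
    own = {d.lower() for d in allowlist}
    findings = []
    for rec in records:
        if rec.domain.lower() in own:
            continue
        s, why = score_domain(rec, brands, today)
        if s >= threshold:
            findings.append(Finding(rec.domain, s, why))
    return sorted(findings, key=lambda f: (-f.score, f.domain))


# Constructed sample feed: the company's real domain, two lookalikes in the
# 0ktapus style, one unrelated fresh registration and one old brand-bearing domain.
TODAY = date(2024, 1, 30)
SAMPLE_FEED = [
    DomainRecord("acme-corp.com", date(2009, 5, 1)),
    DomainRecord("acme-sso.com", TODAY - timedelta(days=3)),
    DomainRecord("acmecorp-schedule.net", TODAY - timedelta(days=2)),
    DomainRecord("weather-report.org", TODAY - timedelta(days=1)),
    DomainRecord("acme-archive.com", TODAY - timedelta(days=800)),
]
BRANDS = ["acme", "acmecorp"]          # hypothetical organisation
ALLOWLIST = ["acme-corp.com"]          # its own legitimate domain


def run_sample() -> list[Finding]:
    return triage(SAMPLE_FEED, BRANDS, ALLOWLIST, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.score}  {f.domain:24} {'; '.join(f.reasons)}")
```

Run stand-alone it reports only the two lookalikes (both score 4); the unrelated fresh domain and the old brand-bearing domain fall below the threshold. The point of combining three weak signals is that none is conclusive alone: brand-bearing domains are registered legitimately all the time, and a lure word by itself is just a word. Feeding the findings into a takedown request or a proxy blocklist, and pairing them with phishing-resistant MFA so a relayed one-time code is useless, is where this kind of triage earns its keep.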
This entry was posted on Tuesday, 30th of January 2024, 02:07 PM.
Thanks Krebs. Couldn't happen to a nicer guy.

Hitler had friends that loved him. What is it to be nice?

Wow, this happened in the 386? Was he living the life over on beach side?

386 is not near Orlando.

case number is 3:23-cr-00180

https://arstechnica.com/tech-policy/2024/01/sim-swapping-ring-stole-400m-in-crypto-from-a-us-company-officials-allege/

It's really pathetic how all of these white bread criminals are obsessed with rap music. Wannabe thugs. At least every once in a while one of them does the time.

yeah, and all the other humans too, myself included of course, fellow human.

It does not make sense that people employed in tech are supplying their credentials.

The phishing texts and sites are a ruse to cover the larger ops of the organized crime aspect of the big G, FB, Hyundai, etc., when the managers of the boiler room operations in Arizona (i.e., the contractors who supply customer service, tech support and sales to big G, FB, Hyundai) reward their insiders with opportunities to seize assets because of public perception that big G, FB, Hyundai are trustworthy and regulated. Not!

Always love the great research you do.
Disappointed in the lack of punishment given to people that take a lifetime of hard work's savings, leaving people destitute.
Which 100% encourages people to be criminals. So much to gain, so little to lose. It's wrong.
See, I worked 40 years, saved 14% of my earning to retire. While if I had been a criminal, stole money and set some aside, went to jail for 2-10 years and come out with more money than working 40 years, and have time to enjoy it... yeah, guess I'm the fool. Still won't be a scumbag thief.

What kind of thief one is depends on one's viewpoint and gross take. Once you get to the level of corporate CEO, as those testifying before the U.S. Congress today, your stealing is looked at differently. While stealing in the hundreds of thousands will get you "Big Bubba" as your cellie, stealing in the billions presents you as a leader in commerce. Now you are considered a respected businessman rather than a scumbag thief, and people try to emulate you. Why? It's the same idea as what John Harington said in the 17th century about treason.

I have never considered people like Zuckerberg, Gates, Biden, Broula anything other than greedy scumbags. Maybe on TV they kiss their butt, but not in my house.

I'll wait for the conviction and at least a twenty year sentence for this criminal and all other criminals involved. Since it is multiple crimes involved, then he should get a twenty year sentence for each crime and not be eligible for parole for twenty years. That leniency should only happen if he testifies against all others of all crews. Otherwise he should get max sentences for each crime that need to run consecutively, so that he spends 80 years in jail. Until real hard time is handed out to all high tech criminals, we will be inviting high risk. All companies who do not have solid security should be sued in class action law suits until people start taking security seriously.

Intuition is not equivalent to analysis. Please stop it.

We HAVE to get past SMS as a 2FA method. You can't trust some random underpaid employee not to send criminals your SIM card.

On another note, it's pretty sad that these gangs pay the device and SIM holder the least. Your operation is impossible without them and it's the most risky task. I guess I shouldn't be surprised that criminals act like scumbags amongst each other.

IronVest has a SIM-swapping solution, as well as YubiKeys.

Thanks for sharing this. Looks like a well rounded solution.

"We HAVE to get past SMS as a 2FA method"

And herein lies the problem. Governments need to start listening to Security Organisations and NOT C-Suite when implementing legislation. SMS/Email for 2FA are just another digital hurdle (some code or social engineering) for bad actors to bypass. Physical 2FA such as hardware keys increases security dramatically, but nobody is encouraged to implement it, consumers or corporations alike, for the sake of convenience and the dollar.
If you go to https://2fa.directory and see how many online entities still have ZERO 2FA implementations whatsoever, you'd be gobsmacked. The majority listed have some form of digital/software based 2FA as a requirement, but very few offer physical/hardware 2FA as an option.
In my region (not US or EU), for instance, take the Banking, Payments and Cryptocurrencies categories as an example. In each there are 14, 37 and 108 entities listed respectively, for a total of 159 entities. Of the 14 domestic Banks listed, NONE offer a hardware option and 5 offer NO 2FA at all. Of the 37 Payment services listed, just 3 offer a hardware option and 9 have NO 2FA at all. And lastly, of the 108 Cryptocurrency exchanges listed, only 10 offer hardware options, whilst only 3 have NO 2FA at all. THIS IS ABYSMAL.
C-Suite says it's all too hard or expensive to implement. That's not good enough. Their bottom line or bonuses should not factor into it; it should be compulsory. What about the cost to the community? Financially, cybercrime only cost my country 32 billion last financial year, but the World Economic Forum says the global cost of online criminal acts is expected to surge to 23.84 trillion by 2027, up from 8.44 trillion in 2022, according to data from Statista, the FBI and IMF.
These figures are staggering, and the fact that no one is forced to do anything about it is just beyond me.

Two reasons: Free market (put your money where you want to, even if it's stupid) and profiting from criminal activity by big companies and government. Yeah, if it wasn't for organized crime, the FBI/facebook/bitcoin banks wouldn't be nearly as powerful and underhanded as they are now. The more crime, the more powerful they become, so it's in their interest as a dept. to keep crime rates up (job security). Add in any 3 letter agency or IT power house (MS) into that. But that's just my opinion at this moment.

My bank only allows for text based 2FA. Won't even let me use my Yubico key. Drives me crazy.

Same. I have online bank accounts but they are never used, as I have a branch 10 minutes away if it is really important (i.e., documents etc.) and they know who I am. Online I use Paypal as a financial intermediary, because the only way to access that is with a hardware key.
If I'm traveling, particularly overseas, I will use Privacy.com's virtual credit cards. Book in to a hotel with a newly created virtual card. Check out and destroy card. Simple. Any unwanted after charges/fraud go straight down the rabbit hole. Good for those pesky hard to cancel trial/subscription services.

A court-appointed attorney? He was charged with stealing $800,000 in the last seven months.
Did the feds freeze his assets, preventing him from hiring his own defense counsel? I hate it when they do that.

Great article. I still can not believe SIM swapping is happening and that these kids that do it call themselves hackers. Compared to the programmers that write malware or Pegasus, they are a joke and have no skills except patience in finding a dumb employee, which must not take long.
And the DevOps employee at LastPass, one of only 4 people to have access to the vault, running 2 year old Plex software at home? What a joke.
Also never knew people paid big money for unreleased rap tracks, which 95% must be horrible demos that were never even mixed or mastered. Was pretty interesting.

Noah Michael Urban is NOT a member of Scattered Spider. This connection is completely artificial, unless Russians decided to show such attribution. Hello Sberbank, Vlad is happy.

Curious why, after so many high-profile SIM swap success stories, is it still so seemingly easy to SIM swap?

If you're saying it should be more difficult overall, absolutely. And less useful.

Because the telcos do not lose money from it; they merely replace the one who got phished with another and carry on. Till they also are named as a defendant and have some large fines imposed on them per swap, big enough to appear in an annual statement per case, they will not care at all.

An even more important question is why most banks still don't offer Passkeys, YubiKeys or authenticator apps as a much more secure type of 2FA than SMS-based 2FA.

I agree, yet if they just sold Crack a couple of times they would be incarcerated to the point of being institutionalized. 100 million stolen, 30 months? Sign me up. Rather lose 30 months than an entire life just to retire then die making a tenth of that.

Where can I find his indictment? Would love to read up on it.

In light of the recent arrest and charges against Noah Michael Urban for his alleged involvement in SIM-swapping and cyber intrusions, what steps do you believe law enforcement and cybersecurity experts should prioritize to address the growing threats posed by sophisticated hacking groups like Oktapus and Scattered Spider? Additionally, how can authorities effectively collaborate with technology companies and online platforms to prevent and mitigate such cybercrimes in the future?