Feds smash international cybercrime ring with Power of Facebook

Ad-men and G-men form potent globo force


The FBI have said that with the help of Facebook, they've taken down an international crime gang who went on an $850m botnet spree.

The ten suspects are allegedly responsible for multiple variants of the Yahos malware, which is linked to more than 11 million computer takeovers and over $850m in losses using the Butterfly botnet, which steals credit card and bank account details along with other personal data.

The feds said they'd nabbed folks from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the UK and the US after an investigation that was aided by Facebook's security team.

Yahos targeted Facebook users between 2010 and October 2012, according to the Feds, and the social network's security systems detected the affected accounts and gave out tools to remove the threats.

The creator of the Butterfly botnet was already caught and one of that botnet's customers was the now arrested group of crooks behind the infamous Mariposa botnet. Luis Corrons Granel, a researcher at Panda Security, suggested to The Reg that it's possible that those arrests led to the cybercriminals behind Yahos.

Granel said he hadn't heard of Yahos before, but it was likely that the Butterfly botnet was being used to distribute the malware. ®

Narrower topics


Other stories you might like

  • Meta mostly fails in appeal against order from UK watchdog to sell Giphy
    Might have been a good idea to mention that Snap was sniffing around GIF biz, too, judges note, though

    Judges in the UK have dismissed the majority of an appeal made by Facebook parent Meta to overturn a watchdog's decision to order the social media giant to sell Giphy for antitrust reasons.

    Facebook acquired GIF-sharing biz Giphy in May 2020. But Blighty's Competition Markets Authority (CMA) wasn't happy with the $400 million deal, arguing it gave Mark Zuckerberg's empire way too much control over the distribution of a lot of GIFs. After the CMA launched an official probe investigating the acquisition last June, it ordered Meta to sell Giphy to prevent Facebook from potentially monopolizing access to the animated images. 

    Meta appealed the decision to the Competition Appeal Tribunal (CAT), arguing six grounds. All but one of them – known as Ground 4 – were dismissed by the tribunal's judges this week. And even then only one part of Ground 4 was upheld: the second element.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Consultant plays Metaverse MythBuster. Here's why they're wrong
    Holograms, brands, NFTs, and a 1,000-consumer survey

    Opinion Consulting giant McKinsey & Company has been playing a round of MythBusters: Metaverse Edition.

    Though its origins lie in the 1992 sci-fi novel Snow Crash, the metaverse has been heavily talked about in business circles as if it's a real thing over the last year or so, peaking with Facebook's Earth-shattering rebrand to Meta in October 2021.

    The metaverse, in all but name, is already here and has been for some time in the realm of online video games. However, Meta CEO Mark Zuckerberg's vision of it is not.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading

Biting the hand that feeds IT © 1998–2022