November 25, 2019

OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud

By Lisa Vaas

A Florida lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that started in Bulgaria but spread like a money-sucking fungus around the world.

Mark Scott, 51, a former equity partner at the law firm Locke Lord LLP, was convicted in Manhattan Federal Court on Thursday for laundering about $400 million from the massive international OneCoin fraud.

It’s not just an alleged mega-fraud; it’s also led to mega-busts, and its founder – The Missing Cryptoqueen, who talked millions of people into her scheme – has blinked out of sight. Bulgarian Ruja Ignatova was last spotted around October 2017: around the time that the US filed a secret warrant for her arrest. Her brother, Konstantin Ignatov, took over the reins, was arrested at Los Angeles International Airport in March 2019, signed a plea deal, and is facing up to 90 years in jail (though maximum sentences are rarely handed out).

Pop some corn and pull up a chair: you can tune in to the true crime saga from the BBC here as reporter Jamie Bartlett presents “a story of greed, deceit and herd madness.”

As far as the other OneCoin shysters go, most of them have been arrested or, like Ignatova, disappeared. A slew of OneCoin reps were pitching their scam – what they called “the next Bitcoin” – in a Mumbai exurb in April 2017 when financial cops busted in, raided the meeting, and jailed 18 of them, ultimately seizing more than $2 million in investor funds. As The Atlantic tells it, they’d already moved at least $350m in allegedly scammed funds through a German payment processor.

Read more at https://nakedsecurity.sophos.com/2019/11/25/onecoin-crypto-scam-lawyer-found-guilty-of-worldwide-400m-fraud/

Ad-blocking companies block ‘unblockable’ tracker

By Danny Bradbury

Ad-blocking companies have figured out a way to block the unblockable – a pernicious tracker technique that hides advertising networks from your browser in plain sight.

Whenever your browser visits a website supporting third-party advertisers, the site shows it tracking pixels or IFRAME tags that cause it to make extra requests. These requests go to ad companies that use various techniques to identify your browser and track it across multiple sites.

Ad-blocking companies are in a constant battle with the advertisers to block these trackers.

The latest weapon in this fight exploits a long-established web concept called a CNAME record. CNAME stands for Canonical Name. It’s an alias that the owner of a domain (say, example.com) can use to point a subdomain (like innocent.example.com) somewhere else. You could set the CNAME for innocent.example.com to resolve to an entirely different domain, like dedicated-tracker.eviladcompany.com. When your browser reaches out to innocent.example.com, it’ll send a query to the name server, which will follow the alias and look up the second domain instead.

That’s a problem for people that don’t want advertisers to track them. Ad-blocking software tends to trust cookies sent by the same domain that you’re visiting. If innocent.example.com sends you a cookie, it could contain session information that helps the site remember who you are. Blocking it would break the site’s functionality.

So, companies that use CNAMEs to hide third-party trackers behind their own domains can fool ad blockers into waving through cookies from their advertising friends.
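One way a blocker can see through the alias described above, as an added example that is not code from the article or from any ad blocker: follow the CNAME chain and match the canonical name, rather than the name in the page, against the blocklist. The DNS records, blocklist and function names are constructed for illustration, and the registrable domain is approximated as the last two labels.

```javascript
// Constructed DNS data for illustration; a real blocker would ask a resolver.
const CNAME_RECORDS = new Map([
  ["innocent.example.com", "dedicated-tracker.eviladcompany.com"],
  ["cdn.example.com", "edge.example.com"],
  ["loop-a.example.com", "loop-b.example.com"],
  ["loop-b.example.com", "loop-a.example.com"],
]);
// Constructed blocklist of third-party tracker domains.
const BLOCKLIST = new Set(["eviladcompany.com"]);

const normalize = (host) => host.toLowerCase().replace(/\.$/, "");

// Assumption: registrable domain = last two labels. Production code needs the
// Public Suffix List to handle names such as example.co.uk.
function registrableDomain(host) {
  return normalize(host).split(".").slice(-2).join(".");
}

// Follow the alias chain to its canonical name; null on a loop or overlong chain.
function resolveCanonical(host, records = CNAME_RECORDS, maxHops = 8) {
  const seen = new Set();
  let name = normalize(host);
  while (records.has(name)) {
    if (seen.has(name) || seen.size >= maxHops) return null;
    seen.add(name);
    name = normalize(records.get(name));
  }
  return name;
}

// Decide on the canonical name, not on the name that appears in the page.
function classifyRequest(pageHost, requestHost) {
  const canonical = resolveCanonical(requestHost);
  if (canonical === null) {
    return { verdict: "block", reason: "alias loop or overlong chain", canonical };
  }
  const site = registrableDomain(pageHost);
  const cloaked = registrableDomain(requestHost) === site &&
                  registrableDomain(canonical) !== site;
  const listed = BLOCKLIST.has(registrableDomain(canonical)) ||
                 BLOCKLIST.has(registrableDomain(requestHost));
  if (listed) {
    return { verdict: "block", reason: cloaked ? "cname-cloaked tracker" : "listed tracker", canonical };
  }
  return { verdict: "allow", reason: cloaked ? "alias to unlisted third party" : "no tracker match", canonical };
}
```

A same-site alias such as cdn.example.com is still allowed, so first-party session cookies keep working while the cloaked third party is caught.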

Read more at https://nakedsecurity.sophos.com/2019/11/25/ad-blocking-companies-block-unblockable-tracker/

Russia to ban sale of devices that don’t come with “Russian software”

By John E Dunn

The Russian Government’s campaign to control how its citizens use the internet seems to be gathering steam.

Earlier this month, the country passed a controversial new ‘sovereign internet’ law that requires the country’s ISPs to set up deep packet inspection of all internet traffic and ready themselves for the imposition of a separate Domain Name System (DNS) under Government control.

Last week the country’s Parliament passed what might turn out to be an even more significant order – from July 2020 all computing devices sold in Russia will be required to come pre-loaded with what is loosely described as “Russian software”.

According to the BBC, bill co-author and MP Oleg Nikolaev explained that:

[People] might think that there are no domestic alternatives available. And if, alongside pre-installed applications, we will also offer the Russian ones to users, then they will have a right to choose.

…and it will also “provide domestic companies with legal mechanisms to promote their programs for Russian users”, according to a translation of the press release.

The law covers all devices including mobiles, desktop and laptop computers and smart TVs which today ship with Russian language versions of the same apps used elsewhere in the world.

According to sources, in future these applications will be joined by mysterious new Russian Government-approved applications. These will probably include a browser, a search engine, a messaging app, and possibly others which have yet to be specified.

Read more at https://nakedsecurity.sophos.com/2019/11/25/russian-bans-sale-of-devices-that-dont-come-with-russian-software/

Hacker gets 4 years in jail for NeverQuest banking malware

By Lisa Vaas

A Russian hacker has been sentenced to four years in US prison for using the NeverQuest banking Trojan to infect the computers of unwitting victims, steal their login information for online banking accounts, and use it to wipe out their accounts.

The US Attorney’s Office for the Southern District of New York announced the sentencing of Stanislav Vitaliyevich Lisov on Thursday.

According to the Justice Department (DOJ), NeverQuest has been used by cybermuggers to try to weasel millions of dollars out of victims’ bank accounts.

Nasty and complex

It’s a nasty piece of work. Researchers have determined that NeverQuest’s origins lie in an evolving threat family called Vawtrak, also known as Snifula, Catch or Grabnew.

Once NeverQuest slips onto a victim’s computer, it wakes up when the system logs onto an online banking website. Then, it transfers the victim’s login credentials, including their username and password, back to a command and control server. That lets the malware’s administrators remotely control a victim’s computer and log into their financial accounts, transfer money to accounts that the crooks control, change the login credentials, write online checks, and purchase goodies from online vendors at their victims’ expense.

Read more at https://nakedsecurity.sophos.com/2019/11/25/russian-hacker-gets-4-years-in-jail-for-neverquest-banking-malware/

Iran’s APT33 sharpens focus on industrial control systems

By Danny Bradbury

Iran’s elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country’s APT33 cyberattack unit is evolving from simply scrubbing data on its victims’ networks and now wants to take over its targets’ physical infrastructure by manipulating industrial control systems (ICS), say reports.

APT33, also known by the names Holmium, Refined Kitten, or Elfin, has focused heavily on destroying its victims’ data in the past. Now though, the group has changed tack according to Ned Moran, principal program manager at Microsoft, who spoke at the CYBERWARCON conference in Arlington, Virginia on Thursday. Moran, who is also a fellow with the University of Toronto’s Citizen Lab focusing on security and information technologies, focuses on identifying and disrupting state-sponsored attackers in the Middle East.

The APT33 group is closely associated with Shamoon malware that wipes data from its targets’ systems. Experts have also warned of other tools in the group’s arsenal, including a data destruction tool called StoneDrill and a piece of backdoor software called TURNEDUP.

Moran said that APT33 used to use ‘password spraying’ attacks, in which it would try a few common passwords on accounts across lots of organizations. More recently, though, it has refined its efforts, ‘sharpening the spear’ by attacking ten times as many accounts per organization while shrinking the number of organizations it targets. It has also focused heavily on ICS manufacturers, suppliers and maintainers, Moran said.

Read more at https://nakedsecurity.sophos.com/2019/11/22/irans-apt33-sharpens-focus-on-industrial-control-systems/
