Evil Corp Release New Macaw Locker Ransomware To Evade US Sanctions Again

Evil Corp has launched a new ransomware strain called Macaw Locker in an attempt to evade US sanctions that have, in the past, prevented victims from paying its ransoms. Evil Corp, which has operated under a number of monikers such as Indrik Spider and the Dridex gang, is a veteran of the cybercrime world. It has been active since 2007, originally as an affiliate of other cybercrime outfits.

As time passed, Evil Corp shifted to running their own attacks with their own malware. At their peak, their signature strain was the Dridex banking trojan, delivered through phishing attacks.

As ransomware took over the cybercrime scene as the most profitable attack vehicle, Evil Corp launched BitPaymer, delivered via the Dridex malware already present on compromised corporate networks.

The gang’s success and notoriety led to them being sanctioned by the US government in 2019.

Due to these sanctions, ransomware negotiation firms will no longer facilitate ransom payments for operations attributed to Evil Corp.

To bypass these restrictions, Evil Corp created a series of short-lived ransomware strains and operations under names like WastedLocker, Hades, Phoenix Locker, and PayloadBin.


Macaw Locker Ransomware Analysis

Last week, SaferNet reported that Olympus and Sinclair Broadcast Group had their operations disrupted by ransomware attacks.

For Sinclair, this meant several broadcasts had to be canceled, old shows were rerun, and newscasters had to report their stories with whiteboards and paper.

At the time it was unknown which strain caused these attacks, with most sources pointing to BlackMatter ransomware. However, it is now understood that the strain was Evil Corp’s new Macaw Locker ransomware.

Emsisoft CTO Fabian Wosar explained in a conversation with BleepingComputer that he made the attribution based on a code analysis of Macaw Locker against other strains in Evil Corp’s ransomware family.

It is currently believed that Sinclair and Olympus are the only victims of Macaw Locker Ransomware thus far.

Sources also shared the private Macaw Locker Ransomware victim pages for two attacks, where the threat actors demand a 450 bitcoin ransom, or $28 million, for one attack and $40 million for the other victim.

It is unknown what company is associated with each ransom demand.

When conducting attacks, Macaw Locker encrypts victims’ files and appends the .macaw extension to each file name.

While encrypting files, the ransomware also drops a ransom note named macaw_recover.txt in each folder. For each attack, the ransom note contains a link to a unique victim negotiation page on the Macaw Locker Tor site and an associated decryption ID, or campaign ID, as shown below.

The gang’s dark web negotiation site contains a brief introduction to what happened to the victim, a tool to decrypt three files for free, and a chatbox to negotiate with the attackers.
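The two file-system artifacts described above, the .macaw extension and the macaw_recover.txt note, are enough for a first incident-response triage of a share. The Python below is an added example, not code from the original post and not Evil Corp’s malware: it walks a directory tree, counts encrypted files, lists the folders that received a note, and reports the earliest note timestamp as a rough marker of when the encryptor began writing. The directory tree it builds is constructed for the demo; no real victim data is involved.

```python
"""Incident-response sweep for Macaw Locker artifacts.

Added example, not code from the original post or from Evil Corp. The two
indicators (the .macaw extension and the macaw_recover.txt note) come from
the post; the directory tree built below is constructed for the demo.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

ENCRYPTED_EXT = ".macaw"
RANSOM_NOTE = "macaw_recover.txt"


@dataclass
class SweepResult:
    encrypted_files: List[str] = field(default_factory=list)
    note_dirs: List[str] = field(default_factory=list)
    # Rough marker of when the encryptor began writing (note mtime, epoch seconds).
    earliest_note_mtime: Optional[float] = None

    @property
    def hit(self) -> bool:
        return bool(self.encrypted_files or self.note_dirs)


def sweep(root: str) -> SweepResult:
    """Walk root, collecting encrypted files and every directory that received a note."""
    result = SweepResult()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            elif lowered == RANSOM_NOTE:
                result.note_dirs.append(dirpath)
                mtime = os.stat(path).st_mtime
                if result.earliest_note_mtime is None or mtime < result.earliest_note_mtime:
                    result.earliest_note_mtime = mtime
    return result


def build_sample_tree() -> str:
    """Constructed sample: a small share where two folders were hit and one was not."""
    root = tempfile.mkdtemp(prefix="macaw_demo_")
    layout = {
        "finance": ["q3.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT, RANSOM_NOTE],
        os.path.join("finance", "archive"): ["2019.zip" + ENCRYPTED_EXT, RANSOM_NOTE],
        "hr": ["handbook.pdf"],  # untouched folder: no note, nothing renamed
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
                fh.write("placeholder\n")
    return root


def report(result: SweepResult) -> str:
    """Human-readable summary for the IR ticket."""
    lines = [
        f"encrypted files: {len(result.encrypted_files)}",
        f"directories with ransom note: {len(result.note_dirs)}",
    ]
    if result.earliest_note_mtime is not None:
        lines.append(f"earliest note written at (epoch): {result.earliest_note_mtime:.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sweep(build_sample_tree())))
```

Run it against a mounted share instead of the sample tree to get the scope of encryption (which folders, how many files) before anyone touches the negotiation page; the note timestamps are only a hint, since the encryptor controls them.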

Now that Macaw Locker Ransomware has been exposed as an Evil Corp variant, we will likely see the threat actors rebrand their ransomware again.

As stated by researchers at BleepingComputer, “This constant cat-and-mouse game will likely never end until Evil Corp stops performing ransomware attacks or sanctions are lifted.”

Both of these events are unlikely.


Protection

Ransomware is a crowded scene, with new threats rising and falling almost every day. It is important that business owners and families have the best tools for the job when it comes to protecting their devices. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Millions of Smartphone Users Scammed In UltimaSMS Scam

Hackers are using malicious Android apps, dubbed UltimaSMS, to trick users into signing up for a fraudulent premium SMS subscription service, which then charges hefty sums to their phone bills.

Jakub Vavra from Avast, who was one of the first to research the campaign, dubbed the apps UltimaSMS because the first app he discovered using this tactic was called Ultima Keyboard Pro.

“The fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others,” Vavra wrote in a blog post Monday.

The UltimaSMS campaign, which started in May, consists of roughly 151 apps that have at one point in their lifetime been on the Google Play Store. Collectively, the apps have been downloaded 10.5 million times.

Google has removed flagged apps from the store, but it is likely there are many more hidden within, Vavra noted. Google has had a storied history with malicious apps making their way onto the Play Store for months at a time.

All of the UltimaSMS offerings are “essentially copies of the same fake app used to spread the premium SMS scam campaign,” Vavra explained, which he said likely indicates that one bad actor or group is behind the entire campaign.

Vavra observed that the apps advertised seem legitimate, but upon closer inspection, there is something more suspicious. For instance, they tend to include generic privacy policy statements and feature basic developer profiles including generic email addresses, as well as numerous negative reviews that identify them as fraudulent.

Citing insights from mobile marketing intelligence firm Sensor Tower, he said the campaign appears to be global, ensnaring users from more than 80 countries.

“The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the U.S. and Poland,” Vavra explained.

The hackers behind UltimaSMS are spreading their campaign with “numerous catchy video advertisements” posted on advertising channels of social-media sites like Facebook, Instagram and TikTok, Vavra explained.

If an Android user falls for the trick and installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam, according to the post.

“Once the user opens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number, and in some cases email address, to gain access to the app’s advertised purpose,” Vavra wrote.

Once the user enters the details, the app subscribes him or her to a premium SMS service that sends texts to a premium-rate short code, and each text results in a charge to the user. These charges can total upwards of $40 per month depending on the country and mobile carrier.

And, instead of unlocking the apps’ advertised features, the apps will either display further SMS subscriptions options or stop working altogether, he explained.

“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions,” Vavra wrote.

Vavra points out that some of the apps actually describe their intention in the fine print, though many don’t, “meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps,” he explained.

The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Vavra. Sometimes carriers will alert users of the excessive charges, but they also may go unnoticed for weeks or months, Vavra wrote.


New Phishing Campaign Abuses Stolen Amazon SES Tokens

An ongoing phishing and spearphishing campaign is currently taking place, aiming to steal Office 365 credentials. The phishing emails appear as if they come from major brands, including Kaspersky.

According to a Kaspersky post from Monday, two phishing kits identified as “Iamtheboss” and “MIRCBOOT” are being used together by multiple threat actors to send fake fax notifications.

“The phishing e-mails are usually arriving in the form of ‘fax notifications’ and lure users to fake websites collecting credentials for Microsoft online services,” according to the post.

One phishing campaign tracked by cybersecurity researchers abuses an Amazon service called Amazon Simple Email Service (SES). SES is designed to let developers deliver email from apps. The campaign relies on a stolen SES token used by a third-party contractor during the testing of the website 2050.earth.

The 2050.earth site is a Kaspersky project that features an interactive map illustrating what futurologists predict to be the future impact of technology on the planet. The stolen SES token is tied to Kaspersky and SES because the 2050.earth site is hosted on the Amazon infrastructure.

“These emails have various sender addresses, including but not limited to [email protected]. They are sent from multiple websites including Amazon Web Services infrastructure,” the security bulletin warned. The company said the stolen SES token was only abused in a limited capacity relative to an otherwise large-scale campaign abusing multiple brands.

It’s unclear what other brands, and how many, are impacted by the ongoing campaigns. It is believed that other, non-Kaspersky SES tokens are involved.

The company said the SES token was immediately revoked when it was identified as being stolen and abused.

The theft caused no damage, according to the advisory. “No server compromise, unauthorized database access or any other malicious activity was found at 2050.earth and associated services,” it said.

Office 365 credentials are a very common target for phishing attacks. In March, a phishing scam targeted executives in the insurance and financial sectors in an attempt to harvest Office 365 credentials to launch business email compromise (BEC) attacks.

Hackers abusing SES tokens are trying to give their emails a sense of legitimacy, by identifying themselves as coming from trusted companies.
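Spotting this kind of abuse is a CloudTrail question: every SES API call is logged with the access key that made it, the caller’s IP address and the request parameters, so a test-only token that starts sending “fax notifications” from an unfamiliar network stands out. The Python below is an added example, not Kaspersky’s or Amazon’s code. It assumes the documented CloudTrail record layout for SES calls (eventSource ses.amazonaws.com, eventName SendEmail/SendRawEmail, userIdentity.accessKeyId, sourceIPAddress, eventTime) and a simplified requestParameters.source field carrying the From address. The allowlists, the access key ID (AWS’s documented placeholder) and all sample records are constructed for the example.

```python
"""Hunt CloudTrail for an SES sending credential that has gone rogue.

Added example, not Kaspersky's or Amazon's code. Assumes the documented
CloudTrail record layout for SES calls (eventSource, eventName,
userIdentity.accessKeyId, sourceIPAddress, eventTime) and a simplified
requestParameters.source field carrying the From address. Allowlists,
the access key ID (AWS's documented placeholder) and all records below
are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SES_SEND_EVENTS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail"}
# Where the contractor's test traffic is allowed to come from (assumed range).
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# From addresses the project's token is permitted to use (assumed).
APPROVED_SENDERS = {"noreply@example.org"}
# More than BURST_LIMIT sends inside BURST_WINDOW is not test traffic.
BURST_LIMIT, BURST_WINDOW = 3, timedelta(seconds=60)


def _record(ts, ip, key, sender, recipient):
    """Minimal CloudTrail-shaped record (constructed)."""
    return {
        "eventTime": ts,
        "eventSource": "ses.amazonaws.com",
        "eventName": "SendEmail",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "requestParameters": {"source": sender, "destination": {"toAddresses": [recipient]}},
    }


KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented placeholder key ID
SAMPLE_EVENTS = [
    # Legitimate: two test sends from the contractor's range with the approved From address.
    _record("2021-10-18T09:00:01Z", "203.0.113.10", KEY, "noreply@example.org", "qa@example.org"),
    _record("2021-10-18T09:00:05Z", "203.0.113.10", KEY, "noreply@example.org", "qa@example.org"),
    # Abuse: same key, unfamiliar network, "fax notification" From address, rapid fire.
    _record("2021-10-25T14:12:00Z", "198.51.100.77", KEY, "fax-notice@example.org", "cfo@victim.example"),
    _record("2021-10-25T14:12:05Z", "198.51.100.77", KEY, "fax-notice@example.org", "ap@victim.example"),
    _record("2021-10-25T14:12:09Z", "198.51.100.77", KEY, "fax-notice@example.org", "hr@victim.example"),
    _record("2021-10-25T14:12:30Z", "198.51.100.77", KEY, "fax-notice@example.org", "it@victim.example"),
]


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hunt(events, allowed_nets=ALLOWED_SOURCE_NETS, approved_senders=APPROVED_SENDERS) -> Dict[str, List[str]]:
    """Return {accessKeyId: sorted distinct reasons} for keys showing signs of abuse."""
    reasons = defaultdict(set)
    send_times = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com" or ev.get("eventName") not in SES_SEND_EVENTS:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "<unknown>")
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            ip = None  # CloudTrail puts a service DNS name here for calls made on a user's behalf
        if ip is not None and not any(ip in net for net in allowed_nets):
            reasons[key].add("send from unexpected network")
        sender = ev.get("requestParameters", {}).get("source", "")
        if sender not in approved_senders:
            reasons[key].add("unapproved From address")
        send_times[key].append(_parse_time(ev["eventTime"]))
    for key, times in send_times.items():
        times.sort()
        # Sliding window: BURST_LIMIT + 1 sends whose first and last fall inside BURST_WINDOW.
        for i in range(BURST_LIMIT, len(times)):
            if times[i] - times[i - BURST_LIMIT] <= BURST_WINDOW:
                reasons[key].add("send burst")
                break
    return {key: sorted(r) for key, r in reasons.items()}


def keys_to_revoke(findings: Dict[str, List[str]]) -> List[str]:
    """Every key with any finding is revoked first and investigated second."""
    return sorted(findings)


if __name__ == "__main__":
    for key, why in hunt(SAMPLE_EVENTS).items():
        print(key, "->", ", ".join(why))
```

Any key the hunt returns should be handled the way Kaspersky handled theirs: revoke it first (for an IAM user key, aws iam delete-access-key --access-key-id ... --user-name ...) and only then work out how far the abuse went. Scoping the key up front with an IAM condition on the permitted From address and recipients would have limited what a stolen test token could do at all.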

Analysis showed that the phishing campaigns are relying on a phishing kit that Kaspersky researchers have named “Iamtheboss,” used in conjunction with another phishing kit known as “MIRCBOOT.”

The MIRCBOOT phishing kit was previously used in a large-scale phishing-as-a-service (PhaaS) campaign called BulletProofLink, which Microsoft previously discovered.

BulletProofLink provides phishing kits, email templates, hosting, and other tools that let customers customize campaigns and develop their own phishing lures, so that an operator can launch attacks without building any of that infrastructure themselves.


SquirrelWaffle Malware Loader Causes Storm In Office365 Spam

SquirrelWaffle, a new malware loader, is firing out malware-laden Microsoft Office documents to deliver Qakbot malware and the penetration-testing tool Cobalt Strike. Cisco Talos researchers said in a post last week they learned of the campaign in mid-September, when they spotted SquirrelWaffle in the initial stage of the infection chain.

The SquirrelWaffle campaign uses stolen email threads so that its messages appear as replies within those threads, a tactic identical to how Emotet malware spreads.

“The campaigns themselves feature several similar characteristics to the campaigns previously seen associated with established threats like Emotet,” Cisco Talos researchers explained.

“Due to the prevalence of these campaigns, organizations should be aware of SQUIRRELWAFFLE and the way it could be used by attackers to further compromise corporate networks,” they advised.

The SquirrelWaffle emails contain hyperlinks to malicious ZIP archives hosting the infected files on hacker-controlled web servers.

Most of the messages – 76 percent – are written in English. But the language used in the reply message shifts to match what was used in the original email thread, “demonstrating that there is some localization taking place dynamically,” Cisco Talos said. Besides English, the top five languages being used also include French, German, Dutch and Polish.

SquirrelWaffle isn’t quite as prolific as Emotet, at least not yet. However, the campaign has been growing steadily, as seen in the graph from Cisco Talos below.

“While the volume associated with these campaigns is not yet reaching the same level seen previously with threats like Emotet, it appears to be fairly consistent and may increase over time as the adversaries infect more users and increase the size of their botnet,” Cisco Talos predicted.

Researchers noted that the malicious documents were crafted using some kind of automated builder. For example, in the recent campaigns, “the Microsoft Excel spreadsheets were crafted to make static analysis with tools like XLMDeobfuscator less effective,” they said.

The earliest files were submitted to public malware repositories on Sept. 10. Three days later, the campaign volume began to ramp up and “has been characterized by daily spam runs observed since then,” according to the writeup.

There are more signs that automation plays a part in the campaign.

“The URL structure of the SQUIRRELWAFFLE distribution servers appears somewhat tied to the daily campaigns, and rotates every few days,” according to the analysis.

Cisco Talos gave the example of the table, shown below, which depicts variance in the URL landing pages seen over a period of several days.


“This rotation is also reflected in the maldoc macros themselves, with the macro function names and hashes rotating at the same time,” the researchers added.

When a target falls for one of the emails and follows through on the link, they may download one of the loaded Office files – which have been split between Word and Excel files.

After opening whichever they receive, the SquirrelWaffle payload will be deployed.

In all of the SquirrelWaffle campaigns seen so far, the rigged links used to host the ZIP archives contain Latin words and follow a URL structure similar to this one:

abogados-en-medellin[.]com/odit-error/assumenda[.]zip

But in many cases, the campaign includes separate ZIP archives being hosted in different directories on the same domain. Inside of the ZIP archives, the malicious Office files often follow a naming convention similar to these examples:

  • chart-1187900052.xls
  • diagram-127.doc
  • diagram_1017101088.xls
  • Specification-1001661454.xls
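The URL shape and the document naming convention above are stable enough to turn into a mail-gateway triage rule. The Python below is an added example, not Cisco Talos code: it refangs defanged URLs found in constructed gateway log lines, matches the two-segment, all-alphabetic path ending in .zip, adds a second signal when the path words come from the lorem-ipsum vocabulary (an assumption of this example; the report says only that the words are Latin), and separately checks extracted attachment names against the chart/diagram/Specification plus numeric-ID pattern. Only the first URL and the four file names come from the report; the log lines, the benign URLs and the second directory on the lure domain are constructed.

```python
"""Mail-gateway triage for SquirrelWaffle-style lures.

Added example, not Cisco Talos code. Only the first URL and the four file
names come from the report; the log lines, the benign URLs and the second
directory on the lure domain are constructed. Treating lorem-ipsum
vocabulary as the "Latin words" is an assumption of this example.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Standard lorem-ipsum vocabulary (assumption: the report says only "Latin words").
LOREM_WORDS = {
    "lorem", "ipsum", "dolor", "sit", "amet", "consectetur", "adipiscing", "elit",
    "odit", "error", "assumenda", "voluptatem", "quia", "nemo", "enim", "ipsam",
    "aut", "fugit", "sed", "magni", "dolores", "eos", "ratione", "sequi", "nesciunt",
    "neque", "porro", "quisquam", "velit", "aspernatur", "omnis", "iste", "natus",
    "sunt", "explicabo", "accusantium", "doloremque", "laudantium", "totam", "rem",
    "aperiam", "eaque", "illo", "inventore", "veritatis", "quasi", "architecto",
    "beatae", "vitae", "dicta", "nihil", "molestiae", "illum", "rerum", "facilis",
}
# /<alpha-dashed>/<alpha-dashed>.zip : the distribution-URL shape from the report.
ZIP_PATH_RE = re.compile(r"^/(?P<dir>[a-z]+(?:-[a-z]+)*)/(?P<file>[a-z]+(?:-[a-z]+)*)\.zip$")
# chart-1187900052.xls, diagram-127.doc, diagram_1017101088.xls, Specification-1001661454.xls
DOC_NAME_RE = re.compile(r"^(?:chart|diagram|specification)[-_]\d+\.(?:xls|doc)$", re.IGNORECASE)
URL_FIELD_RE = re.compile(r"\burl=(\S+)")

SAMPLE_GATEWAY_LOG = [  # constructed log lines
    '2021-10-20 08:14:02 to=alice@corp.example subject="RE: invoice" url=hxxp://abogados-en-medellin[.]com/odit-error/assumenda[.]zip',
    '2021-10-20 08:16:40 to=bob@corp.example subject="RE: contract" url=hxxp://abogados-en-medellin[.]com/voluptatem-quia/nemo[.]zip',
    '2021-10-20 08:20:11 to=carol@corp.example subject="brochure" url=https://docs.example.com/assets/brochure.zip',
    '2021-10-20 08:22:53 to=dave@corp.example subject="tool update" url=https://updates.example.com/releases/tool-2.1.zip',
    '2021-10-20 08:25:00 to=erin@corp.example subject="lunch?"',
]


def refang(url: str) -> str:
    """Undo the usual defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def url_signals(url: str) -> List[str]:
    """Signals that a URL matches the SquirrelWaffle distribution shape."""
    path = urlparse(refang(url)).path
    m = ZIP_PATH_RE.match(path)
    if not m:
        return []
    signals = ["zip under a two-segment all-alphabetic path"]
    words = set(m["dir"].split("-")) | set(m["file"].split("-"))
    if words & LOREM_WORDS:
        signals.append("lorem-ipsum words in path")
    return signals


def is_lure_document(filename: str) -> bool:
    """Office file name matching the builder's chart/diagram/Specification + numeric-ID scheme."""
    return DOC_NAME_RE.match(filename) is not None


def triage(log_lines: List[str], min_signals: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (url, signals) for log lines whose URL shows at least min_signals signals."""
    hits = []
    for line in log_lines:
        m = URL_FIELD_RE.search(line)
        if not m:
            continue
        signals = url_signals(m.group(1))
        if len(signals) >= min_signals:
            hits.append((m.group(1), signals))
    return hits


if __name__ == "__main__":
    for url, why in triage(SAMPLE_GATEWAY_LOG):
        print(url, "->", "; ".join(why))
```

Requiring two signals matters: a legitimate /assets/brochure.zip download has the same two-segment shape and would be flagged on shape alone, so the path-vocabulary check (or, in production, a reputation lookup on the domain) is what separates the lure from ordinary traffic.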

The distribution servers are believed to be previously compromised web servers, primarily ones running WordPress; the most prevalent version seen among the compromised hosts was WordPress 5.8.1.

Cisco Talos said that while the SquirrelWaffle threat is relatively new, the workings – including the distribution campaigns, infrastructure and command-and-control (C2) implementations – have a lot in common with those seen from other, more established threat actors.

“Organizations should continue to employ comprehensive defense-in-depth security controls to ensure that they can prevent, detect, or respond to SQUIRRELWAFFLE campaigns that may be encountered in their environments,” they recommended.


MediaMarkt Hit By Hive Ransomware Attack With $240 Million Demand

MediaMarkt has become a victim of a Hive ransomware attack with an initial ransom demand of $240 million. The attack has caused IT systems to shut down and physical store operations to be disrupted across Europe.

MediaMarkt has been operating since 1979 across 13 countries. The electronics retailer employs approximately 53,000 people and has total sales of €20.8 billion.

The company was hit by the Hive Ransomware attack on Sunday evening which rolled into Monday morning. The attack encrypted servers and workstations and led to the shutdown of IT systems to prevent the attack’s spread.

While online sales are still possible, cash registers cannot accept credit cards or print receipts at affected stores. The systems outage is also preventing returns due to the inability to look up previous purchases.

Screenshots posted on Twitter of alleged internal communications state that 3,100 servers were affected in this attack.

Reporters at BleepingComputer learned that the strain involved was Hive ransomware, and that the demand was a stunning $240 million.

Ransomware gangs commonly demand large ransoms at the beginning to allow room for negotiation and usually receive a fraction of the initial demand. However, in the attack on MediaMarkt, it is believed the amount was almost immediately lowered.

While it is not clear if unencrypted data has been stolen as part of the attack, Hive ransomware is known to steal files and publish them on their ‘HiveLeaks’ data leak site if a ransom is not paid.

Reporters reached out to MediaMarkt today and received the following statement:

“The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services.

MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible.

The company will provide information on further developments on the topic.”

Behind Hive Ransomware

Hive ransomware is a newcomer to the ransomware world, having launched in June 2021. However, it has already gained a reputation for striking at several healthcare providers and multinational companies.

The Hive Ransomware operators breach organizations using malware-ridden phishing campaigns.

Once the gang gains access to a network, they will spread laterally through a network while stealing unencrypted files to be used in extortion demands.

Once the threat actors eventually gain admin access on a Windows domain controller, they deploy Hive Ransomware throughout the network to encrypt all devices.

The Hive Ransomware gang are known to seek out and delete backups prior to encryption. This is to kneecap the victim and prevent them from using backups to escape the Ransomware attack.
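The backup-deletion step is the most detectable part of that sequence, because it runs noisy built-in tools before anything is encrypted. The Python below is an added example, not Hive code or any vendor’s rule set; the post does not say which commands Hive uses, so the rules cover the standard Windows recovery-inhibition commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit, and the Win32_ShadowCopy delete from PowerShell, MITRE ATT&CK T1490). The process-creation records are constructed in the style of Sysmon Event ID 1; host names and users are made up. Hosts showing several distinct tamper techniques are rated high, since that clustering is what precedes mass encryption.

```python
"""Detect backup and recovery tampering ahead of ransomware deployment.

Added example, not Hive code or any vendor's rule set. The post says only
that the gang deletes backups before encrypting, not which commands it
uses, so the rules below cover the standard Windows recovery-inhibition
commands (MITRE ATT&CK T1490). The process-creation records are constructed
in the style of Sysmon Event ID 1; hosts and users are made up.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

RECOVERY_TAMPER_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin shrink shadow storage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog or backup",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy\b.*?\.delete\(\)", re.I)),
]

SAMPLE_PROCESS_EVENTS = [  # constructed, Sysmon Event ID 1 style
    {"ts": "2021-11-07T22:41:03Z", "host": "dc01", "user": "CORP\\svc-backup",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2021-11-07T22:41:04Z", "host": "dc01", "user": "CORP\\svc-backup",
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2021-11-07T22:41:06Z", "host": "dc01", "user": "CORP\\svc-backup",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2021-11-07T22:41:07Z", "host": "dc01", "user": "CORP\\svc-backup",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2021-11-07T22:43:10Z", "host": "fs02", "user": "CORP\\svc-backup",
     "cmd": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    # Benign: the nightly backup job and a helpdesk listing of shadow copies.
    {"ts": "2021-11-07T02:00:00Z", "host": "fs02", "user": "CORP\\backupadmin",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"ts": "2021-11-07T09:15:22Z", "host": "ws17", "user": "CORP\\helpdesk",
     "cmd": "vssadmin list shadows"},
]


def detect(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (host, rule_name, cmd) for every command line matching a tamper rule."""
    hits = []
    for ev in events:
        for name, pattern in RECOVERY_TAMPER_RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
                break  # one rule per command line is enough
    return hits


def severity_by_host(hits: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Several distinct tamper techniques on one host is the pre-encryption staging pattern."""
    rules = defaultdict(set)
    for host, name, _cmd in hits:
        rules[host].add(name)
    return {host: ("high" if len(names) >= 2 else "medium") for host, names in rules.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_PROCESS_EVENTS)
    for host, name, cmd in found:
        print(f"{host}: {name}: {cmd}")
    print(severity_by_host(found))
```

Feed it real process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled) and page on any high-severity host immediately: at that point the encryptor has usually not run yet, and isolating the host and the account that ran the commands is still cheap.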

Unlike other strains that operate on just Windows, Hive Ransomware comes in different flavors used to encrypt Linux and FreeBSD servers, commonly used to host virtual machines.

While many ransomware outfits follow a ‘code of honor’ type system in which they will not encrypt healthcare institutions, nursing homes, government agencies, and other essential services, Hive Ransomware is known to target anybody.

This has meant their reputation has spread like wildfire, just as their attacks do.

In August, this was shown when Hive ransomware attacked the non-profit Memorial Health System, which forced staff to work with paper charts and disrupted scheduled surgeries.


The Human Stories Behind Cybercrime, Part 2

Recently, SaferNet covered the stories of regular individuals and their brushes with cybercrime. We all have stories like these, which can make them the most impactful. Today, we’ll look at more in Part 2.

These stories were collected from around the web, including Heimdal Security, Telegraph UK, NY Times, Reddit, Buzzfeed, Medium, The Atlantic, Reader’s Digest, and various blogs.

Note: Names and some locations of the stories shown here have been changed to respect the individual’s privacy.

An individual in the UK loses money to a TV license phishing scam:

“When Jerry Tack received an email saying the TV license needed paying, he didn’t think twice about it.

Nothing seemed suspicious about the website he clicked on, so he entered his bank details – and began a chain of events that would lose him £9,900.

Jerry, from Hampshire, was among thousands contacted in what police called a “particularly nasty” fraud.

But the banks say they cannot reimburse customers who have mistakenly authorized payments to fraudsters.”

An American Woman Gets Hacked and Cyberstalked:

“When I first read the email from my hacker, I couldn’t stop screaming. I didn’t know what to do; I was in a state of complete shock and terror. I had sensed something was wrong, but this was my horrifying confirmation.

I was out to dinner with my friends when I got a Facebook notification that somebody in another state had logged into my account and tried to change my password. Thirty minutes later, I got an email from who I assumed to be the culprit. It said if I didn’t do what was asked of me, “every photo I have of you” was going to be posted on my social accounts, which he had gained control of. I had no idea what he was talking about until I scrolled down to the very end of the email.

There were two photos of me in my bedroom taken through my webcam. I later found out he had been spying on me for over a year, from my senior year of high school to when I received that first email during my freshman year of college.

I called my mom, who contacted the police immediately. They told me they were going to catch the hacker, but that it could be a slow process.

Meanwhile, I was busy wondering how this could happen in the first place. I must have opened an email with a link in it that allowed him to place malware, or malicious software, on my computer, which granted him complete access to my laptop. He was able to trace the keystrokes on my keyboard so he could learn my passwords and see what sites I was going to, and, creepiest of all, he was able to access my webcam 24/7.

I used to keep my computer open on the floor of my bedroom to play music while I was studying, changing, going back and forth from the shower—he saw all of that.

I was convinced this was some random creepy guy from a different country. Then I found out it was someone from my high school. I went to a huge school with over 3,000 students and never had any personal communication with him, though I knew who he was. The fact that I would pass him in the hallways at the same time he was doing such a horrific thing to me is so scary.

And sadly, I wasn’t the only one he did this to. There were 12 other victims, two of whom also went to school with us. I haven’t been able to confront him, and I don’t know that I want to. He pleaded guilty to hacking and extortion, and a trial date has been set for next month. I’m not sure what his sentence will be.”

A woman has her video surveillance Ring setup hacked after using a leaked password:

“After a Brookhaven couple’s Ring security camera was hacked, the terrified woman said a strange man yelled that he was watching her via the camera. The doorbell company says that the camera wasn’t hacked, but that the couple used a password that had been leaked or compromised.

The woman, who didn’t want to be identified, shared the video from the incident with local TV stations and on social media. The victim said she and her boyfriend installed the camera to watch their dog, Beau, while they’re at work.

When she noticed a light on the camera, she texted her boyfriend to ask why he was watching, and he replied that he wasn’t. That’s when the stranger spoke to her through the camera: “I can see you in the bed! C’mon! Wake the [expletive] up!”

The couple found someone had hacked their account on four occasions.”

An individual in Chicago falls for a phishing email and loses $2000:

“Alison Senft of Kendall County says someone hacked into her bank account and used the Zelle payment app to steal $2,000. Then her bank told her there’s nothing they can do, and she can’t even get ahold of Zelle.

Reporters discovered the fraudsters used an email registered to a Big Ten university to carry out a phishing attack.

That stress started in late November, when she discovered someone had used the payment app Zelle to transfer $2,000 out of her Fifth Third Bank account just in time for the holidays.

“If I could find this person, I would show them my children, and say ‘This is who you’re stealing from. This is who you are taking money from,’” she said.

She filed a fraud claim, but Fifth Third Bank said the transaction appears valid and they won’t refund her, even though the recipients had a phone number with a California area code.

“Don’t know anybody there,” Senft said. “I have called Zelle, I don’t know, probably 20 times; but I cannot get in contact with a person. But Fifth Third just keeps telling me, ‘contact Zelle.’”

She did get a response when she sent a Facebook message to Zelle, from someone saying they’d look into it.

But then when she tried to follow up, she suddenly couldn’t message them, and she’s somehow blocked from commenting on their posts.

“I was so frustrated. Please just, like, let me talk to you, tell this story, and give me some sort of answer,” Senft said.”

Jim on coming across what he thought was a trusted website:

“A couple of years ago, I bought some clothes online. The company seemed trustworthy and had an HTTPS-secured website. I felt safe entering my card details. When I bought my item, I received a confirmation email and got the item in the mail. Everything you would expect.

A few weeks later I was woken up by my phone beeping. I had two-factor authentication and someone was making multiple attempts to log into my email.

This worried me, so I checked my banking app. I found multiple unauthorized charges. I called my bank to get my credit card shut off. This left me without any money until payday, and I had to borrow money from friends until then.

After contacting the authorities, I found out it was likely that the shopping website was a front, or was compromised. I had handed over criminals my email and banking information willingly. I felt sick.”

Paul realizes the danger of using the same password for all his online services:

“I was signed up to many online services, like video games, social media, streaming sites, etc. I’m not certain how my details were stolen, but I found out my credit card was no longer working with international purchases. I started getting emails that all of my monthly subscription charges couldn’t go through.

I called my bank and they told me my card had been blocked for suspicious purchases. For example, there was a charge for a Dollar General in California, but I lived in the UK, and had never traveled there.

I realized that I had used the same password for everything, so when it was compromised on one site, it was compromised everywhere. The hackers must have seen my associated email and tried it across different banks and websites.

The incident scared me into better habits. I used multiple different passwords, 2FA where possible, and a VPN. I know being 100% secure isn’t possible, but I have peace of mind knowing I am much more secure.”

Tom from the US on being duped by a fake Amazon website:

“A while back I was looking to buy an expensive item from Amazon, but I wasn’t sure about closing the sale because the price information seemed outdated and I was unsure if the item would work with my other equipment.

I wasn’t sure how to contact the seller, and tried searching for a phone number for Amazon on their website, but couldn’t find any. So, I googled it. I found a website that seemed just like Amazon’s; it had the logo and a website address that seemed to fit. It had a number which I called. The man who answered seemed genuine and seemed to care a lot about my situation. After a few minutes of conversation, he asked to screen share into my computer. In retrospect, this seems dumb, but I had done it with so many other companies that I agreed. He said he couldn’t find the item on his database and wanted to see it on my computer.

He got into my computer. I am not very tech-savvy so I wasn’t sure what he was doing. I saw files moving across my computer, and he brought up what he said was my IP address, and told me I had a virus.

He said it would cost $200 to remove the virus. At this point, I knew the call was not legitimate. I called him out on it, but wasn’t sure how to remove his access from my computer.

I noticed a lot of the files on my desktop started being deleted rapidly. Many of these were years of memories and photos of me and my grandchildren. I panicked and pressed the shut down button to turn off the computer.

I tried using System Restore a few times but it never worked. I lost a lot of memories and I was very hurt by what happened. I know that you shouldn’t click links in emails or on Facebook, but I didn’t know hackers and scammers could get you through a search engine.”

Sandra on getting her card details stolen online twice:

“I checked my bank account one day in 2011 after receiving some alerts and couldn’t believe my eyes when I saw I was $5000 in debt on my credit card. I called my bank and they told me I had made purchases in Germany for high-end electronics, which I hadn’t.

The next time happened in 2017, where I had $11000 taken from my credit card for purchases in China – It wasn’t me again.

I thought the first time was a fluke, but after the second time, I have become much more cautious online. I now use a VPN and I’m very wary about links I click.”

Mark on a series of threatening emails made against his family:

“A couple of years ago, my family and I started receiving some very threatening, blackmail emails. We even got emails from our own email accounts. The person told us that they had hacked our emails and had access to all our accounts.

They told us they could see everything we did online, including accessing adult websites, which we had not. They said they had accessed our webcam and had taken footage of us also.

They demanded thousands of dollars to not send images and our personal information around the web, but I called their bluff.

I was still worried because the person had access to our email accounts. I changed all our passwords and started using a VPN. We no longer get the threatening emails, and have more peace of mind.”

Rita on a hacker taking over her email account and using it to send phishing emails:

“A number of years ago, my email account was hacked. I believed it was because I had clicked on an email link I shouldn’t have. I also had the same password on many accounts, which meant the hacker could get into other accounts of mine.

I got alerts in work from purchases on my card and panicked. I logged into my email (the hacker hadn’t changed the password!) and noticed my ‘Sent’ list was sending what now seemed like bogus links to everybody in my contacts list. It was then I realized they had gotten into my email and from there into my other accounts.

I had to ask my boss for the remainder of the day off so I could work through things with the bank to reverse purchases. I was on the phone and went through several managers to try to get everything back.

In total, it took nearly a full week to get my accounts back, and there were a few I never did.”

Nathan taking a financial hit from what he suspects was a compromised website:

“A few years ago, I was on vacation with my fiancé in Europe. One night, I got a text alert from my bank saying that my bank was charged almost $1000 for the purchase of a camera. I was suspicious of the text itself, so I called my bank. They confirmed the text was from them, and the charge really had gone through.

I talked for a while with my bank, but had to wait nearly a month for the transaction to reverse.

Thinking back, I had been doing research for work prior to our trip, and ended up on websites that were full of ads, and generally felt like they were sketchy. I believe I may have received a keylogger or some kind of virus from these sites that could catch my credit card information.

I am much keener on security now. I have heavily secured both my fiancé’s and my computers and phones. We both use VPNs and take fewer risks online.”

A journalist from the US on falling for a classic coffee-shop scam:

“I was in a coffee shop not long ago, doing some work on my laptop. I connected to the wifi, not realising it was a fake access point set up by hackers. I ended up staying in the coffee shop for most of the day, and during that time I logged into two different bank accounts I had.

Only a few hours after leaving, the bank notified me to say one of the accounts was used to make online purchases around the country.

It was heartbreaking because I hadn’t seen the notifications when they came through initially, and by the time I realised it many purchases had been made.

It took a long time to work through the fraudulent transactions with the bank. It was a nerve-wracking and frustrating experience.”

Caleb on ignoring some transactions due to his use of Amazon:

“A while back, I saw some odd transactions on my bank account. This was during the COVID lockdown, and I had been making a lot of Amazon purchases. Because of that, I disregarded the transactions as items I had bought that hadn’t arrived yet.

Over the following days, many more transactions came in – from websites ranging from women’s cosmetics to fashion.

I realised it was a scam, and notified my bank and the police. I didn’t get a full refund, and the hacker made off with just over 500 euro.

I felt really stupid. I had been using a VPN on my phone for a long time but had stopped for a few weeks because I thought it was draining the battery. It was in that time the hacker must have got the information off my phone somehow.”

Josine on using the same password:

“I was hacked about a year ago. It was because I used the same password on multiple sites.

One of the sites was hacked, and the passwords were leaked. As far as I know, hackers sold these passwords to other hackers, along with the associated email address.

I began getting locked out of multiple accounts. Thankfully I did notice it pretty early, so I was able to recover all of the accounts.

I’ve since changed all my passwords, and have multiple. I’ve also used 3 different emails for different websites, just to be safe.”

Colin on a hacker using a script in tandem with his email and password:

“About two years ago, I got a notification from my bank that a $1299 charge had been made with BestBuy. I logged into my BestBuy account and saw the order, and it was due to ship to my address. I contacted BestBuy and they refunded my account. When they had, I changed my password and deleted my credit card information from their website.

Later on that night, I got an email saying I had a new Netflix login. I went to check out the account, and there was a new device on it I didn’t recognize. I disconnected all my devices and changed my password.

I went back to sleep and woke up to hundreds of emails – easily over 500. Every email was from a different legitimate website, mostly welcome messages. Obviously, it wasn’t me who signed up for any of them.

I used the same password for BestBuy and Netflix. I realized the hacker had gotten my details and possibly used a script to try to log into as many services as possible, many of which ended up being services I had never used so it just signed me up.

It took me days to go into every single account I had and get a unique password for each, as well as take my credit card info off the websites. For safety, I decided to cancel my card and get a new one too.”

Kevin on his girlfriend receiving a high-fidelity phishing text:

“My girlfriend and I have been saving up for a 6-month trip next year, using separate bank accounts. We live in a major city in Europe and rent makes up a large amount of our paychecks, so it can be difficult to save anything without cutting corners and being frugal at every turn.

Recently, my girlfriend got a text from her bank. She followed the link, and it took her to a high-fidelity page that looked exactly like the bank’s. She even asked me to look over it – we both work in IT and are very aware of scams. She entered her credentials, and the browser opened her banking app, making it seem like nothing was wrong.

A few days later, she realised 10,000 euro had been taken from her account – all her savings for the trip thus far. She was distraught, and I was angry at the hackers and at myself for not picking up on it.

We went to the police and contacted the bank. The police told us they couldn’t do anything except put out a warning for others regarding the text. The bank told us they would need to investigate the issue which could take 72 hours.

We spent the next 3 days feeling extremely down and stressed. Thankfully, the bank reimbursed the money. We are even more cautious now, knowing that months, and sometimes years, of work can be wiped clean in a mistake that might only take a few seconds.”

Protection From Cybercrime

As you’ve read, cybercrime has a very real human element at the end of it. Every day, thousands of new victims are made. It is important that business owners and families have the best tools for the job when it comes to protecting their devices. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Pegasus Spyware Invades iPhones and Blackmails Victims

Pegasus Spyware is being used in a new extortion scam that seeks to blackmail iOS users. The data collected by Pegasus Spyware is used to scare victims into paying so that the data is not released. A month ago, Amnesty International disclosed that Pegasus spyware was installed on fully updated iPhones through a zero-day zero-click iMessage vulnerability.

A zero-click vulnerability is one that can be exploited without any interaction by the user. Such flaws are extremely dangerous and are high-priority issues for security teams once they are discovered.

Amnesty believes that Pegasus Spyware is used by governments to monitor the communication of politicians, journalists, human rights activists, and business executives worldwide.

This week, a threat actor has been emailing iOS users informing them their device was compromised through a ‘zero-click’ vulnerability used to install the Pegasus spyware software.

The scammer explains that Pegasus Spyware has been used to monitor the victim’s activities and that they have created videos of them during “the most private moments” of their lives.

The email warns that if a 0.035 bitcoin (approximately $1,600) payment is not made, the threat actors will send the videos to the recipient’s family, friends, and business associates.

The full text of the email is as follows:

“Hi there
Hello, I’m going to share important information with you.

Have you heard about Pegasus? You have become a collateral victim. It’s very important that you read the information below.

Your phone was penetrated with a “zero-click” attack, meaning you didn’t even need to click on a malicious link for your phone to be infected. Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos and emails, record calls and secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram and Signal.

Basically, it can spy on every aspect of your life. That’s precisely what it did. I am a blackhat hacker and do this for a living. Unfortunately you are my victim. Please read on.

As you understand, I have used the malware capabilities to spy on you and harvested datas of your private life. My only goal is to make money and I have perfect leverage for this.

As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life, when you are not expecting it.

I personally have no interest in them, but there are public websites that have perverts loving that content.
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know see those videos as well.

Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars). You need to send that amount here [Wallet Address]

I will also clear your device from malware, and you keep living your life. Otherwise, sh*t will happen. The fee is non negotiable, to be transferred within 2 business days.

Obviously do not try to ask for any help from anybody unless you want your privacy to be violated. I will monitor your every move until I get paid. If you keep your end of the agreement, you won’t hear from me ever again.

Take care.”

Fortunately, there are currently no payments to the wallet address contained in the email. It is possible that other emails may have different addresses which have been paid.

While this is most likely a scam – that is to say, the targets don’t have Pegasus Spyware installed – these types of activities have proven lucrative. Similar scams have generated thousands of dollars for the hackers behind them.

Though these types of emails can elicit fear in people, it is always best to mark them as scams and delete the email, as they are rarely truthful.

Pegasus Spyware Analysis

Note: This analysis was carried out by Lookout.

The attack is very simple in its delivery and silent in delivering its payload. It starts when the attacker sends a website URL (through SMS, email, social media, or any other message) to an identified target. The user only has to take one action: click on the link. Once the user clicks the link, the software silently carries out a series of exploits against the victim’s device to remotely jailbreak it so that the espionage software packages can be installed.

The user’s only indication that anything happened will be that the browser closes after the link is clicked. The espionage software contains malicious code, processes, and apps that are used to spy, collect data, and report back what the user does on the device. Pegasus spyware can access and exfiltrate messages, calls, emails, logs, and more from apps including, but not limited to:


In order to accomplish this, Pegasus spyware, once it has jailbroken the user’s phone, does not download malicious versions of these apps to the victim’s device in order to capture data; rather, it compromises the original apps already installed on the device. This includes pre-installed apps such as FaceTime and Calendar as well as those from the official App Store.

Usually, iOS security mechanisms prevent normal apps from spying on each other, but spying “hooks” can be installed on a jailbroken device. Pegasus Spyware takes advantage of both the remote jailbreak exploit and a technique called “hooking.” The hooking is accomplished by inserting Pegasus Spyware’s dynamic libraries into the legitimate processes running on the device. These dynamic libraries can be used to hook the apps using a framework called Cydia Mobile Substrate, known to the iOS jailbreak community, and which Pegasus Spyware uses as part of the exploit.

A user infected with Pegasus spyware is under complete surveillance by the attacker because, in addition to the apps listed above, it also spies on:
• Phone calls
• Call logs
• SMS messages the victim sends or receives
• Audio and video communications that (in the words of a founder of NSO Group) turn the phone into a “walkie-talkie”

Access to this content could be used to gain further access into other accounts owned by the target, such as banking, email, and other services he/she may use on or off the device. The attack is comprised of three separate stages that contain both the exploit code and the espionage software. The stages are sequential; each stage is required to successfully decode, exploit, install, and run the subsequent stage. Each stage leverages one of the Trident vulnerabilities in order to run successfully.

• STAGE 1 – Delivery and WebKit vulnerability
• STAGE 2 – Jailbreak
• STAGE 3 – Espionage software

The third stage deploys a number of files packaged in a standard Unix tarball (test222.tar), each of which has its own purpose:

• ca.crt – root TLS certificate that is added to keystore (see Appendix A)
• ccom.apple.itunesstored.2.csstore – Standalone javascript that is run from the command line at reboot and is used to run unsigned code and jailbreak the kernel on device reboot
• converter – injects dylib in a process by pid. It is a renamed version of the cynject from the Cydia open-source library
• libaudio.dylib – The base library for call recording
• libdata.dylib – A renamed version of the Cydia substrate open-source library
• libimo.dylib – imo.im sniffer library
• libvbcalls.dylib – Viber sniffer
• libwacalls.dylib – Whatsapp sniffer
• lw-install – Spawns all sniffing services
• systemd – Sends reports and files to server
• watchdog
• workerd – SIP module

The attack investigated works on iOS up to 9.3.4. The developers maintain a large table in their code that attacks all iOS versions from 7.0 up to and including iOS 9.3.3. While the code we investigated did not contain the appropriate values to initially work on iOS 9.3.4, the exploits we investigated would still work, and it is trivial for the attackers to update the table so that the attack will work on 9.3.4.
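As a triage aid for the stage-3 file list above, the following added Python example (not Lookout’s or SaferNet’s code) matches a device file listing against the artifact names quoted on this page. The listing it scans is constructed sample data, the descriptions are paraphrased from the list above, and the scoring rule that treats generic-looking names such as systemd or watchdog as weak evidence on their own is my own assumption.

```python
"""Match a device file listing against the Pegasus stage-3 artifact names
quoted in the Lookout analysis on this page.

Added example, not Lookout's or SaferNet's code. The listing scanned below
is constructed sample data, not output from a real device.
"""
import posixpath

# File names from the test222.tar listing quoted above, with paraphrased roles.
PEGASUS_STAGE3_FILES = {
    "ca.crt": "root TLS certificate added to the keystore",
    "ccom.apple.itunesstored.2.csstore": "JavaScript run at reboot to re-jailbreak the kernel",
    "converter": "renamed cynject; injects a dylib into a process by pid",
    "libaudio.dylib": "base library for call recording",
    "libdata.dylib": "renamed Cydia Substrate library",
    "libimo.dylib": "imo.im sniffer",
    "libvbcalls.dylib": "Viber sniffer",
    "libwacalls.dylib": "WhatsApp sniffer",
    "lw-install": "spawns all sniffing services",
    "systemd": "sends reports and files to the server",
    "watchdog": "no role given in the analysis",
    "workerd": "SIP module",
}

# Names that also occur legitimately elsewhere; a hit on one of these alone
# is weak evidence (assumption made for scoring, not a finding on the page).
GENERIC_NAMES = {"systemd", "watchdog", "converter"}


def find_pegasus_artifacts(paths):
    """Return {path: role} for every path whose basename is a known stage-3
    artifact. Matching is on basename only, because the tarball listing does
    not say where each file is dropped."""
    hits = {}
    for path in paths:
        name = posixpath.basename(path)
        if name in PEGASUS_STAGE3_FILES:
            hits[path] = PEGASUS_STAGE3_FILES[name]
    return hits


def triage_verdict(hits):
    """Crude scoring: two or more distinct, specific artifact names together
    is a strong signal; generic names on their own only warrant a closer look."""
    distinct = {posixpath.basename(p) for p in hits}
    specific = distinct - GENERIC_NAMES
    if len(specific) >= 2:
        return "likely Pegasus stage-3 artifacts"
    if distinct:
        return "possible, needs manual review"
    return "no known artifacts"


# Constructed file listing for demonstration (not from a real device).
SAMPLE_LISTING = [
    "/usr/bin/systemd",                    # generic name, weak on its own
    "/private/var/tmp/libwacalls.dylib",
    "/private/var/tmp/libvbcalls.dylib",
    "/private/var/tmp/lw-install",
    "/Applications/Calendar.app/Calendar",  # legitimate, not matched
]

if __name__ == "__main__":
    found = find_pegasus_artifacts(SAMPLE_LISTING)
    for path, role in found.items():
        print(f"{path}: {role}")
    print(triage_verdict(found))
```

Run against a listing from a backup or a jailbroken device’s filesystem, the function reports matched paths and their documented role; the verdict is only a starting point for manual review, since the sniffer libraries could be renamed in other builds.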


LockBit Ransomware Gang Publish 103GB Of Bangkok Air Customer Data After Attack

LockBit Ransomware has breached Bangkok Air, according to a press release by the aviation company last Thursday. The following day, the LockBit Ransomware gang released a countdown clock, threatening to release stolen data unless ransom demands are met. The gang claims to have 103GB worth of files from Bangkok Air, and is promising to release them on Tuesday.

Dark Web intelligence firm, DarkTracer, tweeted a screenshot of a countdown from the LockBit Ransomware gang. At the time of the tweet, the clock showed four and a half days left.

“LockBit ransomware gang has announced Bangkok Airways on the victim list,” DarkTracer tweeted. “It announced that 103GB of compressed files will be released.”

A day before the announcement by the LockBit Ransomware gang, Bangkok Airways publicly acknowledged that it had been blasted with a cyberattack a week ago, on Monday, Aug. 23. It’s still investigating the incident “as a matter of urgency,” the company said in a press release and is working on beefing up its defenses.

“Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team. Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.” the company said in their press release.

The personal data includes:

  • Passenger name
  • Family name
  • Nationality
  • Gender
  • Phone number
  • Email address
  • Other contact information
  • Passport information
  • Historical travel information
  • Partial credit-card information
  • Special meal information

The LockBit Ransomware gang allegedly did not succeed in accessing Bangkok Airways’ operational or aeronautical security systems, the company said. The company apologized, saying that “Bangkok Airways Public Company Limited takes the protection of passenger’s data very seriously and the airline is deeply sorry for the worry and inconvenience that this malicious incident has caused.”

Bangkok Air has notified the proper authorities, including the Royal Thai police.

LockBit Ransomware Analysis

NOTE: This analysis of Lockbit Ransomware was carried out by McAfee

The file found in the investigation of LockBit Ransomware was a dropper renamed as a .png file. When first opening the .png file we were expecting a real image, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled as a .NET executable (Microsoft Visual C# v7.0 / Basic .NET).

The entropy profile is tidy too, showing no stray sections or big spikes in the graph. This indicates that the author of LockBit Ransomware did not use obfuscation.

This file is a .NET launcher. Examining the Main() function in the code shows that an array containing a particularly long AES encrypted base64 string (in the variable named ‘exeBuffer’) carries the executable for the actual ransomware.

This encrypted string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.
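The dropper characteristics described above (a .png that is really a PE, an unremarkable entropy profile, and an exeBuffer whose first 32 bytes are the salt for the ENCRYPTION29942 passphrase) can be checked with a small static-triage script. The following is an added Python example, not McAfee’s or SaferNet’s code. Its sample file bytes and exeBuffer are constructed, the salt is assumed to be the first 32 bytes of the base64-decoded buffer, and the key-derivation function (PBKDF2-HMAC-SHA1, which is what .NET’s Rfc2898DeriveBytes computes) is an assumption, since the page names only the passphrase and the salt layout.

```python
"""Static triage for a LockBit-style .NET dropper: extension/signature
mismatch, per-blob Shannon entropy, and the salt/ciphertext split of the
AES-encrypted base64 exeBuffer.

Added example, not McAfee's or SaferNet's code. All sample data is constructed.
"""
import base64
import hashlib
import math
import os

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"
PASSPHRASE = b"ENCRYPTION29942"  # passphrase named in the analysis


def magic_mismatch(filename, data):
    """Return a short reason when the extension disagrees with the file
    signature (as it did for the .png-named dropper), or None if consistent."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".png" and not data.startswith(PNG_MAGIC):
        if data.startswith(PE_MAGIC):
            return "extension .png but MZ (PE) header"
        return "extension .png but no PNG signature"
    return None


def shannon_entropy(data):
    """Bits per byte, from 0.0 (constant data) to 8.0 (uniform). Packed or
    encrypted sections sit near 8; the dropper showed no such spike."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_exe_buffer(exe_buffer_b64):
    """Decode the base64 exeBuffer and split off the leading 32-byte salt.
    ASSUMPTION: the salt is the first 32 bytes of the decoded buffer."""
    raw = base64.b64decode(exe_buffer_b64)
    if len(raw) <= 32:
        raise ValueError("buffer too short to hold salt + ciphertext")
    return raw[:32], raw[32:]


def derive_aes_key(salt, key_len=32, iterations=1000):
    """ASSUMPTION: passphrase and salt go through PBKDF2-HMAC-SHA1, which is
    what .NET's Rfc2898DeriveBytes implements (1000 iterations by default).
    The page does not name the KDF; confirm against the real sample."""
    return hashlib.pbkdf2_hmac("sha1", PASSPHRASE, salt, iterations, dklen=key_len)


# Constructed sample: a stub named .png that starts with a PE header.
SAMPLE_NAME = "image.png"
SAMPLE_DATA = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
# Constructed exeBuffer: a 32-byte salt followed by 48 bytes standing in for ciphertext.
SAMPLE_EXE_BUFFER = base64.b64encode(bytes(range(32)) + b"\xaa" * 48).decode()

if __name__ == "__main__":
    print(magic_mismatch(SAMPLE_NAME, SAMPLE_DATA))
    print(f"entropy={shannon_entropy(SAMPLE_DATA):.2f} bits/byte")
    salt, ciphertext = split_exe_buffer(SAMPLE_EXE_BUFFER)
    print(f"salt={salt.hex()} ciphertext_len={len(ciphertext)}")
    print(f"derived key={derive_aes_key(salt).hex()}")
```

The actual AES decryption step is deliberately left to a crypto library of your choice once the key-derivation assumption has been verified against the real exeBuffer; the value of the script is in the first two checks, which flag a mis-labelled PE before it is ever opened as an image.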

By statically analyzing the file we can spot the usage of:

  • NtUnmapViewOfSection – LockBit Ransomware uses this API in order to unmap the original code in execution
  • NtWriteVirtualMemory – the malware writes the base address of the injected image into the PEB via this call
  • VirtualAllocEx – to allocate the space before injecting the malicious code

The VBC utility is the Visual Basic compiler for Windows, and LockBit Ransomware uses it to compile and execute the code on the fly directly in execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL as seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

The list of services LockBit Ransomware tries to stop is:

  • DefWatch (Symantec Antivirus)
  • ccEvtMgr (Norton AntiVirus Event Manager)
  • ccSetMgr (Common Client Settings Manager Service of Symantec)
  • SavRoam (Symantec Antivirus)
  • sqlserv
  • sqlagent
  • sqladhlp
  • Culserver
  • RTVscan (Symantec Antivirus Program)
  • sqlbrowser
  • SQLADHLP
  • QBIDPService (QuickBooksby Intuit.)
  • QuickBoooks.FCS (QuickBooksby Intuit.)
  • QBCFMonitorService (QuickBooksby Intuit.)
  • sqlwriter
  • msmdsrv (Microsoft SQL Server Analysis or Microsoft SQL Server)
  • tomcat6 (Apache Tomcat)
  • zhundongfangyu (this belongs to the 360 security product from Qihoo company)
  • vmware-usbarbitator64
  • vmware-converter
  • dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
  • dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
  • wrapper (Java Service?)


LockBit queries the status of each of these services with the function “QueryServiceStatusEx”. When a service is present, it first resolves the service’s dependent modules and, once that has succeeded, stops the service with the function “ControlService”.

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.
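A defender can turn the service list above into a detection. The following added Python example (not McAfee’s or SaferNet’s code) assumes the stops issued through ControlService land in the Windows System log as Service Control Manager Event ID 7036 (“entered the stopped state”) records, and flags a burst of targeted services stopping within a short window. The event records it parses are constructed samples in a simplified pipe-separated form, not real log output, and the window and threshold values are my own assumptions.

```python
"""Flag a burst of LockBit-targeted services stopping within a short window,
using Service Control Manager Event ID 7036 records.

Added example, not McAfee's or SaferNet's code. The service names are the
ones listed on this page; the event records below are constructed, in the
simplified form 'timestamp|event_id|service|state', not real log lines.
"""
from datetime import datetime, timedelta

# Service names LockBit tries to stop, as listed above (lower-cased because
# SCM service names are case-insensitive).
LOCKBIT_TARGET_SERVICES = {s.lower() for s in [
    "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "sqlserv", "sqlagent",
    "sqladhlp", "Culserver", "RTVscan", "sqlbrowser", "SQLADHLP", "QBIDPService",
    "QuickBoooks.FCS", "QBCFMonitorService", "sqlwriter", "msmdsrv", "tomcat6",
    "zhundongfangyu", "vmware-usbarbitator64", "vmware-converter", "dbsrv12",
    "dbeng8", "wrapper",
]}

SCM_STATE_CHANGE = 7036  # "The <service> service entered the <state> state"


def parse_event(line):
    """Parse one constructed 'timestamp|event_id|service|state' record."""
    ts, event_id, service, state = line.strip().split("|")
    return datetime.fromisoformat(ts), int(event_id), service, state


def detect_mass_service_stop(lines, window=timedelta(minutes=2), threshold=3):
    """Return a list of (window_start, [services]) alerts, one per burst in
    which at least `threshold` distinct targeted services stop within `window`.
    A single service stopping (a normal restart) never trips the rule."""
    stops = sorted(
        (ts, svc)
        for ts, eid, svc, state in map(parse_event, lines)
        if eid == SCM_STATE_CHANGE
        and state == "stopped"
        and svc.lower() in LOCKBIT_TARGET_SERVICES
    )
    alerts = []
    i = 0
    while i < len(stops):
        start_ts = stops[i][0]
        in_window = [svc for ts, svc in stops[i:] if ts - start_ts <= window]
        distinct = sorted({svc.lower() for svc in in_window})
        if len(distinct) >= threshold:
            alerts.append((start_ts, distinct))
            i += len(in_window)  # skip the rest of this burst; one alert per burst
        else:
            i += 1
    return alerts


# Constructed sample log: a benign single SQL service restart, then a burst.
SAMPLE_EVENTS = [
    "2021-09-01T02:00:00|7036|Spooler|stopped",            # not targeted, ignored
    "2021-09-01T02:05:00|7036|sqlwriter|stopped",          # lone stop, below threshold
    "2021-09-01T02:05:30|7036|sqlwriter|running",
    "2021-09-01T03:10:00|7036|DefWatch|stopped",
    "2021-09-01T03:10:01|7036|ccEvtMgr|stopped",
    "2021-09-01T03:10:01|7036|sqlserv|stopped",
    "2021-09-01T03:10:02|7036|QBCFMonitorService|stopped",
    "2021-09-01T03:10:03|7036|Spooler|stopped",            # not targeted, ignored
]

if __name__ == "__main__":
    for start, services in detect_mass_service_stop(SAMPLE_EVENTS):
        print(f"{start.isoformat()}: {len(services)} targeted services stopped: {services}")
```

In production the same logic would run over 7036 events pulled from the System log (by a SIEM query or a log forwarder) rather than over the inline list; a matching alert is worth treating as pre-encryption activity, since the ransom note Restore-My-Files.txt only appears once encryption has already started.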


Ransomware Attacks Up 288% This Year As FBI Issues Warning Before Labor Day

2021 has proven to be another record-breaking year for ransomware attacks, which rose 288% between the first and second quarters of the year. To add to this, the FBI and CISA have released a joint advisory urging organizations not to let down their defenses against ransomware during weekends or holidays, especially over the upcoming Labor Day weekend.

The agencies said they “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.”

While neither agency disclosed information about specific attacks expected over the upcoming holiday, they gave examples of recent attacks that occurred on such days: Colonial Pipeline, JBS, and Kaseya.

JBS, the world’s largest beef producer, shelled out $11 Million to the now-defunct REvil Ransomware gang after a Memorial Day hack.

Colonial Pipeline paid $4.4 Million to the DarkSide Ransomware gang, in what was possibly the most storied ransomware incident of the year. The attack began on May 7, going into the Mother’s Day weekend.

On the Fourth of July weekend, REvil Ransomware pulled off one of its largest, and final, attacks, striking dozens of Kaseya’s managed service provider customers and affecting an estimated 1,500 downstream businesses.

As shared by the two agencies:

  • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
  • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting US and Australian meat production facilities, resulting in a complete production stoppage.
  • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

Soaring Ransomware Attacks

Holiday timing is only part of the picture: ransomware attacks soared by 288% between the first and second quarters of 2021, according to new data from NCC Group.

Analyzing incidents handled by its own Research Intelligence and Fusion Team (RIFT) throughout 2021, the firm found that nearly a quarter (22%) of data leaks in the second quarter came from the Conti group.

Avaddon Ransomware was the runner-up, at 17% of incidents.

Nearly half (49%) of victims were based in the US, which continues to be a hotspot for ransomware attacks. 7% were in France, and 4% in Germany.

Christo Butcher, lead for threat intelligence at NCC Group, stated that no organization in any sector is safe from ransomware today.

“We’ve seen targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model,” he added.

“It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues, and operating a least-privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information.”
