
CISO Series Host
From the CISO series. It's Cybersecurity Headlines.
Sean Kelly
These are the Cybersecurity Headlines for Thursday, February 6, 2025. I'm Sean Kelly.
Sean Kelly
Spain arrests hacker of U.S. and Spanish military agencies. Spanish police arrested a suspect for allegedly conducting 40 cyber attacks targeting critical organizations and universities. The police said the suspect accessed internal data and personal info of employees and customers and used BreachForums to sell and leak the data. Data leaks for NATO, the US Military and Spain's Guardia Civil and Ministry of Defense were listed as most successfully sold. During a raid of the suspect's residence, police found and seized multiple computers, electronic devices and 50 cryptocurrency accounts. The hacker could face a maximum sentence of 20 years in prison under Spanish law.
Sean Kelly
Robocallers called the FCC pretending to be from the FCC. The Federal Communications Commission has voted to propose fining voice over IP telco Telnyx nearly $4.5 million after scammers took advantage of their service. The FCC was alerted to the issue on February 6th of last year after several staff and their family members received robocalls to their work and personal numbers with a message claiming to be from an imaginary FCC fraud prevention team. The calls went on for about a day before being shut down. FCC head Brendan Carr said he was pleased with the bipartisan support for the fine and cracking down on illegal robocalls will be a top priority at the FCC. Telnyx has appealed the proposed fine and said it acted responsibly by stopping the robocalls as soon as it was alerted.
Sean Kelly
Ransomware payments decreased 35% year over year, according to a new report from Chainalysis. In 2024, ransomware attackers racked up $813.5 million in victim payments, a 35% decrease from 2023's record-setting year of $1.25 billion. The drop is attributed to increased law enforcement actions, improved international collaboration and growing refusal by victims to pay. The report highlighted ransomware gang disruption, including the LockBit takedown in February of 2024 and BlackCat's apparent exit scam following the attack on Change Healthcare. While LockBit has rebranded and made a comeback, payments to the group fell by nearly 80% in the second half of last year compared to the first. Chainalysis observed many attackers shifting tactics with new ransomware strains and also getting quicker, with ransom negotiations often beginning within hours of data exfiltration.
Sean Kelly
Thailand cuts power supply to Myanmar scam hubs. On Wednesday, Thailand cut off the supply of fuel, Internet and electricity to three cities in Myanmar where criminal syndicates have set up hubs devoted to online fraud. Last week, Chinese authorities called on the Thai government to do more to stop scamming activity in Myanmar. The Chinese Foreign Ministry said Wednesday that China attaches great importance to combating, quote, "the recent string of cross-border telecom fraud and other vicious cases along the Thailand-Myanmar border," end quote. China and Thailand have reportedly pledged to set up a coordination center in Bangkok this month to combat cyber scams.
Sean Kelly
And now we'd like to thank today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.
Sean Kelly
Mobile apps found using OCR to steal crypto. Researchers at Kaspersky have identified a new campaign called SparkCat, infecting Android and iOS apps on Google and Apple app stores. An SDK on infected apps utilizes a malicious Java component called Spark disguised as an analytics module. The malicious components load different OCR modules depending on the language of the system, that attempt to locate and extract victim recovery phrases that can be used by attackers to load crypto wallets on their own devices without knowing the password. According to Kaspersky, there are 28 infected Android and iOS apps, with many still available in their respective app stores. The infected apps were downloaded over 242,000 times on Google Play alone, Kaspersky said. Users should delete these apps from their phone and should avoid storing recovery phrases in screenshots. Instead, the user should store the phrases in encrypted offline storage devices or password managers.
Sean Kelly
Attackers target education sector to hijack Microsoft accounts. Researchers at Abnormal Security discovered the campaign, which is targeting about 150 organizations, mostly in the education sector, that rely on Microsoft Active Directory Federation Services, or ADFS, to authenticate across on-premise and cloud systems. The campaign uses a spoofed phishing email that appears to be from the organization's IT help desk, telling the recipient that an important update requires immediate attention. Links direct the victims to fake Microsoft ADFS login pages, which are personalized for the particular MFA setup used by the target. Once the victim enters the credentials and an MFA code, attackers take over the accounts and are able to pivot to other services through SSO. Experts say this risk can be mitigated by moving away from legacy ADFS to modern identity platforms and upgrading to phishing-resistant MFA.
Sean Kelly
Man sentenced to 7 years for role in $50 million Internet scam. 59-year-old Californian Allen Giltman pleaded guilty to building a network of fraudulent websites. According to the DOJ, between 2012 and 2020, Giltman and others created at least 150 bogus websites posing as real financial institutions. Unwitting victims came across the fraudulent sites via Internet search advertisements. Lured by the promise of high-return investment opportunities, victims contacted Giltman using a phone number or email provided. Giltman would then impersonate real FINRA broker-dealers to set up fake investment transactions and then moved his victims' swindled funds to bank accounts around the world. Collectively, Giltman scammed over 70 people out of roughly $50 million. Many victims were older adults investing in their retirement savings. Giltman has been sentenced to 87 months in prison and has been ordered to forfeit around $100,000.
Sean Kelly
Abandoned AWS cloud storage is a major cyber risk. Researchers from watchTowr discovered around 150 Amazon Web Services S3 buckets that were formerly used by organizations for software deployment and updates but were then abandoned. The researchers registered the unused buckets using their original names for a total of around $400 and then enabled logging to see what requests might flow into them. In a two-month period, the S3 buckets received a staggering 8 million file requests, including those from agencies in the US, the UK and Australia, Fortune 100 companies, banking institutions and cybersecurity companies. Had the researchers been threat actors, they could have responded to any of these requests with malicious software updates, allowing them access to requesting organizations' AWS environment or virtual machine. AWS quickly sinkholed the S3 buckets that watchTowr identified, but the broader risk posed by abandoned cloud services still persists.
Sean Kelly
And that does it for today's Cybersecurity Headlines. CISOs like to think of their job as managing risk, but once you get risk to an acceptable level, when do you start prioritizing efficiency? That's what we'll be trying to answer on this week's Defense in Depth. Vetcor CISO Andrew Wilder joins David Spark and Geoff Belknap for the discussion. If you want to get the full episode, head over to cisoseries.com or search for "Can a security program ever reach maintenance mode?" wherever you get your podcasts. Thank you for listening to the podcast that brings you more of the top cyber news stories and more cowbell. I'm Sean Kelly.
CISO Series Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headline.
Title: Cyber Security Headlines
Host: CISO Series
Episode: Spain arrests hacker, FCC Robocallers, Ransoms decrease 35%
Release Date: February 6, 2025
Timestamp: [00:11 - 00:27]
Spanish police arrested a suspect accused of conducting 40 cyber attacks against critical organizations and universities, among them U.S. and Spanish military agencies. The suspect got into internal systems and took sensitive data, including personal information of employees and customers, then used BreachForums to sell and leak it.
Notable Quote:
“The police said the suspect accessed internal data and personal info of employees and customers and used BreachForums to sell and leak the data,” – Sean Kelly [00:16]
During a raid of the suspect's residence, police seized multiple computers, electronic devices, and 50 cryptocurrency accounts. Leaks from NATO, the US Military, Spain's Guardia Civil, and the Ministry of Defense were among the data sets listed as most successfully sold. Under Spanish law, the suspect faces up to 20 years in prison.
Timestamp: [00:27 - 02:25]
The Federal Communications Commission (FCC) has voted to propose a fine of nearly $4.5 million against the VoIP telco Telnyx after scammers used its service to robocall FCC staff and their family members with a message from a fictitious FCC fraud prevention team. The FCC was alerted on February 6, 2024, and the calls ran for about a day before being shut down.
FCC head Brendan Carr welcomed the bipartisan support for the fine and said cracking down on illegal robocalls will be a top priority. Telnyx has appealed the proposed fine, asserting that it acted responsibly by stopping the robocalls as soon as it was notified.
Timestamp: [02:25 - 02:47]
According to a report by Chainalysis, ransomware payments saw a significant decline of 35% year-over-year in 2024, totaling $813.5 million compared to 2023's $1.25 billion. This reduction is attributed to enhanced law enforcement efforts, better international cooperation, and a growing trend of victims refusing to pay ransoms.
Notable Quote:
“The drop is attributed to increased law enforcement actions, improved international collaboration and growing refusal by victims to pay,” – Sean Kelly [02:19]
The report highlights the disruption of major ransomware gangs, including the LockBit takedown in February 2024 and BlackCat's apparent exit scam following the Change Healthcare attack. LockBit has rebranded and resurfaced, but payments to the group fell by nearly 80% in the second half of 2024 compared to the first. Chainalysis also observed a shift in attacker tactics: new ransomware strains and faster ransom negotiations, often beginning within hours of data exfiltration.
Timestamp: [02:47 - 03:18]
In an effort to combat online fraud, Thailand has cut off the supply of fuel, internet, and electricity to three cities in Myanmar known for hosting criminal syndicates engaged in scamming activities. This decisive action follows appeals from Chinese authorities for more stringent measures against cross-border telecom fraud along the Thailand-Myanmar border.
The Chinese Foreign Ministry said China attaches great importance to combating "the recent string of cross-border telecom fraud and other vicious cases along the Thailand-Myanmar border." China and Thailand have reportedly pledged to set up a coordination center in Bangkok this month to combat cyber scams.
Timestamp: [04:03 - 04:47]
Kaspersky researchers uncovered a new campaign named SparkCat that infects Android and iOS apps distributed through the Google and Apple app stores. An SDK in the infected apps carries a malicious Java component called Spark, disguised as an analytics module.
Spark loads Optical Character Recognition (OCR) modules chosen according to the device's system language and uses them to find and extract crypto wallet recovery phrases from images on the device. With a recovery phrase, attackers can load the victim's wallet onto their own device without knowing the password. Kaspersky reported 28 infected apps, many still available in their respective stores, with over 242,000 downloads on Google Play alone. Users are advised to delete the affected apps and to keep recovery phrases out of screenshots, storing them instead in encrypted offline storage or a password manager.
Timestamp: [05:04 - 05:54]
Abnormal Security researchers identified a phishing campaign targeting approximately 150 organizations, predominantly in the education sector, that rely on Microsoft Active Directory Federation Services (ADFS) to authenticate across on-premise and cloud systems. The attackers phish ADFS credentials and MFA codes rather than exploiting a flaw in ADFS itself.
Notable Quotes:
“The campaign uses a spoofed phishing email that appears to be from the organization's IT help desk,” – Sean Kelly [05:23]
The emails claim an important update requires immediate attention and link to counterfeit Microsoft ADFS login pages personalized to the target's particular Multi-Factor Authentication (MFA) setup. Once credentials and an MFA code are entered, attackers take over the account and pivot to other services through Single Sign-On (SSO). Experts recommend moving away from legacy ADFS to modern identity platforms and upgrading to phishing-resistant MFA.
Timestamp: [05:59 - 06:50]
Allen Giltman, a 59-year-old Californian, was sentenced to 87 months (about seven years) in prison for his role in an internet scam that defrauded over 70 individuals out of approximately $50 million. Between 2012 and 2020, Giltman and others created at least 150 fake websites impersonating legitimate financial institutions.
Notable Quotes:
“Lured by the promise of high return investment opportunities, victims contacted Giltman using a phone number or email provided,” – Sean Kelly [06:30]
Victims found the fraudulent sites through internet search advertisements and contacted Giltman via the phone number or email the sites provided. Giltman then impersonated real FINRA broker-dealers, set up fake investment transactions, and moved the victims' funds to bank accounts around the world. Many victims were older adults investing their retirement savings. In addition to his prison sentence, Giltman has been ordered to forfeit around $100,000.
Timestamp: [06:58 - 07:49]
watchTowr researchers discovered approximately 150 abandoned Amazon Web Services (AWS) S3 buckets that organizations had previously used for software deployment and updates. After the researchers re-registered the bucket names, the buckets received around eight million file requests over two months, including requests from government agencies in the US, UK, and Australia, Fortune 100 companies, banking institutions, and cybersecurity firms.
Notable Quotes:
“Had the researchers been threat actors, they could have responded to any of these requests with malicious software updates,” – Sean Kelly [07:33]
The researchers registered the unused buckets under their original names for a total of around $400 and enabled logging to see what requests flowed in. Because the requesting systems still trusted those bucket names, an attacker holding them could have served malicious updates and gained access to the requesting organizations' AWS environments or virtual machines. AWS sinkholed the identified buckets, but the broader problem of abandoned cloud resources that are still referenced by live systems remains.
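The practical check a defender wants after this story is whether their own install scripts and pipelines still point at S3 bucket names nobody owns. The script below is an added example, not watchTowr's or AWS's code: it extracts bucket names from the three S3 URL styles and classifies each by the status an unauthenticated HEAD on its endpoint returns (404 NoSuchBucket means the name is unclaimed and registrable; 403 or 200 means someone holds it). The sample config lines and the FAKE_STATUS table are constructed so the demo runs offline; live_probe does the real network call when no fake is injected.

```python
"""Find S3 bucket references in deployment scripts/configs and flag the ones
whose names are no longer claimed, i.e. names an attacker could register and
serve updates from. Added example, not watchTowr or AWS code; the sample
config and the FAKE_STATUS table are constructed for illustration."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Set

# Constructed sample input of the kind found in install scripts and CI jobs.
# Bucket names are made up.
SAMPLE_CONFIG = """\
curl -sSfL https://updates-prod.s3.amazonaws.com/agent/latest/agent.tar.gz -o agent.tar.gz
aws s3 cp s3://legacy-installer-bucket/setup.sh ./setup.sh
wget https://s3.amazonaws.com/old-deploy-artifacts/v1/bundle.zip
ARTIFACT_URL=https://build-cache.s3.eu-west-1.amazonaws.com/cache.tgz
echo https://example.com/not-an-s3-url
"""

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# starting and ending with a letter or digit.
_BUCKET = r"(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
S3_PATTERNS = (
    # s3://bucket/key
    re.compile(r"s3://" + _BUCKET + r"(?:/|\s|$)"),
    # virtual-hosted style: bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    # path style: s3.amazonaws.com/bucket or s3.<region>.amazonaws.com/bucket
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET + r"(?:/|\s|$)"),
)


def extract_buckets(text: str) -> Set[str]:
    """Return every distinct bucket name referenced in text, across all URL styles."""
    found: Set[str] = set()
    for pattern in S3_PATTERNS:
        for match in pattern.finditer(text):
            found.add(match.group("bucket"))
    return found


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated HEAD on
    https://<bucket>.s3.amazonaws.com/ to a verdict (standard S3 semantics):
      404 NoSuchBucket  -> TAKEOVER_RISK: the name is unclaimed, anyone can register it
      403 AccessDenied  -> CLAIMED: bucket exists and is private
      200               -> CLAIMED: bucket exists and is publicly listable
    Redirects, 5xx and network failures stay UNKNOWN rather than being guessed."""
    if status == 404:
        return "TAKEOVER_RISK"
    if status in (200, 403):
        return "CLAIMED"
    return "UNKNOWN"


def live_probe(bucket: str, timeout: float = 5.0) -> int:
    """Unauthenticated HEAD against the bucket's virtual-hosted endpoint.
    urllib raises HTTPError for 4xx/5xx; its .code is the status we want."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0  # DNS or connection failure, classified UNKNOWN


def audit(text: str, probe: Callable[[str], int] = live_probe) -> Dict[str, str]:
    """Extract bucket references and return {bucket: verdict}. The probe is
    injectable so the audit can run offline against recorded statuses."""
    return {b: classify_status(probe(b)) for b in sorted(extract_buckets(text))}


# Constructed statuses standing in for live responses so the demo runs offline.
FAKE_STATUS = {
    "updates-prod": 403,             # exists, private: still owned
    "legacy-installer-bucket": 404,  # NoSuchBucket: name is up for grabs
    "old-deploy-artifacts": 404,
    "build-cache": 200,              # exists, publicly listable
}


def demo() -> Dict[str, str]:
    return audit(SAMPLE_CONFIG, probe=lambda b: FAKE_STATUS.get(b, 0))


if __name__ == "__main__":
    for bucket, verdict in demo().items():
        print(f"{verdict:14} {bucket}")
```

Run it against real repositories by calling audit() with the default live_probe. A TAKEOVER_RISK result is urgent: either re-register the name under your own account or remove the reference. A CLAIMED result is not a clean bill of health either, since the bucket may now belong to someone else; whoever owns the name, the fix that survives an ownership change is to verify signatures or pinned hashes on downloaded artifacts rather than trusting the bucket.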
This episode of Cyber Security Headlines rounded up a day of cybercrime enforcement and emerging threats: an arrest and a sentencing, a proposed FCC fine, a measurable drop in ransomware payments, and new risks in mobile apps, federated identity, and abandoned cloud storage.
For more detailed coverage of these stories and additional cybersecurity news, visit CISOseries.com.