
Feds Charge Five Men in ‘Scattered Spider’ Roundup – Krebs on Security
Federal prosecutors in Los Angeles this week unveiled criminal charges against five men accused of being part of a hacking group that carried out dozens of cyber intrusions into major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

Visual depiction of attacks by the SMS phishing group known as Scattered Spider and Oktapus. Image: amitaico twitter.com/amitaico.
The five men, aged between 20 and 25, are said to be members of a group called “Scattered Spider” and “Oktapus,” which specializes in SMS-based phishing attacks that trick employees of technology companies into entering their credentials and one-time passwords on phishing websites.
The targeted SMS scams asked employees to click on a link and log into a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees that their VPN credentials were about to expire and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.
These attacks used newly registered domain names, which often contained the name of the target company, e.g. twilio-help[.]com and uriyahuokta[.]com. The phishing websites were often online for only one to two hours at a time, which means they were often taken offline before being flagged by anti-phishing and security services.
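A defender-side sketch of the point above, added here and not part of the original article: because the sites live for only an hour or two, the useful signal is the registration itself, so this scores a feed of new registrations for a watched brand name, a lure word and a recent registration time. The watchlist, lure words, thresholds, timestamps and `.example` domains are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed watchlist: brand string -> domains the organisation really owns.
BRANDS = {"twilio": {"twilio.com"}, "okta": {"okta.com"}}
# Lure themes the article describes: Okta login pages, VPN expiry, schedules, help desks.
LURE_WORDS = ("sso", "vpn", "help", "schedule", "login")
MAX_AGE = timedelta(days=7)   # assumed definition of "newly registered"
THRESHOLD = 3                 # assumed alerting cut-off

def registrable(domain):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    return ".".join(labels[-2:])

def score(domain, registered_at, now):
    """Return (score, reasons) for one domain from a new-registration feed."""
    reg = registrable(domain)
    name = reg.split(".")[0]
    reasons = [f"brand:{b}" for b, owned in BRANDS.items()
               if b in name and reg not in owned]
    if not reasons:
        return 0, []          # no brand reference, or the brand's own domain
    reasons += [f"lure:{w}" for w in LURE_WORDS if w in name]
    points = len(reasons)
    if now - registered_at <= MAX_AGE:
        points += 2           # short-lived sites make registration age the key signal
        reasons.append("new")
    return points, reasons

def flag(feed, now):
    """Return the domains whose score meets THRESHOLD, highest score first."""
    scored = [(score(d, ts, now)[0], d) for d, ts in feed]
    return [d for s, d in sorted(scored, key=lambda x: (-x[0], x[1])) if s >= THRESHOLD]

# Constructed sample feed (domain, registration time); only the first two names
# appear in the article, and every timestamp is invented for the example.
NOW = datetime(2022, 8, 10, 12, 0, tzinfo=timezone.utc)
FEED = [
    ("twilio-help[.]com", NOW - timedelta(hours=1)),
    ("uriyahuokta[.]com", NOW - timedelta(hours=2)),
    ("okta.com", NOW - timedelta(days=5000)),
    ("twilio-helpers.example", NOW - timedelta(days=900)),
    ("vpn-help.example", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    for d in flag(FEED, NOW):
        print(d, *score(d, dict(FEED)[d], NOW))
```

Substring matching on a short brand string such as "okta" will also catch unrelated names, so hits from a check like this are triage candidates rather than verdicts.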
The phishing kits used in these campaigns featured a hidden Telegram messaging bot that instantly forwarded any submitted credentials. The bot allowed the attacker to use a phished username, password and one-time code to log into the real employer’s website as the employee.
In August 2022, multiple security companies gained access to the server that received data from the Telegram bot. The bot repeatedly leaked the Telegram ID and handle of its developer, who used the nickname “Joeleoli”.

The Telegram username “Joeleoli” can be seen sandwiched between information submitted by someone who knew it was phishing and information phished from actual victims.
The Joeleoli moniker registered on the cybercrime forum OGUsers in 2018 with the email address joelebruh@gmail.com, which was also used to create accounts on several websites for a Joel Evans from North Carolina. In fact, prosecutors say Joeleoli’s real name is Joel Martin Evans, a 25-year-old from Jacksonville, North Carolina.
One of Scattered Spider’s first big victims in the 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group subsequently used its access to Twilio to attack at least 163 of its customers. According to prosecutors, the group primarily sought to steal cryptocurrency from victim companies and their employees.
“The defendants allegedly defrauded unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions of dollars from their cryptocurrency accounts,” said Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office.
Many of the hacking group’s phishing domain names were registered through the registrar NameCheap. FBI investigators said that records obtained from NameCheap showed that the people managing these phishing sites were operating from Internet addresses in Scotland. The FBI later obtained records from Virgin Media that showed the address had been rented for several months to Tyler Buchanan, 22, from Dundee, Scotland.

A Scattered Spider phishing lure sent to Twilio employees.
As first reported in June, Buchanan was arrested in Spain while trying to board a flight to Italy. Spanish police told local media that Buchanan, whose alias was “Tylerb”, at one point owned $27 million worth of Bitcoin.
The government says much of Tylerb’s cryptocurrency wealth is the result of successful SIM-swapping attacks, in which scammers transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim, including one-time passwords for authentication or password reset links sent via text message.
According to multiple SIM-swapping channels on Telegram that Tylerb frequented, rival SIM swappers hired thugs to invade his home in February 2023 and threatened to burn him to death. Tylerb is said to have fled the UK after the attack.

Stills from video released by Spain’s National Police show Tyler Buchanan being detained at the airport.
Prosecutors accuse Tylerb of working closely on SIM-swapping attacks with Noah Michael Urban, another alleged Scattered Spider member from Palm Coast, Florida, who used the handles “Sosa,” “Elijah,” and “Kingbob”.
Sosa is known to be a senior member of the broader cybercrime community known as “The Com,” in which hackers loudly brag about high-profile exploits and hacks that almost always start with social engineering — tricking people via phone calls, emails or text messages into revealing credentials that allow remote access to corporate networks.
In January 2024, KrebsOnSecurity broke the news that Urban was arrested in Florida for multiple SIM-swapping attacks. The report noted that Sosa’s alter ego Kingbob often targeted people in the recording industry to steal and share the “Holy Grail,” a slang term used to describe unreleased music recordings by popular artists.
FBI investigators identified a fourth alleged member of the conspiracy, Ahmed Hossam Eldin Elbadawi, a 23-year-old from College Station, Texas, who used some of the cryptocurrency funds stolen from victim companies to pay for accounts used to register phishing domains.
The indictment unsealed Wednesday alleges that Elbadawi, along with another Texas man, Evans Onyaka Osigbo, 20, of Dallas, controlled multiple cryptocurrency accounts used to receive stolen funds.
Members of Scattered Spider are said to have been involved in a September 2023 ransomware attack against the MGM Resorts hotel chain that quickly crippled several MGM casinos. In September 2024, KrebsOnSecurity reported that a 17-year-old boy from the UK was arrested last year by British police as part of the FBI’s investigation into the MGM hack.
Evans, Elbadawi, Osigbo and Urban were each charged with one count of conspiracy to commit wire fraud, one count of conspiracy and one count of aggravated identity theft. Buchanan was named as an indicted co-conspirator and charged with conspiracy to commit wire fraud, conspiracy, wire fraud and aggravated identity theft.
A Justice Department press release states that, if convicted, each defendant faces a statutory penalty of up to 20 years in federal prison for conspiracy to commit wire fraud, up to 5 years in federal prison for conspiracy, and a statutory penalty of up to 20 years in federal prison for aggravated identity theft, with a mandatory consecutive two-year prison sentence. Buchanan also faces up to 20 years in prison on the wire fraud charge.
2024-11-21 20:13:08