Krebs on Security

Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam

Friday, March 17, 2017 at 23:02

Just a friendly reminder that phishing scams which spoof the boss and request W-2 tax data on employees are intensifying as tax time nears. The latest victim shows that even cybersecurity experts can fall prey to these increasingly sophisticated attacks.

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Alexandria, Va.-based Defense Point Security (recently acquired by management consulting giant Accenture) informed current and former employees this week via email that all of the data from their annual W-2 tax forms — including name, Social Security Number, address, compensation, tax withholding amounts — were snared by a targeted spear phishing email.

“I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external release of IRS W-2 Forms for individuals who DPS employed in 2016,” Defense Point CEO George McKenzie wrote in the email alert to employees. “Unfortunately, your W-2 was among those released outside of DPS.”

W-2 scams start with spear phishing emails usually directed at finance and HR personnel. The scam emails will spoof a request from the organization’s CEO (or someone similarly high up in the organization) and request all employee W-2 forms.

Defense Point did not return calls or emails seeking comment. An Accenture spokesperson issued the following brief statement: “Data protection and our employees are top priorities. Our leadership and security team are providing support to all impacted employees.”

The email that went out to Defense Point employees Thursday does not detail when this incident occurred, to whom the information was sent, or how many employees were impacted. But a review of information about the company on LinkedIn suggests the breach letter likely was sent to around 200 to 300 employees nationwide (if we count past employees also).

Among Defense Point’s more sensitive projects is the U.S. Immigration and Customs Enforcement (ICE) Security Operations Center (SOC) based out of Phoenix, Ariz. That SOC handles cyber incident response, vulnerability mitigation, incident handling and cybersecurity policy enforcement for the agency.

Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name. Scammers in tax years past also have massively phished online payroll management account credentials used by corporate HR professionals. This year, they are going after people who run tax preparation firms, and W-2’s are now being openly sold in underground cybercrime stores.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

ANALYSIS

I find it interesting that a company which obviously handles extremely sensitive data on a regular basis and one that manages a highly politicized government agency would not anticipate such attacks and deploy some kind of data-loss prevention (DLP) technology to stop sensitive information from leaving their networks.

Thanks to their mandate as an agency, ICE is likely a high risk target for hacktivists and nation-state hackers. This was not a breach in which data was exfiltrated through stealthy means; the tax data was sent by an employee openly through email. This suggests that either there were no DLP technical controls active in their email environment, or they were inadequately configured to prevent information in SSN format from leaving the network.
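The DLP control the analysis describes is, at its simplest, an outbound mail policy that looks for SSN-formatted data bound for external domains. The following is an added example (not code from the article or from any vendor's DLP product) showing that check in Python: it matches the `NNN-NN-NNNN` pattern, discards numbers the SSA never issues (to reduce false positives on phone-like strings), and blocks only when the recipient is outside the organization. The message samples, the `example.com` internal domain and the threshold policy are all constructed for the demonstration; a production DLP would also inspect attachments and structured exports, which this example does not.

```python
import re
from dataclasses import dataclass

# Constructed sample messages (not taken from the article).
SAMPLE_MESSAGES = [
    {"to": "ceo@example.com", "body": "Hi, the board deck is attached. Thanks!"},
    {"to": "hr@example.com", "body": "Onboarding record: Jane Doe 123-45-6789 (internal use)"},
    {"to": "george.m@dps-lookalike.example.net",   # hypothetical external lookalike domain
     "body": ("Per your request, the 2016 W-2 data:\n"
              "Jane Doe 123-45-6789 $85,000\n"
              "John Roe 234-56-7890 $92,500\n"
              "Placeholder 000-12-3456 (template row)\n")},
]

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organization's own mail domain(s)

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never assigns (000, 666, 9xx; 00; 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every plausible SSN-formatted token in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


@dataclass
class Verdict:
    block: bool
    reason: str
    ssn_count: int


def evaluate_outbound(message: dict, threshold: int = 1) -> Verdict:
    """Policy: block a message to an external domain that carries >= threshold plausible SSNs.

    Internal recipients are allowed but the hit count is returned so it can be logged for audit.
    """
    ssns = find_ssns(message["body"])
    if not ssns:
        return Verdict(False, "no SSN patterns", 0)
    if not is_external(message["to"]):
        return Verdict(False, "internal recipient; SSN hits recorded for audit", len(ssns))
    if len(ssns) >= threshold:
        return Verdict(True, f"{len(ssns)} SSN(s) addressed to external domain", len(ssns))
    return Verdict(False, "below threshold", len(ssns))


def scan_all(messages=SAMPLE_MESSAGES) -> list:
    return [evaluate_outbound(m) for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, scan_all()):
        print(f"{m['to']:40} {'BLOCK' if v.block else 'allow':5} {v.reason}")
```

The third message is the W-2 reply the article describes: two real-looking SSNs to an outside domain trip the policy, while the `000-` template row is ignored. A threshold of one is deliberately strict; raising it trades fewer false positives for the chance that a single record slips through.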

This incident also suggests that perhaps Defense Point does not train their employees adequately in information security, and yet they are trusted to maintain the security environment for a major government agency. This from a company that sells cybersecurity education and training as a service to others.

DON’T BE THE NEXT VICTIM

While there isn’t a great deal you can do to stop someone at your employer from falling for one of these W-2 phishing scams, here are some steps you can take to make it less likely that you will be the next victim of tax refund fraud:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

Consider placing a “security freeze” on one’s credit files with the major credit bureaus. See this tutorial about why a security freeze — also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. While it’s true that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN.

Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

Google Points to Another POS Vendor Breach

Friday, March 17, 2017 at 01:11

For the second time in the past nine months, Google has inadvertently but nonetheless correctly helped to identify the source of a large credit card breach — by assigning a “This site may be hacked” warning beneath the search results for the Web site of a victimized merchant.

A little over a month ago, KrebsOnSecurity was contacted by multiple financial institutions whose anti-fraud teams were trying to trace the source of a great deal of fraud on cards that were all used at a handful of high-end restaurants around the country.

Two of those fraud teams shared a list of restaurants that all affected cardholders had visited recently. A bit of searching online showed that nearly all of those establishments were run by Select Restaurants Inc., a Cleveland, Ohio company that owns a number of well-known eateries nationwide, including Boston’s Top of the Hub; Parker’s Lighthouse in Long Beach, Calif.; the Rusty Scupper in Baltimore, Md.; Parkers Blue Ash Tavern in Cincinnati, Ohio; Parkers’ Restaurant & Bar in Downers Grove, Illinois; Winberie’s Restaurant & Bar with locations in Oak Park, Illinois and Princeton and Summit, New Jersey; and Black Powder Tavern in Valley Forge, PA.

Google’s search listing for Select Restaurants, which indicates Google thinks this site may be hacked.

Knowing very little about this company at the time, I ran a Google search for it and noticed that Google believes the site may be hacked (it still carries this message). This generally means some portion of the site was compromised by scammers who are trying to abuse the site’s search engine rankings to beef up the rankings for “spammy” sites — such as those peddling counterfeit prescription drugs and designer handbags.

The “This site may be hacked” advisory is not quite as dire as Google’s “This site may harm your computer” warning — the latter usually means the site is actively trying to foist malware on the visitor’s computer. But in my experience it’s never a good sign when a business that accepts credit cards has one of these warnings attached to its search engine results.

Case in point: I experienced this exact scenario last summer as I was reporting out the details on the breach at CiCi’s Pizza chain. In researching that story, all signs were pointing to a point-of-sale (POS) terminal provider called Datapoint POS. Just like it did with Select Restaurants’ site, Google reported that Datapoint’s site appeared to be hacked.

Google believed Datapoint’s Web site was hacked.

Select Restaurants did not return messages seeking comment. But as with the breach at Cici’s Pizza chains, the breach involving Select Restaurant locations mentioned above appears to have been the result of an intrusion at the company’s POS vendor — Geneva, Ill.-based 24×7 Hospitality Technology. 24×7 handles credit and debit card transactions for thousands of hotels and restaurants, including more than 200 Buffalo Wild Wings franchises nationwide.

On Feb. 14, 24/7 Hospitality sent a letter to customers warning that its systems recently were hacked by a “sophisticated network intrusion through a remote access application.” Translation: Someone guessed or phished the password that we use to remotely administer point-of-sale systems at its customer locations. 24×7 said the attackers subsequently executed the PoSeidon malware variant, which is designed to siphon card data when cashiers swipe credit cards at an infected cash register (for more on PoSeidon, check out POS Providers Feel Brunt of PoSeidon Malware).

KrebsOnSecurity obtained a copy of the letter (PDF) that 24/7 Hospitality CEO Todd Baker, Jr. sent to Select Restaurants. That missive said even though the intruders apparently had access to all of 24/7 customers’ payment systems, not all of those systems were logged into by the hackers. Alas, this was probably little consolation for Select Restaurants, because the letter then goes on to say that the breach involves all of the restaurants listed on Select’s Web site, and that the breach appears to have extended from late October 2016 to mid-January 2017.

ANALYSIS

From my perspective, organized crime gangs have so completely overrun the hospitality and restaurant point-of-sale systems here in the United States that I just assume my card may very well be compromised whenever I use it at a restaurant or hotel bar/eatery. I’ve received no fewer than three new credit cards over the past year, and I’d wager that in at least one of those cases I happened to have used the card at multiple merchants whose POS systems were hacked at the same time.

But no matter how many times I see it, it’s fascinating to watch this slow motion train wreck play out. Given how much risk and responsibility for protecting against these types of hacking incidents is spread so thinly across the entire industry, it’s little wonder that organized crime gangs have been picking off POS providers for Tier 3 and Tier 4 merchants with PoSeidon en masse in recent years.

I believe one big reason we keep seeing the restaurant and hospitality industry being taken to the cleaners by credit card thieves is that in virtually all of these incidents, the retailer or restaurant has no direct relationships to the banks which have issued the cards that will be run through their hacked POS systems. Rather, these small Tier 3 and Tier 4 merchants are usually buying merchant services off of a local systems integrator who often is in turn reselling access to a third-party payment processing company.

As a result, very often when these small chains or solitary restaurants get hit with PoSeidon, there is no record of a breach that is simple to follow from the breached merchant back to the bank which issued the cards used at those compromised merchants. It is only by numerous financial institutions experiencing fraud from the same restaurants and then comparing notes about possible POS vendors in common among these restaurants that banks and credit unions start to gain a clue about what’s happening and who exactly has been hacked.

But this takes a great deal of time, effort and trust. Meanwhile, the crooks are laughing all the way to the bank. Another reason I find all this fascinating is that the two main underground cybercrime shops that appear to be principally responsible for offloading cards stolen in these Tier 3 and Tier 4 merchant breaches involving PoSeidon — stores like Rescator and Briansdump — both abuse my likeness in their advertisements and on their home pages. Here’s Briansdump:

An advertisement for the carding shop “briansdump[dot]ru” promotes “dumps from the legendary Brian Krebs.” Needless to say, this is not an endorsed site.

Here’s the login page for the rather large stolen credit card bazaar known as Rescator:

The login page for Rescator, a major seller of credit and debit cards stolen in countless attacks targeting retailers, restaurants and hotels.

Point-of-sale malware has driven most of the major retail industry credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a ridiculous number of point-of-sale vendors. The malware sometimes is installed via hacked remote administration tools like LogMeIn; in other cases the malware is relayed via “spear-phishing” attacks that target company employees. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Finally, if your credit card is compromised, try not to lose sleep over it: The chances of your finding out how that card was compromised are extremely low. This story seeks to explain why.

Four Men Charged With Hacking 500M Yahoo Accounts

Thursday, March 16, 2017 at 01:49

“Between two evils, I always pick the one I never tried before.” -Karim Baratov (paraphrasing Mae West)

The U.S. Justice Department today unsealed indictments against four men accused of hacking into a half-billion Yahoo email accounts. Two of the men named in the indictments worked for a unit of the Russian Federal Security Service (FSB) that serves as the FBI’s point of contact in Moscow on cybercrime cases. Here’s a look at the accused, starting with a 22-year-old who apparently did not try to hide his tracks.

According to a press release put out by the Justice Department, among those indicted was Karim Baratov (a.k.a. Kay, Karim Taloverov), a Canadian and Kazakh national who lives in Canada. Baratov is accused of being hired by the two FSB officer defendants in this case — Dmitry Dokuchaev, 33, and Igor Sushchin, 43 — to hack into the email accounts of thousands of individuals.

Karim Baratov (a.k.a. Karim Taloverov), as pictured in 2014 on his own site, mr-karim.com. The license plate on his BMW pictured here is Mr. Karim.

Reading the Justice Department’s indictment, it would seem that Baratov was perhaps the least deeply involved in this alleged conspiracy. That may turn out to be true, but he also appears to have been the least careful about hiding his activities, leaving quite a long trail of email hacking services that took about 10 minutes of searching online to trace back to him specifically.

Security professionals are fond of saying that any system is only as secure as its weakest link. It would not be at all surprising if Baratov was the weakest link in this conspiracy chain.

A look at Mr. Baratov’s Facebook and Instagram photos indicates he is heavily into high-performance sports cars. His profile picture shows two of his prized cars — a Mercedes (pictured above) and an Aston Martin — parked in the driveway of his single-family home in Ontario.

A simple reverse WHOIS search at domaintools.com on the name Karim Baratov turns up 81 domains registered to someone by this name in Ontario. Many of those domains include the names of big email providers like Google and Yandex, such as accounts-google[dot]net and www-yandex[dot]com.

Other domains appear to be Web sites selling email hacking services. One of those is a domain registered to Baratov’s home address in Ancaster, Ontario called infotech-team[dot]com. A cached copy of that site from archive.org shows this once was a service that offered “quality mail hacking to order, without changing the password.” The service charged roughly $60 per password.

Archive.org’s cache of infotech-team.com, an email hacking service registered to Baratov.

The proprietors of Infotech-team[dot]com advertise the ability to steal email account passwords without actually changing the victim’s password. According to the Justice Department, Baratov’s service relied on “spear phishing” emails that targeted individuals with custom content and enticed the recipient into clicking a link.

Antimail[dot]org is another domain registered to Baratov that was active between 2013 and 2015. It advertises “quality-mail hacking to order!”:

Another email hacking business registered to Baratov is xssmail[dot]com, which also has for several years advertised the ability to break into email accounts of virtually all of the major Webmail providers. XSS is short for “cross-site-scripting.” XSS attacks rely on vulnerabilities in Web sites that don’t properly parse data submitted by visitors in things like search forms or anyplace one might enter data on a Web site.

In the context of phishing links, the user clicks the link and is actually taken to the domain he or she thinks they are visiting (e.g., yahoo.com), but the vulnerability allows the attacker to inject malicious code into the page that the victim is visiting.

This can include fake login prompts that send any data the victim submits directly to the attacker. Alternatively, it could allow the attacker to steal “cookies,” text files that many sites place on visitors’ computers to validate whether they have visited the site previously, as well as if they have authenticated to the site already.
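The reflected XSS the last three paragraphs describe comes down to one missing step: the site writes visitor-supplied text back into the page as markup instead of as text. The following is an added example, not code from the article or from any of the services it names, written in Python to keep it self-contained. It extracts a search term from a constructed URL, renders it once unescaped (the vulnerable form) and once through `html.escape` (the hardened form), and shows the `HttpOnly` cookie attribute that keeps a session cookie out of script reach even when injection does succeed. The `webmail.example.com` URL, the page template and the `contains_active_markup` heuristic are all assumptions made for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request (not from the article): the "q" parameter carries a script tag.
SAMPLE_URL = "https://webmail.example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_search_vulnerable(term: str) -> str:
    # Reflects the raw term into the page; the browser parses any tags it contains.
    return f"<h1>Results for {term}</h1>"


def render_search_safe(term: str) -> str:
    # Escapes <, >, &, " and ' so the browser treats the term as text, not markup.
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def contains_active_markup(page: str) -> bool:
    """Toy heuristic for the demo: does the rendered page still contain script-capable markup?"""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered


def session_cookie_header(value: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie; Secure and SameSite limit where it is sent.
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo(url: str = SAMPLE_URL) -> dict:
    term = query_param(url, "q")
    return {
        "term": term,
        "vulnerable": render_search_vulnerable(term),
        "safe": render_search_safe(term),
        "cookie": session_cookie_header("constructed-session-id"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```

Output encoding has to match the context (HTML body here; attribute, URL and JavaScript contexts each need their own escaping), which is why frameworks with auto-escaping templates are preferable to hand-rolled string formatting.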

Archive.org’s cache of xssmail.com

Perhaps instead of or in addition to using XSS attacks in targeted phishing emails, Baratov also knew about or had access to other cookie-stealing exploits collected by another accused in today’s indictments: Russian national Alexsey Alexseyevich Belan.

According to government investigators, Belan has been on the FBI’s Cyber Most Wanted list since 2013 after breaking into and stealing credit card data from a number of e-commerce companies. In June 2013, Belan was arrested in a European country on request from the United States, but the FBI says he was able to escape to Russia before he could be extradited to the U.S.

A screenshot from the FBI’s Cyber Most Wanted List for Alexsey Belan.

The government says the two other Russian nationals who were allegedly part of the conspiracy to hack Yahoo — the aforementioned FSB Officers Dokuchaev and Sushchin — used Belan to gain unauthorized access to Yahoo’s network. Here’s what happened next, according to the indictments:

“In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or ‘mint,’ account authentication web browser ‘cookies’ for more than 500 million Yahoo accounts.

“Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.”
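The indictment's phrase "mint cookies" means producing an authentication cookie the server accepts without ever going through a login, which is possible for anyone holding the material the server uses to make them. The following is an added example, not code from the article and not a description of Yahoo's actual implementation, of one common design in Python: a cookie carrying the user ID and an expiry, authenticated with an HMAC under a server-side key. It shows why possession of the key is enough to mint valid cookies, and why the first defensive step after a suspected key compromise is rotation, which turns every previously minted cookie into a verification failure. The key values and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import time

# Constructed keys for the demo; a real deployment uses long random keys from a secret store.
OLD_KEY = b"constructed-signing-key-before-rotation"
NEW_KEY = b"constructed-signing-key-after-rotation"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_cookie(user_id: str, key: bytes, now: int = None, ttl: int = 3600) -> str:
    """Build '<user>.<expiry>.<tag>' where tag = HMAC-SHA256(key, '<user>.<expiry>').

    Anyone holding `key` can call this for any user: that is the whole problem.
    """
    now = int(time.time()) if now is None else int(now)
    payload = f"{user_id}.{now + ttl}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes, now: int = None):
    """Return the user ID if the cookie's tag matches under `key` and it is unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        user_id, exp, tag = cookie.rsplit(".", 2)
        exp = int(exp)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, f"{user_id}.{exp}".encode(), hashlib.sha256).digest())
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    if exp < now:
        return None
    return user_id


def rotation_effect(user_id: str = "alice", now: int = 1_000_000) -> dict:
    """Mint under the old key, then check it under old and new keys and after tampering."""
    cookie = mint_cookie(user_id, OLD_KEY, now=now)
    return {
        "old_key_accepts": verify_cookie(cookie, OLD_KEY, now=now + 60),
        "new_key_accepts": verify_cookie(cookie, NEW_KEY, now=now + 60),
        "tampered_accepts": verify_cookie(cookie.replace(user_id, "admin", 1), OLD_KEY, now=now + 60),
        "expired_accepts": verify_cookie(cookie, OLD_KEY, now=now + 7200),
    }


if __name__ == "__main__":
    for k, v in rotation_effect().items():
        print(f"{k:18} {v}")
```

Rotation alone forces every legitimate user to log in again, which is the intended cost. Designs that additionally keep a server-side session record (so a cookie must correspond to a session the server created) let a defender revoke individual sessions and detect cookies that were never issued, rather than relying on the key alone.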

U.S. investigators say Dokuchaev was an FSB officer assigned to the Second Division of FSB Center 18, also known as the FSB Center for Information Security. Dokuchaev’s colleague Sushchin was an FSB officer embedded as a purported employee and Head of Information Security at a Russian financial firm, where he monitored the communications of the firm’s employees.

According to the Justice Department, some victim accounts that Dokuchaev and Sushchin asked Belan and Baratov to hack were of predictable interest to the FSB (a foreign intelligence and law enforcement service), such as personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. Other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, U.S. financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a U.S. airline.

“During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers,” the Justice Department charged in its press statement about the indictments.

“Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic,” the government alleges.

Each of the four men faces 47 criminal charges, including conspiracy, computer fraud, economic espionage, theft of trade secrets and aggravated identity theft.

Dokuchaev, who is alleged to have used the hacker nickname “Forb,” was arrested in December in Moscow. According to a report by the Russian news agency Interfax, Dokuchaev was arrested on charges of treason for allegedly sharing information with the U.S. Central Intelligence Agency (CIA). For more on that treason case, see my Jan. 28, 2017 story, A Shakeup in Russia’s Top Cybercrime Unit.

For more on Dokuchaev’s allegedly checkered past (Russian news sites report that he went to work for the FSB to avoid being prosecuted for bank fraud), check out this fascinating story from Russian news outlet Vedomosti, which featured an interview with the hacker Forb from 2004.

In September 2016, Yahoo first disclosed the theft of 500 million accounts that is being attributed to this conspiracy. But in December 2016, Yahoo acknowledged that a separate hack from 2013 that it attributed to a “state-sponsored actor” had jeopardized more than a billion user accounts.

The New York Times reports that Yahoo said it has not been able to glean much information about that attack, which was uncovered by InfoArmor, an Arizona security firm. Interestingly, that attack also involved the use of forged Yahoo cookies, according to a statement from Yahoo’s chief information security officer.

The one alleged member of this conspiracy who would have been simple to catch is Baratov, as he does not appear to have hidden his wealth and practically peppers the Internet with pictures of six-digit sports cars he has owned over the years.

Baratov was arrested on Tuesday in Canada, where the matter is now pending with Canadian authorities. U.S. prosecutors are now trying to seize Baratov’s black Mercedes Benz C54 and his Aston Martin DBS, arguing that they were purchased with the proceeds from cybercrime activity.

A redacted copy of the indictment is available here.

Adobe, Microsoft Push Critical Security Fixes

Tuesday, March 14, 2017 at 21:50

Adobe and Microsoft each pushed out security updates for their products today. Adobe plugged at least seven security holes in its Flash Player software. Microsoft, which delayed last month’s Patch Tuesday until today, issued an unusually large number of update bundles (18) to fix dozens of flaws in Windows and associated software.

Microsoft’s patch to fix at least five critical bugs in the Windows file-sharing service is bound to make a great many companies nervous before they get around to deploying this week’s patches. Most organizations block internal file-sharing networks from talking directly to their Internet-facing networks, but these flaws could be exploited by a malicious computer worm to spread very quickly once inside an organization with a great many unpatched Windows systems.

Another critical patch (MS17-013) covers a slew of dangerous vulnerabilities in the way Windows handles certain image files. Malware or miscreants could exploit the flaws to foist malicious software without any action on the part of the user, aside from perhaps just browsing to a hacked or booby-trapped Web site.

According to a blog post at the SANS Internet Storm Center, the image-handling flaw is one of six bulletins Microsoft released today which include vulnerabilities that have either already been made public or that are already being exploited. Several of these are in Internet Explorer (CVE-2017-0008/MS17-006) and/or Microsoft Edge (CVE-2017-0037/MS17-007).

For a more in-depth look at today’s updates from Microsoft, check out this post from security vendor Qualys.

And as per usual, Adobe used Patch Tuesday as an occasion to release updates for its Flash Player software. The latest update brings Flash to v. 25.0.0.127 for Windows, Mac and Linux users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

Finally, Adobe also issued a patch for its Shockwave Player, which is another program you should probably ditch if you don’t have a specific need for it. The long and short of it is that Shockwave often contains the same exploitable Flash bugs but doesn’t get patched anywhere near as often as Flash. Please read Why You Should Ditch Adobe Shockwave if you have any doubts on this front.

As always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.

If Your iPhone is Stolen, These Guys May Try to iPhish You

Tuesday, March 14, 2017 at 06:17

KrebsOnSecurity recently featured the story of a Brazilian man who was peppered with phishing attacks trying to steal his Apple iCloud username and password after his wife’s phone was stolen in a brazen daylight mugging. Today, we’ll take an insider’s look at an Apple iCloud phishing gang that appears to work quite closely with organized crime rings — within the United States and beyond — to remotely unlock and erase stolen Apple devices.

Victims of iPhone theft can use the Find My iPhone feature to remotely locate, lock or erase their iPhone — just by visiting Apple’s site and entering their iCloud username and password. Likewise, an iPhone thief can use those iCloud credentials to remotely unlock the victim’s stolen iPhone, wipe the device, and resell it. As a result, iPhone thieves often subcontract the theft of those credentials to third-party iCloud phishing services. This story is about one of those services.

The iCloud account phishing text that John’s friend received months after losing a family iPhone.

Recently, I heard from a security professional whose close friend received a targeted attempt to phish his Apple iCloud credentials. The phishing attack came several months after the friend’s child lost his phone at a public park in Virginia. The phish arrived via text message and claimed to have been sent from Apple. It said the device tied to his son’s phone number had been found, and that its precise location could be seen for the next 24 hours by clicking a link embedded in the text message.

That security professional source — referred to as “John” for simplicity’s sake — declined to be named or credited in this story because some of the actions he took to gain the knowledge presented here may run afoul of U.S. computer fraud and abuse laws.

John said his friend clicked on the link in the text message he received about his son’s missing phone and was presented with a fake iCloud login page: appleid-applemx[dot]us. A lookup on that domain indicates it is hosted on a server in Russia that is or was shared by at least 140 other domains — mostly other apparent iCloud phishing sites — such as accounticloud[dot]site; apple-appleid[dot]store; apple-devicefound[dot]org; and so on (a full list of the domains at that server is available here).

While the phishing server may be hosted in Russia, its core users appear to be in a completely different part of the world. Examining the server more closely, John noticed that it was (mis)configured in a way that leaked data about various Internet addresses that were seen recently accessing the server, as well as the names of specific directories on the server that were being accessed.

After monitoring that logging information for some time, my source discovered there were five Internet addresses that communicated with the server multiple times a day, and that those addresses corresponded to devices located in Argentina, Colombia, Ecuador and Mexico.

He also found a file openly accessible on the Russian server which indicated that an application running on the server was constantly sending requests to imei24.com and imeidata.net — services that allow anyone to look up information about a mobile device by entering its unique International Mobile Equipment Identity (IMEI) number. These services return a variety of information, including the make and model of the phone, whether Find My iPhone is enabled for the device, and whether the device has been locked or reported stolen.

John said that as he was conducting additional reconnaissance of the Russian server, he tried to access “index.php” — which commonly takes one to a site’s home page — when his browser was redirected to “login.php” instead. The resulting page, pictured below, is a login page for an application called “iServer.” The login page displays a custom version of Apple’s trademarked logo as part of a pirate’s skull and crossbones motif, set against a background of bleeding orange flames.


The login page for an Apple iCloud credential phishing operation apparently used to unlock and remotely wipe stolen iPhones.

John told me that in addition to serving up that login page, the server also returned the HTML contents of the “index.php” he originally requested from the server. When he saved the contents of index.php to his computer and viewed it as a text file, he noticed it inexplicably included a list of some 137 user names, email addresses and expiration dates for various users who’d apparently paid a monthly fee to access the iCloud phishing service.

“These appear to be ‘resellers’ or people that have access to the crimeware server,” my source said of the user information listed in the server’s “index.php” file.


John told KrebsOnSecurity that with very little effort he was able to guess the password of at least two other users listed in that file. After John logged into the iCloud phishing service with those credentials, the service informed him that the account he was using had expired. John was then prompted to pay for at least one more month’s subscription access to the server in order to continue.

Playing along, John said he clicked the “OK” button indicating he wished to renew his subscription, and was taken to a shopping cart hosted on the domain hostingyaa[dot]com. That payment form in turn was accepting PayPal payments for an account tied to an entity called HostingYaa LLC; viewing the HTML source on that payment page revealed the PayPal account was tied to the email address “admin@hostingyaa[dot]com.”

According to the file coughed up by the Russian server, the first username in that user list — demoniox12 — is tied to an email address admin@lanzadorx.net and to a zero-dollar subscription to the phishing service. This strongly indicates the user in question is an administrator of this phishing service.

A review of Lanzadorx[dot]net indicates that it is a phishing-as-a-service offering that advertises the ability to launch targeted phishing attacks at a variety of free online services, including accounts at Apple, Hotmail, Gmail and Yahoo, among others.

A reverse WHOIS lookup ordered from Domaintools.com shows that the admin@lanzadorx.net email is linked to the registration data for exactly two domains — hostingyaa[dot]info and lanzadorx[dot]net [full disclosure: Domaintools is currently one of several advertisers on KrebsOnSecurity].

Hostingyaa[dot]info is registered to a Dario Dorrego, one of the other zero-dollar accounts included near the top of the list of users that are authorized to access the iCloud phishing service. The site says Dorrego’s account corresponds to the email address dario@hostingyaa[dot]com. That name Dario Dorrego also appears in the site registration records for 31 other Web site domains, all of which are listed here.

John said he was able to guess the passwords for at least six other accounts on the iCloud phishing service, including one particularly interesting user and possible reseller of the service who picked the username “Jonatan.” Below is a look at the home screen for Jonatan’s account on this iCloud phishing service. We can see the system indicates Jonatan was able to obtain at least 65 “hacked IDs” through this service, and that he pays USD $80 per month for access to it.


“Jonatan,” a user of this iCloud account credential phishing service. Note the left side panel indicates the number of records and hacked IDs recorded for Jonatan’s profile.

Here are some of the details for “Tanya,” one such victim tied to Jonatan’s account. Tanya’s personal details have been redacted from this image:


This page from the iCloud phishing service shows the redacted account details phished from an iPhone user named Tanya.

Here is the iCloud phishing page Tanya would have seen if she clicked the link sent to her via text message. Note that the victim’s full email address is automatically populated into the username portion of the login page to make the scam feel more like Apple’s actual iCloud site:


The page below from Jonatan’s profile lists each of his 60+ victims individually, detailing their name, email address, iCloud password, phone number, unique device identifier (IMEI), iPhone model/generation and some random notes apparently inserted by Jonatan:


The next screen shot shows the “SMS sent” page. It tracks which victims were sent which variation of phishing scams offered by the site; whether targets had clicked a link in the phony iCloud phishing texts; and if any of those targets ever visited the fake iCloud login pages:


Users of this phishing service can easily add a new phishing domain if their old links get cleaned up or shut down by anti-phishing and anti-spam groups. This service also advertises the ability to track when phishing links have been flagged by anti-phishing companies:


This is where the story turns both comical and ironic. Many times, attackers will test their exploit on themselves whilst failing to fully redact their personal information. Jonatan apparently tested the phishing attacks on himself using his actual Apple iCloud credentials, and this data was indexed by Jonatan’s phishing account at the fake iCloud server. In short, he phished himself and forgot to delete the successful results. Sorry, but I’ve blurred out Jonatan’s iCloud password in the screen shot here:


See if you can guess what John did next? Yes, he logged into Jonatan’s iCloud account. Helpfully, one of the screenshots in the photos saved to Jonatan’s iCloud account is of Jonatan logged into the same phishing server that leaked his iCloud account information!


The following advertisement for Jonatan’s service — also one of the images John found in Jonatan’s iCloud account — includes the prices he charges for his own remote iPhone unlocking service. It appears the pricing is adjusted upwards considerably for phishing attacks on newer model stolen iPhones. The price for phishing an iPhone 4 or 4s is $40 per message, versus $120 per message for phishing attacks aimed at iPhone 6s and 6s plus users. Presumably this is because the crooks hiring this service stand to make more money selling newer phones.


The email address that Jonatan used to register on the Apple iPhone phishing service — shown in one of the screen shots above as jona_icloud@hotmail.com — also was used to register an account on Facebook tied to a Jonatan Rodriguez who says he is from Puerto Rico. It just so happens that this Jonatan Rodriguez on Facebook also uses his profile to advertise a “Remove iCloud” service. What are the odds?


Jonatan’s Facebook profile page.

Well, pretty good considering this Facebook user also is the administrator of a Facebook Group called iCloud Unlock Ecuador – Worldwide. Incredibly, Facebook says there are 2,797 members of this group. Here’s what they’re all about:


Jonatan’s Facebook profile picture would have us believe that he is a male model, but the many selfies he apparently took of himself and left in his iCloud account show a much softer side of Jonatan:


Jonatan, in a selfie he uploaded to his iCloud account. Jonatan unwittingly gave away the credentials to his iCloud account because the web site where his iCloud account phishing service provider was hosted had virtually no security (nor did Jonatan, apparently). Other photos in his archive include various ads for his iPhone unlocking service.

Among the members of this Facebook group is one “Alexis Cadena,” whose name appears in several of the screenshots tied to Jonatan’s account in the iCloud phishing service:


Alexis Cadena apparently also has his own iCloud phishing service. It’s not clear if he sub-lets it from Jonatan or what, but here are some of Alex’s ads:


Coming back to Jonatan, the beauty of the iCloud service (and the lure used by Jonatan’s phishing service) is that iPhones can be located fairly accurately to a specific address. Alas, because Jonatan phished his own iCloud account, we can see that according to Jonatan’s iCloud service, his phone was seen in the following neighborhood in Ecuador on March 7, 2017. The map shows a small radius of a few blocks within Yantzaza, a town of 10,000 in southern Ecuador:


Jonatan’s home town, according to the results of his “find my iphone” feature in iCloud.

Jonatan did not respond to multiple requests for comment.
