HackerTrans
TopNewTrendsCommentsPastAskShowJobs

krebsonsecurity

no profile record

Submissions

Who runs the ransomware group 'The Gentlemen?'

krebsonsecurity.com
15 points·by krebsonsecurity·mese scorso·0 comments

comments

krebsonsecurity
·7 mesi fa·discuss
Sometimes just a little bit DNS research can yield a lot of useful results.

Looking at the passive DNS records for the domain chanceletikva.org shows it references the email address [email protected] email address is tied to multiple website registrations for a person by the name of David Margaliot, and also Shoshana Margaliot.

A search on this name in Domaintools finds the name David Margaliot tied to at least 25 domains, including ezri.org.il, which is a very odd site that features a huge image of a young child who is apparently in the hospital holding a gift wrapped box with a teddy bear. The site asks for donations but has a strange mission statement: Ezri Association promotes life-saving innovation through a surveillance drone project for emergency response teams, the establishment of an international medical knowledge database, along with other technological initiatives".

I'll probably continue the rest of this in a follow-up story.
krebsonsecurity
·2 anni fa·discuss
I interviewed some smart people about their research in story published today:

https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-...
krebsonsecurity
·2 anni fa·discuss
Thanks. I did update the story to reflect the apparent fix. I'm still trying to verify if this behavior remains in some form.
krebsonsecurity
·2 anni fa·discuss
This is the way. You don't have to protect what you don't collect. Mullvad is an excellent example of this. They don't even want you to pick a password, and they're fine if you just mail them cash as payment.
krebsonsecurity
·2 anni fa·discuss
Their earlier statement said they were aware of the CEO's history but were assured that part of his life was behind him. From that statement on March 15: “We were aware of the past affiliations with the entities named in the article and were assured they had ended prior to our work together,” the statement reads. “We’re now looking into this further. We will always put the privacy and security of our customers first and will provide updates as needed.”

https://krebsonsecurity.com/2024/03/ceo-of-data-privacy-comp...
krebsonsecurity
·2 anni fa·discuss
It's good to see others coming forward with what they know.

Previous discussion on this here: https://news.ycombinator.com/item?id=39709089

Original story: https://krebsonsecurity.com/2024/03/ceo-of-data-privacy-comp...
krebsonsecurity
·2 anni fa·discuss
Possibly useful info: A list of customer domains affected.

https://docs.google.com/spreadsheets/d/1wgKe1VrfNF8Afav1aJtM...

One caveat: This list should not be considered exhaustive or complete by any means. e.g. changing the URL slightly by incrementing or decrementing a number in the URL caused a slightly different set of customers to be listed. I didn’t have a chance to go through it all before they took it down (note to self: pillage BEFORE burning).
krebsonsecurity
·2 anni fa·discuss
The identity of the defendant has been doing this for many years and is one of the original members of the Com. The people in that scene sim-swapping artists for their music are those that have already made their stolen millions, and have long ago graduated from stealing usernames and gamertag handles.
krebsonsecurity
·3 anni fa·discuss
https://www.ftc.gov/legal-library/browse/statutes/fair-credi...

IANAL either, but it seems the losses suffered from ID fraud are only recoverable via this.
krebsonsecurity
·3 anni fa·discuss
Some of the exposure in these cases is due to the fact that you have cybercriminals who've been doing the same things for more than a decade. That is a very long time in which to make just a few key opsec mistakes, and also most RU cybercriminals back then did not take as much care to cover their tracks as they do today.
krebsonsecurity
·3 anni fa·discuss
Not sure if it's exactly the same thing as what you just mentioned, but I did write recently about criminals using paid Google ads to get their links for popular software downloads show up before even the first organic search result. And it includes the right icons and branding, and people click and are brought to a site that looks an awful lot like a site Microsoft might use to let you download Teams, and you get an information stealer program instead.

Tl;dr, there are multiple ransomware groups that are using this method to find new infostealer victims.

https://krebsonsecurity.com/2023/09/snatch-ransom-group-expo...