- NordVPN and TechRadar uncover three global cybercrime campaigns
- Legacy FCKeditor flaw exploited to hijack more than 1,300 domains; crypto deposit scam deceives victims into paying fake “fees”
- Chinese-speaking actor runs more than 800 fraudulent e-commerce sites offering time-sensitive, too-good-to-be-true deals
A number of large, global, interconnected cybercriminal operations have been found to be abusing existing software, people’s trust in digital platforms and the desire to get rich quick, to target people with malware and wire fraud.
A new research report, jointly released by NordVPN’s Threat Intelligence research unit and TechRadar’s security team, revealed that the first campaign revolved around existing software called FCKeditor, an older web-based rich text editor that runs in a browser.
It is a mini version of Microsoft Word integrated into a website, and it was widely used in early CMS platforms, forums, and admin panels in the early 2000s and 2010s.
Even though FCKeditor is no longer maintained, many major websites still actively use it and are being hunted by cybercriminals. In February 2024, TechRadar reported that “dozens of educational websites” had been exploited in this way to poison search engine results, serve phishing sites to victims and engage in all manner of fraudulent activities.
At the time, a security researcher alias @g0njxa discovered that the websites of MIT, Columbia University, University of Barcelona, Auburn University, University of Washington, Purdue, Tulane, Central University of Ecuador and the University of Hawaii were all targeted. In addition to academic sites, the campaign also targeted government and business websites, such as the Virginia government site, Austin, Texas, the Spanish government website and Yellow Pages Canada.
FCKeditor is no longer maintained and is vulnerable to CVE-2009-2265, a group of directory traversal vulnerabilities that allow remote attackers to create executable files in arbitrary directories. According to NordVPN and TechRadar, malicious actors recently used this flaw to compromise more than 1,300 high-value domains, including government, public and corporate websites, high-value brands, and research institutions.
After taking control of the sites, the scammers used them as launching pads to distribute malware or redirect traffic to fake e-commerce sites and phishing pages.
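A defender-side check that follows from the above, added here as an illustrative example and not code from NordVPN or TechRadar: it scans web-server access logs for requests to the legacy FCKeditor file-manager connector (any such request is worth a finding, since the component should not be deployed at all) and escalates those whose CurrentFolder parameter carries directory-traversal sequences, especially on commands that write to disk. The connector path fragment, the command names and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:09:12:01 +0000] "GET /news/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2025:09:12:07 +0000] "GET /fckeditor/editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File&CurrentFolder=/ HTTP/1.1" 200 310 "-" "curl/8.0"
203.0.113.9 - - [10/May/2025:09:12:09 +0000] "POST /fckeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2e%2e%2f%2e%2e%2fadmin%2f HTTP/1.1" 200 88 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed path fragment of the legacy file-manager connector; adjust to your deployment.
CONNECTOR_RE = re.compile(r"fckeditor.*filemanager/connectors", re.IGNORECASE)
# Assumed connector commands that create files or folders on disk.
WRITE_COMMANDS = {"fileupload", "createfolder"}
# ".." as a whole path component, with either slash style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def classify(line):
    """Return a finding dict for one log line, or None if the line is not connector traffic."""
    m = LINE_RE.match(line)
    if not m or not CONNECTOR_RE.search(m["target"]):
        return None
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(m["target"]).query).items()}
    # parse_qs decodes once; decode again so double-encoded sequences (%252e) are caught too.
    folder = unquote(query.get("currentfolder", ""))
    command = query.get("command", "").lower()
    finding = {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
               "command": command, "folder": folder, "severity": "legacy-component"}
    if TRAVERSAL_RE.search(folder):
        finding["severity"] = "traversal-write" if command in WRITE_COMMANDS else "traversal"
    elif command in WRITE_COMMANDS:
        finding["severity"] = "write"
    return finding

def scan(log_text):
    """Classify every line of an access log and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["time"], f["command"], repr(f["folder"]))
```

On real logs, a successful (HTTP 200) "traversal-write" finding followed by requests to a new script under the targeted folder is the pattern to chase first.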
Crypto phishing
The second threat is a “highly organized” phishing and fraud campaign that tricks people into making fraudulent payments. It starts with an email alerting the victim of a large crypto deposit (usually 15 bitcoins) to a new wallet on an exchange. The victim is given a link and login credentials which, if used, leads to a fake wallet or exchange website displaying the “funds”.
The victim is then tricked into paying “gas fees” (transaction fees) or “taxes” in order to withdraw the crypto. The money they give in this way is then lost to the attackers, probably forever.
NordVPN’s investigation discovered more than 100 active domains used in this campaign.
“This is social engineering on an elite scale,” said Domininkas Virbickas, director of product at NordVPN. “Criminals are exploiting the allure – and confusion – of cryptocurrency to reinvent old scams in new digital forms.”
Hundreds of fake e-commerce sites
The third campaign is even larger: more than 800 fraudulent e-commerce domains, across all kinds of categories – from fashion to automotive to health products.
Attributed to a single Chinese-speaking threat actor, the network is built using WordPress, WooCommerce, and Elementor and offers limited-time deals that are too good to be true. Victims, eager not to miss this unique opportunity, let their guard down and end up making payments without ever getting what they paid for.
“These ‘boutiques’ lure victims with unrealistic offers, creating urgency and circumventing consumer skepticism. Indicators of Chinese origin include untranslated Chinese characters and network-localized file artifacts. NordVPN linked the sites via shared digital footprints and discovered consistent hosting under the Spaceship, Inc. registrar,” says Domininkas Virbickas.
“This network demonstrates the industrialization of online fraud,” Virbickas added. “Automation and template-based site creation now allows individual actors to operate entire fraudulent ecosystems that imitate legitimate online retail.”