Pig Butchering Is Even Worse Than You Think

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by enterprise browser maker Island.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

A harrowing new UN report describes how hundreds of thousands of trafficked people are forced into working in online scam operations.

These operations cover the gamut from online fraud such as romance scams and fake cryptocurrency investment schemes to illegal gambling. They take place in online scam centres known as "boiler rooms" or "pig-butchering farms".

The human toll is staggering. The report says that at least 120,000 people across Myanmar and 100,000 in Cambodia are thought to be forced to work on online scams. The report cites Myanmar's military coup, ongoing violence and breakdown in the rule of law as significant factors in the proliferation of boiler rooms in the country.

The report describes the Philippines, Thailand and Laos as transit or destination countries "where at least tens of thousands of people" have been involved. Police operations in the Philippines rescued over 1,000 people in May of this year and another 2,700 people in June from this kind of forced labour.

The workers are lured to the online scam centres by the promise of an attractive job with a high salary, regular bonuses, free accommodation and food. Unlike previously documented trafficking, which usually involved low-skilled work, the report says the profile of these victims is quite different:

Many of the victims are well-educated, sometimes coming from professional jobs or with graduate or even post-graduate degrees, computer-literate and multilingual. Victims come from across the ASEAN region (from Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam), as well as mainland China, Hong Kong and Taiwan, South Asia, and even further afield from Africa and Latin America.

Once they arrive at the country in which the online scam centre is located, these workers often have their passports taken and they are placed in gated compounds. They are forced to work by threat of force. Per the report:

Reports commonly describe people being subjected to torture, cruel and degrading treatment and punishments including the threat or use of violence (as well as being made to witness violence against others) most commonly beatings, humiliation, electrocution and solitary confinement, especially if they resist orders or disobey compound rules or if they do not meet expected scamming targets. Reports have also been received of sexual violence, including gang rape as well as trafficking into the sex sector, most usually as punishment, for example for failing to meet their targets.

Traffickers also levy debts on the migrants, claiming costs for travel, quarantine, training and living costs and also performance-related fines.

The COVID-19 pandemic and associated response measures had a drastic impact on activities across the region. These events left large numbers of migrant workers unemployed and prompted people worldwide to spend more time online. This increased the pool of potential targets.

The PRC in particular has been hard hit by these scams. Per Catalin Cimpanu at Risky Business News:

With a large portion of call centre workers being Chinese nationals, China has been one of the most impacted countries by the "boiler room" and "pig butchering" epidemic…

A Chinese film named "No More Bets" was this summer's highest-grossing movie on China's internal market. The film follows the adventures and inhumane treatment a Chinese programmer goes through after being lured to work for one of these call centres — showing how prevalent these scams and recruitment schemes have become across China.

In June this year China's ambassador to Myanmar asked the military junta to crack down on the online scam centres operating in Myanmar's north. Results include about 300 people in total being arrested in four different actions.

These scams are thought to generate billions of dollars each year, and of course, the people who lose money to these scams are another set of victims. Many of the scams are long-term efforts that build rapport with a victim over time to encourage them to invest money in a non-existent asset.

This is a complex problem, and the report recognises that weak rule of law, poor governance, corruption and the Covid-19 pandemic all play a part in the rise of the forced online scam issue.

There is an important role for internet companies to play here. As the report notes, "the prominent role of social media and other digital platforms is an inherent — and striking — feature of these online scam operations". Online platforms are used to both recruit unwitting workers and to cultivate targets.

The UN report names Boo, Facebook, Grindr, Hinge, Instagram, Lazada, Line, LinkedIn, Meet Me, Muslima, OkCupid, Omi, Shopee, Skout, Telegram, TikTok, Tinder, WeChat, WhatsApp, and Wink as the networks used by scammers to defraud people. It also says advertisements to recruit workers were placed on social media such as Facebook, Instagram and Tinder.

We think governments should ask what these platforms can do to mitigate these crimes, both in worker recruitment and scams. Platform efforts won't solve this problem, but given its scale, even an incremental improvement could potentially stop thousands of people from being scammed or forced to work in an online scam centre.

Telstra's Digicel Pacific Linked To Commercial Spy Operations

A Pacific Islands mobile phone operator, Digicel Pacific, has likely been used by commercial spy firms to track people and intercept their data.

These particular attacks don't require Digicel's network, but instead rely on leasing the firm’s "global titles", a type of network address which these firms need to send and receive signalling protocol messages used to exploit loopholes in the global telecommunications system. These attacks can be used to locate phones and intercept calls or texts. Intercepting texts, like a SIM swap attack, can be used to facilitate account hijacking.

Telstra, a major Australian telecommunications operator, bought Digicel Pacific in July 2022 with support from AUD$2 billion of Australian government financing. Part of the justification for this deal was to prevent the PRC from buying Digicel and using the telco to facilitate espionage in the region.

Telstra says it has been terminating Digicel's global title leases, and that only a small number remain. Clamping down on these leases is a good thing, but surveillance operators will probably find other telcos they can obtain global titles from. A Lighthouse Reports investigation into a Swiss-based phone surveillance operator, for example, found that it had leased hundreds of global titles.

This news highlights that, yes, telcos can be used to facilitate spying and that access to even just one part of a telco is useful. Access to all of a telco? Priceless.

Age Verification Could Drive Kids to Weirder Websites

A federal judge has ruled that a Texas law requiring pornography sites to implement age-verification measures was unconstitutional and temporarily blocked its implementation.

Other states including Utah, Louisiana, Mississippi, Virginia and Utah have passed similar laws.

Age verification is a simple solution to a complex problem that may well have unintended consequences. This week, the Australian government also published a plan that said age verification technology was not yet fit for purpose.

The government's approach is informed by a "Roadmap for Verification" report produced by Australia's eSafety Office. The report examines the issue holistically and includes original research into when young people first encounter pornography.

One of the more interesting findings is that children often see pornography in group chats and on social media, so dedicated sites are not the only concern when it comes to preventing underage access. It also points out there is a risk that mandatory age verification mechanisms could push children actively looking for porn towards sites that don't comply and may potentially contain riskier content.

Overall, in the short term it recommends that government and industry provide more assistance to carers so they can apply "a combination of supervision, safety discussions and the use of filters, safety settings, and parental controls".

The report does not reject age-verification technologies outright but determines most are not yet ready for widespread use. However, the report considers newer privacy-preserving age-verification technologies may be suitable and recommends testing them to see if they'll work.

It's a good report and it's clear that the eSafety Office did their homework here — it's informed by nearly 380 pages of what the office calls a "background report".

Three Reasons to be Cheerful this Week:

1. More Cyber Opportunity: Craig Newmark Philanthropies has donated USD$200k to support a cybersecurity program at historically black colleges and universities. Newmark, the founder of Craigslist has over time committed USD$100m to various cyber security efforts.
2. OT Adversary Emulation: CISA and nonprofit MITRE have teamed up to build Operational Technology (OT) capabilities into MITRE's adversary emulation Caldera platform. The goal with Caldera for OT is to give industrial control system defenders better tools to conduct security assessments.
3. BGP resilience is improving: Network analytics firm Kentik reports that two recent Border Gateway Protocol (BGP) leaks didn't cause widespread disruption. Kentik's director of internet analysis, Doug Madory, thinks that increased use of Route Origin Validation technologies like Resource Public Key Infrastructure have made BGP more resilient. In times past "large routing leaks like these" might have caused widespread internet disruption, he says. However, he adds, although the global routing system has become more resilient there is still plenty of scope for deliberate attacks to succeed (see BGP-enabled cryptocurrency thefts, for example).

Sponsor Section

In this Risky Business News sponsor interview, Tom Uren talks to Mike Fey, CEO and co-founder of Island, about the idea of an "enterprise browser." Tom and Mike discuss what an enterprise browser actually is, what problems it solves, and why browsers focused on business requirements haven't been a product category until now.

Shorts

Microsoft Figures Out Storm-0558 Key "Acquisition"

Microsoft has published the results of its investigation into how a Chinese-based threat actor known as Storm-0558 was able to acquire a Microsoft account consumer signing key and use it to access enterprise and government email accounts.

It's worth a read. The very high-level summary is that an incorrectly redacted crash dump containing the key was transferred from Microsoft's hardened production environment to its corporate network where it was snaffled by Storm-0558.

Overall, Storm-0558 took advantage of a series of five different errors — which Microsoft says they've fixed — to use the key to get unauthorised access to email. It's top-notch work from Storm-0558 to seize on these mistakes and take advantage of them.

LastPass Breach All About the Crypto

Krebs On Security has examined the possibility that password vaults stolen from LastPass last year are being cracked and used in a string of six-figure cryptocurrency thefts.

Last year a threat actor carried out a multi-stage hack to get access to LastPass customer vaults. In the first step, in August last year, a threat actor gained access to LastPass's development environment by compromising an engineer's laptop. The information gained in that attack was then used to target a second engineer whose device was compromised via Plex Media Server. This second breach allowed the attacker to download LastPass customer vault backups from cloud storage. Secrets in these vaults were still protected by the customer's master password.

Since December 2022 there have been a string of cryptocurrency thefts linked by a common modus operandi. Collectively, 150 people have lost over USD$35m in cryptocurrency. One common factor linking these thefts is that the victims were using LastPass to store their "seed phrase", essentially the private key that controls the cryptocurrency.

The theory here is that the attackers have been cracking these vaults and then stealing cryptocurrency.  It's an enticing theory and Krebs' detective story is well worth reading.

US Number Two In Phishing

Krebs also has a piece up about the disproportionate use of the ".US" country code top-level domain (ccTLD) in phishing scams. .US is second only to Mali (.ML) in ccTLDs being used for phishing.

In theory, to register a .US domain you need to have some sort of relationship with the US, such as being a citizen or resident. Other ccTLDs that restrict registrations based on nationality have very low phishing rates, so this measure should prevent phishing abuse. In practice, however, this requirement is 'satisfied' by simply ticking a (pre-filled) box on the registrar's sign up form.

Bring Your Own Identity Provider Attacks

Identity and access management company Okta says four of its customers had been affected by a recent social engineering campaign that aimed to gain control of highly privileged accounts.

In this campaign the attackers tried to convince IT help desk personnel in the targeted company to reset MFA for their Okta Super Administrators. It appears the attackers already had account passwords or were somehow able to manipulate authentication flows so that they didn't need them for these purposes.

Super admins can't masquerade as other accounts, so the attackers then configured a second identity provider controlled by them. This is a legitimate feature used in mergers and acquisitions, for example, but allows impersonation of other users by the attackers in this case. This technique was used by Russian actors in the SolarWinds incident

Okta has a suite of recommendations on how to prevent these kinds of attacks and best protect highly privileged accounts.

Patrick Gray and Adam Boileau discussed this topic in detail at the top of this week's Risky Business podcast.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at how companies often make unilateral decisions that constrain states’ behaviour, for better and worse.

From Risky Biz News:

Germany warns of Chinese APTs hijacking SOHO routers for espionage: The German government says Chinese APTs are hijacking SOHO routers, NAS devices, and smart home automation systems to conduct cyber-espionage operations.

The hacked devices are used as a giant mesh of proxies that relay and hide the origin of the attack.

Chinese cyber-espionage groups like APT15 (Vixen Panda, Ke3chang) and APT31 (Zirconium, Judgement Panda) have been observed utilising the tactic, according to a security advisory published by the German Federal Office for the Protection of the Constitution (BfV) last week. A Google Translate machine-translated version of the alert is here.

[more on Risky Business News]

GREF (APT15): A Chinese cyber-espionage group known as GREF (APT15 or Vixen Panda) has planted trojaned versions of the Signal and Telegram apps on the official Google and Samsung app stores. The two apps contained functional versions of the two apps and a copy of the BadBazaar spyware. ESET says the trojaned Telegram app was advertised in a Uyghur Telegram group and that evidence suggests it was installed by more than 14,000 users. The GREF group has a long history of targeting China's Uyghur and Turkic ethnic minorities.

Chastity cage leak: A Chinese smart sex toy company has left one of its databases exposed online and has leaked information on customers who own its male chastity devices (aka penis cages). Exposed data included email addresses, plaintext passwords, home addresses, IP addresses, and even GPS coordinates for some users. The security researcher who found the database says they reported the leak to the company and China's CERT team in June, with little success. The researcher says they went as far as to deface the vendor's homepage to inform the company about its leaky database. The company restored its website but did not secure its database. [Additional coverage in TechCrunch]