Honestly, I don't know how Zelensky didn't punch the Cheeto that whole time. That man has remarkable restraint.
I have never been so embarrassed for our country. What a thug. "World War III," he says over and over, echoing Putin's sabre-rattling throughout his invasion. Even sitting in the White House, Trump is echoing the Kremlin line.
What's even more despicable is that the spineless, gutless GOP will say nothing about this indefensible show of gutlessness and cowardice by their leader. Imagine that: Being afraid of cowards makes you one.
Hey, cool! I was quoted in a WSJ story today about tax-related ID theft. I'm told this link should work without the paywall, in case you wanted to know more about how to get an IP PIN to prevent crooks from claiming a tax return in your name.
Yes, this still happens to ~500,000 people a year. It doesn't matter whether you are owed a refund or not, and most people only find out someone has already filed in their name when they go to file their return and it gets rejected as already filed.
I'm trying to understand why one of the worst bulletproof hosting providers out there today -- Russia-based Prospero OOO -- is now getting transit to the larger internet via the antivirus and security firm Kaspersky Lab?
Prospero (AS200593) has been tied to multiple bulletproof hosting providers advertising on Russian cybercrime forums that say they will ignore all abuse complaints. It operates an insane number of phishing domains at any given time, and it's been connected with ransomware C2s and distribution of ransom-adjacent malware operations like SocGholish and GootLoader. But don't take my word for it. Have a look at just the recent stuff:
I understand that Kaspersky Lab (AS209030) provides DDoS protection as one of its services, and its networks do indeed seem to include several large banks (e.g., Alfa Bank) and the Russian police. But if that's really what this is, that's almost worse than Kaspersky just letting these providers transit their network.
At least 21 employees of the U.S. Digital Service, which was renamed DOGE last month, resigned their positions yesterday in a letter to Trump's chief of staff.
"On Jan. 21st, we completed 15-minute interviews with individuals wearing White House visitor badges. Several of these interviewers refused to identify themselves, asked questions about political loyalty, attempted to pit colleagues against each other, and demonstrated limited technical ability. This process created significant security risks."
"We will not use our skills as technologists to compromise core government systems, jeopardize Americans' sensitive data, or dismantle critical public services. We will not lend our expertise to carry out or legitimize DOGE's actions."
Martin is in good company these days. Here's Dan Bongino, a former Secret Service agent turned conservative talk show host who was just named as deputy director of the FBI.
This is the US Attorney for the District of Columbia taking a shot at the Associated Press (presumably over their refusal to call The Gulf of Mexico by another name), while calling the Justice Department "President Trump's lawyers," which I'm sure isn't infuriating at all to a lot of decent people at the DOJ. Just incredible.
I keep getting financial industry people reaching out about this story to say how much fraud they are now seeing from people's payment card data being phished and loaded onto mobile wallets just by also phishing a one-time code out of victims.
One thing I think a lot of people are missing with this type of fraud is that while it is ideal for the phishers to coax that one-time code out of victims at the same time they are phishing the card data, it doesn't have to be that way.
What I'm getting at here is that this method of turning phished data into mobile wallets essentially allows card data that was previously only good for online transactions (i.e. it was stolen from an ecommerce vendor) to be "enriched" at any point going forward and turned into a mobile wallet.
In other words, the phishing of the one-time code sent by the victim's bank in response to a request to link their card to a mobile wallet can happen out of band, well after the fact, and under any pretext.
"The United States voted with Russia, North Korea, Belarus and 14 other Moscow-friendly countries Monday on a resolution condemning Russian aggression in Ukraine and calling for its occupied territory to be returned that passed overwhelmingly in the U.N. General Assembly on Monday."
What's the best thing you've read today? Mine's this, from Marisa Kabas on bsky:
"This morning at Dept of Housing and Urban Development (HUD) HQ in DC as mandatory return to office began, this video played on loop for ~5 mins on screens throughout the building, per agency source."
"Building staff couldn’t figure out how to turn it off so sent people to every floor to unplug TVs."
Spoiler: It's a video of Trump sucking on Elon's toes, with text over top that says: "Long live the real king."
Oh yes, this president really advocates for the working class. I'm sure whatever billionaire gets the contract to provide the mail will charge such reasonable fees.
"President Donald Trump is preparing to dissolve the leadership of the U.S. Postal Service and absorb the independent mail agency into his administration, potentially throwing the 250-year-old mail provider and trillions of dollars of e-commerce transactions into turmoil."
"Trump is expected to issue an executive order as soon as this week to fire the members of the Postal Service’s governing board and place the agency under the control of the Commerce Department and Secretary Howard Lutnick, according to six people familiar with the plans, who spoke on the condition of anonymity out of fear of reprisals."
I always smile when I see a RT of this post, because it basically means I have a new follower. I've had this post pinned on my profile here for some time, which is nice because it's still true!
The Google Threat Intelligence Group (GTIG) says it has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
"The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise."
"In remote phishing operations observed to date, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website."
"In more tailored remote phishing operations, malicious device-linking QR codes have been embedded in phishing pages crafted to appear as specialized applications used by the Ukrainian military."
"Beyond remote phishing and malware delivery operations, we have also seen malicious QR codes being used in close-access operations. APT44 (aka Sandworm or Seashell Blizzard, a threat actor attributed by multiple governments to the Main Centre for Special Technologies (GTsST) within Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), known commonly as the GRU) has worked to enable forward-deployed Russian military forces to link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation."
Google says Signal, in collaboration with GTIG, has released updates for Android and iOS to mitigate these attacks. Users should update their apps immediately.
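The technique quoted above boils down to one check: did the QR code a target scanned encode a Signal device-linking payload, rather than the group invite or security alert it was dressed up as? As an added example (not code from the Google report, from Signal, or from the original post), here is a small classifier for decoded QR payloads of the kind a mail or messaging gateway could run. The `sgnl://linkdevice?uuid=...&pub_key=...` URI shape is an assumption about Signal's device-provisioning link, and every sample payload and host name below is constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample QR payloads for this example; none come from the report
# quoted above. The "sgnl://linkdevice?uuid=...&pub_key=..." shape is an
# assumption about Signal's device-provisioning URI; the hosts are illustrative.
SAMPLE_PAYLOADS = {
    "group_invite": "https://signal.group/#CjQKIEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    "device_link": "sgnl://linkdevice?uuid=ZXhhbXBsZS11dWlk&pub_key=QmFzZTY0UHViS2V5",
    # A phishing page posing as a group invite that carries a percent-encoded
    # device-link URI in a query parameter.
    "nested_device_link": (
        "https://signal-group-invite.example/join?"
        "next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DYWJj%26pub_key%3DZGVm"
    ),
    "benign": "https://signal.org/install/",
}

DEVICE_LINK_SCHEME = "sgnl"       # assumed scheme of the provisioning URI
DEVICE_LINK_HOST = "linkdevice"   # assumed authority of the provisioning URI
GROUP_INVITE_HOST = "signal.group"


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a device-link URI hidden inside a
    query parameter of an outer URL becomes visible to the checks below."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def device_link_params(payload: str):
    """Return {'uuid': ..., 'pub_key': ...} when the payload is a device-link
    provisioning URI carrying both parameters, otherwise None."""
    parts = urlsplit(payload)
    if parts.scheme.lower() != DEVICE_LINK_SCHEME:
        return None
    if parts.netloc.lower() != DEVICE_LINK_HOST:
        return None
    query = parse_qs(parts.query)
    if "uuid" not in query or "pub_key" not in query:
        return None
    return {"uuid": query["uuid"][0], "pub_key": query["pub_key"][0]}


def classify_qr_payload(payload: str) -> dict:
    """Classify one decoded QR payload. Anything that would link a new device
    is rated high risk, whether it is the payload itself or is embedded in an
    outer URL dressed up as something else (e.g. a group invite)."""
    direct = device_link_params(payload)
    if direct is not None:
        return {"kind": "device_link", "risk": "high", "params": direct}

    parts = urlsplit(payload)
    is_https = parts.scheme.lower() == "https"
    if is_https and parts.netloc.lower() == GROUP_INVITE_HOST and parts.fragment:
        # Real group invites carry the invite token in the URL fragment.
        return {"kind": "group_invite", "risk": "low", "params": None}

    # Look for a device-link URI smuggled inside the payload after decoding.
    decoded = fully_unquote(payload)
    marker = f"{DEVICE_LINK_SCHEME}://{DEVICE_LINK_HOST}"
    idx = decoded.find(marker)
    if idx != -1:
        inner = decoded[idx:].split()[0]  # embedded URI runs to the next whitespace, if any
        return {"kind": "embedded_device_link", "risk": "high",
                "params": device_link_params(inner)}

    return {"kind": "other", "risk": "unknown", "params": None}


def high_risk_payloads(payloads: dict) -> list:
    """Names of the payloads that would link a device to another Signal instance."""
    return [name for name, p in payloads.items()
            if classify_qr_payload(p)["risk"] == "high"]


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:>20}: {classify_qr_payload(payload)}")
    print("flag for review:", high_risk_payloads(SAMPLE_PAYLOADS))
```

The classifier deliberately decodes the payload a few times before searching for the provisioning URI, because a lure page can forward the victim's browser to the real linking URI only after one or more redirects; a gateway that checks just the outer URL's host would wave such a payload through as "some https link". A low-risk verdict here is not proof of safety, only that the payload does not itself request a device link.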
Day 5 of posting about the coup on Linkedin. I can't begin to count the number of people in infosec LI who messaged privately to say keep going, nobody's talking about this here, this is important, etc. That's been nice.
But then also a lot of times when I check these people's timelines on LI it's like <crickets>. So that makes me a little sad. But then I think, self, you're in a much better position to piss off infosec LI than most, and that's to be expected. And that's a good thing.
Also, there are SO many people in or on the fringe of the infosec industry that have such horrible takes on why it is okay to break the law, flout the courts, the Constitution and Congress in the name of fighting "government fraud." As if that's not just a replacement for "election fraud," which likewise hasn't materialized. Anyway, I guess they're all on record as cheering the nazi parade, so there's that.
I'm generally not engaging in conversations with these cult followers, because never argue with an idiot, right? But I also don't want the same drones cluttering up my timeline with inanities and whataboutism. So my strong inclination is to block useful idiots, but then I think well why am I even here if I'm doing that? I did block some people though and it felt good.
As you can see, I am somewhat conflicted about this project.
My efforts to keep the coup on the minds of people who follow on LinkedIn have produced mixed results. But those posts are undeniably being read by a lot of people, so that makes me happy.
Ken is a good example of the kinds of direct messages I get a lot on LinkedIn these days. Ken's profile says he's a Microsoft specialist.
Or is he...?
Ken's profile says it was created in 2007, so it's not an account that just materialized. Something in me wants to give Ken the benefit of the doubt.
This opening message from Ken is typical in that it:
a) seems to be worded oddly for a native English speaker;
b) suggests I'm taking money to speak out (in this case from USAID, no less);
c) asserts that I am slandering the administration; and
d) menacingly or vaguely promises retribution.
Ken's message is somewhat confusingly worded ("I'm text to a bot"), and that caught my eye again. So I decided to take the bait.
Ken Payne 9:55 PM How much $ do u get from USAID - indirectly ? George Mason. International studies. We know. 😂 im text to a bot. But your slanderous days are over.
Brian Krebs 10:07 PM Hi Ken. You're a bot? Really? Tell me more. That would explain a lot.
Ken Payne 10:16 PM No, I’m not a bot. But i thought you are. I welcome a conversation.
Brian Krebs 10:16 PM Do you always start conversations this way?
Ken: Is Ronald Reagan the president of?
Brian Krebs 10:17 PM Is English your language of?
Ken Payne 10:17 PM Testing the AI
Brian Krebs 10:18 PM oh. I'm talking with AI?
Ken Payne 10:18 PM We can talk any time.
Brian Krebs 10:18 PM Apparently one of us can
Brian Krebs 10:19 PM Well, Ken, I gotta hand it to you: You drank the Microsoft Kool-Aid, and I guess after that the Trump Kool-aid went down real easy, right?
Prove to me you're not a bot, Ken.
Ken Payne 10:20 PM I'm him free now. U disapprove of DOGE. I support it. U are more suspicious than I.
Brian Krebs 10:21 PM I think you either are a bot that's part of an influence campaign, or you're just not that bright. You certainly don't speak like someone who has an education, or a very good grasp of the English language.
Ken Payne 10:22 PM I work at MSFT. but I see their sins. Perhaps Chinese intelligence influence. Dunno
Brian Krebs 10:22 PM So Ken, how can YOU prove you're a real person?
Can I call you? Ken, I'm starting to have real doubts about your non-botness Ken?
Unsurprisingly, Ken didn't want to chat on the phone, or give a phone number.
Is Ken a bot? Or is Ken just another useless idiot? Either way, there sure are a lot of Kens.
One frustrating aspect of trying to write about all the incredibly reckless and risky actions taken by this administration with govt data is that by the time you're done writing, half the stuff in your story is outdated already, because they've reversed themselves, or they've been reversed. Or, and this is usually the most frequent cause: Because they've gone and done something even more colossally stupid, cruel and/or unwise.
I have not missed this aspect of reporting on the Trump administration at all. But it is absolutely true that their flood-the-zone-with-stupid approach really can become something like a mental DDoS on journalists. And of course that's intentional.
It's been truly sickening to read the news today: Trump calls Zelensky a "dictator" who took US money to go to war, making it clear as day that the US president sides with Russia in this conflict. Zelensky says the president lives in a circle of disinformation. That is plain to see, even for Trump's supporters, who live in and help cultivate that same bubble.
Meanwhile, Russian officials are offering American companies the chance to make billions by coming back to Russia. And wouldn't you know it? The White House is open to this idea. Never mind that just two years ago Russia appropriated a good portion of the brands of the Fortune 100, and then took over their stores and sold them to Friends of Putin.
Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09.
Signal: briankrebs.07
Email: krebsonsecurity @ gmail .com
LinkedIn: https://www.linkedin.com/in/bkrebs