California man steals $50 million using fake investment sites, gets 7 years - Related to 2024, accounts, heartsender, marketplace, investment

California man steals $50 million using fake investment sites, gets 7 years

A 59-year-old man from Irvine, California, was sentenced to 87 months in prison for his involvement in an investor fraud ring that stole $50 million between 2012 and October 2020.

Allen Giltman and other fraudsters used over 150 fraudulent sites impersonating financial institutions that advertised various investment opportunities (primarily certificates of deposit with higher than average rates of return to lure victims in) and solicited money from investors.

These investment scam websites were promoted via Google and Microsoft Bing ads, targeting phrases like "best CD rates" or "highest cd rates."

, the scammers impersonated Financial Industry Regulatory Authority (FINRA) broker-dealers, claiming to be employed by the financial institutions they spoofed on the scam sites. This allowed them to trick over 70 victims who sought investment opportunities into wiring roughly $50 million.

"After discovering one of the fraudulent websites, victims would contact an individual via telephone or email as directed on the sites. As alleged in the Information, this individual was Giltman. During his communications with victims of the fraud scheme, Giltman impersonated real FINRA broker-dealers by using their names and FINRA CRD numbers," the [website] Justice Department revealed in a Tuesday press release.

"Giltman would then provide the victims with applications and wiring instructions for the purchase of a CD. The funds wired by the victims would then be moved to various domestic and international bank accounts, including accounts in Russia, the Republic of Georgia, Hong Kong, and Turkey. None of the victims received a CD after wiring the funds."

Throughout the scheme, Giltman and his co-conspirators used various tactics to hide their true identities, including virtual private networks (VPNs), prepaid phone and encrypted apps to communicate with their targets, prepaid gift cards to register web domains, and fake invoices to explain the large wire transfers they received from their victims.

In addition to the 87-month prison term, Giltman was sentenced to 3 years of supervised release and ordered to forfeit assets seized when arrested in 2020.

Giltman pleaded guilty to his involvement in this long-running and large-scale Internet-based investor fraud scheme in January 2022.

In July 2021, the FBI's Criminal Investigative Division and the Securities and Exchange Commission warned investors that fraudsters were impersonating registered investment professionals such as brokers and advisers.

The FBI's alert followed a similar fraud warning issued by FINRA about scams involving phishing sites that impersonate brokers and falsified SEC or FINRA registration documents.

Fake travel reservations are exacting more pain from the travel weary, already dealing with the mise...

[website] turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a c...

Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant ...

Police dismantles HeartSender cybercrime marketplace network

​Law enforcement authorities in the United States and the Netherlands have seized 39 domains and associated servers used by the HeartSender phishing gang operating out of Pakistan.

Also known as Saim Raza and Manipulators Team, the group has operated online cybercrime marketplaces for over a decade, selling hacking and fraud-enabling tools like phishing kits, malware, and spamming services to "transnational organized crime groups."

Despite temporarily reduced activity after infosec journalist Brian Krebs exposed their operations, the gang used multiple branded shops (promoted on YouTube) across many domains to distribute takedown risks and saturate the underground market to deter competition.

The Cybercrime Team of the East Brabant police unit in the Netherlands started investigating their activity at the end of 2022. Investigators from the United States later joined in a joint action dubbed 'Operation Heart Blocker.'

.S. Justice Department, their operations have resulted in over $3 million in losses to victims in the United States alone, with HeartSender datasets containing data stolen from millions worldwide.

"Not only did Saim Raza make these tools widely available on the open internet, it also trained end people on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise. The group also advertised its tools as 'fully undetectable' by antispam software," DOJ mentioned.

"The transnational organized crime groups and other cybercrime actors who purchased these tools primarily used them to facilitate business email compromise schemes wherein the cybercrime actors tricked victim companies into making payments to a third party. These tools were also used to acquire victim user credentials and utilize those credentials to further these fraudulent schemes."

Authorities in the United States and the Netherlands have not introduced whether Operation Heart Blocker has resulted in any charges or arrests.

HeartSender seizure banner (BleepingComputer).

​The Netherlands police also provide a web-based tool for checking whether your data was found in seized HeartSender datasets.

This week, authorities from eight countries also shut down Cracked and Nulled, two of the largest hacking forums with over 10 million consumers.

The joint action, dubbed Operation Talent, also led to the arrest of two suspects in Valencia, Spain, and the seizure of 17 servers and 12 domains used by the two cybercrime platforms (including cracked[.]io, cracked[.]to, and nulled[.]to).

As part of the same operation, the FBI also seized domains used by StarkRDP ([website], a Windows RDP virtual hosting provider promoted on both hacking forums and run by the same suspects, and SellIX ([website] and [website], a financial processor used by Cracked members.

The [website] Justice Department says Cracked ran 28 million ads for cybercrime tools and generated roughly $4 million in revenue, impacting 17 million victims in the United States, while Nulled listed 43 million ads for hacking tools and generated around $1 million in annual revenue.

Multiple state-sponsored groups are experimenting with the AI-powered Gemini assistant from Google to increase productivity and to conduct research on......

Google noted it blocked over [website] million policy-violating Android apps from being ......

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly ......

Google Bans 158,000 Malicious Android App Developer Accounts in 2024

Google expressed it blocked over [website] million policy-violating Android apps from being ,000 bad developer accounts that attempted to publish such harmful apps.

The tech giant also noted it prevented [website] million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with third-party app developers.

Furthermore, Google Play Protect, a security feature that's enabled by default on Android devices to flag novel threats, identified 13 million new malicious apps from outside of the official app store.

"As a result of partnering closely with developers, over 91% of app installs on the Google Play Store now use the latest protections of Android 13 or newer," Bethel Otuteye and Khawaja Shams from the Android Security and Privacy Team, and Ron Aquino from Google Play Trust and Safety noted.

In comparison, the business blocked [website] million and [website] million risky apps from being , respectively.

Google also stated the developers' use of the Play Integrity API – which allows them to check if their apps have been maliciously modified or are running in potentially compromised environments – has seen a 80% lower usage of their apps from unverified and untrusted findings on average.

In addition, the firm's efforts to automatically block sideloading of potentially unsafe apps in markets like Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, Singapore, South Africa, Thailand, and Vietnam has secured 10 million devices from no less than 36 million risky installation attempts, spanning over 200,000 unique apps.

Complementing these initiatives, Google this week introduced it's introducing a new "Verified" badge for consumer-facing VPN apps that have successfully completed a Mobile Application Security Assessment (MASA) audit. Google originally unveiled this plan in November 2023.

"This new badge is designed to highlight apps that prioritize user privacy and safety, help clients make more informed choices about the VPN apps they use, and build confidence in the apps they ultimately download," it mentioned.

If anything, the findings show that protecting the Android and Google Play ecosystem is a continuous effort, as new malware strains continue to find their way to mobile devices.

The most recent example is Tria Stealer, which has been found primarily targeting Android clients in Malaysia and Brunei. The campaign is believed to be ongoing since at least March 2024.

Distributed via personal and group chats in Telegram and WhatsApp in the form of APK files, the malicious apps request sensitive permissions that enable the harvesting of a wide range of data from apps like Gmail, Google Messages, Microsoft Outlook, Samsung Messages, WhatsApp, WhatsApp Business, and Yahoo! Mail.

There is some evidence to suggest that the malware is the work of an Indonesian-speaking threat actor, owing to the presence of artifacts written in the Indonesian language and the naming convention of the Telegram bots used for hosting command-and-control (C2) servers.

"Tria Stealer collects victims' SMS data, tracks call logs, messages (for example, from WhatsApp and WhatsApp Business), and email data (for example, Gmail and Outlook mailboxes)," Kaspersky showcased. "Tria Stealer exfiltrates the data by sending it to various Telegram bots using the Telegram API for communication."

The stolen information is then used to hijack personal messaging accounts such as WhatsApp and Telegram, and impersonate victims in an effort to request money transfers from their contacts to bank accounts under their control, and further perpetuate the scam by distributing the malware-laced APK file to all their family and friends.

The fact that Tria Stealer is also able to extract SMS messages indicates that the operators could also use the malware to steal one-time passwords (OTPs), potentially granting them access to various online services, including banking accounts.

Kaspersky showcased the campaign exhibits some similarities with another activity cluster that distributed a piece of malware dubbed UdangaSteal in 2023 and early 2024 targeting Indonesian and Indian victims using wedding invitation, package delivery, and customer support lures. However, there is no evidence at this stage to tie the two malware families to the same threat actor.

The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service ......

Italy's data protection watchdog has blocked Chinese artificial intelligence (AI) firm DeepSeek's service within the country, citing a lack of informa......

BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the corporation's Remote Support SaaS in......