U.S. and Dutch Authorities Dismantle 39 Domains Linked to BEC Fraud Network
GrubHub data breach impacts customers, drivers, and merchants

Food delivery company GrubHub disclosed a data breach affecting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider's account.
"Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub," the company said on Monday.
"We immediately terminated the account’s access and removed the service provider from our systems altogether."
In response to the incident, the company hired external forensic experts to assess the breach's impact, rotated passwords to prevent further unauthorized access, and added anomaly detection mechanisms across its internal services.
The follow-up investigation found no evidence that the attackers accessed other sensitive personal and financial information, including Grubhub Marketplace customer passwords, merchant login information, full payment card numbers, bank account details, Social Security numbers, or driver's license numbers.
"The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service," GrubHub stated.
"The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk."
While the attackers did not access Grubhub Marketplace account passwords, the company urged customers to always use unique passwords to minimize risk.
A Grubhub spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Grubhub is a food-ordering and delivery platform with over 375,000 merchants and 200,000 delivery partners in more than 4,000 cities nationwide.
In December, it agreed to pay $25 million to settle FTC charges and stop engaging in unlawful practices, including not telling consumers the full delivery cost, deceiving drivers about how much money they'd earn, and listing restaurants on its platform without their consent.
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations being compromised. The campaign is tied to focused abuse of identity and access management firm Okta, which earned the threat actors the 0ktapus moniker from researchers.
“The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from customers of the targeted organizations,” Group-IB researchers wrote in recent findings. “These customers received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.”
Impacted were 114 US-based firms, with additional victims sprinkled across 68 other countries.
Roberto Martinez, senior threat intelligence analyst at Group-IB, said the scope of the attacks is still unknown. “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” he said.
Researchers are unsure exactly how the threat actors obtained the list of phone numbers used in the MFA-related attacks; one theory they posit is that the 0ktapus attackers began their campaign by targeting telecommunications companies in hopes of gaining access to potential targets’ phone numbers.
“[A]ccording to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks,” researchers wrote.
Next, the attackers sent phishing links to targets via text message. Those links led to web pages mimicking the Okta authentication page used by the target’s employer. Victims were then asked to submit their Okta identity credentials along with the multi-factor authentication (MFA) codes employees used to secure their logins.
In an accompanying technical blog, researchers at Group-IB explain that the initial compromises of mostly software-as-a-service firms were phase one of a multi-pronged attack. 0ktapus’ ultimate goal was to access organizations' mailing lists or customer-facing systems in hopes of facilitating supply-chain attacks.
In a possibly related incident, within hours of Group-IB publishing its investigation late last week, DoorDash revealed it had been targeted in an attack with all the hallmarks of a 0ktapus-style operation.
In a blog post, DoorDash revealed that an “unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.” The attackers went on to steal personal information, including names, phone numbers, email and delivery addresses, from consumers and delivery people.
In the course of its campaign, the attacker compromised 5,441 MFA codes, Group-IB reported.
“Security measures such as MFA can appear secure… but it is clear that attackers can overcome them with relatively simple tools,” researchers wrote.
“This is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication,” Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in a statement via email. “It simply does no good to move people from easily phish-able passwords to easily phish-able MFA. It’s a lot of hard work, resources, time, and money, not to get any benefit.”
To mitigate 0ktapus-style campaigns, the researchers recommended good hygiene around URLs and passwords, and using FIDO2-compliant security keys for MFA.
“Whatever MFA someone uses,” Grimes advised, “the user should be taught about the common types of attacks that are committed against their form of MFA, how to recognize those attacks, and how to respond. We do the same when we tell people to pick passwords but don’t when we tell them to use supposedly more secure MFA.”
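The attack flow described above (SMS link, lookalike Okta page, relayed credentials and MFA code) works because a six-digit code carries nothing that ties it to the page the victim typed it into. The researchers' FIDO2 recommendation works because a WebAuthn assertion does. The following is an added illustration, not code from the Group-IB report or from Okta: it models the relying-party checks that reject an assertion relayed through a phishing page. The tenant and phishing domain names are constructed assumptions, and signature verification is deliberately omitted.

```python
import base64
import hashlib
import json
import os
import struct

# Constructed names (assumptions, not from the Group-IB report): the real Okta
# tenant and a lookalike domain of the kind the SMS links pointed at.
LEGIT_RP_ID = "example-corp.okta.com"
LEGIT_ORIGIN = "https://example-corp.okta.com"
PHISH_ORIGIN = "https://example-corp-okta-sso.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser, not the page, fills in the origin it actually loaded from.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) || flags (user-present bit) || 32-bit signature counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)


def verify_binding(client_data_json: bytes, auth_data: bytes,
                   expected_challenge: bytes, rp_id: str, origin: str) -> bool:
    # Relying-party checks from the WebAuthn assertion ceremony. The signature
    # over auth_data || SHA-256(client_data_json) is omitted here; it is what
    # stops an attacker from editing the origin field after the fact.
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False
    if cd.get("origin") != origin:  # minted on a lookalike page: reject
        return False
    return auth_data[:32] == hashlib.sha256(rp_id.encode()).digest()


def relay_scenario(victim_origin: str) -> bool:
    # The 0ktapus flow with a security key in place of a six-digit code: the
    # phishing page forwards the RP's real challenge to the victim and relays
    # the answer back. Even granting the attacker the legitimate rpIdHash (a
    # browser would not let a lookalike origin request it), the origin check fails.
    challenge = os.urandom(32)
    client_data = browser_client_data(victim_origin, challenge)
    return verify_binding(client_data, authenticator_data(LEGIT_RP_ID),
                          challenge, LEGIT_RP_ID, LEGIT_ORIGIN)
```

`relay_scenario(LEGIT_ORIGIN)` is accepted while `relay_scenario(PHISH_ORIGIN)` is rejected, which is the property a relayed TOTP code lacks.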
U.S. and Dutch Authorities Dismantle 39 Domains Linked to BEC Fraud Network

U.S. and Dutch law enforcement agencies have announced that they have dismantled 39 domains and their associated servers as part of efforts to disrupt a network of online marketplaces originating from Pakistan.
The action, which took place on January 29, 2025, has been codenamed Operation Heart Blocker.
The sites in question peddled phishing toolkits and fraud-enabling tools and had been operated since at least 2020 by a group known as Saim Raza, also known as HeartSender.
These offerings were then used by transnational organized crime groups to target several victims in the United States as part of various business email compromise (BEC) schemes, leading to losses totaling over $3 million.
"The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages, and email extractors, often used to build and maintain fraud operations," the U.S. Department of Justice (DoJ) said.
"Not only did Saim Raza make these tools widely available on the open internet, it also trained end clients on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise."
The tools advertised on the marketplaces also made it possible to harvest victim user credentials, which were subsequently put to use to further the fraudulent schemes, the DoJ added.
In a coordinated statement, Dutch police noted that the criminal group sold various programs to facilitate digital fraud, which cybercriminals could use to send phishing emails at scale or steal login credentials. The service is estimated to have had thousands of customers prior to its shutdown.
The cybercrime entity, also referred to as The Manipulaters, was first exposed by independent security journalist Brian Krebs in May 2015, with research from DomainTools last year identifying operational security lapses indicating that several systems associated with the threat actors had been compromised by stealer malware.
"Though lacking the technical sophistication many other large cybercrime vendors have, their most notable characteristic is being one of the earliest phishing-focused cybercrime marketplaces to horizontally integrate their business model while also spreading their operations across several separately branded shops," the company noted.
"Evidence hints that new members have joined and at least one early member of The Manipulaters left the group. They appear to have a physical presence in Pakistan, including Lahore, Fatehpur, Karachi, and Faisalabad."
The development follows the takedown of online criminal marketplaces such as Cracked, Nulled, Sellix, and StarkRDP as part of a coordinated law enforcement operation dubbed Talent towards the end of January 2025.