- NordVPN and TechRadar uncover three global cybercrime campaigns
- A legacy FCKeditor flaw was exploited to hijack over 1,300 domains; a crypto deposit scam dupes victims with fake “fees”
- Chinese-speaking actor runs more than 800 fraudulent e-commerce sites with urgent offers too good to be true
A number of large, interconnected global cybercriminal operations have been found to abuse legacy software, people’s trust in digital platforms and the desire to get rich quick, to attack people with malware and phishing.
A new research report, jointly published by NordVPN’s Threat Intelligence research unit and TechRadar’s security team, found that the first campaign revolves around legacy software called FCKeditor, a former web-based rich text editor that works within a browser.
It’s like a mini version of Microsoft Word embedded in a website, and was widely used in early CMS platforms, forums and admin panels, in the early 2000s and 2010s.
Although FCKeditor is no longer maintained, it is still actively used by many major websites and is hunted by cybercriminals. In February 2024, TechRadar reported on “dozens of educational websites” being abused in this way to poison search engine results, deliver phishing sites to victims, and engage in all kinds of fraudulent activities.
Back then, a security researcher using the alias @g0njxa found that the websites of MIT, Columbia University, University of Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and University of Hawai’i had all been attacked. In addition to university sites, the campaign also targeted government and corporate websites, such as the Government of Virginia site, Austin, Texas, the Government of Spain website, and the Canadian Yellow Pages.
FCKeditor is no longer maintained and is vulnerable to CVE-2009-2265, a group of directory traversal flaws that allow remote attackers to create executable files in arbitrary directories. According to NordVPN and TechRadar, threat actors have used this flaw in recent times to compromise over 1,300 high-value domains, including government, public, and corporate websites, high-value brands, and research institutions.
After taking over the sites, the criminals would use them as launching pads to distribute malware or redirect traffic to fake e-commerce sites and phishing pages.
Crypto phishing
The second threat is a “highly organized” fraud and phishing campaign that tricks people into making fraudulent payments. It starts with an email alerting the victim about a large crypto deposit (usually 15 bitcoins) in a new wallet on an exchange. The victim receives a link and login credentials that, if used, lead to a fake wallet or exchange website that displays the “funds.”
The victim is then tricked into paying “gas fees” (transaction costs) or “taxes” to withdraw the crypto. The money they give this way is lost to the attackers, probably forever.
NordVPN’s investigation discovered over 100 active domains used in this campaign.
“This is social engineering on an elite scale,” said Domininkas Virbickas, chief product officer at NordVPN. “Criminals are taking advantage of the appeal (and confusion) of cryptocurrencies to reinvent old scams in new digital forms.”
Hundreds of fake e-commerce sites
The third campaign is even bigger: more than 800 fraudulent e-commerce domains, in all types of categories, from fashion to automobiles to health products.
The network, which can be traced back to a single Chinese-speaking threat actor, is built with WordPress, WooCommerce, and Elementor, and offers limited-time too-good-to-be-true deals. Victims, anxious not to miss this once-in-a-lifetime opportunity, let their guard down and end up paying without ever getting what they paid for.
“These ‘stores’ lure victims with unrealistic offers, creating urgency and preventing consumer skepticism. Indicators of Chinese origin include untranslated Chinese characters and file artifacts located throughout the network. NordVPN linked the sites through shared fingerprints and discovered consistent hosting under the Spaceship, Inc registrar,” says Domininkas Virbickas.
“This network demonstrates the industrialization of online fraud,” Virbickas added. “Automation and template-based site creation now allow individual actors to manage entire fraudulent ecosystems that mimic legitimate online retail.”





