- NordVPN & TechRadar Reveal Three Global Cybercrime Campaigns
- Legacy FCKeditor flaw exploited to hijack 1,300+ domains; crypto deposit scam cheats victims of fake “fees”
- Chinese-speaking actor runs 800+ fraudulent e-commerce sites with urgent offers, too good to be true
A number of large, interconnected, global cybercriminal operations have been found to abuse legacy software, people’s trust in digital platforms and the desire to get rich quick to target people with malware and wire fraud.
A new research report, jointly released by NordVPN’s Threat Intelligence research unit and TechRadar’s security team, found that the first campaign revolves around legacy software called FCKeditor, an old web-based rich text editor that works in a browser.
It is like a mini version of Microsoft Word embedded in a website and it was widely used in the early CMS platforms, forums and admin panels back in the early 2000s and 2010s.
Although FCKeditor is no longer maintained, many important websites still actively use it, and cybercriminals hunt for those sites because of it. Back in February 2024, TechRadar reported “dozens of educational websites” being misused in this way to poison search engine results, deliver phishing sites to victims and engage in all manner of fraudulent activity.
At the time, a security researcher using the alias @g0njxa found that the websites of MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador and the University of Hawaiʻi had all been targeted. In addition to university websites, the campaign also targeted government and business websites, such as the websites of the government of Virginia, of Austin, Texas, and of Spain, and Yellow Pages Canada.
FCKeditor is no longer maintained and is vulnerable to CVE-2009-2265, a group of directory traversal flaws that allow remote attackers to create executable files in arbitrary directories. According to NordVPN and TechRadar, threat actors have recently used this flaw to compromise more than 1,300 high-value domains, including public, government and corporate websites, high-value brands, and research institutions.
After taking over the sites, the crooks would use them as launchpads to distribute malware or redirect traffic to fake e-commerce and phishing sites.
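The flaw class behind CVE-2009-2265 is an upload handler that joins a caller-supplied file name onto its upload directory without checking where the result lands. The following is an added illustration of that class, not FCKeditor's code or anything from the NordVPN/TechRadar report: a naive path join beside a hardened one, plus a check that defenders can reuse as a unit test for their own upload handlers or as a rule over request logs. The upload root, allowed extensions and sample file names are constructed assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example: a hypothetical upload directory inside a web root.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Allowlist of extensions the application actually needs to accept.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def naive_target_path(upload_root: Path, user_path: str) -> Path:
    """The flawed pattern: trust the supplied name and join it under the root.

    "../" components climb out of upload_root, an absolute path replaces the
    root entirely, and nothing constrains the extension, so a server-side
    script can be written anywhere the web server process may write.
    """
    return Path(os.path.join(str(upload_root), user_path))


def naive_escapes_root(upload_root: Path, user_path: str) -> bool:
    """True when the naive join would land outside upload_root.

    This is the property a directory-traversal exploit relies on; the same
    predicate works as a detection rule over upload requests in logs.
    """
    root = upload_root.resolve()
    candidate = Path(os.path.normpath(str(naive_target_path(root, user_path))))
    return not candidate.is_relative_to(root)


def safe_target_path(upload_root: Path, user_path: str) -> Optional[Path]:
    """Hardened version: returns the path to write, or None to reject the upload."""
    # Embedded NULs can truncate the name in lower-level string handling.
    if "\x00" in user_path:
        return None
    # Keep only the final component; this discards every directory part,
    # including "../" sequences and a leading absolute path. Backslashes are
    # normalised first so Windows-style separators cannot smuggle components.
    name = Path(user_path.replace("\\", "/")).name
    if name in ("", ".", "..") or name.startswith("."):
        return None
    # Every dotted suffix must be allowed, so "shell.php.jpg" is rejected even
    # though its last extension is harmless. This is stricter than needed for
    # names like "report.final.pdf"; if you must accept those, store uploads
    # under a server-generated name instead of the client's.
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        return None
    # Defence in depth: resolve and confirm the target is still under the root.
    root = upload_root.resolve()
    target = (root / name).resolve()
    if not target.is_relative_to(root):
        return None
    return target


def main() -> None:
    # Constructed sample names: two benign, the rest shaped like traversal attempts.
    samples = [
        "photo.jpg",
        "scan.PDF",
        "../../../var/www/html/cmd.php",
        "/etc/cron.d/job",
        "shell.php.jpg",
        "..\\..\\evil.php",
        "..",
    ]
    for user_path in samples:
        escapes = naive_escapes_root(UPLOAD_ROOT, user_path)
        safe = safe_target_path(UPLOAD_ROOT, user_path)
        print(f"{user_path!r:40} naive escapes root: {escapes!s:5} hardened: {safe}")


if __name__ == "__main__":
    main()
```

The two functions are deliberately separable: `naive_escapes_root` describes the weakness so you can test or monitor for it, while `safe_target_path` shows that the fix is not to strip `../` from the string but to keep only the basename, allowlist extensions, and verify containment after resolving the path.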
Crypto Phishing
The second threat is a “highly organized” phishing and fraud campaign that tricks people into making fraudulent payments. It starts with an email alerting the victim of a large crypto deposit (usually 15 bitcoin) for a new wallet on an exchange. The victim is given a link and login credentials that, if used, lead to a fake wallet or exchange website that displays the “funds”.
The victim is then tricked into paying “gas fees” (transaction costs) or “taxes” to withdraw the crypto. The money they give this way is then lost to the attackers, probably forever.
NordVPN’s investigation revealed more than 100 active domains used in this campaign.
“This is social engineering on an elite scale,” said Domininkas Virbickas, director of product at NordVPN. “Criminals are taking advantage of the allure—and confusion—of cryptocurrency to reinvent old scams in new digital forms.”
Hundreds of fake e-commerce sites
The third campaign is even bigger – more than 800 fraudulent e-commerce domains in all sorts of categories – from fashion to cars to health products.
Traced to a single Chinese-speaking threat actor, the network is built using WordPress, WooCommerce and Elementor, offering limited-time, too-good-to-be-true deals. Victims, eager not to miss out on this unique opportunity, let their guard down and end up paying without ever getting what they paid for.
“These ‘shops’ lure victims with unrealistic offers, create urgency and circumvent consumer skepticism. Indicators of Chinese origin include untranslated Chinese characters and localized file artifacts across the network. NordVPN linked the sites through shared digital fingerprints and discovered consistent hosting under registrar Spaceship, Inc.,” says Domininkas Virbickas.
“This network demonstrates the industrialization of online fraud,” Virbickas added. “Automation and template-based website creation now allow single actors to manage entire fraudulent ecosystems that mimic legitimate online retail.”