Date: 2023-03-20

FBI targets notorious cybercrime market with teen’s arrest

The FBI arrested a 19-year-old New York man whom agents accused of running one of the most notorious underground marketplaces for criminals to buy and sell stolen personal information, phone takeovers and harassment.

In court documents, an FBI special agent said Conor Brian Fitzpatrick had admitted operating BreachForums under the screen name Pompompurin, though he had by Friday only been charged with one count of conspiracy to commit access device fraud, which often refers to the use of stolen credit card or other information.

Pompompurin has a years-long history of causing online havoc. In 2021, the hacker claimed responsibility for breaching an FBI portal that the agency uses to communicate with law enforcement partners and sending phony emails.

It’s not clear if the court documents noting Fitzpatrick’s arrest were meant to remain sealed; some are currently inaccessible on the federal courts’ record system, and prosecutors haven’t announced Fitzpatrick’s arrest.

BreachForums has only been around for a year. It sprang up to take the place of RaidForums, another English-language forum that had a similar design and was seized by the FBI in 2022. BreachForums has amassed thousands of users, with Pompompurin vouching for some of them and adjudicating disputes.

Among the items for sale, there have been millions of email addresses and phone numbers associated with Twitter accounts. Most recently, hackers claimed to offer sensitive information from a D.C. health service breach that included members of Congress.

In postings on the site Friday, users noted that Pompompurin had not been heard from in two days and wished him well. Word of Fitzpatrick’s arrest spread quickly after Bloomberg News first reported on his arrest.

The federal prosecutor on the case could not be reached for comment, and most of the information about the case came in a two-page FBI affidavit filed after the arrest in Peekskill, N.Y.

Fitzpatrick, who court records said had been released on a $300,000 bond, could not be reached for comment.

Cybercrime ecosystem

The trade in stolen data has made criminal hacking an easy road to profit with relatively little risk, since arrests are rare. Phone account takeovers, which can make use of corrupt telecommunication employees or hacks of the big companies, have drawn less public and congressional scrutiny. However, hackers have used the tactic to steal millions of dollars from cryptocurrency and bank accounts where phone numbers are used for authentication.

The rarity of prosecutions has allowed small-time, teenage criminals to amass more money, which makes it easier for them to buy access inside companies and to hire thugs for harassment in the real world.

“Pom and a few people like himself are intellectually capable of bringing this disorganized crime scene to the next level and closer towards something that looks like proper organized crime,” said a security expert familiar with the investigation. They asked not to be named because administrators of BreachForums have targeted such professionals in the past.

Equally alarming are ties abroad.

In the past, most highly skilled foreign hackers had avoided dealing with Americans, deciding that it wasn’t worth overcoming language and cultural barriers to reach the less-talented crowd in American circles, the expert said. Administrators and top-rated participants in RaidForums and BreachForums have won enough money and respect to change that, leading to more international exchanges of information, they said.

The keys

Group calls on government to “immediately” do education campaign about voting system guidelines

As election officials and voting machine companies prepare for the deprecation of voting machine guidelines known as VVSG 1.0 later this year, the National Association of State Election Directors (NASED) has asked the U.S. Election Assistance Commission to “immediately undertake a comprehensive messaging and education campaign directed at voters, federal and state legislators, election officials, and members of the media” explaining what that move will mean.

“The EAC and all their public communications must be unambiguous: voting systems certified to the VVSG 1.0 will remain federally certified after November 15, 2023, and jurisdictions can continue using and purchasing those systems consistent with state or territorial laws and regulations,” NASED wrote in the letter.

It warned that the EAC “must help us proactively educate the public now,” before misinformation about the guidelines spreads.

In a joint statement provided to The Cybersecurity 202, EAC Chairwoman Christy McCormick, Vice Chair Ben Hovland, Commissioner Donald Palmer, and Commissioner Thomas Hicks said the commission is “firmly committed to combating election misinformation.” The statement later added that the “EAC is finalizing materials to assist election officials with communications about deprecation of voting systems in their jurisdictions and reassuring the public that our voting systems are secure and accurate.”

The statement also reiterated that enacting the VVSG 2.0 guidelines is key to boosting election security, and that they are “designed to help election officials rise to the ever-changing challenges of election administration.”

The statement also said that the EAC works with stakeholders like NASED. “We appreciate NASED’s engagement on the VVSG Lifecycle Policy throughout the development process and have been responsive to their feedback and concerns,” it said.

“The EAC welcomes continued engagement from stakeholders through appropriate channels as we move toward the first VVSG 2.0 certified systems,” the statement added.

India severs Punjab mobile internet for second day in search of Sikh fugitive

Indian authorities cut mobile internet and text messaging services to Punjab for a second day in a row in efforts to locate a Sikh separatist, impacting the lives of some 27 million people, our colleagues Gerry Shih, Karishma Mehrotra and Shams Irfan report.

The ban was put into effect to locate Sikh separatist Amritpal Singh and is considered one of India’s broadest reaches of technological control in years.

“Singh, a 30-year-old preacher, has been a popular figure within a separatist movement that seeks to establish a sovereign state in Punjab called Khalistan for followers of the Sikh religion,” our colleagues write. “He rocketed to nationwide notoriety in February after his supporters stormed a police station to free one of his jailed supporters.”

The Khalistan movement is outlawed in India and officials consider it a national security threat, our colleagues write. The movement has sympathizers within Punjab, which is majority Sikh.

Our colleagues spoke with Punjab residents affected by the move to cut mobile internet services, which began Saturday and was extended into Sunday. “My entire business is dependent on internet,” said Mohammad Ibrahim, who accepts payments via QR code at his clothing shops and also sells garments online. “Since yesterday, I’ve felt crippled.”

Google fixes Pixel vulnerability that reverses edited screenshots

A flaw in the official Google Pixel screenshot editor tool that allowed screenshot edits to be undone has been patched, but users who shared screenshots with sensitive information before the patch might be at risk, Abner Li from 9to5Google reports.

The flaw, dubbed “aCropalypse,” was first reported to Google in early January. It was discovered by reverse engineering security researchers Simon Aarons and David Buchanan. It allows people to uncrop and unredact screenshots originating in Markup, Google’s built-in screenshot editing app, Li writes.

The error stemmed from the cropped image being saved in the same file location as the uncropped image; however, Google’s software didn’t delete the latter before writing the new image over it, leaving a portion of the original file data trailing behind.

The issue was fixed in a March 2023 security patch, the report says. However, depending on the site or platform the images were posted to, it may be possible for malicious individuals to exploit some images sent around with cropped sensitive data before the patch was rolled out.

Global cyberspace

