Revenge porn hub taken down by Dutch police raid

A notorious hub for the sharing of revenge porn called Anon-IB has been shut down by Dutch police.

Three Dutch nationals have been arrested for stealing intimate images that they then shared on the site.

Servers containing stolen data were seized by police as it investigated who had stolen the images.

The police said any women who can be identified from its analysis of captured data will be told that their information has been stolen.

Easy to hack

Anon-IB was widely implicated in the 2014 Celebgate hack that saw nudes of more than 100 celebrities leaked online. Images of nude US female marines and underage girls were also known to be stored and traded on the forum.

Prior to being shut down, Anon-IB was one of the web’s top 10,000 most popular sites.

In a statement, Dutch police said the investigation that led to the site being closed began in March 2017. It started with a complaint by a Dutch woman who found that images from her cloud storage account had been stolen and shared online.

The suspected culprit for this hack was a 31-year-old man in Culemborg, said Dutch police. He was arrested for hacking into the online account and stealing nude photos.

The subsequent forensic analysis of the suspect’s computer and phone revealed “huge amounts” of images of the victim and other women.

Examining the cache of data led police to two other men who, between them, had intimate images stolen from “hundreds” of women.

These two men, from Groningen and Heerlen, have also been arrested. Police have confiscated stolen data from two others, also in the Netherlands, who are also believed to have traded stolen images and hacked others.

“The suspects were able to gain access to emailboxes, social media accounts and digital storage places such as clouds,” said the statement. “These were not properly secured and therefore relatively easy to hack.”

Images were often taken without victims knowing.

The investigation led police to servers hosting the stolen images that were located in the Netherlands.

Sex toy with in-built camera can be ‘easily hacked’

A wi-fi-enabled sex toy that features an in-built camera can be hacked, security researchers say.

Pen Test Partners, which tested the Siime Eye vibrator, said it was “trivial” to connect to its web interface.

This meant attackers could access intimate videos recorded by the device, as well as control other functions.

Svakom, the US firm that makes the toy, said updated versions of its software were “completely secure”.

According to the firm’s website, the Siime Eye has a built-in micro camera and a hidden searchlight, which can be connected to a PC, tablet or mobile phone via wi-fi.

The firm says this allows users to “record and share” their experiences with a partner via “pictures or videos”.

Instant access

But in a blog, Pen Test Partners showed how the device could be hacked.

It said someone within range of the device could access its video stream, either by working out the user’s password, or entering the manufacturer’s default password, 88888888, if it had not been changed.

Those with more advanced knowledge could gain “complete control” over operation of the device, Pen said.

“It’s trivial to connect to the access point (AP),” it said, “[and] if you can get onto the wireless AP, you’ll have instant access to everything on this web application.

“Oh, and being a wi-fi AP means you can find users too… This part surprised us the most.”

Laptop risks

Pen Test said it had contacted Svakom several times about the issue since December but had not heard back.

A spokesperson for Svakom told the BBC there had only been vulnerabilities when using the toy with a laptop.

“We recommended our users to use the Siime Eye only on their smartphone,” they said.

“Moreover, in the instructions on the app and user manual it is clearly stated to change the password of the wi-fi to ensure privacy.”

They added: “We respect our customer’s privacy and our updated versions (more than one year old) of the Siime Eye App on both Google Play Store and Apple Store are completely secure.”

It comes weeks after Canadian firm Standard Innovation agreed to pay $3.75m (£3m) to settle privacy claims regarding some of its We-Vibe sex toys.

Some We-Vibe models collected intimate user data and sent it back to the manufacturer without the user’s consent.

Tech experts said the vibrator could also be hacked although Standard Innovation, which did not admit wrongdoing, said none of the devices’ data was accessed by outside parties.

Billion euro cyber-suspect arrested in Spain

A cyber-crime mastermind suspected of stealing about £870m (€1bn) has been arrested in Spain.

The individual is alleged to be the head of the organised crime gang that ran the Carbanak and Cobalt malware campaigns that targeted banks.

Europol said the group had been active since 2013 and infiltrated more than 100 banks in that time.

Cash was siphoned off via bank transfers or dispensed automatically through cash machines.

Luxury goods

The arrest was a “significant success” against a top cyber-crime group, Steven Wilson, head of Europol’s Cyber-Crime Centre (EC3), which co-ordinated the long-running, cross-border investigation into the group, said in a statement.

“The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity,” he said.

The cyber-thieves got their malware on to bank networks by sending key staff booby-trapped phishing emails, said Europol. The gang used three separate generations of malware, each one more sophisticated than the last, to penetrate and then lurk on financial networks.

Once the machines of key staff were compromised, the gang used their remote access to banking networks to steal money in several different ways.

  • cash machines were ordered to remotely dispense money at specific times – letting mules and other gang members scoop up the notes
  • inter-bank money transfer systems were instructed to move cash into criminal accounts
  • databases were altered to increase account balances. Mules then removed the money via cash machines

Money was laundered via crypto-currencies and payment cards, which were used to buy luxury goods including cars and houses.

Europol, the FBI, cyber-security firms and police forces in Spain, Romania, Belarus and Taiwan all collaborated to track down the gang, said the European policing agency.

Elon Musk fans targeted in crypto-cash scam

Fans of entrepreneur Elon Musk have been targeted in an emerging crypto-currency scam.

The scammers pose as celebrities on Twitter and claim to be giving away crypto-cash such as Bitcoin or Ether to their fans.

They ask people to send them a small amount of crypto-currency to qualify for the giveaway, but victims do not get any bitcoins back.

Twitter has not yet removed the imposter Elon Musk account.

How does the scam work?

The scammers impersonate well-known personalities on Twitter by copying their profile pictures and choosing usernames very similar to the genuine accounts.

They then post replies to popular tweets made by the genuine celebrity. This gives their nefarious messages prominence on Twitter.

Typically, the scammers ask people to send them small amounts of crypto-currency, offering to send a larger amount back as part of a giveaway.

The scam can be convincing, because at first glance it looks like the celebrity has replied to their own tweet.

However, the fake profiles can be detected as they do not have Twitter’s “verified” badge and often have no followers and have never posted before.
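The tell-tale signs described above can be combined into a simple triage check for accounts replying under a celebrity's tweet. This is an added example, not code from the article or from Twitter: the record fields (`verified`, `followers`, `posts_before`, `same_avatar`), the distance threshold and the sample accounts other than the `@elonmuskik` handle are assumptions constructed for illustration.

```python
import unicodedata

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(handle):
    # NFKC folds compatibility forms such as fullwidth letters; it does not
    # catch cross-script homoglyphs, which need a separate confusables table.
    text = unicodedata.normalize("NFKC", handle)
    return text.lstrip("@").replace("_", "").casefold()

def signals(account, genuine_handle, max_distance=3):
    """List which of the article's warning signs an account trips."""
    cand, real = normalise(account["handle"]), normalise(genuine_handle)
    if cand == real and account["verified"]:
        return []  # this is the genuine account itself
    found = []
    if edit_distance(cand, real) <= max_distance or real in cand:
        found.append("lookalike_handle")
    if account["same_avatar"]:
        found.append("copied_avatar")
    if not account["verified"]:
        found.append("not_verified")
    if account["followers"] == 0:
        found.append("no_followers")
    if account["posts_before"] == 0:
        found.append("never_posted")
    return found

def flag_replies(replies, genuine_handle):
    """Flag unverified accounts that copy the handle or the avatar."""
    flagged = []
    for acct in replies:
        s = signals(acct, genuine_handle)
        if "not_verified" in s and ("lookalike_handle" in s or "copied_avatar" in s):
            flagged.append((acct["handle"], s))
    return flagged

# Constructed sample records; only the @elonmuskik handle comes from the article.
SAMPLE_REPLIES = [
    {"handle": "@elonmusk", "verified": True, "followers": 1000, "posts_before": 500, "same_avatar": True},
    {"handle": "@elonmuskik", "verified": False, "followers": 0, "posts_before": 0, "same_avatar": True},
    {"handle": "@rocketfan42", "verified": False, "followers": 0, "posts_before": 0, "same_avatar": False},
]

if __name__ == "__main__":
    for handle, found in flag_replies(SAMPLE_REPLIES, "@elonmusk"):
        print(handle, found)
```

A brand-new account with no followers is not flagged on its own; it is the combination with a copied handle or avatar that marks a reply for review.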

Amplified by bots

On Tuesday, an account posing as Elon Musk using the username @elonmuskik tweeted that the entrepreneur was going to “give away” 3,000 Ether, worth about £1.7m.

The scam was amplified by several automated accounts known as bots.

The bots had been dormant since September 2017 and had never posted before, but came to life to chat among themselves about the supposed crypto-cash giveaway.

“Sо nice! Just sent and immediately received back. You’re super fast,” one said.

The founder of the Ethereum (ETH) crypto-currency Vitalik Buterin has been targeted by the scam so many times that he has changed his username to “No I’m not giving away ETH”.

“No, I’m not giving away ETH… y’all are getting nothing,” he tweeted.

Twitter has been criticised for taking a long time to tackle the problem of bots on its platform.

It told the BBC: “We’re aware of this form of manipulation and are proactively implementing a number of signals to prevent these types of accounts from engaging with others in a deceptive manner.”

At the time of publication, the fake Elon Musk post had been up on the platform for 11 hours and remained visible.