A LinkedIn message drew a former waitress in Minnesota into a type of intricate scam involving illegal paychecks and stolen data
Christina Chapman looked the part of an everyday American trying to make a name for herself in hustle culture.
In prolific posts on her TikTok account, which grew to more than 100,000 followers, she talked about her busy life working from home with clients in the computer business and the fantasy book she had started writing. She posted about liberal political causes, her meals and her travels to see her favorite Japanese pop band.
Yet in reality the 50-year-old was the operator of a “laptop farm,” filling her home with computers that allowed North Koreans to take jobs as U.S. tech workers and illegally collect $17.1 million in paychecks from more than 300 American companies, according to federal prosecutors.
In a June 2023 video, she said she didn’t have time to make her own breakfast that morning—“my clients are going crazy,” she said. Then she describes the açaí bowl and piña colada smoothie she bought. As she talks, at least 10 open laptops are visible on the racks behind her, their fans audibly whirring, with more off to the side.
In 2023, Christina Chapman posted a TikTok that had racks of laptops visible in the background. The Wall Street Journal highlighted the laptops in this clip of the video.
Chapman was one of an estimated several dozen “laptop farmers” that have popped up across the U.S. as part of a scam to infiltrate American companies and earn money for cash-strapped North Korea. People like Chapman typically operate dozens of laptops meant to be used by legitimate remote workers living in the U.S.
What the employers—and often the farmers themselves—don’t realize is that the workers are North Koreans living abroad but using stolen U.S. identities. Once they get a job, they coordinate with someone like Chapman who can provide some American cover—accepting deliveries of the computer, setting up the online connections and helping facilitate paychecks. Meanwhile the North Koreans log into the laptops from overseas every day through remote-access software.
Chapman fell into her role after she got a request on LinkedIn to “be the U.S. face” for a company that got jobs for overseas IT workers, according to court documents. There’s no indication that she knew she was working with North Koreans.
A detailed analysis of a multi-stage card skimming attack exploiting outdated Magento software and fake image files.
In today’s post we’re going to review a sophisticated, multi-stage carding attack on a Magento eCommerce website. This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website.
The client was experiencing some strange behaviour on their checkout page, including clients unable to input their card details normally, and orders not going through. They contacted us for assistance. Thinking this would be a straightforward case of credit card theft instead what we found was actually a fascinating and rather advanced malware which we will explore in detail in this post.
Learn how a convincing Google spoof used a DKIM replay attack to bypass email security and trick users with a fake subpoena. A real-world phishing example you need to see.
Are you willing to hack and take control of Chinese websites for a random person for up to $100,000 a month?
Someone is making precisely that tantalizing, bizarre, and clearly sketchy job offer. The person is using what looks like a series of fake accounts with avatars displaying photos of attractive women and sliding into the direct messages of several cybersecurity professionals and researchers on X in the last couple of weeks.
Large-scale phishing attacks use DoH and DNS MX records to dynamically serve fake login pages
Key Takeaways The threat actor gained initial access by a fake Zoom installer that used d3f@ckloader and IDAT loader to drop SectopRAT. After nine days of dwell time, the SectopRAT malware dropped …
DPRK IT workers exploit GitHub to pose as Asian developers, securing remote jobs to fund missile and nuclear programs.
Key findings Proofpoint identified and named two new cybercriminal threat actors operating components of web inject campaigns, TA2726 and TA2727. Proofpoint identified a new
Invitations to try a beta lead to a fake game website where victims will get an information stealer instead of the promised game
A phishing campaign is using CrowdStrike recruitment branding to deliver malware disguised as a fake application. Learn more.
In December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft’s monthly Patch Tuesday release. Both vulnerabilities were deemed as highly significant due to the widespread use of LDAP in Windows environments:
CVE-2024-49112: A remote code execution (RCE) bug that attackers can exploit by sending specially crafted LDAP requests, allowing them to execute arbitrary code on the target system.
CVE-2024-49113: A denial-of-service (DoS) vulnerability that can be exploited to crash the LDAP service, leading to service disruptions.
In this blog entry, we discuss a fake proof-of-concept (PoC) exploit for CVE-2024-49113 (aka LDAPNightmare) designed to lure security researchers into downloading and executing information-stealing malware.
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from…
ClickFix fake browser updates are being distributed by bogus WordPress plugins. Learn about the common indicators of compromise.
GLASSBRIDGE is an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services.
HYPR recently experienced a fake IT worker attempting to gain employment. We are sharing the details to bring awareness to how widespread the problem is.
Since mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer”1 malware deployments via the “HijackLoader”2 malicious loader.
On October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt – except this time, the malware sample was properly signed with a genuine code-signing certificate.
In response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and reported more of such certificates. This report briefly presents the associated stealer threat, outlines the methodology for hunting these certificates, and providees indicators of compromise.
RL found the VMConnect campaign continuing with malicious actors posing as recruiters, using packages and the names of financial firms to lure developers.
McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack.
