Welcome to this week’s edition of the Threat Source newsletter. 

This is the way the world ends 
This is the way the world ends 
This is the way the world ends 
Not with a bang but a whimper. – T.S. Eliot 

So this is how Summer Camp 2025 ends, not with a bang but a whimper. We’ve put the summer behind us and are moving on to the next phase of the year, where we all put our noses down and grind from here to the holiday season. Happy Grind Season 2025.

As you know, threat research never takes a day off, but I’m going to step in and remind you all to look at your calendars. Decide, here and now, to take some time before that holiday season so that you can take care of your mental health, because mental health is health.

This is doubly important if you lead a team of people. Take a minute and make sure that they are going to do the same. Ensure your entire team is taking care of themselves. In the end, you will all be better for it. 

Since we are on the subject of mental health, I don’t know if anyone else has read this paper (Psychopathia Machinalis: A Nosological Framework for Understanding Pathologies in Advanced Artificial Intelligence), but I found it truly fascinating. It’s one of the things we, as security practitioners, need to be cognizant of as we go forward with our AI tooling and efforts to protect against AI threats.  

“As artificial intelligence (AI) systems attain greater autonomy and complex environmental interactions, they begin to exhibit behavioral anomalies that, by analogy, resemble psychopathologies observed in humans.”  

The behavior of an evolving AI, and the psychosis it could present, is a touch-point to the long-standing problematic internal employee. This creates an interesting dynamic for defense and strategies within the evolving internal landscape.  

I think understanding this presented framework can go a long way in identifying the types of behaviors that lead to malicious activity — not unlike understanding employee behavior. Stay ahead of the curve and prepare for not only a hallucinated package from an internal AI tool but perhaps a revelation that leads to new and interesting malicious behaviors.

The one big thing 

In the latest episode of The Talos Threat Perspective, we explore three vulnerabilities that Talos researchers uncovered (and helped to fix) this year which highlight how attackers are pushing past the boundaries defenders rely on. One lived in the security chip within Dell laptops’ firmware, another in Microsoft Office for macOS permissions and the third in small office/home routers. 

Why do I care? 

These aren’t just isolated issues. The Dell vulnerability showed that even a clean Windows reinstall isn’t always enough to kick out an attacker. The Office for macOS issue demonstrated how adversaries can “borrow” sensitive permissions like microphone access from trusted apps. And compromised routers allowed attackers to blend in with legitimate ISP traffic, making malicious connections hard to spot. Each case reveals current attacker creativity levels. 

So now what? 

Take a closer look at the research:

• Watch the full Talos Threat Perspective episode here: TTP Ep14: Persistence, Privilege & Camouflage 
• Read Philippe’s blog on the Dell firmware vulnerabilities: Revault: When your SOC turns against you

Top security headlines of the week 

TransUnion says hackers stole 4.4 million customers’ personal information 
TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. They confirmed that the stolen PII includes customers’ names, dates of birth, and Social Security numbers. (TechCrunch) 

Google warns that mass data theft hitting Salesloft AI agent has grown bigger 
Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. (Ars Technica) 

High-severity vulnerability in Passwordstate credential manager  
Passwordstate is urging companies to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. (Ars Technica) 

JSON config file leaks Azure ActiveDirectory credentials 
A publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD), potentially allowing cyberattackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments. (Dark Reading)

WhatsApp zero-day exploited in attacks targeting Apple users 
Tracked as CVE-2025-55177 (CVSS score of 5.4), an attacker could have exploited the issue to trigger the processing of content from arbitrary URLs, on the victims’ devices, WhatsApp’s advisory reads. (SecurityWeek)

Can’t get enough Talos?

Cisco: 10 years protecting Black Hat 
Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

Tales from the Black Hat NOC 
How do you build and defend a network where attacks are not just expected, but a part of the curriculum? Hazel sits down with Jessica Oppenheimer to learn more.

Static Tundra exposed 
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.

Upcoming events where you can find Talos 

• BlueTeamCon (Sept. 4 – 7) Chicago, IL 
• LABScon (Sept. 17 – 20) Scottsdale, AZ 
• VB2025 (Sept. 24 – 26) Berlin, Germany

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610
MD5: 85bbddc502f7b10871621fd460243fbc
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details
Typical Filename: N/A
Claimed Product: Self-extracting archive
Detection Name: Win.Worm.Bitmin-9847045-0 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201  

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
MD5: 8c69830a50fb85d8a794fa46643493b2   
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 
Typical Filename: AAct.exe   
Claimed Product: N/A   
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: 186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62 
MD5: bfc168a01a2b0f3cd11bf4bccd5e84a1 
VirusTotal: https://www.virustotal.com/gui/file/186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62 
Typical Filename: PDFSkills_Updater.exe 
Claimed Product: PDF Skills 
Detection Name: Win64.Application.Agent.W2MG0A 

SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08  
MD5: 906282640ae3088481d19561c55025e4  
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08  
Typical Filename: AAct_x64.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Tool.Winactivator::1201

Cisco Talos Blog – ​Read More

August was a busy month at ANY.RUN. We expanded our list of connectors with Microsoft Sentinel and OpenCTI, added Linux Debian (ARM) support to the SDK, and strengthened detection across hundreds of new malware families and techniques. With fresh signatures, rules, and product updates, your SOC can now investigate faster, detect more threats in real time, and keep defenses sharp against the latest campaigns. 

Let’s dive into the details now. 

Product Updates 

New Connectors: Bringing Threat Intelligence into Your Existing Stack 

We continue to expand ANY.RUN connectors so teams can work with familiar tools while boosting threat visibility. Our goal is simple: reduce setup friction and deliver fresh, high-fidelity IOCs directly into your workflows; no extra tools, no complex scripts, no wasted analyst time. 

Microsoft Sentinel 

ANY.RUN now delivers Threat Intelligence (TI) Feeds directly to Microsoft Sentinel via the built-in STIX/TAXII connector. That means: 

• Effortless setup: Connect TI Feeds with your custom API key 

• Enhanced automation: Sentinel’s playbooks automatically correlate IOCs with your logs, trigger alerts, and even block IPs. 

• Cost efficiency: Maximize your existing Sentinel setup, cut false positives, and reduce breach risks with high-fidelity indicators. 

• Rich context: Every IOC links back to a sandbox session with full TTPs for faster investigations and informed responses. 

• Faster detection: Fresh IOCs stream into Sentinel in real time, accelerating threat identification before impact. 

• Seamless interoperability: TI Feeds work natively within your Sentinel environment, so no workflows need to change. 

Investigations become faster and responses more precise with IOCs enriched by full sandbox context. Unlike static or delayed threat feeds, ANY.RUN’s TI Feeds are powered by real-time detonations of fresh malware samples observed across attacks on 15,000+ organizations worldwide. The data is updated continuously and pre-processed by analysts to ensure high fidelity and near-zero false positives, so your SOC can act on threats that truly matter. 

OpenCTI 

For SOC teams using Filigran’s OpenCTI, ANY.RUN now provides dedicated connectors that bring interactive analysis and fresh threat intelligence directly into your workflows. Instead of juggling multiple tools, analysts can analyze files, enrich observables, and track emerging threats inside the OpenCTI interface they already use. 

• Interactive Sandbox: Automate analysis of suspicious files and URLs to quickly understand their threat level, TTPs, and collect IOCs.  

• Threat Intelligence Lookup: Enrich observables with threat context based on fresh live attack data.  

• Threat Intelligence Feeds: Stay updated on the active threats with filtered, actionable network IOCs from the latest malware samples. 

You can connect any combination of these connectors based on their specific needs and licenses.  

View documentation on GitHub → 

SDK Update: Linux Debian (ARM) Support 

We’ve expanded our software development kit (SDK) to include Linux Debian 12.2 (ARM, 64-bit) in the Linux connector. This addition ensures that analysts can now automate malware analysis for ARM-based threats alongside Windows, Linux x86, and Android, all from the same SDK. 

With this update, your team can: 

• Submit ARM samples for automated analysis and retrieve detailed reports. 

• Collect IOCs, IOBs, and IOAs from Debian (ARM) environments in real time. 

• Integrate ARM analysis seamlessly into SIEM, SOAR, or XDR workflows without extra tools. 

ARM-based malware is rapidly expanding across IoT, embedded systems, and cloud servers. By adding Debian ARM support, the SDK gives SOCs earlier visibility into these threats and helps reduce costs by keeping all environments under one automated process. 

Explore ANY.RUN’s SDK on GitHub 

Threat Coverage Update 

In August, our team continued to expand detection capabilities to help SOCs stay ahead of evolving threats: 

• 104 new signatures were added to strengthen detection across malware families and techniques. 

• 14 new YARA rules went live in production, boosting accuracy and enabling deeper hunting capabilities. 

• 2,124 new Suricata rules were deployed, ensuring better coverage for network-based attacks. 

These updates mean analysts get faster, more confident verdicts in the sandbox and can enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs. 

New Behavior Signatures 

In August, we introduced a new set of behavior signatures to help SOC teams detect obfuscation, persistence, and stealthy delivery techniques earlier in the attack chain. These detections are triggered by real actions, not static indicators, giving analysts deeper visibility and faster context during investigations. 

This month’s coverage includes new families and techniques across stealers, lockers, loaders, and RATs: 

• MixShell 

• CVE-2025-8088 

• MystroDX 

• UpCrypter 

• Noodlophile 

• BlueLocker 

• CyberStealer 

• CVE-2025-50154 

• Raven 

• ArcStealer 

• Firewood 

• DogeStealer 

• CMIMAI 

• HoaxCalls 

• RedHook 

• ApolloShadow 

• NovaBlight 

• FSOCIETY 

• SUFUZAN 

• BYT3R 

• Cephalus 

• Hoptodesk (registry) 

• Hoptodesk (files) 

• Aspia 

• CyberVolkV2 

• Empire 

• Asiak 

• Noct 

• Cyborg 

• XtinyLoader 

• DarkRoad 

• ROKRAT 

• Raspberry Robin 

• ClickFix 

YARA Rule Updates 

In August, we released 14 new YARA rules into production to help analysts detect threats faster, improve hunting accuracy, and cover a wider range of malware families and evasion tactics. Key additions include: 

• YANO – Stealer detection 

• BABEL – Obfuscation coverage 

• DNGuard – Packer/obfuscator detection 

New Suricata Rules 

We also added 2,124 targeted Suricata rules to help SOC teams catch data exfiltration and phishing campaigns more reliably. Highlights include: 

• Salty2FA exfiltration activity (sid:85002719): Detects emerged phishkit’s pattern of retrieving stolen credentials 

• Salty2FA TLD domain chain (sid:85002796): Tracks Salty2FA infrastructure by usage of domain names in .*.com & .ru TLD-zones in specific order 

• Rhadamanthys stage-payload HTTP request (sid:85002618): Identifies stealer activity by specific web request for additional payload 

Other Updates 

• Updated extractor – improved parsing for modern samples 

• Updated Lumma rule – enhanced detection for new campaign variants (sample) 

About ANY.RUN  

ANY.RUN supports over 15,000 organizations across banking, manufacturing, telecom, healthcare, retail, and tech, helping them build faster, smarter, and more resilient cybersecurity operations.  

Our cloud-based Interactive Sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in under 40 seconds; no complex infrastructure required. Paired with TI Lookup, YARA Search, and Threat Feeds, ANY.RUN empowers security teams to accelerate investigations, reduce risk, and boost SOC efficiency. 

The post Release Notes: Fresh Connectors, SDK Update, and 2,200+ New Detection Rules  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Open any website, and the first thing you’ll likely see is a pop-up notification about the use of cookies. You’re usually given the option to accept all cookies, accept only necessary ones, or flatly reject them. Regardless of your choice, you probably won’t notice a difference, and the notification disappears from the screen anyway.

Today, we dive a little deeper into the cookie jar: what cookies are for, what types exist, how attackers can intercept them, what the risks are, and how to stay safe.

What are cookies?

When you visit a website, it sends a cookie to your browser. This is a small text file that contains data about you, your system, and the actions you’ve taken on the site. Your browser stores this data on your device and sends it back to the server every time you return to that site. This simplifies your interaction with the site: you don’t have to log in on every single page; sites remember your display settings; online stores keep items in your cart; streaming services know at which episode you stopped watching — the benefits are limitless.

Cookies can store your login, password, security tokens, phone number, residential address, bank details, and session ID. Let’s take a closer look at the session identifier.

A session ID is a unique code assigned to each user when they sign in to a website. If a third party manages to intercept this code, the web server will see them as a legitimate user. Here’s a simple analogy: imagine you can enter your office by means of an electronic pass with a unique code. If your pass is stolen, the thief — whether they look like you or not — can open any door you have access to without any trouble. Meanwhile, the security system will believe that it’s you entering. Sounds like a scene from a crime TV show, doesn’t it? The same thing happens online: if a hacker steals a cookie with your session ID, they can sign in to a website you were already signed in to, under your name, without needing to enter a username and password; sometimes they can even bypass two-factor authentication. In 2023, hackers stole all three of the YouTube channels of the famous tech blogger Linus Sebastian – “Linus Tech Tips” and two other Linus Media Group YouTube channels with tens of millions of subscribers — and this is exactly how they did it. We’ve already covered that case in detail.

What types of cookies are there?

Now let’s sort through the different cookie varieties. All cookies can be classified according to a number of characteristics.

By storage time

• Temporary, or session cookies. These are only used while you’re on the website. They’re deleted as soon as you leave. They’re required for things like keeping you signed in as you navigate from page to page, or remembering your selected language and region.
• Persistent cookies. These remain on your device after you leave the site. They spare you the need to accept or decline cookie policies every time you visit. They typically last for about a year.

It’s possible for session cookies to become persistent. For example, if you check a box like “Remember me”, “Save settings”, or some such on a website, the data will be saved in a persistent cookie.

By source

• First-party cookies. These are generated by the website itself. They allow the website to function properly and visitors to get a proper experience. They may also be used for analytics and marketing purposes.
• Third-party cookies. These are collected by external services. They’re used to display ads and collect advertising statistics, among other things. This category also includes cookies from analytics services like Google Analytics and social media platforms. These cookies store your sign-in credentials, allowing you to like a page or share content on social media with a single click.

By importance

• Required, or essential cookies. These support core website features, such as selling products on an e-commerce platform. In this case, each user has a personal account, and essential cookies store their login, password, and session ID.
• Optional cookies. These are used to track user behavior and help tailor ads more precisely. Most optional cookies belong to external parties and don’t affect your ability to use all of the site’s features.

By storage technology

• These cookies are stored in text files in the browser’s standard storage. When you clear your browser data, they’re deleted, and after that, the websites that sent them will no longer recognize you.
• There are two special subtypes: supercookies and evercookies, which store data in a non-standard way. Supercookies are embedded in website headers and stored in non-standard locations, which allows them to avoid being deleted by the browser’s cleanup function. Evercookies can be restored using JavaScript even after being deleted. This means they can be used for persistent and difficult-to-control user tracking.

The same cookie can fall into multiple categories: for example, most optional cookies are third-party, while required cookies include temporary ones responsible for the security of a specific browsing session. For more details on how and when all these types of cookies are used, read the full report on Securelist.

How session IDs are stolen through session hijacking

Cookies that contain a session ID are the most tempting targets for hackers. Theft of a session ID is also known as session hijacking. Let’s examine some of the most interesting and widespread methods.

Session sniffing

Session hijacking is possible by monitoring or “sniffing” the internet traffic between the user and the website. This type of attack happens on websites that use the less secure HTTP protocol instead of HTTPS. With HTTP, cookie files are transmitted in plain text within the headers of HTTP requests, meaning they’re not encrypted. A malicious actor can easily intercept the traffic between you and the website you’re on, and extract cookies.

These attacks often occur on public Wi-Fi networks, especially if not protected by either the WPA2 or WPA3 protocols. For this reason, we recommend exercising extreme caution with public hotspots. It’s much safer to use mobile data. If you’re traveling abroad, it’s a good idea to use an Kaspersky eSIM Store.

Cross-site scripting (XSS)

Cross-site scripting consistently ranks among the top web-security vulnerabilities, and with good reason. This type of attack allows malicious actors to gain access to a site’s data — including the cookie files that contain the coveted session IDs.

Here’s how it works: the attacker finds a vulnerability in the website’s source code and injects a malicious script; that done, all that remains is for you to visit the infected page and you can kiss your cookies goodbye. The script gains full access to your cookies and sends them to the attacker.

Cross-site request forgery (CSRF/XSRF)

Unlike other types of attacks, cross-site request forgery exploits the trust relationship between a website and your browser. An attacker tricks an authenticated user’s browser into performing an unintended action without their knowledge, such as changing a password or deleting data like uploaded videos.

For this type of attack, the threat actor creates a web page or email containing a malicious link, HTML code, or a script with a request to the vulnerable website. Simply opening the page or email, or clicking the link, is enough for the browser to automatically send the malicious request to the target site. All of your cookies for that site will be attached to the request. Believing that it was you who requested, say, the password change or channel deletion, the site will carry out the attackers’ request on your behalf.

That’s why we recommend not opening links received from strangers, and installing a Kaspersky Password Manager that can alert you to malicious links or scripts.

Predictable session IDs

Sometimes, attackers don’t need to use complex schemes — they can simply guess the session ID. On some websites, session IDs are generated by predictable algorithms, and might contain information like your IP address plus an easily reproducible sequence of characters.

To pull off this kind of attack, hackers need to collect enough sample IDs, analyze them, and then figure out the generating algorithm to predict session IDs on their own.

There are other ways to steal a session ID, such as session fixation, cookie tossing, and man-in-the-middle (MitM) attacks. These methods are covered in our dedicated Securelist post.

How to protect yourself from cookie thieves

A large part of the responsibility for cookie security lies with website developers. We provide tips for them in our full report on Securelist.

But there are some things we can all do to stay safe online.

• Only enter personal data on websites that use the HTTPS protocol. If you see “HTTP” in the address bar, don’t accept cookies or submit any sensitive information like logins, passwords, or credit card details.
• Pay attention to browser alerts. If you see a warning about an invalid or suspicious security certificate when you visit a site, close the page immediately.
• Update your browsers regularly or enable automatic updates. This helps protect you from known vulnerabilities.
• Regularly clear browser cookies and cache. This prevents old, potentially leaked cookie files and session IDs from being exploited. Most browsers have a setting to automatically delete this data when you close them.
• Don’t follow suspicious links. This is especially true of links received from strangers in a messaging app or by email. If you have a hard time telling the difference between a legitimate link and a phishing one, install a Kaspersky Premium that can alert you before you visit a malicious site.
• Enable two-factor authentication (2FA) wherever possible. [placeholder KPM] is a convenient way to store 2FA tokens and generate one-time codes. It syncs them across all your devices, which makes it much harder for an attacker to access your account after a session has ended — even if they steal your session ID.
• Refuse to accept all cookies on all websites. Accepting every cookie from every site isn’t the best strategy. Many websites now offer a choice between accepting all and accepting only essential cookies. Whenever possible, choose the “required/essential cookies only” option, as these are the ones the site needs to function properly.
• Connect to public Wi-Fi networks only as a last resort. They are often poorly secured, which attackers take advantage of. If you have to connect, avoid signing in to social media or messaging accounts, using online banking, or accessing any other services that require authentication.

Want to know even more about cookies? Read these articles:

• How to block cookies in your browser
• Privacy-Preserving Attribution technology by Mozilla
• How to tell if a website is taking your (browser) fingerprints
• How to control cookies: a real-world experiment
• The sound of online trackers

Kaspersky official blog – ​Read More

Picture this: you’re on a train chatting with a nice lady and her young child — visitors to your home city. As the train approaches the station, she reaches for her wallet, pulls out a bank card, and her face falls. “Oh no! I accidentally snaped my card!” she exclaims. “What am I going to do now? I needed to withdraw cash…” Could I transfer you some money, so you can then withdraw it for me at an ATM?”

Most people would agree to help. She’s a young lady with a child in a new city after all, and she’s in a tight spot. What could go wrong? And she’s not asking for money — she’s sending it to you. It seems completely harmless. The money is quickly transferred to your account, you withdraw the cash from your account from an ATM, and the woman thanks you enthusiastically before disappearing into the crowds. But a couple of weeks later the police show up at your door…

You thought you were doing a good deed, but you’ve just become an unwitting participant in a money laundering scheme. People who help criminals move stolen money through their bank accounts are called “money mules”. Today we explain how you can accidentally become a money mule, and the serious consequences you could face.

How people become money mules

A money mule is anyone whose bank account is used to move or withdraw money as part of a scam. Mules are considered expendable in any fraudulent scheme, and anyone can become one — even someone who’s never heard the term before. There are many ways people get roped into these schemes, and here are just a few of them.

The “easy-money online job” scam. Job-search chats are often filled with tasty offers: “Looking for a few people, paying $50 an hour, easy work, all you need is internet access”. The “job” involves accepting transfers from certain people, and then making payments to others. Another variation involves withdrawing cash after funds are sent to you and giving it to a random courier. They might actually pay you for this “service”, but trust us, even $50 an hour isn’t worth the potential consequences, which we’ll get into later.

“I left my card at home. Do you mind helping me out?” The young-lady-in-a-tight-spot role is easy to recast in other narratives. Instead of a young lady, there could be a young man telling you a sob story about a card he’s left somewhere and needing help to pay for a smartphone, a TV, perfume, or some other expensive item. He’ll offer to transfer you funds so you can pay for the item with your own card. You may agree to help out — especially if you get cashback from using your card. But notice the difference: if this stranger messaged you online, you’d probably just tell them to get lost. However, when you’re standing next to them at the checkout counter, the likelihood of your “helping out” is much higher.

“We’ll pay you in cash under the table”. Even employees of small, shady companies can unknowingly become money mules. These companies don’t officially hire their workers, and pay only in cash under the table. Note that if the employer has obtained money illegally, all employees working without a contract may be considered money mules and could face serious legal consequences.

There are other schemes too, which primarily target teenagers. Youngsters are asked to open a bank account and pass the account details to strangers online who’ll pay them, say, $20 or $30 for the service. Opening a new bank account takes only a few seconds, and the promised sum is a real help for any hard-up student. Unfortunately, these young victims most likely have no idea who could use their accounts or how.

What happens if you become a money mule?

Nothing good. At a minimum, a money mule is considered an active participant in a criminal scheme — even if they’re unaware of their involvement. Fraudsters constantly steal large sums of digital money from both companies and ordinary people, employing hundreds of social engineering tactics. But they need a way to cash out. And that’s where schemes to create entire networks of unsuspecting money mules come in — and they’re the ones who’ll have the police knocking on their door.

Many countries have laws against money muling. Money mules get prosecuted regardless of whether they knew where the funds came from, or that they were pawns in a grand scheme. Proving the absence of criminal intent in court can be difficult, so, despite being unaware of the third party’s illicit intentions when transferring the money, they may be slapped with fines or other penalties.

Actual punishment varies by country: for example, in the United States, if criminal intent is proven, a money mule can face up to 20 years in prison. In Germany, to avoid punishment, it’s enough to turn yourself in to the police and report the scam you’ve become involved in. In Singapore, inadvertent money laundering can lead to fines of up to $150 000, or a prison sentence of up to three years if there were clear “red flags” pointing to a scam.

How to avoid becoming a money mule

Regardless of the penalties in your country for cashing out criminal money, you need to be extremely careful to avoid unwittingly becoming a money mule. Here’s a list of rules to help you avoid unwanted problems:

• Don’t trust everyone unquestioningly. If a stranger offers to send you any amount of money for you to withdraw for a small fee, refuse.
• Always work on-the-books, and with a formal contract. Don’t agree to off-the-books cash-in-hand, and always sign a contract for any job you do.
• Keep your bank details private. Don’t open bank accounts at the request of someone else, or sell details of your existing accounts or bank cards.

Most importantly, remember that nothing’s truly free. Learn how to spot scammers with the help of read our Telegram channel — subscribe to stay up to date on all the new trends in cybersecurity.

What else to read on fraudulent schemes:

• NFC carders hide behind Apple Pay and Google Wallet
• How fraudsters bypass customer identity verification using deepfakes
• Telegram scams with bots, gifts, and crypto
• SIMulated giveaway on Instagram: the prize is your account!

Kaspersky official blog – ​Read More