
The name ShinyHunters is currently quite well-known due to a number of high-profile hacks (Odido in the Netherlands this year was huge). Their brand has a significant value right now.

How does everyone know it's ShinyHunters and not someone pretending? I imagine they have some mechanism to authenticate, I'm curious what it is.

Because ShinyHunters published they hacked Canvas on their own website. They also redirected the Canvas login pages to a ShinyHunters message, whilst this could be done by another group/person, it's unlikely.

You can also validate PGP keys and TOX accounts, etc. via their website.


OK, I didn't realize they had a stable website all this time. I guess it's all out there in the open with these groups.

How is Instructure getting away with paying off the ransomware hackers? Is that still legal in Utah or something?

This happens every day, and there doesn't seem to be anything interesting about this case. It's how most situations are resolved. There are money transmitters that specialize in ransoms. They "do" sanctions checks that are about as good as you suspect they are.

Like other commenters have pointed out, it's literally a business. Most trade on reputation, so there actually is an incentive for them to take their money and abide by their agreements. Otherwise, they would have to start from scratch with a fresh identity and rebuild the rep to command their prices.


The same group has a reputation to uphold (i.e., that of 'honourable' criminals), so they just move on to the next target, who will, incidentally, know that they are absolutely true to their word. (This is why paying off ransomware hackers is being made illegal in a number of countries.)

A different group? Certainly. I wouldn't want to be in the shoes of the infosec guys at Canvas right now.


So the hacker group could create an unregistered subsidiary and hack some more?

Sure. In all likelihood ShinyHunters will 'gracefully' point out the weak spots leveraged in the system of the 'customer' upon receiving payment to prevent this happening again next week.

They have a rather strong incentive to keep this a happily-ever-after ending for Instructure and any other target who pays up. It's all taught in Mafia 101.


They could but also why would they?

They can always just hack them again but with a different method this time.

The ransom doesn't bind them from hacking the company multiple times. It just obligates them to destroy the data they collected from this attack.

As a matter of kindness and good business they'll probably wait a few months or a year or so before poking around again but they'll almost certainly continue poking at Instructure's systems.

Data exfil ransom attacks are a business first and foremost. They don't permanently halt or destroy the original infra and their goal is to get a payout for their labor and move on. Maybe they come back around in the future with another, different attack, maybe they don't.

They made their money and made it big in the news as having complied with the ransom payout, no reason to hurt their reputation trying to double dip. Plenty of other soft targets to poke.


If you squint you can think of it as pen-testing done economically right: how much do you really value your data??

NGL that's pretty much what it is.

On the one side you have white hat hackers and pen-testers who you pay a contract or salary to prod your system. If you really piss them off (i.e. by stiffing them of their pay) some might just steal your data and threaten to leak it unless you pay them.

On the other side are black hat hackers who will drive by your system and if they find a way to break in they'll offer to keep your data private for a ransom fee. And maybe if you have some charisma, decent pay, and/or a good repertoire you might recruit them on/convert them into white hats for your org.


It sounds a bit like the Dutch Tikkie with the QR codes and instant transfer. Of course, in the EU most bank wires are already free when using SEPA, and often nearly instant as well. This Tikkie thing is a way to easily create a payment request for people who can't be arsed to simply carry cash (and raise the country's resilience to system failure in the process).

Brazilian living in NL, experienced in both. I think the biggest difference is Tikkie doesn't give you an easy identifier. Great for privacy, but being able to send money to your email/phone number makes a difference for some real time use cases. QR code helps, but it is not the same.

IBAN works pretty ok as an identifier when you need that. Bank transfers between Dutch banks are almost instant anyway

It is instant provided your financial institution works within the SEPA Instant transfer system

Since last year, all EU banks have to support SEPA Instant Transfer, both receiving & sending, at the same price as a usual transfer (Instant Payments Regulation 2024/886)

If only https://en.wikipedia.org/wiki/EPC_QR_code supported a sepa instant bit so that one could just show a qr code, scan it with whatever payer banking app and authorize the sepa instant payment.

This is what Ideal/Wero does. Because this is the standard for webshops in the Netherlands (and rapidly expanding to the whole EU) the only gap left to fill was that of consumer-to-consumer transfers with just a QR code to scan. Tikkie I mentioned above solves that well enough in the Netherlands, although that bank-run app is horribly laden with stupid ads and deals you can't seem to turn off.

> free when using SEPA, and often nearly instant as well

It shocks me how well it works sometimes. Literally press pay and move eyeballs to notifications and it's there already.


Wait, why isn't that the article instead? Who actually wants this fade-scroll-thing? It detracts from the sensible content.

even this "ascii" (i expected raw text but still got html+css) was hardly readable for me, had to reach to the reader view, finally readable, ohh... looks much like ai-generated, why did i spend so much time jumping over obstacles...

The length and rambling nature of it was a clear AI indicator.

This is unfortunately the problem with the Boring Internet. It's subject to the common denominator which is shite. And LLMs generate a lot of that.


CSS always counters the conceptual and philosophical use of hypertext.

Color contrast in the text version isn’t great either

It always feels like my phone experience is just a pleasant intermezzo. My banking app (ABN Amro) works, government apps (DigiD) work, everything just works, and I get security and a certain degree of distance between me and Google. I can use F-Droid to install useful apps, and incidentally use Google's app store for apps I need because the rest of the world uses them. GrapheneOS rocks.

Borrowed time. I hope not, but that's the prevailing feeling.


The article mentioned that the use of 'ASCII' within the context of those tools should not be seen as the limited character set ASCII. Personally, I would avoid mentioning ASCII at all.

The title just talks of plain text though, and plain text usually means UTF-8 encoded text these days. Plain, as in conventional, standardised, portable, and editable with any text editor. I would be surprised if someone talked about plain text as being limited to just ASCII.


I would?

Would an emoji count as plain text?

What about right to left text? I have no idea how many editors handle that.


Which is totally up to the gods — or a hairdryer:

https://www.theguardian.com/world/2026/apr/23/hairdryer-or-l...


Completely wrong about the harder goat milk cheeses.

I can get a variety of goat's cheese at my local cheesemongers, including really old goat so hard it crumbles. So extra-hard goat is not a gap.

I wouldn't call the hard goat rare either, it's available in every larger Dutch supermarket; we're not talking casu martzu level of rare here.


We've got some hard goat cheeses available in UK supermarkets (e.g. https://www.tesco.com/shop/en-GB/products/282319267) though I wouldn't consider them extra-hard like parmesan.

There's this hard one from Aldi that looks a bit like Gouda and happens to be made with Dutch milk: https://www.aldi.co.uk/product/emporium-hard-goats-cheese-00...


This whole idea is dead on arrival because of this.

Most nations actively warn their citizens never to carry packages from someone you don't know, and never to carry packages you didn't pack (or saw opened) yourself even for people you do know. And still people agree to carry sealed packages for someone they had a few nice nights with on holiday before boarding the plane back home. That tends to end in a little room on the same airport with security/police grilling you before sending you on to the judicial system where the tough-on-drugs judge will sentence you to a couple of years of extra holiday. In a cell with rats.

There is no way to clear this legally and ethically.


Even across state lines is a big risk but carrying unknown packages into another country is astronomically stupid. You don’t get to play the “I didn’t realize” card, either, when you lie to a customs agent and claim you didn’t accept packages from anyone else.


Even just going to the Apple Store when you're in NYC for someone and bringing back a brand new Mac can get customs officials interested.

I'd be hesitant taking anything from anyone, even a child handing a letter to be postmarked in Florida.


Yeah, but bringing back a brand new Mac that I personally bought at an Apple Store for a friend won’t ever land me in jail - worst case scenario is that the friend would have to pay me back for whatever import duties the customs officials levy on the computer.

Now, carrying a random package from somebody on the Internet? There are more productive ways to get into jail than this!


Isn't this fixed by:

A: unpacking and inspecting the packages?

B: The company assuming the risk and liability.

C: The company collecting evidence through KYC and cooperating in the case of crime?

Probably too much hassle to save some bucks when compared to a courier service, though.


A. Maybe. Are you going to ship with someone who is going to open your package and rifle through it, though? I would personally also not feel confident in my ability to check fully for hidden illicit material if I were the courier.

B. No. Absent laws indemnifying the courier, a company saying “I’ll take the heat for those drugs you’re carrying” is not a meaningful act.

C. No. This seems like more of B.

This is all surmountable if the laws allow it. I assume FedEx drivers don’t go to jail if a package unknowingly contains drugs. But I don’t know what needs to be in place for random Joe to be acting as a casual courier without taking on legal liability.


Also if you can get away with it, all drug traffickers would soon have an online order for their package so if stopped they can just say they're an innocent courier.


From a security engineering risk I don't think that would be an issue, because the same mechanism that catches malicious senders would be at play, the sender would have to identify through the app, with a payment provider and to the courier to send a package. The fake courier would have to sign up as a fake sender and be risk-exposed through the sender role.

Courier immunity does not confer much advantage compared to just signing up and having someone else send it. Except, it's true, that a trafficker could play both roles and self serve to avoid courier inspection/risk, there's some implications there for sure, but same as any job right? Pizza delivery guy could be selling drugs. It's not like transport is a niche job that might warrant specialized training and certification, it's like half the economy, tell me a commodity more central to business than oil, it can happen yes, but it isn't the end of the world if it happens on your business it's part of the trade, as long as you can deal with it, comply with the investigation, put preventive measures, and design the system with that in mind, I think it'd be ok.

Obligatory disclaimer. I am not a lawyer, this is not legal advice, just my personal opinion on the matter.


Recently:

https://www.ctvnews.ca/canada/article/exclusive-canadian-tee...

>Jade’s Instagram account suggests she thought she had been hired for a legitimate job as an “international package shipper,” with a salary of $5,000 per trip.

Her recruiter texted her: “We pay your flights, accommodation, food.”


And yet I know there used to be a business (when the Concorde was flying), where they would offer very cheap tickets on the Concorde from New York to London and back, the hitch being that you agreed to take no luggage, and your luggage allowance was taken up by the brokering company, who provided a rush courier service largely for legal/business documents and the like.

I guess this company is slightly different, I think it could be made legal.

