Privacy and Security related news for the week ending 2020 08 04


This week’s topics range from how many phish take the bait, to jail times for Twitter hackers.

In between we find a US warning on a new virus from China… that this time will make your computer ill, a burglar alarm system that will soon be leaving the UK, just how bad the leaky Amazon S3 bucket scenario has become and how you can do your own forensic investigation on what the big four might be holding on you.

We think you will find this week’s snippets interesting and personally relevant as you work with your DAML creations.



Phishing campaigns, from first to last victim, take an average of 21 hours.

A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University spent an entire year analyzing the phishing landscape and how users interact with phishing pages. In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work.

“We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit.”

Researchers said that 7.42% of the victims entered credentials in the phishing forms, and eventually suffered a breach or fraudulent transaction on their account.

On average, crooks would attempt to breach user accounts and perform fraudulent transactions 5.19 days after the user visited the phishing site, and victim credentials would end up in public dumps or criminal portals 6.92 days after the user visited the phishing page. Researchers analyzed more than 400,000 phishing sites and said that the vast majority of phishing campaigns weren’t really that effective, with just a handful of phishing operators/campaigns accounting for most of the victims.

“We found that the top 10% largest attacks in our dataset accounted for 89.13% of targeted victims and that these attacks proved capable of effectively defeating the ecosystem’s mitigations in the long term.”

The full academic study, entitled “Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale,” is available for download as a PDF at usenix.org/system/files/sec20fall_oest_prepub.pdf


US: Rite Aid Used Facial Recognition in Hundreds of Stores for 8 Years

Reuters this week published a deep investigation into the use of facial recognition technology by Rite Aid, which the drugstore chain deployed to 200 stores over the last eight years.

The tech was installed largely in low-income neighborhoods in New York and Los Angeles, alarming civil liberties advocates. Of further concern was that Rite Aid outsourced some of its technology from a company with links to the Chinese government.

Rite Aid stopped using facial recognition following Reuters inquiries, but the breadth, focus, and duration of its implementation is still alarming.


A Huge Nintendo Leak Sends Fans Reeling

The leak itself occurred two weeks ago, but Motherboard has a great dive into the ripples caused by the so-called gigaleak, a trove of historical Nintendo source code, prototypes, emails, and more.

The contents of the gigaleak are compelling enough on their own, but so are the tensions its release has caused, especially given Nintendo’s litigious reputation.


Incognito Mode May Not Work the Way You Think It Does

David Nield: Perhaps the easiest way to think about incognito mode is that as soon as you close the incognito window, your web browser forgets the session ever happened: Nothing is kept in your browsing history, and any cookies that have been created (those little bits of data that log some of your actions online) are promptly wiped.

Cookies are what keep items in your Amazon shopping cart even if you forget about them for days, for example, and they also help sites to remember if you’ve visited them before.

This sort of anonymity is what incognito mode is good at—it’s like starting again with a blank slate, for better or for worse. Try loading up Twitter or Gmail, and these sites won’t automatically log you in as they normally do. For the same reason, incognito mode can sometimes be a handy way of accessing more free articles from a paywalled site (the site won’t instantly identify you as someone who’s been before, although many paywalled sites use other methods to figure that out).

That means if you’re signed into Facebook, for example, Facebook might well be able to see what you’re up to on other sites and adjust its advertising accordingly, even in incognito mode. Blocking third-party cookies in your browser can stop this to some extent (Chrome even offers you the option when you open incognito mode), but such is the reach of ad networks and tracking technologies that it’s difficult to stop it entirely.

Google has already been in trouble for this practice, though it’s not alone. If you sign in to Google while using incognito mode, then your searches are once again being logged and associated with your account, assuming that’s how your Google account preferences are set up—and Google is potentially also using its ad network and tracking technologies on other sites to keep tabs on you there too.

Even if you don’t sign in anywhere, the websites that you visit can use various clues—your IP address, your device type, your browser—to figure out who you might be, and to tie this to other information that might already be associated with you. Certain browsers are fighting back against this type of tracking, called “fingerprinting,” but it still goes on.

Incognito mode doesn’t hide your browsing from your internet service provider and it doesn’t wipe out files you’ve downloaded. In other words, you need to think of it as a way of hiding your online activities from the particular browser on the particular device you’re using, and from the other people using that device. When it comes to everything else, there are no guarantees.

The limits of incognito mode highlight just how hard it is to stay invisible on the web. To keep any tracking down to an absolute minimum, you need to pick a browser focused on privacy, use services like the DuckDuckGo search engine that don’t mine your data, and if you can, deploy a reliable VPN program whenever you connect to the web.


SubStack Did a Good Ol’ Fashioned Email "Oops"

Who among us! This week, newsletter platform SubStack sent an email out to subscribers with an update to its privacy policy. Unfortunately, for a “small percentage” of users it forgot to BCC, leading to a potentially explosive reply-all apocalypse.

“We are so sorry this happened—and we are aware of the irony,” the company said in an apologetic tweet. (Anecdotally, the people on those lists showed remarkable restraint.)


US: Government Warns of a New Strain of Chinese ‘Taidoor’ Computer Virus

Intelligence agencies in the US have released information about a new variant of a 12-year-old computer virus used by China’s state-sponsored hackers targeting governments, corporations and educational facilities.

“[The] FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) said in a joint advisory.

The malware, first seen in 2012, is not new, but the new variation and its resurgent use is. “Taidoor is installed on a target’s system as a service dynamic link library (DLL) and consists of two files,” the agencies said. “The first file is a loader, which is started as a service. The loader (ml.dll) decrypts the second file (svchost.dll), and executes it in memory, which is the main Remote Access Trojan (RAT).”

In addition to executing remote commands, Taidoor comes with features that allow it to collect file system data, capture screenshots, and carry out file operations necessary to exfiltrate the gathered information.

CISA recommends that users and administrators keep their operating system patches up-to-date, disable File and Printer sharing services, enforce a strong password policy, and exercise caution when opening email attachments.


A Researcher Dropped Two Tor Browser Vulnerabilities

Millions of people rely on Tor for anonymity, and it remains a good bet for most use cases. But security researcher Neal Krawetz this week dropped two apparent zero-day vulnerabilities in the browser. He also plans to disclose three more, one of which could reveal Tor server IP addresses.

Krawetz said he went public with the security issues because the Tor Project has been unresponsive when he’s tried to report problems responsibly in the past.


Amazon Pulls Brilliant Alexa Feature In U.K. And Pays Out Users

Barry Collins: Amazon has mysteriously withdrawn Alexa’s burglar-detecting Guard feature in the U.K. and paid compensation to customers who had enabled the feature.

Alexa Guard is a clever use of Amazon’s smart speakers, which listens for alarms or the sound of breaking glass, tipping off customers that there may be an emergency when they are away from home.

Alexa Guard was introduced in the U.S. in 2019 and had started to appear in the device options for Echo speaker owners in the U.K. recently. However, Amazon has quickly pulled the feature, according to users on Reddit, claiming it should never have been offered to U.K. customers.

“We are getting in touch regarding your sign-up for Alexa Guard on 27 July 2020,” an email to one customer reads, “Unfortunately, Alexa Guard is not available in the U.K. and it should not have been possible for our customers in the U.K. to sign up. This was a technical issue which has been fixed.”


UK: Doctor Fox has sprung a leak

Shaun Nichols: Former UK trade minister and current Conservative MP Dr. Liam Fox has been named as the source of hacked trade documents released during last year’s British elections.

“There is an ongoing criminal investigation into how the documents were acquired, and it would be inappropriate to comment further at this point, but as you would expect, the Government has very robust systems in place to protect the IT systems of officials and staff.”

A report from Reuters cited two anonymous sources who say that the 58 year-old Fox, who has since stepped down, had an email account (reportedly his personal one) taken over by Russian hackers, who then used it to obtain and release documents about Anglo-American trade talks.

According to Reuters, one of Fox’s email accounts was taken over via a spear phishing attack and accessed a number of times between July 12 and October 21 of 2019. The report notes that it’s unclear if the hack occurred while Fox was still actively serving as a member of Prime Minister Boris Johnson’s cabinet at the time (he stepped down from the role on July 24 of that year).

Last month, Foreign Secretary Dominic Raab warned that Kremlin-backed APT operations were not only trying to affect UK elections, but also steal vital research on Covid-19 treatments. “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,” Raab said of the attack.


Ransomware gang publishes tens of GBs of internal data from LG and Xerox

Catalin Cimpanu: The operators of the Maze ransomware today published tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts. The hackers leaked 50.2 GB they claim to have stolen from LG’s internal network, and 25.8 GB of Xerox data.

If a victim refuses to pay the fee to decrypt their files and decides to restore from backups, the Maze gang creates an entry on a “leak website” and threatens to publish the victim’s sensitive data in a second ransom/extortion attempt.

The victim is then given a few weeks to think over its decision, and if victims don’t give in during this second extortion attempt, the Maze gang will publish files on its portal.

LG and Xerox are at this last stage, after apparently refusing to meet the Maze gang’s demands.

Both companies ran Citrix ADC servers that at one point or another were left unpatched and vulnerable online - according to Internet scans. The servers were vulnerable to the CVE-2019-19781 vulnerability, “Maze’s favorite vector of compromise.”


There’s a hole in my bucket dear Liza, a hole.

Truffle Security says its automated search tools found 4,000 open Amazon S3 buckets that included data companies would not want public, things like login credentials, security keys, and API keys. The exposed data was so common, they were able to count an average of around 2.5 pieces of ‘secret’ data in each file they analyzed. In some cases, more than 10 secrets were found in a single file. These included SQL Server passwords, Coinbase API keys, MongoDB credentials, and logins for other AWS buckets that actually were configured to ask for a password.

“It’s probably fair to assume authenticated buckets contain more secrets than unauthenticated ones, due to the implied higher security bar authentication provides. This means attackers can likely use the first round of buckets to find keys that unlock an additional round of buckets and expose more keys, which could expose more buckets, etc,” explained the Truffle team. “We did not use any of these keys or explore this possibility for obvious reasons, but this makes this type of attack ‘wormable’, i.e., one bucket can lead to another bucket, and so on, magnifying the impact of the leak.”


ES: 2gether reveals cyberattack in which roughly €1.2 million in cryptocurrency was stolen from investment accounts.

Founded in 2017, 2gether offers a cryptocurrency trading platform within the Eurozone for buying and selling without additional fees. The organization’s native coin is the 2GT token, which is – or, at least, was – due to be issued during 2020 following a pre-sale in Spain. However, on July 31 at 6.00 pm CEST, the trading platform suffered a cyberattack on its servers.

The unknown threat actors reportedly behind the attack made off with €1.183 million in cryptocurrency in investment accounts, which equates to 26.79% of overall funds.


US: Google Bans Ads Linking to Hacked Political Content

Google has taken steps to prevent interference in the 2020 US Presidential election, by blocking ads that contain hacked political content.

The move appears designed to prevent a re-run of the lead-up to the last election, when damaging materials were leaked online by Russian hackers and then published and republished by third-party sites to the detriment of the Democratic Party.

Since 2018 Twitter has banned politically related hacked content on its platform.

The Google Ads “Hacked political materials” policy will be launched on September 1, 2020 and applies to ads covered by the tech giant’s US election ads policy.

It said the rules apply to the following: “Ads that directly facilitate or advertise access to hacked material related to political entities within scope of Google’s elections ads policies. This applies to all protected material that was obtained through the unauthorized intrusion or access of a computer, computer network, or personal electronic device, even if distributed by a third party.”

Google will allow “discussion of or commentary on” any hacked content as long as the ad or landing page doesn’t allow direct access to it. Any entity violating the policy will be notified seven days before their account is suspended.


US: Robocall Legal Advocate Leaks Customer Data

Brian Krebs: A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers.

The Blacklist Alliance provides technologies and services to marketing firms concerned about lawsuits under the Telephone Consumer Protection Act (TCPA), a 1991 law that restricts the making of telemarketing calls through the use of automatic telephone dialing systems and artificial or prerecorded voice messages. The TCPA prohibits contact with consumers — even via text messages — unless the company has “prior express consent” to contact the consumer.

With statutory damages of $500 to $1,500 per call, the TCPA has prompted a flood of lawsuits over the years. From the telemarketer’s perspective, the TCPA can present something of a legal minefield in certain situations, such as when a phone number belonging to someone who’d previously given consent gets reassigned to another subscriber.

Blacklist’s own Website until late last week leaked reams of data to anyone with a Web browser. Thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers all could be viewed or downloaded without authentication from the domain theblacklist.click. The directory included all 388 Blacklist customer API keys, as well as each customer’s phone number, employer, username and password (scrambled with the relatively weak MD5 password hashing algorithm).

The irony of this data leak is that marketers who constantly scrape the Web for consumer contact data may not realize the source of the information, and end up feeding it into automated systems that peddle dubious wares and services via automated phone calls and text messages. To the extent this data is used to generate sales leads that are then sold to others, such a leak could end up causing more legal problems for The Blacklist’s customers.

Robocalls are permitted for political candidates, but beyond that if the recording is a sales message and you haven’t given your written permission to get calls from the company on the other end, the call is illegal.


NetWalker Ransomware As a Service (RaaS) Makes $25m in Five Months According to McAfee Security Report

The ransomware works via an affiliate model, whereby operators build custom versions of the malware where distributors (affiliates) are invited to deploy it, receiving an 80% cut of the profits.

By monitoring Bitcoin addresses under the control of NetWalker actors, McAfee was able to spot the equivalent of 2,795 bitcoins flowing to the attackers between March 1 and July 27, 2020.

“Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organizations for large amounts of money,” the McAfee report noted.

Attacks typically start with spear-phishing emails, Tomcat and WebLogic server exploits, and by compromising RDP endpoints protected by weak passwords, it claimed.

The group uploads stolen data to dedicated pages for each corporate victim that refuses to pay the ransom.


Hold your own forensic investigation on GAFA

Wonder what Google, Amazon, Facebook or Apple might have stock-piled on you? Here’s how you can find out. Do this from a laptop or desktop computer, not your phone.

Google: Visit Google Takeout at takeout(dot)google(dot)com

Here, select the categories for the data you would like to download.

Amazon: Visit the Request My Data portal. You’ll need to log into your Amazon account.

From the drop-down menu, click Request All Your Data, and submit the request.

Facebook: On Facebook(dot)com, click the arrow pointing downward in the top-right corner.

Click Settings & Privacy > Settings. In the left column, click Your Facebook Information.

Then, follow the steps to request a copy of your Facebook data.

Apple: Visit privacy(dot)apple(dot)com and log in with your Apple ID credentials.

Click Request a Copy of Your Data, to access the data portal.

Apparently people are most shocked by the breadth and depth of the collection that Facebook amasses on them. You have been warned!


Meetup Critical Flaws Allow ‘Group’ Takeover, Payment Theft

A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup “group,” access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account.

Meetup is a service with a user base of over 35 million users, used to organize online groups with events for people with similar interests. These events are either for free, or participants can register for a fee using PayPal. While events are typically in person, in light of the ongoing pandemic, many events have moved to virtual settings.

“Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” said researchers with Checkmarx, in research disclosed last week at Black Hat USA 2020.


Zoom Just Made A Major China Move Amid TikTok Ban Fears

Kate O’Flaherty: Video conferencing platform Zoom has confirmed it will suspend all direct sales to mainland China from August 23 as it looks to distance itself from the country amid growing scrutiny of firms such as TikTok in the U.S.

Zoom made the announcement today (August 3) that it would move to a partner-only model in China in an email seen by Reuters. Bizconf Communications, Suiri Zhumu Video Conference, and Systec Umeet were listed as the partners that can offer Zoom’s commercial services to customers in China.

Zoom has already pulled back in China. In May it confirmed there would be no new free user registrations in the country and enterprise customers would be restricted to those signing up through authorized sales reps.

In June, Zoom was criticized after banning three users organizing memorials to mark the Tiananmen Square massacre at the request of Beijing. It reversed the decision, but Forbes’ Thomas Brewster reported how the firm was still going to help China block accounts of users in the country.

It had also been in trouble when researchers found Zoom routed data through China—although the video conferencing firm quickly made changes to address this.

Also in June, Justice Department Assistant Attorney General John Demers, Hawley and Blumenthal said in a letter that they were “extremely concerned” Zoom and TikTok had potentially disclosed private American information to the Chinese Communist Party (CCP) and censored content on the CCP’s behalf.

“As tens of millions of Americans turn to Zoom and TikTok during the COVID-19 pandemic, few know that the privacy of their data and their freedom of expression is under threat due to the relationship of these companies to the Chinese government,” the senators wrote. “Of particular concern, both Zoom and TikTok have sought to conceal and distract from their meaningful ties to China, holding themselves out as American companies.”

But the two companies are very different. TikTok (which is earmarked for a sale to Microsoft) is currently owned by a Chinese company with its HQ in Beijing, ByteDance. Meanwhile, Zoom is based in Silicon Valley, and while its CEO Eric Yuan was born in China, he is now a U.S. citizen.

Even so, the senators were also concerned about a Citizen Lab report which alleged that Zoom “appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software.”

The issue is of course political, as Ian Thornton-Trump, former Canadian forces intelligence operator and CISO for threat intelligence firm Cyjax says. “In recent congressional testimony several witnesses attested to China’s continued aggressive innovation and intellectual property theft. My view is this, in part is political pandering and all linked to the deteriorating relationship between China and the U.S.”

So, a sensible move by Zoom, but will it help prevent growing scrutiny in the U.S., where the focus is growing on all firms perceived to have a link—however tenuous—with China?


US: Havenly Breach Hits Over 1.3 Million Accounts

Phil Muncaster: Havenly has become the latest online firm to suffer a serious breach of customer data after hackers published the information for free on the dark web.

Notorious dark web trader ShinyHunters was spotted last week posting the data of nearly 1.4 million accounts online.

They’re said to be part of a much bigger 386 million record trove including data from customers of Dave, Promo and HomeChef, which has been previously disclosed.

According to breach notification site HaveIBeenPwned, the data from Havenly customers includes email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes.

However, an email to customers from the interior design company last week failed to mention the compromise of personal data at all, instead focusing on the fact that no financial details were disclosed.


IL: Promo Data Breach Hits 14.6 Million User Accounts

An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts.

Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business.

“The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo.

“Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.”

In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords.


FI: The Data that Remains: Testing Android Phones after Factory Resets

Juho Pörhönen: One of the hazards of giving a mobile phone a second life is that data from the previous user could be discoverable by later owners.

Second-Hand Android Devices Hold Onto Data After Factory Reset. During a test of 100 Android devices, 19 percent of the sample (19/100) still held data, with ten of those phones containing non-critical data (SMS and call logs from the carrier). More concerning, however, was that on eight phones, we recovered critical personal data. One phone had critical corporate data.

“Analysis of Data Remanence After Factory Reset, and Sophisticated Attacks on Memory Chips”

For our next analysis, we wanted to expand a recognized Cambridge study on Android’s factory reset performance.

Using a sample of 68 phones, we focused again on the most popular models circulating on the European market.

The idea was to simulate the user’s real experience using our own test data and accounts, populating the device with multimedia files, SMS, contacts, email accounts, social media, etc. After that, we performed a factory reset, then a memory extraction via forensic tools. We then analyzed the results.

In the end, we were able to recover data on 14 phones (20 percent of the sample).

In conclusion, our first study suggests that many IT asset disposal facilities can fail to successfully sanitize a significant percentage of Android devices. Despite claims of phones going through data sanitization processes, previously owned devices still stored user data.

This did not seem to depend on the OS version, as data was found up to Android OS 6.0. Moral of this story? Ensure your phone is fully encrypted. Then wipe it and if you want that absolute certainty … use a hammer on it, although NIST SP 800-88 media sanitization guidelines now point out that with components getting smaller and smaller, even breaking them into small pieces may leave recoverable data.


US: Foreign Threats Loom Ahead of US Presidential Election

AP: Intelligence officials confirmed in recent days that foreign actors are actively seeking to compromise the private communications of “U.S. political campaigns, candidates and other political targets” while working to compromise the nation’s election infrastructure. Foreign entities are also aggressively spreading disinformation intended to sow voter confusion heading into the fall.

There is no evidence that America’s enemies have yet succeeded in penetrating campaigns or state election systems, but Democrat Joe Biden’s presidential campaign confirmed this week that it has faced multiple related threats.

The former vice president’s team was reluctant to reveal specifics for fear of giving adversaries useful intelligence.


US: Bitcoin Transactions Led FBI to Twitter Hackers

By Eduard Kovacs: Court documents made public last week by U.S. authorities following the announcement of charges against three individuals allegedly involved in the recent Twitter attack revealed how some of the hackers were identified by investigators.

News of the charges came shortly after Twitter revealed that the attackers gained access to its internal systems and tools, which they later used to take control of tens of high-profile accounts, by using phone spear-phishing. The hackers targeted 130 accounts, but reset the passwords for only 45 of them, many of which were used to post tweets that were part of a bitcoin scam.

The U.S. Department of Justice announced on Friday that it charged 22-year-old Nima Fazeli (aka Rolex, Rolex#0373, and Nim F) of Orlando, Florida, 19-year-old Mason John Sheppard (aka Chaewon and “ever so anxious#001”) of the United Kingdom, and 17-year-old Graham Ivan Clark (aka Kirk#5270), of Tampa, Florida.

Clark is believed to be the mastermind of the operation — he is the one who allegedly broke into Twitter’s systems. Fazeli and Sheppard are believed to have helped him sell access to Twitter accounts.

According to court documents, a user with the online moniker Kirk#5270 on the chat service Discord claimed to work for Twitter and offered to provide access to any user account. That is how he met Rolex and Chaewon, who helped him sell access to Twitter accounts, including on the OGUsers.com hacking forum, which specializes in the trading of social media and other online accounts.

In the case of Fazeli, the FBI found information on his OGUsers account in a database that was leaked earlier this year after the hacker website was breached. The FBI reached out to cryptocurrency exchange Coinbase to obtain information on a bitcoin address shared by Rolex on the OGUsers forum. Coinbase records showed that the address received funds from a user named Nim F, which had been registered with an email address that was also used to register the Rolex account on OGUsers.

In order to register the Nim F account on Coinbase, the user had to provide an ID for verification, and they provided a driver’s license with the name Nima Fazeli.

One of the Coinbase accounts registered by Fazeli had made roughly 1,900 transactions totaling approximately 21 bitcoin (worth $230,000).

The investigation showed that Fazeli apparently accessed the Discord and Coinbase accounts using the same IP addresses, which pointed to locations in Florida.

In the case of Sheppard, who also allegedly helped Clark sell access to Twitter accounts, he used the online monikers Chaewon and Mas on OGUsers and “ever so anxious#0001” on Discord.

An analysis of the leaked OGUser records led to the discovery of an email address that was also associated with a Coinbase account. Information obtained from Coinbase showed that the account belonged to one Mason Sheppard, an account that had been verified using a driver’s license in the name Mason John Sheppard from the United Kingdom. The driver’s license listed Sheppard’s address and date of birth.

A judge set Clark’s bail at $725,000 on Saturday.

David Anderson, U.S. Attorney for the Northern District of California, said Sheppard faces 45 years in prison for the charges brought against him, while Fazeli faces a statutory maximum penalty of 5 years in prison.


3 Likes
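The Truffle Security item above describes automated scanning of S3 objects for embedded credentials and the "wormable" chain where one leaked cloud key unlocks further buckets. The following is an added example (not Truffle's tool, nor code from the original post) of the defensive version of that scan: run it over the objects in your own buckets before or after they are published, count secrets per object, and flag objects holding cloud keys that would need rotating first. The regular expressions, the sample objects and the secret values are all constructed for the example; the AWS access key ID shape (`AKIA` plus 16 characters) is AWS's documented format, and the secret key value is the placeholder from AWS's own documentation.

```python
import re
from statistics import mean

# Constructed sample objects, standing in for files pulled from your own S3 bucket.
# The credentials below are invented or documentation placeholders, not live keys.
SAMPLE_OBJECTS = {
    "deploy/config.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "DB_URL=mongodb://appuser:Sup3rS3cret@db.internal:27017/prod\n"
    ),
    "reports/notes.txt": "Meeting notes: bucket sync scheduled for Friday.\n",
    "legacy/web.config": (
        '<add name="Main" connectionString="Server=sql01;Database=crm;'
        'User Id=sa;Password=Winter2019!;" />\n'
        "<!-- exchange api_key = cb_live_0123456789abcdef -->\n"
    ),
}

# Detection patterns (assumed shapes for this example, not an exhaustive ruleset).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    # Only URIs that carry user:password@ are flagged, not bare hostnames.
    "mongodb_uri_with_password": re.compile(r"mongodb(?:\+srv)?://[^:\s/]+:[^@\s]+@"),
    "sql_connection_password": re.compile(r'(?i)\bpassword=([^;"\']+)'),
    "generic_api_key": re.compile(
        r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

# Kinds whose compromise can open other cloud resources (the "wormable" step).
CHAINABLE_KINDS = {"aws_access_key_id", "aws_secret_access_key"}


def redact(value, keep=4):
    """Keep a short prefix so a finding is recognisable in a report without re-leaking it."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_object(text):
    """Return a list of (kind, redacted_match) for every secret found in one object."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, redact(match.group(0))))
    return findings


def scan_bucket(objects):
    """Scan every object; return per-object findings plus a summary for the bucket."""
    report = {key: scan_object(text) for key, text in objects.items()}
    counts = {key: len(found) for key, found in report.items()}
    hits = [c for c in counts.values() if c > 0]
    summary = {
        "objects_scanned": len(objects),
        "objects_with_secrets": len(hits),
        "total_secrets": sum(counts.values()),
        # Two averages: across everything scanned, and across objects that leaked.
        "avg_per_object_scanned": sum(counts.values()) / len(objects) if objects else 0.0,
        "avg_per_object_with_secrets": mean(hits) if hits else 0.0,
        # Objects holding cloud keys: rotate these first, then hunt for what they unlock.
        "chainable_cloud_keys": [
            key for key, found in report.items()
            if any(kind in CHAINABLE_KINDS for kind, _ in found)
        ],
    }
    return report, summary


if __name__ == "__main__":
    report, summary = scan_bucket(SAMPLE_OBJECTS)
    for key, found in report.items():
        print(f"{key}: {len(found)} secret(s)")
        for kind, shown in found:
            print(f"    {kind}: {shown}")
    print(summary)
```

On a real bucket the `SAMPLE_OBJECTS` dict would be replaced by objects listed and fetched with your own credentials; the matcher and the summary stay the same. The redaction step matters because a scan report is itself a file that tends to end up in a bucket.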
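The Blacklist Alliance item (customer passwords "scrambled with the relatively weak MD5 password hashing algorithm"), the Havenly item (SHA-1 hashes) and the Promo item ("hashed and salted ... it's possible that it was decoded") all turn on how passwords were stored. The block below is an added example, not code from the post or from any of the companies named, showing the two halves of that story from the defender's side: how a breach responder assesses exposure of an unsalted fast-hash dump against a common-password list (every account using a listed password falls out of one lookup table), and how the same passwords should have been stored, salted and stretched with PBKDF2-HMAC-SHA256 so that no precomputed table applies. The wordlist, the user records and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the common-password list a responder would use.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2020"]


def legacy_digest(password, algorithm="md5"):
    """Reproduce the unsalted fast-hash storage described in the leaks above."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


# Constructed records in the shape of such a leak: username -> unsalted MD5.
LEGACY_RECORDS = {
    "alice": legacy_digest("Summer2020"),
    "bob": legacy_digest("qwerty"),
    "carol": legacy_digest("kT9#vL2!pQ8z"),  # not on the list, so not exposed here
}


def assess_exposure(records, wordlist, algorithm="md5"):
    """Map users whose stored digest equals the digest of a listed password.

    Without a salt, one table of digests covers every account at once, which is
    why an unsalted MD5 or SHA-1 dump is effectively plaintext for weak passwords.
    """
    table = {legacy_digest(word, algorithm): word for word in wordlist}
    return {user: table[digest] for user, digest in records.items() if digest in table}


# Iteration count constructed for the example; tune to your hardware (OWASP's
# Password Storage Cheat Sheet gives current guidance for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, stretched storage: a fresh random salt per account plus PBKDF2."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    exposed = assess_exposure(LEGACY_RECORDS, COMMON_PASSWORDS)
    print(f"{len(exposed)} of {len(LEGACY_RECORDS)} legacy accounts exposed: {exposed}")
    stored_a = hash_password("Summer2020")
    stored_b = hash_password("Summer2020")
    print("same password, different stored values:", stored_a != stored_b)
    print("verify correct:", verify_password("Summer2020", stored_a))
    print("verify wrong:  ", verify_password("summer2020", stored_a))
```

The salt is what makes the `assess_exposure` shortcut impossible against the PBKDF2 records: two users with the same password get unrelated stored values, so every account has to be attacked separately, and the iteration count makes each attempt deliberately slow. `verify_password` reads the iteration count back from the stored string, which lets a site raise the cost later and re-hash users as they log in.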

Thanks for those updates @rps! Looking forward to observing how the “twitter hacker”'s situation evolves :grinning:

1 Like