The FBI warns that hijackers masquerading as IT support are finding law firms to be excellent targets. A Wisconsin city reports hackers stole data from 67,000 residents. A Texas city refuses to pay a ransom. The 3-2-1-1-0 backup strategy, a timely reminder. And finally, the summer travel surge brings a wave of sophisticated scams targeting vacationers. This is Cybersecurity Today, and I'm your host, Jim Love.
The FBI is warning US law firms about a sophisticated scam where cyber criminals call employees pretending to be their own IT department and then trick them into installing remote access software that leads to multimillion-dollar extortion demands. The Luna Moth criminal group, also known as the Silent Ransom Group, has been targeting law firms since 2023 using a technique called callback phishing, but their latest evolution involves calling victims directly instead of waiting for them to call back.
The FBI explained in an advisory that SRG will then direct the employee to join a remote access session, either through an email it sends to them or by navigating to a webpage. Once the employee grants access to their device, they're told that work needs to be done overnight. The scam works because it exploits trust and authority.
Criminals posing as internal IT staff create fake help desk websites that look legitimate and use real remote access tools like AnyDesk or Splashtop that companies actually use. And since these are legitimate programs, security software won't flag them as malicious. Luna Moth has been active since 2022, and previously worked with the notorious Conti ransomware gang before branching out on their own.
In March alone, researchers identified at least 37 fake domains registered by the group, designed to impersonate targeted organizations' IT support portals. The financial stakes are enormous. According to cybersecurity firm EclecticIQ, Luna Moth demands ransoms ranging from $1 million to $8 million depending on the size of the company. They threaten to publish stolen data on public leak sites if the firms don't pay.
The FBI noted that lawyers are prime targets, likely due to the highly sensitive nature of the legal industry's data. The attack leaves few digital fingerprints because criminals use legitimate tools throughout the process. Once they gain access, they quickly escalate privileges and use programs like WinSCP or Rclone to steal files, often working overnight to avoid detection.
Red flags include unsolicited calls from people claiming to be IT support, emails about fake subscription services that require phone calls to cancel, and any requests to install remote access software during unscheduled maintenance windows. The FBI is urging organizations hit by Luna Moth to report incidents and share details like ransom notes, phishing emails, and even phone numbers used by attackers to help track the group's evolving tactics.
The city of Sheboygan, Wisconsin has notified nearly 67,000 people that a ransomware attack in October exposed their Social Security numbers, state IDs and license plate numbers, contradicting earlier claims that no sensitive data was stolen. Hackers breached the city's systems on October 31st, 2024, with the Chort ransomware gang claiming responsibility in November and sharing screenshots of stolen files while demanding payment.
However, city officials initially said there was no evidence that sensitive information had been compromised. That changed after a cybersecurity investigation that concluded on May 14th confirmed that personal data was indeed stolen during the attack. The city filed official breach notifications with regulators on Friday, more than seven months after the incident.
Sheboygan has about 50,000 residents, meaning the breach impacted more people than actually live in the city, likely including visitors, contractors, or people who interact with city services from neighboring areas.
The Chort ransomware group emerged in November 2024 and has since claimed attacks on government institutions, including Kuwait's Agricultural Authority, a Georgia public school, and New York's Hartwick College, which confirmed that more than 4,800 people were affected in a separate October attack. The city is providing one year of identity protection services to affected individuals and reported the incident to law enforcement.
Sheboygan joins several other Wisconsin government bodies targeted by ransomware gangs over the past two years, and the incident highlights a common problem in ransomware attacks: initial assessments often underestimate the scope of data theft, leading to delayed and revised breach notifications months after the fact. Sheboygan appears not to have paid the ransom. They didn't say that directly, but there are indications, including the fact that they say they've contacted law enforcement and were following their guidance.
But the city of Abilene, Texas let a ransomware deadline expire Tuesday without paying Russian hackers who claim to have stolen 477 gigabytes of municipal data, setting the stage for a potential public release of very sensitive information. The Qilin ransomware group gave Abilene until May 27th to pay an undisclosed ransom amount after breaching the city's systems. City officials have refused to negotiate, a stance that typically leads to stolen data being published on dark web leak sites. This attack comes at a particularly sensitive time for Abilene. It was recently selected as the first location for Project Stargate, the largest AI investment in US history, involving $500 billion in data center construction. The timing has cybersecurity experts concerned about future targeting.
The city of Abilene is now on the map because of the data center, and so it will have a lot of value to these attackers, especially nation states. The Qilin group typically publishes proof-of-theft samples before releasing complete datasets, either through temporary websites, dark web posts, or direct communication with victims. The group's previous attacks have exposed everything from personal records to internal communications.
The incident highlights the growing threat to small municipalities that may lack robust cybersecurity defenses but still handle sensitive resident data. Cybersecurity experts recommend all organizations develop incident response plans and assume attacks are inevitable rather than merely possible. A timely reminder about backing up data.
Cybersecurity experts are pushing a new standard called the 3-2-1-1-0 strategy, and if you can explain what those numbers mean and you follow them, your organization might be a little safer from ransomware attacks. The strategy sounds complex, but breaks down really simply: maintain three copies of critical data, store them on two different media types, keep one copy offsite, maintain one offline or air-gapped backup, and ensure zero errors through regular testing.
Each number addresses a specific failure point that basic backups leave wide open. The final zero is a critical reminder: backups must be validated, according to a Glass Almanac analysis of the strategy. Too many organizations discover their backup files are corrupted only when they desperately need to restore them in an actual emergency. And the strategy's power lies in its layered defense. Ransomware can infect network-connected backups, but it can't touch offline copies.
Natural disasters might destroy local data centers, but they leave cloud storage intact. Human error might corrupt one backup version, but it won't affect properly isolated and tested copies. Each layer targets specific threats. The three ensures redundancy. The two prevents single points of failure. The first one protects against local disasters, and the second one stops network-based attacks. And of course, the zero catches corruption before it matters.
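The five requirements above can be encoded as a check you run against your backup inventory, with the "zero" enforced by actually verifying each copy against a hash manifest rather than trusting that the job reported success. What follows is an added example written for this page, not code from Glass Almanac or any backup vendor: a stdlib-only Python checker that scores an inventory against 3-2-1-1-0 and, in a self-contained demo, shows the zero-errors rule failing once one copy is silently corrupted. The copy names, media types and the temporary files standing in for real backup targets are constructed assumptions; in practice the "offline" copy would be a tape or an object-lock bucket you cannot reach from the production network, and the manifest hash would be recorded at backup time.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str     # e.g. "disk", "tape", "object-storage"
    offsite: bool  # stored in a different physical location
    offline: bool  # air-gapped / not reachable from the production network
    path: str      # local file standing in for the copy (constructed for the demo)


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess(copies: List[BackupCopy], manifest: Dict[str, str]) -> Dict[str, object]:
    """Evaluate an inventory against 3-2-1-1-0.

    3: at least three copies exist.  2: at least two distinct media types.
    1: at least one copy is offsite.  1: at least one copy is offline.
    0: every copy's hash matches the manifest recorded at backup time.
    A copy that is missing from the manifest or on disk counts as a failure,
    because an unverifiable backup is exactly the kind you discover too late.
    """
    verified: Dict[str, bool] = {}
    for c in copies:
        try:
            verified[c.name] = sha256_file(c.path) == manifest[c.name]
        except (KeyError, OSError):
            verified[c.name] = False
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_offline": any(c.offline for c in copies),
        "0_errors": all(verified.values()),
        "failed_verification": sorted(n for n, ok in verified.items() if not ok),
    }


def compliant(report: Dict[str, object]) -> bool:
    """True only when all five requirements hold."""
    return all(bool(report[k]) for k in ("3_copies", "2_media", "1_offsite", "1_offline", "0_errors"))


def run_demo():
    """Build three stand-in copies, assess them, corrupt one, assess again.

    Returns (report_before, report_after). Everything here is constructed:
    the payload, the copy names and the temp files are placeholders.
    """
    payload = b"case-files-archive-2025-05\n" * 1000  # constructed backup content
    workdir = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        copies = [
            BackupCopy("primary-disk", "disk", offsite=False, offline=False, path=os.path.join(workdir, "primary.bak")),
            BackupCopy("cloud-offsite", "object-storage", offsite=True, offline=False, path=os.path.join(workdir, "cloud.bak")),
            BackupCopy("tape-offline", "tape", offsite=True, offline=True, path=os.path.join(workdir, "tape.bak")),
        ]
        for c in copies:
            with open(c.path, "wb") as f:
                f.write(payload)
        # Manifest recorded at backup time, before any bit rot or tampering.
        manifest = {c.name: sha256_file(c.path) for c in copies}
        before = assess(copies, manifest)

        # Simulate silent corruption of the tape copy (one trailing byte).
        with open(copies[2].path, "ab") as f:
            f.write(b"\x00")
        after = assess(copies, manifest)
        return before, after
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    b, a = run_demo()
    print("before corruption:", b, "compliant:", compliant(b))
    print("after corruption: ", a, "compliant:", compliant(a))
```

The first report passes every rule; the second fails only the zero, naming the tape copy. That is the check to schedule, not just the job status: a restore test or at least a hash verification on every copy, including the offline one, on a cadence that matches how long you could afford to be running on a bad backup.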
Traditional single backup approaches that many companies still use leave multiple vulnerabilities exposed. A USB drive and a prayer won't protect against sophisticated attacks that specifically target backup systems. A cloud only strategy will fail when internet connections go down during emergencies.
The evolution towards 3-2-1-1-0 reflects the reality that data volumes are exploding while threats are becoming more sophisticated. Today's distributed, always-connected environments require distributed, always-protected backup strategies. The bottom line is, if downtime costs your organization thousands of dollars per hour, spending hundreds on proper backup infrastructure isn't just smart.
It's essential survival planning in an environment where redundancy means the difference between business continuity and catastrophic loss. And finally, cyber criminals are gearing up for the summer travel season with an unprecedented wave of sophisticated scams, registering over 7,500 fake travel domains in just the first three months of 2025 while targeting 86 major brands across the industry.
A new threat report from PreCrime Labs revealed that scammers have dramatically expanded beyond simple phishing emails, now using AI-powered chatbots, fake mobile apps, and even invitation-only booking platforms to trap unsuspecting travelers planning their summer getaways. Hotels and vacation rentals bore the brunt of the attack, accounting for 82% of malicious domains,
while airlines represented less than 20%. The researchers found that over 95% of new hotel-related domains were suspected to be fraudulent, highlighting the massive scale of the threat facing summer travelers. The travel industry's success is also a magnet for cyber criminal activity. The report notes scammers are particularly targeting high-value vacations such as religious pilgrimages like India's Maha Kumbh Mela and the upcoming Hajj pilgrimage, as well as luxury resort bookings.
The scams have become increasingly sophisticated, with criminals creating fake travel buddy job opportunities, fraudulent Airbnb coaching schemes promising easy money, and even cryptocurrency coins disguised as legitimate travel company launches. Some scammers registered 17 identical domains on the same day using AI generation algorithms.
Airlines like Emirates, LATAM and IndiGo saw the highest targeting volumes, with criminals creating fake loyalty programs, betting scams disguised as fare prediction games, and replica websites so convincing they mirror legitimate airline branding down to the smallest detail. Perhaps most concerning is the emergence of special membership programs requiring private group invitations, designed to make victims feel they're accessing exclusive deals.
These invite-only platforms eliminate random signups, ensure only targeted victims access the scams, and make detection nearly impossible. The distribution of the threat spans the globe, with the United States accounting for the largest number of registered malicious domains, 1,301, followed by Iceland, India, and China. Many scammers use trusted domain extensions like .com and .org to build credibility, while others exploit urgency with extensions like .live, .shop, and even .today.
Red flags for summer travelers include deals that seem too good to be true during peak season, websites with broken links or irrelevant content, and any booking platform requesting unusual personal information
or upfront payments for services like cleaning or concierge assistance. As travel demand peaks this summer, cybersecurity experts recommend booking only through verified websites, avoiding clicking invitation codes from unknown sources, and using unique passwords for each travel booking platform. That's our show. You can reach me at [email protected], or on LinkedIn, or if you're watching this on YouTube, just leave a comment under the video.
Tomorrow on Cybersecurity Today, we'll have a unique discussion about the scammers who target the old and other vulnerable groups. It's with Aaron West from an organization called Operation Shamrock that's helping fight back. The show is available early Saturday morning. I hope you can join us then, or whenever you listen to long-form podcasts. I'm your host, Jim Love. Thanks for listening.