Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
The FBI warns hackers masquerading as IT support are finding law firms to be excellent targets.
Wisconsin city reports hackers stole data from 67,000 residents.
A Texas city refuses to pay a ransom. 3-2-1-1-0 backup strategy, a timely reminder.
And finally, summer travel surge brings a wave of sophisticated scams
(00:23):
targeting vacationers.
This is Cybersecurity Today, and I'm your host, Jim Love.
The FBI is warning US law firms about a sophisticated scam where cyber criminals call employees pretending to be their own IT department and then trick them into installing remote access software that leads to multimillion-dollar extortion demands.
(00:45):
The Luna Moth criminal group, also known as Silent Ransom Group, has been targeting law firms since 2023 using a technique called callback phishing, but their latest evolution involves calling victims directly instead of waiting for them to call back.
The FBI explained in an advisory that SRG will then direct the employee
(01:08):
to join a remote access session, either through an email it sends to them, or by navigating to a webpage.
And once the employee grants access to their device, they're told that work needs to be done overnight.
The scam works because it exploits trust and authority.
Criminals posing as internal IT staff create fake help desk websites that
(01:29):
look legitimate and use real remote access tools like AnyDesk or Splashtop that companies actually use.
And since these are legitimate programs, security software won't flag them as malicious.
Luna Moth has been active since 2022, and previously worked with the notorious Conti ransomware gang before branching out on their own.
(01:52):
In March alone, researchers identified at least 37 fake domains registered by the group designed to impersonate targeted organizations' IT support portals.
The financial stakes are enormous.
According to cybersecurity firm EclecticIQ, Luna Moth demands ransoms ranging from $1 million to $8 million depending on the size of the company.
(02:16):
They threaten to publish stolen data on public leak sites if the firms don't pay.
The FBI noted that lawyers are prime targets, likely due to the highly sensitive nature of the legal industry's data. The attack leaves few digital fingerprints because criminals use legitimate tools throughout the process.
(02:37):
Once they gain access, they quickly escalate privileges and use programs like WinSCP or Rclone to steal files, often working overnight to avoid detection.
Red flags include unsolicited calls from people claiming to be IT support, emails about fake subscription services requiring phone calls to cancel, and any
(02:58):
requests to install remote access software during unscheduled maintenance windows.
The FBI is urging organizations hit by Luna Moth to report incidents and share details like ransom notes, phishing emails, and even phone numbers used by attackers to help track the group's evolving tactics.
The city of Sheboygan, Wisconsin has notified nearly 67,000 people
(03:23):
that a ransomware attack in October exposed their Social Security numbers, state IDs and license plate numbers, contradicting earlier claims that no sensitive data was stolen.
Hackers breached the city's systems on October 31st, 2024, with the Chort ransomware gang claiming responsibility in November, and sharing screenshots of
(03:44):
stolen files while demanding payment.
However, city officials initially said there was no evidence that sensitive information had been compromised.
That changed after a cybersecurity investigation concluding on May 14th confirmed that personal data was indeed stolen during the attack.
The city filed official breach notifications with regulators on Friday,
(04:07):
more than seven months after the incident.
Sheboygan has about 50,000 residents, meaning the breach impacted more people than actually live in the city, likely including visitors, contractors, or people who interact with city services from neighboring areas.
The Chort ransomware group emerged in November 2024 and has since claimed
(04:29):
attacks on government institutions, including Kuwait's Agricultural Authority, a Georgia public school, and New York's Hartwick College, which confirmed that more than 4,800 people were affected in a separate October attack.
The city is providing one year of identity protection services to affected individuals and reported the incident to law enforcement.
(04:51):
Sheboygan joins several other Wisconsin government bodies targeted by ransomware gangs over the past two years, and the incident highlights a common problem in ransomware attacks.
Initial assessments often underestimate the scope of data theft, leading to delayed and revised breach notifications months after the fact.
(05:13):
And while Sheboygan appears not to have paid the ransom (they didn't say that directly, but there are indications, including the fact that they say they've contacted law enforcement and were following their guidance), the city of Abilene, Texas let a ransomware deadline expire Tuesday without paying Russian hackers who claim to have stolen 477 gigabytes of municipal data,
(05:36):
setting the stage for a potential public release of very sensitive information.
The Qilin ransomware group gave Abilene until May 27th to pay an undisclosed ransom amount after breaching the city's systems. City officials have refused to negotiate, a stance that typically leads to stolen data being published on dark web leak sites.
(05:58):
This attack comes at a particularly sensitive time for Abilene.
It was recently selected as the first location for Project Stargate, the largest AI investment in US history, involving $500 billion in data center construction.
The timing has cybersecurity experts concerned about future targeting.
The city of Abilene is now on the map because of the data center, and so
(06:22):
it will have a lot of value to these attackers, especially nation states.
The Qilin group typically publishes proof-of-theft samples before releasing complete datasets, either through temporary websites, dark web posts, or direct communication with victims.
The group's previous attacks have exposed everything from personal
(06:43):
records to internal communications.
The incident highlights the growing threat to small municipalities that may lack robust cybersecurity defenses but still handle sensitive residential data.
Cybersecurity experts recommend all organizations develop incident response plans and assume attacks are inevitable rather than possible.
(07:05):
A timely reminder about backing up data.
Cybersecurity experts are pushing a new standard called the 3-2-1-1-0 strategy, and if you can explain what those numbers mean and you follow them, your organization might be a little safer from ransomware attacks.
The strategy sounds complex, but breaks down really simply: maintain
(07:26):
three copies of critical data.
Store them on two different media types.
Keep one copy offsite, maintain one offline or air-gapped backup, and ensure zero errors through regular testing.
Each number addresses a specific failure point that basic backups leave wide open.
(07:47):
The final zero is a critical reminder: backups must be validated, according to Glass Almanac's analysis of the strategy.
Too many organizations discover their backup files are corrupted only when they desperately need to restore them in an actual emergency.
And the strategy's power lies in its layered defense.
(08:08):
Ransomware can infect network-connected backups, but it can't touch offline copies.
Natural disasters might destroy local data centers, but they leave cloud storage intact.
Human error might corrupt one backup version, but it won't affect properly isolated and tested copies.
Each layer targets specific threats.
(08:28):
The three ensures redundancy.
Two prevents single points of failure.
One protects against local disasters, and the second one stops network-based attacks.
And of course, zero catches corruption before it matters.
Traditional single-backup approaches that many companies still use leave multiple vulnerabilities exposed.
(08:50):
A USB drive and a prayer won't protect against sophisticated attacks that specifically target backup systems.
A cloud-only strategy will fail when internet connections go down during emergencies.
The evolution towards 3-2-1-1-0 reflects the reality that data volumes are exploding while threats are becoming more sophisticated;
(09:11):
today's distributed, always-connected environments require distributed, always-protected backup strategies.
The bottom line is, if downtime costs your organization thousands of dollars per hour, spending hundreds on proper backup infrastructure isn't just smart.
It's essential survival planning in an environment where redundancy means the difference between business continuity and catastrophic loss.
(09:37):
And finally, cyber criminals are gearing up for the summer travel season with an unprecedented wave of sophisticated scams, registering over 7,500 fake travel domains in just the first three months of 2025, while targeting 86 major brands across the industry.
A new threat report from PreCrime Labs revealed that scammers have dramatically
(10:00):
expanded beyond simple phishing emails, now using AI-powered chatbots, fake mobile apps, and even invitation-only booking platforms to trap unsuspecting travelers planning their summer getaways. Hotels and vacation rentals bore the brunt of the attack, accounting for 82% of malicious domains,
(10:20):
while airlines represented less than 20%. The researchers found that over 95% of new hotel-related domains were suspected to be fraudulent, highlighting the massive scale of the threat facing summer travelers.
The travel industry's success is also a magnet for cyber criminal activity.
The report notes scammers are particularly targeting high-value vacations such as
(10:45):
religious pilgrimages like India's Maha Kumbh Mela and the upcoming Hajj pilgrimage, as well as luxury resort bookings.
The scams have become increasingly sophisticated, with criminals creating fake travel buddy job opportunities, fraudulent Airbnb coaching schemes promising easy money, and even cryptocurrency coins disguised as
(11:07):
legitimate travel company launches.
Some scammers registered 17 identical domains on the same day using AI generation algorithms.
Airlines like Emirates, LATAM and IndiGo saw the highest targeting volumes, with criminals creating fake loyalty programs, betting scams disguised as fare
(11:27):
prediction games, and replica websites so convincing they mirror legitimate airline branding down to the smallest detail.
Perhaps most concerning is the emergence of special membership programs requiring private group invitations, designed to make victims feel they're accessing exclusive deals.
These invite-only platforms eliminate random signups,
(11:50):
ensure only targeted victims access the scams, and make detection nearly impossible.
The distribution of the threat spans the globe, with the United States accounting for the largest number of registered malicious domains, 1,301, followed by Iceland, India, and China.
Many scammers use trusted domain extensions like .com and .org to build
(12:12):
credibility, while others exploit urgency with extensions like .live, .shop, and even .today.
Red flags for summer travelers include deals that seem too good to be true during peak season, websites with broken links or irrelevant content, and any booking platform requesting unusual personal information
(12:34):
or upfront payments for services like cleaning or concierge assistance. As travel demand peaks this summer, cybersecurity experts recommend booking only through verified websites, avoiding clicking invitation codes from unknown sources, and using unique passwords for each travel booking platform.
(12:55):
That's our show.
You can reach me at editorial@technewsday.ca, or on LinkedIn, or if you're watching this on YouTube, just leave a comment under the video.
Tomorrow on Cybersecurity Today, we'll have a unique discussion about the scammers who target the old and other vulnerable groups.
It's with Aaron West from an organization called Operation
(13:16):
Shamrock that's helping fight back.
The show is available early Saturday morning.
I hope you can join us then or whenever you listen to long-form podcasts.
I'm your host, Jim Love.
Thanks for listening.