Source published: 30 January 2025

Disruption Action Deals Blow to Criminal Cyber Network HeartSender

Region: East Brabant

During a disruption action on January 29, 2025, various police services seized servers and domains from HeartSender. HeartSender is the name of a group of phishing software creators. The Cybercrime Team of the police unit East Brabant started an investigation at the end of 2022 after phishing software was found on the computer of a suspect in another investigation. In the United States, an investigation into this group was already underway. These parallel investigations in the United States and the Netherlands led to Operation Heart Blocker.

The action on January 29 is the provisional conclusion of complex investigations by the FBI and the Cybercrime Team of the police unit East Brabant. During the action, 39 servers and domains abroad were seized.

The criminal group behind HeartSender operated very professionally. Through many different criminal webshops, which were advertised on platforms like YouTube, they sold tools for committing digital fraud. Senders, scampages, and cookie grabbers are examples of the tools offered. A cybercriminal can use these tools to send large amounts of spam or phishing emails or to trick someone into revealing their login credentials. Cybercriminals could also purchase access to hacked infrastructure in these criminal webshops, such as cPanels (control panels of web servers), SMTP servers (servers used for sending email messages), and WordPress accounts (a system for managing websites). Worldwide, the group behind HeartSender had thousands of customers.

Buyers

In the investigation, the Cybercrime Team has traced a number of buyers of the tools. Presumably, some of these buyers are Dutch. Further investigation is being conducted into these buyers. The investigation into the creators and buyers of this phishing software does not end with the seizure of the servers and domains.

Dutch Victims

In the datasets of HeartSender, millions of victim records from around the world have been found. The datasets also contain approximately 100,000 Dutch records. These include usernames and passwords that may have been abused by cybercriminals. At www.politie.nl/checkjehack you can enter your email address to check whether your login credentials are present in the reviewed dataset from this investigation. If your email address is found in the dataset, you will receive an email with tips and information on what to do next. If you hear nothing, then that email address was not among the victims of this network. In the WordPress accounts, we see that people sometimes use a different username instead of their email address. In those cases, you cannot use Check je Hack to check whether your data has leaked. It is therefore always a good idea to change your passwords regularly, and for such systems, we certainly recommend doing this preventively.

Impact

If your account details are found in the dataset, the impact can be significant. For example, if the username and password for your email account have been leaked, cybercriminals can gain access to your address book. They can then send phishing emails to all your contacts in your name. Your contacts will likely trust the emails because they come from you, and may share their own data with criminals via a link in such an email. Cybercriminals can also indicate on webshops that they have forgotten their password, after which a recovery link is sent to your mailbox. This way, they can change your password for the webshop. With stolen cPanel or WordPress accounts, criminals have access to the management system of your website or server, which they can then control.

What to do if you have become a victim?
Change your passwords as soon as possible and enable two-step login. Always file a report if you have become a victim of cybercrime! This investigation shows once again that we are able to significantly disrupt and dismantle the criminal infrastructure of cybercriminals. We are making a significant impact. But we cannot do it alone. Every report contributes to gathering valuable information that helps track down perpetrators and prevent new victims. You can file a report via www.politie.nl or at a police station nearby.

 

Source last updated: 30 January 2025
Published on Openrijk: 30 January 2025
Source: Politie