IM RAT spy tool seller raided, busted, kicked offline

Credit to Author: Lisa Vaas | Date: Tue, 03 Dec 2019 11:39:47 +0000

Imminent Methods – a marketplace where hackers could buy spyware for as little as $25 – has been taken down after an international investigation that’s led law enforcement to nine countries as they seek out the people who sell, buy and use its tool.

The UK’s National Crime Agency (NCA) said last week that 14,500 buyers picked up the tool, which is called the Imminent Monitor Remote Access Trojan (IM RAT).

Once a crook covertly slips the tool onto a targeted computer, IM RAT gives them full access, enabling them to turn off anti-virus software, steal data or passwords, record keystrokes, and eavesdrop on their victims via their webcams.

The Australian Federal Police (AFP) led the operation, with the North West Regional Organised Crime Unit (NWROCU) leading the UK investigation and the NCA supporting it. The action started a week ago, on 25 November, with 21 search warrants executed in the UK alone. The UK warrants – all of which were for suspected users of the RAT – led to nine arrests and seizure of what the NCA said was more than 100 pieces of evidence.

In total, worldwide, police executed 85 warrants, arrested 14 people and seized more than 400 items.

On Friday, police took down the Imminent Methods site. Pulling the site down means that the RAT can’t be used by the crooks who bought it, the NCA said.

Phil Larratt, from the NCA’s National Cyber Crime Unit, said that the IM RAT was used by individual crooks and organized crime outfits to break the UK’s Computer Misuse Act in a number of ways: by fraud, theft and voyeurism.

Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data.

Detective Inspector Andy Milligan, from the NWROCU, said that this has been “a complex, challenging cyber investigation with international scope” that was supported by Europol and Eurojust, among other cybercrime fighters. There well may be plenty of similar tools for sale elsewhere, but at least this one – what sounds like a cyberstalker/cyberburglar’s dream – is hopefully out of the running for good.

Milligan:

The illicit use of IM RAT is akin to a cyberburglary, with criminals stealing data, including images and movies, secretly turning on webcams, monitoring keystrokes and listening in to people’s conversations via computer microphones.

What to do?

Milligan said that to protect ourselves from RATs, we should all keep our operating systems up to date, use anti-virus software, and refrain from clicking on links or attachments in suspicious emails.

What, exactly, should you look out for? Well, we recently spotted an Instagram phishing campaign that was clever and audacious: it used two-factor authentication (2FA) as a lure. Here are the tips we gave when it comes to watching out for the tricks that crooks play to get you to click on an unexpected and/or phishy-looking email:

  • Sign-in link in email. Easy solution: never use them! If you need to sign in to Instagram, for example, you don’t need a link to find it. Use the app on your phone or a bookmark you set up yourself from your browser. Yes, it’s slightly more work. No, it’s not difficult.
  • Unexpected domain name. Make sure you know where your browser has taken you. If the address bar is too short to see the full URL, copy and paste the text out of it to make sure. If it looks wrong, assume it is wrong and ignore it, or take a second opinion from someone you trust. Yes, it’s slightly more work. No, it’s not difficult.
  • Unreasonable request. If you suspect that someone else has been logging into your account, use that account’s official way of checking your login activity. Don’t rely on web links that could have come from anywhere. Annoyingly, each social media app does this a bit differently, but once you know where to look, you’ll never be tricked again. Yes, it’s slightly more work. No, it’s not difficult.
