CyberSecurity news
FlagThis - #cryptotheft
|
@cyberpress.org
//
A joint investigation by SentinelLABS and Validin has exposed a massive cryptocurrency phishing operation named "FreeDrain." This industrial-scale network has been siphoning digital assets for years by exploiting weaknesses in free publishing platforms. FreeDrain utilizes aggressive SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, along with sophisticated layered redirection techniques to lure unsuspecting victims. The operation's primary goal is to steal cryptocurrency wallet login credentials and seed phrases, often resulting in rapid fund exfiltration.
FreeDrain operators achieve high search engine rankings by creating over 38,000 malicious subdomains on trusted platforms, including Amazon S3 and Azure Web Apps. These subdomains host lure pages that often feature AI-generated content and screenshots of legitimate wallet interfaces. When users search for wallet-related queries, they are redirected through comment-spammed URLs and custom redirector domains to highly convincing phishing clones. These phishing pages frequently include live chat widgets manned by real human operators who encourage victims to submit their credentials. Researchers believe the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours. The sophistication of FreeDrain lies in its scale, automation, and ability to avoid traditional phishing email delivery vectors. Victims are funneled from benign-seeming search queries directly to malicious pages ranked at the top of major search engines. Validin first became aware of FreeDrain on May 12, 2024, after a victim reported losing approximately 8 BTC (around $500,000 at the time) to a phishing site. Recommended read:
References :
Bill Toulas@BleepingComputer
//
A new wave of sophisticated cyberattacks is targeting individuals and organizations, with the threat actor known as ELUSIVE COMET exploiting a little-known Zoom feature to steal millions in cryptocurrency. The attacks leverage Zoom's remote control functionality, initially designed for accessibility, to gain unauthorized access to victims' computers during seemingly legitimate business calls. ELUSIVE COMET, identified by the Security Alliance, has incorporated this feature into their social engineering attacks, targeting individuals within the cryptocurrency community, impersonating venture capital firms, podcast hosts, and even Bloomberg Crypto representatives.
The attack unfolds with attackers contacting potential victims via Twitter DMs or email, inviting them to participate in Zoom video conferences. During screen sharing, the attackers request remote control access while simultaneously changing their display name to "Zoom" to mimic a system notification. If victims, often distracted, grant permission, the attackers gain full control of the computer, enabling them to install malware, exfiltrate sensitive data, or steal cryptocurrency. One notable victim, Jake Gallen, CEO of NFT platform Emblem Vault, reportedly lost around $100,000 and control of his accounts after his computer was compromised using this technique. Security experts are advising users to disable the Zoom remote control feature if it is not needed, as well as the entire Zoom accessibility suite. Trail of Bits, a cybersecurity research firm whose CEO was also targeted, recommends a multi-layered defense strategy. This includes aggressive machine learning prevention settings, mandatory upgrades to the latest macOS versions, hardware security keys for Google Workspace accounts, company-wide password management, and a preference for Google Meet over Zoom due to its stronger security features. Organizations can also deploy Privacy Preferences Policy Control (PPPC) profiles to prevent exploitation of this vulnerability. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.
These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears. The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns. Recommended read:
References :
Graham Cluley@Graham Cluley
//
Noah Urban, a 20-year-old from Palm Coast, Florida, has pleaded guilty to charges related to cryptocurrency thefts, conspiracy, wire fraud, and identity theft. Urban, known online as "King Bob," was a key member of the notorious Scattered Spider hacking gang. The charges stem from two federal cases, one in Florida and another in California. Urban's activities involved orchestrating sophisticated attacks, including SIM swapping, to steal hundreds of thousands of dollars in cryptocurrency from investors. He was arrested in January 2024, and during the raid, he reportedly attempted to wipe his computer and social media history in an effort to destroy evidence.
The cybercriminal's operations involved stealing victims' personal information and using it to hijack their phone numbers through SIM swap fraud. This allowed Urban and his accomplices to bypass two-factor authentication and gain unauthorized access to cryptocurrency wallets. They then transferred the cryptocurrency to their own accounts, netting significant profits. Urban's activities also extended to leaking songs from famous music artists after breaking into the accounts of music industry executives, disrupting planned album releases and causing financial and emotional strain on the artists involved. As part of his plea agreement, Urban has agreed to forfeit his jewelry, currency, and cryptocurrency assets. He will also pay US $13 million in restitution to 59 victims. Urban is expected to be sentenced within the next 75 days. He faces a potentially long prison term, which will include an additional two-year sentence for aggravated identity theft, as it cannot be served concurrently with other charges. Other suspected members of the Scattered Spider gang remain under investigation, highlighting the ongoing efforts to combat this cybercriminal syndicate. Recommended read:
References :
rohansinhacyblecom@cyble.com
//
A new Android banking trojan called Crocodilus has been discovered, targeting users in Spain and Turkey. Cybersecurity experts warn that this sophisticated malware employs advanced techniques like remote control, black screen overlays, and data harvesting through accessibility logging. Crocodilus is designed to facilitate device takeover and conduct fraudulent transactions, masquerading as Google Chrome to bypass Android 13+ restrictions.
Once installed, Crocodilus requests access to Android's accessibility services and connects to a remote server for instructions and a list of targeted financial applications. The malware steals banking and crypto credentials by displaying HTML overlays and monitors all accessibility events to capture screen contents, including Google Authenticator details. Crocodilus conceals malicious activities using a black screen overlay and muting sounds to avoid detection. Recommended read:
References :
rohansinhacyblecom@cyble.com
//
A new Android malware named Crocodilus has been discovered targeting cryptocurrency users, primarily in Spain and Turkey. Cybersecurity researchers have found that Crocodilus employs sophisticated techniques, including remote control capabilities, black screen overlays, and advanced data harvesting through accessibility logging. The malware is designed to steal banking and cryptocurrency credentials, posing a significant threat to Android users in these regions.
Crocodilus tricks users into divulging their cryptocurrency wallet seed phrases by displaying a fake warning urging them to back up their keys to avoid losing access. It also exploits accessibility features to monitor app launches, display overlays to intercept credentials, and capture screen contents, including Google Authenticator OTP codes. This allows attackers to gain full control of wallets and drain assets. The malware also features call and SMS control, device admin and persistence, social engineering, and remote commands and settings update capabilities. ThreatFabric researchers note that Crocodilus exhibits a high level of maturity for a newly discovered threat, demonstrating advanced device takeover capabilities. The malware is distributed via a proprietary dropper that bypasses Android 13 security protections and installs the malware without triggering Play Protect. Analysis of the source code suggests that the malware author is Turkish-speaking. Recommended read:
References :
Thomas Brewster,@Thomas Fox-Brewster
//
Federal agents have linked a $150 million cryptocurrency heist to the 2022 LastPass data breach. U.S. authorities have seized over $23 million in cryptocurrency related to the January 2024 theft from a Ripple crypto wallet, with investigators believing hackers who breached LastPass in 2022 were responsible. These findings align with those published by KrebsOnSecurity in September 2023, which highlighted a series of six-figure cyberheists resulting from cracked master passwords stolen from LastPass.
The U.S. Secret Service and FBI investigations support the conclusion that the same attackers behind the LastPass breach used a stolen password from the victim's online password manager to access their cryptocurrency wallet. The stolen XRP, initially valued at $150 million, is now worth $716 million. The Secret Service continues to trace the funds through various exchanges, noting that the scale and rapid dissipation of funds required multiple malicious actors, consistent with the online password manager breaches and attacks on other victims. Recommended read:
References :
Thomas Brewster,@Thomas Fox-Brewster
//
Federal investigators have linked the 2022 LastPass data breach to a $150 million cryptocurrency theft from a Ripple XRP wallet in January 2024. Authorities believe the hackers exploited stolen master passwords to gain unauthorized access to the wallet. The stolen XRP, initially valued at $150 million, is now worth an estimated $716 million due to fluctuations in the cryptocurrency market.
U.S. law enforcement has seized over $23 million in cryptocurrency connected to the theft. The U.S. Secret Service and FBI are actively investigating the case and working to recover the remaining stolen funds. Security researchers had previously identified a pattern of similar crypto heists linked to the LastPass breach, suggesting a broader impact of the password manager vulnerability. The incident highlights the significant risks associated with compromised password management systems. Recommended read:
References :
|