Tag Archives: sextortion

27th July 2018 Resource updates

Updates to Cryptocurrency/Crypto-mining News and Resources 

John Leyden for The Register: Criminal mastermind injects malicious script into Ethereum tracker. Their message? ‘1337’ – “The Etherscan incident could have been far worse. Rather than a cheeky pop-up, a more mendacious mind might just have easily used the same flaw to run a crypto-mining scam.”

SecureList (Kaspersky): A mining multitool – “Symbiosis of PowerShell and EternalBlue for cryptocurrency mining… The creators of PowerGhost … started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.”

Graham Cluley: Mind your company’s old Twitter accounts, rather than allowing them to be hijacked by hackers – “DEFUNCT FOX TV SHOW HAS ITS TWITTER ACCOUNT COMPROMISED BY CRYPTOCURRENCY SCAMMERS.” “…it appears that hackers seized control of the moribund Twitter account and gave it a new lease of life promoting cryptocurrency scams.”

Updates to Tech support scams resource page

ZDNet: US makes an example of Indian call center scam artists with stiff sentences – “The worst offenders have been thrown behind bars for up to 20 years… a number of call centers were established in Ahmedabad, India, in which operators impersonated the IRS and USCIS… in order to threaten US victims with arrest, prison, fines, and deportation unless they paid money they apparently owed.”

Updates to Chain Mail Check

An excellent article has just been published by my ESET colleague Lysa Myers: Hook, line, and sinker: How to avoid looking ‘phish-y’. Companies actually compound the phishing problem when they send poorly thought-out messages that are indistinguishable from phishing messages, both to their own staff and to customers (some banks are particularly culpable here). As a result, recipients of such messages are conditioned into accepting without suspicion messages that don’t conform to good practice, and are more susceptible to being taken in by phishing messages. In addition, Lysa points out an issue I hadn’t really considered: “An increasingly common scenario is phishy-looking emails sent by Software as a Service (SaaS) apps like those for fax or shipping services, human resource or accounting portals, collaboration tools, newsletters or even party planners.”

Another colleague (and long-time friend), Bruce P. Burrell, expands on the story I referred to briefly here – Sextortion and leaked passwords – with this article: I saw what you did…or did I? – “It might seem legit but there are several reasons why you should not always hit the panic button when someone claims to have your email password.” Not just a rehash of the news story, but the precursor to what I expect to be a very useful second article with advice from a seasoned security researcher.

Updates to Mac Virus

[update:  for ESET – Fake banking apps on Google Play leak stolen credit card data – “Fraudsters are using bogus apps to convince users of three Indian banks to divulge their personal data”]

Catalin Cimpanu: Chrome Extensions, Android and iOS Apps Caught Collecting Browsing Data – “An investigation by AdGuard, an ad-blocking platform, has revealed a common link between several Chrome and Firefox extensions and Android & iOS apps that were caught collecting highly personal user data through various shady tactics.”

Pierluigi Paganini: CSE Malware ZLab – APT-C-27’s long-term espionage campaign in Syria is still ongoing. After ESET’s Lukas Stefanko revealed the existence of a repository containing Android applications, researchers from CSE Cybsec Z-Lab identified spyware that was “part of the arsenal of a APT group tracked as APT-C-27, aka Golden Rat Organization.” In recent years the group has been focusing its activities in Syria. Here’s the ZLAB Malware Analysis Report.

The Hacker News: iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known – “India-linked highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including windows devices and possibly Android as well.”

Sophos: Red Alert 2.0: Android Trojan targets security-seekers – “A malicious, counterfeit version of a VPN client for mobile devices targets security-minded victims with a RAT.”

David Bisson for Tripwire: Exobot Android Banking Trojan’s Source Code Leaked Online – “Bleeping Computer said it received a copy of the source code from an unknown individual in June. In response, it verified the authenticity of the code with both ESET and ThreatFabric… Exobot is a type of malware that targets Android users via malicious apps. Some of those programs made their way onto the Google Play Store at one point.”

David Harley

Sextortion & leaked passwords revisited

A rather different type of extortion, originally published on Chainmailcheck, but reproduced here with some additional commentary.

Here’s an interesting article by Brian Krebs: Sextortion Scam Uses Recipient’s Hacked Passwords

The scammer claims to have made a video of the intended victim watching porn, and threatens to send it to their friends unless payment is made. Not particularly novel: the twist with this one is that it “references a real password previously tied to the recipient’s email address.” Krebs suggests that the scammer is using a script to extract passwords and usernames from a known data breach from at least ten years ago.

The giveaway is that very few people are likely to be using the same password now – and it’s unlikely that there are that many people receiving the email who might think that such a video could have been made. Still, it seems that some people have actually paid up, and it’s possible that a more convincing attack might be made sending a more recent password to a given email address, and perhaps using a different type of leverage.

[Commentary from Sophos here.]

Additional commentary from me since the Chainmailcheck article:

In a related *thread on Reddit, one comment indicated that there have also been attempts to log on to accounts associated with the same user using the leaked password, which I’d say amounts to a good reason for:

(a) Not using the same password across multiple accounts in general (though some people use a ‘throwaway’ password on ‘throwaway’ accounts where a later breach wouldn’t actually matter).

(b) Checking other accounts where you might have duplicated a password. It’s perfectly possible in such a case that the password is no longer current on the email account where the extortion mail was received, but is still current on other accounts, perhaps used less often.

One slightly disturbing feature of that Reddit thread is that it was sparked by an extortionate email to an admin account where the password given by the scammer was still current. Fortunately, the company concerned seems to have taken appropriate actions on seeing the email, but it’s a salutary reminder that administrators are not always any better at routine security measures than the rest of us.

*Hat tip to ESET’s Aryeh Goretsky for bringing it to my attention.

David Harley