Latest news with #MassJacker
Forbes
13-05-2025
- Forbes
Be Careful What You Search For — Crypto Hackers Are Watching
When you think of cybercriminal actors watching you, maybe phishing threats such as Hello Pervert, where the attacker claims to know where you live and has proof to back it up, spring to mind. Or how about the ransomware gang that has been found to install employee monitoring software to watch victims at work? Recent reports even suggested that a quarter of Americans think someone is spying on their smartphone usage. But I'm more concerned with the hackers who watch what you are searching for in order to launch targeted attacks. I wrote about one such attack campaign on March 16, where MassJacker threat actors used people searching for pirated software as a means to get them to download malware. The latest attacks, however, involve crypto hackers exploiting people looking for help with their wallets and striking while they are at their most vulnerable. Here's what you need to know about the FreeDrain campaign that security experts have warned is operating at an industrial scale.

FreeDrain might not have made it onto the list of the world's most prolific cybercrime actors, but I can't help but think it's only a matter of time. Threat intelligence researchers initiated their investigation on May 12, 2024, following a plea for assistance from an individual who had discovered that 8 BTC, equivalent to approximately $500,000 at the time, had been stolen from their cryptocurrency wallet. Initially, it appeared to be a run-of-the-mill phishing attack, albeit one employing a highly ranked search engine result to kickstart the attack. It soon became apparent that it was far from the norm. Welcome to the vast and coordinated world of weaponized searches and crypto theft known as FreeDrain. A joint report by Tom Hegel of SentinelOne's Sentinel Labs team, alongside Kenneth Kinion and Sreekar Madabushi from Validin, has confirmed that FreeDrain is 'an industrial-scale, global cryptocurrency phishing operation that has been stealing digital assets for years.'

The security researchers found that simple queries for help, such as asking how to get a specific crypto wallet balance, produced multiple malicious links on major search sites, not always on page one but 'often within the first few result pages.' By following those links that the investigators knew were not legitimate websites, they encountered live phishing pages immediately. The attack chain, it seems, was a pretty straightforward one as these things go: How the crypto hackers were able to pull off this search engine manipulation is as fascinating as it is concerning. 'We identified several indexed URLs pointing back to high-ranking lure pages,' the report said, 'and traced them to massive comment spam campaigns.' This isn't new; it's something called spamdexing that has been used to game SEO for years. The FreeDrain campaign, however, appeared to put it to very good use. 'We found a Korean university photo album page with a single image uploaded over a decade ago,' the researchers said, 'buried under 26,000 comments, nearly all of them containing spam links.' The end result was more than 200,000 unique malicious URLs in search results, and 38,000 FreeDrain subdomains hosting the phishing pages.

I've said it before, and I will say it again: be careful what you search for. More importantly, be careful where some of those searches take you. If you want help concerning a particular crypto wallet, go to the vendor site directly and seek that help there.
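The two signals the researchers describe above, comment sections stuffed with spam links and tens of thousands of phishing subdomains under a few domains, are both things a defender can measure on their own crawl or search-result data. The script below is an added example written for this page; it is not code from the Forbes article, SentinelOne or Validin. The URLs, hostnames and comments in it are constructed placeholders, the registrable-domain helper is a deliberately naive last-two-labels heuristic (use the Public Suffix List on real data), and the flagging threshold of 4 hostnames is an illustrative assumption to be tuned against your own baseline.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: URLs as a search-result or crawl monitor might collect them.
# Hostnames are invented placeholders, not indicators from any report.
SAMPLE_URLS = [
    "https://wallet-help.example-lure.net/balance",
    "https://recover-seed.example-lure.net/start",
    "https://restore-wallet.example-lure.net/",
    "https://unlock-funds.example-lure.net/",
    "https://support.example-lure.net/faq",
    "https://docs.legit-vendor.example/wallet/balance",
    "https://www.legit-vendor.example/",
    "https://blog.legit-vendor.example/post",
]

# Constructed sample: comments scraped from one page, one old genuine comment
# followed by link-bearing spam of the kind the report describes.
SAMPLE_COMMENTS = [
    "Nice photo from the 2013 trip!",
    "wallet balance help https://wallet-help.example-lure.net/balance",
    "recover seed phrase https://recover-seed.example-lure.net/start",
    "restore wallet fast https://restore-wallet.example-lure.net/",
    "unlock funds now https://unlock-funds.example-lure.net/",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two DNS labels.
    Assumption: no multi-label public suffixes (e.g. co.uk) in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def subdomains_by_domain(urls):
    """Map each registrable domain to the set of distinct hostnames seen under it."""
    seen = defaultdict(set)
    for url in urls:
        host = urlparse(url).hostname
        if host:
            seen[registrable_domain(host)].add(host)
    return seen


def flag_subdomain_farms(urls, threshold=4):
    """Return registrable domains with at least `threshold` distinct hostnames.
    A domain spawning many throwaway subdomains is worth a closer look;
    the threshold is an illustrative assumption, not a published value."""
    return sorted(
        domain
        for domain, hosts in subdomains_by_domain(urls).items()
        if len(hosts) >= threshold
    )


def extract_urls(comments):
    """All URLs found across a list of comment bodies."""
    return [u for c in comments for u in URL_RE.findall(c)]


def comment_link_ratio(comments):
    """Fraction of comments that carry at least one URL.
    A comment section where nearly every comment is a link is a spamdexing candidate."""
    if not comments:
        return 0.0
    with_links = sum(1 for c in comments if URL_RE.search(c))
    return with_links / len(comments)


if __name__ == "__main__":
    print("subdomain farms in search results:", flag_subdomain_farms(SAMPLE_URLS))
    print("link-bearing comment ratio:", comment_link_ratio(SAMPLE_COMMENTS))
    print("domains promoted by the comments:",
          flag_subdomain_farms(extract_urls(SAMPLE_COMMENTS)))
```

The two measurements compose: URLs pulled out of a suspicious comment section can be fed straight into the subdomain-count check, so a page that is both link-saturated and pointing at a subdomain farm scores on both signals. Neither check proves a page is phishing on its own; they rank where an analyst should look first.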


Forbes
27-04-2025
- Business
- Forbes
Fake Crypto Attacks — What You Need To Know
Beware the fake crypto scammers. Advanced persistent threat groups affiliated with nation-states are hot hacking news right now. The FBI has just confirmed a $10 million reward for information about individuals belonging to the Chinese Salt Typhoon cyber-espionage group. But China isn't the only player in the state-hacking game; a new report suggests that North Korea and, potentially, Russia could have joined forces in a new and highly dangerous fake crypto security threat. Here's what you need to know.

When it comes to crypto and matters of cybersecurity, there are generally two things that spring immediately to mind: ransomware payments and cryptocurrency theft. Perhaps the best-known types of the latter involve cryptojacking attacks, such as the recent MassJacker malware that resulted in a 'be careful what you search for' warning. According to an April 24 report from Silent Push, one nation-state-affiliated group, Contagious Interview, is behind a campaign using three separate fake cryptocurrency consulting companies to distribute three malware families to unsuspecting victims. The malware trio will, ultimately, perform the same task: install infostealers to harvest system information, including browser data, passwords, and files, as well as silently drop remote access software onto the device for persistent access. Oh yes, and there's a tool to connect to cryptocurrency wallets as well. Worried yet? You should be, so take note of what is known about the campaign.

'Our team found that the use of fake job offers to distribute malware, such as BeaverTail, InvisibleFerret, and OtterCookie, enables remote access and data theft,' the report said. The aptly named Contagious Interview group was found to be heavily leaning on AI-generated images to create employee profiles for the three companies concerned, and I recommend you read the full report for all the details.

'As part of the crypto attacks,' the researchers said, 'the threat actors are heavily using GitHub, job listings and freelancer websites.' Silent Push threat analysts said that they are continuing to track the Contagious Interview attackers, as they believe they pose a threat to individuals. The fake crypto campaigns could also, Silent Push concluded, 'provide some corporate risk due to the malware they deploy and the credentials they acquire from devices.'