Showing posts with label money extortion.

Crypto Scammer Monkey Drainer Shuts Down Criminal Operations

Cyber threats are not new in the crypto space. The industry has been witnessing advanced cyber security attacks since its inception and even recorded more during the 2022 crypto winter, especially in the DeFi Sector. 

According to Yahoo Finance, the cryptocurrency sector suffered a massive loss of nearly $50 billion last year due to various hacking incidents. Numerous groups have been involved in these nefarious activities, including the notorious North Korean Lazarus group and the infamous Monkey Drainer.

However, in a recent turn of events, the Monkey Drainer group has announced that they will be retiring from scamming in the cryptocurrency industry and switching their focus to another sector. Additionally, the group said that they will destroy all the devices and files they use to carry out their operations and will not return to the sector. 

In their message, Monkey Drainer advised other cybercriminals not to go after easy money and suggested that if they want to be successful, they should operate in a large group. They also recommended a new competitor called Venom Drainer to young cybercriminals who want to continue in this line of work.  

Interestingly, Venom Drainer emerged just a day before Monkey Drainer's announcement, suggesting that the new group was positioned as Monkey Drainer's successor. 

PeckShieldAlert, a company that monitors security incidents on blockchain networks, reported on Twitter that the scammers tried to hide their money by putting 200 ETH, worth $330,000, into Tornado Cash. 

However, Monkey Drainer still had 840 ETH coins worth $1.4 million left in their main wallet after the deposit. 

DeFi, short for Decentralized Finance, is a type of financial system that is built using a new technology called blockchain. This system does not rely on banks or other traditional financial institutions to work. Instead, it's decentralized and allows people to access financial services like lending, borrowing, trading, and investing without needing a middleman.  

This sector has become popular in recent years and has attracted billions of dollars in investment. It also offers people new opportunities to access financial services in a more transparent and decentralized way.  

Here are some things to be careful about when investing in cryptocurrency: 

1. Watch out for phishing attacks, where hackers pretend to be a trustworthy crypto company to trick you into giving them access to your digital assets. 

2. Be cautious of new and untested trading platforms, as some of them may be fraudulent. 

3. Be careful when using third-party software to manage your digital assets, as they can expose you to additional cybersecurity risks. 

4. Look out for crypto-malware, a type of malicious software that allows hackers to access your computer and mine cryptocurrencies without your knowledge. 

5. Keep your private key safe, as this is what you use to access your digital assets. If hackers get access to your private key, they can take your cryptocurrency without your permission. 

6. Cryptocurrencies are not regulated, which means that there is no agency in charge of their production or management. Be wary of unregulated exchanges, as they may attract hackers and scammers. 

Cryptocurrency is still a new concept, and it can be confusing even for experienced investors. Keep in mind that cryptocurrency is not as safe as traditional assets, and it comes with additional risks.  

PSPCL's Scam Alert: Scammers Attempting to Extort Money

In a brand-new online scam, scammers are now attempting to extort money from victims by posing as workers of Punjab State Power Corporation Limited (PSPCL) and demanding that they pay past-due bills. Several business organizations cautioned their members against this trick when PSPCL issued a public notice about it. 

Posing as PSPCL, the scammers warn customers that they risk losing their electrical service if they do not promptly pay a specified sum.

President of the United Cycle and Parts Manufacturers Association (UCPMA), DS Chawla, provided additional details about the scam, stating that "Any innocent individual who falls for the scam and agrees to make a payment is then asked to download an app by the scammer. As soon as the program is downloaded, hackers take the user's private data, including their online banking passwords and debit and credit card details, so they can steal money from their accounts. We have sent the PSPCL public notice to our members and urged that they utilize either the PSPCL official mobile app or website to pay their bills or the cash counters at department offices in order to avoid falling for any such scams."

According to Dinesh Kalra, President of Ludhiana Business Forums, "Phishing assaults are getting more prevalent every day, and while this attempt to pose as PSPCL workers is new, it has the potential to harm a large number of individuals. However, we also ask PSPCL and Punjab police to track down and prosecute the perpetrators of this scam."

French Authorities Have Detained a Suspect in Case of Money Laundering of €19 Million

This week, French authorities apprehended a suspect under suspicion of laundering more than €19 million ($21.4 million) in ransomware extortion payouts. 

Law enforcement agencies have not revealed the accused's name, describing him only as a resident of the Vaucluse area in southeast France, nor have they named the ransomware group with which he worked. 

The detention comes as law enforcement agencies throughout the world have begun to collaborate and crack down on ransomware activity following years of recurrent attacks that have repeatedly disrupted government agencies and private-sector organizations. 

This year has seen several crackdowns targeting ransomware gangs, including: 

  • February – The arrest of Egregor/Maze members in Ukraine. 

According to French radio station France Inter, members of the Egregor ransomware cartel were apprehended in Ukraine. The existence of a law enforcement operation had already been confirmed by sources in the threat intelligence community. The Egregor gang, which reportedly began operations in September 2020, follows a Ransomware-as-a-Service (RaaS) model: it rents out access to its ransomware strain but depends on other cybercrime gangs to break into corporate networks and deploy the file-encrypting ransomware. 

  • March – The arrest of a GandCrab affiliate in South Korea. 

The arrest of a 20-year-old accused on allegations of spreading and infecting victims with the GandCrab ransomware was announced by South Korean national police. The accused, whose identity has not been revealed, was a client of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime organization. Police described the suspect as an associate — or a distributor — who operated by obtaining copies of the GandCrab ransomware and spreading them via email to victims around South Korea. 

  • June – The arrest of a group of Ukrainian money launderers who worked with the Clop gang.

Members of the Clop ransomware gang who were apprehended in Ukraine as part of an international law enforcement operation also provided money-laundering services to other cybercrime organizations. According to cryptocurrency exchange Binance, the group was involved both in cyber-attacks and in running "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups. 

  • September – Sanctions against Suex, a Russian crypto-exchange used to process ransomware payments. 

Suex, a cryptocurrency exchange incorporated in the Czech Republic but managed by Russia, was sanctioned by the US Treasury. According to a blockchain analysis company, Suex has assisted ransomware and other cybercrime organizations in laundering more than $160 million in stolen assets. Suex has aided in the processing of ransom payments to gangs like Conti, Ryuk, and Maze.

  • October – The arrest of 12 suspects behind the LockerGoga ransomware. 

According to Europol, twelve members of a ransomware cell were apprehended in Ukraine and Switzerland. The accused are suspected of orchestrating the ransomware attack that damaged Norsk Hydro in 2019; the organization has been linked to 1,800 ransomware attacks in 71 countries.

  • November – The arrest of a REvil affiliate in Ukraine for the Kaseya attack. 

The US Department of Justice charged a 22-year-old Ukrainian national with coordinating the ransomware assaults against Kaseya servers on July 4th of this year.

  • December – The arrest of a Canadian citizen for the attack against an Alaskan healthcare provider. 

Canadian authorities arrested an Ottawa resident suspected of organizing ransomware attacks on commercial companies and government agencies in Canada and the United States dating back to 2018.

1GB of Puma Data is Now Accessible on Marketo

Hackers have stolen data from Puma, a German sportswear firm, and are now attempting to extort money from the corporation by threatening to expose the stolen files on a dark web page specialized in the leaking and selling of stolen data. The Puma data was posted on the site more than two weeks ago, near the end of August. 

According to Security Affairs analysts, the threat actors took more than 1 GB of private information, which would be sold to the highest bidder on an unlawful marketplace. This operation appears to be devoted solely to the theft and sale of private information, ruling out the possibility that it is a ransomware offshoot. 

To back up their claims, the threat actors released some sample files that, based on their structure, suggest the attackers got Puma's data from a Git source code repository. The information is now available on Marketo, a dark web platform. The platform, which was launched in April of this year, is quite simple to use. 

Users can register on the marketplace, and there is a section for victim and press inquiries. Victims are given a link to a private chat room where they can negotiate. Each individual posting on Marketo includes an overview of the company, screenshots of allegedly stolen data, and a link to an "evidence pack" serving as proof. Sensitive data is sold through a blind, silent auction: users place bids based on how much they believe the data is worth, without seeing competing bids. 

Site administrators first compile a list of potential victims, then provide proof (typically in the form of a small downloadable archive) that their network has been infiltrated. If the victimised firm refuses to cooperate with the hackers, their data is exposed on the web, either for free or for VIP members only. The website claims to compile data from a variety of hacking groups but does not cooperate with ransomware gangs.

“Right now, I can say that Puma haven’t contacted us yet,” the administrator of the dark web leak portal told The Record in a conversation last week. “The rest of the data would be released if Puma will decline the negotiations,” they added.

Golang Cryptomining Worm Offers 15% Speed Boost

Researchers at the security firm Intezer have discovered a new Golang-based worm that is attacking Windows and Linux servers with Monero crypto-mining malware. This latest variant of the Monero-mining malware, which spreads through web-server bugs, makes the mining process more efficient. 

Threat actors deploy Monero-mining malware onto victims' machines; in a switch-up of tactics, the payload binaries are able to speed up the mining process by 15 percent, researchers reported. (Here a binary payload means the set of binary files, configuration files, and batch or shell scripts dropped onto the host; like a patch or hotfix, it can be deployed without an installer.) 

Reportedly, the worm, which has been active since early December 2020, drops the XMRig miner, commonly used to mine cryptocurrencies such as Monero, onto victims' machines. It attacks vulnerable servers and public-facing services such as MySQL, instances of the open-source Jenkins automation server protected by weak passwords, and the Tomcat administration panel. It also exploits a vulnerability in Oracle WebLogic tracked as CVE-2020-14882. 

“CVE-2020-14882 [is a] classic path-traversal vulnerability used for exploiting vulnerable web logic servers…” Uptycs reports. “…It seemed like the attacker tried to bypass the authorization mechanism by changing the URL and performing a path traversal using double encoding on /console/images.”
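The bypass described above works because an authorization filter that only inspects the literal request path sees a request under the unauthenticated static prefix, while the back end decodes the path a second time and resolves the `..` segments into the protected console. The detector below is an added example for this post, not code from Uptycs, Intezer, or the original article: it reads Common Log Format access-log lines, decodes percent-encoding repeatedly, normalizes the path, and flags requests that are double-encoded, contain dot-dot segments, or start under `/console/images/` but resolve elsewhere. The log lines, the `/console/images/` prefix as the unauthenticated path, and the `protected_resource` target are all constructed assumptions for illustration.

```python
"""Detect double-encoded path traversal against a web console from access logs.

Added example: assumes Common Log Format lines and a console whose
/console/images/ prefix is served without authentication. All sample
traffic below is constructed for the example, not captured data.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
# Line 2 is the double-encoded traversal pattern; line 3 is a plain traversal
# attempt that the server already rejected (403).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2020:10:01:02 +0000] "GET /console/images/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [20/Dec/2020:10:01:09 +0000] "GET /console/images/%252e%252e%252fprotected_resource HTTP/1.1" 200 1337
10.0.0.8 - - [20/Dec/2020:10:02:11 +0000] "GET /console/images/../protected_resource HTTP/1.1" 403 0
10.0.0.9 - - [20/Dec/2020:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [20/Dec/2020:10:03:31 +0000] "GET /console/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Assumed static prefix that the authorization filter lets through unauthenticated.
UNAUTH_PREFIX = "/console/images/"


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns (decoded_path, rounds). A legitimate client encodes once, so a
    path that still changes on the second decode round was double-encoded.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def analyze_request(raw_path):
    """Classify one request path; 'reasons' is empty for benign requests."""
    path_only = raw_path.split("?", 1)[0]          # ignore the query string
    decoded, rounds = fully_decode(path_only)
    normalized = posixpath.normpath(decoded)       # collapses "." and ".." segments
    reasons = []
    if rounds >= 2:
        reasons.append("double-encoding")
    if ".." in decoded.split("/"):
        reasons.append("dot-dot segment")
    # The core check: the literal path starts under the unauthenticated prefix,
    # but the path the back end will actually serve does not.
    if path_only.startswith(UNAUTH_PREFIX) and not normalized.startswith(UNAUTH_PREFIX):
        reasons.append("escapes %s to %s" % (UNAUTH_PREFIX, normalized))
    return {"raw": path_only, "normalized": normalized,
            "rounds": rounds, "reasons": reasons}


def scan_log(log_text):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines that are not CLF
        result = analyze_request(m.group("path"))
        if result["reasons"]:
            # A 2xx status on a traversal request means the bypass likely worked.
            alerts.append({"ip": m.group("ip"), "status": m.group("status"), **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("%s %s %s -> %s (%s)" % (alert["ip"], alert["status"], alert["raw"],
                                       alert["normalized"], ", ".join(alert["reasons"])))
```

The same decode-normalize-compare logic belongs in the authorization filter itself: authorize on the fully decoded, normalized path rather than the literal request string, so that a static-resource exception cannot be used as a stepping stone into the protected console.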

Kyung Kim, senior managing director and the head of cybersecurity for the Asia-Pacific Region at FTI Consulting, reported that a number of cybercriminals are using the Golang programming language to help them target operating systems other than Windows. 

"Golang is popular for attackers because it's multi-variate and allows a single codebase to be accumulated into all major operating systems. Rather than attacking end-users, Golang malware focuses its efforts on compromising application servers, frameworks, and web applications, which is partially why it can infiltrate systems easily without being detected," Kim said. 

Intezer is a cybersecurity firm that describes its product as the world's first cyber immune system against malicious code. The company detects variants of previously seen threats by profiling even small amounts of code reuse.

Fake “Samsung UPDATES” App Deceives Millions!

Millions of Samsung users were misled by an "updates" app which actually has nothing to do with Samsung. The app tried to harvest money in exchange for security updates.

The app, which targeted Android users and owners of Samsung phones in particular, was spotted by a group of researchers on the Google Play Store.

The app which has now been taken down would take the users to ad-filled pages and ask them for money in return for security updates and firmware.

Per the report shared by the malware analyst who discovered the application, the malware app was named “Updates for Samsung” and was installed by more than 10 million users.

The fake application lured the users in by claiming to make available free and paid Samsung updates whereas Samsung never actually charges for its legitimate firmware updates.

In addition, the report states that the app offered users a free download capped at 56 KBps; at that speed a 500 MB download took around 4 hours, only to time out and fail at the end.

The other option, of course, was a premium annual subscription to download the updates at full speed for around $34.99 (Rs. 2,400.76). The app would also show a lot of ads and ask for payment to remove them.

Among the other "amazing provisions" of the app was SIM card unlocking for any network operator, starting at $19.99 (Rs. 1,371.73).

The name of the fake app, deliberately chosen to target Samsung users, lived up to the cyber-cons' expectations and drew millions of installations.

The report additionally noted that the app does not contain any malicious code in itself; it is simply a deceptive tactic that cyber-cons can use to fool people.