Bitcoin thieves use malicious QR code readers to steal $45,000 this month

Payments in cryptocurrency are not limited to extortionists who provide their Bitcoin (BTC) wallets in their ‘contact info’. Adapting to its growing popularity, merchants around the world have added payment options that accept Bitcoin or other types of cryptocurrency.

Last week, security researcher Harry Denley exposed nine websites advertising fake Bitcoin-to-QR code generators:

• bitcoin-barcode-generator[.]com
• bitcoinaddresstoqrcode[.]com
• bitcoins-qr-code[.]com
• btc-to-qr[.]com
• create-bitcoin-qr-code[.]com
• free-bitcoin-qr-codes[.]com
• freebitcoinqrcodes[.]com
• qr-code-bitcoin[.]com
• qrcodebtc[.]com

All BTC to QR Code websites have an identical interface and claim that, if you enter your Bitcoin address, the QR code will be instantly generated. “A super practical way to get a scannable code to send Bitcoin transactions” – or an easy way for cyber thieves to make a quick buck.

The tools, which are supposed to convert your own Bitcoin address into a QR code for easier fund transfers, instead generate a QR code encoding one of five different Bitcoin wallets belonging to the perpetrator, the investigation reveals.

So far, the fake QR code generators have managed to scam victims out of 7 BTC ($45,000). What makes the hoax so puzzling is that cryptocurrency users can generate a QR code through their own wallet; nevertheless, they opted to rely on bogus online code generators instead. Since this functionality can be found in both virtual cryptocurrency wallets and some exchanges, it’s recommended to stay away from these online tools and websites — they do nothing but steal your funds.
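The practical defence against this substitution trick is to check that the payload a QR code actually carries is the address you intended to share, before anyone pays it. The Python below is an added illustration of that check and is not code from the article or from any of the sites it names: it parses a scanned QR payload (a bare address or a BIP 21 `bitcoin:` URI), verifies the intended address's Base58Check checksum with the standard double-SHA256 rule, and reports whether the two match. It covers legacy Base58 addresses only; bech32 `bc1...` addresses are assumed out of scope. The sample inputs are constructed: the genesis block coinbase address stands in for "your" address, and the second address is the example address from the Bitcoin wiki standing in for a swapped-in one.

```python
import hashlib

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(address):
    """Decode a Base58Check string and verify its 4-byte checksum.

    Returns the 21-byte payload (version byte + 20-byte hash) on success,
    or None when the string is malformed or the checksum does not match.
    """
    num = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the alphabet: not Base58 at all
        num = num * 58 + idx
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    # Each leading '1' stands for a leading zero byte that the integer form drops.
    leading_ones = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading_ones + raw
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def address_from_qr_payload(payload):
    """Extract the destination address from a scanned QR payload.

    Accepts a bare address or a BIP 21 URI such as
    'bitcoin:<address>?amount=0.01&label=shop' (scheme is case-insensitive).
    """
    text = payload.strip()
    if text.lower().startswith("bitcoin:"):
        text = text[len("bitcoin:"):]
    return text.split("?", 1)[0]


def qr_payload_matches(payload, intended_address):
    """True only if the QR code pays exactly the address you typed in and that
    address itself carries a valid checksum (legacy Base58 addresses only)."""
    if base58check_decode(intended_address) is None:
        return False
    return address_from_qr_payload(payload) == intended_address


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    mine = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"          # genesis coinbase address
    honest_qr = "bitcoin:" + mine + "?amount=0.01"
    swapped_qr = "bitcoin:1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2?amount=0.01"  # wiki example
    print("QR pays my address:", qr_payload_matches(honest_qr, mine))
    print("swapped QR pays my address:", qr_payload_matches(swapped_qr, mine))
```

Scan the code a generator hands you with any QR reader, paste what it shows into `qr_payload_matches` along with the address you entered, and refuse to publish the code unless the result is `True`. The checksum step also catches a mistyped address of your own before it is ever encoded.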

Interestingly enough, the above websites are hosted on three separate servers, which also host an additional 450 suspicious websites built around keywords such as COVID-19, cryptocurrencies and Gmail.

While most of the discovered domains are offline, some point to bitcoin transaction accelerators that vow to speed up your bitcoin transfers if you pay 0.001 BTC (6 USD). Four of the domains are listed below:

• bitcoin-transaction-accelerator[.]com
• transaction-accelerator[.]com
• bitcoin-tx-transaction-accelerator[.]com
• viabtc-transaction-accelerator[.]com

The Bitcoin addresses of these accelerators have gathered over 15 BTC so far, roughly $100,000.


ProtonVPN Discloses VPN Vulnerability in iOS

VPN services are available to iOS users, but they don’t work as intended due to a bug in iOS that doesn’t route all existing network connections through the VPN as soon as it starts. ProtonVPN found a vulnerability in iOS 13.3.1 that affects all VPN connections, no matter which application initializes the private tunnel. The issue persists in the latest iOS 13.4 version as well.

Most companies follow a responsible disclosure program, which means they first notify the developers of the affected app or the makers of a hardware component about an issue, giving them time to fix it. In this case, Apple was given 90 days before the vulnerability was made public. The company has yet to issue a fix, but they are working on options for mitigation.

As it turns out, when a user initializes a VPN connection, iOS doesn’t close all network connections, allowing them to remain online. At some point, the connection is reinitialized through the VPN, but it’s entirely up to the OS, and users have no choice.

While it might not seem like a big deal, imagine you’re trying to use a VPN, but its full functionality is crippled because of communications from other components, such as the messaging applications or the notification service.

“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” says ProtonVPN in the notice.

“The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” the company said. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server. Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.”

All VPN apps are affected by this vulnerability, as it’s impossible for them to kill the connections kept open by the OS. The only temporary workaround is to run the VPN app, turn Airplane Mode on and off, and hope that all connections are then rerouted through the tunnel. There is no guarantee that this is completely effective, though.


Pay me or I’ll cough: Bad actors bully email recipients with new Covid-19 extortion scam

Cyber criminals hit a new low this month, proving once again that they’ll go to any lengths to extort their victims. This time around, it’s not just about ruining your reputation and disclosing a ‘dirty little secret’ to your friends and family. Scammers have gift-wrapped the traditional extortion email in a desperate attempt to make you pay up.

The bargaining chip

Where old gimmicks no longer pay off, new extortion emails leverage the Coronavirus pandemic. How? The scammer demands payment in Bitcoin, or else he will infect your family members with Coronavirus. It seems threat actors have transitioned to bioterrorism overnight, claiming that “No matter how smart you are, believe me, if I want to affect, I can.”

While this outlandish threat is false, the effort shows that some bad actors are struggling to make a buck amid the pandemic.

Bitdefender Labs has spotted a separate version of the Covid-19 extortion stunt, in which the swindler poses as your neighbor and claims to have tested positive for the virus. In this petty variant, the perp goes on to mention that he has just a week to live, and shows his contempt by asking you to transfer money to his Bitcoin wallet.

We know you have a lot on your plate right now, and while new versions of the scam are likely to turn up in the coming weeks, rest assured that we are committed to fending off any such hoaxes that might end up in your Inbox. While we focus on protecting your devices from malware and phishing attacks, you can follow some easy but effective steps to stay safe while browsing the Internet:

• Change your passwords periodically – passwords are the gateway to your accounts and your online persona. Regularly updating your login passwords for e-commerce websites and social media accounts can help keep you safe from account takeover attacks and identity theft. A guide on how to create a strong password can be found here.
• Enable two- or multi-factor authentication – this gives your online accounts an extra layer of protection.
• Ignore online offers promoting Coronavirus cures, home test kits or vaccinations – numerous fake ads shared on social media and other platforms have been quick to dupe consumers.
• Don’t click on links or download files from untrusted sources – accessing unfamiliar links or downloading files onto your devices may bring a malicious payload. It’s best to keep your browsing limited to sites you already know and trust.

We’re going to keep doing what we’ve always done – protecting you from malicious activity.

Stay Safe!


5 tips for not bungling home videoconferencing

The current pandemic has turned videoconferencing into a vital tool for both work and personal communication. We explain how not to goof up in front of the boss or, worse, the mother-in-law.

Oddly enough, the choice of application is far from the most important part. Most services provide similar features, and unless you have some specific requirements, you can just use what’s on your machine already — or whatever the majority of participants use.

Most companies have their own teleconferencing standards and tend to use a certain platform, be it Skype, Google Hangouts, Zoom, or Microsoft Teams. As for the mother-in-law, the choice is likely to be even simpler. With that said, let’s get to the point: what you should consider to make your video call as smooth as possible.

1. Prepare for the videoconference in advance

Don’t connect at the last second only to discover that your cat bit through the headset cable and the camera needs a driver update to work. Sign in beforehand, check that everything is in working order, and if you encounter problems, solve them relatively stress-free. And if you’re using a laptop or smartphone, it won’t hurt to make sure that the battery is charged before the call starts.

2. Mute the microphone first thing

Remember to mute the mic when you’re not talking into it. Background sniffing and snuffling make concentrating difficult — and your colleagues have no need to hear your tech-savvy cat regurgitating that headset cable.

3. Ensure a decent connection speed

We sometimes forget how many different home devices are connected to the Internet, eating up bandwidth. And then we’re surprised when the sound gets garbled and the picture turns into a pixelated haze at the crucial moment.

Before starting an important video conference, make sure to knock bandwidth competitors off of your network. Your kid’s tablet streaming a cartoon in 4K, Windows updates, and game downloads can wait until the call ends.

A wired Ethernet connection usually beats Wi-Fi — especially if you are separated from your router by a couple of concrete walls and the ether is clogged up with your neighbors’ networks (which are suddenly also hosting important video calls, playing online games, and watching 4K streaming videos all day long).

4. Figure out the settings and features

If you are not familiar with the application you’re going to use for the call, and you have to organize the conference, spend some time studying the app’s settings. In Zoom, for example, the default settings allow call participants to share their screen without prior permission from the organizer. In open webinars, this can sometimes lead to such accidents (or pranks) as collective viewings of pornography.

If you don’t want your conference call to be disrupted in such a manner, leaving you red-faced and having to apologize, disable this channel of creative expression in advance.

5. Look presentable

A relaxed home environment may be a pleasant change, but don’t overindulge. When video conferencing, make sure you’re wearing decent clothes (lower body as well, just in case). Don’t lie on the couch during a serious meeting, and don’t play games in the background or quietly strum your guitar while colleagues are talking. To play it safe, simply behave and look just as you would at a face-to-face meeting.

Modern technology can lend a hand by the way: Some video conference services let you hide an unsightly environment by surrounding you with a virtual background. For example, Skype and Teams can blur the background, and Zoom goes even farther and can set you against a glorious backdrop of waterfalls, glaciers, or even the aurora borealis.

Two things to consider though: (a) it can impact speed, especially if your computer is not very powerful, and (b) technology has its limits. It may try to hide your cord-chomping cat, of course, but the result might look a little weird. So, our advice is to experiment with the different settings and options, not 2 minutes before the call starts, but an hour or even a day in advance. Then you will know exactly how everything will look and avoid hair-curling moments.


Cybersecurity insurance firm Chubb investigates its own ransomware attack

A notorious ransomware gang claims to have successfully compromised the infrastructure… of a company selling cyberinsurance.

The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.

The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.

Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.

At the time of writing, Maze has published no proof that it has successfully infected Chubb’s systems. It has published the email addresses of its Chief Executive, Vice Chairman, and Chief Operating Officer, but this is information which could have been easily obtained through other means than hacking.

When asked to provide more information, the Maze group is currently keeping its lips sealed – presumably waiting to see if Chubb will pay a ransom.

For its part, Chubb told Bleeping Computer that – with the help of cybersecurity experts and law enforcement agencies – it was investigating whether hackers might have stolen data from a third-party service provider as it has not found any evidence that its own network has been compromised:

“We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider. We are working with law enforcement and a leading cybersecurity firm as part of our investigation. We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims. Securing the data entrusted to Chubb is a top priority for us. We will provide further information as appropriate.”

Whether it was Chubb or one of its external partners remains to be seen, but the mention of Chubb on Maze’s list of “new clients” was enough to prompt security researchers to explore the state of Chubb’s security – with some discovering that the company appeared to have left RDP open for anyone to access via the internet, and that the firm was using unpatched Citrix Netscaler servers (commonly exploited in past Maze ransomware attacks).

More and more companies are choosing to take out commercial cyberinsurance policies to mop up some of the costs if they are hit by ransomware and other forms of hacker attacks. For a large company selling cyberinsurance to potentially be one of the latest ransomware victims is particularly ironic, and sends a warning to all firms not to be complacent about the threat.


Scammers Target U.S. Troops with Fake COVID-19 Tests

Scammers continue to piggyback on the COVID-19 Coronavirus scare with new tricks, this time targeting U.S. Army service members with phone calls requesting their personal information and promising a testing kit to check if they’re infected, according to the Military Times. The outlet, which describes itself as a trusted, independent source for news and information on the most important issues affecting service members and their families, has put out the following warning:

“If you’re a Tricare recipient and someone calls you out of the blue offering a COVID-19 test kit, hang up the phone and contact Tricare officials.”

The notice comes after the Defense Health Agency said it learned of scammers trying to steal personal information of Tricare beneficiaries using the promise of non-existent COVID-19 testing kits.

Scammers call beneficiaries directly with an offer to sell COVID-19 testing kits and even ship them to the prospective victim’s address. Operatives behind the swindle reportedly request personal information such as Social Security numbers and bank or credit card information.

Service members are instructed to report unsolicited attempts to sell or send a COVID-19 testing kit to this link. Furthermore, service members should not physically walk into their local military hospital or clinic if they feel they may have symptoms of COVID-19. Instead, they should stay home and contact their medical provider, the notice states.

“You will be assessed and screened for potential or suspected exposure, and if necessary, an appointment with a physician will be arranged. Legitimate COVID-19 tests will be ordered by a physician after the assessment and screening,” according to the Military Times.

U.S. government agencies and police are scrambling to keep the American public safe from COVID-19 scams, including phishing emails arriving in their inbox with attachments purporting to contain vital information about the contagion and how to fight it.

The best advice right now is to refrain from making decisions over any unsolicited calls, SMS messages, or emails claiming to lend a helping hand, free masks or testing kits, or miracle cures. Opportunistic fraudsters use the anxiety created by a crisis to take advantage of their unsuspecting victims.


BBB warns scammers are leveraging the Senate relief bill

For the past week, U.S. lawmakers have been discussing proposed stimulus checks to help the country through this coronavirus-induced economic crisis. The $2 trillion stimulus package that will offer help to American citizens affected by the Coronavirus outbreak unanimously passed the Senate this Wednesday and was sent to the President for signing. The Better Business Bureau (BBB) has already issued a warning for citizens to keep an eye out for government grant scams.

What should you expect?

Fraudsters posing as government officials may contact you via telephone, email or social media posts and messages, claiming you can apply for a free grant with 100% guaranteed acceptance. If you fall for their ruse, you are asked to submit a one-time processing fee. The punchline: you’ll never see a dime of the so-called grant money they promised.

Fake checks and grant scams are old news in the swindling business. What makes this particular scam stand out is that fraudsters started deploying the scheme before the newly proposed legislation became a reality.

The BBB Scam Tracker has already received complaints from the community.

“I received a text message stating “Government Relief Available” with a link to click. The link is tCXQ[.]site/3VeoS and had MSG:3VeoS at the bottom of the message. I knew this had to be a scam. I did not click the link because I had seen on Facebook about some scam texts being sent out. I hope these people are caught and prosecuted for trying to take advantage of people in a time of struggle”, one user described on March 25.

An earlier recipient posted a similar message on March 21, stating “A Facebook Messenger message from a personal friend started informing me about a government grant for retired people that sounded great ’cause she got her money within three weeks. I contacted the FGG & WHO agent that she worked with. Through text messages she helped me fill out a form over my cell phone which included my(winner’s as they put it) full name and address my deceased parents’ names, occupation status, age, marriage status, husband’s name, cell phone number & provider, monthly amount from Social Security and credit score and for $1,000 filing fee in a gift card I would receive $100,000 as a grant.”

Another scam description, from March 25, says “Texted saying click here for government relief. Could be covid19 related.”

According to a separate report from March 24, “Attorney Robert Menendez Incharge 2020 contacted me through a friend’s Instagram account. He asked for the following information. Full name; Mother Name; Address; Male/Female; state; married/single; cell no; age; occupation; e-mail; monthly income; attached I.D. image; do you have credit cards; what’s your credit score; etc.”

Tips to help you spot the emerging COVID-19 Grant Scam

• Understand that your government will not communicate with you directly through social media messages on Facebook, Instagram or WhatsApp.
• Do not pay any money for a free government grant. If you have to pay to claim it – you can’t really call it free. A real government agency will not ask you to pay any processing fees.
• Do your research and check whether the agency contacting you exists. Contact the organization and ask if the message you received is legitimate. Cyber criminals often spoof phone numbers or email addresses, making it appear that you’re being contacted by the real person.
• Scammers often impersonate real people on social media, so be wary of messages with grant-related content you receive from ‘your friend’. You can call your friend to verify whether they sent the message.

Stay Safe!


FBI Takes Down Russia-based Cyber Platform Selling Private Data and Contraband

The Federal Bureau of Investigation (FBI) took down the DEER.IO website, a known cybercrime platform based in Russia, and arrested Kirill Victorovich Firsov, its alleged administrator. When you hear of personal information stolen in data breaches and sold on the black market, it usually means that it has ended up on websites such as DEER.IO. The main difference with this website is that it was accessible to the public, which made it a lot more visible.

The alleged website administrator, Kirill Victorovich Firsov, was arrested in New York on March 7th. He’s also a suspected hacker and used every opportunity to promote the website to other interested parties. The DEER.IO platform became operational sometime around October 2013 and claimed to have made sales exceeding $17 million.

DEER.IO allowed sellers to offer a wide range of personal data obtained from hacked or otherwise compromised U.S. and international financial and corporate sources.

“The DEER.IO platform offered a turnkey online storefront design and hosting platform, from which cybercriminals could advertise and sell their products (such as harvested credentials and hacked servers) and services (such as assistance performing a panoply of cyber hacking activities),” reads the FBI notification.

Cybercriminals who wanted to sell contraband or offer criminal services had to pay a monthly fee of just $12.50. Starting March 4, 2020, FBI agents purchased 1,100 gamer accounts for just $20, payable in Bitcoin, and found that 249 of the accounts could be easily compromised by using only the name and password. Once inside the account, criminals had direct access to payment methods, allowing them to perform more purchases.

The agents also bought 3,649 individual PII records for $692 in Bitcoin. Those records held names, dates of birth and U.S. Social Security numbers for multiple residents of San Diego County.

While DEER.IO is just one of the services taken down by law enforcement, many are still active. People have a number of options available to them if they want to safeguard their data. At the very least, they need to enable two-factor authentication wherever possible.

Another option would be to use the Digital Identity Protection service from Bitdefender, which constantly monitors the users’ online footprint, alerting them if anything private surfaces on the Internet.


LightSpy spyware targets iPhone users in Hong Kong

In January of this year, experts detected a large-scale watering-hole attack aimed at residents of Hong Kong, in which the multifunctional malware LightSpy for iOS was installed on victims’ smartphones. This is yet another reminder to anyone who thinks that Apple devices, in particular iPhones, are immune to malware; they are protected, of course, but by no means totally.

How LightSpy infects iOS devices

The malware landed on victims’ smartphones when they visited one of several websites disguised as local news resources — the attackers simply copied the code of real news outlets and created their own clones.

The sites loaded a whole bunch of exploits onto victims’ smartphones, resulting in the installation of LightSpy. Links to the fake sites were distributed through forums popular with Hong Kongers. All it took for the iPhone to get infected was one visit to a malicious page. There was no need even to tap anything.

What is LightSpy?

LightSpy malware is a modular backdoor that lets an attacker remotely execute commands on the infected device and generally run amok on the victim’s phone.

For example, the attacker can determine the smartphone’s location, get its contact list and call history, see which Wi-Fi networks the victim has connected to, scan the local network, and upload data about all detected IP addresses to its command-and-control (C&C) server. In addition, the backdoor has modules for stealing information from Keychain (iOS’s password and encryption key storage), as well as data from the WeChat, QQ, and Telegram messaging apps.

What’s interesting is that the attackers used no zero-day vulnerabilities, but so-called first-day vulnerabilities — that is, newly discovered holes for which patches have been released but included only in the latest system updates. Therefore, those iOS users who updated their devices in a timely manner could not get infected — but, of course, lots of people didn’t install the updates. The attack threatened owners of smartphones running iOS 12.1 and 12.2 (the problem affects models from iPhone 6s to iPhone X).

How to guard against LightSpy

It’s still unclear whether LightSpy will spread beyond China, but such toolkits have a habit of reaching a wider audience, so don’t assume that the problem will pass you by. Take the following precautions for greater security:

  • Install the latest version of the operating system. If you are reluctant to do so because of issues with iOS 13, never fear: In the current version (13.4), Wi-Fi bugs and other irritants have been fixed.
  • Be very careful when following links, especially links sent by strangers. Even if they appear at first glance to point to a known website, checking the address carefully does no harm.


Coronavirus as a hook

E-mails imitating business correspondence with malicious attachments are nothing new. We’ve been observing them in junk traffic for the last three years at least. The more precise the fake, the higher the likelihood that the victim will not suspect anything.

Such phishing is especially dangerous for employees of companies that sell goods, because e-mails with delivery requests or orders are run-of-the-mill. Even someone trained to spot a fake can sometimes struggle to determine whether a message is phishing or a legitimate order from a client. Therefore, the number of convincing yet fake e-mails keeps on growing. They are not encountered as often as traditional malicious spam, but that’s because they are designed for a specific purpose and are sent to targeted addresses.

These past few weeks, scammers have been exploiting the coronavirus outbreak to give their missives extra credibility. The e-mails often cite virus-related delivery problems, prompting the recipient to wonder what delivery they are talking about. In other cases, attackers use the pandemic to press the need to process a request urgently because their usual partners cannot deliver goods in time. Whatever the case may be, the goal is to get the victim to open a malicious attachment. Standard tricks are used as a pretext, usually involving a request to check shipping details, payment data, an order, or product availability.

Below are some specific examples of this type of phishing and the risks involved.

Delayed delivery

The scammers write that Covid-19 has caused the delivery of something to be postponed. They kindly attach the updated delivery information, along with new instructions. In particular, they ask if the delivery time is suitable, thus prompting the recipient to open the attached file, which at first glance looks like an invoice in PDF format.

But instead of an invoice, inside is an NSIS installer that executes a malicious script. The script then starts a standard cmd.exe process, and runs malicious code through it. That way, the code gets executed in the context of a legitimate process, bypassing standard defense mechanisms. The end goal is to spy on the user’s actions. Our e-mail security products detect this threat as Trojan-Spy.Win32.Noon.gen.

Rush order

The scammers claim that due to the coronavirus outbreak, their Chinese suppliers cannot meet their obligations. It sounds convincing enough under current circumstances. To avoid disappointing their customers, they are supposedly looking to place an urgent order for some goods (unspecified in the letter) from the company where the recipient works. What business can resist such a sudden opportunity?

Surprise, surprise: the attached file contains no such order, but Backdoor.MSIL.NanoBot.baxo. When launched, it executes malicious code inside the legitimate RegAsm.exe process (again in an attempt to circumvent defense mechanisms). This results in the attackers gaining remote access to the victim’s computer.

Another rush order

This is a variation on the above. Again, the scammer mentions that a fictitious Chinese supplier is having delivery problems, and inquires about pricing and delivery terms for goods listed in an attached DOC file.

A DOC file is used for a specific reason. Inside is an exploit targeting the CVE-2017-11882 vulnerability in Microsoft Word (our solutions detect it as Exploit.MSOffice.Generic). When opened, it downloads and runs Backdoor.MSIL.Androm.gen. The objective, like all backdoors, is to gain remote access to the infected system.

No time to lose!

This scheme is aimed at companies that are experiencing workflow disruptions due to the coronavirus pandemic (quite a large group and growing). The scammers press the recipient into acting, while expressing hope that the company can resume work after the coronavirus disruption.

Instead of an order, the attachment contains Trojan.Win32.Vebzenpak.ern. When launched, it executes malicious code inside the legitimate RegAsm.exe process. The goal is again to provide the attackers with remote access to the compromised machine.

How to guard against malicious e-mail attachments

To prevent cybercriminals from slipping you a Trojan or backdoor in the form of an attachment, follow these tips:

  • Carefully examine the extensions of attached files. If it’s an executable, the chances of it being unsafe are close to 100%.
  • Check if the sender company actually exists. These days, even the tiniest firms have an online footprint (for example, social media accounts). If you find nothing, do nothing; either way, it’s probably not worth doing business with such a company.
  • Check if the details in the sender field and the automatic signature match. Strangely enough, scammers often overlook this detail.
  • Remember that cybercriminals can pinch information about their “company” from open sources. So if you have doubts even though the e-mail seems to contain bona fide information, reach out to the company for confirmation that they sent the message.
  • Most importantly, make sure that your company uses a reliable security solution both at workstations and at the mail server level. And make sure that it is regularly updated and uses up-to-date databases. If not, it can be difficult to determine whether an e-mail attachment is harmful, especially in respect of Office documents.
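Two of the tips above (watch the attachment extension, and check that the sender field and the signature agree) can be automated at the mail gateway or in a triage script. The Python below is an added example written for this digest, not code from the article or from the vendor whose detections it cites. Using only the standard library, it parses one raw message, flags attachments whose real extension is executable (including “invoice.pdf.exe”-style double extensions), and flags a Reply-To or signature e-mail address whose domain differs from the From domain. The sample message is constructed in the style of the “delayed delivery” lure; the domains, names and base64 stub in it are invented placeholders, not indicators from the article.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# File types that run directly when opened on Windows. A delivery notice or
# order should never arrive as one of these, whatever the icon suggests.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "ps1", "msi", "hta", "cpl", "jar", "lnk",
}
# Extensions commonly used as the fake "document" half of a double extension.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample in the style the article describes (placeholder domains).
SAMPLE_EML = """From: "Acme Logistics" <dispatch@acme-logistics.example>
Reply-To: orders@acme-deliveries-update.example
To: purchasing@victim.example
Subject: Updated delivery schedule (Covid-19 delays)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer, due to the Covid-19 outbreak your delivery has been postponed.
Please confirm the new delivery time in the attached invoice.

Best regards,
John Smith
Acme Logistics Ltd
john.smith@acme-logistics-ltd.example
--b1
Content-Type: application/octet-stream; name="Invoice_20200327.pdf.exe"
Content-Disposition: attachment; filename="Invoice_20200327.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def attachment_findings(msg):
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            if len(pieces) > 2 and pieces[-2] in DOCUMENT_EXTENSIONS:
                findings.append(f"double extension disguises executable as document: {name}")
    return findings


def header_findings(msg):
    """Reply-To pointing at a different domain than From is a classic tell."""
    from_domain, reply_domain = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        return [f"Reply-To domain {reply_domain} differs from From domain {from_domain}"]
    return []


def signature_findings(msg):
    """Every address written in the body (the signature) should share the From domain."""
    from_domain = domain_of(msg.get("From"))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    findings = []
    for addr in sorted(set(EMAIL_RE.findall(body))):
        if addr.rpartition("@")[2].lower() != from_domain:
            findings.append(f"signature address {addr} does not match From domain {from_domain}")
    return findings


def analyze(raw_message):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return attachment_findings(msg) + header_findings(msg) + signature_findings(msg)


if __name__ == "__main__":
    for flag in analyze(SAMPLE_EML):
        print("FLAG:", flag)
```

Run it against an `.eml` file read from disk and quarantine or escalate anything that produces a flag; the checks are deliberately simple, so they complement rather than replace the gateway scanner the last tip recommends, and a clean result says nothing about a benign-looking Office document carrying an exploit.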
