NFTs Worth Over $27,000 Stolen Via Malware Wrapped in Google Ads, Victim Loses Life Savings

NFTs worth nearly $30,000 (roughly Rs. 24 lakh) have reportedly been stolen from an NFT influencer who goes by the pseudonym ‘NFT God’ on Twitter. The influencer has claimed that his wallet full of digital collectibles was drained in a hack. The NFTs, worth nearly $30,000 (roughly Rs. 24 lakh), were drained from his wallet after he clicked a sponsored advertisement on Google’s search engine that mimicked the open-source video streaming software he had been searching for in the first place.

Along with the costliest item, a Mutant Ape Yacht Club (MAYC) NFT, a number of other NFTs, together amounting to ETH 19 (over Rs. 24 lakh), have been reported stolen, as per Etherscan.

The verified Twitter account of ‘NFT God’, which has over 91,000 followers, mostly from the crypto community, posted about the incident, warning others against being scammed.

“My Twitter was hacked. I pop open the OpenSea bookmark of my ape and there it is. A completely different wallet listed as the owner. I knew at that moment it was all gone. Everything. All my crypto and NFTs ripped from me,” the influencer tweeted.

The hack took place on January 15, according to the influencer.

Last week, cybersecurity firm Cyble warned of malware that was hunting for phishing victims via Google ads, which the company dubbed “Rhadamanthys Stealer”.

“Rhadamanthys stealer spreads by using Google Ads that redirect the user to phishing websites that mimic popular software such as Zoom, AnyDesk etc. It can also spread via spam email containing an attachment for delivering the malicious payload. The TAs behind this campaign also created a highly convincing phishing webpage impersonating legitimate websites to trick users into downloading the stealer malware. The link to these phishing websites spreads through Google ads,” Cyble said in its report. Google is yet to issue a statement on the NFT influencer’s claims.

While sharing details of his ordeal with his followers on Twitter, the victim claimed that he made an error while setting up his Ledger on his new computer, which may have given the hacker access to his social networking accounts and digital wallets.

“I go to set up my Ledger with it and I make a critical mistake. I set it up as a hot wallet instead of a cold wallet,” he noted.

Hot wallets are connected to the Internet, making them more susceptible to hacking attempts, whereas cold wallets store crypto tokens offline; their drawback is that they can be lost or damaged by their holders.

As per a CoinTelegraph report, most of the stolen ETH was sent to a decentralised exchange called FixedFloat via multiple wallets.

This is not the first instance where Google ads have been used in conjunction with phishing malware. In October 2022, Binance CEO Changpeng Zhao had also warned crypto investors against malicious actors targeting them via Google.

In September, Google Play Store analytics had revealed that two apps, Mister Phone Cleaner and Kylhavy Mobile Security, were infected with malware called SharkBot, which was capable of stealing cookies from accounts and bypassing authentication methods that require user input, such as fingerprints.





Check out our Latest News and Follow us at Facebook

Original Source

Self-Spreading Malware Attacking Gamers, Stealing Credentials via YouTube: Kaspersky

A self-spreading malware is said to be attacking gamers via YouTube videos. As per a report by Kaspersky, this is the work of an unusual malicious bundle, which packages several malicious programs into a single installation file, self-extracting archive or other file with installer-type functionality. Its main payload is the widespread RedLine stealer, one of the most common Trojans used to steal passwords and credentials from browsers. The report also says that the bundle is available on underground hacker forums for a small price tag.

According to the Kaspersky report, the malicious bundle costs merely a few hundred dollars, which is a small price tag for malware. The RedLine stealer can steal usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, as well as data from crypto wallets, instant messengers, and FTP/SSH/VPN clients. In addition, RedLine can download and run third-party programs, execute commands, and open links in the default browser.

Alongside the stealer, there are other files in the bundle that facilitate self-propagation of the malware. In the process, YouTube channels are hacked and videos carrying the malware are posted. “These videos advertise cheats and cracks and provide instructions on hacking popular games and software,” the report said.

The games for which cheats and cracks are mentioned in the videos include APB Reloaded, CrossFire, DayZ, Dying Light 2, F1 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat, and Walken. The report cited Google as saying that the hacked channels were quickly terminated for violation of the company’s Community Guidelines.

Once opened, the malicious bundle unpacks and runs three executable files. The first is the RedLine stealer, and the second is a miner. The report says that the main target audience is gamers, who are likely to have video cards installed in their systems; these cards can be used for mining. The third executable file ensures automatic startup and runs the first of the batch files. These batch files run three other malicious files, which are responsible for the bundle’s self-distribution.




Emotet Botnet Found Infecting Google Chrome to Steal Credit Card Information: All Details

The Emotet botnet, used by criminals to distribute malware around the world, has begun attempting to steal credit card information from unsuspecting users, according to security researchers. The malware targets the popular Google Chrome browser, then sends the exfiltrated information to command-and-control servers. The resurgence of the Emotet botnet comes over a year after Europol and international law enforcement agencies shut down the botnet’s infrastructure in January 2021 and used the botnet to deliver software that removed the malware from infected computers.

Cybersecurity platform Proofpoint spotted a new Emotet module being dropped on June 6, in the form of a credit card stealer. The module only targets Google Chrome, one of the most widely used browsers across platforms. While the module was dropped from one server, the credit card information it collects from Chrome, including card numbers and expiration dates, is uploaded to a different command-and-control (C2) server, according to the researchers.

Emotet was initially created as a banking trojan in 2014, but later evolved into the TA542 threat group, also known as Mummy Spider, which was used to deliver malware to steal data, spy on and attack other devices on the same network. It was used to drop other notorious malware onto victims’ computers. In 2020, Check Point Research had flagged the use of the botnet to infect Japanese users with a coronavirus-themed email campaign. In January 2021, a six-nation enforcement team shut down the prolific network and disabled its infrastructure.

However, cybersecurity platform Deep Instinct states that new variants of the Emotet botnet emerged in the fourth quarter of 2021, with massive phishing campaigns against Japanese businesses in February and March 2022, expanding to new regions in April and May. The Emotet botnet was also allegedly helped by another notorious group, the one that created the Trickbot malware.

According to Deep Instinct, Emotet detections increased more than 2,700 percent in Q1 2022 compared to Q4 2021. Forty-five percent of the malware was delivered via a Microsoft Office attachment. Meanwhile, Emotet has begun using Windows PowerShell scripts, and almost 20 percent of the malware was taking advantage of a 2017 Microsoft Office security flaw.

ESET researchers, for their part, explained that Emotet botnet activity had grown nearly a hundred-fold compared to 2021, with the biggest campaign detected on March 16, targeting Japan, Italy and Mexico. Microsoft disabled macros in its Office software in April as a security measure, prompting the botnet to switch to malicious LNK files (Windows shortcuts) and to distribute malware via Discord.

To lower the chances of being infected by the Emotet botnet, users must make sure their operating system and programs are always up to date, and keep regular backups of important information stored separately. The malware primarily spreads through malicious email campaigns, so users should avoid opening or clicking on links and downloading attachments from unknown senders.





EU, US, Australia Police Crack Down FluBot Mobile Scam Responsible for Hacking Several Android Phones

Police in 11 countries have taken down a mobile phone scam dubbed FluBot that spread around the world via fake text messages, Dutch and EU police said on Wednesday.

Dutch cybercops led an operation in May targeting the malware, which infects Android phones using texts which pretend to be from a parcel firm or which say a person has a voicemail waiting.

Hackers would then steal bank details from infected phones, which automatically sent messages to other mobiles in the user’s contact list, passing on the scam like a flu virus.

“To date, we have disconnected ten thousand victims from the FluBot network and prevented over 6.5 million spam text messages,” Dutch police said in a statement.

The EU’s police agency Europol said FluBot was among “the fastest-spreading mobile malware to date” and was “able to spread like wildfire due to its ability to access an infected smartphone’s contacts.”

Police had made the malware “inactive” but are still hunting the culprits, it said.

“This FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral,” Europol said.

The countries involved in carrying out the investigation were Australia, the United States, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, and the Netherlands, coordinated by Europol’s cybercrime centre.

FluBot became one of the world’s most notorious cyberscams after it first emerged in December 2020, “wreaking havoc” around the world, Europol said.

The agency said the bug had compromised a “huge number of devices worldwide”, especially in Europe and the US, with “major incidents” in Spain and Finland.

Australian media said last year that FluBot was spreading “like a tsunami” with some users being bombarded by texts.

‘Very dangerous’

Details of how police took down the scam remain sketchy, with officials saying they do not want criminals to know how they busted it.

Dutch police said a cybercrime team in the eastern Netherlands had taken down FluBot by “intervening and disrupting the criminal process”, without giving more details.

Europol said the takedown did not involve removing any physical infrastructure such as servers but also refused to say more.

“The Dutch police found another way to disrupt the criminal activity,” a Europol spokeswoman told AFP.

But FluBot’s method was simple, according to Europol and the Dutch police.

It would arrive “mainly via a fake SMS on behalf of a well-known parcel delivery service” or saying the user had a voicemail to listen to.

They would then be asked to click on a link to download an app from the parcel service to track a package, or to listen to the voicemail.

But in fact the download would install the FluBot malware on their phones. The fake app would then ask permission to access various other applications.

Hackers could then see their victims entering passwords for banking, credit card or cryptocurrency apps and steal from them, Europol said.

What made it “very dangerous” was its ability to access a phone’s contact list and then send fake texts to other phones.

“Victims often do not know that they have installed the malware. The further spread of the malware also happens without the user of a mobile phone noticing,” Dutch police said.

The scam only targeted phones with Google’s Android operating system. Apple’s iOS system was not affected.



SpiceJet Says Q4 2021 Earnings Delayed Due to Ransomware Attack on IT Systems

No-frills airline SpiceJet on Friday said the announcement of its audited standalone and consolidated financial results for the quarter and financial year ended March 31 would be delayed due to a ransomware attack on its IT systems. In a regulatory filing, SpiceJet said it had postponed to a later date its board meeting of May 30, which was to consider and approve the company’s March quarter and FY 22 results.

“We wish to inform you that we are expecting a delay in submission of audited standalone and consolidated financial results of the Company for the financial year ended March 31, 2022 with stock exchange… due to ransomware attack on our IT systems which has affected the completion of the audit process within the stipulated time,” the filing added.

The company is taking corrective measures with the assistance of cyber experts and authorities, it said.

“Accordingly, the board meeting of the company scheduled to be held on May 30, is being postponed and the revised date of the board meeting… will be communicated shortly,” SpiceJet said.

Several SpiceJet flights were delayed on Tuesday due to a ransomware attack on its system.

“Certain SpiceJet systems faced an attempted ransomware attack last night that has impacted our flight operations. While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays,” a SpiceJet spokesperson had said in a statement on May 25.

The airline in the statement also informed that it was in touch with experts and cybercrime authorities on the issue.



SpiceJet Faces Ransomware Attack, Passengers Left Stranded on Airport Due to Delayed Morning Departures

Hundreds of SpiceJet passengers were stranded at various airports due to a ransomware attack that impacted morning flight departures on Wednesday.

Confirming the development, a SpiceJet spokesperson said that a ransomware attack on Tuesday night had slowed down the departure of flights on Wednesday morning.

“Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation and flights are operating normally now,” SpiceJet tweeted after receiving numerous queries over the delayed departures.

Meanwhile, as passengers stuck at airports raised concerns over the delay, ground staff told them that ‘the server was down’. One passenger, Renu Tilwani, tweeted that a flight to Bangalore scheduled to depart at 9.30 am was now shown as departing at 1.30 pm. However, officials were not providing details of the technical glitch, stating that they were unable to track the development.

Passengers are questioning SpiceJet on Twitter over its claims that normal operations have resumed.

Back in 2020, SpiceJet was reportedly affected by a security flaw that exposed private details of more than 1.2 million passengers, including flight information. The information was said to have been found in an unencrypted database file after a security researcher gained access to a SpiceJet system by brute forcing the password.

As reported by TechCrunch, the system was accessed by a security researcher whom the publication is not naming, as they likely violated US computer hacking laws. The report claims the researcher gained access to one of SpiceJet’s systems by brute-forcing what it termed an “easily-guessable password.” The system contained an unencrypted backup file with private details of over 1.2 million passengers, as of last month, including a rolling month’s worth of details such as name, phone number, email address, date of birth, and flight information.



