AI Detects Scams, YouTube Faces Challenges in Russia, and Other Cybersecurity Events

We have compiled the most significant cybersecurity news of the week.

  • Google to integrate AI for fraud prevention in Chrome.
  • Major cyberattack cripples Ukraine’s state registries.
  • Russia tightens YouTube restrictions.
  • Crypto investors targeted by malicious Microsoft VSCode extensions.

Google to Integrate AI for Fraud Prevention in Chrome

Google is testing an AI-based fraud protection feature in the Chrome Canary browser. This was noted by user Leopeva64.

The new flag analyzes web pages for potential scams. It is expected to become part of Chrome’s enhanced protection, warning users in real-time about visiting dangerous sites or downloading malicious software.

Google is still testing AI-based security and privacy features.

Major Cyberattack Cripples Ukraine’s State Registries

Ukraine’s Justice Minister Olga Stefanishina reported the largest targeted attack by Russian hackers on state registries. On December 19, the ministry reported a “massive failure at the network infrastructure level.”

Affected systems include:

  • Unified State Register of Legal Entities and Individual Entrepreneurs;
  • Real Estate Rights Register;
  • Civil Status Acts Register.

As a result of the cyberattack, the Ministry of Justice’s website and some services of the “Diia” platform are down.

Recovery efforts will take about two weeks. The ministry will thoroughly analyze the incident to prevent similar intrusions in the future.

Russia Tightens YouTube Restrictions

On December 18 and 19, Russian users reported increased YouTube restrictions affecting home internet providers and mobile operators. This is evidenced by data from «Сбой.рф» and Downdetector.

According to Google’s internal statistics, YouTube traffic in Russia on December 18 was 20% lower than on December 17. Compared to July 24, the date when the large-scale slowdown of YouTube in the country began, the decline is nearly 70%.

YouTube traffic from July 23 to December 20, 2024. Data: Google Transparency Report.

A Google representative told RBC that the company is aware of the situation, but it “is not the result of any technical issues or actions on their part.”

Roskomnadzor explained the service slowdown as a result of Google ceasing support for its equipment in Russia. In a conversation with TASS, the agency clarified that it reserves the right to use certain “tools to motivate the company” to comply with local laws.

According to a report from the Ministry of Digital Development, half of YouTube’s traffic has “already moved to Russian video hosting platforms.” Experts suggest this may be preparing the public for a complete service block.

Crypto Investors Targeted by Malicious Microsoft VSCode Extensions

Researchers at ReversingLabs discovered 18 malicious Visual Studio Code extensions on the VSCode marketplace that download disguised PowerShell payloads in attacks on developers and cryptocurrency projects.

Among the malicious packages:

  • EVM.Blockchain-Toolkit;
  • VoiceMod.VoiceMod;
  • ZoomVideoCommunications.Zoom;
  • ZoomINC.Zoom-Workplace;
  • Ethereum.SoliditySupport;
  • ZoomWorkspace.Zoom;
  • ethereumorg.Solidity-Language-for-Ethereum;
  • VitalikButerin.Solidity-Ethereum;
  • SolidityFoundation.Solidity-Ethereum;
  • EthereumFoundation.Solidity-Language-for-Ethereum;
  • SOLIDITY.Solidity-Language;
  • GavinWood.SolidityLang;
  • EthereumFoundation.Solidity-for-Ethereum-Language.

To make the extensions look legitimate to users, the attackers add fake reviews and inflate installation counts.

Experts have not fully explored the functionality of the second-stage payload. To minimize risk, they published a list of indicators of compromise.
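For developers who want to check a workstation against the extension names listed above, here is an added example (not from ReversingLabs or the original article). It matches only the IDs named in this article, not the researchers' full indicator list; the default `~/.vscode/extensions` location and the sample entries are assumptions.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional

# Extension IDs (publisher.name) named in the article; compared case-insensitively.
FLAGGED_IDS = {s.lower() for s in (
    "EVM.Blockchain-Toolkit", "VoiceMod.VoiceMod", "ZoomVideoCommunications.Zoom",
    "ZoomINC.Zoom-Workplace", "Ethereum.SoliditySupport", "ZoomWorkspace.Zoom",
    "ethereumorg.Solidity-Language-for-Ethereum", "VitalikButerin.Solidity-Ethereum",
    "SolidityFoundation.Solidity-Ethereum",
    "EthereumFoundation.Solidity-Language-for-Ethereum",
    "SOLIDITY.Solidity-Language", "GavinWood.SolidityLang",
    "EthereumFoundation.Solidity-for-Ethereum-Language",
)}

# Installed folders look like "publisher.name-1.2.3" or "publisher.name-1.2.3-linux-x64".
_FOLDER_RE = re.compile(r"^(?P<id>[^.]+\.[\w-]+?)-\d+\.\d+\.\d+(?:-.*)?$")

def extension_id(entry: str) -> Optional[str]:
    """Lowercase publisher.name from a folder name or a `code --list-extensions` line."""
    entry = entry.strip()
    if not entry or entry.startswith("."):      # blanks and files such as .obsolete
        return None
    m = _FOLDER_RE.match(entry)
    # `code --list-extensions --show-versions` prints "publisher.name@1.2.3".
    ident = m.group("id") if m else entry.split("@", 1)[0]
    return ident.lower() if "." in ident else None

def find_flagged(entries: Iterable[str]) -> List[str]:
    """Return the entries whose extension ID is on the article's list."""
    return [e.strip() for e in entries if extension_id(e) in FLAGGED_IDS]

def scan_profile(ext_dir: Path = Path.home() / ".vscode" / "extensions") -> List[str]:
    """Scan an extensions directory (assumed default path; other builds differ)."""
    if not ext_dir.is_dir():
        return []
    return find_flagged(p.name for p in ext_dir.iterdir() if p.is_dir())

# Constructed sample entries, mixing folder names and CLI output lines.
SAMPLE = [
    "ms-python.python-2024.0.0-linux-x64",
    "ethereumorg.solidity-language-for-ethereum-1.0.0",
    "ZoomINC.Zoom-Workplace@0.0.1",
    ".obsolete",
]

if __name__ == "__main__":
    for hit in find_flagged(SAMPLE) + scan_profile():
        print("flagged extension:", hit)
```

A clean result here does not rule out compromise, since the article lists fewer names than the 18 extensions the researchers reported.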

Meanwhile, Sonatype analysts tracked malicious versions of popular npm packages @rspack/core, @rspack/cli, and Vant, which install cryptocurrency miners for Monero on victims’ computers.

US Charges Russian with Developing LockBit Ransomware

The US Department of Justice charged 51-year-old Russian and Israeli citizen Rostislav Panev, considered a key developer in the LockBit ransomware gang.

According to investigators, the suspect has been behind the creation of the malware and the maintenance of its infrastructure since 2019. Panev received around $10,000 in cryptocurrency monthly from LockBit’s main administrator Dmitry Khoroshev. In total, from June 2022 to February 2024, over $230,000 in illicit funds were transferred to his wallet.

Since his arrest in August, Panev has been awaiting extradition from Israel to the US. During a search, authorities found administrator credentials for a darknet repository on his computer, where the source code for several versions of the LockBit builder was stored.

Additionally, in the US, Romanian citizen Daniel Cristian Hulea received a 20-year sentence for attacks using the NetWalker ransomware.

The suspect claimed to have received ~1595 BTC (about $21.5 million at the time of ransom payment) from victims. This amount was confiscated from him. Hulea is also required to pay $14.9 million in restitution.

Ukrainian citizen Mark Sokolovsky, who hacked a victim’s computer using the rented Raccoon infostealer, will serve 60 months in a US prison. Previously, as part of a plea agreement, he agreed to pay a $23,975 fine and at least $910,844 in restitution.

Spyware Use by Serbian Authorities Against Activists Uncovered

Serbian police and intelligence services organized a surveillance campaign against journalists, environmentalists, and other activists using the NoviSpy Android malware, produced by the Israeli company Cellebrite. This was reported by human rights organization Amnesty International.

According to their information, authorities infected target devices during detentions or police interrogations. The malware allowed access to contact lists, calls, and messages, as well as remotely enabling audio and video recording on the phone.

Human rights defenders also found that UFED, another Cellebrite product, was used for initial smartphone unlocking.

Spyware developers are reviewing the report’s claims and promise to revoke Serbia’s license if unauthorized use is confirmed.

Also on ForkLog:

  • German regulator orders World to delete user data.
  • Ilya Lichtenstein admits sole responsibility for Bitfinex hack.
  • Tornado Cash co-founder demands charges be dropped.
  • North Korean hackers stole $1.34 billion in crypto assets in 2024.
  • Uzbek teenager detained for cryptocurrency exchange in Telegram.
  • 25 financial institutions support P2P restrictions in Ukraine.
  • Quantum computers will crack Bitcoin in five years — opinion.
  • Bybit to halt withdrawals for French users.
  • Ledger owners receive phishing emails about false data breach.
  • 792 suspects arrested for Bitcoin fraud in Nigeria.
  • Hackers stole another $5.4 million from LastPass breach victims.
  • Australian woman kidnapped Saudi royal for Bitcoin theft.
  • Dangerous Bitcoin wallet trojan code released publicly.
  • Uber passengers in the US lost $300,000 in cryptocurrency theft.
  • 10 million Russian AI users at risk.

Weekend Reading Suggestions

We discuss whether it’s possible to reduce the risk of USDT being blocked in a wallet.
