Crypto Scams in App Store, Mining Botnet on 1,200 Servers and Other Cybersecurity News

We’ve gathered the week’s most important cybersecurity news.

  • A popular cryptocurrency scam was found in the App Store and Google Play.
  • The HeadCrab malware infected 1,200 servers used for Monero mining.
  • Yandex reports results of data-leak investigation.
  • Analysts counted the losses from the 10 biggest Bitcoin-ransomware attacks.

Yandex reports results of data-leak investigation

The company conducted a large-scale audit of its internal repository and identified cases of serious violations of the company's policies.

Among other things, the code contained contact details of some partners, specifically phone numbers and drivers' licenses of taxi drivers.

The logic of several services was adjusted not algorithmically but with hard-coded workarounds (kludges).

In the "Yandex Lavka" service there was a manual setting that allowed the recommendation of any product to be tailored without labeling it as advertising.

Certain user groups in the "Taxi" and "Food" services received prioritized support.

Some parts of the code contained words that did not affect service operation but were offensive to people of different races and nationalities.

One of the test algorithms for improving assistant activation quality allowed the device's microphone to activate at random for several seconds even when 'Alice' was not mentioned.

Later, the company emphasized that the setting worked only in the beta version for developers and was not used to listen to users.

According to the report, most identified issues were related to attempts to manually patch the service or fix a bug.

Yandex apologised to everyone affected by the incident.

Popular cryptocurrency scam spotted in App Store and Google Play

Fraudsters using the pig-butchering scheme have begun uploading fake cryptocurrency trading apps to the Apple and Google stores, according to Sophos.

For the last two years, we’ve been tracking and reporting on #CryptoRom scams that have led to millions of dollars in victim losses. Our senior threat researcher, @jag_chandra, shares how scammers have “vastly increased their potential victim pool”: https://t.co/flUjycsqEO pic.twitter.com/AdNGNBdKtk

— Sophos (@Sophos) February 1, 2023

Fraudsters seek victims on Facebook or Tinder, using fake profiles of allegedly successful women with photos from upscale restaurants and luxury shops.

Men who strike up a conversation are told about a close relative who is supposedly a financial analyst and runs a special trading app. In reality, the app's interface only allows deposits; once money is deposited, the scammer blocks the account.

Analysts detected malicious apps named Ace Pro, MBM_BitScan and BitScan. At the time of writing, they had been removed from the stores.

According to Sophos, one of these campaigns is attributed to the Chinese group ShaZhuPan. To bypass App Store security checks, the malware operators submit an app signed with a valid certificate that connects to a benign-looking server. After the app passes review, the developers change the domain it connects to, pointing it at the malicious server.

HeadCrab malware has infected 1,200 servers for Monero mining

Researchers at Aqua Security have discovered malware that infects Redis servers and links them into a botnet for mining Monero.

🚨 Aqua Nautilus researchers have discovered a new elusive and severe threat known as HeadCrab that has compromised a large number of Redis servers.

📖 on for details of the attack and steps organizations can take to safeguard their systems. https://t.co/9pIVpyH6ZD pic.twitter.com/ucn8xqyeER

— Aqua Security (@AquaSecTeam) February 1, 2023

According to the researchers, HeadCrab has compromised at least 1,200 such servers since September 2021.

\"Криптоскам
Map of compromised Redis servers. Data: Aqua Security.

Experts report malware attacks on contactless payments

Prilex malware has learned to block contactless NFC transactions, forcing consumers to insert their bank cards into the terminal so that their card data can be stolen. This was reported by experts at Kaspersky Lab.

CONTACTLESS PAYMENT ISN’T WORKING?

The new version of #Prilex #malware, used to attack POS terminals, now can block NFC transactions.

How to stay safe? 👉 https://t.co/05E0fMkEiO pic.twitter.com/2c7xrKSSAd

— Eugene Kaspersky (@e_kaspersky) February 2, 2023

To infect PoS terminals, the criminals use social engineering. Typically they try to convince store staff that the terminal software needs to be updated, after which they send their own "technical specialist" directly to the store or arrange remote access via the AnyDesk program.

The compromised terminal then displays an error and forces the victim to insert the card into the device, from which the attacker intercepts the data.

\"Криптоскам
Fake Prilex error displayed on the PIN pad with the message \’Contactless error, insert your card\’. Data: \’Kaspersky Lab\’.

According to experts, malware operators were among the first to clone credit card transactions, even those protected by chip and PIN.

Analysts tally the losses from the 10 largest Bitcoin ransomware attacks

Since 2020, the 10 largest crypto ransomware attacks yielded more than $69.3 million in Bitcoin, Immunefi reports.

The largest payment was $40 million, made by CNA Financial, a Chicago-based insurer, to the Phoenix CryptoLocker operators — 57.7% of the total.

Also in the top 10 were JBS, CWT, Brenntag, Colonial Pipeline, Travelex, UCSF, BRB Bank, Jackson County and Maastricht University. They paid attackers between $218,000 and $11 million.

\"Криптоскам
Data: Immunefi.

All payments were made in Bitcoin using ransomware families from Russia, Eastern Europe and Iran. The most common were REvil/Sodinokibi and DarkSide.

Over 2022, 1.4 billion rows leaked from Russian company databases

Group-IB experts estimate that in 2022, 311 databases of Russian companies were published publicly. The total number of rows contained in all published leaks exceeded 1.4 billion.

\"Криптоскам
Data: Group-IB.

Victims included industrial, financial, insurance and IT companies, delivery services, mobile operators, online stores, entertainment and educational portals, restaurants, social networks, and medical institutions.

Most of the published databases are current as of 2022; most contain customer names, phone numbers, addresses and dates of birth, and in some cases passwords, passport data, order details and other sensitive information.

What to read this weekend?

ForkLog interview with Kaspersky Lab on how blockchain is changing cybersecurity.