Cryptocurrency Exchange Scams, the Fall of a Phishing Giant, and Other Cybersecurity Events

We have compiled the most significant cybersecurity news of the week.

  • Google’s recommendations featured an ad for a cryptocurrency-stealing “exchange”.
  • Europol announced the takedown of the prominent phishing service LabHost.
  • BreachForums has once again suspended operations due to a cyberattack.
  • Hackers breached OpenMetadata, asking for Monero.

Google’s Recommendations Featured an Ad for a Cryptocurrency-Stealing “Exchange”

Attackers created a phishing copy of Whales Market, a legitimate decentralized OTC platform for cryptocurrency trading, and promoted it in Google’s search results. Bleeping Computer reported on the campaign.

The search engine ad is marked as “sponsored,” making it more noticeable.

Hovering over the link displays the correct URL https://whales[.]market, but clicking it redirects the user through several sites to https://app.whaless[.]market/ with an extra “s” in the name.

Phishing site Whales Market. Source: Bleeping Computer.

Visually, the phishing version fully replicates the legitimate platform, but any data entered or assets sent through it fall into the hands of the attackers.
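The check below is an added example, not code from the article or from Bleeping Computer: it compares the domain shown in an ad with each hop of a recorded redirect chain and flags near-miss spellings such as the extra “s” described above. The intermediate hop `redirector[.]example`, the function names and the distance threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def refang(url):
    """Undo the '[.]' defanging used in threat reports."""
    return url.replace("[.]", ".")

def site_domain(url):
    """Last two host labels (simplification: a real check would use the Public Suffix List)."""
    host = urlsplit(refang(url)).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_chain(displayed_url, chain, max_dist=2):
    """Label each hop as match, lookalike (small edit distance) or unrelated."""
    expected = site_domain(displayed_url)
    results = []
    for url in chain:
        dom = site_domain(url)
        if dom == expected:
            verdict = "match"
        elif edit_distance(dom, expected) <= max_dist:
            verdict = "lookalike"
        else:
            verdict = "unrelated"
        results.append((dom, verdict))
    return results

def final_hop_is_suspicious(displayed_url, chain):
    """True when the landing page is not on the domain the ad displayed."""
    return classify_chain(displayed_url, chain)[-1][1] != "match"

# Constructed sample: the displayed and landing URLs are the ones quoted in the
# article; the intermediate hop is a made-up placeholder.
DISPLAYED = "https://whales[.]market"
CHAIN = ["https://redirector[.]example/r?id=1", "https://app.whaless[.]market/"]

if __name__ == "__main__":
    for dom, verdict in classify_chain(DISPLAYED, CHAIN):
        print(f"{dom:22} {verdict}")
```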

Google has not commented on the situation.

Europol Announced the Takedown of the Prominent Phishing Service LabHost

Law enforcement from 19 countries dismantled the infrastructure of the PhaaS platform LabHost. As part of the operation, 37 individuals were arrested, including the service’s developer.

LabHost supported over 170 online phishing services and hosted more than 40,000 malicious domains. The number of registered users exceeded 10,000.

Subscriptions to the service started at $179 per month.

Since 2021, cybercriminals have used the tools offered to attack banks and other companies in the US. During its operation, the LabHost team earned £1 million ($1.17 million) and stole data from at least 480,000 credit cards, 64,000 PINs, and 1 million passwords for various online accounts.

The platform’s unique feature was the ability to interact with victims in real-time, specifically requesting 2FA/MFA codes to bypass account protection.

Police have notified LabHost users of impending investigations against them.

BreachForums Suspends Operations Again Due to Cyberattack

The server infrastructure of the hacker forum BreachForums was attacked by the groups R00TK1T and Cyber Army of Russia.

In a public statement, they promised to leak the data of all forum participants, including IPs, emails, and other confidential information.

Screenshot of hackers’ message. Source: Telegram.

The administrator of BreachForums, known as Baphomet, confirmed that the domain had been blocked and opened an investigation into the incident, without guaranteeing the safety of user data.

The previous breach of the forum occurred last summer.

US law enforcement shut down BreachForums in March 2023. Its creator and administrator, Conor Brian Fitzpatrick (Pompompurin), was sentenced to 20 years of supervised release. At the end of June, the FBI gained control over the forum’s backup domain on the clear web.

Hackers Breached OpenMetadata, Asking for Monero

Microsoft experts discovered five vulnerabilities in the OpenMetadata platform, through which unknown cybercriminals attempt to access Kubernetes clusters to install cryptominers.

During the reconnaissance phase, the attackers gather information about network and hardware configurations, OS versions, and active users. Upon confirming access, they download a cryptominer from a remote server in China.

Malware related to cryptocurrency mining on the attackers’ server. Source: Microsoft.

The hackers justify their actions by citing the high cost of housing in China and their desire to buy a car. They also offer to clean the system in exchange for Monero sent to their wallet.

Message from the attackers. Source: Microsoft.

The attacks have been ongoing since early April. Microsoft recommends users check OpenMetadata clusters for suspicious activity and update them to the latest version.

Scheme to Steal Telegram Accounts via Image Sites Discovered

Attackers created a network of over 300 image sites to steal Telegram accounts. Experts from Solar AURA reported this to ForkLog.

Each resource is dedicated to a specific theme: Korean dramas, memes, pizza, or pornographic images. Users can access these sites through search results. In such cases, they are redirected to a phishing page mimicking a Telegram channel, often named “You’ll Like It.”

Screenshot of a phishing site. Source: Solar AURA.

When attempting to join the community, the victim is taken to a page with a QR code or a login form for Telegram. Through this, attackers gain access to the account.

The malicious campaign began in December 2023. At the time of writing, all phishing resources identified by experts have been blocked.

Telegram, Signal, and WhatsApp Removed from China’s App Store

Apple has agreed to remove several apps, including the messengers WhatsApp, Telegram, Signal, Line, and Threads, from the App Store at the request of Chinese authorities. This was reported by The Wall Street Journal.

According to the publication’s sources, the reason was political content, including “questionable” mentions of the Chinese leader. However, an Apple representative denied this information.

“We are obliged to comply with the laws of the countries in which we operate, even if we disagree with them,” the company added.

Also on ForkLog:

  • The FBI estimated the damage from the Akira ransomware at $42 million.
  • 72 people linked to the JPEX bitcoin exchange were arrested in Hong Kong.
  • A jury found a participant in the Mango Markets attack guilty.
  • The X account of the Spider-Man actor was hacked to promote a crypto scam.
  • Durov discussed his bitcoins, Telegram’s IPO, and possible government surveillance.
  • A Nebraska resident was accused of cryptojacking worth $1 million.
  • Elon Musk proposed implementing fees on X to combat bots.
  • Trust Wallet developers warned of an iOS vulnerability.
  • Buterin commented on the use of the Railgun mixer.
  • The IRS predicted an increase in cryptocurrency-related crimes.
  • The Solana team released an update to address network congestion.
  • A researcher warned about the scam protocol Leaper Finance.

What to Read Over the Weekend?

Exploring whether truth has a chance of survival in the era of artificial intelligence.
