
Cybersecurity Highlights: MetaMask Complaint Exposes Scammers, 90s Identity Thief Arrested, and More
We have compiled the most significant cybersecurity news of the week.
- Cryptocurrency thieves exposed themselves through a complaint against MetaMask.
- A US resident impersonated another person for 33 years.
- A supply chain attack on XZ Utils affected popular Linux builds.
- 250 Indian citizens were freed from cyber slavery.
Cryptocurrency Thieves Exposed by MetaMask Complaint
Operators of phishing sites mimicking the self-destructing message service privnote.com inadvertently revealed the extent of their cybercriminal activities involving cryptocurrency wallet spoofing. This was reported by journalist Brian Krebs.
In March, they complained to MetaMask developers about their site privnote[.]co being allegedly wrongfully marked as malicious, despite evidence provided by the Ethereum wallet’s security team.
During interactions with the MetaMask support team, the perpetrators revealed several other domains they used for spoofing Privnote.
Their analysis led cybersecurity researchers to two individuals — Andrey Sokol from Moscow and Alexander Ermakov from Kyiv. These are likely pseudonyms.
Since 2020, they have registered numerous phishing sites, including those impersonating MetaMask and stealing user credentials from various darknet marketplaces.
One such platform alone brought the perpetrators around $18,000 in cryptocurrencies from March 15 to 19, 2024.
US Resident Impersonated Another Person for 33 Years
System administrator Matthew Keirans from Iowa had been living under the name of his acquaintance, William Woods, since 1990. This was reported by The Register.
Keirans forged documents, including a Kentucky birth certificate, social security number, and an I-9 form, which he used to join the IT team at the University of Iowa hospital in 2013. Under his new identity, he opened a bank account in Colorado and repeatedly took out loans.
In 2019, the real Woods, who was homeless at the time, discovered a $130,000 loan taken out in his name. However, when he went to the bank, he could not answer the security questions to access the account.
Woods provided a genuine social security card and a California state ID, but he was ultimately accused of identity theft himself. Under the name “Matthew Keirans,” the man spent nearly a year and a half in prison and six months in a psychiatric facility.
In 2023, the real Woods located the hospital where the perpetrator worked. The hospital administration hired a private investigator, and a DNA test confirmed the truth.
Matthew Keirans pleaded guilty. He faces up to 32 years in prison and a $1.25 million fine.
Supply Chain Attack on XZ Utils Affects Popular Linux Builds
Unknown perpetrators inserted a serious backdoor into the popular XZ Utils toolset as part of a two-year supply chain attack. On March 29, 2024, the issue was discovered by accident by Andres Freund, a PostgreSQL developer at Microsoft, who noticed his computer freezing unusually.
The XZ Utils library is used for lossless data compression and working with the .xz format. The malicious code made its way into popular Linux builds, although mostly in their beta versions.
The presence of the backdoor has been confirmed by developers of Fedora, Debian, openSUSE, Kali Linux, Gentoo, and Arch Linux distributions. The Homebrew package manager and the embedded OS OpenWrt were also affected.
GitHub banned the accounts of suspects and closed access to malicious repositories.
Users are advised to roll back the XZ Utils version to 5.4.6 or 5.4.2. Additionally, Binarly has released a public scanner to detect the implant in any Linux binary file.
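The rollback advice above can be turned into a quick self-check. The script below is an added example, not from the ForkLog digest, Binarly, or the XZ project: it parses the first line of `xz --version` (which has the form `xz (XZ Utils) 5.4.6`) and reports whether the installed version is one of the two versions the digest names as rollback targets. Anything else is simply flagged for review; the script makes no claim about which other versions are affected.

```shell
#!/bin/sh
# Added example (not from the digest): does the installed xz match one of the
# versions the digest advises rolling back to? Assumes `xz --version` prints
# "xz (XZ Utils) <version>" on its first line.

# Rollback targets named in the digest.
SAFE_VERSIONS="5.4.6 5.4.2"

# Extract the dotted version number from an `xz --version` banner line.
# xz_version_from_banner "xz (XZ Utils) 5.4.6"  -> prints 5.4.6
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version is one of SAFE_VERSIONS, 1 otherwise.
xz_version_is_advised() {
    _v=$1
    for _s in $SAFE_VERSIONS; do
        [ "$_v" = "$_s" ] && return 0
    done
    return 1
}

# Check the live system. Exit codes: 0 advised version, 1 other version,
# 2 xz missing or banner not understood.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 2; }
    _banner=$(xz --version 2>/dev/null | head -n 1)
    _ver=$(xz_version_from_banner "$_banner")
    if [ -z "$_ver" ]; then
        echo "could not parse version from: $_banner"
        return 2
    fi
    if xz_version_is_advised "$_ver"; then
        echo "xz $_ver: matches an advised rollback version"
        return 0
    fi
    echo "xz $_ver: not one of the advised versions ($SAFE_VERSIONS); review this host"
    return 1
}
```

Run `check_installed_xz` on a host after sourcing the file; the exit code makes it usable from fleet-wide inventory scripts. Because the binary in question is the thing being checked, a stricter deployment would compare package manager metadata or file hashes rather than trusting the banner printed by `xz` itself.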
250 Indian Citizens Freed from Cyber Slavery
Indian authorities are investigating a series of kidnappings of their citizens in Cambodia, where they were forced to work for cybercriminals. This was reported by local media.
Indians were forced into online scams, posing as law enforcement officers or engaging in romantic correspondence to extort money from compatriots.
The scheme came to light when a high-ranking Indian official became a victim. Police have already freed 250 people from slavery and arrested eight suspected members of the criminal syndicate.
However, at least 5,000 Indian citizens are still being held illegally in Cambodia. Preliminary estimates suggest that the large-scale scam operation has brought organizers around $60 million over the past six months.
Manual Review of Crypto Wallets to Be Introduced in Snap Store
The Snap Store, an application store for the Ubuntu operating system, has been plagued by hackers uploading fake cryptocurrency wallets to its platform for several months. One user who downloaded a counterfeit Exodus Wallet in February lost 9 BTC (approximately $490,000 at the time).
Following a series of complaints, Snap Store owner Canonical announced plans to manually review applications uploaded to the store and create a separate policy for publishing crypto wallets on the platform.
Fraudulent AI Service Ads Surge on Facebook
Perpetrators are hacking Facebook accounts to promote malicious versions of popular AI services, including Midjourney, Sora, GPT-5, and DALL-E. This was noted by experts at Bitdefender.
The ads offer “limited access to new features,” but in reality, they download info-stealers onto users’ computers.
Hackers are interested in saved browser credentials, cookies, cryptocurrency wallet information, and credit card details. These details are later resold on the darknet.
Russian Court to Hear Case of Group Accused of Stealing 160,000 Credit Cards
The Russian Prosecutor General’s Office charged six individuals with illegal payment instrument trafficking and malware distribution.
The agency claims that since 2017, the defendants, as part of a hacker group, stole data from over 160,000 credit cards and other payment information from foreign online stores, which they then sold on darknet marketplaces.
The case has been sent to court.
Lazy Koala Targets Russian and Belarusian State and Financial Firms
Experts at Positive Technologies discovered a series of attacks on enterprises in several CIS countries, attributed to a new cyber group called Lazy Koala.
Their victims include state and financial companies, as well as medical and educational institutions in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. At least 867 accounts have already been compromised.
The stolen information may be used by hackers for further attacks on company structures or sold on the darknet.
Victims have been notified of the incident.
Also on ForkLog:
- The StarkNet team confirmed a blockchain failure.
- Google sued distributors of fraudulent Bitcoin apps.
- The Wormhole airdrop attracted scammers. The W token fell by 20%.
- URF meme token developers executed a rug pull of 2400 SOL.
- FixedFloat lost $2.8 million in a repeat hack.
- $25 million in stSOL is stuck in a “broken” Lido smart contract.
- Users of the Telegram bots BONKbot and Solareum lost $520,000 due to hacks.
- PeckShield: of the $187 million stolen in March, crypto projects have returned nearly $99 million.
- A hacker called the $11 million Prisma hack “white.” However, the funds have not yet been returned.
Weekend Reading Suggestions
We explain why KYC does not guarantee service security.