
Hackers posing as journalists, sale of Turkish citizens’ data and other cybersecurity events

We’ve gathered the week’s most important cybersecurity news.

  • Hackers posing as journalists stole about $3 million in cryptocurrency.
  • Data of 85 million Turkish citizens offered for sale.
  • China to regulate wireless networks.
  • In Russia, plans to create an ‘internal Internet’ were announced.

Hackers posing as journalists stole about $3 million in cryptocurrency

The Pink Drainer group used phishing and social engineering to steal $2.9 million on Ethereum, Arbitrum and other networks, according to ScamSniffer.

The criminals pose as journalists from popular trade publications, including Cointelegraph and Decrypt, and offer an interview. They then send a link to a malicious site, supposedly to complete a KYC check; in reality, the site steals the victim's Discord or Twitter authentication tokens.

If the compromised account belongs to a well-known project or to a personality with a large following, the hackers use the access to promote cryptocurrency scams.

At the time of the original tweet, there were 1,932 victims, among them OpenAI CTO Mira Murati, musician Steve Aoki, and the projects Evmos, Pika Protocol, Orbiter Finance, LiFi, Flare Network, Cherry Network and Starknet.

Meanwhile, Doctor Web found a clipper trojan, Trojan.Clipper.231, in pirated Windows 10 builds distributed via an unnamed torrent tracker.

The malware replaces cryptocurrency addresses copied to the clipboard with the attackers' own wallet addresses. So far the attackers have stolen about $19,000 in digital assets.
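The substitution described above leaves a recognizable trace in clipboard activity: an address the user copied is overwritten, almost immediately, by a different address of the same kind. The following is an added example, not code from Doctor Web or from this article, of a heuristic detector run over a constructed sequence of clipboard events. The address patterns are loose classifiers only (they do not validate checksums), and the sample addresses are made up for the example and are not real wallets.

```python
import re
from dataclasses import dataclass

# Loose classifiers for common address formats. They identify the *kind* of address
# only; they do not validate checksums (base58check, bech32, EIP-55).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address kind for `text`, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class ClipEvent:
    t: float      # seconds since monitoring started
    text: str     # clipboard contents after the change

def detect_swaps(events, window=1.0):
    """Flag clipboard changes where an address is replaced by a *different* address
    of the same kind within `window` seconds.

    A clipper reacts to the user's own copy operation, so the malicious write lands
    a few milliseconds after the legitimate one. A human copying two different
    addresses within a second is rare but possible, so treat hits as alerts to
    review, not as proof.
    """
    alerts = []
    previous = None
    for event in events:
        if previous is not None:
            kind_old, kind_new = classify(previous.text), classify(event.text)
            if (
                kind_old is not None
                and kind_old == kind_new
                and previous.text.strip() != event.text.strip()
                and event.t - previous.t <= window
            ):
                alerts.append((event.t, previous.text, event.text))
        previous = event
    return alerts

# Constructed sample data: these are not real wallets.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "1Ax3aN6x2VkZpQ7Lw9yRt8sH4uJ2mKqBcD"
USER_ETH = "0x1111111111111111111111111111111111111111"
OTHER_ETH = "0x2222222222222222222222222222222222222222"

SAMPLE_EVENTS = [
    ClipEvent(10.00, USER_BTC),      # user copies their own address
    ClipEvent(10.05, ATTACKER_BTC),  # clipper overwrites it 50 ms later
    ClipEvent(30.00, "meeting at 3pm"),
    ClipEvent(40.00, USER_ETH),
    ClipEvent(50.00, OTHER_ETH),     # different address, but 10 s later: benign
    ClipEvent(60.00, USER_ETH),
    ClipEvent(60.30, USER_BTC),      # different address kind: not a swap
]

if __name__ == "__main__":
    for t, old, new in detect_swaps(SAMPLE_EVENTS):
        print(f"t={t:.2f}s possible clipper swap: {old} -> {new}")
```

On the constructed events only the 10.00 to 10.05 pair is reported. The timing window is the whole heuristic; a real monitor would feed `detect_swaps` from a clipboard hook and would also compare the pasted value against what the user originally copied before a transaction is signed.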

Data of 85 million Turkish citizens offered for sale

On the Sorgu Paneli site, unknown parties are selling access to the personal and financial data of "everyone living in Turkey," as reported by the local outlet FreeWebTurkey; the original article has since been removed.

Some of the leaked data is offered for free in exchange for registering as a forum member. It includes identification numbers, phone numbers and information about family members.

For a paid premium membership, more sensitive data is offered, including full addresses, property documents and education records.

Among other things, the site contained information about high-ranking government officials, including Turkish President Recep Tayyip Erdoğan and opposition leader Kemal Kılıçdaroğlu. Researchers confirmed the authenticity of the samples.

The data were presumably stolen in a breach of the e-Government portal e-Devlet in April 2022.

Official authorities have not yet confirmed the leak. Nevertheless, the Turkish Association of Media and Legal Studies has announced plans to sue the Ministry of Interior.

China to regulate wireless networks

The Chinese government is drafting a law regulating the use of wireless technologies within the country, including Bluetooth and Wi-Fi.

The document requires operators of all wireless networks to deploy data monitoring systems, “promote socialist core values” and “adhere to the correct political directions.”

In turn, users should “take steps to prevent the production, copying or distribution of unwanted information and to counter it,” as well as report to competent authorities if they receive such information.

Additionally, network operators will be required to collect information about all connections and to forward it to authorities on request.

The document does not specify whether it covers all Wi‑Fi access points or only commercial ones. It also remains unclear why Bluetooth networks are mentioned in the document.

Trend Micro finds over 150 fake cryptocurrency scam sites

The cybercrime group Impulse Team, active since 2018, promotes over 150 fake sites and apps for cryptocurrency fraud aimed at residents of Russia and the CIS, according to a Trend Micro report.

Victims are lured via social media, advertising on criminal forums, spam and other channels.

Data: Trend Micro.

The criminals simulate trading operations and profits in users' accounts to create the appearance of successful trading, but all deposits go directly to Impulse Team wallets.

Users are then persuaded to invest more with offers of bonuses, perks, consultations and support. Withdrawals are blocked on the pretext of paying a fee, tax or fine.

Researchers identified around 170 Bitcoin and Ethereum wallets belonging to the group. The total amount stolen is about $50 million.

In Russia, plans to create an “internal Internet”

By the end of 2023, Russia will launch a protected national Internet segment, Vedomosti reports.

Entry will be allowed only with a passport and after obtaining a personal identifier. After that, users will get access to "safe, trusted services whose providers comply with all applicable laws." Law enforcement will be able to track account ownership.

"The main goal is to ensure the safety of citizens, the protection of their personal data, protection from spam campaigns, fraud and phishing sites," said Andrey Svintsov, deputy chair of the State Duma committee on information policy, information technologies and communications.

The deputy added that the unsecured Internet will also remain, but responsibility for personal data and other aspects of safety will lie with users themselves.

Currently, the mechanism for implementing the secure network is being discussed with “telecom operators, manufacturers of Russian chips and hardware, and software cybersecurity developers.”

Experts find multi-stage attack on Bitcoin wallets

The DoubleFinger loader targeted crypto wallet owners in Europe, the United States and Latin America, Kaspersky Lab experts report.

The attack begins when the victim opens a malicious PIF attachment in an email, which starts the first stage of the DoubleFinger loader.

The malware deploys GreetingGhoul, a program that steals credentials from crypto wallet apps, and the Remcos remote access trojan.

The former creates fake windows that overlay real crypto wallet interfaces, where the user can be tricked into entering a seed phrase; the latter hunts for wallet apps on the victim's device.

DoubleFinger uses stealth techniques, including masquerading as legitimate processes and injecting its code into remote processes.
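The initial stage depends on the recipient opening a .pif attachment, a legacy Windows file type that Windows still launches as an executable. As an added example, not code from Kaspersky Lab or from this article, the following mail-gateway style check inspects constructed attachments and flags directly executable extensions, a PE ("MZ") header behind a document-looking name, double extensions, and padded names that push the real extension out of view. The file names and bytes are made up for the example.

```python
import os
import re

# Extensions Windows launches directly on open. ".pif" (Program Information File)
# is a legacy type that Windows still treats as executable, which is why it is
# used to smuggle loaders past users who would not open an .exe.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk",
}
# Extensions users read as harmless documents or pictures.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"

def attachment_findings(filename, content):
    """Return a list of reasons an attachment should be held for review.

    An empty list means nothing suspicious was seen; it does not mean the file is safe.
    """
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    findings = []

    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"directly executable extension '{ext}'")

    # "invoice.pdf.pif": the visible part of the name looks like a document
    inner_ext = os.path.splitext(stem)[1]
    if inner_ext in DOCUMENT_EXTENSIONS and ext != inner_ext:
        findings.append(f"double extension '{inner_ext}{ext}'")

    # Content check: a PE image regardless of what the name claims
    if content[:2] == PE_MAGIC:
        if ext in DOCUMENT_EXTENSIONS or ext == "":
            findings.append(f"PE header in file named as '{ext or 'no extension'}'")
        else:
            findings.append("PE header (Windows executable)")

    # A run of spaces before the extension pushes it off-screen in mail clients
    if re.search(r"\s{5,}\.[a-z0-9]{2,4}$", name):
        findings.append("padded filename hides the real extension")

    return findings

# Constructed samples; the "PE" is just the two magic bytes plus padding.
FAKE_PE = PE_MAGIC + b"\x90" * 62
SAMPLE_ATTACHMENTS = {
    "statement.pdf.pif": FAKE_PE,
    "invoice                                   .exe": FAKE_PE,
    "photo.jpg": FAKE_PE,          # renamed executable
    "report.pdf": b"%PDF-1.7\n",
}

if __name__ == "__main__":
    for fname, data in SAMPLE_ATTACHMENTS.items():
        print(fname, "->", attachment_findings(fname, data) or "no findings")
```

The content check matters more than the extension list: a renamed executable such as `photo.jpg` passes every name-based rule and is caught only because its first two bytes are `MZ`. A production filter would extend this with archive unpacking, since loaders are routinely shipped inside ZIP or ISO containers.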

In the code, the researchers found several Russian-language text fragments; for example, the command-and-control server URL begins with "Privetsvoyu," a distorted transliteration of a Russian greeting. However, this is not sufficient to conclude that the attacks were authored by Russian-speaking hackers.

Unknown attackers continue leaking data from customers of major Russian companies

This week, the publication of user data from major Russian online retailers continued, the Telegram channel "DataLeaks" reported.

Partial dumps are now in open access from the bookstore chains "Chitai-Gorod" (9.8 million rows) and "Eksmo" (452,700 rows), the website of the publisher "AST" (~87,500 rows) and the mountain resort "Rosa Khutor" (~523,000 rows).

Data: “DataLeaks”.

In fragments of the tables the data include:

In total, the hackers have published, as promised, data from 12 large companies. Their identities are not yet known.
