We round up the week’s most important cybersecurity news.
- Trezor users fell victim to a mass phishing campaign.
- Hackers hid a Monero miner in pirated macOS software.
- A YouTube video caused Pixel smartphones to reboot.
- The Dota 2 developer baited and caught more than 40,000 cheaters.
Trezor users fall victim to a mass phishing campaign
Starting February 27, attackers have been targeting Trezor hardware wallet users with emails and SMS messages about a purported data breach. The campaign was flagged by security researcher Mich.
@Trezor
⚠ /supports-tresor.buzz
⚠ /private-tresor-support.ink
⚠ /supports-tresor.buzz ☣ AS22612 [198.54.115.46]
@Namecheap
@ActorExpose @bunnymaid @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @JCyberSec_ @sniko_ @nullcookies @Spam404 #fraud #scam
— Mich (@dubstard) February 28, 2023
Phishing messages purportedly from the company urge recipients to click the link to protect their device.
The fake site displays a warning that the user's assets may be at risk. After the visitor presses the Start button, the page asks for the wallet's seed phrase, supposedly to restore access to the account. In reality, handing over the seed phrase gives the attackers full control of the funds in the wallet.
Developers at Trezor have acknowledged the phishing campaign and urged users to stay vigilant. They also said they found no evidence of a recent data breach in their internal systems.
Beware of the active phishing scam!
The attackers contact the victims via phone call, SMS and/or email to say that there's been a security breach or suspicious activity on their Trezor account.
➡️ Please ignore these messages as they are not from Trezor. ⬅️
— Trezor (@Trezor) February 28, 2023
The postal addresses and phone numbers of Trezor customers were apparently obtained by the attackers from a marketing list stolen in the MailChimp breach of March 2022.
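The lookalike domains in this campaign differ from the real brand by a single letter ("tresor" for "trezor"). The following script is an added example, not code from the article or from Trezor, showing how a defender can screen incoming SMS or email text for such lookalikes: it extracts host names, splits the registrable labels into tokens, and flags any token within edit distance 1 of a protected brand name. The sample messages are constructed for the example; the phishing domains come from the researcher's tweet above, while the allowlist entry trezor.io is an assumption about the vendor's official domain rather than something the article states.

```python
"""Screen message text for brand-lookalike domains (e.g. 'tresor' vs 'trezor')."""
import re

# Brand names to protect; extend as needed.
BRANDS = {"trezor"}

# Assumed allowlist of official domains (not taken from the article).
ALLOWLIST = {"trezor.io"}

# Host names: one or more labels followed by a TLD of at least two letters.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

# Constructed sample messages for the example, modelled on the campaign described above.
SAMPLE_MESSAGES = [
    ("sms-1", "Trezor: a data breach affected your account. Protect your device now at "
              "https://supports-tresor.buzz/start"),
    ("mail-2", "Suspicious activity detected. Restore access: "
               "http://private-tresor-support.ink/recover"),
    ("mail-3", "Your order from shop.example.com has shipped."),
    ("mail-4", "Firmware update notes are available at https://trezor.io/"),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domains(text: str) -> list:
    """Return the distinct host names found in a message, lower-cased."""
    return sorted(set(HOST_RE.findall(text.lower())))


def score_domain(domain: str, max_distance: int = 1):
    """Return (brand, token, distance) if the domain looks like a brand impersonation.

    The TLD is ignored; every other label is split on '-' so that
    'supports-tresor.buzz' yields the token 'tresor'.
    """
    domain = domain.lower()
    if domain in ALLOWLIST:
        return None
    labels = domain.split(".")[:-1]
    for label in labels:
        for token in label.split("-"):
            for brand in BRANDS:
                distance = levenshtein(token, brand)
                if distance <= max_distance or brand in token:
                    return (brand, token, distance)
    return None


def scan_messages(messages) -> list:
    """Return (message_id, domain, brand, token, distance) for every suspicious domain."""
    hits = []
    for msg_id, text in messages:
        for domain in extract_domains(text):
            verdict = score_domain(domain)
            if verdict is not None:
                brand, token, distance = verdict
                hits.append((msg_id, domain, brand, token, distance))
    return hits


if __name__ == "__main__":
    for msg_id, domain, brand, token, distance in scan_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: {domain} looks like '{brand}' (token '{token}', distance {distance})")
```

On the constructed sample, only the two campaign domains are flagged; the unrelated shop domain and the allowlisted official domain pass. Raising `max_distance` catches more creative misspellings at the cost of more false positives, so in practice the allowlist and brand list should be maintained alongside the threshold.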
Data thieves attacked cloud services under the guise of a crypto miner
Sysdig researchers uncovered a large-scale hacking campaign, SCARLETEEL, targeting cloud services.
⚔ Sysdig TRT just uncovered a nasty cloud attack. SCARLETEEL began with a compromised container & ended with privilege escalation into an #AWS account to steal proprietary software. Read more on the attack & takeaways to help you stay safe in the cloud: https://t.co/fME8ASYyrt
— Sysdig (@sysdig) February 28, 2023
In the compromised cloud environments the attackers deployed cryptominers. However, the experts say the cryptojacking was a mere sideshow compared with the real goal: stealing proprietary software.
According to Sysdig, the hackers exploited a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services. There they installed the XMRig miner and a script that harvested credentials.
The stolen credentials later let the attackers create backdoor users and groups and spread further through the company's cloud environment.
Hackers hid a Monero miner in pirated macOS software
Malicious versions of several macOS programs, distributed among other channels via pirate torrents, were found to carry a hidden Monero miner, according to researchers at Jamf Threat Labs.
Check out our latest blog post authored by @mattbenyo on a family of #malware Jamf Threat Labs has been following that resurfaced and has been operating undetected, despite an earlier iteration being a known quantity to the #security community. https://t.co/PrY6nZfJ6S
— Jamf (@JamfSoftware) February 23, 2023
The researchers traced the malware to a The Pirate Bay user nicknamed wtfisthat34698409672, who has been uploading trojanized apps since 2019, including Adobe Photoshop, Logic Pro X, Final Cut Pro and others.
The latest version of the malware includes a script that kills the malicious processes whenever the system utility Activity Monitor is launched, which lets it stay hidden longer.
Apple said it is aware of the problem and is working on updates to block the malware effectively.
YouTube video rebooted Pixel smartphones
Reddit users noticed that Pixel devices powered by Google Tensor chips reboot when playing a 4K HDR clip from the film "Alien".
A discussion participant under the nickname OGPixel5 reproduced the issue on the Google Pixel 6, 6a and 7. Others added that after the crash mobile service stops working, and restoring it requires rebooting the device once more, this time manually.
Users speculated that something in the video format triggers the crash; the exact cause remains unknown.
According to Ars Technica, Google has already fixed the bug remotely, without releasing any update or patch.
The Dota 2 developer nabbed more than 40,000 cheaters with a lure
Valve built a honeypot into a game patch and used it to identify and ban more than 40,000 Dota 2 cheaters.
Cheaters Will Never Be Welcome in Dota https://t.co/D0keeCjKIF
— DOTA 2 (@DOTA2) February 21, 2023
The developers added a data section to the game client that ordinary play never reads; any access to it exposed the use of third-party cheating tools and exploits designed to locate the client's internal data.
This ban wave was among the largest in the game's history. Valve added that after the cleanup it closed the hole the cheaters had exploited.
BidenCash carders exposed data for 2.1 million bank cards
The BidenCash operators posted on a hacker forum, free of charge, a file containing information on 2.1 million compromised bank cards.
The recent release of 2.1M compromised credit cards by card shop BidenCash underscores the importance of leveraging threat intel to prevent card fraud.
Read more about BidenCash and the evolving state of the illicit credit card marketplace: https://t.co/RMcR6IK8QW
— Flashpoint (@FlashpointIntel) March 2, 2023
According to Flashpoint researchers, the dump includes:
- cardholder name and address;
- full card number;
- expiration date;
- CVV number;
- bank name.
About 70% of the leaked cards expire in 2023. 50% of the cards belong to individuals or entities in the US, with roughly another 5% stolen from users in China and the United Kingdom.
Most of the card data was obtained via web skimmers, malicious scripts that attackers embed in the checkout pages of online stores.
BidenCash ranks among the top five carding shops by number of cards.
Although the freely available dump is among the largest of the past year, researchers believe that most of the disclosed cards will expire soon or are already known to financial institutions as compromised.
Also on ForkLog:
- A video featuring "Bitcoin Scammer No. 1" from Colombia went viral on TikTok.
- An attacker sent phishing emails to The Sandbox users.
- Bitzlato warned about AML tags on Bitcoin withdrawals from the platform.
- MyAlgo wallet users were asked to withdraw funds due to a breach.
- The SEC accused a former FTX top executive of defrauding investors.
- The LaunchZone token dropped by 82% as a result of a hack.
- In Bali, a Russian blogger had $284,000 stolen in cryptocurrency.
- The Solana network was restarted after a bug in a validator software update.
- The Oasis platform confiscated assets stolen during the Wormhole hack.
What to read this weekend?
In the Cryptorium educational section we explain why deepfakes are dangerous and how to recognize them.
