🚨 Bitcoin ATM Scams Surge, Costing Victims Millions! 💸

Sep 06 2024



Welcome to Gone Phishing, your weekly cybersecurity newsletter that thinks hackers are about as innocent as Ricky Jones 😂😂😂 #NotGuilty lol

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it... 😳

Congrats to Cisco, the cybercriminals are no match... for your patch! 🩹

Check out this freshly hatched patch 🐣

Cisco ahead cyber-punk, make my day 🏜️

🚨 Critical Cisco Flaws Patched! Update Now! ⚠️

Cisco has released security updates for two critical vulnerabilities in its Smart Licensing Utility, tracked as CVE-2024-20439 and CVE-2024-20440, both with a CVSS score of 9.8! 😲 These flaws allow unauthenticated, remote attackers to elevate privileges or access sensitive information. One involves an undocumented static user credential for an administrative account, while the other exposes verbose debug logs through crafted HTTP requests. 🔓📂

These flaws are independent but only exploitable while the Cisco Smart Licensing Utility is actively running. Users of versions 2.0.0, 2.1.0, and 2.2.0 should update to version 2.3.0, which is not vulnerable. 🛡️✨

Cisco also patched a command injection vulnerability in its Identity Services Engine (CVE-2024-20469, CVSS 6.0), allowing authenticated attackers to elevate privileges to root. Affected versions include Cisco ISE 3.2 (3.2P7) and 3.3 (3.3P4). Although PoC exploit code exists, there's no known malicious exploitation... yet! Update now to stay safe! 🔒🚀💻

Now, on to this week's hottest cybersecurity news stories:

  • 🏧 Bitcoin ATM scammers Madoff with $65M in 1st 1/2 of 2024 💰

  • 👨🏻‍💻 Ironic hackers spoof GlobalProtect VPN to deliver WikiLoader 👾

  • 👔 Job seekers beware! N. Korean hackers are coming for you 🎯

That's a Bit of a worry 👀😬💀 Sorry, was that joke a Bit cryptic? 😏

🚨 Bitcoin ATM Scams Surge, Costing Victims Millions! 💸

Bitcoin ATM scams are on the rise, with victims losing a staggering $114 million in 2023, nearly 10 times the $12 million lost in 2020, according to the Federal Trade Commission (FTC). Already, $65 million has been reported lost in just the first half of 2024. These scams are evolving, but the core tactic remains the same: tricking people into paying scammers under false pretences. 💰📉

🔍 How Bitcoin ATM Scams Work

Bitcoin ATMs, found in places like gas stations and grocery stores, allow users to buy and sell cryptocurrency. Scammers exploit this by contacting victims via phone, text, or online pop-ups, often impersonating bank or government officials. They convince victims that their bank accounts have been compromised and urge them to withdraw cash to secure their funds in what the scammers misleadingly refer to as "safety lockers." 🚨📲

🛑 The Scam Process

Once the victim arrives at a Bitcoin ATM, scammers instruct them to deposit their cash by scanning a QR code at the machine. This code directs the funds straight into the scammer's crypto wallet, leaving the victim with nothing. The FTC reports that the median loss from these scams is around $10,000, highlighting the devastating financial impact on individuals. 🏧🔒

🚨 Warnings and Regulations

The FBI flagged this scam in 2021, prompting states like Vermont and Minnesota to introduce daily transaction limits on crypto kiosks to curb these fraudulent activities. Despite these efforts, the scams continue to thrive, underscoring the importance of verifying any unexpected financial requests and never withdrawing money based on unsolicited instructions. 🚫📞

โš ๏ธ Other Rising Crypto Scams Bitcoin

ATM scams are just one piece of the larger fraud landscape. Deepfake crypto scams on platforms like YouTube, scammers impersonating journalists to drain digital wallets, and โ€œpig butcheringโ€ scamsโ€”where victims are groomed over time to invest in fake schemesโ€”are also on the rise. Notably, a former bank CEO was recently arrested for stealing millions in a fraudulent crypto investment. ๐Ÿท๐Ÿ’ฅ

๐Ÿ”‘ Stay Safe and Vigilantย 

As cryptocurrency and related technologies become more mainstream, so do the scams. It's crucial to remain vigilant, verify the legitimacy of all financial communications, and be sceptical of anyone asking you to withdraw or deposit funds in unusual ways. Protect your wallet and your peace of mind! ๐Ÿ”๐Ÿ’ก


Hackers: You better GlobalProtect yo'self before you wreck yo'self, fool! 😈

🚨 Malvertising Campaign Spoofs GlobalProtect VPN to Spread WikiLoader Malware 👾

Cybersecurity researchers have uncovered a new malware campaign that spoofs Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (also known as WailingCrab) loader via a search engine optimization (SEO) campaign. This activity, observed in June 2024, marks a shift from the previously known phishing-based propagation methods used by the malware. 🦠🚀

🔍 SEO Poisoning as Initial Access

The campaign employs SEO poisoning, a tactic where attackers manipulate search engine results to lure victims into visiting malicious websites that spoof legitimate results. In this case, the attackers cloned websites and relabeled them as GlobalProtect, leveraging cloud-based Git repositories to host the fake software. When users search for GlobalProtect, they are shown Google ads that redirect them to these malicious pages, initiating the infection process. 🖥️🔗

⚙️ How the Malware Operates

Victims who download the fake GlobalProtect software are tricked into running an MSI installer containing an executable named "GlobalProtect64.exe." This executable is actually a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) that is used to sideload a malicious DLL called "i4jinst.dll." This sequence ultimately leads to the execution of shellcode that downloads and launches the WikiLoader backdoor from a remote server. 📥🔒

🛡️ Evading Detection

To enhance its effectiveness and evade detection, the malware employs various anti-analysis techniques. It checks if it's running in a virtualized environment and terminates itself if processes related to virtual machine software are detected. Additionally, the campaign uses spoofed, compromised, and legitimate infrastructure to bolster the operational security and robustness of the loader, featuring multiple command-and-control (C2) configurations. 🛡️🚫

⚠️ Fake Error Messages and Deceptive Tactics

To further deceive victims and create an illusion of legitimacy, the installer displays a fake error message at the end of the process, claiming that certain libraries are missing from the user's Windows computer. This tactic helps mask the true nature of the malware and reduces suspicion among victims. 🖥️⚠️

🔄 Shift from Phishing to SEO Poisoning

The reason behind the shift from phishing emails to SEO poisoning as the malware's delivery mechanism remains unclear. Researchers from Unit 42 speculate that this could be the work of a new initial access broker (IAB) or a strategic move by existing groups in response to public disclosures of previous tactics. The malware, first documented by Proofpoint in August 2023, is known to be linked to the threat actor TA544 and has been used to deploy other malware like Danabot and Ursnif. 📧➡️🌐

🌍 Global Reach

The disclosure of this campaign comes shortly after Trend Micro identified a similar campaign targeting users in the Middle East with backdoor malware through fake GlobalProtect VPN software. This highlights the broad and evolving threat landscape as attackers continuously adapt their strategies to bypass security measures and reach more victims globally. 🌐🚩

🛡️ Stay Vigilant

Users are advised to be cautious when downloading software and ensure they are accessing official websites. Always double-check URLs, avoid clicking on suspicious ads, and consider using reputable cybersecurity tools to detect and block malvertising threats. 🛡️🔍
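A defender-side detection sketch for the sideloading step just described, added here as an example and not code from Unit 42 or Palo Alto Networks: it scans image-load events in the shape of Sysmon Event ID 7 and flags a DLL loaded from the host process's own directory when that directory is user-writable and the DLL is unsigned, or when the host binary runs under a name different from its version-resource OriginalFileName (the renamed trading app pattern). The field ProcessOriginalFileName, the sample paths and the sample events are all assumptions constructed for the example.

```python
from typing import Dict, List

# Directories a standard user can write to. A genuine GlobalProtect install
# lives under Program Files, so a copy under one of these is already odd.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def is_sideload_candidate(ev: Dict[str, str]) -> bool:
    """True when one image-load event matches the sideloading pattern."""
    exe = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    exe_dir, exe_name = exe.rsplit("\\", 1)
    dll_dir = dll.rsplit("\\", 1)[0]
    if dll_dir != exe_dir:
        return False  # DLL resolved from System32 or another expected place
    if not any(marker in exe_dir + "\\" for marker in USER_WRITABLE):
        return False  # same-directory loads under Program Files are normal
    unsigned = ev.get("SignatureStatus", "").lower() != "valid"
    # Assumed field: OriginalFileName from the *process* image's version
    # resource. A legitimate binary renamed to GlobalProtect64.exe (as in the
    # campaign above) shows a mismatch here even when its signature is valid.
    original = ev.get("ProcessOriginalFileName", exe_name).lower()
    return unsigned or original != exe_name


def find_sideloads(events: List[Dict[str, str]]) -> List[str]:
    """Return 'process -> dll' strings for every event worth an analyst's look."""
    return [f"{ev['Image']} -> {ev['ImageLoaded']}"
            for ev in events if is_sideload_candidate(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # the chain from the article, dropped into a Downloads folder
        "Image": r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\GlobalProtect\i4jinst.dll",
        "SignatureStatus": "Unavailable",
        "ProcessOriginalFileName": "TRADING_APP_PLACEHOLDER.exe",
    },
    {   # benign: a signed helper DLL loaded by a properly installed application
        "Image": r"C:\Program Files\Vendor\GlobalProtect\GlobalProtect64.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\GlobalProtect\helper.dll",
        "SignatureStatus": "Valid",
    },
    {   # benign: a system DLL loaded from System32 by the same downloaded exe
        "Image": r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "SignatureStatus": "Valid",
    },
]
```

Running `find_sideloads(SAMPLE_EVENTS)` returns only the first event; pairing this with the "missing libraries" error dialog and the anti-VM process checks described in the article gives a small, high-signal hunt.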

Looking for a new Korea? 🙃

🚨 North Korean Threat Actors Use Fake Video Conferencing Apps 💻

North Korean threat actors, identified as part of the Lazarus Group (also known as Famous Chollima), have launched a new malware campaign dubbed "Contagious Interview" that leverages fake video conferencing software to compromise developer systems. This campaign, also tracked as DEV#POPPER, involves impersonating FreeConference.com with a phony application that installs malware on targeted devices. 📉💻

🔍 Spoofing Legitimate Software

Detected by Singaporean cybersecurity firm Group-IB in mid-August 2024, this campaign marks a continuation of Lazarus Group's tactics, including distributing malware through native installers for both Windows and macOS. Initially, the attackers used fictitious job interviews to lure victims into downloading and running Node.js projects containing BeaverTail, a downloader malware that deploys InvisibleFerret, a cross-platform Python backdoor with capabilities for remote control, keylogging, and browser data theft. 🖥️🐍

⚠️ Recent Developments

Starting in July 2024, the malware distribution method evolved to include Windows MSI installers and macOS disk images (DMG) disguised as the legitimate MiroTalk video conferencing software. However, the latest attack wave replaced MiroTalk with FreeConference.com, using an installer named "FCCCall.msi" hosted on a malicious website, freeconference[.]io, which shares the same registrar as the fraudulent mirotalk[.]net site. 🚨🔗

🧑‍💻 Social Engineering Tactics

The attack often begins on job search platforms like LinkedIn, We Work Remotely (WWR), Moonlight, and Upwork, where Lazarus Group scouts for potential victims. After establishing initial contact, the attackers typically move conversations to Telegram, where they persuade job seekers to download a video conferencing app or a Node.js project under the guise of a technical task required for a job interview. 🎯📲

💡 Expanding Infection Vectors

The attackers have been diversifying their infection vectors by injecting malicious JavaScript into cryptocurrency- and gaming-related repositories, retrieving BeaverTail JavaScript code from domains like ipcheck[.]cloud and regioncheck[.]net. This approach was also noted by security firm Phylum in connection with a malicious npm package called helmet-validate, suggesting a broadening of their propagation methods. 📦📉

⚙️ Continuous Refinement and Expansion

The emergence of CivetQ and other modular updates highlights the active development and evolving sophistication of Lazarus Group's tools. These enhancements reflect the group's ongoing commitment to refining their tactics, with no indication of slowing down as their campaign extends into late 2024. The Lazarus Group has adapted their strategies to exploit new platforms and targets, showing increased creativity and reach. 🛠️🧑‍💻

🛡️ Stay Vigilant

Job seekers, developers, and companies should exercise caution when downloading software or engaging with unsolicited job opportunities. Verify the legitimacy of all communications and software downloads, particularly those involving unfamiliar platforms or requests to install additional applications during the hiring process. Ensure robust cybersecurity measures are in place to detect and mitigate these sophisticated threats. 🛡️🚫

That's all for this week, folks! 👋🏻

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตCrypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆBitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ


So long and thanks for reading all the phish!
