Cross-Platform Crypto Scams

Jun 20 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that doesn’t know who it hates more, cybercriminals or Just Stop Oil (Just Spoil? 👀) 🗺️🗿🎨🤯🤬 #StoneHenge

Today’s hottest cybersecurity news stories:

  • ⛔ Don’t answer the call! Markopolo scams w/ ‘meeting software’ 👥

  • 👲🏻 Beware! Chinese-speakers targeted w/ malicious VPN installers 📥

  • 🥛 Don’t cry over spilt milk! Mailcow flaw discovered and patched 🐄🩹

Users: marko 🤓

Hackers: polo 😈😈😈

🚨🚀 Beware of Cross-Platform Crypto Scams! 🚀💸

Meet the Scammer: markopolo 🎭👾

A threat actor, alias markopolo, has been identified for targeting digital currency users with info-stealing malware. This large-scale scam spreads across social media platforms.

Fake Apps & Malware 🚨🛠️

  • Malicious Software: Vortax and 23 other apps

  • Malware Deployed: Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS)

  • Target: Cryptocurrency users

Social Media Deception 🕵️‍♂️📲

  • Platforms: Dedicated Medium blog with AI-generated articles and a verified X (formerly Twitter) account

  • Method: Promoting Vortax, requiring a RoomID to download, leading to malware deployment

Campaign Tactics 🛠️🔄

  • Techniques: Shared hosting and C2 infrastructure

  • Strategy: Quickly abandon detected scams and pivot to new lures

Infostealer Threats 🔓📉

  • Recent Target: Snowflake

  • Cloud Storage Abuse: Enea revealed SMS scammers using cloud storage services (Amazon S3, Google Cloud, etc.) to host phishing pages

How It Works 🧩⚠️

  1. Links Distributed via SMS: Appearing authentic, bypassing firewalls

  2. Redirection: Links lead to static websites with embedded spam URLs

  3. Final Stage: Users are redirected to phishing pages, compromising personal and financial info

Security Reminder 🛡️📢

Stay Vigilant: Always verify app sources, avoid suspicious links, and update security software to protect against these evolving threats!

Stay safe in the digital world! 🌐🛡️

Don’t scream into the Void Arachne 😱😱😱

🚨🐍 Void Arachne Targets Chinese-Speaking Users! 🐉

New Threat Cluster Alert! ⚠️🕵️‍♂️

Chinese-speaking users are under attack by a new threat activity cluster called Void Arachne, using malicious MSI files to deliver the Winos 4.0 command-and-control (C&C) framework.

Malicious Software 🚨💻

  • MSI Files: Disguised as VPNs and popular software (Google Chrome, LetsVPN, QuickVPN, Telegram language pack)

  • Additional Bait: Compromised MSI files embedded with nudifiers, deepfake porn generators, AI voice and facial tech

Distribution Tactics 📢📧

SEO Poisoning & Social Media 🎣📱

  • SEO Poisoning: Links to malware via black hat SEO

  • Social Media: Distributed on Chinese-language-themed Telegram channels

  • Messaging Platforms: Promoting fake software links

Infection Process 🚨🦠

  1. ZIP Archives: Links lead to adversary-controlled infrastructure

  2. Firewall Modification: Installers change firewall rules to permit the malware’s network traffic

  3. Second-Stage Payload: Decrypts and executes additional malware

  4. Persistence: A VBS script is set up so the malware survives reboots and keeps its foothold

Winos 4.0 Capabilities 🌐🔧

Advanced Backdoor 🚪🔒

  • File Management: Full control over files

  • DDoS Attacks: Using TCP/UDP/ICMP/HTTP

  • Surveillance: Webcam control, screenshot capture, microphone recording, keylogging

  • Remote Shell Access: Full command access to infected systems

  • Plugin-Based: 23 components for 32- and 64-bit systems, expandable via external plugins

Security Evasion 🛡️🔍

  • Detection Avoidance: Identifies and bypasses security software common in China

  • Main Orchestrator: Loads plugins, clears logs, downloads additional payloads

Exploiting VPN Demand 🚧🌐

  • Great Firewall of China: Increased public interest in VPNs to bypass censorship

  • Threat Actor Interest: Attackers heavily exploit the demand for VPN software used to evade government controls

Stay Safe Online! 🛡️📱

  • Verify Software Sources: Download only from trusted sites

  • Be Cautious: Avoid suspicious links and messages

  • Update Security: Keep your devices and software up-to-date

Stay vigilant and protect your digital life! 🌐🔒

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🀡 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

πŸ•΅οΈ Finally, you leverage real-time analytics to track performance and refine future strategies. πŸ“ˆ Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

It’s not a moo point 😬😬😬

📧🚨 Mailcow Vulnerabilities Alert! 🚨📧

Security Flaws in Mailcow! 🛡️🐄

Two vulnerabilities in the Mailcow open-source mail server suite could allow attackers to execute arbitrary code. All versions before 2024-04 are affected.

Disclosed Vulnerabilities 🕵️‍♂️🔍

Moderate Severity ⚠️🔓

  • CVE-2024-30270 (CVSS 6.7): Path traversal in "rspamd_maps()" that allows files writable by the "www-data" user to be overwritten, leading to arbitrary command execution.

  • CVE-2024-31204 (CVSS 6.8): Cross-site scripting (XSS) via exception handling, allowing malicious script to be injected into the admin panel.

How They Work 🛠️🔧

Path Traversal 🛣️🛠️

  • Impact: Execution of arbitrary commands

  • Method: Overwrites files modifiable by the "www-data" user
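The defensive side of the path-traversal bullet above, as an added example that is not mailcow’s own code: a map name coming from a web form is accepted only if it is a single file name that lands directly inside the maps directory (and, optionally, is on an allowlist of known maps). The directory path and map names are assumptions for illustration.

```python
import posixpath


def safe_map_path(maps_dir: str, map_name: str, allowed: frozenset = frozenset()) -> str:
    """Resolve a user-supplied map name to a file directly inside maps_dir.

    Raises ValueError for anything that could escape maps_dir (the
    CVE-2024-30270 pattern) or, when an allowlist is supplied, for any
    name not on it. Returns the normalised absolute path otherwise.
    """
    if allowed and map_name not in allowed:
        raise ValueError("unknown map name")
    # A map name must be exactly one path component: no separators,
    # no NUL byte, and neither "." nor "..".
    if (not map_name or "\x00" in map_name or "/" in map_name
            or "\\" in map_name or map_name in (".", "..")):
        raise ValueError("invalid map name")
    base = posixpath.normpath(maps_dir)
    target = posixpath.normpath(posixpath.join(base, map_name))
    # Defence in depth: after normalisation the parent must still be maps_dir.
    if posixpath.dirname(target) != base:
        raise ValueError("path escapes maps directory")
    return target


def is_traversal_attempt(maps_dir: str, map_name: str, allowed: frozenset = frozenset()) -> bool:
    """True when safe_map_path() would reject the name; useful for logging and alerting."""
    try:
        safe_map_path(maps_dir, map_name, allowed)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs of the kind a web form might submit.
    maps_dir = "/opt/mail/rspamd/maps"  # assumed path, not mailcow's real layout
    for name in ("whitelist.map", "../../etc/passwd", "..", "sub/evil.map"):
        print(f"{name!r:22} rejected={is_traversal_attempt(maps_dir, name)}")
```

On a real deployment, also pass the returned path through os.path.realpath and re-check the parent, so a symlink planted inside the maps directory cannot redirect the write elsewhere.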

Cross-Site Scripting 🖥️💥

  • Impact: Session hijacking and privileged actions

  • Method: Malicious scripts injected via unsanitized exception details

Combined Attack Scenario 🚨🔗

An attacker can craft an HTML email with a CSS background image from a remote URL to trigger XSS. If an admin views this email while logged into the admin panel, arbitrary code can be executed on the server.

Theoretical Attack Example 🧩💣

  • Step 1: Send HTML email with remote URL

  • Step 2: Admin views email while logged in

  • Result: XSS payload executes, leading to arbitrary code execution

Responsible Disclosure 📝🔒

  • Reported by: SonarSource on March 22, 2024

  • Patch Released: April 4, 2024 (version 2024-04)

What to Do 🛡️🔧

Update Mailcow: Ensure you are running the latest version (2024-04) to protect against these vulnerabilities.

Stay secure and keep your systems updated! 🌐🔒

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
