iOS users beware!

Jun 02 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s still going at it like Pacino. Take that De Niro, Al’s even older! #WhosTheDaddy

Welcome to our weekly segment. It goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it. This week it’s Stripe and WooCommerce.

Calling all WordPress Users that run a store with WooCommerce and Stripe

A security vulnerability was discovered in the Stripe extension for WooCommerce, but fair play to the Woo tang clan, a patch has already been deployed to address it.

What do you need to do?

According to WooCommerce, if your store is hosted on WordPress.com, the extension is in the process of being updated or has already been updated to remove the vulnerability. 

The version number should be displayed in the description column next to the plugin name. If you have version 7.4.1 or higher, no further action is needed.

If not, what are you waiting for? Get updating!

Hope you enjoyed our tweak of the week. 🎶She’s the Freak of the Week 🎶 Remember that one? Pepperidge Farms remembers.

For more info, check this out.

Now on to today’s hottest cyber security stories:

  • iOS users beware! New zero-click hack is the root of all evil 😁

  • Free malware builder for Invicta Stealer promoted on Facebook 🙈

  • Crypto hacks fell 70% in Q1 of 2023 🎉🎉🎉

CHECK YOUR root-privilege!

A stealthy and mischievous advanced persistent threat (APT) has set its sights on iOS devices, launching an extravagant mobile campaign called Operation Triangulation back in 2019.

According to well-known cybersecurity company Kaspersky, the APT infects its targets by exploiting zero-click tricks within the iMessage platform, giving the malware the audacity to frolic around with root privileges, seizing total control over the device and its precious user data.

From Russia with Love

In a stroke of genius (or perhaps madness), the Russian cybersecurity sleuths stumbled upon traces of compromise after meticulously creating offline backups of the targeted devices. Sherlock Holmes would be proud!

It all starts with an innocent iOS device receiving an iMessage that comes bearing an attachment (the exploit).

The exploit is a zero-click wonder, meaning it gets the party started as soon as the message slides into the device's DMs, without the need for any user interaction.

And it’s cleverly programmed to fetch additional goodies, like payloads for the lofty privilege escalation, and then unleashes the pièce de résistance—a final-stage malware from a remote server.

Kaspersky labelled it a "fully-featured APT platform." Boss music starts playing

The sneaky implant, equipped with its VIP root privileges, takes on the role of an information harvester. It skillfully gathers all the juicy, sensitive tidbits it can find and even dabbles in running code downloaded as plugin modules from the server. It's a true multitasker, this one!

Sounds like a roots manoeuvre 😂 Geddit? Dw we’re old

And as if that weren't enough, the spyware goes incognito, quietly shipping off private information to remote servers like a secret agent on a covert mission.

From microphone recordings to photos from instant messengers, geolocation data, and even the most trivial activities of the infected device's owner, nothing escapes its nosy grip, as explained by the Kaspersky researchers.

So, dear iOS users, beware of this APT, as it's determined to turn your devices into a playground for its mischievous exploits.

Stay vigilant, keep your guard up, and protect your digital kingdom from this tech-savvy trickster!

FACEBOOK? OK BOOMER 😂

I mean get with the times guys. You couldn't have put out a TikTok? Or surely an IG campaign. Nope, had to be Facebook. Just kidding Facebook, we actually love you. Because we’re boomers lol.

So, what’s the 411?

Cyble Research and Intelligence Labs (CRIL) researchers have spotted Invicta Stealer being advertised on Facebook to find prospective buyers.

A GitHub post claims that malware developers are offering a free stealer builder. While running the builder, users are asked to input a Discord webhook/server URL, which serves as the C2.

Attackers also own a YouTube channel where they show a tutorial with detailed steps on how to create the Invicta Stealer executable using a builder tool available in the GitHub repository.

Targets of infection

Invicta Stealer targets different products such as Discord, crypto wallets (e.g., Neon, Zcash, VERGE, WalletWasabi), browsers (e.g., Chromium, Yandex, Vivaldi, Opera Neon), Steam, and the KeePass password manager.

Method of attack

For initial infection, a spam email is used with a fake HTML page mimicking an authentic refund invoice from GoDaddy.

Opening the HTML page redirects users to a Discord URL and then downloads a file named Invoice[.]zip.

The zip file includes a shortcut file, INVOICE_MT103[.]lnk. When opened, the .lnk file triggers a PowerShell script.

Next, the PowerShell script downloads the Invicta Stealer, which is disguised as Invoice_MT103_Payment[.]exe.
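
For the blue-teamers: an added example (ours, not code from Cyble or the stealer's authors) of how a mail gateway or triage script could spot the zip-with-a-shortcut step, by listing .lnk members of an archive and reading their StringData fields as laid out in Microsoft's MS-SHLLINK spec. The function names, the script-host watchlist and the harmless sample shortcut are all constructed for illustration.

```python
import io
import struct
import zipfile

LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits
STRING_FLAGS = {0x04: "name", 0x08: "relative_path", 0x10: "working_dir",
                0x20: "arguments", 0x40: "icon"}  # dict order = on-disk order
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript")  # assumed watchlist

def parse_lnk_strings(data):
    """Return the StringData fields of a shell link, or None if malformed."""
    try:
        if data[:20] != LNK_MAGIC:  # HeaderSize (0x4C) followed by LinkCLSID
            return None
        flags, pos, out = struct.unpack_from("<I", data, 20)[0], 76, {}
        if flags & HAS_IDLIST:    # 2-byte size, then the ID list itself
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:  # 4-byte size that counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        for bit, field in STRING_FLAGS.items():
            if flags & bit:
                size = struct.unpack_from("<H", data, pos)[0] * width
                out[field] = data[pos + 2:pos + 2 + size].decode(enc, "replace")
                pos += 2 + size
        return out
    except struct.error:  # truncated file
        return None

def triage_zip(blob):
    """Return (member, verdict) for every shortcut inside a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".lnk"):
                fields = parse_lnk_strings(zf.read(name)) or {}
                text = " ".join(fields.values()).lower()
                hosts = [h for h in SCRIPT_HOSTS if h in text]
                findings.append((name, "runs " + ",".join(hosts) if hosts else "shortcut"))
    return findings

def make_sample_zip():  # constructed, harmless sample input
    args = "/c powershell -NoProfile -Command Write-Output constructed-sample"
    lnk = (LNK_MAGIC + struct.pack("<I", 0x20 | IS_UNICODE)).ljust(76, b"\0")
    lnk += struct.pack("<H", len(args)) + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample_invoice.lnk", lnk)
    return buf.getvalue()
```

Any shortcut inside a mailed archive is worth a second look; one whose fields name a script host is a strong candidate for quarantine.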

Experts have spotted an increase in the use of the Invicta Stealer owing to the active promotion of the builder.

Facebook ad campaigns work, guys. We knew that. And now the hackers do too.

A LITTLE BITCOIN LESS LOST IN THE ETHER, EH?

Now, for some good news to kickstart the weekend. Long-time readers will know how rare positive stories are in the crime-infested world of cybersecurity journalism and how, as such, we celebrate the good times. So here it is.

According to a recent report from TRM Labs, there has been a remarkable 70% decrease in global crypto hacking activities.

In the first three months of 2023, approximately $400 million was lost in nearly 40 cryptocurrency attacks.

However, this figure marks a significant decline of 70% compared to the same period in 2022.

The value of stolen cryptocurrency assets due to hacking incidents experienced a substantial surge last year, with the industry suffering losses amounting to $3.7 billion.

This represented a 58% increase from the $2.3 billion that cybercriminals pilfered from investors and exchanges in 2021, as revealed by a report from Immunefi, a web3 security testing platform.

Therefore, it is undoubtedly encouraging to witness a decline in these numbers in 2023.

The reduced incidence of crypto hacking incidents is a positive trend for the industry, fostering greater security and trust among cryptocurrency users.

Enjoy your weekends, folks, and may the cyber-odds be ever in your favour.

So long and thanks for reading all the phish!

Cyber Dawg's top picks from the week. He's your Dawg, he got you.

MONDAY: Phishing up 356% in 2022

TUESDAY: 90 Organisations hit by Capita breach

WEDNESDAY: SONOS One Hacked

THURSDAY: How to hack a toothbrush
