Categories
Alvosec

Common scams on mobile devices

2017 was a remarkable year for the cryptocurrency industry as their rapid increase in valuations propelled them into mainstream media. Unsurprisingly, this garnered them immense interest from both the general public as well as cybercriminals. The relative anonymity offered by cryptocurrencies has made them a favorite amongst criminals who often use them to bypass traditional banking systems and avoid financial surveillance from regulators.

Given that people are spending more time on their smartphones than desktops, it is thus not surprising that cybercriminals have also turned their attention to them. The following discussion highlights how scammers have been targeting cryptocurrency users through their mobile devices, along with a few steps that users can take to protect themselves.

Fake cryptocurrency apps

Fake cryptocurrency exchange apps

The most well-known example of a fake cryptocurrency exchange app is probably that of Poloniex. Prior to the launch of their official mobile trading app in July 2018, Google Play was already listing several fake Poloniex exchange apps, which were intentionally designed to be functional. Many users that downloaded those fraudulent apps had their Poloniex login credentials compromised, and their cryptocurrencies were stolen. Some apps even went a step further, requesting the login credentials of users' Gmail accounts. It is important to highlight that only accounts without two-factor authentication (2FA) were compromised.

The following steps can help protect you against such scams.

  • Check the exchange’s official website to verify if they indeed offer a mobile trading app. If so, use the link provided on their website.
  • Read the reviews and ratings. Fraudulent apps often have many bad reviews with people complaining about getting scammed, so make sure to check them before you download. However, you should also be skeptical of apps that present perfect ratings and comments. Any legitimate app has its fair share of negative reviews.
  • Check the app developer information. Look for whether a legitimate company, email address, and website are provided. You should also perform an online search on the information provided to see if they are really related to the official exchange.
  • Check the number of downloads. It is unlikely that the app of a highly popular cryptocurrency exchange would have only a small number of downloads.
  • Activate 2FA on your accounts. Although not 100% secure, 2FA is much harder to bypass and can make a huge difference in protecting your funds, even if your login credentials are phished.

Fake cryptocurrency wallet apps

There are many different types of fake apps. One variation seeks to obtain personal information from users such as their wallet passwords and private keys.

In other cases, the fake app shows the user a previously generated public address, so the user assumes that funds deposited to that address are theirs. The user, however, is never given the matching private key and so has no access to any funds sent to it.

Such fake wallets have been created for popular cryptocurrencies such as Ethereum and Neo and, unfortunately, many users lost their funds. Here are some preventive steps that can be taken to avoid becoming a victim:

  • The precautions highlighted in the exchange app segment above are equally applicable. However, an additional precaution you can take when dealing with wallet apps is to make sure brand new addresses are generated when you first open the app, and that you are in possession of the private keys (or mnemonic seeds). A legitimate wallet app allows you to export the private keys, but it is also important to ensure the generation of new key pairs is not compromised. So you should use reputable software (preferably open source).
  • Even if the app provides you a private key (or seed), you should verify whether the public addresses can be derived and accessed from them. For example, some Bitcoin wallets allow users to import their private keys or seeds to visualize the addresses and access the funds. To minimize the risks of keys and seeds being compromised, you may perform this on an air-gapped computer (disconnected from the internet).

Cryptojacking apps

Cryptojacking has been a hot favorite amongst cybercriminals due to the low barriers to entry and low overheads required. Furthermore, it offers them the potential for long-term recurring income. Despite their lower processing power when compared to PCs, mobile devices are increasingly becoming a target of cryptojacking.

Apart from web-browser cryptojacking, cybercriminals are also developing programs that appear to be legitimate gaming, utility or educational apps. However, many of these apps are designed to secretly run crypto-mining scripts in the background.

There are also cryptojacking apps that are advertised as legitimate third-party miners, but the rewards are delivered to the app developer instead of the users.

To make things worse, cybercriminals have become increasingly sophisticated, deploying lightweight mining algorithms to avoid detection.

Cryptojacking is incredibly harmful to your mobile devices, as it degrades performance and accelerates wear and tear. Even worse, such apps could potentially act as Trojan horses for more nefarious malware.

The following steps can be taken to guard against them.

  • Only download apps from official stores, such as Google Play. Pirated apps are not pre-scanned and are more likely to contain cryptojacking scripts.
  • Monitor your phone for excessive battery draining or overheating. Once detected, terminate apps that are causing this.
  • Keep your device and apps updated so that security vulnerabilities get patched.
  • Use a web browser that guards against cryptojacking or install reputable browser plug-ins, such as MinerBlock, NoCoin, and Adblock.
  • If possible, install mobile antivirus software and keep it updated.

Free giveaway and fake crypto-miner apps

These are apps that pretend to mine cryptocurrencies for their users but don’t actually do anything apart from displaying ads. They incentivize users to keep the apps open by reflecting an increase in the user’s rewards over time. Some apps even incentivize users to leave 5-star ratings in order to get rewards. Of course, none of these apps were actually mining, and their users never received any rewards.

To guard against this scam, understand that for the majority of cryptocurrencies, mining requires highly specialized hardware (ASICs), meaning it is not feasible to mine on a mobile device. Whatever amounts you mine would be trivial at best. Stay away from any such apps.

Clipper apps

Such apps alter the cryptocurrency addresses you copy and replace them with the attacker's. Thus, while a victim may copy the correct recipient address, the one they paste to process the transaction has been replaced with the attacker's.

To avoid falling victim to such apps, here are some precautions you can take when processing transactions.

  • Always double and triple check the address you are pasting into the recipient field. Blockchain transactions are irreversible so you should always be careful.
  • It is best to verify the entire address instead of just portions of it. Some apps are intelligent enough to paste addresses that look similar to your intended address.

SIM swapping

In a SIM swapping scam, a cybercriminal gains access to the phone number of a user. They do this by employing social engineering techniques to trick mobile phone operators into issuing a new SIM card to them. The most well-known SIM swapping scam involved cryptocurrency entrepreneur Michael Terpin. He alleged that AT&T was negligent in their handling of his mobile phone credentials resulting in him losing tokens valued at more than 20 million US dollars.

Once cybercriminals have gained access to your phone number, they can use it to bypass any 2FA that relies on it. From there, they can work their way into your cryptocurrency wallets and exchanges.

Another method cybercriminals can employ is to monitor your SMS communications. Flaws in communications networks can allow criminals to intercept your messages which can include the second-factor pin messaged to you.

What makes this attack particularly concerning is that users are not required to undertake any action, such as downloading fake software or clicking a malicious link.

To prevent falling prey to such scams, here are some steps to consider.

  • Do not use your mobile phone number for SMS 2FA. Instead, use apps like Google Authenticator or Authy to secure your accounts. Cybercriminals are unable to gain access to these apps even if they possess your phone number. Alternatively, you may use hardware 2FA such as YubiKey or Google’s Titan Security Key.
  • Do not reveal personal identifying information on social media, such as your mobile phone number. Cybercriminals can pick up such information and use them to impersonate you elsewhere. 
  • You should never announce on social media that you own cryptocurrencies as this would make you a target. Or if you are in a position where everyone already knows you own them, then avoid disclosing personal information including the exchanges or wallets you use.
  • Make arrangements with your mobile phone provider to protect your account. This could mean attaching a PIN or password to your account and dictating that only users with knowledge of the PIN can make changes to the account. Alternatively, you can require such changes to be made in person and disallow them over the phone.

WiFi

Cybercriminals are constantly seeking entry points into mobile devices, especially those of cryptocurrency users. One such entry point is WiFi access. Public WiFi is insecure, and users should take precautions before connecting to it. If not, they risk cybercriminals gaining access to the data on their mobile devices. These precautions are covered in the article on public WiFi.

Closing thoughts

Mobile phones have become an essential part of our lives. In fact, they are so intertwined with your digital identity that they can become your greatest vulnerability. Cybercriminals are aware of this and will continue to find ways to exploit this. Securing your mobile devices is no longer optional. It has become a necessity. Stay safe.

Scammer gave me access to his wallet?

Unfortunately, the crypto and blockchain world is full of scammers who try, directly or indirectly, to steal the funds of people who, for one reason or another, fall victim to them.

There are several scams and tricks that criminals use, but this time we will focus on a really devious one that few people know or recognize: the one that involves a seed or private key.

Before going into detail on how it works: this scam builds on the rule everyone knows, that we must never reveal our private key or seed to anyone, because whoever has it can take all the funds it controls.

Knowing this, criminals deliberately post their private key or seed in chats or private messages, hoping that someone will import it into a wallet, see that it holds crypto of real value, and try to move those funds to their own wallet with a simple transaction.

We will take one example that was circulating on Twitter and dig into the case.

Here we have a scammer wallet address: TUr8tTfMmr2ML88C65xLHPT4JGNgUkvh9Z

Here is also a secret phrase: damage muscle dilemma year useful toast siege sustain hero property lucky home

Now let's check what is going on, and why the scammer "generously" shares his private key.

Scammer wallet

Let's check the account permissions.

It is important to notice that the threshold of the Owner permission is set to 4. For those who don't know what a threshold is, here is a brief definition:

Minimum threshold to validate multisig transactions, a multisig transaction will only take effect when the total weight of signing addresses is greater than the threshold.

So basically we are looking at a multisig wallet with 2 accounts, where the second account has a weight of 3. This means that only the first account plus the second will satisfy the multisig threshold, and only then will the action be executed.

This means that without access to that second wallet, the first account is useless: anyone who imports the seed will be unable to send funds to another address. If the victim keeps trying to send funds, they will be asked to top up TRX to cover the transaction fee, which the criminals quickly sweep to another address.

Managing your XPR Owner & Active Permissions

The permissions feature of XPR Network is one of the most powerful and robust tools available for all XPR accounts. A well-structured and secure permission system can be the difference between a slight inconvenience and losing access to your XPR account completely.

XPR Network has a unique authorization structure that adds security to your account. You can minimize the exposure of your account by keeping the Owner key cold, while using the key associated with your Active permission. This way, if your Active key were ever compromised, you could regain control over your account with your Owner key.

In this guide, we will show you how to take the first step in taking control of your own security by ensuring that your Owner key and Active key are different from one another.

Right now, your private key may be identical for your Owner and Active permissions. To check whether or not they are, visit explorer.xprnetwork.org, search for your account name, and check the “permissions” tab.

By default XPR wallet has 2 native permissions:

  • Owner: The Owner permission is the "root access" to your XPR wallet and symbolizes ownership of the account. This key is needed to make any changes to the ownership of the account.
  • Active: used for transferring funds, voting for producers, buying RAM, etc.

From a security perspective it is recommended to have two different private keys.

How to change (isolate) private keys?

You can simply navigate to explorer.xprnetwork.org, log in to your account and click on the Wallet tab. Choose Keys and Permissions, then Advanced, and change the active permission.

Now we have separated permissions, as the picture below shows:
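As an added example (my own code, not from the Alvosec posts), the following Python models the two permission checks discussed in this guide and in the "Scammer gave me access to his wallet?" post above: a weighted-threshold evaluator that shows why the key from the published seed (weight 1) cannot meet the Owner threshold of 4 without the scammer's second account (weight 3), and an owner/active isolation check that tells you whether the two XPR permissions still share a key, which is the situation the guide asks you to look for on the explorer's permissions tab. The JSON shapes follow the TRON getaccount and EOSIO get_account responses as I understand them (an assumption); the second TRON address and the XPR public keys are constructed placeholders.

```python
"""Weighted-threshold permission checks (added example, not code from the
original posts). Models the TRON-style multisig of the "scammer wallet"
(Owner threshold 4, weights 1 and 3) and XPR Network (EOSIO-style)
owner/active permissions. Assumption: the JSON shapes follow the TRON
getaccount and EOSIO get_account responses; every key or address except
the one quoted in the post is a constructed placeholder."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    name: str
    threshold: int
    keys: dict  # signer identifier (public key or address) -> weight


def from_tron(perm_json):
    """Build a Permission from a TRON owner_permission/active_permission object."""
    return Permission(
        name=perm_json["permission_name"],
        threshold=int(perm_json["threshold"]),
        keys={k["address"]: int(k["weight"]) for k in perm_json["keys"]},
    )


def from_eosio(account_json):
    """Build {perm_name: Permission} from an EOSIO get_account 'permissions' list.
    Only key-based authorities are modelled; account/wait authorities are ignored."""
    result = {}
    for p in account_json["permissions"]:
        auth = p["required_auth"]
        result[p["perm_name"]] = Permission(
            name=p["perm_name"],
            threshold=int(auth["threshold"]),
            keys={k["key"]: int(k["weight"]) for k in auth["keys"]},
        )
    return result


def total_weight(perm, signers):
    """Sum of the weights of the permission's keys that appear in `signers`."""
    present = set(signers)
    return sum(w for signer, w in perm.keys.items() if signer in present)


def satisfies(perm, signers):
    """True when the signers' combined weight reaches the threshold.
    1 + 3 = 4 satisfies a threshold of 4, matching the post's worked numbers,
    so the comparison is >= rather than strictly greater."""
    return total_weight(perm, signers) >= perm.threshold


def missing_weight(perm, signers):
    """Weight the holder of `signers` still lacks; 0 means they can act alone."""
    return max(0, perm.threshold - total_weight(perm, signers))


def keys_isolated(owner, active):
    """True when the owner and active permissions share no key."""
    return not (set(owner.keys) & set(active.keys))


def owner_active_isolated(account_json):
    """The check the guide asks you to do on the explorer's permissions tab."""
    perms = from_eosio(account_json)
    return keys_isolated(perms["owner"], perms["active"])


# Constructed sample: the honeypot wallet's Owner permission as described in the post.
SEED_ADDRESS = "TUr8tTfMmr2ML88C65xLHPT4JGNgUkvh9Z"  # address quoted in the post
SECOND_ADDRESS = "T_SECOND_ACCOUNT_PLACEHOLDER"      # not on the page; placeholder
SCAM_OWNER = from_tron({
    "type": 0, "permission_name": "owner", "threshold": 4,
    "keys": [{"address": SEED_ADDRESS, "weight": 1},
             {"address": SECOND_ADDRESS, "weight": 3}],
})


def _xpr_account(owner_key, active_key):
    """Constructed EOSIO-style account record with one key per permission."""
    def auth(key):
        return {"threshold": 1, "keys": [{"key": key, "weight": 1}], "accounts": [], "waits": []}
    return {"permissions": [
        {"perm_name": "owner", "parent": "", "required_auth": auth(owner_key)},
        {"perm_name": "active", "parent": "owner", "required_auth": auth(active_key)},
    ]}


SAME_KEY_ACCOUNT = _xpr_account("PUB_K1_PLACEHOLDER_A", "PUB_K1_PLACEHOLDER_A")
ISOLATED_ACCOUNT = _xpr_account("PUB_K1_PLACEHOLDER_OWNER", "PUB_K1_PLACEHOLDER_ACTIVE")

if __name__ == "__main__":
    print("seed holder can act alone:", satisfies(SCAM_OWNER, [SEED_ADDRESS]))
    print("weight still missing:", missing_weight(SCAM_OWNER, [SEED_ADDRESS]))
    print("both accounts together:", satisfies(SCAM_OWNER, [SEED_ADDRESS, SECOND_ADDRESS]))
    print("XPR keys isolated (before):", owner_active_isolated(SAME_KEY_ACCOUNT))
    print("XPR keys isolated (after):", owner_active_isolated(ISOLATED_ACCOUNT))
```

The `>=` comparison follows the worked numbers in the post (1 + 3 = 4 meets a threshold of 4). To check your own XPR account, feed `from_eosio` the permissions list shown by the explorer or returned by the chain's get_account endpoint; `owner_active_isolated` returning False means the Owner and Active permissions still share a key.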

What are pump and dump schemes?

In investment circles there are several elaborate methods with which scammers try to exploit unsuspecting traders. This article exposes one such method that is frequently used in unregulated investment markets, such as the cryptocurrency market – the pump and dump scheme.

In so many words, pump and dump is an investment scam where scammers buy an inexpensive coin by market cap, advertise (or pump) it, and then sell (or dump) it once the price has risen. The inflation of the price doesn’t reflect the coin’s underlying value, which means that the price plummets once the dumping is done.

Searching for a target

The pump and dump scheme begins with scammers selecting a viable cryptocurrency to exploit or even creating a coin related to current trends. It is ideally a little-known or fresh-on-the-market cryptocurrency (usually referred to as an altcoin) with a small market cap and which the general public does not know well (or at all). Such a coin has poor liquidity – low trading volume and meager supply and demand – meaning that very few people are buying or selling it. Once an appropriate candidate is selected, the scammers purchase a large quantity of the coins. This is often coordinated in anonymous and private online chat groups. The hype phase of such a pump and dump scheme can also indicate an upcoming rug pull, as the creators drive up the price to cash out.

Pumping it up

The increase in demand spurred on by the purchases of the scammers does part of the job to inflate the price of the altcoin. To hype the coin even more, scammers aggressively promote it across social media and communication platforms. Endorsement by public personas or institutions, whether real or (as can happen) faked by the scammers, also plays an important role in the buildup of the currency.

“Whale manipulation” is an alternative pumping strategy. Instead of just promoting the altcoin, the investor makes a substantial purchase to increase its trading volume and price through their own actions. This surge functions as additional bait for the unsuspecting trader.

FOMO never rests

Now the scammers only need to rely on the greedy nature of human beings. Effortless profit sounds like a good deal, so when people see an obscure coin rapidly growing in price, they are likely to want to hop onto the charging bull. This process, termed as fear of missing out or FOMO, is well-known in investment circles. It is the basic principle that makes pump and dump work.

The best time to dump

Once a large enough number of external investors take the bait and the hype starts dying out, it’s time for the scammers to sell what they own. The currency has reached the point where the scammers believe that its selling price is at the maximum. The scammers then sell their coins at the inflated price and pocket a hefty profit.

Aftermath: Who dropped the nuke?

The increase in supply and the drop in demand that follows start to decrease the falsely-inflated price swiftly. Dumping a sizeable amount by the scammers sends the altcoin’s price plummeting. Seeing the downward spiral and recognizing that the currency has no inherent value, external investors want to sell, too, to minimize losses. But for them, it’s already too late. Everyone who missed “dump o’clock” will likely end up with worthless coins.

Avoid the scams

Pump and dump schemes are not easy to recognize. Patterns on trading charts make no distinction between a pumped coin and a coin for which the increase in price is genuine. If purchasing coins at ICO or investing in obscure altcoins, you always need to do your research or ask someone with more experience, and only trade what you understand.

When investing, pay attention to exceptional price jumps (everything above 80% in a day or two is usually considered suspicious) and be careful with small-market-cap cryptocurrencies. If your research on the crypto yields no good reason for the price surge, that’s often simply because there is none. Steer clear. Your investments are better placed elsewhere. To avoid the rug pull, look for liquidity and lockups in a token pool. If they seem small, it’s best to give the new token some time before investing.

If you want a safe cryptocurrency to invest in, you’re better off by selecting one of the largest cryptocurrencies around. (Source)

Cardiologist turns into black hat hacker

A criminal complaint was unsealed today in federal court in Brooklyn, New York, charging Moises Luis Zagala Gonzalez (Zagala), also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and Venezuela who resides in Venezuela, with attempted computer intrusions and conspiracy to commit computer intrusions. The charges stem from Zagala’s use and sale of ransomware, as well as his extensive support of, and profit sharing arrangements with, the cybercriminals who used his ransomware programs.

Cardiologist Turns Hacker – Moises Luis Zagala Gonzalez, a cardiologist in Venezuela, is the alleged creator behind the Jigsaw v.2 and Thanos ransomware strains.

Beginning in late 2019, Zagala began advertising a new tool online—a “Private Ransomware Builder” he called “Thanos.”  The name of the software appears to be a reference to a fictional cartoon villain named Thanos, who is responsible for destroying half of all life in the universe, as well as a reference to the figure “Thanatos” from Greek mythology, who is associated with death.  The Thanos software allowed its users to create their own unique ransomware software, which they could then use or rent for use by other cybercriminals.  The user interface for the Thanos software is shown below:

The screenshot shows, on the right-hand side, an area for “Recovery Information,” in which the user can create a customized ransom note.  Other options include a “data stealer” that specifies the types of files that the ransomware program should steal from the victim computer, an “anti-VM” option to defeat the testing environments used by security researchers, and an option, as advertised, to make the ransomware program “self-delete.” 

Rather than simply sell the Thanos software, Zagala allowed individuals to pay for it in two ways.  First, a criminal could buy a “license” to use the software for a certain period of time.  The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina that Zagala controlled for the purpose of confirming that the user had an active license. Alternatively, a Thanos customer could join what Zagala called an “affiliate program,” in which he provided a user access to the Thanos builder in exchange for a share of the profits from Ransomware attacks.  Zagala received payment both in fiat currency and cryptocurrency, including Monero and Bitcoin.

Zagala advertised the Thanos software on various online forums frequented by cybercriminals, using screen names that referred to Greek mythology.  His two preferred nicknames were “Aesculapius,” referring to the ancient Greek god of medicine, and “Nosophoros,” meaning “disease-bearing” in Greek.  In public advertisements for the program, Zagala bragged that ransomware made using Thanos was nearly undetectable by antivirus programs, and that “once encryption is done,” the ransomware would “delete itself,” making detection and recovery “almost impossible” for the victim. 

In private chats with customers, Zagala explained to them how to deploy his ransomware products—how to design a ransom note, steal passwords from victim computers, and set a Bitcoin address for ransom payments.  As Zagala explained to one customer, discussing Jigsaw: “Victim 1 pays at the given btc [Bitcoin] address and decrypts his files.”  Zagala also noted that “there is a punishment… [i]f user reboots.  For every rerun it will punish you with 1000 files deleted.”  After Zagala explained all the features of the software, the customer replied: “Sir, I really need to say this… You are the best developer ever.”  Zagala responded: “Thank you that is nice to hear[.]  Im very flattered and proud.”  Zagala had only one request: “If you have time and its not too much trouble to you please describe your experience with me” in an online review.

(Source: justice.gov)

PDF can contain malicious Word document

Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.

The choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code.

However, as people become more educated about opening malicious Microsoft Office attachments, threat actors switch to other methods to deploy malicious macros and evade detection.

In a new report by HP Wolf Security, researchers illustrate how PDFs are being used as a transport for documents with malicious macros that download and install information-stealing malware on victim’s machines.

Embedded Word in PDF file

Analyzing the PDF file reveals that the .docx file is stored as an EmbeddedFile object.

This can also be detected by using Didier Stevens' pdfid script. After Acrobat Reader launches, it prompts to open an embedded file called "has been verified. However PDF, Jpeg, xlsx, .docx". The file name makes it appear that Adobe has verified the file and deemed it safe.
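Detection of the embedded file, as an added example that is not part of the original post: the Python below is my own minimal scanner in the spirit of pdfid (it is not pdfid itself). It counts risky name objects such as /EmbeddedFile and /OpenAction after undoing the #xx hex escapes that PDF names allow, which defeats naive string matching for the plain keyword, and it flags an embedded Office document whose /F name reads like a verification notice. The sample PDF bytes are constructed for this example, with only the file name taken from the post; they are not the campaign's sample.

```python
"""Minimal PDF triage in the spirit of pdfid (added example; my own code,
not pdfid and not from the original post). The SAMPLE_PDF below is a
constructed, not fully well-formed, document that only needs to exercise
the scanner; the embedded file name is the one quoted in the post."""
import re

# Name objects worth counting in a quick triage (same idea as pdfid's keyword list).
KEYWORDS = ("/EmbeddedFile", "/EmbeddedFiles", "/OpenAction", "/AA",
            "/JavaScript", "/JS", "/Launch", "/ObjStm")
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf", ".ppt", ".pptx")
LURE_WORDS = ("verified", "safe", "scanned", "secure")

# A PDF name token runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# /F (...) or /UF (...) string operands of a Filespec dictionary (backslash escapes allowed).
FILENAME_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")


def normalize_name(token):
    """Undo PDF name hex escapes, e.g. b'/Embedded#46ile' -> b'/EmbeddedFile'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def count_keywords(pdf_bytes):
    """Count each KEYWORDS entry, matching whole name tokens after unescaping."""
    counts = {k: 0 for k in KEYWORDS}
    for m in NAME_RE.finditer(pdf_bytes):
        name = normalize_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def embedded_file_names(pdf_bytes):
    """Distinct /F and /UF file names found in Filespec-style dictionaries."""
    names = [m.group(1).decode("latin-1") for m in FILENAME_RE.finditer(pdf_bytes)]
    return list(dict.fromkeys(names))


def triage(pdf_bytes):
    """Return keyword counts, embedded file names and human-readable findings."""
    counts = count_keywords(pdf_bytes)
    names = embedded_file_names(pdf_bytes)
    findings = []
    if counts["/EmbeddedFile"] or counts["/EmbeddedFiles"]:
        findings.append("embedded file present")
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("automatic action on open")
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("javascript present")
    if counts["/Launch"]:
        findings.append("launch action present")
    for n in names:
        low = n.lower()
        if low.endswith(OFFICE_EXT):
            findings.append(f"embedded Office document: {n!r}")
        if any(w in low for w in LURE_WORDS):
            findings.append(f"file name reads like a verification notice: {n!r}")
    return {"keywords": counts, "embedded_names": names, "findings": findings}


# Constructed sample: an embedded .docx, an open action, and a hex-escaped /EmbeddedFile.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    b"   /Names << /EmbeddedFiles << /Names [(lure) 4 0 R] >> >>\n"
    b"   /OpenAction << /S /JavaScript /JS (placeholder) >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /Filespec\n"
    b"   /F (has been verified. However PDF, Jpeg, xlsx, .docx)\n"
    b"   /UF (has been verified. However PDF, Jpeg, xlsx, .docx)\n"
    b"   /EF << /F 5 0 R >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Embedded#46ile /Length 4 >>\nstream\nPK\x03\x04\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    report = triage(data)
    for k, v in report["keywords"].items():
        print(f"{k:16} {v}")
    for line in report["findings"]:
        print("finding:", line)
```

Run it with a file path to scan a real PDF; with no argument it scans the constructed sample. A hit on /EmbeddedFile together with an Office extension is a triage signal, not proof of malice: extract the embedded object (pdf-parser or a similar tool can dump it) and inspect it separately before drawing conclusions.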

The picture below shows the process graph when the PDF file is opened.

Here we can see how the file tries to open the embedded Word document inside the PDF.

If we return to our PDF document and click on “Open this file” at the prompt, Microsoft Word opens. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.

Since Microsoft Word does not say which server it contacted, we can use Wireshark to record the network traffic and identify the HTTP stream that was created.

Conclusion

While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems. Embedding files, loading remotely-hosted exploits and encrypting shellcode are just three techniques attackers use to run malware under the radar. The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers.