Categories
Alvosec

We have become a Block Producer on XPR Network ⚛️

We are excited to announce that we have become a Block Producer in the XPR Network ⚛️ ecosystem. We have learned a lot through the process of becoming a Block Producer, and we are now ready to contribute to the XPR ecosystem.

Security is our priority

We are primarily focused on providing greater security for the ecosystem itself and for all Proton users. As you may already know, Alvosec has been part of HackerOne since 2017, where thousands of hackers have tried to break our systems. Through similar platforms we gained the knowledge and experience to develop a strategy against early-stage attacks. Our mission on the Proton chain will be to advise on implementing stronger security practices and to raise security awareness for the entire community. We have already launched a honeypot that will trap attackers and monitor their activities to enhance network security.

For more: https://alvosec.com/block-producer/

Giving back to the community

We believe in giving back and helping out the community, therefore our plan is to publish articles to increase awareness of cybersecurity. We will also publish general articles guiding users on how to use Proton services properly.

A digital marketing campaign will be launched triannually; all of our work will be transparent and available for all Proton users to share with others.

#1 Position in Google with keyword: block producer security

Node specification

Alvosec is using an enterprise server equipped with the latest Intel® Core™ i7-8700, 64 GB of RAM and NVMe storage devices to guarantee the best performance and redundancy.

Performance on Aloha EOS:

You support us, we support you

You can vote for Alvosec on WebAuth.com and earn daily staking rewards at a variable APR. We are grateful to all our voters.

What is social engineering?

In a broader sense, any kind of manipulation linked to behavioral psychology can be considered social engineering. However, the concept is not always related to criminal or fraudulent activities. In fact, social engineering is being widely used and studied in a variety of contexts, in fields like social sciences, psychology, and marketing.

When it comes to cybersecurity, social engineering is performed with ulterior motives and refers to a set of malicious activities that attempt to manipulate people into making bad moves, such as giving up personal or confidential information that can be later used against them or their company. Identity fraud is a common consequence of these types of attacks and in many cases leads to significant financial losses.

Social engineering is often presented as a cyber threat, but the concept has existed for a long time, and the term may also be used in relation to real-world fraudulent schemes, which usually involve impersonation of authorities or IT specialists. However, the emergence of the internet made it much easier for hackers to perform manipulative attacks on a wider scale and, unfortunately, these malicious activities are also taking place in the context of cryptocurrencies.

How does it work?

All types of social engineering techniques rely on the weaknesses of human psychology. Scammers take advantage of emotions to manipulate and trick their victims. People’s fear, greed, curiosity, and even their willingness to help others are turned against them through a variety of methods. Among the multiple sorts of malicious social engineering, phishing is certainly one of the most common and well-known examples.

Phishing

Phishing emails often mimic correspondence from a legitimate company, such as a national bank chain, a reputable online store, or an email provider. In some cases, these clone emails will warn users that their account either needs to be updated or has shown unusual activity, requiring them to provide personal information as a way to confirm their identity and regularize their accounts. Out of fear, some people promptly click the links and navigate to a fake website in order to provide the required data. At this point, the information will be in the hands of the hackers.

Scareware

Social engineering techniques are also applied to spread so-called scareware. As the name suggests, scareware is a type of malware designed to scare and shock users. Such attacks typically involve the creation of false alarms that attempt to trick victims into installing fraudulent software that looks legitimate, or into accessing a website that infects their system. The technique often relies on users’ fear of having their system compromised, convincing them to click on a web banner or popup. The messages usually say something like: “Your system is infected, click here to clean it.”

Baiting

Baiting is another social engineering method that causes trouble for many inattentive users. It involves the use of baits to lure victims based on their greed or curiosity. For instance, scammers may create a website that offers something for free, like music files, videos, or books. But in order to access these files, users are required to create an account, providing their personal information. In some cases, there is no need for an account because the files are directly infected with malware that will penetrate the victim’s computer system and collect their sensitive data.

Baiting schemes may also occur in the real world through the use of USB sticks and external hard drives. Scammers may intentionally leave infected devices in a public place, so any curious person who grabs one to check its contents ends up infecting their personal computer.

Social engineering and cryptocurrencies

A greedy mentality can be quite dangerous when it comes to financial markets, making traders and investors particularly vulnerable to phishing attacks, Ponzi or pyramid schemes, and other types of scams. Within the blockchain industry, the excitement that cryptocurrencies generate attracts many newcomers to the space in a relatively short period of time (especially during bull markets).

Even though many people do not fully understand how cryptocurrency works, they often hear about the potential of these markets to generate profits and end up investing without doing appropriate research. Social engineering is particularly concerning for the rookies as they are frequently trapped by their own greed or fear.

On the one hand, the eagerness to make quick profits and earn easy money eventually leads newcomers to chase false promises of giveaways and airdrops. On the other hand, the fear of having their private files compromised may drive users to pay a ransom. In some cases, there is no real ransomware infection, and users are tricked by a false alarm or message created by hackers.

How to prevent social engineering attacks

As mentioned, social engineering scams work because they appeal to human nature. They usually use fear as a motivator, urging people to act immediately in order to protect themselves (or their system) from an unreal threat. The attacks also rely on human greed, luring victims into various types of investment scams. So it is important to keep in mind that if an offer looks too good to be true, it probably is.

Although some scammers are sophisticated, other attackers make noticeable mistakes. Some phishing emails, and even scareware banners, often contain syntax mistakes or misspelled words and are only effective against those who don’t pay enough attention to grammar and spelling – so keep your eyes open.

In order to avoid becoming a victim of social engineering attacks, you should consider the following security measures:

  • Educate yourself, your family and friends. Teach them about the common cases of malicious social engineering and inform them about the main general security principles.
  • Be cautious with email attachments and links. Avoid clicking on ads and websites of unknown origin.
  • Install a trustworthy antivirus and keep your software applications and operating system up to date.
  • Make use of multifactor authentication solutions whenever you can to protect your email credentials and other personal data.
  • For businesses: consider preparing your employees to identify and prevent phishing attacks and social engineering schemes.

Closing thoughts

Cybercriminals are constantly looking for new methods to deceive users, aiming to steal their funds and sensitive information, so it is very important to educate yourself and the ones around you. The internet provides a haven for these types of scams, and they are particularly frequent in the cryptocurrency space. Be cautious and stay alert to avoid falling for social engineering traps.

Furthermore, anyone that decides to trade or invest in cryptocurrency should do prior research and make sure to have a good understanding of both the markets and the working mechanisms of blockchain technology.

Source

What is a dusting attack and how to spot it?

A dusting attack refers to a relatively new kind of malicious activity where hackers and scammers try to gain access to the funds of users by sending tiny amounts of coins to their wallets. The transactional activity of these wallets is then tracked down by the attackers, who perform a combined analysis of different addresses to deanonymize the person or company behind each wallet.

A similar attack occurred in the summer of 2019, when hundreds of thousands of dust transactions were made to Litecoin wallets.

Example of dusting attack:

Fortunately, the source of the attack was identified before any harm was done. Those responsible later came forward to state that their intention was to advertise their mining pool to the Litecoin community. Despite the harmless outcome, the incident did highlight the ease with which such attacks can be executed – particularly as attempts like the one on Litecoin can happen on any public blockchain.

Generally, attackers have recognized that a large proportion of cryptocurrency users pay very little attention to the almost microscopic amounts of funds they hold in dust.

Once they have dusted a wallet, they will then track data on the activity of the affected accounts in an attempt to uncover what organizations or individuals they are associated with. Hackers may then be able to use that information in phishing scams.

Warning! Never click on suspicious links, especially when the transaction memo contains an unknown URL.
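A small detector for the pattern described above, added here as an example and not taken from the original post: it flags incoming transfers below a per-token dust threshold and memos that carry a link, and counts how many distinct wallets the same sender has dusted. The thresholds, account names and transfer records are constructed samples in an XPR-style "amount SYMBOL" format.

```python
# Added example (not from the Alvosec post): flag incoming dust transfers and
# memos that carry a link, the two signals the post describes. Thresholds and
# transfer records are constructed samples in an XPR-style "amount SYMBOL" form.
import re
from decimal import Decimal

# Smallest amount that is NOT dust, per token symbol (assumed values).
DUST_THRESHOLD = {"XPR": Decimal("0.0100"), "XUSDC": Decimal("0.010000")}

# Matches plain, defanged (hxxp) and bare-domain links inside a memo.
URL_RE = re.compile(
    r"(?:hxxps?|https?)://\S+|www\.\S+|\b[a-z0-9-]+\.[a-z]{2,}(?:/\S*)?", re.I)

SAMPLE_TRANSFERS = [  # (from, to, quantity, memo); constructed, not chain data
    ("alice", "me",    "25.0000 XPR",    "lunch"),
    ("dust1", "me",    "0.0001 XPR",     "claim reward: hxxp://example.invalid/claim"),
    ("dust1", "bob",   "0.0001 XPR",     "claim reward: hxxp://example.invalid/claim"),
    ("dust1", "carol", "0.0001 XPR",     "claim reward: hxxp://example.invalid/claim"),
    ("dust2", "me",    "0.000100 XUSDC", ""),
    ("shop",  "me",    "0.5000 XPR",     "refund"),
    ("eve",   "me",    "100.0000 XPR",   "support: airdrop-portal.invalid/verify"),
]

def parse_quantity(quantity):
    """'0.0001 XPR' -> (Decimal('0.0001'), 'XPR')."""
    amount, symbol = quantity.split()
    return Decimal(amount), symbol

def classify(transfer):
    """Reasons a transfer looks suspicious: 'dust', 'memo_url', or none."""
    _, _, quantity, memo = transfer
    amount, symbol = parse_quantity(quantity)
    reasons = []
    if amount < DUST_THRESHOLD.get(symbol, Decimal(0)):
        reasons.append("dust")
    if URL_RE.search(memo):
        reasons.append("memo_url")
    return reasons

def flag_incoming(transfers, account):
    """Suspicious transfers received by ACCOUNT, each with the number of distinct
    wallets the same sender has dusted (high fan-out points to bulk dusting)."""
    dusted = {}
    for t in transfers:
        if "dust" in classify(t):
            dusted.setdefault(t[0], set()).add(t[1])
    flagged = []
    for sender, receiver, quantity, memo in transfers:
        reasons = classify((sender, receiver, quantity, memo))
        if receiver == account and reasons:
            flagged.append({"from": sender, "quantity": quantity, "reasons": reasons,
                            "dusted_wallets": len(dusted.get(sender, ()))})
    return flagged

if __name__ == "__main__":
    for hit in flag_incoming(SAMPLE_TRANSFERS, "me"):
        print(hit)
```

A large transfer with a link in the memo (the last sample) is flagged too, since the lure, not the amount, is what leads to the phishing page.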

How to create PGP keys to encrypt and sign files

Pretty Good Privacy (PGP) is an encryption system used for both sending encrypted emails and encrypting sensitive files. Since its invention back in 1991, PGP has become the de facto standard for email security.

The popularity of PGP is based on two factors. The first is that the system was originally available as freeware, and so spread rapidly among users who wanted an extra level of security for their email messages. The second is its use of public-key cryptography, or asymmetric cryptography, which is a cryptographic system that uses pairs of keys. Each pair consists of a public key (which may be known to others) and a private key (which may not be known by anyone except the owner).

Symmetric encryption, by contrast, is a type of encryption where only one key (a secret key) is used for both encryption and decryption. You can see an example of symmetric encryption here.

Generate a PGP Keypair

In our case we will be using GnuPG, which is also available for Windows users; our default environment is Linux. Open the console and run:

gpg --full-generate-key

It will prompt with the following options:

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
 (14) Existing key from card

We have selected RSA and RSA (default).

Now it prompts for the key size, between 1024 and 4096 bits.

We will choose 4096 bits.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

Now, it will prompt for the validity of the key.

Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0)

Zero (0) is the default meaning that our key pair will never expire. You can hit enter to select 0. Confirm that everything is correct.

Now, enter the name, email address, and comment. Name can be the name of a person, product, or company. You can leave the comment blank.

GnuPG needs to construct a user ID to identify your key.
Real name:

Let’s see the information that will be available publicly:

Name: Your name
Comment: (Ethical hacker)
Email: <your@mail.com>

After validating the information, a prompt will open for the passphrase; enter a strong passphrase and hit enter.

Now we can export the public key. The key listing looks like this:

pub   rsa4096 2017-02-02 [SC]
uid           [ unknown] alvosec <info@alvosec.com>
sub   rsa4096 2017-02-02 [E]

Take the key ID and run:

gpg --export -a <key-id> > public.key

Or run with the --armor option to create ASCII output:

gpg --output alvosec-pgp.asc --armor --export info@alvosec.com

Secure Your PGP Key

Important! If you fail to back up or otherwise secure your key, any hardware failure will lead to complete loss of your key pairs.

Consider creating a revocation certificate, which is used to mark your key as invalid in case you lose your secret key or your key is compromised. You can simply run:

gpg --output revoke.asc --gen-revoke <key-id>

After which you get:

sec  rsa4096/4B0403CFC4FE5A8D 2017-02-02 alvosec <info@alvosec.com>

Create a revocation certificate for this key? (y/N)

Press y and you are done. Enjoy using PGP keys; you can also send us your first message using PGP key pairs – here is our public key.

Investigation of websites and Telegram groups that are stealing private keys

The rise in popularity of cryptocurrencies has encouraged cybercriminals to find innovative ways to attack markets, users and any structure where cryptocurrencies are stored. In simple words, if an attacker is able to exploit some area of a chain, smart contract or exchange, or to illegitimately withdraw cryptocurrency, it would be deemed a hack or theft. Scammers around the world took home a record $14 billion in cryptocurrency in 2021.

More than €3 million was stolen in the Ledger phishing scam

Phishing scams don’t make up a huge percentage of bitcoin scams, but the Ledger phishing scam was notable. Ledger provides hardware wallets, devices on which users store cryptocurrency. After user email addresses were leaked in a data breach (disclosed in July 2020), a subsequent October phishing scam targeted customers involved in the breach.

Emails sent to victims contained a link leading to a phishing site that looked like the legitimate Ledger website. In turn, the website contained a link that actually downloaded malware capable of draining the victim’s Ledger wallet. Chainalysis has identified more than €3 million worth of stolen funds related to the scheme. Source

Beginning of our investigation

After we identified that a cloned and fake Telegram group was trying to steal private keys from different wallets, we began our investigation.

At the first stage we gathered all available information from their infrastructure: all related domains, servers, emails, DNS, hosting accounts and the rest of what we thought was valuable for further analysis. At the second stage we tried to establish communication with them. As you may already know, they are not hard to find, and if you don’t find them, they will find you.

List of all domains that were related to this organized fraud.

While communicating with them, we used some social engineering tricks, where we pretended to have a problem with our wallet. They immediately responded with their scam website and instructed us to enter our 12-word phrase or private key in order to solve the problem with the wallet.

Here is an example of a fraudulent website.

We continued pretending that something went wrong and we were not able to proceed, because their shitty website kept redirecting us to Google, so we gave them a potential ‘solution’ for our ‘problem’.

This (legit) Google URL silently redirected them to our page, where we captured their information. Locations varied, from Nigeria to the USA etc. Not to mention how mad they were after realizing that they hadn’t opened Google.com but Alvosec.com. One of them even used abusive language against us. : )

Chatting with them was kinda boring, so we went for real action. By analyzing their websites we again found valuable information: access logs, vulnerabilities, and easy access to their most-used shared hosting accounts.

Done, we had enough and didn’t want to waste more time on them, so we bulk-reported all confirmed scam websites. We were positively surprised: most of the reported websites were shut down, and the one from the group was suspended only three hours later: hxxp://allvalidationconnect.com/ .

Never click on suspicious or malicious links; when you click on unverified links or download suspicious apps, you increase the risk of exposure to malware.

This Telegram group is fake and we are hoping that it will be soon suspended. The only real one and official is this one – https://t.me/protonxpr

End of investigation

Most of the time reporting abusive domain name(s) is complicated, so we are planning to automate the process of bulk reporting. If anyone is interested, there are already interesting projects for reporting: https://phish.report/ and https://www.abuseipdb.com/bulk-report.

Remember, there are more sophisticated attacks and scams out there, so act responsibly and carefully.

If you want to report a domain name, email address or IP address involved in abusive activity, here are some tips to follow to make this process easier.

Always submit full information, such as the domain name, the full email (forwarded as an attachment, .eml) and IP addresses. Don’t submit chat messages from Discord, Telegram, etc., unless they contain valuable information that can improve our future investigations.

Send all reports to this email: report@alvosec.com.

How to sign a file or message using gpg?

Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, sensitive documents, and much more. It’s very common for these types of information to be transmitted via email or other services. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data?

Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). Read on to learn more about signing and verifying authenticity of the signed file.

GnuPG offers three options for signing data:

--detach-sign
Create a binary or ASCII-armored detached signature from the input

--clearsign
Wrap the input in a plaintext signature

--sign
Encode the input into binary or ASCII-armored output with an integrated signature

Let’s take a simple example of how to sign a document.

gpg --clearsign file.txt

The signed file is saved as file.txt.asc and this is its content:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I want to sign this message!
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEar1XMrK21wy…
-----END PGP SIGNATURE-----

Then you need to verify the signed file:

gpg --verify file.txt.asc

You will see something like this:

gpg: Signature made Wed 26 Jan 2022 07:55:37 AM CET
gpg: Good signature from "alvosec <info@alvosec.com>"

A signed document has limited usefulness. Other users must recover the original document from the signed version, and even with clearsigned documents, the signed document must be edited to recover the original. Therefore, there is a third method for signing a document that creates a detached signature. A detached signature is created using the --detach-sign option (short form -b).

gpg --detach-sign -o sig.gpg file.pdf

Both the document and the detached signature are needed to verify the signature. The --verify option can be used to check the signature:

gpg --verify sig.gpg file.pdf
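The key generation, export, signing and verification steps from the two GnuPG posts above, run unattended end to end, as an added example that is not code from the original posts. It assumes GnuPG 2.1+ on PATH (for %no-protection and gpgconf); the key size, user ID and file contents are constructed samples, and the final step shows why a detached signature must be re-verified after any change to the file.

```python
# Added example (not code from the Alvosec post): the post's GnuPG key
# generation, export, signing and verification run unattended in a throw-away
# GNUPGHOME, then a check that a detached signature fails once the file changes.
# Assumes GnuPG 2.1+ on PATH; user ID and file contents are constructed samples.
import os, shutil, subprocess, tempfile
from pathlib import Path

# Batch parameters replace the post's prompts; 3072 is GnuPG's default (the post chose 4096).
KEY_PARAMS = """%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Example Signer
Name-Comment: demo key
Name-Email: signer@example.com
Expire-Date: 0
%commit
"""

def gpg(home, *args, check=True):
    """Run gpg non-interactively against the isolated keyring in HOME."""
    env = dict(os.environ, GNUPGHOME=str(home))
    return subprocess.run(["gpg", "--batch", "--yes", *args], env=env,
                          capture_output=True, text=True, check=check)

def verify_ok(home, *args):
    """True when 'gpg --verify' accepts the signature (exit status 0)."""
    return gpg(home, "--verify", *args, check=False).returncode == 0

def demo():
    """Returns (clearsign_ok, detached_ok, tampered_ok), or None without gpg."""
    if shutil.which("gpg") is None:
        return None
    work = Path(tempfile.mkdtemp())
    home = work / "gnupg"
    home.mkdir(mode=0o700)
    try:
        (work / "params").write_text(KEY_PARAMS)
        gpg(home, "--gen-key", work / "params")   # 2.1+ also writes openpgp-revocs.d/<fpr>.rev
        gpg(home, "--armor", "--output", work / "public.asc",
            "--export", "signer@example.com")     # same as the post's export step
        msg = work / "file.txt"
        msg.write_text("I want to sign this message!\n")
        gpg(home, "--clearsign", msg)             # -> file.txt.asc
        clear_ok = verify_ok(home, work / "file.txt.asc")
        doc, sig = work / "file.pdf", work / "sig.gpg"
        doc.write_bytes(b"%PDF-1.4 constructed sample\n")
        gpg(home, "--detach-sign", "-o", sig, doc)
        detached_ok = verify_ok(home, sig, doc)
        doc.write_bytes(doc.read_bytes() + b"x")  # one-byte tamper
        return clear_ok, detached_ok, verify_ok(home, sig, doc)
    finally:
        subprocess.run(["gpgconf", "--kill", "gpg-agent"], check=False,
                       env=dict(os.environ, GNUPGHOME=str(home)))
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    print(demo())   # (True, True, False) when gpg is available
```

Nothing here touches your real keyring: the temporary GNUPGHOME is deleted at the end, and the key has no passphrase only because it is disposable.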