Tag Archive for: Infecting

Hackers are infecting Macs with malware using calendar invites and meeting links — don’t fall for this


Getting an email with a calendar link for a meeting has become commonplace, but you may want to think twice before clicking on one. That’s because hackers have begun using calendar invites and meeting links to infect unsuspecting users with Mac malware.

As reported by Krebs On Security, cybercriminals are now abusing the popular scheduling tool Calendly in their scams. As with other malware campaigns, this one uses social engineering to find potential targets, but instead of draining their bank accounts, it goes after cryptocurrency.

Source…

Trickbot malware scumbag gets five years for infecting hospitals, businesses • The Register


A former Trickbot developer has been sent down for five years and four months for his role in infecting American hospitals and businesses with ransomware and other malware, costing victims tens of millions of dollars in losses.

Vladimir Dunaev, of Amur Oblast in Russia, was sentenced in the US yesterday after pleading guilty on November 30 to two counts: conspiracy to commit computer fraud, and conspiracy to commit wire fraud.

Between June 2016 and June 2021, Dunaev worked as a developer for the criminal gang, providing “specialized services and technical abilities,” according to his plea agreement [PDF].

These special skills included recruiting other coders, buying and managing servers used to deploy and operate the Windows nasty Trickbot, encrypting the malware to avoid detection by security software, spamming and phishing potential victims, and then laundering stolen funds. He also added support for stealing information out of victims’ browsers, such as their online account credentials.

“For instance, Dunaev developed browser modifications for several widely used open-source browsers, such as FireFox and Chrome, using open-source codebases for each browser called FireFox Nightly and Chromium,” the court documents say. “These modifications facilitated and enhanced the remote access obtained by Trickbot by allowing actors to steal passwords, credentials, and other stored information.”

Dunaev also confessed to writing code used to steal secrets from infected computers. Between October 2018 and February 2021 alone, the crew defrauded victims out of more than $3.4 million, the court documents claim.  

According to the UK National Crime Agency, the gang has extorted at least $180 million (£145 million) from people and organizations worldwide.

In 2021, Dunaev was extradited to America from South Korea. The original indictment charged Dunaev and six others for their alleged roles in developing, deploying, managing and profiting from Trickbot.

In June, one of the six suspects — Trickbot malware admin Alla Witte — pleaded guilty to conspiracy to commit computer fraud and was sentenced to two years and eight months in prison.

Trickbot, which started as a banking…

Source…

Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware


A threat actor infected their own computer with an information stealer, which has allowed Israeli threat intelligence company Hudson Rock to uncover their real identity.

Using the online moniker ‘La_Citrix’, the threat actor has been active on Russian speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections.

La_Citrix, Hudson Rock says, has been observed hacking into organizations and compromising Citrix, VPN, and RDP servers to sell illicit access to them.

The hacker, the cybersecurity firm says, was careless enough to infect their own computer with an information stealer and to sell access to the machine without noticing.

This allowed Hudson Rock to explore the cybercriminal’s computer, which had been used to perpetrate intrusions at hundreds of companies. The computer contained employee credentials at almost 300 organizations, and the browser stored corporate credentials used to perform hacks.

According to Hudson Rock, La_Citrix was employing information stealers to exfiltrate corporate credentials that were then used to access organizations’ networks without authorization.

Further analysis of the threat actor’s computer also helped the cybersecurity firm discover their real identity and their location.


“Data from La_Citrix’s computer such as ‘Installed Software’ reveals the real identity of the hacker, his address, phone, and other incriminating evidence such as ‘qTox’, prominent messenger used by ransomware groups, being installed on the computer,” Hudson Rock notes.

The threat intelligence company, which notes that it has knowledge of thousands of hackers who accidentally infected their own computers with malware, says it will forward the uncovered evidence to the relevant law enforcement authorities.

“This is not the first time we’ve identified hackers who accidentally got compromised by info-stealers, and we expect to see more as info-stealer infections grow exponentially,” the company notes.


Source…

Google wins court order against Pakistani gang accused of infecting computers with botnet




This court order doesn’t just apply to domain name registrars or hosting providers but covers blocking network traffic



Google has won a court order to force ISPs to filter botnet traffic. A US court recently unsealed a restraining order against a cybercriminal gang operating out of Pakistan that came on the back of a formal legal complaint from Google.

The tech giant reportedly collected evidence about the cybergang and accused it of ripping off Google product names, icons, and trademarks to push their malware distribution service. According to the report, the allegations also include running “pay-per-install” services for alleged software bundles that deliberately injected malware onto victims’ computers and operating a botnet to steal, collect, and collate personal data from hundreds of thousands of victims in the US.

Loosely known as CryptBot, the cybergang is alleged to have plundered browser passwords, illicitly-snapped screenshots, cryptocurrency account data, and other personally identifiable information.

“The Defendants are responsible for distributing a botnet that has infected approximately 672,220 CryptBot victim devices in the US in the last year. At any moment, the botnet’s extraordinary computing power could be harnessed for other criminal schemes,” the court order said.

“Defendants could, for example, enable large ransomware or distributed denial-of-service attacks on legitimate businesses and other targets. Defendants could themselves perpetrate such a harmful attack, or they could sell access to the botnet to a third party for that purpose,” it added.

The defendant group didn’t show up in court to argue their case. The court favoured a temporary restraining order and said that the criminal enterprise is defrauding users and injuring Google. It also authorised Google to identify network providers…

Source…