Hacking Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last updated Sun, 01 Sep 2024 20:05:39 +0000.

Fake Instagram Hacking Services
https://gridinsoft.com/blogs/fake-instagram-hacking-services/ – Tue, 02 Jul 2024 16:01:15 +0000

Instagram hacking scams are an old yet resurgent form of online fraud that targets people who want to get into someone else's social media account. Fraudsters poison search results, gather the users interested in such a service and push them to shady pages or to ones that promote commercial spyware. The key risks for users are money loss, malware infection and identity theft.

Instagram Account Hacking Scams Overview

Hacking into someone's Instagram account was, and remains, a dream for quite a few people. I won't discuss the moral side of it in this article, but scammers definitely aim to exploit this gray-zone wish. Quite a few websites have popped up recently, offering to hack the password of any Instagram account in just a few clicks.

[Image: Example of a site that offers fake hacking services for Instagram accounts]

Upon opening the site and entering the target username, the user is shown an alleged hacking process. Some sites claim to be running a brute force attack (which at least names a real technique, though guessing a password against Instagram's rate limiting in a few seconds is not realistic), while others are "injecting commands" or performing "RCE injections". For anyone even remotely familiar with how these things work, these sites look like nothing but ridiculous lies.

[Image: Fake hacking process]

List of scam hacking websites (updating)

  • Instahack.thegen.org (Scan Report)
  • Instagramhackonline.com
  • Wordbeep.com (Scan Report)
  • Hs-panel.com

The ending is even more interesting. The site shows an alleged "Hack successful" page, but then a pop-up appears saying that the account is well protected. To get into it, the user should click the button and follow the instructions. This is where the main course of the scam kicks in.

[Image: Protected account pop-up]

In my observation, the button on several different websites redirected me to the payment page of a shady commercial spyware; each scam appears to promote a different one. Buying the spyware is supposed to help with accessing the Instagram account. However, other people, particularly in North America, report that the click sends them to other, much less safe sites: notification spam sites, websites offering to download sketchy software, or even outright phishing pages.

[Image: Malicious ad offering to install an extension]

Promoting Through Hacked Legitimate Websites

The way these scams are promoted also deserves attention. They primarily target Google search results for queries like "Instagram hacking" or "Hack Instagram account". The search engine will not rank the scam page itself at the top of the results, so instead the fraudsters inject the corresponding keywords into files and directories of legitimate, well-established websites. This practice is known as SEO poisoning, though what we see here is a modernized variant of it. It does not actually require hacking the host site: it is enough that the site accepts uploaded documents and has indexing of them enabled, so the keyword spam ends up in Google's search index.

[Image: Poisoned search results]

Once the user clicks what looks like a result from a well-established site, they are redirected to one of the scam pages listed above. The sites infested with such documents are mostly those of government organizations. Google may also display several GitHub pages, but all of them are taken down at the moment. Government sites, as usual, have much slower moderation, so I expect these poisoned results to hold up for some time. In the past, other fraudsters used the exact same practice to redirect people searching for Roblox money generator cheats to fake tech support pages.

Is Instagram Hacking Real at All?

In fairness, it really is possible to hack someone's account, not only on Instagram but on pretty much any website. I am not talking about the dodgy sites mentioned above, of course. With a fair amount of social engineering, OSINT, brute force or phishing, one can get access to almost anything. These methods, complemented with infostealer malware, form the basis of modern account takeover attacks.

The ways to secure your account against such tricks are simple and repeated in dozens of places. Set a strong, unique password (a password manager helps), enable multi-factor authentication, turn on login notifications for your devices, and change the password right away if you suspect it has leaked (scheduled rotation on its own adds little). With that, the chances of getting hacked drop by orders of magnitude.

How to Avoid Scam Instagram Account Hacking Pages?

To be sure about an online service you have stumbled upon, whatever its purpose, consider using Domain Checker. This free service checks a website against a set of safety characteristics and clearly shows whether the site can be trusted.

For on-the-go protection, opt for GridinSoft Anti-Malware, which has the same website checking system built into its Online Security module. It blocks known malicious sites before they open and can harm you.

HackTool:Win32/Crack
https://gridinsoft.com/blogs/hacktool-win32-crack-analysis/ – Tue, 02 Jul 2024 03:43:57 +0000

HackTool:Win32/Crack is a detection name for tools that bypass license verification. These are often activators for Windows, MS Office and other proprietary software. Contrary to the widespread belief that such tools are safe, they can carry a threat.

The most common sources of such tools are torrent distributions and websites with cracked software. Let me explain what cracked software is, what risks its use entails, and whether it actually pays off compared to licensed software.

What is HackTool:Win32/Crack

HackTool:Win32/Crack is a generic detection that Microsoft Defender assigns to code that bypasses a license check. It rarely refers to a stand-alone program; more often it is a modified element of an otherwise benign app. Win32/Crack means a change to the program's files, or a part of them, aimed at disabling the license verification mechanism.

[Image: HackTool:Win32/Crack detection popup]

Win32/Crack is usually distributed via torrents or websites dedicated to cracked software, i.e. software whose licensing system has been tweaked or disabled. It can be either a separate file or embedded into the executable of the target program. By itself, HackTool:Win32/Crack does not pose a direct threat to the system, even though what it does is illegal; Defender flags the hack tool category regardless, because such files are a common carrier for malware.

Is HackTool:Win32/Crack Dangerous?

Although Win32/Crack is not dangerous by itself, many such files come with other malware embedded in the same executable. Particularly greedy authors do this to monetize their effort. Such "bonuses" can include infostealers and more severe malware like ransomware. As a result, instead of saving money, the user pays a higher price in the form of stolen confidential data or encrypted files.

How does Win32/Crack Work?

There are two types of software cracking: making the program believe it has a proper activation, and disabling the check completely. Both have pros and cons, and both are illegal to perform and to use. Let's have a closer look at how this works.

The cracking methods below are listed exclusively for educational purposes. I discourage using unlicensed software, both because of the legal risks and because of the malware hazard. They are here to make clear what exactly Windows Defender means by Win32/Crack.

Disabling the license check

One way to protect software from unauthorized use is to include a license check in its startup routine. Essentially, a program is a set of instructions, represented as a series of bytes, executed by the CPU. During reverse engineering, the checkLicense routine is located and disassembled or decompiled. A cracker then patches the binary by replacing specific bytes so that the check is bypassed.

[Image: Poking around the code]

The patched bytes typically satisfy the check by writing the expected values into registers or memory, or by returning the "licensed" status code; a common variant is to replace the conditional jump after the check with an unconditional one or with no-ops. After patching, the program is considered "cracked". However, with most apps now validating keys on their servers, this method alone is becoming less common.

Embedding the key

This approach emulates the online key verification and makes it succeed without a real connection. Often, the instructions for such a crack include the step "deny the application access to the Internet", because the license would be deactivated as soon as the app reached the real server and found out the key is fake. These days, many cracks do not depend on the connection at all and accept any text as the key.

In the real world, things are more complicated now, as the software will "phone home" and ask whether the key is valid. This can be bypassed by intercepting and decrypting the HTTPS traffic and finding the request that asks about the key; the request is then never allowed to reach its destination, and a forged positive response is returned instead.

The cracker can forge this response or log and replay an already valid one. The program believes it got the go-ahead from the server and continues as normal. Alternatively, the binary can be modified so that it always treats the server's answer as positive. Another trick of the same grade is to redirect the check to a fake HTTP server that always replies positively.
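The tricks in the two sections above (a forged "ok" from a fake server, a replayed logged reply) work because the client trusts whatever the server says. The following Go program is an added example, not code from Gridinsoft or from any real licensing product: it models a hypothetical activation exchange and shows the naive check these tricks defeat next to a response that is signed with the vendor's Ed25519 key, bound to a per-request nonce and given an expiry, so a forged reply, a replay under a different nonce and a reply signed by someone else's key are all rejected. The message format, field names, key handling and the `newVendorKey`/`issue` helpers are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Activation is a hypothetical license-server reply; the field names are an
// assumption made for this example, not any vendor's real protocol.
type Activation struct {
	KeyID   string `json:"key_id"`
	Nonce   string `json:"nonce"`   // chosen by the client, echoed by the server
	Expires int64  `json:"expires"` // unix seconds after which the reply is stale
	Status  string `json:"status"`  // "ok", "revoked", ...
}

// Signed wraps the reply with the vendor's Ed25519 signature over Payload.
type Signed struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// naiveVerify is the check a fake HTTP server or a replayed, logged reply
// defeats: it believes any reply that says "ok".
func naiveVerify(raw []byte) bool {
	var a Activation
	if err := json.Unmarshal(raw, &a); err != nil {
		return false
	}
	return a.Status == "ok"
}

// verifySigned accepts a reply only if it carries a valid signature from the
// vendor public key compiled into the client, echoes the nonce this client
// generated for the request, and has not expired.
func verifySigned(pub ed25519.PublicKey, nonce string, now time.Time, raw []byte) (bool, error) {
	var s Signed
	if err := json.Unmarshal(raw, &s); err != nil {
		return false, err
	}
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return false, errors.New("signature does not verify: forged or unsigned reply")
	}
	var a Activation
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return false, err
	}
	if a.Nonce != nonce {
		return false, errors.New("nonce mismatch: replayed reply")
	}
	if now.Unix() > a.Expires {
		return false, errors.New("reply expired")
	}
	return a.Status == "ok", nil
}

// issue is the server side: sign an Activation for the client's nonce.
func issue(priv ed25519.PrivateKey, keyID, nonce string, expires time.Time, status string) []byte {
	payload, err := json.Marshal(Activation{KeyID: keyID, Nonce: nonce, Expires: expires.Unix(), Status: status})
	if err != nil {
		panic(err)
	}
	out, err := json.Marshal(Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)})
	if err != nil {
		panic(err)
	}
	return out
}

// newVendorKey stands in for the vendor's key pair; only the public half
// would ship inside the product.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// newNonce returns 128 random bits as hex, one per activation request.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

func main() {
	pub, priv := newVendorKey()
	now := time.Now()
	nonce := newNonce()

	// A fake server (or a hosts-file redirect to one) just replies "ok".
	fake := []byte(`{"key_id":"ANY","nonce":"` + nonce + `","expires":9999999999,"status":"ok"}`)
	fmt.Println("fake reply, naive client:", naiveVerify(fake))
	ok, err := verifySigned(pub, nonce, now, fake)
	fmt.Println("fake reply, signed client:", ok, err)

	good := issue(priv, "KEY-1", nonce, now.Add(24*time.Hour), "ok")
	ok, err = verifySigned(pub, nonce, now, good)
	fmt.Println("genuine reply:", ok, err)

	// Replaying the logged reply for a later request (new nonce) fails.
	ok, err = verifySigned(pub, newNonce(), now, good)
	fmt.Println("replayed reply:", ok, err)

	// A fake server that signs with its own key is rejected as well.
	_, evil := newVendorKey()
	ok, err = verifySigned(pub, nonce, now, issue(evil, "KEY-1", nonce, now.Add(24*time.Hour), "ok"))
	fmt.Println("reply signed by foreign key:", ok, err)
}
```

Two caveats. The signature only closes the network-side tricks (fake server, intercepted or replayed reply); the first method above, patching the bytes of `verifySigned` itself so it always returns true, still works, which is why vendors pair server checks with integrity checks and obfuscation. And the check must be asymmetric: an HMAC with a shared secret would ship that secret inside the binary, where the same reverse engineering extracts it and lets the fake server sign valid replies.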

Is it a False Positive?

In most cases, HackTool:Win32/Crack is not a false positive, with only a few exceptions. As said at the beginning, it detects specific changes to the program's files. Windows Defender can mistakenly report HackTool:Win32/Crack if a program's code contains patterns that look like signs of a crack, for instance strings, jumps or calls typical of Win32/Crack. In such cases, I recommend checking the file with our free online checker.

How to Remove Malware Related to HackTool:Win32/Crack?

I'd emphasize once again: do not use pirated software at all, for your own safety. Besides being illegal, pirated software is a breeding ground for malware. Once a user adds any malware or potentially unwanted software to the antivirus exclusions, it can take on a life of its own.

[Image: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Image: Scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Image: Removal finished]

MITRE NERVE Hacked, Service Taken Offline
https://gridinsoft.com/blogs/mitre-nerve-hacked/ – Sat, 20 Apr 2024 09:17:01 +0000

MITRE reports hacker activity in its NERVE network, spotted in April 2024. Upon detecting the suspicious activity, the organization took the affected service offline and started an investigation. The attackers allegedly got into the network by exploiting Ivanti VPN vulnerabilities.

MITRE Reports About NERVE Being Hacked

MITRE, known to the cybersecurity community for its MITRE ATT&CK knowledge base, published a notice about suspicious activity on April 19. The activity took place in its NERVE environment, and only a few details have been disclosed so far. The organization says that no other network elements of MITRE or its partners were compromised.

"After detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, compromise by a foreign nation-state threat actor was confirmed." – Official note regarding the hack

In a separate statement that appeared shortly after the official note, the organization's CTO said that the hackers had leveraged one of the Ivanti Connect Secure vulnerabilities. The executive emphasized that they had taken all the actions the government and Ivanti recommended to mitigate the flaw. That, however, was not enough.

What is NERVE?

NERVE stands for Networked Experimentation, Research and Virtualization Environment, a rather self-explanatory name. Launched back in 2017, it offers a shared space for the activities in its name. At the moment the service is offline and will likely stay unavailable for some time while the investigation continues.

Cybersecurity Research Organizations Under Attack

The hack of one of MITRE's subdivisions appears to me directly related to the recent hack of the US Cybersecurity and Infrastructure Security Agency (CISA). The organizations have a similar purpose, and even the flaw that led to the compromise is the same: Ivanti Connect Secure has gained quite an ill fame over the last year. But what is the purpose of hacking cybersecurity agencies?

By nature, such organizations work with a lot of data from companies: network architecture, software in use, potential vulnerabilities, and so on. NERVE, on top of that, offers a development space for network engineers, so compromising it could enable a large supply chain attack. All of this is a desirable target for adversaries, not for profit but for unique reconnaissance data that will make future attacks more successful.

The NERVE hack confirms that no organization is immune to cyberattacks, not even those that live off cybersecurity. The disruption of "commercial" cybercrime does not affect state-sponsored threat actors; they are more active than ever and are unlikely to be bothered by law enforcement. I reckon we will see more attacks like this in the near future.

Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data
https://gridinsoft.com/blogs/hewlett-packard-enterprise-hacked/ – Tue, 06 Feb 2024 12:29:31 +0000

On February 1, 2024, a post selling Hewlett Packard Enterprise data appeared on a Darknet hacker forum. A threat actor known as IntelBroker claims to have hacked into the company's network and grabbed a whole lot of data, including access tokens and passwords. The company acknowledges the forum post but cannot confirm that any security incident has happened recently.

Hewlett Packard Enterprise Hacked

A post published on the infamous BreachForums on February 1 offers for sale an extensive database allegedly leaked from Hewlett Packard Enterprise's (HPE) internal network. The seller, known as IntelBroker, claims to have hacked into the network and obtained the data. If true, either the company has suffered a new security breach, or the hacker has been present in the network for quite some time.

[Image: Forum post that offers Hewlett Packard data for sale]

As usually happens with Darknet forum posts offering leaked information, several screenshots are attached as evidence. Among the leaked data types, the hacker claims CI/CD access, system logs, config files, access tokens, HPE StoreOnce files and access passwords. While representative of the data types claimed, the screenshots do not include anything that allows identifying the time frame, i.e. there is no way to tell how old this breach is.

As I've mentioned in the introduction, HPE knows about the data posted on the forum and is investigating. At the same time, company representatives have no evidence of a recent cyberattack or security breach.

"At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt." – Adam R. Bauer, HPE's Senior Director for Global Communication

Data Leak, But No Ransomware

An attack that leaked extensive amounts of data without a ransomware deployment may sound odd, since ransomware typically finalizes such attacks. The approach is not new, though: adversaries may run leak-only attacks to speed up the operation or avoid detection. In some cases it is a way to get at least something out of the attack when security tools manage to block the malware.

Still, there is a positive side: no customer data appears to be involved. Both what is claimed and what appears on the screenshots is purely internal data. This is good news not only for HPE customers; the company itself has far less headache notifying those whose data was leaked.

Any Relation to HPE Corporate Email Accounts Breach?

Despite the company's representative saying that no cyberattack was detected, there apparently was one that could be the culprit. In mid-January 2024, HPE reported that its corporate email accounts had been hacked by APT29, a threat actor linked to Russia's SVR. The breach itself took place in May 2023, and the adversary's access to the environment was acknowledged on December 12, 2023.

[Image: Details regarding the previous HPE hack shared in the official SEC filing]

Why could this data come from the old breach? The company's official note on the case lists a selection of data categories that matches what we see in the BreachForums post. More specifically, the company said the hackers accessed several mailboxes of employees in its cybersecurity, go-to-market, business segment and other functions. Logs, configs and access tokens are a normal occurrence in such mailboxes, though there could also have been access to customer data. Either way, it won't be much of a surprise if the ongoing investigation leads back to the APT29 hack.

Verified X/Twitter Accounts Hacked to Spread Cryptoscams
https://gridinsoft.com/blogs/verified-x-accounts-hacked-cryptoscam/ – Fri, 05 Jan 2024 20:19:57 +0000

The trend of hacking official accounts to promote cryptocurrency fraud is gaining momentum. Over the past week, researchers have spotted an abnormal number of such incidents.

X/Twitter Crypto Scams From Verified Accounts

Today we are witnessing an unpleasant trend: hackers increasingly target verified X/Twitter accounts, specifically those belonging to government or business organizations. Such accounts carry 'gold' and 'gray' checkmarks, which indicate that the account belongs to a reputable company or government body. Crooks hijack them to promote cryptocurrency scams, phishing websites, and platforms equipped with crypto drainers.

[Image: Attackers stole verified accounts]

Just yesterday, we wrote about the incident with the X/Twitter account of Mandiant, a Google subsidiary and a prominent player in cyber threat intelligence. They are not alone: with minor differences, the same hack-and-scam pattern has hit dozens of verified accounts on X. Within the first 5 days of the new year alone, researchers reported the hacking of three public accounts: the nonprofit consortium The Green Grid, Canadian senator Amina Gerba and Brazilian politician Ubiratan Sanderson. Despite having nothing in common, the victims were united by one thing: a sudden ardent interest in cryptocurrency.

How Do Twitter Crypto Scams Work?

To start, scammers create a fake profile of a famous person, most often Elon Musk, since promoting dubious things fits his style. Next, the fake account tries to convince users to click a link. What follows depends on the type of fraud: a crypto drainer, an investment fraud, or a fake airdrop scheme. Let's briefly check each one.

Fake investment is an attempt to trick the victim into putting money into a dubious cryptocurrency, which is artificially inflated and then dumped, so that its value falls sharply. As a result, the victim loses the investment and is left with worthless coins.

Another method is crypto drainers. In short, the victim is tricked into approving a fraudulent transaction. The peculiarity of this method is that the victim signs something that looks legitimate but in fact lets the fraudsters withdraw funds from the victim's wallet later, without any further confirmation.

Fake airdrop scams target those who want easy money. The scammers offer users to send some money to a specified wallet and promise to send back double the amount. Of course, nothing comes back after the victim sends the money.
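The drainer section above says the victim signs a transaction that "looks legitimate" yet lets the fraudsters withdraw later. One common form of that (an assumption for this example; the post does not name the mechanism) is an ERC-20 `approve`/`increaseAllowance` or an ERC-721 `setApprovalForAll` granting the attacker's contract the right to move the victim's tokens at any later time. The Go program below is an added example, not Gridinsoft's code: it decodes the raw calldata a wallet would be asked to sign, recognises these allowance-granting functions by their public selectors, and flags an unlimited allowance to a spender not on a user's trusted list. The sample calldata, the attacker address and the trusted-spender list are all constructed for the example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Function selectors (first four bytes of keccak256 of the signature) for the
// standard ERC-20/ERC-721 methods a drainer typically asks the victim to sign.
var knownSelectors = map[string]string{
	"095ea7b3": "approve(address,uint256)",
	"39509351": "increaseAllowance(address,uint256)",
	"a22cb465": "setApprovalForAll(address,bool)",
	"a9059cbb": "transfer(address,uint256)",
}

// maxUint256 is the "infinite" allowance drainers usually request.
var maxUint256 = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 256), big.NewInt(1))

// Finding summarises what signing the transaction would grant.
type Finding struct {
	Function  string
	Spender   string // counterparty that gains the right (or the transfer recipient)
	Unlimited bool   // allowance covers the whole balance / collection
	Risky     bool   // an allowance grant to a spender not on the trusted list
	Reason    string
}

// argWord returns the i-th 32-byte ABI argument after the 4-byte selector.
func argWord(data []byte, i int) ([]byte, error) {
	start, end := 4+32*i, 4+32*(i+1)
	if len(data) < end {
		return nil, fmt.Errorf("calldata too short for argument %d", i)
	}
	return data[start:end], nil
}

// Inspect decodes calldata and flags allowance grants to untrusted spenders.
func Inspect(calldataHex string, trustedSpenders map[string]bool) (Finding, error) {
	data, err := hex.DecodeString(strings.TrimPrefix(strings.ToLower(calldataHex), "0x"))
	if err != nil {
		return Finding{}, err
	}
	if len(data) < 4 {
		return Finding{}, errors.New("calldata shorter than a selector")
	}
	sel := hex.EncodeToString(data[:4])
	fn, ok := knownSelectors[sel]
	if !ok {
		return Finding{Function: "unknown 0x" + sel, Reason: "unrecognised selector; decode against the contract ABI before signing"}, nil
	}
	w0, err := argWord(data, 0)
	if err != nil {
		return Finding{}, err
	}
	w1, err := argWord(data, 1)
	if err != nil {
		return Finding{}, err
	}
	// An address argument is right-aligned in its 32-byte word.
	spender := "0x" + hex.EncodeToString(w0[12:])
	f := Finding{Function: fn, Spender: spender}

	switch sel {
	case "a22cb465": // setApprovalForAll(operator, approved)
		if new(big.Int).SetBytes(w1).Sign() == 0 {
			f.Reason = "revokes operator approval"
			return f, nil
		}
		f.Unlimited = true // the operator may move every token in the collection
	case "a9059cbb": // transfer(to, amount): moves funds now, no allowance involved
		f.Reason = "direct transfer of " + new(big.Int).SetBytes(w1).String() + " units; verify the recipient"
		return f, nil
	default: // approve / increaseAllowance(spender, amount)
		amount := new(big.Int).SetBytes(w1)
		if amount.Sign() == 0 {
			f.Reason = "sets allowance to zero (revocation)"
			return f, nil
		}
		f.Unlimited = amount.Cmp(maxUint256) == 0
	}
	if trustedSpenders[spender] {
		f.Reason = "allowance to a known spender"
		return f, nil
	}
	f.Risky = true
	f.Reason = "grants " + fn + " to an untrusted spender"
	if f.Unlimited {
		f.Reason += " with unlimited scope: the spender can empty the wallet later without further confirmation"
	}
	return f, nil
}

// sampleCalldata builds a transaction body of the kind a drainer site submits
// to the wallet; the addresses used with it are made up for this example.
func sampleCalldata(selector, addr, lastWord string) string {
	return "0x" + selector + strings.Repeat("0", 24) + addr + lastWord
}

func main() {
	attacker := "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"                              // constructed
	trusted := map[string]bool{"0x1111111111111111111111111111111111111111": true} // e.g. a DEX router the user knows
	drainer := sampleCalldata("095ea7b3", attacker, strings.Repeat("f", 64))         // approve(attacker, MaxUint256)
	f, err := Inspect(drainer, trusted)
	fmt.Printf("%+v %v\n", f, err)
}
```

Wallets display the function name and "spender" for such requests; the point of the check is to refuse an unlimited allowance to an address you did not set out to interact with, and to treat "claim your airdrop" pages that ask for an approval rather than a plain claim call as the drainer pattern described above.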

[Image: Example of an airdrop scam posted from a verified account]

Eligibility and Trust Undermined

Initially, a blue checkmark was the sign of a verified Twitter account, obtained by providing a document proving the user's identity. Later, anyone could get a checkmark for $8 a month, leading to a flood of scammers creating fake celebrity accounts and running successful cryptocurrency scams. These days, the ticks are divided into gold, gray and blue: the gold checkmark goes to the accounts of large companies, the gray tick to government organizations, and the blue checkmark to individuals, regardless of their fame. Obviously, the first two have caused a stir among cybercriminals.

The Black Business for Verified Twitter Accounts

According to a report from CloudSEK, a digital risk monitoring platform, a black market is thriving where compromised gray and gold X accounts are sold. This illicit trade centers on high-profile accounts marked with gold and gray checkmarks. Although these marks should symbolize trust and authenticity, such accounts sell for $1,200 to $2,500. For example, one account, inactive since 2016 and with 28k followers, sold for $2,500.

[Image: Threat actors advertising to buy Twitter Gold accounts on dark web marketplaces (source: CloudSEK)]

The process often involves hijacking dormant accounts with high follower counts and converting them into verified profiles by dubious means. In some cases, the sellers offer additional services, such as attaching scam accounts as affiliates to these verified profiles. This lends the scam accounts an aura of legitimacy and lets them bypass stricter verification, making it easier to manipulate unsuspecting victims.

Recommendations for Account Security

It is concerning that many well-known companies' X/Twitter profiles have been hacked recently to spread crypto scams. This brings the risk of falling victim to such scams as well as of misinformation or more severe fraud. Knowing how to respond when encountering a hacked account that spreads questionable links is therefore essential.

Firstly, avoid following any links posted by such accounts. Whether they lead to a crypto drainer, a fake airdrop or an investment scam page, it is best not to visit them.

Secondly, report the hacked account to the moderators. The report menu has an option called Deceptive Identities, which lets the platform take the necessary action.

Lastly, spread the word about the hack among your friends and followers. The more people know about this type of scam, the lower the chances they fall victim to it now or in the future.

Moneris Hacked, Medusa Ransomware Claims
https://gridinsoft.com/blogs/moneris-hacked-medusa-ransomware/ – Wed, 15 Nov 2023 17:04:34 +0000

Canadian fintech giant Moneris has allegedly been hacked by the notorious Medusa ransomware group, sending shockwaves through the country's financial sector. The group is known for its aggressive tactics and audacious targets, and has demanded a $6 million ransom in exchange for the stolen data and the prevention of further disruption.

Who are Moneris and Medusa?

Moneris, a joint venture between the Royal Bank of Canada and the Bank of Montreal, is Canada's largest payment processor, handling over 3.5 billion credit and debit card transactions annually. The company serves as a critical intermediary for businesses of all sizes, making its compromise a significant threat to the country's economic stability. Sure enough, any "cybersecurity incident", as companies prefer to call ransomware attacks, sets the community abuzz.

The Medusa ransomware group is a relatively new cybercrime gang that has gained notoriety for its ruthless strategies. The criminals operate under a ransomware-as-a-service (RaaS) model, providing their tooling and expertise to affiliates in exchange for a share of the ransom proceeds. This approach has let the group expand its reach and inflict damage on a wide range of victims.

[Image: One of the ransom notes of Medusa Ransomware]

Medusa Ransomware Attempt to Compromise Moneris

Moneris has confirmed the attempted ransomware attack but assures its customers that no critical data has been compromised. The company also states that it has implemented measures to restore its systems and continue operations.

"Following the attempt, our team did a full audit and analysis of the incident, reviewed all information, and concluded none of our Digital Loss Prevention policies were triggered." – Moneris

In response to the Medusa ransomware attack, Moneris has taken steps to mitigate the damage and protect its customers. The company has engaged cybersecurity experts to investigate the incident, implemented additional security protocols, and communicated regularly with its customers to keep them informed.

The fallout extends beyond Moneris itself. A 90-minute disruption of Moneris services in late September caused widespread issues across the country. The company's extensive contracts with the US military raise additional concerns, given the potential compromise of sensitive information related to military equipment and weapons.

Critical Financial Institutions Under Attack

The attack on Moneris seems to be one more link in a chain of attacks on critical financial infrastructure. Just a couple of days ago, another infamous ransomware group, LockBit, successfully hacked ICBC, the biggest commercial bank in the world. Such an interest in financial companies is unsurprising, though the trend is no less concerning.

Huge money flows, the likelihood of handling sensitive information, and tremendous amounts of statistics: this is what attracts hackers, and what makes these two breaches so dangerous. Even though the attacks are most likely unrelated, crooks may start targeting such companies much more often. And while the Moneris hack is mostly about disruption of money transactions, hacks of institutional organizations like ICBC put the global financial system at risk.

How to Protect Against Ransomware?

The incident highlights the growing sophistication and severity of ransomware attacks, targeting not just individual users but also large, well-established corporations like Moneris. The financial and reputational implications of such attacks can be devastating, making it crucial for businesses to invest in robust cybersecurity measures and maintain vigilance against evolving cyber threats. Here are some tips on how to protect against ransomware:

  • Regularly backing up your data is crucial for its safety. Create an offline backup of your hard disk-stored files to protect your data. This is a copy of your data saved on a separate device not connected to your computer or network. If ransomware attacks your computer, the backup files will not be affected, and you can restore them without paying a ransom.
  • It is important to keep your software up to date as software updates include crucial security patches that protect against ransomware attacks. Most software programs offer the option for automatic updates which will ensure that your software is always updated with the latest security patches.
  • Train your employees. Conduct regular cybersecurity awareness training for employees to educate them about ransomware threats and safe online practices.
  • Use reliable software. Install reputable antivirus and anti-malware software on your devices. Consider using additional security tools that offer real-time protection against ransomware.
  • Be careful with user privileges. Follow the principle of least privilege (PoLP) to restrict user access to the minimum necessary for their roles.

1Password Hacked Following the Okta Hack
https://gridinsoft.com/blogs/1password-hacked-after-okta-hack/
Wed, 25 Oct 2023 16:00:48 +0000

A recent security breach at the 2FA provider Okta appears to affect some of its clients. Among others, the password management service 1Password reported “suspicious activity” that is most likely related to the situation at Okta.

What happened to Okta?

At the end of October 2023, Okta released a notification on social media about the security breach. The named reason is a lack of session token validation, which made it possible for hackers to access the computers of tech support employees. From there, the cybercriminals were able to access files sent in by other customers; such files commonly contain cookies, session tokens and the like.

Okta hack notice
Official note from Okta regarding the hack

This is not the first time Okta has gotten into trouble with hackers. In March 2022, hackers from the Lapsus$ cybercrime group managed to hack into the laptop of a tech support engineer. This affected a small portion of Okta customers – only ~2.5% – still a large number, as the company is a major identity management provider. Such recurring hacks, especially within one specific division of the company, strike its image pretty hard, to say the least.

1Password Hacked Through the Okta Hack

Despite how bad the Okta hack sounds, it is not that bad for 1Password. At the moment, the company reports that it has ceased all operations related to the employee accounts that used Okta services. Further investigation showed there is nothing to worry about: no accounts were compromised whatsoever.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.” — 1Password’s report on the situation

Although things appear to be fine on the 1Password side, it may not be over yet. New details of the hack appear each day, even though all the key events happened almost a month ago, on September 29.

Should you be worried?

The best part of this whole situation is that the companies do not hesitate to notify exposed customers. No 1Password user data was actually touched, though it is different for Okta. They have been, and continue, sending emails to users whose credentials are potentially in danger, with recommendations on further actions. Hence, keep track of emails from Okta, and that will be enough to stay up to date with the situation.

7 Million Freecycle Users Exposed In a Massive Data Breach
https://gridinsoft.com/blogs/freecycle-hacked-7-million-users-exposed/
Tue, 05 Sep 2023 20:06:14 +0000

Freecycle has alerted its users that the sensitive information of over 7 million of them may have been compromised in a recent data breach. The organization has urged users to change their login credentials immediately to prevent any further unauthorized access to their accounts.

Detection of data breach

Freecycle, a nonprofit organization that promotes sustainability through community involvement, recently discovered a severe data breach. The organization’s security team detected the breach on August 30th, 2023, several weeks after a cybercriminal had already put the stolen data up for sale on a hacking forum on May 30th. Accordingly, the organization’s warning emphasized the situation’s urgency, urging affected individuals to change their passwords immediately.

Massive Freecycle Data Breach
Stolen personal data for sale on a hacking forum

After analyzing the screenshots posted by the attackers, experts concluded that the attackers had stolen the credentials of Freecycle founder and executive director Deron Beal. As a result, the attackers had gained access to sensitive information.

After detecting the data breach, the organization informed the police. The company also advised users to be cautious of phishing attacks and scams that may target them. The warning states that despite most email providers efficiently filtering spam, users may receive an increased amount of spam emails.

Consequences of data leakage

The compromise of Deron Beal’s credentials, the founder and executive director of Freecycle, is one of the most concerning aspects of this data breach. This security breach allowed the threat actor to gain full access to member information and forum posts, which could lead to further data manipulation or unauthorized actions.

The data that was stolen includes a variety of important user information, such as:

  • User IDs. The numeric identifier assigned to each user.
  • Usernames. The unique handles that members use to identify themselves on the platform.
  • Email Addresses. The contact information used for communication and notifications.
  • MD5-hashed Passwords. Passwords hashed with the MD5 algorithm, which is now considered weak and vulnerable to attacks.

Fortunately, no additional personal information was exposed beyond this dataset. However, the compromise of MD5-hashed passwords is concerning, since weak passwords can be recovered from such hashes.
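
As an added illustration (not code from the Gridinsoft post or from Freecycle), the following PowerShell script shows why an unsalted MD5 password hash offers little protection and what a salted, slow key-derivation function changes. The wordlist and the “leaked” hash are constructed for the demo, and the record format pbkdf2-sha256$iterations$salt$hash is this example’s own convention.

```powershell
# Added example, not from the original post. The wordlist and the "leaked"
# hash are constructed; the record format is this example's own convention.

function Get-Md5Hex {
    param([Parameter(Mandatory)][string]$Password)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    try     { ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $md5.Dispose() }
}

# Unsalted MD5 is deterministic and very fast, so the hash of every wordlist
# entry can be computed once and any weak or reused password in a dump is
# recovered by a plain table lookup. This is what "recovering" the passwords means.
function Find-Md5InWordlist {
    param(
        [Parameter(Mandatory)][string]$LeakedHash,
        [Parameter(Mandatory)][string[]]$Wordlist
    )
    $table = @{}
    foreach ($word in $Wordlist) { $table[(Get-Md5Hex $word)] = $word }
    return $table[$LeakedHash.ToLowerInvariant()]     # $null when the hash is not in the table
}

# PBKDF2-SHA256 with a random 16-byte salt and a high iteration count: the same
# password produces a different record each time, so no precomputed table
# applies, and every guess costs the attacker $Iterations hash computations.
function New-PasswordRecord {
    param([Parameter(Mandatory)][string]$Password, [int]$Iterations = 600000)
    $salt = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
                $Password, $salt, $Iterations,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $hash = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    return 'pbkdf2-sha256${0}${1}${2}' -f $Iterations,
        [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)
}

function Test-PasswordRecord {
    param([Parameter(Mandatory)][string]$Password, [Parameter(Mandatory)][string]$Record)
    $parts = $Record -split '\$'
    if ($parts.Count -ne 4 -or $parts[0] -ne 'pbkdf2-sha256') { return $false }
    $salt     = [Convert]::FromBase64String($parts[2])
    $expected = [Convert]::FromBase64String($parts[3])
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
               $Password, $salt, [int]$parts[1],
               [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }
    # Compare every byte regardless of where the first difference is, so the
    # time taken does not reveal how much of the hash matched.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($actual[$i] -bxor $expected[$i]) }
    return ($diff -eq 0)
}

# Demo with constructed data
$wordlist = @('123456', 'password', 'summer2023', 'letmein', 'qwerty')
$leaked   = Get-Md5Hex 'summer2023'                          # stands in for one row of the dump
Find-Md5InWordlist -LeakedHash $leaked -Wordlist $wordlist   # the weak password is found by lookup
$record = New-PasswordRecord -Password 'summer2023'
Test-PasswordRecord -Password 'summer2023' -Record $record   # the correct password verifies
Test-PasswordRecord -Password 'Summer2023' -Record $record   # a wrong password is rejected
```

The lookup succeeds because MD5 has no salt and costs microseconds per guess; the PBKDF2 record cannot be matched against any shared table and makes each guess roughly 600,000 times more expensive. This is the property a site storing passwords should want, and it is exactly what the leaked Freecycle dataset lacked.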

Freecycle response

Freecycle assured users that no personal data beyond the specified dataset was compromised. In addition, the breach has been contained, and the organization cooperates with privacy authorities.

“We apologize for the inconvenience and would ask that you watch this space for further pending background.” — Freecycle
“As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don’t download attachments unless you are expecting them.” — Freecycle

Minimization of Data Breaches

The following tips can help reduce the risk of a data breach in your organization:

  • Keeping your systems updated is critical to ensure that vulnerabilities are patched and cybercriminals cannot exploit them.
  • It is highly recommended to encrypt your data, as this can prevent fraudsters from taking advantage of it.
  • Regularly back up your data, as it allows for quick and efficient recovery in case of any damage.
  • A zero-trust model prevents cybercriminals from infiltrating and moving laterally by not trusting any entity inside or outside the network perimeter.
  • To strengthen cybersecurity, all users must use multi-factor or biometric authentication.

Users who reuse passwords across multiple online services should change them immediately to prevent security breaches.

Hot and Cold Crypto Wallets Hacking
https://gridinsoft.com/blogs/cryptowallets-hacking-hot-cold/
Wed, 12 Jul 2023 15:45:48 +0000

Cryptocurrency is a rapidly changing world where people can make fortunes by exchanging digital assets. However, seasoned investors and newcomers alike are at risk of falling prey to crypto phishing scams. These scams exploit people’s trust and vulnerability and aim to trick them into revealing sensitive information or giving up their hard-earned crypto holdings.

What are cryptocurrency scams?

Crypto scams are investment frauds that can take many forms, from phishing scams to rug pulls. Since no central authority like a bank regulates crypto’s blockchain technology, bad actors can easily exploit hopeful investors. That has made cryptocurrencies and all related topics an ideal harbor for different scams. Due to a lack of experience, people were prone to falling victim even to the least complicated schemes, let alone tricky ones.

With time, cybercriminals have become more sophisticated in their phishing techniques. The primary reason is the rise in average users’ knowledge: it is simply no longer that easy to scam someone. Criminals impersonate legitimate exchanges and wallets and use convincing social engineering tactics to gain unauthorized access to digital assets. These scammers use various social engineering methods to manipulate users’ emotions and create a sense of trust and urgency. It is essential to be aware of these tactics and take the necessary measures to protect yourself.

Hot and Cold Wallets Difference

To assess the risks, let’s review the different types of wallets. First, it is important to note that wallets do not hold the actual crypto assets. Instead, the blockchain records information about the assets, while the wallet provides secure storage for the private (secret) key.

The difference between Hot and Cold Wallets

The “Hot” wallets

A hot wallet is a cryptocurrency wallet that has constant internet access. It includes any online service that offers cryptocurrency storage, such as crypto exchanges and specialized apps. The keys in a hot wallet are stored encrypted on the server. These are online or custodial wallets offered by popular exchanges, including Binance and Coinbase. The key can be used to sign a transaction on the blockchain at any time.

The “Cold” wallets

In the case of a cold wallet, the keys are stored on a standalone device or as an alphanumeric sequence written on a piece of paper. A device solely for storing keys is known as a hardware wallet, while software wallets are applications designed to store keys on regular computers and smartphones.

Attack on “Hot” wallets

Many people use hot wallets to store their cryptocurrency because they are easy to create and convenient. However, cybercriminals often target hot wallets because they are frequently online and popular. Storing large amounts in hot wallets is not recommended due to their susceptibility to attacks. Although cybercriminals may use phishing techniques to attack hot wallets, their tactics are often simple and aimed at less experienced users.


A standard method in crypto phishing scams is impersonating trusted entities, like cryptocurrency exchanges or wallet providers. The scammers send emails or messages that look like they come from these legitimate organizations, using similar branding, logos, and email addresses. Their goal is to trick people into thinking they are receiving a message from a trustworthy source.

Seed phrase entry page

One common phishing scam targets users of hot wallets. Scammers send emails posing as a well-known crypto exchange, asking users to confirm a transaction or verify their wallet. Once the user clicks the link, they are taken to a page that asks them to enter their seed phrase. A seed phrase, consisting of either 12 or 24 words, is required to regain access to a crypto wallet. It is the primary password for the wallet and should be kept secure. If the seed phrase is lost or given to scammers, the user risks permanently losing access to their wallet and compromising their account.

Scams that are straightforward and don’t involve software or social engineering tactics are usually aimed at people who are not tech-savvy. The form for entering a seed phrase usually looks simple, with just an input field and a logo for a cryptocurrency exchange.

Phishing attacks targeting cold wallets

Cold wallets seem safer because they are not always connected to the Internet. However, it would be a mistake to assume that a hardware wallet can only be hacked by stealing or physically accessing it. As with hot wallets, scammers use social engineering techniques to get at users’ funds. Recently, experts noticed an email campaign explicitly targeting owners of hardware cold wallets.

A typical attack involves an email campaign where the user receives an email from a cryptocurrency exchange inviting them to participate in a giveaway of XRP tokens, the platform’s internal cryptocurrency. When the user clicks the link, they are directed to a blog page with a post outlining the “giveaway” rules. This post also includes a direct link for registration, where scammers apply more sophisticated methods to trick the user.

Fake support requests

Beware of crypto phishing scams where scammers pretend to be customer support reps from real cryptocurrency exchanges or wallet providers. They may send messages or emails to users, tricking them into believing there’s a problem with their account or a transaction that needs urgent attention. These scammers often provide a link to a fake support website or contact method, where users are asked to provide their login credentials or sensitive information. Stay vigilant, and avoid falling for these tactics.

Screen of cryptoscam

Scammers exploit users’ trust in legitimate customer support channels by pretending to be support personnel. They also capitalize on users’ eagerness to resolve issues promptly, which leads them to reveal their private information willingly. Scammers can then use this information for malicious purposes.

How to protect users from crypto-phishing

To stay safe while using cryptocurrency, there are measures users can take. One is enabling two-factor authentication, a helpful tool to prevent phishing scams from compromising their crypto accounts.

  • Use of hardware or software authenticators. Hardware authenticators, or security keys, are physical devices that generate one-time passwords and provide an extra layer of security. Software-based authenticators, such as Google Authenticator, generate time-based codes on users’ smartphones.
  • Be careful with links and attachments. Phishing scammers use a trick where the displayed link text differs from the actual destination URL. To avoid falling for this, users can hover over the link to check for inconsistencies and suspicious URLs that may indicate a phishing attempt.
  • Scanning attachments with antivirus. To protect your device and cryptocurrency accounts from malware, always be careful when downloading and opening attachments, particularly from unknown or suspicious sources. Attachments may contain harmful software, such as keyloggers or trojans, which can jeopardize security. To reduce this risk, scanning all attachments with trustworthy antivirus software is advisable before opening them.
  • Keep software updated. It is crucial to keep the operating systems, web browsers, devices, and other software up to date to ensure the security of the user’s devices. These updates may contain security patches to address known vulnerabilities and protect against new threats.

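The “hover over the link” check from the list above can be scripted for a whole HTML e-mail. The PowerShell below is an added example, not code from the Gridinsoft post; the sample message, its `.example` domains and the function names are constructed for the demo. It reports every anchor whose visible text looks like a URL or domain but whose `href` leads to a different site.

```powershell
# Added example, not from the original post: a script version of the
# "hover over the link" check for an HTML e-mail. The message is constructed.

function Get-LinkHost {
    param([Parameter(Mandatory)][string]$Text)
    # Accept "https://host/path", "host/path" or a bare domain and return the host.
    $candidate = $Text.Trim()
    if ($candidate -notmatch '^[a-z][a-z0-9+.-]*://') { $candidate = "https://$candidate" }
    $uri = $null
    if ([System.Uri]::TryCreate($candidate, [System.UriKind]::Absolute, [ref]$uri)) {
        return $uri.Host.ToLowerInvariant()
    }
    return $null
}

function Test-SameSite {
    param([string]$A, [string]$B)
    # www.example.com and example.com count as the same site; a host that merely
    # starts with "example.com." (example.com.evil.test) does not.
    return ($A -eq $B) -or $A.EndsWith(".$B") -or $B.EndsWith(".$A")
}

function Find-MismatchedLinks {
    param([Parameter(Mandatory)][string]$Html)
    $anchor = '(?is)<a\b[^>]*\bhref\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $anchor)) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # drop inner tags
        # Only link text that itself looks like a URL or domain can contradict the href.
        if ($text -notmatch '^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$') { continue }
        $shown  = Get-LinkHost $text
        $target = Get-LinkHost $href
        if ($shown -and $target -and -not (Test-SameSite $shown $target)) {
            [pscustomobject]@{ Text = $text; Href = $href; ShownHost = $shown; TargetHost = $target }
        }
    }
}

# Constructed sample: the first link shows an exchange URL but leads elsewhere,
# the second is consistent, the third gives the reader no hint at all.
$sampleMail = @'
<p>Dear customer, please confirm your recent transaction.</p>
<p>Sign in at <a href="https://exchange-login-verify.example">https://www.exchange.example/login</a></p>
<p>See the announcement: <a href="https://www.exchange.example/en/news">exchange.example</a></p>
<p>Or <a href="https://wallet-check.example/verify">click here</a> to verify your wallet.</p>
'@
Find-MismatchedLinks -Html $sampleMail | Format-Table -AutoSize
```

Only the first link is reported: its text names one host and its `href` another. The check says nothing about links whose text is a phrase such as “click here”, nor about lookalike domains where text and `href` agree, so it complements the manual hover rather than replacing it.
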
As crypto phishing scams constantly change, users must stay current on the latest tactics and scams targeting the cryptocurrency community. Educating yourself on these techniques and staying informed about recent phishing incidents and security best practices can help keep you safe. To stay informed about phishing scams, security vulnerabilities, and how to protect your crypto assets, it’s essential to follow trustworthy sources that provide accurate information and alerts.

Forged Driver Signatures Exploited In The Wild
https://gridinsoft.com/blogs/forged-driver-signatures-exploited-in-the-wild/
Wed, 12 Jul 2023 15:33:30 +0000

Hackers are actively using driver signature spoofing, which stems from a loophole in the way Windows handles kernel-mode drivers. They rely heavily on open-source utilities that were originally designed to temporarily bypass driver signing, because the official signing process takes far too long when it comes to testing. Cybercriminals, though, do not run any tests; they hit and run instead.

Windows Kernel Driver Signature Hacks

Microsoft has a long history of protecting its operating system from being exploited with malicious drivers. In fact, it has been fighting a continuous battle since early 2007, the release date of Windows Vista. With that release, the developers implemented a mechanism that forbids unsigned drivers from running, since kernel-level drivers have access to every function of both the OS and the hardware components. Further, in 2016, Microsoft created a centralised driver signing authority, the Developer Portal, which has been the only place to sign Windows drivers since the Windows 10 1607 release. All this was done to reduce the possibility of a signed driver being used maliciously.

Windows Kernel driver scheme

This, however, was not suitable for all developers of benevolent software. Like pretty much any centralised authority, the Developer Portal has a lag between submitting the driver, its review, and receiving a signature. As a result, urgent processes like real-world tests or even simple debugging became impractical. Another industry where certificate forging is in use is game cheats, which circumvent anti-cheat protection by operating at the same kernel level. Once again, the system simply refuses to run a driver that is not signed. The only way around this was a detour, and in this case it came in the form of free open-source utilities called HookSignTool and FuckCertVerifyTimeValidity.

How do driver certificate hacktools work?

Both of these programs work in pretty much the same way. They exploit one of three backward-compatibility rules for legacy drivers. Microsoft kept these rules so that drivers signed prior to July 29, 2015 remain usable, which is essential for old programs and hardware. The rules are:

  1. The system was upgraded from an earlier Windows version to Windows 10 1607.
  2. The driver was signed with an end-entity certificate issued by a cross-signed certificate authority before July 29, 2015.
  3. The system has the Secure Boot option disabled in the BIOS.

The utilities exploit the second rule. They simply sign the driver with a certificate that a legitimate CA issued before that date. And while this is useful for software developers who urgently need to test something and have no time to wait for the DevPortal’s response, it is just as useful to cybercriminals.

During the first half of 2023, security analysts noticed numerous cases of these utilities being used to sign malware that integrates into the system as a kernel-level driver. Such deep integration, especially with the system fully trusting the driver, grants malicious programs practically unlimited capabilities. Such malware is hard to detect with anti-malware software and, even worse, particularly hard to remove without wiping the disk.

Microsoft Keeps Dozens of Expired Certificates

To operate properly, the mentioned utilities require an expired but non-revoked certificate installed in the system. HookSignTool ships its own; FuckCertVerifyTimeValidity uses a pack of leaked certificates to forge the signature. These exact certificates were detected in recent cyberattacks. Deeper analysis reveals that Windows still carries over a hundred exploitable certificates that expired long ago. Among them, analysts name several that were actively used in cyberattacks:

  • Open Source Developer, William Zoltan
  • Beijing JoinHope Image Technology Ltd.
  • Shenzhen Luyoudashi Technology Co., Ltd.
  • Jiangsu innovation safety assessment Co., Ltd.
  • Baoji zhihengtaiye co.,ltd
  • Zhuhai liancheng Technology Co., Ltd.
  • Fuqing Yuntan Network Tech Co.,Ltd.
  • Beijing Chunbai Technology Development Co., Ltd
  • 绍兴易游网络科技有限公司
  • 善君 韦
  • NHN USA Inc.
  • Luca Marcone
  • HT Srl

The high number of Chinese certificates is explained by the fact that the HookSignTool utility is made by Chinese programmers. As it carries the certificates for signature forging inside its installation package, their origin is to be expected. Another interesting detail is that the hackers who use these utilities appear to be Chinese as well; this guess comes from the language code of the malware samples from the attacks that used the certificate forging utilities.

How to protect against malware with forged certificates?

Fortunately, the advice here is particularly easy, though some people may hate its very essence: update your Windows. New patches mark the certificates that appear in these attacks as untrusted. Microsoft cooperates with cybersecurity researchers and vendors, and any certificates used in such circumstances are reported immediately. Delivering updates can take some time, so be sure to check your Windows Update tab if you want to avoid such an unpleasant thing running on your PC.
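
For an administrator who wants to see where a machine stands with respect to the rules described above, the PowerShell audit below is an added example (not code from the Gridinsoft post or from Microsoft). It checks the Secure Boot state (rule 3), walks the loaded kernel drivers and flags those whose signer certificate was issued before July 29, 2015 and has since expired (the exception rule 2 that the utilities abuse), and reports any signer that Windows Update has pushed into the Disallowed certificate store. The function names are this example’s own; the cmdlets and certificate store paths are standard Windows PowerShell. Run it from an elevated prompt.

```powershell
# Added example, not from the original post or from Microsoft. Audits a Windows
# host for the conditions described in the article: Secure Boot state (rule 3),
# loaded kernel drivers whose signer certificate dates from before July 29, 2015
# and has since expired (rule 2), and signers Windows Update has pushed into the
# Disallowed certificate store. Run from an elevated PowerShell prompt.

$LegacyCutoff = [datetime]'2015-07-29'   # date quoted in the article

function Get-SecureBootState {
    try   { return [bool](Confirm-SecureBootUEFI) }   # $false means rule 3 applies
    catch { return $null }                            # legacy BIOS boot or unsupported firmware
}

function Get-DriverSignatureReport {
    # Thumbprints Windows explicitly distrusts (this is where the untrusted certs land)
    $disallowed = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed | ForEach-Object { $disallowed[$_.Thumbprint] = $true }
    $now = Get-Date

    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # PathName may be given as \SystemRoot\... or \??\C:\...; normalise to a drive path
        $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig  = Get-AuthenticodeSignature -LiteralPath $path   # resolves catalog signatures too
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Driver           = $_.Name
            State            = $_.State
            Path             = $path
            Status           = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
            SignatureType    = $sig.SignatureType   # Authenticode (embedded) or Catalog
            Signer           = if ($cert) { $cert.Subject } else { $null }
            LegacyEraCert    = if ($cert) { $cert.NotBefore -lt $LegacyCutoff } else { $false }
            CertExpired      = if ($cert) { $cert.NotAfter -lt $now } else { $false }
            SignerDisallowed = if ($cert) { [bool]$disallowed[$cert.Thumbprint] } else { $false }
        }
    }
}

function Get-SuspectDrivers {
    # Anything that does not verify, anything signed by a distrusted certificate, and
    # every driver that loads only thanks to the pre-2015 exception the utilities abuse.
    Get-DriverSignatureReport | Where-Object {
        $_.SignerDisallowed -or $_.Status -ne 'Valid' -or ($_.LegacyEraCert -and $_.CertExpired)
    }
}

"Secure Boot enabled: $(Get-SecureBootState)"
Get-SuspectDrivers | Sort-Object SignerDisallowed, Status -Descending |
    Format-Table Driver, State, Status, SignatureType, LegacyEraCert, CertExpired, SignerDisallowed, Signer -AutoSize
```

Rows with SignerDisallowed set, or a Status other than Valid, are the ones to act on. A Valid signature from a legacy-era certificate that has since expired is normal for timestamped drivers of old hardware, so those rows are a review list rather than a verdict: compare the Signer column against the certificate names the article lists, and confirm the machine has received the update that moves them into the Disallowed store.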

The problem here is that antivirus software can have trouble detecting such a threat. Classic antivirus programs that lack behaviour analysis will simply miss an item that has been legitimised in this way. For that reason, an advanced solution is a must-have. For corporations, those are EDR/XDR solutions, which rely on behaviour analysis as their primary source of information. Home users can try GridinSoft Anti-Malware to detect and remove malicious programs even before they become active.
