Let me remind you that we also wrote that GPT-4 Tricked a Person into Solving a CAPTCHA for Them by Pretending to Be Visually Impaired, and also that New hCaptcha bypass method may not affect Cloudflare’s security.

Discord CAPTCHA Created by AI Confuses Users

According to Vice Motherboard journalists, several people immediately complained on social networks about the strange object Yoko, which was required to be found among other photos to enter Discord.

At the same time, other users found that they were asked to find images of a puzzle cube, which was also created by artificial intelligence and did not look too much like a real-life object. In addition, all the objects in the task look like they came straight from the Uncanny Valley.

CAPTCHAs for Discord are provided by hCaptcha, and Discord representatives told reporters that the technology that generates these prompts “is the property of a third party partner and Discord does not directly determine what will be presented to users”. In turn, representatives of hCaptcha explained that what happened was “a short test that a small number of people saw.” Since hundreds of millions of users use the technology in total, even this “brief test” resulted in the tweets shown above.

The publication notes that hCaptcha positions itself as a privacy-focused alternative to reCAPTCHA. According to a 2018 blog post, hCaptcha prompts are self-generated by clients who need “high-quality, human-generated annotations for their machine learning needs.”

That is, hCaptcha makes money both from clients like Discord who buy professional and enterprise subscriptions to run CAPTCHA services, and from clients who create prompts. In fact, hCaptcha uses its own CAPTCHA for machine learning systems and generative adversarial networks.

And this is not the first time that people have noticed the appearance of strange images in hCaptcha services and note that the company apparently trains AI with the help of users. So, two months ago, a Reddit user noticed that Discord asked him to find among the images of people playing hockey and golf, football players, which was clearly created by artificial intelligence. In March, another Reddit user complained that Discord’s CAPTCHA had become almost unsolvable.

Journalists summarize that the work of hCaptcha is a prime example of the problems that arise with machine learning systems. The first is that AI systems require significant human input. For example, as a rule, indexing and categorization of images is transferred to outsourcers from developing countries, whose work is extremely poorly paid. Another problem is data drift: the longer machine learning systems work, the more data they need. Ultimately, they begin to use data that they themselves have generated for self-learning. And systems that train for a long enough time on themselves eventually come to the point that they issue requests for the definition of incomprehensible objects, like Yoko.

The post CAPTCHA in Discord Asks Users to Find Non-Existent Objects Created by AI appeared first on Gridinsoft Blog.

STOP/Djvu spreads in Discord, features RedStealer

According to the latest notifications, STOP/Djvu ransomware is getting spread through the malicious spam messages in Discord. Users who pretend to send something useful and want to share a 7zip file with malware. It is ciphered, but the password is very simple – 1234. That is a pretty typical action when users share something on social networks. However, inside this package, there is an executable file of Djvu malware – probably the .vveo and .vvew variants. The threat landscape touches users from Argentina, Vietnam, Turkey, and Brazil.

New campaign spreading on Discord, distributing STOP ransomware and RedLine stealer. The file is shared as an encrypted 7zip attachment. The malware is further protected by AceCrypter and has an embedded (invalid) AVG certificate.

— Avast Threat Labs (@AvastThreatLabs) August 2, 2022

The exact file is additionally disguised – to lull the vigilance and avoid the detection of some basic anti-malware tools. It has an invalid AVG certificate embedded and AceCrypter protection, making it possible to pass the certificate-based check-ups. Such a tactic is pretty new for STOP/Djvu ransomware. Earlier, they were masking their malware by a specific repacking that required special database signatures to counteract. Is the certificate just an experimental feature or a new approach – only crooks know?

Spreading model is also worth a separate note. Before, the Djvu gang was reportedly creating fake one-day sites with torrent downloading of popular content. Popular films, sitcoms, and new games always have a suitable disguise. However, it is a common case for the group which applies a Ransomware-as-a-service scheme. One distribution team may test this spreading approach.

STOP/Djvu ransomware comes with RedLine stealer

Again, the supplementary spyware is not new for Djvu ransomware. Earlier versions of this malware were carrying the legendary Azorult spyware, which appeared in 2016. Since its adoption in 2020, STOP/Djvu group has stealthily grabbed the victims’ credentials to sell them later on the Darknet. RedLine is younger – it is active since 2020 – and has several unique features that possibly make it more desirable for the developers. Again, whether such a change is temporal or not is unclear – Azorult and RedLine have similar functionality. The worst part is that victims should still change all their passwords after the attack. Otherwise, they may uncover their accounts in social networks as a part of a botnet.

What is STOP/Djvu ransomware?

This ransomware family is worth saying several words about. After appearing in 2017, this ransomware quickly gained a large share of the ransomware arena. It aims at individual users and asks for $450-$900 for file decryption. This ransomware uses an AES-256 cipher in CFB mode and the RSA algorithm. There are several possible solutions to decrypt the files after the STOP/Djvu ransomware attack, but most rely on exploiting the offline keys. The situations when your files are ciphered with online keys are likely unsolvable – unless you pay the ransom or have your files backed up. There is also the possibility of getting your files back after the gang dissolution – but such an occasion has a pretty low possibility. STOP/Djvu gang is running for too long to cease to exist; in the worst-case scenario, it will just decrease its activity.

The post Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer appeared first on Gridinsoft Blog.

Explaining the Discord virus

Discord virus is only the name of a spamming campaign that takes place on this communication platform. The exact type of malware you can get through these tricks may vary in an extensive range. Nonetheless, the fraudsters’ method to fool you cannot be named original. There are two well-distinguishable ways – thick and gentle. A thick method is used in massive attacks. The possible victim receives a malicious link with a clickbait text from an unknown user. Because all such messages are suspicious, Discord additionally shows you the notification that it is dangerous to click the links and open the files received from unknown users. Nonetheless, the most careless people may be caught even in such an easy trap.

Gentle method requires a server, where the fraudster makes an image of a typical user interested in a theme of discussion. Then he sends the same message as in the thick method but adds something attractive for other participants. Such a distribution requires social engineering skills, time, and patience. But the trust level of users is much higher, and in the case of large (200+ active participants), server virus distributors may hit the jackpot.

Important details: how the trust is established

You will barely distinguish a malware distributor among other users when he tries to commit a malicious link stuffing. And it is hard even to predict such behavior because of the specific audience present in Discord. This platform is generally used by gamers, programmers, and similar categories of users. They often need to deal with self-made programs, dubious applications, or other stuff, which often causes a hysterical reaction to antivirus tools. Hence, the requirement to disable the anti-malware software at the moment of program start or adding this app to the white list does not look suspicious.

But there are several moments which are not obvious for a new or not experienced user but can easily be refuted by advanced ones. A lot of Discord virus cases were conducted with sending a “free patch for Discord which will enable Nitro features without purchasing”. People who know how the Discord subscription model works will surely figure out this fake. Data about the account’s privileges are kept on a server handled by the developers of this program. You have paid for Discord Nitro is approved by the corresponding incoming payment. And there is no way to change this data and enable the feature for your account by cracking the client version of the application.

N.B. There are also several other variants of malware distribution in Discord, you can read about them here.

How dangerous the Discord virus is?

Not as dangerous as, for example, ransomware. This way of malware distribution is not anonymous. It will be straightforward for cyber police to track a user who spreads some dangerous malware. However, it is still nothing pleasant in coin miner, spyware, adware¹ or any other malicious thing. Be very careful when making use of software that an unknown person recommends. The same instructions are for unnatural links, pretending to be downloading ones for some useful software.

The post What is Discord virus? Investigating a new online fraud appeared first on Gridinsoft Blog.