
A previously undetected cryptocurrency scam has been using over 1,000 fraudulent websites to trick users into bogus reward schemes since at least January 2021.
“Thousands of people around the world have likely been scammed by this massive campaign,” Trend Micro researchers said in a report released last week, attributing the activity to a Russian-speaking threat actor known as “Impulse Team.”
“The scam works through an advance-fee scheme that tricks victims into believing they have won a certain amount of cryptocurrency, which they then have to pay to receive.”
The compromise chain begins with a direct message propagated via Twitter to lure potential targets to a decoy site. The account responsible for sending the messages has since been closed.
The message urges recipients to sign up for an account on the website and apply the promotional code specified within the message to win a cryptocurrency reward worth 0.78632 bitcoins (approximately $20,300).
However, once accounts were set up on the fake platform, users were asked to activate their accounts by making a minimum deposit of 0.01 bitcoin (approximately $258) in order to verify their identities and complete their withdrawals.

“Although relatively large, the amount required to activate an account is paltry compared to the rewards that users receive,” the researchers noted. “But, as expected, recipients get nothing in return for paying the activation amount.”
From December 24, 2022 to March 8, 2023, the illicit transactions netted the perpetrators over $5 million, according to a public Telegram channel that records all payments made by victims.
Trend Micro has unearthed hundreds of domains associated with this scam, some of which have been active as far back as 2016. All of the fake websites belong to an affiliate program, the “Scam Crypto Project” codenamed Impulse, which has been promoted on Russian cybercrime forums since February 2021.
Similar to ransomware as a service (RaaS) operations, this business requires affiliate actors to pay a fee to join the program and share a portion of the proceeds with the original creators.
To lend legitimacy to this operation, the attackers are believed to have created a look-alike version of a known anti-fraud tool called ScamDoc, which assigns trust scores to various websites, in an attempt to pass off the sketchy cryptocurrency sites as reliable services.

Trend Micro said it also encountered ads in private messages, online videos, and other social networks such as TikTok and Mastodon, indicating that affiliates use a wide range of methods to advertise their fraudulent activities.
“Threat actors streamline their affiliates’ operations by providing hosting and infrastructure, allowing them to operate these fraudulent websites independently,” the researchers said. “Affiliates will be able to focus on other aspects of their operations, such as running their own advertising campaigns.”
News of the fake giveaway scam coincides with a wave of cryptocurrency theft attacks orchestrated by a threat actor called Pink Drainer, who poses as a journalist to gain control of victims’ Discord and Twitter accounts and promote fake crypto schemes.
According to statistics collected by ScamSniffer, Pink Drainer has compromised 2,307 accounts and stolen over $3.29 million worth of digital assets as of June 11, 2023.
The findings come several weeks after Akamai uncovered a new Romanian cryptojacking campaign named Diicot (formerly Mexals) that used a Golang-based Secure Shell (SSH) worm module and a new LAN spreader for propagation.
And last month, Elastic Security Labs detailed how threat actors used an open-source rootkit called r77 to deploy the XMRig cryptocurrency miner in several Asian countries.
“r77’s primary purpose is to hide the presence of other software on the system by hooking critical Windows APIs, making it an ideal tool for cybercriminals looking to carry out stealth attacks,” the researchers said.
“The r77 rootkit allowed the creators of malicious cryptocurrency miners to evade detection and continue their campaigns undetected.”
It’s worth pointing out that the r77 rootkit is also embedded in SeroXen, an early variant of the Quasar remote administration tool. SeroXen retails for just $30 for a monthly license and $60 for a lifetime bundle.