Crypto-Stealing Virus Found in Torrented Movie File, Targeting Windows

Colin Muller

A package of extensive exploits found in a fake copy of a torrented movie falsifies search results and redirects cryptocurrency payments, if it can, reports the security website Bleepingcomputer.com.

The exploit suite, found in a fake copy of the movie The Girl in the Spider’s Web (garnering a 40% on Rotten Tomatoes), targets the Windows operating system only. While very robust, the exploit can only target fast-clickers, as the malicious file is not even a media playing filetype, but instead a .LNK shortcut. Bleepingcomputer cited security experts in saying that “weaponized .LNK files are common in pirated content.”

windowsLawl.png

The file opens many attack vectors. One of them produces fake ads and search results on Google and Yandex, by hijacking both Chrome and Firefox browsers to do its bidding, and downloads extensions it needs to function. It deviously redirects searches for things like “spyware” to custom, fake anti-spyware software which is in fact yet more malicious software.

Wikipedia is also targeted when users visit the site, with a fake donation box injected into the page that appears presenting bitcoin and ether addresses (neither has seemed to phish too much coin).

The exploit specifically targets crypto, too, by scanning websites for crypto addresses and replacing them with the attackers’ own addresses. The user, probably not noticing anything wrong, could then simply copy the wrong address into a transaction field. To protect themselves from these attacks, users are always advised to double check the addresses they're sending funds to.

Security in General

CryptoGlobe recently reported on the persisting vulnerability of South Korean exchanges, despite passing government-led security audits. Another report from ICORating, released only a week ago, claimed that a mere 16% of the top 135 cryptoasset exchanges got top marks on security. The majority of exchanges, the report found, had significant security oversites - including some big ones like Binance.

The overall trend of security involving cryptocurrency is that so-called “cryptojacking” - hijacking an unwitting user’s computer and using it to surreptitiously mine cryptocurrency (usually Monero) - is on the wane, while data theft targeting public and private organizations - a style of attack known as “ransomware" - is on the rise.

Businesses and other entities are often targeted by ransomware attacks by having their vital data encrypted, with attackers demanding cryptocurrency payments for the decryption keys.

Coinbase Doesn’t Want You to Get Scammed on Telegram

On Friday (April 19), cryptoasset exchange Coinbase's security team explained how various "threat actors" are trying to use Coinbase's brand to commit scams on messaging platform Telegram. 

Telegram is a free cloud-based messaging app with the ability to make voice/video calls. It is available as a web app, a mobile app (OS and Android), and a desktop app (MacOS, Windows, and Linux). In recent years, it has become the messaging platform of choice for cryptocurrency traders/investors, developers, and entrepreneurs for various reasons, such as the ability to create price bots.

In a long, detailed article published on Friday, Matt Muller, Head of Security Operations at Coinbase, started by pointing out that "Coinbase does not provide support through Telegram, nor do we have any authorized groups or channels." (In fact, "Coinbase has no official presence on Telegram," and "any usage of the Coinbase logo or brand on Telegram" should be considered a scam.)

He then went on to say that Coinbase's security team has been following the activities of "several threat actors attempting to leverage the Coinbase brand on Telegram for purposes ranging from crypto scams to account takeovers." 

In order to help users of Coinbase and other exchanges recognize "the signs that they may be talking to a scammer," Muller outlined some of the most common scam techniques on Telegram.

  • Employment Scams"Scammers on Telegram impersonate Coinbase recruiters and executives with fake career opportunities. These scams prey on job seekers, soliciting payment for training materials, mining hardware, or in some cases providing stolen financials for the purposes of money laundering. These job offers will appear very legitimate, with forged offer letters and seemingly astute interview questions. Coinbase recruiters will never contact job seekers via Telegram."
  • Giveaway Scams: "Impersonations of our executives and brand to perpetuate giveaway scams are becoming increasingly common on Telegram. One channel in particular, titled simply Coinbase, advertises a new giveaway scam almost daily."
  • Load-up Scams: "Telegram frequently hosts scammers advertising the buying or 'loading' of accounts with high limits. These scammers ask to access your Coinbase account, so they can use your verified limits to buy digital currency. While they claim to split profits with the account holder, in actuality, they use stolen credit cards and bank accounts, leaving you responsible for facilitating a financial crime. When the legitimate card or account holder reverses payments, you will be responsible for any account delinquencies caused by the fraudulent bank reversals. In many cases, the scammer will lock you out of your account, use your own payment methods without consent and steal any available digital currency."
  • Tech Support Scams: "Scams impersonating customer support take many shapes and sizes... Scammers will impersonate Coinbase or Coinbase employees, asking you to take action that results in theft of digital currency. Some scams involve fake promo offers. Many of these scams ask for remote access to your computer, something Coinbase personnel will never ask for... In other situations, the scammers pressure you into 'upgrading' or securing your Coinbase account by sending digital currency to their external address."
  • Coin Listing and ICO Scams: "Scammers on Telegram often approach project developers soliciting payment for asset listings on Coinbase and other digital asset exchanges. In addition, scams promising investment bonuses on new ICO listings are prolific."

Featured Image Credit: Photo by "geralt" via Pixabay.com