More stories


    Cheap malware is behind a rise in attacks on cryptocurrency wallets

    A rise in cheap, easy-to-use malware means it’s easier than ever for cyber criminals to steal cryptocurrency. Cryptocurrency has long been a popular target for organised cyber criminals, whether they steal it outright from exchanges or demand it as an extortion payment in ransomware attacks. But its growing value has also made individual users a key target, and attackers are increasingly launching campaigns that aim to steal cryptocurrency directly from users’ wallets.

    Research by Chainalysis warns that cryptocurrency users are increasingly under threat from malware including information stealers, clippers, which replace a wallet address the user has copied to the clipboard with the attacker’s own address so that the payment is redirected, and trojans, all of which can be bought for what the report describes as “relatively little money” on cyber criminal forums. For example, the Redline info stealer is advertised on Russian cyber crime forums at $150 for a month’s subscription or $800 for ‘lifetime’ access. For a cyber criminal looking to steal cryptocurrency, it is highly likely they will recoup the cost of the malware within a handful of attacks. The service also provides a tool for encrypting the malware so that it is harder for anti-virus software to detect, increasing the likelihood that an attack succeeds in stealing cryptocurrency from compromised victims.

    “The proliferation of cheap access to malware families like Redline means that even relatively low-skilled cybercriminals can use them to steal cryptocurrency,” warns the report.
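The clipper behaviour described above, and the check a wallet or browser extension can make against it, as an added example (not code from the article or from Chainalysis, and not modelled on any particular malware family): a simulated clipboard in which the user copies a payee address, a clipper swaps it for one of the same family, and a guard compares the copied value with the one about to be pasted. It also validates the Base58Check checksum of legacy Bitcoin addresses. `GENESIS` is the public Bitcoin genesis-block address; `ATTACKER_BTC` is a constructed string that merely looks like an address; the class and function names are the example’s own.

```python
"""Detecting clipboard-swap ('clipper') behaviour before a payment is sent.

Added example; not code from the article or from Chainalysis, and not a model
of any specific malware family. GENESIS is the public Bitcoin genesis-block
address; ATTACKER_BTC is constructed and only looks like an address.
"""
import hashlib
import re

ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"        # real, public address
ATTACKER_BTC = "1AttackerAddrXYZ2345678abcdefghjkmn"  # constructed, not a real address


def address_kind(text):
    """Return which address family a string looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def base58check_ok(addr):
    """Verify the 4-byte double-SHA256 checksum of a legacy (Base58Check) Bitcoin address."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte that the int conversion dropped.
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(body) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(body[:21]).digest()).digest()
    return digest[:4] == body[21:]


class ClipboardGuard:
    """Remember what the user actually copied; flag a mismatch at paste time."""

    def __init__(self):
        self.clipboard = ""
        self.last_user_copy = None

    def user_copy(self, text):
        """The wallet/browser hook that records a copy the user performed."""
        self.clipboard = text
        self.last_user_copy = text

    def clipper_tamper(self, attacker_addr):
        """What a clipper does: swap a copied address for its own of the same family."""
        kind = address_kind(self.clipboard)
        if kind is not None and kind == address_kind(attacker_addr):
            self.clipboard = attacker_addr

    def check_before_paste(self):
        """Return (ok, reason) for the current clipboard contents."""
        current = self.clipboard
        kind = address_kind(current)
        if kind is None:
            return True, "not an address"
        if self.last_user_copy is not None and current != self.last_user_copy:
            return False, f"clipboard {kind} address changed since the user copied it"
        if kind == "btc-legacy" and not base58check_ok(current):
            return False, "bad Base58Check checksum"
        return True, f"{kind} address unchanged"


if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.user_copy(GENESIS)
    guard.clipper_tamper(ATTACKER_BTC)
    print(guard.check_before_paste())
```

The comparison is the easy part; in a real deployment the hard part is hooking the user’s own copy action so that `last_user_copy` reflects what they intended rather than what the clipboard currently holds. The checksum test is a second, weaker line of defence: it catches corrupted addresses but not a well-formed attacker address, which is why the swap check comes first.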

    Overall, the malware families in the report received 5,974 transfers from victims in 2021, up from 5,449 in 2020, although that is down significantly on 2019, which saw more than 7,000 transfers.

    But Redline is just one example of malware designed to steal cryptocurrency, and there is a growing market in this space. Of the incidents tracked, Cryptbot, an info stealer, was the most prolific thief of cryptocurrency wallets and account credentials, stealing almost half a million dollars in cryptocurrency in 2021.

    Success in stealing cryptocurrency from individual users could also push more ambitious cyber criminals to target organisations and even cryptocurrency exchanges, meaning the threat to crypto wallets and credentials is something organisations need to consider too.

    “The cybersecurity industry has been dealing with malware for years, but the usage of these malicious programs to steal cryptocurrency means cybersecurity teams need new tools in their toolbox,” says the blog post. “Likewise, cryptocurrency compliance teams already well-versed in blockchain analysis must educate themselves on malware in order to ensure these threat actors aren’t taking advantage of their platforms to launder stolen cryptocurrency.”


    Multichain token hack losses reach $3 million: report

    A vulnerability in Multichain systems has led to the theft of at least $3 million, reports suggest. 

    Multichain, previously known as Anyswap, is a cross-chain router protocol designed to let users swap and exchange digital tokens across blockchains while reducing fees and streamlining the process. The ecosystem has been thrown into confusion, however, by a security incident caused by a vulnerability in the network, as first reported by Vice. Dedaub reported the vulnerability to Multichain. The company said in a blog post dated January 17 that the critical flaw affected WETH, PERI, OMT, WBNB, MATIC, and AVAX swaps, but assured users at the time that “all assets on both V2 Bridge and V3 Router are safe [and] all cross-chain transactions can be done safely as usual.” In the same breath, it urged users to log in to their accounts and remove any approvals relating to these tokens as quickly as possible, or funds could be at risk. Technical details of the vulnerability have yet to be disclosed. On Wednesday, Multichain said that users who had not revoked their WETH approval had been exploited.

    “Please do not transfer any of these six tokens to your accounts before revoking, otherwise, your wallets are in danger still,” the organization said. “The hack is contained for now. However, users still have to revoke the approvals for those six tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) to avoid a future attack.” The messaging has caused confusion: despite the approval issue and the lost funds, Multichain says bridging can continue “as usual.”

    Losses were originally estimated at around $1.4 million. ZenGo co-founder Tal Be’ery said on Wednesday that the total stolen has likely surpassed $3 million. One victim who lost approximately $1 million in tokens attempted to negotiate with a thief who had posted an on-chain ‘ransom’ note. In an update on Thursday morning, Be’ery noted that the negotiation had concluded, with the attacker returning the funds minus a $150,000 “tip.” Dedaub will publish an advisory on the vulnerability in the future.

    In related news this week, cryptocurrency exchange Crypto.com CEO Kris Marszalek said that a cyberattack last week affected 400 users. The company has not disclosed how much was stolen, but said clients were reimbursed on the same day.
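What “revoke the approval” means on the wire, and how to find the approvals that make a router bug costly, as an added example (not Multichain’s or Dedaub’s code, and saying nothing about the undisclosed flaw itself): an ERC-20 approval is a call to `approve(spender, amount)`, a revoke is the same call with `amount` set to zero, and an “unlimited” approval is one whose amount is the maximum uint256. The block builds the raw calldata a wallet sends, decodes it strictly, and replays a wallet’s sent approvals to flag those still outstanding. The four-byte selectors are fixed by the ERC-20 ABI; the token, router and wallet addresses are constructed placeholders and the function names are the example’s own.

```python
"""ERC-20 approval hygiene: building a revoke and auditing outstanding approvals.

Added example; not Multichain's or Dedaub's code. Addresses below are
constructed placeholders, not real contracts. Selectors are the standard
ERC-20 ones (first four bytes of keccak256 of the signature).
"""
UINT256_MAX = 2**256 - 1
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")    # approve(address,uint256)
ALLOWANCE_SELECTOR = bytes.fromhex("dd62ed3e")  # allowance(address,address)


def _addr_word(hexaddr):
    """ABI-encode a 20-byte address as a left-padded 32-byte word."""
    h = hexaddr.lower()
    if h.startswith("0x"):
        h = h[2:]
    raw = bytes.fromhex(h)
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {hexaddr}")
    return raw.rjust(32, b"\x00")


def encode_approve(spender, amount):
    """Calldata for token.approve(spender, amount)."""
    if not 0 <= amount <= UINT256_MAX:
        raise ValueError("amount out of uint256 range")
    return APPROVE_SELECTOR + _addr_word(spender) + amount.to_bytes(32, "big")


def encode_revoke(spender):
    """The remediation the article describes: set the allowance to zero."""
    return encode_approve(spender, 0)


def encode_allowance_call(owner, spender):
    """Calldata for the read-only eth_call that confirms the revoke took effect."""
    return ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def decode_approve(calldata):
    """Return (spender, amount) for an approve() call, or None for anything else.

    Strict: the 12 padding bytes of the address word must be zero, as a
    conforming ABI decoder requires.
    """
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    word = calldata[4:36]
    if word[:12] != b"\x00" * 12:
        return None
    spender = "0x" + word[12:].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def current_allowances(sent_txs):
    """Replay (token, calldata) pairs in order; the last approve per (token, spender) wins."""
    state = {}
    for token, calldata in sent_txs:
        decoded = decode_approve(calldata)
        if decoded is None:
            continue
        spender, amount = decoded
        state[(token.lower(), spender)] = amount
    return state


def risky_approvals(sent_txs, trusted_spenders=()):
    """Flag outstanding approvals that are unlimited or go to an untrusted spender."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), amount in current_allowances(sent_txs).items():
        if amount == 0:  # revoked
            continue
        reasons = []
        if amount == UINT256_MAX:
            reasons.append("unlimited")
        if spender not in trusted:
            reasons.append("untrusted spender")
        if reasons:
            findings.append((token, spender, amount, ", ".join(reasons)))
    return findings


# Constructed sample: a wallet granted an unlimited approval to a router and then revoked it.
TOKEN = "0x" + "aa" * 20
ROUTER = "0x" + "bb" * 20
WALLET = "0x" + "cc" * 20
SAMPLE_TXS = [
    (TOKEN, encode_approve(ROUTER, UINT256_MAX)),  # the dangerous grant
    (TOKEN, encode_revoke(ROUTER)),                # the fix
]

if __name__ == "__main__":
    print("revoke calldata:", encode_revoke(ROUTER).hex())
    print("outstanding before revoke:", risky_approvals(SAMPLE_TXS[:1]))
    print("outstanding after revoke:", risky_approvals(SAMPLE_TXS))
```

Replaying a wallet’s own sent calldata is enough for this illustration, but a real audit should read the token’s `Approval` event logs or query `allowance()` directly, since allowances can also change through paths other than a plain `approve` call. The point the Multichain advice makes is that revocation is the user’s only lever: an approval lets the spender contract move tokens without further consent, so a flaw in that contract is a flaw in every wallet that approved it.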


    'Serial' romance fraudster jailed for trying to scam 670 people in the UK

    A romance scammer in the United Kingdom has been jailed after trying to con 670 people. 

    According to the UK’s National Crime Agency (NCA), Osagie Aigbonohan, originally from Lagos, Nigeria, used a range of fake names, dating apps, and social media networks to find and connect with potential victims looking for a relationship. The 41-year-old’s aliases included “Tony Eden.” While masquerading as Tony, Aigbonohan targeted a woman and built up a relationship over ten months before begging her for money to help him with an incident at an overseas business. The woman was told that a machinery accident at work, and the subsequent need to pay for workers’ funerals, had drained his bank account, and that he needed to hire drilling equipment to resume operations. This led to fraudulent transfers of £9,500 ($13,000) to various accounts held under fake identities, which eventually made their way into Aigbonohan’s personal account. In another case, a terminally ill woman became a victim. “Aigbonohan continued to pursue her even after she had passed away,” the NCA says. The crime agency estimates that at least 670 people were targeted by the scammer, that at least eight sent him money, and that approximately £20,000 ($27,200) in total was fraudulently obtained.

    Following an NCA investigation, Aigbonohan was arrested in July last year and charged with fraud and money laundering. It was also discovered that he had overstayed his visa, was in the UK illegally, and was using a counterfeit driving licence. Southwark Crown Court has now sentenced Aigbonohan to 28 months in prison. “Romance fraud is a particularly callous offence, involving exploitation of an individual’s emotional needs and caring qualities, to extract money from them,” commented James Lewis of the Crown Prosecution Service (CPS). “People should be particularly vigilant over the coming month as we head towards Valentine’s Day and more people seek a partner.” UK Finance estimates that between January and November 2021, UK residents lost £18.5 million ($25.2 million) to romance scams, an increase of 12% year-on-year. In the same year, the FBI estimates, $133 million was fraudulently taken from victims in the United States.

    In other NCA news, a 32-year-old man from Nottingham was jailed earlier this month after admitting to using Remote Access Trojans (RATs) to spy on both children and adults. Sensitive and explicit material was also stolen from handsets infected by the malware.


    Singapore police warn of ad scams targeting Google search users

    Singapore has warned of a new scam tactic targeting users of Google’s search platform, some of whom have unwittingly assumed advertisements containing fake bank hotlines to be legitimate. Victims have already lost more than S$495,000 ($367,775) since December 2021. The Singapore Police Force (SPF) said the phishing ads appear on Google when users search for a bank’s contact number in order to seek advice for various reasons. The ads show up amongst the first few search results and carry fake contact details for the bank, the police said in an advisory released Wednesday. Victims who called these numbers would speak with someone impersonating a bank employee, who would then alert them to supposed issues with their bank account, credit or debit cards, or loans. Victims would be instructed to temporarily transfer funds to bank accounts provided by the impersonator, supposedly to resolve the issue or make payments on outstanding loans.

    Some victims would receive SMS messages with headers spoofing the bank’s Sender ID, so that they appeared to be legitimate communications from the bank. The messages would either contain instructions to reset the victim’s bank account as part of Singapore’s efforts to combat scams, or state that the victim had to transfer money for an early loan settlement. “Victims would only realise that they had been scammed when they contacted the bank via the authentic hotline to verify the new bank account number or when the bank contacted them to verify the reason for the large sum of money transferred,” SPF said. Since last month, at least 15 victims have lost more than S$495,000 ($367,775) to these scams, according to the police.

    The latest advisory follows a spate of phishing SMS scams that affected at least 469 customers of OCBC Bank and resulted in losses of more than S$8.5 million. Some S$2.7 million was lost over the recent three-day Christmas weekend alone, and several victims reportedly lost their life savings. The bank has since promised full restitution to all victims of the scams.

    Industry regulator Monetary Authority of Singapore (MAS) on Wednesday also introduced additional security measures that banks must implement in light of the OCBC scams. These include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens. Banks will also have to set up dedicated, “well-resourced” customer assistance teams to deal with customer feedback on potential fraud cases. MAS said the new measures, to be deployed within two weeks, aim to strengthen the security of digital banking. “MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” it said.


    Fortune favours the breached: Crypto.com admits 400 users hit in hack

    Crypto.com CEO Kris Marszalek told Bloomberg on Wednesday that the attack earlier this week hit 400 users. For what Marszalek said was a period of 13 to 14 hours, Crypto.com paused its users’ ability to withdraw funds, and subsequently told users they would need to sign back into their accounts and reset their two-factor authentication. Marszalek said Crypto.com’s 200 security professionals had built a “very robust” infrastructure with defence in depth. “There are multiple layers, and in this particular incident, some of these layers were breached,” he said. “Which resulted in about 400 accounts having unauthorised transactions.” Marszalek added that the affected users had their funds fully reimbursed on the same day and, while he would not be drawn on the amount taken, said the company was working on a postmortem that would appear on its blog in the next few days.

    “In any case, one has to remember that given the scale of the business, these numbers are not particularly material.” While Marszalek did not put a number on it, PeckShield did, claiming around $15 million was being washed through a coin tumbler. In other sections of the interview, the CEO said he expected new use cases such as blockchain gaming to push the number of cryptocurrency users past one billion this year, and added that the company was looking at potentially buying blockchain gaming companies.


    Singapore must clamp down on security inertia before digital banking era can take off

    Where cybersecurity is concerned, governments and businesses often tout the importance of “shared responsibility”, with consumers urged to practise good cyber hygiene to help stave off attacks and protect their own assets. A recent spate of online scams in Singapore, however, shows that blame will be placed on individuals whenever possible, and that regulation is sometimes the only way to shake organisations out of complacency.

    People, process, and technology. How often has this trinity been preached as the three fundamentals of any successful digital adoption and the holistic approach to a good security posture? Which of the three, though, bears the greater weight? Does technology play the biggest role in cybersecurity? Or are processes the most critical component of the equation? When it comes to blame, it appears that significant onus is placed on consumers to safeguard their personal data and bear the consequences should they fall for online scams.

    A recent series of online scams involving at least 469 customers of OCBC Bank resulted in losses of more than S$8.5 million ($6.32 million), with S$2.7 million scammed over the recent three-day Christmas weekend alone. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and a 33-year-old finance executive whose account was emptied of S$68,000.

    In these cases, which first surfaced on December 1 last year, scammers manipulated SMS Sender ID details to push out messages that appeared to come from OCBC. The messages prompted victims to resolve issues with their accounts, redirecting them to phishing websites that instructed them to key in their bank login details, including username, PIN, and one-time password (OTP). Because OCBC’s legitimate Sender ID was spoofed, these messages appeared in the same thread as previous alerts and notifications from the bank, leading victims to believe they were genuine.

    In its statement released December 30, OCBC made clear that customers were “the first line of defence” against such scams and that once funds had been moved from an account, the possibility of recovery was “very low”. The bank said it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in SMS messages.

    Upset over how the breach was handled, affected OCBC customers expressed frustration at the lengthy time they were put on hold while trying to reach the bank’s hotline and have their accounts locked to stem the losses. Several noted a lack of urgency amongst OCBC’s customer agents when told about the breach. In an interview with local media platform Mothership, the 43-year-old victim added that the bank staff he dealt with did not even appear to be aware of the ongoing scams. Noting that his account was breached on December 20, he questioned whether OCBC had done enough to alert its own staff and customers to the growing risk when the attacks had been escalating since early December.

    Inundated with the bad press that followed, OCBC on Wednesday said all customers affected by the scams would receive “full goodwill payouts” covering the amount they lost. This came after its statement on Monday that it had begun making “goodwill payouts” on January 8, which did not specify whether this applied to all customers or whether they would receive the full amount lost. OCBC probably sees the S$8.5 million write-off as a necessary cost of crisis management, but it will take much more than that to regain customers’ trust and its brand reputation. It also faces possible repercussions from industry regulator Monetary Authority of Singapore (MAS), which said it would “consider appropriate supervisory actions” after the bank had conducted a “thorough” investigation to identify and plug deficiencies in its processes.

    Meanwhile, MAS on Wednesday introduced several measures that banks must implement as a result of the phishing scams. These include the removal of hyperlinks from email or SMS messages sent to consumers, a 12-hour delay in activating mobile software tokens, and a dedicated, “well-resourced” customer assistance team to deal with customer feedback on potential fraud cases. Noting that the new measures aimed to strengthen the security of digital banking in Singapore, MAS added that financial institutions should implement further safeguards, such as a cooling-off period before requests for key account changes, including changes to a customer’s contact details, take effect. More permanent solutions are also in the works to combat SMS spoofing, including adoption of the SMS Sender ID registry by all relevant stakeholders, MAS said.

    Stronger regulatory hand needed for businesses to take security seriously

    These steps, in my view, are a long time coming. Too many organisations, banks included, have for far too long adopted business practices that put customers at risk of attack. They have also become increasingly heavy-handed in the amount of personal data they demand from customers in return for access to services, including critical ones. More importantly, as the number of cyber attacks and breaches continues to grow, businesses still lack a proper plan to respond quickly to security incidents and stem any potential leak.

    OCBC clearly did not have a cybersecurity incident response framework in place. If it had, it would have been better able to handle calls from frantic customers alerting it to the scams, and to block affected accounts swiftly enough to stop further fraudulent transactions. There are further questions about why the bank’s SMS header was so easily spoofed, and whether it took any prior measures to prevent, or even investigate, the phishing scams when they first surfaced. Local law enforcement had published multiple advisories, including one as early as last April and another in November, about fake SMS messages carrying spoofed bank sender headers. Did OCBC heed those alerts? Or did the bank deem it fine to ignore them, since the advisories served as a warning for consumers to take the necessary measures and be “the first line of defence”?

    Shouldn’t OCBC have been the very first line of defence in this case? In a January 17 reply to reports on the SMS phishing scams, IMDA’s director of communications and marketing Foo Wen Dee said a pilot had been launched last August to let organisations register the SMS Sender ID headers they wished to safeguard. Registering with the SMS Sender ID protection registry would ensure that messages sent through unauthorised use of a protected Sender ID were blocked. Foo wrote: “The success of this measure, however, requires organisations such as banks to participate in the pilot, which would include registering the SMS Sender IDs they wish to protect and choosing the approved SMS aggregators that are allowed to send SMSes on the banks’ behalf. When the registry was initiated, some banks signed up for the registry. Other organisations such as Lazada and SingPost also signed up. We urge more businesses that use SMS Sender IDs to do so.” She added that IMDA was working with telcos in Singapore to roll out other measures, including blocking commonly spoofed numbers.

    It is interesting that Foo chose not to name the banks that participated in the pilot, when she did for organisations in other sectors. So, did OCBC put its SMS Sender ID in the registry? And if it did, did it do so before or only after the phishing scams surfaced in December? And why was it the only bank hit, and hit so severely, by the onslaught? These are questions that cannot go unanswered, especially as Singapore is about to push its digital banking regime into full gear. The four successful bidders for the country’s digital bank licences are expected to begin operations from early 2022. Scarred by the numerous reports of life savings wiped from bank accounts, with blame put on the victims, how many will rush to sign up for services offered by digital banks?

    If scammers can find holes in the systems and processes of established traditional banks such as OCBC, what more can they do with banks that run entirely on online infrastructure? Furthermore, several victims of the OCBC scams were not from vulnerable groups that are less tech-savvy and more susceptible to scams. They were young, presumably already familiar with consuming online services, and professionals from the financial and IT industries. If even they were fooled, what hope is there for others less accustomed to digital banking? Consumer trust plays a key role in driving adoption and, if left unaddressed after the latest series of events, its erosion may put a spanner in the works of Singapore’s hopes for a thriving digital banking era. On the flip side, it could hand a new competitive advantage to the new digital players, now that the trusted relationship between incumbent banks and customers has been somewhat eroded.

    While it remains to be seen how the industry will recover from the OCBC saga, what has become clear is the need for stronger regulation to shake companies out of inertia. For one, MAS’ inclusion of incident response among the measures banks must adopt is a positive step forward. A ZDNet report I published last week discussed the importance of cybersecurity incident response in bolstering cyber resilience and network availability. As mentioned there, a robust incident response plan could have helped OCBC stop funds leaking further and saved its customers, and the bank itself, from losing S$8.5 million. There should be clear guidelines, and mandates if necessary, ensuring that businesses and banks respond within a stipulated time when customers call their hotline about a potential security breach. Failure to meet this should result in financial penalties, or in breached organisations losing the ability to disclaim liability.

    Companies should also be required to release an incident report, following their investigation into the breach, that sets out its cause and the remediation steps taken to plug the security holes, if any. Where necessary, the report should include additional measures customers may need to take to better protect the personal data they hold with the organisation. For instance, it has been two months since DBS suffered its most serious service disruption last November, during which customers could not log into or access the bank’s online and mobile services for the bulk of two days. Few details were offered about the cause at the time. Does it plan to release a report detailing its review of the incident soon? Has it at least submitted its findings to MAS? If not, how will DBS customers be certain that the bank’s own processes and systems did not trigger the disruption, and that their data and accounts are adequately secured?

    In addition, security measures deemed critical to combating growing threats, such as registering and protecting SMS Sender IDs, should be mandated and enforced rather than left optional. If MAS can release guidelines disallowing the marketing of crypto services to safeguard consumers against trading “on impulse”, then surely it can do the same to mandate the adoption of steps critical to protecting people’s life savings? While concerns that over-regulation can stifle innovation are valid, laws and rules are necessary when there is blatant failure, on the part of businesses, to do what is required in their customers’ interest.

    Yes, cybersecurity is a shared responsibility, but that does not mean companies get to throw up their arms at the first opportunity and say “we told you so” when customers make a mistake and fall for what breached organisations like to call “increasingly sophisticated” online scams. Equal effort should go into immediately addressing and containing the impact of security incidents, regardless of how the breach happened. An assume-breach posture does not mean businesses get to skip due diligence. And the next time someone mentions the trade-off between convenience and security, remind them of the bank accounts drained of life savings over one link in an SMS message.


    Biden threatens 'cyber' response after Ukraine says computers wiped during attack

    US President Joe Biden responded forcefully to reports of a wide-ranging cyberattack on Ukrainian government systems Wednesday afternoon, telling reporters that the US would respond with its own cyberattacks if Russia continues to target Ukraine’s digital infrastructure.  “The question is if it’s something significantly short of an…invasion or major military forces coming across,” Biden said in response to a question about how the US would respond to a Russian invasion of Ukraine. “For example, it’s one thing to determine that if they continue to use cyber efforts, well, we can respond the same way, with cyber.”


    The Daily Beast later asked White House Press Secretary Jen Psaki, who confirmed that if Russia continued to launch cyberattacks they would be met with a “decisive, reciprocal, and united response.” Biden’s comments come after Ukrainian officials told journalist Kim Zetter that dozens of systems within at least two government agencies were wiped during a cyberattack last week. Microsoft released a detailed blog post about the wiper malware, which it named “WhisperGate” and said it first discovered on January 13. In a follow-up analysis of WhisperGate, security company CrowdStrike said the malware aims “to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations.” “However, the WhisperGate bootloader has no decryption or data-recovery mechanism, and has inconsistencies with malware commonly deployed in ransomware operations,” CrowdStrike explained.

    “The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.”

    Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), told The Washington Post that one of the agencies affected by the wiper was the Motor Vehicle Insurance Bureau. The wipers were launched days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services. While it was initially unclear whether the website defacements and the wiper attacks were coordinated, Ukrainian officials confirmed this week that they occurred at the same time. Kitsoft, the company that built about 50 of the government websites, told Zetter that it too had discovered WhisperGate on its systems. The SSSCIP confirmed Zetter’s reporting in a statement.

    Ukrainian officials floated several theories for how the attackers got into their systems, including a vulnerability in the websites’ content management system. The Cyberpolice Department of the National Police of Ukraine also said the attackers may have got in through the Log4j vulnerability or through compromised employee accounts. According to The Washington Post, Russia has moved more than 100,000 troops to its border with Ukraine. The Associated Press reported this week that Poland was also raising its nationwide cybersecurity alert level in response to the attacks on Ukraine.


    ProtonMail to block tracking pixels, hide IP addresses

    ProtonMail announced on Wednesday that it will block tracking pixels and hide IP addresses as part of a new “enhanced tracking protection” feature. ProtonMail’s Lydia Pang explained in a blog post that the company believes “reading emails should be as private as our end-to-end encryption makes sending them.”

    “Today, we’re happy to introduce enhanced tracking protection, a feature that will provide an additional layer of privacy to your inbox. Now you can read your emails without letting advertisers watch you, build a profile on you, or serve you ads based on your mail activity,” Pang said. “By default, ProtonMail on the web now protects your privacy by: blocking tracking pixels commonly found in newsletters and promotional emails, preventing senders from spying on your mail; hiding your IP address from third parties so your location remains private. With enhanced tracking protection, you can continue to use your ProtonMail address to subscribe to newsletters and register for online accounts everywhere while enjoying a better, more private email-reading experience.”
    The company said about 40% of emails sent and received daily are tracked, and that email tracking has increased in recent years. Senders track emails by embedding pixels in the messages they send you: tiny remote images whose loading is logged by the sender’s server. ProtonMail said that every time you open an email containing a spy pixel, the sender learns when you opened it, how many times you opened it, and your location and IP address. “The gathered data is sent to the email sender, all without your consent. Email trackers can sometimes even expose your information to third parties, allowing them to track you across the web and connect your online activity to your email address, further shaping your invisible online profile,” Pang explained.

    “The feature is enabled by default on our web app, so you can enjoy peace of mind knowing that your emails are always protected.” ProtonMail has become well known as one of the most privacy-focused email services available, but faced a backlash in September after it revealed it can be “forced to collect information on accounts belonging to users under Swiss criminal investigation.”
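The two protections described above, blocking tracking pixels and hiding the reader’s IP address, as an added example (not ProtonMail’s code; how ProtonMail decides what counts as a tracker is not described on this page, and the heuristics here are the example’s own): an HTML mail filter that drops `<img>` elements that look like tracking pixels (1×1 or hidden via inline style) and rewrites every remaining remote image URL through a fetch proxy so that the sender sees the proxy’s address rather than the reader’s. The proxy endpoint `img-proxy.example` and the sample message are constructed for the example.

```python
"""Tracking-pixel filter for HTML mail.

Added example, not ProtonMail's code. Pixel heuristics and the proxy URL are
the example's own assumptions; SAMPLE_MAIL is a constructed message.
"""
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

PROXY = "https://img-proxy.example/fetch?u="  # hypothetical image proxy endpoint
HIDDEN_STYLES = ("display:none", "visibility:hidden", "width:1px", "height:1px")


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or unparseable."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def looks_like_pixel(attrs):
    """True for an <img> that is at most 1px in either dimension or hidden by style."""
    a = dict(attrs)
    w, h = _px(a.get("width")), _px(a.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = (a.get("style") or "").replace(" ", "").lower()
    return any(marker in style for marker in HIDDEN_STYLES)


class PixelFilter(HTMLParser):
    """Re-emit the document, dropping pixel images and proxying remote ones."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked, self.proxied = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._image(attrs)
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <img .../> and <br/>
        self.handle_starttag(tag, attrs)

    def _image(self, attrs):
        if looks_like_pixel(attrs):
            self.blocked += 1  # dropped entirely: even a proxied fetch would signal the open
            return
        parts = []
        for k, v in attrs:
            # Only http(s) sources go through the proxy; cid: and data: stay as they are.
            if k == "src" and v and urlsplit(v).scheme in ("http", "https"):
                v = PROXY + quote(v, safe="")
                self.proxied += 1
            parts.append(k if v is None else f'{k}="{v.replace(chr(34), "&quot;")}"')
        self.out.append("<img " + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_html(html):
    """Return (filtered_html, pixels_blocked, images_proxied)."""
    p = PixelFilter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked, p.proxied


# Constructed sample: a newsletter with a real logo and two tracking pixels.
SAMPLE_MAIL = (
    '<html><body><p>Hello &amp; welcome!</p>'
    '<img src="https://cdn.example.net/logo.png" width="200" alt="logo">'
    '<img src="https://track.example.net/open.gif?id=abc123" width="1" height="1">'
    '<img src="https://track.example.net/o.png" style="display:none">'
    '</body></html>'
)

if __name__ == "__main__":
    html, blocked, proxied = filter_html(SAMPLE_MAIL)
    print(f"blocked={blocked} proxied={proxied}")
    print(html)
```

The two mechanisms address different leaks: proxying hides the reader’s IP address and location, but a proxied fetch made at open time still tells the sender that the message was opened and when, which is why images that look like trackers are dropped rather than proxied. Size and style heuristics will miss a tracker disguised as a visible image, so in practice they sit alongside a list of known tracking hosts.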