For the second time, the FBI has warned the food and agriculture sector about the risk of ransomware attacks.
The post FBI warns food and agriculture to brace for seasonal ransomware attacks appeared first on Malwarebytes Labs.

The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification warning agriculture cooperatives (also known as “farmers’ co-ops”) of the looming danger of well-timed ransomware attacks. The agency warns that during the critical planting and harvesting seasons, attacks could result in the theft of proprietary information, and operational disruption leading to financial losses and even food shortages.

This is the second time the FBI has warned the food and agriculture sector. In September 2021, the agency revealed that ransomware threat actors were ramping up attacks as the sector adopted more smart technologies.

“Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants,” the agency said, “Initial intrusion vectors included known but unpatched common vulnerabilities and exploits and secondary infections from the exploitation of shared network resources or compromise of managed services.”

The FBI is concerened that threat actors might think agricultural cooperatives have an extra incentive to pay ransoms because some phases of their work are so time-sensitive.

**After-effects of ransomware attacks against the FA sector**

Attacks against organizations at the root of the food supply chain can cause significant downstream disruption.

During the same month as the FBI’s initial warning, in September 2021, BlackMatter ransomware hit Iowa’s NEW Cooperative, demanding a ransom of $5.9 million. The company was forced to take affected devices offline to stop the threat from spreading, and the ransomware gang was reportedly able to steal 1,000GB of data, including financial documents, employee data, and source code for a farming technology platform.

Two days after the NEW Cooperative attack, Crystal Valley Cooperative, a major farmer’s co-op in Minnesota, was hit by a still-unnamed ransomware strain. This stopped the group from processing major payment cards and caused its phone system some downtime.

In the last decade, the agriculture sector has been through a rapid technological transformation as traditional farm machinery—such as tractors—have joined the Internet of Things (IoT).

In a recent Lock and Code podcast about the vulnerability of agricultural technology, podcast host Davd Ruiz interviewed Sick Codes, a hacker who has taken a deep dive into the security of John Deere and other agricultural equipment manufacturers.

He told us that while the industry is beginning to think about the cybersecurity of its devices and systems, many vendors still struggle with the basics like where they store data and how to make it safe, leaving it open to easy exploitation. In one example of what might be possible, Sick explained that threat actors might be able to “game” the market for corn prices by intercepting unencrypted data about the crop as it moves from tractor fleets into the cloud:

> If somebody is to catch that data on the way out, they will be able to predict the price of corn. And corn is a commodity. It fluctuates daily. So actually if you have all that data, you’d be out to make serious money.

The FBI has taken stock of ransomware gangs that have hit organizations within the food and agriculture sector: BlackByte, BlackMatter, Conti, HelloKitty (aka Five Hands), LockBit, Sodinokibi (aka REvil), and SunCrypt.

**FBI recommendations**

The agency advises the sector to focus on protecting its networks, systems, and applications as threat actors can and will exploit vulnerabilities in them. It also offered some guidance on how to protect against ransomware attacks, including:

*   **Regularly back up data** to an offline, air-gapped location where it can’t be reached by attackers.
*   **Patch software** and firmware as soon as security updates become available.
*   **Segment networks** to slow down attackers, make finding them easier, and limit their damage.
*   **Use multi-factor authentication (MFA)** whenever possible.
*   **Use strong passwords** and avoid reusing them.

More guidelines can be found in the agency’s Private Industry Notification on the subject.

For a glimpse of the current state of cybersecurity in an Internet-connected agriculture sector, listen to our Lock and Code podcast below:

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

FBI warns food and agriculture to brace for seasonal ransomware attacks

Law enforcement believes that these hackers duping major tech companies are teenagers. But they are causing severe harm.
The post Hackers fool major tech companies into handing over data of women and minors to abuse appeared first on Malwarebytes Labs.

Posted: April 28, 2022 by

Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.

Although the data provided was limited, it was enough for the hackers to work on and use to target and harass specific women or sexually extort minors. In some instances, the data was used to pressure victims to create and share more sexually explicit material or—in one sinister case—carve the perpetrator’s name into their skin and share photos of it.

Typically, no company is under any legal obligation to respond to emergency data requests as these don’t include court orders. However, it is accepted practice that tech companies comply with such requests as a sign of “good faith.”

Former Facebook Chief Security Officer (CSO) turned consultant Alex Stamos said in an interview with Bloomberg:

> “I know that emergency data requests get used in real life-threatening emergencies every day. It is tragic that this mechanism is being abused to sexually exploit children.”

When victims refuse, they are subjected to swatting, doxxing, and other harassment techniques.

People close to the issue revealed that Apple, Alphabet (Google’s parent company), Discord, Meta (Facebook’s parent company), and Twitter were the companies who complied with the bogus requests. The data that was handed over varies per company but generally includes the name, IP address, email address, and physical address.

Law enforcement and investigators consider the tactic of exploiting legitimate channels as “the newest criminal tool” to acquire data from tech companies. This is unsettling in several ways. First, attackers can successfully impersonate police officers by compromising their agency’s email systems. Second, there is no way for tech companies to identify if such requests are fraudulent or not. Third, victims can’t protect themselves from such attacks unless they completely delete their accounts.

This tactic has become prevalent in recent months.

According to Stamos:

> “Police departments are going to have to focus on preventing account compromises with multi-factor authentication and better analysis of user behavior, and tech companies should implement a confirmation callback policy as well as push law enforcement to use their dedicated portals where they can better detect account takeovers.”

Many believe that the perpetrators of these attacks are teenagers based in the US and also abroad. This is potentially based on their methods of retaliation against victims who resist them.

Unit 221b’s Chief Research Officer Allison Nixon told Bloomberg that law enforcement and the cybersecurity industry must prioritize threats led by underage perpetrators.

“We are now witnessing their transition to organized crime, and all the real world violence and sexual abuse that comes with it,” Nixon said. They are causing serious harm, so “we need to start treating them like adults,” she said—a sentiment echoed by many in the cybersecurity industry.

**RELATED ARTICLES**

February 17, 2021 - The audio-chat app Clubhouse is the latest rage in the social media landscape. What is it, and can we trust it?

Hackers fool major tech companies into handing over data of women and minors to abuse

Call of Duty cheats can expect a whole new world of embarrassment as a new anti-cheating feature called Cloaking is introduced.
The post Call of Duty cheats can expect embarrassment with new anti-cheat feature appeared first on Malwarebytes Labs.

Posted: April 28, 2022 by

In-game cheats are about to have an even harder time of things in triple AAA titles such as Call of Duty. Activision’s “Ricochet” software – a kernel level driver anti-cheat system – has added another twist to the tale of how players are protected via a new system called “Cloaking”.

**Making all new punishments fit the crime**

Anti-cheat software typically sniffs out people breaking the rules and penalises them. Ricochet adds some perks into the mix for people who aren’t cheating, whenever someone up to no good joins a gaming session.

As an example, if I’m using an aim-bot to assist me in scoring cheap kills and I join your Call of Duty server, I won’t just be instantly kicked out. Two things will happen:

1.  Mitigations are deployed to help regular players not lose unfairly to cheaters like me, running round with aim-bots and wall hacks.. The already existing “Damage Shield” disables critical damage applied to non-cheating individuals. This means I can do everything in my power to win, but it almost certainly won’t be enough thanks to the second thing that happens.
2.  The new feature called “Cloaking” kicks in, which combined with the Damage Shield will scupper my chances of victory forever. This is because, hilariously, all other players vanish from view. I can’t see their characters, their bullets, or even hear the noises they make. Essentially, I’ll be twirling around in an empty space, firing bullets that do no damage. The best is yet to come. From the FAQ:

“Legitimate players, however, can see cheaters impacted by Cloaking and can dole out in-game punishment. Similar to Damage Shield, Cloaking gives legitimate players a leg up on cheaters.”

**That’s nothing to brag about: Shaming cheater out of gaming**

Exploiters in games traditionally love bragging rights. Anything to score a cheap win is acceptable, and bragging rights arising from _that_ is one of the reasons people continue to do it.

Many common anti-cheat methods exist which involve loading up tools prior to game launch, seeing if anything is running which shouldn’t be, and then simply preventing a cheater from joining in the first place.

From experience, people just load up another game and try it there instead until they’re allowed in.

This system is a curious remix of more typical anti-cheat tactics. Not only are the developers accepting that cheats will eventually end up in a session somehow, they’re also obtaining valuable game data in real-time as to how the cheats react to this approach.

Can you imagine the embarrassment when other players in the session upload incredibly funny clips of cheaters helplessly spinning into walls and firing guns at lamp posts to YouTube or stream it on Twitch? It’s possible the threat of this alone will deter some people from that level of social shaming. Nobody’s cool factor can survive an encounter like that.

**No stopping the ban train**

Conscious of controversy surrounding anti-cheat tools, the developers have reassured players several times. The Ricochet system only operates when playing, and it isn’t always _running_ when playing. It also shuts down when the game is closed.

I don’t know for sure how many anti-cheat tools actually do run outside of a game being active. I suspect it’s not many, but it is good to see an organisation being very clear about what additional software needed to run a game does (and does not) do.

With 54,000 new account bans added to the 90,000 in March, the gamble seems to have paid off. We can expect to see more slightly weird and unusual approaches to shutting down cheaters in games. Letting them run free in a gaming hamster maze while both regular players and developers observe at their expense? This is simply too good an opportunity to pass up.

**RELATED ARTICLES**

Call of Duty cheats can expect embarrassment with new anti-cheat feature

Scammers are disguising their phishing page as a donation hub for Ukrainian refugees.
The post Fake USA for UNHCR site wants your Ukraine donations in Bitcoin appeared first on Malwarebytes Labs.

Since Russia began invading Ukraine in late February, many organizations have set up donation pages to aid the most heavily affected: Families who were forced out of their homes due to bombings and children separated from grown-ups who decided to stay and take arms.

We’ve also seen a considerable amount of scams preying on those who want to bring help to the helpless. During these times of struggle, donation and phishing scams abound, too.

**There’s a spam campaign encouraging you to donate to or support Ukraine**

Our email honeypot snagged dozens of samples belonging to a campaign that spoofed an email that receivers were meant to believe came from the United Nations or United Humanitarian.

Our Threat Intelligence Team took a closer look and found that the actual senders are work email addresses of individuals linked to legitimate services in Bangladesh. The emails appeared to be compromised.

    Hello
    
    We stand with our friends and colleagues in Ukraine during this heinous assault on their freedom, their independence and their lives. We are actively supporting our resilient team and are doing what we can to insure their safety, click on the Link to see more updates or photos and videos of the invasions from Russian. Donate and Support Ukrainian now to save lives.
    
    Visit: {redacted URL}
           {redacted URL}
    
    Thanks for your support.
    Regards
    UNITED HUMANITARIAN

Clicking the links in the email body, or copying and pasting them to your browser, opens this legitimate looking website:

We inspected the URL using a domain registrant and found it was created on April 19 2022, two days before we started receiving the spam emails.

**Be extra vigilant with “mirrored” sites**

The scam page looks slick, professional, and not what you may expect from a bogus donation portal. There’s a good reason for this. The entire site has been copied from _unrefugees.org_ using HTTrack, a free website copier.

_This is inside the code of the fake refugee website helping Ukraine families flee. Website copiers can make a fake site a spitting image of its original counterpart._

_Unrefugees.org_ is the USA for UNHCR (United Nations High Commissioner for Refugees). It is a Washington-based, not-for-profit organization whose mission is to provide food, shelter, and medical care to those fleeing their homes due to conflict, persecution, or violence.

While the fake site mirrors the legitimate site perfectly, it has one major exception: They switched out the genuine donation page for one of their own. The real site allows you to donate monthly via credit card, Google Pay, or PayPal. Donations made to the fake site, however, are made through Bitcoin.

_This is the form donors would have to fill in._

We checked multiple sources for information on the Bitcoin address provided. It doesn’t appear in scam databases or fraud reports and has neither sent nor received funds. This, combined with the site now failing to resolve, hopefully means the scammers got nowhere with their phishing attempt.

**How to tell if a donation site is what it says it is**

It’s very difficult to know at a glance which sites are real. This is especially true where donations are concerned. However, there are tools available to check.

You can check for registered charities online in most cases, and the genuine site is listed here against the BBB (Better Business Bureau) record. You can find similar types of checks in other countries.

There are very good reasons for making speedy donations. Even so, taking the time to ensure the site you’re donating to is the real deal is the best course of action for both you and the people you’ll be helping.

Stay safe out there!

Fake USA for UNHCR site wants your Ukraine donations in Bitcoin

NAS device vendors are dealing with several severe vulnerabilities in Netatalk, the open-source implemenation of AFP.
The post QNAP customers urged to disable AFP to protect against severe vulnerabilities appeared first on Malwarebytes Labs.

MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. But QNAP is not the only vendor that needed to fix these vulnerabilities. Others have already done so, or have taken more drastic measures.

Taiwanese corporation QNAP has asked customers to disable the AFP file service protocol on its NAS appliances while it creates fixes for multiple, critical Netatalk vulnerabilities.

The vulnerabilities most urgently in need of mitigation or a fix are: CVE-2022-0194, CVE-2022-23121, CVE-2022-23122 and CVE-2022-23125. All of them are remote code execution (RCE) vulnerabilities, and all of them have a CVSS severity score of 9.8 out of 10.

In a security advisory, QNAP says it has fixed the Netatalk vulnerabilities for QTS 4.5.4.2012 build 20220419 and later, but it is still working to release security updates for all affected QNAP operating system versions. Given the severity of the vulnerabilities, keep an eye for updates.

**AFP and Netatalk**

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the Internet.

AFP is a proprietary network protocol, and part of the Apple File Service (AFS), that offers file services for macOS and the classic Mac OS. Many types of NAS devices support AFP so that macOS systems can access the data on them.

Netatalk is a free, open-source implementation of AFP that allows the Unix-like operating systems (that frequently power NAS devices) to serve as a file server for macOS systems.

Version 3.0 of Netatalk was released in July 2012. On  22nd of March 2022 the Netatalk team at Sourceforge announced Netatalk 3.1.13 with a new feature and several security updates.

**Not just QNAP**

Given the popularity of Netatalk, QNAP isn’t the only vendor that needs to deal with these vulnerabilities.

Another popular NAS device vendor, Synology, had issued Disk Station Manager version 7.1 to deal with the vulnerabilities. The update is expected to be available in all regions shortly but you can download it from the company’s website now if you want.

Western Digital removed Netatalk from its firmware, released on January 10, 2022. The company says that users can continue to access local network shares and perform Time Machine backups via SMB, a different file-sharing protocol.

TrueNAS says it fixed the vulnerabilities in TrueNAS Core 12.0-U8.1 on April 14, 2022.

**Mitigation**

Until an update has been made available, QNAP advises uses of affected devices to disable AFP and install security updates as soon as they become available.

To disable AFP on your QTS or QuTS hero NAS device, you will have to go to **Control Panel** > **Network & File Services** > **Win/Mac/NFS/WebDAV** > **Apple Networking** and select **Disable AFP (Apple Filing Protocol)**.

Stay safe, everyone!

QNAP customers urged to disable AFP to protect against severe vulnerabilities

Onyx ransomware destroys files larger than 200MB leaving victims with tough questions about paying ransoms.
The post Onyx ransomware destroys files, and also the criminal circle of trust appeared first on Malwarebytes Labs.

Some ransomware authors seem to be further whittling down their tenuous circle of trust style agreement with victims even further. Word has spread of a new Onyx ransomware operation which is quite a bit more destructive than those impacted would be hoping for.

The ransomware in question overwrites files larger than 200MB. Anything important is lost to the void forever, and only files smaller than this will be recovered should the victims pay up. This is not only very bad, but could also inspire other groups to do much the same thing. The message is loud and clear: ransomware authors simply don’t care about playing “fair” anymore.

**Trending towards destruction**

It used to be that ransomware authors tended to stick to somewhat peculiar honour among thieves style rules. If your ransomware operation gets a reputation for not decrypting files once payment has been made, people are less likely to pay up. Hand the files back, and you’ll get word of mouth spreading that you do, in fact, play fair – in a manner of speaking.

As ransomware operations evolved, more aspects have been added to what were once fairly straightforward acts. Regular attacks became “double threats”. That is to say, data is stolen before encryption takes place. If the company under fire refuses to pay a ransom, the ransomware authors come back and threaten to leak the stolen files.

This is a threat heaped upon a threat, but you’ve still got that code of honour rumbling away in the background. Pay up and they give the files back, right?

**2020: We paid up and they did not give the files back**

Ransomware gangs were already wavering on that whole “We’re still mostly trustworthy” thing back in 2020. Maze, Sodinokibi, Conti and many more started publishing stolen data even if the ransom had been paid out. As the article notes, there is a “fraying of promises” from ransomware groups to delete data once the payment takes place. Some folks used to argue that paying these groups was a last ditch resort, but a resort nonetheless and better than losing all of your data. Evidence strongly starts to suggest around this time that paying up offers little to no benefit, with no guarantees whatsoever.

**2021: No guarantees whatsoever**

It’s 2021, and we’ve already hit the “Only 8% of people who pay the ransom actually get their data back” part of this slide towards a realm where ransomware authors pretty much do what they feel like. The study explains that more organisations are deciding to pay up – despite data being returned to victims as good as flatlining. Whether you pay the original asking price, or negotiate down, or even pay by the first deadline date: it doesn’t seem to matter. The answer to “will my data be leaked anyway” may as well be viewed in a Magic 8 ball.

**2022: Oh no, my circle of trust**

In 2022, any pretence of expectations or trust from ransomware authors has sailed into the mist, never to return. Ransomware is now too big and too unwieldy, to make any real sense of expected operation. What we can expect is for extortion to continue even after the ransom has been paid. As the article notes, a combination of RaaS (Ransomware as a Service) being fairly short lived and affiliates mostly doing their own thing regardless of main group expectations means it’s pretty much a free for all.

One eye-opening statistic is that 83% of successful attacks were double or triple threat attempts. When ransomware groups threaten to lock files forever, but also threaten to leak files already exfiltrated, and _also_ claim they’ll increase the ransom and tell all business affiliates if you don’t pay up: what _do_ you do in that situation?

**Trust me, they say, as they disintegrate your files**

It’s very hard to believe at that point that a criminal enterprise with so many fingers in so many pies is simply going to leave you alone if you pay up. There’s too much data up for grabs, and too many more ways for them to profit from it. It’s reaching the stage where it simply does not matter if you pay at all, which naturally enough begs the question: Why do it?

You can’t plan your data recovery and incident negotiations around the toss of a coin, but that’s where we’re currently at. There’s no easy answer for this problem, but relying on ransomware authors to do the right thing continues to recede into the distance. Smash and grab tactics may well end up morphing into smash, with grabbing optional.

Onyx ransomware destroys files, and also the criminal circle of trust

We take a look at a wave of compromised facebook pages claiming your account is going to be closed in 12 hours.
The post Facebook phishers threaten users with Page Recovery Help Support appeared first on Malwarebytes Labs.

We’ve seen multiple hijacked profiles on Facebook recently claiming to be account recovery services. These bogus account recovery services aren’t here to help. They’re actually just trying to scare users into falling for phishing attempts.

The people behind these scams target Facebook pages belonging to musicians, products, and businesses of all kinds. In what may be a peculiar coincidence, quite a few of the accounts we looked at belonged to spa/beauty treatment small businesses.

Once the page has been taken over, the hijacker changes the name, profile picture, and more to look like it’s a support page.

Here’s a typical list of some of these compromised accounts:

_That’s a lot of support_

As you can see, there’s no real rhyme or reason to the hijacks. Just a big list of random pages ready to get up to mischief.

**With great power comes great transparency**

The dates of the pages being altered can be seen via Facebook’s “Page transparency” popup. The majority of those we’ve observed appear to have been hijacked in the last month or so. If you’re not familiar with this popup, it’s all about providing a fuller picture of what a page is all about.

When was it created? How many times has the name changed? Has it merged with another page? Which country does it operate out of? This is what the transparency box looks like:

_Transparency report_

**How do scammers go phishing?**

Businesses on Facebook have a dedicated page for their organisation, containing information, updates, and posts about the latest happenings. These pages are operated by one or more Admins, using their personal accounts. Should any of those users suffer an account compromise, the business page may become vulnerable as a result. The compromiser is able to set about changing the business page to suit their needs.

Let’s assume an account responsible for a page has just been compromised. The people behind this have made significant alterations to the page description and layout. Instead of a portal advertising the latest gardening tools or hair fashion, it’s now claiming to help you recover lost Facebook pages.

Potential victims are linked to a notification on the compromised account’s page via messaging. These pages are also easy to stumble upon while searching for content in Facebook itself – this is how a relative first brought it to my attention. A rather dire warning lies in wait for anyone viewing it:

_It’s account blocking time_

> _Your account will be deactivated. This is because someone has reported you with non-compliance with the terms of service. If you are the original owner of this account, re-verify your account to avoid blocking. Click here \[URL removed\]_
> 
> _If you do not confirm within 12 hours, our system will automatically block your account and you will not be able to use it._
> 
> _Thanks,_
> 
> _Bruce,_
> 
> _Security Support Specialist_

Well, that’s alarming. Thanks, Bruce, if it _is_ your real name (it is not). Here”s another example of a compromised page:

_Searching for hits_

Note the attempt at some form of keyword/search spam at the bottom, in an effort to be as visible to users as possible.

**Landing on the phish**

No matter which compromised warning page you land on, they all want you to visit a phishing page. These differ from account to account, but the landing pages are all pretty much the same. Here’s one example:

_Phishy behaviour_

Note that the page here isn’t even HTTPs.

We can’t say for sure what they’re doing with the stolen accounts, but once they have them, spam and malicious messaging would be the best bet. They’ll likely be used to compromise more accounts down the line. If any stolen accounts have access to business pages, no doubt they’ll create more fake recovery pages too. Whatever they’re up to, it won’t be anything good.

While drafting this blog, we became aware of research already published by Abnormal Security. The research covers similar tactics: hijacking business pages to phish. The fraudulent activity covered there includes fake emails, and a longer time limit (48 hours to respond, instead of just 12), and its well worth reading.

**Keeping your Facebook account safe**

*   Enable two-factor authentication on your account.
*   Consider using a password manager. It will help you use a different and difficult password for every online account you have. Better still, if the password manager has the ability to match the page you’re on with the one you’re trying to log into, it won’t work if the site is a phish.
*   Set up login alerts so you get notified if anyone tries to login to your account from a new device.
*   Don’t believe random warnings of account loss. You can always reach out to contact Facebook support directly if you’re unsure.
*   If you need to report that your own account has been compromised, you can send Facebook a message directly about your problem. Facebook also provides a variety of information related to specific situations here.

Pressuring people into handing over logins “or else” is a pressure tactic that’s been around forever. Making them “confirm” in 12 hours or less is one of the tighter time limits we’ve seen. Don’t panic, contact support, and go about your day. Those dire warnings of account loss and removal are almost certainly going to be a lot of phishy nonsense.

Facebook phishers threaten users with Page Recovery Help Support

It seems we're never short of Bitcoin scams banking on the popularity of Elon Musk. Here's another one of them.
The post Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site appeared first on Malwarebytes Labs.

So Elon Musk is buying Twitter, and you can be sure that scammers are making the most of this news.

As Elon Musk spends most of the week in the headlines, so pop up Elon Musk-themed scams—and it looks like they may be ramping up.

We witnessed a flurry of replies from the man himself in response to someone making a comment.

_“Oh. Wait a minute….”_

Sadly, it isn’t him but rather an army of bots, all bearing the same current profile picture of the Tesla CEO as his official Twitter account.

All of the URLs in their responses are shortened. No matter which one a user clicks, they all lead to the same website. You may be surprised when you see what it is.

_“Wait a minute…!”_

Musk must have taken the leap into longform blogging and is now a Medium author. He’s also off to a flying start with fewer than 5,326 claps on his first post. However, pulling at the page threads reveals more than the creator may have been bargaining for.

The page claims that Musk is doing an “official” ETH (Ethereal) and BTC (Bitcoin) giveaway. This giveaway aims to hand out a significant amount of BTC, ETH, and DOGE (Dogecoin) to winning participants. Appealing—if you’re a big cryptocurrency user.

Everything about the page is intended to convince the visitor that it’s all genuine, down to the numerous comments from “Medium users” saying they received their funds.

_Comments from supposed giveaway participants. All are, of course, fake._

We checked all of the profiles in the replies. With one exception—an account seemingly posting spam blogs—all of them lead to the official Medium front page, 404 pages, or suspended profiles.

This isn’t very reassuring. When we checked out the three links for the “giveaways,” it gets worse. Here’s a familiar face:

    Tesla 100 000 ETH Giveaway!
    
    To verify your address, just send from 0.5 to 100 ETH to the address below and get from 5 to 1000 ETH back!

Regular readers will recognize this design, as it’s similar to the landing page we covered concerning a fictional space marathon Tesla giveaway.

While this setup throws ETH and DOGE into the mix, it’s notable that the maximum donation suggested through BTC has increased. In contrast, the fake marathon giveaway asked visitors to send between 0.02 to 1 BTC.

Donations via DOGE and ETH coins are no joke either. For the former, it asks for amounts between 2,000 and 100,000 DOGE coins, hoping to get 20,000 to 1,000,000 back. That’s worth $276 to $13,801, with participants wishing to receive between $2,769 and $13,846 (based on rates at time of writing).

For the latter, it asks for between 0.5 to 100 ETH coins with a promised return of 5 to 1,000 ETH. That’s between $1,425 and $285,045 with a significant return of $14,252 to an extraordinary $2,850,458 (based on rates at time of writing).

We don’t know if whoever runs these sites is also responsible for the space marathon, but the giveaway page seems easy to reuse as a template. Scammers on this one appear to be a lot more ambitious than the space marathon people ever were.

The BTC address flags up across several spam or warning databases. One particular report is interesting, in which it claimed the address was involved in ransomware and appeared to be from a victim who claims to have recovered their money in “less than 48 hours”.

_Created with GIMP_

The report says:

    Good work deserves recommendation... i lost over 2.3 BTC on Instagram bitcoin scam.. Right about 2 weeks after my ordeal with them I tried using the recommendation from someone on one of the comment section {redacted}. I was able to get all my money back in less than 48 hours. Contact {redacted} to recover all your stolen bitcoins free of charge.

Visiting the URL in the comment opens a non-HTTPs site claiming it is the Internet Crime Complaint Center (IC3), asking visitors to submit their name, address, phone number, email, transaction date, and “proof of payment”.

_Don’t be fooled. This is just one of the many faces of a recovery scam._

If you’ve lost funds to the relevant BTC address, we suggest contacting the official IC3 site or the closest equivalent in your region. As for the many, _many_ Elon Musk-themed Bitcoin giveaways, we advise you to ignore them.

What’s noticeable with these is that the scammers are creative in their ways to get you on board. These aren’t effort-free generic sites, and they’re just off the wall enough to make Elon Musk fans think they’re the real deal.

Stay vigilant, and stay safe!

Elon Musk-themed cryptocurrency scam uses fake Medium as the promotion site

A bank executive needs your help to move a client's inheritance. Yes, you read that right.
The post “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance appeared first on Malwarebytes Labs.

![“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-479807743-900x506.jpg)

Posted: April 27, 2022 by

We’ve received several emails over the last couple of days which follow the classic 419 mail scam method. Titled “URGENT BUSINESS PROPOSAL!!!”, the mail reads as follows:

    Greetings,
    
    I am Mukhtar M. Hussain. I got your contact information from a reputable business/professional directory. I'm working with HSBC Berhad Malaysia as one of the Senior Vice Presidents. I am writing you this memo, because I have an urgent BUSINESS PROPOSAL for you that will benefit both of us and it’s urgent.
    
    For more details, write me on my personal contact e-mail on: {redacted}
    
    Yours Sincerely,
    
    Mukhtar Malik Hussain.

The mail the scammers want you to reply to is different to the mail it came from. They’re also trying to make the mail look more respectable by using the name of an actual person.

People naturally suspicious of the mail will go looking in search engines, and seeing this is a real person may be enough to convince them to reply. It’s worth noting that this is also a short mail by typical scam standards, but will become incredibly involved should you continue with it.

We were curious to see what the next stage of the scam was, so we replied and then waited to see what would come back. What we received was an even shorter email and a PDF attachment.

    Attention,
    
    Find attached the urgent BUSINESS PROPOSAL. I await your correspondence.
    
    Best regard,
    
    Mukhtar Malik Hussain

The PDF we received does not appear to be infected. The scammer is probably just trying their best to keep the meat of the attack away from non-curious individuals.

The document says that a bank customer died, and the bank appointed our contact to hand out the inheritance. If it’s not done in time, it goes to the Malaysian government despite them having moved the money to a “secret” account similar to Swiss banking.

Recipients have 21 days to complete the fund transfer. Despite the document hitting about 1,800 words in length, all it asks for is name in full, current address, and telephone number in order to “harmonise my records”. It’s very likely that the scammers will continue to ask for more information, including bank account number, should contact continue.

They close with the usual warning of not telling anyone:

    Please observe this instruction religiously, again note I am a family man; I have a wife and children’s I send you this mail not without a measure of fear as to what the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learnt from my private banking clients. Do not betray my confidence. If we can be of one accord, we should plan a meeting soon.
    
    So all I require from you is your consent and solemn confidentiality on this from you as it shall remain our secret forever. Deals like this take place every day in the banking world and the reason you never hear about them is because they never fail.

As good as it sounds, nothing in the mail scheme is true. You run the risk of losing all your money, or becoming a money mule, or both should you proceed.

As you’re reading this on a security site, it’s likely you’ve seen lots of these before and you’re well aware of the scam. But it doesn’t take a minute to talk to the less security-aware people in your life about this and other scams. Warn them, and help keep them safe online.

The only thing to do in this situation is report the message for spam, block the sender, and go about your day.

Stay safe!

**RELATED ARTICLES**

![Social engineering attacks: What makes you susceptible?](https://blog.malwarebytes.com/wp-content/uploads/2018/07/shutterstock_546129427-604x270.jpg)

August 2, 2018 - Cybercriminals will do what it takes to get what they want, whether that's breaching a corporate network or stealing credentials with malware. But what do we do if hackers are hacking us instead of our computers? Here's how to tell if you're susceptible to social engineering attacks, and what to do to combat them.

![A week in security (October 16 – October 22)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

October 23, 2017 - A compilation of notable security news and blog posts from Monday, October 16 to Sunday, October 22. We talked about adware and malware in Google Play, a ransomware exclusively targeting South Korea, BYOD, a new 419 scam, cyptocurrency mining, and more.

![Nigerian scams without the Nigerians](https://blog.malwarebytes.com/wp-content/uploads/2017/09/shutterstock_180970511-604x270.jpg)

September 6, 2017 - Many in the United States are familiar with Nigerian scams, but what kind of scams are going on in non-English countries? Take a look at the Chinese version – the seminar scam.

![A week in security (August 28 – September 3)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

September 4, 2017 - A compilation of security news and blog posts from the 28th of August to the 3rd of September. We touched on Kronos, Locky, a 419 scam, insider threats, and more!

![The little 419 scam that could](https://blog.malwarebytes.com/wp-content/uploads/2016/07/photodune-1132955-donation-s-604x270.jpg)

July 25, 2016 - It has been six months since David and Carol Martin, a Scottish couple in the UK, received the highest National Lottery pay out made to any winner to date. And scammers have been taking advantage of it for half a year now. Don't be misled by this so-called "donation scam".

“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance

Cyber insurance is back in the news, but this time the focus is on personal insurance. We take a look at what's on offer.
The post What’s happening in the world of personal cyber insurance? appeared first on Malwarebytes Labs.

You’ve likely only seen cybercrime insurance primarily mentioned in relation to attacks on businesses. Most commonly, it’s cited with regard to ransomware attacks in the workplace, or associated data loss. Some folks think the mere presence of insurance simply encourages more attacks, and is hurting more than it’s helping. Now we have another string to the bow to consider. Personal insurance plans are slowly becoming a more visible and talked about topic.

**A brave new world, or same-old same-old?**

I’m fascinated to see talk of personal cyber insurance, in an area dominated by business.

The plans referenced in the article are for people seeking cyber insurance in India. It provides personal cover in a manner somewhat similar to contents insurance for the items in your home. The major difference is losing your digital items due to online shenanigans, as opposed spilling orange juice on your TV.

Premiums are based on how much you have to lose, and tailoring types of cybercrime to your package needs. If you make a lot of financial transactions online, that’ll bump the cost of the plan up too.

**A transactional offering**

Some of the exclusions listed are fairly eye-catching. For example, you’ll pay a higher premium the more online transactions you engage in. Despite this, losses incurred through cryptocurrency aren’t included which could be a deal breaker for many people. The Indian Government has floated the idea of banning cryptocurrency on at least one occasion, but eventually moved to a less aggressive regulatory approach at the end of 2021.

While it makes sense that insurers will be cautious around such rapidly changing stances, it’s no real consolation to cryptocurrency fans.

Some cyber threats listed may not have realistic or obtainable legal solutions in some countries, but they will in others. For people not in the latter group, an additional insurance safety blanket might be very useful.

**A helping hand against online stalking**

There’s some solid defence against people harassing others online in the policy types mentioned. For example, expenses are covered to prosecute people found to be stalking/bullying you online. So far, so good.

This same cover which provides legal fees to prosecute stalkers _also_ provides the insured with costs against invasion of privacy.

So many examples of cyber insurance only ever focus on the technical aspects of online crime, or ransomware backups. It’s nice to see a more human aspect working its way into the mix. In some countries, the rules are fairly stacked against people and aren’t necessarily conducive to tackling online harassment. Knowing there’s a bit of backup to help with this kind of situation may itself make harassers think twice.

**From add-on to standalone**

Seeing cyber insurance as a standalone package for individuals is rather novel. In the UK at least, most—if not all—cyber offerings I’ve seen are add-on packages to regular insurance policies. For example, one major insurer offers it across all their insurance tiers and it covers the usual issues like ransom, fraud, restoration of systems, defamation and so on. Unlike the India-centric policy above, identity theft is included by default in regular, non-cyber packages.

The standalone offerings I’ve seen usually ask you to contact them to arrange a premium, as opposed to having a default one-size-fits all price. Some include monitoring customer data for breaches, including issuing alerts when necessary. Others seem to fall into more traditional areas of cover, offering to replace or repair damaged devices and recover data.

I’ve seen a few offer 24/7 cyber-helplines, credit reports, and “ransom monies” made available in ransomware cases. Some insurers have grey areas related to working from home, or just flat out refuse to cover it. All this, without the added complexity of business insurance and the question of whether it’s right to pay out to ransomware authors in the first place.

**Drawing insurance lines in the sand**

It’s a bit of a tumultuous time for insurers in the digital realm as they try to define what, exactly, is or isn’t up for coverage. Real world insurers use act of God policies, not covered by insurance. Cyber insurers are quickly coming up with their own non-coverable issues.

Then there’s the thorny problem of insurance companies themselves being juicy targets for attackers. I’m fairly certain they don’t have to look for decent cyber insurance quotes from competitors themselves. It’s still a very odd thing to think about in an industry still figuring out its role where rogues costing their customers money don’t play by the rules.