SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

****SUMMARY****

*   **Sophisticated Phishing Tool**: Russian cybercriminals created a WordPress plugin, PhishWP, to mimic legitimate payment pages and steal sensitive data like credit card details, CVVs, and 3DS OTPs.

*   **Real-Time Data Exploitation**: PhishWP transmits stolen information directly to attackers via Telegram, enabling immediate unauthorized use or sale on the dark web.

*   **Advanced Features**: The plugin offers customizable fake checkout pages, browser profiling, 3DS code pop-ups, and auto-response emails to deceive users and bypass security measures.

*   **Global Impact**: Multi-language support and obfuscation features allow attackers to launch targeted phishing campaigns worldwide, leading to financial losses and data breaches.

*   **Mitigation Strategies**: Users are urged to implement phishing protection tools, maintain vigilance, and adopt proactive cybersecurity measures to combat these threats effectively.

Online transactions have become an integral part of our lives in the digital age. We rely on the Internet for everything from shopping and banking to social interactions. However, this convenience comes at a price as cybercriminals exploit users’ trust to obtain sensitive data.

The cybersecurity firm SlashNext has discovered one such threat. According to their research, which was shared with Hackread.com ahead of its publication on Monday, Russian cybercriminals have created a new WordPress plugin, PhishWP, to create fake payment pages. Instead of processing payments, they steal credit card numbers, expiration dates, CVVs, and billing addresses.

PhishWP creates deceptively realistic online payment pages that mimic legitimate services like Stripe. These fake pages lure unsuspecting users into entering their credit card details, expiration dates, CVV codes, and even the crucial one-time passwords (OTPs) used for 3D Secure authentication. 

In its blog post, SlashNext outlined an attack scenario where an attacker creates a fake e-commerce website using PhishWP and replicates Stripe payment pages. Users are directed to a fake checkout page, where a 3DS code pop-up requests an OTP, which users unknowingly provide. The plugin transmits collected information to the attacker’s Telegram account, allowing them to exploit data for unauthorized purchases or sell it on dark web marketplaces.

This means that the sophisticated plugin goes beyond simply collecting data; it integrates with platforms like Telegram, enabling real-time transmission of stolen information directly to the attackers, maximizing the potential for immediate exploitation.

Furthermore, the plugin leverages advanced techniques like 3DS code harvesting, where it tricks victims into entering OTPs via pop-ups, effectively bypassing security measures designed to verify cardholder identity. 

To enhance its effectiveness, PhishWP offers several key features, including customizable checkout pages that closely resemble legitimate payment interfaces, browser profiling capabilities to create attacks as per the specific user environments, and auto-response emails that create a false sense of security in victims. By combining these features with multi-language support and obfuscation options, attackers can launch highly targeted and evasive phishing campaigns on a global scale.

Screenshot from the Russian hacker forum (Via SlashNext)

Researchers note that PhishWP is a powerful tool that allows cybercriminals to conduct phishing attacks with utmost sophistication, causing significant financial losses and personal data breaches.

To mitigate these risks, it is essential to use reliable security measures, such as browser-based phishing protection tools, which provide real-time defence against malicious URLs and prevent users from visiting compromised websites. Vigilance and proactive security measures can reduce your vulnerability to these sophisticated attacks to a great extent.

Mr. Mayuresh Dani, Manager, Security Research at Qualys Threat Research Unit, commented on the latest development stating _“_WordPress plugins like PhishWP pose significant risks by mimicking payment interfaces to steal user information, including credit card details and 3DS codes. Data is sent to attackers via Telegram, making PhishWP a highly effective information stealer when victims input valid details._“_

1.  **US Marshals Service Data Sold on Russian Hacker Forum**
2.  **New Rockstar 2FA Phishing Kit Targets Microsoft 365 Accounts**
3.  **Military Satellite Access Sold on Russian Hacker Forum for $15K**
4.  **Android Botnet Nexus Being Rented Out on Russian Hacker Forum**
5.  **Network access to Pakistan’s top fed agency sold on Russian forum**

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.

Source: Boris Kozlov via Alamy Stock Photo

A new advanced Android spyware threat called "FireScam" is using a fake Telegram Premium application to drop an infostealer on victims' phones that is able to track, monitor, and collect sensitive data on its victims.

Researchers at Cyfirma behind a new FireScam analysis said the campaign is part of a wider trend of threat actors finding success disguising malware as legitimate applications and services. In this case, they are abusing Firebase, a legitimate cloud platform widely used by developers of Google mobile and Web applications.

"By capitalizing on the widespread usage of popular apps and legitimate services like Firebase, FireScam exemplifies the advanced tactics used by modern malware to evade detection, execute data theft, and maintain persistent control over compromised devices," the report explained. "By exploiting the popularity of messaging apps and other widely used applications, FireScam poses a significant threat to individuals and organizations worldwide."

The infection routine starts with a phishing site hosted on the GitHbub\[dot\]io domain, dressed up to look like the RuStore app store, the report said. The site delivers a malicious version of Telegram Premium, which then steals data from the targeted Android device, including notifications, messages, and more, and sends it to a Firebase Realtime Database endpoint.

Related:China's Salt Typhoon Adds Charter, Windstream to Telecom Victim List

Once installed, FireScam uses regular checks and analysis, command-and-control communications (C2), and data storage to maintain persistence and deliver additional malware, as needed, the report added.

"The FireScam malware campaign reveals a worrying development in the mobile threat landscape: malware targeting Android devices is becoming increasingly sophisticated," Eric Schwake, director of cybersecurity strategy at Salt Security, said in a statement. "Although using phishing websites for malware distribution is not a new tactic, FireScam's specific methods — such as masquerading as the Telegram Premium app and utilizing the RuStore app store — illustrate attackers' evolving techniques to mislead and compromise unsuspecting users."

**Solutions for Stopping Spyware Like FireScam**

With these threats becoming increasingly sophisticated, it's important for cyber defenders to focus on anomalous app activity, according to a statement from Stephen Kowski, field CTO at SlashNext Email Security+.

"Real-time mobile app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."

Related:EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

Schwake added that protecting application programming interfaces (APIs) can also help protect users from increasingly convincing phishing lures.

"Real-time mobile-app scanning and continuous monitoring are crucial safeguards, as these attacks often bypass traditional security measures by exploiting user trust and legitimate distribution channels," Kowski wrote. "The key to protecting against such threats is implementing security solutions that can detect suspicious permission requests and unauthorized app behaviors before sensitive data is compromised."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'

An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices.
"Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation,"

FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

Researchers at Cyfirma have discovered FireScam, an Android malware disguised as 'Telegram Premium' that steals data, monitors activity, and infiltrates devices. Learn about its distribution, functionality, and the impact on user privacy.

****SUMMARY****

*   **FireScam Malware:** FireScam disguises itself as a “Telegram Premium” app to target Android users via phishing websites mimicking trusted app stores.

*   **Malicious Capabilities:** It steals sensitive data, monitors apps, tracks device activity, and ensures persistence through advanced permissions.

*   **Evasion Techniques:** FireScam uses obfuscation, restricted access, and sandbox detection to bypass traditional security measures.

*   **Exploitation Methods:** Social engineering and phishing tactics exploit user trust, leading to identity theft and financial fraud.

*   **Defense Recommendations:** Experts advise using antivirus software, performing regular updates, and monitoring app behavior for enhanced mobile security.

The rapid adoption of mobile applications has provided threat actors with a valuable opportunity to exploit innocent users given the increasing number of incidents involving embedding of malware in these apps, observed cybersecurity researchers at Cyfirma. 

According to their investigation, shared with Hackread.com, FireScam is the latest example of information-stealing malware veiled as a legitimate application to target Android devices. It leverages social engineering tactics and phishing techniques to compromise users’ devices and steals sensitive data like login credentials, financial information, and personal messages, posing a significant threat to user privacy, researchers noted in the blog post.

FireScam primarily spreads through phishing websites designed to mimic popular app stores. In this case, the malware is disguised as a “Telegram Premium” app and distributed via a GitHub.io-hosted phishing website resembling RuStore, a prominent app store in the Russian Federation. This deceptive strategy capitalizes on user trust in established app stores, luring them into downloading the malicious APK file. 

Fake Telegram Premium (Via Cyfirma)

The dropper, once installed on the victim’s device, grants permissions to query and list installed applications, access external storage, delete and install applications, and update without user consent. It declares itself as its designated owner and restricts app updates, preventing other installers from updating it, and ensuring device persistence.

FireScam possesses extensive malicious functionalities designed to steal sensitive user data and monitor device activities. It exfiltrates sensitive data, including notifications, messages, and app data, to a Firebase Realtime Database endpoint, and actively monitors notifications across various apps, capturing sensitive information and tracking user activities. Moreover, it intercepts USSD responses, compromising financial data like account balances and mobile transaction details.

The malware actively monitors the clipboard, content shared between apps, and device state changes. It can also track user activity within e-commerce apps, including purchases or refunds and primarily targets messaging apps, capturing content and exfiltrating it to remote servers. It monitors screen activity and uploads important events to its command-and-control server.

Regarding evasion, FireScam uses advanced obfuscation techniques, restricted access control for dynamic receivers, and sandbox detection mechanisms to evade detection. It can also receive and execute commands via Firebase Cloud Messaging notifications for remote control.

Its continuous monitoring of device activities allows attackers to exploit user behaviour for malicious purposes like phishing attacks, identity theft, and financial fraud. The malware’s presence can compromise the confidentiality and integrity of sensitive data, affecting individuals and organizations, especially those handling sensitive information. This highlights the need for using reliable antivirus software, performing regular software updates, and exercising vigilance online.

Stephen Kowski, Field CTO at SlashNext Email Security+, told Hackread.com, _“_Cybercriminals exploit trusted brands like Telegram’s premium name. FireScam’s persistence relies on permission manipulation and Firebase Cloud Messaging. Advanced mobile threat detection, real-time app scanning, and continuous monitoring are critical to countering such sophisticated attacks that exploit user trust and legitimate channels._“_

1.  **DroidBot Android Spyware Targeting Banking, Crypto Users**
2.  **Android Malware Ajina.Banker Steals 2FA Codes via Telegram**
3.  **GSMS Stealer Hits Android Users via Malicious Apps and Ads**
4.  **8 Apps on Google Play Store Contain Android/FakeApp Trojan**
5.  **Octo2 Malware Uses Fake NordVPN App to Infect Android Devices**

New FireScam Infostealer Spyware Hits Android via Fake Telegram Premium

PRESS RELEASE

DETROIT & TOKYO--(BUSINESS WIRE)-- VicOne, a leading automotive cybersecurity solutions provider, announced today it will co-host the zero-day vulnerability discovery contest, "Pwn2Own Automotive 2025," with Zero Day Initiative (ZDI). The event will take place from Wednesday, January 22 to Friday, January 24, 2025, at Tokyo Big Sight, West Hall, as part of the “17th AUTOMOTIVE WORLD 2025 – Advanced Automotive Technology Expo.” This will be the second Pwn2Own Automotive contest, following its highly successful debut in January 2024 where 49 zero-day vulnerabilities were discovered.

Pwn2Own Automotive helps build a foundation for automotive cybersecurity by strengthening cybersecurity measures and promoting the prevention of cyber incidents through the discovery of zero-day vulnerabilities. This event addresses growing concerns about vulnerabilities and increased attack risks with the growing adoption of software-defined vehicles (SDVs).

Through ZDI, the contest enables world-class security researchers to conduct real-world testing of the latest automotive technologies. By identifying zero-day vulnerabilities before they can circulate and become real-world cyber-attacks, the event facilitates swift countermeasures, helping prevent cyber threats and enhancing the overall security of automotive vehicles and products.

Additionally, the contest fosters innovation by recognizing the achievements of security researchers and offering over $1 million USD in total prizes. This incentivizes further research and development while providing hands-on experience that nurtures talent in the cybersecurity industry, ultimately contributing to an improved global cybersecurity landscape.

About Pwn2Own 2025 Automotive

Participants in "Pwn2Own Automotive 2025" will compete by earning points in four categories:

*   In-vehicle infotainment (IVI) systems
    
*   Electric vehicle (EV) chargers, and
    

Each contestant must demonstrate the ability to execute arbitrary code on the target devices or OS in their chosen category. They are allowed up to three attempts per target during the contest. Successful challenges earn points, and the participant or team with the highest points at the end of the contest is awarded the prestigious title of "Master of Pwn."

To qualify, the vulnerabilities targeted must be previously unknown, undisclosed, and unreported (according to the contest rules). Only the first participant to successfully complete a challenge in each category is eligible for a monetary reward. The order of the challenges is determined randomly through a draw.

“Through ZDI, we conduct research to address real-world cyberattack scenarios in the automotive sector. Hosting this contest in collaboration with VicOne, who has unmatched expertise and experience in automotive cybersecurity, is a key step in demonstrating our security research expertise within the automotive industry and the research community,” said

Brian Gorenc, VP of Threat Research at VicOne’s parent company, Trend Micro.

“Together with ZDI, VicOne is contributing to building a safer future for software-defined vehicles (SDVs). By discovering zero-day vulnerabilities, this event enables security researchers to uncover unknown, unpublished, and unreported vulnerabilities, facilitating early risk identification and mitigation within the automotive industry. Such efforts are critically important for the global automotive sector, especially as the evolution of SDVs accelerates,” said Max Cheng, CEO of VicOne

Registration Deadline

The deadline to register for the contest is 5:00 PM (JST) on January 16, 2025.

To complete registration, participants must submit a white paper detailing the vulnerability testing procedures and execution methods. Remote participation online is also available.

For more information about Pwn2Own Automotive and the contest rules, visit: https://www.zerodayinitiative.com/Pwn2OwnAuto2025Rules.html

VicOne and Partners at CES 2025

In addition, VicOne will be showcasing its award-winning comprehensive portfolio of cutting edge cybersecurity software and services for the whole automotive industry at the Las Vegas Consumer Electronics Show (CES), one of the most powerful tech events in the world (7-10 January 2025). Together with partners like P3 digital services, a leading provider of In-Vehicle Infotainment (IVI) systems, VicOne offers a safe and secure IVI environment for Android Automotive OS, with content protection for driver and all the vehicle’s passengers.

For more information about VicOne’s automotive cyber security portfolio please visit https://vicone.com/.

About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro's 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit: www.vicone.com.

VicOne and Zero Day Initiative (ZDI) to Lead Pwn2Own Automotive

Your messages going back years are likely still lurking online, potentially exposing sensitive information you forgot existed. But there's no time like the present to do some digital decluttering.

If you're worried about possible expansions of government surveillance and access to your information, or simply want to do some digital purging so you're not saddled with old data, there are a bunch of concrete steps you can take to protect your digital privacy. Just as archeologists study carefully preserved tombs and ancient trash heaps to gain insight into historic communities, your long-forgotten digital footprint could be more revealing and sensitive than you realize. And while you can't control everything—particularly information stolen in breaches or gathered by data brokers—you probably have a digital attic full of old data that you can delete or download and save offline. First stop? Old message histories.

Chats are a good place to start your digital decluttering. Their real-time nature makes it easy to forget that if you don't have auto-delete turned on for a chat (or if a platform doesn't offer it), all of those “be there in 10 minutes,” “wait, what color is this dress???” and “welp, I have covid” messages are still knocking around years later. If you sent them on an end-to-end encrypted platform like Signal or WhatsApp, they only exist on your device and the devices of the other person or people you were chatting with. That means that for governments or bad actors to read them, they would need direct control of your device—a good level of protection, though not foolproof.

Crucially, though, messages that you sent on regular web apps like Slack, Facebook Messenger for most of its history, and Google Chat/Hangouts/Gchat are sitting on a cloud server somewhere. And while they're probably stored in an encrypted form to protect against theft, the platform itself has the keys to decrypt your data and would be able to comply with government requests for it, no matter how old the information is. Sure, all of those “u up?"s may not seem significant now, but years and years of chat histories can paint a very detailed picture of your life, associations, political beliefs, and past movements and activity.

“Doing a good digital cleaning from time to time is a great habit, especially with social media and old chat messages,” says Kenn White, security principal at the database developer MongoDB and director of the Open Crypto Audit Project. “Who you were five or 10 years ago is probably very different than who you are today, so it's worth asking yourself, ‘Do I really need those seven-year-old inside jokes and sarcastic posts? Do I need to keep old group chat messages and carry them forward to every new phone I get?’”

Some programs like Apple's Messages make it easy to auto-delete your chat histories after a set period of time. On iOS, go to **Settings** > **Apps** > **Messages** and then scroll and tap **Keep Messages**. Then choose whether to keep messages forever, for one year, or for 30 days before auto-deleting.

On the free version of Slack, data older than a year is automatically deleted. The company keeps data forever on paid plans, unless the administrator sets up rolling deletion. This is useful if you have an active Slack with your friends, but most people who use Slack at work don't make decisions about administrative policies and can't control deletion. Keep this in mind for any communication you do on an employer's platforms. You may be able to go through and delete messages or files one by one, but you likely won't have the access to make policy decisions about automatic or batch deletion.

Similarly, you may want to go through your chats on Android or iOS and delete old SMS conversations. Meta's Messenger now offers auto-delete options, but for your existing chats, you have to go down the list on desktop or in the Messenger mobile app and delete chats one by one. Meta's other chat platforms, Instagram Chat and WhatsApp, are similar, except that WhatsApp has been end-to-end encrypted since 2016 instead of adding the protection recently.

Consider whether you've spent time chatting on other social platforms as well. X, for example, has been through a lot of changes since Elon Musk bought Twitter more than two years ago and took the company private again. Musk promised that he would add end-to-end encryption to DMs on X, and eventually debuted an opt-in encryption feature with the paid tier of the platform, but the company doesn't definitively say that the tool offers full end-to-end encryption and it isn't open source for vetting. You can delete individual messages or go through your chat list and delete whole DM conversations if you want to pare down the data you're keeping on the platform.

If you've had Gmail for a long time, the messenger service “Google Talk,” once colloquially known as “Gchat,” may have a special place in your heart. And perhaps, over the years, you went through the saga in which Gchat—which was once known for interoperability with platforms like AIM—became the siloed Google chat platform Hangouts, and then transformed again into what is now called Google Chat. Your chats on this platform through the years are still hanging around, but they're not all in the same place.

The crucial thing to understand is that Gchat was fully integrated with Gmail and wasn't a separate platform, so your chat histories all saved in your mail archive. To find them now, open Gmail and **search for the phrase in:chats** (using no quotation marks). Hundreds or thousands of chats from May 2013 and earlier may pop up. They must be deleted directly from Gmail. After May 2013, Google migrated Gchat users to Hangouts, and that history has come forward into what is now Google Chat, so you can delete whole chats or individual messages there.

“Messages sent and received with history on in Google Talk from before May 2013 (the time when Google Hangouts launched) are stored in Gmail under the ‘in:chats’ label. Those messages are not available in Google Chat and can be deleted directly from Gmail only,” Google spokesperson Ross Richendrfer tells WIRED. “In terms of Hangouts data—which was merged with Chat—core Chat controls (including deletion) will work.”

There are lots of other chat apps to consider, too, where old messages may still be lurking. Think about Skype chat or GroupMe. And there's one other complicating factor when you declutter your messages: Most deletion features only delete data from your account, and the messages live on in the accounts of the person or people you were chatting with. To do a total digital detox you need to recruit your community to delete their message archives as well.

Additionally, you may feel sentimental about burning your letters (aka deleting all of your old chats). If you're sad about hitting that trash icon, consider downloading chat histories with your closest friends or other loved ones and storing them on an encrypted external hard drive before deleting them from the cloud. This way, you don't have to give up that slice of life completely, but the data isn't controlled by other entities anymore.

“Some apps, including Signal, give one the ability to set a ‘self-destruct’ time on messages, perhaps in hours or weeks. This is worth considering to reduce your exposure, particularly if you travel outside the country, are politically active, or in any way have a higher public profile,” MongoDB's White says. “It's easy to dismiss the potential of attacks on our personal data and physical safety as something that's only a concern for some James Bond–type scenarios, but the hard truth is that threats exist in many forms, both online and in person.”

Hey, Maybe It's Time to Delete Some Old Chat Histories

From "spying" air fryers to 3 million rogue toothbrushes, here are the strangest stories about internet-connected home goods in 2024.

The holidays are upon us, which means now is the perfect time for gratitude, warmth, and—because modern society has thrust it upon us—gift buying.

It’s Bluey and dig kits and LEGOs for kids, Fortnite and AirPods and backpacks for tweens, and, for an adult you particularly love, it’s televisions, air fryers, e-readers, vacuums, dog-feeders, and more, which all seemingly require a mobile app to function.

“The Internet of Things” is the now-accepted term to describe countless home products that connect to the internet so that they can be controlled and monitored from a mobile app or from a web browser on your computer. The benefits are obvious for shoppers. Thermostats can be turned off during vacation, home doorbells can be answered while at work, and gaming consoles can download videogames as children sleep on Christmas Eve.

And while some of these internet-connected smart devices can sound a little dumb—cue the $400 “smart juicer” that a Bloomberg reporter outperformed with her bare hands—there are legitimate cybersecurity risks at hand. Capable of collecting data and connecting to the internet, smart devices can also fall victim to leaking that data to hackers online.

As we enter the new year, Malwarebytes Labs is looking back at some of the strangest, scariest, and most dumbfounding smart device stories this past year. Read on and enjoy.

****The million-car track hack****

The latest vehicles filling up the local car lot might not strike you as “smart devices,” but upon closer inspection, these cars, SUVs, trucks, and minivans absolutely are. Replete with cameras and sensors that can track location, speed, distance travelled, seatbelt use, and even a driver’s eye movements, modern vehicles are, as many have described them, “smartphones on wheels.”

For years, the cybersecurity of these particularly mobile mobiles (sorry) was passable.

When a group of security researchers hacked into a Jeep Cherokee’s steering and braking systems in 2014, they were building off earlier research that required the hacker’s laptop to be physically connected to the Jeep itself—a comforting reality when imagining shadowy cybercriminals wresting control from a driver while sat behind a computer console hundreds of miles away. And while the security researchers were able to eventually hack the Jeep Cherokee without a physical connection, the work involved was still robust.

But early this year, a separate group of security researchers revealed that they could remotely lock, unlock, start, turn off, and geolocate more than a million Kia vehicles by knowing nothing more than the vehicle’s license plate number. The researchers could also activate a vehicle’s horn, lights, and camera.

The vulnerability wasn’t in the vehicles themselves, but in Kia’s online infrastructure (Kia fixed the vulnerability before the researchers published their findings).

In short, the researchers posed as Kia _dealers_ when using an online Kia web portal and, by entering the Vehicle Identification Number—which could be revealed separately through license plate numbers—they could assign certain features like remote start and geolocation to a new account, which the security researchers controlled.

While the vulnerability did not provide access to any of the vehicles’ steering systems or acceleration or braking, it still posed an enormous privacy and security risk, said researcher Sam Curry in speaking to the outlet Wired:

> “If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car. If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”

****Whispering sweet nothings into your air fryer****

There’s a modern urban legend that our smartphones listen to our in-person conversations to deliver eerily relevant ads, and while there’s no proof this is true, there are certainly a few stories that raise nearby suspicions.

Take, for instance, the case of the nosy air fryers.

On November 5, a UK consumer rights group named “Which?” published research into several categories of smart devices—TVs, smart watches, etc.—and what they discovered about three models of air fryers surprised many.

In testing the Xiaomi Mi Smart Air Fryer, the Cosori CAF-LI401S, and the self-titled Aigostar, the researchers discovered that the associated air fryer mobile apps for Android requested a startling amount of information:

> “\[As\] well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason.”

The connected app for the Xiaomi air fryer “connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user).” When creating an account for the Aigostar air fryer, the connected app asked users to divulge their gender and date of birth, without stating why that was necessary. The request, however, could be declined. The Aigostar app, like the Xiaomi app, sent personal data to servers in China, but this data sharing practice was clarified in the companies’ privacy policies, the researchers wrote.

The companies in the report pushed back on the characterizations from Which?, with a Xiaomi representative clarifying that “the permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat.” A representative for Cosori expressed frustration that the researchers at Which? did not share “specific test reports” with the company, as well.

The truth, then, may be somewhere in the middle. The air fryer mobile apps in question may request more information than necessary to function, but that could also be because the apps are trying to service the needs of many different types of products all at once.

****A toothbrush tall tale****

Let’s play a game of telephone: A Swiss newspaper interviews a cybersecurity expert about a _hypothetical_ cyberattack and, days later, dozens of news outlets report that hypothetical as the truth.

This story did happen, and it would be far more disturbing if it wasn’t also tinged with a hint of humor, and that’s because the tall-tale-turned-“truth” involved a massive cyberattack launched by… toothbrushes.

In February, a Swiss newspaper article included an anecdote about a “Distributed Denial-of-Service” attack, or DDoS attack. DDoS attacks involve sending loads of connection requests (like regular internet traffic) to a certain webpage as a way to briefly overwhelm that web page and take it down. But the interesting thing about DDoS attacks is that they don’t require a laptop or a smartphone to make those requests—all they need is a device that can connect to the internet.

In the Swiss newspaper’s account, those devices were 3 million toothbrushes. Translated from the article’s original language in German, it read:

> “She’s at home in the bathroom, but she’s part of a large-scale cyberattack. The electric toothbrush is programmed with Java, and criminals have, unnoticed, installed malware on it—like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

The article, which noted that the whole scenario could’ve been ripped out of “Hollywood,” contextualized why the attack was so scary: It “actually happened.”

But it most assuredly had not.

The article had no details about the attack, so there was no company named, no toothbrush model specified, and no response from any organization. But none of that mattered as countless news outlets aggregated the original article, because what _did_ matter was the virality of the whole affair. There was a device that seemingly everyone agreed had no reason to connect to the internet, and—would you look at that—it led to major consequences.

In reality, the consequences were to the truth.

This holiday season, let’s do better than the silliest, most needless IoT devices, and let’s connect to what matters instead.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Connected contraptions cause conniption for 2024 

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Welcome to the party, pal!

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

In the hit virtual reality game _Gorilla Tag_, you swing your arms to pull your primate character around—clambering through virtual worlds, climbing up trees and, above all, trying to avoid an infectious mob of other gamers. If you’re caught, you join the horde. However, some kids playing the game claim to have found a way to cheat and easily “tag” opponents.

Over the past year, teenagers have produced video tutorials showing how to side-load a virtual private network (VPN) onto Meta’s virtual reality headsets and use the location-changing technology to get ahead in the game. Using a VPN, according to the tutorials, introduces a delay that makes it easier to sneak up and tag other players.

While the workaround is likely to be an annoying but relatively harmless bit of in-game cheating, there’s a catch. The free VPN app that the video tutorials point to, Big Mama VPN, is also selling access to its users’ home internet connections—with buyers essentially piggybacking on the VR headset’s IP address to hide their own online activity.

This technique of rerouting traffic, which is best known as a residential proxy and more commonly happens through phones, has become increasingly popular with cybercriminals who use proxy networks to conduct cyberattacks and use botnets. While the Big Mama VPN works as it is supposed to, the company’s associated proxy services have been heavily touted on cybercrime forums and publicly linked to at least one cyberattack.

Researchers at cybersecurity company Trend Micro first spotted Meta’s VR headsets appearing in its threat intelligence residential proxy data earlier this year, before tracking down that teenagers were using Big Mama to play _Gorilla Tag_. An unpublished analysis that Trend Micro shared with WIRED says its data shows that the VR headsets were the third most popular devices using the Big Mama VPN app, after devices from Samsung and Xiaomi.

“If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” says Stephen Hilt, a senior threat researcher at Trend Micro. Hilt says that while Big Mama VPN may be being used because it is free, doesn’t require users to create an account, and apparently doesn’t have any data limits, security researchers have long warned that using free VPNs can open people up to privacy and security risks.

These risks may be amplified when that app is linked to a residential proxy. Proxies can “allow people with malicious intent to use your internet connection to potentially use it for their attacks, meaning that your device and your home IP address may be involved in a cyberattack against a corporation or a nation state,” Hilt says.

"Gorilla Tag is a place to have fun with your friends and be playful and creative—anything that disturbs that is not cool with us,” a spokesperson for Gorilla Tag creator Another Axiom says, adding they use “anti-cheat mechanisms” to detect suspicious behavior. Meta did not respond to a request for comment about VPNs being side-loaded onto its headsets.

**Proxies Rising**

Big Mama is made up of two parts: There’s the free VPN app, which is available on the Google Play store for Android devices and has been downloaded more than 1 million times. Then there’s the Big Mama Proxy Network, which allows people (among other options) to buy shared access to “real” 4G and home Wi-Fi IP addresses for as little as 40 cents for 24 hours.

Vincent Hinderer, a cyber threat intelligence team manager who has researched the wider residential proxy market at Orange Cyberdefense, says there are various scenarios where residential proxies are used, both for people who are having traffic routed through their devices and also those buying and selling proxy services. “It’s sometimes a gray zone legally and ethically,” Hinderer says.

For proxy networks, Hinderer says, one end of the spectrum is where networks could be used as a way for companies to scrape pricing details from their competitors' websites. Other uses can include ad verification or people scalping sneakers during sales. They may be considered ethically murky but not necessarily illegal.

At the other end of the scale, according to Orange’s research, residential proxy networks have broadly been used for cyber espionage by Russian hackers, in social engineering efforts, as part of DDoS attacks, phishing, botnets, and more. “We have cybercriminals using them knowingly,” Hinderer says of residential proxy networks generally, with Orange Cyberdefense having frequently seen proxy traffic in logs linked to cyberattacks it has investigated. Orange’s research did not specifically look at uses of Big Mama's services.

Some people can consent to having their devices used in proxy networks and be paid for their connections, Hinderer says, while others may be included because they agreed to it in a service’s terms and conditions—something research has long shown people don’t often read or understand.

Big Mama doesn’t make it a secret that people who use its VPN will have other traffic routed through their networks. Within the app it says it “may transport other customer’s traffic through” the device that’s connected to the VPN, while it is also mentioned in the terms of use and on a FAQ page about how the app is free.

The Big Mama Network page advertises its proxies as being available to be used for ad verification, buying online tickets, price comparison, web scraping, SEO, and a host of other use cases. When a user signs up, they’re shown a list of locations proxy devices are located in, their internet service provider, and how much each connection costs.

This marketplace, at the time of writing, lists 21,000 IP addresses for sale in the United Arab Emirates, 4,000 in the US, and tens to hundreds of other IP addresses in a host of other countries. Payments can only be made in cryptocurrency. Its terms of service say the network is only provided for “legal purposes,” and people using it for fraud or other illicit activities will be banned.

Despite this, cybercriminals appear to have taken a keen interest in the service. Trend Micro’s analysis claims Big Mama has been regularly promoted on underground forums where cybercriminals discuss buying tools for malicious purposes. The posts started in 2020. Similarly, Israeli security firm Kela has found more than 1,000 posts relating to the Big Mama proxy network across 40 different forums and Telegram channels.

Kela’s analysis, shared with WIRED, shows accounts called “bigmama\_network” and “bigmama” posted across at least 10 forums, including cybercrime forums such as WWHClub, Exploit, and Carder. The ads list prices, free trials, and the Telegram and other contact details of Big Mama.

It is unclear who made these posts, and Big Mama tells WIRED that it does not advertise.

Posts from these accounts also said, among other things, that “anonymous” bitcoin payments are available. The majority of the posts, Kela’s analysis says, were made by the accounts around 2020 and 2021. Although, an account called “bigmama\_network” has been posting on the clearweb Blackhat World SEO forum until October this year, where it has claimed its Telegram account has been deleted multiple times.

In other posts during the last year, according to the Kela analysis, cybercrime forum users have recommended Big Mama or shared tips about the configurations people should use. In April this year, security company Cisco Talos said it had seen traffic from the Big Mama Proxy, alongside other proxies, being used by attackers trying to brute force their way into a variety of company systems.

**Mixed Messages**

Big Mama has few details about its ownership or leadership on its website. The company’s terms of service say that a business called BigMama SRL is registered in Romania, although a previous version of its website from 2022, and at least one live page now, lists a legal address for BigMama LLC in Wyoming. The US-based business was dissolved in April and is now listed as inactive, according to the Wyoming Secretary of State’s website.

A person using the name Alex A responded to an email from WIRED about how Big Mama operates. In the email, they say that information about free users’ connections being sold to third parties through the Big Mama Network is “duplicated on the app market and in the application itself several times,” and people have to accept the terms of conditions to use the VPN. They say the Big Mama VPN is officially only available from the Google Play Store.

“We do not advertise and have never advertised our services on the forums you have mentioned,” the email says. They say they were not aware of the April findings from Talos about its network being used as part of a cyberattack. “We do block spam, DDOS, SSH as well as local network etc. We log user activity to cooperate with law enforcement agencies,” the email says.

The Alex A persona asked WIRED to send it more details about the adverts on cybercrime forums, details about the Talos findings, and information about teenagers using Big Mama on Oculus devices, saying they would be “happy” to answer further questions. However, they did not respond to any further emails with additional details about the research findings and questions about their security measures, whether they believe someone was impersonating Big Mama to post on cybercrime forums, the identity of Alex A, or who runs the company.

During its analysis, Trend Micro’s Hilt says that the company also found a security vulnerability within the Big Mama VPN, which could have allowed a proxy user to access someone’s local network if exploited. The company says it reported the flaw to Big Mama, which fixed it within a week, a detail Alex A confirmed.

Ultimately, Hilt says, there are potential risks whenever anyone downloads and uses a free VPN. “All free VPNs come with a trade-off of privacy or security concerns,” he says. That applies to people side-loading them onto their VR headsets. “If you’re downloading applications from the internet that aren't from the official stores, there’s always the inherent risk that it isn’t what you think it is. And that comes true even with Oculus devices.”

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong?

Stay alert to crypto scams with our guide to 2024’s top threats, including phishing, malware, Ponzi schemes, and…

Stay alert to crypto scams with our guide to 2024’s top threats, including phishing, malware, Ponzi schemes, and fake wallets. Learn how to protect your assets today!

With the increasing adoption and user base of cryptocurrencies and crypto markets also comes a growing number of scammers and frauds. There are many ways in which conmen and hackers can exploit your trust, data, and wallets. To help you prevent any threat to your privacy and finances, we have looked into the most widely used crypto scam tactics of 2024.

Before diving into the meat of the matter, it is important to note that prevention is the key to your personal and digital currency security especially those on Android devices due to the surge in malware attacks even through the Play Store. Whether you are trading daily or just keeping some crypto as an investment, take steps to prevent any possible scam. Using 2-factor authentication is crucial, and having a secure crypto wallet Android app you can trust will keep your keys safe. Keep your tech up to date, and keep yourself educated and well informed.

****1\. Rug Pulls and Deceptive Tech****

Unfortunately, rug pulls have become somewhat of a deception standard in the crypto world. These scam projects very often come in the form of different memecoins, like Froggy Coin earlier this year. Lately, the viral attraction Hawk Tuah Girl has been accused of a cash grab after her own memecoin crashed in one day. The best way to protect yourself and your wallet from potential scams like these is to get to know the developers and their history and check if there is a liquidity lock or a sell limit. High yields are also a common red flag.

The pump and dump method is similarly very popular for frauds. This October, the game studio Fracture Labs sued their market maker Jump Trading for fraud. Jump is suspected to have used a pump-and-dump scheme to drastically devalue their DIO gaming crypto token. The good thing is, these frauds are easily recognized through copy-pasted templates hyping them up on social media, fast and exponential growth, and usually anonymous founders.

Technology can be utilized for high-level scams as well. This September there was an attack that utilized malicious packages to extract private keys from wallet services. The researchers found that this was a PyPI malware posing as a crypto wallet and stole users’ private keys.

These kinds of hi-tech scams can be very dangerous if you are keeping large amounts of cryptocurrency but can be prevented if you utilize basic cybersecurity methods and common sense with a healthy dose of suspicion.

****2\. Phishing and Social Engineering****

Using AI to construct a just plausibly acceptable deception used for social media is another method scammers add to their arsenals. In January 2024, you might have seen ads for XRP airdrops on X or YouTube. It was very quickly confirmed by Ripple Labs’ CEO that the whole thing was a scam using deepfake videos.

The scammers were promising generous XRP drops if users would first send their own XRP “for verification”, going as far as to ask people to connect their wallets so they could empty them. The lesson here is never to trust any offers that ask you to send currency to gain more of it.

Crypto World is by no means immune to Ponzi schemes either. This year the SEC accused brothers Jonathan and Tanner Adam of organizing one such operation that ended with them misappropriating $53.9 million out of the $61.5 million they raised from 80 investors. The brothers claimed they can secure high returns for investments using their crypto trading bot which scanned for smart contracts. In reality, such a bot never existed, and the brothers used new investments to pay earlier investors, thus creating an illusion that there is money being earned. 

Similarly, scammers will work hard on social engineering scams, posing as job recruiters or customer support. There has been an increase in such phishing scams lately, as Binance saw around $46 million stolen through fake support this year. Job hunters are similarly targeted, usually through upfront fees from their “employers” that start small but get bigger as time goes on. Vigilant checks and verifications that you are talking with real people representing real companies are the key to safety with scams like these.

****3\. Ponzi and Pyramid Scheme**s**

These scams promise ridiculously high returns with little effort. You’re encouraged to “invest” in a project and recruit others to do the same. The money paid to early participants usually comes from new investors, not actual profits. Once recruitment slows, the scheme collapses, and the scammers vanish with your money. If you hear words like “guaranteed returns” or “recruit your friends,” run the other way.

****4\. Fake Initial Coin Offerings (ICOs)****

Scammers often create flashy websites and whitepapers to hype up fake crypto projects, luring investors with the promise of a “groundbreaking” cryptocurrency. People invest, and once enough funds are collected, the scammers disappear without a trace. Always research the team, verify project details, and be careful of projects that offer little more than some trendy words.

****5\. Pump-and-Dump Schemes****

Here, scammers spread hype about obscure tokens, artificially driving up the price. Once the value spikes, they sell off their holdings, leaving unsuspecting investors with worthless tokens. If you see a sudden price surge accompanied by over-the-top promotions on social media or group chats, be sceptical, it’s probably too good to be true.

****6\. Impersonation of Celebrities or Influencers****

Fake accounts of celebrities or influencers often pop up with crypto “giveaways” that ask you to send tokens with a promise to double your returns. Spoiler alert: you won’t get anything back. Always check for verified accounts, and remember, Elon Musk isn’t doubling Bitcoin just because he said so on a fake Twitter post.

****7\. Fake Wallet Apps****

Scammers create apps that look like legitimate crypto wallets. Once you deposit your tokens or enter your private keys, they steal your funds. Always download wallet apps directly from official websites or trusted app stores, and double-check reviews to ensure it’s legitimate.

****8\. Malware Attacks****

Malicious software can be hidden in downloads or fake crypto tools, quietly stealing your wallet information or mining cryptocurrency using your devices. If your computer starts slowing down for no reason, malware could be the culprit. Avoid downloading random files or apps from untrusted sources, your crypto is worth the extra caution.

****9\. Fake Airdrops****

Who doesn’t love free crypto? Scammers exploit this by promoting fake “airdrops” that ask for your private keys or require you to send a small payment to “verify” your wallet. Legitimate airdrops don’t ask for private keys or upfront payments, if they do, it’s a scam.

****10\. Cryptojacking****

With cryptojacking, scammers secretly use your computer or smartphone to mine cryptocurrency without your knowledge. You might notice slower performance, higher energy bills, or your device overheating. Keep antivirus software up to date, and avoid sketchy websites or downloads.

****11\. Romance Scams****

Scammers take advantage of people emotionally by building fake relationships online. Once trust is gained, they’ll convince you to invest in a “lucrative” crypto opportunity or send funds for a made-up emergency. If a new online “love interest” suddenly talks about crypto investments, stay alert, it might not be love.

****10\. Exchange and Account Hacks****

Unsecured exchanges and accounts are prime targets for hackers. If an exchange lacks strong security protocols, funds can be stolen overnight. Protect your investments by choosing reputable exchanges, enabling two-factor authentication (2FA), and never reusing passwords.

****12\. Fake Customer Support Scams****

Scammers impersonate support staff from well-known exchanges or wallets, claiming they need access to your account to “fix” an issue. Real support teams never ask for your passwords or private keys. Always contact customer support directly through verified channels.

****13\. “Exit Scams” by Exchanges****

Some shady exchanges lure users with attractive offers, only to shut down unexpectedly and disappear with all deposited funds. Always use established, reputable platforms with strong reviews. If an exchange is offering deals that sound too good to pass up, it might be planning to exit, along with your money.

****14\. Scam Tokens****

Scammers create tokens that look promising but serve no real purpose. They manipulate the market to attract buyers and then sell off their holdings, tanking the price. Research the team behind the token, its use case, and whether it has been audited, don’t buy based on hype alone.

****Simple Yet Vital Tips to Protect Yourself:****

*   Always research before investing.
*   Use reputable platforms and wallets.
*   Never share private keys or passwords.
*   If it sounds too good to be true, it probably is.

Tag

#android