Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild.
Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution.
The iPhone maker said the

Device Security / Zero Day

Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild.

Tracked as **CVE-2023-23529**, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution.

The iPhone maker said the bug was addressed with improved checks, adding it's "aware of a report that this issue may have been actively exploited." An anonymous researcher has been credited with reporting the flaw.

It's not immediately clear as to how the vulnerability is being exploited in real-world attacks, but it's the second actively abused type confusion flaw in WebKit to be patched by Apple after CVE-2022-42856 in as many months, which was closed in December 2022.

WebKit flaws are also notable for the fact that they impact every third-party web browser that's available for iOS and iPadOS owing to Apple's restrictions that require browser vendors to use the same rendering framework.

Also addressed by the company is a use-after-free issue in the Kernel (CVE-2023-23514) that could permit a rogue app to execute arbitrary code with the highest privileges.

Credited with reporting the issue are Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero. Apple said it resolved the vulnerability with improved memory management.

Separately, the latest macOS update also plugs a privacy defect in Shortcuts that a malware-laced app can take advantage of to "observe unprotected user data." The problem, Apple noted, was fixed with improved handling of temporary files.

Users are advised to update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 to mitigate potential risks. The updates are available for the following devices -

*   iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
*   Macs running macOS Ventura, macOS Big Sur, and macOS Monterey

Apple remediated a total of 10 zero-days spanning its software in 2022, nine of which were disclosed as actively exploited by threat actors. Four of those flaws were discovered in WebKit.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Patch Now: Apple's iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw

Categories: News
Tags: android 14

Tags:  developer preview

Tags:  apps

Tags:  malware

Tags:  download

We take a look at what the Android 14 developer preview means for Android security moving forward.



(Read more...)




The post Android 14 developer preview highlights multiple security improvements appeared first on Malwarebytes Labs.

Android developers have been given a taste of what’s to come in the next big step up in mobile land, thanks to Android 14 waiting on the horizon. The developer preview is a great way for those most familiar with the mobile operating system to see which changes they’ll enjoy and what ones they’ll have to endure.

As it happens, there’s quite a few security changes coming down the pipeline and developers will now be busy testing their apps. Not only are alarm permissions, system broadcasts, and language support experiencing alterations, but a wealth of security features will help ensure your device is as safe as can be.

**Out with the old, in with the new**

The biggest change is that old apps are on the way out. After a certain point, you will no longer be able to install them. These kinds of changes have been threatening to land for some time now, so developers will surely have been aware of this coming.

As Ars Technica notes, the current backward compatibility system allowed for older apps to still install but at the risk of malware developers simply targeting older Android versions.

Android 14, on the other hand, is simply bringing down the curtain and those old apps won’t install anymore. Now, don’t panic too much. Your favourite apps are almost certainly safe, especially if you’re still using them on a daily basis because there’s a strong chance they’re still being maintained and updated.

By “old apps”, we’re talking Android 6 and earlier which is a grand total of 8 years+. Given that apps not updated for two years have already started to be hidden from view on the Play store, there is a tiny chance you’ll be impacted by this. If you’re a side-loading hobbyist with a passion for ancient apps, then maybe this could cause you a few headaches. For most people, this is one of those changes you simply won’t notice. It’s a smart piece of house cleaning by Google and one which makes sense.

**The first of what could be many security changes**

Additional security features and alterations mentioned on the Android Developers Google blog are as follows:

**Safer dynamic code loading**

> Dynamic code loading (DCL) introduces outlets for malware and exploits, since dynamically downloaded executables can be unexpectedly manipulated, causing code injection. Apps targeting Android 14 require dynamically loaded files to be marked as read-only.

Malware authors being hampered from malicious code injection can only be a good thing so this is good to see.

**Runtime receivers**

> Apps targeting Android 14 must indicate if dynamic Context.registerReceiver() usage should be treated as "exported" or "unexported", a continuation of the manifest-level work from previous releases.

**Safer implicit intents**

> To prevent malicious apps from intercepting intents, apps targeting Android 14 are restricted from sending intents internally that don't specify a package.

Both of the above have the intent of locking down data from other apps or the system itself. As Bleeping Computer points out, rogue apps and other malicious activities on an Android will have a much more difficult time if trying to intercept pieces of information intended for somewhere else.

A full rundown of what’s to expect (so far) can be seen on the official site. It’s worth noting that a complete reveal of what Android 14 will contain is not likely to be seen for some time yet, so all of this is subject to change to some degree.

**Keeping your phone safe**

This is all good news for the future, but what can you do in the here and now to keep harm at arm’s length?

*   **Update your apps, and your device**. Keep your Android device up to date, and allow your apps to update automatically. Depending on your version, you should be able to tell your device to update when connected to your Wi-Fi as opposed to taking a bite out of your roaming data.
*   **Enable your lock screen**. Whether you’re using a pattern, a PIN, a password, or even your thumbprint, it should be at the top of your list. Pay attention to how long your phone is unlocked before it reverts to the lock screen. This is a valuable window for criminals should you leave your phone unattended.
*   **Enable the “find my phone” service**. This, combined with the lock screen, will help keep your data safe in cases where you need to delete all data from the device remotely.
*   **Install security tools on your phone**. This will help provide you with maximum protection from rogue links, bad apps, and more.
*   **Only download from official stores**. Bad things do end up on there, but it’s still safer than allowing installations from unknown sources via third party websites.
*   **Always read the reviews**. You'll not only gain insight into what the app is doing, but you'll also make sure that the apps you’re using are still supported. This will keep you away from potentially exploitable software which has long since fallen into disrepair. Remember: there’s a two year expiry on abandoned apps before they’re removed from the Play store, so not everything put out to pasture will vanish right away.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Android 14 developer preview highlights multiple security improvements

By Deeba Ahmed
Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. 
This is a post from HackRead.com Read the original post: Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys

ReversingLabs has published an advisory to share details of a **malicious package** discovered in the PyPI (Python Package Index) while performing a routine inspection of open-source repositories.

Researchers Lucija Valentic and Karlo Zanki noted that the malicious package, dubbed Aabquerys, was discovered in the open-source **JavaScript NPM repository** and can download second and third-stage malware payloads onto infected systems.

**Typosquatting – A Growing Threat**

Aabquerys use the **typosquatting technique** to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. The malicious package contained two files, one of which was obfuscated through a JavaScript obfuscator.

_Since you are here, remember _“_**it’s Google.com, not ɢoogle.com**.”_

“In the case of aabquerys, the obfuscated code in question was easily de-obfuscated. That revealed a file with clearly malicious behaviour,” the **advisory/blog post** read.

Valentic and Zanki assert that it is a critical issue since open-source codes are viewable by everyone, so it is essential to investigate the attempt to disguise or hide such functionality on an open-source module.

**Aabquerys Package Analysis**

Aabquerys could download second and third-stage malware payloads onto infected devices from a remote server. It also contains an Avast proxy binary (wscproxy.exe) vulnerable to DLL sideloading attacks.

The third stage payload is identified as Demon.bin, which boasts conventional RAT functionalities generated using a post-exploitation, open-source C2 framework called **Havoc**, authored by C5pider.

Infection chain

A concerning issue is that the author of Aabquerys has published various versions of Aabquerys, namely aabquery and nvm jquery, which could be earlier versions of Aabquerys.

After its discovery, the Aabquerys package was promptly removed from the **NPM repository**. Nevertheless, the findings highlight the growing threat of malicious packages hidden in open-source repositories like PyPI, GitHub, and NPM that can have lasting adverse consequences for the software supply chain.

1.  **Typosquatting: 700 libraries in Ruby repository trojanized**
2.  **Typosquatting: Malicious packages swap out crypto addresses**
3.  **Typosquatting: Official Python repositories plagued with malware**

Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys

By Deeba Ahmed
An APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.
This is a post from HackRead.com Read the original post: Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

However, the APT group has failed to cause any harm to the Singapore-based cybersecurity giant.

An advanced persistent threat (**APT**) group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time. This attempt has also failed. The attack occurred in June 2022, whereas the first one occurred in March 2021.

**Incident Details**

According to Group-IB, they detected and blocked **malicious phishing emails** that targeted their employees. Group-IB’s team detected malicious activity on June 20, 2022, and its XDR solution triggered an alert after blocking the emails sent to two of its employees.

Screenshot of the alerts in Group IB- Managed XDR

Further **investigation** revealed that the Tonto Team threat actors posed as an employee from a legitimate firm and used a fake email created with a free email service called GMX Mail. The phishing emails were the initial phase of the attack. Attackers used them to deliver malicious MS Office documents created using the **Royal Road Weaponizer**.

Moreover, the actors used their own developed Bisonal.DoubleT backdoor, along with a new downloader that Group-IB researchers named TontoTeam.Downloader (aka QuickMute).

**How Did the Attack Occur?**

Attackers created a Rich Text Format (RTF) file with the Royal RTF Weaponizer. It is worth noting that this weaponizer is mainly used by **Chinese APT** (Advanced Persistent Threat) groups.

The file allowed attackers to create malicious RTF exploits with decoy content for Microsoft Equation Editor vulnerabilities tracked as **CVE-2017-11882**, **CVE-2018-0802**, and **CVE-2018-0798**. The decrypted payload, a malicious PE32 format EXE file, could be classified as a Bisonal DoubleT backdoor.

**Bisonal. Backdoor FunctionalitiesDoubleT**

Static analysis of the Bisonal.DoubleT sample was conducted and compared with its old version discovered in 2020. Similar strings were identified, and researchers also detected traces of a C2 server communication.

Additionally, they conducted a dynamic comparison analysis of the sample from 2022 and other samples of the same malware family. Researchers concluded that this backdoor could collect information about the compromised host, such as the proxy server address, system language encoding, the account name for the file currently running, hostname, time since system boot, and local IP address.

It encourages remote access to a compromised device, and the attacker can easily execute various commands. It can stop a specified process, obtain a list of processes, download files from the control server and run them, and create a file on the disk using the local language encoding.

**Tracking the Tonto Team**

The Tonto Team is also referred to as Karma Panda, HeartBeatm, Bronze Huntley, CactusPete, and Earth Akhlut. It is a cyberespionage group, possibly from China.

This APT group has mainly targeted military, government, finance, energy, education, technology, and healthcare organizations since 2009. Initially, it targeted companies in South Korea, Taiwan, and Japan and later expanded its operations to the USA.

The group frequently used **spear-phishing attacks** and delivered malicious attachments created using the RTF exploitation toolkit to drop backdoors, such as ShadowPad, Dexbia, and Bisonal.

1.  **Leading Cybersecurity Firm Kaspersky Hacked**
2.  **Google buys cybersecurity firm Mandiant for $5b**
3.  **Cybersecurity firm exposes 5B data breach records**
4.  **User data stolen in Stormshield cybersecurity breach**
5.  **Cybersecurity firm CloudSEK blames rival over breach**

Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm

CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget.

    # Exploit Title: Cross Site Scripting in CKSource's CKEditor5 35.4.0# Google Dork: N/A# Date: February 09, 2023# Exploit Author: Manish Pathak# Vendor Homepage: https://cksource.com/# Software Link: https://ckeditor.com/ckeditor-5/download/# Version: 35.4.0# Tested on: Linux / Web# CVE : CVE-2022-48110CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting(XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data.An attacker can execute arbitrary script in the browser in the context ofthe affected site. This can allow the attacker to steal cookie-basedauthentication credentials and launch other attacks.CKEditor5 version 35.4.0 is tested & found to be vulnerable.Documentation avaiable athttps://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#securitySecurity Docs Says """The HTML embed feature does not currently executecode in <script> tags. However, it will execute code in the on* andsrc="javascript:..." attributes."""Payload:<div class="raw-html-embed">    <script>alert(456)</script></div>

CVE-2022-48110: CKSource CKEditor5 35.4.0 Cross Site Scripting ≈ Packet Storm

An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems.
The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021.
"Since V8

Game Hacking / Cyber Threat

An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems.

The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021.

"Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players," Avast researcher Jan Vojtěšek said in a report published last week.

Following responsible disclosure to Valve, the game publisher shipped fixes on January 12, 2023, by upgrading the version of V8.

Game modes are essentially custom capabilities that can either augment an existing title or offer completely new gameplay in a manner that deviates from the standard rules.

While publishing a custom game mode to the Steam store includes a vetting process from Valve, the malicious game modes discovered by the antivirus vendor managed to slip through the cracks.

These game modes, which have since been taken down, are "test addon plz ignore," "Overdog no annoying heroes," "Custom Hero Brawl," and "Overthrow RTZ Edition X10 XP." The threat actor is also said to have published a fifth game mode named Brawl in Petah Tiqwa that did not pack any rogue code.

Embedded inside "test addon plz ignore" is an exploit for the V8 flaw that could be weaponized to execute custom shellcode.

The three others, on the other hand, take a more covert approach in that the malicious code is designed to reach out to a remote server to fetch a JavaScript payload, which is also likely to be an exploit for CVE-2021-38003 since the server is no longer reachable.

In a hypothetical attack scenario, a player launching one of the above game modes could be targeted by the threat actor to achieve remote access to the infected host and deploy additional malware for further exploitation.

It's not immediately known what the developer's end goals were behind creating the game modes, but they are unlikely to be for benign research purposes, Avast noted.

"First, the attacker did not report the vulnerability to Valve (which would generally be considered a nice thing to do)," Vojtěšek said. "Second, the attacker tried to hide the exploit in a stealthy backdoor."

"Regardless, it's also possible that the attacker didn't have purely malicious intentions either, since such an attacker could arguably abuse this vulnerability with a much larger impact."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players' Systems

The WP Google Review Slider WordPress plugin before 11.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE-2023-0259

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

**The Tools and Initiatives**

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

**The Impact and Breaches**

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

**So, What's Happening Now, and Why Have Things Subsided?**

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

What Happened to #OpRussia?

Global Infotech CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Global Infotech cms v 1.0 Auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.globalinfotech.co                                                                                       |  | # Dork      : "intext:"Powered by : Global Infotech"                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload = user & pass : 1'or'1'='1[+] http://127.0.0.1/aaravcscdurgcom/admin/Dashboard.aspxGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Global Infotech CMS 1.0 SQL Injection

Investment schemes are ensnaring victims with increasingly compelling narratives and believable tech.

Gallagher found that the website the scammers were using to distribute their malicious apps was set up to impersonate a real Japanese financial company and had a .com domain. It was even visible on Google as one of the top results, Gallagher says, so victims could find it if they attempted to do some basic research. “To someone who isn't particularly knowledgeable about these things, that part would be pretty convincing,” Gallagher says.

The attackers, who Sophos suspects are based in Hong Kong, developed Windows, Android, and iOS apps off of a legitimate trading service from a Russian software company. Known as MetaTrader 4, Sophos researchers have seen past examples of the platform being misused and abused for fraud. As part of joining the platform, victims had to disclose personal details including tax identification numbers and photos of government identification documents, then start moving cash into their account.

As is often the case in a wide range of scams, the attackers were distributing their iOS app using a compromised certificate for Apple's enterprise device management program. Sophos researchers have recently found pig butchering-related apps that skirted Apple's defenses to sneak into the company's official App Store, though.

The second scam Gallagher followed appears to have been run by a Chinese crime syndicate out of Cambodia. The tech for the scheme was less sleek and impressive but still expansive. The group ran a fake Android and iOS cryptocurrency trading app that impersonated the legitimate market tracking service TradingView. But the scheme had a much more developed and sophisticated social engineering arm to lure victims in and make them feel like they had a real relationship with the scammer suggesting that they invest money. 

“It starts off, ‘Hey Jane are you still in Boston?' so I messaged back, ‘Sorry, wrong number,’ and we had a standard exchange from there,” Gallagher says. The conversation started on SMS and then moved to Telegram.

The persona claimed to be a Malaysian woman living in Vancouver, British Columbia. She said that she ran a wine business and sent a photo of herself standing next to a bar, though the bar was mostly stocked with liquor, not wine. Gallagher was eventually able to identify the bar in the photo as one in the Rosewood Hotel in the Cambodian capital, Phnom Penh.

When asked, Gallagher once again said that he was a cybersecurity threat researcher, but the scammer was not deterred. He added that his company had an office in Vancouver and repeatedly tried to suggest meeting in person. The scammers were committed to the ruse, though, and Gallagher received a few audio and video messages from the woman in the photo. Eventually he even video chatted with her.

“Her English skills were pretty good, she was in a very nondescript location, it looked like a room with acoustic wall pads, kind of like an office or conference room,” Gallagher says. “She told me she was at home, and our conversation quickly steered toward whether I was going to be doing the high-frequency crypto trading with them.”

Cryptocurrency wallets associated with the scam took in roughly $500,000 in a single month from victims, according to Sophos’ monitoring. 

The researchers reported their findings on both scams to the relevant cryptocurrency platforms, tech companies, and global cybersecurity response teams, but both operations are still active and were able to continually establish new infrastructure when their apps or wallets got taken down.

Sophos is redacting all images of people from both scams in its reports, because pig butchering attacks are often staffed using forced labor, and participants may be working against their will. Gallagher says that the most sinister thing about the attacks is how their evolution and growth means more forced labor on top of more devastated and financially ruined victims. As law enforcement agencies around the world scramble to counter the threat, though, in-depth details of the mechanics of the schemes show how they work and how slippery and adaptive they can be.

Tag

#google