Security Weekly 33


Security Weekly 33: The Thief At The Thief Bitcoin Stole, Here Could Be Your Trojan, Ten Days Without Computers


Security researchers recently turned their attention to the owners of a Tor proxy service who had been robbing both their users and the extortionists. This Tor proxy was popular with ransomware victims who could not or would not install the Tor browser: it was the way they reached the attackers' .onion payment site. Some extortionists even put a direct link through this proxy in their ransom notes – everything for the client, as they say. The catch was that when the pages loaded, the wallet address the extortionists displayed was quietly swapped for someone else's.

  • The operators of Onion.top secretly scanned the dark-web pages loaded through their portal for bitcoin wallet addresses and replaced them. Since the substitution rules differed from page to page, they appear to have been set up by hand, separately for each ransomware family. The service's owners managed to steal at least a little over 2.2 bitcoin this way.

Most remarkably, the scheme came to light thanks to an announcement by the extortionists themselves, who urged victims not to use the untrustworthy Onion.top service. The offended blackmailers are now taking countermeasures against this unprecedented treachery: for instance, they strongly recommend using only the Tor browser, or they split the wallet address with HTML tags so that it is harder to find on the page automatically.
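As an added illustration of the substitution described above (not code from the original digest), here is a small Python check that a researcher or victim-support team could run over two copies of the same page, one fetched directly and one through a proxy: it finds legacy bitcoin addresses, validates their Base58Check checksum so that base58-looking noise is ignored, and reports which address was swapped. Both page samples and the addresses in them are constructed; the genesis-block address and the all-zero burn address stand in for the two wallets.

```python
import hashlib
import re

# Base58 alphabet and a loose pattern for legacy (P2PKH / P2SH) addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])")
TAG_RE = re.compile(r"<[^>]+>")

# Constructed samples: the same ransom page as served by the .onion site
# directly and as served through a rewriting proxy. The "order id" is a
# base58-looking string with a broken checksum, so it must be ignored.
DIRECT_PAGE = (
    "<html><body><p>Pay 0.5 BTC to <b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b> "
    "within 72 hours. Order id: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb</p></body></html>"
)
PROXIED_PAGE = (
    "<html><body><p>Pay 0.5 BTC to <b>1111111111111111111114oLvT2</b> "
    "within 72 hours. Order id: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb</p></body></html>"
)


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to version(1) + hash160(20) + checksum(4) bytes
    and the checksum equals the first 4 bytes of double-SHA256 of the rest."""
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's become leading zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def extract_addresses(html: str) -> list:
    """Checksum-valid addresses in page order. Markup is stripped first, so an
    address that was split across tags is still seen as one token."""
    text = TAG_RE.sub("", html)
    found = []
    for m in ADDR_RE.finditer(text):
        if b58check_valid(m.group(0)) and m.group(0) not in found:
            found.append(m.group(0))
    return found


def diff_addresses(direct_html: str, proxied_html: str) -> tuple:
    """(addresses missing from the proxied copy, addresses that replaced them)."""
    direct = extract_addresses(direct_html)
    proxied = extract_addresses(proxied_html)
    return ([a for a in direct if a not in proxied],
            [a for a in proxied if a not in direct])


if __name__ == "__main__":
    print(diff_addresses(DIRECT_PAGE, PROXIED_PAGE))
```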

Here could be your Trojan


The criminal group Zirconium created a network of 28 fake media agencies in order to buy space legitimately on ordinary advertising platforms and show unsuspecting users ads that forcibly redirected them to fraudulent pages. In 2017, Zirconium's advertising bought at least a million views from desktop browsers.

Zirconium's traffic was resold to assorted unscrupulous characters for all kinds of fraud (buyers mostly indulged in fake virus warnings, prompts to update some media player, and other standard tricks for spreading malware and otherwise taking money from the public). The group itself focused on generating that traffic at the lowest cost and risk. What helped it avoid detection for so long was its forced-redirect technology, tuned not to fire every time but selectively: using a number of signals, the mechanism identified likely security researchers and did not redirect them.

  • The group took a creative approach to cutting costs: it built its own advertising network and an intricate legal structure of front companies to serve itself and its criminal clients – in short, it organized an entire semi-legal business model. And off it went!

All of the firms existed only as pages on social networks. They were created according to a simple but unbeatable pattern: each had its own domain, each had a director's LinkedIn profile with a stock photo of him at his desk, plus some sort of blog or Twitter account full of typical vanilla quotes about support, corporate philosophy, and customer focus. The researchers found 28 front companies, 20 of which had already proven themselves in the criminal field, while 8 more were waiting in reserve.

Zirconium's front companies managed to establish business relationships with 16 major media platforms. The money the intruders earn goes to the accounts of firms with Seychelles addresses that are linked to other online crimes. This is the digital Sopranos. It may be that this organized, businesslike approach is what the future of malware distribution looks like.

Is there life after NotPetya


NotPetya is old news; only the deaf have not heard of its attack in June 2017. But even half a year later, companies are still tallying the damage, drawing conclusions, and sharing with colleagues and the public how they survived the crisis. For some organizations, insufficient attention to their own security cost almost their entire IT infrastructure. Recently the logistics company Maersk, which handles almost 20% of the world's sea shipping, shared its pain. According to its CEO, 4,000 servers, 25,000 computers, and 2,500 applications had to be restored.

  • In total, the work took Maersk 10 days. And for those 10 days the company had no electronic records at all. Meanwhile, ships kept arriving at ports every 15 minutes, each needing to unload 10 to 20 thousand containers. And every container had to be accepted, checked, logged, and assigned a place – without the help of computers. You can imagine the pandemonium in the company at the time! But they coped well: productivity fell by only a fifth. More than a decent result. It's a pity that such heroism was needed at all.

On the other hand, the Maersk story is an encouraging example: if the Danes were able to manage without computers, perhaps not all is lost for the rest of humanity. Maybe when our electronic slaves rise up and we have to pull the fuses, the world will plunge into chaos for a while. And then modest heroes with calculators, ledger books, and slide rules will come to the rescue.