FBI Warning: Crypto Fraudsters Disguise NFT Developers

18 September 2023 8 minutes Author: Newsman

The FBI has identified a threat: NFT developers are being targeted by crypto fraudsters

The US Federal Bureau of Investigation (FBI) is warning about crypto fraudsters masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users.

But first, let’s learn a little about who crypto-scammers and NFT developers are

  • Crypto scammers are criminals who use cryptocurrency to demand a ransom in exchange for unlocking data or devices they have encrypted. They usually target organizations or individuals, and they can choose different ways to launch their attacks.

  • NFT (non-fungible token) developers create digital assets that have unique ownership and cannot be replaced by other assets. As NFTs gain popularity, fraudsters use the theme as a lure for their attacks.

Usually, crypto fraudsters demand a ransom in cryptocurrency (most often Bitcoin) and try to keep their actions anonymous. The Federal Bureau of Investigation (FBI) and other law enforcement agencies may conduct investigations and joint operations to identify and apprehend crypto fraudsters.

In these fraudulent schemes, criminals either gain direct access to NFT developers’ social media accounts or create similar accounts to promote “exclusive” new NFT releases, often using deceptive advertising campaigns that create a sense of urgency.

“The links provided in these ads are phishing links that direct victims to a fake website that appears to be a legitimate extension of a specific NFT project,” the FBI said in a statement last week.

The copycat websites encourage potential targets to connect their cryptocurrency wallets and purchase NFTs, so that the attackers can siphon funds and NFTs into wallets they control.

“The content stolen from victims’ wallets is often processed through a series of cryptocurrency mixers and exchangers to obscure the path and final destination of the stolen NFTs,” the agency said.

To reduce the risks associated with such scams, users are encouraged to do their due diligence and check social media accounts and websites to verify their legitimacy.

The development comes nearly five months after the FBI warned of a surge in bogus cryptocurrency investment schemes known as pig butchering (or shā zhū pán) that could lead to $2 billion in losses by 2022.

This includes a category called CryptoRom, in which criminals use fictitious identities on dating apps and social media platforms to develop romantic relationships and build trust with victims before presenting the idea of trading cryptocurrencies.

Operators are known to engage in an initial conversation within the app through which they make initial contact with the target. Soon after, the chat moves to a private messaging app such as Telegram or WhatsApp, where they encourage them to use fraudulent cryptocurrency websites or apps and make significant investments.

“Criminals instruct victims in the investment process, show them false returns and encourage victims to invest more,” the FBI said. “When victims try to withdraw their money, they are told they have to pay a fee or taxes. Victims cannot get their money back, even if they pay the fees or taxes imposed.”

Romance-focused social engineering attacks have also evolved in recent months, with Sophos finding that threat actors are using generative AI tools to lend more credibility to conversations with victims on messaging apps and convince them to download sketchy apps from the Apple App Store and Google Play Store.

“These apps can bypass Apple and Google’s pre-review by altering remote content associated with the apps after they are approved and published in stores,” the cybersecurity firm said.

“Simply by changing a pointer in the remote code, an application can be switched from a secure interface to a rogue one without further verification by Apple or Google, unless a complaint is filed.”

Malware uses stealth techniques to bypass Google Play Store scanners

Attackers use a technique called versioning to evade the Google Play Store’s malware scanners and target Android users.

“Campaigns using versioning typically target user credentials, data, and finances,” Google’s Cybersecurity Action Team (GCAT) said in an August 2023 Threat Horizons report shared with The Hacker News.

Although versioning is not a new phenomenon, it is stealthy and difficult to detect. In this method, a developer releases an initial version of an app to the Play Store that passes Google’s pre-publication review, and later updates it with malware.

This is achieved by sending an update from an attacker-controlled server to place malicious code on the end-user’s device using a method called dynamic code loading (DCL), effectively turning the application into a backdoor.

Earlier this May, ESET discovered a screen recording app called “iRecorder – Screen Recorder” that remained harmless for almost a year after it was first uploaded to the Play Store, before being maliciously modified to secretly spy on its users.

Another example of malware using the DCL method is SharkBot, which has repeatedly appeared on the Play Store under the guise of security and utility programs.

This Android file manager has infected thousands of devices with the SharkBot malware

SharkBot is a financial Trojan that initiates unauthorized money transfers from compromised devices using an Automatic Transfer System (ATS).

Android banking fraud malware known as SharkBot has reared its head again in the official Google Play Store, posing as file managers to bypass app market restrictions.

According to an analysis published this week, Romanian cybersecurity firm Bitdefender reports that the majority of users who have downloaded fraudulent programs are located in the UK and Italy.

SharkBot, first discovered in late 2021 by Cleafy, is a persistent mobile threat that spreads through both the Google Play Store and other third-party app stores.

One of the main goals of the Trojan is to initiate money transfers from compromised devices using a technique called an Automatic Transfer System (ATS), in which a transaction initiated through a banking application is intercepted and the recipient’s account is silently swapped for an account controlled by the actor.

It is also capable of serving a fake login overlay when users try to open legitimate banking apps, stealing credentials in the process.

Often, such apps offer seemingly innocuous features, masquerading as antivirus software and cleaners to infiltrate the Google Play Store. But they also act as droppers that, once installed on a device, can deliver malware.

The dropper apps, which have since been removed, are listed below –

  • X-File Manager (com.victorsoftice.llc) – over 10,000 downloads

  • FileVoyager (com.potsepko9.FileManagerApp) – 5000+ downloads

  • LiteCleaner M (com.ltdevelopergroups.litecleaner.m) – over 1000 downloads

LiteCleaner M is still available for download from a third-party app store called Apksos, which also contains a fourth SharkBot artifact called “Phone AID, Cleaner, Booster” (com.sidalistudio.developer.app).

The X-File Manager app, which was only available to users in Italy, received more than 10,000 downloads before it was removed. Given that Google is relentless in cracking down on abuse of permissions, the threat’s choice to use File Manager as bait is not surprising.

Dropper apps that appear in the storefront have limited functionality that, when installed by victims, download the full version of the malware to attract less attention.

This is because Google’s Developer Program Policy limits the permission to install external packages (REQUEST_INSTALL_PACKAGES) to a few categories of apps: web browsers, instant messaging apps that support attachments, file managers, enterprise device management, backup and restore, and device migration.

Invariably, this permission is abused to download and install malware from a remote server. Some of the banking apps targeted include Bank of Ireland, Bank of Scotland, Barclays, BNL, HSBC UK, Lloyds Bank, Metro Bank and Santander.
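The versioning/DCL tactic described earlier and the REQUEST_INSTALL_PACKAGES abuse described just above can both be triaged statically before an app reaches a managed fleet. The following is an added example written for this article; it is not Google’s, Bitdefender’s or ThreatFabric’s tooling. It takes a decoded AndroidManifest.xml and the class/string references pulled from the app’s DEX files (for instance with apktool or androguard), flags runtime class-loading APIs, hard-coded remote APK URLs and an install permission declared by an app outside the policy’s allowed categories, and rates the combination as the dropper pattern. The category labels and the sample manifest, strings and package name are constructed for the example.

```python
"""Static triage for the two Play Store evasion tactics discussed above:
updating a reviewed app with dynamically loaded code (versioning / DCL) and
dropper apps that abuse REQUEST_INSTALL_PACKAGES.

Added example, not Google's, Bitdefender's or ThreatFabric's tooling. Inputs are
a decoded AndroidManifest.xml and the class/string references pulled from the
app's DEX files; all sample values below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Runtime class-loading APIs; a reviewed APK that references these can pull in
# code the store never saw.
DCL_INDICATORS = {
    "dalvik.system.DexClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
    "dalvik.system.PathClassLoader",
    "dalvik.system.BaseDexClassLoader",
}

# App categories the article says Google's policy allows to hold the install
# permission. The exact labels are an assumption for this example.
INSTALL_ALLOWED_CATEGORIES = {
    "Web browsers", "Instant messaging", "File managers",
    "Enterprise device management", "Backup and restore", "Device migration",
}

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def normalize_class_ref(ref: str) -> str:
    """Turn a DEX descriptor such as 'Ldalvik/system/DexClassLoader;' into a dotted name."""
    if ref.startswith("L") and ref.endswith(";"):
        ref = ref[1:-1]
    return ref.replace("/", ".")


def triage(manifest_xml: str, dex_strings: list, store_category: str) -> dict:
    """Return the package name, a list of (severity, finding) pairs and an overall risk."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    permissions = {e.get(name_attr) for e in root.iter("uses-permission")}
    classes = {normalize_class_ref(s) for s in dex_strings}

    findings = []
    dcl_hits = sorted(classes & DCL_INDICATORS)
    if dcl_hits:
        findings.append(("medium", "dynamic code loading API referenced: " + ", ".join(dcl_hits)))

    # Hard-coded URLs ending in .apk are a common sign of a second-stage download.
    apk_urls = sorted(s for s in dex_strings
                      if s.startswith(("http://", "https://")) and s.lower().endswith(".apk"))
    if apk_urls:
        findings.append(("medium", "remote APK URL hard-coded: " + ", ".join(apk_urls)))

    wants_install = INSTALL_PERM in permissions
    if wants_install and store_category not in INSTALL_ALLOWED_CATEGORIES:
        findings.append(("medium", f"{INSTALL_PERM} declared by a '{store_category}' app"))
    elif wants_install:
        findings.append(("info", f"{INSTALL_PERM} declared (permitted for '{store_category}')"))

    # The combination is the dropper pattern the article describes: a small
    # reviewed app that later fetches and installs the real payload.
    if wants_install and (dcl_hits or apk_urls):
        findings.append(("high", "install permission plus runtime code fetching: dropper pattern"))

    risk = max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="low")
    if risk == "info":
        risk = "low"
    return {"package": root.get("package"), "findings": findings, "risk": risk}


# Constructed sample: a "file manager" listed under Tools that asks to install
# packages and references DexClassLoader plus a remote APK URL.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Sample File Manager">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""
SAMPLE_DEX_STRINGS = [
    "Ljava/io/File;",
    "Ldalvik/system/DexClassLoader;",
    "https://update.example.invalid/stage2.apk",
]

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS, "Tools")
    print(report["package"], "risk:", report["risk"])
    for severity, text in report["findings"]:
        print(f"  [{severity}] {text}")
```

The heuristic is deliberately conservative: a file manager that legitimately holds the install permission and ships no class-loading code is rated low, while the same manifest paired with DexClassLoader references and an update URL is rated high. Run it against a decoded APK of any app that is allowed onto managed devices, and re-run it on each update, since versioning means the first reviewed build is exactly the one that looks clean.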

“The program [i.e. the dropper] performs an anti-emulator check and targets users in the UK and Italy by checking whether the ISO matches the ISO of the IT or GB SIM card,” Bitdefender researchers said.

Users who have installed the above apps are advised to remove them immediately and change their bank account passwords. Users are also advised to enable Google Play Protect and read app ratings and reviews carefully before downloading.
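The removal advice above can be turned into a quick device check using the package names the article lists. The following is an added example, not Bitdefender’s tooling: it parses the `package:<name>` lines that `adb shell pm list packages -3` prints for third-party apps, matches them against the four dropper package names given above, and lists the remediation steps the article recommends. The sample `pm` output and the non-SharkBot package names in it are constructed.

```python
"""Check an Android device's third-party packages against the SharkBot dropper
package names listed in the article, and list the remediation the article
recommends. Added example, not Bitdefender's tooling. Uses the standard
`adb shell pm list packages -3` output format; the sample output is constructed.
"""
import subprocess

# Package names and labels exactly as given in the article.
KNOWN_SHARKBOT_DROPPERS = {
    "com.victorsoftice.llc": "X-File Manager",
    "com.potsepko9.FileManagerApp": "FileVoyager",
    "com.ltdevelopergroups.litecleaner.m": "LiteCleaner M",
    "com.sidalistudio.developer.app": "Phone AID, Cleaner, Booster",
}


def parse_pm_list(output: str) -> set:
    """Parse 'package:<name>' lines from `pm list packages` into a set of names."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def find_known_droppers(pm_output: str, known: dict = KNOWN_SHARKBOT_DROPPERS) -> dict:
    """Return {package: label} for every known dropper present in the pm output."""
    installed = parse_pm_list(pm_output)
    return {pkg: known[pkg] for pkg in sorted(installed & set(known))}


def remediation_steps(matches: dict) -> list:
    """Commands and actions to take, following the article's advice."""
    steps = [f"adb uninstall {pkg}" for pkg in matches]
    if matches:
        steps.append("change passwords for any banking accounts used on the device")
        steps.append("confirm Google Play Protect is enabled and run a scan")
    return steps


def list_device_packages() -> str:
    """Live check against a connected device (requires adb and USB debugging)."""
    result = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample output for offline use; two of the listed droppers are present.
SAMPLE_PM_OUTPUT = """package:com.example.browser
package:com.potsepko9.FileManagerApp
package:org.example.notes
package:com.victorsoftice.llc
"""

if __name__ == "__main__":
    matches = find_known_droppers(SAMPLE_PM_OUTPUT)
    for pkg, label in matches.items():
        print(f"FOUND {label} ({pkg})")
    for step in remediation_steps(matches):
        print("  ->", step)
```

Replace `SAMPLE_PM_OUTPUT` with `list_device_packages()` to run against a real device. Package names are case-sensitive, so the comparison is exact; a lookalike with a different name is not matched, which is why the list should be treated as an indicator set and not as proof that a device is clean.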

“In an enterprise environment, versioning demonstrates the need for defense-in-depth principles, including but not limited to restricting app installation sources to trusted sources such as Google Play or managing enterprise devices through a mobile device management (MDM) platform,” the company said.

The findings come after ThreatFabric discovered that malware distributors were using a bug in Android to pass off malicious apps as benign by “corrupting app components” so that the app as a whole would remain valid, KrebsOnSecurity reported.

“Actors can publish multiple apps to the store at the same time under different developer accounts, but only one acts as malicious, while the other is a backup that will be used after removal,” the Dutch cybersecurity company said in June.

“This tactic helps actors sustain very long campaigns by minimizing the time it takes to publish another dropper and continue the spread campaign.”

To reduce any potential risks, Android users are advised to use trusted sources to download apps and enable Google Play Protect to receive alerts when a potentially harmful program (PHA) is detected on their device.
