A sophisticated, large-scale cybercrime campaign, named GreedyBear, has been uncovered stealing at least $1,000,000 from cryptocurrency users. The research, carried out by cybersecurity firm Koi Security and shared with Hackread.com, reveals a highly organised operation that goes far beyond typical online scams.
Instead of focusing on a single type of attack, the criminals behind GreedyBear are using a coordinated mix of malicious browser extensions, malicious software, and fake websites. This strategy lets them attack from several angles at the same time, making their operation highly effective.
How They Do It: Three Attack Methods
One of the main ways GreedyBear operates is through malicious browser extensions. The group has created over 150 fake extensions for the Firefox marketplace, impersonating popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.
The attackers use a clever trick called “Extension Hollowing” to evade security checks. They first upload harmless extensions and, after building credibility with fake positive reviews, they hollow out the extensions by changing their names and icons and injecting malicious code, all while keeping the positive review history.
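The hollowing pattern described above leaves a trail in the extension's own metadata: the update that turns a harmless add-on into a wallet impostor changes its name and icon and, to do anything useful to the attacker, must also widen its permissions. The following is an added example, not code from Koi Security or from the campaign itself, showing how a reviewer or an add-on vetting pipeline could diff two versions of a manifest.json and flag that combination. Both manifests are constructed for the illustration and the wallet-brand list is taken from the names in the report.

```python
import json

# Constructed sample manifests for a hypothetical add-on, not real GreedyBear artefacts:
# v1 is the harmless listing used to collect reviews, v2 is the "hollowed" update.
MANIFEST_V1 = json.dumps({
    "manifest_version": 2,
    "name": "Tab Link Cleaner",
    "version": "1.0.2",
    "icons": {"48": "icons/broom.png"},
    "permissions": ["activeTab"],
})
MANIFEST_V2 = json.dumps({
    "manifest_version": 2,
    "name": "MetaMask Wallet",
    "version": "1.0.3",
    "icons": {"48": "icons/fox.png"},
    "permissions": ["activeTab", "storage", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Wallet brands named in the report; a utility that suddenly adopts one is suspect.
WALLET_BRANDS = ("metamask", "tronlink", "exodus", "rabby")
# API permissions that let an extension observe or alter traffic and page state.
BROAD_PERMS = {"webRequest", "webRequestBlocking", "tabs", "clipboardRead"}


def _host_patterns(perms):
    """Return the subset of permission strings that are host match patterns."""
    return {p for p in perms if p == "<all_urls>" or "://" in p}


def hollowing_indicators(old_manifest: str, new_manifest: str) -> list[str]:
    """Compare two versions of an extension manifest and list the changes that
    match the Extension Hollowing pattern: rebranding plus a permission jump."""
    old, new = json.loads(old_manifest), json.loads(new_manifest)
    findings = []

    old_name, new_name = old.get("name", ""), new.get("name", "")
    if old_name != new_name:
        findings.append(f"name changed: {old_name!r} -> {new_name!r}")
        if any(brand in new_name.lower() for brand in WALLET_BRANDS):
            findings.append("new name impersonates a crypto wallet brand")

    if old.get("icons") != new.get("icons"):
        findings.append("icon set changed")

    old_perms = set(old.get("permissions", []))
    new_perms = set(new.get("permissions", []))
    added_api = (new_perms - old_perms) & BROAD_PERMS
    if added_api:
        findings.append("added broad permissions: " + ", ".join(sorted(added_api)))
    added_hosts = _host_patterns(new_perms) - _host_patterns(old_perms)
    if added_hosts:
        findings.append("added host access: " + ", ".join(sorted(added_hosts)))

    old_scripts = {m for cs in old.get("content_scripts", []) for m in cs.get("matches", [])}
    new_scripts = {m for cs in new.get("content_scripts", []) for m in cs.get("matches", [])}
    if new_scripts - old_scripts:
        findings.append("content scripts now injected into: "
                        + ", ".join(sorted(new_scripts - old_scripts)))

    return findings


def looks_hollowed(old_manifest: str, new_manifest: str) -> bool:
    """True when an update both rebrands the add-on and widens what it can touch."""
    found = hollowing_indicators(old_manifest, new_manifest)
    rebranded = any(f.startswith(("name changed", "icon")) for f in found)
    widened = any(f.startswith(("added", "content scripts")) for f in found)
    return rebranded and widened


if __name__ == "__main__":
    for line in hollowing_indicators(MANIFEST_V1, MANIFEST_V2):
        print("-", line)
    print("hollowed:", looks_hollowed(MANIFEST_V1, MANIFEST_V2))
```

The point of requiring both a rebrand and a permission jump is to keep the check quiet on ordinary updates: a name tweak alone, or a new permission alone, is common and legitimate, while the two together in one release of an add-on with an established review history is exactly the signature the report describes.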
The second method involves nearly 500 malicious packages, or executables, found on sites offering pirated software. These packages include credential stealers, which are designed to steal your login information, and ransomware, which locks your files and demands a payment. The variety of these tools shows the group is not a one-trick pony but has a range of methods for targeting victims.
Thirdly, the group has set up dozens of fake websites that look like legitimate crypto services or wallet repair tools. These sites are designed to trick users into entering personal information and wallet details.
The Core Finding
A key detail Koi Security's research has revealed is that all of these attacks, the fake extensions, the malware, and the scam websites, are linked to a single central server (185.208.156.66). This central hub lets the attackers manage their large-scale operation with great efficiency.
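A single shared server is also the most useful thing the report gives defenders: one indicator that covers all three delivery methods. As an added example that is not part of Hackread's article or Koi Security's research, the script below sweeps proxy log lines for contacts with that address and lists which internal clients reached it. The log lines are constructed for the illustration and their Squid-like layout (timestamp, client, status, URL) is an assumption; the last line is a deliberate near-miss address to show that matching is on the exact host, not on a substring.

```python
import re

# Indicator from the report: the central server tying the extensions,
# malware and scam sites together.
GREEDYBEAR_C2 = {"185.208.156.66"}

# Constructed sample proxy log (assumed fields: timestamp client status url).
SAMPLE_PROXY_LOG = """\
1723000001.123 10.0.0.14 TCP_MISS/200 https://addons.mozilla.org/firefox/
1723000002.456 10.0.0.14 TCP_MISS/200 http://185.208.156.66/api/collect
1723000003.789 10.0.0.27 TCP_MISS/200 https://example.com/
1723000004.012 10.0.0.27 TCP_MISS/200 https://185.208.156.66:8443/upload
1723000005.345 10.0.0.31 TCP_MISS/404 http://185.208.156.6/nope
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<url>\S+)")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def extract_host(url: str) -> str:
    """Pull the host out of a URL, dropping scheme, port and path."""
    m = HOST_RE.match(url)
    return m.group(1) if m else ""


def find_c2_contacts(log_text: str, indicators=GREEDYBEAR_C2) -> list[dict]:
    """Return one record per log line whose destination host is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        if extract_host(m["url"]) in indicators:  # exact host match, no substring
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"]})
    return hits


def affected_clients(log_text: str, indicators=GREEDYBEAR_C2) -> list[str]:
    """Distinct internal clients that contacted the indicator, for triage."""
    return sorted({h["client"] for h in find_c2_contacts(log_text, indicators)})


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']}")
    print("clients to triage:", affected_clients(SAMPLE_PROXY_LOG))
```

Because the same server serves the extensions, the pirated-software payloads and the scam sites, a hit from a client tells you that one of the three vectors reached it but not which; the triage step is to check that client for recently installed Firefox add-ons and for downloads from pirated-software sites.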
Researchers note that this campaign, which started as a smaller effort known as Foxy Wallet, has now grown into a major multi-platform threat, with signs that it may soon expand to other browsers such as Chrome and Edge.
Researchers also noted that this type of large-scale, automated crime is likely made possible by new AI tools, making it faster and easier than ever for criminals to launch attacks. This new reality means that relying on old security methods is no longer enough to stay safe online.