
Kaspersky Lab

‘Trusted seller’ vends fake Trezor wallets stealing crypto: Kaspersky

Cryptocurrency users are once again reminded about the importance of using only authentic hardware wallets.

Amid the rising popularity of hardware cryptocurrency wallets, the Russian cybersecurity firm Kaspersky has reminded users about the importance of using authentic crypto devices.

Kaspersky’s cyber incident expert Stanislav Golovanov on May 10 reported on an issue with fake hardware wallets impersonating major wallet firm Trezor.

According to the blog post, the fake wallet let fraudsters steal Bitcoin (BTC) via a replaced microcontroller, which gave the attackers control of the user's private keys.

The victim reportedly purchased a tampered hardware wallet that posed as Trezor’s advanced crypto wallet Trezor Model T. The fake wallet appeared to be exactly the same as a genuine Trezor Model T wallet, providing a standard set of wallet functions.

“When handling the wallet, nothing felt suspicious either: all the functions worked as they should, and the user interface was no different from the original one,” Golovanov wrote.

The fake wallet had been tampered with on the inside, though. According to the Kaspersky team, the attackers gained access to the user's crypto assets by replacing the device's internal firmware. “The actual mechanism of the theft remains unclear,” Golovanov noted, adding that the case was caused by a “typical supply chain attack.”

Genuine Trezor Model T (on the left) wallet versus a fake one (on the right). Source: Kaspersky

To prevent supply chain attacks, Kaspersky’s cybersecurity experts advised users to only buy hardware wallets directly from the official vendor. The firm noted that the victim bought the fake Trezor wallet through a “trusted seller through a popular classifieds website.”

Kaspersky didn’t immediately respond to Cointelegraph’s request to comment on exactly which reseller was involved in the incident.

The issue described by Kaspersky isn’t something new for the crypto community. In 2022, Trezor publicly addressed security incidents involving tampered Trezor Model T devices.

According to Trezor's blog post, the described issue was mostly present on Trezor Model T wallets, with all devices being obtained from vendors on the Russian market. The firm wrote:

“Some internal components had been replaced, allowing the malicious actors to spoof the device’s behavior and make its security features redundant.”

According to Trezor’s official website, the firm currently has about 50 officially authorized resellers across the world. The sellers are located in many jurisdictions, including countries like Canada, the United States, Singapore, India, Israel, Belarus, Ukraine and others. There are currently no authorized Trezor wallet resellers in Russia, according to the website.

Related: To catch a scammer: Kraken builds fake crypto account to ‘bait’ fraudsters

In addition to the supply-chain precautions, Trezor advises users to follow its steps for authenticating a Trezor wallet, and provides official guides for the Model One and the Model T.

Trezor’s software also flags potential firmware problems by showing a warning on the app screen.

Warning on unofficial firmware on Trezor Suite. Source: Trezor

“We would like to point out that we have a warning system in the Trezor Suite that alerts users if their device uses an unofficial [firmware],” a spokesperson for Trezor told Cointelegraph.
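The kind of check that sits behind such a warning, and that the replaced firmware described above is designed to defeat, is a vendor signature over the firmware image. The following is an added Go example written for this page; it is not Trezor's or Kaspersky's code, and the manifest layout, the use of Ed25519 over a SHA-256 digest and the pinned vendor key are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the record a vendor would publish per official release: the
// image digest plus an Ed25519 signature over it by the vendor's release key.
// This layout is assumed for the example and is not Trezor's real format.
type Manifest struct {
	Version   string
	Digest    [sha256.Size]byte
	Signature []byte
}

// ErrUnofficialFirmware is the condition a host app would surface as a warning.
var ErrUnofficialFirmware = errors.New("unofficial firmware")

// SignRelease is the vendor side: hash the image and sign the digest.
func SignRelease(releaseKey ed25519.PrivateKey, version string, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Version: version, Digest: d, Signature: ed25519.Sign(releaseKey, d[:])}
}

// CheckFirmware is the host side. vendorPub is pinned in the host app and
// never taken from the device, so a tampered device cannot substitute its
// own key. Both the digest and the signature must check out.
func CheckFirmware(vendorPub ed25519.PublicKey, image []byte, m Manifest) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("malformed vendor key")
	}
	d := sha256.Sum256(image)
	if !bytes.Equal(d[:], m.Digest[:]) {
		return fmt.Errorf("%w: image digest does not match manifest %s", ErrUnofficialFirmware, m.Version)
	}
	if !ed25519.Verify(vendorPub, m.Digest[:], m.Signature) {
		return fmt.Errorf("%w: manifest %s is not signed by the vendor key", ErrUnofficialFirmware, m.Version)
	}
	return nil
}

func main() {
	// Vendor release key, generated here for the demo (a real one lives in an HSM).
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed stand-in for an official firmware image.
	official := []byte("constructed firmware image v2.6.0")
	m := SignRelease(vendorPriv, "2.6.0", official)
	fmt.Println("official image:       ", CheckFirmware(vendorPub, official, m))

	// Supply-chain tampering: the image is modified, the original manifest kept.
	tampered := append([]byte{}, official...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:       ", CheckFirmware(vendorPub, tampered, m))

	// Tampering plus a fresh manifest signed with the attacker's own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignRelease(attackerPriv, "2.6.0", tampered)
	fmt.Println("attacker-signed image:", CheckFirmware(vendorPub, tampered, forged))
}
```

The check only covers the bytes the host can actually read. A device whose microcontroller has been swapped, as in the cases Trezor described, can present whatever image and manifest it likes to the host, which is why Trezor's own guidance pairs the software warning with buying from official channels and physically authenticating the device.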


Crypto phishing attacks up by 40% in one year: Kaspersky

Russian cybersecurity and anti-virus provider Kaspersky detected 5,040,520 crypto phishing attacks in 2022, compared with 3,596,437 in 2021.

When it comes to cryptocurrency-related cyberattacks, bad actors have seemingly reduced their use of traditional financial threats such as PC and mobile banking malware and shifted their focus to phishing.

Russian cybersecurity and anti-virus provider Kaspersky revealed that cryptocurrency phishing attacks rose 40% year-on-year in 2022. The company detected 5,040,520 crypto phishing attacks during the year, compared with 3,596,437 in 2021.

A typical phishing attack reaches investors through fake websites and communication channels that mimic official companies. Users are then prompted to hand over secrets such as private keys or recovery phrases, which gives the attackers full control of the victim's wallets and assets.

While Kaspersky did not predict whether the trend would continue in 2023, phishing attacks have kept up their momentum this year. Most recently, in March, hardware wallet provider Trezor warned of attempts to steal users’ crypto by tricking them into entering their recovery phrase on a fake Trezor site.
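The fake sites described in the two paragraphs above trade on names that look like the real brand. One defensive check a security team can run over proxy or mail logs is a look-alike detector that maps homoglyphs back to Latin letters and measures edit distance to a list of protected brands. This is an added Go example written for this page, not code from Kaspersky, Trezor or any other company named here; the brand list, the official-host allowlist and the sample URLs are constructed for the demo, and the confusable table is deliberately small.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Brands the detector protects and the hosts allowed to carry them.
// Assumed for this example; a real deployment loads these from config.
var protectedBrands = []string{"trezor", "kraken", "arbitrum"}
var officialHosts = map[string]bool{
	"trezor.io": true, "suite.trezor.io": true,
	"kraken.com": true, "arbitrum.io": true,
}

// confusables maps characters attackers substitute for Latin letters
// (Cyrillic homoglyphs, digits, punctuation) back to the letter they imitate.
var confusables = map[rune]rune{
	'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'х': 'x', 'у': 'y', 'і': 'i',
	'0': 'o', '1': 'l', '3': 'e', '5': 's', '$': 's', '|': 'l',
}

// skeleton normalises a host label so that visually similar strings collide.
func skeleton(label string) string {
	s := strings.ToLower(label)
	s = strings.Map(func(r rune) rune {
		if c, ok := confusables[r]; ok {
			return c
		}
		return r
	}, s)
	// Multi-character confusables: "rn" reads as "m", "vv" as "w".
	return strings.NewReplacer("rn", "m", "vv", "w").Replace(s)
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between two strings, counted in runes.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// Verdict describes why a host was flagged; an empty Brand means it was not.
type Verdict struct {
	Host, Brand, Reason string
}

// ClassifyURL flags hosts that imitate a protected brand unless they are on the allowlist.
func ClassifyURL(raw string) (Verdict, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Verdict{}, err
	}
	host := strings.ToLower(u.Hostname())
	if officialHosts[host] {
		return Verdict{Host: host}, nil
	}
	labels := strings.FieldsFunc(host, func(r rune) bool { return r == '.' || r == '-' })
	for _, label := range labels {
		sk := skeleton(label)
		for _, brand := range protectedBrands {
			switch {
			case label == brand:
				return Verdict{Host: host, Brand: brand, Reason: "brand name on a non-official host"}, nil
			case sk == brand:
				return Verdict{Host: host, Brand: brand, Reason: "homoglyph spelling in label " + label}, nil
			case len(brand) >= 5 && levenshtein(sk, brand) == 1:
				return Verdict{Host: host, Brand: brand, Reason: "one edit away from brand: " + label}, nil
			}
		}
	}
	return Verdict{Host: host}, nil
}

// Scan returns only the flagged verdicts for a batch of URLs (e.g. from a proxy log).
func Scan(urls []string) []Verdict {
	var flagged []Verdict
	for _, raw := range urls {
		if v, err := ClassifyURL(raw); err == nil && v.Brand != "" {
			flagged = append(flagged, v)
		}
	}
	return flagged
}

// Constructed sample log entries; the .example hosts are fictitious.
var sampleURLs = []string{
	"https://suite.trezor.io/",              // official host, allowed
	"https://trezor.io/start",               // official host, allowed
	"https://trez0r-recovery.example/seed",  // digit-for-letter substitution
	"https://suite.trеzor.example/",         // Cyrillic е (U+0435) for Latin e
	"https://trezzor.example/login",         // one extra letter
	"https://docs.example.org/",             // unrelated
}

func main() {
	for _, v := range Scan(sampleURLs) {
		fmt.Printf("%-30s imitates %-8s (%s)\n", v.Host, v.Brand, v.Reason)
	}
}
```

The allowlist is matched on the exact host, so a registration such as the brand's real domain used as a subdomain of another domain is still caught by the verbatim-label rule. Unicode TR39 publishes a far larger confusables table than the handful used here; swap it in before relying on this in production.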

In a survey conducted by Kaspersky in 2022, one out of seven respondents admitted to being affected by cryptocurrency phishing. While phishing attacks predominantly involve giveaway scams or fake wallet phishing pages, attackers continue to evolve their strategies.

According to Kaspersky, “crypto still remains a symbol of getting rich quick with minimal effort,” which attracts scammers to innovate their techniques and stories to lure in unwary crypto investors.

Related: 5 sneaky tricks crypto phishing scammers used last year: SlowMist

Arbitrum investors were recently exposed to a phishing link posted on the project's official Discord server. An attacker reportedly compromised the Discord account of one of Arbitrum’s developers and used it to share a fake announcement containing the phishing link.

Cointelegraph accessed the phishing link to find that it redirects users to a blank website with the text “Astaghfirullah,” which translates to “I seek forgiveness in God.“ According to Wiktionary, the term can also be used to express disbelief or disapproval.


Massive supply chain attack targeting small number of crypto companies: Kaspersky

CrowdStrike and Kaspersky found an infection in a communications app that delivered a backdoor, but the backdoor was deployed only a handful of times.

A supply chain attack pushed a trojanized application to computers around the world, but the backdoor it carried was deployed on fewer than ten of them, cybersecurity company Kaspersky has reported. Those deployments showed a particular interest in cryptocurrency companies, it added.

Cybersecurity company CrowdStrike reported on March 29 that it had identified malicious activity in the 3CX softphone app 3CXDesktopApp, which is marketed to corporate clients. The activity detected included “beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.”

Kaspersky said it suspected the involvement of the North Korea-linked threat actor Labyrinth Chollima. 3CX said of the infection:

“This appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware.”

Kaspersky said it was already investigating a dynamic link library (DLL) found in one of the infected 3CXDesktopApp .exe files. The DLL had been used to deliver the Gopuram backdoor, although it was not the only malicious payload deployed in the attack. Gopuram has been found coexisting with the AppleJeus backdoor attributed to the North Korean Lazarus group, Kaspersky added.

Related: North Korean hackers are pretending to be crypto VCs in new phishing scheme — Kaspersky

Infected 3CX software has been detected around the world, with highest infection figures in Brazil, Germany, Italy and France. Gopuram has been deployed in fewer than ten computers, however, in a display of “surgical precision,” Kaspersky said. It had found a Gopuram infection in a Southeast Asian cryptocurrency company in the past.

The 3CX app is used by over 600,000 companies, including several major brands, Kaspersky said, citing the maker. The infected app carried a DigiCert-issued code-signing certificate, so a signature check alone would not have flagged it.


Kaspersky ranks cryptojackers among top malware threats in Africa

Some of the most common methods of duping crypto investors include false advertisements claiming to sell mining equipment and fake websites posing as crypto exchanges.

Russian cybersecurity firm Kaspersky has detected more than 1,500 fraudulent entities targeting potential crypto investors and miners just in the first half of 2021.

Kaspersky’s research shows that 0.60% of users in South Africa have already been targeted by malicious crypto miners.

Kaspersky’s anonymized statistics revealed that 0.85% of crypto investors in Kenya and 0.71% in Nigeria were targets of crypto-miner malware, while investors in Ethiopia (3.68%) and Rwanda (3.22%) faced the most threats of this kind. Bethwel Opil, Africa’s enterprise sales manager at Kaspersky, warned that the low percentages do not mean the threat is insignificant:

“Crypto-miner malware has been identified as one of the top 3 malware families rife in South Africa, Kenya and Nigeria at present, which we believe emphasises that as cryptocurrency continues to gain momentum, more users will likely be targeted.”

The report also suggests that the most common methods of duping unwary crypto investors involve false advertisements claiming to sell mining equipment and fake websites posing as crypto exchanges.

These fraudulent platforms require users to make an upfront payment under the pretext of an advance fee or verification, after which the scammers stop responding. Cybercriminals also use phishing platforms to obtain the private keys of users’ crypto wallets. Alexey Marchenko, head of content filtering methods development at Kaspersky, said:

“Both those who want to invest or mine cryptocurrency and simply the holders of such funds can find themselves on the fraudsters’ radar.”

Related: South Africa to revise national policy position on cryptocurrency

Back in June 2021, South Africa's Intergovernmental Fintech Working Group (IFWG) published a roadmap for defining the country’s regulatory framework for crypto assets.

The IFWG also highlighted the inherent risk and volatility of investing in cryptocurrency and issued 25 regulatory recommendations covering anti-money laundering, terror financing and market manipulation.
