Cybersecurity experts at Palo Alto Networks discovered a virus called ComboJack while monitoring an email phishing campaign that targeted customers in Japan and the United States.
The virus steals Bitcoin, Ethereum, Monero and Litecoin. But not only cryptocurrency is the goal of ComboJack. It is also intended for fraudulent transactions with digital payment systems, the list of which includes Yandex.Money and WebMoney.
The potential victim is asked to open the attached file, after which the embedded RTF file with the CVE-2017-8759 exploit is automatically launched. It is he who frees up the hands of scammers and provides the ability to enter code and run PowerShell commands, which are used to execute the ComboJack script.
The program withdraws money by replacing the destination address of the crypto transaction with the address of the criminal’s wallet. The victims of the virus are users who do not check the destination address of transactions before approving them.
“The tactic is based on the fact that wallet addresses are usually long and difficult to remember. Most users prefer to copy such a string to the clipboard to prevent possible errors,” Palo Alto Networks experts write in the report.
The virus “lives” due to a vulnerability that Microsoft fixed in early fall last year. In order to protect themselves, users are advised to reinstall the system software.
The fact that such schemes still work suggests that users are still too trusting, which is successfully exploited by scammers.
According to https://researchcenter.paloaltonetworks.com
You May Also Like
Fake Trezor One hardware wallets flood the market
Hardware wallet maker TREZOR is warning that one of its models, the Trezor One, has been cloned and resold on secondary markets. The manufacturer of the Trezor One imitation devices is not known to the company, but they are very similar to the original ones.
Hackers took over the official Twitter page and made it fake
The Twitter page of the television series "Almost Human" of the American television network Fox was compromised, after which scammers turned it into a fake Twitter profile of TRON founder Justin Sun with the tag @Almost Human FOX in order to defraud naive users of money.
