
Liquidation of the Jewelry Team, massive leaks in the Russian Federation and other cybersecurity events

by Vaibhav
June 10, 2023


We have collected the most important news from the world of cybersecurity for the week.

  • The Ministry of Internal Affairs, with the support of FAC.C.T., eliminated the Jewelry Team group.
  • Unidentified persons leaked customer data of a number of large stores in the Russian Federation.
  • Fractureiser malware found in mods for Minecraft.
  • Researchers have created a robot to extract the contents of RAM.

Ministry of Internal Affairs, with the support of FAC.C.T., eliminated the Jewelry Team group

Experts at the information security company FAC.C.T. (formerly Group-IB) identified the Jewelry Team, a group of scammers that stole money from Russians through the popular BlaBlaCar travel companion search service.

FAC.C.T. specialists helped the Ministry of Internal Affairs to identify and detain a group of fraudsters “Jewelry Team”. For a year and a half, attackers stole money from Russians who decided to use the popular travel companion search service: https://t.co/RMJ4KlznwU pic.twitter.com/eQZW7ww88C

— FACCT (@F_A_C_C_T_) June 5, 2023

According to the investigation, members of the group have been posting fake ads on behalf of drivers since September 2021. Communication with users was then moved to a messenger, where they were sent links to a phishing resource, ostensibly to make an advance payment.

As a result, the fraudsters received not only a “deposit” in the amount of 500 to 1,500 rubles, but also bank card data. The group tried to withdraw more than 3 million rubles from one of the users, but the bank blocked this transfer.

The researchers suggested that the Jewelry Team was created in January 2021 by people from the HAUNTED FAMILY scam team, or that it was its independent division.

[Image. Data: FAC.C.T.]

In total, FAC.C.T. discovered three dozen phishing sites set up to receive advance payments.

The Ministry of Internal Affairs announced the liquidation of the group in May. A criminal case has been opened over the embezzlement of funds. The alleged leader of the Jewelry Team was placed under house arrest; one of his accomplices is under house arrest, and the other is in jail.


Unknown persons leaked customer data of a number of large stores in Russia

Within a week, the data of users of several large Russian stores appeared in the public domain. This was reported by the Telegram channel “Information Leaks”.

The databases of the Auchan and Tvoy Dom retail chains were the first to leak online, with 7.8 million and more than 713,000 lines, respectively.

[Image. Data: Telegram channel “Information Leaks”.]

Then the attackers leaked dumps of 2-4 million lines with customer data from the clothing store chain Gloria Jeans, the mattress store “Ascona” and the online bookstore book24.ru.

Later they posted databases of the online bookstore Bookvoed (6.8 million lines), the online clothing store TVOE (2.2 million lines), the online store Leroy Merlin (5.1 million lines) and the culinary recipe site “We eat at home” (more than 535,000 lines).

Most of the leaked files contained:

  • first and last name;
  • login;
  • phone number;
  • email address;
  • hashed passwords;
  • gender;
  • date of birth;
  • loyalty card number;
  • delivery or pickup address;
  • IP address;
  • date of account creation and last login.

A number of companies, including Auchan, Gloria Jeans, “Eksmo-AST” (Book24) and Ascona, confirmed the incident and launched an internal investigation.

Presumably, the information was leaked by the same attackers who were responsible for the leaks of data from Sberbank and other Russian companies.

They promised to publish new data in the near future.

Fractureiser malware found in mods for Minecraft

Fractureiser, a self-propagating malware that attacks systems running Windows and Linux, has been found in a number of Minecraft mods. This was reported by representatives of the CurseForge platform.

We are looking into an incident where a malicious user uploaded projects to the platform. This is relevant only to Minecraft users and we have banned all accounts involved.

CurseForge itself is not compromised in any way! Please follow the thread below for more information 👇

— CurseForge (@CurseForge) June 7, 2023

According to the initial version, the compromised developer accounts were hosted on this platform. The Bukkit.org site was also affected by the attack. The creators of the Prism Launcher utility, in turn, suggested that the incident involved the exploitation of a vulnerability in the Overwolf platform.


Some of the malicious copies are embedded in popular modpacks, including Better Minecraft with over 4.6 million downloads.

The first reports of infected plug-ins and mods appeared as early as mid-April.

[Image: Windows shortcut created by Fractureiser. Data: Bleeping Computer.]

The Fractureiser malware can:

  • spread to all JAR files on the system to infect other mods not downloaded from CurseForge or BukkitDev;
  • steal cookies and login information from a number of browsers;
  • replace cryptocurrency addresses in the clipboard with hackers’ wallets;
  • steal Discord, Microsoft and Minecraft credentials.

Representatives of CurseForge blocked all accounts related to the attacks. However, they emphasized that none of their administrators were hacked.

Users were urged to immediately stop downloading and updating mods for the game, and to change the passwords for all their accounts.

To make it easier to search for indicators of compromise, incident investigators published scripts. CurseForge released guidance for eradicating the infection.

Researchers have created a robot to extract the contents of RAM

Red Balloon Security employees Ang Cui and Yuanzhe Wu presented a cryomechanical robot capable of extracting the contents of DDR3 RAM using low temperature.

This is known as a cold boot attack. It relies on the fact that dynamic and static RAM retain data after the power is turned off.

A device costing less than $1,000 literally freezes one RAM chip. To read the data, the extracted physical memory is placed in an FPGA.

[Image. Data: REcon.]

“With this approach, you get the code, all the data, the stack, and all the physical memory,” the developers said.

The researchers believe that if they use a more expensive FPGA-based memory readout platform (costing about $10,000), their method is applicable to sophisticated attacks on DDR4 and DDR5.

Cold boot attacks can be countered by encrypting physical memory.

Twitter names new likely BreachForums leader

By the end of June, the hacker forum BreachForums, which was closed by the US intelligence services in March, may resume work under the leadership of the hacker group ShinyHunters. This was stated by the Vx-underground community, which did not indicate the source of the information.

BreachedForum will resume its activities later this month.

It has new administration. It will be led by the infamous ShinyHunters group.

— vx-underground (@vxunderground) June 2, 2023

ShinyHunters has been known since 2020 and gained notoriety for organizing high-profile leaks from T-Mobile and AT&T with losses of tens of millions of dollars.


In the summer of 2022, law enforcement arrested one of the members of the group, Frenchman Sebastian Raul. Later, two of his accomplices were detained in Morocco. At the moment, all of them have been extradited to the United States, where they are awaiting trial.

According to experts, American intelligence agencies may be behind the resumption of BreachForums.

Attackers created a Telegram bot to make money on a fake search for intimate photos

Kaspersky Lab experts discovered a Telegram chatbot that is allegedly based on the ChatGPT 4.0 code and supposedly lets users find leaked intimate photos.

Users are prompted to check on their romantic partners by sending a link to the partner's social media profile or phone number.

The service then simulates the search process and reports “a page found in the database”. The latter, according to the authors of the bot, consists of more than 10 million photos and videos.

As a result, the customer receives screenshots with a blurred image and the estimated date of the leak.

[Image. Data: Kaspersky Lab.]

For a one-time removal of the blur, the authors of the bot demand 399 rubles, and for unlimited access to the database, 990 rubles. In reality, the user simply loses money and does not receive any photos.
