 |
Crypto-Sec is a site that publishes stories and tips about cryptocurrency and cybersecurity every two weeks.
Fishing of the Week: Turbo Toad Enthusiast Loses $3,600
Tech on Ivan, a memecoin collector and X user, fell victim to a phishing attack and lost over 1 million TURBO, worth over $3,600 at the time, according to a post he made on July 11. “I’m devastated,” Ivan said.
He subsequently lost his token after receiving a phishing email with a link he clicked on. Ivan did not explain what happened after he clicked on the link, but he was likely sent to a malicious web app linked to the Drayna protocol.
According to blockchain data, he made two separate wallet leak transfers. The first one drained 863,926 TURBO ($3,113.45) and sent it to an address ending in Aece. The second one drained 152,458 TURBO ($549) and sent it to a known malicious address labeled by Etherscan as “FakePhishing 328927.”
Given that the second transfer was much smaller than the first, the “FakePhishing” address is most likely owned by the drainer software developer, while the “Aece” address is more likely owned by the person who perpetrated the scam. Drainer software developers typically charge a small amount of the stolen loot in exchange for allowing the scammer to use their service.
The user previously called the “increase quota” function on the Turbo contract, designating an unverified smart contract address ending in 1F78 as the “spender” and authorizing a large amount of tokens to be spent. The attacker later used this malicious contract to empty the tokens.
Because the user had previously authorized the malicious contract, Turbo Contract recognized it as legitimate and failed to block the attack. According to his statement, Ivan did not know that he was authorizing a malicious app to use his tokens when he initiated this transaction.
Malicious contracts only display unreadable bytecode in Etherscan, and their functionality is not available in human-readable form.
Phishing is a type of fraud where the attacker pretends to be a trusted source and tricks the victim into providing personal information or performing a desired action. In this case, the attack tricked the user into unintentionally authorizing the app to steal tokens.
Crypto users should be aware that some Web3 apps are malicious and exist with the purpose of stealing users’ tokens. Users may want to carefully check each wallet confirmation when approving a transaction and avoid approving tokens for apps that have not been proven to be trustworthy.
Many wallet apps attempt to warn users when a malicious site requests token authorization. However, these warning systems sometimes block legitimate sites as well.
White-Hat Corner: Microsoft patches another clickless Office bug
According to a July 10 report from Infosecurity Magazine, Microsoft has patched another “zero-click” security vulnerability in its Office Suite. This vulnerability could allow an attacker to run malware on a user’s computer without the user downloading any files. Instead, the user only needs to open an email to infect the device. That’s why it’s called a “zero-click” vulnerability.
The new vulnerability was discovered by Morphisec, the same security team that previously discovered zero-click vulnerabilities in Office products in June. However, unlike the other vulnerabilities, this new vulnerability only allowed zero-click attacks from “trusted senders.” If the sender was not trusted, the attack would have required the user to make a second click.
According to the report, Microsoft claimed that the new vulnerability was more complex and less exploitable than the previous one. Nevertheless, it removed the attack vector with the July 9 patch.
Also read
characteristic
Murakami’s New Exhibition Shows NFT Collapse and Monstrous Egos
characteristic
What Happened to EOS? The Community Aims for an Unexpected Comeback
If your device is infected with malware, it can be fatal. Once your device is infected, attackers often use malware to steal your keystore file and gain access to your cryptocurrency accounts. Keystore files are encrypted, so using a strong password can help protect against this threat, but some malware also includes keylogging software that can record your password as you type it.
Using a hardware wallet can help protect against this threat, as it prevents attackers from stealing keystore files that are not on your device. However, users who rely on software wallets should be aware that zero-click vulnerabilities are becoming more common. As a result, it is recommended that you do not open emails from untrusted sources, even if you do not plan to click on links or files within the email.
CEX: Evolve Bank suffers data breach
This week’s CEX report is about crypto-friendly Evolve Bank & Trust. Evolve has partnered with Juno, a crypto payments app, and previously offered debit cards to users of defunct crypto companies FTX and BlockFi.
According to an official statement from the bank, hackers breached Evolve’s database on July 8 and stole customer data. Blockchain security firm Veridise estimates that more than 33 terabytes of data were stolen.More than 155,000 accounts were affected.
2) Attackers compromised the servers of a cryptocurrency-friendly bank. @getevolved192533TB of user data was stolen.
While customer funds were not compromised, sensitive personal information for over 155,000 accounts across multiple companies was impacted by the breach. 💥 https://t.co/T4qrkFcBDo
— Veridise | Careers (@VeridiseInc) July 9, 2024
According to the bank, the cybercrime group LockBit was responsible for the attack. The group convinced Evolve employees to click on a “malicious internet link.” As a result, the attackers were able to access customer information and encrypt some of the data, preventing the bank from using it. However, the bank was able to recover most of the lost information using backups, so the only serious damage was the leak of customer data.
Evolve said the attackers offered to stop the data leak in exchange for a ransom, but the bank refused.
The attackers now have customers’ “names, Social Security numbers, bank account numbers, contact information” and other “personal information,” Evolve said. Information from customers of Evolve’s open banking partners was also compromised. The bank is still investigating to determine all the data compromised.
The bank claimed that no funds were lost as a result of the attack.
Evolve said it has taken steps to strengthen its security practices to prevent a breach like this from happening again. In the meantime, it advises customers to “remain vigilant by monitoring account activity and credit reports” and to be on the lookout for phishing attacks targeting them in the future.
These potential attacks can include phone calls or emails that pretend to be from a trusted company and ask for personal information. Evolve also suggests that customers use two-factor authentication for their online accounts, as attackers may try to use their data to access their accounts on other platforms.
Subscribe
The most interesting articles on blockchain, delivered once a week.
Christopher Locke
Some say he is a white hat hacker living in the black mining hills of Dakota, pretending to be a children’s crossing guard to avoid the NSA’s eyes. What we do know is that Christopher Locke has a pathological desire to hunt scammers and hackers.