Musk’s New X Verification System Gives Rise to Dark Web Sales of Stolen Accounts

Dark web forums and marketplaces are increasingly selling access to hijacked X accounts verified with specialized tags only given to paying customers.

Researchers at the cybersecurity company CloudSEK said they have noticed the phenomenon since Tesla CEO Elon Musk took over the company and changed the social media site’s verification system.

When Musk took over, he changed Twitter’s relatively arcane merit-based verification process and made it so anyone could simply purchase verification on X. He also rolled out other changes that allowed organizations to verify themselves with different colored checkmarks.

Government organizations and NGOs can get gray check marks while companies can get gold. Anyone else can purchase blue verifications. All three require paid monthly subscriptions.

“Dark web forums and marketplaces have a dedicated section where social media sales are extensively observed. Recently, there has been a surge of posts where threat actors were selling accounts with Twitter Gold verification,” the researchers said.

They added that the amount of shops and service providers today is “humongous” and can be found with simple searches on Google, Facebook and Telegram.

The cybercriminals behind these efforts offer a range of prices for different X accounts. They get the accounts through several different methods. For accounts acquired through information-stealing malware, hackers sell access based on the company being exploited, the number of followers and the region the account is based in.

There have been several recent examples of high-profile X accounts being taken over by hackers. This week, an account belonging to Google-owned cybersecurity firm Mandiant began hawking cryptocurrency scams, and another blockchain security firm had its account hijacked on Thursday night. On Tuesday, a Canadian senator had their X account taken over to spread a scam.

Read: https://therecord.media/gold-account-verification-system-darkweb

Ottawa Judge Says Police Must Return Phones of Suspected Pedophiles after 175 million Passcode Guesses

How many times should forensic investigators be allowed to guess the password of a locked cell phone belonging to a suspected pedophile?

That was the question that confronted an Ottawa judge recently when he was asked to rule on an application by the Ottawa Police Service to retain three cell phones from the suspect for two more years.

The police seized the phones in October 2022 with a warrant obtained based on information about a Google account user uploading images of child pornography. The contents of the three phones were all protected by complex, alpha-numeric passcodes.

Ontario Superior Court Justice Ian Carter heard that police investigators tried about 175 million passcodes in an effort to break into the phones during the past year.

The problem, the judge was told, is that over 44 potential passcodes exist for each phone. It means, Carter said, that even though 175 million passcodes were attempted, those efforts represented “an infinitesimal number” of potential answers.

“The Crown is asking for an order to find a needle in a very large haystack,” he said.

Court heard that forensic investigators used “brute force” dictionary attacks in an attempt to break into the phones and view their contents. The method employs specialized software and a dictionary of passwords.

The passcode dictionary features English-language words combined with numbers, and others that employ “leet speak,” a system of modified spelling that replaces letters with related numbers or special characters.

Those who use leet speak — it’s popular with gamers and hackers — would typically change “alert” to “@lert” and “fear” to “f34r.” More advanced leet speak replaces all of a word’s letters with numbers or symbols.

It takes about eight days to test 30 million passcodes from an existing password dictionary, court heard, but success depends entirely on whether the sought-after passcode is included in the dictionary.

Read:https://ottawacitizen.com/news/local-news/police-must-return-phones-after-175-million-passcode-guesses-judge-says

YouTube Channels Compromised in Lumma Stealer Software Attack

Fortinet’s FortiGuard Labs has uncovered a new cyber threat where YouTube channels are exploited to distribute the Lumma Stealer malware through cracked software. Malicious actors use YouTube videos disguised as content related to cracked applications, leading users to installation guides with hidden malicious URLs. This attack stands out due to the attackers’ evasion technique, leveraging open-source platforms like GitHub and MediaFire to bypass traditional web filter blacklists. By utilizing these platforms, the attackers can avoid detection and effectively spread the malware.

The attackers employ specially crafted installation ZIP files that effectively exploit users’ intentions to install applications, enticing them to click on the malicious files without suspicion. To enhance their tactics, they utilize a private .NET loader equipped with environment checks, anti-virtual machine measures, and anti-debugging functions. Lumma Stealer, a well-known threat targeting sensitive information such as user credentials, system details, browser data, and extensions, has been actively promoted on the dark web and Telegram channels since 2022, with a significant increase in activity observed in December.

In October 2023, researchers raised an alarm about a new threat known as Stream-Jacking, which involves spreading the Redline malware during live streams to pilfer cryptocurrency funds. This issue gains greater significance considering that in 2020, Google took strong action by deleting two million channels and 51 million videos due to the escalating prevalence of malware and cryptocurrency-related scams. Despite these measures, it is imperative for users to remain cautious, especially when dealing with applications from unknown sources, and prioritize the use of legitimate and secure software to mitigate the risks associated with evolving threats such as Lumma Stealer, which threat actors constantly equip with new malicious capabilities.

Read: https://www.hackread.com/youtube-channels-hacked-lumma-stealer-software/

Uncovering the Compromise: SEC’s Official X Account Used to Post Fake Bitcoin News

Gary Gensler, the chair of the United States Securities and Exchange Commission (SEC), revealed that the official X account of the SEC was compromised, resulting in the unauthorized publication of a post. The @SECGov account confirmed the compromise.

An SEC spokesperson stated that there was unauthorized access and activity on the @SECGov account by an unknown party for a brief period shortly after 4 pm ET. The unauthorized access has been terminated, and the SEC will collaborate with law enforcement and government partners to investigate the incident and determine the appropriate steps to address the unauthorized access and any related misconduct.

Upon learning about the compromise of the SEC’s account, US Senator Bill Hagerty took to X to express his belief that Congress should launch an investigation into the incident. Hagerty, a Tennessee Republican, emphasized the need for accountability, drawing a parallel to how the SEC would hold a public company responsible for a significant market-moving error. He described the situation as unacceptable. Notably, this is not the first high-profile account compromise in recent days. Mandiant, a prominent cybersecurity firm currently owned by Google, experienced a similar incident.

The SEC account compromise is one of the largest Twitter hijacks since 2020. Hackers tricked Twitter employees, gaining control of users’ profiles. They posted scam messages on high-profile accounts, including those of Joe Biden, Barack Obama, Jeff Bezos, Elon Musk, and Kim Kardashian. The scam accumulated nearly $120,000 before being removed, and the hackers were eventually identified and arrested within two weeks.

Read: https://www.wired.com/story/sec-x-account-compromise/

Victim of SIM-Swapping Attack Sues Anonymous Crypto Wallet Holder

In a groundbreaking case, Ryan Dellone, a healthcare worker from California, is suing the anonymous holder of a cryptocurrency wallet that contains his stolen funds. Dellone lost $100,000 in a SIM-swapping attack in 2021. The case is unique as it is the first where a federal court has recognized the use of information included in a bitcoin transaction as a means to notify the defendant of the lawsuit. Dellone’s lawyer, Ethan Mora, identified a bitcoin wallet that was the final destination of the stolen crypto.

Mora is pursuing a novel legal strategy that allows Dellone to serve notice of the civil suit to that bitcoin address without knowing the identity of his attackers or anything about the account holder. This strategy could force the government to divulge information about their case, or else explain to a judge why Dellone shouldn’t be able to recover his stolen funds without further delay. If Dellone gets a default judgment against the bitcoin address, the money could be seized by cryptocurrency exchanges if the thieves ever tried to move it or spend it.

A federal judge granted permission to serve notice of his lawsuit directly to the suspected hackers’ bitcoin address using a short message attached to a bitcoin transaction. This method could allow more victims to stake legitimate legal claims to their stolen funds. However, most victims will never see their stolen funds. Sometimes federal investigators manage to seize or freeze crypto assets associated with specific crimes and criminals. In those cases, the government will eventually make an effort to find, contact, and in some cases remunerate known victims.

Read: https://krebsonsecurity.com/2024/01/heres-some-bitcoin-oh-and-youve-been-served/


How to Guard Against Crypto Wallet Drains: $300 Million Stolen in 2023

Over $300 million USD was drained from crypto wallets in 2023 – that’s the estimate via a report from ScamSniffer.

While there were occasional breaches of wallet providers supply chains, like Atomic Wallet and Ledger Connect, most of these are via spearphishing attacks, SIM swaps and even nameserver hijacks.

This article from our Domainsure unit breaks down the report and provides ways for wallet providers, DAOs, DeFi platforms and exchanges to protect their customers in the face of these attacks.

How to Prevent Crypto Wallet Drains: $300 Million Stolen in 2023

Elsewhere Online:

Comcast Xfinity Data Breach: Personal Information of 36 Million Customers Exposed in Massive Security Incident
Read: https://www.cpomagazine.com/cyber-security/massive-comcast-xfinity-data-breach-impacts-36-million-customers/

Congress Pushes for Tech Companies to Pay for AI Data
Read: https://www.wired.com/story/congress-senate-tech-companies-pay-ai-training-data/

23andMe Points Finger at Customers in Data Breach Lawsuit
Read: https://www.cpomagazine.com/cyber-security/23andme-responds-to-data-breach-lawsuit-by-blaming-customers-for-re-using-passwords/

Pikabot Malware: The New Face of Black Basta Attacks
Read: https://www.darkreading.com/cyberattacks-data-breaches/pikabot-malware-qakbot-replacement-black-basta-attacks

SEC Officially Approves Bitcoin ETF Proposals — For Real This Time. Trading Starts Today
Read: https://www.investors.com/news/sec-officially-approves-bitcoin-etf-proposals-for-real-this-time/

Previously on #AxisOfEasy