By Deeba Ahmed
Styx has quickly gained traction as a hub for various illicit activities, following the recent seizure of the Genesis dark web market.
This is a post from HackRead.com Read the original post: New Dark Web Market Styx: Focuses on Money Laundering, Identity Theft

The emergence of Styx serves as evidence that despite the efforts of authorities to take down Dark Web marketplaces, new markets and platforms will continue to surface.

Recently, the seizure of the prominent Dark Web marketplace Genesis’s Clearnet domain **was reported**. Now, another equally notorious marketplace has emerged, known as Styx.

Resecurity’s cybersecurity researchers have identified Styx as a new **Dark Web** market that specializes in a wide range of illegal services, including identity theft, financial fraud, and money laundering.

This article will delve into the details of Styx, including how it works, what it sells, and the need for enhanced security measures to safeguard against its illicit activities.

Styx, which was announced in 2022, was officially launched in January 2023. It has quickly gained popularity among cybercriminals, and it has established an escrow module to enable secure transactions.

Styx users have access to a wide array of illegal services through the portal, including data dumps, stolen or fake IDs, DDoS, cash-out services, banking trojans, SIM cards, anti-fraud filters, and 2FA/MFA bypass solutions.

The marketplace also has a dedicated section for Trusted Sellers, which may be vendors vetted by marketplace administrators. However, details on how Styx operates are scarce, but researchers believe that it finds potential buyers through Telegram contacts and utilizes automated bots for security.

One of Styx’s main attractions is the availability of stolen online banking credentials, e-commerce and cryptocurrency accounts, and stolen credit card data. It also offers tools for committing VCC/virtual credit card and **digital bank fraud**.

Some vendors even sell personally identifiable information (PII), including stolen social security numbers (SSNs) and business, SSNs, and ID data of victims based in various countries such as the USA, UK, Canada, the Netherlands, and others.

Additionally, Styx offers fake IDs, forged documents, tools for committing money laundering for scammers and business email compromise (BEC), cybercrime and digital frauds, and email/telephone flooding services at varying prices ranging from $4 to $150 per day.

According to Resecurity’s **report**, the platform also hosts cash-out shops that offer “clean” funds through PayPal and Apple Pay business accounts with merchant terminals.

Notably, money laundering is one of the site’s specialities, with known vendors offering this service for individual users starting from $15,000 and for businesses starting from $75,000, with Verta keeping a 50% share of the laundered amount.

Researchers have also identified a group of trending cash-out vendors that charge commissions based on the exact BIN of the card and brand of gift card.

Screenshots from the marketplace (Credit: Resecurity)

Styx has quickly gained traction as a hub for various illicit activities, following the seizure of Genesis. This underscores the need for e-commerce systems, digital banks, and payment portals to enhance their **know-your-customer (KYC)** checks and implement stringent fraud protections to safeguard against data breaches and illicit activities.

As Styx and other similar **Dark Web marketplaces** continue to operate, it is crucial for organizations and individuals to prioritize cybersecurity measures to protect sensitive information and mitigate the risks associated with illegal online activities.

1.  Russian Dark Web Market Hydra Seized
2.  How Dutch Police Seized Hansa Dark Web Market
3.  Dark web AlphaBay market resurfaces after 4 years
4.  Moderator for Alphabay market sentenced to 11 years
5.  179 Dark Web vendors arrested, 500kg of drugs seized

New Dark Web Market Styx: Focuses on Money Laundering, Identity Theft

By Waqas
If you have received a password reset or "update your password" email from Adobe recently, you are not alone.
This is a post from HackRead.com Read the original post: Adobe Reset User Passwords as Precaution Against Data Breach Risks

Adobe has sent password reset emails to users informing them that the company has changed the password associated with their Adobe ID, which may have been compromised in data breaches from other online sources. services.

Adobe, a leading software company known for its popular creative applications, has recently sent out an email to its users urging them to change their passwords. The email, which emphasizes the importance of privacy, explains that **Adobe** has taken proactive measures to protect user information after detecting events that may have put personal data at risk.

The email states that Adobe has reset the password for the account associated with the users’ Adobe ID, as it may have been compromised in data breaches from other online services. This is a precautionary step taken by Adobe to ensure the security of user accounts and prevent any potential unauthorized access.

The email also advises users to change their passwords on any other websites where they may have used the same username or password as their Adobe ID. This is a crucial reminder of the importance of using different credentials for each website to enhance account security and prevent unauthorized access to multiple accounts **in case of a data breach**.

Furthermore, **Adobe** encourages users to enable two-factor authentication for their Adobe account, which adds an extra layer of security by requiring users to provide a verification code in addition to their password when logging in. Guidelines on setting up two-factor authentication can be found on Adobe’s website.

Adobe’s proactive approach to notifying users and taking necessary steps to protect their personal information is commendable. Data breaches have become a common occurrence in today’s digital landscape, and it is crucial for users to take steps to safeguard their accounts and personal data.

Adobe’s password reset email (Image credit: Hackread.com)

Changing passwords regularly, using unique credentials for each website, and enabling additional security measures like two-factor authentication are essential practices to protect against **potential data breaches**.

Nevertheless, Adobe’s recent email urging users to change their passwords serves as a timely reminder of the importance of account security and taking proactive measures to protect personal information online. Users are encouraged to follow the guidelines provided by Adobe to ensure the security of their accounts and prevent any potential unauthorized access.

1.  Ubisoft Issues Internal Password Reset
2.  Slack breach: Company resets users passwords
3.  Dell resets customer passwords amid data breach
4.  Streaming Giant Plex Issues Mass Password Reset
5.  Apple approved malware masked as Adobe Flash Player

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Adobe Reset User Passwords as Precaution Against Data Breach Risks

By Deeba Ahmed
Watch out for a new YouTube phishing scam and ignore any email from YouTube that claims to provide details about "Changes in YouTube rules and policies | Check the Description."
This is a post from HackRead.com Read the original post: Beware of new YouTube phishing scam using authentic email address

YouTube is investigating and warning users of a new phishing scam that has been using its authentic no-reply@youtube.com email address to lure users into giving away their login credentials.

YouTube, one of the world’s largest video-sharing platforms with billions of users, has become a target for phishing attacks. Scammers have found a new way to **trap YouTubers** through the platform’s Share Video by Email feature, which sends out phishing emails that look authentic. YouTube has become aware of this trend and is warning users to be cautious.

In a recent tweet, YouTube revealed details about a phishing scam where emails are being sent from an authentic YouTube account. The malicious email appears to be sent directly from YouTube, with the email address **no-reply@youtube.com**.

Social media content creator Kevin Breeze alerted YouTube about the new phishing scam and **tweeted** that it is not a spoofed email but rather an abuse of the video-sharing system. This suggests that scammers are exploiting the platform’s sharing system to send these emails.

The phishing email content is similar to those seen in **previous phishing scams**, containing a YouTube video and a message informing users about YouTube’s new monetization policy and new rules.

The email also includes a **Google Drive** link that has a password to open it. To instil urgency, users are told they have only 7 days to review and respond, otherwise their YouTube access will be restricted.

If users open the document and enter the required information, they may actually lose access to their YouTube account because it will be hijacked by scammers. This is especially concerning as most YouTube users log in using their Gmail accounts. If their YouTube account gets hijacked, their **Gmail data will also be stolen**.

> ⚠️ heads up: we’re seeing reports of a phishing attempt showing no-reply@youtube.com as the sender
> 
> be cautious & don’t download/access any file if you get this email (see below)
> 
> while our teams investigate, try these tips to stay safe from phishing: https://t.co/x9Ysnm9SSm https://t.co/MNQtrB7zbx
> 
> — TeamYouTube (@TeamYouTube) April 4, 2023

To stay safe, users are advised to be cautious and vigilant. They should avoid responding to messages sent by unknown senders, review emails carefully even if they are sent from the company’s official email address, and enable two-factor authentication.

In a comment to Hackread.com, **Vonny Gamot**, Head of EMEA at online protection company, McAfee said “Although the sender address appears to look legitimate, there are some tell-tale signs that the email is a scam. The 7-day countdown is a classic tactic from cybercriminals who often try to create a sense of urgency in a bid to make people act quickly without double-checking.”

Vonny emphasised that “You should never feel pressured into acting and always hover over any links before clicking on them to ensure the URL is correct as secure websites begin with “HTTPS,” not just “HTTP.”

“That extra “s” in HTTPS stands for “secure,” which means that it uses a secure protocol for transmitting sensitive information like passwords and credit card numbers. It often appears as a little padlock icon in the address bar of your browser,” Vonny added. “If ever in doubt over the legitimacy of an email or link, don’t engage with it and go direct to the source.”

Additionally, users are encouraged to use the **best antivirus software** to protect their devices against malware. YouTube may also need to temporarily disable the Share Video by Email feature to prevent exploitation by hackers.

This new phishing scam is a reminder that even the most popular and trusted platforms are not immune to cyber threats. It’s important for users to be aware and take steps to protect themselves from these types of attacks.

1.  How to detect phishing images in emails
2.  Google: Cookie stealer malware targeting YouTubers
3.  YouTube Tutorial Videos Spread Vidar, Raccoon Malware
4.  Increasing demand for stolen YouTube logins on dark web
5.  Google Drive caused 50% of malicious Office Doc downloads

Beware of new YouTube phishing scam using authentic email address

By Habiba Rashid
According to documents analyzed by Jeremiah Fowler, Z2U sells malware and other malicious services to customers under the guise of online trading.
This is a post from HackRead.com Read the original post: Z2U Market Leak Exposes Access to Illicit Services and Malware

The discovery came after Z2U exposed a cloud database containing 600,000 customers’ records.

Recently, vpnMentor’s cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 600,000 customer records. The database was owned by Z2U, a China-based platform.

The data was analysed by Fowler who noticed images of individuals holding their credit cards, passports, or other government-issued identification documents. It indicates a typical case of a company exposing the KYC data of its customers.

In addition to personal information, it contained records of bank transaction payments, user logins, emails and passwords, software license keys, customer support history, and refunds requested due to frozen accounts.

Z2U claims to be a platform that creates a reliable trade environment between gamers. However, the documents seen by Fowler indicate that the company sells everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+. Even more concerning is that Fowler confirmed seeing documents that reveal Z2U allegedly offers viruses, malware, and other malicious applications through its platform.

A leaked image shows a virus being sold to hack WhatsApp (Image credit: vpnMentor)

While Z2U claims not to sell stolen, hacked, or cracked accounts, it is unclear how the verification process is performed other than buyers requesting refunds when the account is no longer working or suspended.

According to vpnMentor’s report, the database contained records from users worldwide, and access was closed a week after Fowler sent the notice translated into Chinese.

The risks of the data being publicly exposed are significant. The images of individuals holding their identity documents and credit cards with their faces clearly visible were required by Z2U’s verification process and should have never been publicly exposed. This information puts users at significant risk of identity theft and fraudulent charges.

In addition to personally identifiable information and payment information, the images show that a wide range of other accounts or access to paid services were sold on Z2U’s platform, bypassing the validation processes put in place to prevent malicious or fraudulent activity on other social media platforms.

Many refund requests were marked “Seller Refused to Provide Refund.” Buyers who purchase accounts from secondary or potentially illicit marketplaces run the risk of not having their money returned or actually getting access to the account or goods they thought they were purchasing.

Fowler suspects that the records were attachments to and from customer support. He also saw video files where users filmed their screens to show login issues or payment problems. Z2U claims to have over one million positive reviews and even offers an affiliate program, but many mixed reviews exist, both positive and negative, on independent review websites and Reddit.

The database was hosted on a server based in China, and many of the documents and file names were in Chinese. Many of the account login email addresses for sale used Russian email accounts with the.ru domain extension. It is well-known that Russian cybercriminals are actively engaged in identity theft, online scams, and other malicious activities.

In conclusion, the discovery of the Z2U database raises many ethical and security concerns. While the company claims not to sell stolen, hacked, or cracked accounts, the verification process remains unclear, and the refund requests for frozen accounts suggest otherwise. The images of individuals holding their identification documents and credit cards expose them to significant risks of identity theft and fraudulent charges.

1.  US and China Exposed Most Databases in 2021
2.  Data of millions of Americans exposed from PC in China
3.  Leaky Server Exposed 579 GB of Users’ Website Activity
4.  Leaky server exposes fake Amazon product review scam
5.  “BreedReady” database of 1.8m Chinese women exposed online

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Z2U Market Leak Exposes Access to Illicit Services and Malware

By Waqas
The FBI and European authorities have seized Genesis Market’s clearnet domains as part of the ongoing Operation Cookie…
This is a post from HackRead.com Read the original post: Genesis Market’s Clearnet domain seized; Dark Web site still online

The FBI and European authorities have seized Genesis Market’s clearnet domains as part of the ongoing Operation Cookie Monster.

Genesis is one of the largest marketplaces on the dark web while its presence on clearnet is also quite significant. In the latest, clearnet domains belong to Genesis marketplace have been seized by the FBI under the ongoing Operation Cookie Monster.

When accessed, the marketplace’s domain displays a banner stating that the website is inaccessible because the FBI has executed a seizure warrant. 

Although the marketplace administrator(s) have not been identified or caught yet, it is evident that authorities have only seized clearnet domains while its main dark web domain remains online, which suggests that they have not been able to take down the entire Genesis infrastructure.

Regardless, it is still too early to make any assumptions or predictions about what might happen next.

The Dark Web domain of the Genesis market is still online and shows no seizure notice.

**How Did the Seizure Happen?**

According to the FBI, the seizing was carried out with the collaboration of multiple organizations from the private and public sectors, and international law enforcement agencies.

The seizure notice displayed on the domain also had a message for the site visitors, which read:

“Been active on Genesis Market? In contact with Genesis Market administrators? Email us, we’re interested,” followed by an official email address.

The bureau noted that around two dozen partners were on board for this operation. The seizure was followed by a worldwide applicable search and arrest operation. A federal court in the Eastern District of Wisconsin had issued the seizure warrant.

It is currently unclear who was operating this marketplace as they have maintained a low profile over the years, indicating they have sufficient operational security know-how.

That’s what the Genesis market’s homepage shows right now

**Why Genesis Market Seizure a Big Blow?**

Genesis Market was established in late 2017 and played a vital role to fill the gap especially after the seizure of Hansa and AlphaBay marketplace by the Dutch police.

By 2020, Genesis had become the world’s most popular marketplace for buying stolen credentials, cookies, and device fingerprints. Considered the largest platform in the world for illicit activities, Genesis Market offered stolen credentials for corporate and consumer accounts.

This market provided access to an extensive range of services with accounts from Gmail, Netflix, Facebook, PayPal, WordPress, Amazon, Zoom, eBay, Cloudflare, Reddit, Spotify, Twitter, and LinkedIn. Therefore, it is understandable that seizing such a thriving platform will be a huge blow to its users.

The seizure of Genesis marketplace should not come as a surprise. This development came just a month after the FBI arrested PomPomPurin (aka Pompompurin, aka Pom), the owner and admin of popular hacker and cybercrime forum Breach Forums, a hacker forum that surfaced as an alternative to the popular and now-seized Raidforums.

**How did Genesis Market operate?**

The market operators used information stealers to collect login credentials with fingerprint data, such as time zones, IP addresses, cookies, device information, etc.

The operators earned profits from renting the account identities via bots, including stolen accounts, and browser plug-ins that imported the login and fingerprint data of the compromised account to let attackers assume the real owner’s digital identity. As per the account type, buyers paid up to $10 to get access to an account for a specific period.

1.  Dark web data center in former NATO bunker seized
2.  Finnish language dark web market Sipulimarket seized
3.  Hive Ransomware’s Servers and Dark Web Site Seized
4.  179 Dark Web vendors arrested, 500kg of drugs seized
5.  Dark Web child abuse gang busted; 15TB of files seized

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Genesis Market’s Clearnet domain seized; Dark Web site still online

By Deeba Ahmed
Rorschach ransomware boasts advanced encryption technology and can spread automatically on the machine if executed on a domain controller. 
This is a post from HackRead.com Read the original post: New Strain of Rorschach Ransomware Targeting US- Firms

Researchers state that Rorschach ransomware has been labelled as the fastest-ever ransomware due to its unparalleled evasion techniques, which have never been seen before.

Check Point Research has shared details of previously undocumented ransomware, dubbed Rorschach, which they regard as the fastest-ever ransomware discovered so far. Researchers noticed that an unnamed US-based organization is one of the victims of Rorschach.

It’s not surprising that new strains of ransomware are emerging, given the increasing number of ransomware attacks and the constant development of new evasion techniques by cybercriminals. Recently, researchers discovered a new ransomware strain called **Cylance** that targets both Linux and Windows devices.

**Highly Effective, Evasive, and Fast-Encrypting Ransomware**

An exclusive feature of Rorschach ransomware is its effective, fast hybrid-cryptography scheme, which makes it the fastest ransomware out there, even faster than LockBit.

Calling it a Speed Demon, Check Point researchers wrote that in a controlled encryption speed assessment, the ransomware encrypted 220,000 files in four and a half minutes. In contrast, LockBit encrypted the same number of files in seven minutes.

Rorschach ransomware boasts advanced encryption technology and can spread automatically on the machine if executed on a domain controller. 

Moreover, this is a highly configurable malware equipped with novel functionalities that make it stand out among other ransomware strains. It features a “high level of customization” and has “technically unique features that have not been seen before in ransomware,” Check Point’s researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker explained in their **report**.

“In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.”

Furthermore, the ransomware is equipped with safeguards to bypass analysis and defence mechanisms, which it achieves via direct system calls. This is the first ransomware that can make direct system calls. Until now, only malware families had this feature. 

**Is Rorschach Linked with another Ransomware?**

Although it seems inspired by several other ransomware, Rorschach is neither linked to any other malware family nor affiliated with another ransomware group. However, researchers did observe similarities between Rorschach and **Babuk ransomware** source codes.

It is worth noting that Babuk’s source code was **leaked** in September 2021. The ransom notes used in Rorschach-based campaigns are inspired by DarkSide and Yanluowang.

Ransom note (Image: Checkpoint)

**How is Rorschach Executed?**

The ransomware execution mainly relies on three files. First, Cortex XDR Dump Service Tool (cy.exe) is executed, which side-loads with loader and injector file (winutils.dll). This DLL file then loads the ransomware (config.ini) in the memory. It also gets injected into notepad.exe.

Rorschach uses multiple processes and uses falsified arguments to stop some processes, clear Windows event logs, delete shadow backups and volumes, and disable Windows firewalls.

Infection chain of Rorschach Ransomware (Image: Checkpoint)

When the ransomware is executed on a domain controller, it generates a group policy that lets it automatically infect other devices on that domain. It checks for the infected device language and terminates if a language from the CIS countries, e.g., Russia, is detected.

1.  LockBit Ransomware Hits SpaceX Contractor
2.  IRS tax forms W-9 email scam drops Emotet malware
3.  CISA to Start Issuing Early-Stage Ransomware Alerts
4.  ALPHV ransomware claims it has hacked Amazon’s Ring
5.  Rilide Malware – Crypto Stealer Hits Chromium Browsers

New Strain of Rorschach Ransomware Targeting US- Firms

By Owais Sultan
Let's code, kids!
This is a post from HackRead.com Read the original post: How to Teach Your Child Coding: A Gift for Their Digital Future

As we progress through the digital age, coding is rapidly gaining traction as a logic-based skill that can fuel creativity in both kids and teens. Another beauty of technology is that children have access to an array of resources, such as coding apps, websites, online courses, games, and more.

However, teaching coding to kids and teens using traditional methods can be quite challenging. Parents and educators are increasingly opting for age-appropriate, engaging, and enjoyable ways to teach coding.

This approach helps young learners develop the skills required in the programming world. Keep reading this post to discover five exciting ideas to make coding fun for kids and teens.

**Innovative Approaches to Teach Coding to Kids**

Many programming concepts will be entirely new to young learners. As such, it’s essential to introduce each concept incrementally. Recent research indicates that students across all age groups retain information more effectively when they learn in a fun and engaging manner. This insight opens the door to discovering new methods for teaching coding to children.

If the learning process becomes dull, it can quickly dampen the student’s interest, regardless of the subject matter. Before teaching coding, convey to your child the excitement and enjoyment they may find in programming.

The prospect of building websites, games, animations, apps, and more will pique their curiosity about coding. Here are some tips to make learning coding a fun and immersive experience for kids and teens:

**1\. Leverage Toys for Skill Development**

One of the most effective ways to enhance kids’ creativity is by introducing them to toys like Legos, Mechanix, and others. Depending on the child’s age, you can engage them in the design and creation process of these toys. This approach will bolster their logical, observational, creative, and reasoning abilities, paving the way for learning the basics of programming.

**2\. Explore Coding through Minecraft**

Getting kids and teens involved in Minecraft serves as an excellent motivator for learning to code. Widely accessible on gaming consoles and desktops, Minecraft introduces young learners to various coding elements in an enjoyable manner. The game employs a straightforward structure to craft objects, making it an engaging learning tool.

**3\. Utilize Websites and Apps for Coding Instruction  
**

Presently, numerous websites and applications offer block-based coding lessons to kids and teenagers. Popular platforms like Thunkable and code.org provide tailored learning experiences, allowing you to select the most suitable resource for your needs.

These websites are specifically designed to teach children by integrating visual code blocks into entertaining projects. The combination of vibrant graphics and block code helps make the coding process more approachable and less daunting.

**4\. Utilize Engaging Media Resources**

There are numerous resources available today for teaching children coding, such as YouTube, TikTok, and online communities. Streaming programming videos on YouTube prompts the algorithm to suggest related coding videos for both you and your child. YouTube offers a wealth of information tailored to various learning styles for coding.

Choose the right YouTube video to help kids and teenagers grasp binary code. Videos, especially animated ones, can simplify complex coding concepts and make them enjoyable. For offline education, parents can turn to books or magazines featuring engaging imagery that sparks interest and motivates children and teens to delve into coding studies.

**5\. Embrace Learning from Children**

Recent research suggests that learning by teaching is an effective strategy for deepening one’s understanding of a concept. If your child is learning to code, encourage them to share their knowledge with someone else. You can participate by providing an opportunity for them to teach you a new coding concept. Asking questions about these concepts helps reinforce their learning and motivates them to continue learning.

**The Benefits of Learning to Code for Kids and Teenagers**

Coding involves giving instructions to a computer to perform specific tasks. By learning coding through resources like the CodeMonkey course, your children can secure a brighter future. They’ll develop logic and computational thinking skills to tackle various challenges in life. Additionally, coding fosters persistence, collaboration, and communication skills. Let’s explore how kids can benefit from learning to code:

**1\. Developing Crucial Skills**

One of the major advantages of learning to code is the enhancement of problem-solving, creativity, and logical thinking abilities. Children are provided with numerous opportunities to practice and refine these skills, which are essential for both personal growth and professional success.

**2\. Building Confidence**

As kids and teenagers learn to articulate their ideas and grasp fundamental concepts, their confidence increases. This newfound confidence enables them to develop websites and applications more effectively.

**3\. Discovering New Concepts**

Coding offers a hands-on learning approach that encourages kids and teenagers to explore and interact with their environment. This method helps them learn from their mistakes and experiment with various solutions to find the most appropriate one.

**4\. Enhancing Communication Skills**

Coding requires breaking down complex ideas into simpler forms and effectively communicating them to computers. For a computer to execute a specific task, the message must be clear and precise.

As a result, not only do children’s computer communication skills improve, but their verbal and written abilities also see growth. Strong communication skills are essential for success in life.

**Closing Thoughts**

This article aims to guide you in discovering engaging methods for teaching your child coding. By making learning enjoyable, children are more likely to retain concepts for longer periods and apply them effectively.

In today’s world, coding is a crucial aspect of childhood education. Learning to code prepares kids and teenagers for success in future careers while enhancing problem-solving capabilities and creativity.

Through coding skills, individuals can create computer software, apps, websites, games, and more. It’s vital to introduce these future skills to your child to help them stand out in a competitive environment.

Moonpreneur recognizes the demands and needs that our rapidly evolving technological landscape presents for our children. As a result, we’re on a mission to educate and inspire entrepreneurship through our comprehensive online STEM programs, which help kids master futuristic sciences such as robotics, game development, app development, advanced math, and more! Sign up for a free 60-minute robotics and coding class today!

1.  5 Ways to Ensure Your Child’s Online Safety
2.  10 Android Ed Apps That Collect Most User Data
3.  Top 6 Cell Phone Tracker Apps for Parental Control
4.  Kids breach and bypass Linux Mint screensaver lock
5.  Teen Hackers on Discord Sell Malware for Quick Cash

How to Teach Your Child Coding: A Gift for Their Digital Future

By Deeba Ahmed
The Chromium-based browsers include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and several others.
This is a post from HackRead.com Read the original post: Rilide Malware – New Crypto Stealer Hits Chromium-Based Browsers

Riligy malware is disguised as a legitimate Google Drive extension and allows attackers to capture screenshots, monitor users’ browsing history, and inject malicious scripts to steal funds from cryptocurrency wallets.

The cybersecurity researchers at Trustwave SpiderLabs have disclosed alarming details on a new strain of Rilide malware that targets Chromium-based browsers to steal cryptocurrency funds and monitor users browsing activities.

In the newly discovered campaign, SpiderLabs researchers noticed that threat actors have created legitimate-looking Google Drive extension that hides Rilide malware.

SpiderLabs researchers believe Rilide malware is unique because of its capability of generating dialogues to trick users into giving away their 2FA keys. This is a rare feature that helps the attacker withdraw cryptocurrencies discreetly.

In addition to this, the malware also allows attackers to carry out an extensive range of activities, including capturing screenshots, monitoring users’ browsing history, and injecting malicious scripts to steal funds from cryptocurrency wallets.

The researchers have confirmed that Rilide malware targets Chromium-based browsers, including Microsoft Edge, Google Chrome, and Opera to achieve its malicious objectives.

The fact that Google Drive is being used maliciously is not surprising. A study conducted last year found that 50% of all malicious Office document downloads were from Google Drive. Another study revealed that Apple Safari was the safest browser while Google Chrome was the riskiest browser in 2022.

As for Rilide malware, during their investigation, SpiderLabs researchers detected multiple such extensions for sale in March 2022. They also noted that a portion of Rilie malware source code was recently leaked by someone on an underground hacking forum over payment issues.

This leaked code can swap cryptocurrency wallet addresses from the clipboard with the attacker’s address. Moreover, the C2 address embedded in the Rilide code can identify GitHub repositories belonging to a user named gulantin, which contains the extension’s loader.

**Attack Chain**

Researchers have detected two attack methods to install the malicious extension, Ekipa RAT and Aurora Stealer. Ekipa RAT is distributed through booby-trapped Microsoft Publisher documents, whereas fake Google Ads serve as Aurora Stealer’s distributor.

Their attack chains encourage the execution of a Rust-based loader, which can modify the browsers’ LNK shortcut file and launch the add-on using the “–load-extension” command line switch.

_Infection Chains_ (Trustwave)

Ekipa RAT can carry out targeted attacks. Conversely, Aurora, first spotted in April 2022 on Russian-speaking underground forums, is a Go-based stealer offered as a Malware-as-a-Service (Maas) tool. It can take data from different web browsers, local systems, and cryptocurrency wallets.

“The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose,” the report read.

1.  Malicious Firefox extension phish Gmail credentials
2.  Ad-blocker Chrome extension injected ads in Google
3.  Fake ChatGPT Extension Hijacks Facebook Accounts
4.  Phishing attack uses Google Drive against researchers
5.  Chrome extensions harboring Dormant Colors malware

Rilide Malware – New Crypto Stealer Hits Chromium-Based Browsers

By Deeba Ahmed
The findings are to be presented at the Usenix Security Symposium.
This is a post from HackRead.com Read the original post: WiFi Flaws Allow Network Traffic Interception on Linux, iOS, and Android

The WiFi flaw discovered by researchers from Northeastern University and KU Leuven can impact a wide range of operating systems, including Linux, iOS, and Android, leaving them vulnerable to potential interception of network traffic if exploited by hackers.

Wireless networking stacks found in a wide range of operating systems were left vulnerable due to an ambiguity in the WiFi specification, explained academics from Northeastern University and KU Leuven in a paper (PDF) titled “Framing Frames: Bypassing WiFi Encryption by Manipulating Transmit Queues.” The ambiguity can allow exposure of network traffic if exploited by threat actors.

**Research Findings**

According to researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef, the issue is caused by a fundamental design flaw detected in the IEE 802.11 WiFi protocol standard. The devices impacted by this issue include those running FreeBSD, Linux, iOS, and Android. Aruba, Asus, and D-Link devices were also examined for this research.

If exploited successfully, it can allow attackers to hijack TCP connections. Additionally, they can intercept client and web traffic. Vanhoef shared these findings at the 2023 Real World Crypto (cryptography) Symposium in Tokyo, Japan. The paper is to be presented at the Usenix Security Symposium.

**Security Advice**

*   Securing your Spectrum-compatible WiFi routers
*   How To Keep Your Router, WiFi Safe From Hackers
*   Wireless Router Security: Set up a WiFi router securely

**What’s The Issue?**

Vanhoef explained the findings in a video presentation, sharing that an attack called kr00k revealed by ESET in 2019 shares similarities with the attack his team had developed as both involve similar vulnerabilities, indicating that the IEEE 802.11 WiFi standard cannot articulately handle buffered framed. 

WiFi frames contain different types of data related to network routing and traffic and include a header, body, and trailer, which allow data to move from one point to another. WiFi access points queue frames linked with different network layers and buffers them until the right network sources are available to send them. In this case, researchers noted that the WiFi specification didn’t describe how to manage the security context in buffered frames.

**How Can The Flaw Be Abused?**

Researchers wrote that attackers would exploit power-save mechanisms in endpoint devices to trick access points into exposing data frames in plaintext. Or else an all-zero key would allow them to encrypt it. Due to the power-save bit’s “unprotected nature” in a frame’s header, the issue allows an attacker to enforce queue frames for a particular client.

This would result in disconnecting and executing a DoS (denial of service) attack. The objective is to leak the frame from the access point linked to the victim’s client station. It works because, during the security context changes, most WiFi stacks didn’t appropriately dequeue/purge their transmit queues.  

The attacker can send a spoofed power-save frame with an Association or Authentication frame and successfully reset the wireless connection by making the access point respond by removing the client’s pairwise key. If the adversary uses a Wake-Up frame, the access point will send the buffered data under an undefined security context and prompt a data frame leak.

Furthermore, in a security context override attack, the access points can encrypt unqueued frames through the attacker’s chosen key, thus, rendering the encryption ineffective. Researchers have published a proof-of-concept exploit titled MacStealer. This tool tests networks to identify vulnerability to a client isolation bypass.

1.  WiFi software firm leaked millions of users’ data
2.  iPhone Wifi bug exposed devices to remote attacks
3.  Avoid being Pwned by bugs residing in the WiFi chip
4.  Flaws exposed all WiFi enabled devices to FragAttacks

WiFi Flaws Allow Network Traffic Interception on Linux, iOS, and Android

By Deeba Ahmed
Researchers warned that the campaign works through a network of fake websites that promote seemingly harmless crypto apps and other software.
This is a post from HackRead.com Read the original post: New VPN Malvertising Attack Drops OpcJacker Crypto Stealer

The primary target of the OpcJacker Crypto malware campaign are unsuspecting users in Iran who were tricked into downloading an archive file that contained the novel Opcjacker malware. 

Trend Micro cybersecurity researchers discovered a new malvertising campaign in February 2023 targeting Iranian users and distributing Opcjacker malware. They dubbed the malware Opcjacker due to its opcode configuration design and cryptocurrency-stealing capabilities.

The use of VPNs in malvertising attacks against Iranian users should not be surprising. In October 2022, Iranian hackers were spreading “**RatMilad**” Android spyware disguised as a VPN app.

**More Context**

1.  Iranian group hacking VPNs for “Fox Kitten Campaign”
2.  Phones of Iran’s protest detainees targeted with spyware
3.  VPN malvertising hits Persian speakers Baháʼí faith followers

**VPN Malvertising Attack Drops Opcjacker **

The campaign works through a network of fake websites that promote harmless-looking crypto apps and other software. In the newly analyzed sample, malvertisements were hidden inside a genuine VPN app. Users in Iran were tricked into downloading an archive file that contained the novel Opcjacker malware. 

The fake website distributing the OpcJacker crypto stealer (Credit: Trend Micro)

**How Does the Attack Work?**

Malware loads automatically by patching a legit DLL library in an installed program, which loads the next malicious DLL library. This library eventually runs the shellcode that contains the loader and runner of another malicious app. This app is different from Opcjacker as it has been assembled from data chunks stored in files of WAV, CHM, and other formats. 

**Analyzing Opcjacker**

Researchers noted that Opcjacker is a novel and interesting malware. Its configuration file has a custom file format resembling custom virtual machine code that outlines the stealer’s behaviour.

In the configuration file, researchers found numeric hexadecimal identifiers that force the malware to perform certain functions and make it difficult for researchers to identify the malware’s code flow.

“The configuration file format resembles a bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed,” researchers wrote in the **report**.

**Opcjacker’s Capabilities and Functionalities**

In this campaign, scammers have concealed Opcjacker through a crypter called **Babadeda**. It uses the configuration file for activating the malware’s data-stealing capabilities, running arbitrary shellcode, and other executables.

The malware’s functions include capturing screenshots, keylogging, loading new modules, stealing private/sensitive user data from browsers, and hijacking cryptocurrency wallets by **replacing addresses in the clipboard**.

In addition, Opcjacker can deliver next-stage payloads like **NetSupport RAT** along with an hVNC (hidden virtual network computing) variant to allow the attacker remote access.

The infection chain

Researchers believe the campaign is financially motivated because Opcjacker can steal cryptocurrency. The malware is being distributed in the wild since at least mid-2022 in different malvertising campaigns but it is still evolving and under active development.

1.  New malvertising attack is spreading backdoor
2.  Fake Tor Browser Installers Drop Clipper Malware
3.  CISA says use ad blockers to fend off ‘malvertising’
4.  Malvertising attack affected millions of PornHub users

Source

HackRead