Previously undetected cryptocurrency scams have been leveraging a constellation of over 1,000 fraudulent websites to lure users into bogus reward schemes since at least January 2021.
“This massive campaign has likely resulted in thousands of people being scammed around the world,” Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor called “Impulse Team.”
The scam works via advance-fee fraud, which involves tricking victims into believing they have won a certain amount of cryptocurrency. However, in order to claim their bounty, victims need to pay a small amount of money to open an account on the scammers' website.
The chain of compromise starts with a direct message propagated via Twitter to entice potential targets to visit the bait site. The account responsible for sending the message has been closed.
The message urges recipients to register for an account on the website and apply the promo code specified in the message to win a cryptocurrency prize of 0.78632 bitcoins (about $20,300).
But once an account is set up on the fake platform, users are asked to activate the account by making a minimum deposit of 0.01 bitcoins (about $258) to confirm their identity and complete the withdrawal.
“While relatively large, the amount required to activate an account pales in comparison to what users will get in return,” the researchers wrote. “However, as expected, recipients never get anything in return when they pay the activation amount.”
A public Telegram channel that records every payment made by victims indicates that the illicit transactions have earned the perpetrators a little over $5 million between December 24, 2022 and March 8, 2023.
Trend Micro says it has found hundreds of domains associated with this scam, with some of them active since 2016. All of the fake websites belong to affiliates of a “crypto scam project” codenamed Impulse that has been advertised on Russian cybercrime forums since February 2021.
Like ransomware-as-a-service (RaaS) operations, these ventures require affiliate actors to pay a fee to join the program and share a percentage of the revenue with the original author.
To lend legitimacy to the operations, the threat actors are believed to have created a look-alike version of an anti-fraud tool known as ScamDoc, which provides trust scores for different websites, in a plausible attempt to pass off the cryptocurrency service as trustworthy.
Trend Micro says it also found private messages, online videos and ads on other social networks such as TikTok and Mastodon, indicating that affiliates use various methods to advertise the fraudulent activity.
“Threat actors streamline operations for affiliates by providing hosting and infrastructure so they can run these fraudulent sites themselves,” the researchers said. “Affiliates can then concentrate on other aspects of operations, such as running their own advertising campaigns.”
News of the fake giveaway scam coincides with a new wave of cryptocurrency theft attacks orchestrated by a threat actor dubbed Pink Drainer, which is known to impersonate journalists to seize control of victims’ Discord and Twitter accounts and promote fake crypto schemes.
According to statistics collected by ScamSniffer, Pink Drainer managed to compromise 2,307 accounts as of June 11, 2023, stealing over $3.29 million worth of digital assets.
The findings also come weeks after Akamai dismantled a newly named Romanian cryptojacking campaign, Diicot (formerly Mexals), which uses a Golang-based Secure Shell (SSH) worm module and a new LAN spreader for propagation.
“The main purpose of r77 is to hide the presence of other software on the system by hooking up important Windows APIs, making it an ideal tool for cybercriminals looking to carry out sneak attacks,” the researchers said.
“By leveraging the r77 rootkit, malicious crypto miner creators can avoid detection and continue their campaigns undetected.”
It is also worth noting that the r77 rootkit is bundled with SeroXen, a new variant of the Quasar remote administration tool that sells for only $30 for a monthly license or $60 for a lifetime bundle.