
Ongoing Bitcoin Scams Show Power of Social Engineering Triggers

Over the last seven months, the number of Bitcoin scams has increased dramatically. The scams began around October 2020 and are still going on today. “Since October 2020, reports have skyrocketed, with approximately 7,000 people reporting losses of more than $80 million on these scams,” the FTC reported on May 17, 2021. 

The FTC describes two types of scam. The first lures victims to phoney websites that appear legitimate and offer investment opportunities; the second is essentially a celebrity scam, in which the supposed celebrity promises to instantly triple every bitcoin sent. Elon Musk's name is often used in the latter because his business acumen and involvement in cryptocurrencies lend the scam an air of legitimacy.

The BBC reported on May 13, 2021, that a schoolteacher had lost £9,000 (nearly $12,750) after being duped into visiting a fake website. The report didn't say how she was lured there, but the website was a copy of the BBC's. It carried a fake news article headlined “Tesla buys $1.5 billion in bitcoin, plans to give $750 million of it away”; only the second half of the headline is false. Tesla did, in fact, purchase $1.5 billion in bitcoin in February 2021, citing the need for “more versatility to further diversify and optimize returns on our cash.”

Grammatical pedants may have spotted a red flag in the fake BBC website's use of the word "giveaway" (generally a noun) where "give away" (the correct form for an action) was meant. Scams are known for grammatical and typographical mistakes, but the fake website is otherwise very convincing. The teacher sent £9,000 expecting to receive £18,000 in return and got nothing.

A month earlier, the BBC reported on a Twitter-based scam that resulted in a much larger loss. The real Elon Musk tweeted “Dojo 4 Doge” on February 22, 2021. Using a Twitter handle displaying the name Elon Musk, a scammer offered a once-in-a-lifetime chance to send up to 20 bitcoin and get double back. The victim fell for it and sent 10 bitcoins, which he promptly lost – about £497,000 (nearly $700,000).

Bitdefender, a security company, recently reported on two email campaigns with similar themes. Across the two campaigns, tens of thousands of fraudulent Tesla-themed emails were sent. Both use the same pitch: send Elon Musk some bitcoin and he'll send back twice as much. The first campaign uses a PDF attachment; apart from its pitch, which reads, "Our marketing department here at Tesla HQ came up with an idea: to hold a special giveaway event for all crypto fans out there," there is nothing malicious about the PDF. It contains instructions on how to send bitcoin and receive twice the sum in return. “ELON MUSK 5,000 B T C GIVEAWAY!” is a common subject line for these emails.

Other emails in the campaign are personalized with the recipient's username. Nearly 80% of the emails in this campaign appear to have been sent from IP addresses in Germany. According to the researchers, “11% of the fraudulent emails hit users in the United Kingdom, 79.26% in Sweden, and 9.22% in the United States.”

The second campaign consists of a simple email containing details of the fraudulent giveaway and a QR code for a Bitcoin address that participants can scan. The email reads, “If you want to participate in the giveaway, it's very simple! All you have to do is send any amount of Bitcoin (BTC) to our official donation address for this case (between 0.1 BTC and 50 BTC), and once we receive your transaction, we will immediately send back (2x) to the address from which you sent the BTC.”

Bitdefender notes that “at the moment, one of the perps' crypto wallets reveals 31 transactions totaling 1965.21 dollars.” All of these bitcoin scams show that it's almost impossible to stop users from falling for good social engineering, whether it's a scam or a phishing attack. Here the campaigns hit all the right notes: believability, celebrity endorsement, urgency, and most importantly, greed.

OpenBullet Exploited for Credential Stuffing


Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019 there were 88 billion credential stuffing attacks, according to Akamai research.

Credential stuffing is a form of cyberattack in which compromised account credentials, usually lists of usernames and/or email addresses and their corresponding passwords (often taken from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed at a web application. Unlike credential cracking, credential stuffing does not brute-force or guess passwords. Using standard web automation software such as Selenium, cURL, or PhantomJS, or tools built specifically for this kind of attack such as Sentry MBA, SNIPR, STORM, Blackbullet, and OpenBullet, the intruder simply automates login attempts for a large number (thousands to millions) of previously leaked credential pairs.

Because many users reuse the same username/password combination across different sites, credential stuffing attacks are likely to succeed. According to one poll, 81% of users have reused a password across two or more sites, and 25% of users use the same password across a number of their accounts.

OpenBullet is a free web-testing tool that lets users send specific requests to particular web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automated penetration testing, and Selenium unit testing.

For legitimate purposes such as penetration testing, the tool lets users try many "login:password" combinations against a website, as in a credential brute-force test. Cybercriminals, however, use it to find valid passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files, or configs, into OpenBullet, one for each website to be checked. It also has a modular editor for modifying configurations as needed. This is a necessary function because websites make small changes to the way users log in precisely to defeat automated tools like OpenBullet. Notably, OpenBullet's GitHub page carries a note that the tool should not be used for credential stuffing against websites the user does not own.

The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.
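As an added illustration from the defender's side (not code from the post, OpenBullet, or the FTC advisory), the following Python example flags the login pattern described above: one source replaying a list of breached username/password pairs, each tried once or twice, with mostly failures, as opposed to brute force against a single account. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log in a hypothetical format (not from any real system).
# 203.0.113.9 replays six different leaked pairs once each (one of them succeeds);
# 198.51.100.7 hammers one account (brute force, not stuffing); 192.0.2.5 is a normal login.
SAMPLE_LOG = """\
2021-05-17T10:00:01Z ip=203.0.113.9 user=alice result=FAIL
2021-05-17T10:00:02Z ip=203.0.113.9 user=bob result=FAIL
2021-05-17T10:00:02Z ip=203.0.113.9 user=carol result=FAIL
2021-05-17T10:00:03Z ip=203.0.113.9 user=dave result=OK
2021-05-17T10:00:04Z ip=203.0.113.9 user=erin result=FAIL
2021-05-17T10:00:05Z ip=203.0.113.9 user=frank result=FAIL
2021-05-17T10:00:07Z ip=198.51.100.7 user=carol result=FAIL
2021-05-17T10:00:08Z ip=198.51.100.7 user=carol result=FAIL
2021-05-17T10:00:09Z ip=198.51.100.7 user=carol result=FAIL
2021-05-17T10:00:20Z ip=192.0.2.5 user=alice result=OK
"""

# The ts group keeps only the minute, which is used as the aggregation bucket.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Parse lines into (minute, ip, user, result) tuples; unparseable lines are skipped."""
    return [(m["ts"], m["ip"], m["user"], m["result"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_stuffing(events, min_users=5, max_per_user=2, min_fail_ratio=0.8):
    """Flag IPs that, within one minute, try many distinct accounts at most a couple of
    times each and mostly fail: a credential list being replayed. Brute force on one
    account deliberately does not match (max_per_user is exceeded)."""
    buckets = defaultdict(list)
    for minute, ip, user, result in events:
        buckets[(ip, minute)].append((user, result))
    flagged = {}
    for (ip, minute), tries in buckets.items():
        per_user = defaultdict(int)
        for user, _ in tries:
            per_user[user] += 1
        fails = sum(1 for _, r in tries if r == "FAIL")
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and fails / len(tries) >= min_fail_ratio):
            flagged[ip] = {"minute": minute, "accounts": len(per_user),
                           "attempts": len(tries), "failures": fails}
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged IP: candidates for a forced reset."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "OK"})
```

The successful login from a flagged source is the one that matters most: it is the account the stuffed credentials actually opened, and it should be reset and reviewed rather than just counted.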

Amid COVID-19 Pandemic and Scams, FTC Alarms Public

Amid the coronavirus pandemic and the public panic surrounding it, the FTC (Federal Trade Commission) has urged the public to stay alert to hackers who may try to attack their devices during this vulnerable time. The FTC has compiled a list of the tricks and strategies hackers are using to target susceptible users during the pandemic. Cybersecurity is the focus of the FTC's second alert, which describes the various ways attackers are exploiting the outbreak to launch cyberattacks for profit.

According to cybersecurity experts, in one of the latest incidents hackers are sending users fake emails claiming to have stocks of groceries or cures for coronavirus. In another widespread episode, hackers sent users a fake WHO advisory on 'safety tips to follow to prevent yourself from COVID-19.' According to the FTC's warning, if users download content through the links or open websites linked from these phishing emails, malware is installed on their systems. The hackers can then steal critical personal information and hijack the target's access. "Last month, we alerted you to Coronavirus scams we saw at the time. Earlier this month, we sent warning letters to seven sellers of scam Coronavirus treatments. So far, all of the companies have made significant changes to their advertising to remove unsupported claims. But scammers don't take a break," says the FTC on its website.

But this is only the tip of the iceberg. Hackers are also targeting victims with fake refund offers and bogus relief organizations that solicit donations. "Other scammers have used real information to infect computers with malware. For example, malicious websites used the real Johns Hopkins University interactive dashboard of Coronavirus infections and deaths to spread password-stealing malware," said the FTC.

How to stay safe?
Follow these simple steps to protect yourself from frauds and scams:

  • Keep your smartphones and computers updated.
  • Use two-step verification for all your accounts and back up your data.
  • Research online before making donations, and don't trust anyone claiming to represent a health organization without verifying it. Avoid wire transfers.
  • Hang up immediately on calls from scammers.
  • Don't forward or share unverified information, even if it comes from trusted individuals.

Facebook Now Cracking Down On Third-Party Apps in the Wake of the Cambridge Analytica Scandal

Almost a year after the Cambridge Analytica scandal broke last March, in which the data of around 87 million users was harvested and shared with the Trump-affiliated campaign research firm without their consent, Facebook is taking action against third-party applications that gulp up enormous amounts of user data.

Facebook said in a blog post that it will no longer permit applications with 'minimal utility,' such as personality quizzes, to operate on the platform.

Eddie O'Neil, head of platform at Facebook, said in the post, 'As part of our ongoing commitments to privacy and security, we are making updates to our platform...our Facebook Platform Policies are being updated to include provisions that apps with minimal utility, such as personality quizzes, may not be permitted on the platform.'

'The update also clarifies that apps may not ask for data that doesn't enrich the in-app user experience,' he added later.

As The Verge pointed out, however, the problem didn't really originate with quiz apps but with Facebook's lax policies on user data management and developers' ability to collect data from "friends of friends".

It comes as Facebook revealed on Wednesday that it expects to take a one-time charge of between $3 billion and $5 billion related to a settlement with the Federal Trade Commission. Last March, the FTC opened an investigation into Facebook's data practices after the Cambridge Analytica scandal first came to light.

O'Neil also stated, 'Going forward, we will periodically review, audit and remove permissions that your app has not used. Developers can submit for App Review to regain access to expired permissions.'

Facebook also now intends to cut off a developer's access to a user's information if it detects that the user hasn't opened the app in the previous 90 days.

Facebook expecting fine of $5 billion over privacy issues

Facebook said that it is setting aside $5 billion because it expects to be fined by the Federal Trade Commission for privacy violations.

The social media company disclosed the amount in its first-quarter earnings report for 2019, stating that it estimates a one-time fine of $3 billion to $5 billion, though the matter is unresolved and negotiations are ongoing.

“In the first quarter of 2019, we reasonably estimated a probable loss and recorded an accrual of $3.0 billion in connection with the inquiry of the FTC into our platform and user data practices, which accrual is included in accrued expenses and other current liabilities on our condensed consolidated balance sheet,” the company writes in its earnings statement. 

“We estimate that the range of loss in this matter is $3 billion to $5 billion. The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

Facebook has been negotiating with the regulator for months over a violation of a 2011 privacy consent decree.

Under the decree, the company promised a series of measures to protect its users' privacy after an investigation found that its handling of data had harmed consumers.

However, the company came under fire once again last year, and the FTC opened the case after the Cambridge Analytica fiasco, in which the personal information of nearly 50 million users was breached.

Meanwhile, the FTC declined to comment.