The Problem with Hackers
On June 10, Kroll’s Cyber Risk team reported an increasing tendency among attackers to use the Qakbot trojan, also known as Qbot. Cybercriminals use Qbot to run email thread hijacking campaigns, which they then use to deliver ransomware.
According to the Kroll report, banking trojans are the most commonly used entry point for these ransomware attacks. The criminals seek to steal financial data, as analysts from Kroll and the National Cyber-Forensics and Training Alliance elaborated. They also target other industries, including media, education, and academia.
The health care sector has also become more exposed during the rapid spread of the COVID-19 pandemic. Such trojans are commonly used as the initial entry point by members of the ProLock ransomware gang. These attackers succeed because they use highly sophisticated phishing lures that ordinary users do not easily detect.
Qakbot Trojan Attack Strategies
Qakbot is described as a banking trojan and has been active for at least 10 years, according to Kroll. It relies primarily on brute force attacks, keyloggers, Windows account credential theft, and authentication cookie grabbers, among many other techniques.
One of the authors of this research was Laurie Iacono, a vice president on Kroll’s cyber risk team. She commented on why attackers are relying on trojans like Qakbot to stage these ransomware attacks:
“The ultimate reason is to maximize their profits. Within the past 18 months, Kroll has observed multiple cases where a trojan infection is the first step of a multi-phased attack—hackers infect a system; find a way to escalate privileges, conduct reconnaissance, steal credentials (and sometimes sensitive data); and then launch a ransomware attack from an access level where it can do the most damage. They can make money on the ransom payment and potentially on the sale of stolen data and credentials—plus the stolen data helps force infected companies to pay the ransom.”
The report’s co-author, Cole Manaster, who is also a vice president of Kroll’s cyber risk practice, said that the way these thread hijacking attacks are deployed is evolving. He explained:
“Criminals are aware of the increasing cybersecurity training across email users and are producing more sophisticated, and authentic-looking phishing lures.”
Cybercrimes Increase Amid COVID-19
Iacono also stated that the use of banking trojans by ransomware gangs is common. She gave the example of Ryuk attacks, which are preceded by an Emotet trojan infection. DoppelPaymer attacks are another common example and are normally linked to Trickbot infections.
With more workers remaining at home during the health crisis, the researchers identified:
“an uptick in attacks exploiting vulnerabilities in remote work applications such as the Citrix exploit.”
Reports emerged on May 17 that the ProLock gang was frequently using the Qakbot banking trojan to launch its attacks. After a successful intrusion, the gang demands six-figure USD ransoms from its victims, paid in Bitcoin (BTC), in exchange for decrypting the files.
Phony SpaceX YouTube Channels Dupe Victims
Scammers have also found a haven on YouTube. The latest reports indicate that these criminals conned viewers into sending them a cumulative 15.31 BTC, worth about $150,000, using the usual ‘free giveaway’ trick. The crypto scammers impersonated SpaceX YouTube accounts and hosted several fictitious Bitcoin giveaways.
Several scammers hijacked legitimate YouTube accounts, according to a June 9 report on Bleeping Computer, and changed their branding and content to closely imitate Elon Musk’s SpaceX channel.
The channels broadcast archived footage of Musk as if it were happening live and urged viewers to send Bitcoin. At least 80,000 people watched the phony live event, which earned the scammers 15.31 BTC since June 8. One Bitcoin address received 84 donations totaling 11.23 BTC, while another received 29 transactions totaling 4.08 BTC.
Musk is aware that scammers are using his name to perpetrate their heinous acts. In February, the CEO tweeted:
“the crypto scam level on Twitter is reaching new levels and users should report such fakes as soon as they see them.”
But reporting alone has not been enough on the various platforms. Tenable reported in February that:
“there has been a perpetual cat-and-mouse game between Twitter and cryptocurrency scammers and the latter continue to modify their tactics to get BTC from unsuspecting victims.”
Scammers know how to spot profitable trends, such as impersonating Musk. Experts therefore advise investors and users to do thorough background checks on any project before committing their funds to it.