New Harry Potter-named malware strikes, revealing global espionage campaign

Security researchers have identified a new malware family suspected of being used for espionage. The hackers infect devices by impersonating government agencies, usually tax authorities such as the Internal Revenue Service (IRS). Once the malicious software is on a PC, it can gather intelligence (personal data, passwords and more), download additional malicious software and upload data to the hackers’ server. It does all this while using Google Sheets both to store data and to avoid suspicion.

Illustration of computer being hacked by malware (Kurt “CyberGuy” Knutsson)

It all starts with a fake email

The hackers behind the malware, called “Voldemort,” have cleverly designed it to avoid getting caught. Just like the name Voldemort spelled trouble in J.K. Rowling’s Harry Potter series, it’s causing issues in the cybersecurity world, too.

The cyberattack kicks off when you receive an email that looks like it’s from a government tax agency. According to Proofpoint, the hackers behind this campaign have been impersonating tax agencies in various countries, including the U.S. (IRS), the U.K. (HM Revenue & Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), Italy (Agenzia delle Entrate) and, as of Aug. 19, India (Income Tax Department) and Japan (National Tax Agency). Each email lure was customized and written in the language of the tax authority being impersonated.

Proofpoint analysts found that the hackers tailored their phishing emails to match the target’s country of residence based on publicly available information rather than the organization’s location or the language suggested by the email address. For example, some targets in a European organization received emails impersonating the IRS because they were linked to the U.S. in public records. In some cases, the hackers mixed up the country of residence when the target shared a name with a more prominent individual.

The sender address also tries to mimic the agency’s address. For example, U.S. targets were sent fake emails from “no_reply_irs[.]gov@amecaindustrial[.]com,” where the agency name sits in the part before the @ while the actual sending domain is unrelated.

Email that tries to mimic the email of a government agency (Proofpoint) (Kurt “CyberGuy” Knutsson)

The attack cleverly unfolds on your device

In the fake email, hackers impersonating the government warn you about changes in the tax rates and tax systems and ask you to click a link to read a detailed guide. Clicking on the link brings you to a landing page, which uses Google AMP Cache URLs to redirect you to a page with a “Click to view document” button.

After you click the button, the hackers check whether you’re using a Windows device. If you are, you’ll be redirected to another page. Interacting with that page triggers a download that appears in your PC’s Downloads folder as a PDF, but is actually an LNK (Windows shortcut) or ZIP file hosted on an external server.

When you open the file, it runs a Python script fetched from another server without saving the script to your computer. The script collects system information to profile you, while a decoy PDF opens to hide the malicious activity.
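
As an added illustration (not code from the article or from Proofpoint), the check below tells a real PDF apart from a Windows shortcut (LNK) dressed up as one by reading file headers instead of trusting the name, and it looks inside a ZIP for the same trick. The sample Downloads folder, file names and file contents are constructed for the demo.

```python
import tempfile
import zipfile
from pathlib import Path

# Magic bytes: a real PDF starts with "%PDF-". A Windows shortcut (.lnk) starts
# with HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in little-endian byte order.
PDF_MAGIC = b"%PDF-"
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")
ZIP_MAGIC = b"PK\x03\x04"


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring the file name entirely."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def looks_like_document(name: str) -> bool:
    """True when the visible name suggests a PDF. Explorer hides the .lnk suffix,
    so 'Tax_Guide.pdf.lnk' is displayed as 'Tax_Guide.pdf'."""
    return ".pdf" in name.lower()


def classify_download(path: Path) -> str:
    with open(path, "rb") as fh:
        kind = sniff(fh.read(32))
    if kind == "lnk":
        return "lnk-masquerading-as-pdf" if looks_like_document(path.name) else "lnk"
    if kind == "zip":
        # A ZIP wrapper is the other delivery form named in the article; look inside it.
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                with zf.open(member) as mh:
                    if sniff(mh.read(32)) == "lnk":
                        return "zip-containing-lnk"
        return "zip"
    return kind


def scan_downloads(folder) -> dict:
    """Map each regular file in the folder to its classification."""
    folder = Path(folder)
    return {p.name: classify_download(p) for p in sorted(folder.iterdir()) if p.is_file()}


def build_sample_downloads() -> Path:
    """Constructed sample Downloads folder (dummy contents, hypothetical names):
    one genuine PDF, one LNK dressed as a PDF, and a ZIP wrapping such an LNK."""
    root = Path(tempfile.mkdtemp(prefix="downloads_"))
    (root / "Tax_Guide.pdf").write_bytes(PDF_MAGIC + b"1.7\n%dummy\n")
    (root / "Tax_Guide.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 44)
    with zipfile.ZipFile(root / "Tax_Guide.zip", "w") as zf:
        zf.writestr("Tax_Guide.pdf.lnk", LNK_MAGIC + b"\x00" * 44)
    return root


if __name__ == "__main__":
    for name, verdict in scan_downloads(build_sample_downloads()).items():
        print(f"{name:20s} -> {verdict}")
```

The point of sniffing the header rather than the extension is that the shortcut survives a rename or a ZIP wrapper unchanged, so the same twenty bytes give it away in either delivery form.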

Download that looks like PDF file in your PC’s download folder (Proofpoint) (Kurt “CyberGuy” Knutsson)

Voldemort uses Google Sheets to store data

Once the malware has successfully infected your Windows device, it can:

  • Ping: Check if it’s still connected to its control server
  • Dir: Get a list of files and folders on your system
  • Download: Send files from your system to the control server
  • Upload: Put files from the control server onto your system
  • Exec: Run specific commands or programs on your system
  • Copy: Copy files or folders on your system
  • Move: Move files or folders around on your system
  • Sleep: Pause its activity for a set time
  • Exit: Stop running on your system

The malware uses Google Sheets as its command center, where it gets new instructions and stores stolen data. Each infected device sends its data to specific cells in the Google Sheet, marked by unique IDs to keep everything organized.

Voldemort interacts with Google Sheets through Google’s API, using an embedded client ID, secret and refresh token stored in its encrypted settings. This method gives the malware a reliable way to communicate without raising suspicion since Google Sheets is widely used in businesses, making it hard for security tools to block it.
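
To show how this pattern surfaces on the defender’s side, here is an added example (not from the article or Proofpoint) that runs over a few constructed proxy-log lines and flags non-browser processes that refresh an OAuth token at oauth2.googleapis.com and call sheets.googleapis.com. The log format, host names, process names and the browser allowlist are assumptions made for the demo.

```python
import re
from collections import defaultdict

# The two endpoints involved when a program drives Google Sheets with an embedded
# refresh token: the OAuth token endpoint and the Sheets API itself.
GOOGLE_API_HOSTS = {"sheets.googleapis.com", "oauth2.googleapis.com"}
# Assumed allowlist: processes expected to talk to Google APIs on a workstation.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy/EDR log lines in a hypothetical key=value format.
SAMPLE_LOGS = [
    "2024-08-19T10:01:02Z host=WS01 proc=chrome.exe dst=sheets.googleapis.com path=/v4/spreadsheets/abc/values/A1",
    "2024-08-19T10:01:05Z host=WS01 proc=chrome.exe dst=oauth2.googleapis.com path=/token",
    "2024-08-19T10:02:10Z host=WS02 proc=python.exe dst=oauth2.googleapis.com path=/token",
    "2024-08-19T10:02:11Z host=WS02 proc=python.exe dst=sheets.googleapis.com path=/v4/spreadsheets/def/values/B7",
    "2024-08-19T10:02:40Z host=WS02 proc=python.exe dst=sheets.googleapis.com path=/v4/spreadsheets/def/values/B7:append",
    "2024-08-19T10:03:00Z host=WS03 proc=msedge.exe dst=www.example.com path=/",
    "this line is malformed and should be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_sheets_clients(lines):
    """Group Google API traffic by (host, process), ignoring allowlisted browsers,
    and count token refreshes and Sheets API calls per pair."""
    stats = defaultdict(lambda: {"api_calls": 0, "token_refreshes": 0, "first_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in GOOGLE_API_HOSTS:
            continue
        if rec["proc"].lower() in ALLOWED_PROCESSES:
            continue
        entry = stats[(rec["host"], rec["proc"])]
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        if rec["dst"] == "oauth2.googleapis.com" and rec["path"].startswith("/token"):
            entry["token_refreshes"] += 1
        elif rec["dst"] == "sheets.googleapis.com":
            entry["api_calls"] += 1
    return [{"host": host, "proc": proc, **entry} for (host, proc), entry in sorted(stats.items())]


if __name__ == "__main__":
    for finding in find_suspicious_sheets_clients(SAMPLE_LOGS):
        print(finding)
```

Blocking the Google domains outright is rarely an option, which is exactly the cover the malware relies on; the workable signal is which process is talking to them, so the rule keys on process identity rather than on the destination alone.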

4 ways to protect yourself from malware attacks

Hackers are releasing increasingly sophisticated malware, but that doesn’t mean you’re defenseless. Below are some tips to help protect yourself from such attacks.

1) Read sensitive emails carefully: The best way to spot fake emails that deliver malware is to check them carefully. While hackers may be tech-savvy, their language skills often aren’t perfect. For example, in the screenshots above, you can see typos like “Taxplayers” instead of “Taxpayers.” Government agencies don’t usually make these kinds of mistakes.

2) Check email domain: Verify that the email domain matches the organization it claims to represent. For example, an email from the IRS should come from an address ending in “@irs.gov.” Be cautious of slight misspellings or variations in the domain.
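
As an added example of this check (not the article’s own code), the function below parses a From header, undoes the “[.]” notation used above, and reports whether the sending domain really is the expected one. It accepts a subdomain of irs.gov as legitimate but not something like irs.gov.example, and it points out when only the local part or the display name name-drops the agency. The sample addresses other than the one quoted in the article are constructed.

```python
import re
from email.utils import parseaddr


def refang(text: str) -> str:
    """Undo the defanging convention ('[.]' for '.') so the address can be parsed."""
    return text.replace("[.]", ".")


def tokens(text: str) -> set:
    """Split on anything that is not a letter or digit: 'no_reply_irs.gov' -> {no, reply, irs, gov}."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def domain_matches(domain: str, expected: str) -> bool:
    """Exact match or a subdomain of the expected domain; 'irs.gov.example' does not count."""
    domain = domain.lower().rstrip(".")
    expected = expected.lower()
    return domain == expected or domain.endswith("." + expected)


def check_sender(from_header: str, expected_domain: str) -> dict:
    """Verify the sending domain and explain why a mismatch looks like impersonation."""
    display_name, address = parseaddr(refang(from_header))
    if "@" not in address:
        return {"ok": False, "domain": "", "reason": "no routable address in From header"}
    local_part, _, domain = address.rpartition("@")
    if domain_matches(domain, expected_domain):
        return {"ok": True, "domain": domain, "reason": "sending domain matches"}
    brand = expected_domain.split(".")[0]  # 'irs' from 'irs.gov'
    hints = []
    if brand in tokens(local_part):
        hints.append(f"local part name-drops '{brand}' while the domain is {domain}")
    if brand in tokens(display_name):
        hints.append(f"display name name-drops '{brand}'")
    if brand in tokens(domain):
        hints.append(f"domain {domain} is a look-alike of {expected_domain}")
    reason = "; ".join(hints) or f"sending domain {domain} is not {expected_domain}"
    return {"ok": False, "domain": domain, "reason": reason}


if __name__ == "__main__":
    # The first address is the one quoted in the article; the rest are constructed.
    for header in [
        "no_reply_irs[.]gov@amecaindustrial[.]com",
        "IRS Notices <notice@notices.irs.gov>",
        "IRS <notice@irs.gov.example>",
    ]:
        print(header, "->", check_sender(header, "irs.gov"))
```

The thing to read is the domain after the last @ in the real address, not the display name and not words that happen to appear before the @; the two constructed look-alikes show why a simple “does it contain irs.gov” test is not enough.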

3) Invest in data removal services: Hackers target you based on your publicly available information. That could be anything from your leaked info through a data breach to the information you provided to an e-commerce shop. Check out my top picks for data removal services here.

4) Have strong antivirus software: Strong antivirus software on your device can protect you when you receive one of these scam emails or accidentally open the attachment or click a link. Having antivirus protection installed on all your devices is the best way to protect yourself from clicking malicious links that install malware and gain access to your private information, and it can also alert you to phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

Kurt’s key takeaway

While researchers can’t say for sure, many of the techniques used by the malware are similar to those employed by hackers suspected of espionage. Even if this assessment turns out to be incorrect, the scale and sophistication of the attack are concerning. Anyone without technical knowledge could easily fall victim and lose personal data and money. This attack specifically targets Windows users, which also raises questions about Microsoft’s security framework.

What measures do you think organizations should implement to better protect individuals from malware attacks? Let us know by writing us at Cyberguy.com/Contact.

Copyright 2024 CyberGuy.com. All rights reserved.

Trump is hawking tokens for a crypto project he still hasn’t explained

After a disclaimer that nothing we’d hear tonight is financial or legal advice, followed by a 40-minute interview with former President Donald Trump — which touched on the apparent attempt on his life at a Florida golf course, the border, the “evil forces” conspiring against him, and his granddaughter’s foreign language skills — and subsequent conversations with Trump’s sons and associates, the X Space dedicated to announcing Trump’s “crypto platform” more or less got to the point.

The goal of World Liberty Financial, Trump’s new decentralized finance project, is to drive “the mass adoption of stablecoins and decentralized finance,” according to a statement posted on its X account earlier this month. But over the course of the lengthy “announcement” on Monday night, neither Trump nor any of his business partners explained how exactly that would work.

Finally, more than two hours into the stream, Corey Caplan — the co-founder of the decentralized lending platform Dolomite, who is working as an adviser for Trump’s project — said World Liberty Financial would “sell and otherwise distribute governance tokens called WLFI.” The token sales will be limited to “certain persons who would be eligible to participate in transactions that are exempt from registration under US federal securities law,” meaning only accredited investors under Regulation D and Regulation S can buy the token. Three people with knowledge of the project told the New York Times that World Liberty Financial has been pitched as a borrowing and lending platform.

Earlier in the stream, a bevy of Trump relatives and associates described World Liberty Financial as a way of helping the “huge, approachable class of people who have either been debanked … or they just don’t have a bank that they can go to, and they don’t have a bank that will listen to them.”

The details started to emerge a little over an hour and a half into the announcement, when two of Trump’s other business partners — Chase Herro and Zak Folkman — revealed some details of the “crypto platform” Trump and his sons have been teasing for over a month. World Liberty Financial will “onboard as many people through simple products where they can actually start to earn yield on their assets,” said Folkman, the co-founder of Dough Finance, a crypto platform that was hacked earlier this year.

“I think crypto is one of those things we have to do whether we like it or not”

Trump first announced the project in August. “For too long, the average American has been squeezed by the big banks and financial elites. It’s time we take a stand—together. #BeDefiant,” he posted on Truth Social. Aside from a link to a Telegram channel, the post included no other details about the platform or what it entailed. The uncertainty around the announcement has let opportunists — and hackers — take advantage of Trump’s fans. Earlier this month, hackers breached the X accounts of Tiffany Trump and Lara Trump, on which they posted links to a fake World Liberty Financial website announcing that the venture had launched.

Donald Trump Jr. and real estate developer and landlord Steve Witkoff, both of whom are also involved in World Liberty Financial, framed the project as a way of helping underserved and unbanked communities.

“If you want to borrow money today, you have to be almost anointed. You have to be a member of the privileged class,” said Witkoff, who in 2017 purchased the Fontainebleau Resort Las Vegas for $600 million.

Don Jr., who described himself as “still a neophyte” in the crypto space, said decentralized finance can help people who have been excluded from traditional financial markets. The announcement played up a popular fear among the crypto crowd: being debanked, potentially as punishment for political dissent.

“There was a time period where the Trumps, we could’ve picked up the phone and called and CEO of any bank,” Don Jr. said. “We went from being people who would have been the elite in that world to just being, like, totally canceled.” It’s possible that cancellation has more to do with Trump’s history of lying about his wealth or running a scammy for-profit college than it does with his political views.

Despite claims that World Liberty Financial will put “the power of finance back in the hands of the people,” initial reports suggested that its founding token would mostly be distributed to people involved in the project. A white paper obtained by CoinDesk said 70 percent of WLFI would be held by the founding members, team, and service providers.

During the stream, however, Caplan chastised the “fake news media” reports of how the token would be distributed and said approximately 63 percent of the tokens will be sold to the public, while 20 percent would be “reserved for team compensation.”

World Liberty Financial appears to be part of a broader Trump outreach campaign to the crypto community. Trump headlined this year’s Bitcoin Conference in Nashville, Tennessee, where he said he’d never sell the US’s Bitcoin holdings but stopped short of promising to create a strategic Bitcoin reserve. He’s also released four NFT collections, which netted him at least $7.2 million, according to August financial disclosure forms.

It’s evident that Trump, who disappeared from the stream after the first 40 minutes, is the face of a product he knows almost nothing about. He had little to say about cryptocurrency aside from some vague comments about the “very hostile environment” the Securities and Exchange Commission has created for the crypto community — and an admission that politicians know that embracing crypto could help them win voters.

“You’re going to be happy, and you’re going to love your crypto, and as long as you have crypto, you’re happy,” Trump said early in the stream. “I think crypto is one of those things we have to do whether we like it or not.”

Tile’s new AirTag competitors now double as panic buttons

Tile, one of the leading makers of Bluetooth item finders, has just added a twist — its newest trackers can now send SOS alerts that notify friends, family, and possibly even emergency services.

The 2024 Tile Pro, Tile Mate, Tile Slim, and Tile Sticker are the first new products since Life360 bought the company nearly three years ago, and many facets are unchanged: they should each ring slightly louder and have slightly better water resistance, but the credit card, key fob, and sticker configurations are all roughly the same size and weight. There’s no mention of UWB signals for precision tracking, unlike Apple’s AirTags and Samsung’s SmartTag 2. The Tile Pro is once again the only model that offers a user-replaceable battery.

All but the Tile Sticker now offer an extra 100 feet of quoted Bluetooth range, though: 350 feet for the Tile and Mate and a full 500 feet for the Pro. That better connectivity could come in handy if you’re triggering the new emergency alerts.

Tiles could already ring your phone if you double-tap the button; now, a triple tap can optionally send an “SOS Alert” instead. It’ll start a discreet 15-second countdown, after which it’ll send text messages and push notifications to your emergency contacts and even contact Tile’s emergency dispatch center — if you pay for the company’s $14.99 a month Life360 Gold subscription.

The SOS Alerts are a preexisting feature of Life360’s app that you’re basically just remotely triggering over Bluetooth with the Tile’s button instead, so you’ve got to pair your phone with the app and keep it nearby if you want it to work.

It’s also not clear if Life360 will automatically send an ambulance or have a dispatcher call you first, as the company’s website contradicts itself on that point. Tile spokesperson Kelley Garnier says it differs on a case-by-case basis, but either way, a Life360 dispatcher should act immediately.

Sextortion scams evolve with Google Maps images to intimidate victims

Scammers often rely on fear to steal your hard-earned money. No matter the scam, whether it’s a Microsoft call scam or government impersonation, they all attempt to scare you by claiming that something is seriously wrong with you or your devices and that only they can fix it. The latest sextortion scams targeting many in the U.S. are no exception.

These bad actors contact you via email, claiming to have compromising photos or videos of you in private situations, and demand money to delete them. What’s new is that these scammers now include images of your home to make their threats seem more convincing.

I’ve received emails from many people sharing how these scammers targeted them. Below is a breakdown of the evolved sextortion scam and tips on how to stay protected.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

How the scam works

It starts when you get an email from a scammer claiming they recorded you while you were watching adult content. They use your name and include a photo of your house or a nearby street to make it seem real.

The scammer claims to have installed spyware called “Pegasus” on your phone and to have access to everything you watch. Pegasus is spyware developed by NSO Group, a company that sells it only to government agencies and law enforcement.

It’s extremely expensive, and it’s highly unlikely that a random scammer would have access to it. Even if they did, stalking people watching adult content wouldn’t be worth their time. And if they really had installed spyware on your phone, they wouldn’t need to ask you to send money.

Once the scammer has you scared, they offer to delete the so-called footage and pretend you never existed if you pay them. They usually include a QR code for a cryptocurrency wallet and ask for Bitcoin as payment. One email I saw from a victim mentioned a ransom of about $2,000.

I’ve attached a portion of the email the victim got below. I’ve blurred out any personal info to protect their identity, but you can still check out the text.

Actual sextortion scam email (Kurt “CyberGuy” Knutsson)

How do scammers know your location?

The image of your home might make the scam look real, but it’s probably just a trick. One possible reason they have that info is a data breach. Your address might have been leaked in a breach and ended up on the dark web. Scammers could have gotten hold of it and used Google Maps to find a picture of your house. Another reason could be that you put up a listing for something online, like a rental or sale ad. If you’ve shared your address publicly in an online listing, scammers might have found it that way.

Google Maps vehicle that captures images (Kurt “CyberGuy” Knutsson)

Protect your privacy: Blur your house on Google Maps

Google Maps is where scammers get the image of your house. You can blur your house on the platform and take that scare tactic away from them. You’ll need to do this from a computer, since the blurring feature isn’t available in the Google Maps app on iOS or Android. Follow these steps:

  • Go to maps.google.com and type your home address into the search bar at the top-right.
  • Click on the photo of your house that shows up.
  • You’ll see a Street View image of your place. Click Report a Problem in the bottom-right corner.
  • Adjust the view so that your home and anything else you want to blur is inside the red and black box using your mouse.
  • Select the option to blur your home from the choices given.
  • Hit Submit, and Google will review your request and blur your house if they think it’s necessary.

Google Map-blurred home (Kurt “CyberGuy” Knutsson)

4 additional steps to stay protected from sextortion scams

Here are four additional steps you can take to stay protected from sextortion scams:

1) Be cautious with personal information: Avoid sharing personal information like your address, phone number or other sensitive details online. Be mindful of what you post on social media and other platforms.

2) Watch out for red flags: Scammers are mostly bluffing. For instance, the Pegasus software they claim to be using is a lie. Stay informed about common scams and how they work. Knowing what to look out for can help you recognize and avoid potential threats.

3) Change passwords: If the email includes a password, make sure you are not using it anymore, and if you are, change it as soon as possible. ON ANOTHER DEVICE (i.e., your laptop or desktop), you should change your passwords for all your important accounts, such as email, banking, social media, etc.

You should do this on another device to ensure that if the scammer actually has access to your device, they aren’t recording you setting up your new password. And you should also use strong and unique passwords that are hard to guess or crack. You can also use a password manager to generate and store your passwords securely. Changing passwords should be a part of your general cybersecurity hygiene, even if you’re not affected by a data breach.

4) Use personal data removal services: Consider investing in personal data removal services that specialize in continuously monitoring and removing your personal information from various online databases and websites.

I mentioned above that scammers most likely got access to your address through a data breach. A data removal service can help you remove all this personal information from the internet. Check out my top picks for data removal services here.

Kurt’s key takeaway

Scammers use fear and deception to trick you into giving up your hard-earned money. By understanding how these sextortion scams work and knowing what to look out for, you can better protect yourself from falling victim. Remember, most of these scammers are bluffing and rely on exploiting your fears. Keep your personal information secure, be cautious about what you share online and always verify the legitimacy of any threatening messages you receive. If you encounter a scam, report it to the appropriate authorities and take steps to secure your accounts and devices.

Have you ever encountered a similar scam or any other type of scam? How did you handle it? Let us know by writing us at Cyberguy.com/Contact.
