In this post, first we’ll discuss the researchers’ main findings. Then we’ll explore what it all means practically speaking — and whether you should be concerned about someone roasting your smartphone through a wireless charger.

The main idea behind the VoltSchemer attacks

The Qi standard has become the dominant one in its field: it’s supported by all the latest wireless chargers and smartphones capable of wireless charging. VoltSchemer attacks exploit two fundamental features of the Qi standard.

The first is the way the smartphone and wireless charger exchange information to coordinate the battery charging process: the Qi standard has a communication protocol that uses the only “thing” connecting the charger and the smartphone — a magnetic field — to transmit messages.

The second feature is the way that wireless chargers are intended for anyone to freely use. That is, any smartphone can be placed on any wireless charger without any kind of prior pairing, and the battery will start charging immediately. Thus, the Qi communication protocol involves no encryption — all commands are transmitted in plain text.

It is this lack of encryption that makes communication between charger and smartphone susceptible to man-in-the-middle attacks; that is, said communication can be intercepted and tampered with. That, coupled with the first feature (use of the magnetic field), means such tampering  is not even that hard to accomplish: to send malicious commands, attackers only need to be able to manipulate the magnetic field to mimic Qi-standard signals.

To illustrate the attack, the researchers created a malicious power adapter: an overlay on a regular wall USB socket. Source

And that’s exactly what the researchers did: they built a “malicious” power adapter disguised as a wall USB socket, which allowed them to create precisely tuned voltage noise. They were able to send their own commands to the wireless charger, as well as block Qi messages sent by the smartphone.

Thus, VoltSchemer attacks require no modifications to the wireless charger’s hardware or firmware. All that’s necessary is to place a malicious power source in a location suitable for luring unsuspecting victims.

Next, the researchers explored all the ways potential attackers could exploit this method. That is, they considered various possible attack vectors and tested their feasibility in practice.

VoltSchemer attacks don’t require any modifications to the wireless charger itself — a malicious power source is enough. Source

1. Silent commands to Siri and Google Assistant voice assistants

The first thing the researchers tested was the possibility of sending silent voice commands to the built-in voice assistant of the charging smartphone through the wireless charger. They copied this attack vector from their colleagues at Hong Kong Polytechnic University, who dubbed this attack Heartworm.

The general idea of the Heartworm attack is to send silent commands to the smartphone’s voice assistant using a magnetic field. Source

The idea here is that the smartphone’s microphone converts sound into electrical vibrations. It’s therefore possible to generate these electrical vibrations in the microphone directly using electricity itself rather than actual sound. To prevent this from happening, microphone manufacturers use electromagnetic shielding — Faraday cages. However, there’s a key nuance here: although these shields are good at suppressing the electrical component, they can be penetrated by magnetic fields.

Smartphones that can charge wirelessly are typically equipped with a ferrite screen, which protects against magnetic fields. However, this screen is located right next to the induction coil, and so doesn’t cover the microphone. Thus, today’s smartphone microphones are quite vulnerable to attacks from devices capable of manipulating magnetic fields — such as wireless chargers.

Microphones in today’s smartphones aren’t protected from magnetic field manipulation. Source

The creators of VoltSchemer expanded the already known Heartworm attack with the ability to affect the microphone of a charging smartphone using a “malicious” power source. The authors of the original attack used a specially modified wireless charger for this purpose.

2. Overheating a charging smartphone

Next, the researchers tested whether it’s possible to use the VoltSchemer attack to overheat a smartphone charging on the compromised charger. Normally, when the battery reaches the required charge level or the temperature rises to a threshold value, the smartphone sends a command to stop the charging process.

However, the researchers were able to use VoltSchemer to block these commands. Without receiving the command to stop, the compromised charger continues to supply energy to the smartphone, gradually heating it up — and the smartphone can’t do anything about it. For cases such as this, smartphones have emergency defense mechanisms to avoid overheating: first, the device closes applications, and if that doesn’t help it shuts down completely.

Using the VoltSchemer attack, researchers were able to heat a smartphone on a wireless charger to a temperature of 178°F — approximately 81°C. Source

Thus, the researchers were able to heat a smartphone up to a temperature of 81°C (178°F), which is quite dangerous for the battery — and in certain circumstances could lead to its catching fire (which could of course lead to other things catching fire if the charging phone is left unattended).

3. “Frying” other stuff

Next, the researchers explored the possibility of “frying” various other devices and everyday items. Of course, under normal circumstances, a wireless charger shouldn’t activate unless it receives a command from the smartphone placed on it. However, with the VoltSchemer attack, such a command can be given at any time, as well as a command to not stop charging.

Now, take a guess what will happen to any items lying on the charger at that moment! Nothing good, that’s for sure. For example, the researchers were able to heat a paperclip to a temperature of 280°C (536°F) — enough to set fire to any attached documents. They also managed to fry to death a car key, a USB flash drive, an SSD drive, and RFID chips embedded in bank cards, office passes, travel cards, biometric passports and other such documents.

Also using the VoltSchemer attack, researchers were able to disable car keys, a USB flash drive, an SSD drive, and several cards with RFID chips, as well as heat a paperclip to a temperature of 536°F — 280°C. Source

In total, the researchers examined nine different models of wireless chargers available in stores, and all of them were vulnerable to VoltSchemer attacks. As you might guess, the models with the highest power pose the greatest danger, as they have the most potential to cause serious damage and overheat smartphones.

Should you fear a VoltSchemer attack in real life?

Protecting against VoltSchemer attacks is fairly straightforward: simply avoid using public wireless chargers and don’t connect your own wireless charger to any suspicious USB ports or power adapters.

While VoltSchemer attacks are quite interesting and can have spectacular results, their real-world practicality is highly questionable. Firstly, such an attack is very difficult to organize. Secondly, it’s not exactly clear what the benefits to an attacker would be — unless they’re a pyromaniac, of course.

But what this research clearly demonstrates is how inherently dangerous wireless chargers can be — especially the more powerful models. So, if you’re not completely sure of the reliability and safety of a particular wireless charger, you’d be wise to avoid using it. While wireless charger hacking is unlikely, the danger of your smartphone randomly getting roasted due to a “rogue” charger that no longer responds to charging commands isn’t entirely absent.

January 2023: LockBit attack on the UK’s Royal Mail

The year kicked off with the LockBit group attacking Royal Mail, the UK’s national postal service. The attack paralyzed international mail delivery, leaving millions of letters and parcels stuck in the company’s system. On top of that, the parcel tracking website, online payment system, and several other services were also crippled; and at the Royal Mail distribution center in Northern Ireland, printers began spewing out copies of the LockBit group’s distinctive orange ransom note.

The LockBit ransom note that printers at the Royal Mail distribution center began printing in earnest. Source

As is commonly the case with modern ransomware attacks, LockBit threatened to post stolen data online unless the ransom was paid. Royal Mail refused to pay up, so the data ended up being published.

February 2023: ESXiArgs attacks VMware ESXi servers worldwide

February saw a massive automated ESXiArgs ransomware attack on organizations through the RCE vulnerability CVE-2021-21974 in VMware ESXi servers. Although VMware released a patch for this vulnerability back in early 2021, the attack left more than 3000 VMware ESXi servers encrypted.

The attack operators demanded just over 2BTC (around $45,000 at the time of the attack). For each individual victim they generated a new Bitcoin wallet and put its address in the ransom note.

Ransom demand from the original version of ESXiArgs ransomware. Source

Just days after the attack began, the cybercriminals unleashed a new strain of the cryptomalware, making it far harder to recover encrypted virtual machines. To make their activities more difficult to trace, they also stopped giving out ransom wallet addresses, prompting victims to make contact through the P2P messenger Tox instead.

March 2023: Clop group widely exploits a zero-day in GoAnywhere MFT

In March 2023, the Clop group began widely exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) tool. Clop is well-known for its penchant for exploiting vulnerabilities in such services: in 2020–2021, the group attacked organizations through a hole in Accelon FTA, switching in late 2021 to exploiting a vulnerability in SolarWinds Serv-U.

In total, more than 100 organizations suffered attacks on vulnerable GoAnywhere MFT servers, including Procter & Gamble, the City of Toronto, and Community Health Systems — one of the largest healthcare providers in the U.S.

Map of GoAnywhere MFT servers connected to the internet. Source

April 2023: NCR Aloha POS terminals disabled by BlackCat attack

In April, the ALPHV group (aka BlackCat —  after the ransomware it uses) attacked NCR, a U.S. manufacturer and servicer of ATMs, barcode readers, payment terminals, and other retail and banking equipment.

The ransomware attack shut down the data centers handling the Aloha POS platform — which is used in restaurants, primarily fast food — for several days.

NCR Aloha POS platform disabled by the ALPHV/BlackCat group. Source

Essentially, the platform is a one-stop shop for managing catering operations: from processing payments, taking online orders, and operating a loyalty program, to managing the preparation of dishes in the kitchen and payroll accounting. As a result of the ransomware attack on NCR, many catering establishments were forced to revert to pen and paper.

May 2023: Royal ransomware attack on the City of Dallas

Early May saw a ransomware attack on municipal services in Dallas, Texas — the ninth most populous city in the U.S. Most affected were IT systems and communications of the Dallas Police Department, and printers on the City of Dallas network began churning out ransom notes.

The Royal ransom note printed out through City of Dallas network printers. Source

Later that month, there was another ransomware attack on an urban municipality: the target this time was the City of Augusta in the U.S. state of Georgia, and the perpetrators were the BlackByte group.

June 2023: Clop group launches massive attacks through vulnerability in MOVEit Transfer

In June, the same Clop group responsible for the February attacks on Fortra GoAnywhere MFT began exploiting a vulnerability in another managed file transfer tool — Progress Software’s MOVEit Transfer. This vulnerability, CVE-2023-34362, was disclosed and fixed by Progress on the last day of May, but as usual, not all clients managed to apply the patches quickly enough.

This ransomware attack — one of the largest incidents of the year — affected numerous organizations, including the oil company Shell, the New York City Department of Education, the BBC media corporation, the British pharmacy chain Boots, the Irish airline Aer Lingus, the University of Georgia, and the German printing equipment manufacturer Heidelberger Druckmaschinen.

The Clop website instructs affected companies to contact the group for negotiations. Source

July 2023: University of Hawaii pays ransom to the NoEscape group

In July, the University of Hawaii admitted to paying off ransomwarers. The incident itself occurred a month earlier when all eyes were fixed on the attacks on MOVEit. During that time, a relatively new group going by the name of NoEscape infected one of the university departments, Hawaiian Community College, with ransomware.

Having stolen 65GB of data, the attackers threatened the university with publication. The personal information of 28,000 people was apparently at risk of compromise. It was this fact that convinced the university to pay the ransom to the extortionists.

NoEscape announces the hack of the University of Hawaii on its website. Source

Of note is that university staff had to temporarily shut down IT systems to stop the ransomware from spreading. Although the NoEscape group supplied a decryption key upon payment of the ransom, the restoration of the IT infrastructure was expected to take two months.

August 2023: Rhysida targets the healthcare sector

August was marked by a series of attacks by the Rhysida ransomware group on the healthcare sector. Prospect Medical Holdings (PMH), which operates 16 hospitals and 165 clinics across several American states, was the organization that suffered the most.

The hackers claimed to have stolen 1TB of corporate documents and a 1.3 TB SQL database containing 500,000 social security numbers, passports, driver’s licenses, patient medical records, as well as financial and legal documents. The cybercriminals demanded a 50BTC ransom (then around $1.3 million).

Ransom note from the Rhysida group. Source

September 2023: BlackCat attacks Caesars and MGM casinos

In early September, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains — Caesars and MGM — in one stroke. Behind the attacks was the ALPHV/BlackCat group, mentioned above in connection with the assault on the NCR Aloha POS platform.

The incident shut down the companies’ entire infrastructure — from hotel check-in systems to slot machines. Interestingly, the victims responded in very different ways. Caesars decided to pay the extortionists $15 million, half of the original $30 million demand.

MGM chose not to pay up, but rather to restore the infrastructure on its own. The recovery process took nine days, during which time the company lost $100 million (its own estimate), of which $10 million was direct costs related to restoring the downed IT systems.

Caesars and MGM own more than half of Las Vegas casinos

October 2023: BianLian group extorts Air Canada

A month later, the BianLian group targeted Canada’s flag carrier, Air Canada. The attackers claim they stole more than 210GB of various information, including employee/supplier data and confidential documents. In particular, the attackers managed to steal information on technical violations and security issues of the airline.

The BianLian website demands a ransom from Air Canada Source

November 2023: LockBit group exploits Citrix Bleed vulnerability

November was remembered for a Citrix Bleed vulnerability exploited by the LockBit group, which we also discussed above. Although patches for this vulnerability were published a month earlier, at the time of the large-scale attack more than 10,000 publicly accessible servers remained vulnerable. This is what the LockBit ransomware took advantage of to breach the systems of several major companies, steal data, and encrypt files.

Among the big-name victims was Boeing, whose stolen data the attackers ended up publishing without waiting for the ransom to be paid. The ransomware also hit the Industrial and Commercial Bank of China (ICBC), the largest commercial bank in the world.

The LockBit website demands a ransom from Boeing

The incident badly hurt the Australian arm of DP World, a major UAE-based logistics company that operates dozens of ports and container terminals worldwide. The attack on DP World Australia’s IT systems massively disrupted its logistics operations, leaving some 30,000 containers stranded in Australian ports.

December 2023: ALPHV/BlackCat infrastructure seized by law enforcement

Toward the end of the year, a joint operation by the FBI, the U.S. Department of Justice, Europol, and law enforcement agencies of several European countries deprived the ALPHV/BlackCat ransomware group of control over its infrastructure. Having hacked it, they quietly observed the cybercriminals’ actions for several months, collecting data decryption keys and aiding BlackCat victims.

In this way, the agencies rid more than 500 organizations worldwide of the ransom threat and saved around $68 million in potential payouts. This was followed in December by a final takeover of the servers, putting an end to BlackCat’s operations.

The joint law enforcement operation to seize ALPHV/BlackCat infrastructure. Source

Various statistics about the ransomware group’s operations were also made public. According to the FBI, during the two years of its activity, ALPHV/BlackCat breached more than a thousand organizations, demanded a total of more than $500 million from victims, and received around $300 million in ransom payments.

How to guard against ransomware attacks

Ransomware attacks are becoming more varied and sophisticated with each passing year, so there isn’t (and can’t be) one killer catch-all tip to prevent incidents. Defense measures must be comprehensive. Focus on the following tasks:

• Train employees in cybersecurity awareness.
• Implement and refine data storage and employee access
• Back up important data regularly and isolate it from the network.
• Install robust protection on all corporate devices.
• Monitor suspicious activity on the corporate network using an Endpoint Detection and Response (EDR)
• Outsource threat search and response to a specialist company if your in-house information security lacks the capability.

An attack they dubbed KeyTrap, which exploits the vulnerability, can disable a DNS server by sending it a single malicious data packet. Read on to find out more about this attack.

How KeyTrap works and what makes it dangerous

The DNSSEC vulnerability has only recently become public knowledge, but it was discovered back in December 2023 and registered as CVE-2023-50387. It was assigned a CVSS 3.1 score of 7.5, and a severity rating of “High”. Complete information about the vulnerability and the attack associated with it is yet to be published.

Here’s how KeyTrap works. The malicious actor sets up a nameserver that responds to requests from caching DNS servers – that is, those which serve client requests directly – with a malicious packet. Next, the attacker has the caching-server request a DNS record from their malicious nameserver. The record sent in response is a cryptographically-signed malicious one. The way the signature is crafted causes the attacked DNS server trying to verify it to run at full CPU capacity for a long period of time.

According to the researchers, a single such malicious packet can freeze the DNS server for anywhere from 170 seconds to 16 hours – depending on the software it runs on. The KeyTrap attack can not only deny access to web content to all clients using the targeted DNS server, but also disrupt various infrastructural services such as spam protection, digital certificate management (PKI), and secure cross-domain routing (RPKI).

The researchers refer to KeyTrap as “the worst attack on DNS ever discovered”. Interestingly enough, the flaws in the signature validation logic making KeyTrap possible were discovered in one of the earliest versions of the DNSSEC specification, published as far back as… 1999. In other words, the vulnerability is about to turn 25!

The origins of KeyTrap can be traced back to RFC-2035, the DNSSEC specification published in 1999

Fending off KeyTrap

The researchers have alerted all DNS server software developers and major public DNS providers. Updates and security advisories to fix CVE-2023-50387 are now available for PowerDNS, NLnet Labs Unbound, and Internet Systems Consortium BIND9. If you are an administrator of a DNS server, it’s high time to install the updates.

Bear in mind, though, that the DNSSEC logic issues that have made KeyTrap possible are fundamental in nature and not easily fixed. Patches released by DNS software developers can only go some way toward solving the problem, as the vulnerability is part of standard, rather than specific implementations. “If we launch [KeyTrap] against a patched resolver, we still get 100 percent CPU usage but it can still respond,” said one of the researchers.

Practical exploitation of the flaw remains a possibility, with the potential result being unpredictable resolver failures. In case this happens, corporate network administrators would do well to prepare a list of backup DNS servers in advance so they can switch as needed to keep the network functioning normally and let users browse the web resources they need unimpeded.

Malvertising

To the great surprise of many (even InfoSec experts), cybercriminals have been making active use of legitimate paid advertising for a number of years now. In one way or another they pay for banner ads and search placements, and employ corporate promotion tools. There are many examples of this phenomenon, which goes by the name of malvertising (malicious advertising). Usually, cybercriminals advertise fake pages of popular apps, fake promo campaigns of famous brands, and other fraudulent schemes aimed at a wide audience. Sometimes threat actors create an advertising account of their own and pay for advertising, but this method leaves too much of a trail (such as payment details). So a different method is more attractive to them: stealing login credentials and hacking the advertising account of a straight-arrow company, then promoting their sites through it. This has a double payoff for the cybercriminals: they get to spend others’ money without leaving excess traces. But the victim company, besides a gutted advertising account, gets one problem after another — including potentially being blocked by the advertising platform for distributing malicious content.

Downvoted and unfollowed

A variation of the above scheme is a takeover of social networks’ paid advertising accounts. The specifics of social media platforms create additional troubles for the target company.

First, access to corporate social media accounts is usually tied to employees’ personal accounts. It’s often enough for attackers to compromise an advertiser’s personal computer or steal their social network password to gain access not only to likes and cat pics but to the scope of action granted by the company they work for. That includes posting on the company’s social network page, sending emails to customers through the built-in communication mechanism, and placing paid advertising. Revoking these functions from a compromised employee is easy as long as they aren’t the main administrator of the corporate page — in which case, restoring access will be labor-intensive in the extreme.

Second, most advertising on social networks takes the form of “promoted posts” created on behalf of a particular company. If an attacker posts and promotes a fraudulent offer, the audience immediately sees who published it and can voice their complaints directly under the post. In this case, the company will suffer not just financial but visible reputational damage.

Third, on social networks many companies save “custom audiences” — ready-made collections of customers interested in various products and services or who have previously visited the company’s website. Although these usually can’t be pulled (that is, stolen) from a social network, unfortunately it’s possible to create malvertising on their basis that’s adapted to a specific audience and is thus more effective.

Unscheduled circular

Another effective way for cybercriminals to get free advertising is to hijack an account on an email service provider. If the attacked company is large enough, it may have millions of subscribers in its mailing list.

This access can be exploited in a number of ways: by mailing an irresistible fake offer to email addresses in the subscriber database; by covertly substituting links in planned advertising emails; or by simply downloading the subscriber database in order to send them phishing emails in other ways later on.

Again, the damage suffered is financial, reputational, and technical. By “technical” we mean the blocking of future incoming messages by mail servers. In other words, after the malicious mailouts, the victim company will have to resolve matters not only with the mailing platform but also potentially with specific email providers that have blocked you as a source of fraudulent correspondents.

A very nasty side effect of such an attack is the leakage of customers’ personal data. This is an incident in its own right — capable of inflicting not only reputational damage but also landing you with a fine from data protection regulators.

Fifty shades of website

A website hack can go unnoticed for a long time — especially for a small company that does business primarily through social networks or offline. From the cybercriminals’ point of view, the goals of a website hack vary depending on the type of site and the nature of the company’s business. Leaving aside cases when website compromise is part of a more sophisticated cyberattack, we can generally delineate the following varieties.

First, threat actors can install a web skimmer on an e-commerce site. This is a small, well-disguised piece of JavaScript embedded directly in the website code that steals card details when customers pay for a purchase. The customer doesn’t need to download or run anything — they simply pay for goods or services on the site, and the attackers skim off the money.

Second, attackers can create hidden subsections on the site and fill them with malicious content of their choosing. Such pages can be used for a wide variety of criminal activity, be it fake giveaways, fake sales, or distributing Trojanized software. Using a legitimate website for these purposes is ideal, just as long as the owners don’t notice that they have “guests”. There is, in fact, a whole industry centered around this practice. Especially popular are unattended sites created for some marketing campaign or one-time event and then forgotten about.

The damage to a company from a website hack is broad-ranging, and includes: increased site-related costs due to malicious traffic; a decrease in the number of real visitors due to a drop in the site’s SEO ranking; potential wrangles with customers or law enforcement over unexpected charges to customers’ cards.

Hotwired web forms

Even without hacking a company’s website, threat actors can use it for their own purposes. All they need is a website function that generates a confirmation email: a feedback form, an appointment form, and so on. Cybercriminals use automated systems to exploit such forms for spamming or phishing.

The mechanics are straightforward: the target’s address is entered into the form as a contact email, while the text of the fraudulent email itself goes in the Name or Subject field, for example, “Your money transfer is ready for issue (link)”. As a result, the victim receives a malicious email that reads something like: “Dear XXX, your money transfer is ready for issue (link). Thank you for contacting us. We’ll be in touch shortly”. Naturally, the anti-spam platforms eventually stop letting such emails through, and the victim company’s form loses some of its functionality. In addition, all recipients of such mail think less of the company, equating it with a spammer.

How to protect PR and marketing assets from cyberattacks

Since the described attacks are quite diverse, in-depth protection is called for. Here are the steps to take:

• Conduct cybersecurity awareness training across the entire marketing department. Repeat it regularly;
• Make sure that all employees adhere to password best practices: long, unique passwords for each platform and mandatory use of two-factor authentication — especially for social networks, mailing tools, and ad management platforms;
• Eliminate the practice of using one password for all employees who need access to a corporate social network or other online tool;
• Instruct employees to access mailing/advertising tools and the website admin panel only from work devices equipped with full protection in line with company standards (EDR or internet security, EMM/UEM, VPN);
• Urge employees to install comprehensive protection on their personal computers and smartphones;
• Introduce the practice of mandatory logout from mailing/advertising platforms and other similar accounts when not in use;
• Remember to revoke access to social networks, mailing/advertising platforms, and website admin immediately after an employee departs the company;
• Regularly review email lists sent out and ads currently running, together with detailed website traffic analytics so as to spot anomalies in good time;
• Make sure that all software used on your websites (content management system, its extensions) and on work computers (such as OS, browser, and Office), is regularly and systematically updated to the very latest versions;
• Work with your website support contractor to implement form validation and sanitization; in particular, to ensure that links can’t be inserted into fields that aren’t intended for such a purpose. Also set a “rate limit” to prevent the same actor from making hundreds of requests a day, plus a smart captcha to guard against bots.

Complicating matters is the heightened uncertainty about the identity of your virtual conversational partner, and the disconcerting possibility of digital stalking.

In fact, we recently commissioned a report on digital stalking to ascertain the reality of these risks and concerns. We engaged with over 21,000 participants to cast light on the alarming prevalence of digital abuse experienced by those in pursuit of love.

Revelations from the survey

As per our survey findings, 34% of respondents believe that googling or checking social media accounts of someone they’ve just started dating is a form of “due diligence”. While seemingly harmless, 23% reported encountering some form of online stalking from a new romantic interest, suggesting that some individuals may take a swift Google search a bit too far.

Furthermore, and somewhat alarmingly, over 90% of respondents expressed a willingness to share or consider sharing passwords that grant access to their location. While seemingly innocuous on the surface, there can loom there specter of stalkerware: silent software capable of continuously tracking user whereabouts and spying on messages.

How to protect yourself? Tips from the experts

We’ve compiled advice from leading online security, dating, and safety experts to help you navigate the waters of love safely this Valentine’s Day!

Enhanced password safety measures

• Create complex passwords using a mix of letters, numbers, and symbols.
• Never reuse passwords across different sites and apps; keep them private.
• Use two-factor authentication for an added layer of security.
• Change your password immediately if you’ve shared it with someone you’ve been dating but are no longer in touch with.
• Use a password manager to keep all your passwords strong and safe.

Proactive verification techniques of online dating profiles

• Run a reverse-image search for that profile; if it appears on multiple pages under various names, it’s likely a catfisher.
• Look for inconsistencies in daters’ stories and profile details.
• Be wary of sudden, intense expressions of love, or requests for money.
• Use video calls to verify a dater’s identity before meeting in person.

Maximizing online dating profile security:

• Conduct your own privacy audit of your social media accounts to understand what’s publicly visible.
• Customize your privacy settings to control who can see your posts and personal information.
• Regularly review your friends/followers list to ensure you know who has access to your information.

Strategic sharing guidelines:

• Avoid posting details that could disclose your location, workplace, or routines.
• Think twice before sharing emotionally charged or intimate content.
• Be mindful of metadata or other identifiable clues in photos (like geotags) that can reveal your identity, location, or details you’d rather keep private.
• Set personal boundaries on the type of information you share early on in a relationship; only reveal personal details gradually as trust builds over time.
• Listen to your instincts – if something feels off, take a step back and give yourself a moment.
• Consider how the data you share could be used to piece together a profile or compromise your physical safety.

Comprehensive safety plan for offline meetings:

• Choose well-lit, public places for initial meetings.
• Avoid sharing or displaying personal items that might reveal your address or sensitive information.
• Arrange your own transportation to and from the meeting place.
• Have a check-in system with a friend or family member.

As we embrace the possibilities for romance and connection in the digital age, let’s not forget the importance of our safety and wellbeing. By implementing these strategies, you can confidently explore the world of online dating while safeguarding both your digital and physical self. For more details, please take a look at our safe dating guide. And our premium security solution with identity protection and privacy features can help you keep calm and carry on… dating!

There are three reasons why this situation might occur:

1. A hacking attempt. Hackers have somehow learned, guessed, or stolen your password and are now trying to use it to access your account. You’ve received a legitimate message from the service they are trying to access.
2. Preparation for a hack. Hackers have either learned your password or are trying to trick you into revealing it, in which case the OTP message is a form of phishing. The message is fake, although it may look very similar to a genuine one.
3. Just a mistake. Sometimes online services are set up to first request a confirmation code from a text message, and then a password, or authenticate with just one code. In this case, another user could have made a typo and entered your phone/email instead of theirs — and you receive the code.

As you can see, there may be a malicious intent behind this message. But the good news is that at this stage, there has been no irreparable damage, and by taking the right action you can avoid any trouble.

What to do when you receive a code request

Most importantly, don’t click the confirmation button if the message is in the “Yes/No” form, don’t log in anywhere, and don’t share any received codes with anyone.

If the code request message contains links, don’t follow them.

These are the most essential rules to follow. As long as you don’t confirm your login, your account is safe. However, it’s highly likely that your account’s password is known to attackers. Therefore, the next thing to do is change the password for this account. Go to the relevant service by entering its web address manually — not by following a link. Enter your password, get a new (this is important!) confirmation code, and enter it. Then find the password settings and set a new, strong password. If you use the same password for other accounts, you’d need to change the password for them, too — but make sure to create a unique password for each account. We understand that it’s difficult to remember so many passwords, so we highly recommend storing them in a dedicated password manager.

This stage — changing your passwords — is not so urgent. There’s no need to do it in a rush, but also don’t postpone it. For valuable accounts (like banking), attackers may try to intercept the OTP if it’s sent via text. This is done through SIM swapping (registering a new SIM card to your number) or launching an attack via the operator’s service network utilizing a flaw in the SS7 communications protocol. Therefore, it’s important to change the password before the bad guys attempt such an attack. In general, one-time codes sent by text are less reliable than authenticator apps and USB tokens. We recommend always using the most secure 2FA method available; a review of different two-factor authentication methods can be found here.

What to do if you’re receiving a lot of OTP requests

In an attempt to make you confirm a login, hackers may bombard you with codes. They try to log in to the account again and again, hoping that you’ll either make a mistake and click “Confirm”, or go to the service and disable 2FA out of annoyance. It’s important to keep cool and do neither. The best thing to do is go to the service’s site as described above (open the site manually, not through a link) and quickly change the password; but for this, you’ll need to receive and enter your own, legitimate OTP. Some authentication requests (for example, warnings about logging into Google services) have a separate “No, it’s not me” button — usually, this button causes automated systems on the service side to automatically block the attacker and any new 2FA requests. Another option, albeit not the most convenient one, would be to switch the phone to silent or even airplane mode for half-an-hour or so until the wave of codes subsides.

What to do if you accidentally confirm a stranger’s login

This is the worst-case scenario, as you’ve likely allowed an attacker into your account. Attackers act quickly in changing settings and passwords, so you’ll have to play catch-up and deal with the consequences of the hack. We’ve provided advice for this scenario here.

How to protect yourself?

The best method of defense in this case is to stay one step ahead of the criminals: si vis pacem, para bellum. This is where our security solution comes in handy. It tracks leaks of your accounts linked to both email addresses and phone numbers, including on the dark web. You can add the phone numbers and email addresses of all your family members, and if any account data becomes public or is discovered in leaked databases, Kaspersky Premium will alert you and give advice on what to do.

Included in the subscription, Kaspersky Password Manager will warn you about compromised passwords and help you change them, generating new uncrackable passwords for you. You can also add two-factor authentication tokens to it or easily transfer them from Google Authenticator in a few clicks. Secure storage for your personal documents will safeguard your most important documents and files, such as passport scans or personal photos, in encrypted form so that only you can access them.

Moreover, your logins, passwords, authentication codes and saved documents will be available from any of your devices — computer, smartphone or tablet — so even if you somehow lose your phone, you’ll lose neither your data nor access, and you’ll be able to easily restore them on a new device. And to access all your data, you only need to remember one password — the main one — which isn’t stored anywhere except in your head and is used for banking-standard AES data encryption.

With the “zero disclosure principle”, no one can access your passwords or data — not even Kaspersky employees. The reliability and effectiveness of our security solutions have been confirmed by numerous independent tests, with one recent example being our home protection solutions having received the highest award — Product of the Year 2023 — in tests run by the independent European laboratory AV-Comparatives.

What a crypto (wallet) drainer is

A crypto drainer — or crypto wallet drainer — is a type of malware that’s been targeting crypto owners since it first appeared just over a year ago. A crypto drainer is designed to (quickly) empty crypto wallets automatically by siphoning off either all or just the most valuable assets they contain, and placing them into the drainer operators’ wallets.

As an example of this kind of theft, let us review the theft of 14 Bored Ape NFTs with a total value of over $1 million, which occurred on December 17, 2022. The scammers set up a fake website for the real Los Angeles-based movie studio Forte Pictures, and contacted a certain NFT collector on behalf of the company. They told the collector that they were making a film about NFT. Next, they asked the collector if they wanted to license the intellectual property (IP) rights to one of their Bored Ape NFTs so it could be used in the movie.

According to the scammers, this required signing a contract on “Unemployd”, ostensibly a blockchain platform for licensing NFT-related intellectual property. However, after the victim approved the transaction, it turned out that all 14 Bored Ape NFTs belonging to them were sent to the malicious actor for a paltry 0.00000001 ETH (about US¢0.001 at the time).

What the request to sign the “contract” looked like (left), and what actually happened after the transaction was approved (right). Source

The scheme relied to a large extent on social engineering: the scammers courted the victim for more than a month with email messages, calls, fake legal documents, and so on. However, the centerpiece of this theft was the transaction that transferred the crypto assets into the scammers’ ownership, which they undertook at an opportune time. Such a transaction is what drainers rely on.

How crypto drainers work

Today’s drainers can automate most of the work of emptying victims’ crypto wallets. First, they can help to find out the approximate value of crypto assets in a wallet and identify the most valuable ones. Second, they can create transactions and smart contracts to siphon off assets quickly and efficiently. And finally, they obfuscate fraudulent transactions, making them as vague as possible, so that it’s difficult to understand what exactly happens once the transaction is authorized.

Armed with a drainer, malicious actors create fake web pages posing as websites for cryptocurrency projects of some sort. They often register lookalike domain names, taking advantage of the fact that these projects tend to use currently popular domain extensions that resemble one another.

Then the scammers use a technique to lure the victim to these sites. Frequent pretexts are an airdrop or NFT minting: these models of rewarding user activity are popular in the crypto world, and scammers don’t hesitate to take advantage of that.

These X (Twitter) ads promoted NFT airdrops and new token launches on sites that contain the drainer. Source

Also commonplace are some totally unlikely schemes: to draw users to a fake website, malicious actors recently used a hacked Twitter account that belonged to a… blockchain security company!

X (Twitter) ads for a supposedly limited-edition NFT collection on scam websites. Source

Scammers have also been known to place ads on social media and search engines to lure victims to their forged websites. In the latter case, it helps them intercept customers of real crypto projects as they search for a link to a website they’re interested in. Without looking too closely, users click on the “sponsored” scam link, which is always displayed above organic search results, and end up on the fake website.

Google search ads with links to scam websites containing crypto drainers. Source

Then, the unsuspecting crypto owners are handed a transaction generated by the crypto drainer to sign. This can result in a direct transfer of funds to the scammers’ wallets, or more sophisticated scenarios such as transferring the rights to manage assets in the victim’s wallet to a smart contract. One way or another, once the malicious transaction is approved, all the valuable assets get siphoned off to the scammers’ wallets as quickly as possible.

How dangerous crypto drainers are

The popularity of drainers among crypto scammers is growing rapidly. According to a recent study on crypto drainer scams, more than 320,000 users were affected in 2023, with total damage of just under $300 million. The fraudulent transactions recorded by the researchers included around a dozen — worth more than a million dollars each. The largest value of loot taken in a single transaction amounted to a little over $24 million!

Curiously, experienced cryptocurrency users fall prey to scams like this just like newbies. For example, the founder of the startup behind Nest Wallet was recently robbed of $125,000 worth of stETH by scammers who used a fake website promising an airdrop.

How to protect against crypto drainers

• Don’t put all your eggs in one basket: try to keep only a portion of your funds that you need for day-to-day management of your projects in hot crypto wallets, and store the bulk of your crypto assets in cold wallets.
• To be on the safe side, use multiple hot wallets: use one for your Web3 activities — such as drop hunting, use another to keep operating funds for these activities, and transfer your profits to cold wallets. You’ll have to pay extra commission for transfers between the wallets, but malicious actors would hardly be able to steal anything from the empty wallet used for airdrops.
• Keep checking the websites you visit time and time again. Any suspicious detail is a reason to stop and double-check it all again.
• Don’t click on sponsored links in search results: only use links in organic search results – that is, those that aren’t marked “sponsored”.
• Review every transaction detail carefully.
• Use companion browser extensions to verify transactions. These help identify fraudulent transactions and highlight what exactly will happen as a result of the transaction.
• Finally, be sure to install reliable security on all devices you use to manage crypto assets.

How protection from crypto threats works in Kaspersky solutions

By the way, Kaspersky solutions offer multi-layered protection against crypto threats. Be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled and read our detailed instructions on protecting both hot and cold crypto wallets.

We recently discovered a new campaign of this kind targeting Apple computers running newer versions of macOS (13.6 and later) and leveraging certain Domain Name System (DNS) features for downloading malicious payloads. Victims are offered to download cracked versions of popular apps for free. So what’s in store for those who give in to temptation?

Fake activation

After downloading a disk image purportedly containing the cracked app, the victim is prompted to copy two files to the Applications folder: the app itself, and a so-called “activator”. If you just copy and launch the app, it won’t run. According to the manual, the cracked app must be “activated” first. Our analysis found that the activator doesn’t do anything sophisticated: it simply removes several bytes from the beginning of the application executable to make it functional. In other words, the cybercriminals have modified a pre-cracked app to prevent it from running unless it’s “activated” first. To no one’s surprise, the activator has a nasty side-effect: it asks for admin permissions when it runs, and uses those to install a downloader script in the system. The script then downloads from the web a further payload — a backdoor that requests commands from its operators every now and then.

Installation manual, activator window, and prompt for administrator password

Linking via DNS

To download the malicious script, the activator employs a tool that’s both exotic and innocent-looking: the Domain Name System (DNS). We wrote about DNS and Secure DNS earlier, but we left out an interesting technical feature of the service. Each DNS record not only links the internet name of a server with its IP address, but can also contain a free-form text description of the server — called a TXT record. This is what the malicious actors exploited by embedding snippets of malicious code within TXT records. The activator downloads three TXT records belonging to a malicious domain and assembles a script from these.

Although seemingly complicated, the setup has a number of advantages. To start with, the activator does nothing particularly suspicious: any web application requests DNS records — this is how any communication session has to begin. Secondly, the malicious actors can easily update the script to modify the infection pattern and the final payload by editing the TXT records of the domain. And finally, removing malicious content from the Web is no easy task due to the distributed nature of the Domain Name System. Internet service providers and companies would find it hard to even detect the violation of their policies because each of these TXT records is just a snippet of malicious code that poses no threat in and of itself.

The final boss

The periodically-running download script allows the attackers to update the malicious payload and perform whatever actions they want on the victim’s computer. At the time of our analysis, they showed interest in stealing crypto. The backdoor automatically scans the victim’s computer for Exodus or Bitcoin wallets, and replaces these with trojanized versions. An infected Exodus wallet steals the user’s seed phrase, and an infected Bitcoin wallet — the encryption key that’s used to encrypt private keys. The latter gives the attackers the ability to sign transfers on behalf of the victim. This is how one can try to save a few dozen dollars on pirated apps — only to lose a vastly larger amount in crypto.

Protecting yourself against an attack on crypto wallets

This isn’t novel but still true: to keep away from this threat and avoid becoming a victim, download apps from official marketplaces only. Before downloading an app from a developer’s website, make sure it’s the genuine item and not from one of many phishing sites.

If you’re thinking of downloading a cracked version of an app, think again. “Scrupulous and trustworthy” pirating sites are about as rare as elves and unicorns.

No matter how highly you think of your computer literacy, caution, and attention to detail, be sure to use comprehensive security on all your devices: phones, tablets, and computers. Kaspersky Premium is a good cross-platform solution. Check that all basic and advanced security features are enabled. As for crypto owners, in addition to the above, we suggest reading our detailed instructions on protecting both hot and cold crypto wallets.

Vulnerability CVE-2024-0204 in GoAnywhere MFT

Let’s start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at that time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to clients.

The essence of the vulnerability is as follows. After a user completes initial setup of GoAnywhere, the product’s internal logic blocks access to the initial account setup page. Then when they attempt to access this page, they’re redirected either to the admin panel (if they’re authenticated as an administrator) or to the authentication page.

However, researchers discovered that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges.

As proof of the attack’s feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path:

Part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that enables the creation of users with administrator privileges

In general, this vulnerability closely resembles that discovered in Atlassian Confluence Data Center and Confluence Server a few months ago; there, too, it was possible to create admin accounts in a few simple steps.

Fortra assigned vulnerability CVE-2024-0204 “critical” status, with a CVSS 3.1 score of 9.8 out of 10.

A little context is necessary here. In 2023, the Clop ransomware group already exploited vulnerabilities in Fortra GoAnywhere MFT and also similar products from other developers — Progress MOVEit, Accellion FTA, and SolarWinds Serv-U — to attack hundreds of organizations worldwide. In particular, companies such as Procter & Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.A.), and the municipality of Toronto suffered from the exploitation of the GoAnywhere MFT vulnerability.

How to defend against CVE-2024-0204 exploitation

The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 immediately, which fixes the logic for denying access to the InitialAccountSetup.xhtml page.

If you can’t install the update for some reason, you can try one of two simple workarounds:

• Delete the InitialAccountSetup.xhtml file in the installation folder and restart the service;

or

• Replace InitialAccountSetup.xhtml with a blank file and restart the service.

You should also use an EDR (Endpoint Detection and Response) solution to monitor suspicious activity in the corporate network. If your internal cybersecurity team lacks the skills or resources for this, you can use an external service to continuously hunt for threats to your organization and swiftly respond to them.

Why Polish hackers broke into trains

Around five years ago, Poland’s Koleje Dolnośląskie (KD) rail operator bought 11 Impuls 45WE trains from domestic manufacturer Newag. Fast-forward to recent times, and after five years of heavy use it was time for a service and some maintenance: a rather complex and expensive process that a train has to undergo after clocking up a million kilometers.

To select a workshop to service the trains, KD arranged a tender. Newag was among the bidders, but they lost to Serwis Pojazdów Szynowych (SPS), which underbid them by a significant margin.

However, once SPS was done with servicing the first of the trains, they found that it simply wouldn’t start up any more — despite seeming to be fine both mechanically and electrically. All kinds of diagnostic instruments revealed that the train had zero defects in it, and all the mechanics and electricians that worked on it agreed. No matter: the train simply would not start.

Shortly after, several other trains serviced by SPS — plus another taken to a different shop — ended up in a similar condition. This is when SPS, after trying repeatedly to unravel the mystery, decided to bring in a (white-hat) hacker team.

Inside the driver’s cabin of one of the Newag Impuls trains that were investigated. Source

Manufacturer’s malicious implants and backdoors in the train firmware

The researchers spent several months reverse-engineering, analyzing, and comparing the firmware from the trains that had been bricked and those still running. As a result, they learned how to start up the mysteriously broken-down trains, while at the same time discovering a number of interesting mechanisms embedded in the code by Newag’s software developers.

For example, they found that one of the trains’ computer systems contained code that checked GPS coordinates. If the train spent more than 10 days in any one of certain specified areas, it wouldn’t start anymore. What were those areas? The coordinates were associated with several third-party repair shops. Newag’s own workshops were featured in the code too, but the train lock wasn’t triggered in those, which means they were probably used for testing.

Areas on the map where the trains would be locked. Source

Another mechanism in the code immobilized the train after detecting that the serial number of one of the parts had changed (indicating that this part had been replaced). To mobilize the train again, a predefined combination of keys on the onboard computer in the driver’s cabin had to be pressed.

A further interesting booby trap was found inside one of the trains’ systems. It reported a compressor malfunction if the current day of the month was the 21^st or later, the month was either 11^th or later and the year was 2021 or later. It turned out that November 2021, was the scheduled maintenance date for that particular train. The trigger was miraculously avoided because the train left for maintenance earlier than planned and returned for a service only in January 2022, the 1^st month, which is obviously before 11^th.

Another example: one of the trains was found to contain a device marked “UDP<->CAN Converter”, which was connected to a GSM modem to receive lock status information from the onboard computer.

The most frequently found mechanism — and we should note here that each train had a different set of mechanisms — was designed to lock the train if it remained parked for a certain number of days, which signified maintenance for a train in active service. In total, Dragon Sector investigated 30 Impuls trains operated by KD and other rail carriers. A whopping 24 of them were found to contain malicious implants of some sort.

One of the researchers next to the train. Source

How to protect your systems from malicious implants

This story just goes to show that you can encounter malicious implants in the most unexpected of places and in all kinds of IT systems. So, no matter what kind of project you’re working on, if it contains any third-party code — let alone a whole system based on it — it makes sense to at least run an information security audit before going live.