Looks legit, doesn't it? But it has embedded malware. Traders, you have been warned!

in #hacking · 8 years ago (edited)

Malware that specifically targets crypto traders. Within hours a hacker bot gained remote access to the compromised machine, stole the email account password, attempted to log in, and attempted to hijack the Poloniex exchange account and clear out all the crypto.
[image: scam site]
Not a bad looking web site (allcoinmarkets.com), but the top banner logos are a bit fuzzy (that should be the first red flag). The download for Windows fetches a file called CoinMarketCap.rar. The execution seems dodgy, and then, instead of installing anything, it opens a legitimate online trading platform, tradingview.com, at the Bitcoin page (red flags 2 and 3).
In the background, Audio_Controller.exe is placed in the startup directory, along with a Backdoor:Win32/Oztratz!rfn virus.
I use an HP laptop which thankfully has a light above the embedded camera. While working later, the camera light came on, indicating that the camera was active. Suspecting a hack attempt, I disabled my internet connection within a couple of seconds and immediately started a virus scan.
It picked up the Backdoor:Win32/Oztratz!rfn virus and required a reboot. On reboot, Audio_Controller.exe was flagged as suspect and I deleted it. It had already created another Backdoor:Win32/Oztratz!rfn virus, which was quarantined immediately.
After killing the virus I immediately logged back into Gmail and was greeted with the following two mails:
“Someone just used your password to try to sign in to your Google Account
Details:
Wednesday, May 18, 2016 8:10 PM (Israel Daylight Time)
Israel*

Google stopped this sign-in attempt, but you should review your recently used devices:”
Obviously in those few seconds the hacker bot had obtained my password. I immediately changed it.
Poloniex Google authenticator expired
Poloniex Security [email protected] via orbit.eternalimpact.info
Dear Poloniex member.
Your Google authenticator has been expired, please disable the old code, and reable it.
You can follow this link:
https://www.poloniex.com/2fa
Clearly the attempt was to get into the exchange account, but two-factor authentication had stopped it; the mail was a ploy to get me to disable it. If I had fallen for that, the account would have been hijacked, and that would have been costly.
Moral of the story: beware of dodgy software downloads and run a virus scan immediately if you suspect anything; use all the recommended password and 2FA protection measures provided; and beware of the open camera on devices.
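The post above describes the dropped Audio_Controller.exe being placed in the Windows startup directory. As an added example that is not part of the original post, the following PowerShell snippet enumerates the per-user and all-users Startup folders (and, going one step beyond the post, the per-user and machine Run registry keys, which are the other common autostart location) and prints each entry with its creation time, SHA-256 hash and Authenticode signature status, so that an unsigned, freshly created binary stands out. It assumes nothing about the malware beyond the location the post names; the Run-key check is an added generalisation.

```powershell
# Added example (not code from the original post). Enumerate Windows autostart
# locations and show hash + signature status for each entry. Run as Administrator.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # %APPDATA%\...\Start Menu\Programs\Startup (per user)
    [Environment]::GetFolderPath('CommonStartup')  # %ProgramData%\...\Start Menu\Programs\StartUp (all users)
)

# Added generalisation: the Run keys are the other usual place a dropper persists.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-FileReport {
    param([string]$Path, [string]$Source)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Source = $Source; Path = $Path; Created = $null;
                                  SHA256 = 'missing'; Signature = 'n/a'; Signer = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Source    = $Source
        Path      = $Path
        Created   = $item.CreationTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status                   # 'NotSigned' on a random dropped binary
        Signer    = $sig.SignerCertificate.Subject
    }
}

$results = @()

# 1. Files dropped straight into a Startup folder, resolving .lnk shortcuts to their target
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
        $target = $f.FullName
        if ($f.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($f.FullName).TargetPath
        }
        $results += Get-FileReport -Path $target -Source "StartupFolder: $($f.Name)"
    }
}

# 2. Run-key values; strip quotes and arguments to get the executable path
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $results += Get-FileReport -Path $exe -Source "RunKey: $($p.Name)"
    }
}

# Unsigned or missing entries first; a legitimate audio driver would normally be signed.
$results | Sort-Object { $_.Signature -ne 'Valid' } -Descending | Format-Table -AutoSize
```

The hash column is there so a suspicious entry can be looked up against your scanner's database before deleting it; the creation time lets you line the entry up with the time of the dodgy download, as the post does by hand.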


Awesome breakdown!

Have you ever thought of running a clean Linux instance for trading and crypto, and a potentially compromised primary OS that would be used for non-critical things?

Yes, that's the plan when I start using really big money.
I'm just learning at this stage so still working on a non-dedicated machine. This incident has really re-emphasized SECURITY, SECURITY, SECURITY for me!

Update
Now a phishing attempt from a "rock star" no less LOL

Bily Ocean [email protected]
to ganjalee44
Absolutely New mining Service powered by Genesis Mining. Sign up now,upgrade your hash power by using my discount coupon " miJhr2" and start - https://www.kuna.cloud/a/300745

Best regards,
Bily Ocean
[email protected]

To the trained eye it does not look legit. Don't trust anything crypto-related that asks you to download, and indeed don't download anything at all on systems being used with crypto.
