Marko Polo turned Zoom into a trap for gamers and crypto influencers

30 ways to trick a profitable victim.

Researchers at Recorded Future have discovered a large-scale cyberattack that affected tens of thousands of devices around the world. As it turned out later, the hacker group Marko Polo, which specializes in fraud in the field of cryptocurrencies and online games, is behind this campaign.

Experts from Insikt Group, a division of Recorded Future, found that the main targets of the attackers were popular gamers, cryptocurrency influencers, and IT specialists. The attackers likely select a target up front based on how much it stands to lose financially if the attack succeeds.

Marko Polo operates according to a well-established scheme: members of the group contact potential victims through social networks, introducing themselves as HR employees or recruiters. They offer attractive jobs and direct victims to malicious sites where they download infected software.

The researchers characterize Marko Polo as a "traffic redirection team" with financial motivation. The group consists of Russian, Ukrainian, and English-speaking members, with the leadership and main operators likely based in post-Soviet countries.

During the investigation, Insikt Group discovered more than 30 different fraudulent schemes on social networks linked to Marko Polo. In addition, the hackers compromised over 20 builds of the Zoom video conferencing software. These malicious versions are spread through spear phishing on social media and masquerade as legitimate clients, but in fact contain the Atomic macOS Stealer (AMOS) Trojan.

In addition to attacks through fake versions of Zoom, Marko Polo is engaged in hacking commercial software and injecting malicious code into files distributed via the BitTorrent protocol. The grouping is disguised as various blockchain projects, online games, office applications, and video conferencing tools.

One of the largest fraudulent campaigns was called PartyWorld. In this scheme, the attackers imitate popular games such as Fortnite and Party Icon and promote them through social networks. Users who visit the PartyWorld website are offered a download of the game client for Windows or macOS. Instead of a game, an infostealer is installed on the device.

Another campaign, called Nortex, uses a messenger, an office application, and a social network all at once as cover. The hackers created a fake copy of the SendingMe Web3 project, through which victims receive the HijackLoader and Stealc Trojans instead of the promised functionality.

Researchers estimate that the Marko Polo attacks have already leaked sensitive personal and corporate data belonging to many users. The group's illicit income is estimated in the millions of dollars. Insikt Group experts found messages from victims who lost all their savings as a result of the hackers' actions.

Marko Polo is particularly dangerous because of how quickly it adapts to detection attempts. The group regularly renames its fraudulent schemes, updates its infrastructure, and modifies its tactics to bypass security tools. Experts note that this flexibility not only makes Marko Polo a persistent threat, but also indicates that the group will keep improving its methods to stay one step ahead of cybersecurity systems.
