Login
An employee at Elon Muskβs artificial intelligence company xAIΒ leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for working with internal data from Muskβs companies, including SpaceX, Tesla and Twitter/X, KrebsOnSecurity has learned.
Image: Shutterstock, @sdx15.
Philippe Caturegli, βchief hacking officerβ at the security consultancy Seralys, was the first to publicize the leak of credentials for an x.ai application programming interface (API) exposed in the GitHub code repository of a technical staff member at xAI.
Caturegliβs post on LinkedIn caught the attention of researchers at GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardianβs systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.
GitGuardianβs Eric Fourrier told KrebsOnSecurity the exposed API key had access to several unreleased models of Grok, the AI chatbot developed by xAI. In total, GitGuardian found the key had access to at least 60 fine-tuned and private LLMs.
βThe credentials can be used to access the X.ai API with the identity of the user,β GitGuardian wrote in an email explaining their findings to xAI. βThe associated account not only has access to public Grok models (grok-2-1212, etc) but also to what appears to be unreleased (grok-2.5V), development (research-grok-2p5v-1018), and private models (tweet-rejector, grok-spacex-2024-11-04).β
Fourrier found GitGuardian had alerted the xAI employee about the exposed API key nearly two months ago β on March 2. But as of April 30, when GitGuardian directly alerted xAIβs security team to the exposure, the key was still valid and usable. xAI told GitGuardian to report the matter through its bug bounty program at HackerOne, but just a few hours later the repository containing the API key was removed from GitHub.
βIt looks like some of these internal LLMs were fine-tuned on SpaceX data, and some were fine-tuned with Tesla data,β Fourrier said. βI definitely donβt think a Grok model thatβs fine-tuned on SpaceX data is intended to be exposed publicly.β
xAI did not respond to a request for comment. Nor did the 28-year-old xAI technical staff member whose key was exposed.
Carole Winqwist, chief marketing officer at GitGuardian, said giving potentially hostile users free access to private LLMs is a recipe for disaster.
βIf youβre an attacker and you have direct access to the model and the back end interface for things like Grok, itβs definitely something you can use for further attacking,β she said. βAn attacker could it use for prompt injection, to tweak the (LLM) model to serve their purposes, or try to implant code into the supply chain.β
The inadvertent exposure of internal LLMs for xAI comes as Muskβs so-called Department of Government Efficiency (DOGE) has been feeding sensitive government records into artificial intelligence tools. In February, The Washington Post reported DOGE officials were feeding data from across the Education Department into AI tools to probe the agencyβs programs and spending.
The Post said DOGE plans to replicate this process across many departments and agencies, accessing the back-end software at different parts of the government and then using AI technology to extract and sift through information about spending on employees and programs.
βFeeding sensitive data into AI software puts it into the possession of a systemβs operator, increasing the chances it will be leaked or swept up in cyberattacks,β Post reporters wrote.
Wired reported in March that DOGE has deployed a proprietary chatbot called GSAi to 1,500 federal workers at the General Services Administration, part of an effort to automate tasks previously done by humans as DOGE continues its purge of the federal workforce.
A Reuters report last month said Trump administration officials told some U.S. government employees that DOGE is using AI to surveil at least one federal agencyβs communications for hostility to President Trump and his agenda. Reuters wrote that the DOGE team has heavily deployed Muskβs Grok AI chatbot as part of their work slashing the federal government, although Reuters said it could not establish exactly how Grok was being used.
Caturegli said while there is no indication that federal government or user data could be accessed through the exposed x.ai API key, these private models are likely trained on proprietary data and may unintentionally expose details related to internal development efforts at xAI, Twitter, or SpaceX.
βThe fact that this key was publicly exposed for two months and granted access to internal models is concerning,β Caturegli said. βThis kind of long-lived credential exposure highlights weak key management and insufficient internal monitoring, raising questions about safeguards around developer access and broader operational security.β
On April 9, Twitter/X began automatically modifying links that mention βtwitter.comβ to read βx.comβ instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links β such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.
The message displayed when one visits goodrtwitter.com, which Twitter/X displayed as goodrx.com in tweets and messages.
A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in βtwitter.com,β although research so far shows the majority of these domains have been registered βdefensivelyβ by private individuals to prevent the domains from being purchased by scammers.
Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, βAre you serious, X Corp?β
Update: It appears Twitter/X has corrected its mistake, and no longer truncates any domain ending in βtwitter.comβ to βx.com.β
Original story:
The same message is on other newly registered domains, including goodrtwitter.com (goodrx.com), neobutwitter.com (neobux.com), roblotwitter.com (roblox.com), square-enitwitter.com (square-enix.com) and yandetwitter.com (yandex.com). The message left on these domains indicates they were defensively registered by a user on Mastodon whose bio says they are a systems admin/engineer. That profile has not responded to requests for comment.
A number of these new domains including βtwitter.comβ appear to be registered defensively by Twitter/X users in Japan. The domain netflitwitter.com (netflix.com, to Twitter/X users) now displays a message saying it was βacquired to prevent its use for malicious purposes,β along with a Twitter/X username.
The domain mentioned at the beginning of this story β fedetwitter.com β redirects users to the blog of a Japanese technology enthusiast. A user with the handle βamplest0eβ appears to have registered space-twitter.com, which Twitter/X users would see as the CEOβs βspace-x.com.β The domain βametwitter.comβ already redirects to the real americanexpress.com.
Some of the domains registered recently and ending in βtwitter.comβ currently do not resolve and contain no useful contact information in their registration records. Those include firefotwitter[.]com (firefox.com), ngintwitter[.]com (nginx.com), and webetwitter[.]com (webex.com).
The domain setwitter.com, which Twitter/X until very recently rendered as βsex.com,β redirects to this blog post warning about the recent changes and their potential use for phishing.
Sean McNee, vice president of research and data at DomainTools, told KrebsOnSecurity it appears Twitter/X did not properly limit its redirection efforts.
βBad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity β many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more,β McNee said. βIt is also notable that several other globally popular brands, such as Rolex and Linux, were also on the list of registered domains.β
The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeleyβs School of Information, summed up the Schadenfreude thusly:
βTwitter just doing a βredirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.comβ is not absolutely the funniest thing I could imagine but itβs high up there.β
What does a hacker want with your social media account? Plenty.Β
Hackers hijack social media accounts for several reasons. Theyβll dupe the victimβs friends and followers with scams. Theyβll flood feeds with misinformation. And theyβll steal all kinds of personal informationβnot to mention photos and chats in DMs. In all, a stolen social media account could lead to fraud, blackmail, and other crimes.Β
Yet you have a strong line of defense that can prevent it from happening to you: multi-factor authentication (MFA).Β
MFA goes by other names, such as two-factor authentication and two-step verification. Yet they all boost your account security in much the same way. They add an extra step or steps to the login process. Extra evidence to prove that you are, in fact, you. Itβs in addition to the usual username/password combination, thus the βmulti-factorβ in multi-factor authentication.Β Β
Examples of MFA include:Β
With MFA, a hacker needs more than just your username and password to weasel their way into your account. They need that extra piece of evidence required by the login process, which is something only you should have.Β
This stands as a good reminder that you should never give out the information you use in your security questionsβand to never share your one-time security codes with anyone. In fact, scammers cobble up all kinds of phishing scams to steal that information.Β
Major social media platforms offer MFA, although they might call it by other names. As youβll see, several platforms call it βtwo-factor authentication.βΒ Β
Given the way that interfaces and menus can vary and get updated over time, your best bet for setting up MFA on your social media accounts is to go right to the source. Social media platforms provide the latest step-by-step instructions in their help pages. A simple search for βmulti-factor authenticationβ and the name of your social media platform should readily turn up results.Β
For quick reference, you can find the appropriate help pages for some of the most popular platforms here:Β
Another important reminder is to check the URL of the site youβre on to ensure itβs legitimate. Scammers set up all kinds of phony login and account pages to steal your info. Phishing scams like those are a topic all on their own. A great way you can learn to spot them is by giving our Phishing Scam Protection Guide a quick read. Itβs part of our McAfee Safety Series, which covers a broad range of topics, from romance scams and digital privacy to online credit protection and ransomware.Β Β
In many ways, your social media account is an extension of yourself. It reflects your friendships, interests, likes, and conversations. Only you should have access to that. Putting MFA in place can help keep it that way.Β
More broadly, enabling MFA across every account that offers it is a smart security move as well. It places a major barrier in the way of would-be hackers who, somehow, in some way, have ended up with your username and password.Β
On the topic, ensure your social media accounts have strong, unique passwords in place. The one-two punch of strong, unique passwords and MFA will make hacking your account tougher still. Wondering what a strong, unique password looks like? Hereβs a hint: a password with eight characters is less secure than you might think. With a quick read, you can create strong, unique passwords that are tough to crack.Β
Lastly, consider using comprehensive online protection software if you arenβt already. In addition to securing your devices from hacks and attacks, it can help protect your privacy and identity across your travels onlineβboth on social media and off.Β Β Β
The post How to Protect Your Social Media Passwords from Hacks and Attacks appeared first on McAfee Blog.
Authored by: Vallabh Chole and Yerko Grbic
On July 23rd, 2023, Elon Musk announced that the social networking site, Twitter was rebranding as βXβ. The news propelled Twitter and X to gain headlines and become the top trending topics on popular social media platforms.Β
Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to βtwitter-xβ and βtwitter fundβ to promote scam links with new X branding.Β
Figure 1. Twitter-X-themedΒ YouTube Live Stream by scammerΒ
Β
Figure 2. Twitter X Crypto ScamΒ
Β
This type of scam has been active for some time and uses an innovative approach to lure victims. To make this scam more authentic, attackers target famous Influencers with sponsorship emails that contain password-stealingΒ malware as email attachments. When password stealer malware is executed, the influencerβs session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems.Β
Figure 3. Malware Flow ChartΒ Β
Β
After the influencerβs account has been compromised, the scammer starts to rename channels, in this case to βTwitter CEOβ and then the scammers start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as βThanks Mr.Elonβ. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute files, which are common password-stealing malware, and distributed through compromised social media accounts.
Β McAfee+Β provides all-in-one online protection for yourΒ identity, privacy, and security. With McAfee+, youβll feel safer online because youβllΒ have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.
Figure 4. McAfee WebAdvisor detectionΒ
Β
Below is a detection heatmap for scam URLβs targeting twitter-x and promoting crypto scams.Β Β Β
Figure 5. Scam URL Detection HeatmapΒ
Β
Figure 6. Password stealer HeatmapΒ
Β
| Scam Siteβ―Β | Crypto Typeβ―Β | Walletβ―Β | Β |
| twitter-x[.]orgΒ | ETHβ―Β | 0xB1706fc3671115432eC9a997F802aC79CD7f378aΒ | Β |
| twitter-x[.]orgΒ | BTCβ―Β | 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsugΒ | Β |
| twitter-x[.]orgΒ | USDTβ―Β | 0xB1706fc3671115432eC9a997F802aC79CD7f378aΒ | Β |
| twitter-x[.]orgΒ | DOGEβ―Β | DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9JΒ | Β |
Β
The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.
Happy World Social Media Day! Todayβs a day about celebrating the life-long friendships youβve made thanks to social media. Social media was invented to help users meet new people with shared interests, stay in touch, and learn more about world. Facebook, Twitter, Instagram, Reddit, TikTok, LinkedIn, and the trailblazing MySpace have all certainly succeeded in those aims.Β
This is the first World Social Media Day where artificial intelligence (AI) joins the party. AI has existed in many forms for decades, but itβs only recently that AI-powered apps and tools are available in the pockets and homes of just about everyone. ChatGPT, Voice.ai, DALL-E, and others are certainly fun to play with and can even speed up your workday.Β Β
While scrolling through hilarious videos and commenting on your friendsβ life milestones are practically national pastimes, some people are making it their pastime to fill our favorite social media feeds with AI-generated content. Not all of it is malicious, but some AI-generated social media posts are scams.Β Β
Here are some examples of common AI-generated content that youβre likely to encounter on social media.Β
Have you scrolled through your video feed and come across voices that sound exactly like the current and former presidents? And are they playing video games together? Comic impersonators can be hilariously accurate with their copycatting, but the voice track to this video is spot on. This series of videos, created by TikToker Voretecks, uses AI voice generation to mimic presidential voices and pit them against each other to bring joy to their viewers.1 In this case, AI-generated voices are mostly harmless, since the videos are in jest. Context clues make it obvious that the presidents didnβt gather to hunt rogue machines together.Β
AI voice generation turns nefarious when itβs meant to trick people into thinking or acting a certain way. For example, an AI voiceover made it look like a candidate for Chicago mayor said something inflammatory that he never said.2 Fake news is likely to skyrocket with the fierce 2024 election on the horizon. Social media sites, especially Twitter, are an effective avenue for political saboteurs to spread their lies far and wide to discredit their opponent.Β
Finally, while it might not appear on your social media feed, scammers can use what you post on social media to impersonate your voice. According to McAfeeβs Beware the Artificial Imposters Report, a scammer requires only three seconds of audio to clone your voice. From there, the scammer may reach out to your loved ones with extremely realistic phone calls to steal money or sensitive personal information. The report also found that of the people who lost money to an AI voice scam, 36% said they lost between $500 and $3,000.Β
To keep your voice out of the hands of scammers, perhaps be more mindful of the videos or audio clips you post publicly. Also, consider having a secret safe word with your friends and family that would stump any would-be scammer.Β Β
Deepfake, or the alteration of an existing photo or video of a real person that shows them doing something that never happened, is another tactic used by social media comedians and fake news spreaders alike. In the case of the former, one company founded their entire business upon deepfake. The company is most famous for its deepfakes of Tom Cruise, though itβs evolved into impersonating other celebrities, generative AI research, and translation.3Β Β
When you see videos or images on social media that seem odd, look for a disclaimer β either on the post itself or in the posterβs bio β about whether the poster used deepfake technology to create the content. A responsible social media user will alert their audiences when the content they post is AI generated.Β Β
Again, deepfake and other AI-altered images become malicious when they cause social media viewers to think or act a certain way. Fake news outlets may portray a political candidate doing something embarrassing to sway voters. Or an AI-altered image of animals in need may tug at the heartstrings of social media users and cause them to donate to a fake fundraiser. Deepfake challenges the saying βseeing is believing.βΒ
ChatGPT is everyoneβs favorite creativity booster and taskmaster for any writing chore. It is also the new best friend of social media bot accounts. Present on just about every social media platform, bot accounts spread spam, fake news, and bolster follower numbers. Bot accounts used to be easy to spot because their posts were unoriginal and poorly written. Now, with the AI-assisted creativity and excellent sentence-level composition of ChatGPT, bot accounts are sounding a lot more realistic. And the humans managing those hundreds of bot accounts can now create content more quickly than if they were writing each post themselves.Β
In general, be wary when anyone you donβt know comments on one of your posts or reaches out to you via direct message. If someone says youβve won a prize but you donβt remember ever entering a contest, ignore it.Β
With the advent of mainstream AI, everyone should approach every social media post with skepticism. Be on the lookout for anything that seems amiss or too fantastical to be true. And before you share a news item with your following, conduct your own background research to assert that itβs true.Β
To protect or restore your identity should you fall for any social media scams, you can trust McAfee+. McAfee+ monitors your identity and credit to help you catch suspicious activity early. Also, you can feel secure in the $1 million in identity theft coverage and identity restoration services.Β
Social media is a fun way to pass the time, keep up with your friends, and learn something new. Donβt be afraid of AI on social media. Instead, laugh at the parodies, ignore and report the fake news, and enjoy social media confidently!Β
1Business Insider, βAI-generated audio of Joe Biden and Donald Trump trashtalking while gaming is taking over TikTokβΒ Β
2The Hill, βThe impending nightmare that AI poses for media, electionsβΒ
3Metaphysic, βCreate generative AI video that looks realβΒ
The post Be Mindful of These 3 AI Tricks on World Social Media Day appeared first on McAfee Blog.
Joseph James βPlugwalkJoeβ OβConnor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But OβConnor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by βSIM swapping,β a crime wherein fraudsters trick a mobile provider into diverting a customerβs phone calls and text messages to a device they control.
Joseph βPlugwalkJoeβ OβConnor, in a photo from a Globe Newswire press release Sept. 02, 2020, pitching OβConnor as a cryptocurrency expert and advisor.
On July 16, 2020 β the day after some of Twitterβs most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam βΒ KrebsOnSecurity observed that several social media accounts tied to OβConnor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, OβConnor was stuck on an indefinite vacation at a popular resort in Spain.
Not long after the Twitter hack, OβConnor was quoted in The New York Times denying any involvement. βI donβt care,β OβConnor told The Times. βThey can come arrest me. I would laugh at them. I havenβt done anything.β
Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldnβt be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didnβt like.
OβConnor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged OβConnor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.
In late April 2023, OβConnor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, OβConnor was sentenced to five years in prison.
PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the targetβs text messages and phone calls to a device they control.
From there, the attackers can reset the password for any of the victimβs online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).
OβConnor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.
PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.
Victims who refused to give up social media accounts or submit to extortion demands were often visited with βswatting attacks,β wherein OβConnor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a targetβs address.
Prosecutors said OβConnor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.
In the case of the Twitter hack, OβConnor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
The account β@shinji,β a.k.a. βPlugWalkJoe,β tweeting a screenshot of Twitterβs internal tools interface, on July 15, 2020.
To resolve the case against him in New York, OβConnor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.
In addition to the prison term, OβConnor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.
To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.
Three others were charged along with OβConnor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.
This story is good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.
Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do you let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.
Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code.
Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure β including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via βprivate mentions,β a kind of direct messaging on the platform.
The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.
Since then, the same spammers have used this method to advertise more than 100 different crypto investment-themed domains. Chaput said that at one point this month the volume of bot accounts being registered for the crypto spam campaign started overwhelming the servers that handle new signups at Mastodon.social.
βWe suddenly went from like three registrations per minute to 900 a minute,β Chaput said. βThere was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.β
One of the crypto investment scam messages promoted in the spam campaigns on Mastodon this month.
Seeking to gain a temporary handle on the spam wave, Chaput said he briefly disabled new account registrations on mastodon.social and mastondon.online. Shortly after that, those same servers came under a sustained distributed denial-of-service (DDoS) attack.
Chaput said whoever was behind the DDoS was definitely not using point-and-click DDoS tools, like a booter or stresser service.
βThis was three hours non-stop, 200,000 to 400,000 requests per second,β Chaput said of the DDoS. βAt first, they were targeting one path, and when we blocked that they started to randomize things. Over three hours the attack evolved several times.β
Chaput says the spam waves have died down since they retrofitted mastodon.social with a CAPTCHA, those squiggly letter and number combinations designed to stymie automated account creation tools. But heβs worried that other Mastodon instances may not be as well-staffed and might be easy prey for these spammers.
βWe donβt know if this is the work of one person, or if this is [related to] software or services being sold to others,β Chaput told KrebsOnSecurity. βWeβre really impressed by the scale of it β using hundreds of domains and thousands of Microsoft email addresses.β
Chaput said a review of their logs indicates many of the newly registered Mastodon spam accounts were registered using the same 0auth credentials, and that a domain common to those credentials was quot[.]pw.
The domain quot[.]pw has been registered and abandoned by several parties since 2014, but the most recent registration data available through DomainTools.com shows it was registered in March 2020 to someone in Krasnodar, Russia with the email address edgard011012@gmail.com.
This email address is also connected to accounts on several Russian cybercrime forums, including β__edman__,β who had a history of selling βlogsβ β large amounts of data stolen from many bot-infected computers β as well as giving away access to hacked Internet of Things (IoT) devices.
In September 2018, a user by the name βΡΠΈΠΏΠ°β (phonetically βZipperβ in Russian) registered on the Russian hacking forum Lolzteam using the edgard0111012@gmail.com address. In May 2020, Zipper told another Lolzteam member that quot[.]pw was their domain. That user advertised a service called βQuot Projectβ which said they could be hired to write programming scripts in Python and C++.
βI make Telegram bots and other rubbish cheaply,β reads one February 2020 sales thread from Zipper.
Quotpw/Ahick/Edgard/ΡΠΈΠΏΠ° advertising his coding services in this Google-translated forum posting.
Clicking the βopen chat in Telegramβ button on Zipperβs Lolzteam profile page launched a Telegram instant message chat window where the user Quotpw responded almost immediately. Asked if they were aware their domain was being used to manage a spam botnet that was pelting Mastodon instances with crypto scam spam, Quotpw confirmed the spam was powered by their software.
βIt was made for a limited circle of people,β Quotpw said, noting that they recently released the bot software as open source on GitHub.
Quotpw went on to say the spam botnet was powered by well more than the hundreds of IP addresses tracked by Chaput, and that these systems were mostly residential proxies. A residential proxy generally refers to a computer or mobile device running some type of software that enables the system to be used as a pass-through for Internet traffic from others.
Very often, this proxy software is installed surreptitiously, such as through a βFree VPNβ service or mobile app. Residential proxies also can refer to households protected by compromised home routers running factory-default credentials or outdated firmware.
Quotpw maintains they have earned more than $2,000 sending roughly 100,000 private mentions to users of different Mastodon communities over the past few weeks. Quotpw said their conversion rate for the same bot-powered direct message spam on Twitter is usually much higher and more profitable, although they conceded that recent adjustments to Twitterβs anti-bot CAPTCHA have put a crimp in their Twitter earnings.
βMy partners (Iβm programmer) lost time and money while ArkoseLabs (funcaptcha) introduced new precautions on Twitter,β Quotpw wrote in a Telegram reply. βOn Twitter, more spam and crypto scam.β
Asked whether they felt at all conflicted about spamming people with invitations to cryptocurrency scams, Quotpw said in their hometown βthey pay more for such work than in βwhiteβ jobsβ β referring to legitimate programming jobs that donβt involve malware, botnets, spams and scams.
βConsider salaries in Russia,β Quotpw said. βAny spam is made for profit and brings illegal money to spammers.β
Shortly after edgard011012@gmail.com registered quot[.]pw, the WHOIS registration records for the domain were changed again, to msr-sergey2015@yandex.ru, and to a phone number in Austria: +43.6607003748.
Constella Intelligence, a company that tracks breached data, finds that the address msr-sergey2015@yandex.ru has been associated with accounts at the mobile app site aptoide.com (user: CoolappsforAndroid) and vimeworld.ru that were created from different Internet addresses in Vienna, Austria.
A search in Skype on that Austrian phone number shows it belongs to a Sergey Proshutinskiy who lists his location as Vienna, Austria. The very first result that comes up when one searches that unusual name in Google is a LinkedIn profile for a Sergey Proshutinskiy from Vienna, Austria.
Proshutinskiyβs LinkedIn profile says he is a Class of 2024 student at TGM, which is a state-owned, technical and engineering school in Austria. His resume also says he is a data science intern at Mondi Group, an Austrian manufacturer of sustainable packaging and paper.
Mr. Proshutinskiy did not respond to requests for comment.
Quotpw denied being Sergey, and said Sergey was a friend who registered the domain as a birthday present and favor last year.
βInitially, I bought it for 300 rubles,β Quotpw explained. βThe extension cost 1300 rubles (expensive). I waited until it expired and forgot to buy it. After that, a friend (Sergey) bought [the] domain and transferred access rights to me.β
βHeβs not even an information security specialist,β Quotpw said of Sergey. βMy friends do not belong to this field. None of my friends are engaged in scams or other black [hat] activities.β
It may seem unlikely that someone would go to all this trouble to spam Mastodon users over several weeks using an impressive number of resources β all for just $2,000 in profit. But it is likely that whoever is actually running the various crypto scam platforms advertised by Quotpwβs spam messages pays handsomely for any investments generated by their spam.
According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.
Update, May 25, 10:30 a.m.:Β Corrected attribution of the Austrian school TGM.
FreshRSS 