Cybersecurity firm Kaspersky Lab has hired Igor Prosvirnin, a former bulletproof hosting provider operating under the moniker "Prospero." Prosvirnin and his company were notorious for harboring criminal operations, including malware distribution and spam campaigns, despite repeated takedown attempts. Kaspersky claims Prosvirnin will work on improving their anti-spam technologies, leveraging his expertise on the inner workings of these illicit operations. This move has generated significant controversy due to Prosvirnin's history, raising concerns about Kaspersky's judgment and potential conflicts of interest.
Malicious actors are exploiting the popularity of game mods and cracks on GitHub by distributing seemingly legitimate files laced with malware. These compromised files often contain infostealers like RedLine, which can siphon off sensitive data like browser credentials, cryptocurrency wallets, and Discord tokens. The attackers employ social engineering tactics, using typosquatting and impersonating legitimate projects to trick users into downloading their malicious versions. This widespread campaign impacts numerous popular games, leaving many gamers vulnerable to data theft. The scam operates through a network of interconnected accounts, making it difficult to fully eradicate and emphasizing the importance of downloading software only from trusted sources.
Hacker News commenters largely corroborated the article's claims, sharing personal experiences and observations of malicious GitHub repositories disguised as game modifications or cracked software. Several pointed out the difficulty in policing these repositories due to GitHub's scale and the cat-and-mouse game between malicious actors and platform moderators. Some discussed the technical aspects of the malware used, including the prevalence of simple Python scripts and the ease with which they can be obfuscated. Others suggested improvements to GitHub's security measures, like better automated scanning and verification of uploaded files. The vulnerability of less tech-savvy users was a recurring theme, highlighting the importance of educating users about potential risks. A few commenters expressed skepticism about the novelty of the issue, noting that distributing malware through seemingly innocuous downloads has been a long-standing practice.
Google's Threat Analysis Group (TAG) observed multiple Russia-aligned threat actors, including APT29 (Cozy Bear) and Sandworm, actively targeting Signal users. These campaigns primarily focused on stealing authentication material from Signal servers, likely to bypass Signal's robust encryption and gain access to user communications. Although Signal's server-side infrastructure was targeted, the attackers needed physical access to the device to complete the compromise, significantly limiting the attack's effectiveness. While Signal's encryption remains unbroken, the targeting underscores the lengths to which nation-state actors will go to compromise secure communications.
HN commenters express skepticism about the Google blog post, questioning its timing and motivations. Some suggest it's a PR move by Google, designed to distract from their own security issues or promote their own messaging platforms. Others point out the lack of technical details in the post, making it difficult to assess the credibility of the claims. A few commenters discuss the inherent difficulties of securing any messaging platform against determined state-sponsored actors and the importance of robust security practices regardless of the provider. The possibility of phishing campaigns, rather than Signal vulnerabilities, being the attack vector is also raised. Finally, some commenters highlight the broader context of the ongoing conflict and the increased targeting of communication platforms.
The FBI and Dutch police have disrupted the "Manipulaters," a large phishing-as-a-service operation responsible for stealing millions of dollars. The group sold phishing kits and provided infrastructure like bulletproof hosting, allowing customers to easily deploy and manage phishing campaigns targeting various organizations, including banks and online retailers. Law enforcement seized 14 domains used by the gang and arrested two individuals suspected of operating the service. The investigation involved collaboration with several private sector partners and focused on dismantling the criminal infrastructure enabling widespread phishing attacks.
Hacker News commenters largely praised the collaborative international effort to dismantle the Manipulaters phishing gang. Several pointed out the significance of seizing infrastructure like domain names and bulletproof hosting providers, noting this is more effective than simply arresting individuals. Some discussed the technical aspects of the operation, like the use of TOX for communication and the efficacy of taking down such a large network. A few expressed skepticism about the long-term impact, predicting that the criminals would likely resurface with new infrastructure. There was also interest in the Dutch police's practice of sending SMS messages to potential victims, alerting them to the compromise and urging them to change passwords. Finally, several users criticized the lack of detail in the article about how the gang was ultimately disrupted, expressing a desire to understand the specific techniques employed by law enforcement.
A phishing attack leveraged Google's URL shortener, g.co, to mask malicious links. The attacker sent emails appearing to be from a legitimate source, containing a g.co shortened link. This short link redirected to a fake Google login page designed to steal user credentials. Because the initial link displayed g.co, it bypassed suspicion and instilled a false sense of security, making the phishing attempt more effective. The post highlights the danger of trusting shortened URLs, even those from seemingly reputable services, and emphasizes the importance of carefully inspecting links before clicking.
HN users discuss a sophisticated phishing attack using g.co shortened URLs. Several express concern about Google's seeming inaction on the issue, despite reports. Some suggest solutions like automatically blocking known malicious short URLs or requiring explicit user confirmation before redirecting. Others question the practicality of such solutions given the vast scale of Google's services. The vulnerability of URL shorteners in general is highlighted, with some suggesting they should be avoided entirely due to the inherent security risks. The discussion also touches upon the user's role in security, advocating for caution and skepticism when encountering shortened URLs. Some users mention being successfully targeted by this attack, and the frustration of banks accepting screenshots of g.co links as proof of payment. The conversation emphasizes the ongoing tension between user convenience and security, and the difficulty of completely mitigating phishing risks.
Brian Krebs's post details how a single misplaced click cost one cryptocurrency investor over $600,000. The victim, identified as "Nick," was attempting to connect his Ledger hardware wallet to what he thought was the official PancakeSwap decentralized exchange. Instead, he clicked a malicious Google ad that led to a phishing site mimicking PancakeSwap. After entering his seed phrase, hackers drained his wallet of various cryptocurrencies. The incident highlights the dangers of blindly trusting search results, especially when dealing with valuable assets. It emphasizes the importance of verifying website URLs and exercising extreme caution before entering sensitive information like seed phrases, as one wrong click can have devastating financial consequences.
Hacker News commenters largely agreed with the article's premise about the devastating impact of phishing attacks, especially targeting high-net-worth individuals. Some pointed out the increasing sophistication of these attacks, making them harder to detect even for tech-savvy users. Several users discussed the importance of robust security practices, including using hardware security keys, strong passwords, and skepticism towards unexpected communications. The effectiveness of educating users about phishing tactics was debated, with some suggesting that technical solutions like mandatory 2FA are more reliable than relying on user vigilance. A few commenters shared personal anecdotes or experiences with similar scams, highlighting the real-world consequences and emotional distress these attacks can cause. The overall sentiment was one of caution and a recognition that even the most careful individuals can fall victim to well-crafted phishing attempts.
Summary of Comments ( 24 )
https://news.ycombinator.com/item?id=43209878
Hacker News users discuss Kaspersky's acquisition of Prospero, a domain known for hosting malware and spam. Several express skepticism and concern, questioning Kaspersky's motives and the potential implications for cybersecurity. Some speculate that Kaspersky aims to analyze the malware hosted on Prospero, while others worry this legitimizes a malicious actor and may enable Kaspersky to distribute malware or bypass security measures. A few commenters point out Kaspersky's past controversies and ties to the Russian government, furthering distrust of this acquisition. There's also discussion about the efficacy of domain blacklists and the complexities of cybersecurity research. Overall, the sentiment is predominantly negative, with many users expressing disbelief and apprehension about Kaspersky's involvement.
The Hacker News post titled "Notorious Malware, Spam Host "Prospero" Moves to Kaspersky Lab" has generated several comments discussing the implications of the domain's move to Kaspersky's infrastructure.
Several commenters express skepticism and concern about Kaspersky's explanation. One commenter finds it "hard to believe" Kaspersky's claim that they haven't seen any malicious activity from the domain, given its history. They suggest that Kaspersky is either being dishonest or incompetent in their monitoring. Another commenter questions whether this is a deliberate move by Kaspersky to sinkhole the domain, but doubts it given the way the DNS records are set up, speculating it's more likely a customer leveraging Kaspersky's services.
One thread delves into the possibility of this being a reverse takeover or some kind of malicious action aimed at Kaspersky. This theory posits that perhaps someone compromised Prospero's infrastructure and deliberately pointed it to Kaspersky to damage their reputation. However, another commenter counters that this scenario is unlikely given the relative simplicity of just redirecting the domain elsewhere.
Some comments analyze the technical details of the DNS records, noting the use of Kaspersky's infrastructure for various services, suggesting a typical customer relationship. They also discuss the potential for false positives in malware detection, and how a domain previously used for malicious purposes might now be legitimately used.
A few commenters express general distrust towards Kaspersky, stemming from past allegations and controversies surrounding the company. These comments reflect a pre-existing skepticism, influencing their interpretation of this specific event. However, others argue that dismissing Kaspersky outright based on past incidents is unfair and that concrete evidence is needed before jumping to conclusions in this specific case.
The discussion also touches upon the challenges of cybersecurity and the complex nature of domain ownership and usage. It highlights the difficulty in definitively determining the intent behind such moves, as well as the potential for misinterpretations and the spread of misinformation.