Portuguese cryptocurrency users have been targeted by a new malicious software called Cryptoclippy, which is part of a broader malicious advertising campaign, according to a new report by Palo Alto Networks Unit 42.
The Cryptoclippy operators reportedly use SEO poisoning to redirect users searching for “WhatsApp Web” to fraudulent domains that host the malicious software. The executable, written in C, is a clipper: it watches the clipboard and replaces any copied cryptocurrency address with the address of the attacker’s wallet.
The clipper uses regular expressions to determine which type of cryptocurrency wallet address has been copied and substitutes an attacker-controlled address of the same type. The substituted address is chosen so that it looks visually similar to the original, which makes a quick glance at the pasted value unlikely to reveal the swap.
Once the victim pastes the address from the clipboard into the transaction, the cryptocurrency is sent directly to the attacker instead of the intended recipient.
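The swap described above can be checked for on the receiving side by comparing what was copied with what was actually pasted. The following is an added example written for this article (it is not Unit 42’s code nor anything from the malware); the address regexes and the sample addresses are assumptions constructed for illustration.

```python
import re

# Common address formats (assumed patterns, adequate for format checks only).
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def classify(addr):
    """Return the wallet type an address matches, or None."""
    for name, pat in PATTERNS.items():
        if pat.match(addr):
            return name
    return None


def check_paste(copied, pasted, edge=4):
    """Compare the address the user copied with the one that was pasted.

    A clipper swap shows up as: a different address of the same wallet
    type, frequently with the first and last characters kept identical so
    that a visual check of the ends of the string passes.
    """
    if copied == pasted:
        return {"swapped": False}
    ct, pt = classify(copied), classify(pasted)
    return {
        "swapped": True,
        "same_type": ct is not None and ct == pt,
        "type": pt,
        "edges_match": copied[:edge] == pasted[:edge]
        and copied[-edge:] == pasted[-edge:],
    }


# Constructed sample: an ETH-format address and a look-alike whose
# first and last four characters match but whose middle differs.
COPIED = "0x" + "ab" * 20
PASTED = "0xab" + "cd" * 17 + "abab"

if __name__ == "__main__":
    print(check_paste(COPIED, PASTED))
```

A verdict with `swapped`, `same_type` and `edges_match` all true is the signature worth alerting on; comparing only the ends of an address, as users tend to do, is exactly the check the look-alike is designed to pass.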
According to estimates, the scheme has earned the Cryptoclippy operators approximately $983. The victims reportedly come from various industries, including manufacturing, IT services, and real estate.
The cybercriminals behind the attack use a traffic distribution system (TDS) to decide whether a visitor is a suitable target. The TDS checks whether Portuguese is the user’s preferred browser language and, if so, sends them to the fraudulent page; users who do not meet the criteria are redirected to a legitimate WhatsApp domain.
It’s worth noting that poisoned search results were also recently adopted as a delivery channel by the operators of Gootloader. They first compromised a large number of legitimate sites and built a network of around 400 servers. After gaining access, the attackers configure the site’s CMS to apply SEO tactics that raise the compromised resource’s search ranking. The site owners are often unaware that their resources are being used in this way.
In summary, Portuguese cryptocurrency users should be cautious when searching for “WhatsApp Web” and ensure that they only use legitimate sources to avoid falling victim to Cryptoclippy and other malicious software.