{"id":18799,"date":"2022-02-14T17:58:22","date_gmt":"2022-02-14T16:58:22","guid":{"rendered":"https:\/\/ekiwi-blog.de\/?p=18799"},"modified":"2022-02-14T18:34:25","modified_gmt":"2022-02-14T17:34:25","slug":"cryptokitties-cooperation-phishing","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/18799\/cryptokitties-cooperation-phishing\/","title":{"rendered":"CryptoKitties cooperation phishing"},"content":{"rendered":"<p>Another cooperation phishing attempt, addressed to YouTubers.<\/p>\n<p><!--more--><\/p>\n<p>This week I got some emails regarding a cooperation with CryptoKitties. Yesterday the same email arrived again, this time claiming that Pierre Carding wanted to work with my little YouTube channel. The messages are always the same: there is a promise that a large budget is available and that you will get a lot of money.<\/p>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/DW4ij-fZ3j4\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>I know the story; usually this is a lame attempt to get users to download malware. So I responded to the mail and got a link back to download a media kit. 
The mail server they are using belongs to &#8220;centrum.cz&#8221;; from what I can see, they offer free mail addresses.<\/p>\n<p>The media kit is hosted on a Google Drive account, and it is password protected.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_1.png\" alt=\"\" width=\"974\" height=\"717\" class=\"aligncenter size-full wp-image-18800\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_1.png 974w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_1-300x221.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_1-768x565.png 768w\" sizes=\"auto, (max-width: 974px) 100vw, 974px\" \/><\/p>\n<p>The download is very small, less than one megabyte. It is a ZIP file, which I only open on my Linux virtual machine. Of course, the archive is password protected. This is an old trick: antivirus software and mail or download scanners cannot look inside an encrypted archive, so its content is not checked when it is downloaded.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_2.png\" alt=\"\" width=\"530\" height=\"277\" class=\"aligncenter size-full wp-image-18802\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_2.png 530w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_2-300x157.png 300w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/p>\n<p>Once we have extracted the small archive, we can see that the size has increased massively. This is another trick, often called an archive bomb: the payload is padded with highly compressible data, so the download stays small while the extracted file becomes huge. 
In general, I always recommend uploading and checking such files with services like VirusTotal.com, but checking big files is hard, since the file needs to be uploaded and these services often have a file size limit. Looking up the file's SHA-256 hash instead of uploading it avoids that limit, but only gives a result if the same file has been submitted before.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_3.png\" alt=\"\" width=\"466\" height=\"64\" class=\"aligncenter size-full wp-image-18804\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_3.png 466w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_3-300x41.png 300w\" sizes=\"auto, (max-width: 466px) 100vw, 466px\" \/><\/p>\n<p>OK, let us have a look at the extracted files. Here we have the usual suspect, a .mp4.scr file. An SCR file is a Windows screensaver, which is nothing but an .exe under a different name: Windows runs it like any other executable, and because Explorer hides known extensions by default, the file shows up as an MP4 video. Once you start this file on your Windows machine, your computer will be infected.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_4.png\" alt=\"\" width=\"534\" height=\"345\" class=\"aligncenter size-full wp-image-18806\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_4.png 534w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_4-300x194.png 300w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/p>\n<p>The upload took around 10 minutes with my fast internet connection and was no disappointment:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_5.png\" alt=\"\" width=\"735\" height=\"578\" class=\"aligncenter size-full wp-image-18808\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_5.png 735w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_5-300x236.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_5-100x80.png 100w, 
https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2022\/02\/kitties_5-80x64.png 80w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/p>\n<p>On the bright side, 10 scanners detected that something is very wrong. On the dark side, 41 of 61 antivirus engines did not detect anything yet, so there is a good chance that your local virus scanner will not stop you from executing that file and infecting your system.<\/p>\n<p>So if something sounds too good to be true, it usually is.<\/p>","protected":false},"excerpt":{"rendered":"<p>Another cooperation phishing attempt, addressed to YouTubers.<\/p>\n","protected":false},"author":1,"featured_media":18810,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[1910,1656],"class_list":["post-18799","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en","tag-internet-en","tag-phishing-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/18799","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=18799"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/18799\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/18810"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=18799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=18799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json
\/wp\/v2\/tags?post=18799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
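The three evasion tricks described in the post (a password-protected ZIP that scanners cannot look into, a payload padded to a size that online scanners refuse, and a screensaver hiding behind a .mp4.scr double extension) can all be spotted from the archive's metadata without extracting anything to disk or running it. The following Python script is an added example and is not code from the original post or from ekiwi-blog. It builds a constructed sample archive in memory (a harmless "MZ" header followed by zero padding stands in for the screensaver; it is not real malware) and then triages it: it flags executable and double extensions, reads the encryption flag bit of each member, compares compressed and uncompressed sizes to detect padding, and streams a SHA-256 hash that can be looked up on a scanning service instead of uploading the huge file. `MAX_SCAN_BYTES` and `SUSPICIOUS_RATIO` are assumed thresholds, not a specific service's limits; for a real password-protected download pass the password from the email as `password=b"..."`.

```python
"""Offline triage of a suspicious archive: nothing is extracted to disk or executed."""
import hashlib
import io
import zipfile

# Extensions that Windows executes on double-click; a screensaver (.scr) is an
# ordinary PE executable with a different name. Non-exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".msi"}

# Assumed upload limit of an online scanner (hypothetical value, not a specific service's).
MAX_SCAN_BYTES = 650 * 1024 * 1024
# Zero-filled padding deflates at roughly 1000:1; real media never compresses that well.
SUSPICIOUS_RATIO = 100.0


def triage_zip(zip_bytes, password=None, max_scan_bytes=MAX_SCAN_BYTES):
    """Return one finding dict per file, using only the central directory plus a
    streamed hash of the members we are able to decrypt."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.lower().rsplit(".", 2)  # "kit.mp4.scr" -> ["kit", "mp4", "scr"]
            final_ext = "." + parts[-1] if len(parts) > 1 else ""
            executable = final_ext in EXECUTABLE_EXTS
            # Bit 0 of the general-purpose flag marks an encrypted member: a scanner
            # without the password sees only the file name and the two sizes.
            encrypted = bool(info.flag_bits & 0x1)
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            sha256 = None
            if not encrypted or password is not None:
                digest = hashlib.sha256()
                with zf.open(info, pwd=password) as member:  # streamed, never written to disk
                    for chunk in iter(lambda: member.read(1 << 20), b""):
                        digest.update(chunk)
                sha256 = digest.hexdigest()
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "executable": executable,
                # "video.mp4.scr": Explorer hides the known .scr extension by default
                "double_extension": executable and len(parts) == 3,
                "encrypted": encrypted,
                "inflated": info.file_size > max_scan_bytes or ratio > SUSPICIOUS_RATIO,
                "compression_ratio": round(ratio, 1),
                "sha256": sha256,  # look this hash up instead of uploading a huge file
            })
    return findings


# Constructed sample: a fake "media kit" whose payload is a PE-style "MZ" header
# followed by 4 MiB of zeros, mimicking a padded screensaver dropper. Not real malware.
SAMPLE_PAYLOAD = b"MZ" + bytes(4 * 1024 * 1024 - 2)
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def build_sample_archive():
    """Build the constructed sample ZIP in memory (small download, large extraction)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Thanks for your interest in our cooperation!\n")
        zf.writestr("CryptoKitties_media_kit.mp4.scr", SAMPLE_PAYLOAD)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    print(f"download size: {len(archive)} bytes")
    for f in triage_zip(archive):
        flags = [k for k in ("executable", "double_extension", "encrypted", "inflated") if f[k]]
        print(f"{f['name']}: {f['size']} bytes, ratio {f['compression_ratio']}x, "
              f"flags={flags or 'none'}, sha256={f['sha256']}")
```

Running the script on the constructed archive reports the README as clean and the screensaver as executable, double-extension and inflated, with a compression ratio in the hundreds. An encrypted member for which no password was supplied gets `encrypted: True` and no hash, which is exactly the blind spot a download scanner is left with; with the password supplied, the member is decrypted in memory only long enough to hash it.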