Crimeware

GoPIX and Lumar: New Crimeware Threats

One of the goals of the MyIDMatters quarterly issue is to keep you abreast of new threats in the crimeware space. This way, you not only defend yourself against bad actors, but you also have a better understanding of how they work. In a recent crimeware report, Kaspersky identified new cyberattacks that are designed to steal data and funds from unsuspecting victims. No matter where you live or what software you use, the unassuming nature of these attacks should put them on everyone’s radar.

Brazil recently instituted an instant payment system called PIX (created by Banco Central do Brasil). Whenever a new form of financial service becomes prominent, it is almost guaranteed that cybercriminals will attempt to exploit it, and that is precisely what is occurring in Brazil. While the aim of PIX is to increase the convenience of making payments, bad actors have instead weaponized the system via malware called GoPIX.

This malware is spread through a tactic called “malvertising.” Because search engines place advertising at the top of search results, malicious ads are able to blend in with regular advertisements. In this case, when users search for “WhatsApp web,” they are presented with the malicious ad; once they click on it, they are redirected through a cloaking service that encourages them to download an installer from a fake WhatsApp download page. Even for users who are not located in Brazil and do not use PIX, this attack should serve as a cautionary tale for navigating internet searches and downloading from suspicious-looking sites.

The GoPIX campaign is not the only example of bad actors stealing information from individuals. Another stealer, called Lumar, is gaining popularity for its ability to capture Telegram sessions and harvest passwords, cookies, autofill data and more. It is offered through a Malware-as-a-Service program. Lumar is a relatively small file, which helps it hide on your system, and its size does not seem to compromise its effectiveness: it can still deploy a devastating attack. Bad actors can then use statistics and data logs to monitor their attacks and receive Telegram notifications for incoming data. This is yet another example of how cyberattacks are lurking around the most unassuming software applications, and it is also another reason why it is important to always exercise caution when opening new links or downloading unknown files.