Gas Is Back: Colonial Opens Up the Corpse Juice Hoses Just as Much of East Coast Runs Out

A gas station in Atlanta, Georgia, that was out of gas on Tuesday.

Photo: Ben Margot (AP)

Large swathes of the East Coast are running out of the precious refined corpse juice used to fuel most of the nation’s vehicles, five days after ransomware knocked out most of the 5,500-mile Colonial Pipeline system—the biggest gasoline pipeline in the country, connecting Gulf Coast refineries to cities as far north as New York. Due to a combination of panic buying, hoarding, and regular gas guzzling, some regions have now almost completely run out. (The pipeline is coming back, see update below.)


There’s no shortage of fossil fuels; they just can’t reach their destination thanks to malware that encrypted Colonial’s business computer systems and led the company to shut down the pipeline as a “precautionary measure.” The Colonial Pipeline system ships 2.5 million barrels of gasoline, diesel, and jet fuel a day, which Bloomberg reports is equivalent to the consumption of the entire nation of Germany. According to CNN Business, nearly two-thirds (65%) of gas stations in North Carolina were without gas as of 12:37 p.m. ET, with similar outages at 42% of stations in Georgia, Virginia, and South Carolina. Tennessee (14%), Florida (10%), Maryland (9%), and West Virginia (4%) were also running low. Some cities were even worse off: 71% of stations in metro Charlotte, 60% in Atlanta, 72% in Raleigh, and 73% in Pensacola have run dry.

The total number of stations shut down runs over ten thousand, and gas prices broke $3 a gallon, according to AAA data. Making the situation worse, the pipeline outage coincides with a shortage of fuel truck drivers. The feds have considered waiving the Jones Act, a maritime law that requires U.S.-built and manned ships to transport goods between U.S. ports, in the hope that enlisting foreign vessels could ease the logistical difficulties currently preventing gas from reaching consumers.

Bloomberg reported on Wednesday that a solution to the issue is still days away, with three distribution hubs in Pennsylvania out of gas and long lines of tanker trucks waiting to fill up in New Jersey. The network reported that Colonial will announce on Wednesday whether it will be able to begin the process of restarting the pipeline network.

“Colonial has announced that they’re working toward full restoration by the end of this week, but we are not taking any chances,” Pete Buttigieg, the Secretary of Transportation, told reporters at a press briefing on Wednesday. “Our top priority now is getting fuel to communities that need it, and we will continue doing everything that we can to meet that goal in the coming days.”

Even then, Bloomberg reported, it will take quite a bit of time for normal service to be fully restored:

Colonial has only managed to restart a small segment of the pipeline as a stopgap measure. Even when the pipeline is restored to full service, it will take about two weeks for gasoline stored in Houston to reach East Coast filling stations, according to the most recent schedule sent to shippers. For diesel and jet fuel, the transit time is even longer — about 19 days — because they are heavier and move more slowly.


The FBI believes that the hackers behind the ransomware attack belong to a gang of cybercriminals called DarkSide that has been active since August 2020 and generally does not attack targets in the former Soviet bloc, according to the Associated Press. (Cybersecurity expert Brian Krebs recommends installing a Cyrillic keyboard on your PC: many such strains check for Russian-language keyboard layouts and quit without encrypting anything if they find one.) Ransomware works by first getting into a computer network, usually through phishing or exposed remote-access services, spreading to other machines (by the operators working by hand, or by self-propagation in some strains), and then locking users out by encrypting their files, typically leaving a ransom demand payable in cryptocurrency. Unless there is a known flaw in how the malware generates or handles its keys, or researchers have obtained the specific key used in an attack, it is practically impossible to decrypt a network once ransomware has triggered. Criminals have used variants of such malware to attack everything in the U.S. from hospitals and school networks to entire municipal governments in recent years, causing billions in damages.
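As an added illustration of the “known flaw in the encryption technique” point (example code written for this page, not code from the article or from any ransomware family): a toy strain that derives its key from the infection timestamp, a real and recurring implementation mistake, beside one that draws its key from the operating system’s CSPRNG. The cipher, the timestamp, the sample document and the PDF-magic check are all assumptions made for the demo, and it runs entirely in memory.

```python
"""Added example: why "a known flaw in the encryption technique" is the usual
route to a free decryptor.  In-memory toy only; no files are touched.
Assumptions (not from the article): a strain that derives its key from the
infection timestamp, beside one that draws the key from the OS CSPRNG.  The
"cipher" is a SHA-256 keystream XOR chosen only so the demo has no
dependencies; it is no real family's code.
"""
import hashlib
import secrets
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Expand key into `length` bytes as SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a stream XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_key(infection_time: int) -> bytes:
    """Flawed scheme: the 256-bit key is fully determined by a timestamp,
    so its effective entropy is log2(width of the plausible time window)."""
    return hashlib.sha256(str(infection_time).encode()).digest()


def strong_key() -> bytes:
    """Sound scheme: 32 bytes from the CSPRNG; nothing to brute-force."""
    return secrets.token_bytes(32)


# Known-plaintext check a researcher can use: most file formats start with a
# fixed magic; the PDF header is used here as the constructed example.
MAGIC = b"%PDF-"


def recover_weak_key(ciphertext: bytes, t_lo: int, t_hi: int) -> Optional[bytes]:
    """Brute-force every timestamp in [t_lo, t_hi]; a day is 86,400 guesses."""
    for t in range(t_lo, t_hi + 1):
        candidate = weak_key(t)
        if xor_crypt(candidate, ciphertext[: len(MAGIC)]) == MAGIC:
            return candidate
    return None


def demo() -> dict:
    plaintext = MAGIC + b" constructed sample document body"
    infection_time = 1620700000  # constructed: 2021-05-11, about 02:26 UTC
    ct_weak = xor_crypt(weak_key(infection_time), plaintext)

    # The researcher only knows which day the infection happened.
    day = 86_400
    window_start = infection_time - infection_time % day
    found = recover_weak_key(ct_weak, window_start, window_start + day)

    ct_strong = xor_crypt(strong_key(), plaintext)
    return {
        "weak_key_recovered": found is not None
        and xor_crypt(found, ct_weak) == plaintext,
        "strong_key_search_space_bits": 8 * len(strong_key()),
        "strong_ciphertext_hides_magic": not ct_strong.startswith(MAGIC),
    }


if __name__ == "__main__":
    print(demo())
```

The brute force over a one-day window finishes in well under a second; the same attack against the CSPRNG-keyed variant faces 2^256 candidates, which is why public decryptors exist only for families that got key generation (or key handling, such as leaving the key on disk) wrong.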

DarkSide has tried to cultivate a reputation for only using ransomware to attack the rich, not institutions like hospitals, and has given out some of its proceeds in charitable donations. The group has also publicly announced on its website that the Colonial chaos was not intentional or motivated by political reasons. However, as Wired explains, the gang’s business model appears to be ransomware as a service, loaning out its malware and cyber infrastructure to other attackers and pocketing a slice of any profit, and it has tried to shift the blame for the Colonial incident to one of the criminal partners it works with. (Ransomware can also be indiscriminate, spreading to systems never explicitly anticipated by whoever is controlling it.) As of this time, the feds have indicated they do not believe the attack was conducted by or on behalf of a rival nation-state.


According to CBS, it remains unclear whether a ransom has been demanded or whether Colonial intends to pay; the FBI officially encourages ransomware victims not to pay, but has acknowledged they may feel they have no other choice. The Washington Post reported Colonial has enlisted cybersecurity firm Mandiant (a division of FireEye) to help it rebuild its systems from backups, and that DarkSide’s access to the targeted systems has been cut off, meaning there may no longer be any incentive to pay up.

It’s easy to see why DarkSide has tried to distance themselves from the attack—disruption on this scale is drawing a massive federal response and U.S. authorities will be determined to track whoever did this down.


On Wednesday, President Biden told reporters that we should expect to “hear some good news in next 24 hours,” adding that he believes “we’ll be getting that under control.”

“I am not surprised that this happened. It was realistically only a matter of time before there was a major critical infrastructure ransomware incident,” Brett Callow, a threat analyst at security firm Emsisoft, told Wired. “DarkSide appears to have realized that this level of attention is not a good thing and could bring governments to action. They may stay with smaller attacks now in the hope that they’ll be able to continue making money for longer.”


Update 5:19 PM: Secretary of Energy Jennifer Granholm confirmed moments ago that the CEO of Colonial Pipeline has informed her that pipeline operations would resume around 5 PM this afternoon. The juice will still take some time to make its way around the country.

Update: 6:20 PM: This article has been updated to clarify that the ransomware attack did not directly affect the pipeline control system, and Colonial took it offline as a precautionary measure.


A Hacker Gang Has Been Trying to Extort D.C. Police for $4 Million


Photo: Brendan Smialowski/AFP (Getty Images)

A ransomware gang, Babuk Locker, has been attempting to extort the Metropolitan Police Department in Washington D.C. for $4 million, but negotiations between the cops and the criminals recently collapsed, leaked documents appear to show.


Several weeks ago, the cybercriminal group announced that it had stolen the MPD’s data—some 250GB that included thousands of pages of sensitive internal documents, including disciplinary files on officers, and intelligence on local gang activity and informant programs. The police department later confirmed that it had been hacked.

Since then, Babuk has been attempting to extort the agency, threatening to leak sensitive internal documents if cops did not pay them. About two weeks ago, the gang leaked a limited amount of data to the web, publishing personnel files on a select number of current or former MPD officers.

On Tuesday, an apparent communication breakdown between both groups resulted in a much larger tranche of the MPD’s data being leaked to the web, a 22.7GB file.

In a statement posted to their leak site, the criminals said:

“The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data.”

The criminals also posted screenshots of what appear to be conversations between themselves and police, giving an apparent window into how ransom negotiations went. The screenshots show that the hackers asked for $4 million in exchange for the data, but police claimed they were only willing to pay $100,000.

At one point, Babuk delivered a sober, dead-eyed address to the police department, claiming to only have monetary interests—not political ones. On April 28, the gang said:

BABUK: We want to inform you that we are not interested in the international politics and other issues between governments, conflicts, e.t.c. Our offer for you is to pay us for deletion of the information that we have collected plus we issue a warning statement on the website for other individuals not to intrude to the US government institutions. How does it sound to you?


After days of back and forth between the criminal group and the cops, the police negotiator seemed to signal a willingness to pay for the data, though not the allotted $4 million. A message dated May 10 goes as follows:

PD: Our proposal is an offer to pay $100,000 to prevent the release of the stolen data. If this offer is not acceptable, then it seems our conversation is complete. I think we both understand the consequences of not reaching an agreement. We are okay with that outcome.

BABUK: This is unacceptable on our side. Follow our web-site at midnight.

Not long after that, data from the police department began leaking out onto the group’s website. A spokesperson for the police department did not immediately return a request for comment from Gizmodo. We will update this story if we hear back.


Hackers Threatening East Coast’s Fuel Supply Claim They’re Not Trying to Cause Anybody Trouble


Photo: Michael M. Santiago (Getty Images)

Over the weekend, a cyberattack by the Russia-based ransomware gang DarkSide hamstrung Colonial Pipeline, the largest refined-fuel pipeline system in the U.S., threatening to choke off a significant share of the East Coast’s gasoline, diesel and jet fuel supply.


Per Bloomberg News, the gang pilfered approximately 100GB of data from the company’s IT network in just two hours on Thursday. The attack was part of what is known as a “double extortion scheme,” a tactic used by criminal groups in which they steal and then threaten to leak significant amounts of data from a high-value target in an effort to extort money from the victim. A coalition of private companies, along with major government agencies like the FBI, the NSA, and CISA, apparently worked together to stop further data theft from occurring.

The Biden administration acknowledged the attack Monday, with the President calling the incident a “criminal act, obviously.” Biden also said that he planned to meet with Russian President Vladimir Putin about the attack and that he would encourage him to take “some responsibility to deal with this.”

Like all unscrupulous businessmen, the members of DarkSide have sought to impress upon their victims that the attack was just business, and nothing personal. On Monday, a statement published to the gang’s website emphasized that their “goal is to make money” and that they are not interested in “creating problems for society.” The group stated:

We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined goverment [sic] and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

The gang first emerged last summer, with the first known sighting in August, said Ekhram Ahmad of security firm Check Point Research. DarkSide operates on a ransomware-as-a-service model: it leases its malware and supporting infrastructure to affiliate groups, who carry out the intrusions and hand over a share of any ransom. The malware has been used in previous attacks on other energy companies. “What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyber attack,” said Lotem Finkelsteen, head of threat intelligence with Check Point.

You’d think it would be hard to stand out in a year that has seen a veritable blitz of cyberattacks, each one seemingly more disastrous than the next (see: SolarWinds, Microsoft Exchange, the Pulse Secure VPN attacks, and more). Yet this is exactly what DarkSide has managed to do—both via its Batman villain-like ability to spur a coastal energy crisis, and its sheepish apology for, like, causing trouble or whatever.


As disastrous as the incident may be for Colonial, it is likely a boon to the current, ongoing efforts to elevate U.S. cyber policy. The political impact of the attack will likely only be to further strengthen the argument that America needs to take a more aggressive, proactive and organized approach when it comes to tracking and combatting cybercriminal groups—something that those in the cyber community have been lobbying for for some time.

On top of this, the fact that a coalition of private sector companies led the charge in containing the fallout from the incident only bolsters the argument, oft made by security professionals, that the solution to these attacks will be forged in a holistic alliance between the public and private sectors.


Your Old Phone Number Could Get You Hacked, Researchers Say


Photo: STR/AFP (Getty Images)

When you get a new phone number, mobile carriers will often “recycle” your old one—assigning it to a new phone and, therefore, a new customer. Carriers say the reason they do this is to stave off a hypothetical future of “number exhaustion”—a sort of “peak oil” for phone numbers, when every possible number that could be assigned to a phone has been taken.


However, the act of number recycling actually brings with it a host of security and privacy risks, a new study conducted by Princeton University researchers shows. More often than not, recycled numbers allow new customers access to old customer information, opening up opportunities for a variety of invasive, potentially exploitative encounters.

For one thing, new number owners will often continue to get personalized updates meant for the former owner. This can be quite invasive—for both parties: The study relates one particular incident in which a user of a new number was “bombarded with texts containing blood test results and spa appointment reservations” that were obviously meant for someone else. While this may sound more comical than concerning, the access presented by a phone number can obviously be a lot more dire.

Phone numbers are commonly used for SMS-based two-factor authentication and password resets, and people often fail to update all of their online accounts when they change numbers, so an old number can linger as the recovery method for SMS-authenticated password resets. Whoever is assigned that number next can then trigger a reset and take over the social media, email, or consumer accounts tied to it. Researchers say other personal information could easily be collected to augment such account takeovers, typically from online “people search sites” like BeenVerified or Intelius (these sites don’t always have the most accurate, up-to-date information, however). Phone numbers could also be paired with passwords culled from large data breaches. In these ways, a bad actor could potentially commit fraud and/or hijack accounts to steal more personal data—or for other nefarious purposes.

If these scenarios sound a bit far-fetched, there nevertheless seem to be plenty of opportunities to carry them out. One of the researchers, Arvind Narayanan, said that 66% of recycled numbers they sampled were still tied to previous owners’ online accounts, and, as a result, were potentially vulnerable to account hijacking. The researchers surveyed 259 phone numbers and, of those, 215 were “recycled and also vulnerable to at least one of the three attacks,” the study says. Researchers write:

“We obtained 200 recycled numbers for one week, and found 19 of them were still receiving security/privacy-sensitive calls and messages (e.g., authentication passcodes, prescription refill reminders). New owners who are unknowingly assigned a recycled number may realize the incentives to exploit upon receiving unsolicited sensitive communication, and become opportunistic adversaries.”

Narayanan said that after he and his fellow researcher, Kevin Lee, reached out to carriers about these issues, “Verizon and T-mobile improved their documentation but have not made the attack harder.” The companies essentially made it slightly easier for users to inform themselves about these vulnerabilities, but didn’t ultimately do anything to stop the potential attacks from occurring.

This whole line of inquiry hinges largely on the premise that whoever gets your new number turns out to be a malevolent creep, willing to exploit your personal information for their gain. While that might not be the case 9 times out of 10, the vulnerabilities presented by number recycling are certainly enough to make you worry about its current safeguards.


Hackers Leak Data on D.C. Cops as Part of Extortion Scheme


Photo: Alex Wong (Getty Images)

In an attempt to extort some unknown amount of money out of the D.C. Metropolitan Police Department, hackers with the Babuk ransomware gang have leaked large amounts of data on five of the department’s officers.


The data, which was published on the gang’s dark web site early Wednesday morning, is quite extensive, and includes individual dossiers on each officer that have been marked “confidential” and are “around 100 pages long,” NBC News reports. Those dossiers include a “vast array of personal information,” including “arrest history, housing and financial records, polygraph results and extensive details about their training and work background,” the outlet writes. Some officers detailed in the files are currently employed with the department, while others are former employees.

The files are part of a larger 250GB-ish cache that was stolen from the police department’s servers sometime during the past few weeks. That large stockpile goes far beyond the data published Wednesday—and potentially includes intelligence on D.C.’s local gang activity, the agency’s response to the violent Jan. 6 Capitol riot, and much more. The hackers have threatened to publish the rest if their demands are not met.

Babuk, which is a relatively new cybercriminal gang, has played an increasingly aggressive game with the police department over the last several days—posting taunting messages on its website and threatening to “out” information on police informants if the ransom is not paid, among other things. On Tuesday, the group stated, “We advise the police station to get in touch as soon as possible, you do not need this leak, because of it people may suffer.”

The gang had previously advertised screenshots of the stolen data, “previewing” them on its website, but Wednesday was the first actual release of such data. As of Monday, Babuk had given the law enforcement agency a period of approximately three days to respond to their demands.

Shortly after Wednesday’s leak, the page referring to the MPD disappeared from Babuk’s website. In a cyber extortion plot, a page takedown would typically indicate that a victimized party has agreed to negotiate with the ransomware gang. It’s unclear if that is the case. We have reached out to the MPD for comment.

Ransomware gangs will typically use any leverage available to them to increase the likelihood of a payout. To strike a prominent police department during the current moment—only a week or so after the Derek Chauvin verdict and amidst ongoing police-involved shooting scandals—shows that logic at work. Every police department in the country is in a vulnerable position right now, and cybercriminals are taking advantage.


A Notorious Ransomware Gang Claims to Have Stolen Apple’s Product Designs


Photo: Eric Thayer (Getty Images)

Cybercriminals claim to have stolen blueprints for some of Apple’s newest products and are now attempting to extort the tech giant by threatening to publish the documents online.


On Tuesday, the ransomware gang REvil publicly claimed that it had hacked Quanta Computer, a third-party supplier in Taiwan that has partnerships with over a dozen large U.S. tech firms, including Apple, Dell, Hewlett-Packard, Blackberry, and several others.

Quanta, which is one of the largest laptop manufacturers in the world, works to assemble Apple’s products based on designs supplied by the Cupertino company, meaning there is a logical basis for the theft claims.

On REvil’s “leak site” (where the gang posts samples of stolen data to bully targeted companies into meeting extortion demands), the hackers posted a select number of product blueprints, timing the release to coincide with Tuesday’s much-anticipated Spring Loaded product launch. A message on the site reads:

“In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many. Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem. Quanta has made it clear to us that it does not care about the data of its customers and employees, thereby allowing the publication and sale of all data we have.”

The gang has demanded that Apple “buy back” the stolen documents “by May 1,” or else “more and more files will be added [to the leak site] every day.” BleepingComputer reports that the gang is extorting Quanta for $50 million—giving the company a deadline of April 27 to pay for the alleged stolen data.

The hackers also mention that they are “negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” implying that Apple may not be the only company affected by the hack. Given how widely Quanta’s services are used, the ripple effect here could (hypothetically) be large.


Neither Apple nor Quanta immediately responded to multiple requests for comment.


At the moment, it’s difficult to say whether the alleged documents REvil has are actually all that important. The designs visible on the leak site look like basic blueprints for a MacBook—and don’t appear to be super “TOP SECRET” stuff. Brett Callow, a threat analyst with security firm Emsisoft, said it’s not necessarily the case that the hackers are telling the truth about the severity of the hack.

“The REvil operators have been responsible for a number of high profile attacks and also some of the highest demands to have become publicly known,” Callow said in an email. “That said, ransomware groups have lied about the strength of their hand in other incidents, so it would be a mistake to assume that REvil has all the data they claim to have and that other parties are interested in buying it.”


On the other hand, REvil is a prominent ransomware gang—one that has actively sought to foster a fearsome reputation by ruthlessly targeting high-profile companies. The gang recently took responsibility for hacking large electronics firm Acer, demanding a then-record-breaking ransom of $50 million in return for its stolen files.

A Geico Data Breach Let Cyber Fraudsters Steal Customers’ Driver’s License Numbers


Photo: David McNew (Getty Images)

Car insurance giant Geico has quietly disclosed that a recent security breach allowed cyber thieves to steal customers’ driver’s license information right off the company’s website.


The breach was made public Monday after TechCrunch noticed that the company had recently filed a breach notice with the California Attorney General’s Office—as is required by state law.

While it’s not totally clear how big the breach was, the state’s disclosure requirements are pegged to incidents affecting more than 500 state residents. We reached out to Geico and will update this story if we hear back from them.

According to their notice, a security issue sat unpatched on the company’s website for more than a month, though it’s not totally clear what the issue actually was. The issue has since been resolved, though not before an unknown amount of people had their information stolen. Geico provides the following picture of what happened:

We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website. We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.

That the data might be used for unemployment fraud is unfortunate if not totally unexpected. Throughout 2020, organized cybercrime groups targeted unemployment systems all across the country and made an amazing amount of money doing it. California’s fraudulent claims have run into the billions of dollars. In Washington state, a reported $650 million was lost to “questionable claims.” Ohio allegedly paid out $330 million. The list goes on and on.

In such schemes, cybercriminals typically use previously leaked or stolen personal information to impersonate someone else and file unemployment claims in that person’s name with state systems, which rarely verify identity beyond the data the fraudster already holds.


Geico has warned that if you receive information from your state system about unemployment benefits that you haven’t personally filed for, there’s a solid chance you have been targeted for identity theft. If that happens, you should “contact that agency/department if there is any chance fraud is being committed,” the company said.

Cybercriminals Bought Facebook Ads for a Fake Clubhouse App That Was Riddled With Malware


Photo: Josh Edelson/AFP (Getty Images)

Cybercriminals have been pushing Facebook users to download a Clubhouse app “for PC,” something that doesn’t exist. The app is actually a trojan that installs malware on your computer. The popular new invite-only chat app is only available on iPhone, but worldwide interest in the platform has risen and users are clamoring for Android and, presumably, “PC” versions.


Per TechCrunch, the malicious campaign used Facebook ads and pages to direct platform users to a series of fake Clubhouse websites. Those sites, hosted in Russia, asked visitors to download the app, which they promised was just the most recent version of the product: “We tried to make the experience as smooth as possible. You can check it out right now!” one proclaims.

However, once downloaded, the app would begin signaling to a command and control (C&C) server. In cyberattacks, the C&C is typically the server that informs malware what to do once it has infected a system. Testing of the app through malware analysis sandbox VMRay apparently showed that, in one instance, it tried to infect a computer with ransomware.
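As an added example of how a defender spots the kind of “signaling to a command and control server” described above (example code written for this page, not code from the article, TechCrunch or VMRay): a check over web-proxy logs that flags client-to-host request series with near-constant gaps. The log format, hostnames, IPs and thresholds are all constructed for the demo.

```python
"""Added example: flagging C&C beaconing in web-proxy logs.  Malware that
"signals" to its controller usually does so on a fixed timer, and a fixed
timer leaves a signature a human never produces: near-constant gaps between
requests from one client to one host.  Log lines, hostnames and thresholds
below are constructed for the demo (format: epoch client method host status).
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
1620750000 10.0.0.5 GET sync.example-cdn.net 200
1620750002 10.0.0.5 GET www.example.com 200
1620750010 10.0.0.9 POST api.example-analytics.net 200
1620750060 10.0.0.5 GET sync.example-cdn.net 200
1620750075 10.0.0.7 GET news.example.org 200
1620750120 10.0.0.5 GET sync.example-cdn.net 200
1620750131 10.0.0.7 GET mail.example.org 200
1620750180 10.0.0.5 GET sync.example-cdn.net 200
1620750240 10.0.0.5 GET sync.example-cdn.net 200
1620750290 10.0.0.7 GET news.example.org 200
1620750300 10.0.0.5 GET sync.example-cdn.net 200
1620750305 10.0.0.9 POST api.example-analytics.net 200
1620750333 10.0.0.7 GET news.example.org 200
1620750612 10.0.0.9 POST api.example-analytics.net 200
1620750900 10.0.0.9 POST api.example-analytics.net 200
1620751210 10.0.0.9 POST api.example-analytics.net 200
"""

Series = Dict[Tuple[str, str], List[int]]


def parse(log_text: str) -> Series:
    """Group request timestamps by (client, host)."""
    series: Series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _status = line.split()
        series[(client, host)].append(int(ts))
    return series


def beacon_candidates(series: Series, min_hits: int = 5,
                      max_jitter: float = 0.15) -> List[Tuple[str, str, float]]:
    """Return (client, host, mean_gap_seconds) for pairs whose inter-request
    gaps are nearly constant.  The coefficient of variation (stdev / mean)
    tolerates the small random jitter many implants add, while a person's
    browsing has a CV well above 1.  min_hits keeps a few chance hits from
    being flagged."""
    findings = []
    for (client, host), times in series.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_jitter:
            findings.append((client, host, float(mean_gap)))
    return findings


if __name__ == "__main__":
    for client, host, gap in beacon_candidates(parse(SAMPLE_LOG)):
        print(f"{client} -> {host}: every ~{gap:.0f}s")
```

On the sample, the exact 60-second series and the jittered roughly 300-second series are both flagged while ordinary browsing is not. Legitimate software updaters and telemetry agents beacon too, so the output is a triage list to cross against an allow-list of known software, not an alert by itself; implants that sleep for hours or randomize heavily need a longer observation window or a different check.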

Taking advantage of a popular new product to deploy malware is a pretty classic cybercriminal move—and given Clubhouse’s prominence right now, it’s no surprise that this is happening. In fact, researchers recently discovered a different fake Clubhouse app. Lukas Stefanko of security firm ESET revealed how another fictional “Android version” of the app was acting as a front for criminals looking to steal users’ login credentials for other services.

Fortunately, it doesn’t appear that this most recent campaign was too popular, as TechCrunch reports that the Facebook pages associated with the fake app only had a handful of likes.

It’s an interesting little incident, though it may be difficult to find out more about this tricky campaign because the websites hosting the fake app have apparently disappeared. The takedown of the sites appears to have disabled the malware. Facebook has also taken down the ads associated with the campaign.

An Android App That Promised Free Netflix Was Shockingly Just Highly Annoying Malware


Photo: OLIVIER DOULIERY/AFP (Getty Images)

So-called pirating apps have been around for years—and they have only gained popularity since covid-19 put us all indefinitely on the couch, phone in hand, awaiting a reason (that never comes) to stop streaming.


Well, not all pirating apps have your content-viewing interests in mind. Enter “FlixOnline.” Until recently, this app sat in Google’s Play Store, promising users the opportunity to gain free mobile access to Netflix from anywhere in the world, even if they didn’t have an account. Sounds too good to be true, right?

Yes, well, exactly.

FlixOnline, discovered by security firm Check Point Research, never actually let users binge Breaking Bad or whatever. Instead, the researchers say, it delivered a self-replicating worm onto their devices, which could potentially be used by hackers in phishing and data-theft operations.

According to researchers, the Flix wormable malware gets its foothold by asking for permissions a streaming app has no business needing: drawing overlays over other apps, exemption from battery optimization so it keeps running in the background, and access to the device’s notifications. That last one is the key: reading notifications lets it see incoming WhatsApp messages, and replying through the notification lets it answer them as you. It then hijacks your WhatsApp and uses it to send spammy messages to people who message you. For instance, if your friend sends you, “Hey dude, whaddup,” Flix will secretly auto-reply for you, sending them a, uh, really subtle advertisement for its fake services:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE” [insert malicious link].

If your friend, lost in a confused fog—baffled by the fact that their pal of many years has transformed, overnight, into a robotic Netflix shill—happens to click on the link provided, they get directed to a website where they can download the app, and the malware replicates itself anew. Researchers say the site could easily serve as a way for hackers to steal a victim’s personal information. In truth, it’s hard to imagine most people being, let’s say, gullible enough to follow that last step, but then again, “123456″ remains a popular password.

So, voila! It’s like a moral lesson about the ills of piracy, packed into a very, very stupid app—an app that does literally nothing except hijack your conversations with friends and loved ones to re-spawn its own daft, useless existence.


Of course, the access supplied by an app like this means a bad actor could definitely abuse it to do more than send annoying messages (they could steal your private information and thereby entrap you in an extortion scheme, for instance). Additionally, if the messages being sent to a victim’s contacts were modified to something other than a hacky Netflix ad, or additional malicious links were added to the hijacked WhatsApp messages, a person could have quite a mess on their hands. So, it’s not just an annoying app, but potentially dangerous, too.

Perhaps the worst thing here is that Flix sat in the Play Store for approximately two months, compromising about 500 devices, according to Check Point (the app has since been taken down). It’s another great example of how Google hasn’t always done an amazing job when it comes to weeding out bad apps being distributed on its platform.
“The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags,” said Aviran Hazum, manager of mobile intelligence at Check Point. He added that, while this specific malware campaign was halted, the same malware could be deployed again via a different fake app. So… be careful out there, my pirate friends. Remember: There’s no such thing as free content.

A New Phishing Campaign Sends Malware-Laced Job Offers Through LinkedIn

Photo: Carl Court (Getty Images)

With unemployment at formidable levels and the economy doing weird, covid-related reversals, I think we can all agree that the job hunt is a pretty hard slog right now. Amidst all that, you know what workers really don’t need? A LinkedIn inbox full of malware. Yeah, they don’t need that at all.
Nevertheless, that is apparently what some may be getting, thanks to one group of cyber-assholes.

Security firm eSentire recently published a report detailing how hackers connected to a group dubbed “Golden Chickens” (I’m not sure who came up with that one) have been waging a malicious campaign that preys on job-seekers’ desire for the perfect position.

These campaigns involve tricking unsuspecting business professionals into clicking on job offers that are titled the same thing as their current position. A message, slid into a victim’s DMs, baits them with an “offer” that is really rigged with a spring-loaded .zip file. Inside that .zip is a fileless malware called “more_eggs” that can help hijack a targeted device. Researchers break down how the attack works:

…If the LinkedIn member’s job is listed as Senior Account Executive—International Freight the malicious zip file would be titled Senior Account Executive—International Freight position (note the “position” added to the end). Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, more_eggs.
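As an added defender-side illustration (not code from eSentire or the article), here is a check that flags a .zip attachment whose name mirrors the recipient’s own job title, with or without the trailing “position” the report describes; the profile title and filenames below are constructed samples.

```python
import re
import unicodedata

# Constructed sample profile title, not a value from the eSentire report.
PROFILE_TITLE = "Senior Account Executive—International Freight"


def _normalize(text: str) -> str:
    """Fold case and collapse dash/space variants so the same title written
    with an em dash, a hyphen, or spaced hyphens compares equal."""
    text = unicodedata.normalize("NFKC", text)
    text = re.sub(r"[\u2010-\u2015\-]+", "-", text)  # any hyphen/dash run -> "-"
    text = re.sub(r"\s*-\s*", "-", text)             # drop spaces around dashes
    return re.sub(r"\s+", " ", text).strip().casefold()


def is_job_title_lure(profile_title: str, attachment_name: str) -> bool:
    """True when a .zip attachment is named after the recipient's job title,
    optionally followed by 'position' (the lure naming pattern described above)."""
    m = re.match(r"^(.*)\.zip$", attachment_name, flags=re.IGNORECASE)
    if not m:
        return False  # only archives are of interest for this specific lure
    stem = _normalize(m.group(1))
    title = _normalize(profile_title)
    return stem == title or stem == f"{title} position"


def flag_attachments(profile_title: str, names: list[str]) -> list[str]:
    """Return the subset of attachment names that match the lure pattern."""
    return [n for n in names if is_job_title_lure(profile_title, n)]


if __name__ == "__main__":
    # Constructed attachment names as they might appear in a direct message.
    sample = [
        "Senior Account Executive—International Freight position.zip",
        "senior account executive - international freight.ZIP",
        "Q3 invoice.zip",
        "Senior Account Executive—International Freight position.pdf",
    ]
    for name in flag_attachments(PROFILE_TITLE, sample):
        print("suspicious job-title lure:", name)
```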

Whoever they are, the “Chickens” probably aren’t conducting these attacks themselves. Instead, they are peddling what would be classified as malware-as-a-service (MaaS)—which means that other cybercriminals purchase the malware from them in order to conduct their own hacking campaigns. The report notes that it is unclear who exactly is behind the recent campaign.

A backdoor trojan like “more_eggs” is basically a program that allows other, more destructive kinds of malware to be loaded onto a device or computer. Once a criminal has used the trojan to gain a toehold in a victim’s system, they can then deploy other stuff like ransomware, banking malware, or credential stealers to wreak more extensive havoc on their victim.

Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire, called the activity “particularly worrisome” given how the compromise attempts could pose a “formidable threat to businesses and business professionals.”

“Since the COVID pandemic, unemployment rates have risen dramatically. It is a perfect time to take advantage of job seekers who are desperate to find employment. Thus, a customized job lure is even more enticing during these troubled times,” McLeod said.
We reached out to LinkedIn to see what their take on this whole situation is and will update this story if they reply. Considering that employers don’t usually just offer you a job, you would think this campaign wouldn’t be too hard to avoid. Yet people click on random stuff on the internet all the time—usually out of curiosity, if nothing else. Suffice it to say, if you get a job offer that seems too good to be true, probably best to steer clear.

UPDATE, 9:12 p.m. When reached by email, a LinkedIn spokesperson provided the following statement:

“Millions of people use LinkedIn to search and apply for jobs every day — and when job searching, safety means knowing the recruiter you’re chatting with is who they say they are, that the job you’re excited about is real and authentic, and how to spot fraud. We don’t allow fraudulent activity anywhere on LinkedIn. We use automated and manual defenses to detect and address fake accounts or fraudulent payments. Any accounts or job posts that violate our policies are blocked from the site.”