Crypto Scam Alert: YouTube Videos Promoting “Bitcoin Generator”
According to the reports on 29th May ’19, the Qulab
information-theft and clipboard hijacker trojan has been propagated
on YouTube through fraudulent and fake videos about a free
bitcoin [BTC] generator, BleepingComputer.
A new crypto scam has been discovered through Bleeping Computer. The fraudsters behind this are using videos on YouTube to promote a “Bitcoin generator” tool. For the individuals who are less tech-savvy and credulous, this promise of free Bitcoin [BTC] is just too big a temptation to resist and they end up following the link in the description of the movie. According to the report, the security researcher Frost, reached out to BleepingComputer regarding the trojan scam, conveying that YouTube would bring down fraudulent videos when they are reported, but new videos and accounts will pop up with the same MO.
The videos describe a tool which lets the users earn
free bitcoin through a link in the video description. These links then direct
to a download the Qulab trojan. After the download, the trojan needs to be
installed so as to be deployed. Keeping aside the attempt to steal user
information, the Qulab trojan will also reportedly attempt to steal cryptocurrency
by scanning for strings which are copied to the Windows clipboard which the
program is able to recognize as crypto addresses, and then substituting this in
the address of the attacker instead. If the user pastes this string into the
website field to specify the location of their funds getting spent, they will
paste in the string of the attacker instead and direct these funds there. According
to an official report by Fumko, there has been a big list of crypto
addresses the trojan can recognize, these include bitcoin, ether, Litecoin,
monero, bitcoin cash, cardano and more.
As it was previously reported, YouTube advertised
malware disguised as an advertisement for bitcoin wallet Electrum in
March this year. One of user’s of Reddit described the scam and predicated on
URL hijacking, as follows, “The
malicious advertisement is disguised to look like a real Electrum advertisement
[…] It even tells you to go to the correct link (electrum.org) in the video
but when you click on the advertisement it immediately starts downloading the
malicious EXE file. As you can see in the image, the URL it sent me to is
elecktrum.org, not electrum.org.”
Gloss