Symbiotic X Hacked, Malware Infecting SVG Files: Crypto-Sec
The latest crypto scams, hacks and exploits and how to avoid them: Crypto-Sec
Phish of the Week: Symbiotic's X account compromised
According to a PeckShield report, the X account for the staking protocol Symbiotic was hacked on October 5. As of October 7, the team's official website said the account was still compromised.
The hacked account advertises a list of “points” and asks users to click on a link to check how many points they have. However, the link leads to the wrong URL, Network-Symbiotic[.]fi, rather than the correct one, symbiotic.fi.
When users connect a wallet to the fake phishing site, they are presented with a page that says they've earned thousands of points, even if they have had nothing to do with the Symbiotic protocol.
The site urges users to redeem their points immediately and says the points will be lost if they don't click a big green “redeem” button in the middle of the screen.
Pushing the “Redeem Points” button with an empty wallet will result in an error message stating that the user should try a different wallet.
If the user's wallet contains Symbiotic tokens, the site may ask the user to sign a message, which is then used to drain the user's tokens. Cointelegraph has not tested the app with a wallet with money in it.
On its official website, the Symbiotic team warns users that its X account is currently compromised and that users should not connect to any websites linked from the account.
X account hacks have become a regular problem in the crypto space. Users should consider bookmarking the URLs of apps they use frequently; although not 100% foolproof, this is generally a more reliable way to get to the right website. Users should also be especially careful when asked to sign an encrypted message, as this is often, but not always, a sign of a phishing attack.
Malware Corner: Attackers now use SVG files to lure victims
Attackers now use SVG image files to infect victims' computers, according to a September report by the HP Wolf Security team.
The new technique allows attackers to take control of a victim's computer via Remote Access Trojan (RAT) software. Once the software is installed, the attackers use it to steal the victim's website passwords and other personal information. If the user holds cryptocurrency, these credentials are used in further attempts to access and empty the user's wallet.
Researchers found the malware disguised as a zip file that loads when the image is opened in a browser. It also delivered a PDF file that held the victim's attention while the malicious program was downloaded and installed in the background.
According to Adobe, Scalable Vector Graphics (SVG) files store images in “point and grid-based mathematical formulas” rather than pixels. This means they can be easily resized without losing their quality. In addition, they are written in XML code, which allows them to store text within themselves.
According to Mozilla, SVG files have a “script” element that allows developers to embed executable programs in them. It is this scripting ability that malware developers have learned to abuse.
HP researchers found an image that creates a zip archive when opened in a browser. If the user clicks on the folder, it will open a file explorer window and start downloading a shortcut file.
Clicking the shortcut loads a decoy .pdf file onto the victim's screen. Meanwhile, the tool starts copying various scripts and storing them in the victim's music, photos, and startup directories, allowing the program to persist over time.
After copying these scripts to the device, it runs them. As a result, several dangerous malware programs, including VenomRAT, AsyncRAT, Remcos and XWORM, are installed on the user's device. Once the malware is installed, the attacker can take complete control of the victim's computer, stealing the files it contains.
Given this new attack vector, crypto users should exercise caution when dealing with SVG image files from completely untrusted sources. If the image loads other file types when opened, users should consider rejecting these files by closing the browser window.
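To make the scripting capability described above concrete from the defender's side, the following added example (not from the HP report or the original article) inspects an SVG for active content before it is opened in a browser. The sample documents, tag list and finding labels are constructed for illustration, and the sketch treats any DOCTYPE as a finding.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not taken from the HP report.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="start()">'
    '<script>/* placeholder for embedded script */</script>'
    '<a xlink:href="data:application/octet-stream;base64,AAAA">'
    '<rect width="9" height="9"/></a></svg>'
)

# Elements that can run or host active content (illustrative list).
RISKY_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(name):
    """Strip an XML namespace: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(text):
    """Return findings describing active content in an SVG document."""
    lowered = text.lower()
    # Refuse DTDs up front: entity declarations enable expansion tricks and
    # are not needed in an image received from an untrusted sender.
    if "<!doctype" in lowered or "<!entity" in lowered:
        return ["doctype-or-entity-declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["not-well-formed-xml"]
    findings = []
    for el in root.iter():  # document order
        tag = local(el.tag)
        if tag in RISKY_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name, val = local(attr), value.strip().lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"event-handler:{name}")
            elif name == "href" and (
                val.startswith("javascript:")
                # data: URIs carrying inline raster images are common; flag the rest
                or (val.startswith("data:") and not val.startswith("data:image/"))
            ):
                findings.append(f"active-href:{val.split(':', 1)[0]}")
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, scan_svg(doc))
```

An empty result means no active content was found by these checks; it is a triage signal, not proof that a file is safe.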
FIRE token exploit shows the dangers of novel tokens
Buying new tokens with novel features and unaudited contracts is often risky, as was the case with the FIRE token on October 1st.
The token's Uniswap pool was almost completely drained of liquidity after an attacker exploited it to repeatedly sell the token at higher and higher prices.
After the exploit, the token's team immediately deleted its social accounts and disappeared, indicating that the project may have been a rug pull or exit scam from the start.
The token has not been traded since October 2nd, indicating that there is very little liquidity for it and it may be impossible to sell it.
The proposition for FIRE investors was simple. According to its website, it was an “ultra-high-destruction simulator.” Whenever holders sold the token into the Uniswap liquidity pool, the tokens were sent immediately to a burn address. This caused the token supply to decrease, increasing the value of FIRE held by those not selling it.
The token was launched on October 1 at 8:00 am UTC; 90 seconds later, an account ending in 1e2e drained $22,000 worth of Ether (ETH) from the token's liquidity pool.
To achieve this, the attacker first took a 20 ETH flash loan from the lending platform Spark Protocol. He then used a fraudulent contract to swap the ETH for FIRE and swap it back, which inflated the price and destroyed the newly acquired FIRE in the process.
This process was repeated over 122 transfers through 16 different smart contracts, with every transfer part of a single transaction. Each time FIRE was converted to ETH, a slightly higher amount of ETH was received in return. As a result, the attacker was able to drain $22,000 worth of ETH from the pool. In addition, this transaction destroyed 230 FIRE tokens.
The attack was repeated several times, with the last exploit transaction taking place on October 2 at 1:14 am UTC.
Blockchain security platform TenArmor reported the attack on X, writing, “Our system #FIRE token @Fire_TokenEth was attacked in #ETH and suffered a loss of $22.3K as a result.”
According to price data from trading platform Apespace, the initial price of FIRE was approximately 33 ETH ($81,543 at current prices), or around $8 per 0.0001 FIRE. During the exploit, the value of FIRE skyrocketed to 30 billion ETH per coin, or $244.6 billion per 0.0001 FIRE. It then dropped to 4.7 billion ETH per coin in the next two minutes.
Note that by the time these high values were reached, much less than a single FIRE coin remained in circulation, as most of the token supply had been destroyed by the exploit.
After the exploit, the FIRE team deleted its X and Telegram accounts, suggesting the attacker may have been affiliated with the team. The token's Apespace page also displays a warning that the FIRE contract has a “blacklist” feature that allows the developers to ban any user's account and prevent it from selling the token. The developers may have used this blacklist feature to allow only themselves to sell.
Users should exercise caution when dealing with tokens that have new features that may not be fully understood.
In this case, the developers said that anyone who sold into the pool would destroy tokens, reducing the supply. Still, some users may not have realized that this allows a trader to repeatedly trade in and out of the token, artificially inflating its price and draining its liquidity.