Kaspersky Exposes Global Crypto Fraud Campaign ‘Tusk’ Targeting Sensitive Data with Sophisticated Phishing Attacks

Kaspersky has uncovered a global fraud campaign targeting cryptocurrency and personal information, believed to be led by Russian-speaking cybercriminals, through sophisticated phishing websites mimicking legitimate services. The campaign, dubbed “Tusk,” employs malware to steal credentials and manipulate cryptocurrency transactions.


16 August 2024 – Kaspersky’s Global Emergency Response Team (GERT) has identified a sophisticated online fraud campaign, believed to be orchestrated by Russian-speaking cybercriminals, that exploits popular topics such as Web3, cryptocurrency, artificial intelligence, and online gaming. This global campaign targets users on both Windows and macOS platforms, employing tactics to steal cryptocurrency and sensitive personal information through malicious websites that mimic legitimate services.

The campaign’s fake websites, crafted with a polished and professional appearance, deceive victims by closely resembling the design and functionality of authentic crypto platforms, online games, and AI services. These deceptive sites lure individuals into disclosing sensitive information, including cryptocurrency wallet private keys, or downloading malware, which allows attackers to drain funds or harvest credentials and other valuable data.

Ayman Shaaban, Head of Incident Response at Kaspersky, highlighted the organized nature of the operation, linking it to a potential single actor or group with financial motives. The campaign, dubbed “Tusk” by Kaspersky, appears to be a well-coordinated effort, adapting quickly to trending topics and deploying multiple sub-campaigns. Kaspersky’s analysis also revealed that the campaign’s malicious code contains Russian language strings, further supporting the theory of Russian-speaking involvement.

The Tusk campaign is currently spreading info-stealer malware like Danabot and Stealc, as well as clipboard hijackers (clippers) designed to manipulate copied cryptocurrency wallet addresses. These malware variants are distributed through Dropbox-hosted files that disguise themselves as legitimate software, tricking users into downloading and installing them.

To combat this threat, Kaspersky advises individuals and organizations to implement robust cybersecurity measures. This includes using comprehensive security solutions like Kaspersky Premium, investing in cybersecurity training for staff, and employing tools such as Kaspersky Password Manager to protect against password-targeting malware. The detailed analysis of the Tusk campaign is available on Securelist, and further insights into emerging cyber threats will be discussed at Kaspersky’s Security Analyst Summit (SAS) in October 2024.

Author: Terry KS
