The announcements of Facebook’s new cryptocurrency “Libra” and its associated digital wallet “Calibra” have conjured up discussion, debate, criticism, and praise from all corners of the Internet. Companies constantly launch new products and add brands to their portfolio, but it’s not every day that one of the world’s largest tech companies decides to establish its own digital currency, let alone with the support of several other big players like Mastercard, Visa, and Uber.
Since Facebook’s announcement on June 18, there has been a gold rush, with people scrambling to register a myriad of domain permutations that infringe on the new trademarks. These have ranged from seemingly innocuous websites to those which appear slightly more sinister. With Digital Shadows’ Shadow Search, we can pull up a chart which shows the number of domains with references to either “Libra” or “Calibra” registered in the days on and around the 18th.
Figure 1: Shadow Search results over time for domains registered with “Libra” or “Calibra” (two charts: Libra, Calibra)
The vast majority of these are fairly boring: currently parked and not hosting content. Some domain squatters aim to jump on a domain name with the hope of making a profit when the company looks to buy it back from them. It’s become common practice for a lot of businesses to preemptively buy up all the relevant domains so they don’t fall into the wrong hands, particularly TLDs which can cause reputational damage or send the wrong message.
Even if the company doesn’t plan on using them to host content, they can be set up to redirect to the legitimate page, preventing visitors from stumbling across an empty site by accident. Researchers or tech-savvy users have traditionally relied on WHOIS registration records to compare the legitimate domain records to a potential typosquat. However, unless a company makes their registration data public, with the advent of the EU’s GDPR, masked WHOIS data has become largely unhelpful. This can make it more difficult for customers and consumers to check if a domain is legitimate or not and can sometimes even be advantageous to those with more nefarious intentions.
Of all the domains set up since the 18th, those that are hosting malicious content can broadly be split into two categories:
Brand misuse in the form of domain impersonation is an issue that plagues companies large and small. Unsurprisingly, there have already been several domains that have been set up to be exact copies of Facebook’s official Libra and Calibra websites. Instead of relying on media buzz and hype around the brand, these types of scams instead aim to convince victims that they are on a legitimate website, and therefore more likely to trust it with their personal and financial data.
As a result, criminals can’t just rely on domain names that are obviously fake: Why would the official Libra website use a .fish or .style TLD? This is where punycode comes in. An increasingly common tactic is for criminals to register domains using characters from Greek, Cyrillic, and other alphabets which resemble letters in the Roman alphabet, also called a homograph attack. These can appear near-identical to unsuspecting users, and can be difficult to spot on smaller devices such as mobile phones. Examples could include substituting a lowercase A with the Cyrillic character “а”, or using the Turkish dotless I “ı” in place of a lowercase L.
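As an added example (not code from the original post), here is a small Python checker that decodes punycode labels and flags the two tricks described above: labels mixing Cyrillic or Greek with Latin, and accented or look-alike letters that collapse onto a protected brand name once normalized. The brand list, the hand-built confusables table and the sample domains are assumptions; the xn--calbra-yva label is the one cited later in the post.

```python
import unicodedata

# Brand labels to protect, longest first so "calibra" is tested before "libra".
BRANDS = ("calibra", "libra")

# Hand-built look-alike table (an assumption; use the Unicode confusables data
# in practice). Accented Latin letters such as the ì in calìbra[.]com need no
# entry because NFKD decomposition strips the accent in skeleton() below.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0131": "l",  # Latin dotless i, passed off as a lowercase L
}

def decode_label(label):
    """Turn an A-label such as xn--calbra-yva back into its Unicode form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(label):
    """Scripts used by the letters in a label, taken from character names."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        elif unicodedata.name(ch, ""):
            scripts.add(unicodedata.name(ch).split(" ")[0])  # CYRILLIC, GREEK, ...
    return scripts

def skeleton(label):
    """Strip accents and map look-alikes so similar-looking labels collide."""
    chars = (CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKD", label)
             if not unicodedata.combining(c))
    return "".join(chars).lower()

def assess(domain):
    """Findings for the first label (assumed to carry the brand); [] if clean."""
    label = decode_label(domain.lower().split(".")[0])
    findings, scripts = [], scripts_in(label)
    if len(scripts) > 1:
        findings.append("mixed-script label: " + "+".join(sorted(scripts)))
    skel = skeleton(label)
    if skel in BRANDS:
        if label != skel:
            findings.append(f"homograph of {skel}")
    else:
        hit = next((b for b in BRANDS if b in skel), None)
        if hit:
            findings.append(f"brand '{hit}' embedded in '{skel}'")
    return findings
```

Note that the dotless-i case passes the mixed-script check (it is a Latin letter), which is why the normalized skeleton comparison is needed alongside it.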
Digital Shadows has identified at least six examples of domains either directly copying the Libra and Calibra websites or using the brand imagery for potentially malicious purposes:
[Screenshots: Real: calibra.com vs. Fake: libra-ico.org]
Crafty criminals can clone the entire website and change certain assets to suit their nefarious needs. In the examples above, note the change of text from “Get Started” on the real website to “Sale Libra” on the fake one. For the most convincing of sites, it can be nigh-impossible to determine which is legitimate and which is fake. Unfortunately for our scammer friends in this case, some of the page formatting was off, making it easier to recognize it as fraud.
Clicking the sale button directs you to a page that claims to exchange your Ether (the cryptocurrency of the Ethereum blockchain) for the equivalent amount in Libra, with a 25% bonus. What a deal!
Figure 2: “Sale Libra” page on libra-ico[.]org
The Ethereum address listed as the contribution address (the wallet controlled by this scammer) had already collected 0.2 Ether ($58.24 at the time of writing). Not a ground-breaking amount by any means, but it’s something!
Funnily enough, since starting work on this blog, content on several domains we identified has since been removed, with the owner of the calìbra[.]com (xn--calbra-yva[.]com) website leaving an almost-sincere message to those they defrauded:
Frequenters of the Internet will be no stranger to the vast number of cryptocurrency scams that have been circulating the web over the past few years (see Elon Musk’s Twitter). These have become wildly popular since the cryptocurrency boom in late 2017 and have since taken many forms, from social media posts asking for initial payment into a criminal’s wallet, to more technically complex schemes which use botnets to mine cryptocurrency with the power of unsuspecting victims’ computers (see Digital Shadows’ research on the Bitcoin gold rush).
It comes as no surprise that cybercriminals have leveraged the vast media attention received by Facebook to propagate new schemes with Libra – even though the currency is not even set to launch until 2020.
One website, libra-vps[.]com claims to have set up Debian-based Virtual Private Servers (VPS) with access to the Libra blockchain. These are available to purchase starting at $200, and purportedly allow anyone to create a wallet, send/receive Libra, and even mint coins (remember when I mentioned the cryptocurrency hasn’t even officially launched yet?).
The site even has a step-by-step guide on how to use their service, which includes accessing a Remote Desktop Connection (RDC) program and entering in a username, password, and IP address. If your internal alarm bells haven’t gone off yet, they should be at this point.
If the goal of this website isn’t just to scam people out of $200, going so far as to open your ports to an unknown source means you’re probably going to have a bad time. An attacker could leverage this connection to install all imaginable types of malware, harvest credentials and sensitive information, and more. If the ability to mint as much as you like of a cryptocurrency that doesn’t yet exist sounds too good to be true, or even implausible, then it probably is. So, caveat emptor.
If there’s one thing that will remain constant, it’s that scammers, uh, find a way. There will undoubtedly be dozens more domains created between this blog’s publishing and the time it takes you, my dear reader, to reach its conclusion.
Though not every company is as large as the behemoth that is Facebook, the gold rush that arose following the announcement of their cryptocurrency can serve as a useful example to other organizations and consumers alike, with several lessons learned:
[1] By this I mean characters as in letters and symbols, but you should generally be wary of other types of peculiar characters as well, like gnomes, or strangers in trenchcoats
To keep up with more research like this, make sure to subscribe to our email list below for updates.