Fake free software scam nets crooks $50k

A scam targeting cryptocurrency holders, which lures victims with cracked or pirated copies of software, has been detected by cybersecurity company Avast.

The latest cracked software scam uncovered by the company netted the masterminds at least $50,000 – taken from 37 cryptocurrency wallets, some of which had apparently been emptied.

The threat actors launched their attack on the unwary from “dubious sites that supposedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content.”

“All these sites are placed in the highest positions in search engine results,” added Avast, in a social engineering technique it dubbed “the Black SEO mechanism.”

Top search engine results leading to scam malware payload

The sites linked to a malware payload that Avast claims could have infected 10,000 machines a day, primarily in Brazil, Indonesia, France, and India. The zip file containing the malicious link was encrypted to prevent it from being detected by antivirus software.

“The second interesting technique that we observed in connection with this campaign was the use of proxies to steal credentials and other sensitive data from some crypto marketplaces,” said Avast.

“Attackers were able to set up an IP address to download a malicious proxy auto-configuration script. By setting this in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.

“This type of attack is quite unusual in the context of the crypto stealing activity. However, it is very easy to hide it from the user, and the attacker can observe the victim's traffic at given domains for quite a long time without being noticed.”

Computer users who fear their device may have been compromised by this attack should follow instructions for removing malicious proxy settings outlined by Avast.