This new phishing campaign is targeting security experts across the globe

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock)

A new phishing campaign has been discovered targeting cybersecurity professionals and hacking aficionados with the idea of stealing their cryptocurrency and obtaining sensitive identity information.

At the center of this attack is Flipper Zero - a portable multi-tool for pentesters, hackers and researchers. It can be used to explore any kind of access control systems, RFID, or radio protocols, Bluetooth, NFC, and similar. 

The tool started as a super successful Kickstarter project, but ran into numerous roadblocks in the production stage. As a result, the demand far outweighed the supply - creating a major opportunity for cybercriminals. Now, researchers have spotted multiple fake online stores selling Flipper Zero, as well as fake Twitter accounts promoting the shops. One of the accounts is using typosquatting to try and trick people (the “L” in Flipper is actually a capital “i”). These accounts are quite active, it was said, responding to customer queries relatively fast.

Stealing data and crypto

Those who fall for the trick will ultimately be redirected to the phishing checkout page, where they need to submit plenty of sensitive data - email address, full name, as well as the postal address. Furthermore, the only way to pay on these pages is with cryptocurrency - either bitcoin, or ether. However, researchers are saying that the wallets listed on the fake shops are empty, so either no one fell for the trick, or the tricksters are constantly changing their addresses to avoid getting doxxed. 

The company is trying to combat the plague, which has since spread to Instagram as well, but to no avail. In a recent tweet, the company said: “Dear @Instagram and @InstagramComms, there are hundreds of fake and scam accounts imitating our official Flipper Zero Instagram account. These fraudulent accounts try to fool people and steal money. We can't report them because we are rejected to have a verified blue check mark.”

Flipper Zero’s Kickstarter campaign was live back in 2020, and was widely successful. The initial campaign goal was $60,000, but ended up receiving more than $4.8 million in pledges. The first users were sharing their achievements on social media, to the amusement of the masses, which only hyped up the product even more. However, the production was significantly hindered when PayPal held $1.3 million for months.

In September 2020, the Flipper Zero team said the payment service decided to withhold the amount without explaining the reasoning, and after a quick back-and-forth, decided to terminate the company’s account, endangering the entire project. A few months later, in late November 2020, with the help of a legal team, Flipper Zero managed to get roughly three-quarters of the funds ($980,000), but still kept around $350,000 to “mitigate possible claims”.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.