Spilnota Detector Media

Disclosure Cybercriminals send malicious emails to the addresses of government agencies in Ukraine

According to the State Intelligence Service, the public authorities of Ukraine received new dangerous letters with the subject "Specialized prosecutor's office in the military and defense sphere. Information about the availability of vacancies and their staffing". According to the department, the letters have an attachment in the form of an XLS document containing a macro, the activation of which will lead to the creation and launch of the "write.exe" file on the computer. It may cause the device to be damaged by Cobalt Strike Beacon. The State Intelligence Service associates the activity with the work of the UAC-0056 group, which was already involved in cyberattacks in Ukraine in April and March.    

Disclosure A fake page of Valerii Zaluzhny was created on Twitter

The Twitter social network created a fake page of the Commander-in-Chief Armed Forces of Ukraine, Valery Zaluzhny. The General Staff of the Armed Forces reported that Zaluzhny does not have an official Twitter page.    

Disclosure Fraudsters promise guaranteed payments to all Ukrainians from the European Union

The fake message about social benefits to all Ukrainians with the support of European Union countries is being distributed on the Facebook social network. Fraudulent advertising was spread specifically to the Volyn region.

According to the Brekhunets, two versions of the fake were distributed this time. In the first option, they promised a refund of VAT for the last three years per Resolution 28-9329k. In the second case, each citizen was pledged to the payment of 9,800 hryvnias using a manipulative clip of a video with Volodymyr Zelensky. Next, using the link, you need to enter the bank card's last name, first name, and last six digits. Remember that the card number, CVV code, or PIN code are personal data that cannot be disclosed to anyone, not even bank employees. Resolution 28-9329k, which the authors of the messages refer to, does not exist at all. Using a reference to a non-existent document gives the impression that the offer has legal force. People write that they have been paid different amounts on the fraudulent page in the comments. Still, the state constantly clearly regulates the amounts of funds that are paid out as financial assistance to different categories of citizens. All these signs point to fraud. The goal of fraudsters is to steal card data to gain access to the personal funds of their owners. Previously, we wrote about how fraudsters offered payments from the EU using the fake page of Lesya Nikityuk or provided compensation for VAT refunds in the amount of 7-9 thousand hryvnias, etc.    

Disclosure 100 million hryvnias were stolen from Ukrainians under the guise of social security payments from the EU

The cyber police reported that they exposed a group of nine criminals who, under the guise of social security payments from the EU, gained access to the bank data of more than five thousand Ukrainians. According to law enforcement officials, 100 million hryvnias were stolen from Ukrainians under this scheme. "Nine people created over 400 fake web resources to obtain citizens' banking data. Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union. Hackers took surveys and entered bank card details using phishing links. After receiving the data, the attackers made an unauthorized intervention in online banking and withdrew money from the accounts," said the cyber police.

Disclosure The enemy collects data on Ukrainians using a fake chatbot

According to the Center for Combating Disinformation at the NSDC, the occupiers are trying to collect personal data of Ukrainians. According to Viktor Andrusiv, adviser to the Minister of Internal Affairs of Ukraine, the Russian special services created the spektr_robot bot for this purpose.

The Center warns not to use it to protect yourself and provides blocking instructions: you need to enter the name of the bot in the Telegram search bar; go to the settings of the specified bot (without clicking "start"); choose to "complain about" the illegal storage and use of personal data and the use of said data by the occupation authorities of the Russian Federation in the occupied territory of Ukraine against civilians. "We also advise you to send information about the spektr_robot bot to the Cyber ​​Police of Ukraine using the Telegram bot StopRussia | MRIYA @stopdrugsbot," said the Center's message.

Disclosure Fraudsters, under the guise of the "Ukraine 24" logo, are trying to steal payment card data - offering "compensation" for VAT paid along with "assistance from EU countries"

On Facebook, the attackers launched an old fraudulent scheme of alleged "compensation for VAT paid," which now was combined with "assistance from EU countries." This advertisement is promoted on Facebook, using the Ukraine 24 TV channel logo. The message is illustrated by a photo of Volodymyr Zelensky with the "signed decree" captions and "urgent check of cards for payments to each citizen from UAH 9,800" to draw attention to the information in it. The post's description states that "Ukrainians will receive financial assistance from EU countries" and about "VAT refunds for the last three years." To receive "compensation," social network users are offered to go to a third-party site, where they are asked to provide all the card data, they say "for verification." With this card information, attackers will appropriate all the money in the account. A similar scheme was distributed in 2021 when photos of the host of "1 + 1" Alla Mazur were used.

Disclosure Cars were assembled across the country at the "rally in support of Russia" in the Luhansk region

On the day of Russia, the propaganda media published a lot of news about the celebration of this date in the so-called "LPR," including a rally in the occupied part of the region. According to the propagandists, all this should have convinced the audience of Russia's support for the local population. But the fact-checkers from Russia received evidence that in the column of cars that went under the flags of the invader, there were cars with Crimean license plates, from Chuvashia, from other regions of Russia. They suggest that most of them belong to the Russian military. And in the column was an ambulance, which the occupiers seized from Ukrainian medics - and did not even stick the inscription on it in Ukrainian.

Disclosure The attackers call relatives and friends of the Armed Forces soldiers and offer their "help" in their alleged release from captivity

The Security Service of Ukraine has exposed such fraudsters in Zaporizhzhia, said SSU spokesman Artem Dekhtyarenko.

They demanded a separate fee for their "services." Prices varied and, in most cases, depended on the emotional state of relatives.

Among the pseudo-services offered by fraudsters:

- a telephone conversation with a prisoner, for which they asked from 10 to 50 thousand hryvnias;

- release from captivity, which was estimated at 50 to 200 thousand hryvnias;

- transportation of the deceased's body - up to 10 thousand hryvnias.

"Of course, the attackers could not fulfill any of these mythical promises. And after receiving the money that was sent to them online, they just disappeared. The fraudsters monitored the Internet, where they collected data on missing Ukrainian soldiers and their families to make their words credible. The organizer of the scheme was a man currently in the temporarily occupied Mariupol. He was recently released from prison. In addition, in Zaporizhzhia, he had an associate who was responsible for the financial component and provided mobile calls, constantly changing numbers and operators. SSU special forces detained her, " Artem Dekhtyarenko said.

According to Dekhtyarenko, during the search of the suspect, in particular, the following were seized:

- Computer equipment with evidence of illegal activity;

- A large number of mobile phones and SIM cards;

- Bank cards for receiving payments; - A quarter of a million hryvnias in cash.

The Security Service draws attention to the fact that the issue of releasing prisoners of war is within the exclusive competence of public authorities.

Suppose you or your acquaintances find yourself in a situation where unknown people demand money for the "release" of a relative from captivity. In that case, you should immediately contact the Joint Center for Search and Release of Prisoners:

+38 067 650-83-32

+38 098 087-36-01

Disclosure The Italian media is a platform for Russian propaganda

It was announced on the Polish Radio by the Speaker of the Minister-Coordinator of Special Services, Stanislaw Zharyn.

"Russian propagandists and experts promoting pro-Russian theses are frequent visitors to Italian news and journalism programs that comment on the 'special operation in Ukraine' and spread Kremlin propaganda. There are even allegations that the Italian media has become Russia's "disinformation bridgehead in the West," Zharyn said. He also added that since the beginning of the full-scale Russian aggression against Ukraine, Russian politicians and propagandists had left virtually no Italian programs on public and private channels. "They appear in the most popular interviews and talk shows in the country of entertainment, where viewers applaud the guests," says Zharyn. He also believes that although the Italian media maintains a balance, this position equates propaganda with facts.

Disclosure All Ukrainians can receive state aid, and the amount will depend on the place of residence

Messages with such a thesis are spread in the Volyn segment of Facebook. "Officially! All citizens of Ukraine will receive cash payments! The amount depends on the area of ​​residence ", - it is said in the messages distributed on Facebook. In particular, such a post was published in the group "Tereveni pro VolynUA." However, this is not true.

According to the journalists of the fact-checking project "Brekhunets," there is no program in Ukraine under which all citizens, without exception, receive cash benefits. As in the pre-war period, certain vulnerable categories of the population receive social assistance. As for cash payments due to the Russian invasion, only internally displaced persons can claim these funds. New rules came into force in May to help people who had fled their homes due to the war. Only Ukrainians from certain regions approved by the government are entitled to cash benefits. Read more.

Disclosure Fake letters are allegedly sent to Volyn entrepreneurs from the regional state administration. In Volyn, entrepreneurs receive fraudulent letters allegedly on behalf of the Volyn Regional State Administration

According to the regional state administration, the fraudsters tried to extort funds "from the Armed Forces of Ukraine."

"It became known about the letters on fundraising for the Armed Forces of Ukraine, which are received by entrepreneurs in Volyn allegedly on behalf of the Volyn Regional State Administration. Be careful! These are scammers. The Volyn Regional State Administration did not send such letters, " said in the statement. According to the fact-checking project "Brekhunets," the regional state administration's economic department told them that several entrepreneurs had applied to the regional state administration with such a problem. As it turned out, fraudsters sent many similar letters.

Disclosure Russian special services are trying to intimidate the Ukrainian military by sending threatening messages to personal numbers

 The General Staff of the Armed Forces of Ukraine has warned that Russia's special services are trying to intimidate the Ukrainian military by sending SMS, telegram, Viber, Signal, and WhatsApp messages to personal numbers threatening to break an oath, give up, surrender or side with the enemy. The General Staff of the Armed Forces of Ukraine explained that these threats are aimed primarily at morally destabilizing units of the Defense Forces of Ukraine, sowing doubts and reducing morale. "Threats of personal data (surname and name of the person, taxpayer's code, place of registration and, sometimes, data on the number and composition of the family) are increasing," the General Staff of the Armed Forces said. - The text of the threats refers to the alleged exact location of the person who received the message; it is noted that, in case of continuation of service, missile strikes will be fired at the exact residence of the telephone owner and his family. " At the same time, the personal data in these reports are usually outdated (the person has already changed the place of registration, moved to another location, changed the military unit, etc.). 

Fake Andrzej Duda donates several thousand zlotys to Ukrainians

  Such information is spread in the Volhynia segment of Facebook. In messages, Polish President Andrzej Duda allegedly distributed several thousand zlotys as a gift to Ukrainians. It is reported that the amount of payments varies and allegedly depends on the month of birth. However, this is a fake. According to the fact-checkers of the Brekhunets project, the text says that you need to choose your month of birth and get a gift corresponding to the month of birth. "You need to do it confidently. The money is charged in zlotys. The highest pay is for those born in May and September - PLN 9,600, and the lowest in March - PLN 6,800. There is also an additional post to the post in which I express my sincere gratitude to the President of Poland and all Poles for their support! And added four photos depicting Andrzej Duda, bundles of money, and many packages with "gifts." In fact, the President of Poland does not give money to Ukrainians depending on the month of birth. Duda's Facebook page is fake. Even his name was misspelled. In the fake post - ANDRZEJJ, in fact correctly in Polish - ANDRZEJ. She has only 1,896 likes and two posts. And in the sphere of activity, the "Real Estate Agent" is mentioned, " the fact-checkers write. 

Disclosure Cyber ​​attacks were again carried out on the state authorities of Ukraine

According to the State Special Service, employees of state organizations in Ukraine receive new dangerous e-mails with the file "changes in wages with accruals.docx." Experts say that the document's opening threatens to damage the computer with malicious software Cobalt Strike Beacon. It is known that the document contains a link to an external object (HTML file containing JavaScript code), the opening of which will lead to the launch of the PowerShell command, download the EXE file "ms-msdt.exe," and damage the computer. The State Special Communications Service and Information Protection of Ukraine asks employees of state organizations to be careful and work on blocking the domain name and the corresponding server.

Fake The Red Cross will pay 3,000 hryvnias to refugees, displaced persons, the military, etc

The network spreads fakes about alleged financial assistance from the Ukrainian Red Cross, saying that the organization will pay 3,000 hryvnias to refugees, displaced persons, the military, children under 18, and people who have lost their jobs. It is offered to go to the telegram bot. The Red Cross of Ukraine denied this information and called not to transfer personal data and bank card numbers to scammers. "Be careful, check the information on official sources of the Red Cross of Ukraine, for example, on the website redcross.org.ua," the organization said. "If you find fake information, let us know by sending a link to the fake source and a letter to sos@redcross.org.ua."

Scammers often manipulate Ukrainians and launch schemes with alleged financial aid from the state, banks, other organizations, or countries. If you have become a victim of a fraudulent scheme and provided scammers with your social network login or bank card details, you should immediately change your login passwords, change your bank card's CVV code, or reissue your card. We remind you that you can not enter your personal data and payment card details on unfamiliar and suspicious websites and advises you to set up control over the movement of funds (SMS notifications, transaction limits, etc.). Banks never ask users for a payment card PIN, CVV code, payment confirmation codes, and passwords for Internet banking. Similarly, no institution needs your passwords to log in to the social network to process your data. Passwords are requested only by scammers to gain access to your account. We warn that fraudsters often create clones of social networking sites, banks, and other institutions. To avoid problems - do not go to these sites with a link; search for official sites through a search engine, and pay attention to their addresses - one extra letter or misspelling may indicate that this site is fake.

Disclosure Through loyal Western experts, Russia is promoting the narrative of its imminent victory and the need for Ukraine to make concessions

According to the Center for Countering Disinformation, in particular, the French Center for Intelligence Research has published an analytical report that partially promotes the Kremlin's narratives about "inexperienced Ukrainian soldiers" and the "professional Russian army"; Former US Senator Richard Black spoke in an interview with English-language media about Russia's imminent victory, as "Russia cannot afford to lose because of the threat of NATO enlargement"; Italian General Leonardo Tricarico called on the EU to abandon the "crazy idea of ​​winning the war in Ukraine" and persuade Ukraine to surrender so as not to provoke Russia to use weapons of mass destruction; The German Schiller Institute held an international discussion on the threat of World War III, and the participants concluded that "the confrontation with Russia is detrimental to Germany and the EU." It will be recalled that this is not the first time that Russian propaganda has tried to promote its narratives through “Western experts.” In this way, the propagandists want to create the appearance of support for Russia's actions by the Western world.

Manipulation All Ukrainians, without exception, can receive $ 75 a month from Binance and an 8% cashback card in bitcoins

Such information is spread in Rivne telegram channels. In particular, in the Rivne Holovne channel. Such reports add a link to the instruction, which will "help" to get support in cryptocurrency and also claim that help is supposed to receive by every Ukrainian who applied by May 31. However, this is a manipulation. As the fact-checkers of the “Brekhunets” project found out, the official Binance website states that on April 26, 2022, the company launched the Refugee Crypto Card for Ukrainians. “Ukrainians who have been inspected by local non-profit organizations and applied for Binance Refugee cryptocurrency cards will receive 75 BUSDs, equivalent to $ 75 per month for three months. The cryptocurrency BUSD will be automatically converted into local currency when paying by card. We also note that the card's message has 8% cashback is true.

However, the statement that EVERY Ukrainian will be able to get this "plastic" is not valid! After all, according to the company's official report, the cards will be available only to those Ukrainians who were forced to travel to the European Economic Area due to the war with Russia, " the fact-checkers write.

Disclosure Fraudsters are trying to steal payment card data - through the resource "TSN" offer monetary aid from the UN.

The government emergency response team of Ukraine CERT-UA, which operates under the State Special Communications Agency, warns of a new fraudulent scheme. A fraudulent page was found in Facebook, which imitates the resource of the TV channel "TSN". On the page offers to take part in a survey. To do this, you have to click on the link and allegedly receive "monetary aid as part of the UN social program". Later the user will be asked to provide personal information and make an additional payment.

As a result, the payment card data will be compromised.

The State Special Communications Agency cautions:

1. Never enter payment card details on unfamiliar and suspicious websites. Set control over movements of funds (activate SMS-informing, set transaction limits).

2. If the data of payment card were entered erroneously on the fraudulent website, block the payment card immediately using mobile application, bank hotline (the phone number is indicated on the back of the card) or via internet-banking.

3. Remember to always follow the basic rules of cyber hygiene.

In April, fraudsters used a similar scheme. Then they pretended to be the popular TV channel Ukraine 24 and used the theme of financial aid from EU countries.

Disclosure Russian hackers are sending out dangerous emails with the subject line "About a revenge action in Kherson!".

As reported by the government response team to computer emergency events in Ukraine CERT-UA, a grouping associated with the Russian Federal Security Service UAC-0010 (Armageddon ) carries out a new cyber attack As stated in the message, the hackers are sending dangerous emails with the theme "About the action of revenge in Kherson!", which contain attachments in the form of a file "Plan Kherson.htm".

If a person opens the file, a new file is created on the victim's computer - "Herson.rar" with the shortcut "Plan of approach and laying explosives on critical infrastructure facilities in Kherson.lnk". And as an end result, the GammaLoad.PS1v2 malware is downloaded. The UAC-0010 (Armageddon) hacker group is among those that have been actively attacking our country's critical information infrastructure since the beginning of Russia's full-scale military invasion of Ukraine. During cyber attacks, hackers use topics that are painful for Ukrainians. There have also been cases of cyber attacks by this group against EU countries," the State Security Service reported.

Fake Russia has not engaged in cyber aggression.

The Russian media and pro-Kremlin telegram channels circulated a statement from the Russian Embassy in the United States stating that Russia "was not engaged in cyber aggression. With this statement, the Russian institution tried to argue that Russian hackers attacked the KA-SAT satellite network. Recall that the kink was known back in March 2022. In fact, EU High Representative for Foreign Affairs and Security Policy Josep Borrel reported, that Russia carried out a cyberattack on the KA-SAT satellite network operated by Viasat on February 24, an hour before the full-scale invasion of Ukraine. The attack, he said, caused disruptions in communications between several government agencies, businesses and users in Ukraine, as well as affecting several EU member states.

The Russian embassy's claims that Russia allegedly uses "information and communication technologies exclusively for the benefit of the development of the world community" are blatant lies. Just before the full-scale invasion of Ukraine by Russian troops, according to Microsoft, at least six hacker groups affiliated with the Russian Federation carried out 237 cyber attacks against Ukrainian businesses and government institutions. And in the first month and a half since the full-scale war began, Ukraine has experienced 362 cyber attacks. The Security Service of Ukraine, in its turn, reported, that the Russian special services planned to destroy the entire cyber defense of Ukraine: the night of February 24 saw the largest number of hacker attacks on Ukrainian systems.

Russia's attempts to shift responsibility to the United States, saying that it is America that is "one of the main sources of global cyberthreats" is also a manipulation. After all, Canada's Communications Security Center previously reported, that Russia, China and Iran are responsible for the majority of cyber threats against democratic processes around the world.

Fake Three Ukrainian banks, Privat, Mono and Sber, charge each customer 3,000 hryvnias.

According to the Slavyansk City Military and Civil Administration, residents of the community receive a notice that Privatbank, Monobank, and Oschadbank will allegedly charge each user 3,000 UAH in connection with Russia's military aggression. However, this is a fake. The civil-military administration urges people not to click on the links that come in such messages, so as not to get hooked by fraudsters.

Disclosure Fraudsters swindle money from Ukrainians by assuring them that every Ukrainian can get a refund of value-added tax from 7,000 hryvnias.

Reports that Ukrainians can get back the value added tax they paid are spreading in social networks. In particular in Facebook. Messages of such content appear in the network not for the first time. In a message advertised on Facebook, a page called UA News with stolen branding TSN informs that "every resident of Ukraine can get a refund of value added tax from 7000 to 90 000 hryvnia". And in order to get the money, you need to follow the link and click "get compensation." "Next, you are assured that you are on the official website of the authorized unit for financial protection of the population - EKC PNGK. Probably, you mean the Unified Compensation Center for the Return of Unpaid Monetary Funds, which does not exist in Ukraine! Scammers engage in phishing, because they ask you to specify an email and the last six digits of the bank card number you use most often (!). Of course if you use it often, there is most likely money on it. The purpose of such scheme is to trick you into giving out your personal confidential data. Most likely, having specified this data, the next step is to enter the card expiration date and CVV2 code. Thus, the attackers will get access to all the funds in the account", - write the fact checkers of the project "Brekhunets".

Disclosure Fraudsters distribute a fake chatbot of the state platform "Diia" in the network.

The fraudsters' messages say that allegedly at the link everyone officially working has the opportunity to receive monetary support from the state in the amount of 3000 hryvnias. According to the fact-checkers of "Stop Fake Dnipro" project, the link opens "Privatbank" page, where you have to indicate your card number and CCV code.From what data you enter, we can conclude that the project is fraudulent, which aims to steal money from the cards of people who will register using the link "Neither "Diia", nor Ministry of Digital Transformation send any SMS or messages in social networks. The crediting of funds is reported by the "Action" app and push notification bank, which contains only text - no links," the fact checkers said in a statement.

Disclosure Hackers attack computers with emails with the subject line "№1275 of 07.04.2022".

According to the Ukrainian government emergency response team CERT-UA, acting under the State Service of Special Communication and Information Security, hacker group Armageddon attacks state agencies of Ukraine with dangerous e-mails with the subject line "¹ 1275 of 07.04.2022". The emails contain an HTML file, which, when opened, creates an archive on the computer with a file called "On the facts of persecution and murder of Prosecutor's Office employees by the Russian military in the temporarily occupied territories.lnk". If opened, hackers can gain full control over the computer and steal confidential information or damage data and computer systems. Read more.

Ukrainians are sent malicious letters with the theme "Information about Russian war criminals".

According to the State Service of Special Communications and Information Protection, the attackers use painful for Ukrainians topics, in particular, "parasitize" on information about personal data of the Russians who committed war crimes.

It is reported that Russian hackers send such emails, in particular, to the emails of state bodies of Ukraine. The dangerous e-mails contain an HTML file "Military criminals of the Russian Federation.htm", the opening of which will lead to the creation of a RAR-archive "Viyskovi_zlochinci_RU.rar" on the computer. According to the State Service for Special Communications and Information Protection, the archive contains a shortcut file "Military criminals destroying Ukraine (home addresses, photos, phone numbers, pages in social networks).lnk".

The State Service of Special Communication and Information Protection warns that opening the letter will lead to the fact that the attackers will gain remote access to the victim's computer. The activity is associated with the activities of the group UAC-0010 (Armageddon).