Spilnota Detector Media

Disclosure: Eight fake chats copying the official “Main Intelligence Bot”

Fraudsters have launched eight fake chatbots that copy the official “Main Intelligence Bot” in name, description and appearance. The main goal of these fake resources is to mislead Ukrainians, especially those living in the temporarily occupied territories (TOT), in order to obtain confidential information or distort communication. This was reported by the Center for Strategic Communications and Information Security.

Attackers create these bots to collect sensitive data from the population and misinform citizens. This can be used to pass personal information to hostile forces or to undermine trust in government agencies, in particular the GUR.

The Main Intelligence Directorate (GUR) notes that the use of such bots is extremely dangerous and calls on citizens not to transmit any information through them.

Links to the real GUR bot can be found on the official GUR website or on their verified social media pages marked with a blue or green checkmark.

Verified ways to contact the GUR: the official chatbot of the Main Intelligence Directorate, @gur_official_bot; email: gur_official@proton.me; Signal and WhatsApp: +38 096 945 53 41.

Fake: In Ukraine, users are allegedly asked to confirm their age on Telegram

Anonymous Telegram channels write that the “Ukrainian authorities” allegedly require the owners of Telegram channels to confirm their age in order to log into the account. The publication says that without such verification, it will be impossible to log into the user's account. This is a lie.

The VoxCheck analysts examined this case and concluded that the information does not correspond to reality: on Telegram, users do not need to confirm their age to log into an account. This is part of “clickbait” advertising in which, under the pretext of an alleged change in how Telegram is used, users are invited to click on a link “to learn more”.

For example, experts recorded this advertisement in the “Kyiv Dvizh” Telegram channel and in a number of others. When the user clicks the button, the link leads to the Telegram channel that ordered the advertisement.

Disclosure: A new fraudulent scheme in WhatsApp

A new fraudulent scheme is spreading in the WhatsApp messenger. Users receive a message claiming that only a few signatures are missing to award the title of Hero of Ukraine to an unnamed relative of the sender. At the end, the message adds a link to a fake “Electronic petitions” page with a request to sign the corresponding petition.

The Center for Countering Disinformation at the National Security and Defense Council writes that the link to the petition in fact requires an additional WhatsApp login. If a person logs in again, the fraudsters get access to their personal WhatsApp profile.

The purpose of this scheme is to gain access to user profiles in order to then use them in their own interests. Therefore, if you receive such a message, the Center urges you to block the number from which it was sent, and in no case to follow unknown links. If you have become a victim of fraudsters, contact the cyber police or other competent authorities.

Disclosure: Someone is sending dangerous spam mailings to Ukrainians' email addresses

The Center for Strategic Communications and Information Security reports a new tactic used by cybercriminals. Attackers deliberately accompany the dangerous file with text made up of generic phrases that look like familiar business correspondence:

“Hello, I am sending documents at your request. Please provide the incoming correspondence registration number.

Sincerely,

Mobilization department.”

The sender names on the letters are conspicuously invented, for example, Konotopenko Radyvoi Ratyborovych. The signature “mobilization department” can confuse the recipient and prompt them to click on the file.

Here are tips from the Center on how to protect yourself from cybercriminals:

- under no circumstances open files received from unknown addresses;

- install an antivirus and keep it activated;

- make backup copies of important documents and files to restore them in case of loss.

Fake: Unidentified people on behalf of the State Emergency Service are sending out an evacuation plan to Ukrainians due to the alleged “defeat of the Khmelnytskyi nuclear power plant by an enemy attack”

Ukrainians are receiving emails on behalf of the State Emergency Service claiming that one unit of the Khmelnytskyi Nuclear Power Plant was hit by a Russian airstrike. The letters also include a link to download an electronic evacuation plan for residents.

The State Emergency Service reported that they did not send out such messages. This is the work of cyber scammers, and the link contained in the email is dangerous.

The Service also reminds people to rely only on trusted sources and to remember that all relevant information is always posted on its official website and on the State Emergency Service pages on social networks.

You can learn more about how to avoid becoming a victim of phishing links by watching the corresponding video from Dovidka.info.

Disclosure: Unidentified persons on behalf of the SBU are sending emails calling for downloading malware

This was recorded by specialists from the Center for Strategic Communications and Security. They explained that unknown persons are sending phishing emails allegedly on behalf of the SBU, in which users are asked to download malware with dangerous content. For example, Russian intelligence services can use this to collect private information about Ukrainian users.

The SBU department urged people not to click on links or download anything when receiving such emails. If such a situation occurs, you should report it by phone at 0 800 501 482 or send an appeal by email to callcenter@ssu.gov.ua.

Disclosure: On behalf of Ukrposhta, unidentified persons send messages urging users to follow unknown links

This was recorded by the fact-checker of the Brekhunets (Liar) project. They explain that Ukrainians began to receive messages, seemingly from Ukrposhta, saying that their parcel was “detained because it does not have a number”. For it to be sent, the recipient supposedly needs to update their address by clicking on the link.

The Ukrposhta main office previously warned that messages with similar content could be sent on its behalf. Ukrposhta specialists are convinced that in this way scammers seek to obtain users’ personal data in order to take possession of, for example, their funds. Therefore, one should not click on unclear links.

Disclosure: Hackers send messages with malicious software to Ukrainian military personnel

Attackers in the Signal messenger are sending messages containing malicious software to Ukrainian Armed Forces military personnel, on the topic of recruiting for the Third Separate Assault Brigade of the Ukrainian Armed Forces and the Israel Defense Forces (IDF).

The hackers’ messages contain archived files; launching them infects the computer with the REMCOSRAT and REVERSESSH malware. The attackers try to make the names and contents of the archives interesting to the military: “interrogation of a prisoner”, “geolocation”, “encoding commands”, “claims”, etc. Specialists from the American-Japanese company Trend Micro reported suspicious activity back at the end of December 2023.

Afterwards, the Ukrainian government computer emergency response team CERT-UA, operating under the State Special Communications Agency, took action on a series of cyberattacks. The team also noted that if suspicious activity is detected on computers and in information and communication systems of the Armed Forces of Ukraine, the ITS Cyber Security Center (military unit A0334; email: csoc@post.mil.gov.ua) should be informed immediately.

Disclosure: In Zaporizhzhia, unknown people on behalf of local authorities are distributing leaflets for complaints and suggestions in a chatbot

The chat is called President’s Messenger. The leaflets themselves are distributed on behalf of the chairman of the Zaporizhzhia regional council, Olena Zhuk. They say that city residents can share all their problems and worries through a chatbot by following the QR code on the leaflet, since “this is a quick way to draw attention to an existing problem”.

The Center for Strategic Communications and Information Security reported that the head of the local regional council, Olena Zhuk, called these leaflets fake, saying that she, her colleagues and the regional council have nothing to do with them, as well as with the President’s Messenger chat. In addition, Olena Zhuk asked citizens not to follow the QR code on the leaflets and not to transfer their personal data to unknown persons on the Internet. She also reminded residents of Zaporizhzhia about cybersecurity, urging them to observe the rules of digital hygiene.

Disclosure: Ukrainians are sent SMS messages on behalf of Ukraine’s National Post trying to deceive them

Ukrainians began receiving notifications from foreign numbers on behalf of Ukraine's National Post saying that it could not deliver parcels due to an alleged lack of data on the delivery address. To enter a full address and receive “their” package, recipients are encouraged by the scammers to follow a link and fill out all the necessary data.

The Center for Countering Disinformation under the National Security and Defense Council urges people to never click on links of a dubious nature, since the goal of scammers is to obtain all the necessary information about users for further criminal actions. In addition, it is worth noting that not a single postal service in Ukraine sends messages to users from foreign numbers.

If you have become a victim of scammers and have lost access to your page on a social network, contact the cyber police or other competent authorities.

Disclosure: A phishing attack has begun on Facebook: in order not to have the account blocked allegedly due to a violation of community rules, one needs to follow the link

A phishing attack on group administrators has begun on the social network Facebook. They receive a message saying that, allegedly due to serious violations of community rules, their account will be blocked within 24 hours. To prevent the account from being blocked, they need to follow the link in the message and appeal the decision.

The specialists from the Center for Countering Disinformation have investigated this scheme and urge people not to click on dubious links. In this way, scammers try to gain access to your Facebook account and information about bank cards and personal data.

Moreover, the Facebook administration does not send such messages. If someone has written something like this, send a complaint and block the author. If you have become a victim of scammers, contact the cyber police.

Disclosure: Unknown people send phishing emails from ukr.net in order to gain access to email accounts

This was discovered by specialists of the State Service for Special Communications. They explained that the attackers send emails allegedly on behalf of ukr.net technical support, claiming that the user has “fixed” suspicious activity. The emails also include a PDF attachment called Security Warning.pdf. The scammers send emails to the fake ukr.net technical support email address - account.support.0@ukr.net. The PDF document itself states that the mailbox may be blocked and that the user should confirm access to the account in order to avoid this. Subsequently, the letter contains a link that the user needs to “go to”. However, the link leads to a fraudulent site that imitates the web page of the mail service. If users enter their data there, unknown people can gain access to their mailbox. At the moment, experts are eliminating the consequences of the problem and trying to minimize cases of user data leakage.

Disclosure: Russian hackers send phishing emails to Romanians, urging them to enter bank account details

Romanians have started receiving emails en masse on behalf of a real parcel delivery company. The messages say that the delivery address of the parcel is allegedly incorrect. Fraudsters ask recipients to update the data within a day, otherwise “the parcel will be returned back”. That is, if during this time people made a delivery or sent a package using this service, they received a message from hackers about incorrect data.

This was reported by journalists from Digi24, who found that the letters from the so-called courier company look like real ones, but no company can ask people for detailed bank account details (i.e. PIN or CVV). That is why the journalists are convinced that this is a fraudulent scheme. After checking, it turned out that the IP address of the site from which the letters are sent is Russian. Accordingly, the message is sent by the Russian network of hackers.

Disclosure: On Facebook, scammers urge Ukrainians to apply for financial assistance

Several pages of alleged Facebook users leave comments under posts on the pages of Ukrainian authorities and other organizations. The comments call on Ukrainians to apply for “financial assistance along with the Uappl project”.

The site posted at the link gives no information about the organization providing the assistance. It is designed solely to collect data from people who need help and from those who want to become volunteers. After registration, you need to record a video message asking for help, which is redirected to the TikTok page of this volunteer organization. All video messages end with a fake QR code supposedly to help with this message. However, neither a smartphone nor online verification sites recognize this code. Also, according to their requirements, it is necessary to create an account on Binance, to which funds will allegedly be sent. No information about those who received assistance could be found.

The site is located on the same server with a resource related to cryptocurrencies. There is also a similar site focused on Poland.

This help is advertised on pages that attract attention because they are registered under foreign names, while most of the messages on them are in Ukrainian. Apart from the main photo, place of residence and educational institution, there is no other personal information. Most allegedly live in London and graduated from various British educational institutions. The pages are generally active. Moreover, one of the bots left a comment advertising the “help” on another fake page. Of the four verified accounts, two uploaded avatars on June 10, and the other two on June 12.

Disclosure: Russian hackers send letters with malicious links on behalf of the State Service of Special Communications and Information Protection of Ukraine

Ukrainians began to receive emails from Russian hackers posing as specialists from the State Service of Special Communications. The message contains a link to download an archive file (RAR) and a shortcut file named "TZI tools with an expert opinion on compliance with the requirements of technical information security.lnk".

Specialists of the State Service of Special Communications and the Computer Events Response Team note that opening this file will lead to the download of malicious programs, including some that can steal your personal data.

Letters are sent through the service @mail.gov.ua. This is how attackers try to disguise themselves as representatives of state bodies.

Disclosure: A phishing attack has begun on Telegram: "There is information about you too"

Ukrainians have started receiving pirated messages on Telegram, which users should not open under any circumstances.

The messages refer to a bot that allegedly finds hidden data and photos of people: "There is information about you too. See by yourself." If you follow the link, there will be another link, and the account will be hacked, after which a message about the bot will be sent on behalf of the user to five of their friends.

As fact-checkers from "NotaYenota" noted, phishing attacks were widespread on Facebook during the New Year holidays, when users who received the message "Tse ty na video" from friends followed the specified link en masse and became victims.

Phishing is a type of cyber fraud. The purpose of phishing is to gain access to your logins, passwords, bank cards, and other confidential information by deception. If such actions are aimed at many users (of a specific institution, for example, a bank or country), then such actions are called phishing attacks. Phishing messages are aimed at emotions because the weakest link in the system is a person.