
security,

Cryptojackers Get Super Creative – Infected Updates Are Now Viral

Cryptojackers are here to make fun of legitimate app developers and to make some money along the way. Since everything in technology changes, the cyber culprits are moving beyond infecting Wi-Fi networks, Amazon Fire TVs, and random websites with Coinhive. These days they are delivering the change by bundling miners with otherwise legitimate Adobe Flash Player updates.

In fact, it is the old-school Trojan horse tactic but hey, old-school always works. In short, when you download what looks like the latest Adobe Flash Player update, you also get an XMRig bot, which is there to hijack your computing power and mine some Monero for the bad boys.

Source: Palo Alto Networks

The first to uncover the mining malware was the cybersecurity company Palo Alto Networks. The corrupted Flash updater has been circulating on the internet since the beginning of August. Apart from getting the “newest” Flash Player, you get the “newest” mining malware installed in the background, silently making profits for someone else. Chances are many users are unaware that they have been cryptojacked. While they may experience system outages and slow, impaired performance, those who are not familiar with crypto malware may have a hard time figuring out what is wrong with their devices.

The cybersecurity researchers have stumbled upon 113 files dubbed “AdobeFlashPlayer”. But the catch is, none of them are stored on Adobe-owned servers. Palo Alto Networks suggests that the cryptojackers have used bogus URLs to redirect their potential victims. One question remains, however: how and why did users reach these URLs?

While the analysis of the URLs showed no signs of anything suspicious, after the installation process the mining bot immediately connects to a Monero mining pool and starts doing its thing.

“Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary. Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer,” reads the post.

security,

Google Restricts Third-party Apps From Using Sensitive Data

Traders from all walks of life know that storing cryptocurrencies in a mobile wallet is bad, bad, bad. There are hundreds of reasons one should refrain from hot wallets in general, but mobile wallets are easily the most vulnerable of them all.

It’s not only that there are copycat applications that impersonate legitimate apps. The problem is that even “legitimate” apps sometimes do get compromised. And when that happens, oh boy… You can only hope you are fast enough to relocate your tokens. Indeed, hackers manage to corrupt mobile applications much more often than you think.

This is the reason why Google has revamped its Apps Policy. In a blog post published on Monday, the tech giant clarifies that, apart from shutting down its social network Google+, it will also give users more power to decide what data they share with third-party apps. This puts the power back in users’ hands. From now on, when you install an app you can specifically choose what you share with it and what you don’t. This means that you can restrict access to your camera, photos, docs, and calls.

What does it mean for crypto geeks?

It means that in case you still want to store some tokens in a mobile wallet, they are just a little better protected now. The new app update doesn’t prevent future hacks but it still levels up security. You should be careful how you handle your sensitive data such as passwords, PINs, 2FA, etc. The good news is that even if the bad guys sneak into your phone through a (supposedly compromised) app, they would not be able to access your docs, notes, etc. if you have explicitly restricted the app in question from using them.

Google says:

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.).”

Yeah, not necessarily a problem solver but still better than the previous data policy we would say. You never know when the bandits are coming for you, so you’d better go for a cold wallet instead.

security,

Cryptojackers Wage War On India

In case you haven’t noticed, there is already a cryptojacking pandemic. The largest infection this year took place in Brazil where the culprits compromised quite a lot of routers. Unsurprisingly, crypto mining software is multiplying, thus plaguing India as well.

The cryptojackers have declared war on the internet in general and their latest attack targeted 30,000 MikroTik routers in India. Combined with the 280,000 infected units in South America, we can safely say that cryptojacking is big bizniz now.

The internet punks have secretly inserted Coinhive in literally tens of thousands of routers and it looks like the Indian internet providers are either a) unaware or b) just don’t care. This makes every page opened through a corrupted MikroTik router mine Monero.

Coinhive is by far the most popular Monero mining script. The tiny JavaScript code allows the cybercriminals to embed it in websites, ad banners, routers, Wi-Fi networks, etc. and thus secretly mine Monero on users’ devices.

Now, Coinhive could be put in action for noble purposes as well. For example, UNICEF used it to raise funds for charity.

Coinhive wouldn’t have been such a pain if the baddies did not make hundreds of versions out of it. They do that in order to circumvent security layers and trick networks into running it. In fact, McAfee Labs reports that just in the last three months they have launched 2.5 million versions of cryptojacking software. Notably, most of them are Coinhive-based.

Banbreach has found that at least 45% of the infected routers are located in rural areas. While such massive attacks are hardly unusual anymore, it is still striking that internet providers seem to just neglect the threat. Not that cryptojacking can really harm you, since it steals neither money nor data, but it can really ruin your browsing experience and even your device.

If your PC or smartphone suddenly gets super slow, the chances are you have been cryptojacked. The easiest thing to do is to close your browser and open other websites. If nothing changes, you’d better contact your internet operator.

security,

How To Protect Your Cryptocurrency In 1 Single Step

If you haven’t noticed so far, we are often bitchin’ about security here. And while there are some things that are out of your control (like hacker attacks), others are up to you. For example, talking about how much Bitcoin you own is a bad idea. Doing this in public is even worse because you can easily draw the attention of any fraudsters nearby. Your bragging is music to their ears as they start to see you as a target.

In case you don’t believe us, consider this – a Google executive who specializes in fighting email fraud recently discussed the matter in a chat with CNBC. Mark Risher explained that people who like to talk about their cryptocurrency fortunes in public often fall victim to email hack attempts.

“It could just be a case of mistaken identity or guilt by association,” he said, adding that cybercriminals can easily find your email. He explained that they often monitor social media accounts and target people who are smart enough to reveal they own some tokens.

“They could be using someone who seems to be low value to pivot toward somebody considered a higher value target, like somebody political in nature. Or maybe they saw that you were discussing Bitcoin on a public message board.”

Another bad idea is to use one and the same email address to both log in to social media and back up your cryptocurrency wallet. It is a piece of cake to check somebody’s email on Facebook and then hack it, reset its password and do some other nasties.

Fraudsters are getting smarter

While you are unlikely to fall for the ancient “Nigerian Prince” scam (we hope so) the bad boys often do their research pretty well before contacting you. They might be impersonating someone you know and trust.

“You might think of this generic ‘Dear Sir or Madam, I am contacting you to ask you for a favor,’ but the truth is many of these attackers have done some serious research on their victims. So you might get what we call ‘social truth’ in your message,” Risher adds.

The point here is, don’t talk about crypto. Neither in public nor on social media. Use several email addresses and exercise extra caution when dealing with those connected to financial services. Level up your passwords and PINs to further enhance your protection.

security,

A Crucial Bug In Monero Could’ve Resulted In Millions Lost

Monero might be one of those cryptocurrencies that care about user anonymity but it turns out Monero was too vulnerable to hacks. Well, until now, according to its core development team. Today the devs made the news by revealing that the Monero network had a severe security flaw that had gone unnoticed.

An excerpt from the bone-chilling blog post reads:

“The bug basically entails the wallet not providing a warning when it receives a burnt output. Therefore, a determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees.” Further adding, “In sum, a bug in the wallet software allowed a determined attacker to cause significant damage to organizations present in the Monero ecosystem with minimal cost. Fortunately, the bug did not affect the protocol and thus the coin supply was not affected.”

How does it happen?

We are not getting into details here but just like the Bitcoin and Ethereum networks, the Monero blockchain can also “burn” its own tokens. When similar or identical stealth addresses settle transactions between each other, the Monero mainnet is programmed to allow only one “correct” transaction. It considers the remaining transactions fake and “burns” them. The burnt XMR tokens become unusable as they are neither removed nor replaced with new tokens.

However, the security researchers have recently discovered that hackers might exploit that and smuggle tokens directly from external wallets and third-party apps.

The disclosure explains that the bad guys can generate a private key and then adjust it in such a way that it redirects funds to a certain public address (let’s say a wallet in an exchange), which is the same as the stealth address (which they control). The attackers then send a thousand transactions of one XMR to the exchange wallet.

What happens then? The blog post outlines, “Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable/burnt outputs of 1 XMR.”
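The missing check described above, sketched from the receiving side as an added example (this is not Monero wallet code or the private patch sent to exchanges). The record layout, function names and sample batch are constructed for illustration, and crediting the largest output per key is this example's assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

XMR = 10**12  # atomic units per XMR


@dataclass(frozen=True)
class ReceivedOutput:
    txid: str
    output_key: str  # one-time (stealth) public key of the output, hex
    amount: int      # atomic units


def naive_credit(outputs):
    """What the quoted post describes: every received output is credited."""
    return sum(o.amount for o in outputs)


def safe_credit(outputs, known_keys=frozenset()):
    """Credit at most one output per one-time key.

    known_keys holds output keys already credited in earlier scans, so a
    duplicate that arrives in a later batch is flagged as well.
    Returns (credited_total, credited_outputs, burnt_outputs).
    """
    groups = defaultdict(list)
    for out in outputs:
        groups[out.output_key].append(out)

    credited, burnt = [], []
    for key, group in groups.items():
        if key in known_keys:
            burnt.extend(group)  # key was credited before: all duplicates
            continue
        # Assumption of this example: keep the largest output, flag the rest.
        best = max(group, key=lambda o: o.amount)
        credited.append(best)
        burnt.extend(o for o in group if o is not best)
    return sum(o.amount for o in credited), credited, burnt


def sample_batch():
    """Constructed data: 1000 x 1 XMR on one key plus one normal deposit."""
    attacker_key = "a1" * 32  # placeholder value, not a real key
    honest_key = "b2" * 32    # placeholder value, not a real key
    batch = [ReceivedOutput(f"tx{i:04d}", attacker_key, 1 * XMR)
             for i in range(1000)]
    batch.append(ReceivedOutput("tx-honest", honest_key, 2 * XMR))
    return batch


if __name__ == "__main__":
    batch = sample_batch()
    total, credited, burnt = safe_credit(batch)
    print("naive credit:", naive_credit(batch) // XMR, "XMR")
    print("safe credit: ", total // XMR, "XMR")
    print("flagged as burnt:", len(burnt), "outputs")
```

An exchange would alert on any non-empty burnt list rather than silently dropping it, since duplicates on one key are the abnormality the wallet failed to warn about.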

The Monero developers insist they have contacted major exchanges and offered their help in fixing the problem. In fact, they have released and sent a private patch to exchanges. We must all thank the Monero community members who voiced their concerns about the potential attack on Reddit. It helped the development team investigate and review the code before someone managed to pull a nasty trick.

In conclusion, the announcement reads, “this event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.”

security,

Crypto Thefts In Japan Triple In H1 2018

According to the Japanese media outlet The Asahi Shimbun, the number of cryptocurrency thefts has tripled over the first half of 2018. Japan is one of the leading crypto markets but it looks like it has a hard time keeping cybercriminals away. The National Police Agency (NPA) reports that compared to the same period last year, the number of hacks has grown immensely.

In 2017, the authorities registered fewer than 60 cases, while this year there are 158 and counting. Unsurprisingly, Bitcoin leads the race. The number one cryptocurrency seems to be the most targeted, as it was the prime subject of the attacks 94 times. Bitcoin thefts amount to 860 million yen stolen. Second comes Ripple’s XRP, which was targeted 42 times. The bad guys have snatched 1.52 billion yen worth of XRP in the first six months of the year. Surprisingly, Ethereum was the prime target in just 14 cases, which nevertheless resulted in 60 million yen in losses.

Of course, tens of altcoins have been compromised as well. NEM (XEM) for example made the news during the infamous Coincheck hack.

“More than 60 percent of all cases, or 102 incidents, involved individuals who used the same ID and password for their e-mail account and other Internet services, such as online shopping, for cryptocurrency dealings,” read the police report.

In total, the Japanese market has lost over 60.50 billion yen (roughly $540 million) in the first half of 2018. In contrast, for the same period last year, the cyber thieves stole a mere $5.5 million. We should note, however, that since the Coincheck wrongdoing the officials have introduced stricter regulations. The NPA is monitoring whether exchanges comply with KYC and AML policies, while the Financial Services Agency has investigated many of the domestic exchanges.

Though, in general, the number of crypto thefts declined after March, the culprits still managed to steal $60 million from Zaif earlier this week.

Exchanges, security,

Fake EOS Tokens Flood A Fake Decentralized Exchange, $60k Stolen

If you think your tokens are safe in an exchange, you are wrong. If you think trading through an exchange is safe, you are wrong again. If an exchange claims it is decentralized, well it doesn’t mean it really is. So why am I bitching about this again? Well, partly because crypto security is an evergreen topic and partly because somebody somehow exploited exchange vulnerabilities once again.

Pssst, kid! Wanna buy some EOS?

It seems like EOS troubles have no end. The startup did raise $4 billion from institutional investors to challenge Ethereum and virtually every couple of days we see hackers chewing off bits of EOS and spitting them in investors’ faces.

The EOS protocol allows everyone to create a token and name it whatever they like. Yes, “EOS” is just the perfect name and it’s free, ya know. Thanks to this smart move from the real EOS engineers, the baddies “developed” an EOS-based token, named it “EOS” and flooded one particular “decentralized” exchange with copycats. One billion fake tokens to be exact. And do you know what’s worse? By the end of the perfectly staged attack, the culprits smuggled some $58,000 from ordinary traders.

Decentralize this!

Probably, this is the most hackless hack in the history of hacks and here’s why. The bad boys never really had to hack the exchange, because it doesn’t utilize smart contracts and it is not even decentralized. They purchased some altcoins with their fake EOS tokens and then exchanged them for the real EOS equivalent, which they siphoned through Bitfinex.

Newdex (the “hacked” marketplace) said in a statement:

“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”

Thanks, Captain Obvious! Now, since there is no smart contract to verify the authenticity of the tokens it receives, anyone can send anything and fool the system. In other words, Newdex is not a decentralized exchange. It is just a single account that conducts the transactions, pretending to be an asset exchange. Ha-ha-ha, very smart. It turns out traders were just sending money to a personal EOS account, hoping it would settle their transactions accordingly.

In fact, the crypto community smelled that something was wrong days before the attack:

“Unlike a real DEX, they do not have a smart contract that holds funds / handles order matching on-chain. Instead, they match all orders off-chain in a centralized server. […] What’s worse, they deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality, you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it. […]This means there’s no smart contract or ABI on that account. Essentially all you are doing when you submit an order from their interface is sending your funds to their personal EOS account and hoping they return you the tokens you’re buying/selling.”

Well, I have nothing more to add, this whole fiasco has really blown me away. And remember, stay off of Newdex.

security,

Ledger Wins “Startup of the Year” Award In France

Apart from being one of the most renowned cold wallet manufacturers, Ledger is one of the most praised. The French startup has built a dedicated community of customers, but it’s not only regular users that give kudos to Ledger; global businesses do too.

The international accountancy heavyweight EY awarded Ledger its annual Startup of the Year Award for the Ile-de-France region. EY annually runs a competition where France’s best performing new companies lead the race. There are three main categories that Le Prix de l’Entrepreneur de l’Année includes – best entrepreneur, best social commitment, and best startup.

Surprisingly or not, in a year heavily dominated by cyber attacks, one cryptocurrency business won one of EY’s awards. The accountancy firm has given the Startup of the Year Award for the Ile-de-France region to Ledger.

In the next round, Ledger will face eight other startups from various fields and only one of them will grab the major prize. According to Forbes, in 2017 the French company sold over one million hardware wallets, thus netting close to $29 million in profit.

Why is Ledger any different?

It’s not that researchers have never found vulnerabilities in the Ledger devices. This has happened to virtually everyone in the business. Unlike others, Ledger is always quick to approach the issue and to communicate and even co-work with its users.

Fortunately, when some security experts pointed to a possible Ledger Nano S hack, it turned out that the case is rather extraordinary. In a real-life situation, when you purchase your Ledger device directly from the company or from pre-approved resellers, you can be sure your coins are safe.

security,

Cryptojacking Attacks Seem To Have No End

One can only imagine the scale of the latest cryptojacking attack. The trend to steal internet users’ computing power to mine cryptocurrencies shows no signs of slowing down. In fact, it is quite the opposite: cryptojackers get smarter and more creative than expected.

A group of cybersecurity researchers has stumbled upon 3,700 routers that silently run cryptocurrency mining scripts. These particular routers have not been infected before but it looks like the internet cowboys have changed that. This brings the total number of corrupted devices to 280,000. What is more concerning is the fact that just three months ago this number was 200,000. Read between the lines babe, roughly 888 devices are being hacked every day. That makes 37 hacks per hour. Yet some dare to say, cryptojacking is unprofitable.

The recent discovery just proves that the attack that took place in Brazil one month ago is not over yet. Back then the culprits performed a “zero-day attack” on MikroTik routers, successfully compromising 200,000 of them. Prior to the attack, no one was aware of the existing vulnerabilities. As always, CoinHive was the software that was injected in the routers, thus allowing the hackers to effectively mine Monero.

CoinHive is the most notorious piece of code on planet Earth in recent months. It is super popular among hackers as it is easy to use as well as effective. So far, the online criminals have infected AdSense banners, websites, Wi-Fi networks, and routers. Once an internet network (or a website) starts running CoinHive, the script hijacks computing power from users’ devices and mines Monero.

One study even suggests that cryptojackers literally earn $250,000 per month.

Unfortunately, cryptojacking is not the only tool the bad guys rely on. We have to fear Android Banker as well. It is a Trojan Horse virus, which effectively circumvents two-factor authentication (2FA) and thus steals usernames and passwords. Hackers primarily use it against banking apps and have already compromised 200 applications in 2018 alone.

Never ever download and trust applications from unknown sources. You will thank me later.

security,

What Makes A Strong Password?

In an age where an invasion of our online security might virtually erode our offline well-being, it is extremely important to protect the passwords we use. Last time, we talked about PINs and how the majority of them could be cracked within seconds. Unfortunately, when speaking of passwords the statistics ain’t much better.

How weak are weak passwords?

In short, they are as weak as the weakest PIN you can think of. Digging deeper, Keeper Security has discovered that the majority of internet users go for “123456”, “qwerty” and other combinations that are literally “unbreakable”. In fact, 17% of all 10,000,000 passwords scanned were “123456”. More interesting and disturbing facts – the top 25 most common passwords make up 50% of all passwords examined by Keeper Security.

I know this might come as a surprise to you but even more complex patterns like “1q2w3e4r5t6y” fail miserably. Hackers know too damn well that they can easily feed an algorithm with strings of numbers and letters that are commonly used as passwords and brute force accounts. It will take the algorithm just minutes to compromise your account. Remember, hackers can read too, meaning research findings such as those by Keeper Security practically help them develop even better hacking tools.

Why should this not disturb you?

Because you are a human. Unlike machines, you think slower but you have something bots don’t have (at least for now) – imagination. Leveling up your security is just a matter of some creativity. Usually, there is one simple rule – the longer the password, the better. Rule #2 – use a variety of symbols AKA combine letters and numbers.

No, your street number and your dog’s name don’t make a strong pass. A quick check on social media will give the bad actors all the necessary information. However, your options are countless – combine a favorite quote (better choose a less popular one) with the last three digits of your best friend’s phone number.

Draw on your keyboard! Well, not literally. Here’s what I’m talking about – make up a password that will form a triangle, X, octagon, square (you get the idea) on the keyboard. Are you a musician? Great, you can easily use the opening chords (or notes) of the first song you’ve ever learned.

Your possibilities are endless. Your password should make sense to you. It should be hard to guess but easy to remember. You are human after all, not a machine.