Viry a Červi

Your social media memories may have been compromised

Sophos Naked Security - 9 Červenec, 2018 - 16:42
Remember that "digital nostalgia" app you installed years ago? You may have forgotten it, but it hasn't forgotten you!

Timehop Breach Impacts Personal Data of 21 Million Users - 9 Červenec, 2018 - 15:52
A massive breach has impacted up to 21 million users' personal data and their social media "access tokens."
Kategorie: Viry a Červi

What sensitive data is lurking on your old SD card?

Sophos Naked Security - 9 Červenec, 2018 - 15:49
SD cards - those tiny devices that go into your camera or tablet - may be small, but they can hold a lot of revealing information.

Newsmaker Interview: Patrick Wardle Talks Apple Malware Flubs and Successes - 9 Červenec, 2018 - 15:15
Researcher brings Apple down to earth, addressing Mac malware questions and the company’s smart moves to bolster security.
Kategorie: Viry a Červi

Copyright Directive legislation voted down by European Parliament

Sophos Naked Security - 9 Červenec, 2018 - 15:11
The EU has voted down controversial copyright legislation, but the war's not over: a second vote is scheduled for September.

Smart TVs are spying on you through your phone

Sophos Naked Security - 9 Červenec, 2018 - 14:42
Smart TVs in millions of homes are using other devices on the same network in order to snitch on everything you watch and everywhere you go.

Leatherbound analogue password manager: For the hipster who doesn't mind losing everything

The Register - Anti-Virus - 9 Červenec, 2018 - 13:42
Notebook undermines years of good security hygiene with style

News reaches us that will leave password management outfits quaking in their boots. The Conran Shop has a solution for forgetful users, and it is a snip at a mere £22.…

Kategorie: Viry a Červi

Monday review – the hot 22 stories of the week

Sophos Naked Security - 9 Červenec, 2018 - 12:36
From Chrome and Firefox pulling a history-stealing browser extension and how Linux experts are crap at passwords to the child's avatar sexually assaulted on Roblox, and more!

In cryptoland, trust can be costly

Kaspersky Securelist - 9 Červenec, 2018 - 12:00

While the legal status of cryptocurrencies and laws to regulate them continue to be hammered out, scammers are busy exploiting the digital gold rush. Besides hacking cryptocurrency exchanges, exploiting smart-contract vulnerabilities, and deploying malicious miners, cybercriminals are also resorting to more traditional social-engineering methods that can reap millions of dollars. Their targets are not just the owners of cryptocurrency wallets, but basically anyone with an interest in the subject.

To understand how scammers can access victims’ money, it helps to remember how cryptocurrencies work and what it means when we talk about the address and private key of a cryptocurrency wallet.

Cryptocurrencies are based on asymmetric encryption with public and private keys. The wallet address, which anyone can transfer money to, can be generated from a public key, which in turn can be obtained from a private one. The private key is required for all wallet transactions, hence scammers’ interest in it. Note, however, that attackers are not always after the victim’s private key— the goal is often to get people to transfer funds into the scammers’ accounts all by themselves. But one thing at a time.

Classic phishing Authentication on cryptocurrency exchanges and wallets

Cryptocurrencies are bought and sold through specialized services known, like their physical counterparts, as exchanges. They also provide crypto storage services, issuing a wallet for each currency held and storing private keys on users’ behalf.  Naturally, if the scammers manage to get hold of the authentication data for a crypto exchange account, they will gain access to the user’s money. This explains the abundance of phishing pages mimicking the authorization pages of popular crypto exchanges. Such sites are usually very convincing and virtually indistinguishable from the originals, except for the URL. In the first half of the year, our security solutions prevented more than 100,000 attempts to redirect users to such resources.

Examples of phishing pages imitating the authorization pages of popular crypto exchanges

Another method of stealing money is to hack the service itself and siphon off funds from user accounts. A recent example of such a heist comes from South Korea, where the country’s largest exchange Bithumb was forced to cease trading following the theft of $32 million worth of virtual coins. And at the end of last year, having had 17% of all its assets swiped by cyber thieves, another crypto exchange, Youbit, also called time on trading.

Therefore, many users prefer to keep cryptocurrencies in their “own” wallets, of which there are two types: online and offline (desktop, hardware, paper). Online wallets are no safer than the ones held on exchanges: the private key is entrusted to a third party and the owner has no control over it.  Hardware crypto wallets are considered the most secure. These are physical devices that generate and internally store a non-recoverable private key for the wallet. When performing a transaction, all operations take place inside the wallet, and only the electronic signature is issued externally.

A phishing email, supposedly from the Luno team, alerting the user to suspicious activity on their account and inviting them to click on a link to secure the account

The methods used to access online wallets are indistinguishable from classic phishing techniques: scammers create pages that mimic the authentication page of the target website. Links to fake resources are most often distributed via email with typical scare stories about accounts being blocked or unusual activity on them. The hook is to persuade users that they must go through identification to prevent losing funds.

Examples of phishing pages imitating the authentication pages of popular online crypto wallets

Delving deeper into phishing site scripts, it’s clear that in addition to logins and passwords, scammers also harvest information about IP addresses and user agents. Using this data, cybercriminals can get round some anti-fraud systems by using this information to masquerade as the account owner.

Example of a phishing page imitating a BLOCKCHAIN.INFO wallet, and a snippet of code generating a message with data to be sent to the scammers

Fake registration

For the wallet-less, scammers have a separate scheme that involves luring them to fake crypto wallet sites, promising all sorts of registration “bonuses,” including, for example, a sum of cryptocurrency.

The simplest phishing pages simply collect users’ personal data, and then redirect them to the real site of the service. The more dangerous ones really do open wallets for the victim using the data they specify. As a result, the victim receives a confirmation message at the email address they provided and a personal account on the real online resource, lulling them into a false sense of security. But the wallet is compromised from the start, so as soon as any money appears there, it is quickly siphoned off.

A fake BLOCKCHAIN.INFO wallet registration form, the original confirmation letter of registration, and the fake personal account that the victim is redirected to after registration

It might seem that only online wallets and exchanges are targeted by phishers, but that’s not the case. For instance, fakes of MyEtherWallet, a solution that facilitates transactions with digital coins stored on users’ local PCs, are very popular.

A fake registration page replicating precisely the MyEtherWallet registration process

The registration procedure is exactly the same as the original, including downloading the Keystore file, required to access the funds. The private key, which the victim receives after such registration, is already compromised, and any money transferred to the wallet ends up in the hands of the scammers.

Fake mobile apps

Another attack vector is fake crypto storage software distributed through official app stores. Such programs often top the downloads, as in the case of a fake MyEtherWallet mobile app that became the third most popular finance app in the App Store.

This is NOT US. We have file reports and emailed and reported. Would appreciate the communities assistance in getting these scamtards out of our lives.

PS: We are #Foss4Lyfe

— (@myetherwallet) 10 декабря 2017 г.


According to CoinSchedule stats for 2018, when this article went to press, 427 ICOs (initial coin offerings) had been held and funds totaling more than $10 billion raised. The huge sums, the hype, and the lack of legislative control in many countries make ICOs a natural target for scammers.

One of the most common ways to steal funds is by sending phishing emails to potential investors. When an ICO is announced, email addresses of interested persons are often collected in order to notify them, for instance, about the start of the token selling. But the database of potential investors’ details could fall into the wrong hands. In this case, shortly before the actual start date, scammers send out emails saying that sales (or a preliminary round) have already begun and containing the number of the wallet to which funds should be transferred.

The Bee Token ICO: scammers managed to get hold of the emails of potential investors and send out a perfectly timed invitation specifying an e-wallet for the transfer of Ether tokens. This wallet pocketed 123.3275 Ether (about $84,162.37). The scammers also created several phishing sites masquerading as the official platform

Another common method is to create fake sites that mimic official ICO projects.

Fake ICO projects: the first page is located on the domain and mimics, the real site of the FANTOM project; the second—hosted on—is a fake version of, the website of the SPARKSTER project

Links to such resources are distributed not only by email, IM, and social networks, but through ads in major search engines.

Advertising helps push this phishing site to the top of the search results

The more popular the project, the greater the number and the higher the quality of the fakes. Telegram’s ICO currently holds the record for investments raised. We found dozens of phishing resources exploiting this event, some of which looked very professional indeed. What’s more, the wallet addresses for victims to transfer money were created individually for each “investor,” making it harder to track the funds.

Coin dispensing Airdrop

A crypto airdrop is a way of popularizing new virtual coins that are not yet available on exchanges. Anyone can receive an “airdropped” sum of new cryptocurrency in exchange for doing something to promote the project. For example, the user may need to subscribe to a Twitter account, make a repost, or write a blogpost.

After registration, this Tubig Blockchain Water airdrop scheme steals funds through a wallet verification phishing page

Similar schemes are used by scammers to lure users to websites of non-existent airdrops. After registering on the site of a non-existent project, the victim is directed to a wallet verification phishing site where they are asked to enter their private key or other personal information that cybercriminals can use to gain access to money.

Phishing page mimicking a crypto wallet site. Note the use of an “ł” character to create a domain name barely distinguishable from the original

Ironically, victims themselves contribute to the spread of such scams by reposting information and subscribing to fake company accounts in social media.


One of the most common baits is the promise of free coins under the “give a bit, get a lot” motto. The user’s initial contribution is supposedly required for wallet verification purposes. To make the cover story more convincing, a list of transactions is displayed showing how the funds of other users of the service have magically multiplied, but in fact it’s just a pretty picture.

List of fake transactions with user “earnings”

In fact, all the transferred funds go the scammers, which is confirmed by a simple check of the transactions made with the wallet number. The scheme is simple yet there seems to be no lack of gullible users. One site alone (pictured above) received “contributions” worth 405.43 ETH, which at the current exchange rate is approximately $245,000.

Cybercriminals often mask such methods as bounty programs exploiting the names of well-known crypto wallets, exchanges, or ICOs:

A page offering coins seemingly on behalf of popular exchange Binance under the pretext of a bounty program. To receive the “reward,” users must verify their identity by transferring 0.3-5 ETH from their wallet to the one specified on the website, with the promise of a tenfold payback

Coin giveaways are sometimes announced as a thank you to users or to mark the company’s success; fake comments on the site about money received encourage victims to act rashly.

At first glance, the link in the image above points to the Bitfinex site, but the user is redirected to a phishing page:

Fake giveaways also exploit famous names. In the last couple of years, for instance, Twitter has become a hotbed of fake accounts masquerading as profiles of well-known companies and people, often linked in some way to the cryptocurrency industry. For example, there are numerous fake accounts in the name of Vitalik Buterin (cofounder of Ethereum) with information about a 100 ETH giveaway for the Ethereum community. To receive the money, users are again asked to transfer a certain sum to a specific wallet. Scammers often spread this information in the form of replies to posts from the original account.

Buterin’s name is so commonly exploited by scammers that he himself changed his account name to Vitalik “Not giving away ETH” Buterin:

The original account is marked with a special icon that guarantees the owner’s true identity

Fake accounts are generally spottable by the lack of a verification badge next to the name (issued by the administration of the social network), a small number of subscribers, and a recent registration date. But the mighty blue tick is not a cast-iron guarantee: there have been cases of cybercriminals buying verified accounts and changing the name (for example, to Pavel Durov, Telegram founder).

Attacks are more successful if accompanied by a news hook. For example, when Telegram suffered a blackout and Pavel Durov tweeted about it, a multitude of scam replies offered “compensation” in Pavel’s name. To obtain it, users had to go to a site and transfer a certain sum to the wallet number indicated, after which they could look forward to receiving 5-100 ETH in return.

A fake Pavel Durov account

Fairly large sums in various cryptocurrencies are also regularly offered on Twitter by phoney Elon Musks. Again, if 0.3-2 ETH is sent to a particular wallet, a payout ten times that amount is promised. Links in tweets point to sites similar to those described above, which specify a wallet number and show a constantly updated “list of transactions.” Scammers use bots to boost the number of likes for messages from fake accounts and leave gushingly positive comments.

Fake giveaways are also held in the name of Tesla

According to some estimates, scammers en masse have managed to extract around $4.9 million from trusting users of the microblog.

 ETH giveaway scam stats:

EtherScamDB lists 468 known addresses
8,148 ETH ($4.9M) sent to scam addresses
Someone sent 30 ETH (~$18k) to fake Erik Voorhees

Even if part is fake activity, this is still easily a million dollar scam!

— John Backus (@backus) 9 июня 2018 г.

Don’t forget that scammers themselves sometimes transfer a certain sum to their wallets to assuage doubts about their legitimacy. However, the above examples show that a static image of a fake list of transactions is usually sufficient. Comments on the popular Etherscan token tracker contain heartfelt pleas either from duped users or from scammers looking to cash in on sympathizers:

Comments of a user who transferred 20 ETH to scammers

Whatever the case, the number of instances of naive users sending scammers their last savings in the hope of a windfall is large and rising.

How to avoid getting hooked

The chances of scammers losing interest in cryptocurrencies are zero: the entry threshold for the “business” is too low and the potential pickings are too juicy. Our rather rough estimates (based on data from more than a thousand ETH wallets used by cybercriminals) show that this past year they managed to earn more than 21,000 ETH (nearly $10 million at the current exchange rate), and that’s not even counting classic phishing and cases of generating individual addresses for each victim. Given the sheer scale of fraud, if you’ve decided to try your hand as a crypto investor, always follow these simple rules:

  • Remember that the only free cheese is in a mousetrap, so take tempting offers with a large pinch of salt.
  • Check information about giveaways and “charitable” actions in official and independent sources.
  • Use a third-party resource to verify the transactions on the wallet that you plan to entrust with your savings.
  • Wallets that have been spotted in fraudulent schemes are often flagged in token trackers and block explorers (online tools for viewing detailed information about cryptocurrency transactions).
  • Always check hyperlink addresses and URLs.
  • Bookmark the address of your wallet and access it only from there.

Web biz DomainFactory confirms: We were hacked in January 2018

The Register - Anti-Virus - 9 Červenec, 2018 - 08:30
German name 'n' hosting outfit tells customers told to reset passwords after hacker taunts

Updated  German hosting company DomainFactory has taken down its forums after someone posted messages alleging to have compromised the company's computers.…

Kategorie: Viry a Červi

Nostalgic social network 'Timehop' loses data from 21 million users

The Register - Anti-Virus - 9 Červenec, 2018 - 06:54
Probably wishes it could go back in time and run 2FA, cos lack of it sparked the leak

A service named “Timehop” that claims it is “reinventing reminiscing” – in part by linking posts from other social networks – probably wishes it could go back in time and reinvent its own security, because it has just confessed to losing data describing 21 million members and can’t guarantee that the perps didn’t slurp private info from users’ social media accounts.…

Kategorie: Viry a Červi

Fitness app Polar even better at revealing secrets than Strava

The Register - Anti-Virus - 9 Červenec, 2018 - 05:03
'I spent a year hiding in shrubs, and they just … publish their daily runs'

+Comment  Online investigations outfit Bellingcat has found that fitness tracking kit-maker Polar reveals both the identity and daily activity of its users - including soldiers and spies.…

Kategorie: Viry a Červi

Snooping passwords from literally hot keys, China's AK-47 laser, malware, and more

The Register - Anti-Virus - 7 Červenec, 2018 - 15:06
Your two-minute guide to the week's infosec bits

Roundup  The week surrounding America's "Huzzah, we kicked out the Brits, and will now spell color any way we like" Day, on July 4, is traditionally one of the slowest periods in the annual business tech news cycle.…

Kategorie: Viry a Červi

Old Malware Gives Criminals Tricky New Choice: Ransomware or Mining - 6 Červenec, 2018 - 21:33
The Rakhni Trojan is now giving bad actors the ability to infect victims either with a ransomware cryptor or a miner.
Kategorie: Viry a Červi

Google Patches Critical Remote Code Execution Bugs in Android OS - 6 Červenec, 2018 - 20:54
The July Android Security bulletin tackles 44 vulnerabilities in all, with the bulk rated high in severity.
Kategorie: Viry a Červi

Keeping False Positives in Check - 6 Červenec, 2018 - 20:30
InfoSec Insider Justin Jett shares his opinions on how to avoid false positive security threat fatigue before sets in and companies drop their guard.
Kategorie: Viry a Červi

Japanese cryptominer slapped with suspended sentence

The Register - Anti-Virus - 6 Červenec, 2018 - 17:54
Said to have netted only £34...

A Japanese man has received a suspended sentence for using a cryptominer in a failed attempt to turn an illicit profit.…

Kategorie: Viry a Červi

Linux experts are crap at passwords!

Sophos Naked Security - 6 Červenec, 2018 - 15:59
Last week's megastory was the Gentoo breach that saw an entire online Linux code repository hacked - now we know how it happened...

Chrome and Firefox pull history-stealing browser extension

Sophos Naked Security - 6 Červenec, 2018 - 15:47
An extension used by about two million people has been pulled by Chrome and Firefox after it was found exfiltrating browsing data.

Welsh firm fined £60k for pummelling phones with 270k pay-day loan texts

The Register - Anti-Virus - 6 Červenec, 2018 - 15:46
STS Commercial you're fined: Pay b4 August GET 20% off

A Welsh firm has been handed a £60,000 fine for spamming more than 270,000 pay-day loan texts around Christmas 2016.…

Kategorie: Viry a Červi
Syndikovat obsah