
Thursday, September 13, 2018

Malware Campaign Targeting Jaxx Wallet Holders Shut Down


A site spoofing the official Jaxx website was discovered packing several infections for Windows and Mac machines, and has been shut down.
A malware campaign targeted Jaxx cryptocurrency wallet holders through a website spoofed to mimic the legitimate Jaxx site, researchers at Flashpoint reported this week. The fraudulent site has since been taken down.
Jaxx was created by Ethereum cofounder and Decentral founder Anthony Di Iorio, who built the wallet in 2015 to help people manage digital assets. It has been downloaded more than 1.2 million times on desktop and mobile, the company reported in March. Its latest version, Jaxx Liberty, supports more than a dozen cryptocurrencies, including Bitcoin and Ethereum.
Earlier this month, Flashpoint notified both Jaxx and the Cloudflare content delivery network of a spoofed site designed to mimic Jaxx's, created on Aug. 19. The site had a URL similar to the legitimate Jaxx[.]io and included line-by-line copy taken from the actual site, with modifications made to the download links to redirect visitors to a server controlled by attackers.
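The spoofed site relied on a domain that merely looked like the real one. The following is an added example, not code from Flashpoint, Jaxx or Decentral, of the kind of lookalike-domain check a defender could run over DNS or proxy logs: it folds common homoglyph substitutions and accents, flags domains that embed the brand label, and scores the rest by string similarity. The homoglyph table and the threshold of 0.8 are assumptions chosen for illustration; jaxx.io is the only protected domain taken from the article.

```python
import unicodedata
from difflib import SequenceMatcher

# Domains to protect. jaxx.io is the domain named in the article.
PROTECTED_DOMAINS = ["jaxx.io"]

# Character substitutions commonly used in lookalike registrations
# (constructed list for this example, not exhaustive).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize(domain: str) -> str:
    """Lower-case, strip accents and fold common homoglyphs so that
    'j4xx.io' and 'jáxx.io' both collapse to 'jaxx.io'."""
    d = domain.strip().lower().rstrip(".")
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def lookalike_verdict(candidate: str, protected=PROTECTED_DOMAINS, threshold: float = 0.8):
    """Return (is_lookalike, reason) for a candidate domain seen in logs."""
    cand = normalize(candidate)
    plain = candidate.strip().lower().rstrip(".")
    for legit in protected:
        legit_n = normalize(legit)
        if cand == legit_n:
            if plain == legit:
                return False, f"exact match with protected domain {legit}"
            # Same string only after homoglyph/accent folding: a disguised copy.
            return True, f"homoglyph variant of {legit}"
        # Brand label used as a whole token anywhere in the name (jaxx-io.com,
        # download.jaxx.io.evil.example).
        brand = legit_n.split(".")[0]
        tokens = {tok for label in cand.split(".") for tok in label.split("-")}
        if brand in tokens:
            return True, f"brand label '{brand}' embedded in {candidate}"
        # Fall back to edit similarity for typo-squats such as jaxxx.io.
        ratio = SequenceMatcher(None, cand, legit_n).ratio()
        if ratio >= threshold:
            return True, f"{ratio:.2f} similar to {legit}"
    return False, "no protected domain matched"


if __name__ == "__main__":
    for d in ["jaxx.io", "j4xx.io", "jaxxx.io", "jaxx-io.com",
              "download.jaxx.io.evil.example", "example.com"]:
        print(d, lookalike_verdict(d))
```

The brand-token rule will also catch benign names that happen to contain the label, so in practice the verdicts feed an alert queue for review rather than an automatic block.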
Researchers point out this campaign is built on social engineering and not a vulnerability in the Jaxx mobile app, website, or any domains owned by Decentral. The fraudulent Jaxx site packed several custom and commodity strains of malware developed to empty users' wallets.
"It's unclear how the attackers were luring victims to the spoofed Jaxx site, whether they were relying on poisoned search engine results, phishing via email or chat applications, or other means to infect victims," researchers report in a post on their findings.
Malware Skips Mobile, Goes to Desktop
This campaign was strictly focused on desktop victims, researchers report. Mobile users who clicked "download" on the malicious site were redirected to the legitimate Jaxx site, uninfected.
Windows and Mac OS X users, however, weren't quite as lucky. Visitors to the fake website would likely believe they were on the real one, as attackers installed the legitimate software onto victims' computers while malware was simultaneously installed in the background.
Mac users who clicked bad links received a custom malicious Java Archive (JAR) file, which was programmed in PHP and compiled using DevelNext, a Russian-language IDE. It seems the malware was developed specifically for this campaign; Jaxx branding is throughout the code.
If the JAR was executed, it displayed a message in both Russian and English stating the user was temporarily blocked from creating a new wallet. The user was rerouted to a "Pair/Restore Wallet" option, which prompted for the Jaxx backup wallet phrase, the secret used to restore and decrypt a wallet, so that the threat actors could pilfer digital currency from the target's account. The victim's backup phrase went to the attackers' server, and the victim saw another error message.
The Windows link downloaded a custom-written .NET application, which contained both malicious behavior and two additional malware samples. This behavior included exfiltrating all the victim's desktop files to a command-and-control server, and the malware samples were KPOT Stealer and Clipper, both marketed on underground Russian-language cybercrime sites.
Victims who clicked the link downloaded a Zip archive from a Google Docs URL. The malicious .NET binary, like the JAR for OS X, was built for this campaign. Malware contacted the command-and-control server where the target's files were uploaded, while the fake application downloaded three executables from URLs: the Liberty Beta installer, KPOT, and Clipper.
KPOT is designed to steal information from the local hard drive; Clipper scans the clipboard for digital wallet addresses. Once it detects an address, it swaps it out for a different address under the attackers' control. If an address is changed in the clipboard, victims may not notice the recipient has changed when they copy-and-paste addresses to send payments.
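A clipper works because the user rarely re-reads a long address after pasting it. The block below is an added example, not code from Flashpoint or from the Clipper malware, of a host-side integrity check that a defender could wire to a clipboard monitor: it records what the user explicitly copied, polls the clipboard, and raises an alert whenever a wallet address is silently replaced by a different one. The event format, the address regexes (which check shape only, not checksums) and all addresses are constructed for the example.

```python
import re

# Shape-only patterns for common wallet address formats (no checksum validation).
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address type a string looks like, or None."""
    if text is None:
        return None
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return name
    return None


def audit_clipboard(events):
    """events: list of (kind, content) where kind is 'copy' for a user-initiated
    copy and 'poll' for a periodic read of the clipboard. Returns one alert for
    every poll in which a copied wallet address has turned into a different one."""
    alerts = []
    last_copied = None
    for index, (kind, content) in enumerate(events):
        if kind == "copy":
            last_copied = content.strip()
            continue
        if kind != "poll":
            raise ValueError(f"unknown event kind: {kind}")
        current = content.strip()
        if (classify_address(last_copied) and current != last_copied
                and classify_address(current)):
            alerts.append({
                "event": index,
                "expected": last_copied,
                "found": current,
                "type": classify_address(current),
            })
    return alerts


# Constructed sample addresses: shape-valid, not real wallets.
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
BTC_A = "1" + "A" * 33
BTC_B = "1" + "B" * 33

# Constructed event stream: two silent swaps, one ordinary copy of plain text.
SAMPLE_EVENTS = [
    ("copy", ETH_A),
    ("poll", ETH_A),
    ("poll", ETH_B),           # swapped without any user copy
    ("copy", "meeting notes"),
    ("poll", "meeting notes"),
    ("copy", BTC_A),
    ("poll", BTC_B),           # swapped again
]


if __name__ == "__main__":
    for alert in audit_clipboard(SAMPLE_EVENTS):
        print(alert)
```

In a live deployment the 'copy' events would come from an OS copy hook and the 'poll' events from a timer reading the clipboard; the comparison logic above is what distinguishes a user changing their mind from malware rewriting the destination.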


Wednesday, April 4, 2018

Move over ransomware attacks as hackers take to cryptojacking


When it comes to increased cryptojacking activities, India is second in the Asia-Pacific and Japan (APJ) region and ninth globally as hackers create a highly-profitable, new revenue stream with crypto-mining, cyber security giant Symantec said on Wednesday.

According to Symantec's "Internet Security Threat Report", detection of coinminers on endpoint computers increased by a whopping 8,500% in 2017.

"Cryptojacking is a rising threat to cyber and personal security," Tarun Kaura, Director, Enterprise Security Product Management, APJ at Symantec, said in a statement.

"The massive profit incentive puts people, devices and organizations at risk of unauthorised coinminers siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers," Kaura added.

Cryptojacking is defined as the secret use of a computing device to mine cryptocurrency.

With a low barrier to entry, cyber criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency.

Coinminers can slow devices, overheat batteries and in some cases, render devices unusable. For enterprise organisations, coinminers can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding to the cost.

"Now you could be fighting for resources on your phone, computer or Internet of Things (IoT) device as attackers use them for profit. People need to expand their defenses or they will pay the price for someone else using their device," Kaura added.

Symantec found a 600 per cent increase in overall IoT attacks in 2017. India today ranks among the top five countries as a source of IoT attacks.

The firm also identified a 200% increase in attackers injecting malware implants into the software supply chain in 2017.

Threats in the mobile space continue to grow year-over-year, including the number of new mobile malware variants which increased by 54%.


Mobile users also face privacy risks from grayware apps that are not completely malicious but can be troublesome. Symantec found that 63% of grayware apps leak the device's phone number.


In 2017, the average ransom demand fell to $522.


"Several cyber criminals may have shifted their focus to coin mining as an alternative to cashing in while cryptocurrency values are high," the report noted.

via gadgetsnow

Thursday, February 1, 2018

How Scammers Steal Your Computing Power to Mine Cryptocurrencies



Cryptojacking, an internet scam found on thousands of websites in which nefarious actors mine cryptocurrencies on computers without users’ permission, has been on the rise since the prices of bitcoin and many other cryptocurrencies began spiking last year. The con involves websites stealing computational power from a visitor’s computer to execute the algorithms that are involved in cryptocurrency mining, which requires significant amounts of energy.
While it’s most common in the sketchier corners of the internet, hackers have also been able to inject the cryptojacking software onto websites for Showtime and PolitiFact and on e-commerce platforms. Patrons of a Buenos Aires, Argentina, Starbucks branch discovered in December that its Wi-Fi service was covertly using their computers for mining, and last week disgruntled netizens complained on social media that YouTube ads were also stealing mining power. AdGuard estimates websites can earn up to $326,000 per month from cryptojacking based on traffic to popular websites found to have the mining software.

Cryptocurrencies are digital currencies that exist on a blockchain, an encrypted digital ledger that securely keeps track of the order of transactions between computers. Mining in general requires a computer to solve extremely complex mathematical puzzles in order to produce a piece of data, which serves as a unit of a given cryptocurrency. The mining process needs to be difficult and energy-intensive to make sure that these data sets are scarce enough to serve as a currency. If it were too easy to mine a bitcoin, then the coin would have no value. Cryptojackers are essentially stealing the energy that mining requires.
One of the most popular tools among cryptojackers is a JavaScript plugin called Coinhive, which mines Monero, a privacy-focused cryptocurrency launched in 2014. Although not as valuable as bitcoin, a single Monero is worth roughly $300. And it’s easy to mine on a personal computer, unlike bitcoin, whose mining process usually requires large server farms. A portion of the processing power that a computer allots to a website with the Coinhive plugin goes toward the mining process. The creators of the tool then get a 22 percent cut of the mined Monero.


Coinhive and other in-browser miners are often employed in a deceptive manner. AdGuard released data in December showing that four of the most popular streaming and video-conversion sites (Streamango, RapidVideo, Openload, and OnlineVideoConverter), which collectively receive about 992 million monthly visits, take users’ processing power for mining without informing them.
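Because a drop-in miner such as Coinhive is loaded as an ordinary script and then talks to the service over a websocket, its presence shows up in web-proxy logs. The following is an added example, not code from Coinhive, AdGuard or the article, of a small proxy-log scanner that flags requests to known miner hosts and miner-like script names per client. The log line format, the sample lines, the placeholder host miner.example and the ws01 hostname are constructed; coinhive.com and the coinhive.min.js loader name are the service the article describes.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Known in-browser miner hosts. coinhive.com is the service named in the
# article; miner.example is a constructed placeholder for a threat-intel entry.
MINER_HOSTS = {"coinhive.com", "miner.example"}

# Script names typical of drop-in miners.
MINER_SCRIPT_RE = re.compile(r"(coinhive|cryptonight|miner)[^/]*\.js$", re.IGNORECASE)

# Constructed log format: timestamp client method url status
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_matches(host):
    """True if host is a known miner host or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def classify_request(url):
    """Return a reason string if the URL looks like miner activity, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme in ("ws", "wss") and host_matches(host):
        return "websocket to known miner host"
    if host_matches(host):
        return "script/asset from known miner host"
    if MINER_SCRIPT_RE.search(parsed.path):
        return "miner-like script name"
    return None


def scan_proxy_log(lines):
    """Group suspicious requests by client address: {client: [(url, reason), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        match = LOG_LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the scan
        reason = classify_request(match["url"])
        if reason:
            hits[match["client"]].append((match["url"], reason))
    return dict(hits)


# Constructed sample log: one client pulling the Coinhive loader and opening its
# websocket, another loading a miner-like script from an unrelated CDN.
SAMPLE_LOG = [
    "2018-02-01T10:00:01Z 10.0.0.5 GET https://www.example.org/index.html 200",
    "2018-02-01T10:00:02Z 10.0.0.5 GET https://coinhive.com/lib/coinhive.min.js 200",
    "2018-02-01T10:00:03Z 10.0.0.5 GET wss://ws01.coinhive.com/proxy 101",
    "2018-02-01T10:00:04Z 10.0.0.7 GET https://cdn.example.org/app.js 200",
    "2018-02-01T10:00:05Z 10.0.0.7 GET https://static.example.net/js/cryptonight.wasm.js 200",
]


if __name__ == "__main__":
    for client, requests in scan_proxy_log(SAMPLE_LOG).items():
        for url, reason in requests:
            print(f"{client}: {reason}: {url}")
```

A host list alone misses miners self-hosted under another name, which is why the script-name rule and the websocket rule are kept separate; pairing a hit with a sustained CPU spike on the endpoint, as the author observed, gives the strongest signal.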
To observe the effects of cryptojacking for myself, I went on publicwww.com, a search engine for source code, and found a list of websites that use Coinhive. Most of them appeared, based on their URLs, to feature either porn or pirated movies. I then visited five of the sites on separate Chrome windows at the same time, veering away from the NSFW content and toward websites for universities in Indonesia and Mexico. Only one site, the notorious Kiwi Farms forum, gave me the option to turn the miner on or off. Within 15 minutes, my laptop was hot to the touch, and the internal fan began whirring like a commercial airliner at takeoff. My cursor could no longer keep up with my finger’s trackpad movements, and the text that appeared on the screen was a good five words behind what I was typing on my keyboard. I opened the activity monitor, which showed a huge increase in processing.


Yet, returning my computer to its regular functions didn’t require any help from my anti-virus software or trips to the Genius Bar. Simply exiting out of the offending websites did the trick.
My experience with cryptojacking was more annoying than destructive. But this is not to condone the practice—it does rely on deceit and can cause crashes and make your computer vulnerable to other malicious codes. There are also more invasive forms of the scam, like miners disguised as legitimate Android apps that users unknowingly download. “This is a theft of power and time from people,” said Tarah Wheeler, a cybersecurity policy fellow at the New America Foundation. (New America is a partner with Slate and Arizona State University in Future Tense.)
However, the creators of Coinhive say they didn’t intend for it to be malicious. Their website advises, “While it’s possible to run the miner without informing your users, we strongly advise against it. You know this. Long term goodwill of your users is much more important than any short term profits.”
I emailed the Coinhive team to ask if they knew whether anyone was using their miner legitimately, as all the coverage of their software I had seen had been in the context of the cryptojacking. They pointed me to a German image board called pr0gramm, which has been allowing users to access premium accounts with extra features in exchange for running the miner on a separate page. The team further claimed that some porn sites have been giving viewers the option to disable invasive pop-up ads by mining Monero. “Cryptomining in the browser is a very new concept and we (the web) still have to figure out how to use it properly. We have high hopes that a more ‘legitimate’ use of the miner will eventually prevail,” they wrote in the email.




At best, the outsourcing concept behind Coinhive could hold potential as a new way for websites to earn revenue. Users caught Pirate Bay, one of the most established internet hubs for sharing movies and other files, using Coinhive on some of its websites without prior notice in 2017. The site’s administrators explained in a blog post, “We really want to get rid of all the ads. But we also need enough money to keep the site running.”
While many weren’t pleased, some users actually seemed open to the idea of contributing spare processing power if it meant the end of pesky, and often crude, ads. Perhaps if Pirate Bay had presented cryptomining as a bargain beforehand, its users wouldn’t have been so irritated. As Wheeler, the cybersecurity policy fellow, said, “Cryptocurrency mining when you have the consent of the people that are visiting a site is like borrowing a cup of sugar from the neighbors. Cryptocurrency mining when you don’t have consent is like sneaking in and stealing the sugar.”
Almost everyone I conferred with about this monetization scheme mentioned SETI@home, a project at the University of California, Berkeley, that uses a radio telescope to listen for unnatural signals that could be evidence of extraterrestrial life. Whereas previous iterations of the project required a supercomputer to analyze all the data, researchers in 1999 released a software program to the general public that allowed people to donate their computers’ processing power while not in use. More than 4 million people have participated, and the collective effort of their idle computers has turbocharged the search. SETI represents what current efforts to outsource cryptomining could aspire to be. “[SETI] actually asked people if they could use the computers. … The research community has already found a way to do this with permission,” said Yvo Desmedt, professor of computer science at the University of Texas, Dallas.

However, there are many hurdles to jump before this vision can come to fruition. For the majority of people who are not familiar with the mechanics of plugins like Coinhive, the prospect of a website co-opting their computers to mine cryptocurrency may seem invasive. Bill Maurer, director of the Institute for Money, Technology and Financial Inclusion at the University of California, Irvine, said, “It depends on a pretty sophisticated consumer … you need to have a certain level of geekiness.”
And this revenue model also, of course, relies on the viability of cryptocurrencies, which have seen an overall slump in prices in 2018. Extreme volatility and high transaction costs have often precluded bitcoin owners from using it for purchasing—the online payment platform Stripe recently announced that it would no longer accept bitcoin as payment. The possibility of a large-scale hack or bubble burst bringing the whole currency system down may also prevent companies from implementing a cryptomining model. Nicole Becher, a fellow at New America’s Cybersecurity Initiative, surmised, “In the advertising world, you have to be able to sell this to a C-level [senior management] and say, ‘This is actually a new, viable to make money, so you can actually make payroll and actually become profitable.’ It’s all cool and nerdy, but at the end of the day, doesn’t it really come down to that?” 

Monday, October 30, 2017

A Hacker's Tool Kit - Cybercrime is growing ever more pervasive—and costly.



Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.
Graphic shows prices of cybercrime events

Monday, October 2, 2017

Low-cost tools making #cybercrime more accessible



A report from security vendor SecureWorks says the increasing affordability of cybercrime tools is giving budding criminals a low barrier to entry into the game.

Malware as a service, along with the affordability of spam botnets, is providing criminals with a low barrier of entry into the cybercrime space, a report from SecureWorks has said.
In "2017 State of Cybercrime: Exposing the threats, techniques and markets that fuel the economy of cybercriminals", the SecureWorks Counter Threat Unit explained that less experienced hackers are able to purchase information-stealing malware for reasonably low prices, and, as a result, this has increased who can conduct malicious activity online.
"The internet underground is thriving with ready-to-purchase malware. In underground forums, inexperienced or less-skilled cybercriminals are able to purchase information-stealing malware for reasonably low prices, typically in the form of pre-compiled binaries or premium builder kits that enable attackers to custom configure their own binaries," the report explains.
Similarly, spam botnets, labelled the most frequently used method for the distribution of all "wares" by SecureWorks, are readily available for a low cost to budding cybercriminals.
"Today, cybercriminals can tap into large botnets to increase the spread of their spam exponentially, a product that can be thought of as 'spam as a service'," the report says.
As one example, the report says one large spam botnet known as Kelihos was charged at as little as $200 per million emails sent for pharmaceutical and counterfeit goods-type messages.
Personal information remains a popular commodity, SecureWorks said, with tested and verified credit card data available in some cases for as little as $10, and highly detailed personal information records also offered for as low as $10.
In total, the report details 11 key findings based on the company's research. However, in addition to the malware and ransomware explosion that was WannaCry and Petya, as well as the business email compromise (BEC) threat that accounted for $5 billion in losses globally between October 2013 and December 2016, SecureWorks highlighted that online crime is a market economy of its own.
The global financial toll of cybercrime is difficult to quantify, but pointing to a report from the US Federal Bureau of Investigation (FBI), SecureWorks said internet crime led to losses in excess of $1.3 billion in 2016.
The report from SecureWorks labelled the online criminal landscape as one that is complex and composed of actors with a diverse range of capabilities.
As defined by SecureWorks, the underground internet is the collection of forums, digital shop fronts, and chat rooms that cybercriminals use to form alliances, trade tools, and techniques, and sell compromised data that can include banking details and personally identifiable information, as well as anything else.
However, SecureWorks concedes that the full extent of cybercrime is not visible solely through this window.
"Lucrative online criminality is run like a business, controlled by organised crime groups who are focused on minimising risk and maximising profit," the report says. "Such groups have considerable reach, will often be active in other areas of more traditional criminality, and, when necessary, will employ the services of other professional criminals who specialise in certain areas, such as moving money or goods around the world."
With money in tow, cybercrime organisations are often able to scoop up security talent before the good guys can employ them. This has created an underground job market that SecureWorks said mainly requires skills in malware writing, inject writing, data processing, network and sysadmin, and network exploitation, as well as vendors to perform exploit kit loading.
Money muling, where a "middleman" takes the data and passes it on -- knowingly or unknowingly -- to the cybercriminal, also continues to be a valuable component of the online criminal landscape, the report explained.
SecureWorks also said the perceived gap between criminality and nation states, in terms of both actors and capabilities, will continue to shrink, pointing to the $81 million Bangladesh heist -- and the criminals' links with North Korea -- as its example.

#cyberattack #CyberSecurity #Ransomware #Malware #tech #hacker
via zdnet
