Comments on DSHR's Blog: Correlated Cryptojacking
Feed author: David. (https://www.blogger.com/profile/14498131502038331594); 17 comments; feed last updated 2024-03-16.

David. (2019-03-04T17:06:59-08:00):

Brian Krebs has more on the <a href="https://krebsonsecurity.com/2019/02/crytpo-mining-service-coinhive-to-call-it-quits/" rel="nofollow">Coinhive shutdown</a>, and the sleaze behind it.

David. (2019-02-27T17:18:31-08:00):

Catalin Cimpanu's <a href="https://www.zdnet.com/article/coinhive-cryptojacking-service-to-shut-down-in-march-2019/" rel="nofollow"><i>Coinhive cryptojacking service to shut down in March 2019</i></a> reports that:

"Coinhive, an in-browser Monero cryptocurrency miner famous for being abused by malware gangs, announced this week its intention to shut down all operations next month, on March 8, 2019.

The service cited multiple reasons for its decision in a <a href="https://coinhive.com/blog/en/discontinuation-of-coinhive" rel="nofollow">blog post</a> published yesterday.

"The drop in hash rate (over 50%) after the last Monero hard fork hit us hard," the company said. "So did the 'crash' of the crypto currency market with the value of XMR depreciating over 85% within a year."

"This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive," the company said."

David. (2019-01-24T06:21:16-08:00):

<a href="https://arstechnica.com/information-technology/2019/01/malvertisers-target-mac-uses-with-stenographic-code-stashed-in-images/" rel="nofollow"><i>Malvertisers target Mac users with steganographic code stashed in images</i></a> by Dan Goodin reports on a fascinating new malvertising technique:

"The ads were served by a group security firm Confiant has dubbed VeryMal, a name that comes from veryield-malyst.com, one of the ad-serving domains the group uses. A run that was active from January 11 to January 13 on about 25 of the top 100 publisher sites triggered the image as many as 5 million times a day. In an attempt to bypass increasingly effective measures available to detect malicious ads, the images used steganography—the ancient practice of hiding code, messages, or other data inside images or text—to deliver its malicious payload to Mac-using visitors."

David. (2018-11-29T20:26:53-08:00):

Catalin Cimpanu's <a href="https://www.zdnet.com/article/us-ios-users-targeted-by-massive-malvertising-campaign/" rel="nofollow"><i>US iOS users targeted by massive malvertising campaign</i></a> reports that:

"A cyber-criminal group known as ScamClub has hijacked over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams, a cyber-security firm has revealed today.

The traffic hijacking has taken place via a tactic known as malvertising, which consists of placing malicious code inside online ads.

In this particular case, the code used by the ScamClub group hijacked a user's browsing session from a legitimate site, where the ad was showing, and redirected victims through a long chain of temporary websites, a redirection chain that eventually ended up on a website pushing an adult-themed site or a gift card scam.

These types of malvertising campaigns have been going on for years, but this particular campaign stood out due to its massive scale, experts from cyber-security firm Confiant told ZDNet today."

David. (2018-10-14T08:21:14-07:00):

Shaun Nichols at <i>The Register</i> reports on yet another instance of <a href="https://www.theregister.co.uk/2018/10/12/branchio_xss_flaw/" rel="nofollow">vulnerabilities in JavaScript libraries</a>:

"As it turned out, the vulnerability they discovered went far beyond one subdomain on a site for lonely hearts. The team at VPNMentor said the since-patched security hole had left as many as 685 million netizens vulnerable to cross-site-scripting attacks, during which hackers attempt to steal data and hijack accounts. To pull off one of these scripting attacks, a victim would have to click on a malicious link or open a booby-trapped webpage while logged into a vulnerable service.

That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they've come from, be it Facebook, email links, Twitter, etc. With the bug lurking in <a href="https://branch.io/" rel="nofollow">branch.io</a>'s code and embedded in a ton of services and mobile applications, the number of people potentially at risk of being hacked via cross-site scripting soared past the half-a-billion mark, we're told."

As usual, the vulnerable code wasn't doing anything for the readers of the Web pages; it was scraping their information to be sold. This is why you need to block ads and disable JavaScript wherever possible.

David. (2018-08-15T19:59:25-07:00):

Like everything else in the blockchain world, <a href="https://www.theregister.co.uk/2018/08/15/coinhive_mining_money/" rel="nofollow">cryptojacking is centralized</a>:

"according to researchers from RWTH Aachen University, who used a new detection technique to track pages mining the cryptocurrency and <a href="https://arxiv.org/pdf/1808.00811.pdf" rel="nofollow">found that</a> [PDF] just 10 users were responsible for 85 per cent of the links that the Coinhive service uses to mine about $250,000 worth of Monero currency every month."

David. (2018-08-06T16:48:23-07:00):

In <a href="https://pxlnv.com/blog/bullshit-web/" rel="nofollow"><i>The Bullshit Web</i></a> Nick Heer takes up the cudgels laid down in 2015 by Georgios Kontaxis and Monica Chew in <a href="https://www.ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_32.pdf" rel="nofollow"><i>Tracking Protection in Firefox for Privacy and Performance</i></a>. They demonstrated that Tracking Protection provided:

"a 67.5% reduction in the number of HTTP cookies set during a crawl of the Alexa top 200 news sites. [and] a 44% median reduction in page load time and 39% reduction in data usage in the Alexa top 200 news site."

Heer's excellent rant takes off from this observation:

"When I moved into my own apartment several years ago, I got to pick my plan and chose a massive fifty megabit per second broadband connection, which I have since upgraded.

So, with an internet connection faster than I could have thought possible in the late 1990s, what’s the score now? A story at the Hill took <a href="https://d.pr/HElAyq" rel="nofollow">over nine seconds</a> to load; at Politico, <a href="https://d.pr/PXrBhY" rel="nofollow">seventeen seconds</a>; at CNN, over <a href="https://d.pr/5R0EBL" rel="nofollow">thirty seconds</a>. This is the bullshit web."

He looks at:

"<a href="https://www.cnn.com/2018/07/24/politics/michael-cohen-donald-trump-tape/index.html" rel="nofollow">that CNN article</a>, for example. Here’s what it contained when I loaded it:

+ Eleven web fonts, totalling 414 KB
+ Four stylesheets, totalling 315 KB
+ Twenty frames
+ Twenty-nine XML HTTP requests, totalling about 500 KB
+ Approximately one hundred scripts, totalling several megabytes — though it’s hard to pin down the number and actual size because some of the scripts are “beacons” that load after the page is technically finished downloading.

The vast majority of these resources are not directly related to the information on the page, and I’m including advertising. Many of the scripts that were loaded are purely for surveillance purposes: self-hosted analytics, of which there are several examples; various third-party analytics firms like Salesforce, Chartbeat, and Optimizely; and social network sharing widgets."

Heer continues with an interesting discussion of Google's AMP, which needs a whole post to itself.

David. (2018-07-30T12:31:55-07:00):

In <a href="https://research.checkpoint.com/malvertising-campaign-based-secrets-lies/" rel="nofollow"><i>A Malvertising Campaign of Secrets and Lies</i></a> Check Point describe in detail a massive malvertising campaign:

"an alarming partnership between a threat actor disguised as a Publisher and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots. Furthermore, powering the whole process is a powerful and infamous Ad-Network called AdsTerra.

The following analysis reveals the full extent of this well-planned Malvertising operation and the manipulation of the entire online advertising supply chain. Our research also raises questions, as seen in our conclusion, about the collaboration involved in this campaign as well as proper verification of adverts in the online advertising industry as a whole. Furthermore, concerns from this discovery include the current role of Ad-Networks in the Malvertising ecosystem, who, as we shall see, are the companies powering these attacks."

It is a must-read; the details are fascinating. Tip of the hat to John Leyden at <i>The Register</i>, who <a href="https://www.theregister.co.uk/2018/07/30/malvertising_wordpress/" rel="nofollow">writes</a>:

"The researchers told The Register that they have observed over 40,000 infection attempts per week from this campaign (that is, at least 40,000 clicks on malicious adverts) and said the campaign was still active. They reckon the crims are getting a decent return on their ad spend so they can afford to outbid legitimate publishers.

Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it to advert resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds) which then went on to sell it to the highest bidding "advertiser".

However, the security researchers claimed, these "advertisers" were actually criminals looking to distribute ransomware, banking trojans, bots and other malware. The infected adverts then appeared on the websites of thousands of publishers worldwide, instead of clean, legitimate ads."

David. (2018-05-10T15:55:27-07:00):

"Criminals infected more than 100,000 computers with browser extensions that stole login credentials, surreptitiously mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google’s official <a href="https://chrome.google.com/webstore/category/extensions" rel="nofollow">Chrome Web Store</a>." reports <a href="https://arstechnica.com/information-technology/2018/05/malicious-chrome-extensions-infect-more-than-100000-users-again/" rel="nofollow">Dan Goodin at <i>Ars Technica</i></a>.

David. (2018-05-06T08:49:01-07:00):

"The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.

The npm team —who analyzed this package earlier today after reports from the npm community— says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library."

This from <a href="https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/" rel="nofollow"><i>Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package</i></a> by Catalin Cimpanu.

Attacks on the package distribution channel like this show that the security of the Web depends on the vigilance of package maintainers and distributors. You don't realize, and can't even find out, the set of people you are trusting to keep you safe. Cimpanu writes:

"Npm index maintainers appear to have caught a future supply-chain attack before it happened. The npm team has also removed the "dustin87" user behind the attack and unpublished the getcookies, express-cookies, and http-fetch-cookies packages.

They've also rolled Mailparser to v2.2.0, removing three versions (2.2.3, 2.2.2, and 2.2.1) that contained the http-fetch-cookies malicious package."

David. (2018-04-03T20:10:25-07:00):

"After a policy that previously permitted them, Google has decided to <a href="https://blog.chromium.org/2018/04/protecting-users-from-extension-cryptojacking.html" rel="nofollow">remove any and all Chrome extensions that mine for cryptocurrencies</a> after finding that too many developers didn't play by the company's rules." reports <a href="https://arstechnica.com/gadgets/2018/04/google-bans-cryptomining-chrome-extensions-because-they-refuse-to-play-by-the-rules/" rel="nofollow">Peter Bright at <i>Ars Technica</i></a>.

David. (2018-03-28T13:24:38-07:00):

"Multiple security firms recently identified cryptocurrency mining service Coinhive as the top malicious threat to Web users, thanks to the tendency for Coinhive’s computer code to be used on hacked Web sites to steal the processing power of its visitors’ devices. This post looks at how Coinhive vaulted to the top of the threat list less than a year after its debut, and explores clues about the possible identities of the individuals behind the service." writes <a href="https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/" rel="nofollow">Brian Krebs in a must-read post</a>. Read to the end - it gets scary.

David. (2018-03-22T20:03:37-07:00):

"GitHub says its security scan for old vulnerabilities in JavaScript and Ruby libraries has turned up over four million bugs and sparked a major clean-up by project owners." reports Liam Tung at ZDNet in <a href="http://www.zdnet.com/article/github-our-dependency-scan-has-found-four-million-security-bugs-in-public-repos/" rel="nofollow"><i>GitHub: Our dependency scan has found four million security flaws in public repos</i></a>.

David. (2018-02-27T11:33:14-08:00):

In <a href="https://arstechnica.com/information-technology/2018/02/ad-network-uses-advanced-malware-technique-to-conceal-cpu-draining-mining-ads/" rel="nofollow"><i>Ad network uses advanced malware technique to conceal CPU-draining mining ads</i></a> Dan Goodin reports on the next round of the war between ad-blockers and cryptojackers.

David. (2018-02-20T14:47:11-08:00):

<a href="https://it.slashdot.org/story/18/02/20/1757204/hackers-hijacked-teslas-amazon-cloud-account-to-mine-cryptocurrency" rel="nofollow"><i>Hackers Hijacked Tesla's Amazon Cloud Account To Mine Cryptocurrency</i></a> reports msmash at \.

David. (2018-02-20T12:32:54-08:00):

<a href="XXX" rel="nofollow"><i>Epidemic of cryptojacking can be traced to escaped NSA superweapon</i></a> writes Cory Doctorow:

"The <a href="https://boingboing.net/?s=cryptojacking" rel="nofollow">epidemic of cryptojacking malware</a> isn't merely an outgrowth of the incentive created by the cryptocurrency bubble -- that's just the motive, and the all-important means and opportunity were provided by the same leaked NSA superweapon that powered <a href="http://boingboing.net/?s=wannacry" rel="nofollow">last year's Wannacry ransomware epidemic</a>."

David. (2018-02-17T10:00:06-08:00):

The gross from the <a href="https://motherboard.vice.com/en_us/article/qvevxq/biggest-cryptocurrency-mining-hack-coinhive-monero-made-24-dollars" rel="nofollow">Browsealoud hack was just $24!</a>.