Tag Archives: Bitcoin

October 24th AVIEN updates

Updates to Anti-Social Media 

The Register: Facebook, Google sued for ‘secretly’ slurping people’s whereabouts – while Feds lap it up – “Facebook and Google are being sued in two proposed class-action lawsuits for allegedly deceptively gathering location data on netizens who thought they had opted out of such cyber-stalking.”

Graham Cluley: Twitter thought Elon Musk’s bizarre tweets were evidence he’d been hacked – “It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.”

Since there’s been a spate of Bitcoin fraud tweets spoofing his account, offering to sell someone some Bitcoin may have been a tweet too far.

Updates to Cryptocurrency/Crypto-mining News and Resources

Graham Cluley: Twitter thought Elon Musk’s bizarre tweets were evidence he’d been hacked – “It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.”

Since there’s been a spate of Bitcoin fraud tweets spoofing his account, offering to sell someone some Bitcoin may have been a tweet too far.

Updates to Specific Ransomware Families and Types

BitDefender: Gamma ransomware compromises data on 16,000 patients at California hernia institute – “The attack was tied to the email address Glynnaddey@aol.com which, according to databreaches.net, is associated with Gamma ransomware (part of the Crysis ransomware family).”

Updates to Mac Virus

for ESET: Banking Trojans continue to surface on Google Play – “The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users.”

Buzzfeed: Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme – “A BuzzFeed News investigation uncovered a sophisticated ad fraud scheme involving more than 125 Android apps and websites, some of which were targeted at kids.”

David Harley

Hi ho, hi ho, off to cryptomine we go

Updates to Cryptocurrency/Crypto-mining News and Resources

Sophos: The Pirate Bay is plundering your CPU for cryptocash, again – “Popular file sharing site The Pirate Bay seems to have returned to its old tricks again by mining cryptocurrency in visitors’ browsers without telling them.”

Graham Cluley: The Pirate Bay is cryptomining for Monero with your CPU again

The Hacker News: New Virus Decides If Your Computer Good for Mining or Ransomware – “Researchers at Russian security firm Kaspersky Labs have discovered a new variant of Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well.”

The Register: Japanese cryptominer slapped with suspended sentence – “Said to have netted only £34…”

Sophos: Think that bitcoins and a VPN keep you anonymous? Think again… – “A security lapse by a VPN operator can therefore be very worrying news indeed, and that’s what popular online cybercurrency wallet service MyEtherWallet (MEW) is warning about right now…Hola is a free VPN that essentially shares out participating users’ browser connections out amongst the community in order to get around geoblocks.”

David Harley

AVIEN resource updates 27th June 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

The Register: Top banker batters Bitcoin for sucky scalability, security – “Australia’s Reserve Bank sees no need for national cryptocurrencies, for now”

Sophos: Why Bitcoin’s about to give up one of its closely guarded secrets – “…the Bitcoin Core developers are finally set to unveil the not-as-secret-as-it-should-be private key that allows them to send messages to everyone on the entire Bitcoin network.”

Trend Micro: Cryptocurrency-Mining Bot Targets Devices With Running SSH Service via Potential Scam Site – “Through social engineering, users are tricked into installing the miner that directly funnels profit (in the form of Monero and Ethereum coins, in this case)…”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

The Register: So you’re doing an IoT project. Cute. Let’s start with the basics: Security – “And for heaven’s sake, don’t fall in love with the data…Data is seen as one of IoT’s biggest payoffs – generating and gathering it to help your business. But get IoT wrong, and you stand to be overwhelmed by that data wave. Cisco estimates IoT will generate 500 zettabytes of data by the end of 2019…”

The Register: A volt out of the blue: Phone batteries reveal what you typed and read – “Power trace sniffing, a badly-designed API and some cloudy AI spell potential trouble…Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.”

Updates to Meltdown/Spectre and other chip-related resources

Ars Technica: Hyperthreading under scrutiny with new TLBleed crypto key leak – “A new attack prompted OpenBSD’s developers to disable hyperthreading by default…developers on OpenBSD—the open source operating system that prioritizes security—disabled hyperthreading on Intel processors.”

The Register: Meet TLBleed: A crypto-key-leaking CPU attack that Intel reckons we shouldn’t worry about – “How to extract 256-bit keys with 99.8% success…Intel has, for now, no plans to specifically address a side-channel vulnerability in its processors that can be potentially exploited by malware to extract encryption keys and other sensitive info from applications.”

Bleeping Computer: Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless – “Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint. WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.”

Updates to Mac Virus

ThreatPost: Malicious App Infects 60,000 Android Devices – But Still Saves Their Batteries – “A battery-saving app that also allows attackers to snatch text messages and read sensitive log data has been downloaded by more than 60,000 Android devices so far… ‘Although the app these scam pages send users to does its advertised function, it also has a nasty secret—it infects victims’ devices and comes with a side of information-stealing and ad-clicking,’ Yonathan Klijnsma, threat researcher at RiskIQ, said in a post on Thursday.”

An interesting example that bears out a definition of Trojan that I’ve used for decades – “…a program that pretends to offer some useful or desirable function, and may even do so, but whose primary function is something you don’t expect it to do, and wouldn’t want it to if you did.”

David Harley

Resource updates 20th March 2018

[Update to Ransomware Resources page, also posted to Chain Mail Check]

If I had a separate category for ‘miscellaneous extortion’ this might belong there. It’s included here because it isn’t just a hoax, but one that centres on extortion, though it looks as if the point is to embarrass/harass the apparent sender of the extortion email (the Michigan company VELT) rather than actually make a direct profit from extortion. The company’s CEO told the BBC that the attacker was probably a Minecraft player who had been banned from using the Veltpvp server and was acting by way of revenge.

[Updates to Cryptocurrency/Crypto-mining News and Resources]

[Update to Tech support scams resource page]

Sophos: Fake Amazon ad ranks top on Google search results. “Yep, not for the first time, Google’s been snookered into serving a scam tech support ad posing as an Amazon ad.”

[MacVirus news]

(1) Commenting on Symantec’s warning of a new Fakebank Android variant, Graham Cluley reports: This Android malware redirects calls you make to your bank to go to scammers instead – “MALWARE HELPS SCAMMERS TRICK YOU INTO THINKING YOU’RE SPEAKING TO YOUR BANK.”

The Fakebank malware is only targeting South Korea, right now, but Graham rightly suggests that the same gambit is likely to be re-used elsewhere.

(2) Apple has dealt a major blow to users of supercookies with a security improvement in Safari.

David Harley

The Smiling Assassin (shaken not stirred)


I recently saw this article from Mark Stockley for Sophos entitled Ransom email scam from ‘hitman’ demands: pay up or die and assumed – as I suspect many people will – that it was some particularly horrible example of ransomware. In fact, while it is pretty horrible in its way, it turns out that there’s no real malware as such involved, just social engineering of the 419 persuasion, where the scammer claims to be an assassin ordered to kill the person who receives the email. In fact, I’ve written about this particular 419 sub-species several times before.

While the version noted by Mark Stockley is rather more polished and up-to-date technologically (it wants payment in Bitcoin!) than most of the 419 scam messages I’ve seen that use a similar approach, it’s not much different, fundamentally. Here’s an extract from a particularly crass example I came across some years ago.

I want you to read this message very carefully, and keep the secret with you till further notice, You have no need of knowing who i am, where am from, till i make out a space for us to see, i have being paid $50,000.00 in advance to terminate you with some reasons listed to me by my employers, its one i believe you call a friend, i have followed you closely for one week and three days now and have seen that you are innocent of the accusation


You will need to pay $15,000.00 to the account i will provide for you, before we will set our first meeting, after you have make the first advance payment to the account, i will give you the tape that contains his request for me to terminate you, which will be enough evidence for you to take him to court (if you wish to), then the balance will be paid later.

Sometime later, my friend and colleague Urban Schrott drew my attention to a spam campaign that had been causing some hilarity over at ESET Ireland. The message had the subject “YOUR LIFE IS IN DANGER,” and apparently came from someone calling himself Spike Dwaggin, though later he signs himself Dai Teatime. A commenter on one of my earlier blogs pointed out that Spike Dwaggin is a dragon from My Little Pony, that the name Dai features the 4th, 1st, and 9th letters of the alphabet (419 – geddit?), and told me that Dai Teatime is the assassin from Terry Pratchett’s ‘Hogfather’. (In fact, Pratchett’s assassin is Jonathan Teatime, but close enough.)

While it’s not unusual for purveyors of 419 scams to use noms de plume reminiscent of famous people (real or fictional), this one is notably rich in popular cultural references. The article cited above references a few more, if you’re interested. But here’s the message from Spike/Dai, with some comments from me.

As I sit here sipping a martini it is my regretful duty to inform you that you have been selected for assassination.

[Given the subsequent references to SMERSH, I can only assume that this would be a vodka martini (shaken not stirred).]

I am a professional assassin (I enclose my certificate of assassination as proof) and SMERSH have contracted me to assassinate you and have specifically paid extra for a particularly nasty death which makes it look like you died in a particularly bizarre sex game gone wrong; I had already bought the shire horse stallion (he’s called Henry – picture attached), the lard and the dragon dildo (from Bad Dragon of course, I only use the very best tools) when I found out that you are innocent of the accuse, so I make out this time to contact you. Unfortunately international crime syndicates won’t admit to mistakes and cancel the hit so I will be forced to carry out the assassination on you. Sorry about that old chap but rules are rules…

[Interestingly, the killer’s modus operandi seems to have been influenced by a story relating to the Russian empress Catherine the Great, who was said (quite untruthfully) to have died as a result of being somewhat over-intimate with a horse. And could this particular horse be the Henry who ‘of course dances the waltz’ in the Beatles song ‘Being for the benefit of Mr Kite’?]

There is an option for me to help you in other for you to know who had paid SMERSH for your DEATH and don’t forget my men had been monitoring you for the past few days and daily record of your activities is been sent to me but I have refuse to order your DEATH.

[If your acquaintanceship with James Bond is limited to the movies, you may be unaware that a fictionalized version of SMERSH (a real Russian counter-intelligence agency that was wound up in 1946) plays a significant part in the very early novels. Oddly enough, a lot of commentary on 419-related forums relating to this particular example misses the fact that SMERSH and SPECTRE (a purely fictional criminal organization) are by no means the same thing, though there seems to be a certain amount of traffic from one to the other in terms of personnel. A bit like the AV industry…]

Get back to me if you value your LIFE with all due speed or else I regret I will have to carry out my original contract to assassinate you and although he is quite charming for a horse I don’t think Henry is the most sensitive of lovers.

Toodle Pip!

Dai Teatime
International Assassin

When I first saw the message on ESET Ireland’s site, I assumed it was some kind of spoof intended to amuse rather than threaten. However, after checking on one or two scam-baiter forums, it seemed that Mr Teatime was probably quite willing to take money from anyone who appeared to have fallen for his shtick. And however funny this particular message may seem to people who are security-savvy, there are others who will find messages from self-described assassins genuinely frightening. Sadly, I suspect that not all of them will come across articles like Mark Stockley’s (or even this one) to reassure them that it’s just another scam, mailed out more or less at random.

Still, sometimes all you can do with stuff like this is laugh at it.

David Harley


Ransomware: Understanding Bitcoin

It probably hasn’t escaped your notice that ransomware gangs are fond of Bitcoin, and you may also be aware that some victims who decide to pay up are finding the Bitcoin technology somewhat daunting, to the extent that PadCrypt may be intended to offer advice on paying with Bitcoin by way of a live chat facility (offline at the time of writing). At any rate, Bleeping Computer’s Lawrence Abrams comments:

“A feature like this could potentially increase the amount of payments as the victim can receive “support” and be guided on the confusing process of making a payment.”

I’m not familiar enough with Bitcoin at the moment to help much as far as that’s concerned, but I have noticed a number of articles recently that relate to it:

  • Bitcoin and Cryptocurrency Technologies assumes that ‘…you have a basic understanding of computer science — how computers work, data structures and algorithms, and some programming experience. If you’re an undergraduate or graduate student of computer science, a software developer, an entrepreneur, or a technology hobbyist, this textbook is for you.’ However, it is written using a fairly conversational tone, so it’s certainly worth a look if you’re reasonably IT-literate.
  • This primer from Princeton is about 296 pages shorter and more consumer friendly. And here’s Bitcoin’s own FAQ.
  • Richard Chirgwin points out that Bitcoiners are just like everybody else: They use rubbish passwords, which may not reassure you.
  • Imperva has published an interesting paper on ‘The secret of Cryptowall’s success’ based on Bitcoin wallet analysis.

William Hugh Murray comments in a recent SANS newsletter:

Cyber currency is too slow ever to play a major role as a medium of exchange. It is too volatile to serve as a store of value. However, anonymity will serve to encourage extortion.

That section of the Newsbites newsletter has a number of interesting links to commentary on the Locky ransomware, by the way.

David Harley