By Bradley Coulter / Cryptocurrency, Cyber Security, Hacking
Malware Hijacks Millions of Android Devices to Mine Monero

Cybercriminals are increasingly hijacking other people’s devices to mine Monero (XMR), in a trend now called cryptojacking. According to Malwarebytes, a “drive-by” mining campaign recently redirected millions of Android users to a website that hijacked their devices to mine the privacy-centric cryptocurrency using Coinhive.

The campaign worked by redirecting users to a page that told them their device was “showing suspicious surfing behavior.” As such, they needed to verify they were human by solving a CAPTCHA, while their device was used to mine Monero “in order to recover server costs incurred by bot traffic.”

All users had to do was solve the CAPTCHA and click a “continue” button. Once solved, they would be redirected to Google’s home page, which researchers noted was an odd choice. Malwarebytes details that it first spotted the “drive-by” campaign last month, but that it could’ve been around since November 2017. The exact trigger that captured users isn’t clear, but researchers believe infected apps with malicious ads did the trick.

Their post reads:

“While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.”

Malwarebytes researchers weren’t able to identify all the domains users were being redirected to. They managed to identify five domains, and concluded that these received about 800,000 visits per day, with an average of four minutes spent mining, per user.

To estimate the number of hashes being produced, researchers note, a conservative rate of 10 h/s was used. This low hash rate, coupled with the four-minute average time spent mining, means the hackers behind it could only be making “a few thousand dollars” per month.

The Cryptojacking Trend

Notably, researchers discovered the drive-by campaign while studying a separate malware dubbed EITest. They were testing various chains that often led to tech support scams on Windows, but soon found that things were different when using Android.

The ongoing cryptojacking trend seemingly began when torrent-index website The Pirate Bay started using it as a potential alternative to ads. Since then, bad actors have taken advantage of the code Coinhive provides to mine Monero and used it in Google Chrome extensions, on UFC’s website, and even on Starbucks’ Wi-Fi.

On PCs, users can block cryptocurrency mining scripts with anti-malware programs or by browsing with browsers that have built-in blocking tools, such as Opera and Brave. Android users are advised to stick to Google’s Play Store and use security software.
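The blocking tools mentioned above work by recognising the mining page. The detector below is an added example, not Malwarebytes’ or Coinhive’s code: it flags a page that loads the Coinhive library host or calls its constructor (real identifiers of that service), or that shows the “suspicious surfing behavior” lure text. The two sample pages are constructed for the illustration.

```python
import re

# Indicators of the campaign described above. The script host and constructor
# are real identifiers of the Coinhive service; the lure phrase is the
# "suspicious surfing behavior" text shown on the fake CAPTCHA page.
MINER_SCRIPT_HOSTS = {"coinhive.com"}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\ssrc\s*=\s*[\"']([^\"']+)", re.IGNORECASE)
MINER_API_CALL = re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(")
LURE_TEXT = re.compile(r"suspicious surfing behavio(u)?r", re.IGNORECASE)


def _host(url):
    """Hostname of an absolute or protocol-relative URL ('' for local paths)."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def _is_miner_host(host):
    return any(host == d or host.endswith("." + d) for d in MINER_SCRIPT_HOSTS)


def find_miner_indicators(html):
    """Return the cryptojacking indicators found in one HTML page, in order."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = _host(src)
        if _is_miner_host(host):
            hits.append("miner-script:" + host)
    if MINER_API_CALL.search(html):
        hits.append("miner-api-call")
    if LURE_TEXT.search(html):
        hits.append("captcha-lure-text")
    return hits


def should_block(html):
    """Policy a blocker might apply: block on any miner script or API call."""
    return any(h.startswith("miner-") for h in find_miner_indicators(html))


# Constructed sample pages: one mimicking the mining CAPTCHA page, one benign.
SUSPECT_PAGE = """<html><body>
<p>Your device is showing suspicious surfing behavior. Solve the CAPTCHA to continue.</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</body></html>"""
BENIGN_PAGE = '<html><body><script src="/static/app.js"></script><p>Hello</p></body></html>'
```

The lure-text check on its own is only a weak signal, which is why `should_block` acts only on the script and API indicators.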


Author: Francisco Memoria

Russian hackers steal over a billion usernames and passwords

Wednesday 06 August 2014 10:00
Written by: Caroline Baldwin

A group of Russian cyber criminals attacked 500 million email addresses and stole 1.2 billion usernames and passwords.

According to US cyber security company Hold Security, the gang has the largest cache of stolen data in the history of cyber crime.


In a blog post written by Hold Security, the company said it took seven months of research to track down the data breach. The company nicknamed the Russian gang CyberVor (“vor” means “thief” in Russian).

The company claimed CyberVor hacked over 420,000 web and FTP sites to obtain over 4.5 billion records, 1.2 billion of which “appear to be unique”.

The hackers didn’t target just large company websites among the 420,000. “Instead, they targeted every site their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” said the blog post.

Hold stated that the Russian hackers obtained databases of stolen credentials from other hackers on the black market. These were then used to attack e-mail providers, social media, and other websites to send spam to victims and install malicious redirections.

CyberVor also accessed data from botnet networks. Botnets allow a network of infected computers to be controlled by one system. They can track victims’ systems to identify weaknesses, which are then manipulated to steal data from websites’ databases.

Hold Security advises companies to check whether their websites are susceptible to SQL injection.

“It is hard to spot and it may not be on your main site but on one of your auxiliary sites instead. If your websites are vulnerable, this is not the last time you can be victimised,” said the company.
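The check Hold Security recommends, shown as an added example (not the company’s own code): a lookup that builds its SQL by string formatting beside the parameterized form, and a probe that reveals which one returns rows it should not. The in-memory users table and the probe string are constructed for this illustration.

```python
import sqlite3


def _demo_db():
    """Constructed in-memory users table standing in for a site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def lookup_vulnerable(con, username):
    """Builds the statement by string formatting, so user input becomes SQL."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return con.execute(sql).fetchall()


def lookup_parameterized(con, username):
    """Binds the input as a parameter: the driver only ever treats it as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# A tautology probe of the kind a vulnerability scanner sends (constructed).
PROBE = "x' OR '1'='1"


def leaks_on_probe(lookup):
    """True if the lookup returns rows for a probe that matches no real user."""
    con = _demo_db()
    try:
        return len(lookup(con, PROBE)) > 0
    finally:
        con.close()
```

Running the same probe against every auxiliary site’s lookup code, not just the main site, is the point of the company’s advice.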

Russian blogger law

Earlier this week, Russia also came under the spotlight for implementing its controversial blogger law. The new information security law places restrictions on Russian bloggers and social media users. The law states Russian bloggers cannot be anonymous and that popular blogs must register with a regulator.

In March 2014, security experts warned that Ukraine and Russia were locked in a cyber stand-off amid diplomatic efforts to reduce political tensions between the two countries.

Ukraine accused Russia of disrupting mobile communications.

Hacking

Approximately 1.3 million patients were affected by a hacking incident at the State of Montana’s Department of Public Health and Human Services.

So far, there is no evidence that the stolen information has been used inappropriately. Nevertheless, the state is providing identity protection insurance to possible victims. Families of deceased patients are also being notified by the state.

The breach was discovered through an independent forensic investigation that then alerted officials. According to Jon Ebeit, DPHHS officials noticed suspicious activity on May 15, and the investigation followed on May 22.

The vice president of cyber research at LightCyber, Eyal Firstenberg, says: “The time gap between the initial breach and the detection, while outrageously long, is far from being a rare occurrence. In fact, once mission-driven attackers have established a stable beachhead they leverage legitimate existing network resources, like user credentials, for the next phases of the attack. They thus render traditional security controls, like AV, firewalls, and sandboxes useless. With no system in place to monitor the internal network in real-time, attackers are effectively allowed to explore, compromise, and exploit the network at their leisure.”

The attack has forced DPHHS to adopt stronger preventive measures, including safely restoring the affected systems, adding more security software to protect sensitive information on its servers, and monitoring security practices more effectively. No specific details have been released by DPHHS regarding these measures.

The Federal Bureau of Investigation and the Montana Attorney General have been notified by the DPHHS, despite there being no information about potential suspects.

Just a few years ago, most information breaches could be traced to human error: employees being careless in handling the network. Now, however, hackers have gained considerable momentum in attacking the industry’s trove of personal information. Health records are filled with useful information like Social Security numbers, credit card data, and addresses. In 2004, Verizon reported that 73% of healthcare breaches resulted from physical theft and loss, insider misuse, and miscellaneous errors.

Michael Raggo, security evangelist at MobileIron, says: “I will never say never, but the healthcare industry has seen a disproportionately low instance of cyberattacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices. A major reason for a low instance of cyberattacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all healthcare organizations in the United States. That said, cyberattacks are increasing, as are the number of attack vectors organizations need to protect.”

The Office of Civil Rights reported 61 new breaches in mid-May affecting more than 500 patients, raising the 2014 tally to 992 victimized organizations and 31,000 compromised patient records.

In April, another hacking incident occurred, this time targeting DeKalb Health’s website. Apparently, an overseas hacking group attacked the service provider operating the Indiana organization’s website. It was a case of phishing: the hackers created a fraudulent page resembling the legitimate site of the DeKalb Health Foundation. More alarmingly, the real website was linked to the malicious fake one.

Another phishing scam in May affected Centura Health. This time, hackers targeted employees at the non-profit section of Mercy Regional Medical Center. About 1,000 patients have been notified.

It’s not wise to wait until you are the next breach headline before reinforcing your security. Though monitoring your servers may be a massive task, it is necessary if we want our clients to be at ease with whom they entrust their sensitive personal information.

Have questions about your healthcare IT security? UR Gadget Doctors is here to help. UR Gadget Doctors provides extensive coverage for healthcare agencies large and small. Please call us at 856-209-0865 or email us at info@urgadgetdoctors.com if you have any concerns about your healthcare IT security and support.