A malicious Chrome extension surreptitiously steals Ethereum keys and passwords:
According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at risk.
Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.
Another example of how blockchain requires many single points of trust in order to be secure.
Posted on January 3, 2020 at 6:09 AM
The New Yorker has published the long and interesting story of the cybersecurity firm Tiversa.
Watching “60 Minutes,” Boback saw a remarkable new business angle. Here was a multibillion-dollar industry with a near-existential problem and no clear solution. He did not know it then, but, as he turned the opportunity over in his mind, he was setting in motion a sequence of events that would earn him millions of dollars, friendships with business élites, prime-time media attention, and respect in Congress. It would also place him at the center of one of the strangest stories in the brief history of cybersecurity; he would be mired in lawsuits, countersuits, and counter-countersuits, which would gather into a vortex of litigation so ominous that one friend compared it to the Bermuda Triangle. He would be accused of fraud, of extortion, and of manipulating the federal government into harming companies that did not do business with him. Congress would investigate him. So would the F.B.I.
Posted on December 3, 2019 at 6:19 AM
This is a fascinating article about a bait-and-switch Airbnb fraud. The article focuses on one particular group of scammers and how they operate, using the fact that Airbnb as a company doesn’t do much to combat fraud on its platform. But I am more interested in how the fraudsters essentially hacked the complex sociotechnical system that is Airbnb.
The whole article is worth reading.
Posted on November 6, 2019 at 6:19 AM
This article discusses an e-commerce fraud technique in the UK. Because the Royal Mail only tracks packages to the postcode, and not to the address, it’s possible to commit a variety of different frauds. Tracking systems that rely on signature are not similarly vulnerable.
Posted on September 25, 2019 at 6:01 AM
This seems to be an identity theft first:
Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.
Another news article.
Posted on September 12, 2019 at 6:04 AM
Interesting analysis of the possibility, feasibility, and efficacy of deliberately fake scientific research, something I had previously speculated about.
Posted on August 27, 2019 at 5:14 AM
Interesting article on people using banks of smartphones to commit ad fraud for profit.
No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high—here’s an article that places losses between $6.5 and $19 billion annually—and something companies like Google and Facebook would prefer remain unresearched.
Posted on August 6, 2019 at 6:20 AM
Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported.
The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.
Yet the campaign ensnared at least six more major technology firms, touching five of the world’s 10 biggest tech service providers.
Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
Waves of hacking victims emanate from those six plus HPE and IBM: their clients. Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America’s nuclear submarines at a Virginia shipyard.
Posted on July 10, 2019 at 5:51 AM
ProPublica is reporting on companies that pretend to recover data locked up by ransomware, but just secretly pay the hackers and then mark up the cost to the victims.
Posted on July 8, 2019 at 7:08 AM
Forget deep fakes. Someone wearing a latex mask fooled people on video calls for a period of two years, successfully scamming 80 million euros from rich French citizens.
Posted on June 26, 2019 at 5:46 AM