All posts in “hacking”

These hackers stole $85 million in Ether to save it from *the real crooks* (or so they say)

One for you, 85 million for me...

Image: Backyard Production/Getty Images

The clock was ticking. Thieves stole $32 million worth of Ether out of a popular Ethereum wallet, and with every passing minute the potential for additional losses grew. 

And so the White Hat Group stepped in. 

Like something out of a weird cryptocurrency reboot of National Treasure, the unidentified WHG hackers decided to steal the remaining Ether before the crooks could. All $85 million of it. 

Or so they say. 

The claim was posted to Reddit on July 19, and details a plan to return the funds to their rightful owners. Here’s how the poster, jbaylina, says it went down:

“The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract,” explained the post, referring to a vulnerability in the popular Ethereum wallet Parity that was successfully exploited by unknown thieves. “This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped finding these vulnerable contracts.”

Essentially, the White Hat Group says they came across the vulnerability — likely because hackers were exploiting it to steal the aforementioned loads of Ether — and went ahead and boosted every last bit they could. But for a good cause.  

“If you hold a multisig contract that was drained, please be patient,” the post continued. “We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there.”

In other words, the WHG says it saw your money sitting in a busted safe, removed it before thieves could, and now promises to return it to you in a new safe that works. Unsurprisingly, people flocked to Reddit to thank them.

“You guys are literal fucking heros [sic],” wrote one person who may or may not have had Ether stolen. “Good fucking job.”

“They’re like ‘The Avengers’, but for buggy smart contracts instead of aliens,” noted another.

And so, just like we would with a real-life caped crusader, we are left wondering about the identity of the White Hat Group’s members. We reached out to the Reddit user who posted the WHG message, curious as to the group’s motivation and future plans, but perhaps unsurprisingly didn’t receive a response.

Notably, however, this isn’t the first time WHG members have swooped in to save the day. As ETHNews notes, the WHG previously made waves when it hacked a hacker that had ripped off The DAO, “an investor-directed venture capital fund on Ethereum.” Just like in the recent case, WHG announced it would return the stolen funds that it had recovered.

Even so, skeptics remain. After all, this unknown person or persons now controls around $85 million worth of Ether. Are they really going to just give it all back?

It’s the $85 million question, and one that an untold number of people in the cryptocurrency community are waiting with bated breath to see answered. 


A security researcher just revealed a huge Myspace security flaw. (And yes you should care.)

Tom, u up? MySpace — you know that game-changing social media platform that you created and sold — appears to have some serious security issues, dude. 

Security researcher Leigh-Anne Galloway shared a blog post on Monday detailing a huge security flaw she spotted on Myspace’s account recovery page back in April. 

“In April this year whilst roaming the plains of the wild world web, I stumbled across an old Myspace account of mine,” Galloway explains in the post. “Attempting to gain access and delete the account I discovered a business process so flawed it deserves its own place in history.”

Essentially, Galloway discovered that an attacker could use public information — info as basic as name, email address, username, and date of birth — to gain access to any Myspace account by simply using the “Do Not Have Access To Old Email Address Form.”

Galloway shared the issue with the company … and, according to Galloway, she “received almost no response from Myspace, except an automated one.”

Why is this so troubling?

In 2016 you may recall that Myspace suffered a massive security breach involving 427 million passwords belonging to approximately 360 million users who created accounts before 2013. The database of passwords was then put online for all to see.

This is a bigger deal than it seems. In addition to the breach allowing hackers to access a trove of personal user information and direct messages from Myspace, basically everyone reuses their passwords (which for the record, is not something you should do). So the 2016 Myspace breach may have put a lot more people and accounts at risk than expected.

This, coupled with the fact that it’s been about three months since Galloway reported the most recent security flaw and she’s only received an automated response, begs one very serious question: What are you doing, Myspace?

In response to a request for comment, a Myspace spokesperson told Mashable, “In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access.”

“We take data security very seriously at Myspace,” the spokesperson went on. “We will continue to monitor the security of these accounts and make appropriate modifications.”

Okay, Myspace. But why did it take so long to even address the issue?

What even is Myspace nowadays?

The Myspace that today’s users know is far from the Myspace you left behind to join Facebook back in the day, and maybe that’s part of the problem.

After co-founder Tom Anderson sold the social media platform to News Corp in 2005, it was acquired in 2011 by Tim and Chris Vanderhook and Justin Timberlake. A year later, Timberlake attempted to bring sexy back to the site with a swanky new redesign, and then the world basically never heard another peep about Myspace ever again.

Cut to today where the site appears to be a somewhat confusing, music-centered hub where people can stay informed on the music world but also chat with one another and maintain a personal profile.

The website’s stats page proudly displays the number of songs on the site, and a search bar at the bottom of the homepage gives you access to articles, songs, videos, and artists on what vaguely resembles iTunes.

Image: screengrab/myspace


According to the site, Myspace is currently comprised of 150 engineers, designers, writers, and strategists. For comparison, as of March 31, 2017 Facebook reported a whopping 18,770 employees. And back in 2016 Myspace received a reported 15 million monthly unique global visitors, whereas Facebook currently has around 2 billion monthly active users.

In other words: Myspace is not top dog. But you still have to care.

Do I really have to?

Yes.

You may not use Myspace anymore but if you have an old dormant account, you either have to keep tabs on it or delete it completely. Breaches have happened before and they can happen again. That said, there’s no denying that the months-long delay in Myspace addressing the issue is concerning.

Myspace may be struggling to stay relevant in the modern era of social media, but there is one easy way to get people to take your site seriously: address your security flaws.


It only took hackers 3 minutes to steal $7 million worth of Ether

Oops.

Image: Shutterstock / Lightboxx

All it took was three minutes. 

Shortly after going live, CoinDash’s July 17 Initial Coin Offering (ICO) was in serious trouble. The company, which allows for the trading of the popular cryptocurrency Ether (the “money unit” of the Ethereum platform), was all set for a big fundraising round with investors given the chance to invest in CoinDash with Ether. It’s a well-established practice similar to an IPO: Buy into a company now in exchange for tokens, which are in some sense analogous to stock, and hope to reap the rewards later. 

It didn’t exactly work out as planned. 

As explained after the fact on the company’s website, hackers managed to change one tiny but important detail on the CoinDash website just as the ICO was scheduled to begin: The Ethereum wallet address. That little change was all it took to redirect cryptocurrency slated for CoinDash into the wallet of the attacker. 

“It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event,” the company explained. “During the attack $7 million were stolen by a currently unknown perpetrator.”

According to a screenshot of the CoinDash Slack channel, posted to Reddit and confirmed as authentic by Motherboard, CoinDash realized what was happening within three minutes — but the damage was done. 

Well this is bad.


Image: Coindash/reddit

Angry online commenters, who may or may not have fallen prey to the scam, quickly took to Reddit to vent their frustration — with some hinting at the possibility of an inside job. 

“Is there any proof that this was a hack,” wondered one Redditor. “What if Coindash put an address in and then cried hacker to get away with free ETH?”

“This propably [sic] was a set up from the beginning,” speculated another.

However, those that sent their Ether to the wrong address may not be entirely out of luck. CoinDash says it will still issue tokens to anyone who was swindled (as long as it happened before company employees shut their site down upon discovery of the hack). 

“CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution,” the company further noted on its site. “Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly.”

CoinDash, for its part, did manage to raise $6.4 million from its “early contributors and whitelist participants” before things went south. 

As for the stolen Ether? Well, that’s just chilling in a wallet, waiting until the crook comes to collect. And, unless the perp left some clues behind during the hack itself, he or she will soon be sitting pretty with their ill-gotten gains. Following laundered cryptocurrency, after all, is a notoriously difficult task. 


You know that Jayden K. Smith Facebook hack? It’s actually a hoax that doesn’t make any damn sense

Image: diego AZUBEL/EPA/REX/Shutterstock

Here’s a story you’ve probably heard before: A viral hoax is spreading on Facebook that, when you stop and think about it, really doesn’t make any damn sense.

Monday’s hoax involves a supposed hacker named Jayden K. Smith. 

As far as the hoax goes, users are warned about an incoming friend request from a user named “Jayden K. Smith,” who is reportedly a hacker. Then the user is encouraged to share the warning with all of their friends to protect one’s Facebook network from Jayden.

The warning looks a little something like this:

Please tell all the contacts in your Messenger list, not to accept Jayden K Smith friendship request. He is a hacker and has the system connected to your Facebook account. If one of your contacts accepts it, you will also be hacked, so make sure that all your friends know it. Thanks. Forwarded as received.

The thing is: the message itself is the hoax. Which we should have all realized if we just stopped and thought about it for a second.

First, “the system connected to your Facebook account.” Lol. Gonna need more info there. 

Second, it’s silly to think you’ll be hacked if any of your Facebook friends becomes friends with Jayden. Becoming friends with someone on Facebook doesn’t somehow provide a person access to, say, your email password. 

This viral message isn’t smart, but it seems to be designed to take advantage of a critical nexus of (the lack of) hacking knowledge: Many people don’t know how hacking works and many people are also understandably afraid of being hacked. 

Hey, at least we get the memes, I guess. 

We reached out to Facebook for comment, and we’ll update if we hear back.


Alleged hackers behind NotPetya cyberattack demand $260,000 bitcoin ransom

Image: CHRISTOPHER MINESES/MASHABLE

The ransom is on the move. 

The Bitcoin wallet controlled by the NotPetya attackers showed surprising signs of life over the Fourth of July holiday weekend, with approximately $10,000 in paid ransom disappearing from the account. Around the same time, a message purporting to be from the culprits behind the maybe-ransomware attack surfaced — demanding 100 bitcoin in exchange for a key they say can unlock encrypted files. 

At the time of writing, 100 bitcoin is worth approximately $260,000.

“Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks),” read the message posted to Pastebin. “See the attached file signed with the key.”

As NotPetya, which first surfaced in Ukraine on June 27, has been shown to damage an infected computer’s master boot record, the person behind the message is only claiming to be able to decrypt specific files — not entire systems. Still, that ability could be a godsend for companies struggling to restore lost data, assuming the ransomer is telling the truth.

The new demand was posted on July 4, the same day ransom payments made in the hopes of obtaining decryption keys were moved from the Bitcoin address listed in the initial NotPetya attack to another wallet.

The message displayed by NotPetya.


Image: SYMANTEC

No new Bitcoin address was listed for payments should anyone decide to actually fork over the 100 bitcoin. However, a link was provided to a chatroom for the purpose of getting in touch with the hackers and presumably arranging payment. 

Motherboard exchanged messages with someone claiming to be one of the hackers, who told the publication the key for sale would “decrypt all computers.”

So, should organizations desperate for their data pay up? It’s a tough question. Security researchers have more or less reached a consensus that the intention behind NotPetya was to damage cyber-infrastructure, not to make money. As such, the calculus for victims is different than it would be with a more traditional form of ransomware. 

Either way, this latest series of developments — the transfer of funds between Bitcoin wallets and the new demand — serves to further muddy the waters behind the NotPetya attack. It also makes one thing clear: The story of the latest ransomware scourge to sweep the globe is not over yet. 
