A VPN is typically a paid service that keeps your web browsing secure and private over public Wi-Fi hotspots.
VPNs can also get past regional restrictions for video- and music-streaming sites and help you evade government censorship restrictions—though that last one is especially tricky. The best way to think of a VPN is as a secure tunnel between your PC and destinations you visit on the internet. Your PC connects to a VPN server, which can be located in the United States or a foreign country like the United Kingdom, France, Sweden, or Thailand. Your web traffic then passes back and forth through that server.
The end result: As far as most websites are concerned, you’re browsing from that server’s geographical location, not your computer’s location. We’ll get to the implications of a VPN’s location in a moment, but first, let’s get back to our secure tunnel example. Once you’re connected to the VPN and are “inside the tunnel,” it becomes very difficult for anyone else to spy on your web-browsing activity.
The only people who will know what you’re up to are you, the VPN provider (usually an HTTPS connection can mitigate this), and the website you’re visiting. A VPN is like a secure tunnel for your web traffic. When you’re on public Wi-Fi at an airport or café, that means hackers will have a harder time stealing your login credentials or redirecting your PC to a phony banking site. Your Internet service provider (ISP), or anyone else trying to spy on you, will also have a near impossible time figuring out which websites you’re visiting. On top of all that, you get the benefits of spoofing your location.
If you’re in Los Angeles, for example, and the VPN server is in the U.K., it will look to most websites that you’re browsing from there, not southern California. This is why many regionally restricted websites and online services such as BBC’s iPlayer or Sling TV can be fooled by a VPN.
I say “most” services because some, most notably Netflix, are fighting against VPN (ab)use to prevent people from getting access to, say, the American version of Netflix when they’re really in Australia. For the most part, however, if you’re visiting Belgium and connect to a U.S. VPN server, you should get access to most American sites and services just as if you were sitting at a Starbucks in Chicago.
What a VPN can’t do
While VPNs are an important tool, they are far from foolproof. Let’s say you live in an oppressive country and want to evade censorship in order to access the unrestricted web.
A VPN would have limited use.
If you’re trying to evade government restrictions and access sites like Facebook and Twitter, a VPN might be useful.
Even then, you’d have to be somewhat dependent on the government’s willingness to look the other way. Anything more serious than that, such as mission-critical anonymity, is far more difficult to achieve—even with a VPN. Privacy against passive surveillance? No problem. Protection against an active and hostile government? Probably not.
A VPN service provider such as HideMyAss can protect your privacy by ensuring your internet connection is encrypted.
The problem with anonymity is that there are so many issues to consider—most of which are beyond the scope of this article. Has the government surreptitiously installed malware on your PC in order to monitor your activity, for example? Does the VPN you want to use have any issues with data leakage or weak encryption that could expose your web browsing? How much information does your VPN provider log about your activity, and would that information be accessible to the government? Are you using an anonymous identity online on a PC that you never use in conjunction with your actual identity? Anonymity online is a very difficult goal to achieve.
If, however, you are trying to remain private from prying eyes or evade NSA-style bulk data collection as a matter of principle, a reputable VPN will probably be good enough. Beyond surveillance, a VPN also won’t do much to keep advertisers from tracking you online. Remember that the website you visit is aware of what you do on its site, and that applies equally to advertisers serving ads on that site. To prevent online tracking by advertisers and websites you’ll still need browser add-ons like Ghostery, Privacy Badger, and HTTPS Everywhere.
How to choose a VPN provider
There was a time when using a VPN required users to know about the built-in VPN client for Windows or universal open-source solutions such as OpenVPN. Nowadays, however, nearly every VPN provider has their own one-click client that gets you up and running in seconds.
There are usually mobile apps as well to keep your Android or iOS device secure over public Wi-Fi. Of course that brings up another problem.
Since there are so many services to choose from, how can you tell which ones are worth using, and what are the criteria to judge them by? First, let’s get the big question out of the way.
The bad news for anyone used to free services is that it pays to pay when it comes to a VPN.
There are tons of free options from reputable companies, but these are usually a poor substitute for the paid options.
Free services usually allow a limited amount of bandwidth usage per month or offer a slower service.
Some companies disallow torrents completely, some are totally fine with them, while others won’t stop torrents but officially disallow them. We aren’t here to advise pirates, but anyone looking to use a VPN should understand what is and is not okay to do on their provider’s network. Finally, does the VPN provider offer their own application that you can download and install? Unless you’re a power user who wants to mess with OpenVPN, a customized VPN program is really the way to go.
It’s simple to use and doesn’t require any great technical knowledge or the need to adjust any significant settings.
Using a VPN
You’ve done your due diligence, checked out your VPN’s logging policies, and found a service with a great price and a customized application. Now, for the easy part: connecting to the VPN. Here’s a look at a few examples of VPN desktop applications. TunnelBear, which is currently my VPN of choice, has a very simple interface—if a little skeuomorphic. With TunnelBear, all you need to do is select the country you want to be virtually present in, click the dial to the “on” position, and wait for a connection-confirmation message. SaferVPN works similarly.
From the left-hand side you select the country you’d like to use—the more common choices such as the U.S., Germany, and the U.K. are at the top. Once that’s done, hit the big Connect button and wait once again for the confirmation message.
With SaferVPN, all you need to do is choose the country you wish to have a virtual presence in.
HMA Pro is a VPN I’ll be reviewing in the next few days.
This interface is slightly more complicated, but it’s far from difficult to understand.
If you want to select your desired virtual location, click the Location mode tab, click on the location name, and then choose your preferred location from the list. Once that’s done, click the slider button that says Disconnected. Once it flips to Connected, you’re ready to roll. There are numerous VPN services out there, and they all have different interfaces; but they are all similar enough that if you can successfully use one, you’ll be able to use the others. That’s all there is to using a VPN.
The hard part is figuring out which service to use. Once that’s done, connecting to a VPN for added privacy or to stream your favorite TV shows while abroad is just a click away. This story, "How—and why—you should use a VPN any time you hop on the internet" was originally published by TechHive.
The vulnerable firmware is either the ZynOS-based “ras” (for low-power, small-memory units), or tclinux; and they use the BOA or Goahead Web server. Ribeiro warns that his tests are specific to the Thai versions of the boxes, but it's not likely to end there. About the hard-coded admin accounts, he writes: “It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish).
Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable.” Similarly, the command injection vulnerabilities probably affect units other than those sold in Thailand. At this point, he writes, there is no fix: the only defence is for users to block untrusted clients from connecting to the routers. Securiteam has published a vulnerability summary here.
It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop-shop for purchasing hacking goods.
WhiteHats on the prowl?
Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims’ stolen accounts.
A group of WhiteHat hackers who call themselves Group Demóstenes was found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem.
They would then monitor the incoming, stolen data.
Either manually or automatically, they would collect the stolen credentials and send emails to the victims’ accounts.
These emails contained an attachment with proof that the user’s machine had been compromised.
In addition, they advise the user to change passwords immediately and offer to help.
Hi ***********
Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called
Computer Name PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
Installed Firewall:
have a keylogger harm report All That You write, messages, passwords or more.
¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.
PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS
The email above appears in two languages, English and Spanish.
The name of the group appears to be of Portuguese origin, though it is not certain.
The shopfront: the command and control servers
Scanning for network services which are running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”. Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page.
Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer. After registering on the C2 web application, there was no sign of the stolen data transferred from compromised machines.
A forum-like web page opens once the login succeeds. The C2 was meant to store the stolen data securely; however, it contained a crucial vulnerability which allowed researchers to download the stolen data. The C2 owners seem to have added six new shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is. Another item for sale is scam pages, some of which are multilingual.
The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays.
The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates. The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab. To purchase goods in the private shop you must deposit money into your account on the website.
The attackers accept Bitcoins, PerfectMoney and WebMoney.
Back to the stolen data
As we described, HawkEye is a robust keylogger that can hijack keystrokes from any application being opened on the victim’s PC.
It can also identify login events and record the destination, username and password.
Its usefulness is limited, however, where two-factor authentication or single sign-on is in use. Stolen credentials on the server were found to include sensitive access passwords to government, healthcare, banking and payment web applications.
Among them is the following web server which belongs to the Pakistani government. As mentioned, hundreds of machines were found to be compromised by just one C2.
The following is a partial list of what was downloaded from the malicious server. Usually, careless threat actors forget to remove test files which might contain sensitive data.
In this case, we were able to obtain the attackers’ credentials from one very small file that was captured when searching related strings.
Target geography
The research is still ongoing; the campaign is currently affecting users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.
Based on telemetry, Kaspersky Lab estimates that Faketoken has claimed over 16,000 victims in 27 countries. Users in Russia, Ukraine, Germany and Thailand have been the most heavily affected.
Variants of the malware first surfaced back in July. Stealing financially related data on an industrial scale remains Faketoken’s main scam.
The ransomware element of the Android nasty is problematic for victims but not as potent as its developers might have hoped, Kaspersky Lab researchers explain. “The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud,” the researchers write. “In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using an AES symmetric encryption algorithm that can, in some cases, be decrypted by the user without paying a ransom.” Faketoken poses as various programs and games, including Adobe Flash Player.
During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply.
Among other things, these rights enable Faketoken to steal data (such as contacts and files), either directly or indirectly through phishing pages. For example, the Trojan can overlay the Google Play Store, presenting a phishing page in an attempt to trick marks into handing over their credit card details.
Another phishing template impersonates Gmail’s login page. The revised Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions.
The reason for this is unclear as the substitute icons lead to the same legitimate applications.
It’s probable that malicious coders have done this in order to lay the groundwork for future developments. The malware serves to underline why you should not blindly hand over permissions to mobile apps as well as the importance of backing up data. More details about the threat evolution of Faketoken can be found in a post on Kaspersky Lab’s Securelist blog here.
The malicious app also displays phishing pages to steal credit card information, and it can read and send text messages. Faketoken’s creators have added the ability to encrypt user files stored on the phone’s SD card sometime in July and have since released thousands of builds with this functionality, according to researchers from Kaspersky Lab. “Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them,” Kaspersky Lab researcher Roman Unuchek said Monday in a blog post. “The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom.” Faketoken masquerades as popular apps and games and, once installed, it nags the user into giving it the necessary permissions through repeated prompts.
It has managed to infect more than 16,000 devices in 27 countries, many of them located in Russia, Ukraine, Germany, and Thailand. File encryption is not as popular as screen blocking techniques in mobile ransomware because many of the files stored on mobile devices are backed up to cloud services and can be easily restored, according to Unuchek. That doesn’t seem to stop developers from experimenting with such techniques, though. Researchers from security company Comodo have recently analyzed another mobile banking trojan called Tordow 2.0 that has the ability to encrypt files. Tordow 2.0 contains a pack of exploits that it uses to gain root privileges on infected devices.
It is distributed as trojanized versions of popular apps that are available through third-party app stores. Tordow 2.0 can make telephone calls, control SMS messages, download and install programs, steal login credentials, access contacts, encrypt files, visit webpages, manipulate banking data, remove security software, reboot devices, rename files, and act as ransomware, the Comodo researchers said in a blog post. Ransomware is a profitable business model for cybercriminals, and the number of file-encrypting programs has exploded this year.
A couple of years ago, many observers had doubts that ransomware programs would begin targeting businesses on a large scale because businesses are more likely to have backup procedures in place than consumers. That didn’t stop attackers from trying, and now every 40 seconds, a business is hit by ransomware somewhere in the world.
It wouldn’t be very surprising to see the number of file-encrypting ransomware programs for mobile devices increase, too, even if mobile phones are more likely to have backups. Android users should install applications only from the official Google Play store and should make sure that their phones don’t allow the installation of apps from unknown sources.
It’s also a good idea to only download highly rated apps and to read their user reviews.
But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.
In addition to that, this modification is attacking more than 2,000 financial apps around the world. We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.
According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand. Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.
Preparing the groundwork
The Trojan is capable of interacting with protection mechanisms in the operating system.
For example, it requests rights to overlay other apps or the right to be a default SMS application.
This allows Faketoken to steal user data even in the latest versions of Android. Once the Trojan becomes active, it requests administrator rights.
If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice.
The Trojan imitating “Yandex.Navigator” to request administrator rights
Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls.
These requests will also be repeatedly displayed until the user agrees to provide access. The Trojan then requests the right to display its windows on top of other applications.
This is necessary to block the device and steal user data by displaying phishing pages.
The Trojan requesting the right to display its windows on top of other applications
The final request at the preparatory stage is for the right to be the default SMS application – this allows Faketoken to covertly steal text messages on the latest versions of Android.
The Trojan integrates the options necessary for the user to work with SMS. However, on some Android devices and versions when the user attempts to send an SMS via Faketoken it returns an error.
As a result, the user cannot send SMS messages until they manually change the SMS application.
The Trojan doesn’t like that, and will start requesting the right again. Manipulations with application shortcuts can also be added to the preparatory stage.
After launching, Faketoken starts downloading an archive containing file icons of several applications (the version being analyzed here has eight) related to social networks, instant messengers and browsers.
Then it tries to delete the previous shortcuts to these applications and create new ones.
On the test devices the Trojan failed to remove the previous shortcuts, which eventually led to the appearance of duplicates
It is not clear why it does this, because the shortcuts created by Faketoken lead to the original applications.
Data theft
Once the shortcuts are installed, the next stage of the Trojan’s work begins – the theft of user data.
Faketoken downloads a database from the server containing phrases in 77 languages for different device localizations.
Screenshot of the database with phrases in different languages
Using these or other phrases from the database, depending on the operating system language, the Trojan will show the user various phishing messages.
Examples of phishing messages displayed by the Trojan
If the user clicks on the message, the Trojan opens a phishing page designed to steal passwords from Gmail accounts.
In addition to that, the Trojan overlays the original Gmail application with this page for the same purpose – to steal the password.
Phishing page imitating the login page of the Gmail mail service
However, the Trojan doesn’t limit itself to Gmail. Like most modern mobile Trojans, Faketoken overlays the original Google Play app with its phishing window to steal the victim’s bank card details.
Phishing page used by the Trojan to steal credit card details
The Trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server.
In our case, Faketoken received a list of 2,249 financial applications from around the world.
Example of the Trojan’s phishing pages designed for different applications
It should be noted that the Trojan integrates functionality enabling it to call some of the methods from the HTML page it received from the C&C server.
As a result, in addition to the phishing functionality, the pages described above can get certain information about the device including the address of the Gmail account and, even worse, reset the device to factory settings. What’s more, Faketoken can perform the following actions upon command from the C&C server:
Change masks to intercept incoming text messages;
Send text messages to a specified number with a specified text;
Send text messages with a specified text to a specified list of recipients;
Send a specified text message to all contacts;
Upload all text messages from the device to the malicious server;
Upload all the contacts from the device to the malicious server;
Upload the list of installed applications to the malicious server;
Reset the device to factory settings;
Make a call to a specified number;
Download a file to the device following a specified link;
Remove specified applications;
Create a notification on the phone to open a specified page or run a specified application;
Start overlaying specified applications with a specified phishing window;
Open a specified link in its own window;
Run an application;
Block the device in order to extort money for unblocking it.
This command may include an option indicating the need to encrypt files.
Ransomware banker
As mentioned above, the ransomware functionality in mobile banking Trojans is now commonplace, after being pioneered by Svpeng in early 2014. However, the new Faketoken version can extort money not only by blocking the screen but also by encrypting user files.
Screenshot of the Trojan code that renames and then encrypts files
Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them.
The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom.
The Trojan receives the encryption key and the initialization vector from the C&C server.
The encrypted files include both media files (pictures, music, videos) and documents.
The Trojan changes the extension of the encrypted files to .cat. In conclusion, we would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently), which may be because most files stored on a mobile device are copied to the cloud.
In other words, demanding a ransom in return for decrypting them is pointless.
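Because the post says the key and IV arrive from the C&C server, an analyst who has captured that exchange (or pulled the values from the running sample) can undo the encryption. The following Go tool is an added example, not Kaspersky’s or the Trojan’s code: it walks a directory, decrypts every file renamed to .cat with the captured key and IV, and writes the plaintext back under the original name. CBC mode with PKCS#7 padding is an assumption, since the post says only “AES”; the tool refuses, rather than overwrites, anything that does not decrypt cleanly.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// EncryptedExt is the extension the analysis says Faketoken gives encrypted files.
const EncryptedExt = ".cat"

// DecryptCBC decrypts one file body with the key and IV recovered from the C&C
// exchange. CBC mode with PKCS#7 padding is an assumption (the post only says AES);
// malformed padding is treated as a wrong key or IV and the file is refused.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("IV or ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong key/IV or truncated file")
	}
	return pt[:len(pt)-n], nil
}

// EncryptCBC is the inverse of DecryptCBC and exists only so this example can build
// constructed sample files; it is not the Trojan's code.
func EncryptCBC(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// RecoverDir walks root, decrypts every *.cat file and writes the plaintext beside it
// under the original name ("photo.jpg.cat" -> "photo.jpg"). Files that do not decrypt
// cleanly are reported and left untouched, so a wrong key destroys nothing.
func RecoverDir(root string, key, iv []byte) (int, error) {
	recovered := 0
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		cut := len(info.Name()) - len(EncryptedExt)
		if cut <= 0 || info.Name()[cut:] != EncryptedExt {
			return nil
		}
		ct, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		pt, err := DecryptCBC(key, iv, ct)
		if err != nil {
			fmt.Fprintf(os.Stderr, "skipping %s: %v\n", path, err)
			return nil
		}
		if err := os.WriteFile(filepath.Join(filepath.Dir(path), info.Name()[:cut]), pt, 0o600); err != nil {
			return err
		}
		recovered++
		return nil
	})
	return recovered, err
}

// Usage: recover <dir> <hex key> <hex iv>; key and IV come from the analyst's capture.
func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: recover <dir> <hex key> <hex iv>")
		os.Exit(2)
	}
	key, kerr := hex.DecodeString(os.Args[2])
	iv, ierr := hex.DecodeString(os.Args[3])
	if kerr != nil || ierr != nil {
		fmt.Fprintln(os.Stderr, "key and IV must be hex encoded")
		os.Exit(2)
	}
	n, err := RecoverDir(os.Args[1], key, iv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("recovered %d file(s)\n", n)
}
```

Run it against a copy of the SD card image, never the original, so a mistaken key or IV costs nothing.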
The relationship enables retailers to securely process payments in Asia-Pacific through Computop’s Paygate payment gateway using the payment methods that consumers in the region prefer and trust, helping to positively impact sales and the overall customer experience. A recent e-Marketer report noted that Asia-Pacific will remain the world’s largest retail e-commerce market, with sales expected to top $1 trillion in 2016 and more than double to $2.725 trillion by 2020.
Findings also noted that the region will see the fastest rise in retail e-commerce sales, increasing 31.5% this year.
In addition, according to a study by Kantar TNS, Asia-Pacific is leading the world in mobile payment with over half (53%) of connected consumers using their mobile phones to pay for goods or services at the point-of-sale via apps.
As such, the Computop and AsiaPay partnership enables retailers to capitalize on the growth opportunity that Asia-Pacific presents. “Expanding business into foreign markets may seem daunting, but working with companies that have a strong foothold in those regions and that understand the payment behaviors and preferences of consumers in those countries is key to retailer success,” said Ralf Gladis, CEO of Computop. “Through our partnership with AsiaPay, Computop is able to provide merchant customers with the opportunity to take advantage of Asia-Pacific consumers’ appetite for e-commerce. With Computop Paygate integrated with AsiaPay, retailers benefit from the secure payment options that southeast Asian consumers expect and trust.” “We are very honoured to be a strategic partner of Computop,” said Joseph Chan, CEO of AsiaPay. “Our company has more than 16 years of experience in credit card processing and international business service, giving us a solid position as a premier e-Payment player in the region.
Furthermore, we have a keen understanding of merchants’ payment requirements in the fast-paced e-commerce business environment. We believe that a strategic cooperation with Computop can help merchants improve their processing efficiency, thereby contributing to their business growth as well as support their global endeavor,” he added. Founded in 2000, AsiaPay offers secure and cost-effective electronic payment processing solutions and services to banks and e-businesses globally.
The company offers a variety of card payments, online bank transfers, e- wallets and cash payments across over 16 countries, including Hong Kong, China, India, Indonesia, Malaysia, Singapore, Philippines, Taiwan, Thailand and Vietnam.
It is a certified international 3-D secure vendor for VISA, MasterCard, American Express and JCB. Computop Paygate is a PCI-certified omnichannel payment platform that provides retailers with secure payment solutions and efficient fraud prevention for international markets.
Computop integrated AsiaPay into Paygate to offer merchants a wide range of payment methods in the Asia-Pacific region to support their cross-border and global commerce efforts. Payment methods available on Paygate include Alipay, American Express, JCB, Tenpay and WeChat, along with many other widely-accepted payment options that consumers in these countries use.
About Computop
Computop is a leading global payment service provider (PSP) that provides compliant and secure solutions in the fields of e-commerce, POS, m-commerce and Mail Order and Telephone Order (MOTO).
The company, founded in 1997, is headquartered in Bamberg, Germany, with additional independent offices in China, the UK and the U.S.
Computop processes transactions totalling $24 billion per year for its client network of over 14,000 mid-size and large international merchants and global marketplace partners in industries such as retail, travel and gaming.
Global customers include C&A, Fossil, Metro Cash & Carry, Rakuten, Samsung and Swarovski.
Following the recent asset deal with the Otto Group, Computop is now processing payments for merchants that previously used EOS Payment, including all 100 Otto retail brands.
In cooperation with its network of financial and technology partners, which it has expanded over many years, Computop offers a comprehensive multichannel solution that is geared to the needs of today's market and provides merchants with seamlessly integrated payment processes. For further information, please visit www.computop.com.
About AsiaPay
Founded in 2000, AsiaPay, a premier electronic payment solution and technology vendor and payment service provider, strives to bring advanced, secure, integrated and cost-effective electronic payment processing solutions and services to banks, corporate and e-Businesses in the worldwide market, covering international credit card, China UnionPay (CUP) card, debit card and other prepaid card payments. AsiaPay is an accredited payment processor and payment gateway solution vendor for banks, certified IPSP for merchants, certified international 3-D Secure vendor for Visa, MasterCard, American Express and JCB.
AsiaPay offers its variety of award-winning payment solutions that are multi-currency, multi-lingual, multi-card and multi-channel, together with its advanced fraud detection and management solutions. Headquartered in Hong Kong, AsiaPay offers its professional e-Payment solution consultancy and quality local service support across its other 12 offices in Asia including: Thailand, Philippines, Singapore, Malaysia, Mainland China, Taiwan, Vietnam, Indonesia and India.
For more information, please visit www.asiapay.com and www.paydollar.com.
Although Deutsche Telekom has offered a software update to stop the malware, security experts worry that the hackers will continue to upgrade Mirai’s source code to infect additional devices. The original version of Mirai became notorious for quickly enslaving poorly secured IoT devices, such as DVRs and surveillance cameras.
This new strain infects routers from a company called Zyxel, exploiting a known flaw in the routers' SOAP-based (Simple Object Access Protocol) remote-management interface to take them over. The goal of Mirai is to form a botnet, an army of enslaved devices that can be used to launch massive distributed denial-of-service (DDoS) attacks capable of knocking websites offline.
In October, Mirai botnets were blamed for doing just that in a disruption that slowed internet access across the United States. Flashpoint said it's already found this new strain of Mirai creating a botnet to launch “small-scale” DDoS attacks on an IP address in Africa and a cloud hosting provider.
The attacks, which lasted between a few minutes and to more than an hour, occurred on Monday and Tuesday. Hackers have been exploiting the Mirai malware ever since its source code was released on a forum in late September.
The developers of this new strain probably wanted to make their Mirai botnet bigger, Flashpoint said. However, the spread of the new Mirai strain appears to be slowing down, according to Craig Young, a security researcher at Tripwire. On Monday, he estimated the malware was attempting to infect devices at a rate of one every 90 seconds.
But as of Tuesday morning, that rate had slowed to about one every six minutes, he said. Young said the Deutsche Telekom attack was in one sense a failure.
The hackers probably never intended to disrupt Deutsche Telekom customers' Internet connections, but simply to secretly infect their routers to grow the botnet, he said. The way the Mirai strain took over the routers drew too much attention, provoking the German carrier to quickly issue a security patch. “The malware may have been too demanding on the routers, and overloaded them, so they wouldn’t be able to operate,” Young said. He expects the hackers to keep upgrading Mirai. “Someone will fix the bugs in the code,” he said. “People will also incorporate more exploits related to routers.”
The remote hack works from anywhere in the world, robbing banks in as little as 10 minutes.
It is every consumer's dream to find an ATM spitting out cash like a winning slot machine, and it seems that hackers in Eastern Europe have figured out how to make that a reality.
As outlined by Russian security firm Group IB, the hackers are linked to the Buhtrap crew, which stole $28 million from Russian banks between August 2015 and January 2016, according to Reuters. But while Buhtrap drained bank accounts via fraudulent wire transfers, the ATM scammers reportedly use a less hands-on method: "touchless jackpotting."
The hackers reportedly use Cobalt Strike, a commercial penetration-testing framework, to pivot from bank PCs infected through malicious emails to the servers that control the ATMs. Accomplices then wait by the targeted ATMs and scoop up the cash as it spits out of the machine.
The hackers reportedly hit financial institutions in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, the Netherlands, Poland, Romania, Russia, Spain, and the UK. Group IB did not reveal which banks were targeted.
Global ATM manufacturers Diebold Nixdorf and NCR confirmed to PCMag that they are "familiar" with these types of breaches.
"ATM attacks are becoming more complex and sophisticated as hackers dedicate more time to attacking infrastructure," an NCR spokeswoman said in a statement. "Securing one's infrastructure and endpoints is a never-ending and extremely important task that does not depend on the region or attack type."
Diebold Nixdorf, meanwhile, claims there is "no indication to us that this group of fraudsters is active in Europe or the Americas."
But that doesn't mean they won't be. "Logical attacks on ATMs are expected to become one of the key threats targeting banks," according to Dmitry Volkov, head of the Group IB investigation department.
"They enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services," he said in a statement. "This type of attack does not require development of expensive advanced software—a significant amount of the tools used are widely available on the deep Web."
As the Wall Street Journal reports, the FBI recently warned US banks to look out for potential attacks, following incidents in Taiwan and Thailand over the summer.
"Every bank is under threat of logical attacks on ATMs and should be protected accordingly," Volkov added.
Thanks, Internet of Things.
Mirai—the malware responsible for creating a massive "botnet" of hacked Internet-connected cameras, digital video recorders, and other devices that interrupted Internet services for many last week—is still in action, according to data from the network security company Arbor Networks.
An ever-shifting army of about 500,000 compromised Internet of Things (IoT) devices is still being controlled by Mirai, based on Arbor's tracking of the malware's communications.
And multiple command-and-control networks are still directing those devices to attack websites and service providers across the Internet.
But as previously predicted, new and improved versions of the Mirai malware—based on the source code that Mirai's alleged author openly published on September 30—are now appearing in the wild and wreaking additional havoc.

In a blog post, Roland Dobbins, Principal Engineer on Arbor's ASERT Team, noted that "relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain." Devices that are vulnerable to Mirai takeover, he noted, "are typically listening for inbound telnet access on TCP [port] 23 and TCP [port] 2323," and compromised devices communicate via "a remote-control backdoor" that is also present in Mirai, "accessible via TCP/103." Mirai botnets constantly scan the entire Internet for vulnerable devices, so even when a device is rebooted or reset, it can be compromised all over again within 10 minutes.

Dobbins also noted that "multiple threat actor groups are actively working to expand and improve" the attacks that were coded into Mirai, and that "some alterations in the DDoS attack capabilities of at least one Mirai-derived botnet have been observed in the wild." In a Skype call with Ars, Dobbins said, "It's a minor enhancement to one of the existing [Mirai] attacks." He couldn't give detail about the enhancements, but he added that "multiple groups are working to enhance and customize Mirai."

The original Mirai code is capable of a variety of attacks against DNS services and websites, in addition to more generic network "flood" attacks based on the TCP, UDP, and Generic Routing Encapsulation (GRE) protocols. Mirai accounted for most of the attack on Dyn's DNS service on October 21, and was part of earlier attacks on security reporter Brian Krebs' site and on French cloud provider OVH.
Those attacks measured over 600 gigabits per second and over 1.5 terabits per second at their peaks, respectively. While the total volume of traffic thrown at Dyn hasn’t yet been publicly released, Level 3 Communications chief security officer Dale Drew said in a Twitter conversation that the numbers had been shared with major network operators.
Drew told Ars in a separate conversation that "tens of millions" of distinct devices were involved in the Dyn DDoS attack, and that some of them were clearly not Mirai-infected devices; not all of the devices were necessarily active at the same time. Dobbins wrote that the "potential collateral impact of DDoS attacks launched by the Mirai botnet can be highly significant." The outbound traffic from hacked devices—including attacks against intended targets and scanning for other vulnerable devices—could crimp the network bandwidth of even major broadband ISPs, causing outages for customers. Given the wide availability of the code, it's fairly certain that even more Mirai variants will emerge—and make their presence felt as the holidays approach.
Criminal botnet operators will likely use Mirai's success as a way to extract blackmail payments from online retailers and banks with threats of interfering with online shopping.
Stopping (or at least reducing) those attacks will require network operators to work to identify vulnerable or hacked devices themselves and block the command-and-control traffic to them.
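A worked example of the device-identification step that Dobbins's indicators and the paragraph above call for, written for this page rather than taken from Arbor or the article: it runs over constructed NetFlow-style records (src, dst, protocol, destination port; RFC 5737 documentation addresses) and flags three signals, namely customer devices accepting inbound telnet on TCP/23 or TCP/2323, devices being reached on the TCP/103 backdoor port, and devices fanning out to many external telnet targets the way an infected Mirai node does when it scans for new victims. It then emits iptables rules that cut that traffic at the operator's edge. The record format, the monitored prefix 192.0.2.0/24 and the five-target scanner threshold are assumptions, not figures from the article.

```python
"""Flag Mirai-style telnet exposure, backdoor access and scanning in flow records.

Added example for this page; not Arbor's tooling. Port numbers come from the
article (TCP/23, TCP/2323, TCP/103); everything else is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23, 2323}   # inbound telnet that Mirai brute-forces (from the article)
BACKDOOR_PORT = 103         # remote-control backdoor port (from the article)
SCAN_THRESHOLD = 5          # distinct external telnet targets per host; assumed tuning value
LOCAL_NET = ip_network("192.0.2.0/24")  # assumed customer range (RFC 5737 documentation space)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src dst proto dport' records, one per line; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET


def analyze(flows: list[Flow]) -> dict[str, set[str]]:
    """Return {local_ip: {reasons}} for hosts showing Mirai indicators."""
    findings: dict[str, set[str]] = defaultdict(set)
    scan_targets: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":            # all three indicators are TCP
            continue
        if is_local(f.dst) and not is_local(f.src):
            if f.dport in TELNET_PORTS:
                findings[f.dst].add("exposed-telnet")      # vulnerable: answers telnet from outside
            elif f.dport == BACKDOOR_PORT:
                findings[f.dst].add("backdoor-tcp103")     # compromised: backdoor being driven
        elif is_local(f.src) and not is_local(f.dst) and f.dport in TELNET_PORTS:
            scan_targets[f.src].add(f.dst)                 # candidate scanner activity
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[host].add("telnet-scanner")           # infected: hunting new victims
    return dict(findings)


def block_rules(findings: dict[str, set[str]]) -> list[str]:
    """iptables FORWARD rules: stop inbound telnet/backdoor reach to flagged hosts and
    stop outbound telnet scanning from hosts seen scanning."""
    rules = []
    for host in sorted(findings, key=ip_address):
        reasons = findings[host]
        if reasons & {"exposed-telnet", "backdoor-tcp103"}:
            rules.append(f"-A FORWARD -d {host} -p tcp -m multiport --dports 23,2323,103 -j DROP")
        if "telnet-scanner" in reasons:
            rules.append(f"-A FORWARD -s {host} -p tcp -m multiport --dports 23,2323 -j DROP")
    return rules


# Constructed sample records: src dst proto dport
SAMPLE_FLOWS = """
198.51.100.7 192.0.2.10 tcp 23      # outside host logs into a DVR's telnet
198.51.100.7 192.0.2.10 tcp 103     # ... then drives the backdoor port
192.0.2.10 203.0.113.1 tcp 23       # the DVR starts scanning for new victims
192.0.2.10 203.0.113.2 tcp 2323
192.0.2.10 203.0.113.3 tcp 23
192.0.2.10 203.0.113.4 tcp 23
192.0.2.10 203.0.113.5 tcp 2323
192.0.2.10 203.0.113.6 tcp 23
198.51.100.9 192.0.2.20 tcp 23      # camera answering telnet: exposed, not yet seen attacking
192.0.2.30 203.0.113.50 tcp 443     # ordinary HTTPS traffic
192.0.2.40 203.0.113.7 tcp 23       # three telnet connections: below the scanner threshold
192.0.2.40 203.0.113.8 tcp 23
192.0.2.40 203.0.113.9 tcp 23
198.51.100.7 192.0.2.10 udp 53      # non-TCP flow is ignored
"""

if __name__ == "__main__":
    found = analyze(parse_flows(SAMPLE_FLOWS))
    for host, reasons in sorted(found.items(), key=lambda kv: ip_address(kv[0])):
        print(host, sorted(reasons))
    print("\n".join(block_rules(found)))
```

Because a reset device is re-compromised within minutes, the "exposed-telnet" finding matters as much as the "telnet-scanner" one: the rules should be applied before the customer is told to reboot, not after, and re-evaluated on every flow export rather than once.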
But there he was: Roger Thomas Clark, the man accused of being "Variety Jones," notorious dope dealer and top advisor to Silk Road founder Ross "Dread Pirate Roberts" Ulbricht.
(Photo: Clark entering court.)
Clark did the perp-walk, shuffling unchained and unnoticed past the Bangkok press brigade, which was focused that day on the trial of an accused Spanish murderer.
Accompanied by a lone Thai corrections officer in a sand-coloured uniform, Clark was led to the eighth floor and was greeted by his team of lawyers and interpreters. Clark was here to battle extradition to America and a possible life sentence on charges of narcotics conspiracy and conspiracy to commit money laundering.
But face-to-face, whether in a Thai court or a prison, Clark appeared unfazed by the powerful forces seeking him for a trial on the other side of the planet. Though acknowledging that his odds of beating extradition are slim, Clark remained in high spirits during his July day-trip to the courthouse. He even slipped in a brag or two on the way. “Normally a senior person signs an extradition order, but my order was signed and stamped by John Kerry,” he said, adding that the order came with a blue silk ribbon. “Very few people ever have an extradition signed by John Kerry.” (In the past, Clark has proven to be an eccentric interviewee who has made bold, unsubstantiated claims, such as having access to helicopters and being guarded by members of the Thai Tourist Police, the Khmer Palace Guard, and the Vietnamese Special Forces.) Clark is fighting for his life any way he knows how.
But one thing he’s sure of: he won’t go down like Ulbricht, laptop open and unencrypted.
During a series of recent interviews from prison, Clark bragged about how his machines, when seized by Thai police last year, were all cryptographically secured.
(Photo: Bangkok Remand Prison, where Clark is being held as he awaits the outcome of his extradition hearing. Sam Cooley)

"They found my three notebooks closed and encrypted"

Silk Road functioned for years as a sort of "Amazon.com for drugs." Equipped with the proper software, users around the world could log into Silk Road and cruise through hundreds of drug listings, read reviews, and decide to purchase a kilogram of heroin off someone named "BigDaddy24"—all without leaving their bedrooms.
During its lifetime, from 2011 to 2013, Silk Road’s user base exploded. Ulbricht eventually had to hire administrators to keep things running smoothly—and Clark is believed to have been one of the most important. In 2013, Ulbricht was captured red-handed in a San Francisco library with his laptop open and logged into Silk Road—and on that laptop was a photograph of Clark. (To this day, the photograph functions as one of the few public pieces of evidence linking Clark to the “Variety Jones” name.) Also on Ulbricht’s computer was a 2011 journal entry paying tribute to Variety Jones’ influence on Silk Road. “He has helped me better interact with the community around Silk Road, delivering proclamations, handling troublesome characters, running a sale, changing my name, devising rules, and on and on,” Ulbricht wrote. “He also helped me get my head straight regarding legal protection, cover stories, devising a will, finding a successor, and so on. He’s been a real mentor.” This evidence, in part, led investigators to suggest that Clark was in fact Variety Jones and that he had advised Ulbricht “on all aspects of the [Silk Road], including how to maximize profits and use threats of violence to thwart law enforcement,” according to a press release issued after Clark’s arrest in Thailand. On the Internet, Variety Jones came across as a bit of a tough guy.
According to seized chat logs, Jones may have been instrumental to Ulbricht’s decision to commission the killing of one of his workers whom he believed had defected. (The “killing” was actually faked by a corrupt—and now-convicted—DEA agent.) That toughness came through in prison, where Clark periodically receives visitors. When the buzzers rang at the visitation segment of Bangkok Remand Prison this June, Clark took a seat at a row of telephones to discuss his predicament during a series of interviews with co-author Sam Cooley. (Disclosure: Cooley purchased two containers of Pringles and three cartons of soy milk for Clark before one interview.) “Guilt is a technical term,” Clark said, adding that he won’t be taken by the FBI the same way Ulbricht was in 2013. “They don’t have shit on me.
I’m not going [to the US].
It’s an impossible circumstance.” “They might have caught Ross with his notebook opened, as they claim, but they found my three notebooks closed and encrypted,” Clark added, claiming his home was raided without a warrant on the Thai island of Koh Chang in December 2015. “Forensics could spend 30 years trying to decrypt those hard drives and still not get anywhere; so in a way, those hard disks are a headache,” he said. “The longer they need to open them, the longer I can relax here in Bangkok.
They would rather deny that they seized all this evidence." For the past 20 years, Clark says he's been living internationally—though most recently on the concrete floor of the jail, where he's been held for the past nine months. Clark shook his head when asked if he was mistreated. He laughed, saying the only people who complain about the conditions are foreigners—and that he wasn't about to do so over a jail telephone. "My chances of survival are zero if I go to the US," he added. Clark also repeated a previous claim to have knowledge about a so-far undiscovered dirty FBI agent—information which he said he's keeping "under (his) hat" until the right opportunity presents itself.
(Photo: A Thai prison guard. Sam Cooley)

"39 words exactly"

During Clark's July appearance at Ratchada court, an officer of Thailand's Ministry of Foreign Affairs functioned as a liaison between the US government and its Thai counterparts. Discussion in court that day—all of it in Thai, which was interpreted into English by co-author Akbar Khan—revolved around domain registration and whether the prosecution could provide information about the official registrant of the Silk Road domain name.
Given the complexities of Silk Road’s operations, which formerly existed in the semi-public darknet, prosecutors were forced to concede they did not have a copy of the domain registry. Clark’s defence team responded by launching a barrage of strategic questions which could, at the least, prolong the extradition process.
Shortly afterwards, the court session concluded and Clark was shuffled back to prison. (The hearing was attended by only one other person, a slick-looking Chinese man who described himself as a law student.) As for Clark's newest gambit to save himself from extradition, it comes right out of a spy movie. He said that he recently requested a meeting with an intelligence official close to Thailand’s Prime Minister, Prayut Chan-ocha, because Clark has “top secret information” for the military government. “I am going to write (the information) on a piece of paper for them and hand it to them to read.
It's not even going to be 40 words; it's just going to be 39 words. 39 words exactly," he told me. "The deal can only be done within six days after the verdict has been read, and I have no idea how long this is going to drag on for."

Freelance journalist Sam Cooley tweets at @samcooley.