January 15, 2018

Cryptocurrency as the lure, an ISO as the attachment – why not open it?

By Paul Ducklin

You can’t move these days without bumping into words such as cryptocurrency, Bitcoin, coinminer and blockchain.

With Bitcoin’s value up more than 1000% in the past year, and with companies multiplying their share price simply by adding “Blockchain” to their names, you can see why these words are everywhere.

As you’ll have seen in many Naked Security articles, cryptocurrency is popular with cybercrooks, too.

Usually, cryptocurrency is the end, rather than the means of the crime, for example when crooks infect your computer with coinmining software to hijack your CPU to earn them money, or scramble your data with ransomware and demand that you pay them in cryptocoins to get it back.

But here’s something a bit different that we’ve seen recently: cryptocurrency as the means to a malware infection, not the end of that infection.

These phishing campaigns are also slightly unusual in that they include attachments that are ISO files.

You probably associate ISO files with ripped music CDs or movie DVDs, and with bootable Linux (or Windows) distros – ISOs are just byte-for-byte copies of the raw content of an optical disk.

You usually use them as CD backups, or as a source to burn new CDs.

However, many Windows users have utilities that can open ISO files as though they really were CDs; in fact, Windows 10 will open up ISOs simply by double clicking on them, which allocates them a regular drive letter in the system.
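Because an ISO is a byte-for-byte disc image, a mail filter can recognise one by its content even when the attachment has been given a different file name. The following is an added example, not code from the original article: it checks each attachment for the ISO 9660 "CD001" volume descriptor signature, and the sample message, addresses and file names in it are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

SECTOR = 2048
# ISO 9660 volume descriptors start at sector 16; each carries "CD001" at byte 1.
ISO_MAGIC = b"CD001"
DISK_IMAGE_EXTS = (".iso", ".img")  # assumption: extensions to flag by name alone

def looks_like_iso(data: bytes) -> bool:
    """True if any of the first three volume descriptor slots holds the ISO 9660 magic."""
    for sector in (16, 17, 18):
        off = sector * SECTOR + 1
        if data[off:off + len(ISO_MAGIC)] == ISO_MAGIC:
            return True
    return False

def scan_message(raw: bytes) -> list:
    """Return (filename, reason) for each attachment that is a disc image by content or name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if looks_like_iso(payload):
            findings.append((name, "iso9660-magic"))
        elif name.lower().endswith(DISK_IMAGE_EXTS):
            findings.append((name, "extension-only"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: an ISO image renamed to .pdf plus a harmless text attachment."""
    image = bytearray(17 * SECTOR)
    image[16 * SECTOR:16 * SECTOR + 6] = b"\x01" + ISO_MAGIC  # primary volume descriptor header
    msg = EmailMessage()
    msg["Subject"] = "Your wallet statement (constructed sample)"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(bytes(image), maintype="application",
                       subtype="octet-stream", filename="statement.pdf")
    msg.add_attachment(b"hello", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```
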

Read more at https://nakedsecurity.sophos.com/2018/01/12/cryptocurrency-as-the-lure-an-iso-as-the-attachment-why-not-open-it/

Man charged with spying on thousands of Mac users for 13 years

By Taylor Armerding

The technical description of the “Fruitfly” malware is “spyware.” But given the way it has allegedly been used, a better label would be creepware – creepware that should have easily been detected, but somehow stayed under the radar for more than a decade.

According to a 16-count indictment unsealed on Wednesday in US District Court for the Northern District of Ohio, its creator, Phillip R. Durachinsky, 28, used it to spy on thousands of victims for more than 13 years. Durachinsky spent this time not only collecting personal data but also watching and listening to victims through their webcams and microphones, and using some of what he collected to produce child abuse imagery.

Durachinsky, of North Royalton, Ohio, was charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child abuse imagery, and aggravated identity theft, according to a Department of Justice (DoJ) press release.

The victims ranged from individuals to companies, schools, a police department and government entities including one owned by a subsidiary of the US Department of Energy.

According to the DoJ:

(It) enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.

(He) used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, internet searches, and potentially embarrassing communications.

The indictment charges that while Durachinsky primarily used Fruitfly to infect Macs, he also wrote variants of Fruitfly that were capable of infecting computers running Windows.

It said he saved millions of images, kept detailed notes on what he observed, and designed it to alert him if a user typed words associated with pornography.

Besides the creep factor, a stunning thing about Fruitfly is that it is both unsophisticated and relatively easy to spot, yet according to the DoJ, Durachinsky was able to use it undetected from 2003 until January 2017, when he was arrested and jailed on another charge. He remains in custody.

Read more at https://nakedsecurity.sophos.com/2018/01/12/man-charged-with-spying-on-thousands-of-mac-users-for-13-years/

Bitcoin conference won’t let you pay with Bitcoin

By Lisa Vaas

Sure, as of Thursday, you could still get a last-minute ticket to attend next week’s North American Bitcoin Conference, to be held in Miami. That will be $1,000, if you please.

But if you expect to pay with Bitcoin – or with any other cryptocurrency, for that matter – prepare to be bit-crushed. The conference organizers said on the event’s site that it’s just too slow and pricey to accept at the last minute.

We have, and always will, accept cryptocurrencies for our conferences, up to fourteen days before the event. However, due to the manual inputting of data in our ticketing platforms when paid in cryptocurrencies, we decided to shut down bitcoin payments for last minute sales due to print deadlines.

The organizers blamed “network congestion and manual processing” for the decision. In other words, the fees are painful, and network congestion is gumming everything up. They said that they hope next year brings “more unity in the community about scaling” and that “global adoption becomes reality.”

As Bitcoin.com has reported and Redditors confirm, transaction fees have risen to $30-$60 per transaction at certain times of the day. The fees have skyrocketed from what was a few cents per transaction a few years back.

Moe Levin, the conference organizer, told Bitcoin.com that the organizers are “scrambling” to get bitcoin cash or a digital asset with cheaper fees integrated into the ticketing system. At this point, ticket service operators like Eventbrite or others just haven’t managed to integrate cryptocurrencies yet, he said.

We wish this was easier, but no ticketing options exist which can handle large volumes of ticket sales, and transaction fees on the Bitcoin blockchain exceed $30 at certain times of the day.

The conference certainly isn’t the only merchant that’s been forced to rethink cryptocurrency payments.

Read more at https://nakedsecurity.sophos.com/2018/01/12/bitcoin-conference-wont-let-you-pay-with-bitcoin/

Police give out infected USBs as prizes in cybersecurity quiz

By Lisa Vaas

So ironic. You work hard to win a cybersecurity award, and what do you get? A USB drive stuffed with creepy-crawly nasty, that’s what.

The Taiwanese government last month celebrated its crackdown on cyber crime. The national police – the Criminal Investigation Bureau (CBI) – picked up 250 blank USB drives, each with an 8G capacity, to give out as prizes at the data security expo, hosted by the Presidential Office on 11-15 December.

According to the Taipei Times, an employee at a New Taipei City-based contractor, Shawo Hwa Industries Co., transmitted the malware to the drives when testing their storage capacity… from his infected work station.

Oops! the CBI said after investigating the infection, which wound up on 54 of the drives that were handed out to winners of a quiz about cybersecurity knowledge. “Winners of a quiz about cybersecurity knowledge,” as in, “people who hopefully know enough not to plug in random USB drives conveniently scattered throughout the parking lot but not necessarily those handed on a silver platter at a security expo.”

According to the CBI, the 54 drives picked up an executable malware file that goes by the name of XtbSeDuA.exe. The CBI said that the malware was designed, years ago, to suck up personal data and transmit it to a Poland-based IP address that would then bounce the information to unidentified servers.

Read more at https://nakedsecurity.sophos.com/2018/01/12/police-give-out-infected-usbs-as-prizes-in-cybersecurity-quiz/
