July 9, 2018

Chrome and Firefox pull history-stealing browser extension

By John E Dunn

One minute that favorite browser plug-in is your friend, the next it’s quietly turned into a privacy disaster that’s profiling your browsing in the most intimate way possible.

Browser makers should be on top of this phenomenon and yet, here we are reporting on the latest example, this time spotted by software engineer Robert Heaton.

He’d been using a Chrome and Firefox extension called Stylish for years to re-skin websites and hide their “distracting parts” such as Facebook and Twitter feeds. (Safari and Opera versions are also available.)

Usefully, it even:

“Added manga pictures to everything that wasn’t a manga picture already.”

Not hard to see why Heaton and two million others might want to use it then.

Unbeknownst to him, however, in January 2017 the extension was sold to new owners, SimilarWeb, who changed its privacy policy – and outlook.

This came to his attention when he noticed Stylish had started sending obfuscated data back to its website as part of what looked like data gathering.

Sure enough, after more research:

“When I looked at the contents of the decoded payload, I realized that Stylish was exfiltrating all my browsing data.”

From inside his browser, Stylish could monitor every website he visited. Worse, because Heaton had an account login for the extension, it could relate his activity to his identity.

Read more at https://nakedsecurity.sophos.com/2018/07/06/chrome-and-firefox-pull-history-stealing-browser-extension/

Employee allegedly stole government spyware and hid it under his bed

By Lisa Vaas

A former, unnamed programmer for spyware maker NSO Group was indicted last week for allegedly stealing source code, disabling company security so they could load it onto a storage drive, and trying to sell it on the Dark Web for USD $50m.

Actually, that would have been a bargain: According to a translated version of the indictment (PDF), the powerful spyware’s capabilities are estimated to be worth “hundreds of millions of [US] dollars.”

The company’s products have made headlines on multiple occasions.

NSO Group, an Israeli company, sells off-the-shelf spyware that’s been called History’s Most Sophisticated Tracker Program.

One of its products, codenamed Pegasus, enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.

Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists. But once software blinks into existence, keeping it out of the hands of the wrong people can be very difficult.

One case in point came last year, when Pegasus was reportedly used to target Mexico’s “most prominent human rights lawyers, journalists and anti-corruption activists, in spite of an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans,” as the New York Times reported.

According to Amnesty International, Pegasus has also been used in the United Arab Emirates, where the government targeted prominent activist and political dissident Ahmed Mansoor. Last month, Mansoor was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) on charges including “insulting the UAE and its symbols.”

Read more at https://nakedsecurity.sophos.com/2018/07/06/employee-allegedly-stole-government-spyware-and-hid-it-under-his-bed/

The Pirate Bay is plundering your CPU for cryptocash, again

By Danny Bradbury

Popular file sharing site The Pirate Bay seems to have returned to its old tricks again by mining cryptocurrency in visitors’ browsers without telling them. Last month, a user called okremix posted a complaint in Suprbay, which is the Pirate Bay’s official forum.

“I wanted to upload my torrents to TPB and because of the current upload error (file not found) I left the tab open and noticed that my CPU is getting really hot.

“I remember that TPB was testing background mining in the past so checked the source on upload page and there it was.”

He posted a segment of JavaScript designed to mine for cryptocurrency.

Browser-based cryptominers use code embedded in a web page to force your computer into solving the complex mathematical problems that earn cryptocurrency. Instead of doing it for you, though, they do it for someone else.

Occasionally, publishers will give you the option to mine for cryptocurrency if you don’t want to read their ads. More often, crooks hack someone’s website to embed the code without their knowledge.

Sometimes, as was the case with the Pirate Bay first time around at least, the site owner embeds the code themselves but doesn’t tell visitors. When the person visiting the website doesn’t know about the mining and doesn’t give their permission, that can be classified as cryptojacking.

The Pirate Bay has done this before, using well-known miner Coinhive. This time, though, they seem to have opted for the relatively new cryptojacking service called Crypto-Loot (probably because it charges 12% commission on Monero mining, compared to Coinhive’s 30% commission).

Both Coinhive and Crypto-Loot focus on mining Monero, which has become the cryptocurrency of choice for cryptojackers for two reasons. First, it is CPU-friendly, meaning that miners can use a computer’s CPU in a browser without having to rely on expensive GPU hardware. Second, Monero is designed to be even more anonymous than Bitcoin, obfuscating sending and receiving addresses by default.

Read more at https://nakedsecurity.sophos.com/2018/07/06/the-pirate-bay-is-plundering-your-cpu-for-cryptocash-again/

SIM card in bird’s GPS tracker used to rack up $2,700 phone bill

By Lisa Vaas

A migrating, tagged, male white stork—known to the Polish environmentalists who were tracking him as “Kajtek”—blipped out of contact on 26 April.

That, however, did not stop him from making good use of the SIM card in his GPS tracker, with which the bird—or somebody who found the GPS device and picked it apart in order to get at the card—racked up a $2,700 phone bill.

As IFL Science reports, Kajtek was last located at the Blue Nile valley in Sudan, on his way back home to Poland after successfully making his annual 6,000-kilometer (3,700-mile) trip to Africa, when his GPS tracker showed that he had stopped moving.

White storks aren’t endangered, though their habitats are threatened. The birds spend the warm summer months of the breeding season in parts of central and southern Europe—including in Poland—the Middle East, and west-central Asia before heading to Africa to spend the winter.

When his GPS tracker showed that Kajtek had stopped moving, researchers at the environmental group Grupa EkoLogiczna—EcoLogic—assumed the bird was dead. They had placed the tracker on him in April 2017: a “fairly routine” practice, as you can see by the many accounts of tagging white storks that the group posts to Facebook.

It was 26 April when things got weird. That’s when the scientists who were monitoring Kajtek’s tracker noticed that the bird’s signal again started to move, taking a roundabout, 25-kilometer (16-mile) trip before it went dead.

Then, a number of weeks later, on 7 June, EcoLogic got the giant bill from its phone company. According to The Register, the group said in June that someone pulled apart the tracker to get at the SIM card, then used it for a marathon call-everywhere-and-everyone spree.

EcoLogic told IFL Science that it doesn’t know who made the calls, but they’ll likely have to fork over the money for the phone bill out of their own pockets.

Read more at https://nakedsecurity.sophos.com/2018/07/06/sim-card-in-birdss-gps-tracker-used-to-rack-up-2700-phone-bill/
