A bug centering around the Ethereum-based GasToken that paved the way for abuse on cryptocurrency exchanges has been fixed.
How Did It Work?

The bug made it possible for attackers to force exchanges into paying very high transaction fees, though at press time it was unclear which exchanges lacked the safeguards that would have contained the problem. The attackers could also have exploited the bug to turn a profit.

The issue was discovered by a group of cryptocurrency researchers, who later issued private messages to “as many digital exchanges as possible.” The platforms later implemented the appropriate security measures to disrupt the bug and end the threat once and for all.

You Need to Get Strict

Many exchanges, the researchers discovered, were not enforcing appropriate limits on GasToken use or on how many tokens could be sent to arbitrary addresses. As a result, once such a transaction was sent, an attacker could force the exchange to pay very high amounts for the computation it triggered and thereby drain the exchange’s reserves. They could also mint new GasTokens in the process (minting is the creation of entirely new tokens, which can then be sold at a profit).

Attackers could also impose high fees on users transacting with arbitrary accounts. On a positive note, not all exchanges were vulnerable to the bug: it was initially reported that only exchanges handling Ethereum-based transactions could be affected.

Very Few Could Be Affected

This was later narrowed down to exchanges that initiated such transactions, not those that merely processed them, which limited the number of platforms at risk. Decentralized exchanges (DEXs) and those that used smart contracts to process users’ transfers, for example, could not be attacked.

The bug was first discovered in late October. The researchers then informed those who could be affected, advising them to implement “reasonable gas limits on all transactions” to defend against the threat. At the time of writing, the exchanges have implemented the necessary defenses and the problem has been resolved.
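The following is an added example (not code from the article or from any exchange) of the “reasonable gas limits” policy described above, written as a withdrawal check: the exchange never forwards more gas than the destination legitimately needs, so the worst-case fee it can be charged is bounded before the transaction is signed. The cap values, ratio and the `destination_has_code` flag (in practice obtained with `eth_getCode`) are assumptions for illustration.

```python
# Added illustration of a withdrawal gas policy; all constants are assumptions.
WEI_PER_GWEI = 10**9
WEI_PER_ETH = 10**18
PLAIN_TRANSFER_GAS = 21_000        # intrinsic gas of an ETH transfer to a codeless account
CONTRACT_DEST_GAS_CAP = 60_000     # assumed policy cap when the destination is a contract
BLOCK_GAS_LIMIT_2018 = 8_000_000   # rough order of magnitude of the block gas limit at the time


def max_fee_wei(gas_limit, gas_price_gwei):
    """Worst case the sender pays: the recipient's code burns every unit of gas_limit."""
    return gas_limit * gas_price_gwei * WEI_PER_GWEI


def withdrawal_gas_limit(destination_has_code, requested_gas_limit=None):
    """Gas limit the exchange attaches to a withdrawal, never above the policy cap."""
    cap = CONTRACT_DEST_GAS_CAP if destination_has_code else PLAIN_TRANSFER_GAS
    if requested_gas_limit is None:
        return cap
    return min(requested_gas_limit, cap)


def check_withdrawal(amount_wei, destination_has_code, gas_price_gwei,
                     requested_gas_limit=None, max_fee_bps=100):
    """Return (allowed, gas_limit, worst_case_fee_wei).

    The withdrawal is refused when the worst-case fee exceeds max_fee_bps
    basis points (default 1%) of the amount being sent, so a destination that
    burns all forwarded gas cannot make the exchange lose more than that.
    """
    gas_limit = withdrawal_gas_limit(destination_has_code, requested_gas_limit)
    fee = max_fee_wei(gas_limit, gas_price_gwei)
    allowed = fee * 10_000 <= amount_wei * max_fee_bps
    return allowed, gas_limit, fee


if __name__ == "__main__":
    # Uncapped: a hostile recipient contract can burn up to the block limit
    # on every withdrawal, and the exchange pays for it.
    uncapped = max_fee_wei(BLOCK_GAS_LIMIT_2018, 10)
    print("uncapped exposure per withdrawal: %.3f ETH" % (uncapped / WEI_PER_ETH))
    # Capped: a 1 ETH withdrawal to a plain account at 10 gwei.
    print(check_withdrawal(1 * WEI_PER_ETH, False, 10))
```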

This Looks Familiar

This isn’t the first time Ethereum has opened the door to malicious activity. Earlier this year, researchers discovered a vulnerability in Coinbase that allowed users to credit themselves with virtually unlimited amounts of ether. In addition, a flaw in Monero’s wallet software allowed users to potentially steal XMR from digital exchanges.


This post is credited to livebitcoinnews

2018 has so far proven to be the year with the most cryptocurrency-related hacking attacks since cryptocurrency was introduced in 2008. A recent report shows that as-yet-unidentified hackers have infiltrated the computer systems of Bucharest’s District 1 City Hall, Romania.

City Hall Under Attack

The City Hall has been identified as one of the richest in the country, with an annual budget of about RON 1.3 billion (EUR 280 million).
The attackers penetrated the city hall’s computer systems by means of an infected email.

The hackers have demanded that the authorities pay a yet-to-be-disclosed amount of bitcoin to regain access to their systems, according to the mayor of District 1, Dan Tudorache.

The City Hall’s IT team has so far restored some of the affected computers. The report also indicates that, at this rate and without paying the ransom, the computers are expected to be back in full operation before the end of the week.

Not the First Time

It was also made known that this is not the first time the city hall’s computers have suffered this type of attack. They were hacked last year as well, but no ransom was paid then, and the city’s mayor has made it clear that such actions will not be condoned.

Until now, when hackers demanded ransom payments, they did so through conventional payment channels such as bank accounts and PayPal, which made them relatively easy to trace. With hackers now using cryptocurrencies for ransom, tracing them will pose major problems because of the anonymous nature of the network.

This post is credited to coindoo

Scammers tricked victims to pay ransom in bitcoin for compromising video that didn’t exist.

Sometimes scammers just need to say they hacked you to pull in the cash. Since July, cybersecurity researchers, journalists and victims have seen a spike in extortion letters and emails demanding hefty sums of bitcoin. The twist is that the scammers send the victim one of their own passwords, likely gleaned from an already public breach, and use that as an intimidation tactic. The blackmailers then claim they have hacked into the target’s webcam while they were watching pornography. Pay up, or they’ll release the (made-up) video.
Now, researchers have found this scam has been pretty profitable, especially considering the low level of work involved on the fraudsters’ part.
“What is worrying is that scammers were able to siphon off [$500,000], from old passwords dumps, with very little effort,” Suman Kar, CEO of cybersecurity firm Banbreach, told Motherboard in an online chat.
In July, cybersecurity journalist Brian Krebs reported on the new wave of sextortion emails.
“I’m aware that [victim’s password] is your password,” one part of an example email Krebs published reads. “First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!),” the version Krebs published adds, before demanding that the victim send $1,400 in bitcoin to a specific bitcoin address.
It’s an enticing, if not devilish, proposition. Banbreach looked at around 770 wallets in total, according to a spreadsheet the company shared with Motherboard. The majority of those, around 540, did not receive any funds. But the remaining ~230 had over 1,000 transactions, receiving a total of around 70.8 BTC.
This figure is also likely a conservative estimate, considering Banbreach’s methodology would not have captured all, or perhaps even the majority, of sextortion emails. Kar said Banbreach collected the bitcoin addresses used in this style of extortion by scraping comments on related media coverage and picking them out of journalists’ articles. Kar said the company also fielded reports from victims in India, which scammers appear to be targeting in particular at the moment.
“$1000 is a lot of money for the average Indian,” Kar said.
Banbreach believes some of the passwords used to trick victims came from the LinkedIn and Anti-Public Combo List data breaches, the latter being a large collection of data caches from multiple sources. Those two breaches turn up when sextortion victims’ email addresses are entered into the breach notification site Have I Been Pwned, Banbreach said in a write-up of its research provided to Motherboard. However, it is still difficult to determine exactly where a given password came from, the company added.
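As an added illustration of the collection step Kar describes (this is not Banbreach’s or Motherboard’s code), the script below pulls candidate bitcoin addresses out of scraped text such as article comments, keeps only those that pass the Base58Check checksum so typos and lookalikes are discarded, and then tallies funded versus unfunded wallets the way the 540/230 split above was reported. The sample comments and satoshi balances are constructed; only legacy P2PKH/P2SH addresses are handled, and bech32 (`bc1…`) is out of scope.

```python
import hashlib
import re

# Added example; not the researchers' tooling. Legacy addresses only.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s):
    """Decode a Base58 string to bytes, keeping leading '1's as zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr):
    """True if addr decodes to version + hash160 + a correct double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text):
    """Unique, checksum-valid addresses in order of first appearance."""
    found = []
    for candidate in ADDR_RE.findall(text):
        if is_valid_legacy_address(candidate) and candidate not in found:
            found.append(candidate)
    return found


def summarize_wallets(received_sats):
    """received_sats: {address: satoshis received}. Returns (unfunded, funded, total_btc)."""
    funded = {a: v for a, v in received_sats.items() if v > 0}
    total_btc = sum(funded.values()) / 100_000_000
    return len(received_sats) - len(funded), len(funded), total_btc


# Constructed sample: the genesis-block address (valid) and a mutated copy
# whose last character was changed, so its checksum no longer matches.
SAMPLE_COMMENTS = """
Got the same email, wants 0.2 BTC sent to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
mine said 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb lol typo
"""
```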

This post is credited to motherboard.vice