Not a Twitter Experiment: Scammers Capitalize on Twitter Recommendations

Yesterday, a number of Twitter users were duped into following fake Twitter accounts known as @VerifiedReport and @MagicReports. Both accounts claimed to be part of a Twitter experiment between users, news organizations, and journalists, and followed a number of Twitter users while tweeting the following, “This is a Twitter experiment. We are changing the way users interact with journalists and news organizations.”

Figure 1. MagicRecs notification about @VerifiedReport

Many users who discovered these accounts did so through a legitimate Twitter account known as @MagicRecs.

Figure 2. MagicRecs, an experimental Twitter account

MagicRecs is an experimental account developed by Twitter that “sends personalized recommendations as direct messages (DMs) when something interesting happens in your network.” This service was recently integrated as a feature in Twitter’s mobile applications, and Twitter states, “With this new feature, you’ll receive personalized recommendations when multiple people in your network follow the same user or favorite or retweet the same Tweet.”

Users who have used @MagicRecs swear by it, so it makes sense that scammers would set up fake “experiments” that trade on the credibility of the legitimate service.

Some users did question the validity of both accounts, while others, including Twitter employees, followed them, especially after @MagicRecs recommended them.

Twitter has since suspended both of the accounts. However, there are some other suspect accounts that still remain active. These include @MagicFavs, @MagicSmacks, and @MagicSext, which was recommended by @MagicRecs and has nearly 1000 followers.

Symantec found that neither account attempted to send us links through direct messages. While it’s still unclear what these accounts were created to do, it serves as a reminder that scammers continue to experiment with new ways to scam unsuspecting Twitter users into clicking on links to steal login credentials or make money through affiliate program schemes.

When using a legitimate service like @MagicRecs, be skeptical about which accounts you choose to follow. Check to see if Twitter has verified the account, especially if it claims to be owned by Twitter. Remember, if it sounds suspicious, there’s a good chance that it is.

Flying hacker contraption hunts other drones, turns them into zombies

Serial hacker Samy Kamkar has released all the hardware and software specifications that hobbyists need to build an aerial drone that seeks out other drones in the air, hacks them, and turns them into a conscripted army of unmanned vehicles under the attacker's control.

Dubbed SkyJack, the contraption uses a radio-controlled Parrot AR.Drone quadcopter carrying a Raspberry Pi circuit board, a small battery, and two wireless transmitters. The devices run a combination of custom software and off-the-shelf applications that seek out wireless signals of nearby Parrot drones, hijack the wireless connections used to control them, and commandeer the victims' flight-control and camera systems. SkyJack will also run on land-based Linux devices and hack drones within radio range. At least 500,000 Parrot drones have been sold since the model was introduced in 2010.

Kamkar is the creator of the infamous Samy worm, a complex piece of JavaScript that knocked MySpace out of commission in 2005 when the exploit added more than one million MySpace friends to Kamkar's account. Kamkar was later convicted for the stunt. He has since devoted his skills to legal hacks, including development of the "evercookie," a highly persistent browser cookie with troubling privacy implications. He has also researched location data stored by Android devices.


Bitcoin Boom Prompts Flood of Virtual Bank Robberies

The value of Bitcoin has surged dramatically in recent weeks, fuelling fears that a bubble is forming around the virtual currency. As investors pile in, a crash in Bitcoin prices isn’t the only thing they have to worry about. There has been a spate of incidents in recent weeks in which Bitcoin wallet and banking services have been attacked and millions of dollars worth of the currency stolen.

Figure 1. Size of recent Bitcoin heists (US$ value on November 29)

Multi-million dollar heists

The current round of attacks began on November 7, when Australian Bitcoin wallet service Inputs.io announced that it had closed its doors after two attacks resulted in around 4,100 Bitcoins (US $4.34 million at the time of writing) being stolen. Inputs.io said the attackers were able to bypass two-factor authentication due to a flaw on the server host side. The attacks left the site unable to pay all of its user balances.

Why did people keep their Bitcoins with Inputs.io? One of the services it offered was that it "mixed wallets up", swapping Bitcoins around between users. It was effectively a type of anonymizing service, making Bitcoin transactions harder to track. However, giving Inputs.io that level of access to Bitcoin wallets may have left it more vulnerable to attack.

Inputs.io was run by a young Australian who goes by the moniker of TradeFortress. Following the theft, he gave an interview to Australia's ABC news, denying that he had taken the Bitcoins himself. Interestingly, he said that he wasn't going to report the incident to the police. "The police don't have access to any more information than any user does when it comes to Bitcoin. Some say it gives them control of their money," he said.

Within days, there was another incident, this time in China. GBL, a Bitcoin exchange, suddenly closed its doors on November 11. Approximately US $12.7 million in investors' money disappeared along with the site. A closer look at GBL revealed that it wasn't all it claimed to be. It asserted it was licensed by the Hong Kong government, but it transpired that it was simply registered as a business there and had no license to operate as a financial services company.

This incident was quickly followed by news of an attack on the Czech exchange Bitcash.cz. Roughly 4,000 people were affected by the breach, which saw the equivalent of $514,000 taken by attackers. Obviously this haul wasn't enough, as the attackers then used Bitcash.cz email addresses to send emails to site users, claiming that they were using a U.S. recovery firm to retrieve the stolen money and asking for 2 Bitcoins from each user to cover the costs.

The most recent incident involved BIPS, a Danish Bitcoin payment processor and wallet provider, which this week confirmed it was the target of a coordinated attack that resulted in a breach of its systems. The company said that several consumer wallets had been compromised. It is estimated that around 1,295 Bitcoins (worth approximately US $1.37 million) were taken in the attack, but most of the Bitcoins stolen belonged to the company itself rather than customers. Following the attacks, BIPS has said that it will close its consumer wallet services to focus on merchant processing.

Protecting your investment

While Bitcoin is commonly talked about as being secure, that, in essence, refers to the fact that it cannot be counterfeited, at least not yet. However, it doesn’t mean that it can't be stolen, as these recent thefts have illustrated.

What can Bitcoin owners do to prevent theft? Given the kind of attacks we have witnessed, proper due diligence on where you are storing Bitcoins should be a priority. For example, GBL claimed that it was licensed in Hong Kong, but it wasn't. Similarly, while Inputs.io's service of mixing wallets up might have appealed to the privacy conscious, the level of access it had to user funds was a possible security risk.

After Inputs.io was attacked, its owner TradeFortress said: "I don’t recommend storing any Bitcoins accessible on computers connected to the internet". The attack on BIPS also prompted its chief executive Kris Henriksen to change his opinion on the security of online wallets. He went as far as to advise his customers to avoid online wallets altogether.

While a lot of people think that the only way to store Bitcoins is in online, virtual wallets, it is also possible to store them offline. This involves creating a wallet that is stored on an offline device, such as a USB key, and then sending your Bitcoins to this wallet address. The best practice procedure for creating an offline wallet is somewhat lengthy, but it is, in theory at least, safer than online storage. Technically, the Bitcoins themselves remain online. What is being taken offline is the means of accessing them, the private key.

It is also possible to go one step further in offline storage, by taking electronic devices out of the equation entirely and creating a paper wallet. However, a paper-based wallet bears the same risk as cash. It needs to be stored somewhere securely.
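To make concrete what "taking the private key offline" means, here is an added Python example; it is not from the original article or from any wallet software. It implements key generation and ECDSA on secp256k1, the curve and signature scheme Bitcoin uses, in pure Python so that the split is visible: the offline device holds `priv` and is the only party able to sign, while the online machine holds only `pub` and can verify a signature but never produce one. The function names (`generate_keypair`, `sign`, `verify`) are this example's own, and the signed message is a constructed stand-in for a transaction.

```python
# Added example (not from the article): the offline/online key split behind
# a cold wallet, shown with secp256k1 ECDSA in pure Python.
import hashlib
import secrets

# secp256k1 parameters: y^2 = x^3 + 7 over GF(P), generator G of order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine point addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 is the negation of p1 (covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _scalar_mult(k, point):
    """Plain double-and-add k*point (no side-channel hardening; illustration only)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def generate_keypair(priv=None):
    """Offline step: choose a private scalar and derive the public point.
    A fixed priv may be passed for tests; otherwise a CSPRNG is used."""
    if priv is None:
        priv = secrets.randbelow(N - 1) + 1
    return priv, _scalar_mult(priv, G)


def _hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(priv, message):
    """Offline step: ECDSA signature (r, s) over SHA-256(message)."""
    z = _hash_to_int(message)
    while True:
        k = secrets.randbelow(N - 1) + 1          # fresh per-signature nonce
        r = _scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s != 0:
            return (r, s)


def verify(pub, message, signature):
    """Online step: needs only the public point, never the private key."""
    r, s = signature
    if not (0 < r < N and 0 < s < N):
        return False
    z = _hash_to_int(message)
    w = pow(s, -1, N)
    point = _point_add(_scalar_mult(z * w % N, G), _scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


if __name__ == "__main__":
    # Constructed demo: the "offline" side signs, the "online" side only verifies.
    priv, pub = generate_keypair()
    tx = b"constructed stand-in for a transaction to be broadcast"
    sig = sign(priv, tx)
    print("online verify:", verify(pub, tx, sig))
    print("tampered tx:  ", verify(pub, tx + b"!", sig))
```

The point the article makes is visible in the code: `pub` (and the address derived from it) can live on an internet-connected machine and receive funds indefinitely, while `priv` only needs to exist on the offline device at the moment a transaction is signed. The scalar multiplication here is a textbook double-and-add with no constant-time protection, which is adequate for showing the split but not something a real wallet should ship.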

Online service providers have also begun to beef up their own security. Mt.Gox, one of the world’s biggest Bitcoin exchanges, has implemented an additional layer of security by introducing a One Time Password (OTP) card, which will be shipping to all of its users immediately. The company said that the card can be used on its own or in conjunction with other two-factor authentication methods, such as a Yubikey, a USB key the user must insert to verify their identity.

Once the user has registered the card in their account preferences on Mt.Gox, they can configure the account to require an additional password at login. Pushing a button on the card generates a unique password for every login.
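The article describes the card only as producing a new password on each button press; it does not say which algorithm Mt.Gox uses. The following added Python example (not from the article or from Mt.Gox) assumes the standard event-based scheme for such tokens, HOTP (RFC 4226), and shows both sides: the card, whose counter advances on every press, and the server, which accepts a code only from a small look-ahead window of counters so that a few unused presses do not lock the user out, and which refuses any counter it has already accepted, so a captured code cannot be replayed. The class and function names, and the shared secret (the RFC 4226 test-vector secret), are this example's own choices.

```python
# Added example (not from the article): event-based one-time passwords per
# RFC 4226 (HOTP), as an assumption about how a button-press OTP card works.
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpCard:
    """The token: a shared secret and a counter that advances on each button press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press_button(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """The verifier: stores the same secret and the next counter it expects."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Try the expected counter and a small window beyond it, so presses that
        # never reached the server (mistyped, abandoned login) do not desync the card.
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this and every earlier counter are now dead
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test-vector secret.
    secret = b"12345678901234567890"
    card, server = OtpCard(secret), Server(secret)
    first = card.press_button()
    print("first login:", server.verify(first))       # True
    print("replayed:   ", server.verify(first))       # False, counter already consumed
    card.press_button(); card.press_button()          # two presses never submitted
    print("after skips:", server.verify(card.press_button()))  # True, within window
```

The look-ahead window is the trade-off to get right: too small and an accidental press strands the user, too large and an attacker holding one leaked code has more counters to try against. In every case the server moves `next_counter` forward, which is what turns a one-time password into a one-time password.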
 

Bitcoin’s explosion in value

The upsurge in Bitcoin theft is more than likely linked to the fact that the value of the currency has shot through the roof in recent weeks. At the time of writing, one Bitcoin was valued at approximately $1,060. Its value has grown by more than 45 times this year and much of the gains have come in recent weeks. One month ago, it was trading at around $190.

The result of this boom is that what were once relatively minor holdings of Bitcoin can now be quite valuable. Nothing illustrates this better than the story of the IT professional who realized he had thrown out a laptop with a wallet containing 7,500 Bitcoin. He had mined the Bitcoins himself in 2009 and at the time they were only worth a few dollars.

Figure 2. Bitcoin/US$ exchange rate for the past six months (Credit: bitcoincharts.com)

Since then, their value has increased dramatically, with occasional dips along the way. When Silk Road, the underground drugs bazaar, was shut down by the FBI in early October, it led to some speculation that the value of Bitcoin would plummet, since the currency is widely used in the underground. While there was a sell-off in the immediate aftermath of the bust, Bitcoin recovered within days and then began to climb quickly.

Part of the surge may be attributable to the fact that regulators are beginning to take the currency more seriously. For example, the U.S. Senate’s Homeland Security and Governmental Affairs Committee last week held a hearing on virtual currencies, at which the Department of Justice's representative described Bitcoin as a “legal means of exchange”. Committee chairman Tom Carper meanwhile said Congress and government needed to develop "smart, sensible, and effective policies" around the currency.

However, Bitcoin’s steep appreciation has led to widespread fears that a bubble is forming. One look at the graph charting its dollar exchange rate is enough to prompt questions. While the number of businesses accepting Bitcoin as a form of payment has undoubtedly grown, it has not been at the same rate as its appreciation. Instead, speculation appears to be driving much of the current boom and, as history has shown, such buying frenzies can often end in tears.

New product shuts car engines off with a radio pulse

Image caption: Bullitt would likely not approve. (Credit: Warner Brothers)

The company E2V has developed a prototype device that uses a radio-frequency pulse to shut down a car’s engine at range, according to a report from the BBC. While the range of the device is fairly short, it worked on a handful of cars and motorbikes and could also potentially be used on boats.

The product, named the RF Safe-stop, works by sending an RF pulse to a car at up to 50 meters (164 feet) away. The pulse “confuses” the car’s electronic systems, which the BBC said made the “dashboard warning lights and dial [behave] erratically.” The engine then stalls, and the car comes to a stop. How safely and quickly the vehicle would stop depends on the vehicle, and this technique would not work on older vehicles.

Engineer Magazine suggests the RF Safe-stop could be used for stopping vehicles that are suspected of being car bombs. Likewise, the Safe-stop could cut police chases short or be installed in a fixed area to prevent cars from entering. The Association of Chief Police Officers, speaking to the BBC, said that it would be a safer alternative to stopping two-wheeled vehicles than shooting out their tires. E2V does not specify how narrowly the Safe-stop can be targeted.
