Security Weekly 29


Security Weekly 29: The New Adventures of Coinhive, a Foolish Error by Phishers, a Password Trading Shop Shuts Down

Mining cryptocurrency on other people's computers is a fashionable line of work, but a slow and thankless one. The miners have tried so many tricks! Last week we talked about how Coinhive was built into a live-chat plugin that websites use to talk to visitors.

  • But the adventures of the successful miner script continue: this time some clever minds have found a way to keep it running even after the window with the source site is closed. The miner is simply launched in a separate pop-under window that hides behind the Windows taskbar.

So far, the ninja miner has been found on only one portal (an adult website), and it is dangerous only for those who use the Chrome browser. The code on the “parent” site calculates the position of the new browser window dynamically, using the following formula:

Horizontal position = (current screen width) – 100px
Vertical position = (current screen height) – 40px

It is not hard to guess that a window opened at these coordinates lands right under the taskbar. Besides hiding well visually, the miner also tries not to overload the CPU and to act quietly, in the best ninja tradition: its creators have clearly bet on the number of infected machines rather than on the output of any single miner.

You can only see the extra window if your taskbar is transparent. But the unauthorized process can still be spotted, and easily killed, from the task manager.
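To make the geometry concrete, here is an added example (not the miner's code, not from the page) that models the pop-under placement described above and a defender-side check for whether such a window would be covered by the taskbar. Only the two offsets, 100 px and 40 px, come from the article; the window size, the taskbar height and the feature-string layout are assumptions.

```javascript
// Added example: pop-under geometry from the article, plus a detection check.
// Only RIGHT_OFFSET_PX and BOTTOM_OFFSET_PX are taken from the published formula;
// everything else (window size, taskbar height) is an assumption.

const RIGHT_OFFSET_PX = 100;   // article: horizontal position = screen width - 100 px
const BOTTOM_OFFSET_PX = 40;   // article: vertical position = screen height - 40 px

// Top-left corner the script computes for the new window.
function popUnderPosition(screenWidth, screenHeight) {
  return {
    left: screenWidth - RIGHT_OFFSET_PX,
    top: screenHeight - BOTTOM_OFFSET_PX,
  };
}

// Feature string a window.open() call would take for that position.
// The 100x40 size is an assumption; the origin is what matters.
function popUnderFeatures(screenWidth, screenHeight, width = 100, height = 40) {
  const { left, top } = popUnderPosition(screenWidth, screenHeight);
  return `width=${width},height=${height},left=${left},top=${top},toolbar=0,menubar=0`;
}

// A window is fully covered by an opaque bottom taskbar when its top edge is at or
// below the top of the taskbar. A 40 px taskbar (assumed: Windows at 100% scaling)
// is exactly what the 40 px offset targets; a transparent taskbar reveals it.
function hiddenBehindTaskbar(pos, screenHeight, taskbarHeight = 40) {
  return pos.top >= screenHeight - taskbarHeight;
}

// Defender's view: flag a newly opened window whose origin lies inside the taskbar
// strip or outside the visible screen area entirely.
function isSuspiciousWindowOrigin(pos, screenWidth, screenHeight, taskbarHeight = 40) {
  const offScreen =
    pos.left < 0 || pos.top < 0 || pos.left >= screenWidth || pos.top >= screenHeight;
  return offScreen || hiddenBehindTaskbar(pos, screenHeight, taskbarHeight);
}

// Browser-only demonstration; skipped when run under Node.
if (typeof window !== 'undefined' && typeof screen !== 'undefined') {
  console.log(popUnderFeatures(screen.width, screen.height));
}
```

On a 1920x1080 screen the formula yields left=1820, top=1040, which is precisely the top edge of a 40 px taskbar; with a thinner taskbar (or a transparent one) the window's edge becomes visible, which matches the observation above.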

Cobalt hackers leaked their target list through email … again


Whoever handles the mailings in the Cobalt criminal group clearly has a lot to learn about working with email. When sending out targeted phishing messages, the poor fellow put the complete list of recipients in the “To” field instead of “Bcc”. And not for the first time: in March this year a similar open letter exposed 1,880 targets among financial organizations in Kazakhstan.

The exposed attack was a mailing to employees' personal addresses of messages warning about changes allegedly made to the SWIFT system. In fact there was nothing in the body of the message, just an attached RTF document called “Swift changes”.

  • When opened, it exploited CVE-2017-11882, a recently disclosed vulnerability in the formula (equation) insertion mechanism of Microsoft Office that allows code execution without further user interaction. Microsoft shipped the corresponding patch in November, but, as usual, not everyone had updated. Those who had not got Cobalt Strike, a tool nominally used for penetration testing, which connected the infected computer to the attackers' command-and-control server.

The recipients of the malicious mail were mostly financial institutions from Russia and Turkey, but employees of European, Middle Eastern and American banks were also on the list.
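The lure relies on an embedded Equation Editor object inside the RTF attachment. The following added example (not Cobalt's document and not the page's code) is a triage check a mail gateway or analyst could run over an attachment: it looks for an OLE object declared as class Equation.3, the same class name hex-encoded inside `\objdata`, and the `\objupdate` control word that forces the object to load when the document is opened, which is what makes the exploit fire without a click. The two sample RTF strings are constructed here for the demonstration, not captured samples.

```javascript
// Added example: triage scan of an RTF attachment for an embedded Equation Editor
// (Equation.3) OLE object. Sample RTF strings below are constructed, not real malware.

// "Equation.3" as it appears hex-encoded inside an OLE1 \objdata blob.
const EQUATION_CLASS_HEX = '4571756174696f6e2e33';

function scanRtfForEquationObject(rtf) {
  const hasObject = /\\object\b/i.test(rtf);                      // any embedded OLE object
  const hasEquationClass = /\\objclass\s+Equation\.3\b/i.test(rtf); // declared class name
  const hasAutoUpdate = /\\objupdate\b/i.test(rtf);               // load object on open
  // Lure builders split the hex payload with whitespace and line breaks; compact it
  // before searching so the class name cannot be hidden by a newline in the middle.
  const compact = rtf.replace(/\s+/g, '').toLowerCase();
  const hasHexClassName = compact.includes(EQUATION_CLASS_HEX);
  const equationPresent = hasObject && (hasEquationClass || hasHexClassName);
  return {
    hasObject,
    hasEquationClass,
    hasHexClassName,
    hasAutoUpdate,
    // An Equation.3 object is a triage signal, not proof: legitimate documents embed
    // equations too. Equation object plus forced update on open is the lure shape.
    suspicious: equationPresent,
    highConfidence: equationPresent && hasAutoUpdate,
  };
}

// Constructed lure-shaped RTF: an auto-updating embedded object of class Equation.3.
// The \objdata prefix is an OLE1 object header (version 0x501, format id 2 = embedded,
// class-name length 11) followed by "Equation.3\0"; the hex is split across lines on
// purpose, as real samples often are.
const SAMPLE_LURE_RTF = [
  '{\\rtf1\\ansi',
  '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}',
  '{\\*\\objdata 01050000020000000b000000',
  '4571756174696f6e2e3300',
  '0000000000000000}}',
  '}',
].join('\n');

// Constructed benign RTF with the same subject line and no embedded object.
const SAMPLE_BENIGN_RTF = '{\\rtf1\\ansi Swift changes: nothing to see here.}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('lure  :', scanRtfForEquationObject(SAMPLE_LURE_RTF));
  console.log('benign:', scanRtfForEquationObject(SAMPLE_BENIGN_RTF));
}
```

The scan deliberately reports the individual indicators rather than a single verdict: an unpatched Office is the real problem, and a gateway rule that quarantines every document with an equation in it will generate noise, whereas an equation object combined with `\objupdate` in an unsolicited “SWIFT changes” attachment is worth a detonation.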

LeakBase password trading service shuts down

The LeakBase site, which sold passwords from MySpace and LinkedIn accounts, suddenly began redirecting users to a legitimate site that lets you check whether your password has been compromised. The sudden benevolence has a simple explanation: the owners of LeakBase were arrested as a result of unwinding the Hansa case, another site that traded in hard drugs.

  • It turns out that the Dutch police seized Hansa in the summer and for some time did not publicize the takeover, running the marketplace themselves. They used it to trace connections between criminals and gathered a decent haul, including the merchants selling stolen passwords from LeakBase.

It is not yet clear whether the password traders can actually be held to account: the data the site offered had leaked into public access much earlier, as a result of mass breaches.