WEEK OF DECEMBER 13, 2021
Bitmart loses $150m in large-scale hack
- Crypto exchange Bitmart lost $150 million worth of assets on Sunday in what it described as a large-scale security breach.
- The company revealed that the hack was related to one of its ETH hot wallets and one of its BSC hot wallets.
- In a tweet, Bitmart’s founder and chief executive Sheldon Xia assured customers that the wallets carry a small percentage of assets on its exchange and that all other wallets are secure and unharmed.
- The company has temporarily suspended withdrawals.
‘Family Safety’ app selling precise location data of millions of users
- Life360, a family safety app, sells information about the whereabouts of millions of its users with “few safeguards to prevent the misuse of this sensitive information,” an investigation by The Markup has revealed.
- Ex-employees of the company, which provides an app to enable parents to track the location of children and vulnerable family members, spoke to The Markup on 6 Dec. due to their “concerns with the location data industry’s security and privacy.”
- In response to the report, Life360 founder Chris Hulls said selling data was an “important part” of the company’s “business model,” which allowed it “to keep the core Life360 services free” for most users.
- The company said it implemented a policy in 2020 that would prevent the sale of data to government agencies, and that it does not sell the data of children under 13 owing to the Children’s Online Privacy Protection Act (COPPA), a US federal privacy law.
Maryland health department says there’s no evidence of data lost after cyberattack
- The Maryland Department of Health said Monday that there was “no evidence” any of its data had been compromised after a cyberattack forced the agency to take its website offline over the weekend.
- “As part of the ongoing investigation into the network security incident that occurred, the Maryland Department of Health’s servers will remain offline out of an abundance of caution,” Owen said. “Data updates will resume as soon as possible.”
- The attack, first reported Sunday, has halted the department’s reporting of Maryland’s COVID-19 statistics for two days, including new cases, deaths and hospitalizations from the virus.
Hackers pretending to be Iranian govt steal credit card information and create botnet
- Hackers in Iran have used SMS messages to convince citizens to download malicious applications by claiming that judicial complaints have been filed against them.
- The first messages typically claim that a complaint has been filed against the victim and that an application needs to be downloaded in order to respond.
- Once downloaded, the applications allow hackers to access the victim’s personal messages. Victims are asked to enter credit card information in order to cover a service fee, giving attackers access to card information that can then be used. With access to a victim’s personal messages, the attackers can also get past two-factor authentication.
Hackers infect random WordPress plugins to steal credit cards
- Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details.
- With the Christmas shopping season in full swing, card-stealing threat actors are stepping up their efforts to infect online shops with stealthy skimmers, so administrators ought to remain vigilant.
- The latest trend is injecting card skimmers into WordPress plugin files, avoiding the closely-monitored ‘wp-admin’ and ‘wp-includes’ core directories where most injections are short-lived.
Hacked cryptocurrency platform begs hacker to please return $119 million
- BadgerDAO, which lost about $119 million in a hack last week, is now pleading with the hacker to return the money.
- Last week, an unknown hacker or hackers stole around 2,100 BTC ($118,500,000) and 151 ETH ($679,000) worth of cryptocurrency tokens from a blockchain company called BadgerDAO.
- “You have taken funds that do not belong to you, but we are willing to work with you and compensate you for identifying this vulnerability in the systems,” BadgerDAO wrote in a public announcement. “We are providing you with a direct line of communication to discuss a peaceful resolution without involving any outside parties. Contact us to discuss further and do the right thing on behalf of the community.”
- The hack on BadgerDAO took advantage of an old-school web-based attack: The hacker was able to steal an API key that gave them control of BadgerDAO’s account on Cloudflare, the project’s content delivery network for its site. This gave the hacker the ability to inject a malicious script into the site that prompted users to give up wallet permissions, which then allowed the hacker to steal customers’ cryptocurrency.