Timesdelhi.com

May 23, 2019
Category archive: phishing

‘Crypto exchange’ Goxtrade caught using other people’s photos on its staff page


Alleged cryptocurrency exchange Goxtrade bills itself as a “trusted platform for trading bitcoins,” but its staff page is filled with photos of people pulled seemingly at random from the internet.

The alleged exchange, which claims to have launched in 2017 even though its website is only a little more than a week old, used photos taken from social media profiles and from the websites of other companies with no connection to it.

Bizarrely, the alleged exchange didn’t bother to change all of the names of the people whose photos it used.

Amber Baldet, co-founder of Clovyr, a prominent figure in the blockchain community, and listed in Fortune’s ’40 Under 40′, was one of the people whose name and photo appeared on the site.

“Fraud alert: I am not a developer at Goxtrade and probably their entire business is a lie,” she tweeted Friday.

Nearly all of the names are accurate but have no connection to the site. (Image: TechCrunch)

Goxtrade claims to be an exchange that lets users “receive, send and trade cryptocurrency.” After we created an account and signed in, it was not clear whether the site even works. But its online chat room has hundreds of messages from users trying to trade their cryptocurrencies. The site’s name appears intended to evoke Mt. Gox, a cryptocurrency exchange that collapsed after it was hacked. At its 2014 peak, the exchange handled more than 70 percent of all bitcoin transactions. More than $450 million in bitcoins were stolen in the apparent breach.

Baldet isn’t the only person wrongly associated with the suspect site.

TechCrunch has confirmed the other photos on the site belong to other people seemingly chosen at random — including a claims specialist in Illinois, a lawyer in Germany, and an operations manager in Melbourne.

Another person whose photo was used without permission is Tom Blomfield, chief executive of digital bank Monzo. In a tweet, Blomfield — who was listed on the alleged exchange as “Arnold Blomfield” — said his legal team had filed complaints with the site’s hosts.

But things get weirder than just stolen staff photos.

Hours after the site was first flagged, Cloudflare now warns users that the alleged exchange is a suspected phishing site. (Image: TechCrunch)

Goxtrade lists its registered address as Heron Tower, one of the newer skyscrapers in London. We checked the building’s tenant listings and found no company of that name. There is also no mention of Goxtrade in the U.K.’s register of companies and businesses. The company registration number given on its terms and conditions page belongs to an entirely unrelated clothing company in Birmingham that was dissolved two years ago.

Later in the day, Cloudflare, whose network the site sits behind, flagged the site as a phishing site.

We reached out to Goxtrade by email prior to publication but did not hear back. When we checked, Goxtrade’s mail (MX) records pointed to a mail service run by Yandex, a Russian internet company.

It’s not the first time a cryptocurrency startup has been called into question for using other people’s photos on its staff page. After raising more than $830,000, Miroskii was caught listing actor Ryan Gosling as one of its graphic designers. Almost every photo later turned out to have been lifted from another source. The company later claimed it was hacked.

Cryptocurrency-related scams are not rare. Many have taken what they’ve raised and gone dark, never to be seen again. We’ve covered a fair number here on TechCrunch, including a massive $660 million scam from 2018.

A fair warning with Goxtrade: all signs seem to point to yet another scam.

News Source = techcrunch.com

Google recalls its Bluetooth Titan Security Keys because of a security bug


Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys that have a “T1” or “T2” printed on the back. The keys sell for $50 in a bundle that also includes a standard USB/NFC key.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker could then use the misconfigured pairing protocol to connect their own device to the key before your own device does. With that — and assuming they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvard wrote when Google launched its Titan keys.

News Source = techcrunch.com

Google turns your Android phone into a security key


Your Android phone could soon replace your hardware security key to provide two-factor authentication access to your accounts. As the company announced at its Cloud Next conference today, it has developed a Bluetooth-based protocol that will be able to talk to its Chrome browser and provide a standards-based second factor for access to its services, similar to modern security keys.

It’s no secret that two-factor authentication remains one of the best ways to secure your online accounts. Typically, that second factor comes to you in the form of a push notification, text message or a code from an authentication app like Google Authenticator. There’s always the risk of somebody intercepting those codes or phishing your account and then quickly using your second factor to log in, though. A physical security key is different: the browser records the origin of the site you are actually on, and the key signs a challenge that is bound to that origin, so a response produced on a look-alike site is useless on the real one. The key simply isn’t going to produce a valid token for the wrong site.

Because Google is using the same standard here, just with different hardware, that phishing protection remains intact when you use your phone, too.
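The origin binding described above, modelled in code as an added example (not code from Google, TechCrunch or any FIDO library): a stripped-down FIDO2/WebAuthn assertion flow with a key, a browser and a relying party. The hosts accounts.example and accounts-example.phish are made up, and HMAC-SHA256 stands in for the ECDSA P-256 signature a real key produces; the checks that defeat the phishing relay are the real ones. Three things stop the attacker: an honest browser refuses to ask the key for a credential whose rpId does not match the page’s host; a browser that skipped that check would still write the phishing origin into clientDataJSON, which the relying party rejects; and rewriting the origin in transit breaks the signature, which covers the hash of clientDataJSON.

```python
import hashlib
import hmac
import json
import os
import struct

# Added example, not Google's or TechCrunch's code. "accounts.example" and
# "accounts-example.phish" are made-up hosts; HMAC-SHA256 is a stand-in for
# the ECDSA P-256 signature a real security key produces.

RP_ID = "accounts.example"               # relying-party id: a domain
RP_ORIGIN = "https://accounts.example"   # the only origin the RP accepts


class SecurityKey:
    """One credential, scoped to RP_ID. The secret never leaves the key."""

    def __init__(self, rp_id):
        self.rp_id, self.secret, self.counter = rp_id, os.urandom(32), 0

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id != self.rp_id:
            raise LookupError("no credential for rp_id %r" % rp_id)
        self.counter += 1
        # authenticatorData = sha256(rpId) | flags (user present) | signature counter
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + struct.pack(">I", self.counter))
        sig = hmac.new(self.secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(key, current_origin, rp_id, challenge, enforce_rp_id=True):
    """navigator.credentials.get(): the browser, not the page, records the origin."""
    host = current_origin.split("//", 1)[1]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rp_id %r is not a registrable suffix of %r" % (rp_id, host))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": current_origin}, sort_keys=True).encode()
    auth_data, sig = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, key):
        self.verify_secret = key.secret  # the registered credential (a public key in reality)
        self.issued, self.last_counter = set(), 0

    def new_challenge(self):
        c = os.urandom(32).hex()
        self.issued.add(c)
        return c

    def verify(self, a):
        """'ok' only for a fresh assertion made on RP_ORIGIN by the registered key."""
        cd = json.loads(a["clientDataJSON"])
        auth_data = a["authenticatorData"]
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.issued:
            return "bad challenge"
        if cd.get("origin") != RP_ORIGIN:
            return "origin mismatch"          # the phishing case
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rpId mismatch"
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if counter <= self.last_counter:
            return "counter not increasing"   # replay or cloned key
        expected = hmac.new(self.verify_secret,
                            auth_data + hashlib.sha256(a["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return "bad signature"
        self.issued.discard(cd["challenge"])
        self.last_counter = counter
        return "ok"


def legitimate_login():
    key = SecurityKey(RP_ID)
    rp = RelyingParty(key)
    return rp.verify(browser_get(key, RP_ORIGIN, RP_ID, rp.new_challenge()))


def phishing_login():
    """Attacker relays a genuine challenge through a look-alike site, then tampers."""
    key = SecurityKey(RP_ID)
    rp = RelyingParty(key)
    phish = "https://accounts-example.phish"
    challenge = rp.new_challenge()              # fetched from the real site by the attacker
    try:
        browser_get(key, phish, RP_ID, challenge)   # 1) an honest browser refuses outright
        first = "browser allowed it"
    except PermissionError:
        first = "browser refused"
    # 2) a browser that skipped that check still records the origin it is really on
    a = browser_get(key, phish, RP_ID, challenge, enforce_rp_id=False)
    second = rp.verify(a)
    # 3) rewriting the origin in transit breaks the signature over sha256(clientDataJSON)
    a["clientDataJSON"] = a["clientDataJSON"].replace(phish.encode(), RP_ORIGIN.encode())
    third = rp.verify(a)
    return first, second, third


if __name__ == "__main__":
    print(legitimate_login())   # ok
    print(phishing_login())     # ('browser refused', 'origin mismatch', 'bad signature')
```

The same flow applies when the “key” is an Android phone: as long as the signed data includes the origin and rpId hash and the relying party checks them, the transport (USB, NFC or Bluetooth) does not change the phishing resistance.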

Bluetooth security keys aren’t a new thing, of course, and Google’s own Titan keys include a Bluetooth version (though they remain somewhat controversial). The user experience for those keys is a bit messy, though, since you have to connect the key and the device first. Google, however, says that it has done away with all of this thanks to a new protocol that uses Bluetooth but doesn’t necessitate the usual Bluetooth connection setup process. Sadly, though, the company didn’t quite go into details as to how this would work.

Google says this new feature will work with all Android 7+ devices that have Bluetooth and location services enabled. Pixel 3 phones, which include Google’s Titan M tamper-resistant security chip, get some extra protections, but the company is mostly positioning this as a bonus and not a necessity.

As far as the setup goes, the whole process isn’t all that different from setting up a security key (and you’ll still want to have a second or third key handy in case you ever lose or destroy your phone). You’ll be able to use this new feature for both work and private Google accounts.

For now, this also only works in combination with Chrome. The hope here, though, is to establish a new standard that will then be integrated into other browsers, as well. It’s only been a week or two since Google enabled support for logging into its own service with security keys on Edge and Firefox. That was a step forward. Now that Google offers a new service that’s even more convenient, though, it’ll likely be a bit before these competing browsers will offer support, too, once again giving Google a bit of an edge.

News Source = techcrunch.com

New Apple voice phishing scam looks just like a real support call


A new voice phishing scam is going after iPhone users in a clever new way: by making calls seem like they are coming directly from Apple Support.

Brian Krebs reported today that a user, Jody Westby, got a call that appeared to come from Apple Support, asking her to call back. The contact information shown on the phone’s caller-ID screen matched Apple Inc.’s. When she called the 866 number she had been given, however, something was clearly amiss.

KrebsOnSecurity called the number that the scam message asked Westby to contact (866-277-7794).

An automated system answered and said I’d reached Apple Support, and that my expected wait time was about one minute and 30 seconds. About a minute later, a man with an Indian accent answered and inquired as to the reason for my call.

Playing the part of someone who had received the scam call, I told him I’d been alerted about a breach at Apple and that I needed to call this number. After asking me to hold for a brief moment, our call was disconnected.

No doubt this is just another scheme to separate the unwary from their personal and financial details, and to extract some kind of payment (for supposed tech support services or some such). But it is remarkable that Apple’s own devices (or AT&T, which sold her the phone) can’t tell the difference between a call from Apple and someone trying to spoof Apple.

The scheme is notable because it lets callers masquerade as a real company by polluting search results with junk information that makes one number look like that company’s contact number. The number Westby was told to call is a known phishing source. Remember: if anyone calls you claiming that your computer is broken, they are most probably lying. After all, support people will never be proactive when it comes to problems with your computers, only reactive (if that).

News Source = techcrunch.com
