Bitcoin Phishing Ring CoinHoarder

Cisco’s Talos Group has published their findings on a Bitcoin theft campaign they have been tracking in the Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims, searching for these terms, would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to garner credential information. These phishing pages were hosted on and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia, and others), but were able to identify other potentially malicious sites as well. During the time Talos was watching this campaign, they noticed it evolving, the phishing pages began to look more like the real ones as well as the use of secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks. This is where an international character closely resembles an English character and could be mistaken by a casual viewer for the real URL.



5000 websites hacked to serve cryptomining malware

Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Euthereum. The crooks use your electricity and processing power but keeps any cryptocoins proceed for themselves. The infection  is coming from , a site that serves Javascript to your website to convert the page into voice reading to assist blind people. Of course, governments sites are meant to help out visitors even those who are not good at reading English. The server was hacked , obfuscated javascript was added to download the code from and start mining cryptocurrency.

The only way to bypass this is to shut down your browser.




Ordinypt the ransomware targetting German Human Resources.

Ordinypt is a new ransomware in Germany . It appears as a ransomware but destroys data. It seems to be targetting only people in Germany because of  its email delevering language only in German. The email arrives as a ”job advertisement submission” resume with 2 files attachments : – A JPG image of a woman submitting a resume

-a ZIP file supposedly containing a resume and Curriculum Vitae.


The ZIP archive  contains two EXE files, but appears to be PDFs files to fool the user that those are not executable. Clicking on the EXE files will launch the Ordinypt wiper. This malware does not encrypt files but overwrites these latter with random data.

It displays a ransom note in every folder where it destroys files named  Wo_sind_meine_Dateien.html, translates as where_are_my_files.


The only ways to bypass are:

  • Ensure anti-virus software and associated libraries are up to date
  • Ensure attachments do not have hidden / double extensions prior to clicking to open

CNET Hacked, Remote Servers accessed

CNET the most popular review technology websites has been hacked. A twitter user going by the name of worm and the handle @rev-priv8 posted a photo of a remote access to server . The exploit was done through a vulnerability in the content management system probably WordPress or Joomla. CNET is not saying much about the attack but claims that username and password were not accessed.According to Forbes, Worm has even sold a database of at a price of one Bitcoin.


French manufacturer LaCie admits data breah

LaCie is a french manufacturer of  hard drive. It was a victim of a security breach and obviously sent notifications to customers about the incident . The breach was detected by the FBI on March 19,2014 which forwarded the alarm. A malware was used to gain access to customer’s transactions made between March 27,2013 and March 10,2014. Names, addresses,email addresses,payment card numbers and cards expiration dates belonging to customers  have been accessed by the unauthorized party. LaCie urged everyone to change their password believing that customers’ usernames and passwords  on LaCie’s website could have also been accessed.


Ukraine , target of Snake or Uroburo malware


A dangerous cyber weapon has infected many computers in Ukraine in 2014. It is a spyware designed to steal sensitive secret information from high potential networks . Experts believe that this rootkit has been undetected for more than three years. Due to the complexity and the estimated high cost of this malware, G Data the German security company believes a sponsored state is behind this attack, possibly linked to Russia, since the developers of this malicious program speak Russia language.

Uroburo works autonomously and works on peer-to-peer mode .The infected computers spy on documents and send those to a PC connected to the internet. It supports 32 and 64 bit Windows Operating System.


Hackers targeted Finland for years


Finland has been a target of a cyber espionage for years. The minister of foreign affairs Erkki Tuomioja has admitted : I can confirm there has been a severe and large hacking in the ministry’s data network.” The intrusion has not been discovered by the finns themselves, but by another agency reporting to CERT-FI . The malicious code use by the cybercrook is similar to the Red October malware source code . The malware was implanted in the finnish ministry of Foreign affairs network for years during the spying campaign. The actor of this crime is unknown, but the finnish television MTV3 is suspecting Russia or China.