hacking |

$25K from Pornhub to Hackers

Pornhub to Hackers: Who’s in for $25K?

From Pornhub to hackers: “Who’s in for $25K?”

Tuesday, the popular pornography site Pornhub disclosed a hackers bounty program for site bug hacker hunting. Many jokes come to our mind, but the $25K figure is a money cold bucket of reality.

The site, owned by MindGeek, a Canadian private company, will pay ethical hackers dubbed white hat hackers to find vulnerabilities in their site and report the cracks to the administrators.

This program is being run on HackerOne, a start-up company capitalizing on bug bounty. The company began with Facebook and is now operating similar bug-finding programs for General Motors, Twitter, Dropbox, Yahoo, Uber and, you’ll never guess who else – yes, the United States Department of Defense.

Other security problem detection programs like HackerOne are gaining momentum because they can offer outside help for the internal teams working with code.

Synack and Bugcrowd are two of the companies running this type of programs. They work for sharks like Adobe, Snapchat or Square. Heavyweight tech companies like Microsoft and Google have also turned to bounty programs, but they have used their internal platforms for it.

Following the example of the “major tech players”, Corey Price, the vice president of Pornhub stated that they too want to tap into the existing hacking talent as a measure of precaution. This program would mean an addition to their development and security teams.

The bounty rewards range from $5 to $25.000. To receive the prize, hackers must report and detail the vulnerability with screenshots and code. This reporting should be, of course, disclosed only to the Pornhub admins.

More rules say hackers will not interrupt the porn service of the adult entertainment website, will not use automated tools, and the bug should be reported 24 hours after its discovery.

It would take the security team up to a month to reply and depending on the complexity of the bug, up to three months to fix it.

With 60 million – wait for it – daily visitors, Pornhub is the second most popular pornographic site in the world. Yes, almost 1% of the world is accessing this porn site alone, daily. No wonder they’re taking all the available help there is.

They’ve also been the target of someone’s malware before. An advertising malicious scheme attacked the site in November 2015. They recovered and learned from the mistake.

Now, who’s first to crack, not the porn site, but a joke on this $25K from Pornhub to hackers news?

Image source: Wikimedia

Russian Hackers Stole more than a Billion Passwords

By Leave a Comment

You were afraid that your password is not strong enough? Fear no more, because it actually might not matter that much. You might have heard about many passwords and email lists being leaked or hacked, but this is the largest action of a kind ever recorded. New York Times reports about a Russian gang who amassed the largest collection of stolen credentials. The Russian hackers stole 1.2 billion usernames and passwords and more than 500 million emails.

Recently Google announced a grandiose project, Project Zero, meant to ensure security over the internet, with the hope that increased trust will attract more internet users. Maybe that will stop this type of large scale hacking.

The Milwaukee-based company Hold Security discovered the fact. They say that more than 420.000 websites are victims of the large scale action. No names have been disclosed yet, but we can imagine that some of the largest and used websites are among them. Hold Security seems to be a reliable source, according to the New York Times, as they uncovered similar actions in the past.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security for the New York Times. “And most of these sites are still vulnerable.”

Russian hackers stole a billion password combinations to use it for social network spamming

Until now, the hackers did not offer databases for sale. Instead, they use the stolen information for spamming. Social networks like Twitter are among the victims, with the hackers spamming users while receiving payments for their actions from clients.

“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”

Hold Security has contacts with the hacker world that allow them to trace the activities. They know that this is the action of a Russian gang based in a small city from south central Russia. No more than a dozen men activate compose the gang and they know each other outside of the virtual world as well. Starting as amateurs in 2011, they speeded up their activity in the recent months, possibly after a partnership with another gang. Even if the Russian hackers stole the credentials for spamming, they might use it for other purposes besides spamming.

Android Hackers Attacked more than 30 Financial Institutions

By 2 Comments

The newest cyber attack is named after the Swiss cheese Emmental, because this is what the Android security system looks right now. Android hackers attacked the bank accounts of smartphone users in six countries by convincing them to install a rogue program on their devices. The emails they thought were sent by major retailers contained a malicious attachment. As in any other classical attack of the kind, if the users downloaded the attachment, a malicious software installed on their smartphones.

Google just launched a new security project called Project Zero. The company aims to fight cybercrime all over the internet, because a safe environment will render more clients for the pervasive Google services.

Trend Micro Inc. explains how the Android hackers attacked the banking system

The fraud was discovered by Trend Micro Inc., a security company. Tom Kellermann, Trend Micro Chief Cyber security Officer, stated the damages rise to a couple million dollars, as banks in Austria, Sweden, Switzerland and Japan suffered from the criminal attack. Allegedly, the authors of the attack are based in Romania and Russia, Reuters reports. Russian slang was found in the app code and some logs indicate Romanian origin. There are not enough hints to identify the original location of the attack.

Unfortunately, it is a sign that financial institutions must quickly adapt the login procedures to the mobile apps. Most financial institutions rely on a two stage authentication protocol. Due to the nature of the operation, banks ask for more than one password if you plan to perform mobile online transactions. The first password is the one you already chose, while the second is sent to your mobile device as a text message. The program unwarily installed by fraud victims managed to have access to their bank accounts by redirecting users to fake web pages.

Users thought they are opening emails from well-known retailers. The emails contained an attachment which seemed to be a receipt. Another step of the attack is the luring of users to download a security oriented app from Google Play Store. Through the respective app, hackers manage to get full control of the bank accounts.

After seeing how the Android hackers attacked the banking system, Trend Micro thinks it is time for a new approach in online banking security. One alternative would be a photo recognition system. A physical card reader is another option suggested by the online security company, but that does not seem feasible in a time when smartphone users want to use only one device. As in every similar attack, users must pay particular attention when they access web pages and download attachments.