AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 12/03/2021

Really stupid “smart contract” bug let hackers steal $31 million in digital coin

Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts. The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” MonoX company representatives say. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.” An accounting error built into the company’s software let an attacker inflate the price of the MONO token and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.

Hackers are guessing your credit card details – and there’s nothing you can do about it

Cybersecurity researchers have revealed that hackers have discovered a way to find card numbers without breaking into a database, and that there is a booming underground black market for them. Researchers at popular VPN service provider NordVPN analyzed statistical data that was collated by independent researchers from dark web markets and learnt that most of the card numbers sold on the dark web are brute forced. The attackers are able to pull this off because the digits on most cards follow a fixed pattern and can be deduced. For instance, the first couple of digits indicate the financial service provider, while the sixteenth is a checksum, and so on. Furthermore, the CVV is made up of three digits, which also helps with the guesswork.
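From the defender's side, the fixed structure described above means the checksum only proves a number is well formed, so guessing has to be caught by its pattern: one source trying many distinct numbers under the same issuer prefix, almost all declined. The following is an added example, not taken from the NordVPN research or the article; the 6-digit prefix length, the thresholds, the log tuple layout and all sample data are assumptions made for illustration.

```python
from collections import defaultdict

def luhn_valid(pan: str) -> bool:
    """True if the final digit matches the Luhn checksum of the rest.
    Passing this check shows the number is well formed, nothing more."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def flag_card_testing(attempts, min_pans=5, min_decline_rate=0.8):
    """attempts: iterable of (source, pan, approved) authorization records.
    Flags (source, issuer prefix) pairs where one source tried many distinct
    card numbers under the same prefix and most were declined.
    The 6-digit prefix and both thresholds are assumed values."""
    groups = defaultdict(list)
    for source, pan, approved in attempts:
        groups[(source, pan[:6])].append((pan, approved))
    flagged = []
    for key, rows in groups.items():
        distinct = {pan for pan, _ in rows}
        declined = sum(1 for _, ok in rows if not ok)
        if len(distinct) >= min_pans and declined / len(rows) >= min_decline_rate:
            flagged.append(key)
    return sorted(flagged)

# Constructed sample records (documentation IP ranges, made-up card numbers).
SAMPLE = (
    # one source, six distinct numbers under one prefix, five declined
    [("203.0.113.7", f"400000{n:010d}", n == 3) for n in range(6)]
    # a normal customer retrying the same card (a well-known test number)
    + [("198.51.100.20", "4111111111111111", True)] * 2
    # declines spread over different prefixes: not the same pattern
    + [("192.0.2.9", f"{510000 + n}0000000000", False) for n in range(5)]
)

if __name__ == "__main__":
    print(flag_card_testing(SAMPLE))
```
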

Phishing actors start exploiting the Omicron COVID-19 variant

Phishing actors have quickly started to exploit the emergence of the Omicron COVID-19 variant and now use it as a lure in their malicious email campaigns. Threat actors are quick to adjust to the latest trends and hot topics, and increasing people’s fears is an excellent way to cause people to rush to open an email without first thinking it through. In this case, the Omicron variant is an emerging strain of COVID-19 that has scientists concerned over its high transmissibility and the potential ineffectiveness of existing vaccines against its mutations. This all makes it an ideal topic for phishing, as even the vaccinated are worried about how Omicron would affect them in the case of an infection.

Rights groups urge EU to ban NSO over clients’ use of Pegasus spyware

Dozens of human rights organisations have called on the European Union to impose global sanctions on NSO Group and take “every action” to prohibit the sale, transfer, export and import of the Israeli company’s surveillance technology. The letter, signed by 86 organisations including Access Now, Amnesty International and the Digital Rights Foundation, said the EU’s sanctions regime gave it the power to target entities that were responsible for “violations or abuses that are of serious concern as regards to the objectives of the common foreign and security policy, including violations or abuses of freedom of peaceful assembly and of association, or of freedom of opinion and expression”. “These rights have been repeatedly violated using NSO technology,” the letter said, pointing to findings by a UN special rapporteur on freedom of opinion who found that use of spyware by abusive governments could also “facilitate extrajudicial, summary or arbitrary executions and killings, or enforced disappearance of persons.”

Someone stole $120 million in crypto by hacking a DeFi website

On Wednesday night, someone drained funds from multiple cryptocurrency wallets connected to the decentralized finance platform BadgerDAO. According to the blockchain security and data analytics firm PeckShield, which is working with Badger to investigate the heist, the various tokens stolen in the attack are worth about $120 million. While the investigation is still ongoing, members of the Badger team have told users that they believe the issue came from someone inserting a malicious script in the UI of their website. For any users who interacted with the site when the script was active, it would intercept Web3 transactions and insert a request to transfer the victim’s tokens to the attacker’s chosen address. Because of the transparent nature of the transactions, we can see what happened once the attackers pounced. PeckShield points out one transfer that yanked 896 Bitcoin into the attacker’s coffers, worth more than $50 million. According to the team, the malicious code appeared as early as November 10th, as the attackers ran it at seemingly random intervals to avoid detection.

US FTC sues to stop Nvidia’s Arm acquisition, says it would harm data center chip innovation

The Federal Trade Commission (FTC) has sued to block Nvidia’s acquisition of chip designer Arm. The US agency said that the deal would give Nvidia too much control over the technology and designs of rival firms, and give it the means and incentive to stifle innovation. “The FTC is suing to block the largest semiconductor chip merger in history to prevent a chip conglomerate from stifling the innovation pipeline for next-generation technologies,” said FTC Bureau of Competition Director Holly Vedova. “The FTC’s lawsuit should send a strong signal that we will act aggressively to protect our critical infrastructure markets from illegal vertical mergers that have far-reaching and damaging effects on future innovations.”
