Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive claiming to be from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers
ATM and Gas Pump Skimming Information
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
Samsung says customer payment data not affected by hack attack. Samsung released a statement October 8 reassuring customers that no payment data was at risk following a March hacking incident involving LoopPay, a company that Samsung acquired to set up Samsung Pay. The attack reportedly only targeted LoopPay’s office network handling email, file sharing, and printing, and was possibly intended to steal the magnetic strip technology that the company developed.
Blackstone charged with disclosure failures. The U.S. Securities and Exchange Commission announced October 7 that 3 Blackstone Group private equity fund advisers agreed to pay $38.8 million to resolve allegations that the advisers failed to disclose the benefits they obtained via accelerated monitoring fees and legal fee discounts. The company will distribute $28.8 million to affected fund investors.
US Capital partner barred from securities work, ordered to repay $10M. Colorado State securities regulators announced October 7 that a former US Capital partner was permanently banned from the securities industry and will pay $10.3 million after an investigation found that the company allegedly offered real-estate purchase loans to typically ineligible commercial borrowers by obtaining investments from individuals who were promised interest, when in reality the company used the funds as loans for at least 10 other companies that they owned.
Illegal credit card manufacturing operation uncovered in North Miami. Miami-Dade police recovered at least 200 credit cards as well as card encoding equipment in a raid on a North Miami home while serving an arrest warrant October 7. A resident of the home was identified as a convicted felon and taken into custody.
New collision attack lowers cost of breaking SHA1. A team of experts from Centrum Wiskunde & Informatica in Europe, Inria in France, and Singapore’s Nanyang Technological University discovered that hackers could execute a “freestart collision” attack to break the full secure hash algorithm 1 (SHA1) cryptographic hash function within 10 days for a cost of $75,000 - $120,000 using graphics cards and computing power from Amazon’s EC2 cloud. Previous research estimated that the cost to break the algorithm would be approximately $700,000 in 2015 and $173,000 in 2018.
Operation Cleaver hackers return, now use LinkedIn to target victims. Security researchers from Dell’s SecureWorks Counter Threat Unit Threat Intelligence team discovered that a group they observed building a network of fake LinkedIn user profiles to target aerospace, defense, military, chemical, energy, government, education, and telecommunications organizations worldwide appears to be the same as, or affiliated with, the group that carried out Operation Cleaver in 2014, which targeted critical infrastructure worldwide.
Journalist convicted of helping Anonymous hack the LA Times. A California journalist who previously worked for Reuters was convicted October 7 for his role in a conspiracy to make unauthorized changes to a computer and the transmission of malicious code on the Los Angeles Times’ Web site by passing login credentials enabling access to a content management system to an Anonymous hacking group member in December 2010.
Developers of mysterious Wifatch malware come forward. The group behind the “benevolent” Linux.Wifatch malware that was observed infecting tens of thousands of routers, Internet Protocol (IP) cameras, and other devices with the apparent purpose of protecting them, published the Wifatch source code and revealed themselves as “The White Team,” claiming it was an altruistic project.
Sheriff: Three men arrested in cigarette, illegal credit card bust in Caroline County. Caroline County authorities arrested a New Yorker and two Jamaican citizens October 6 after finding over 100 fraudulent credit cards, electronics, and skimming devices in their vehicle in Caramel Church, Virginia.
Fifth Third pays $85M to settle mortgage fraud. Federal officials announced October 6 that Cincinnati-based Fifth Third Bank will pay $85 million to settle civil fraud allegations that the company knowingly improperly certified 1,439 defective Federal Housing Administration mortgage loans, resulting in millions of dollars of losses to the agency from 2003 – 2013.
Third arrest made in BR-based national financial fraud scheme. Louisiana officials announced October 6 the arrest of the third suspect in a national financial fraud scheme in which conspirators allegedly stole over 300 identities and committed over $5 million in fraud. The suspect reportedly provided bogus credit repair services for free and helped issue stolen Social Security numbers and used the numbers for fraudulent loan applications.
Malicious Android adware infects devices in 20 countries. Security researchers from FireEye were monitoring a new malicious adware campaign dubbed Kemoge that has affected Android devices in 20 countries, in which the malware serves ads to an infected device, extracts exploits to root phones, and employs multiple persistence mechanisms. The malware is packaged with popular Android apps uploaded to third-party stores.
Zero-day exploit found in Avast antivirus. Security researchers from Google’s Project Zero discovered a zero-day exploit in Avast antivirus software in which an attacker could leverage a faulty method used for parsing X.509 certificates in secure connections to execute code on an affected system. Avast has since patched the vulnerability.
Major ransomware campaign disrupted, attackers lose potential revenues of $34M. Researchers from Cisco shut down a massive ransomware campaign accounting for 50 percent of all ransomware deployments via the Angler exploit kit (EK) that would have allowed the campaign’s operators to collect over $34 million. The cyber-criminals used a network of 147 proxy servers bought from Limestone Networks via stolen credit cards to deliver the largest ransomware delivery platform ever noticed in the wild.
Previously unknown Moker RAT is the latest APT threat. Security researchers from enSilo discovered a new Remote Access Trojan (RAT) dubbed Moker that takes over targeted systems by creating a new user account before opening an RDP channel to gain remote control, and tampers with sensitive system and security files and settings. The malware comes with a complete feature set, achieves system privileges, and may also be controlled locally.
Remote code exec hijack hole found in Huawei 4G USB modems. Security researchers from Positive Technologies discovered cross-site scripting (XSS) and stack overflow vulnerabilities in Huawei E3272 USB 4G modem that could allow attackers to conduct remote execution and denial-of-service (DoS) attacks and hijack connected computers. Huawei released patches addressing the vulnerabilities.
Winnti spies use bootkit for persistence, distributing backdoors. Security researchers from Kaspersky Lab discovered that the advanced persistent threat (APT) group Winnti has been using an attack platform dubbed “HDRoot” as a bootkit disguised to look like Microsoft’s Net.exe utility while protected by VMProtect software, delivering two backdoors. The group previously targeted gaming companies in the U.S. and worldwide.
Google patches Stagefright 2.0 flaws on Nexus devices. Google released a security update for Nexus devices resolving 20 recently discovered critical security vulnerabilities in the libstagefright and libutils Android media playback engine, dubbed Stagefright 2.0, in which an attacker could push a specially crafted file to cause memory corruption and remote code execution.
Hackers breach Microsoft OWA server, steal 11,000 user passwords. Security researchers from Cybereason discovered that hackers placed a malicious dynamic link library (DLL) file on an unnamed company’s Microsoft Outlook Web Application (OWA) server, allowing them to steal the usernames and passwords of 11,000 employees. The hackers replaced OWAAUTH.dll with one containing a backdoor and collected the usernames and passwords authenticated against the Active Directory server in clear text.
Scottrade breach hits 4.6 million customers. Scottrade officials reported October 2 that contact information and possibly Social Security numbers of 4.6 million customers were compromised after internal and Federal investigations reportedly revealed unauthorized access to systems housing the information between late 2013 – early 2014. The company does not believe any Social Security numbers were accessed, and that the breach focused solely on contact information.
Zero day vulnerability found in VMware product. Researchers from 7 Elements discovered a VMware vCenter zero day vulnerability involving the deployment of the JMX/RMI service used in the management interface, in which an attacker could gain unauthorized remote system access to the hosting server, leading to full enterprise environment compromise. VMware reported that it is working on releasing a patch to address the vulnerability.
Fareit malware uses different file hash for each attack to avoid AV detection. Security researchers from Cisco’s Talos team discovered a new version of the Fareit trojan specializing in information stealing that changes its file hash with each infection. Researchers found only 23 shared common hashes out of 2,455 recorded samples, and determined that the samples communicated with only 2 command and control (C&C) servers.
South Florida ATM skimmer pleads guilty, apologizes. A Romanian citizen living in south Florida who was arrested June 1 in North Carolina pleaded guilty October 1 in connection to an ATM-skimming scheme in which criminals installed skimming devices and made multiple illegal withdrawals at SunTrust bank branches in Broward, Palm Beach, and Miami-Dade counties as well as banks in Tennessee, Georgia, North and South Carolina, Virginia, and Maryland from 2013 – 2015.
SEC halts $32 million scheme that promised riches from amber mining. The U.S. Securities and Exchange Commission announced October 1 charges and asset freezes against a California resident accused of operating a worldwide pyramid scheme via 13 California-based entities which raised over $32 million by misleading investors about a non-existent initial public offering for USFIA Inc., and claims that the company owned several large, valuable amber mines in Argentina and the Dominican Republic.
Unexpectedly benevolent malware improves security of routers, IoT devices. Security researchers from Symantec discovered an apparently benevolent botnet scheme targeting Internet of things (IoT)-connected devices utilizing code dubbed Wifatch that aims to protect devices from attacks via threat updates and removal of known malware families, among other features.
Latest Upatre trojan version targets Windows XP users. Researchers from AppRiver reported a new spam-scareware campaign targeting Microsoft Windows XP users with ZIP archives containing the Upatre trojan, which primarily acts as an entry point for other infections including Dryeza, Rovnix, Crilock, and Zeus, and shuts down when executed on a non-Windows XP platform.
Stored XSS in Jetpack plugin allows attackers to run code in the WordPress backend. Security researchers from Sucuri discovered a persistent cross-site scripting (XSS) vulnerability in Automattic’s Jetpack WordPress plugin versions 3.7 and lower in which an attacker, by crafting a malicious email string that would end up in the WordPress database, could run malicious code that executes whenever a WordPress administrator accesses the Feedback section of the admin panel. The development team released version 3.7.1 patching the XSS bug.
HTTP denial of service vulnerability found in Node.js 4.x and io.js 3.x. Node reported the existence of a hypertext transfer protocol (HTTP) denial-of-service (DoS) vulnerability affecting recent Node.js and io.js platforms, and urged users to migrate back to a previous version until a fix is released.
Feds seize assets, cash from woman accused in $15M embezzlement scheme. Federal authorities were investigating a former Matthews International Corporation treasurer specialist in Pittsburgh and seized millions of dollars in cash and assets September 30 in connection to an alleged fraud scheme in which the suspect allegedly took $15 million from the company since 2003.
Apple patches 100+ vulnerabilities in OS X, Safari, iOS. Apple released OS X version 10.11 El Capitan addressing over 100 security vulnerabilities, including 20 hypertext preprocessor (PHP) flaws, XARA password stealing vulnerabilities which could allow an attacker to use a malicious application to access a user’s keychain, and 45 issues in the Safari 9 Web browser, among others.
New Android vulnerabilities put over a billion devices at risk of remote hacking. Security researchers from Zimperium discovered a series of Android media processing vulnerabilities, dubbed Stagefright 2.0, affecting over 1 billion devices which could allow an attacker to trick users into visiting maliciously crafted Web sites that would exploit the flaws and lead to remote code execution on almost all devices starting with version 1.0 of the operating system (OS).
Critical flaw puts 500 million WinRAR users at risk of being pwned by unzipping a file. Security researchers disclosed a critical zero day WinRAR remote code execution vulnerability affecting up to 500 million users, in which an attacker could inject malicious code into an archive that would automatically execute upon unzipping. The vulnerability can be exploited without system user privileges or user interaction.
SEC sanctions 22 underwriting firms for fraudulent municipal bond offerings. The U.S. Securities and Exchange Commission announced enforcement actions September 30 against 22 municipal underwriting firms under the Municipalities Continuing Disclosure Cooperation (MCDC) Initiative, reportedly finding that the firms violated Federal securities laws by selling municipal bonds using offering documents containing materially false statements or omissions regarding the bond issuers’ compliance with disclosure obligations. The underwriting firms agreed to cease such violations and pay civil penalties.
FBI searching for ‘North Center Bandit.’ The FBI is searching for information leading to the arrest of a suspect dubbed the “North Center Bandit,” who allegedly robbed 3 bank branches in North Center from August 21 – September 25.
Scammers use Google AdWords, fake Windows BSOD to steal money from users. Security researchers from Malwarebytes discovered that cybercriminals are using Google’s AdWords to place malicious links at the top of Google’s search page for common searches, which would lead to a fake “Blue Screen of Death” (BSOD) page prompting users to call a toll-free “helpline” with scammers that would solicit payments for support services and personal and bank account information.
Microsoft Exchange Server fixed against information disclosure bug. Microsoft released an update for Exchange Server 2013 addressing a vulnerability in Outlook Web Access (OWA) that could allow an attacker to gain access to an active Webmail session by forcing Exchange Server to dump debug data via a maliciously crafted Uniform Resource Locator (URL), granting access to previously inaccessible cookie session information.
Apple Gatekeeper bypass opens door for malicious code. Security researchers from Synack discovered that Apple’s Gatekeeper security platform could be bypassed by tricking a user into downloading a signed and infected application from a third-party source, or by loading a malicious library over an insecure HyperText Transfer Protocol (HTTP) download via a man-in-the-middle (MitM) position to gain access to the system.
Dyreza trojan targeting IT supply chain credentials. Security researchers from Proofpoint published research revealing that the Dyreza trojan has been used to phish information technology (IT) supply chain credentials from up to 20 organizations, including software companies supporting fulfillment and warehousing, and computer distributors. Researchers believe that the hackers intend to infect all points of the supply chain, possibly to divert physical shipments, issue payments and invoices to artificial companies, or enact large-scale gift-card issuances.
SAP patches 12 SQL injection, XSS vulnerabilities in HANA. SAP released updates addressing 12 structured query language (SQL), cross-site scripting (XSS), and memory corruption vulnerabilities in its HANA in-memory management system that could allow an attacker to abuse management interfaces and compromise stored information, or lock users out of the platform, among other exploits.
Linux XOR DDoS botnet flexes muscles with 150+ Gbps attacks. Security researchers from Akamai Technologies released details of a botnet targeting primarily corporations in Asia that is capable of launching 150+ gigabit-per-second (Gbps) distributed denial-of-service (DDoS) attacks from Linux systems compromised by the XOR DDoS trojan, as well as being able to download and execute arbitrary code and self-update.
5 teens arrested for suspected ATM skimming operation. Officials arrested 5 teens September 25 for their roles in an ATM fraud operation in which the suspects allegedly planted skimming devices at 3 Pinnacle Bank locations in Lincoln. Authorities believe the suspects may be part of a national criminal enterprise responsible for losses of thousands of dollars at ATMs in 17 States.
SEC charges Trinity Capital Corporation and former bank executives with accounting fraud. The U.S. Securities and Exchange Commission announced September 28 that Trinity Capital Corporation and its subsidiary, Los Alamos National Bank, agreed to pay $1.5 million to resolve allegations that the company materially misstated its provision and allowance for loan and lease losses in multiple quarterly and annual filings, including understating its 2011 net loss to common shareholders by $30.5 million. Five current or former executives were also charged for allegedly manipulating the company’s financial results and for failing to implement internal loan accounting controls.
Newly found TrueCrypt flaw allows full system compromise. A security researcher from Google’s Project Zero team discovered two vulnerabilities in TrueCrypt hard drive encryption software which could allow attackers to obtain elevated system privileges if they have access to a limited user account. VeraCrypt released patches for the vulnerabilities, and users were advised to switch products for these and other security improvements.
VBA malware makes a comeback inside booby-trapped Word documents. Security researchers from Sophos released research findings revealing that hackers are increasingly using Visual Basic for Applications (VBA) to deliver malware in Microsoft Word documents, and that the company discovers 50 – 100 new VBA templates every month which primarily deliver the Dridex, CryptoWall, Dyreza, and Zbot malware, among other findings.
Guilty plea in La Jolla bribery scheme. A former head of La Jolla Bank’s Small Business Administration (SBA) lending department pleaded guilty September 25 to a bribery scheme in which she conspired with senior executives to arrange over $55 million in loans to unqualified borrowers, for which she and other executives took cash bribes and kickbacks in exchange. Hundreds of millions of dollars’ worth of conventional loans were reportedly part of the scheme, and the SBA-backed loans issued by the suspect resulted in almost $20 million worth of bank losses.
Suspects skimmed Margate bank customers’ info, police say. Margate Police and U.S. Secret Service officials were investigating reports of fraud September 25 after ATM skimming devices installed on Bank of America ATMs in July reportedly resulted in losses of over $50,000 to 40 customers.
Cookies render HTTPS sessions vulnerable to data leaks. The Computer Emergency Readiness Team (CERT) published an advisory warning that cookies established via regular Hypertext Transfer Protocol (HTTP) requests pose a security risk to HTTP Secure (HTTPS) sessions: because browsers do not isolate cookies by scheme, an attacker able to inject a plain-HTTP response can set a cookie that the browser later sends over an HTTPS connection to the original Web site, potentially gaining access to private information.
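The cookie-injection weakness described in the CERT item, reproduced against Python's standard-library cookie jar (which follows classic browser rules), together with the mitigation modern browsers apply: enforcing the `__Host-` cookie-name prefix, which may only be set from a secure origin with the Secure attribute, no Domain attribute and Path=/. This is added example code, not from CERT or the page; the host `bank.example`, the token values and the `PrefixAwarePolicy` class are constructed for the demonstration.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response object: the jar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message appends repeated headers

    def info(self):
        return self._msg


def receive(jar, url, *set_cookie_headers):
    """Simulate the browser receiving a response from `url` carrying Set-Cookie headers."""
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


class PrefixAwarePolicy(DefaultCookiePolicy):
    """Hypothetical hardened policy: adds the __Secure-/__Host- prefix rules on top of
    the stock policy. A cookie whose name carries a prefix is rejected unless it was
    set over HTTPS with the Secure attribute; __Host- additionally forbids a Domain
    attribute and requires an explicit Path=/ so it cannot be shadowed from a subpath."""

    def set_ok(self, cookie, request):
        if not super().set_ok(cookie, request):
            return False
        name = cookie.name
        if name.startswith("__Secure-") or name.startswith("__Host-"):
            if not cookie.secure or request.type != "https":
                return False
        if name.startswith("__Host-"):
            if cookie.domain_specified or not (cookie.path_specified and cookie.path == "/"):
                return False
        return True


def stock_jar_scenario():
    """Weak case: the stock policy lets a plain-HTTP response overwrite a Secure cookie,
    and the injected value is then sent on the HTTPS request."""
    jar = CookieJar()  # DefaultCookiePolicy: no scheme isolation, no prefix rules
    # Legitimate login over HTTPS sets a Secure session cookie.
    receive(jar, "https://bank.example/login", "session=legit-token; Secure; HttpOnly")
    # A plain-HTTP response for the same host (constructed) sets the same cookie name.
    receive(jar, "http://bank.example/", "session=attacker-chosen")
    # The jar keys cookies by (domain, path, name), so the HTTP cookie replaced the
    # Secure one, and lacking the Secure flag it is still sent over HTTPS.
    return cookie_header_for(jar, "https://bank.example/account")


def hardened_jar_scenario():
    """Mitigated case: with the __Host- prefix the HTTP-set cookie is refused, so the
    HTTPS request still carries the legitimate token."""
    jar = CookieJar(policy=PrefixAwarePolicy())
    receive(jar, "https://bank.example/login",
            "__Host-session=legit-token; Secure; Path=/; HttpOnly")
    receive(jar, "http://bank.example/", "__Host-session=attacker-chosen; Path=/")
    return cookie_header_for(jar, "https://bank.example/account")


if __name__ == "__main__":
    print("stock policy   :", stock_jar_scenario())     # session=attacker-chosen
    print("prefix policy  :", hardened_jar_scenario())  # __Host-session=legit-token
```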
Operation Pony Express delivers malware via Microsoft Word files. Security researchers from Sophos reported that a spear-phishing campaign active from April – May, dubbed Operation Pony Express, utilized a documented Microsoft Word vulnerability delivered via an intermediary malware downloader. The campaign targeted specific individuals and organizations with emails containing fake rich text format (RTF) invoice files purporting to be from RingCentral.
Kasidet DDOSing bot adds credit card scraping capabilities. Security researchers from TrendMicro discovered a new version of the Kasidet/Neutrino distributed denial-of-service (DDoS) bot, which as of March added support for scraping a device’s point-of-sale (PoS) random access memory (RAM). The bot’s command-and-control (C&C) server also attempts to evade mitigation by sending “404 not found” errors to make it appear that it is not working properly.
SEC charges six in stock fraud scheme. The U.S. Securities and Exchange Commission charged 6 suspects for an investment scheme in which the suspects allegedly conspired to secretly issue $72 million Gerova shares to a family friend in Kosovo through a friend’s brokerage accounts, while bribing an investment adviser to stabilize Gerova shares in 2010. The suspects reportedly received at least $16 million in illicit profits through the scheme, and face criminal charges under a separate parallel action.
New Jersey’s Hudson City Bank to pay some $33 mln in redlining case. Hudson City Bancorp agreed September 24 to pay $33 million in loan subsidies, community programs and outreach, and penalties to settle U.S. Department of Justice and Consumer Financial Protection Bureau allegations that the company discriminated against prospective black and Hispanic home buyers by avoiding locating branches and marketing mortgages in neighborhoods with a majority of black and Hispanic residents.
N.J. bank fraud: Founder of defunct charter flight company pleads guilty. The former chief financial officer and co-founder of Southern Sky Air & Tours pleaded guilty September 23 to conspiracy to commit wire and bank fraud through a scheme in which he used fake documents and inflated revenue figures to defraud a New Jersey bank and other financial institutions out of millions of dollars.
‘Black Hat Bandit’ pleads guilty to 9 bank robberies. The suspect dubbed the “Black Hat Bandit” pleaded guilty September 24 in connection with 9 bank robberies throughout Virginia, Maryland, and Washington, D.C. from January – March of this year, which resulted in more than $180,000 in losses to the BB&T and Wells Fargo bank branches he struck.
New malware infects ATMs, dispenses cash on command. Security researchers from Proofpoint detected a new ATM malware program dubbed GreenDispenser that allows attackers to withdraw cash on demand by hooking into the eXtensions for Financial Services (XFS) middleware on Microsoft Windows-based ATMs. The malware was first spotted in Mexico, and researchers warned it will likely spread quickly to the U.S.
Vulnerabilities found in several SCADA products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published advisories identifying vulnerabilities in supervisory control and data acquisition (SCADA) products, including a privilege escalation bug in Resource Data Management’s Data Manager that could allow an attacker to change the passwords of users, a cross-site request forgery (CSRF) that an attacker could use to perform actions on behalf of authenticated users, and other vulnerabilities in IBC Solar and EasyIO products.
Cisco releases tool for detecting malicious router implants. Cisco Systems released a Python script called the SYNful Knock Scanner which scans networks for routers compromised by malicious SYNful Knock implants and provides next steps to users with affected routers.
XcodeGhost-infected apps open gates to malware hijacking. Security researchers from Palo Alto Networks reported that the DES ECB mode-encrypted communication streams between XcodeGhost-infected applications and the attacker’s command-and-control (C&C) servers lack proper encryption, leaving them vulnerable to man-in-the-middle (MitM) attacks that could expose affected users to additional malware.
Kovter malware now lives solely in the Windows registry. Security researchers from Symantec discovered a new version of the Kovter trojan that reportedly mimics the Poweliks malware’s survival methods, including the ability to hide its code in the Microsoft Windows registry, ensuring persistence and serving as an entry point for other malware. The Kovter trojan focuses primarily on click-fraud, and 56 percent of all infections have targeted U.S. users.
Cisco patches denial-of-service, bypass vulnerabilities in IOS. Cisco released updates for its IOS router and switch software addressing three denial-of-service (DoS) vulnerabilities and one authentication bypass flaw affecting RSA-based user authentication in which an attacker knowing a legitimate username and the user’s public key could log in with their privileges.
WAFB 9 Baton Rouge – (National) Second person arrested in credit fraud scheme that stole 300 identities, $5M. A Carencro woman was arrested September 22 for her alleged role in a nationwide financial fraud scheme that stole more than 300 identities and $5 million by coordinating with forgers to create fake bank records while using stolen identities to get car loans.
U.S. Securities and Exchange Commission – (National) SEC charges two Philadelphia area men for defrauding friends and family in private equity fund. Two suspects agreed to pay $6.8 million to settle U.S. Securities and Exchange Commission charges that the suspects allegedly solicited friends and family for investment funds which they diverted for personal expenses.
IDG News Service – (International) Ransomware pushers up their game against small businesses. TrendMicro researchers released analysis revealing that 67 percent of users who clicked on links in CryptoWall and 40 percent who clicked links in TorrentLocker ransomware-related emails were from small and medium businesses in June and July, attributing the percentage to social engineering and a lack of safeguards compared to larger organizations.
Softpedia – (International) Security researcher exposes potentially dangerous privacy flaw in iOS-iTunes connections. A security researcher discovered a privacy-related flaw in iOS and iTunes in which an attacker with physical access to a device could create a backup and potentially access sensitive information simply by accepting the device as “Trusted” in iTunes.
SEC charges investment adviser with failing to adopt proper cybersecurity policies and procedures prior to breach. St. Louis-based R.T. Jones Capital Equities Management agreed September 22 to pay $75,000 to settle U.S. Securities and Exchange Commission charges that the firm failed to establish required cybersecurity policies and procedures in advance of a breach that compromised information of about 100,000 individuals in July 2013.
Attorney General announces arrest of Baton Rouge man for orchestrating national financial fraud scheme. A Baton Rouge man was arrested September 22 for allegedly running a major credit-repair fraud involving at least 13 other suspects that resulted in over 300 stolen identities and losses of more than $5 million by stealing the Social Security numbers of children and selling them as Credit Profile Numbers to individuals who needed lines of credit.
Firefox 41 patches critical vulnerabilities. Mozilla released updates addressing 30 vulnerabilities in Firefox version 41, including use-after-free bugs with IndexedDB and manipulation of HyperText Markup Language (HTML) content that could lead to an exploitable crash, memory safety bugs that can be exploited to execute arbitrary code, and two flaws involving cross-origin resource sharing (CORS) “preflight” request handling, among others.
Brute-forcing URL shorteners can expose sensitive corporate information. Security researchers and social engineers discovered that brute-force attacks could be used to uncover active short links by services running Bit.ly Uniform Resource Locator (URL) shorteners, potentially accessing sensitive or private documents passed through a company’s shortener, and that attackers could bypass rate limits with the use of proxies.
WD My Cloud NAS devices can be hijacked by attackers. Security researchers from VerSprite discovered vulnerabilities in Western Digital My Cloud network attached storage (NAS) products’ RESTful Application Program Interface (API) in which any authorized remote user can remotely execute commands and steal files belonging to other users, as well as abuse root access to the NAS in a private internal network. Researchers also discovered a separate flaw in the device’s web application allowing for cross-site request forgery attacks.
Large number of iOS apps infected by XcodeGhost. Security researchers from Pangu discovered that the number of iOS applications affected by the XcodeGhost malware is over 3,400, and FireEye reported the number on the App store could be over 4,000. The malware injects malicious code into legitimate iOS and OS X applications using a modified version of Apple’s Xcode development platform, and has been detected in apps distributed worldwide.
Malvertisers slam Forbes, Realtor with world’s worst exploit kits. Security researchers from FireEye and Malwarebytes reported that multiple Forbes Web sites and Realtor.com were hit with malvertising attacks that redirected users to sites hosting the Neutrino and Angler exploit kits (EKs), which boast a 40 percent exploit-rate for victims and leverage Adobe Flash, Java, Microsoft Silverlight, and other browser vulnerabilities and quickly incorporate zero day flaws.
New adware facilitates the distribution of trojans for Mac users. Security researchers from Dr. Web discovered a new malware named “Adware.Mac.WeDownload.1” containing a modified version of Adobe Flash Player that, once clicked, requests administrator privileges and contacts a command-and-control (C&C) server to install additional malicious applications.
Ex-Morgan Stanley adviser pleads guilty in connection with data breach. A former Morgan Stanley financial adviser pleaded guilty September 21 to taking confidential data including names, addresses, account numbers, and investment information from 730,000 accounts from a bank computer without permission between 2011 and 2014. No clients lost money as a result of the breach.
Adobe patches 23 vulnerabilities in Flash Player. Adobe released updates for Flash Player addressing 23 information disclosure, security bypass, memory leak, type confusion, use-after-free, buffer overflow, stack corruption, and memory corruption vulnerabilities. The updates also include additional validation checks to ensure rejection of malicious content from vulnerable JSONP callback Application Program Interfaces (APIs), among other improvements.
Malware-infected game discovered on Google Play, up to 1 million users at risk. Security researchers from Check Point discovered a new type of malware employing persistence and advanced detection evasion techniques, found packaged within the BrainTest Android game application. The malware can download and execute any code remotely and has infected between 200,000 and 1 million users.
Apple watchOS2 includes host of code-execution patches. Apple released updates addressing over 12 code execution vulnerabilities in watchOS2 and other Apple Watch components, as well as certificate validation issues and vulnerabilities in CFNetwork, and a bug in the system’s dynamic linker, among others.
Nasty URL bug brings Google Chrome to a screeching halt. Security researchers discovered a Uniform Resource Locator (URL) denial-of-service (DoS) vulnerability in the Google Chrome Web browser in which mousing over “%%30%30” appended to the end of a URL causes the browser to hang and crash. The issue affects both Windows and OS X current versions of Chrome.
First Eagle to pay nearly $40 mln in SEC case over distribution fees. First Eagle Investment Management and its affiliated distributor FEF Distributors agreed to pay $25 million to shareholders and $12.5 million in penalties to resolve U.S. Securities and Exchange Commission allegations that the investment firm improperly used mutual fund assets to pay for marketing and distribution fees without permission from the fund’s board.
“Filter Bandit” robs Plantation bank on back-to-back days. Authorities are searching for a suspect dubbed the “Filter Bandit” who struck a Chase bank in Plantation September 18 and 19, and who may be linked to 9 other robberies in Plantation, Coral Springs, and Tamarac since August 2014.
Three Symantec employees fired for issuing fake Google SSL certificates. Symantec fired three employees for issuing rogue Secure Sockets Layer (SSL) certificates after Google engineers working for the Certificate Transparency project discovered that the company had issued fake Google.com certificates with “extended validation” labels.
Apple removes malware-infected iOS apps from store. Apple officials reported that the company had taken down about 40 iOS applications that were affected by a new form of malware called XcodeGhost, which modifies the Xcode integrated development environment and collects information on devices.
Ghost Push Android malware infects 600,000 new users per day. Security researchers from Cheetah Mobile discovered that a new type of boot-persistent Android malware called Ghost Push is being packaged with 39 applications distributed through unofficial channels. The malware has infected 14,847 phone types and models across 3,658 brands worldwide.
Infographic: Over 170,000 Magento shops are still vulnerable to Shoplift bug. Security researchers from Byte reported that 173,547 Magento stores are still vulnerable to the Shoplift vulnerability discovered in February, which resulted in stolen customer data and diverted payments.
Google details plans to disable SSLv3, RC4. Google officials announced the company’s formal intent to move away from the Rivest Cipher 4 (RC4) cipher and the Secure Sockets Layer version 3 (SSLv3) protocol due to security concerns, and laid out future standards for Transport Layer Security (TLS) clients.
SEC charges clearing firm officials for improper margin loans, accounting and disclosure failures. The U.S. Securities and Exchange Commission charged 4 Penson Financial Services officials September 17 for alleged accounting and disclosure failures that resulted in loaning nearly $100 million in margin loans secured by impaired, unrated municipal bonds that cost investors $60 million. The SEC filed a separate complaint against a customer who benefited from one of the margin loans, for allegedly fraudulently obtaining $6.8 million in loans or credit from Penson.
Shawnee Mission man pleads guilty to $6 million embezzlement. A Shawnee Mission man pleaded guilty September 16 to embezzling over $6 million from Overland Park-based Commodity Specialists Company by creating fake companies and by billing CSC for fake deliveries and associated invoices. The suspect also failed to report the income on Federal tax returns.
VMware addresses vulnerability in vCenter server. VMware released an update addressing a certificate validation vulnerability in select versions of its vCenter Server which an attacker could exploit to intercept traffic between the vCenter Server and the Lightweight Directory Access Protocol (LDAP) server to capture sensitive information.
D-Link accidentally publishes code signing keys. A Norwegian developer and researchers from Fox-IT discovered that D-Link inadvertently released private code signing keys along with a recent firmware update following the purchase of the company’s DCS-5020L surveillance camera. D-Link revoked the certificate and published new versions of the firmware that do not contain the code signing keys.
Critical Bugzilla flaw allows access to unpatched vulnerability information. Mozilla released an update addressing a critical vulnerability in its Bugzilla bug-tracking software in which an attacker could gain access to information about a project’s unpatched flaws by tricking the system into granting domain-specific privileges. Attackers can create an account with an email address different from the one originally requested due to a vulnerability where login names longer than 127 characters could cause the domain name of the email address to be corrupted.
Malicious SYNful Cisco router implant found on more devices across the globe. Security researchers followed up on recent FireEye findings about the SYNful Knock modified malicious router firmware with four scans of public IPv4 addresses and found that 79 hosts displayed behavior consistent with the SYNful Knock implant, including 25 in the U.S. which belong to a single East Coast service provider.
Apple patches vulnerabilities in iOS, OS X, iTunes, Xcode. Apple released software updates adding new capabilities and addressing over 100 vulnerabilities in iOS, Mac OS X, iTunes, and Xcode, including a security flaw in AirDrop that could allow an attacker to send malicious files to an affected device within Bluetooth range, 33 vulnerabilities affecting WebKit, and 9 relating to CFNetwork, among others.
Under DDoS attack? It could just be a distraction. Kaspersky Lab released findings from polling of managers and information technology professionals at 5,500 companies in 26 countries revealing that three-quarters of distributed denial-of-service (DDoS) attacks are accompanied by other security incidents, implying that the attacks are often used as a diversion tactic and that businesses should keep resources available to manage corporate security in its entirety.
New POS trojan created by mixing code from older malware. Security researchers from Dr. Web discovered a new trojan dubbed Trojan.MWZLesson, targeting point-of-sale (PoS) terminals to obtain bank card data from the compromised device’s random access memory (RAM), that was pieced together with parts of the Neutrino backdoor and the Dexter PoS trojan. The malware can update itself, download and execute files, find documents, and mount Hypertext Transfer Protocol (HTTP) flood attacks.
Ex-Morgan Stanley broker pleads guilty to insider trading. A former broker for Morgan Stanley pleaded guilty to charges of insider trading on inside information stolen from Simpson, Thacher & Bartlett LLP, and to fraud charges alleging he bought securities for himself, his family, his friends, and business partners, gaining $5.6 million in profit from 2009 to 2013.
CVS Health in $48 million settlement of lawsuit over hiding loss. CVS Health Corp agreed to pay $48 million to resolve charges accusing the company of fraudulently concealing a $4.5 billion loss of annual revenue in its pharmacy benefits manager business, leading to a dip in stock price in November 2009.
Two arrested in alleged $21 million movie investment scheme. A former insurance agent and a director were arrested on charges accusing them of a movie investment Ponzi scheme that cost more than 140 victims about $21 million, in which they allegedly solicited investors for funding for fake films through Windsor Pictures LLC, while promising returns.
Chinese-based cyber attacks on US military are ‘advanced, persistent and ongoing’: Report. Trend Micro released research confirming that the Chinese advanced persistent threat (APT) group dubbed Iron Tiger was observed stealing trillions of bytes of data from U.S. defense contractors, intelligence agencies, FBI-based partners, other government entities, and tech-based contractors in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries, including Westinghouse Electric Company. The group is believed to be an iteration of Emissary Panda/Threat Group 3390, which previously focused on East Asian political targets.
80% increase of malware on Windows devices. Alcatel-Lucent released report findings revealing that 80 percent of mobile network malware infections detected in the first half of 2015 were found on Windows-based systems, that 10 of the largest threats on smartphones were mobile spyware, and that the prevalence of adware has been increasing, among other findings.
Malware links Russians to 7-year global cyberspy campaign. Security researchers from F-Secure released new analysis revealing that the group behind the Dukes 7-year cyber-espionage malware campaign has been utilizing unique malware toolsets to steal information from governments worldwide as well as non-government organizations (NGOs). Researchers believe that the group operated to support Russian intelligence gathering.
Dutch police arrest CoinVault ransomware authors. Dutch authorities arrested two suspects believed to be behind the CoinVault ransomware campaign that started in May 2014 and targeted over 1,500 users in nearly 24 countries. The ransomware encrypted victims’ files and made them unrecoverable until payment was received.
Schneider patches plaintext credentials bug in building automation system. Schneider Electric released a firmware update for its StruxureWare Building Expert automation system addressing a remotely exploitable vulnerability in how the system transmits user credentials in plaintext between server and client machines. The Industrial Control System Cyber Emergency Response Team reported that the vulnerability has not been publicly exploited.
Two defendants plead guilty in Manhattan federal court for their roles in orchestrating $18.5 million mortgage modification fraud scheme. Two men pleaded guilty September 15 for their roles in a mortgage modification scheme which defrauded over 8,000 homeowners out of more than $18.5 million by charging homeowners exorbitant fees for promised mortgage modifications that were never provided.
RBS in $129.6 mln mortgage securities deal with U.S. regulator. The Royal Bank of Scotland Group PLC (RBS) agreed September 15 to pay $129.6 million to the National Credit Union Administration to resolve allegations that RBS ignored underwriting guidelines and sold toxic mortgage-backed securities to now-failed credit unions.
Major malvertising operation went undetected for three weeks. Security researchers from Malwarebytes discovered a malvertising campaign affecting Web sites of several major companies including eBay, Drudge Report, and Answers.com, in which attackers were able to redirect victims to malware-serving Web sites containing the Angler exploit kit (EK) by loading ads through a rogue ad server. The campaign went undetected for nearly three weeks, and 46 percent of the affected users were in the U.S.
Persistent XSS flaw in SharePoint 2013 revealed, patched. Microsoft patched a persistent cross-site scripting (XSS) vulnerability in SharePoint 2013 in which an attacker could obtain information about a user’s operating system (OS), browser, plugins, and other information in order to steal sensitive information, gain control of the system, and download and execute malicious code remotely.
Android 5 bug allows attackers to easily unlock password-protected devices. The University of Texas at Austin Information Security Office discovered a lockscreen bypass vulnerability affecting Android version 5.1.1 in which an attacker could use a large string password with the camera app open to crash the password lockscreen and gain full access to the device. Google addressed the issue in Android 5.1.1 build LMY48M.
Bug in iOS allows writing of arbitrary files via AirDrop. Researchers from Azimuth Security discovered a vulnerability in a library of Apple’s iOS and OS X operating systems which an attacker could leverage via AirDrop, with or without the user’s approval, to execute a directory traversal attack and arbitrarily write files to any location in an affected device’s file system.
Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack. The founder of the Shodan search engine reported that over 200,000 devices on the Internet are still vulnerable to the Heartbleed OpenSSL vulnerability discovered in 2014, including 57,272 devices in the U.S. The vulnerability allows an attacker to extract passwords and other sensitive information due to a missing bounds check that allowed repeated reads of data from server memory.
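To make the “missing bounds check” concrete, the following is an added illustration (not from this page and not OpenSSL’s code) of a heartbeat handler in the message shape RFC 6520 describes, with the length check that OpenSSL 1.0.1g introduced behind a `strict` switch; the “server memory” and the SECRET marker in it are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Builds a heartbeat response for a received request record.
 * strict == 0 reproduces the Heartbleed behaviour: payload_length is taken from the peer and
 * never compared with the size of the record that actually arrived.
 * strict == 1 adds the bounds check OpenSSL 1.0.1g introduced (1 + 2 + payload + 16 must fit).
 * Returns the response length, or -1 if the request is rejected. */
static int hb_build_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap, int strict)
{
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];        /* peer-controlled value */
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_PADDING_LEN;
    if (resp_len > out_cap) return -1;                          /* protects only OUR buffer */
    if (strict && resp_len > rec_len) return -1;                /* the missing bounds check */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* With strict == 0 this copies payload_len bytes even when the record is shorter,
     * so it walks past the record into whatever lies next to it in memory. */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_LEN);
    return (int)resp_len;
}

/* Constructed "server memory": a 21-byte request whose length field lies (claims 32 bytes of
 * payload; only 2 are present), immediately followed by unrelated data a peer must never see.
 * Keeping both in one array keeps the over-read inside a valid object for this demonstration. */
static const uint8_t k_memory[] = {
    HB_REQUEST, 0x00, 0x20,                                     /* payload_length = 32 (a lie) */
    'h', 'i',                                                   /* the real 2-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,             /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'P', 'A', 'S', 'S', 'W', 'O', 'R', 'D', 0
};
#define RECEIVED_LEN (HB_HEADER_LEN + 2 + HB_PADDING_LEN)       /* 21 bytes actually received */

/* Constructed honest request: the length field matches the 2-byte payload that is present. */
static const uint8_t k_honest[] = {
    HB_REQUEST, 0x00, 0x02, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Returns 1 if the vulnerable handler echoes bytes from beyond the received record. */
int vulnerable_leaks_adjacent_memory(void)
{
    uint8_t out[64];
    int n = hb_build_response(k_memory, RECEIVED_LEN, out, sizeof out, 0);
    if (n < 0) return 0;
    /* Look for the marker that lives outside the record in the response we would send. */
    for (size_t i = 0; i + 6 <= (size_t)n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}

/* Returns the handler's verdict on the lying request once the bounds check is in place (-1). */
int fixed_rejects_lying_length(void)
{
    uint8_t out[64];
    return hb_build_response(k_memory, RECEIVED_LEN, out, sizeof out, 1);
}

/* Returns the response length for an honest request with the bounds check in place (21). */
int fixed_accepts_honest_request(void)
{
    uint8_t out[64];
    return hb_build_response(k_honest, sizeof k_honest, out, sizeof out, 1);
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", vulnerable_leaks_adjacent_memory());
    printf("fixed handler verdict on lying request:   %d\n", fixed_rejects_lying_length());
    printf("fixed handler response to honest request: %d bytes\n", fixed_accepts_honest_request());
    return 0;
}
```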
Russian pleads guilty in major hacking case. A Russian national arrested in 2012 and extradited to the U.S. in February 2015 pleaded guilty September 15 to leading a hacking and data breach scheme that compromised the Nasdaq stock market and payment systems at 7-Eleven, Carrefour, JC Penney, and other companies, resulting in losses of over $300 million between 2005 and 2012.
FirstBank warns customers some local ATMs had illegal “skimmers.” FirstBank notified an undetermined number of customers that their accounts may have been breached after the bank found skimming devices on ATMs inside grocery stores at University Blvd in Englewood, E. Ninth Avenue in Denver, and 30th Street in Boulder. The bank has issued new cards to users and older cards will no longer work starting September 15.
U.S. charges two more in multimillion-dollar text message fraud. Two men were charged on September 14 for allegedly helping a “cramming” scheme which involved charging thousands of unsuspecting mobile phone users $9.99 a month for unsolicited texts from 2011 to 2013, by using their positions as mobile aggregator executives to continue and protect the scheme. Six other suspects were previously charged in connection to the scheme.
The rise of repeated “low and slow” DDoS attacks. Neustar released research findings revealing an increase in small, repeated distributed denial-of-service (DDoS) attacks from 2014 to early 2015, with 54 percent of companies surveyed being hit by at least 6 attacks. Research also found that the duration of DDoS attacks is increasing, with 10 percent of attacks lasting about a week, among other findings.
Popular mobile travel apps have critical security issues: Report. Bluebox Security released report findings revealing that the top ten most popular mobile travel applications contain critical flaws, including failures to encrypt sensitive data stored on mobile devices, a lack of certificate pinning which leaves users vulnerable to man-in-the-middle (MitM) attacks, and a lack of anti-tampering measures, among other findings.
Cisco router break-ins bypass cyber defenses. Security researchers from FireEye discovered attacks in August across multiple industries and government agencies on three continents in which Cisco 1841, 2811, and 3825 routers were implanted with the sophisticated SYNful Knock malware, which can duplicate normal router functions and jump from router to router using device syndication functions. Researchers believe attackers accessed the devices by stealing valid network administration credentials or by gaining direct physical access.
TLS communications exposed to KCI attacks: Researchers. Security researchers from Research Industrial Systems Engineering revealed that a flaw in the Transport Layer Security (TLS) protocol could be leveraged to execute a Key Compromise Impersonation (KCI) attack, allowing a man-in-the-middle (MitM) attacker to take over client-side code running on a victim’s browser, intercept communications, arbitrarily replace Web site content, and perform actions on the victim’s behalf.
New malware can make ATMs not give users’ card back. Security researchers from FireEye reported that new ATM malware dubbed Suceful has the capability to read all credit and debit card track data and data from the card’s microchip, and to retain or eject an inserted card on demand. The malware can also be controlled via the ATM’s personal identification number (PIN) pad and may disable the device’s alarm and proximity sensors.
Area bank robber dubbed the ‘Teardrop Bandit’ suspected in pair of recent heists. East Providence, Rhode Island police arrested a suspect September 11 dubbed the “Teardrop Bandit” in connection to an August 18 robbery at a People’s Bank branch in Milford, Connecticut, and a September 9 robbery at a Citizen’s Bank branch in Wareham, Massachusetts. The suspect was recently released from prison for a series of bank robberies in New Hampshire and Massachusetts.
‘Bluto Bandit,’ suspected in Irvine and other bank robberies, is charged. FBI officials reported that a Rancho Cucamonga suspect dubbed the “Bluto Bandit” was arrested and charged September 10 in connection to 8 bank robberies across the Los Angeles, Orange, and San Bernardino counties between June 10 and August 12.
At least 100 fake credit cards connected to fraud scheme. Authorities in Barboursville, West Virginia, arrested 4 individuals they dubbed the “Chinese Mafia” the week of September 7 after finding over 100 fake credit cards and merchandise bought using stolen credit card information. Officials believe that the suspects, who are all from New England, are part of a larger organized crime ring, and that they skimmed card information using a pocket device while working at West Virginia area Chinese restaurants.
SEC charges five Arizona residents with stealing millions from investors to fund travel and entertainment sprees. The U.S. Securities and Exchange Commission charged 5 Arizona residents September 11 for allegedly defrauding 225 investors out of nearly $18 million by promising to use the funds for property acquisition and development in Mexico, to operate recycling facilities, and to purchase foreclosed properties for resale, while instead using the investments to fund their lifestyle. The suspects lied about the prospects and progress of investments and made Ponzi-like payments to investors who threatened litigation.
Three charged in major credit scam. Authorities arrested 3 New York men in Randolph County, North Carolina, September 4 after finding at least 200 fraudulent credit cards with international identifications as well as credit-card embossing equipment at an apartment in Randleman. The origin of the credit card numbers is under investigation.
Attackers use Google Search Console to hide website hacks. Security researchers from Sucuri discovered that cybercriminals have been using the Google Search Console to improve spam page search engine optimization (SEO) and to hide their presence on hijacked Web sites by receiving notification when hacks are detected, and by unverifying legitimate Web site owners.
CoreBot becomes full-fledged banking trojan. IBM researchers determined that the CoreBot trojan has evolved to become a full-fledged banking trojan and includes new features such as browser hooking, real-time form grabbing, a virtual network computing (VNC) module for remote control, and man-in-the-middle (MitM) functionality, among other features. The new CoreBot’s data theft routines have evolved, which has made the trojan similar to the Zeus, Dridex, and Dyre trojans.
Wall Street exec charged with manipulating stock prices. Officials arrested a New York financier September 10 for allegedly hiding his control of U.S. companies traded over-the-counter by using family members and employees to obtain shares, and for using a Beijing-based subsidiary to offer help to Chinese companies seeking to raise U.S. capital by arranging reverse mergers, allowing the Chinese companies to take control of U.S. shell companies. The financier manipulated stock prices by reportedly using two brokers to solicit customers to buy shares while discouraging sales.
Yokogawa patches serious flaws in ICS products. Japan-based Yokogawa Electric released patches addressing three critical flaws related to network communication functions affecting several of the company’s industrial control system (ICS) products. The remotely exploitable vulnerabilities include buffer overflows and a flaw that could allow an attacker to execute arbitrary code.
U.S. charges three in multibillion-dollar drug money laundering scheme. Three Colombian nationals were charged September 10 for their roles in a global money laundering network, in which a Guangzhou, China-based organization brought in at least $5 billion in drug proceeds from the U.S. and several other countries by using Chinese casinos, currency exchange houses, export companies, and factories to receive the proceeds. The money traveled through networks in Hong Kong and China and was used to purchase counterfeit goods that were shipped to other countries.
No patches available for flaws in Cisco security appliances. Cisco revealed that its content security management appliance (SMA) 7.8.0-000 and possibly other versions are affected by denial-of-service (DoS) vulnerabilities that can be exploited remotely by an unauthenticated attacker due to inadequate validation of user credentials for incoming hypertext transfer protocol (HTTP) requests. Customers were urged to apply workarounds while the company worked to release a software update addressing the vulnerabilities.
SEC charges BDO and five partners in connection with false and misleading audit opinions. The U.S. Securities and Exchange Commission September 9 charged national audit firm BDO USA and five of the firm’s partners for allegedly dismissing red flags and issuing false and misleading unqualified audit opinions about the financial statements of staffing services company General Employment Enterprises regarding $2.3 million purportedly invested in a 90-day nonrenewable CD. BDO agreed to pay disgorgement of its audit fees and interest totaling approximately $600,000 and pay a $1.5 million penalty in addition to complying with undertakings related to its quality controls.
SEC charges father, son, friend with insider trading in GE deal. The U.S. Securities and Exchange Commission charged three California men September 9 with alleged insider trading ahead of General Electric Co.’s $580 million merger with cancer diagnostics company Clarient Co. in 2010 after one of the men reportedly learned about the merger from a senior Clarient director. The three men agreed to pay a total of $169,485 in fines.
Bankrate to pay $15 million to settle SEC fraud charges. Bankrate Inc. agreed to pay $15 million in a settlement with the U.S. Securities and Exchange Commission (SEC) September 8 after its chief financial officer, former director of accounting, and former vice president of finance allegedly posted artificially inflated financial results in 2012, causing share prices to rise and allowing the chief financial officer to sell $2 million of company stock at inflated prices.
SAP updates patch twenty vulnerabilities. Germany-based enterprise software maker SAP updated 5 previously released patches and issued a new patch addressing 20 vulnerabilities, including 8 missing authorization checks, 6 cross-site scripting (XSS) bugs, an information disclosure vulnerability, a cross-site request forgery (CSRF) flaw, a remote code execution flaw, and a SQL injection flaw, among other issues.
PIN-changing, screen-locking Android ransomware. ESET researchers found a piece of ransomware that locks Android users out of their devices by changing the personal identification number (PIN), distributed by masquerading as an app for viewing adult videos. Once users download and install the malicious app, the LockerPin trojan prompts the user to install a patch for the app, which covertly activates Device Administrator privileges; the trojan then displays a message purporting to come from the FBI that asks the victim to pay a $500 fine to regain access to the device.
Russian hacking group uses satellites to hide C&C servers. Kaspersky Labs announced that the Turla advanced persistent threat (APT) group utilizes design flaws in older communications satellites, allowing the group to intercept Internet traffic and use it to hide the location of their command-and-control (C&C) servers. The group can reportedly launch man-in-the-middle (MitM) attacks and intercept traffic through satellite dishes located in areas where the unencrypted satellite links provide coverage.
Zimperium releases exploit code for testing against Stagefright vulnerability. Zimperium released its Stagefright exploit code and Python script, allowing security experts, phone vendors, and users to test if their devices are vulnerable to the Stagefright bug, which affects over 95 percent of all Android devices running versions 2.2 or higher.
DD4BC extortionist group launched over 140 DDoS attacks: Akamai. A report published by Akamai Technologies’ Prolexic Security Engineering and Response Team (PLXsert) found that the extortionist group DD4BC, which led distributed denial-of-service (DDoS) attacks against several organizations and demanded Bitcoin payments, launched a total of 141 attacks between September 2015 and August 2015, with 58 percent of attacks targeting financial service institutions. The report also found that the group now utilizes social media platforms to expose and threaten targeted organizations in addition to the DDoS attacks.
SEC charges video management company executives with accounting fraud. The U.S. Securities and Exchange Commission charged two former executives at KIT Digital September 8 with accounting fraud in connection to schemes in which the executives allegedly manipulated the company’s books and misled investors, including an off-the-books slush fund used to generate payments back to the company while creating a false appearance that the company was being paid for its products, among other deceptions.
SEC charges three RMBS traders with defrauding investors. The U.S. Securities and Exchange Commission charged three former Nomura Securities International residential mortgage-backed securities (RMBS) traders September 8 with fraud, alleging that the suspects misrepresented RMBS bids, offers, prices, and spreads, generating at least $7 million in fraudulent revenue. The suspects also allegedly invented phantom third-party sellers and fictional offers for bonds that the company already owned.
Microsoft patches Windows vulnerability exploited in the wild. Microsoft released security bulletins patching over 50 vulnerabilities, including a Win32k memory corruption flaw allowing privilege escalation that has been exploited in the wild, a kernel address space layout randomization (ASLR) bypass, a Windows Media Center remote code execution (RCE) vulnerability, a .NET Framework integer overflow, and a memory corruption flaw in the Edge and Internet Explorer Web browsers, among others.
Adobe patches critical vulnerabilities in Shockwave Player. Adobe released an update addressing two critical memory corruption vulnerabilities in its Shockwave Player for Microsoft Windows versions 126.96.36.199 and earlier that could allow an attacker to take control of an affected system and execute malicious code.
ICS flaw disclosures at high levels since Stuxnet attack: Report. Findings from a report published by Recorded Future revealed a dramatic increase in disclosed industrial control system (ICS) vulnerabilities since a 2011 Stuxnet attack targeting Iran’s nuclear facilities, including almost 50 new vulnerabilities discovered in 2015 through mid-July.
NETGEAR patches vulnerability in Wireless Management System. NETGEAR released a firmware update addressing a vulnerability in its WMS5316 ProSafe 16AP Wireless Management System running version 188.8.131.52 (Build 1236) in which an attacker could gain unauthorized access and escalate privileges by including a specific symbol in the password value for the system’s login.
Researcher discloses zero-day flaws in Advantech WebAccess. A security researcher discovered seven zero-day stack-based buffer overflow vulnerabilities affecting Advantech’s WebAccess software versions 8.0 and earlier used in human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems which an attacker could exploit for remote code execution.
Verified Play Store apps found to be spreading MKero malware. Security researchers from Bitdefender discovered malware dubbed MKero, present in at least seven Google Play Store apps, that evades detection and uses a CAPTCHA translation service to automatically sign users up for premium short message service (SMS) subscriptions.
Credit Suisse to pay $288 million in damages in Lake Las Vegas refinancing. Credit Suisse Group AG was ordered to pay $287.5 million in damages by a Texas district court to an affiliate of Highland Capital Management following an event in which the Zurich-based bank was found to have used inflated appraisals to convince the affiliate to refinance Lake Las Vegas resort in 2007. The Nevada resort community filed for Chapter 11 bankruptcy in 2008.
Vulnerabilities in WhatsApp web affect 200 million users globally. WhatsApp patched a vulnerability discovered by Check Point researchers that could potentially allow hackers to execute malware on users’ devices by sending the user a malicious vCard contact card containing an executable file that could distribute ransomware, bots, remote access tools (RATs), and other types of malicious code.
Webroot, Avira patch flaws in mobile security apps. Webroot and Avira Mobile Security released separate patches addressing vulnerabilities, including a secure sockets layer (SSL) certificate validation vulnerability in Webroot Mobile Protection for iOS versions 1.10.316 and prior that could have allowed a man-in-the-middle (MitM) attacker to obtain usernames, passwords, and other sensitive information. Avira Mobile Security patched a vulnerability in versions 1.5.7 and prior that allowed a MitM attacker to capture login information via an HTTP POST request.
Kaspersky patches critical vulnerability in antivirus products. Kaspersky Lab released an update addressing a buffer overflow vulnerability in the default configuration of the 2015 and 2016 versions of its antivirus products that could allow a successful exploit. Separately, a security researcher identified several vulnerabilities in FireEye products, including a command injection and a login bypass bug, that are being addressed by FireEye.
Ransomware risk from over 140 million websites, researchers warn. Security researchers found that hackers were using the Neutrino Exploit Kit (EK) to inject malicious scripts into outdated Web server software, potentially impacting 400 million users of 142 million legitimate Web sites running out-of-date versions of the WordPress content management system or outdated plugins.
Android pornography app takes pictures of users and blackmails them for cash. Zscaler researchers discovered an Android app dubbed Adult Player that is used as a platform to deliver ransomware to mobile device users by secretly taking the user’s picture while it loads an Android application package (APK) file where the malware code is hosted. The photograph is used inside the ransom message.
Mozilla bug tracker hacked, data about Firefox vulnerabilities stolen. Mozilla's bug tracker, Bugzilla, forced users with access to the bug tracker's private section to change their passwords and restricted access to the section after engineers found that the bug tracking application was compromised and that an attacker had used a privileged account to gain access to information about unpatched Firefox vulnerabilities.
More ATM “Insert Skimmer” innovations. U.S. and European security researchers reported recent trends in ATM skimming, including devices being planted via a hidden “insert skimmer” placed through the ATM’s card reader, “wiretapping attacks” in which devices are installed via holes drilled near the card reader entry throat, and the use of solid explosives to blow open cash machines in 11 countries.
Socialite found guilty of mail fraud got $55M from victims, Feds say. A former Wellington man was convicted September 3 on 15 Federal mail fraud charges for soliciting dozens of investors for about $55 million that would purportedly be invested in oil in the Middle East, which he instead used to finance his lifestyle. The suspect was previously ordered to pay $112 million in damages and civil penalties for selling fake investments.
Counterfeit crimes in Seal Beach found to be part of nationwide scheme. U.S. Secret Service and California police authorities arrested 8 suspected gang members in Seal Beach September 3 in connection to a national counterfeiting scheme in which perpetrators allegedly used fake bills for over 4,200 transactions totaling $100,000 nationwide since 2013. The source of the counterfeiting is under investigation.
Cisco patches flaw in data center management products. Cisco released software updates addressing a remotely exploitable JavaServer Pages (JSP) vulnerability in the company’s UCS Director and Integrated Management Controller (IMC) Supervisor products which could allow an unauthenticated attacker to use specially crafted HyperText Transfer Protocol (HTTP) requests to overwrite arbitrary files, resulting in instability or a denial-of-service (DoS) condition.
Flaws in OrientDB expose databases to remote attacks. The Computer Emergency Readiness Team (CERT) published an advisory warning of three vulnerabilities in OrientDB’s Community Edition, including a cross-site request forgery (CSRF) affecting the Web administration interface in which an attacker could perform actions with user privileges, an insufficient random value issue that could allow an attacker to gain administrative privileges to the database, and an improper input validation that could allow an attacker to create specially crafted pages to launch clickjacking attacks.
FortiClient antivirus fixes system-level privilege escalation bug. FortiClient antivirus client developers released an update addressing a privilege escalation bug in the software that could have allowed an attacker who had previously infected the system to gain unauthorized access to system-level privileges.
Consumers advised to check bills after credit card ‘skimming gadget’ found hidden in Baton Rouge gas station pump. A fraudulent card-reading device was found inside a Shell gas station pump at the corner of Tom Drive and Airline Highway in Baton Rouge August 31, the third device found within the area in the past 2 months. Investigators advised customers to check credit card statements for suspicious activity.
Heflin police uncover 180 credit/debit cards, ID theft tools during traffic stop. A Heflin police officer uncovered approximately 180 credit and debit cards, several fake driver's licenses, 3 laptops, a credit card encoder, a credit card embosser, fake checks, and several other potential identity theft tools during a traffic stop September 1. The case has been turned over to the U.S. Secret Service.
Lost $3.9M from fraud, bank reveals. The First National Bank in Walnut Ridge announced August 31 that it had been the victim of employee fraud or theft, resulting in the loss of $3.9 million. An investigation into the culprit is ongoing and officials believe the incident occurred over an extended period of time.
Man admits $279K theft from employer in wire fraud plea. A former employee of Grand Rapids-based IGA Abrasives LLC pleaded guilty to wire fraud September 1 in connection with the theft of $279,000 through fraudulent receipt submissions claiming reimbursement to IGA’s parent company, South Carolina-based S.L. Munson & Company, between January 2010 and November 2013.
Siemens patches vulnerability in RUGGEDCOM switches. Siemens released a firmware update addressing a vulnerability in the ROS operating system (OS) running on some RUGGEDCOM switches, which an attacker with access to a virtual local area network (VLAN) could exploit to bypass isolation and access devices on another VLAN.
Mobile gaming apps expose enterprise data: report. Veracode released findings from a report on gambling applications installed on mobile devices in corporate environments revealing that many gambling applications leave enterprise environments vulnerable to man-in-the-middle (MitM) attacks, Remote Access Trojans (RATs), fake certificates, and other types of attacks. The report attributed the vulnerabilities to applications’ use of weak encryption and pre-loaded adware.
Future Firefox, Chrome, IE, and Edge releases will not support RC4 encryption. Google, Mozilla, and Microsoft announced that RC4 encryption algorithm support will be removed from the companies’ Web browsers by late February 2016.
Google patches 29 vulnerabilities with release of Chrome 45. Google released Chrome 45 for Windows, Mac, and Linux, addressing 29 security issues including cross-origin bypass and use-after-free flaws, a character spoofing bug in the Omnibox address bar, and other medium-impact vulnerabilities. The update also disabled automatic Adobe Flash plugin ad support.
CoMo man pleads guilty to six bank robberies involving bike as a getaway. A Columbia, Missouri, man pleaded guilty August 31 to robbing 6 Columbia banks between November 2014 and January 2015, in which he used a bicycle as a getaway vehicle.
Intel: Criminals getting better at data exfiltration. Security researchers from Intel released findings from a report revealing that cybercriminals are using increasingly sophisticated techniques to exfiltrate pilfered data once systems are accessed, including compressing and disguising the data, leveraging Gmail and encryption, and leveraging graphics processors.
CERT warns of slew of bugs in Belkin N600 routers. The Computer Emergency Response Team Coordination Center (CERT/CC) issued an advisory warning of unpatched vulnerabilities in Belkin N600 DB Wireless Dual Band N+ routers, including insufficient randomization values for transaction identification, a man-in-the-middle (MitM) vulnerability that could allow an attacker to send arbitrary files to routers, and a global cross-site request forgery (CSRF) bug.
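Both the OrientDB advisory above and the Belkin N600 advisory cite "insufficient random values" for identifiers that are supposed to be unguessable (session or privilege tokens in one case, transaction identifiers in the other). The following added example, which is not from either advisory or vendor, shows why that matters for a 16-bit transaction ID space: an observer who has seen a few identifiers can predict the next one exactly when they come from a counter or a linear congruential generator, but gains nothing against IDs drawn from the operating-system CSPRNG. The generator constants and the observer models are constructed for illustration.

```python
from __future__ import annotations

import secrets
from typing import Callable, Iterator, Optional

ID_SPACE = 1 << 16  # 16-bit identifier space, the size used by DNS transaction IDs
# Constructed LCG constants; per Kerckhoffs's principle we assume the observer knows them.
LCG_A, LCG_C = 25173, 13849


def sequential_ids(start: int = 0x1234) -> Iterator[int]:
    """Weak scheme: each ID is the previous one plus one."""
    n = start
    while True:
        yield n % ID_SPACE
        n += 1


def lcg_ids(seed: int = 42) -> Iterator[int]:
    """Weak scheme: 16-bit linear congruential generator; the next ID is a fixed function of the last."""
    x = seed % ID_SPACE
    while True:
        x = (LCG_A * x + LCG_C) % ID_SPACE
        yield x


def csprng_ids() -> Iterator[int]:
    """Adequate scheme: IDs drawn from the OS cryptographic random source."""
    while True:
        yield secrets.randbelow(ID_SPACE)


Predictor = Callable[[list[int]], Optional[int]]


def stride_predictor(seen: list[int]) -> Optional[int]:
    """Observer model 1: assume a constant increment between consecutive IDs."""
    if len(seen) < 2:
        return None
    return (seen[-1] + (seen[-1] - seen[-2])) % ID_SPACE


def lcg_replay_predictor(seen: list[int]) -> Optional[int]:
    """Observer model 2: replay the (known) LCG step from the last observed ID."""
    if not seen:
        return None
    return (LCG_A * seen[-1] + LCG_C) % ID_SPACE


def hit_rate(ids: Iterator[int], predictor: Predictor, trials: int = 500, warmup: int = 3) -> float:
    """Fraction of trials in which the predictor guessed the next ID exactly.

    The observer first passively sees `warmup` IDs, then for each trial guesses the
    next one before it is emitted. A rate near 1.0 means the scheme is predictable;
    a rate near 1/ID_SPACE is what an ideal random source yields.
    """
    seen: list[int] = [next(ids) for _ in range(warmup)]
    hits = 0
    for _ in range(trials):
        guess = predictor(seen)
        actual = next(ids)
        if guess is not None and guess == actual:
            hits += 1
        seen.append(actual)
    return hits / trials


if __name__ == "__main__":
    print("counter  vs stride model :", hit_rate(sequential_ids(), stride_predictor))
    print("LCG      vs replay model :", hit_rate(lcg_ids(), lcg_replay_predictor))
    print("CSPRNG   vs stride model :", hit_rate(csprng_ids(), stride_predictor))
    print("CSPRNG   vs replay model :", hit_rate(csprng_ids(), lcg_replay_predictor))
```

The defender's takeaway is the same for session tokens, CSRF tokens and transaction IDs: an identifier that is derived deterministically from its predecessor or from a small seed is guessable regardless of how large the nominal space is, so generate such values from the platform CSPRNG (`secrets` in Python, `/dev/urandom` or the equivalent OS API elsewhere) and treat "insufficient randomness" findings as authorization bugs rather than cosmetic ones.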
5 charged in $30 million investment pyramid scheme. Five suspects were indicted August 27 for an investment pyramid scheme in which Hong Kong-based companies purportedly ran online children’s education courses, but instead solicited $30 million in investments from Chinese-Americans in Los Angeles, San Francisco, and New York.
New Mexico’s prosecutor charges State official with embezzlement. New Mexico’s Secretary of State was charged August 28 with embezzlement, money laundering, and campaign finance violations after an investigation revealed that she withdrew over $430,000 from bank accounts at 8 New Mexico casinos from 2013 to 2014, and authorities allege that she used campaign contributions for personal gain.
Russian-speaking hackers breach 97 Web sites, many of them dating ones. Security researchers from Hold Security discovered that hackers breached 97 Web sites between July and August after analysts found batches of stolen information including a list of Web sites and their vulnerabilities, notes, and large lists of email addresses and unencrypted passwords.
‘KeyRaider’ iOS malware targets jailbroken devices. Security researchers from Palo Alto Networks discovered that hackers have compromised over 225,000 Apple user accounts using malware called KeyRaider to target jailbroken devices. The malware steals account usernames, passwords, device identification codes, certificates, private keys, and purchase receipts, and was also observed being used as ransomware.
Vulnerability allowed hackers to hijack Smartsheet accounts. Smartsheet patched an insecure direct object reference vulnerability in its cloud application that could have allowed an attacker to hijack user accounts via the software’s “import users” feature. The application is used by over 65,000 businesses and 5 million users worldwide.
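An insecure direct object reference of the kind described in the Smartsheet item arises when a server trusts a client-supplied object identifier (here, the organization an "import users" request targets) without checking that the caller is allowed to act on that object. The following added example is constructed for illustration and is not Smartsheet's code; the organization store, session model and function names are assumptions. It shows the vulnerable handler beside a hardened one that binds the operation to the caller's own organization and role.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Org:
    """One tenant: who may administer it and which accounts belong to it."""
    owners: set[str]
    members: set[str] = field(default_factory=set)


@dataclass
class Session:
    """Authenticated caller, as established by login (constructed model)."""
    user: str
    org_id: str


def make_store() -> dict[str, Org]:
    """Constructed sample tenants; 'alice' owns org-acme, 'bob' owns org-globex."""
    return {
        "org-acme": Org(owners={"alice"}),
        "org-globex": Org(owners={"bob"}),
    }


def import_users_vulnerable(store: dict[str, Org], session: Session,
                            org_id: str, emails: set[str]) -> int:
    """IDOR: the target organization comes straight from the request.

    Any authenticated user can add accounts (including their own) to any
    organization whose identifier they can guess or enumerate, which is how
    an account-hijack style takeover of another tenant becomes possible.
    Returns the new member count of the targeted organization.
    """
    org = store[org_id]
    org.members.update(emails)
    return len(org.members)


def import_users_hardened(store: dict[str, Org], session: Session,
                          org_id: str, emails: set[str]) -> int:
    """Authorization check: the caller must be an owner of the org they name,
    and that org must be the one their session belongs to.

    The lookup happens before any state change, and a missing org is treated
    exactly like a forbidden one so the response does not leak which ids exist.
    """
    org = store.get(org_id)
    if org is None or org_id != session.org_id or session.user not in org.owners:
        raise PermissionError("not authorized to import users into this organization")
    org.members.update(emails)
    return len(org.members)


def demo() -> tuple[bool, bool]:
    """Returns (vulnerable_handler_allowed_cross_tenant_write, hardened_handler_blocked_it)."""
    store = make_store()
    alice = Session(user="alice", org_id="org-acme")
    import_users_vulnerable(store, alice, "org-globex", {"alice@example.test"})
    crossed = "alice@example.test" in store["org-globex"].members

    store = make_store()
    try:
        import_users_hardened(store, alice, "org-globex", {"alice@example.test"})
        blocked = False
    except PermissionError:
        blocked = "alice@example.test" not in store["org-globex"].members
    return crossed, blocked


if __name__ == "__main__":
    print(demo())  # expected (True, True)
```

When reviewing a feature like "import users", look for every place an identifier from the request body, query string or path selects the object being modified, and confirm that the handler re-derives or re-checks ownership from the session rather than from the client's claim.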
Hackers linked to Russian government impersonate EFF Web site to spread malware. Google security researchers discovered that hackers affiliated with Operation Pawn Storm were using spear phishing emails purporting to be from an Electronic Frontier Foundation domain to deliver a recently discovered Java zero-day exploit that would infect the affected system with Sednit malware.
Cisco ISE carries HTML authentication bug. Cisco discovered a vulnerability in its Identity Services Engine (ISE) in which an attacker could exploit a lack of access control for uploaded HyperText Markup Language (HTML) files to see custom pages an administrator has created, which can include sensitive network and security information.
IBM warns of new CoreBot stealer. Security researchers at IBM discovered a new threat dubbed “CoreBot” that uses a modular plugin system to steal local data from Web browsers, applications, File Transfer Protocol (FTP) clients, email clients, and other software after setting up a key in the Microsoft Windows Registry to maintain persistence. The malware also contains a domain generation algorithm (DGA), and can download and execute other threats through Windows PowerShell.