Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The internet offers the potential for safe, convenient new ways shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations or other emails you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers. Click Here for Information.
ATM and Gas pump skimming information. Click Here for Article.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
SEC charges Avon Products, Inc. with Fcpa violations. Avon Products Inc. agreed to pay $67 million in disgorgement and interest to settle charges filed December 17 by the U.S. Securities and Exchange Commission accusing the beauty products company of violating the Foreign Corrupt Practices Act (FCPA) by failing to put in place controls that could have detected and prevented $8 million in payments to Chinese government officials by employees and consultants at the company’s Chinese subsidiary between 2004 and 2008.
Data compromised at Union First Market Bank. Richmond-based Union First Market Bank stated that they shut off all ATM capabilities for their customers’ debit cards after discovering skimming activities that affected over 3,000 customers’ cards. Affected customers were being contacted by the bank and issued new debit cards.
Serious vulnerabilities found in Schneider Electric’s ProClima solution. An advisory from the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) December 16 warned that five vulnerabilities in the Schneider Electrica ProClima thermal management software were identified and reported by researchers and could be remotely exploited. The software is used in industries such as manufacturing, energy, and commercial facilities and affects ProClima versions 6.0.1 and earlier.
“USBdriveby” emulates mouse and keyboard to hijack computers. A researcher demonstrated an attack method known as USBdriveby that can use a USB-based microcontroller to emulate a mouse and keyboard to run several tasks including disabling security measures, opening backdoors, and changing DNS settings due to many systems trusting USB devices by default. The researcher tested the method on an OS X device but believes that it can be used on Windows and Unix operating systems, and the source code and operations for the attack were made public.
ICANN systems breached via spear-phishing emails. The Internet Corporation for Assigned Names and Numbers (ICANN) stated December 16 that it was compromised via spearphishing emails during November and attackers were potentially able to access Centralized Zone Data System (CZDS) files and salted and hashed user information and credentials. ICANN deactivated all CZDS passwords as a precaution and notified all potentially affected users.
Syrian Electronic Army hacks website of International Business Times. Hacktivists claiming affiliation with the Syrian Electronic Army group claimed responsibility for defacing the Web site of the International Business Times December 17.
Ars Technica readers urged to change passwords in wake of hack. Ars Technica advised its registered readers to change their passwords as a precaution after an attacker briefly gained access to one of the site’s Web servers December 14. The site stated that the attacker may have been able to access hashed email addresses and passwords.
Backdoor found in Android phones manufactured by Coolpad: Research. Researchers with Palo Alto Networks reported that at least 24 models of Android devices manufactured by Coolpad contained a backdoor that could active applications, install unwanted applications, and upload device information and location data.
Xsser malware targeting iOS, Android devices. Researchers with Akamai identified a new mobile remote access trojan (mRAT) known as Xsser that is spread through phishing and man-in-the-middle (MitM) attacks and can steal credentials, execute code, and hijack browser sessions on Android and iOS devices. The researchers found that the mRAT is being used by an organized group currently targeting specific devices and software vendors, software-as-a-service (SaaS) providers, and Internet service providers mainly in Asia.
Credit card fraud ring used over 3,800 stolen cards. Ten men from several States were indicted December 16 for allegedly running a payment card fraud ring that operated in at least 11 States, used over 3,800 stolen credit card numbers, and made fraudulent transactions totaling more than $1.7 million. The alleged ring would use the stolen payment card information primarily to purchase tickets to sporting and other entertainment events and then resell them.
Former Miami-area mayor found guilty in mortgage fraud scheme. The former mayor of North Miami was found guilty December 16 of participating in an $11 million mortgage fraud scheme and affinity scheme that targeted the local Caribbean community in order to recruit straw buyers. The former mayor was suspended from office in May 2014 after being indicted.
10-year-old “mailx” vulnerability fixed in Debian, Red Hat Enterprise Linux. The developers of Red Hat Linux and Debian released updates that addressed two vulnerabilities in the operating systems’ mailx utility for Unix systems that could have been exploited by local attackers to execute arbitrary commands by using maliciously-formed email addresses.
phpBB asking users to change passwords following hack. The developers of open source forum software phpBB shut down their network following a cyberattack December 14 after attackers potentially gained access to hashed and salted passwords. The developers asked users who had registered accounts on phpBB.com and area51.phpBB.com to reset their passwords as a precaution.
Researchers confirm multiple Google App Engine security sandbox bypasses. Researchers with Security Explorations were permitted by Google to continue their investigation of security issues in the Google App Engine (GAE) Java security sandbox and subsequently reported 16 proof-of-concepts (PoC) codes to Google for evaluation. The researchers stated that details of the issues would be reported after Google reviews them.
Researcher identifies XSS vulnerability affecting Citibank website. A security researcher identified and reported a cross-site scripting (XSS) vulnerability in a Web site belonging to Citibank that could allow the personal information, login credentials, and cookies of users and administrators to be stolen.
Banking trojan abuses Pinterest in C&C routines. Researchers with Trend Micro identified a variant of the BANKER malware known as TSPY_BANKER.YYSI that is currently targeting users of South Korean banking Web sites via redirection to a phishing site and accesses comments on the Pinterest social network instead of a command and control (C&C) server. The comments are decoded into IP addresses for the server hosting the phishing page.
CA Technologies fixes vulnerable CA Release Automation. CA Technologies released a patch for its CA Release Automation continuous delivery system that closes a cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection vulnerability in previous versions of the product.
Shellshock worm exploiting unpatched QNAP NAS devices. Researchers with the SANS Institute stated that network attached storage (NAS) devices manufactured by QNAP may still be vulnerable to attackers exploiting the Bash flaw that was patched previously due to the complexity and lack of automation in the patching process. The researchers published two hashes that have been used in recent attacks to perform click fraud against the JuiceADV advertising network.
Bail bondsman charged with writing fraudulent bonds. A Berks County bail bondsman and three other employees of Ace Bail Bonds were charged December 12 for allegedly writing $2 million in fraudulent bail bonds between August and September.
‘Play-Along Bandit’ sought by the FBI. The FBI asked for the public’s help in finding a suspect known as the “Play-Along Bandit” suspected in at least five Chicago bank robberies since October 18. The most recent robbery tied to the suspect took place at a Harris Bank branch December 7.
Court orders former managing director of the NASDAQ Stock Market to disgorge more than $898,000 in insider trading profits. A former managing director of the NASDAQ Stock Market was ordered to disgorge $898,107.92 in illicit profits plus interest for engaging in insider trading using nonpublic information entrusted to him by NASDAQ and listed companies ahead of nine announcements between August 2006 and July 2009.
SEC charges Manhattan-based attorney with conducting Ponzi scheme. The U.S. Securities and Exchange Commission filed charges December 12 against a New York City-based attorney for allegedly conducting a $5 million Ponzi scheme that purported to invest clients’ investments in an investment fund that the attorney was not in fact affiliated with. Parallel criminal charges were also filed by the U.S. Attorney’s Office for the Southern District of New York.
CloudFlare SSL certificate used for phishing scam. A researcher with Malwarebytes identified a new phishing email campaign that utilized a free CloudFlare certificate in order to make a malicious link appear more trustworthy. CloudFlare has since revoked the certificate.
Ursnif malware steals data, infects files in US, UK. Trend Micro researchers detected an increase in the number of Ursnif malware infections caused by a variant known as PE_URSNIF.A-O that is capable of infecting files as well as stealing passwords and other information. The largest number of the new infections were found in the U.S. and U.K.
Batten down the patches: New vuln found in Docker container tech. A security researcher identified an arbitrary code execution vulnerability in Docker that was introduced in a November patch and could be exploited by including malicious .xz binaries in image files. The developers of Docker released a new patch that closes the vulnerability, and all users were advised to apply the patch as soon as possible.
Upatre downloader spreading Dyreza banking trojan. Microsoft warned December 11 that the Upatre downloader is being used in a wire-transfer spam campaign to spread the Dyreza banking malware, mainly targeting victims in the U.S. and Canada. The malware is able to bypass encryption in order to steal online banking credentials and other data.
Hackable intercom lets you SPY on fellow apartment-dwellers. A researcher presenting at the Kiwicon security conference detailed how he was able to use several vulnerabilities in the GrandStream GXV3175 video intercom, including directory traversal and command injection flaws, to potentially spy on any resident in an apartment building equipped with the devices. The issues were patched by the manufacturer after the researcher reported them.
Microsoft pulls a patch and offers PHANTOM FIX for the mess. Microsoft took down an update included in its monthly Patch Tuesday release due to the patch causing issues on systems running Windows 7 Service Pack (SP1) and Windows Server 2008 R2 SP1. A second patch was then published to address the issue.
Malwarebytes anti-exploit upgrade mechanism vulnerable to MitM attacks. A Fox-IT researcher identified and reported vulnerabilities in consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier that could have left the security products vulnerable to man-in-the-middle (MitM) attacks and allowed the download of malicious content. The vulnerabilities were reported in July and August and patched in September and October.
Former TierOne Bank CEO indicted on fraud charges. The former CEO of Lincoln, Nebraska-based TierOne Bank was indicted on federal charges December 10 for allegedly concealing the failed bank’s financial condition to regulators by maintaining two sets of books and other documentation to conceal tens of millions of dollars in delinquent loans.
SEC announces fraud charges against Buffalo-based firm and co-owners accused of misleading investors in hedge fund. The U.S. Securities and Exchange Commission announced charges December 10 against Buffalo-based Reliance Financial Advisors and its two co-owners for allegedly directing investors to invest in a hedge fund run by a manager whose experience was greatly exaggerated, causing their clients to lose most of their $12 million in investments.
OphionLocker, the new ransomware on the block. Researchers with Trojan7Malware identified a new piece of ransomware known as OphionLocker that uses elliptic curve cryptography (ECC) to encrypt the data on victims’ systems and demand a ransom to decrypt the files. The ransomware was observed in the wild being spread by the RIG exploit kit in drive-by download attacks.
Elderly zombie Asprox botnet STILL mauling biz bods, says survey. A report by Palo Alto Networks found that the Asprox botnet (also known as Kuluoz) was responsible for around 80 percent of recorded attacks during October across almost 2,000 organizations in sectors including the healthcare, financial services, and retail industries. The botnet malware plants malicious code in vulnerable Web sites via SQL injection attacks and has been used in phishing, malware distribution, and other attacks.
Patch against critical flaw in HD FLV Player still leaves the plug-in vulnerable. A researcher with Sucuri reported that a recent patch closing a vulnerability that could have allowed unauthenticated arbitrary file downloads in the HD FLV Player component for Joomla, WordPress, and custom Web sites did not close a similar vulnerability that could allow an unauthenticated attacker to send out emails from an affected site.
FreeBSD developers VANQUISH Demon bug. Researchers with Norse identified and reported a vulnerability in FreeBSD that could have allowed an attacker to inject malicious code into systems running the software. The developers of FreeBSD released a patch after receiving the report, closing the vulnerability.
Black Energy malware may be exploiting patched WinCC flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an update to a previous alert concerning the Black Energy malware seen targeting human-machine interface (HMI) products, which stated that the malware may be exploiting vulnerabilities in the Siemens SIMATIC WinCC software that was patched by Siemens November 11.
Taxi app Uber plugs ‘privacy threatening’ web security flaw. Ride-sharing service Uber closed a cross-site scripting (XSS) vulnerability in its Web site after a security researcher identified and reported the issue. The vulnerability could have exposed users’ cookies, personal information, browser history, and authentication credentials.
Critical’ security bugs dating back to 1987 found in X Window. The developers of the X Window System for Linux and other Unix operating systems issued patches closing several vulnerabilities that could be exploited to crash the system or run malicious code as the root user after they were identified and reported by a researcher at IOActive.
Hackers breached payment solutions provider CHARGE Anywhere: Undetected since 2009. Electronic payment solutions provider CHARGE Anywhere stated December 9 that attackers had gained access to its network as early as November 2009 using a previously unknown and undetected piece of malware and were able to capture payment card data from some communications that did not have encryption. The company discovered the compromise September 22 and an investigation found that network traffic capture occurred between August 17 and September 24.
Red October cyber spy op goes mobile via spear-phishing. Researchers with Blue Coat and Kaspersky Lab identified and analyzed a cyber-espionage campaign that appears similar to the RedOctober campaign dubbed Cloud Atlas or Inception Framework that has been targeting the Android, iOS, and BlackBerry devices of specific users in the government, finance, energy, military, and engineering sectors in several countries via spearphishing. The malware appears to primarily be designed to record phone conversations and can also track locations, monitor text messages, and read contact lists.
Trihedral fixes vulnerability in SCADA monitoring and control software. Trihedral Engineering Ltd., released software updates for its VTScada (VTS) supervisory control and data acquisition (SCADA) software to close a vulnerability that could be used by an unauthenticated attacker to crash VTS servers. The software is used in industries including the energy, chemical, manufacturing, agriculture, transportation, and communications sectors.
Flash Player 220.127.116.11 fixes remote code execution bug exploited in the wild. Adobe released patches for six vulnerabilities in its Flash Player software, including a vulnerability reported by a researcher that could allow arbitrary code to be executed on affected systems. The arbitrary code execution vulnerability has been observed being exploited in the wild and all users were advised to update their versions of Flash Player as soon as possible.
SQL injection, other vulnerabilities found in InfiniteWP admin panel. A researcher with Slik identified and reported several vulnerabilities in the InfiniteWP administration application for WordPress Web sites, including SQL injection vulnerabilities that could be used by an unauthenticated attacker to gain control of WordPress sites.
Flaw in AirWatch by VMware leaks info in multi-tenant environments. VMware released an update for its AirWatch enterprise mobile management and security platform December 10 that closes vulnerabilities that could allow a user that manages a deployment in a multi-tenant environment to view the statistics and organizational information of another tenant.
Recursive DNS resolvers affected by serious vulnerability. The Computer Emergency Response Team Coordination Center (CERT/CC) reported December 9 that recursive Domain Name System (DNS) resolvers are vulnerable to an issue where a malicious authoritative server can cause them to follow an infinite chain of referrals, leading to a denial of service (DoS) state.
Third-party bundling made IBM products most vulnerable: Study. Secunia released a report on security vulnerabilities disclosed between August and October and found that vulnerabilities increased by 40 percent compared to the previous year to a total of 1,841 vulnerabilities in the 20 most vulnerable products, among other findings. The report also found that Google Chrome had the largest number of disclosed security issues, and that IBM was the most vulnerable vendor due to products being bundled with third-party software.
Microsoft releases critical IE security update on Patch Tuesday. Microsoft released its monthly Patch Tuesday round of updates for its products December 9, which included 7 security bulletins addressing 24 vulnerabilities. Three vulnerabilities were considered critical and affected Internet Explorer, Microsoft Word and Office Web Apps, and the VBScript scripting engine.
New version of Destover malware signed by stolen Sony certificate. Researchers at Kaspersky Lab identified a new variant of the Destover malware used in an attack on Sony Pictures Entertainment that uses a stolen, legitimate certificate from Sony. The malware is basically identical to previous versions except for the use of a certificate.
SEO poisoning campaign ensnares several thousand websites, security expert finds. A webmaster identified and researchers from Websense and High-Tech Bridge confirmed that several thousand legitimate Web sites hosted on GoDaddy and other services had been compromised to improve the search engine optimization (SEO) ranking of other sites by inserting links into the legitimate sites. GoDaddy stated that the company was investigating the issue.
Deutsche Bank sued by U.S. over alleged tax scheme. Federal charges were filed against Deutsche Bank December 8 seeking $190 million in taxes, interest, and penalties for the bank’s alleged use of three underfunded shell companies to evade U.S. taxes.
TD Bank settles Massachusetts data breach probe, to pay $625,000. TD Bank agreed December 8 to a settlement with the State of Massachusetts to pay $625,000 and improve security practices to resolve a probe of a 2012 data breach that exposed the personal information of more than 260,000 customers. The incident was caused by the loss of unencrypted back-up tapes in March 2012 and Massachusetts officials stated that the bank was too slow in reporting the breach to authorities in October.
Federal fraud charges filed against Copley man for $17 million Ponzi scheme with 70 victims. A Copley Township man who was a co-owner and operator of KGTA Petroleum Ltd., was charged December 8 for allegedly operating the company as a Ponzi scheme, defrauding 70 investors of around $17 million between 2010 and 2014. The man and others, including three PrimeSolutions Securities Inc. representatives, also allegedly failed to file appropriate documentation with the U.S. Securities and Exchange Commission for the company.
Former Arrow CEO indicted on 23 counts of bank, tax fraud. The former CEO of nationwide trucking company Arrow Trucking Co., pleaded guilty December 5 in federal court in Texas for allegedly conspiring with others to defraud the Internal Revenue Service and a Utah bank of $24 million in a fraud and tax evasion scheme that operated in 2009. The former CFO of the company previously pleaded guilty December 4 to tax fraud and bank fraud charges.
Newly discovered ‘Turla’ malware targets Linux systems. Kaspersky Lab researchers identified a piece of malware targeting Linux systems associated with the Turla advanced persistent threat (APT) group (also known as Uroburos or Snake) that is based on the cd00r proof-of-concept backdoor and is capable of hidden network communications, remote management, and arbitrary remote command execution. Previous versions of Turla malware have targeted Windows systems in government agencies, military groups, educational institutions, pharmaceutical companies, and other targets in more than 45 countries.
Fraud from bots represents a loss of $6 bln in digital advertising. The Association of National Advertisers and researchers with White Ops released a report December 9 which found that around 25 percent of video ads and 11 percent of display ads online are viewed by automated bots set up by cyber criminals to inflate Web site audiences. The researchers stated that such fraud could cost advertisers an estimated $6.3 billion in the next year.
POODLE attack also affects some TLS implementations. A researcher with Google reported that certain implementations of Transport Layer Security (TLS) with an SSL 3.0 decoding function can be exploited through POODLE attacks to decrypt sensitive information. The researcher identified the vulnerability in older versions of Network Security Services (NSS) as well as in Web sites administered by Bank of America with load balancing devices from A10 Networks and F5 Networks.
Info on millions of AliExpress customers could have been harvested due to site flaw. A security researcher identified and reported a flaw in the AliExpress online marketplace that could have allowed a logged-in user to exploit an insecure direct object reference vulnerability to view other users’ names, addresses, and phone numbers. Alibaba, parent company of AliExpress, closed the vulnerability after the researcher’s report.
Yik Yak flaw de-anonymizes user, allows control over account. SilverSky researchers identified and reported a vulnerability in the Yik Yak anonymous social media platform for iOS that could allow an attacker to discover the identity of a user and take over their account due to the Flurry advertising tool sending the app’s secure ID used by the app in the place of a password without encryption. The researchers reported the issue to Yik Yak and a patch was released in December.
New variant of Neverquest banking trojan targets North America. Researchers with IBM Trusteer reported December 5 that they have observed a new variant of the Neverquest banking trojan being used predominantly against financial institutions in North America, with some additional targets in the media, gaming, and social networking industries. The malware has been distributed by drive-by downloads using exploit kits as well as by the Chaintor and Zemot trojan downloaders.
Pizza orders reveal credit card scheme, and a secondhand market. Police in New York City conducted a sweep that led to 14 arrests November 13-14 after it was found that criminals using stolen payment card information were placing orders through a Domino’s mobile app in order to test which stolen card numbers were able to be charged to. Card numbers that were able to be successfully charged to were then used for larger fraudulent purchases. Source:
Hamilton County man arrested for investment scheme. A Hamilton County, Indiana man was arrested on criminal charges December 4 for allegedly operating his firm, Guaranty Reserves Trust LLC, as a fraud scheme that defrauded 16 investors of around $6 million from 2010 to 2013. The man was previously indicted on civil charges for the same alleged fraud.
Google App Engine plagued by tens of vulnerabilities: Researchers. Security Explorations researchers reported identifying several vulnerabilities in the Google App Engine platform-as-a-service (PaaS) product, including issues that could be used to achieve a complete sandbox escape. Google confirmed that it received the researchers’ report and was analyzing the reported issues.
Attackers knock PlayStation Network offline for hours. Sony Computer Entertainment America acknowledged that some users of its Sony Playstation Network (PSN) were unable to access the service for several hours December 7 due to an apparent attack. Attackers identifying themselves as the Lizard Squad group claimed credit for the disruption.
4 Miami residents accused of bank fraud arrested. Four individuals from Miami, Florida, were arrested December 4 on charges that they allegedly operated a bank fraud and payment card fraud operation that defrauded financial institutions of more than $100,000.
2 O.C. residents charged in $11M Ponzi scheme. The Orange County-based owner and operator of MBP Insurance Services Inc., and an agent at the company were charged December 3 for allegedly operating the company as a Ponzi scheme that defrauded victims of more than $11.3 million.
Striped hoodie bandit arrested in Huntsville, Ala., on Tuesday. A suspect known as the “Striped Hoodie Bandit” wanted for three bank robberies in North Carolina was arrested in Huntsville, Alabama, December 2. The suspect was wanted in connection to bank robberies in High Point, Asheboro, and Huntersville in North Carolina as well as for a convenience store robbery in the State.
‘Sign in with LinkedIn’ spoof allows baddies to penetrate Slashdot, NASDAQ.com and more. Researchers with IBM identified and reported a vulnerability that could have allowed attackers to gain access to Web sites that use MyDigiPass to enable logins using social media accounts due to LinkedIn and Amazon allowing the use of accounts without confirmed email addresses. The issue was closed before the findings were disclosed and affected Web sites including NASDAQ.com, Slashdot, Crowdfunder, and among many others
VMware warns of vCenter cross-site-scripting bug. VMware released six patches for vulnerabilities in its vCenter Server Appliance, one of which could allow cross-site scripting (XSS) attacks if a user is logged-in to vCenter and is tricked into clicking a malicious link or visiting a malicious Web page.
‘DeathRing’ malware found pre-installed on smartphones. Researchers with Lookout published a report that found that low-cost and counterfeit smartphones manufactured in Asia and Africa that come with a piece of pre-loaded malware known as DeathRing originates from China. The command and control server for the malware appears to be offline, and the malware could be used for SMS or browser phishing.
Details emerge on Sony wiper malware Destover. Kaspersky Lab researchers released a report analyzing the Destover wiper malware used in the recent attack on Sony Pictures Entertainment and stated that the malware appeared to use similar driver files and to have been developed on a similar timeline to the malware used in the Shamoon attack on Saudi Aramco and the DarkSeoul attack against South Korea in 2013.
Critical remote code execution flaw found in WordPress plugin. Researchers with Sucuri identified and reported a vulnerability in the WP Download Manager plugin for WordPress that could have allowed attackers to implant a backdoor or gain access to administrative accounts on vulnerable Web sites. The developers of WP Download Manager released an update to close the vulnerability the week of December 1.
Critical PayPal bug left all accounts vulnerable to hijacking. A security researcher identified and reported a cross-site request forgery (CSRF) vulnerability that could have been used with other flaws to allow an attacker to link their email address to a victim’s account by capturing a reusable authentication token that was valid for all PayPal accounts. The vulnerability was fixed by PayPal before the researcher publicly disclosed his findings, and the researcher was awarded $10,000 from PayPal’s Bug Bounty program.
Investigation reveals how Florida man ripped off DEA. A report from the U.S. Department of Justice’s Office of the Inspector General found that a now-deceased Jacksonville man who ran the FEBG Bond Fund operated the fund as a Ponzi scheme that defrauded around 130 individuals of over $30 million, more than half of whom were current or former Drug Enforcement Agency (DEA) employees or connected to DEA employees. The report found that some DEA personnel exercised poor judgment in giving the man access to DEA personnel and facilities and receiving gifts from the man.
Charlotte man pleads guilty to role in Wax House scheme. A Charlotte, North Carolina man pleaded guilty December 3 for his role in the $75 million Operation Wax House mortgage and investment fraud scheme in North Carolina and South Carolina. The man was charged with laundering over $200,000 in loan proceeds through his Perry Masonry Construction company and for working as a promoter to recruit straw buyers.
Big Blue patches big blooper in Endpoint Manager for mobes. IBM released a patch for its Endpoint Manager for Mobile Devices product that allowed attackers to gain remote access and compromise mobile devices connected to the network.
Asprox operators have started recruiting for a larger botnet. Researchers with Malcovery found that the operators of the Asprox botnet began a campaign using spam emails purporting to be order confirmation from major retailers such as HomeDepot, WalMart, CostCo, and Target in order to infect more users and expand the Asprox botnet.
Vulnerability in WhatsApp leads to losing conversations. Two security researchers reported and released a proof-of-concept (PoC) for a flaw in WhatsApp where an attacker could send a 2KB text containing special characters that would cause the app to crash unless the conversation thread is deleted. The researchers stated that the app affects WhatsApp versions 2.11.431 and 2.11.432 on Android devices.
DNSimple suffers downtime due to 25 Gbps DDoS attack. Florida-based DNS provider DNSimple reported that it experienced a distributed denial of service (DDoS) attack December 1 that peaked at 25 Gbps and lasted around 12 hours, causing outages for the company and its customers. The company stated that DNSimple was not targeted but was affected by the DDoS attack after domains already under attack were delegated to the company.
LastPass master password can be decrypted. Researchers presenting at the DefCamp 2014 conference during the November 29-30 weekend demonstrated how an attacker could use a man-in-the-middle (MitM) attack to trick users into running a malicious payload that could expose LastPass password manager passwords under certain conditions.
Former TigerDirect executives plead guilty to fraud. Two former senior executives at Miami-based electronics retailer TigerDirect pleaded guilty December 2 to securities and tax fraud charges in a $9.5 million bribery scheme that involved kickbacks from suppliers and concealing taxable income.
Two men plead guilty in check fraud ring. Connecticut authorities reported that a New Haven man and a man from North Carolina pleaded guilty December 1 and December 2 to running a stolen check cashing ring that successfully cashed 37 altered checks totaling $104,070.
Unauthorized intruders gain access to ART Payroll database. Payroll service American Residuals and Talent (ART Payroll) notified current and former customers that unauthorized intruders were able to gain access to its Web application October 18 and determined November 10 that customers’ personal and financial information may have been accessed. The information included names, addresses, dates of birth, Social Security numbers, bank account information, and other information.
Iranian CLEAVER hacks through airport security, Cisco boxes. Researchers with Cylance published a report on a suspected Iranian hacking group that has compromised a variety of targets including government and military systems, telecommunications companies, research facilities, airports, defense contractors, and utilities in a campaign dubbed Operation Cleaver. The researchers stated that the group compromised critical infrastructure assets and Cisco networking equipment but did not engage in manipulation of those systems.
Firmware update kills Lenovo Home Media Network HDDs. Here’s how to resurrect them. Lenovo stated that it was responding to customer reports of a firmware update causing its Home Media Network Hard Drive to fail to restart after installation of the update.
Lizard Squad announces DDoS attacks for Christmas time. Attackers claiming to be the Lizard Squad hacking group claimed responsibility for conducting a distributed denial of service (DDoS) attack against the Xbox Live network after users complained December 1 that they experienced issues connecting to the network.
Florida men plead guilty in St. Louis to fraud scheme. Two Miami, Florida men pleaded guilty December 1 in U.S. District Court in St. Louis to stealing personal information from over 400 people in 2011 and 2012 and using the information to file fraudulent tax returns seeking more than $2.25 million in refunds, leading to around $500,000 in losses.
FBI investigating Sony Pictures hack possibly linked to leaked footage of ‘Annie,’ Mr. Turner’ movies. Sony Pictures Entertainment issued a statement December 1 confirming that the company is continuing to respond to issues created by a cyberattack that occurred during the week of November 24. The FBI confirmed that the agency is investigating the incident.
OpenVPN versions released since 2005 affected by critical flaw. The developers of the open-source virtual private network software OpenVPN released a new version of the software to address a critical denial of service (DoS) vulnerability which could allow authenticated attackers to cause servers to crash. The vulnerability affects all OpenVPN 2.x versions released since 2005 as well as OpenVPN Access Server versions prior to version 2.0.11.
Mozilla fixes vulnerabilities, disables SSL 3.0 in Firefox 34. Mozilla released the latest version of its Firefox browser, Firefox 34, closing three critical vulnerabilities and five others, as well as disabling Secure Sockets Layer (SSL) 3.0 support to protect users against POODLE attacks.
FIN4 attack group targets firms for stock market profit. FireEye researchers published a report on a group of attackers known as FIN4 that have targeted high-level figures at various financial services companies, advisory firms, and regulators in order to obtain inside information on business decisions for possible use in stock trading. The group has been active since mid-2013 and uses visual basic applications (VBA) macros in Microsoft Word documents and links to fake Outlook Web App login pages in order to obtain user names and passwords.
Officials seize 292 domain names to protect consumers during holiday season. U.S. authorities, Europol, and law enforcement agencies in 19 countries seized 292 domain names as part of a coordinated operation to shut down Web sites selling counterfeit goods in order to protect consumers, Europol reported December 1.
Syrian Electronic Army Thanksgiving hack of Microsoft, NBC, Dell, Forbes used Gigya comment platform. The creators of the Gigya comment platform announced that they closed a vulnerability in the product that allowed attackers claiming affiliation with the Syrian Electronic Army hacktivist group to place pop-up messages on the Web sites of several major technology, news, and other entities November 27. The attackers took advantage of GoDaddy to alter Gigya’s Domain Name System (DNS) in order to place the messages.
Weather.com fixes web application vulnerabilities. The Weather Channel fixed a Web application security issue on its Web site after a student researcher identified and reported the issue which made most links from the Web site vulnerable to cross-site scripting (XSS) attacks.
Man pleads guilty to selling StealthGenie spyware. A Danish citizen pleaded guilty in federal court November 25 and was ordered to pay a $500,000 fine for advertising and selling the StealthGenie mobile device spyware.
Hacking Team surveillance malware masquerades as legitimate bookmark manager. The developers of the Detekt tool reported that the Remote Control System (RCS) surveillance malware developed and sold by Italian company Hacking Team was found disguised as the legitimate Linkman bookmark management application. The certificate signing the malware was found in two fake Linkman samples containing RCS as well as in a third malware sample, and the certificate was revoked by its issuing authority.
DoS vulnerability found in MatrikonOPC Server for DNP3. MatrikonOPC released updates for its OPC Server for DNP3 industrial connectivity devices to close a denial of service (DoS) vulnerability which could be exploited remotely by an attacker to cause a loop in the application until manually restarted. The product is used in industries including the energy and chemical sectors and users were advised to update their installations or use a workaround until the patch can be applied.
Fraud service uses charity websites to validate stolen credit card data. Researchers with PhishLabs reported November 21 that it had found online fraudsters using a bot and an IRC channel to conduct transactions on the Web sites of charity or non-profit organizations in order to test the validity of stolen payment card information and related personal information.
Symantec uncovers stealthy nation- state cyber attack platform. Symantec researchers reported the discovery of a piece of sophisticated cyber espionage malware dubbed Regin that works as a backdoor to steal information from compromised systems and appears to have been created by a nation-state actor. The malware is modular in design and has predominantly targeted small businesses, individuals, and telecoms companies, as well as the hospitality, energy, and airline industries and research organizations.
Sony quietly POODLE-proofs Playstations. Sony released a patch for its Playstation 3 and Playstation 4 gaming consoles that adds Transport Layer Security to the consoles’ apps and browsers and removes the use of SSL 3.0 to protect against POODLE attacks.
Facebook bug remains unpatched, risk is partially mitigated. A researcher who reported a flaw in Facebook that could allow posting to a user’s timeline without permission in 2013 reported that the proof-of-concept for the attack still works in some cases where certain third-party Facebook apps do not implement the new content share model Facebook developed to address the issue.
Attackers using compromised Web plug-ins in CryptoPHP blackhat SEO campaign. Researchers with Fox-IT identified a group of attackers using compromised WordPress themes and plugins to deliver a piece of malware dubbed CryptoPHP that engages in fraudulent search engine optimization (SEO) operations. The malware can also inject content into sites using the compromised plugins and themes, update itself, and perform other tasks.
Developers fix XSS vulnerability in jQuery Validation Plugin script. The developers of the jQuery Validation Plugin issued a fix for a vulnerability present in the plugin’s demo code that could have allowed an attacker to engage in session hijacking using a reflected cross-site scripting (XSS) attack. The code appeared to be first reported in 2007.
Angler exploit kit adds new Flash exploit for CVE-2014-8440. A security researcher reported that the Angler exploit kit has been equipped with an exploit for the CVE-2014-8440 vulnerability in Adobe Flash that can be used to take control of target systems. The vulnerability was patched by Adobe November 11 but unpatched systems remain vulnerable.
Drupal patches denial of service vulnerability; details disclosed. Researchers who identified a denial of service (DoS) vulnerability in the Drupal content management system published details of the vulnerability that could also expose user names following the release of a patch by Drupal November 19 to close the vulnerability.
Chrome 39 includes 42 security fixes, disables fallback to SSL 3.0. Google released version 39 of its Chrome browser, closing 42 security issues, 11 of which were rated as high-severity, adding features, and disabling fallback to SSL 3.0 which could be exploited in POODLE attacks.
FTC gets federal court to shut down $120M tech support scam. The Federal Trade Commission (FTC) announced November 19 that a federal court granted its request to temporarily shut down two telemarketing operations that allegedly defrauded consumers out of more than $120 million by convincing them to grant the marketers remote access and deceiving them into paying for services and products to solve nonexistent computer problems. The companies involved include PC Cleaner, Boost Software, and Inbound Call Experts, and the defendants are the targets of separate cases filed by the FTC and the State of Florida.
Privilege escalation risk fixed in Android Lollipop, lower versions vulnerable. A researcher who identified and reported a flaw in the Android operating system that could allow an attacker to execute arbitrary code released a proof-of-concept for the vulnerability following the November 3 release of a patch that closes the vulnerability in Android Lollipop (also known as Android 5.0). The vulnerability is still present on previous Android versions.
Citadel variant targets password managers. Researchers with IBM Trusteer notified the makers of the nexus Personal Security Client, KeePass, and Password Safe password managers that a new variant of the Citadel malware is targeting the three services in an attempt to steal users’ logins and passwords.
Advanced variant of “NotCompatible” Android malware a threat to enterprises. Researchers with Lookout identified a new variant of the NotCompatible Trojan for Android dubbed NotCompatible.C which includes several changes to avoid detection by security software, including encrypted communications and geographically distributed command and control (C&C) servers. The malware is being spread by spam emails and compromised Web sites and acts as a proxy on infected systems.
Microsoft fixes critical Kerberos flaw under attack with out-of-band patch. Microsoft released an out-of-band patch November 18 to close a vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to domain administrator privileges. The vulnerability has been exploited in limited, targeted attacks and users were advised to apply the patch as soon as possible due to the critical nature of the vulnerability.
Apple releases OS X Yosemite and iOS updates. Apple released updates November 18 for its OS X Yosemite operating system and iOS 8 mobile operating system, adding improvements and closing an unlimited passcode attempt vulnerability in iOS 8.
Flashpack exploit kit uses ad networks to deliver Cryptowall, Dofoil malware. Trend Micro researchers identified a malicious advertisement campaign that uses free ads to attempt to redirect users to a page hosting the Flashpack exploit kit, which then attempts to serve a variant of the Dofoil Trojan or the Cryptowall ransomware.
Legit Windows Phone apps can be replaced by malicious ones through copy/paste. A researcher reported that rogue versions of legitimate apps can be installed onto Windows Phone mobile devices after the installation of the legitimate app by replacing the files with the rogue app files.
BusyBox devices compromised through Shellshock attack. Researchers with Trend Micro identified a new version of the Bashlite malware that identifies devices on an infected system’s network that use the BusyBox software for Linux, including routers, and can then attempt to compromise them using the Shellshock vulnerability.
Steam password stealer is stored on Google Drive. A researcher with Panda Security analyzed and reported a piece of malware designed to steal passwords for the Steam gaming service that is being delivered from a Google Drive account. The account was still active when the researcher reported the malware November 16 and targets victims via a fraudulent link in Steam chat that downloads an executable file.
WinShock PoC clocked: But DON’T PANIC… It’s no Heartbleed. Researchers released a proof-of-concept (PoC) exploit for a SChannel crypto library flaw that was patched the week of November 10 in a Microsoft patch release. The flaw can still be exploited in unpatched Windows Server 2012, 2008 R2, and 2003 installations to run arbitrary code.
Attack reveals 81 percent of Tor users but admins call for calm. A paper released by researchers at the Indraprastha Institute of Information Technology outlined a traffic confirmation attack method that the researchers stated could be used to identify users of the Tor anonymity network in 81 percent of cases if an attacker has sufficient resources.
Alleged creators of WireLurker malware arrested in China. Authorities in China arrested three individuals for allegedly creating and distributing the WireLurker malware targeting Mac OS X, iOS, and Windows devices and shut down the Web site used to distribute the malware.
Majority of top 100 paid iOS, Android apps have hacked versions: Report. Arxan Technologies released their annual State of Mobile App Security report which found that there were cloned or repackaged versions of 97 percent of the top 100 paid Android apps and 87 percent for top 100 paid iOS apps, and that repackaged or cloned financial services apps existed for 95 percent of apps on Android and 70 percent in iOS, among other findings.
New variant of Dofoil trojan emerges with strong evasion features. Fortinet researchers identified a new variant of the Dofoil botnet malware that contains several changes aimed at preventing the malware from being detected and analyzed.
New encryption ransomware offers file decryption trial. Researchers at Webroot identified a new piece of encryption ransomware dubbed CoinVault that encrypts victims’ files using AES-256 encryption, demands a ransom, and offers a free trial of the decryption performed if a ransom is paid.
Google misses trojan SMS app in Play Store for more than a year. An SMS trojan named Thai Fun Content was identified by Malwarebytes researchers on the Google Play Store and was available for download for over 1 year. The app subscribes victims to a paid SMS service and charges victims $0.37 per day.
Mobile Pwn2Own 2014: iPhone 5s, Galaxy S5, Nexus 5, Fire Phone hacked. Researchers participating in the Mobile Pwn2Own mobile device hacking competition in Tokyo November 12-13 were able to compromise several popular smartphones and mobile devices, achieving a full sandbox escape on an iPhone 5s, successful near field communications (NFC) attacks on the Galaxy 5S, and several other successful compromises.
Coast Guard contractor pleads guilty to stealing personal information. A Pawcatuck man who ran a computer repair business and also worked as a contractor for the U.S. Coast Guard pleaded guilty November 12 to stealing personal information and data over 250 times from computers and other devices brought to him for repairs.
18-year-old remotely exploitable vulnerability in Windows patched by Microsoft. Microsoft released a patch November 11 for a data manipulation vulnerability that has existed in Windows operating systems starting with Windows 95. Researchers with IBM’s X-Force discovered and reported the vulnerability in May, which could have been used by attackers to gain control of affected systems for the last 18 years.
Microsoft patches Windows, IE, Word, SharePoint and IIS. Microsoft released its monthly Patch Tuesday round of updates for its products, which includes 14 bulletins including one patching a zero-day vulnerability in the Windows OLE packager for Windows Vista and newer Windows operating systems.
18 critical vulnerabilities patched in Flash Player 18.104.22.168. Adobe released a new version of its Flash Player software, closing 18 critical security issues, 15 of which could allow an attacker to execute arbitrary code.
Google DoubleClick down, leaving sites ad-free. The Google DoubleClick for Publishers service experienced an outage November 12, preventing ads from being displayed on several Web sites. Google stated that the company was working to resolve the issue.
Air-gapped systems targeted by Sednit espionage group. Researchers with ESET stated that the Sednit espionage group (also known as APT28 or Sofacy) have employed a tool known as Win32/USBStealer since at least 2005 that can exfiltrate data from air gapped systems. The tool is added to a compromised system connected to the Internet and then plants the tool on any removable storage device, collects information on the air gapped system, and then transmits it back to the attackers whenever the storage device is next connected to an Internet-connected system.
Uroburos espionage group is still active, relies on new remote access trojan. G Data researchers found that the Uroburos espionage group (also known as Turla or Snake) remains active and is using two similar versions of a new remote access trojan (RAT) known as ComRAT that includes increased obfuscation and anti-analysis capabilities.
SQL injection vulnerability patched in IP.Board forum software. Invision Power Services released patches for its IP.Board forum software November 9, closing a SQL injection vulnerability several hours after its discovery on versions 3.3.x and 3.4.x.
iOS security issue allows attackers to swap good apps for bad ones: FireEye. Researchers with FireEye identified a new attack dubbed a Masque Attack that can allow attackers to replace a legitimate iOS app with a malicious one if both applications use the same bundle identifier. Victims targeted by the attack must be lured into installing the malicious app which can then be replaced by the malicious app on jailbroken and non-jailbroken iOS devices.
Darkhotel attackers target business travelers via hotel networks. Kaspersky Lab researchers identified an advanced persistent threat (APT) group dubbed Darkhotel APT that has targeted travelers in the Asia-Pacific region in addition to the U.S. using malicious hotel WiFi networks, spear phishing, and malicious torrent files. The group’s hotel attacks involve prompting users with a software update notice that installs a backdoor, and the group has targeted guests associated with industries and sectors including government organizations, the defense industry, energy industry, pharmaceutical industry, electronics manufacturers, medical providers, and non-governmental organizations.
BrowserStack HACK ATTACK: Service still suspended after rogue email. Browser testing service BrowserStack stated that it was temporarily suspending service to recover after an attacker managed to gain access to a list of email addresses and the company’s official email account, using it to send out a fake message to developers.
Emoticons blast three security holes in Pidgin :-(. Researchers at Cisco reported that the instant messaging client Pidgin contained three security vulnerabilities that could have allowed attackers to overwrite files or cause a denial of service (DoS) situation. The vulnerabilities have since been patched.
Belkin flings out patch after Metasploit module turns guests to admins. Belkin recently released a patch for its N750 dual-band router to close a vulnerability demonstrated in a Metasploit module that could allow attackers on guest networks to gain root access. Users were advised to update their firmware to close the vulnerability.
WireLurker: Apple blocks Trojanized apps, revokes certificate. Apple stated that it blocked apps identified as containing the WireLurker malware for OS X and iOS and revoked the certificate used to sign the malware.
Metasploit module released for new UXSS vulnerability in Android browser. An independent researcher in coordination with Rapid7 identified and reported a universal cross-site scripting (UXSS) vulnerability in the default Android browser that could allow an attacker to scrape page contents and cookie data. A Metasploit module for the vulnerability was released, and although Google fixed the issue September 30 many Android users may not receive the fix due to lack of Android version updates.
After Silk Road 2, global law enforcement seizes other dark markets. U.S. and European law enforcement agencies undertook joint action against several other underweb marketplaces following actions against the Silk Road 2.0 marketplace, resulting in 17 arrests and the takedown of over 410 hidden services. Authorities also seized around $1 million in cash, illegal drugs, and precious metals.
Cisco patches three out of four buggy small business RV series routers. Cisco posted an advisory November 5 stating that three vulnerabilities in four routers intended for small business use could allow attackers to execute arbitrary commands and upload files to the devices. The company issued patches for the RV120W Wireless-N VPN Firewall, RV180 VPN Router, and RV 180W Wireless-N Multifunction VPN Router, while a patch for the RV220W Wireless Network Security Firewall is expected by the end of November.
Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud. A researcher stated that he was able to replicate the MD5 hash collision method used in the Flame cyberespionage attacks using a GPU instance on Amazon Web Service to cause two images to have the same MD5 hash. The method was used in the Flame campaign to cause compromised Windows Update certificates to be recognized as valid on targeted systems, allowing malware to be downloaded undetected.
New technique makes phishing sites easier to create, more difficult to spot. Trend Micro researchers identified a new phishing site technique targeting an e-commerce site that uses a proxy to relay user traffic to a legitimate site and then redirects users to a phishing site once they make a purchase and enter payment information. The method was observed in an attack on an online store in Japan but could be used for other sites.
Compromised EDU domain used to send out ZeuS-laden emails. Researchers with PhishMe detected a spam email campaign distributing the Zeus (also known as Zbot) information-stealing Trojan through email addresses belonging to an undisclosed U.S. educational organization with around 25,000-30,000 enrolled students.
Spin.com redirects to Rig Exploit Kit, infects users with malware, Symantec observes. Symantec researchers stated November 4 that the music news Web site Spin.com was redirecting users to a page hosting the Rig Exploit Kit October 27 and that the issue has been closed. The researchers were unsure of how the compromise occurred but found that the attackers injected an iFrame into the site in order to redirect visitors.
New version of Backoff PoS malware appears: Fortinet. Researchers with Fortinet recently reported finding a new version of the Backoff point-of-sale (PoS) malware with the version name ROM that includes changes designed to make the malware more difficult to detect and analyze.
BlackEnergy cyberespionage group targets Linux systems and Cisco routers. Researchers with Kaspersky Lab reported that the cyberespionage group that uses the BlackEnergy malware has developed several modules for the malware that can be downloaded to infected systems to add the ability to perform port scanning, disk wiping, digital certificate theft, and other actions. The malware has compromised routers, Linux systems, and Windows systems and the group behind it targets organizations in the energy, manufacturing, banking, and education sectors as well as government agencies.
227,747 new malware samples created daily. PandaLabs reported that around 20 million new strains of malware were created during the third quarter (Q3) of 2014, with Trojans the most common type of malware at 78.08 percent, among other findings.
Upatre malware dropper sent to Bitstamp exchange users. Researchers with ThreatTrack identified an email campaign targeting users of the Bitstamp digital currency exchange that uses sophisticated social engineering to attempt to trick users into opening an attachment containing the Upatre malware dropper. The dropper then adds the Dyre (also known as Dyreza) banking malware to compromised systems.
VMware: Yep, ESXi bug plays ‘finder’s keepers’ with data backups. VMware confirmed an issue reported by users of its ESXi 4.x and ESXi 5 hypervisor where virtual machines with Changed Block Tracking (CBT) enabled and that have been increased in size by more than 128GB show an inaccurate list of allocated virtual machine disk sectors, which could cause backed-up data to be unrecoverable. VMware recommended that users disable and then re-enable CBT and stated that the company is working on a permanent solution.
Researchers notice uptick in ‘Poweliks’ Trojan infections. Symantec researchers observed an increase in reported Poweliks Trojan infections, with the malware delivered by spam emails, exploit kits, and a spam campaign that impersonates the U.S. Postal Service and Canadian Post.
New RAT hijacks COM objects for persistence, stealthiness. Researchers at G DATA Software’s SecurityLabs identified a new remote access Trojan (RAT) dubbed COMpfun that hijacks legitimate Component Object Model (COM) objects to evade detection by security software. The RAT is capable of executing code, logging keystrokes, downloading or uploading files, and other tasks.
Phishing attack leads to title firm breach. Fidelity National Financial notified an unspecified number of customers that personal and financial information including payment card, driver’s license, and Social Security numbers may have been compromised when attackers gained access to employees’ email accounts via a phishing attack. The company stated that an investigation showed that the attackers’ goal was to obtain information in order to redirect scheduled money transfers.
RIG Exploit Kit used in Drupal CMS exploit incidents. RiskIQ researchers observed the RIG Exploit Kit being used in attacks that exploit a critical SQL injection vulnerability in the Drupal content management system (CMS) to redirect users to the exploit kit. The researchers found that all instances of the exploit kit are hosted on a machine at a Selectel datacenter in Russia.
iOS app vulnerability exposed GroupMe accounts. A researcher identified and reported vulnerability in the GroupMe app for iOS that could have allowed an attacker to hijack the account of another user due to the sign-up process for new accounts lacking rate limiting or a security lockout mechanism on a phone number verification process. The issue was reported August 28 and patched September 17, and the researcher stated that there was no evidence it was exploited before being fixed.
Android dialer hides, resists attempts to remove it. Researchers with Dr. Web identified a malicious dialer for Android dubbed Android.Dialer.7.origin that places calls to a paid service at regular intervals after infecting devices disguised as an app. The malware attempts to hide itself by deleting its shortcut, disabling the device earpiece during calls, and removing evidence of the calls from the call and system logs.
Danish court finds Pirate Bay cofounder guilty of hacking CSC servers. A court in Denmark found a cofounder of the Pirate Bay Web site guilty of working with an anonymous accomplice to compromise servers belonging to U.S. Company CSC that contained data for European governments between February and August 2012.
Advisory of “Shellshock” Vulnerability
On September 24, 2014, multiple security experts began reporting on a security vulnerability, Shellshock, which affects an application called Bash.
1. Bash, which stands for the GNU Bourne Again Shell exists in the GNU Operating System (free software) that is distributed with most versions of Linux and Unix free software;
2. Could enable attackers, without authentication, to obtain information, modify authentication parameters, and disrupt service; and
3. Is currently given the highest possible ratings (“10”) for Severity, Impact, and Exploitability based on the Common Vulnerability Scoring System (CVSS).
In response, it is recommended that business clients work with their IT professionals to:
1. Identify, filter and block internet protocol (IP) addresses that may be maliciously scanning systems.
2. Review all systems and services to identify any systems that may be vulnerable to this exploit.
3. Actively work to identify effective patching for this vulnerability, and patch any systems and services that are vulnerable.
Shellshock known vulnerabilities and vendor statues: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4
Vulnerability found in firmware update process of ASUS routers. A researcher identified and reported a vulnerability in ASUS RT-series routers that could have allowed attackers to use a man-in-the-middle (MitM) attack to trick users into downloading older, vulnerable firmware versions or potentially malicious code due to the firmware request being sent in HTTP instead of HTTPS. ASUS closed the vulnerability in its 22.214.171.124.367.1123 update.
‘Replay’ attacks spoof chip card charges. Three undisclosed U.S. banks reported receiving fraudulent payment card charges emanating from Brazil that disguise the fraudulent charges as charges using the Europay, MasterCard, and Visa (EMV) chip-and-pin system even though the banks have not yet issued EMV cards. The attacks disguised the charges as originating from EMV cards since some banks with misconfigured systems may not use the full range of security checks on EMV card transactions.
Tor exit node found maliciously modifying files. A researcher with Leviathan Security Group identified and reported an exit node on the Tor network that wraps binary files with malware as the files move through the node. The Tor Project stated that they set a “BadExit” flag on the node to protect users after it was reported
Backoff PoS malware boomed in Q3. Damballa released a report which found that detections of the Backoff point-of-sale (PoS) malware increased by 57 percent between August and September.
iMessage SPAM floods US mobile networks. CloudMark researchers reported that China-based designer goods counterfeiters are using the Apple iMessage platform to spam users with advertisements, the largest mobile spam campaign in the U.S. so far this year and accounting for over 80 percent of all reported mobile messages in the U.S.
Cisco fixes 3-year-old vulnerability affecting security appliances. Cisco released patches to close a vulnerability in its AsyncOS used in several of the company’s security appliances that could allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The vulnerability affects all models of Cisco Email Security Appliances (ESA), Cisco Web Security Appliances (WES) and Cisco Content Security Management Appliances (SMA) running affected versions of AsyncOS.
Adobe Digital Editions now encrypts data collected from users. Adobe stated that its Adobe Digital Editions ebook software would begin using encryption to send data on users to Adobe’s servers starting October 23. Researchers previously discovered the transmission of user data and found that it was not encrypted, posing a security risk.
Akamai sees record-setting spikes in size and volume of DDoS attacks. Akamai released their Q3 2014 State of the Internet report and found that distributed denial of service (DDoS) attacks increased in average bandwidth by 389 percent over the past year, among other findings.
CryptoWall 2.0 delivered through malvertising on Yahoo and other large sites. Proofpoint researchers observed a recent campaign using malicious advertisements on Yahoo, 9gag, and other popular Web sites to deliver the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. The exploit kit exploits vulnerabilities in Adobe Flash Player to deliver the ransomware that encrypts users’ files and demands a ransom to decrypt them.
1.2 million Networking devices vulnerable due to NAT-PMP issues. A security researcher with Rapid7 reported October 21 that the company identified around 1.2 million Internet-connected devices that are vulnerable to various attacks due to poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP). The vulnerabilities could allow attackers to perform denial of service (DoS) attacks, intercept traffic, or perform other malicious actions.
Apple warns users of attack targeting iCloud site. Apple confirmed reports of man-in-the-middle (MitM) attacks against its iCloud service that employed an insecure certificate and advised users not to dismiss browser warnings regarding the security of content. The attacks trigger warnings in the Chrome and Firefox browsers but not in Qihoo, the most popular Web browser in China.
Windows zero-day exploited in targeted attacks through PowerPoint. Microsoft reported that it has observed limited targeted attacks exploiting a zero-day vulnerability in the company’s Object Linking and Embedding (OLE) technology which could allow an attacker to perform remote code execution if a user opens a specially-crafted Microsoft Office file. The vulnerability affects all current Microsoft Windows releases except Windows Server 2003 and Microsoft advised users to apply a series of workarounds until a patch can be released.
Koler worm spreads via SMS, holds phones for ransom. Researchers at AdaptiveMobile identified a new variant of the Koler worm for Android that spreads via a bitly link that directs users to a Dropbox page where the malware is disguised as an app. The malware then blocks infected devices’ screens with a fake law enforcement page and demands a ransom to be paid via Money Pak Voucher.
Attackers change home routers’ DNS settings via malicious code injected in ads. Sucuri Security researchers identified a malvertising campaign that embeds malicious code into an ad hosted on the googlesyndication.com network and attempts to change the DNS settings on users’ home routers in order to lead them to potentially malicious Web sites.
Malware directs stolen documents to Google Drive. Researchers with Trend Micro identified a new piece of information-stealing malware dubbed Drigo that uploads any .PDF, text, and Microsoft Word, Excel, and PowerPoint files to a Google Drive account. The researchers reported that the malware appears to be targeting government agencies and reported the Google Drive account associated with the malware to Google.
Apple fixes security flaws with release of iOS 8.1. Apple released an update to its iOS 8 mobile operating system, closing several vulnerabilities and adding new features.
One week after patch, flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit sold on underweb forums known as Fiesta that is bundled with an exploit for a recently-patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14.
Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products.
Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to gain user and domain names and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Network advised users to apply best practice guidelines developed by the company.
Microsoft pulls another dodgy patch. Microsoft stated that it is investigating a patch for Windows 7 and Windows Server 2008 R2 after some users reported experiencing issues with their systems after installation. Microsoft advised users experiencing problems to uninstall the patch.
Dropbox users are served a phishing page delivered over SSL. A researcher with Symantec stated that attackers are using a phishing campaign with a page hosted on Dropbox to attempt to steal users’ Dropbox and email credentials. The phishing page uses the secure sockets layer (SSL) protocol of its host in order to appear legitimate.
Apple releases MEGA security patch round for OS X, Server and iTunes. Apple released a round of patches for several of its products, including OS X, OS X Server, and iTunes, addressing 150 issues including patches to close the POODLE and Shellshock vulnerabilities.
Modular malware for OS X relies on open-source keylogger code. Kaspersky Lab researchers identified a piece of modular malware for Apple OS X known as Ventir that uses the legitimate LogKext keylogging software in order to steal information from infected systems.
Sandworm vulnerability seen targeting SCADA-based systems. An advisory issued by Trend Micro stated that researchers have identified attackers using the Sandworm vulnerability to target systems running the GE Intelligent Platform’s CIMPLICITY human-machine interface (HMI) solution used in supervisory control and data acquisition (SCADA) systems. The attackers appear to be using the vulnerability in the first stage of an advanced persistent threat (APT) targeted attack and use the vulnerability to install the Black Energy malware.
SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition.
New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner.
XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers.
Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information.
All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to infected systems on an air-gapped network by shining infrared or visible light at the scanner lid when open, issuing commands to malware already planted on the system via USB drive or other method. The researchers were able to successfully test the method at a target printer inside a building at 200, 900, and 1,200 meters and stated that a more powerful laser could produce reliable results from up to 5 kilometers.
Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stocks of Canada-based Confederation Minerals Ltd., which has resulted in the transaction volume of the company increasing to 1,620,000 shares from 10,000 shares within 3 days. The spam campaign is the largest recorded in 2014 and the attackers behind it stand to profit by selling stocks after inflating the prices.
Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that attackers have increasingly used the Simple Service Discovery Protocol (SSDP) that comes enabled on Universal Plug and Play (UPnP) devices to launch reflection and amplification distributed denial of service (DDoS) attacks starting in July. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack.
New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers.
FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign targeting policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools including Moudoor, a derivative of the Gh0st RAT remote access Trojan, and the Hikiti malware used to control compromised systems.
Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution and all users were advised to update their installations as soon as possible.
Microsoft patches two more 0-days actively used by attackers. Microsoft released its monthly Patch Tuesday round of patches for October, closing several critical vulnerabilities including the SandWorm vulnerability and others exploited by attackers.
Flash Player 15 update plugs remote code execution bugs. Adobe released patches for three critical vulnerabilities in its Flash Player consisting of two memory corruption issues and one integer overflow vulnerability.
Mozilla fixes critical bugs in Firefox 33. Mozilla released the latest version of its Firefox browser, closing 33 critical vulnerabilities and adding improved functionality.
SSL 3.0 falls in the face of POODLE attack, needs to be disabled. Researchers with Google designed an attack named POODLE that can exploit a flaw in the design of the Secure Sockets Layer 3.0 (SSL 3.0) protocol that can allow the extraction of data from secure connections using the protocol. SSL 3.0 has been superseded by several other protocols but is still used in some clients and servers and as a backup protocol by Web browsers if modern protocols are unavailable.
Malware-like browser pop-ups used by advertisers to push apps on Android. A researcher at Malwarebytes reported that some advertisers are using fake warning or update notifications directed at Android users in an attempt to get them to download legitimate but potentially unwanted programs in an affiliate marketing scheme.
BlackBerry 10 devices open to bug that allows malicious app installation. BlackBerry released a patch for a vulnerability in BlackBerry 10 devices that could allow an attacker with a man-in-the-middle position to replace legitimate apps downloaded through the BlackBerry World app store with malicious apps.
Malicious YouTube ads lead to exploits, ransomware. Trend Micro researchers identified and reported a malvertising campaign where attackers appeared to have bought traffic from legitimate ad providers in order to place malicious ads on popular YouTube videos to redirect users through several sites to a server hosting the Sweet Orange exploit kit. The exploit kit then attempts to infect users with the Kovter ransomware via an Internet Explorer vulnerability.
Massive Oracle security update lands on Microsoft Patch Tuesday. Oracle released over 150 patches for several of its products, closing critical vulnerabilities in several products including Oracle Database and Java SE.
Russian espionage group used Windows 0-day to target NATO, EU. iSIGHT Partners discovered a zero-day vulnerability used in a cyber-espionage campaign dubbed SandWorm targeting the North Atlantic Treaty Organization, the European Union, Ukrainian and Polish government organizations, and several European telecommunications and energy sectors. Microsoft is expected to release a patch for the zero-day which exploits supported versions of Microsoft Windows and Windows Server 2008 and 2012.
Dropbox denies being hacked, points to third-party services. Dropbox announced that its servers were not breached after a list of 420 username and password pairs were publicized on Pastebin with a poster claiming that more would be published with Bitcoin donations. The company reported that the information was stolen from other Web services used by the victims, who had identical usernames and passwords for Dropbox.
The snappening: Snapsaved admits to hack that leaked SnapChat photos. Snapchat’s third-party app Snapsaved was hacked involving the release of 500MB of images containing between 90,000 and 200,000 photos and videos due to a misconfiguration in their Apache server. Snapsaved subsequently deleted the entire Web site and database associated with the breach.
Multiple vulnerabilities found in BMC Track-It! help desk software. Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) and Agile Information Security found that Track-It! version 126.96.36.1995, the IT helpdesk solution created by BMC Software, contains three vulnerabilities related to permissions, privileges, and access control, missing authentication for critical function, and an exploitation using blind SQL injection. The company is working on addressing the issues.
New mobile Trojan masquerading as Tic-tac-toe game targets Android devices. Kaspersky Lab researchers found that a Tic-tac-toe game available on Android devices houses the Gomal Trojan which allows hackers to record audio from the microphone, steal incoming SMS messages, steal data from the device log, and obtain root privileges, among other things. Good for Enterprise researchers determined that the app was a proof-of-concept app presented at Black Hat 2013 and used only in Samsung Exynos memory access vulnerability, which has since been patched.
HP to remove digital signature that code-signed malware. Symantec discovered that an HP digital certificate was used to cryptographically sign (code-sign) malware shipped through HP products in May 2010. HP will revoke the digital certificate October 21 after researchers found an apparent signature on a four-year-old Trojan that may have been included in the software.
New Rovnix variant targets users in EU countries. Researchers with CSIS Security Group identified a new variant of the Rovnix malware currently targeting users in European Union countries that includes a new domain generation algorithm (DGA), changes to avoid detection, and removes a bootkit component.
Shellshock exploits spreading Mayhem botnet malware. Researchers at Malware Must Die reported detecting a number of Linux and UNIX systems infected by several IP addresses belonging to the Mayhem botnet. The botnet was found to be pinging Internet-facing systems looking for the Shellshock vulnerability in order to drop a new remote installer written in Perl.
Flaw in PayPal authentication process allows access to blocked accounts. A researcher with Vulnerability Laboratory identified and reported a flaw in the mobile authentication process for PayPal that can allow an attacker to attempt to input passwords an unlimited number of times without causing the account to be locked. The issue reported in March 2013 affects the iOS mobile app for PayPal and a fix is not currently available.
ATM programmer's reference manual leaked online. F-Secure researchers found a document online using the Baidu search engine that contains API documentation for ATM cashpoints manufactured by NCR Corporation during an investigation into ATM malware. The programming reference materials could be used by attackers to inform their development of ATM malware.
Aggressive Selfmite SMS worm variant goes global. Researchers with AdaptiveMobile identified a new variant of the Selfmite SMS worm for Android that spreads via malicious links in SMS messages that lead to a trojanized Google Plus app. The worm uses compromised devices to send the malicious SMS messages to every contact on the device several times and redirect users to unsolicited subscription Web sites.
Multiple vulnerabilities found in SAP enterprise software. Researchers at Onapsis published seven advisories for flaws in SAP HANA, SAP BusinessObjects, and SAP NetWeaver Business Warehouse enterprise software, including a remotely exploitable command injection vulnerability in HANA that could allow an unauthenticated attacker to completely compromise the SAP system and the information it handles and stores.
Several Siemens industrial products affected by ShellShock bug. Siemens released an advisory warning that variants of the Shellshock vulnerability can be leveraged by attackers against several of its products including some versions of Rugged Operating System on Linux (ROX) 1 and ROX 2 and APE Linux versions. The company is working on developing patches for the affected products.
There is anti-BadUSB protection, but it's a bit sticky. The researchers who revealed the details for infecting USB devices via the BadUSB vulnerability released a patch and instructions for preventing the reprogramming of USB devices by disabling the "boot mode" state of the device. The researchers stated that a patched device could be tampered with to reset it and remove the patch, and suggested physically securing the device with glue or similar substances to prevent undetected access.
Tyupkin is new ATM malware that allows cash extraction without card. Researchers with Kaspersky Lab identified and analyzed a new piece of ATM malware known as Tyupkin that is installed on ATMs through a bootable CD and can allow attackers to withdraw currency without a card. The malware includes several security features to prevent access and analysis and was mostly found in Eastern Europe as well as some cases in the U.S., Asia, and Western Europe.
Google fixes 159 security bugs with release of Chrome 38. Google released the latest version of its Chrome browser for Windows, Linux, Mac, and iOS, closing 159 security vulnerabilities.
Adobe spies on reading habits over unencrypted web because your ‘privacy is important.’ Adobe confirmed October 8 that its Digital Editions software collects information on users’ ebooks and sends it to Adobe servers as part of digital rights management (DRM) practices after a researcher reported finding the traffic being sent from Digital Editions. The company also confirmed that the information was sent in an unencrypted format and would be corrected, and stated that it was investigating the researcher’s claims that the program collected additional information on ebooks files stored on users’ systems.
SSDP reflection attacks spike in Q3: Arbor Networks. Arbor Networks released its report on distributed denial of service (DDoS) attacks during the third quarter (Q3) of 2014 and found that Simple Service Discovery Protocol (SSDP) reflection attacks grew significantly during Q3, with almost 30,000 such attacks during the quarter, among other findings.
Siemens swats security bugs affecting PCS 7. Siemens released an update for its PCS 7 supervisory control and data acquisition (SCADA) product that addresses five issues with the WinCC product, including a hard coded encryption key and another issue that could lead to privilege escalation.
Belkin says router outages should be resolved. Belkin stated October 7 that it fixed an issue in some older wireless routers that caused the routers to experience problems around midnight October 7 when pinging a Belkin-hosted service in order to check network connectivity. Belkin advised users still experiencing issues to restart their routers.
Monster banking trojan botnet claims 500,000 victims. Researchers with Proofpoint identified a new banking trojan botnet known as Qbot or Qakbot that has infected 500,000 systems and stolen data from users including 800,000 online banking transactions, with 59 percent of the stolen sessions taken from accounts in major U.S. banks. The researchers found that the malware for the botnet was launched from compromised WordPress sites using drive-by download attacks.
Bugzilla vulnerability exposes undisclosed bugs. The developers of the Bugzilla bug-tracking software released an update to address several security issues, including one reported by Check Point Software Technologies researchers that could allow an attacker to bypass the email validation process and potentially receive information on undisclosed security issues.
Yahoo! changes tune after saying servers were hacked by Shellshock. Yahoo reported October 6 that some servers that were recently compromised were not compromised using the Shellshock vulnerability but instead by a bug in a parsing script used on some servers.
Trojans-SMS are top threat on Android, INTERPOL and Kaspersky say. Kaspersky Labs and INTERPOL released the results of a study of mobile security threats over a 1 year period and found that Android users were the most targeted by attackers, with SMS trojans accounting for 57.08 percent of all detections, among other findings.
Bash bug payload downloads KAITEN DDoS malware source code. Trend Micro researchers detected a payload being delivered via attacks exploiting the Shellshock vulnerability that downloads the source code for the KAITEN distributed denial of service (DDoS) malware.
76M households hit by JPMorgan data breach. JPMorgan Chase & Co. stated October 2 that a large cyberattack against the company’s systems compromised the customer information of around 76 million households and 7 million small businesses. The attack was discovered in August and began as early as June and compromised customers’ names, addresses, email addresses, and phone numbers but the bank stated that there was no evidence that the breach included account information.
CryptoWall 2.0 available in the wild, has new obfuscator. A 2.0 version of the CryptoWall ransomware has been spotted in the wild by researchers and includes the use of the Tor network for communicating with command and control servers and a new obfuscator to prevent analysis and debugging.
Destructive Android trojan poses as newest Angry Birds game. Researchers with Doctor Web identified a piece of destructive Android malware detected as Android.Elite.1.origin that poses as an unreleased Angry Birds game app and once installed deletes a device’s data, blocks communications programs, and sends out a high volume of messages to all contacts on the device.
“BadUSB” code published. Two researchers presenting at the Derbycon 4.0 conference reverse-engineered USB firmware to launch various attacks and posted the attack code online. The flaw in USB firmware that enables the attack was first revealed at the Black Hat conference but the attack code was not released at that time.
Second same-origin policy bypass flaw haunts Android browser. A researcher identified and reported a same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that could allow an attacker to steal data from a user’s browser. Google issued a patch for the vulnerability for users of Android 4.1-4.3 in late September.
Major security flaw in Xen hypervisor disclosed. The developers of the Xen hypervisor released a patch after a security vulnerability was disclosed October 1 that could allow an attacker to use a malicious hardware virtual machine to read data from other virtual machines or crash the host machine.
OS X botnet malware uses Reddit to get IPs of control servers. Researchers with Doctor Web found that a piece of botnet malware for OS X known as iWorm uses the search function on Reddit to access a list of command and control (C&C) servers used to receive instructions. Over 17,000 unique IP addresses are associated with systems infected by iWorm and the C&C server addresses are disguised on Reddit by purporting to be addresses for Minecraft servers.
VMware releases software updates to fix ShellShock bug. VMware released patches for several of its products in order to close the Shellshock vulnerability in GNU Bash.
Researchers bypass Redmond’s EMET, again. Researchers with Offensive Security reported that they were able to bypass the fifth version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) security tool on several versions of the Windows operating system.
Bash bug flung against NAS boxes. FireEye researchers warned that attackers are attempting to exploit the Shellshock vulnerability in GNU Bash in order to compromise Network Attached Storage (NAS) systems before the systems can be patched. The researchers reported that NAS systems made by QNAP were especially targeted and that attackers were seeking to install backdoors.
Joomla re-issues security update after patches glitch. The developers of Joomla released a second version of a security update October 1 after an initial update designed to close critical vulnerabilities created some technical issues with users.
Data breach on Flinn Scientific server lasted for four months. Flinn Scientific officials notified October 2 customers that made at least one purchase through its online store since May 2 that their financial information, including payment card number and card verification code, may have been compromised after malware was planted on the company’s Web based payment system. The breach was discovered September 8 and the company removed the malicious software from its network.
Four hackers accused of $100m US military software and gaming IP theft. Four individuals were indicted for allegedly stealing over $100 million worth of intellectual property from game developers and the U.S. Army including data from yet-to-be-released games and training software used to train helicopter pilots. Two of the accused pleaded guilty and reportedly used a SQL injection attack to steal the usernames and passwords of employees and software developers in order to gain access to the data.
Xsser mRAT, advanced spyware for iOS, discovered. Researchers with Lacoon Mobile Security identified a new remote access trojan (RAT) for iOS mobile devices dubbed Xsser that targets jailbroken iOS devices and can exfiltrate personal and device data. The researchers believe that Xsser is linked to the Chinese government and targets protestors in Hong Kong.
High risk vulnerability patched in Joomla. The developers of the Joomla content management system (CMS) released a patch for version 3.x closing two vulnerabilities including a remote file inclusion (RFI) issue that could allow an attacker to run remote files.
OpenVPN open to pre-auth Bash Shellshock bug - researcher. The chief technology officer of Mullvad stated that some configurations of OpenVPN are susceptible to the Shellshock vulnerability if Bash is allowed to run scripts. A proof-of-concept for the issue was identified online.
Asprox botnet malware sent through fake Viber email notification. An analysis from Tech Help List identified a new spam campaign utilizing fake Viber emails to attempt to add new bots to the Asprox botnet. The analysis noted that the attackers were using several techniques to hide their malicious activity and avoid analysis by researchers.
Variant of Upatre malware dropper seen in bank emails. A security researcher reported finding a new variant of the Upatre malware dropper attached to emails purporting to be from financial institutions. The new variant is distributed as a download through a link in the malicious emails and has a low VirusTotal detection rate.
Apple patches Shellshock bug in OS X. Apple released a security update for its OS X operating system that closes two remotely exploitable vulnerabilities in the GNU Bash UNIX shell known as Shellshock.
‘Shellshock’ attacks could already top 1 billion: Report. Incapsula researchers reported that the company’s Web application firewall deflected over 217,000 attempted exploitations of the Shellshock vulnerability in GNU Bash during the 4 days after the vulnerability was disclosed and estimated that the total number of attacks attempting to exploit the flaw could reach 1 billion.
Seller of StealthGenie mobile spyware app indicted and arrested. The CEO of InvoCode was arrested September 27 in Los Angeles for allegedly selling and advertising the StealthGenie mobile spyware. The Pakistani national allegedly worked with others to develop and market the spyware that is compatible with major mobile operating systems such as Android, Blackberry, and iOS.
Signed CryptoWall delivered via malvertising campaign on top-ranked websites. Researchers with Barracuda Labs identified a variant of the CryptoWall ransomware signed with a valid digital certificate from DigiCert and spread through malicious ads on the Zedo ad network to several popular Web sites. As of September 29, the CryptoWall variant was detected by 12 of 55 security solutions on VirusTotal.
RadEditor web editor vulnerable to XSS attacks. A researcher identified and reported a cross-site scripting (XSS) vulnerability in the RadEditor text editor used in several Microsoft products that could allow attackers to inject malicious script and obtain private data. The vulnerability was closed by Telerik September 24.
All CloudFlare customers benefit from Universal SSL. CloudFlare announced September 29 that it was providing all customers with SSL certificates under its Universal SSL service to enhance security.
New data breaches hit Supervalu, Albertson's. Supervalu officials reported a second incident September 29 where hackers installed a different piece of malware on the company’s computer system that potentially captured customers’ payment card information from the payment processing systems of four Cub Foods stores in Minnesota and several Albertson’s grocery stores across the U.S. between August and September.
Dyre banking trojan delivered via voice message email notification. Researchers discovered that the Dyre (Dyreza) banking trojan is being employed via phishing emails claiming to be from financial institutions and bogus emails purporting to inform of a new voicemail message which include a link to a malware dropper that has five Romanian Portable Executable (PE) resources and downloads a variant of the trojan. The malware relies on the man in the middle (MitM) technique to take over the connection between the client and the server.
U.S. Bank refunding $48 million to customers. The Consumer Financial Protection Bureau ordered U.S. Bank September 25 to refund $48 million to consumers and pay $9 million in penalties to resolve allegations that the bank charged about 420,000 customers for fraudulent credit card add-on products and services that were not provided between 2004 and 2012.
New remote code execution flaws found in Shellshock-patched Bash. Researchers found four additional vulnerabilities with the Bash command interpreter for Linux, Shellshock, two of which were unofficially patched after new changes to the code. The two new bugs that remain could be exploited remotely and in an easier way due to the rare use of address space layout randomization (ASLR) when compiling Bash.
Ello social network recovers after DDoS attack. Administrators with Ello, a social networking site, announced they blocked a bad IP address that was responsible for sending junk traffic after reporting the site was under an apparent distributed denial of service (DDoS) attack.
Cisco lists 31 products vulnerable to the Shellshock vulnerability. Cisco released a list of 31 products vulnerable to the Shellshock glitch which included connection routing, network management, and media content delivery and encoding, among others. Oracle also released a list of 32 products vulnerable to attack by the Bash bug after the company changed its initial list and appended new products.
iThemes users asked to change passwords following attack. The CEO if iThemes, a WordPress themes, plugins, and training provider, advised 60,000 past and current users to reset their passwords following an attack on its membership database that may have compromised usernames, email addresses, passwords, names, IP addresses, and purchase information.
Dyre malware takes inventory of software on infected systems. Researchers from Proofpoint analyzed a new variant of the Dyre (also known as Dyreza) banking trojan and found that several new features were added to the malware, including the addition of its own SSL certification and a feature that enables hackers to collect cookies, client-side certificates, and private keys from an infected computer’s Windows Certificate Store. The latest version of the Trojan can also extract a list of installed programs and services from an infected computer to be by hackers to determine which vectors can be exploited in the future.
Honeypot catches malware exploiting Shellshock Bash bug. Alien Vault researchers found two pieces of malware through their honeypots, an Internet Relay Chat (IRC) bot and an Executable and Linkable Format (ELF) binary that offers malicious actors the possibility to use the infected machine in distributed denial of service (DDoS) attacks in order to exploit the Shellshock Bash vulnerability. Patches are available for several software platforms as attackers are rapidly working to exploit the CVE-2014-6271 vulnerability.
Phishers go after unprecedented breadth of targets. The Anti-Phishing Working Group (APWG) released its Global Phishing Survey co-authored with Internet Identity (IID) and found that in the first half of 2014 Apple was the most phished brand in the world, accounting for 17 percent of all reports sampled. PayPal came in second accounting for 14.4 percent or 17,811 targeted attacks the report stated, among other findings.
BlackEnergy malware linked to targeted attacks. ESET and F-Secure researchers found that the BlackEnergy malware has been active in targeted attacks in 2014, modified to be used as a tool for sending spam and for online bank fraud. The alteration was dubbed “BlackEnergyLite” by researchers due to the lack of a kernel-mode driver component and less support for plug-ins and a lighter overall footprint.
New Tinba banking trojan variant is stealthier, uses public key signing. Researchers from Trusteer analyzed an updated variant of the Tiny Banker (also known as Tinba) financial malware and discovered that the authors added a domain generation algorithm (DGA) and fitted it with user-mode rootkit capabilities and a verification process to make sure that messages are sent from an authentic bot master.
Mozilla to part ways to SHA-1. Mozilla asked Certificate Authorities and Web sites to upgrade certificates to SHA-256, SHA-384, or SHA-512 after experts reported that SHA-1 will be practical for collision attacks by 2018. Mozilla will release warnings to update certificates on versions of Firefox in early 2015.
Fiberlink wipes one smartphone or tablet every three minutes. Researchers at Fiberlink examined 130,000 devices managed by MaaS360 and found that one mobile device is wiped every 3 minutes. The study also determined that in 2013 businesses, on average, cleared 10 percent to 20 percent of their entire device populations yearly.
Mitigations for Spike DDoS toolkit-powered attacks. Akamai Technologies released an advisory alerting enterprises of the Spike distributed denial of service (DDoS) toolkit that runs on a Windows system and can launch infrastructure-based and application-based DDoS payloads including SYN flood, UDP flood, GET flood, and Domain Name system (DNS) query floods. The toolkit can be mitigated be implementing access control lists (ACLs).
Apple’s new iPhone 6 vulnerable to last year’s TouchID fingerprint hack. Lookout researchers found that a vulnerability that could allow access into Apple’s iPhone 6 and 6 Plus models through their TouchID fingerprint sensors remained unpatched. Scammers can unlock the devices by creating a fake fingerprint, the same flaw that was found in the iPhone 5S model in 2013.
DDoS attackers turn fire on ISPs and gaming servers. NSFOCUS researchers determined gaming hosts and Internet service Providers (ISP) have been the focus for distributed denial of service (DDoS) attacks in 2014, rising in the first half to 10 percent and nearly 15 percent of attacks respectively.
Kyle and Stan malvertising network nine times bigger than first reported. Researchers found nearly 6,500 malicious domains are involved in the Kyle and Stan malvertising network and over 31,000 connections were made to the domains, nine times larger than originally reported by Cisco. The campaign is unique in its ability to infect Windows and Mac OS X software differently and can drop ads on larger Web sites.
Hackers target Destiny and Call of Duty servers with DDoS attack. Several servers for online games Destiny and Call of Duty: Ghost went down during the weekend of September 20 due to a distributed denial of service (DDoS) attack that affected PlayStation and Xbox users. Attackers claiming affiliation with the Lizard Squad group claimed responsibility for the attacks.
Exercise-tracking app not QUITE fit for purpose. A researcher identified and reported a direct object reference vulnerability in the MyFitnessPal app that allowed users’ personal information, including location and dates of birth, to be accessed by any user. The vulnerability was closed 2 days after being reported.
Yahoo fixes RCE flaw leading to root server access. A researcher identified and reported a series of vulnerabilities in a Yahoo domain which led to a remote code execution vulnerability that was leveraged to gain root access to a Yahoo server. The vulnerability was reported September 5 and closed September 7.
Payment card info of 880k Viator customers compromised. Viator representatives confirmed September 19 that the company was made aware September 2 that its network was breached and the encrypted personal and financial information of about 1.4 million customers may have been compromised. Customers were advised to update their Viator online account information, including passwords.
Bank tellers helped steal identities, $850G, A.G. says. Five people, including three bank tellers at branches in New York and Florida, were indicted September 16 in White Plains, New York, for allegedly running an identity theft and bank fraud ring that stole over $850,000 in funds as well as customers’ personal information over at least 4 years. The tellers allegedly supplied information to their co-conspirators that enabled them to create fraudulent checks, driver’s licenses, and other documents used to withdraw the stolen funds from bank branches in Connecticut, Massachusetts, and New York.
Apple fixes “backdoors” with release of iOS 8. Apple released the newest version of its mobile operating system, iOS 8, September 17, which adds improvements and closes over 50 security vulnerabilities.
Series of vulnerabilities found in Schneider Electric SCADA products. An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned users of Schneider Electric StruxureWare SCADA Expert ClearSCADA products after researchers discovered unpatched, remotely-exploitable vulnerabilities. Included in the vulnerabilities is a cross-site scripting (XSS) issue that could allow industrial control systems (ICS) to be shut down, while an authentication bypass issue could give attackers access to sensitive information.
AppBuyer iOS malware targets jailbroken iPhones. Researchers with Palo Alto Networks analyzed a piece of iOS malware discovered by WeiPhone Technical Group in May and found that the malware dubbed AppBuyer is targeting jailbroken iPhones in order to steal Apple ID and password information and make unauthorized purchases from the App Store.
Analysts spot ‘Critolock,’ ransomware claims to be CryptoLocker. Researchers at Trend Micro identified a new piece of ransomware known as Troj_Critolock.A or Critolock that infects devices and encrypts users’ data and demands a ransom. The malware purports to be the CryptoLocker ransomware but contains several differences including its use of the Rijndael symmetric-key algorithm.
Drupal patches XSS vulnerability in spam module. Drupal released a patch September 17 for the Mollom spam and content moderation module that closes a cross-site scripting (XSS) vulnerability that could allow an attacker to gain admin-level access to Web sites and enable them to steal data or hijack sessions.
Breach at Goodwill vendor lasted 18 months. Payment vendor C&K Systems stated that its hosted managed services systems were found by investigators to be compromised between February 10, 2013 and August 14, 2014, allowing the installation of the infostealer.rawpos point of sale (PoS) malware that led to payment card breaches from over 330 Goodwill retail locations. The malware infection was not detected by the company’s systems until September 5 and affected Goodwill and two other customers.
Twitter fixes vulnerability potentially impacting company’s ad revenue. A security researcher identified and reported a vulnerability in a Twitter subdomain that could be used to delete the payment card information used by advertisers to pay for ads on the social media network. Twitter addressed the vulnerability and awarded a $2,800 bounty to the researcher.
Amazon fixes persistent XSS vulnerability affecting Kindle library. Amazon addressed a cross-site scripting (XSS) vulnerability on the Amazon Web page used to manage users’ Kindle libraries that could be used by an attacker to inject malicious code through eBook metadata.
Macro based malware is on the rise. Researchers with Sophos found that macro-based malware created in Visual Basic rose from around 6 percent of document malware to 28 percent in July, among other findings.
Adobe gets delayed Reader update out the door. Adobe released new versions of Adobe Reader and Acrobat September 16 that were delayed during Adobe’s scheduled patch release the week of September 8. The updates close eight vulnerabilities including two memory corruption issues and a cross-site scripting (XSS) vulnerability affecting Macintosh users.
Archie exploit kit targets Adobe, Silverlight vulnerabilities. Researchers at AlienVault Labs analyzed a new exploit kit first identified by EmergingThreats researchers and found that the Archie exploit kit attempts to exploit older versions of Adobe Flash, Reader, and Microsoft Silverlight and Internet Explorer.
Malicious Kindle eBooks can give hackers access to your Amazon account. A security researcher identified a security issue in Amazon’s “Manage your Kindle page” that can be exploited using a malicious eBook file to take over a user’s Amazon account. The same vulnerability was reported and fixed in November 2013 but was reintroduced in a new version of the page.
THREE QUARTERS of Android mobes open to web page spy bug. A Metasploit developer released a Metasploit module for a vulnerability in Android versions 4.2.1 and below that was discovered September 1, which could automate an exploitation of the vulnerability and allow attackers behind a malicious Web page to see users’ other open pages and hijack sessions.
LinkedIn feature exposes email addresses. Researchers with Rhino Security Labs demonstrated how an attacker could use a ‘find connections’ feature in LinkedIn and a large number of email contacts generated with likely email addresses to identify the email address of specific individuals for possible use in spear-phishing or other malicious activities. LinkedIn stated that it was planning at least two changes to the way the professional network handles user email addresses to counteract the issue.
SNMP DDoS scans spoof Google public DNS server. The SANS Internet Storm Center reported September 15 that large-scale scans of Simple Network Management Protocol (SNMP) spoofing Google’s public DNS server traffic were taking place, indicating a scan being used to identify routers and devices using default SNMP passwords. Vulnerable routers and devices could have their configuration variables changed, creating a denial of service (DoS) situation on the affected devices.
Twitch chat malware spreads, wipes dry Steam accounts. Researchers at F-Secure identified a piece of malware known as Eskimo that is being spread through a fake raffle invitation in Twitch.tv’s chat feature. The page used for the fake raffle sign-up drops the Windows binary that can take screenshots as well as take control of the client for gaming service Steam to add friends, trade or sell items, and buy items if funds are available.
Freenode suffers breach, asks users to change their passwords. IRC network Freenode notified users that it experienced a security breach September 13 and advised all users to change their passwords as a precaution.
Vulnerabilities found in website of Google-owned Nest. A security researcher identified and reported several security vulnerabilities in the Web site of home automation company Nest, including a file upload vulnerability that could allow attackers to upload a shell and gain access to personal and financial details of Nest customers. Google stated that the issue was addressed by restricting access to the affected domain and redirecting visitors to a different domain.
Four vulnerabilities patched in IntegraXor SCADA. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory September 11 advising users of Ecava Sdn Bhd’s IntegraXor supervisory control and data acquisition (SCADA) server software to patch their systems after four remotely exploitable vulnerabilities were discovered. The software is primarily used for industrial automation in firms managing railways, sewage systems, telecommunications, and heavy engineering.
Chinese attack groups operate in parallel in cyber espionage campaigns: FireEye. Researchers with FireEye discovered two cyberespionage campaigns originating in two regions of China that appear to share several commonalities including using the same custom backdoors and remote access trojans (RATs). One campaign dubbed Moafee targets various military, government, and defense industry entities while the second known as DragonOK targets high-tech and manufacturing companies in Taiwan and Japan.
Researchers find malicious extension in Chrome Web Store. Trend Micro researchers identified several malicious extensions inside the Chrome Web Store, including one spread via a Facebook scam campaign that allows attackers to post statuses, send messages, and take other actions using a victim’s Facebook account.
Zemot malware dropper strain delivered via Asprox botnet and exploit kits. Microsoft researchers analyzed the Zemot malware dropper, a variant of Upatre, and observed that it has been distributed through the Asprox (also known as Kuluoz) spam botnet and via exploit kits including Magnitude and Nuclear Pack. Once it infects a system the dropper can then deliver click fraud malware and was recently observed to distribute information-stealing malware including Rovnix, Tesch, and Viknok.
TorrentLocker unpicked: Crypto coding shocker defeats extortionists. Researchers with Nixu found that the encryption used by the TorrentLocker ransomware to encrypt victims’ files can be defeated if a user has an original copy of the encrypted version of a file over 2MB in size by applying XOR between the encrypted and unencrypted files.
Massive Gmail credential leak is not result of a breach. Google investigated a dump of Gmail credentials posted online and found that the credentials were not the result of a breach and that less than 2 percent of the credentials might have worked. Users were advised to change their passwords, use strong passwords, and enable two-factor authentication if possible as a precaution.
Details disclosed for critical vulnerability patched in Webmin. A researcher with the University of Texas published details on a critical vulnerability in Webmin that was patched in May, showing that the vulnerability could have been used by unauthenticated users to delete files stored on the server.
Apache warns of Tomcat remote code execution vulnerability. The Apache Software Foundation warned users of some older versions of Apache Tomcat that they are vulnerable under limited circumstances to a vulnerability that could allow an attacker to upload malicious JavaServer Pages (JSP) to a server, trigger the execution of the JSP, and then execute arbitrary commands on the server. The vulnerability affects versions 7.0.0 to 7.0.39 and users were advised to update their installations.
Vendor fixes vulnerabilities in wireless traffic sensors. Sensys Networks, a company that manufactures sensor devices used in wireless traffic control systems, announced September 5 that it released software updates for its products to address security vulnerabilities and protect systems against attacks caused by lack of encryption or sufficient authentication methods. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory stating that the issues affect Sensys Networks VSN240-F and VSN240-T systems and advised operators to update their software installations.
Adobe fixes critical flaws in Flash Player, delays Reader and Acrobat updates. Adobe Systems released a critical security update for its Flash Player software, closing 12 security issues, 9 of which could lead to remote code execution. The company also delayed planned patches for Reader and Acrobat by 1 week due to issues identified during testing.
September Patch Tuesday: Microsoft closes door on IE zero day attacks. Microsoft released its monthly Patch Tuesday round of updates for September, with 4 bulletins closing 42 vulnerabilities in various Microsoft products. One bulletin for the Internet Explorer browser closes 37 vulnerabilities, 1 of which was a critical Internet Explorer zero-day vulnerability.
Use home networking kit? DDoS bot is BACK…and it has EVOLVED. A researcher identified a new variant of the Lightaidra router-to-router malware that targets consumer-grade cable and DSL modems using default passwords in order to use them in distributed denial of service (DDoS) attacks. The new variant is able to reconfigure victims’ firewalls and requires Linux to be running on targeted devices in order to infect them.
Apple beefs up security, sends iCloud access alert. Apple announced September 5 that within 2 weeks it would implement new security policies for its iCloud service following attacks that leaked personal photos belonging to celebrities. Some features have already been implemented, such as a notification when an iCloud account is accessed via a Web browser.
Phishing miscreants are THWARTING secure-sleuths with AES crypto. Researchers with Symantec identified what they believe was the first use of AES encryption to disguise fraudulent Web sites designed to steal users’ login credentials. The use of AES encryption allows attackers to make the analysis of phishing sites more difficult without affecting how the sites appear and function to users.
Yandy.com hacked, financial information exposed. Yandy.com notified its customers that a Web-based database hosting customers’ information, including payment card data, was accessed by an unknown party at least four times between May 28 and August 18. The online retailer detected the breach August 18 and has implemented additional measures to secure its systems.
Malvertising on YouTube and Amazon delivers sophisticated malware. Researchers with Cisco’s Talos Security Research identified a malvertising campaign dubbed Kyle & Stan that began in May and is currently affecting Windows and Mac users on popular Web sites such as Amazon and YouTube. The campaign inserts malicious ads that serve various forms of spyware, adware, and browser hijacking malware and uses unique configuration files and encryption to attempt to avoid detection.
Dyre banking trojan targets Salesforce customers. Customer relationship management (CRM) provider Salesforce found that the Dyre banking malware (also known as Dyreza) has been used against some of its customers but found no evidence that any were impacted. The malware uses man-in-the-middle (MitM) attacks to steal credentials and Salesforce advised its users to ensure that their systems were protected against the malware.
Hackers going Nuclear following Blackhole takedown. A Zscaler ThreatLabz researcher identified a campaign utilizing the Nuclear Exploit Kit and compromised sites including SocialBlade.com, AskMen.com, and Facebook survey scam pages to attempt to infect users’ systems. The researcher reported that the Nuclear Exploit Kit has become increasingly popular in the last 3 months following the arrest of the alleged creator of the Blackhole Exploit Kit.
New timing attack could de-anonymize Google users. Mavenlink identified and reported an issue in Google accounts that could be used by an attacker in specific circumstances to identify when a particular user visits a site by sharing a Google document with the user’s address. Google acknowledged the issue but stated it would not address the issue because the risk presented was judged to be low and only usable in limited circumstances.
Home Depot confirms months-long hack. Home Depot representatives confirmed September 8 that the company’s payment systems were breached as early as April 2014 and the attack went unnoticed until September 2 when banking institutions reported unusual activity connected to debit and credit card data from the company’s stores in the U.S. and Canada. The company is working with the U.S. Secret Service to determine the scope of the breach and has implemented additional security measures at its stores.
Dodgy Norton update borks UNDEAD XP systems. Symantec issued a fix for a recent update to its Norton security software after some users running Windows XP reported issues after applying the update.
Hackers target Apple Max OS X with 25 malware variants. F-Secure released its Threat Report H1 2014 which found that 25 new malware variants targeting Apple OS X systems were observed in the first half of the year. Several variants were observed being used in targeted attacks against activities, the energy industry, and other industries.
Social engineering campaign leads to malicious Chrome extension. TrendMicro researchers identified a social engineering campaign that uses malicious shortened Twitter links to lead victims to a malicious Chrome browser extension used in a click fraud campaign. The malicious extension circumvents Google’s security policy against non-Chrome Web Store apps by creating a folder in the browser directory where it then drops its components.
Bitcoin exchange CEO pleads guilty to enabling Silk Road drug deals. The former CEO of Bitcoin exchange BitInstant and a Bitcoin seller pleaded guilty September 4 in New York City to charges of operating an unlicensed money exchange that was used to facilitate illicit transactions for users of the Silk Road underweb marketplace.
Cyberespionage group starts using new Mac OS X backdoor program. FireEye researchers found that a cyberespionage group dubbed GREF has recently begun using a backdoor program known as XSLCmd that targets Mac OS X systems in order to steal files and install additional malware. The GREF group is known for attacks on several sectors including the U.S. defense industry as well as electronics manufacturers, engineering firms, and non-governmental organizations worldwide.
Coursera privacy issues exposed. A researcher identified and reported two issues in the Coursera online educational software that could disclose a list of students’ names, email addresses, information on their courses, and disable a stated protection feature. Coursera partially addressed one of the reported issues while the second remains unaddressed.
Researchers discover two SQL injection flaws in WordPress security plugin. Researchers with High-Tech Bridge identified and reported two SQL injection vulnerabilities in the All in One WordPress Security and Firewall plugin that affects version 3.8.2 and likely all prior versions.
Verizon failed to tell 2 million using their personal info for marketing. Now the FCC is making it pay. The U.S. Federal Communications Commission issued a $7.4 million fine against Verizon after the company failed to tell 2 million customers of their ability to opt out of having their personal information used for marketing purposes for 6 years. Verizon agreed to pay the fine and stated that the technical glitch has since been fixed.
Updated Vawtrak banking malware strain expands target list. Researchers with PhishLabs identified a new variant of the Vawtrak financial malware (also known as Neverquest) that has added features in the last month enabling it to expand its targets to users in the U.S., Canada, and Europe. The malware targets financial institutions as well as social networks, online retailers, gaming portals, and analytics firms and can steal credentials and automate fraudulent transactions.
Old Slider Revolution vulnerability massively exploited. Researchers at Sucuri found that attackers began heavily exploiting an old vulnerability in unpatched versions of the Slider Revolution Premium plugin for WordPress during August, which could allow a Local File Inclusion (LFI) attack. The vulnerability was fixed in February and all users were advised to update to the latest version as soon as possible.
CERT warns of Android apps vulnerable to MitM attacks. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) published a list of popular Android apps that expose users to man-in-the-middle (MitM) attacks due to the apps not properly validating SSL certificates. CERT/CC released its findings in a spreadsheet detailing their results and is attempting to contact the authors of every app that failed the organization’s tests.
Home router DNS settings changed via Web-based attack. Kaspersky Lab researchers identified a Web-based attack that uses Web pages with malicious scripts to attempt to change users’ home router Domain Name System (DNS) settings in order to redirect users to phishing pages of financial institutions. The attack was mostly observed in Brazil but also targeted some users in the U.S., Canada, Mexico, and other countries.
VirusTotal mess means YOU TOO can track Comment Crew! A researcher released findings on how he was able to use structured data and analysis to identify a subgroup of the Comment Crew group and an unnamed Iranian group using Google’s VirusTotal service to test new versions of malware against security software and check for detection rates.
Semalt botnet hijacked nearly 300k computers. Incapsula researchers reported that the Semalt botnet is spreading quickly and is currently made up of around 290,000 infected machines. The botnet is linked to a Ukrainian search engine optimization (SEO) service and spams millions of Web sites in a referrer spam campaign designed to fraudulently boost a site’s search engine ranking.
Linux systems infiltrated and controlled in a DDoS botnet. Researchers at Akamai Technologies reported that Linux systems could be at risk of infections using IptabLes and IptabLex to compromise systems and use them in distributed denial of service (DDoS) attacks. The researchers reported that the infections appeared to be caused by a large number of Linux-based Web servers being compromised via Apache Struts, Tomcat, and Elasticsearch vulnerabilities.
Firefox 32 moves to kill MITM attacks. The Mozilla Foundation released version 32 of its Firefox browser, which adds new features including public key pinning to help protect users against man-in-the-middle (MitM) attacks.
Apple fixes glitch in Find My iPhone app connected to celebrity photo leak. A security issue in Apple’s Find My iPhone app that researchers demonstrated could be exploited in brute force attacks was fixed by the company. Apple stated that a recent breach of celebrities’ personal photos stored in its iCloud service was not the result of the researchers’ findings, but instead involved targeted attacks on the individuals’ accounts.
Cybercriminals love PayPal, financial phishing on the rise. Kaspersky Lab researchers released statistics on spam and phishing emails for the month of July, which found that phishing emails targeting financial services increased 7.9 percent during the month, with PayPal being the most targeted company. The researchers also found that the overall share of spam in all email traffic increased 2.2 percent to a total of 67 percent during July, among other findings.