Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be wary of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations or other emails you are unsure about, do not open it. The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit:

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.


Symantec products affected by multiple “as bad as it gets” vulnerabilities. A security researcher from Google’s Project Zero initiative discovered several vulnerabilities in Symantec’s security products including buffer overflow flaws, memory corruption flaws, and a high-severity flaw that does not require user interaction, affects default configuration, and allows the software to run on the highest privilege levels possible due to vulnerable code in ASPack. Attackers could exploit the vulnerabilities by sending an email with a malicious file or embedding a malicious link inside the email, among other methods.

Alpine Linux 3.4.1 released with Linux Kernel 4.4.14 LTS, latest security fixes. Alpine Linux project released its Alpine Linux 3.4.1 operating system (OS) which included security updates in its kernel packages and in its core components, as well as other improvements to several other applications within its systems.

LevelDropper Android app infected with autorooting malware. Lookout researchers identified the LevelDropper app in the Google Play Store which hides malware capable of rooting the user’s device in order to install unwanted applications. Researchers also found two privilege escalation exploits and supporting package files such as busybox and SuperSU, which also have the ability to root the device.



Former attorney pleads guilty to participating in fraudulent mortgage modification scheme. A former Irvine, California-based attorney pleaded guilty June 27 to Federal charges for his role in a multi-million dollar fraudulent mortgage modification scheme where he and co-conspirators allegedly convinced homeowners facing foreclosure to pay up to $5,500 for services from the Rodis Law Group (RLG) by falsely claiming that RLG consisted of a team of attorneys experienced in negotiating loan modifications from the homeowners’ mortgage lenders, and by purporting that RLG was consistently successful in obtaining lower interest rates for homeowners, among other misrepresentations between October 2008 and June 2009.

Michigan men suspected in Canton credit card fraud. Two Michigan men were arrested at a Walmart store in Canton, Ohio, June 24 for allegedly using stolen credit card information to clone a credit card and purchase 501 gift cards and pre-paid debit cards. Authorities stated the cards were worth over $50,000.

Microsoft Office 365 corporate users hit by Cerber ransomware attack. Avanan researchers reported that about 57 percent of all companies using Microsoft Office 365 received at least 1 copy of the Cerber ransomware in their inboxes in a June 22 attack that lasted 5 hours before Microsoft blocked the malicious file attachments.

MIRCOP ransomware claims to be victim, demands payback. Trend Micro researchers reported that the MIRCOP ransomware abuses Microsoft PowerShell to download and execute the malicious payload, and sends the user a ransom note claiming that the victim stole 48.48 Bitcoins, suggesting that the victim knows how to return the money. MIRCOP prepends files with the string “Lock” and can steal credentials from various applications including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype.



Uber bugs allowed hackers to gather details on rides, drivers, passengers. Security researchers from Integrity discovered 14 issues in Uber Technologies Inc.’s system that could be exploited to extract user details via the mobile app’s Help Section, obtain a driver’s and user’s universally unique identifier (UUID) and request private information such as names, pictures, location, car types, status, among other data, and use over 1,000 active promo codes that could have added $100 to each driver’s fair earnings, among other flaws.

Bart ransomware locks files as individual password-protected ZIP archives. Security researchers from PhishMe, Proofpoint, and other firms reported that a new ransomware dubbed Bart was similar to the Locky ransomware and believe the ransomware was created by the same cyber-criminals, as the distribution of both utilizes email spam campaigns to deliver a ZIP archive containing a malicious JavaScript (JS) file, which downloads RockLoader and the Bart ransomware. The Bart ransomware uses a different encryption method by placing each file in its own ZIP archive file and securing the archive with a password.

Severe vulnerabilities found in Meinberg NTP servers. Meinberg released firmware updates for several of its network time protocol (NTP) time servers after a security researcher found the devices were plagued with two stack-based buffer overflows and a weak access control issue that could allow an attacker to exploit the vulnerabilities to escalate the privileges to root.

Flaw allowed hackers to deliver malicious images via PayPal. PayPal fixed a flaw in its Web site after a security researcher discovered the Uniform Resource Locator (URL) of payment pages set by users included a parameter named “image_url” that could be replaced with a URL pointing to an image hosted on a remote server, which could allow an attacker to use a third-party vendor’s PayPal payment page to deliver malicious images.



Hackers breach US company and unwittingly expose 154 million voter records. Security researchers from MacKeeper discovered that a CouchDB database containing details on over 154 million U.S. voters was compromised after a hacker took down the firewall of L2, a company that builds, manages, and sells access to U.S. voter records. The database contained 1-year-old information and was taken down, and authorities were unsure of the identity of the hacker.

Criminals set up fake companies to hijack and sell IPv4 addresses. Security researchers from Check Point reported that cyber criminals were leveraging legacy networks belonging to companies no longer in existence by scanning the IPv4 address pool and searching for networks’ contact information, and if no data is found, attackers impersonate the defunct company by re-registering old business names or expired domain names.

Massive spam flood delivering Cerber ransomware hit users at the end of May. Check Point released a report which detailed that the Cerber ransomware was attacking victims in April and May through two recent incidents that included large amounts of spam emails containing Microsoft Office documents loaded with malicious macros that were downloading and installing the ransomware.


SEC halts scheme defrauding pro athletes. The U.S. Securities and Exchange Commission unsealed a complaint June 21 charging and freezing the assets of The Ticket Reserve Inc., its chief executive officer, a chief operating officer, and a managing director from RGT Capital Management after the group allegedly siphoned more than $33 million from professional athletes’ bank accounts without their authorization in order to invest the money into The Ticket Reserve, make Ponzi-like payments to existing investors using money from new investors, and falsify documents, among other illicit actions in order to conceal the scheme. The charges also allege that the managing director received nearly $2 million in hidden compensation from the company, failed to disclose to investors that he was a member of The Ticket Reserve’s board of directors, and falsely claimed to be a certified public accountant (CPA).

Over a dozen flaws patched in Pidgin chat client. Pidgin chat client released Pidgin 2.11.0 patching 16 information disclosure flaws, denial-of-service (DoS) flaws, directory traversal, and buffer overflow flaws after a security researcher from Cisco Talos discovered the vulnerabilities could allow a man-in-the-middle (MitM) attacker to overwrite arbitrary files on the system, among other actions.

Carbonite online backup service resets all users’ passwords after cyber-attack. Carbonite, the online backup software for Apple Mac and Microsoft Windows products, reported that it issued a service-wide password reset for all of its users June 21 after the company discovered an ongoing, large account takeover (ATO) or Identify Testing Attacks in its systems. The company stated the third-party attack did not compromise any users’ accounts and initiated the password reset as a precautionary measure.

WordPress 4.5.3 fixes bug that allowed password change via stolen cookies. WordPress released its newest version WordPress 4.5.3 fixing 8 security bugs and 17 maintenance issues including simple cross-site scripting (XSS) flaws, a denial-of-service (DoS) flaw, and an insecure input filtering flaw after a company security researcher discovered that one of the flaws could allow attackers to change a user’s password by leveraging stolen cookies.

Several vulnerabilities patched in Libarchive library. Libarchive released a new version for its open-source library, Libarchive 3.2.1 after a security researcher from Cisco Talos discovered three severe flaws in the system, including a stack-based buffer overflow flaw and a heap corruption flaw that can lead to arbitrary code execution, as well as an integer overflow flaw that could allow an attacker to execute arbitrary code using specially crafted 7-Zip files.


Stafford police arrest man wanted for $386,000 in bank fraud by opening up phony bank accounts. A New Jersey man was arrested in Atlantic City June 18 after he and co-conspirators allegedly defrauded TD Bank out of $386,000 by opening over 86 fraudulent checking accounts at bank branches in New Jersey, Pennsylvania, New York, Connecticut, and Massachusetts since June 2015. The man was arrested after a bank employee recognized the man from previous fraud attempts and notified authorities.

Springfield woman admits cashing $1.4M worth of fake tax refund checks. A Springfield, Massachusetts woman pleaded guilty June 20 to orchestrating a scheme where she and co-conspirators cashed 236 fraudulent Federal income tax refund checks in order to steal nearly $1.4 million in tax returns from January 2012 – May 2013. Authorities stated that the group filed the fraudulent returns and Social Security numbers under the names of people living in Puerto Rico, while the addresses were falsely listed as Massachusetts and New York.

Cybercriminals use new tricks in phishing attacks. Sucuri researchers reported that phishing attacks were increasing and cyber attackers were using new techniques to avoid detection after discovering that attackers were leveraging hosting providers’ failures to properly configure temporary Uniform Resource Locators (URLs), which were offered to users to test their Web sites before linking them to separate domains. An attacker can register an account on a shared server, upload their phishing pages, and compile a list of other Web sites on that server, which enables hackers’ access from any neighboring domain names.

Acer security breach exposes data of 34,500 online shoppers. Acer Inc. reported that its online store was compromised after a hacker leaked 34,500 customers’ data including customer names, addresses, and credit card numbers with expiration dates and CVC security codes from May 2015 – April 2016. The breach was considered a security issue when the company inadvertently stored customer data in an unsecured format.


Man arrested in Boca Raton stole more than $89K using ATM skimmers, police say. A Colombian citizen was arrested in Boca Raton, Florida, June 16 after he allegedly installed 10 skimming devices at Chase Bank branch ATMs in Miami-Dade, Broward, and Palm Beach counties in order to steal the credit or debit card information of over 300 ATM customers and skim at least $85,000 from the victims’ accounts. The man was arrested when a Chase Bank investigator witnessed the man installing a skimmer and notified authorities.

Losses from business email scams reach a whopping $3 billion. The FBI’s Internet Crime Complaint Center (IC3) reported that global Business Email Compromise (BEC) scams and campaigns were increasing with companies losing over $3 billion in global scams and over $960 million in U.S.-targeted scams from October 2013 – May 2016. Many targeted companies stated that the fraudulent actions occurred by hacking into the chief financial officer’s or chief executive officer’s email accounts.


Time runs out for suspected ‘Countdown Bandit;’ arrest made in North Jersey bank heists. A man dubbed the “Countdown Bandit” was arrested June 16 after he allegedly robbed the Spencer Savings Bank in Wallington, New Jersey, and at least nine other banks in the region since February 2015.

Adobe patches Flash zero-day exploited by APT Group. Adobe released Flash Player which addressed 36 flaws that could be exploited for arbitrary code execution and information disclosure after a new advanced persistent threat (APT) group dubbed “ScarCruft” was using the flaws to disseminate its “Operation DayBreak” campaign to target high-profile targets. In addition, researchers discovered that attackers were using a method to bypass modern anti-malware products by decrypting and executing a shellcode that downloads and runs a Dynamic Link Library (DLL) file.

GitHub resets some user passwords after brute-force attack. GitHub reported that it reset all its users’ passwords and advised its users to look at their password complexity level and enable the two-factor authentication for their accounts after the company’s security researchers found a hacker had used credentials leaked during a previous breach to access GitHub users’ accounts. The company stated their systems were not compromised or breached in the attack.

Microsoft open-sources “Checked C,” a safer C version. Microsoft released its open-sourced Checked C, which will help developers detect common programming errors such as buffer overruns, out-of-bounds memory access, and incorrect type casts that were previously used in vulnerabilities including Shellshock, Heartbleed, and Sandworm. Checked C will modify how pointers are handled and will allow programmers to detect errors as they create the code.


Former credit union CEO accused of bank fraud. Pennsylvania officials charged the former chief executive officer of Valor Federal Credit Union, formerly known as Tobyhanna Federal Credit Union, June 15 after he allegedly embezzled over $700,000 from the bank and used the money for personal use. Authorities stated that the former executive also attempted to rig the elections for the bank’s board of directors and established a fraudulent severance deal where he would be paid over $1 million if he was terminated.

Man uses fake ID to get debit card, steals $90K. Authorities are searching June 15 for a man who used a fraudulent ID and documents to steal $90,000 from a victim’s bank accounts at 5 Chase Bank branches in San Diego County since March. Authorities stated that the man is suspected of committing similar thefts in Los Angeles and Orange counties.

24 charged in ‘intricate’ international bank fraud ring. Twenty-four people were charged June 14 for their roles in an international bank fraud ring where the group stole $1 million from banks and corporations by creating phony companies to defraud individuals and companies into wiring over $8 million to the group’s fraudulent corporate bank accounts. Authorities stated that the indictments were part of an ongoing investigation that was initiated following a routine traffic stop.

Microsoft OLE abused to embed malicious code in Office docs, similarly to macros. Security researchers discovered a macro malware infection method was abusing Microsoft’s Object Linking and Embedding (OLE) system by tricking users into embedding a JavaScript or a VBScript file that downloads an encrypted binary and bypasses network-based protections that identify malicious data formats. Once the scripts save the encrypted binary, a Vibrio or the Donvibs trojan is installed and the final payload, Cerber ransomware, can infect the victim’s system.

Flaw allowed hackers to steal emails from Verizon users. A security researcher discovered several vulnerabilities in Verizon’s Webmail portal that could be exploited by hackers, who possess a Verizon email account, to substitute the value of the userID in their own request with the victim’s userID in order to forward all the victim’s emails to an arbitrary email address. Victims would be unaware of the email forwarding as the transactions are not shown in the Verizon inbox.

70,000 hacked servers for sale on xDedic underground market. Security researchers from Kaspersky Lab investigated the xDedic marketplace, a global forum where cybercriminals can buy and sell access to compromised servers, and found that 70,624 hacked remote desktop protocol (RDP) servers used to host or provide access to popular consumer Web sites were for sale. The illegal data can be used to target government entities, corporations, and universities without the institute’s knowledge.

Schneider patches severe flaw in video management system. Schneider Electric released version 7.13.84 for its Pelco Digital Sentry (DS) product after the company found the tool contained hardcoded credentials that could be leveraged by an attacker to elevate their privileges and gain access to sensitive information or execute arbitrary code on the affected system.


Serial bank robber ‘The Forever Loyal Bandit’ arrested in Virginia, police say. The “Forever Loyal Bandit” was arrested June 14 in Fairfax County, Virginia, after he allegedly committed six bank robberies and one attempted robbery in Fairfax and Arlington counties since June 2014.

Hacker steals 45 million records from 1,100 home, sports and tech support forums. reported that its system was compromised in February after a hacker stole over 45 million user records from its database which contained details from over 1,100 tech, home, and sport support portals.

APT group uses Flash zero-day to attack high-profile targets. Security researchers from Kaspersky Lab reported that a new advanced persistent threat (APT) group dubbed “ScarCruft” was using a Flash Player zero-day vulnerability and Microsoft XML Core Services (MSXML) vulnerability to target high-profile people through a campaign dubbed “Operation Daybreak” and “Operation Erebus.” Kaspersky stated they will release more details on the campaigns after Adobe releases a patch.

SAP patch batch includes fix for 3-year-old info disclosure vuln. SAP released patches for its Business Intelligence and Business Warehouse products, which addressed a three-year-old flaw and more than 20 vulnerabilities including a directory traversal vulnerability that can be exploited to access any file on the operating system (OS) and obtain critical data about the company’s finances.

Microsoft patches critical flaws in Windows, Edge, Office. Microsoft released 16 security bulletins which patched about 40 vulnerabilities in its Windows, Edge, Internet Explorer, Office, and Exchange Server products after security researchers found a remote attacker could exploit a use-after-free vulnerability for arbitrary code execution by sending a specially crafted request to the targeted Domain Name System (DNS) server. Other patched vulnerabilities included privilege escalation flaws, remote code execution (RCE) flaws, and a denial-of-service (DoS) flaw, among others.

Flash security patch coming in two days to fix zero-day used in live attacks. Adobe announced that they will release an emergency patch June 16 that will fix a zero-day vulnerability affecting all Flash Player installations after security researchers from Kaspersky found the flaw was used in targeted attacks and exploited in the wild. An attacker could exploit the flaw to crash a Flash Player installation, enabling a hacker to run malicious code on the user’s system and control the machine.


Former Ithaca accountant admits to $10M investment fraud. The former managing partner, treasurer, and secretary of Global Financial Fund 8 LLP pleaded guilty June 13 to Federal charges after he and 2 co-conspirators allegedly defrauded at least 16 investors out of $10 million by making phony profit payments to the investors between 2004 and 2005, and by claiming investors’ funds were held in an Italian bank where the money was generating significant profits. Officials stated the former accountant used $1.5 million of the investors’ funds for personal use.

RAA ransomware is 100 percent JavaScript. Security researchers from Emsisoft reported that a new ransomware family titled RAA was the first ransomware to solely use obfuscated JavaScript code to infect computers and encrypt victims’ data after finding the ransomware includes the CryptoJS library which allows RAA to encrypt files. The ransomware uses JavaScript to deter security researchers from reverse-engineering its source code.

Samsung patches privilege escalation flaw in update tool. Samsung released SW Update version after a security researcher from Frost Security discovered that Samsung’s SW Update application tool was plagued with a vulnerability that could allow an attacker to gain complete control over a Samsung computer by placing specially crafted Dynamic Link Libraries (DLLs) in the SW Update folder.

Ransomware targets Android smart TVs. Security researchers found that Sharp and Philips brand smart TVs running the Android TV operating system (OS) were susceptible to the FLocker ransomware which disguises itself as U.S. Cyber Police, accuses the victims of crimes they did not commit, and demands $200 worth of iTunes gift cards via spam Short Message Service (SMS) or malicious links. Researchers advised affected users to contact the device vendor and enable the Android Debug Bridge (ADB) tool.


‘Bad Eye Bandit:’ guaranteed $1,000 reward to help catch serial bank robber wearing wig, patch over hurt eye for heists. Authorities offered a reward June 10 in exchange for information on a man dubbed the “Bad Eye Bandit” who is suspected of committing six bank robberies in Washington since January.

Email server glitch exposes email addresses for 7,618 Let’s Encrypt users. The Let’s Encrypt project, launched by Mozilla Foundation and the Electronic Frontier Foundation, reported June 11 that a glitch in its email newsletter system inadvertently exposed the email addresses of 7,618 users, which were 1.9 percent of the entire subscriber base. Let’s Encrypt officials stated they will provide an incident report on what transpired.

Hackers find clever way to bypass Google’s two-factor authentication. A security researcher from reported that a Google two-factor authentication, or 2FA, attack was active after discovering attackers were disguising themselves as Google notifications in order to trick victims into sending the 6-digit verification code associated with each email account.

Facebook activates Safety Check after Orlando massacre, its first use in US. Facebook activated its Safety Check tool which aimed to inform family and friends of the status of people near an affected area following the June 12 shooting at the Pulse nightclub in Orlando. The tool was utilized for the first time in the U.S. after it was activated during the 2015 Paris shooting.


‘North Center Bandit’ hits bank for first time in 6 months. Authorities offered a reward in exchange for information on a man dubbed the “North Center Bandit” who is suspected of robbing a Chase Bank branch in the Jefferson Park area of Illinois June 8. Officials stated the man is suspected of committing four other bank robberies in the Chicago area since August 2015.

Two arrested in southwest VA after traffic stop, search yields 99 fake credit cards. Two New York men were arrested and charged in southwest Virginia June 6 after police discovered around 99 counterfeit or forged credit cards in the duo’s vehicle during a routine traffic stop.

Fourteen defendants charged with drug trafficking and illegal weapons possession in the Cypress Hills Houses in Brooklyn. Indictments unsealed June 7 revealed that authorities arrested and charged 14 members of the Back Side and Team Side gangs in Brooklyn, New York, after FBI agents intercepted a package belonging to the defendants that contained more than 1,300 fraudulent credit cards. Authorities stated that a Federal investigation also revealed the gang members were trafficking weapons and drugs from the New York City Housing Authority’s Cypress Hills Houses.

Bug in Chrome’s PDF reader allows arbitrary code execution. A security researcher discovered that PDFium, a default PDF reader in the Google Chrome Web browser, was susceptible to a heap-based buffer overflow vulnerability in the OpenJPEG parsing library that can be exploited through a PDF file with an embedded jpeg2000 whose SIZ marker states 0 components. In addition, the vulnerability can be exploited to achieve arbitrary code execution on a victim’s system and cause disruption of service, unauthorized information disclosure, and modification.

uTorrent forums breached via software vendor, consider passwords compromised. The uTorrent team released a security advisory warning users of an intrusion into their IP.Board forum, provided by Invision Power Services, after a client experienced a breach when an attacker downloaded user information from the forum and accessed other Invision users. The attacker’s entry point was unknown, but Invision Power Services released a security update June 1 for its IP.Board forum platform.

RansomWeb attacks on the rise. Security researchers from High-Tech Bridge reported that RansomWeb attacks were increasing and have been targeting large organizations with business-critical Web applications by encrypting data on-the-fly before its insertion into the database, which can allow attackers to remain undetected and ensure that Web site backups are overwritten with encrypted content to prevent victims from decrypting the files.

Mandatory password reset for some Facebook and Netflix users in wake of mega-breaches. Facebook Inc. and Netflix began notifying their customers that as a precaution the companies have reset their users’ passwords after an attacker breached the Web sites of, Tumblr, MySpace, and LinkedIn and released over 750 million user records online.


Kansas tax return preparer pleads guilty to stealing more than $2 million in government funds. A Kansas tax return preparer pleaded guilty June 6 to Federal charges after he obtained over $2 million in fraudulent tax returns from the U.S. Internal Revenue Service (IRS) by filing false tax returns in the names of his clients without their knowledge and directing the refunds into bank accounts he controlled.

Critical vulnerabilities patched with release of Firefox 47. Mozilla released version 47 of its Firefox Web browser which patched more than a dozen flaws including a heap buffer overflow vulnerability that can be exploited when parsing Hypertext Markup Language 5 (HTML5) fragments, several memory safety bugs, a use-after-free flaw, a pointer lock permission bypass issue, and an out-of-bounds write flaw, among other vulnerabilities.

Uber pays researcher $10K for login bypass exploit. Uber Technologies Inc. recently patched a flaw in its Web site after a security researcher found a hacker could bypass the OneLogin system used for employee authentication and potentially compromise its internal network hosted on Atlassian’s Confluence collaboration software. In addition, the security researcher stated that the flaw could be exploited to compromise a server that uses WordPress plugins.

Critical vulnerabilities patched in Android Mediaserver, Qualcomm drivers. Google released security updates for its Android operating system (OS) which patched a total of 40 vulnerabilities in the platform including 15 security vulnerabilities in the Mediaserver component, 16 flaws in the Qualcomm drivers, and 9 bugs in other components and drivers.


Facebook patches vulnerability in Messenger app. Security researchers from Check Point discovered that the Facebook Messenger app was plagued with a vulnerability that could allow attackers to change the content of a conversation or replace legitimate links and files with malicious content. Attackers could exploit the flaw by obtaining identification (ID) assigned to each message via a request to “” and send another message with a duplicate ID to the victim.

Massive DDoS attacks reach record levels as botnets make them cheaper to launch. Akamai released a report titled State of the Internet which revealed that during the first quarter of 2016, there were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gigabits per second, making DDoS attacks four times more prevalent than the previous quarter. The report indicated that criminals could now afford to launch crippling attacks towards major companies.

Angler exploit kit finds a method to escape Microsoft’s EMET security toolkit. Security researchers from FireEye reported that the Angler exploit kit (EK) installations were capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) on Windows 7 to infect a system by deploying two exploits, one for Flash and one for Silverlight. The two exploits run their code via protected memory slots that allow them to deliver a malicious payload regardless of EMET’s Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF), and EAF+ mitigations.

Black Shades ransomware asks victims only for a measly $30. Several security researchers from various companies discovered a ransomware dubbed Black Shades Crypter was locking user files and demanding ransom money after finding that the ransomware adds an extra extension, “.silent” to encrypted files, informs victims to pay a small ransom to unlock their files, and encodes strings in its source code to make it difficult for malware analysts to decode.

Windows BITS Service used to reinfect computers with malware. Security researchers from SecureWorks stated that attackers were using Windows’ Background Intelligent Transfer Service (BITS) to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware, after an investigation revealed that the original malware, called Zlob.Q, added malicious entries to the BITS service, which would download malicious code on the system, run the malware, and erase itself when the infection is completed.


FDIC, banks in $190 million settlement over risky Countrywide debt. The U.S. Federal Deposit Insurance Corporation (FDIC) announced June 2 that 8 financial services firms paid the FDIC $190 million to settle claims that they violated Federal and State securities laws after they misled 5 U.S. banks into buying risky residential mortgage-backed securities (RMBS) from the former Countrywide Financial Corp., by making material misrepresentations in the offering documents for 21 Countrywide RMBS the financial firms underwrote from 2005 – 2007. The settlement funds will be distributed among the five banks, which failed in 2008 and 2009 in part as a result of the risky mortgage securities.

CryptXXX ransomware improves security, GUI slurps Cisco creds. Security researchers from Proofpoint reported that the developers behind the CryptXXX malware released new variations of the malware that can encrypt network shares and steal account logins by using StillerX to steal account credentials from various software programs including Cisco Virtual Private Networks (VPNs), Microsoft Credential Manager, and online poker platforms after researchers found the new variant had updates to its encryption, network share scanning, cosmetic updates, and updates to lock screen behavior.

High severity DoS vulnerability patched in NTP. NTP project released a new version of its Network Time Protocol daemon (ntpd) patching five vulnerabilities including a high severity denial-of-service (DoS) flaw that an off-path attacker can leverage to cause a preemptable client association to be demobilized. Other patched flaws included bad authentication demobilizes ephemeral associations, processing spoofed server packets, autokey association reset, and a broadcast interleave issue.

New Cerber ransomware variants morph every 15 seconds. Security researchers from Invincea reported that the developers behind the Cerber ransomware were using a technique called “malware factory” to change the ransomware’s mode of operation to bypass basic scanning techniques and infect computers even with antivirus products by sending out different file hashes every 15 seconds from its command and control (C&C) server.

GhostShell leaks around 36 million records from 110 MongoDB servers. The Romanian hacker GhostShell reportedly leaked 36 million user records from 110 MongoDB servers online after the hacker found 5.6 gigabytes of data on the hacked server’s Internet Protocol (IP), which contained real names, usernames, email addresses, passwords, general social media data, and details about the user’s smartphone model, among other personal information. The hacker revealed that the hack was part of a campaign to raise awareness on the importance of cyber security practices.



SEC: Adviser steered investor money to his own companies. The U.S. Securities and Exchange Commission announced June 2 charges against a North Carolina-based investment advisor for allegedly defrauding at least 85 investors out of approximately $11.5 million after he sold interests in two unregistered pooled investment vehicles, DCG Commercial Fund I LLC and DCG Real Estate Assets LLC, siphoned the investment funds into deals with companies he owned and operated, and improperly received over $1.5 million from the investor funds’ bank accounts in management fees. Officials stated that the adviser continued the scheme by making false or misleading statements to investors regarding their investments, and failed to inform investors of their losses as his companies failed to pay the loans in full, among other illicit actions.

SEC: forex trader misrepresented track record and hid massive losses. The U.S. Securities and Exchange Commission announced June 2 charges against a New York City-based trader for allegedly defrauding over 30 investors out of $14 million since 2012 by misrepresenting her investment track record, the profitability of her investments, and her use of investor funds after she purported to have profitable foreign currency (forex) trading strategies and sent investors fraudulent account statements showing fictitious profits. New York officials filed parallel criminal charges June 2 against the trader for the scheme which caused over $16 million in losses.

One in ten NFS servers worldwide is misconfigured, exposes sensitive files. Fortinet researchers found that tens of thousands of inattentive system administrators are using older versions of the Network File System (NFS) protocol, such as insecure NFSv3, which can expose private or sensitive files to the Internet including server logs, server backups, the source code of various Web sites, and server image files. Researchers recommended that companies switch to the NFSv4 protocol, which has been modified to use Kerberos to provide a basic level of authentication.

WordPress sites under attack from new zero-day in WP mobile detector plugin. Security researchers from Plugin Vulnerabilities discovered that hackers were exploiting an arbitrary file upload vulnerability in WP Mobile Detector plugin, which handles image uploads, to upload Hypertext Preprocessor (PHP)-based backdoors on WordPress Web sites after finding that the plugin lacks basic input filtering, allowing attackers to pass a malicious file to upload it to the plugin’s /cache directory.

Researchers find 5,275 login credentials for top 100 companies on the Dark Web. A U.K.-based security firm, Anomali, reported that over 5,000 login credentials including email addresses, cleartext passwords, and usernames were posted online via the Dark Web, potentially allowing hackers to use the stolen information to access various sections of an Information Technology (IT) network owned by the top 100 international companies. The firm stated that the credentials were primarily from the oil and gas industry, pharmaceuticals, consumer goods, banking, telecommunications, and military sectors.

Two men plead guilty in U.S. to hacking, spamming scheme. Officials reported June 2 that two men pleaded guilty in New Jersey for their involvement in a hacking and spamming scheme that generated more than $2 million in illegal profits after the duo and a co-conspirator targeted and stole the personal information of 60 million people, hacked into corporate email accounts, seized control of corporate mail servers, and created their own software to exploit vulnerabilities in numerous corporate Web sites via specially crafted code in computer programs, which hid the origin of the spam and bypassed spam filters.



Couple arrested for allegedly manufacturing 80 fake credit cards. Two Tennessee residents were arrested in Kingston May 27 for allegedly manufacturing about 80 counterfeit credit and gift cards after a routine traffic stop led authorities to the duo’s motel room, prompting a subsequent search of the room which revealed a card reader, a machine used to punch numbers on credit cards, and blank cards, among other illicit materials.

KeePass update check MitM flaw can lead to malicious downloads. A security researcher reported that all versions of KeePass, an open source password manager, were susceptible to a man-in-the-middle (MitM) attack that could allow attackers to trick users into downloading malware disguised as a software update, as the product uses Hypertext Transfer Protocol (HTTP) to request the current version information, allowing an attacker to modify the server response. A KeePass developer stated the vulnerability will not be fixed as the cost of switching to Hypertext Transfer Protocol Secure (HTTPS) makes it an inviable solution.

Cisco fixes flaws in network analysis modules. Cisco released patches addressing high and medium severity vulnerabilities in its Prime Network Analysis Module products that could allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted Internet Protocol v6 (IPv6) packets on the network, as well as remotely execute arbitrary commands on the underlying operating system via specially crafted Hypertext Transfer Protocol (HTTP).

Google fixes 15 security bugs in Chrome, awards $26,000 to researchers. Google released version 51.0.2704.79 for its Chrome Web browser which fixes 15 security flaws including two high-level vulnerabilities that could allow attackers to bypass the browser’s cross-origin code execution restrictions and run malicious code via the Blink engine and its Extensions component. The new Web browser version also patched some flaws that crashed the browser or scrambled up its download file paths.

Microsoft patches to fix recent spam flood. Microsoft released a patch for its Outlook and Hotmail products after the company received reports of a massive spam flood that bypassed the products’ spam filters, allowing hackers to inundate users with Viagra ads and Russian bride ads.

ABB patches password flaws in substation automation tool. ABB released software updates for one of its substation automation products, PCM600, after a security researcher from Positive Technologies found several vulnerabilities in industrial control systems (ICS) and found that the PCM600 product was plagued with four password-related flaws. The flaw can be exploited via the hash, which can be easily broken and allow an attacker to obtain the password.

User data possibly stolen in hack. released a patch and warned its users that their usernames, email addresses, encrypted passwords, password decryption keys, profile pictures, and certification information may have been compromised after an investigation revealed that an unknown user had created a new admin account on the mail server and modified the settings. In addition, was notified that its software was plagued with a flaw that could be exploited to conduct the same malicious activities.


SEC: Nashville firm schemed to collect extra fees from hedge funds. The U.S. Securities and Exchange Commission announced May 31 charges against Nashville-based Hope Advisers Inc., and its owner for allegedly scheming to collect extra monthly fees from two hedge funds managed by the firm, Hope Investments LLC and HDB Investments LLC, by orchestrating certain trades that enabled the funds to experience large gains at the end of one month, guaranteeing significant losses at the beginning of the next month in order to delay the realization of trading losses and continue earning large incentive fees. Officials stated that the scheme allowed Hope Advisers to avoid the realization of over $50 million in losses in the hedge funds and earn millions of dollars in fraudulent fees.

Update tools preinstalled on PCs expose users to attacks. Security researchers from Duo Security conducted an analysis on software updates and support tools shipped by major personal computer (PC) makers including Acer, Asus, HP, Dell, and Lenovo, and discovered that each of the tested updater tools was plagued with at least one flaw that could be easily exploited for remote code execution (RCE) with SYSTEM permissions, which can lead to a complete compromise of the vulnerable device.

ZCryptor ransomware spreads via removable drives. Security researchers from Microsoft and Trend Micro reported that the ransomware dubbed Ransom:Win32/ZCryptor.A was targeting Windows XP 64-bit computers and Windows 7 and Windows 8 versions to encrypt files and demand monetary funds by dropping an autorun.inf file on removable drives, which allows the ransomware to infect a computer once the removable drives are connected. In addition, the ransomware leverages network drives to self-propagate from a compromised system.

Windows zero-day affecting all OS versions on sale for $90,000. A hacker under the name BuggiCorp was discovered selling a zero-day vulnerability affecting over 1.5 billion users and all versions of the Windows operating system (OS) after security firm Trustwave found the attacker could escalate the privileges of an application in Windows 10 with the May 2016 security patch installed, and bypass all security features including Microsoft’s newest version of the Enhanced Mitigation Experience Toolkit (EMET).

DDoS attacks via TFTP protocol become a reality after research goes public. Security researchers from the Akamai Security Incident Response Team (SIRT) reported that they have detected at least ten distributed denial-of-service (DDoS) attacks since April 20 after attackers employed Trivial File Transfer Protocol (TFTP) servers as part of a multi-vector DDoS attack by mixing different DDoS-vulnerable protocols together to confuse a victim’s Information Technology (IT) department. In addition, researchers found a weaponized version of the TFTP attack script circulating online following the Edinburgh Napier University study which detailed how to carry out reflection DDoS attacks via TFTP servers.

ICS system with public exploits cannot be patched. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a security advisory for customers using the Environmental Controls System (ECS) 8832 version 3.02 and earlier versions after a security researcher discovered the product had two vulnerabilities, which cannot be patched, including an authentication bypass flaw and a privilege escalation flaw that could allow an attacker to perform unauthenticated operations over the network. The ECS product is used in the energy industry to provide operators with an interface to control calibration functions.


Bank robber called ‘Ball Cap Bandit’ hunted by FBI. Authorities offered a reward May 31 in exchange for information regarding a man dubbed the “Ball Cap Bandit,” who is suspected of robbing nine Chase Bank branches in Palm Beach County, Broward County, and Martin County, and one PNC Bank branch in Martin County since December 2015. Authorities stated that the suspect should be considered armed and dangerous. 

65 million users affected by Tumblr breach. Tumblr officials reported that as a precaution, they have reset all their customers’ passwords after an Australian security researcher found that a hacker under the online name “peace_of_mind” posted the information of 50 million Tumblr accounts on a darknet Web site called “The Real Deal” for a small sum of money. The same hacker was also seen selling millions of records of LinkedIn,, and Myspace users.

Tor browser 6.0 based on Firefox 45-ESR released with updated security features. The Tor Project released version 6.0 of its Web browser for Linux, Mac, and Windows, which includes Hyper Text Markup Language 5 (HTML5) support, code-signing for Mac operating system (OS) X, and the removal of support for Secure Hash Algorithm 1 (SHA-1) certificates.

Recently patched OpenSSL flaw still plagues top sites. An OpenSSL vulnerability previously patched in early May was discovered unpatched on 19 percent of Alexa Top 10,000 Web sites after a security researcher from High-Tech Bridge conducted an automated, non-intrusive scan by searching for the use of Advanced Encryption Standard (AES) Cipher Block Chaining (CBC) and by using custom OpenSSL code designed to check for the vulnerability. 

WordPress plug-in flaw puts over 1M websites at risk. Security researchers from Sucuri discovered a cross-site scripting (XSS) vulnerability that affects all Jetpack versions starting with 2.0 and released since 2012 after finding that the flaw was located in the Shortcode Embeds Jetpack module and could allow an attacker to inject malicious JavaScript code into the comments of external videos, images, documents, tweets, and other resources. The flaw can be exploited to steal users’ authentication cookies, redirect victims to exploits, and inject search engine optimization (SEO) spam. 

Ancient Bayrob backdoor trojan resurfaces after nine years with updated versions. Security researchers discovered that the Bayrob trojan, which was dormant for nine years, started reappearing with new features including cloning techniques that allow the trojan to launch multiple processes, each tasked with its own malicious routine, encryption of exfiltrated information, and the use of a custom protocol over Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate with its server.

Reddit resets passwords for 100,000 users after recent surge in hacked accounts. A Reddit spokesperson reported May 26 that as a precaution, the company advised 100,000 of its users to reset their passwords after a security researcher detected an increase in account hijackings.


PayPal settles with Texas over Venmo app security claims. The State of Texas and PayPal entered into an Assurance of Voluntary Compliance agreement May 26 after Venmo, a company acquired by PayPal, violated the Texas Deceptive Trade Practices – Consumer Protection Act by allegedly providing confusing and deficient privacy and security disclosures, and failing to provide clarification over access to the user’s contact list. PayPal agreed to make “behavioral” changes regarding interactions between Venmo and its users.

Nearly 100 reports of missing money in Hermiston bank fraud. Authorities are searching May 26 for a man suspected of installing a skimming device on a Portland area ATM beginning the week of May 8 and using the stolen data to manufacture fraudulent debit cards in order to withdraw cash from other area ATMs after officials received approximately 100 reports of fraudulent bank account activity. Authorities stated that the scheme has caused thousands of dollars in losses, and believe the man is part of an organized group.

Angler EK malvertising campaign abuses recent Flash zero-day. Security researchers from Malwarebytes reported that a previously patched zero-day flaw in Adobe Flash Player was being exploited in a new malvertising campaign targeting ad networks through a conditional malicious code which redirects users to the Angler exploit kit (EK) after executing fingerprinting checks. Attackers exploit the vulnerability via specially crafted Microsoft Office documents. 

Windows trojan uses TeamViewer to turn your PC into a web proxy. Security researchers from Dr. Web and Yandex reported that the backdoor trojan dubbed BackDoor.TeamViewer.49 was using a malware dropper called Trojan.MulDrop6.39120 and a malicious Adobe Flash Player update package to secretly distribute the TeamViewer trojan. Once the TeamViewer trojan is installed, the trojan connects via an encrypted channel to the attackers’ command and control (C&C) server, where it relays Web traffic to other servers on the Internet and uses the affected device as a proxy server.

“SandJacking” attack allows hackers to install evil iOS apps. A security researcher from Mi3 Security discovered that attackers could exploit a new Apple feature, which allows developers to create mobile operating system (iOS) apps using certificates easily obtained by providing an Apple ID, to quickly replace a legitimate app on an iOS device with a rogue version that contains malicious capabilities to give attackers complete control and access to the application. The security researcher released a proof-of-concept (PoC) titled “Su-A-Cyder” that can replace legitimate apps with malicious apps when the targeted phone is connected to a computer.


Elderly ex-con arrested for alleged $5M fraud scheme. Texas officials announced May 24 that a former executive at AG Cooper & Associates was arrested and indicted the week of May 16 on charges alleging that the executive orchestrated a wire and mail fraud scheme that bilked over 50 investors out of $5 million by issuing false quarterly statements to investors that indicated their funds were earning over 11 percent in legitimate investments. Officials stated that the executive used the funds for personal use.

The Treasury Department says it has arrested five people in Miami accused of defrauding victims of nearly $2 million by posing as IRS agents and demanding payment of overdue taxes. Officials from the U.S. Treasury Inspector General for Tax Administration office announced May 24 that 5 Cuban nationals were arrested in Miami for their roles in an estimated $2 million fraud scheme where the group posed as U.S. Internal Revenue Service (IRS) agents in telephone calls and threatened to arrest victims if they did not make an immediate payment of overdue taxes or other fees. Authorities stated that the victims were required to wire transfer the money, which is a method not used by the IRS.

Fiverr removes DDoS-for-Hire services from its marketplace. Fiverr banned and removed a series of ads reportedly providing distributed denial-of-service (DDoS)-related offerings on its marketplace Web site after security researchers from Incapsula found several DDoS services.

Hackers take over thousands of Twitter accounts and tweet out adult content. Symantec discovered that over 2,500 Twitter accounts were compromised after hackers took over Twitter profiles, changed a user’s avatar picture, and sent out links to adult Web sites or Web cam sites by using Uniform Resource Locator (URL) shorteners, primarily, to hide a link to adult Web sites using referral tags.

Unpatched flaws plague Moxa connectivity products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and an independent security researcher discovered that Moxa’s MiiNePort E1, E2, and E3 device models were plagued with at least three serious vulnerabilities including a weak credentials management issue, a clear text password issue, and a cross-site request forgery (CSRF) flaw. The devices are used in the commercial facilities sector, critical manufacturing sector, the energy sector, and the transportation sector.

After record high numbers, a lot of people still don’t know what ransomware is. Kaspersky released a report after studying over 5,000 users in the U.S. and Canada which revealed that 43 percent of users studied were unfamiliar with ransomware and were unaware that they could lose critical data after such infections. The lack of knowledge reveals why users are unaware of how to deal with ransomware infections. 


Columbia man guilty of federal bank, loan fraud. A former employee at Scott Credit Union in Illinois pleaded guilty May 19 to Federal charges after he defrauded the bank out of $12 million by embezzling credit union funds, creating fraudulent loans, paying loans through the misapplications of funds from other loans, and increasing credit limits on loans that did not have board approval, among other fraudulent actions from November 2005 – December 2014. Officials stated the man also knowingly submitted a fraudulent report to the bank for the third quarter of 2014 that misstated loan balances, omitted loan amounts, and severely underreported loans.

Exploit for recently patched Flash flaw added to Magnitude EK. A French security researcher discovered that attackers were integrating an exploit for a previously patched Flash Player flaw into the Magnitude exploit kit (EK) to potentially deliver various pieces of malware, including Locky and Cerber ransomware. The exploit was not fully implemented in Magnitude and researchers advised users to be cautious of the exploit.

Ransomware adds DDoS capabilities to annoy other people, not just you. Security researchers from Invincea reported that the Cerber ransomware was discovered to have a new payload capability to launch network packets to a network subnet, which is a capability specific to distributed denial-of-service (DDoS) botnets. The ransomware was detected by 37 out of the 57 antivirus engines and spreads via weaponized rich text format (RTF) files.

Crooks used SQL injections to hack Drupal sites and install fake ransomware. The chief executive officer (CEO) and co-founder of Forkbombus Labs reported that attackers were leveraging a structured query language (SQL) injection vulnerability in installations of the Drupal 7.x content management system (CMS) platform prior to version 7.32 to compromise Web sites and install Web-based ransomware by scanning the Drupal site version and leveraging the flaw to break into the affected Web sites and change the admin user’s password.


SEC announces insider trading charges in case involving sports gambler and board member. The U.S. Securities and Exchange Commission announced insider trading charges May 19 against a professional sports gambler and a former board member at Dean Foods Company after the board member allegedly provided the gambler with advance information about Dean Foods including market-moving events, and company earnings statements from 2008 – 2012, among other information regarding Darden Restaurants stocks, which the gambler used to make $40 million in illegal profits. Officials stated the duo used prepaid cell phones and other methods to conceal the illicit activity, and convinced a professional athlete to trade the food company’s securities to pay off a gambling debt. 

60 percent of Androids exposed by new attack on mediaserver. A security researcher from Duo reported that about 60 percent of enterprise Android phones running Lollipop version 5 operating system (OS), KitKat version 4.4, and Marshmallow version 6 OS were susceptible to a Qualcomm Secure Execution Environment (QSEE) vulnerability after researchers discovered the flaw in the mediaserver component that could allow an attacker to gain complete control over the device by tricking users into installing a malicious app. 

Researcher wins $5,000 for finding two ways to brute-force Instagram accounts. Facebook fixed two security flaws on its social network, Instagram, that could have allowed an attacker to execute brute-force attacks and gain control over users’ accounts due to Instagram’s weak password policy, its usage of incremental user identifications, and lack of proper rate limiting protection.

Vulnerabilities found in Siemens SIPROTEC protection relays. Security researchers from Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) discovered SIPROTEC 4 and SIPROTEC Compact devices were plagued with several information disclosure vulnerabilities that can allow attackers to obtain sensitive device information if hackers gain access to the network hosting the devices. Siemens released updates for its firmware version 4.27, but has yet to release updates for other relays.


‘Hipster Bandit’ robs bank minutes after failed attempt. Authorities are searching for a man dubbed the “Hipster Bandit” who is suspected of robbing a Union Bank branch and attempting to rob a Wells Fargo Bank branch in Oceanside, California, May 18. The man is suspected of robbing at least four other banks in San Diego County since July 2015. 

Naples man pleads guilty to defrauding insurance companies. A Naples man pleaded guilty May 18 to Federal charges after the man and co-conspirators ran five unlicensed chiropractic clinics that received over $2 million in fraudulent insurance payments from car insurance companies by soliciting people to participate in staged vehicle accidents in exchange for compensation, and coaching the patients involved in the scheme to receive unneeded treatment. Officials stated the group used a shell corporation to conceal the proceeds from the fraudulent insurance claims and four other people were charged for their roles in the scheme.

ATMs targeted with improved “Skimer” malware. Researchers at Kaspersky Lab discovered a new version of an ATM malware dubbed “Skimer” that allows attackers direct interaction with ATMs by inserting two types of cards with specially crafted Track 2 data into the infected machine; one designed to execute commands hardcoded in Track 2, while the other allows attackers to launch 1 of 21 predefined commands using the personal identification number (PIN) and malware interface to dispense money from the machine, collect the details of cards inserted, and print the information collected from cards. Researchers stated attackers can use the malware interface to delete the malware, debug it, and update it with code stored on the special card.

A quarter of all hacked WordPress sites can be attributed to three plugins. Sucuri conducted an investigation on over 11,485 compromised Web sites and released its “Website Hacked Report” which revealed that during the first 3 months of 2016, 78 percent of hacked Web sites were using the WordPress Content Management System (CMS) platform and found that attackers were primarily using outdated plugins to hack WordPress sites. Outdated plugins included RevSlider, GravityForms, and TimThumb, but officials concluded that only 56 percent of all WordPress sites were running outdated WordPress core versions. 

TeslaCrypt ransomware project appears to shut down, offers free decryption key. Security researchers from ESET found that the TeslaCrypt ransomware operation will be shut down and the operators of the ransomware agreed to offer a master decryption key for all victims infected with TeslaCrypt v3 and v4 after a researcher contacted the ransomware operator using the ransom Web site hosted on the Dark Web via their support channel.

Cyber attackers target US presidential campaigns: Official. The DHS and the FBI are investigating cyberattacks against the campaigns of the U.S. presidential candidates after the director of the U.S. National Intelligence Council reported there were indications that revealed cyber attackers were targeting both the Democratic and Republican representatives. Officials stated the attacks could range from defacement to intrusion. 

Macro malware makes improvements on hiding malicious code. Security researchers from Microsoft’s Malware Protection Center discovered a new variation of the Donoff macro malware had evolved to avoid detection after finding that the malware was disseminated via spam email campaigns with attachments made to look non-malicious. The attachments contain seven Visual Basic for Applications (VBA) modules with an encrypted string in the Caption field for CommandButton3 and an unusual code in Module2. 

117M LinkedIn passwords leaked. LinkedIn officials reported May 18 that an additional 117 million LinkedIn users’ emails and passwords were compromised as attackers were discovered selling the information on the Dark Web May 16 following a 2012 breach where a hacker named “Peace” gained unauthorized access and compromised more than 6 million users’ accounts. The social network reported that the additional compromised accounts were not a result of a new security breach and that it was working to apply a password reset to potentially compromised accounts.


Fraud alert: Card skimmers discovered at 4 Greenville First Citizens Bank ATM locations. Authorities are searching May 17 for the persons responsible for installing card skimmers at four different First Citizens Bank ATM locations in Greenville, North Carolina, after a bank employee discovered one of the malicious card readers during an ATM inspection. Police and First Citizens Bank staff were monitoring account activity for suspicious transactions.

Guilty plea in multi-million-dollar Ponzi scheme. A Minnesota resident pleaded guilty May 17 to running a $250 million Ponzi scheme where the man used his business, Minnesota Print Services Inc., to defraud investors by claiming he had printing contracts with major corporations and needed cash upfront to receive discounts on purchasing paper, causing investors in 7 States up to $54 million in losses. Officials stated the man used the investors’ funds for personal expenses. 

‘BDL’ bandit robs Warrensville Heights bank. FBI authorities are searching for a man dubbed the “BDL Bandit” who is suspected of robbing five banks including the First Merit Bank in Warrensville Heights, Ohio, May 17. Authorities stated the suspect is considered armed and dangerous. 

Minnesota woman pleads guilty to faking husband’s death for insurance money. A Minnesota woman pleaded guilty May 16 to defrauding Mutual of Omaha Insurance Company out of more than $2 million in life insurance proceeds by falsely claiming her ex-husband’s death after she identified the remains of a body in Moldova as her former husband. Officials stated the woman recruited a third party to open a U.S. bank account and transferred $1.5 million of the insurance proceeds to her son’s account, which was then transferred to bank accounts in Switzerland and Moldova from March 2012 – January 2015.

Cisco patch blocks DoS vulnerability. Cisco released patches for its Adaptive Security Appliance (ASA) software after security researchers found attackers could alter a memory block, allowing the system to cease transferring traffic and cause a denial-of-service (DoS) situation. The flaw was reportedly linked to an issue in the installation of Internet Control Message Protocol (ICMP) error handling for Internet Protocol Security (IPSec) packets. 

Windows malware tries to avoid 400 security products. A senior security researcher at enSilo reported that the Furtim malware evades detection by searching the infected machine for registry entries or service executable names of 400 security products, including rare security products, virtualization environments, and sandboxing products. Once the malware detects a security product, it terminates itself and leaves the computer unharmed, avoiding any type of detection.

Researcher wins $5,000 for finding XSS bug on Google in most peculiar manner. A security researcher from ERNW found a “sleeping stored” cross-site scripting (XSS) vulnerability in Google’s Cloud Console product which could allow an attacker to create a project with a payload in its name and leave it on the dashboard, tricking an administrator into deleting the unknown project and triggering the exploit. Google was made aware of the exploit.


Ukrainian hacker admits stealing business press releases for $30M gain. A Ukrainian citizen pleaded guilty May 16 to Federal charges for his role in a $30 million hacking scheme where the man and 9 co-conspirators hacked into PR Newswire, Business Wire, and Marketwired from 2010 – 2015 to get advance notice of over 150,000 companies’ earnings statements, and sold the insider trading information for tens of thousands of dollars to traders who executed deals to buy or sell stocks based on the stolen information, which had not yet been released. Officials stated that once the transactions were complete, the traders shared the illegal profits with the hackers through foreign shell companies.

Possible security breach at local bank has customers concerned. Southern Michigan Bank and Trust alerted its customers May 6 to a possible security breach targeting the bank chain after a company laptop containing sensitive information including customers’ names, addresses, and account numbers, among other data, was stolen from a vehicle owned by the company’s operations manager in April. Bank officials stated the laptop is password protected and there have been no indications of an active breach of sensitive information. 

Critical vulnerability in Symantec AV Engine exploited by just sending an email. Symantec updated its Antivirus Engine (AVE) addressing a critical memory corruption flaw after a security researcher from Google Project Zero discovered the flaw affected most Symantec and Norton-branded antivirus products and reported the issue related to how the antivirus products handle executables compressed in the ASPack file compressor. The vulnerability can be remotely exploited for code execution by sending a specially crafted file to the victim. 

Apple patches flaws in iOS, OS X, other products. Apple released version 9.3.2 for its mobile operating systems (iOS) including its OS X, iOS, iTunes, Safari, tvOS, and watchOS products which patched 39 flaws after security researchers from Google, Trend Micro, and Context Information Security, among other security companies, found a way to bypass the lockscreen on the iPhone 6s and access photos and contacts by using Siri to conduct an online search for email addresses via Twitter. 

Million-Machine botnet manipulates search results for popular search engines. Security researchers from Bitdefender reported that a click-fraud botnet, Million-Machine, can modify Internet Explorer proxy settings and add a Proxy Auto Configuration (PAC) script to hijack all Web traffic through a local proxy server and view all Web traffic originating from the personal computer (PC) via infected downloadable versions of popular software programs including WinRAR, YouTube Downloader, and Connectify, among other products. The malware’s dissemination was assisted by the Redirector.Paco botnet that modifies a computer’s local registry keys with two entries disguised as Adobe products to make the Million-Machine malware begin its operations after each PC restart.

Chrome to deprecate Flash in favor of HTML5. The technical program manager at Google (Chrome) reported that they will only allow Flash Player execution if a user has indicated that the domain should execute the program and will begin to implement an “HTML5 by Default” policy on its Chrome Web browser by Quarter 4 (Q4) 2016. Chrome will introduce the new feature with a temporary whitelist of the current top Flash Player Web sites, which will expire after one year. 

Attackers deliver latest Flash exploit via malicious documents. Security researchers from FireEye reported that an exploit for a type confusion flaw, previously patched by Adobe, was disseminated via Uniform Resource Locator (URL) or email attachment after attackers embedded the Flash Player exploit inside Microsoft Office documents, hosted the documents on their Web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload.


Upgraded Android banking trojan targets users in 200 countries. Security researchers from Doctor Web reported that an Android banking trojan dubbed Android.SmsSpy.88.origin, initially discovered in 2014, was updated with new ransomware capabilities including a credit card information stealing capability that targets around 100 banking applications by using WebView to display a phishing window on top of the legitimate banking app, and by utilizing a fake Google Play payment phishing page to intercept and send short message service (SMS) and multimedia messaging service (MMS) messages, send unstructured supplementary service data (USSD) requests, and transmit all saved messages to the server, among other malicious actions. Security researchers stated the trojan has infected over 40,000 devices in over 200 countries.

M&T Bank settles Federal fraud case for $64 million. M&T Bank Corporation agreed May 13 to pay the Federal government $64 million to settle charges after a former underwriter at M&T filed a whistleblower lawsuit against the bank in 2013 alleging she witnessed fraud in the bank’s Federal Housing Administration underwriting practices, prompting a Federal investigation which revealed that the bank awarded housing loans that did not meet Federal requirements. 

SEC charges two attorneys with defrauding escrow clients. The U.S. Securities and Exchange Commission announced May 13 fraud charges against two attorneys acting as escrow agents after the duo allegedly made undisclosed risky investments and stole $13.8 million they obtained in escrow amounts from small business owners by making misrepresentations to clients about a purported loan company, Atlantic Rim Funding, siphoning clients’ investment funds to pay themselves and others, and gambling on risky securities derivatives. Officials stated the pair concealed their illicit actions by claiming the money used for the securities trades was their own and did not belong to clients. 

Data leaked from hacker forum. Risk Based Security reported that the popular forum was compromised after hackers leaked a 1.3Gb archive containing information on more than 536,000 user accounts, including usernames, email addresses, hashed passwords, application program interface (API) credentials for payment gateways, authentication logs, and Internet Protocol (IP) addresses, among other data. Researchers are unsure how the database was compromised and the forum was taken offline due to the attack.

New Simple attack on Squid proxies leverages malicious flash ads. Squid released versions 4.0.10 and 3.5.18 addressing a vulnerability in its products after a graduate from Tsinghua University discovered a vulnerability dubbed Squison in Squid 3.5.12 to 3.5.17 and all 4.x versions up to 4.0.9 that could allow hackers to poison a Squid proxy server’s cache with malicious content by using simple attacks including a malicious Flash ad or through a Web site controlled by an attacker. 

Researchers crack new version of CryptXXX ransomware. Researchers from Kaspersky Lab created a new tool titled RannohDecryptor that will help victims decrypt files and recover lost information affected by the CryptXXX 2.0 malware. Researchers advised users to install software program updates to mitigate ransomware attacks.

Silk Road 3.0 pops up on the Dark Web, once again. A Reddit online thread reported that a new Silk Road marketplace, dubbed Silk Road 3.0, was active after its predecessor site was shut down following an FBI raid that arrested the Web site’s users, moderators, and administrator. The marketplace was seen actively compiling stolen data, exploits, botnets, drugs, and weapons, among other illegal items, for attackers to purchase.

Five-year-old SAP vulnerability affects over 500 companies, not 36. The U.S. Computer Emergency Response Team (US-CERT) issued a public alert to all U.S. companies after ERPScan discovered at least 533 companies were affected by an SAP vulnerability largely due to the companies’ failure in installing a SAP security patch issued in 2010. The vulnerability can allow attackers to gain complete control of SAP business platforms via a bug in Invoker Servlet, a component in SAP’s Java platforms. 

Meteocontrol patches flaws in Photovoltaic Data logger. Meteocontrol released an update for all versions of its WEB’log Basic 100, Light, Pro, and Pro unlimited products used in the energy, water, critical manufacturing, and commercial facilities sectors after a security researcher discovered that the products were plagued by critical authentication flaws, information exposure flaws, and a cross-site request forgery (CSRF) flaw that could allow attackers to perform actions on behalf of the user without authentication and access an administrator password in clear text.


SWIFT warns of malware attack on another customer. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) warned customers May 13 against a second malware attack discovered at a bank using its services that targeted customer banks’ secondary security controls by modifying the bank’s PDF reader with malicious software to conceal the fraudulent transactions in PDF reports of payment confirmations. Attackers also exploited vulnerabilities in the bank’s systems in order to initiate fund transfers, steal credentials, and use them to send irrevocable fund transfer orders via the SWIFT network.

RushCard to pay $19 million to users for last year’s outage. RushCard agreed to pay at least $19 million to compensate its users impacted by an October 2015 service outage after the company attempted to switch payment processors, which caused tens of thousands of RushCard accounts to freeze leaving customers without access to their money for as long as 2 weeks. According to the agreement, the company will pay each customer who could not access their funds at least $100, and up to $500 to individuals who can document any losses incurred due to the outage.

Former worker pleads guilty in $626,941 banks embezzlement case. The former president of People’s Savings Bank in Crawfordsville, Iowa, pleaded guilty May 9 to embezzling $626,941 from the bank after he created multiple straw loans involving existing bank customers and stole the loan proceeds from December 2002 – March 2013. Officials stated the former executive also received unauthorized bonuses and salary increases from January 2008 – October 2013.

Adobe patches Flash zero-day exploited in the wild. Adobe updated its Flash Player for Microsoft Windows, Apple Mac, and Linux addressing 25 vulnerabilities including a type confusion, use-after-free, buffer overflow, directory search path, various memory corruption vulnerabilities that can lead to arbitrary code execution, and a zero-day that has been exploited in the wild.

7-Zip 16.0 released to fix gaping security hole. The 7-Zip project released version 16.0 of their open-source (de)compression software patching two critical vulnerabilities discovered by Cisco’s Talos team, which include a heap overflow vulnerability and an out-of-bounds read vulnerability, due to an issue with how the 7-Zip client handles Universal Disk Format (UDF) files. Attackers can create a booby-trapped 7-Zip archive which contains a malicious file that clients can unzip, initiating the attack.


FBI: Serial ‘Ballcap Bandit’ bank robbery suspect strikes again. Authorities are searching May 11 for a man dubbed the “Ballcap Bandit” who is suspected of robbing a Wells Fargo Bank branch in Falls Church, a Wells Fargo Bank branch in Alexandria, and a SunTrust Bank branch in Del Ray, Virginia, since April. Authorities were unsure if the suspect is armed.

Former Savannah CEO pleads guilty to $9M bank fraud. The former chief executive officer (CEO) and president of Central Bank in Savannah, Tennessee, pleaded guilty May 11 to Federal fraud charges after he made unauthorized advances to Tennessee Materials Corp., (TMC) and allowed TMC to deposit 161 insufficiently funded checks to cover overdraft balances in the company’s account from 2009 – 2012, causing Central Bank, Wayne County Bank, and First Metro Bank more than $9 million in losses. Officials stated the bad checks created false balances in TMC’s account, enabling the company to use approximately $3.9 million that belonged to Central Bank without the bank’s knowledge or approval.

Region 8 women plead guilty to bank fraud of nearly $4 million. Officials from the U.S. Attorney’s Office for the Eastern District of Arkansas and the FBI announced May 11 that three employees at the First National Bank of Lawrence County pleaded guilty to embezzling more than $3.9 million from the bank from 2005 – 2015. Officials stated that the trio received advanced notice of internal audits, and would temporarily transfer money from other branches of the bank into the main vault to conceal their theft from auditors.

Google patches more high risk vulnerabilities in Chrome 50. Google released a round of security patches for Chrome 50 addressing five vulnerabilities, three of which were deemed high severity, and include a same origin bypass issue in the Document Object Model (DOM), a same origin bypass bug in Blink V8 bindings, and a buffer overflow flaw in V8. A directory traversal flaw using the file scheme on Android, and a race condition bug in loader were also patched, among other vulnerabilities.

SAP patches critical vulnerabilities in Enterprise products. SAP released 10 Security Patch Day Notes and 11 Support Package Notes fixing 10 vulnerabilities, mainly in its NetWeaver Advanced Business Application Programming (ABAP) platform and Java, including critical flaws in Adaptive Server Enterprise (ASE) XPServer, Crystal Reports for Enterprise, and Predictive Analytics which could allow an attacker to potentially execute commands remotely without authorization, obtain critical technical and business-related information, or gain unauthorized access and perform actions in the system.


Guilty plea in $250M pump-and-dump scheme. The owner of a broker-dealer and investment management firm based in Panama and Belize pleaded guilty May 9 to running a $250 million pump-and-dump scheme where he and co-conspirators convinced U.S. investors to buy stock in over 40 thinly-traded public companies by falsely touting and inflating the share values, and established shell companies to circumvent U.S. Internal Revenue Service (IRS) tax reporting requirements from 2010 – 2014. Officials stated that the broker and his co-conspirators dumped their shares at inflated rates and used corrupt law firms to launder the fraudulent proceeds. 

Prominent Manhattan landlord arrested. A Manhattan landlord was arrested and charged May 9 after he allegedly secured more than $45 million in fraudulent mortgage loans by inflating rental and other income from his Manhattan residential buildings, and submitting fraudulent mortgage documents to banks. The New York State Attorney General’s office also filed parallel civil charges against the landlord after he and his staff drove tenants from their rent-regulated apartments by creating dangerous and unlivable conditions, filing frivolous lawsuits, and offering buyouts. 

Wi-Fi flaw exposes Android devices to attacks. Google and the developers of Wi-Fi Protected Access (WPA) supplicant, which is used in the Android operating system (OS) and several other products, patched a high severity privilege escalation flaw after SEARCH-LAB researchers determined that the vulnerability can be exploited to write arbitrary values in the wpa_supplicant configuration file, allowing an attacker to execute arbitrary code with elevated privileges or disrupt the device’s Wi-Fi functionality. The weakness is exploited through a Wi-Fi Protected Setup (WPS) attack or the wpa_supplicant control interface.

Microsoft patches flaws exploited in targeted attacks. Microsoft released 16 security bulletins patching over 30 flaws exploited via Internet Explorer, Windows, and Office which address JavaScript and Visual Basic Scripting Edition (VBScript) zero-days, several remote code execution (RCE) vulnerabilities in Edge running on Windows 10, and a Transport Layer Security (TLS) vulnerability, among others. 

Syrian Electronic Army hacker extradited to U.S. A suspected member of the Syrian Electronic Army hacktivist group was extradited from Germany to the U.S. to face charges that he and two other alleged members took part in a criminal conspiracy related to their campaign which involved targeting and hacking into the systems of government organizations, media companies, and other private-sector entities. 

DHS moves to bolster intrusion/detection for Federal networks. DHS released its Privacy Impact Assessment and announced the addition of a new intrusion prevention security service to its National Cybersecurity Protection System (NCPS) dubbed Einstein 3A which is a Web Content Filtering system that provides protection at the application layer for Web traffic by blocking access to suspicious sites, and works to prevent, detect, and block malware from running on systems and networks. 

Adobe warns of Flash zero day, patches Acrobat, Reader. Adobe issued 95 fixes for Acrobat, Reader, and ColdFusion addressing use-after-free vulnerabilities, memory corruption flaws that could lead to code execution, heap buffer overflow vulnerabilities, and several other flaws that could result in information disclosure or memory leak. A patch for a zero day vulnerability in Flash Player which could cause a crash and allow an attacker to take control of the system is expected to be released the week of May 9.


Four charged in alleged central Kentucky bank fraud involving $40 million. A loan officer and three others were indicted on Federal charges May 9 after the group, operating as various businesses, allegedly defrauded several central Kentucky banks out of more than $40 million in loans or loan renewals by making false representations or omissions on loan documents to banks in Fayette, Woodford, and Harrison counties from May 2006 – September 2010. Officials stated that the group used the loans for purposes other than those listed in the application. 

Android trojan steals credit card info, locks devices remotely. Researchers from Avast discovered a new Android banking trojan that is capable of spying on users and stealing credit card information by gaining admin rights to a victim’s device after continuously prompting the Device Admin activation dialog until the user grants the malware admin rights, while hiding the app icon following the program’s first run. Researchers stated that the trojan is designed to send information about the device to a command and control (C&C) server, intercept incoming short message service (SMS) messages and send them to the server, and receive further commands from its operators. 

SS7 attack leaves WhatsApp and Telegram encryption useless. Positive Technologies researchers unveiled a new attack that utilizes Signaling System No. 7 (SS7) to carry out attacks on encrypted communications apps such as WhatsApp and Telegram by spoofing a mobile network node and intercepting the initial phase of a chat between two users. The researchers were able to impersonate a second user through SS7 loopholes that were never patched. 

CryptXXX is now undecryptable, prevents users from accessing their PC. Researchers at Proofpoint discovered CryptXXX version 2.006, an update to CryptXXX, which defeats a Kaspersky Lab decrypter, blocks users from going online, and locks a user’s entire screen, forcing them to log onto a different computer to go online to buy Bitcoin and pay the ransom. The ransomware is distributed via malvertising campaigns, malicious ads on legitimate Web sites, or through an intermediary malware called Bedep.


Israel approves extradition to U.S. of two securities fraud suspects. Officials from Israel’s Ministry of Justice approved May 8 the extradition of two men to the U.S. indicted in the U.S. District Court for the Southern District of New York for their roles in a “pump-and-dump” stock manipulation scheme where the men and co-conspirators acquired shares in thinly traded companies, sent millions of spam emails inducing investors to purchase the stocks in order to artificially inflate the price, then sold off their holdings from 2011 – 2015. Authorities stated that charges were added to the indictment in March after discovering that the duo hacked into a dozen companies’ networks and stole the personal information of more than 100 million people. 

Over two dozen flaws found in Aruba products. Aruba Networks patched some of the 26 security flaws discovered by a Google security engineer, and is working to patch the remaining vulnerabilities which impact all versions of ArubaOS, AirWave Management Platform 8.x versions prior to 8.2, and Aruba Instant access points (IAP) prior to and Some of the vulnerabilities discovered include the transmission of login credentials via Hypertext Transfer Protocol (HTTP), default accounts, remote code execution flaws, firmware-related weaknesses, information disclosure issues, and Protocol Application Programming Interface (PAPI)-related security bugs. 

Google suffers minor data breach via third-party benefits vendor. Google notified an unknown number of employees following a data breach that occurred when a manager of a third-party benefits vendor sent a file containing the names and Social Security numbers of an undisclosed number of Google employees to the wrong person. The individual who received the data deleted it from his computer and notified Google’s vendor of the incident. 

Bucbi ransomware makes a comeback after two years. Researchers at Palo Alto Networks reported that a cyber-crime group is utilizing a re-tooled version of the Bucbi ransomware that does not rely on social engineering tactics and works without needing to connect to an online command and control (C&C) server, uses a different installation routine, and also employs a different ransom note. The group uses brute-force attacks against corporate networks running Internet-available Remote Desktop Protocol (RDP) servers. 

190 Android apps infected with malware discovered on the Google Play Store. Google removed 190 applications infected with malware from its Google Play Store after it was notified by Dr. Web security researchers who discovered that the malware’s mode of operation, Android.Click, waits for 6 hours after it is installed before forcibly loading a Uniform Resource Locator (URL) in the user’s browser, prompting the user back to the Google Play Store to download a second app. 

WordPress 4.5.2 released to fix XSS and SOME security bugs. The WordPress project released version 4.5.2 of its open-source platform addressing two security issues in two libraries packed with the content management system (CMS) after Cure53 researchers found a Same-Origin Method Execution (SOME) vulnerability in the Plupload library, which allows attackers to perform unintended actions on a Web site on behalf of victims, and a cross-site scripting (XSS) issue in the MediaElement.js library.


New trojan targets banks in US, Mexico. Researchers from Zscaler discovered that a new information stealer trojan which leverages legitimate tools to target online banking users in the U.S. and Mexico is delivered via the “curp.pdf.exe” installer served on several compromised Web sites which downloads a main payload file, a Fiddler dynamic link library (DLL) file, and a Json.Net DLL file on a victim’s device to collect system information and send it back to the command and control (C&C) server, to parse the server’s response and save the information in an extensible markup language (XML) file, and to intercept Hypertext Transfer Protocol (HTTP) and Secure Hypertext Transfer Protocol (HTTPS) connections and redirect users to a malicious Web site masked as a bank’s legitimate domain. 

Pair arrested in counterfeit credit card scheme: MDPD. Two men were arrested and charged May 5 after detectives witnessed the duo using counterfeit credit cards to make fraudulent purchases at the Dadeland Mall and stores throughout Miami-Dade County. Authorities stated a subsequent search of one of the suspects’ vehicles revealed 192 counterfeit credit cards. 

Chicago financial adviser pleads guilty to $4.2M fraud. The operator of a Chicago-based investment firm, D.J. Mosier and Associates, pleaded guilty May 5 to defrauding 9 clients out of more than $4.2 million by persuading them to invest in phony “Chicago Anticipatory Notes” debt securities. The financial adviser cashed the investors’ checks into her personal bank account and used the money for personal expenses, and to make bogus interest payments to previous clients.

Android trojan pesters victims, won’t take no for an answer. Avast researchers determined that an information-stealing Android trojan that is inadvertently downloaded by users, begins its infection after an icon is installed in the launcher in the name of a fake app which launches a dialog box that asks the user to grant it admin rights and blocks further access. Users can remove the trojan by powering down the phone and restoring it to factory settings or uninstalling the app. 

New security flaw found in Lenovo Solution Center software. Trustwave SpiderLabs reported a new vulnerability in Lenovo’s Solution Center software which is tied to the software’s backend and can allow an attacker with local network access to a PC to execute arbitrary code and elevate privileges. The company updated a previous security advisory disclosing the additional vulnerability and released a fix addressing the vulnerability. 

Ransomware infections grew 14 percent in early 2016, April the worst month. Kaspersky, Enigma Software Group, and the FBI issued a warning to companies about the increase in ransomware infections following reports of at least 2,900 new ransomware variants, representing a 14 percent increase in Quarter 1 of 2016. Researchers also found a significant increase in the number of attacks during April. 

New Attack on WordPress sites redirects traffic to malicious URLs. Security researchers from Sucuri reported that hackers were continuously leveraging vulnerabilities in older WordPress versions or WordPress plugins by altering the Web sites’ main theme’s header.php file via 12 lines of obfuscated code to redirect users to malicious Web sites. In addition, Joomla Web sites were seen with a similar malicious code in the administrator/includes/help.php file. 

Qualcomm software flaw exposes Android user data. Security researchers from FireEye discovered Qualcomm Technologies, Inc., open source software package and devices running Android 5.0 Lollipop and earlier versions were plagued with an information disclosure vulnerability that could allow a malicious application to access user information as long as the application has the “ACCESS_NETWORK_STATE” permission. Qualcomm issued security updates patching the vulnerability. 

Adobe issues pre-patch advisory for Reader, Acrobat. Adobe issued a pre-patch advisory stating that it will release patches for its PDF Reader and Acrobat software products May 10, which will address critical vulnerabilities


Cisco patches serious flaws in FirePOWER, TelePresence. Cisco released software updates patching several vulnerabilities in its FirePOWER and TelePresence products including a critical vulnerability that allows a remote, unauthenticated attacker to bypass authentication and gain access to a targeted system, as well as several high severity denial-of-service (DoS) vulnerabilities that could allow a remote attacker to cause a system to stop inspecting and processing packets by sending a specially crafted packet. The company stated there was no evidence to suggest the exploits were used for malicious purposes.

Apple updates Xcode to patch Git vulnerabilities. Apple released Git version 2.7.4 and Xcode version 7.3.1, patching several remote code execution (RCE) vulnerabilities affecting Git versions 2.7.3 and earlier versions, after discovering attackers could exploit the flaws to push or clone a repository with a large file name or a large number of nested trees in Apple’s operating system (OS) X El Capitan. 

Exclusive: Big data breaches found at major email services – expert. The founder and chief information security officer of Hold Security reported that 273.3 million stolen accounts including users of, Google accounts, Yahoo accounts, and Microsoft accounts were being traded in Russia’s criminal underworld after the security firm discovered a Russian hacker, dubbed, “The Collector” was seen bragging in an online forum pertaining to the number of stolen credentials he collected and was prepared to sell. Many of the stolen username and passwords allegedly belong to employees in U.S. banking, manufacturing, and retail companies. 

Lost Door RAT promoted via Facebook and Google’s Blogspot. Security researchers from Trend Micro reported that a remote access trojan (RAT) named Lost Door is customizable and difficult to detect, posing a challenge to information technology (IT) administrators after researchers found the trojan leverages a router’s Port Forward feature to access the server of a private network and disguises malicious traffic or communication as normal traffic. Attackers can mask their command and control (C&C) addresses and evade network monitoring as the servers only connect to an internal router Internet Protocol (IP) address.


New York man pleads guilty to role in ATM skimming scam. A New York man pleaded guilty May 3 to Federal charges for his alleged role in a $709,000 ATM skimming scheme where the man installed skimming devices on ATMs at banks across Rhode Island in order to steal account information from 1,329 victims’ credit cards, and encoded the data onto counterfeit credit cards which were used to make fraudulent purchases. 

9 accused of losing investors $131M in ForceField Energy scheme. The U.S. Attorney’s Office for the Eastern District of New York announced May 3 charges against 9 stock promoters, brokers, and investor relations officials for defrauding investors into purchasing worthless ForceField Energy Inc., stock from December 2009 – April 2015 by secretly trading the stock in undisclosed accounts, inflating trading volume to create a false sense of demand, and concealing kickbacks to stock promoters and brokers, causing investors $131 million in losses. The U.S. Securities and Exchange Commission also filed related civil charges against the defendants. 

Attackers exploit critical ImageMagick vulnerability. Two security researchers discovered a remote code execution (RCE) vulnerability dubbed, “ImageTragick,” was leveraged in the wild and found in the open-source software, ImageMagick. Attackers could exploit the flaw to gain access to the victim’s server by creating an exploit file and assigning the file an image extension to bypass the security check, which tricks ImageMagick into converting the malicious file and activating the malicious code. 

Stored XSS bug affects all bbPress WordPress Forum versions. Automattic released the newest version of its WordPress forum plugin, bbPress 2.5.9, which patched a stored cross-site scripting (XSS) vulnerability after a security researcher from Sucuri found attackers could use the bbPress user mention (@username) system to store malicious code inside forum posts, allowing skilled attackers to craft malicious code to steal cookies from forum admins and impersonate them with elevated privileges on the WordPress backend.

MosQUito exploit stealing legitimate traffic from WordPress and Joomla Websites., Inc., published a list that revealed 9,285 Web sites were affected by a malicious campaign dubbed MosQUito after discovering that hackers were searching for Web sites where the jQuery JavaScript library was loaded and replacing it with a malicious PHP file, jQuery.min.php, to steal paid traffic from legitimate businesses and to redirect victims to another Web site controlled by the attacker.


Google patches 40 vulnerabilities in Android. Google released security updates for its Android operating system (OS) patching 40 vulnerabilities including a remote code execution (RCE) flaw in Mediaserver that could allow an attacker to execute code within the software, and a privilege escalation flaw in the Android debugger that could allow a malicious application to execute arbitrary code in the Android debugger or kernel, among other patched flaws.

Accellion patches flaws found during Facebook hack. The Computer Emergency Response Team (CERT) Coordination Center (CC) released an advisory addressing seven vulnerabilities in the Accellion File Transfer Appliance after a security consultant discovered that one of the flaws, an SQL injection caused by improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api,” could be leveraged to upload a web shell. Other vulnerabilities include three cross-site scripting (XSS) flaws and a number of local privilege escalation issues related to incorrect default permissions.

Millions of credentials exposed by PwnedList flaw. A security researcher discovered a parameter tampering vulnerability in a new PwnedList service called Vendor Security Monitoring which could allow an attacker to add any desired domain through a flaw in the service’s two-step authentication process and submit arbitrary data by tampering with the request. An attacker with an active PwnedList account can exploit the flaw to add the domain of any major company to generate a list of all compromised email accounts. 

Compromised RDP Servers used in corporate ransomware attacks. Researchers from Fox-IT discovered that attackers could disseminate ransomware through a compromised remote desktop server by using brute force attacks to infiltrate a remote desktop server connected to the Internet and using privilege escalation methods to obtain domain administrator status. Once an attacker infiltrates a system and gains administrative privileges, they can extract data, recruit the system into a botnet, deliver spam, and demand funds from a compromised company.


Man in $5M ATM ‘skimming’ ring pleads guilty. A Romanian man pleaded guilty April 29 to Federal charges for his role in a $5 million ATM skimming ring where he and co-conspirators allegedly installed skimming devices on ATMs at banks in New Jersey, New York, Connecticut, and Florida, and transferred the stolen data onto blank ATM cards which were used to withdraw funds from customers’ accounts. Officials stated that a total of 16 people were charged for their involvement and one suspect remains at large. 

Cleveland FBI asks for help identifying ‘breakdown lane bandit.’ FBI officials and local police departments in Cleveland are searching April 29 for a man dubbed the “BDL Bandit” who is suspected of committing three bank robberies in the Cleveland area since March, including a PNC Bank branch, a First Merit Bank branch, and a US Bank branch. Authorities stated that the suspect is armed and believed to have an accomplice. 

Police seeking Garfield bank robber who may be ‘Count Down Bandit.’ Authorities are searching for a man suspected of robbing an M&T Bank branch in Bergen County, New Jersey, April 28. Officials stated that the suspect is believed to be the “Count Down Bandit,” a man allegedly responsible for seven other bank robberies in Bergen and Passaic counties since July 2015. 

‘Baseball Hat Bandit:’ Guaranteed $1,000 reward to identify serial bank robber wearing different caps for slew of capers. Authorities offered a reward April 29 in exchange for information about a man dubbed the “Baseball Hat Bandit,” who is suspected of robbing five banks in King and Pierce counties in Washington.

Serious flaw found in “PL/SQL Developer” update system. Allround Automations released a new version of its PL/SQL Developer product after an application security consultant discovered that version 11.0.4, and earlier versions, used Hyper Text Transfer Protocol (HTTP) updates and did not validate the downloaded file’s authenticity, allowing a man-in-the-middle (MitM) attacker to replace the authentic Uniform Resource Locator (URL) with another URL that leads to a malicious file, as well as replace the download link with an arbitrary command that will execute in a user’s context during the PL/SQL Developer update process.

Microsoft adds Nano server to bug bounty program. Microsoft reported April 29 that it is offering large monetary rewards for vulnerabilities found in the Nano Server installation option of its Windows Server 2016 Technical Preview 5 and all subsequent releases, after stating that the product was ideal as a compute host for Hyper-V virtual machines, a storage host for Scale-Out File Server, a Domain Name System (DNS) server, and a host for cloud apps, and that, if infected, it could cause severe damage to each component.

Valve fixes Steam crypto bug that exposed passwords in plaintext. Valve updated its Steam gaming client after a security researcher found that the lack of a Message Authentication Code (MAC) in its application’s crypto package allowed an attacker to carry out man-in-the-middle (MitM) attacks, enabled victims to become Valve Anti-Cheat (VAC) banned, or potentially exposed users’ passwords in plaintext.

Decrypter for Alpha ransomware lets victims recover files for free. A team of security researchers discovered and decrypted a new ransomware version called Alpha ransomware, which demands targets pay $400 worth of iTunes gift cards to decrypt encrypted files. The ransomware uses AES-256 encryption to lock files, changes each file’s name with the .encrypted extension, adds a ransom note in text format in each folder, changes the target’s wallpaper, and deletes itself to avoid detection. Researchers found a weakness in the ransomware’s encryption routine and released a decrypter to help victims retrieve locked files.

Crooks deliver Android malware via Fake Google Chrome updates. Security researchers from Zscaler discovered that cyber criminals were distributing fake Google Chrome update packages disguised as Android application package (APK) files affecting Android users to steal a target’s credit card information, terminate the device’s antivirus software, monitor incoming and outgoing calls and Short Message Service (SMS) messages, as well as start or end calls, among other actions. Attackers were seen using large collections of domain names to host the malware, which were changed at regular intervals.

BPlug trojan hides in Chrome Extensions and Spams your Facebook friends. Security researchers from Dr. Web discovered that over 12,000 users were infected with the trojan named Trojan.BPlug.1074, or BPlug, after it was seen hiding in Google Chrome’s extensions and collecting a target’s Facebook user identifier (UID) and their cross-site request forgery (CSRF) token to execute actions on a Facebook user’s behalf. Attackers can send out malicious links disguised as YouTube videos to Facebook friends in an aim to increase the trojan’s infection.

Malware leverages Windows “God Mode” for persistency. Researchers from Intel Security reported that the malware dubbed “Dynamer” was abusing the Microsoft Windows Easter egg called “God Mode” to gain persistence on an infected machine by installing itself into a folder inside the %AppData% directory, creating a registry run key, and executing normally. Researchers advised affected users to terminate the malware’s process via Task Manager and run a specially crafted command from the command prompt.


Slack API credentials left in GitHub repos open new door for corporate hacking. Security researchers from Detectify Labs reported that companies in all industries may be at risk after finding that developers were leaving sensitive credentials inside open-sourced code following a scan on GitHub projects which revealed over 1,500 Slack access tokens were available online. The access tokens could allow attackers to access application program interfaces (APIs) and harvest user data, view Slack channel conversations, group information, private messages, and automate the use of Slack’s search feature. 

Google and Mozilla address security issues in Chrome 50 and Firefox 46. Google released its newest web browser, Chrome 50.0.2661.94, which patched nine security flaws including two use-after-free vulnerabilities, one vulnerability in the Blink engine’s V8 bindings, and one vulnerability in the browser’s extensions component, among other patched flaws.

Microsoft patches Office 365 platform against SAML exploit. Microsoft released a temporary patch for its Security Assertion Markup Language (SAML) Service Provider implementation used for its Office 365 platform after two security researchers found the product had an authentication bypass vulnerability that allowed attackers to authenticate themselves on a service and access users’ data on all shared domains. Microsoft was working to release a permanent patch.

OpenSSL to patch high severity vulnerabilities. The OpenSSL Project reported that it will release OpenSSL versions 1.0.2h and 1.0.1t May 3 to patch several flaws affecting the crypto library as well as flaws rated as high-severity vulnerabilities. 

Pentagon working to ‘take out’ Islamic State’s internet. Pentagon officials reported April 28 that the U.S. military’s Cyber Command (CYBERCOM) was working to destroy the Islamic State’s Internet connection and leave the terrorist group in virtual isolation by interrupting the Islamic State’s command and control (C&C), interrupting the group’s ability to move funds, and interrupting the group’s ability to recruit externally, among other actions. The task will be the command’s first major combat operation in relation to the Islamic State threat.