Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers.
ATM and Gas pump skimming information.
‘Baggy Eyes Bandit’ sought in 4-county bank robbery spree. The FBI is searching August 20 for a man dubbed the “Baggy Eyes Bandit” who is suspected of committing 5 bank robberies and 1 attempted robbery at Citibank branches in Los Angeles, San Bernardino, Orange, and Riverside counties since February.
GnuPG project fixes “critical security problem” that existed since 1998. The GnuPG project patched a critical security problem affecting the mixing function in the random number generator (RNG) used for Libgcrypt in all GnuPG (Gnu Privacy Guard) versions released since 1998 after researchers from the Karlsruhe Institute of Technology discovered that an attacker who can obtain 4640 bits from the RNG can predict the next 160 bits of output. Researchers advised all users to update their software to the latest version to avoid the problem.
Around four in five DNSSEC servers can be hijacked for DDoS attacks. Security researchers from Neustar reported that 80 percent of Domain Name System Security Extensions (DNSSEC) servers have been improperly configured and contain vulnerabilities that could allow an attacker to reflect and amplify distributed denial-of-service (DDoS) attacks. Researchers found that attackers were sending DNSSEC requests for a signed domain using the ANY query type in order to force the DNSSEC server to gather all the Domain Name System (DNS) information about that domain and respond to the query with its digital signature attached, thereby sending junk traffic to the victim’s Internet Protocol (IP) address.
Rex Linux trojan can launch DDoS attacks, lock websites, mine for cryptocurrency. Stormshield and Dr. Web researchers discovered that a Linux trojan, dubbed Rex, received updates that allow the trojan to infect more content management system (CMS) platforms than before, operate via an advanced peer-to-peer (P2P)-based botnet, launch distributed denial-of-service (DDoS) attacks, mine for cryptocurrency on infected hosts, and self-propagate to other vulnerable devices or servers on the local network. Researchers also found the trojan can affect Drupal, WordPress, and Magento, among other sites, and can be used to threaten other Webmasters with DDoS attacks unless a ransom fee is paid with Bitcoin, as well as to distribute spam messages.
UAC bypass with elevated privileges works on all Windows versions. An enSilo security researcher discovered a method to bypass the Microsoft Windows User Account Control (UAC) mechanism in all supported Windows versions where malicious actors can use modified environment variables, including the user’s current username and PC’s domain, among other details, to create malicious child processes under a legitimate app and carry out attacks with elevated privileges, as Windows UAC trusts the app’s execution and will not display a warning due to the app’s high privileges. The researcher found the flaw can be exploited to load malicious dynamic link libraries (DLLs) on the system if an attacker creates a copy of the C:\Windows folder and modifies the system-wide environment variable to point to the wrong Windows operating system (OS) folder.
FBI searching for ‘Taxicab Bandit’ wanted in bank robberies. The FBI is searching August 18 for a man dubbed the “Taxicab Bandit” who is suspected of robbing a BestBank branch in Decatur, Georgia, 2 times since the week of August 8 and other DeKalb County banks.
‘Audi Bandit’ sought in string of Bay Area bank robberies. The FBI is searching August 18 for a man dubbed the “Audi Bandit” who is suspected of robbing at least 3 San Francisco Bay Area banks since May, including a Fremont Bank branch in Livermore and a Wells Fargo Bank branch in Pleasanton in June.
Flaws in smart sockets expose networks to remote attacks. Bitdefender researchers reported that a popular brand of smart electrical sockets is plagued with serious vulnerabilities that could be exploited by a remote attacker who knows the device’s media access control (MAC) address and default password to take control of the device, make configuration changes, and obtain user information. Researchers found that the socket’s hotspot is protected by default credentials and users are not advised to strengthen them, that the mobile app transfers Wi-Fi credentials in clear text, which could allow an attacker to intercept the information, and that communications between the device and application go through the manufacturer’s server without being encrypted, among other flaws. Researchers stated a patch for the flaws is expected to be released in the third quarter of 2016.
Global phishing numbers rise as hosting firms fail to respond. Cyren released its Cyberthreat Report that analyzed global phishing operations and found that the total number of malicious phishing Uniform Resource Locators (URLs) spread on the Internet increased by 14 percent in quarter 2 of 2016 to 4.44 million, and revealed that 20 percent of all phishing pages disappear after 3 hours, with only 40 percent of all pages lasting more than 2 days. The report also states that Google Chrome and Mozilla Firefox are the quickest to identify phishing pages and malicious sites: Chrome detected 73.9 percent of phishing pages within 48 hours and Firefox marked 52.2 percent of the sites.
Locky ransomware reverts to malicious macros. FireEye researchers discovered that the Locky ransomware reverted to using Microsoft Office documents embedded with malicious macros to distribute the malware to individuals and organizations in the health care, telecommunications, and transportation industries. Researchers reported that the DOCM files install the ransomware onto a victim’s device once the malicious macros are enabled.
Thousands stolen with ATM skimmers in St. Paul. Authorities are searching August 17 for a group suspected of stealing tens of thousands of dollars from more than 100 people in St. Paul, Minnesota, after installing skimming devices on 2 ATMs at a Bremer Bank branch and a Top Line Federal Credit Union branch in St. Paul.
Cisco patches critical flaws in Firepower Management Center. Cisco released patches for its Firepower Management Center to address several flaws in the appliance’s Web-based graphical user interface (GUI), including a medium-severity cross-site scripting (XSS) flaw, a critical vulnerability that could allow an authenticated attacker to remotely execute arbitrary commands on a device with root-level privileges, and a flaw that could allow an authenticated attacker to elevate user account privileges due to insufficient authorization checking in the Firepower Management Center and the Cisco ASA 5500-X series with select versions of FirePOWER Services. Cisco researchers stated there is no evidence the flaws have been exploited in the wild.
Cisco patches zero-day included in Shadow Brokers leak. Cisco released security patches after The Shadow Brokers, a group selling hacking tools stolen from the Equation Group, leaked tools that contain exploits for two vulnerabilities, one of which is a zero-day vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software that can allow an unauthenticated attacker to cause a reboot of affected products and lead to remote code execution (RCE). Cisco researchers found that the exploits also leverage a vulnerability in the command-line interface (CLI) parser of ASA software that could allow an authenticated, local attacker to execute arbitrary code on the device or create a denial-of-service (DoS) condition.
WordPress plugin hijacks websites to show payday loan ads. Wordfence researchers discovered the authors of the 404 to 301 WordPress plugin were hijacking the content of other Web sites by adding code to the original Web site in order to show search engine optimization (SEO) spam on a site’s homepage and to display ads for payday loan services. The plugin authors removed the code responsible for delivering the ads and researchers stated version 2.3.0 is safe to use.
Adwind RAT rebrands yet again, this time as JBifrost. Fortinet researchers discovered that the criminal group behind the Adwind remote access trojan (RAT) rebranded the malware as JBifrost and updated the malware to include a new column that shows an infected system’s keyboard status, a column that shows the title of the victim’s current window, a new feature that enables attackers to steal data from Web forms displayed in the Google Chrome browser, and a new tab called Misc that enables users to configure additional JBifrost servers. Researchers also found that JBifrost only accepts Bitcoin and that the RAT’s Web site now requires an invitation code to register and purchase the malware.
N.J. woman stole $89K in credit card scheme, cops say. A former accountant at Forever Collectibles in Somerset, New Jersey, was charged August 16 for her role in an $89,000 credit card fraud scheme where she and a co-conspirator allegedly put the refunds from customers’ returned items onto her family and friends’ credit cards instead of the customers’ cards between March and December 2015.
Vawtrak banking trojan uses SSL pinning, DGA. Fidelis security researchers discovered that a new version of the Vawtrak banking trojan includes a domain generation algorithm (DGA) that generates .ru domains using a pseudorandom number generator (PRNG) in the trojan’s loader, uses Hypertext Transfer Protocol Secure (HTTPS) to protect command and control (C&C) communications, and leverages certificate pinning, or secure sockets layer (SSL) pinning, that helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications. Researchers stated the trojan conducts checks based on the Common Name to identify the domain names associated with the certificate, and uses a public key from the initial inject carried out by the malware loader in order to ensure that no other certificates are accepted.
Backdoor abuses TeamViewer to spy on victims. Dr. Web security researchers discovered a backdoor trojan, dubbed BackDoor.TeamViewerENT.1 and distributed under the name “Spy-Agent”, was installing legitimate TeamViewer components on a compromised device to spy on victims in the U.S., Europe, and Russia, steal victims’ personal information, and install other malicious programs on a device. Researchers found that the trojan disables error messaging for the TeamViewer process, changes the attributes of its files and the TeamViewer files to “system,” “hidden,” and “read only”, and kills the TeamViewer process if the Microsoft Windows Task Manager or Process Explorer are detected in order to hide its presence on an infected device.
User data leaked from analytics company Social Blade. Social Blade, a data provider for YouTube, Twitch, and Instagram accounts, confirmed that its Website and forum were hacked in August after LeakedSource researchers discovered that the details of 13,009 of the forum’s users and 273,806 of the Website’s users’ details were leaked, including email addresses, usernames, password hashes, and Internet Protocol (IP) addresses, among other information, after a malicious actor obtained a partial database dump by exploiting a vulnerability in the forum software. Social Blade reset all user passwords and shut down its forum.
Chrome and Firefox attacked by simple URL spoofing bug that facilitates phishing. A security researcher discovered a flaw affecting security features in Google Chrome and Mozilla Firefox that can be exploited to spoof Uniform Resource Locators (URLs) in the browser address bar after finding that Web browsers handle URLs written with mixed right-to-left (RTL) (Arabic) and left-to-right (LTR) (Roman) characters incorrectly, which confuses the browsers and forces them to switch parts of the URL, thereby tricking the user into thinking that they are accessing a different Website than the one they are on. The researcher stated a hacker running a phishing site can add a few Arabic characters onto a server’s Internet Protocol (IP) address to change the apparent domain of a legitimate Website and embed this URL in a spam email, short message service (SMS), or instant messaging (IM) message in order to redirect a user to the malicious actor’s server.
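The item above describes URLs whose byte order and display order differ because they mix right-to-left characters or bidirectional control characters with an ordinary host or IP address. The following check, added here as an example and not part of the original alert or the researcher's work, is the defender-side counterpart: it flags any URL (for instance one extracted from an incoming email or SMS by a mail filter) that contains bidi control characters or strong right-to-left characters in its host, path, query or fragment, and produces an escaped form that is safe to show in a log or alert. The sample URLs and the function names are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode bidirectional control characters. Any of these in a URL can make the
# rendered address differ from the order in which the bytes actually appear.
BIDI_CONTROLS = {
    "\u061c": "ARABIC LETTER MARK",
    "\u200e": "LEFT-TO-RIGHT MARK",
    "\u200f": "RIGHT-TO-LEFT MARK",
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}


def _is_rtl(ch):
    """True for characters whose Unicode bidi class is strong right-to-left
    (R = Hebrew and similar scripts, AL = Arabic letters)."""
    return unicodedata.bidirectional(ch) in ("R", "AL")


def bidi_findings(url):
    """Return a list of (component, index, codepoint, reason) tuples, one for
    every character that could reorder how the URL is displayed.
    An empty list means the URL renders in the same order it is written."""
    parts = urlsplit(url)
    components = (
        ("host", parts.hostname or ""),
        ("path", parts.path),
        ("query", parts.query),
        ("fragment", parts.fragment),
    )
    findings = []
    for name, text in components:
        for i, ch in enumerate(text):
            if ch in BIDI_CONTROLS:
                findings.append((name, i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
            elif _is_rtl(ch):
                findings.append((name, i, f"U+{ord(ch):04X}", "strong right-to-left character"))
    return findings


def is_suspicious(url):
    """Decision helper for a mail or message filter: quarantine or annotate
    the message when the URL carries any bidi-reordering character."""
    return bool(bidi_findings(url))


def escape_for_display(url):
    """Replace every reordering character by its \\uXXXX escape so that an
    analyst reading a log sees the URL in true byte order."""
    return "".join(
        f"\\u{ord(ch):04x}" if (ch in BIDI_CONTROLS or _is_rtl(ch)) else ch
        for ch in url
    )


if __name__ == "__main__":
    # Constructed samples: a benign URL and one that appends Arabic letters to
    # a literal IP address, the pattern the alert describes.
    for sample in ("https://example.com/login",
                   "http://192.0.2.1/\u0627\u0644\u0628\u0646\u0643/example.com"):
        print(escape_for_display(sample), "->", "SUSPICIOUS" if is_suspicious(sample) else "ok",
              bidi_findings(sample))
```

The check is deliberately strict: it flags any RTL text, not only the mixed case, because a bank's outbound alerts and most customer-facing links are ASCII, so a false positive costs one manual review while a miss costs a credential. A filter for an audience that legitimately uses Arabic or Hebrew domains would instead only flag RTL characters when the host component is pure ASCII.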
‘Bearded Bandit’ bank robbery suspect arrested in San Francisco. FBI officials reported August 15 that a man dubbed the “Dreaded Bandit” was arrested in San Francisco August 12 after he allegedly committed 4 bank robberies in the San Francisco Bay Area since April.
FalseCONNECT vulnerability affects software from Apple, Microsoft, Oracle, more. A security researcher discovered a flaw in how applications from several vendors respond to Hypertext Transfer Protocol (HTTP) CONNECT requests via HTTP/1.0 407 Proxy Authentication Required responses which could allow an attacker with a foothold in a compromised network and the ability to listen to proxy traffic to detect HTTP CONNECT requests sent to the local proxy and issue a 407 Proxy Authentication Required response where the user must input a password to access a specific service and then authenticate, thereby sending the response to the malicious actor. Researchers stated that WebKit-based clients including Google Chrome, Apple’s iTunes, and Google Drive, among others, are most vulnerable to the attack.
Windows script files used to deliver Locky ransomware. Researchers from Trend Micro warned that a Locky ransomware variant was being delivered to targeted organizations using Microsoft Windows script (WSF) files in order to download any malware payload and to make detection more difficult, as WSF files are not engine-specific, contain more than one scripting language, and are not monitored by typical endpoint security solutions, thereby increasing the chances of bypassing sandboxes and blacklisting technologies. Researchers stated the cybercriminals were targeting companies and that the files delivering Locky were compressed in ZIP archives and attached to emails with business-related subject lines.
RI State police following trail left by ATM skimming crime ring. Rhode Island police are searching August 12 for a group suspected of installing skimming devices on at least 4 ATMs across Rhode Island since June and using the stolen information to make large cash withdrawals from ATMs at other area banks.
Sharp increase in malware utilizing SSL. Blue Coat released a report revealing that the number of malware samples employing secure sockets layer (SSL) increased from 500 samples per month to 29,000 over a 2 month period, and the number of active command and control (C&C) servers that used SSL-protected connections to communicate with their bots increased from 1,000 servers in quarter 1 of 2015 to 200,000 servers in quarter 2, after the security firm analyzed the detections and infrastructure of common malware families known to implement SSL for protection, and cyber-criminal activity from January 2014 – December 2015.
New FSS Rowhammer attack hijacks Linux VMs. Researchers from the Vrije University in the Netherlands discovered a new version of the Rowhammer attack, dubbed Flip Feng Shui (FSS), which works in conjunction with memory deduplication and is capable of compromising the memory of shared Linux-based virtual machines (VMs) used for cloud hosting services, and could allow an attacker to gain control of a victim’s accounts despite the absence of software vulnerabilities if the malicious attacker buys access to cloud services co-hosted with the victim. Researchers discovered the flaw is in the cryptographic software and stated the attack can be used in multiple other forms and applications in the software stack.
New Windows trojan steals enterprise data and Microsoft Office files. Security researchers from Bleeping Computer discovered malicious actors were distributing a new type of infostealer trojan as a file, dubbed Aug_1st_java.exe that disguises itself as the process of the Google Chrome browser and targets 11 file types specific to enterprise environments, including extensions associated with Microsoft Office applications in order to gather information about the computer, including the username, version of Windows, and a list of currently installed applications, among other data, and then directs and uploads the files to its command and control (C&C) server via the Microsoft Message Queuing (MSMQ) protocol. Researchers also found that the infostealer trojan modifies the Windows Registry after installation in order to gain the ability to run automatically when the victim reboots their computer.
Police bust identity theft scheme that netted $650K. Two Houston residents were arrested August 11 for their roles in a more than $650,000 credit card fraud scheme where the duo and another co-conspirator allegedly used 2 southwest Houston businesses, Lagos Island Café and Lace Warehouse and African Fashions, to steal the identities of at least 12 customers in order to apply for and obtain 116 credit cards from 8 different Houston-area financial institutions. The charges allege that one of the co-conspirators ran the credit cards under a fraudulent business name, Sleek Auto Sales and deposited the funds into a personal bank account.
Locky ransomware uses vulnerable PHP forms for spam distribution. Researchers from Cisco’s OpenDNS team discovered that the group behind the Locky ransomware is leveraging security flaws in a PHP: Hypertext Preprocessor (PHP)-based Web-to-email service that allow the cybercriminals to brute-force the Web form and make it send a message with the Locky payload attached to any email address, due to a vulnerability in a PHP contact form script. Researchers advised users to update their PHP Web-to-email form to the latest version to fix the problem.
Microsoft patches flaw related to “malicious butler” attack. Microsoft released a patch addressing a serious Windows authentication bypass vulnerability, dubbed a “remote malicious butler” attack after researchers discovered the flaw can be leveraged remotely to bypass authentication on the Windows login screen, and found that in a patched version of Windows, a device’s password could be changed if the rogue domain controller was disconnected in the middle of the password reset process. Researchers stated the patch addresses both the local evil maid attack and the remote butler version of the attack.
SEC charges former professional football player with running $10 million fraud. The U.S. Securities and Exchange Commission charged Cavalier Union Investments LLC and its 2 co-owners August 10 for running a $10 million investment fraud scheme where the duo allegedly misled investors about the unregistered debt securities they sold and convinced investors that the company’s investment funds were operated by experienced advisers in order to divert nearly $6 million of the investors’ funds to pay for personal expenses and to repay earlier investors. Officials also announced parallel criminal charges against one of the company’s owners for his role in the scheme.
Linux flaw allows attackers to hijack web connections. Researchers from the University of California at Riverside and the U.S. Army Research Laboratory discovered a vulnerability affecting the Transmission Control Protocol (TCP) specification as implemented in the Linux kernel that could be leveraged to intercept TCP-based connections between two hosts on the Internet, to track users’ activity, terminate connections, and inject arbitrary data into a connection, after an off-path attacker deduced the sequence numbers that identify TCP data packets exchanged between hosts using the Internet Protocol (IP) addresses of the targeted communicating devices. Developers of various Linux distributions were working to fix the security hole.
Chrome, Firefox, and IE browser hijacker distributed via legitimate software. Intel McAfee security researchers discovered recent versions of the Bing.vc malware were being delivered to Google Chrome, Mozilla Firefox, and Microsoft’s Internet Explorer via legitimate-looking applications distributed by Lavians Inc., in order to take over the browser’s homepage, insert ads into visited sites, and redirect all users to Bing.vc in an attempt to sell victims an expensive utility to fix the browser hijacking problem. Researchers stated users must remove the registry keys or use an automated PC clean-up utility, as well as clean the shortcuts for each browser, in order to clear the malware from an infected app.
Secure Boot vulnerability exposes Windows devices to attacks. Two researchers, dubbed MY123 and Slipstream discovered the new type of Secure Boot policy introduced in the Microsoft Windows 10 Anniversary Update, v1607, can be exploited to bypass the security feature and install rootkits and bootkits on Windows devices after finding that the new supplemental policies are loaded by the boot manager without being properly checked and can be used to enable “test-signing,” a feature that allows an attacker to bypass Secure Boot and load the malware once it is activated. Researchers stated the attack can only be carried out by an attacker with admin privileges or physical access to the targeted device and Microsoft was working to release a patch for the issue.
Brea man pleads guilty in $9 million mortgage modification scheme. The former owner and operator of California-based Rodis Law Group pleaded guilty August 9 for his role in a $9 million fraudulent mortgage modification scheme where he and co-conspirators convinced over 1,500 struggling homeowners to pay for fraudulent services from the Rodis Law Group by falsely claiming the firm consisted of a team of attorneys experienced in negotiating lower principal balances and interest rates on mortgage loans, among other misrepresentations, from October 2008 – June 2009. Two other co-conspirators have pleaded guilty for their roles in the scheme.
Data of nearly 2 million users exposed in Dota2 forum hack. Researchers from LeakedSource reported that the Dota2 official developers forum was breached July 10 after hackers stole the usernames, email addresses, user identifiers, passwords, and IP addresses of nearly 2 million of the forum’s users; the passwords were hashed and salted with the MD5 algorithm. Forum administrators patched the vulnerability and reset all user account passwords.
Microsoft patches flaws in Windows, Office, browsers. Microsoft released 9 security bulletins patching a total of 27 important and critical vulnerabilities including 9 critical vulnerabilities in Internet Explorer and 8 critical flaws in Edge that can be exploited for remote code execution and information disclosure by tricking a targeted user into visiting a malicious Website, remote code execution issues in Windows, Office, Skype for Business and Lync caused by the way Windows font library handles specially crafted embedded fonts, and critical flaws in Office that can be leveraged for remote code execution if a victim opens a malicious file, among other vulnerabilities.
Juniper starts fixing IPv6 processing vulnerability. Juniper Networks released hotfixes for its JUNOSe F3 and F2 products resolving a vulnerability in its JUNOSe and Junos routers after Cisco researchers discovered the flaw can be exploited to cause a denial-of-service (DoS) condition by sending a flood of specially crafted IPv6 Neighbor Discovery (ND) packets from non-link-local sources to affected devices in order to fill up the packet processing queue and cause legitimate IPv6 ND packets to drop. The company was working to release patches for the issue.
Researchers hide malware inside digitally signed files without breaking hashes. Security researchers from Deep Instinct discovered attackers could inject malware inside a digitally signed binary without affecting the overall file hash after finding that Microsoft Windows does not include three fields from a file’s Portable Executable (PE) headers during the file hash validation process and that modifying these fields does not break the certificate’s validity, allowing the malicious files to avoid detection by security and antivirus software. Researchers stated the technique does not require attackers to hide the malicious code via packers and bypasses any secondary checks of security software.
Go-based Linux trojan used for cryptocurrency mining. Doctor Web researchers reported that a new Linux trojan, dubbed Linux.Lady.1, allows hackers to earn a profit by exploiting infected systems for cryptocurrency mining after finding that the trojan collects information on an infected machine, including the operating system, central processing units (CPUs), and processes, and sends the harvested data back to a command and control (C&C) server, which then provides a configuration file for downloading a cryptocurrency mining application designed for Monero (XMR) mining. Researchers also found the trojan is capable of spreading to other Linux computers on an infected network by connecting to remote hosts over port 6379 without a password and downloading a script from a specified Uniform Resource Locator (URL) which is responsible for downloading and installing a copy of the trojan.
Vulnerabilities found in several Fortinet products. Vulnerability Lab released the details of several flaws affecting the Web interface of the Fortinet FortiManager and FortiAnalyzer security management and reporting appliances, including a vulnerability that can be exploited by a remote attacker with access to a low-privileged user account to inject arbitrary code into the application if a victim clicks on a link or visits a Webpage containing the malicious code, a filter bypass issue, and multiple persistent cross-site scripting (XSS) flaws in the FortiVoice enterprise phone systems that can be exploited by a remote, authenticated attacker, among other security flaws. Fortinet released patches for all of the vulnerabilities and advised users to update their Fortinet product installations.
Serious flaws found in Netgear, NUUO network video recorders. U.S. Computer Emergency Readiness Team (CERT) Coordination Center researchers warned that select network video recorders from NUUO Inc., and Netgear, Inc., were plagued by seven vulnerabilities including two input validation issues that could allow unauthenticated attackers to execute arbitrary code with root or admin privileges, an information disclosure bug that could allow a remote, unauthenticated attacker to view details on system processes, available memory and filesystem status by accessing a hidden page with a hardcoded username and password, and two flaws that can be leveraged to carry out arbitrary operating system (OS) commands and arbitrary code by any remote attacker who obtains admin privileges, among other flaws.
Midwest Bank officials, FDIC in settlement for $26.5 million over loans. The Federal Deposit Insurance Corporation announced August 5 that 18 former Midwest Bank officers and directors agreed to pay a total of $26.5 million to settle charges alleging that the officers’ negligence in lending over $100 million to 6 risky borrowers from 2005 – 2008 without properly analyzing the borrowers’ creditworthiness caused the bank over $128 million in losses.
New ATM hacking method uses stolen EMV card data. Rapid7 researchers discovered that Europay, Mastercard, and Visa (EMV) cards are susceptible to fraudulent transactions after finding that an attacker could insert a shimming device into the card slot of a point-of-sale (PoS) system to intercept and capture card data, which is then remotely sent to another device, dubbed “La-Cara.” La-Cara feeds the stolen transaction data to the targeted ATM, thereby allowing the fraudsters to withdraw up to $50,000 from the victim’s card.
Remote Butler attack; APT groups’ dream come true. Microsoft security researchers developed an extension of the “Evil Maid” attack dubbed “Remote Butler” which allows attackers to bypass local Windows authentication to defeat full disk encryption without physical access to the targeted device. A patch released by Microsoft for the “Evil Maid” attack also prevents attackers from carrying out a “Remote Butler” attack.
Cerber ransomware v2 spotted online, is now undecryptable. Trend Micro researcher PanicAll discovered that the Cerber ransomware was updated in versions v1.5 and v2 to break a previous decryption tool that allowed users to recover their hacked files for free. The updates changed the extension added at the end of each encrypted file from “.cerber” to “.cerber2,” and extended encryption keys generated by CryptGenRandom Microsoft application programming interface (API) from 16 bytes to 32 bytes, among other updates.
Linux botnets dominate the DDoS landscape. Kaspersky Lab released its distributed denial-of-service (DDoS) Intelligence Report which reported that Linux botnets accounted for 70.2 percent of all DDoS attacks initiated during quarter 2 (Q2) of 2016, while only 44.5 percent of DDoS attacks were carried out by Linux botnets in quarter 1. The report also stated that SYN DDoS attacks were the most popular method for DDoS attacks during Q2, followed by Transmission Control Protocol (TCP), Hypertext Transfer Protocol (HTTP), and Internet Control Message Protocol (ICMP) floods.
New Remcos RAT available for purchase on underground hacking forums. Symantec researchers reported that a malware developer dubbed Viotto posted the Remcos Remote Access Trojan (RAT), targeting Microsoft Windows versions XP and higher, for sale on underground hacking forums; the RAT gives hackers the ability to take screenshots of infected computers, log keystrokes offline or in real time, and record content via the infected device’s camera, among other malicious actions, and sends the stolen data encrypted via Hypertext Transfer Protocol Secure (HTTPS) to the command and control (C&C) server. Researchers also discovered the trojan can queue operations to be carried out when the victim goes online and includes a password dumping component that can dump passwords from applications like Microsoft’s Internet Explorer, Mozilla Firefox, and Apple Inc.’s Safari, among others.
VMware Tools flaw allowed code execution via DLL hijacking. VMware published an advisory describing two vulnerabilities in several of its products, including a dynamic-link library (DLL) hijacking issue in the Windows version of VMware Tools related to the VMware Host Guest Client Redirector component that could be exploited to execute arbitrary code on a targeted system: when a document is opened from a uniform naming convention (UNC) path, the Client Redirector injects a DLL named “vmhgfs.dll” into the application that opens the file, allowing an attacker to load a malicious DLL into the application and compromise the system. The second vulnerability is a Hypertext Transfer Protocol (HTTP) header injection issue in vCenter Server and ESXi caused by a lack of input validation that could allow a hacker to launch cross-site scripting (XSS) or malicious redirect attacks.
Federal court permanently bars Maryland tax preparer from preparing federal tax returns. The U.S. District Court for the District of Maryland announced August 3 that the owner and operator of 6 Liberty Tax franchises in Baltimore has been permanently barred from preparing Federal tax returns after she allegedly filed 1,222 fraudulent tax returns that reported false household help incomes, among other fraudulent claims, and intentionally omitted Social Security Income and Wage and Tax Statement income. The charges also allege that the tax preparer kept each refund as a fee and paid customers a $50 cash payment as part of Liberty Tax’s “Cash-in-a-Flash” promotion.
58% of orgs have no controls in place to prevent insider threats. Veriato and other firms released the Insider Threat Spotlight Report which found that nearly half of the 500 cybersecurity professionals surveyed experienced an increase in insider attacks since 2015, 58 percent of organizations lack appropriate control to prevent insider attacks, and 44 percent of those surveyed were unaware if their organization had experienced an insider attack. The survey also found that the endpoint is the most common point for a malicious actor to launch an insider attack, followed by mobile devices.
Venmo fixes hole that allowed attackers to steal $2,999.99 per week using Siri. Venmo patched an attack vector in its digital wallet service after a security researcher discovered attackers could exploit design flaws in Venmo and Apple’s iPhone operating system (iOS) to approve roughly $3,000 a week in money requests if a malicious actor had physical access to a victim’s iPhone by instructing Siri to send a message to a Venmo five-digit phone number on an iOS device that would handle the payment request instead of showing app notifications to the user. Venmo removed the Short Message Service (SMS) “reply-to-pay” functionality, as well as other smaller patches that made the service vulnerable to similar attacks.
Washington Twp. TD Bank teller admits to $600K scam. A former teller at a TD Bank branch in Washington Township, New Jersey, pleaded guilty to Federal charges August 2 after she embezzled $608,000 from 8 bank customers between 2014 and 2015 by transferring money from dormant checking accounts into personal bank accounts or by obtaining cashier’s checks issued in her name. Officials stated the former teller used the stolen funds for personal use.
Critical flaws found in Cisco small business routers. Cisco released patches for its small business RV series routers after researchers discovered a critical flaw affecting the Web interface that allows remote, unauthenticated attackers to execute arbitrary code with root privileges, a high severity flaw that can be exploited remotely to perform a directory traversal and access arbitrary files on the system, and a medium severity command shell injection flaw that could allow a local attacker to inject arbitrary shell commands that are then executed by the device, among other vulnerabilities.
Google patches 10 vulnerabilities in Chrome 52. Google released an update for Chrome 52 resolving 10 security vulnerabilities after third-party developers discovered 4 high risk flaws affecting the Web browser including an address bar spoofing flaw, a use-after-free bug in Blink, and heap overflow bugs in pdfium, as well as 3 medium risk bugs including a same origin bypass for images in Blink, and parameter sanitization failure bugs in DevTools.
Four high-profile vulnerabilities in HTTP/2 revealed. Imperva released a report at the Black Hat USA 2016 conference documenting four high-profile vulnerabilities in Hypertext Transfer Protocol (HTTP)/2 after researchers from the Imperva Defense Center found an HPACK Bomb attack resembling a zip bomb, a dependency cycle attack that takes advantage of HTTP/2’s flow control mechanisms for network optimization, stream multiplexing abuse that results in denial-of-service to legitimate users, and Slow Read attacks in server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The vendors of the HTTP/2 protocol mechanisms released patches for the issues.
Police: ATM skimming device used to steal $110k. Rhode Island police are investigating August 2 after a card-skimming device was found on an ATM at the Navigant Credit Union in Cumberland August 1 and the skimmed payment information was used to steal more than $110,000 from ATMs across the State.
2 Detroit men busted in Alabama with 177 stolen identities. Two Detroit, Michigan residents were arrested in the Birmingham, Alabama, area July 28 after authorities found 177 stolen identities from over 25 banks in the duo’s possession.
36,000 SAP systems exposed online, most open to attacks. ERPScan released a comprehensive SAP Cybersecurity Threat Report which revealed the average number of security patches for SAP products per year has decreased, while the number of vulnerable platforms has increased and now includes modern cloud and mobile technologies such as HANA. The report also found that SAP’s Customer Relationship Management (CRM), Enterprise Portal (EP), and Supplier Relationship Management (SRM) products are most vulnerable to flaws, and that the U.S. is one of the three countries with the most exposed services, among other findings.
Google SEO trick leads users to online scam, CryptMIC ransomware. Researchers from Malwarebytes discovered an active campaign where malicious actors were abusing Google search featured snippets to show links to compromised Websites and redirect users to online stores selling product keys for Microsoft Office or hosting the Neutrino exploit kits (EK), which would in turn infect the user’s device with the CryptMIC ransomware. Researchers found the attackers could also actively search for third-party Websites listed in featured snippets that run vulnerable content management systems (CMSs), and hack the sites to deliver the ransomware.
Google patches tens of critical vulnerabilities in Android. Google released security patches for the Android operating system (OS) resolving 81 vulnerabilities including 3 remote code execution (RCE) flaws, 4 Elevation of Privilege (EoP) bugs, and 4 denial-of-service (DoS) flaws in Mediaserver, a DoS issue in system clock, and an RCE flaw in libjhead, among other vulnerabilities.
‘Flip-Flop’ bandit wanted in NC bank robberies captured in GA. The FBI announced August 1 that a man dubbed the “Flip-Flop Bandit” was arrested July 29 after robbing a bank in Pooler, Georgia, and multiple others in North Carolina, Tennessee, Oklahoma, and Arkansas.
Feds: Tips led to capture of ‘North Center Bandit.’ A man dubbed the “North Center Bandit” was arrested July 29 after he allegedly robbed a Chase Bank branch in Chicago June 8 and four other North Side banks since October 2015.
Windows flaw reveals Microsoft account passwords, VPN credentials. Researchers discovered an exploit affecting the way Microsoft Windows handles old authentication procedures for shared network resources where an attacker could embed a disguised link to a server message block (SMB) resource inside a Webpage or an email viewed via Outlook that sends the victim’s login credentials to authenticate on the malicious actor’s domain once the user accesses the link via Internet Explorer, Edge, or Outlook. The exploit gives the hacker access to the user’s Microsoft username, virtual private network (VPN) credentials, or password, which is leaked as an NT LAN Manager (NTLM) hash.
Data of 200 million Yahoo users pops up for sale on the Dark Web. Yahoo is investigating a potential data breach after cyber-criminal Peace_of_Mind (Peace) published a listing on TheRealDeal Dark Web marketplace that reportedly offers data on over 200 million Yahoo users for 3 bitcoin, or approximately $1,800, including usernames, MD5-hashed passwords, dates of birth for all users, and in some cases, backup email addresses, country of origin, and ZIP codes for U.S. users.
Trojan in 155 Google Play Android apps affects 2.8 million users. Security researchers from Dr. Web discovered a new variant of the Android.Spy family trojan, dubbed Android.Spy.305, was plaguing 155 Android apps on the official Google Play Store and affecting over 2.8 million users by collecting data about the user’s device, including the email address connected to their Google user account, the name of the app the trojan leverages for distribution, and the developer ID and software development kit (SDK) version, among other details, in order to deliver ads. Google released a list of all the apps potentially impacted by the trojan.
SSL flaw in Intel Crosswalk exposes apps to MitM attacks. Intel released updates for its Crosswalk framework after security researchers from Nightwatch Cybersecurity discovered a serious vulnerability in the Crosswalk Project library that allows malicious actors to launch man-in-the-middle (MitM) attacks and capture sensitive information transmitted by the app after finding that when a user makes a network request and accepts the initial error message displayed by the app if an invalid Secure Socket Layer (SSL) certificate is found, the app accepts all future SSL certificates without validation even when connections are made via different WiFi hotspots and different certificates.
Major cyber-crime campaign switches from CryptXXX to Locky ransomware. Researchers from Palo Alto Networks reported that Afraidgate, the largest source of ransomware infections via exploit kits (EK), stopped delivering the CryptXXX ransomware and began distributing the Locky Zepto variant after switching from Angler to the Neutrino EK. Researchers stated that Afraidgate relies on malicious actors hacking Websites and adding malicious code to the site to redirect users to the Neutrino EK, which are easy to discover due to the “.top” domain extensions.
IP of ancient Conficker C&C domains resurfaces in new website hacking scheme. Sucuri’s forensic team discovered hacked Websites were redirecting their own traffic to one of their subdomains hosted on another server, prompting an investigation into the Websites which revealed the sites had been registered through NameCheap and were abusing the company’s FreeDNS service to hijack legitimate sites by redirecting domain name queries to the server’s IP address, which had been previously used to host command and control (C&C) servers for the Conficker malware.
New “QRLJacking” attack targets QR code logins. An independent researcher discovered that the Quick Response (QR) Login process is susceptible to a QRLJacking attack after finding a hacker could access the login QR code from the target Website and place it into a phishing page in order to trick the user into visiting the page and logging into the QR login process, thereby sending the secret login token to the hacker instead of the authenticated Website and allowing the hacker to hijack the session. Researchers stated that the attack can be avoided by opting out of the QR Login feature and using a regular password for sites and apps that offer QR logins.
Android trojan SpyNote leaks on underground forums. Researchers from Palo Alto Networks reported a new Android trojan dubbed SpyNote has been leaked on several underground forums and allows hackers to steal users’ messages and contacts, record audio using the device’s built-in microphone, listen in on a user’s calls, and control the device’s camera, among other illicit actions. Researchers stated the trojan, which prompts users for a long list of permissions on installation, is capable of updating itself and installing other rogue applications on the device.
Shelby County woman indicted for bank fraud. A former office manager and bookkeeper for Total Fire Protection in Alabaster, Alabama, was charged July 27 after she allegedly used the personal information of several individuals to embezzle approximately $328,000 from Total Fire Protection and related companies’ bank accounts from 2013 – 2015. The charges also allege the former manager drew unemployment benefits from the State under another person’s Social Security number and underreported her taxable income from 2013 – 2014.
SpyNote Android RAT builder has been leaked. Palo Alto Networks’ researchers warned that a builder for the SpyNote Android remote access trojan (RAT) is being distributed freely on several underground hacker forums and configures the RAT to contact a specific command and control (C&C) server over a specific port, removing its icon once it is installed. The malware is capable of viewing messages on infected devices, collecting device information, and exfiltrating files, among other tasks.
The AdGholas malvertising campaign infected thousands of computers per day. Proofpoint researchers reported that the group behind the malvertising operation AdGholas managed to distribute malicious advertisements through more than 100 ad exchanges, attracted between 1 million and 5 million page hits a day, and redirected up to 20 percent of computers that loaded the rogue ads to servers hosting exploit kits (EK) through the use of a series of complex checks and the use of steganography. The operation was suspended July 20.
Registered broker pleads guilty to securities fraud for participating in a $131 million market manipulation scheme. A former registered broker pleaded guilty July 27 to defrauding ForceField Energy Inc. investors out of $131 million between January 2009 and April 2015 after he and co-conspirators manipulated the price and volume of traded ForceField shares by orchestrating the trading of ForceField stock to create the appearance of interest and trading volume in the stock, and concealing payments to stock promoters and broker dealers who claimed to be independent of the company, among other fraudulent means. The charges also state that a ForceField executive paid kickbacks to the broker in exchange for purchasing company stocks in his clients’ brokerage accounts between October 2014 and April 2015.
Many web attacks come from United States: Sucuri. Researchers at Sucuri analyzed metadata from 30 days of Web traffic and blocked requests from its firewall product and found that the Structured Query Language (SQL) injection, brute force, and other exploit attempts had various browser user agents, more than one-third of the attacks came from the U.S. followed by Indonesia and China, and that when it came to operating systems (OS) 45 percent of attacks came from Microsoft Windows.
Media-stealing Android app targets developers. Google removed the “HTML Source Code Viewer” app from its Google Play distribution service after Symantec researchers discovered the malicious app stole photos and videos from victims’ mobile devices by requesting permissions to access the device’s external storage. The app targeted all versions of Android after and including Gingerbread.
Chrome, Firefox vulnerable to crashes via search suggestions. Nightwatch Cybersecurity researchers found that Google Chromium, Android, and Mozilla Firefox do not protect browser built-in search suggestions via an encrypted Hypertext Transfer Protocol Secure (HTTPS) channel, which could allow an attacker on the local channel to intercept search suggestion inquiries and answer before the search provider. Firefox, Chrome, and Android are working to address the issue.
Presidential Policy Directive – United States Cyber Incident Coordination. The U.S. President’s administration released Presidential Policy Directive/PPD-41 July 26 detailing the U.S. Cyber Incident Coordination, which sets forth principles that govern the Federal Government’s response to cyber incidents and the designation of responsibility to certain Federal agencies, including the FBI and DHS.
So-called ‘Cowboy Bandits’ convicted for robberies throughout L.A. County: FBI. Two Los Angeles residents dubbed the “Cowboy Bandits” were convicted July 26 for their roles in a series of armed robberies at gas stations and a Citibank branch in Los Angeles County during the fall of 2013.
DDoS attacks increase 83%, Russia top victim. Nexusguard released a report showing that distributed denial-of-service (DDoS) attacks increased 83 percent to more than 182,900 attacks in the second quarter of 2016, with Russia as the top victim country. The U.S. and China were part of the top three targeted countries as the company also reported increases in routing information protocol (RIP) and multicast domain name service (mDNS) threats.
Siemens patches flaws in industrial automation products. Siemens released software updates addressing several vulnerabilities found in SIMATIC and SINEMA products including a cross-site scripting (XSS) vulnerability in the integrated Web server of SINEMA Remote Connect Server which can be exploited by a remote attacker by tricking the user into clicking on a specially crafted link, as well as two high severity improper input validation bugs that were discovered in SIMATIC WinCC SCADA systems and PCS7 distributed control systems (DCS), among other vulnerabilities.
FBI seeks ‘We’re Listening Bandit’ in three-county bank robbery spree. The FBI is searching July 23 for a man dubbed the “We’re Listening Bandit” who is suspected of robbing and attempting to rob six banks in Los Angeles, San Bernardino, and Riverside counties since June.
Critical holes in Micro Focus Filr found, plugged. Micro Focus released patches addressing a cross-site request forgery (CSRF) flaw, an Operating System (OS) Command Injection vulnerability, a persistent cross-site scripting (XSS) flaw, a path traversal, and an authentication bypass vulnerability in its Filr enterprise file management and collaborative file sharing solution after a SEC Consult researcher discovered the flaws during a quick security check.
CTB-Faker ransomware uses WinRAR to lock data in password-protected ZIP files. Bleeping Computer and Check Point researchers found that the CTB-Faker ransomware family is currently being distributed via adult Websites, and encourages users to download a ZIP file which contains an executable that initiates the ransomware which moves files to a password-protected file at “C:Users.zip” through the use of the WinRAR application. Researchers determined that the ransomware is decryptable.
Stampado ransomware stomped out before it could do any real damage. A malware analyst at Emsisoft created a free decrypter, unlocking files encrypted by the Stampado ransomware which presents itself as an ad for a Ransomware-as-a-Service (RaaS) offering on Dark Web cyber-crime forums for a low price.
Hacker downloads Vine’s entire source code. Twitter secured an insecure Docker setup used by the company’s staff to manage Vine’s content after security researcher Avicoder discovered the critical security flaw which would have allowed an attacker to download Vine’s entire source code, its application program interface (API) keys, and third party keys, from its servers after determining that the Docker installations were publicly accessible and that Twitter was running Docker API v1 instead of the latest version of Docker (v2).
‘Midday Bandit’ tries to rob West Town bank. The FBI is searching July 21 for a man dubbed the “Midday Bandit” who is suspected of robbing 15 banks in the Chicago area since 2014, including a South Central Bank branch July 21.
Decrypter available for ODCODC ransomware. Security researchers from BloodyDolly released a decrypter for the ODCODC ransomware that circumvents ODCODC’s RSA-2048 encryption to recover the victim’s files without paying the ransom.
“Dum-Dum Bandit” robs 3 Colorado banks in 30 days. The FBI is searching July 20 for a man dubbed the “Dum-Dum” Bandit who is suspected of robbing three banks in Denver since June, including a U.S. Bank branch July 19.
Police seize 150 credit cards, IDs in counterfeit bust. Two men were arrested in Corona, California, July 16 after authorities found about 150 counterfeit credit cards, numerous counterfeit IDs, and an encoding machine, among other illicit materials in the duo’s apartment after police received information regarding the illegal activities in May. Officials said the duo used the counterfeit cards to make fraudulent purchases in Los Angeles, Orange, and Riverside counties.
Vulnerabilities affecting SAP HANA and SAP Trex put 10,000 customers at risk. Onapsis released security advisories reporting on vulnerabilities in SAP High-Performance Analytic Appliance (HANA) and SAP Trex including a critical risk brute force attack affecting SAP HANA that could allow an attacker to gain unrestricted access to business information, and a critical risk remote command execution flaw affecting SAP Trex that could allow an unauthenticated attacker to modify arbitrary database information, among other vulnerabilities. Researchers from Onapsis reported the flaws pose a risk to over 10,000 SAP customers running different versions of SAP HANA.
Cisco plugs critical flaw in data center operations management solution. Cisco patched a critical vulnerability affecting its Unified Computing System (UCS) Performance Manager software’s Web framework after a researcher from the Adidas Group discovered that an attacker could exploit the vulnerability by sending crafted Hypertext Transfer Protocol (HTTP) GET requests to an affected system, allowing the attacker to execute arbitrary commands with root user privileges.
Chrome 52 patches 48 vulnerabilities. Google released Chrome 52 patching 48 security flaws including 11 high risk flaws and 6 medium severity flaws after external researchers found a high risk sandbox escape flaw in the Pepper Plugin application programming interface (PPAPI), a high risk uniform resource locator (URL) spoofing flaw on iOS, a use-after-free in Extensions, and a heap-buffer-overflow issue affecting sfntly, among other vulnerabilities.
Backdoor account found in Dell network security products. Researchers from Digital Defense, Inc. (DDI) released patches addressing six serious security flaws affecting the Dell SonicWALL Global Management System (GMS) after discovering the equipment had a hidden account that could be exploited to add non-administrative users via the command-line interface (CLI) Client, thereby elevating an attacker’s privilege and allowing the malicious actor full control of the GMS interface and all attached SonicWALL appliances. DDI researchers also discovered two unauthenticated root command injections that lead to remote code execution (RCE) with root privileges on Dell equipment, among other vulnerabilities.
CrypMIC ransomware emerges as CryptXXX copycat. Trend Micro security researchers discovered a ransomware dubbed CrypMIC was mimicking the CryptXXX ransomware family, in that it uses the Neutrino exploit kit (EK) to distribute the malware, utilizes the same ransom note and payment site, and employs a custom protocol via transmission control protocol (TCP) Port 443 to communicate with its command and control (C&C) servers, among other similarities. Researchers reported that the source code and capabilities of the two families are different after finding the CrypMIC ransomware cannot harvest credentials and related information from the affected device, as it does not download and execute an information-stealing module in its process memory.
SoakSoak botnet pushing Neutrino exploit kit and CryptXXX ransomware. Invincea researchers reported a surge in CryptXXX ransomware infections targeting popular Web sites running the Revslider slideshow plugin for WordPress after discovering the SoakSoak botnet was delivering the CryptXXX ransomware via business Web sites that were compromised to redirect to the Neutrino exploit kit (EK).
Man dubbed ‘Bandaged Bandit’ sought in area bank robberies. The FBI is searching for a man dubbed the “Bandaged Bandit” who is suspected of committing four bank robberies in El Dorado Hills, California, and in Folsom and Stateline, Nevada, since June, including a U.S. Bank branch in Folsom July 15.
Oracle’s critical patch update for July contains record number of fixes. Oracle released its July Critical Patch Update (CPU) that addressed a total of 276 vulnerabilities in several of its products including 19 critical security flaws affecting the Oracle WebLogic Server component, the Hyperion Financial Reporting component, and the Oracle Health Sciences Clinical Development Center component, among other applications. The update also resolves 36 security flaws in applications specifically designed for the insurance, health, financial, and utility sectors, as well as 159 remote code execution (RCE) flaws that can be exploited without authentication.
Free decrypter available for Bart ransomware. A security researcher for AVG released a free decrypter for the Bart ransomware that recovers files locked by the ransomware after discovering Bart uses one password for all files placed inside a password-protected ZIP archive.
Petya ransomware gets encryption upgrade. A security researcher dubbed Hasherezade discovered the Petya ransomware no longer allows for easy data recovery after finding that the malware operators bundled Petya with Mischa, a failsafe designed to encrypt user files one at a time if Petya was unsuccessful in manipulating the Master Boot Record (MBR) to take over the boot process and encrypt the entire hard disk after a reboot.
Security software that uses ‘code hooking’ opens the door to hackers. Researchers from enSilo discovered 6 security vulnerabilities affecting over 15 different products, including antivirus programs from Kaspersky Lab, Trend Micro, and Symantec, among others, that use hooking to intercept, monitor, or modify potentially malicious behavior in applications and operating systems (OS). The flaws can be exploited by malicious attackers to easily bypass the anti-exploit mitigations provided by Microsoft Windows or third-party applications and inject malicious code into any process running on a victim’s device while remaining undetected.
Gmail security filters can be bypassed just by splitting a word in two. Security researchers from SecureState discovered that an attacker can bypass Gmail’s security features responsible for detecting malicious macros in Microsoft Office document attachments by separating “trigger words” into two words or across a row of text after finding that the security filters failed to detect malicious macros in the script when an attacker split a sensitive term on two different lines of the exploit code.
DoS vulnerability patched in BIND. The Internet Systems Consortium (ISC) released BIND versions 9.9.9-P2 and 9.10.4-P2 addressing a medium severity, remote code execution (RCE) vulnerability that could cause systems using the lightweight resolver protocol (lwresd) to resolve names to enter a denial-of-service (DoS) condition due to an error in the way the protocol was implemented after finding that the server can terminate when the lwresd is asked to resolve a query name that exceeds the maximum allowable length when combined with a search list entry.
$5K reward offered to stop ‘Americas Bandit’ after 6 Manhattan banks struck in almost a year. Authorities offered a reward July 18 in exchange for information on a man dubbed “America’s Bandit” who is suspected of robbing six banks in New York City since September 2015, including a Chase Bank branch July 9. The suspect is considered armed and dangerous.
Apple patches tens of vulnerabilities in iOS, OS X. Apple Inc. released security updates for several of its products including OS X El Capitan version 10.11.6, which patched a total of 60 security bugs affecting components such as audio, FaceTime, and CFNetwork, among others, after a Zscaler researcher discovered the flaws could allow unprivileged applications to access cookies stored in the Safari browser. Apple also released iOS version 9.3.3, resolving 43 vulnerabilities, one of which could allow an attacker with physical access to the device to abuse Siri and view private contact information, among other patches.
HTTPoxy vulnerability affects CGI-based apps in PHP, Python, and Go. A developer from Vend discovered CGI applications written in Hypertext Preprocessor (PHP), Python, and Go were plagued by an HTTPoxy vulnerability after finding that CGI-based environments receiving incoming Hypertext Transfer Protocol (HTTP) requests containing a “Proxy” header were placing the header’s content in the HTTP_PROXY environment variable without sanitization, which could allow an attacker to force a vulnerable CGI-based application to use a malicious proxy for its outgoing HTTP requests, carry out Man-in-the-Middle (MitM) attacks, and poison servers.
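The header-to-environment mapping behind HTTPoxy, as an added illustration that is not code from the original page or from any affected project: a naive CGI gateway turns the client-supplied “Proxy” header into HTTP_PROXY, and a hardened gateway drops that header before the environment is built. The function names and sample request headers are constructed for this example.

```python
"""Added example: how a CGI gateway produces HTTP_PROXY from a request header,
and the defensive change that closes the hole. Names and sample data are
constructed for illustration, not taken from any real gateway."""
from typing import Dict, Optional

# Constructed request headers, as a CGI gateway would receive them from a client.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "app.example",
    "User-Agent": "curl/7.0",
    "Proxy": "http://attacker.invalid:8080",  # client-controlled; the HTTPoxy trigger
}


def cgi_meta_variable(header_name: str) -> str:
    """CGI rule (RFC 3875): 'HTTP_' + header name upper-cased, '-' replaced by '_'.
    This is why a request header named 'Proxy' collides with the HTTP_PROXY
    variable that many HTTP client libraries read for their outbound proxy."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Naive gateway: copies every request header into the CGI environment."""
    return {cgi_meta_variable(name): value for name, value in headers.items()}


def build_cgi_env_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Hardened gateway: the 'Proxy' request header is discarded (case-insensitively)
    before the environment is built, so a client can never set HTTP_PROXY."""
    return {
        cgi_meta_variable(name): value
        for name, value in headers.items()
        if name.lower() != "proxy"
    }


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Mimics an HTTP client library consulting HTTP_PROXY for outgoing requests.
    Returns the proxy URL the library would use, or None if no proxy is set."""
    return env.get("HTTP_PROXY")


def is_httpoxy_exposed(headers: Dict[str, str], hardened: bool) -> bool:
    """Defender's check: would a request with these headers redirect the
    application's outbound HTTP traffic through a client-chosen proxy?"""
    env = build_cgi_env_hardened(headers) if hardened else build_cgi_env_vulnerable(headers)
    return outbound_proxy(env) is not None


if __name__ == "__main__":
    print("vulnerable gateway exposed:", is_httpoxy_exposed(SAMPLE_HEADERS, hardened=False))
    print("hardened gateway exposed:  ", is_httpoxy_exposed(SAMPLE_HEADERS, hardened=True))
```

The same fix is normally applied at the web server rather than in application code, by stripping or blanking the “Proxy” header before it reaches the CGI or FastCGI backend.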
CryptXXX now being distributed via spam emails. Security researchers from Proofpoint warned that the CryptXXX malware was leveraging a spam email campaign after discovering that the emails, using subjects such as “Security Breach – Security Report #123456789,” were tricking users into activating malicious macros embedded in the emails’ document attachments, which were designed to download and install the ransomware when the victim interacted with them.
Steemit social network hacked, user funds stolen, DDoS attack ensued. Steemit, a social networking platform, announced July 14 that an unknown attacker exploited the network’s browser-side vulnerabilities to steal $85,000 worth of Steem Dollars and Steem Power from approximately 260 users’ funds after a user reported mysterious transactions that transferred funds from his account to another Bittrex account, a Bitcoin trading portal. Steemit’s servers also faced a distributed denial-of-service (DDoS) attack, prompting the network to bring down its servers for maintenance and service upgrades.
‘Dreaded bandit’ wanted in series of Bay Area bank robberies. The FBI offered a reward July 15 in exchange for information leading to the arrest or conviction of a man dubbed the “Dreaded Bandit” who is suspected of robbing at least three San Francisco Bay area banks since April, including a Comerica, Inc., bank branch in the Cow Hollow neighborhood July 11. Authorities stated the suspect is armed.
Metairie woman convicted of multi-State bank fraud scheme and aggravated identity theft. A Metairie, Louisiana woman pleaded guilty July 13 to Federal charges for her role in a multi-State bank fraud scheme where she stole individuals’ personal information and used the information to create fraudulent credit cards in order to embezzle approximately $102,257 from victims’ accounts at 21 banks in Louisiana, Texas, and Mississippi.
Ubuntu Forums hacked again, 2 million users exposed. Canonical chief executive officer (CEO) reported that an attacker exploited a Structured Query Language (SQL) injection flaw in its Ubuntu Forums to access and download part of the Forums database, containing usernames, email addresses, and internet protocol addresses (IPs) for 2 million users. Canonical shut down the database, reset all users’ passwords, and installed a Web application firewall after being notified that an individual was claiming to have a copy of the Forums database.
Researcher finds way to steal money from Instagram, Google, and Microsoft. An independent Belgian security researcher discovered a flaw in Facebook, Google, and Microsoft’s two-factor authorization (2FA) voice-based token distribution systems that could allow an attacker, who has created premium phone services and linked them together with fake Instagram, Google, and Microsoft Office 365 accounts, to use automated scripts to request 2FA tokens for all accounts, and by doing so, place legitimate phone calls to their premium phone service, thereby earning a substantial profit.
Cisco patches serious flaws in router and conferencing server software. Cisco Systems released patches addressing several vulnerabilities in its Cisco Internetwork Operating System (IOS), IOS XR, ASR 5000, WebEx Meetings Server, and Cisco Meeting Server, including a high severity denial-of-service flaw and an arbitrary code execution issue in its Cisco IOS XR software, two cross-site scripting (XSS) vulnerabilities in the WebEx Meetings Server version 2.6, and an insecure Simple Network Management Protocol (SNMP) implementation flaw in the ASR 5000 Series platform, among other vulnerabilities.
Locky ransomware gets offline encryption capabilities. Security researchers from Avira discovered an update to the Locky ransomware that allows the ransomware to enter an offline encryption mode when it cannot connect to the command and control (C&C) server. The development mimics the Bart ransomware, in that it ensures that the ransomware can carry out malicious actions even when its Internet connectivity is blocked, making detection more difficult.
Investigators: Link between skimmers and 103 credit cards found possible. A New York resident was arrested in Symmes Township, Ohio, July 14 after police found over 103 fraudulent Visa gift cards that had been re-encoded with stolen credit card numbers in the suspect’s vehicle during a routine traffic stop. Authorities are investigating whether the man is linked to a credit card skimming scheme targeting New York, New Jersey, and Connecticut.
‘Hipster Bandit’ bank robbery suspect arrested. A man dubbed the “Hipster Bandit” was arrested in Serra Mesa, California, July 14 after he allegedly robbed eight banks and attempted to rob two others in San Diego, Riverside, and Orange counties since November 2015.
New trojan helps attackers recruit insiders. Researchers at Gartner and Diskin Advanced Technologies found a new trojan dubbed “Delilah” that uses social engineering and extortion to recruit insiders. The trojan collects personal information and captures video from the targeted user’s webcam; its operators then use the material to manipulate or blackmail the individual, instructing the target to use virtual private networks (VPNs) and the Tor network when communicating with them.
IE exploit added to Neutrino after experts publish PoC. FireEye and Symantec researchers found that the Neutrino exploit kit (EK) added an Internet Explorer exploit after researchers published a proof-of-concept (PoC) for two remote code execution (RCE) vulnerabilities that Microsoft patched in May. Neutrino uses an Adobe Flash file to profile the victim’s system and decide which exploit to deliver. Researchers determined that the exploit added to Neutrino is identical to the published PoC except for the code that runs after it gains initial control.
CryptXXX devs provide free decryption keys for some ransomware versions. Bleeping Computer researchers identified a category of users who can obtain a free decryption key by visiting the Tor-based payment sites of the CryptXXX ransomware: those whose files were encrypted by the versions that append the “.crypz” and “.cryp1” file extensions.
Maxthon browser collects sensitive data even if users opt out. Maxthon is investigating after Exatel and Fidelis Cybersecurity researchers found that the Maxthon Web browser collects sensitive information and sends it to Maxthon’s servers even when the user opts out, due to an issue in the current implementation of its User Experience Improvement Program (UEIP), which lets the browser manufacturer collect analytics on how users use the product.
Two arrested for credit card fraud scheme. Two individuals were arrested and charged in Montgomery County, Texas, July 11 after authorities discovered approximately 100 stolen credit cards and a credit card embossing machine, among other illicit material in the duo’s vehicle during a routine traffic stop.
Longtime fugitive pleads guilty to stealing $65 million from hundreds of people. A fugitive, initially indicted in October 2003, pleaded guilty July 13 to defrauding around 800 investors out of an estimated $65 million in a Ponzi scheme in which he and co-conspirators operated Doylestown, Ohio-based Cyprus Funds, Inc., to sell certificates of deposit and unregistered mutual funds in Latin America and the U.S. from 1995 – 1999.
Juniper patches high-risk flaws in Junos OS. Juniper Networks fixed several vulnerabilities in the Junos operating system (OS) used on its networking and security appliances, including an information leak in the J-Web interface, vulnerabilities that could lead to denial of service conditions, a potential kernel crash, a potential memory buffer (mbuf) leak, a crypto vulnerability, and an issue with SRX Series devices.
Microsoft discovers new version of Troldesh ransomware. Microsoft Malware Protection Center researchers discovered a new version of the Troldesh ransomware, also known as Encoder.858 and Shade Ransomware, that contains new modifications including a dedicated payment portal where users can get information on how to pay the ransom, utilization of a Tor Web site, and two new extensions, “.da_vinci_code” and “.magic_software_syndicate,” which are added to the end of encrypted files.
Huge spam wave drops Locky variant that can work without an internet connection. F-Secure researchers examined a July 12 campaign distributing the Locky ransomware in which the group sent out 120,000 spam email messages every 2 hours in two bursts of activity. Avira researchers also found that a new Locky variant works in “offline mode,” encrypting files even when it cannot reach its command and control server, which makes it harder to block.
Three popular Drupal modules patch site-takeover flaws. Drupal, a content management system, worked with the maintainers of three third-party modules, RESTWS, Coder, and Webform Multiple File Upload, to address critical vulnerabilities that could allow attackers to take control of Web sites, including a flaw that allows attackers to execute rogue Hypertext Preprocessor (PHP) code on Web servers that host Drupal Web sites with the modules installed, as well as other flaws that could lead to remote code execution (RCE).
Ransomware permanently deletes your files then has the nerve to ask for money. Cisco Talos researchers discovered a new piece of ransomware dubbed Ranscam that deletes the victim’s files after infecting the computer, and removes core Microsoft Windows executables responsible for the System Restore feature, hard drive shadow copies, and several registry keys associated with booting into Safe Mode, among other modifications. Once the removal is complete, the ransomware shows its ransom note and falsely informs the victim that their files are encrypted and moved into a hidden partition.
SAP patches critical Clickjacking vulnerabilities. SAP released 10 Security Patch Day Notes and 26 Support Package Notes addressing several vulnerabilities, including a critical Clickjacking flaw in multiple SAP frameworks and technologies, denial of service flaws, missing authorization checks, code injection, and a cross-site scripting (XSS) issue, among other vulnerabilities.
New Stampado ransomware advertised on the Dark Web for only $39. Heimdal Security researchers spotted a new ransomware on the Dark Web dubbed Stampado, which is offered under a Ransomware-as-a-Service (RaaS) model and locks files with a “.locked” file extension, similar to other ransomware families. Stampado is being offered for $39 for a lifetime license and mimics the Jigsaw ransomware, in that it deletes a random file from the infected computer every 6 hours in order to pressure the victim into paying the ransom.
Microsoft patches critical flaws in Internet Explorer, Edge. Microsoft released 11 bulletins addressing 15 bugs in Internet Explorer, 13 bugs in Edge, and several other flaws in Office, Jscript, VBScript, and .NET Framework including a remote code execution (RCE) bug, an elevation of privilege issue in Windows Print Spooler, and a scripting engine memory corruption vulnerability in Jscript and VBScript, among others.
Adobe patches critical vulnerabilities in Flash, Acrobat, Reader. Adobe released security updates for Flash Player, Acrobat, Reader, and XMP Toolkit for Java patching more than 82 bugs affecting Microsoft Windows, Mac OS X, ChromeOS, and Linux users, including an integer overflow issue, a use-after-free vulnerability, a heap buffer overflow bug, and multiple memory corruption vulnerabilities, among others.
Southern California man pleads guilty for his role as sales manager in fraudulent mortgage modification scheme. An Orange County, California resident pleaded guilty July 11 for his role as the sales manager of an estimated $9 million fraudulent mortgage modification scheme where he supervised dozens of telemarketers who made misleading statements and false promises to convince over 1,500 homeowners facing foreclosure to pay up to $5,500 for the services of Rodis Law Group (RLG) and a successor entity, America’s Law Group between October 2008 and June 2009 by falsely claiming RLG consisted of a team of attorneys experienced in negotiating lower interest rates and lowering principal balances, among other misrepresentations. Two co-defendants were also charged for their roles in the scheme.
Code execution flaw plagues Intel Graphics Driver. Security researchers from Cisco Talos discovered a local code execution vulnerability in Intel HD Graphics Windows Kernel Mode Driver version 10.18.14.4264 that could allow an attacker to run arbitrary code on a victim’s system or cause a denial of service (DoS) by sending a specially crafted D3DKMTEscape request to the Intel HD Graphics driver. Microsoft’s removal of the NTVDM subsystem beginning with Windows 8 mitigates the attack, but researchers stated the mitigation was not foolproof.
Website takeover issue fixed in WordPress’ most popular plugin. A security researcher reported that the All in One SEO Pack WordPress plugin was plagued with a vulnerability that could allow attackers to store malicious code in the Web site’s admin panel which could potentially enable attackers to control the Web site.
DoS flaw affects Symantec endpoint products. Symantec released a patch addressing a denial-of-service (DoS) vulnerability in the Portable Executable (PE) file scanning functionality of its Norton Security and Endpoint Protection products. A security researcher from Cisco Talos found that the Client Intrusion Detection System (CIDS) driver mishandles a PE file whose section header carries a very large SizeOfRawData field, so an attacker could crash a system by sending the victim a specially crafted PE file that the driver then scans.
GootKit banking trojan receives massive update. Security researchers from IBM’s X-Force Research reported that the GootKit trojan, which targets banks internationally, has updated its source code and mode of operation to evade antivirus detection, changing its installation method to use scheduled tasks that run every minute, which lets the trojan run under both least-privilege user accounts (LUA) and administrator accounts.
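The Symantec item two entries above turns on one header field. The added example below (written for this page, not Symantec’s driver code) constructs a minimal PE image and shows the bounds check a section parser needs: PointerToRawData plus SizeOfRawData must not exceed the file length, and the sum must be computed without 32-bit wraparound. The image builder emits only the headers needed for the check, so the result is not a loadable executable; the layout constants are the documented IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER formats.

```python
import struct

COFF_HDR = struct.Struct("<HHIIIHH")        # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Construct a minimal PE image for the demo: DOS stub, PE signature, COFF header,
    no optional header, one section header per (name, size_of_raw_data, raw_bytes).
    The SizeOfRawData field is taken from the tuple so it can be deliberately wrong."""
    n = len(sections)
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + COFF_HDR.size + SECTION_HDR.size * n
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> PE signature
    coff = COFF_HDR.pack(0x14C, n, 0, 0, 0, 0, 0x102)       # i386, n sections, no optional header
    blob = bytearray(dos + b"PE\0\0" + coff)
    offset, payload = headers_len, b""
    for name, raw_size, data in sections:
        blob += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), 0x1000,
                                 raw_size, offset, 0, 0, 0, 0, 0x60000020)
        offset += len(data)
        payload += data
    return bytes(blob + payload)


def check_sections(image):
    """Return (section_name, problem) pairs for section headers whose raw data range
    lies outside the file. An image that passes the check returns []."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return [("<file>", "not a PE image")]
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return [("<file>", "bad PE signature")]
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(image, coff_off)
    sec_off = coff_off + COFF_HDR.size + opt_size
    problems = []
    for i in range(nsec):
        if sec_off + SECTION_HDR.size > len(image):
            problems.append(("<hdr %d>" % i, "section header truncated"))
            break
        name, _, _, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(image, sec_off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # Python ints do not wrap; in C this sum must be done in 64 bits or checked for overflow.
        end = raw_ptr + raw_size
        if end > len(image):
            problems.append((name, "raw data [0x%x, 0x%x) exceeds file size 0x%x"
                             % (raw_ptr, end, len(image))))
        sec_off += SECTION_HDR.size
    return problems


if __name__ == "__main__":
    print(check_sections(build_pe([(b".text", 16, b"\x90" * 16)])))
    print(check_sections(build_pe([(b".text", 0xFFFFFFF0, b"\x90" * 16)])))
```

A scanner that trusts SizeOfRawData and reads or allocates that many bytes is exactly the pattern the crafted file targets; validating against the real file length before any read or allocation closes it.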
FBI seeks ‘Hipster Bandit,’ offers $20K reward. The FBI offered a reward July 8 in exchange for information leading to the capture of a man dubbed the “Hipster Bandit” who is suspected of robbing eight banks and attempting to rob two others in San Diego County since September 2015, including a Wells Fargo Bank branch July 2.
Norwich resident admits role in insurance fraud scheme. A Norwich, Connecticut resident pleaded guilty July 7 for his role in an insurance fraud scheme where he and co-conspirators staged approximately 50 car crashes in southeastern Connecticut, and filed fraudulent property damage and bodily injury claims with various automobile insurance companies in order to collect up to $30,000 in insurance payouts per fraudulent claim between April 2011 and February 2014.
MIUI vulnerability affects millions of Xiaomi Android devices. Security researchers from IBM’s Security Intelligence team reported a remote code execution (RCE) vulnerability in the MIUI analytics component in versions prior to MIUI Global Stable 7.2, after discovering that the component’s self-update mechanism can be hijacked via a Man-in-the-Middle (MitM) attack and used to deliver malicious update packages. The analytics package queries its update server and downloads updates over plain Hypertext Transfer Protocol (HTTP), allowing an attacker on the network path to watch for the requests and answer them with basic spoofing techniques.
Former Regions Bank VPs indicted in bribery, wire fraud scheme. Two former vice presidents at Regions Bank, who also served as officers at Regions Equipment Financing Corp., (REFCO) in Birmingham, Alabama, were indicted July 7 for their roles in a $5 million bribery and wire fraud scheme where the duo and a co-conspirator allegedly established a fraudulent company, Residual Assurance Inc., that would enter an agreement with REFCO to provide residual value insurance, directed REFCO’s residual value insurance business to the company, and split the business’s proceeds between September 2010 and November 2015. The charges allege that the former executives collectively received over $3 million for their roles in the scheme.
New “Patchwork” cyber-espionage group uses copy-pasted malware for its attacks. Security researchers from Cymmetria reported that a new cyber-espionage group, dubbed the Patchwork Advanced Persistent Threat (APT), has infected at least 2,500 machines since December 2015 using spear-phishing emails with PowerPoint attachments that embed the Sandworm exploit. The group’s malware is assembled from copy-pasted code taken from known tools such as PowerSploit, Meterpreter, AutoIt, and UACME.
Ex-Wall Streeter pleads guilty in fraud case. A former executive at Park Hill Group pleaded guilty July 6 to Federal charges after he bilked approximately $38.5 million from more than 10 individuals and entities in a Ponzi-like scheme where he convinced family and friends to invest in a non-existent private equity firm from July 2015 – March 2016 and used the money for personal option trades, to repay money he had previously diverted from the Park Hill Group, and for personal use, among other illicit purposes. Officials stated the scheme attempted to bilk investors out of nearly $150 million.
Dangerous GNU wget vulnerability still not patched in all Linux distros. Security researcher Dawid Golunski, working with SecuriTeam, disclosed a GNU wget vulnerability that could allow an attacker to write arbitrary files and achieve code execution, due to wget’s improper handling of the local file name when a server redirects from an initial Hypertext Transfer Protocol (HTTP) Uniform Resource Locator (URL) to a File Transfer Protocol (FTP) link.
Over 6,000 Redis database servers ready for taking. Security researchers from Risk Based Security released a report stating that 6,338 Redis servers had been compromised, after a non-intrusive scan using Shodan revealed that the hacked servers carried a Secure Shell (SSH) key with the comment “crackit”, tied to an email address previously seen in other incidents. Researchers recommended that administrators update Redis to the current version and enable the “protected mode” feature.
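Two checks follow from the wget and Redis items above. The added example below is written for this page (it is not wget’s code nor Redis’s). The first function shows the rule wget needed: name the saved file after the URL the user asked for, not the one a redirect lands on, and reject names that escape the directory or create dotfiles. The second audits a redis.conf for the settings behind the researchers’ advice, and a third scans an authorized_keys file for the “crackit” comment; the configs and key lines are constructed samples. The CONFIG-rename check rests on background the item does not state: an unauthenticated Redis instance is typically turned into an arbitrary file write via CONFIG SET dir / dbfilename followed by SAVE, which is how an SSH key ends up on the host.

```python
import posixpath
from urllib.parse import urlsplit, unquote

DEFAULT_NAME = "index.html"


def choose_local_name(requested_url, final_url):
    """Local file name for a download: derived from the URL the user requested, never
    from the redirect target, then reduced to a single safe path component."""
    path = unquote(urlsplit(requested_url).path).rstrip("/")
    name = posixpath.basename(path)
    # Basename already strips "../" prefixes; still refuse empty, dot-only and dotfile names.
    if not name or name in (".", "..") or "\0" in name:
        return DEFAULT_NAME
    if name.startswith("."):
        return "_" + name          # .bash_profile -> _.bash_profile, never a hidden file
    return name


# Constructed sample configs for the audit (not from any real host).
EXPOSED_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ("bind 127.0.0.1 ::1\nprotected-mode yes\nport 6379\n"
                 "requirepass CHANGE-ME-long-random-secret\nrename-command CONFIG \"\"\n")


def parse_conf(text):
    """redis.conf is 'directive value...' per line; keep every occurrence of a directive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Findings for a redis.conf; [] means none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings = []
    # With no bind line Redis listens on every interface.
    bind_addrs = [a for line in conf.get("bind", ["0.0.0.0"]) for a in line.split()]
    if any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("listens on all interfaces (bind)")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode disabled")
    if not conf.get("requirepass") or conf["requirepass"][0] in ("", '""'):
        findings.append("no requirepass: unauthenticated access")
    if not any(v.upper().startswith("CONFIG ") for v in conf.get("rename-command", [])):
        findings.append("CONFIG command not renamed/disabled")
    return findings


# Constructed authorized_keys: a legitimate key, then the residue a Redis dump leaves behind.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly000000000000000 ops@bastion\n"
    "REDIS0006\xfe\x00\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/constructed/dummy/key/material crackit\n"
)


def find_suspicious_keys(authorized_keys):
    """1-based line numbers that carry an RDB file header or the 'crackit' comment."""
    return [n for n, line in enumerate(authorized_keys.splitlines(), 1)
            if "REDIS00" in line or line.rstrip().endswith(" crackit")]


if __name__ == "__main__":
    print(choose_local_name("http://example.test/report.pdf", "ftp://evil.test/.bash_profile"))
    print(audit_redis_conf(EXPOSED_CONF), audit_redis_conf(HARDENED_CONF))
    print(find_suspicious_keys(SAMPLE_AUTHORIZED_KEYS))
```

The audit is a static check of the on-disk file; the same settings can be confirmed on a live instance with CONFIG GET, provided the command has not been renamed away.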
Campaign of infected WordPress and Joomla sites leads to CryptXXX ransomware. Security researchers from Sucuri discovered that a new campaign dubbed Realstatistics was using outdated Content Management Systems (CMSs), primarily WordPress and Joomla Web sites, to hack Web sites using vulnerabilities in plugins rather than using core vulnerabilities after discovering at least 2,000 Web sites were affected by the campaign.
Caja toolkit vulnerability exposed Google Docs domain to XSS attacks. Google released patches for several cross-site scripting (XSS) issues in its Caja toolkit used inside its Docs and Developers series after a security researcher found the tool failed to sanitize various types of XSS attacks, potentially allowing attackers to create malicious Google Docs files containing Google Apps Script, that when loaded, could steal cookies and execute malicious actions.
Information-collecting Android keyboard tops 50 million installs. Security researchers from Pentest Limited discovered that a third-party keyboard application for Android dubbed “Flash Keyboard” was communicating with servers in several countries and sending personal data, including the device manufacturer and model number, International Mobile Equipment Identity (IMEI), Android version, user email address, mobile networks, and GPS coordinates, to a remote server. The application engages in deceptive behavior, which Google prohibits.
New malware uses Tor to open backdoor on Mac OS X systems. Security researchers from Bitdefender discovered a new malware family named Backdoor.MAC.Eleanor that opens a backdoor on Mac OS X systems via a Tor hidden service, a Hypertext Preprocessor (PHP) Web service, and a Pastebin client. The backdoor can allow cyber criminals to navigate and interact with the local file system, launch reverse shells to execute root commands, and run scripts in PHP, Perl, Python, Ruby, Java, and C.
4 men face credit card fraud-related charges. Four men were arrested in Tolland, Connecticut, July 2 after police were notified that the group allegedly attempted to use several fake or stolen credit cards at a Mobil gas station. A subsequent search of the suspects’ vehicle revealed numerous fraudulent credit cards in various stages of production, a credit card embossing machine, and two electronic credit card writers, among other illicit materials.
‘Straw Hat Bandit’ strikes North Wales bank. Authorities are searching for a man dubbed the “Straw Hat Bandit” who is suspected of robbing 10 banks in the Philadelphia area since 2012, including a PNC Bank branch in North Wales July 2.
Flaws in free SSL tool allowed attackers to get SSL certificates for any domain. StartCom released a new version of its StartEncrypt Linux tool after a security researcher from Computest discovered that the product had several design and implementation flaws in its domain validation, which could allow an attacker to pass validation for any Web site that lets its users upload files, including GitHub and Dropbox, and so obtain Secure Sockets Layer (SSL) certificates for domains the attacker does not control.
Free decrypter available for download for MIRCOP ransomware. A security researcher created a decrypter tool that can recover files locked by the MIRCOP ransomware without paying the ransom, after an independent researcher and security researchers from Trend Micro revealed the new ransomware family at the end of June.
New Adwind RAT campaign with zero AV detection targets businesses in Denmark. Security researchers from Heimdal Security discovered a spam email campaign targeting Danish companies with malicious attachments named “Doc-[Number].jar” that carried the Adwind Remote Access Trojan (RAT) yet were not detected by any antivirus engine. Researchers believe the campaign may spread to other countries, as the emails were written in English.
Malware spread via Facebook makes 10,000 victims in 48 hours. Security researchers from Kaspersky Lab reported that from June 24 – June 27, cyber criminals used Facebook spam messages to distribute malware: victims were notified of a supposed mention in a comment and lured into opening a link that silently downloaded a trojan to the computer and installed an extension in the user’s Google Chrome Web browser. The infected accounts were allegedly used to sell Facebook “likes” and “shares” as a botnet. Facebook blocked the technique and Google removed the extension from its Chrome Web Store.
Critical vulnerability breaks Android full disk encryption. An independent Israeli security researcher discovered that the Qualcomm Secure Execution Environment (QSEE) was plagued with a critical elevation of privilege (EoP) flaw affecting 57 percent of Android devices, which could allow an attacker to bypass the Full Disk Encryption (FDE) feature introduced in Android 5.0 Lollipop. The flaw could allow a compromised privileged application with access to QSEECOM to execute arbitrary code in the TrustZone context.
HawkEye keylogger users employ hacked email accounts to receive stolen data. Security researchers from Trustwave discovered a spam email campaign delivering the HawkEye keylogger through malicious Rich Text Format (RTF) documents disguised as Microsoft Word files. The keylogger collects email, browser, and File Transfer Protocol (FTP) settings and passwords, and the attackers use hijacked email accounts as drop points, rerouting all messages received from a victim to the attacker’s personal inbox.
Second man pleads guilty to hacking entertainment celebs. The U.S. District Court for the Central District of California reported that an Illinois resident pleaded guilty for his involvement in a phishing scheme in which he obtained the usernames, passwords, and personal information, including private photographs and videos, of several female celebrities and non-celebrities by sending them emails disguised as security notices from Internet service providers. The culprit accessed at least 300 Apple iCloud and Google Gmail accounts.
Firmware zero-day allows hackers to disable security features. A security researcher discovered a zero-day firmware vulnerability in the Unified Extensible Firmware Interface (UEFI), which is installed on all Lenovo ThinkPad series laptops, after identifying that the flaw exists in the System Management Mode (SMM) code of Lenovo’s UEFI and can be exploited for several malicious actions including disabling the Secure Boot feature, disabling UEFI write protections, and bypassing Windows 10 Enterprise security features. Lenovo is investigating the incident.
Satana ransomware encrypts your boot record and prevents your PC from starting. Security researchers from Malwarebytes reported that the new ransomware dubbed Satana encrypts files using the same approach as other ransomware families, prefixing its contact email address to each file name, and additionally encrypts the Master Boot Record (MBR) and replaces it with its own. Once the user restarts the computer, Satana’s MBR boot code loads and locks the user out of the machine while its ransom note is displayed on the screen.
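Bootkit-style ransomware like the one above leaves a sector that no longer matches what the disk had before. The added example below (written for this page, not Malwarebytes’ analysis code) parses a 512-byte MBR, checks the 0x55AA signature and partition-table sanity, and compares the 440-byte boot-code area to a baseline hash recorded while the machine was known-good. Both sectors are constructed in code; the boot-code bytes are arbitrary placeholders, not a real boot loader or the malware’s stub.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, LBA count
PART_TABLE_OFF = 446


def build_mbr(boot_code, partitions):
    """Construct a 512-byte MBR for the demo: boot code, up to four partition entries
    given as (status, type, lba_start, lba_count), and the 0x55AA signature."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, start, count) in enumerate(partitions[:4]):
        PART_ENTRY.pack_into(sector, PART_TABLE_OFF + 16 * i,
                             status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def boot_code_hash(mbr):
    """SHA-256 of the boot-code area only; the disk signature and table are excluded
    so legitimate partition edits do not trip the check."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def inspect_mbr(mbr, baseline_hash):
    """Anomalies found in the sector; [] means it matches the baseline and looks sane."""
    issues = []
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
        return issues
    if boot_code_hash(mbr) != baseline_hash:
        issues.append("boot code differs from baseline")
    for i in range(4):
        status, _, ptype, _, start, count = PART_ENTRY.unpack_from(mbr, PART_TABLE_OFF + 16 * i)
        if status not in (0x00, 0x80):
            issues.append("partition %d: invalid status byte 0x%02x" % (i, status))
        if ptype != 0 and count == 0:
            issues.append("partition %d: zero-length partition" % i)
        if ptype == 0 and (start or count):
            issues.append("partition %d: empty type with non-zero extent" % i)
    return issues


# Constructed sectors: a "known-good" layout and a tampered copy with replaced boot code.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, [(0x80, 0x07, 2048, 204800)])
BASELINE = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"PLACEHOLDER RANSOM STUB" * 3, [(0x80, 0x07, 2048, 204800)])


if __name__ == "__main__":
    print(inspect_mbr(CLEAN_MBR, BASELINE))
    print(inspect_mbr(TAMPERED_MBR, BASELINE))
```

On a live system the 512 bytes come from the raw disk device and the baseline is stored somewhere the malware cannot rewrite; a scheduled comparison of this kind catches an overwritten MBR before the next reboot brings the lock screen.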
Man accused of using fraudulent plastic to charge $85,000 in purchases. A Raleigh resident was arrested June 29 for allegedly using a fraudulent credit card to spend approximately $85,000 at businesses in Cary and Garner, North Carolina, and for cashing two checks drawn on a closed Bank of America account.
Google finds 16 bugs, 2 zero-days, in Windows kernel font handling. Microsoft released patches for its Windows kernel fixing 16 flaws after security researchers from Project Zero found them in font processing, which Windows performs in the kernel at ring 0 with the highest level of privilege, so that a bug in font parsing gives an attacker direct access to the entire operating system (OS).
Free decrypter available for Unlock92 ransomware. An independent security researcher created a decrypter tool for the Unlock92 ransomware after security researchers from Malwarebytes discovered that the new ransomware encrypts victims’ files with symmetric Advanced Encryption Standard (AES) encryption and generates a 64-character hexadecimal password for each target.
Foxit patches RCE flaws in Reader, PhantomPDF. Foxit Software released updates for its Reader and PhantomPDF products for Windows, version 220.127.116.111 and earlier, that addressed more than a dozen vulnerabilities including out-of-bounds read, heap buffer overflow, stack buffer overflow, use-after-free, and uninitialized pointer issues that could have been exploited remotely to expose sensitive information, crash the application, and execute arbitrary code.
Hackers can exploit LibreOffice flaw with RTF files. LibreOffice 5.1.4 was released June 30 after security researchers from Cisco Talos discovered that the Rich Text Format (RTF) parser in LibreOffice was susceptible to a flaw that could allow an attacker to execute arbitrary code using specially crafted RTF files by tricking the victim into opening a malicious RTF file sent via email.
6 arrested in fast-food credit card scheme in northern Colorado. Six New York residents were arrested and indicted June 15 for allegedly using fraudulent credit cards to purchase more than $10,000 worth of gift cards at McDonald’s Corp. restaurants and other fast-food chain restaurants in Wyoming and Colorado. Authorities confiscated over 1,000 gift cards, a credit card reader, and a machine used for printing credit cards during the group’s arrest.
Google adds SEO spam notifications to Google Analytics dashboard. Google reported that it will be enhancing its security notifications for compromised Web sites by integrating the Safe Browsing application programming interface (API) into the Google Analytics dashboard, which will help detect malware and warn Webmasters of search engine optimization (SEO) spam on their Web sites.
Android ransomware quadrupled in the past year. Kaspersky Lab released a study showing that Android ransomware infections nearly quadrupled year over year, increasing from 35,413 victims in 2015 to 136,532 victims in 2016. Security researchers attributed the attacks to four Android ransomware strains: Small, Fusob, Pletor, and Svpeng.