Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Be wary of any email you receive claiming to be from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it; the email could contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers. Click Here for Information.
ATM and Gas pump skimming information. Click Here for Article.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
TAILS team recommends workarounds for flaw in I2P. TAILS operating system developers claimed a vulnerability in the I2P anonymity network software affecting versions 1.1 and earlier can be mitigated with a couple of workarounds, though the vulnerability has yet to be patched.
Cloud botnets used for mining crypto-currency. Researchers from Bishop Fox created a botnet capable of mining several hundred dollars in Litecoin crypto-currency on a daily basis using free services of multiple cloud-computing businesses. Conducting distributed denial of service (DDoS) attacks was determined to be another possible use of the machines.
Sony to shell out $15M in PSN breach settlement. Sony released a statement July 24 claiming it reached an agreement to pay $15 million in a preliminary settlement associated with the April 2011 hacking of its PlayStation Network system, its on-demand service Qriocity, and gaming portal Sony Online Entertainment, exposing the personal data of roughly 77 million users.
More details of Onion/Critroni crypto ransomware emerge. Kaspersky Lab and other researchers found that the Critroni or CTB-Locker ransomware, also dubbed Onion, uses a number of features that separate it from other forms of malware, including that it is spread through Andromeda and uses a version of the asymmetric ECDH (Elliptic Curve Diffie-Hellman) algorithm.
Popular wireless home alarms can be hacked from afar. Two security researchers found that wireless home alarm systems are vulnerable to remote hijacking, which would allow access into the protected environment without tripping the alarm, due to the signals' lack of encryption or authentication. The tools used to hack into the systems are available for purchase, potentially allowing intruders to completely disable the alarm from 10 feet.
Six men charged in StubHub cyber-theft case. Six individuals were charged in the U.S. in connection with an alleged cybercrime ring that took over accounts on the online ticket marketplace StubHub, used victims' credit cards to purchase tickets to various entertainment events in New York City, sold the tickets, and then laundered the proceeds through PayPal accounts and bank accounts in the U.S., U.K., Canada, Germany, and Russia. The alleged fraud totaled around $1 million and affected over 1,000 user accounts.
50,000 sites backdoored through shoddy WordPress plugin. A researcher with Sucuri reported that around 50,000 Web sites were vulnerable to malware injection, defacement, and spam due to a vulnerability in the MailPoet plugin for WordPress. The vulnerability can affect Web sites that do not run MailPoet if the vulnerable plugin is present elsewhere on the same server.
Fake Googlebots used for layer 7 DDoS attacks. Incapsula issued a report that shows how malicious Web crawlers that mimic Googlebots to bypass security are being used for various malicious purposes. The majority of the fake crawlers were used for collecting marketing information while 23.5 percent were used for application layer distributed denial of service (DDoS) attacks.
DDoS attackers turn attention to SaaS and PaaS systems, Akamai reports. Akamai released its Q2 2014 Global DDoS Attack Report, which found a 22 percent increase in distributed denial of service (DDoS) attack activity in the second quarter of 2014. The report also found that around half of DDoS attacks targeted IT infrastructure, with vendors of cloud services such as Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) being common targets.
Metro News website compromised to serve malware. Researchers at Websense reported July 22 that the Web site of newspaper Metro.us was compromised and used to redirect visitors to a malicious Web site hosting the RIG exploit kit. The RIG exploit kit then attempts to exploit any present vulnerability in users’ software to install a piece of malware identified as Win32/Simda.
Android ransomware demands 12x more cash, targets English-speakers. Researchers at ESET identified a new version of the Simplocker ransomware for Android that displays a fake law enforcement ransom note in English and demands a higher ransom than previous versions that were written in Russian and demanded payment in Ukrainian hryvnias. The new version of the ransomware contains additional features such as the encryption of more types of files on victims’ devices and actions that make it more difficult to remove.
Mozilla fixes 11 vulnerabilities with release of Firefox 31. Mozilla released new versions of its Firefox Web browser and Thunderbird email client July 22, closing 11 vulnerabilities, including 3 rated as critical.
40% of orgs running VMware still susceptible to Heartbleed. Data collected and analyzed by CloudPhysics found that 57 percent of deployed VMware vCenter servers and 58 percent of ESXi hypervisor hosts remain vulnerable to the Heartbleed vulnerability in OpenSSL, affecting 40 percent of organizations in the CloudPhysics data set.
Internet Explorer vulnerabilities increase 100%. An analysis by Bromium Labs surveyed vulnerabilities in popular Web browsers and common software and found that vulnerabilities in Internet Explorer increased by more than 100 percent in the first quarter of 2014. Other findings included that ActionScript sprays were leveraged in zero-day attacks and that zero-day vulnerabilities in Java declined greatly in the first quarter of 2014 compared to 2013.
Attackers bypass 2FA systems used by banks in ‘Operation Emmental’. Researchers with Trend Micro released a report July 22 detailing a cybercrime campaign targeting banks in Europe and Japan dubbed “Operation Emmental” that uses computer and Android mobile device malware to steal users’ banking credentials and two-factor authentication (2FA) tokens. The malware used in the campaign can install fake Secure Sockets Layer (SSL) certificates, delete itself after use, and perform other actions to trick users.
Banks: Card breach at Goodwill Industries. Goodwill Industries stated that it is working with the U.S. Secret Service to investigate a possible breach of payment card data from some of its U.S. stores. The company stated that it became aware of a possible breach July 18 after they were contacted by a payment card industry fraud investigation unit and federal authorities.
Significant deficiencies found in Treasury’s computer security. Two reports by the Government Accountability Office released the week of July 14 found new computer security vulnerabilities at the U.S. Department of the Treasury’s Bureau of Fiscal Service and existing security issues at the Federal Deposit Insurance Corporation that remain unaddressed from 2012 which could compromise reporting efficiency or the security of data.
iOS backdoors expose personal data: Researcher. A security researcher presenting at a security conference reported that Apple’s iOS mobile operating system contains several undocumented services which could be used in some circumstances to access email, location data, media, and other personal data. Apple stated that the services are used for diagnostic purposes and can only be used to access data with user approval.
Fresh threat to critical infrastructure found in Havex malware. Researchers at FireEye analyzed a variant of the Havex malware (also known as Fertger or Peacepipe) and found that it contained an open-platform communication (OPC) scanner that could be used to target supervisory control and data acquisition (SCADA) systems used by several industries, including power plants and water utilities.
Secondhand Point-o-Sale terminal was horrific security midden. A researcher with HP found that a second-hand Aloha point-of-sale (PoS) terminal purchased from eBay still held a database of employee names, Social Security numbers, and addresses, as well as default passwords that could be used by an attacker if the previous owners did not change passwords in new equipment.
Unpatched OpenSSL holes found on Siemens ICSs. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stated July 17 that six Siemens industrial control products contained vulnerabilities in their OpenSSL implementation that could lead to man-in-the-middle (MitM) attacks or the crashing of Web servers. Four of the vulnerabilities remain unpatched and are present in industrial control products used by the manufacturing, chemical, energy, agriculture, and water industries and utilities.
Kelihos Trojan delivered through Askmen.com. Researchers with Malwarebytes reported that the online publication Askmen.com was compromised by attackers and used to redirect users to a malicious page serving the Nuclear Pack exploit kit for the purpose of infecting users with the Kelihos malware. The compromise was achieved by injecting malicious code into the Askmen.com server, and the site’s administrators were notified.
Fake Flash Player steals credit card information. Dr. Web researchers reported finding a new piece of Android malware dubbed BankBot that is disguised as Adobe Flash Player and persistently asks users for administrator privileges in order to display a fake credit card information form and steal any entered information. The malware is currently targeting users in Russia but can be repurposed to attack other targets.
Researchers analyze multipurpose malware targeting Linux/Unix Web servers. Virus Bulletin published an analysis of a recently discovered piece of malware that infects Linux and Unix Web servers known as Mayhem, which has infected around 1,400 servers. The malware relies on several plugins for various capabilities, including information stealing and brute-force attacks.
Neverquest banking Trojan expands list of targets. Researchers with Symantec found that the attackers operating the Neverquest banking Trojan, also known as Snifula, have focused their efforts on banks in the U.S. and Japan since December 2013. The Trojan is able to obtain banking login information from victims and can also steal digital certificates, among other capabilities.
New Android ransomware locks device completely. Researchers at Lookout identified a new piece of Android ransomware dubbed ScarePakage that infects devices by posing as a legitimate app on third-party Android markets and then locks the device and demands a ransom. The ransomware uses a Java TimerTask to kill other processes and a wake lock mechanism to prevent the phone from entering sleep mode.
DDoS attacks decrease in Q2 2014, compared to Q1. Arbor Networks reported that distributed denial of service (DDoS) attacks during the second quarter of 2014 decreased in terms of speeds and frequency compared to the previous quarter, with average DDoS attack size at 759.83 Mb/s, among other findings.
63% of businesses don’t encrypt credit cards. SecurityMetrics found in a study that 63.86 percent of businesses surveyed store unencrypted 16-digit payment cards on their systems, and 7 percent store magnetic stripe data, providing easy targets for fraud, among other findings.
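The SecurityMetrics finding above is about what a merchant keeps on disk, so here is an added example (not from the bulletin or from SecurityMetrics) of how a merchant system can avoid storing the 16-digit card number at all: the primary account number (PAN) is validated, reduced to a masked display form, and replaced by a keyed HMAC token for matching the same card across transactions. The key `TOKEN_KEY` and the card number in the test are constructed placeholders; track (magnetic-stripe) data is never stored in any form.

```python
"""Added example: store a masked PAN and a keyed token instead of the PAN.

The secret key below is a constructed placeholder; in production it comes
from a secrets manager or HSM and is never stored beside the card records.
"""
import hashlib
import hmac
import re

# Constructed placeholder key; real deployments load this from a key store.
TOKEN_KEY = b"replace-me-with-a-managed-32-byte-key"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return pan


def mask_pan(raw: str) -> str:
    """Display form: first six and last four digits, the rest replaced by '*'.

    This is the most that PCI DSS permits to be shown by default."""
    pan = normalize_pan(raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(raw: str, key: bytes = TOKEN_KEY) -> str:
    """Stable keyed token for the card.

    A plain hash would be reversible by brute force because the PAN space is
    small and structured; the HMAC key is what makes the token useless to
    someone who only obtains the database."""
    pan = normalize_pan(raw)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card_record(raw: str, key: bytes = TOKEN_KEY) -> dict:
    """What actually goes into the merchant database: no PAN, no track data."""
    pan = normalize_pan(raw)
    return {"masked": mask_pan(pan), "last4": pan[-4:], "token": pan_token(pan, key)}
```

The token is only useful for equality matching (repeat-customer detection, refunds to the same card); anything that needs the real PAN, such as a charge, should go to the payment processor by token rather than from local storage.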
Pushdo trojan outbreak: 11 THOUSAND systems infected in just 24 hours. Bitdefender researchers reported that a new campaign to spread the Pushdo botnet malware compromised over 11,000 systems within a 24-hour period, with the majority of infected users in Asia and some in the U.S., U.K., and France. The Pushdo botnet has previously been used in spam campaigns and to distribute malware such as Zeus and SpyEye.
Cisco patches critical issue in wireless residential gateway products. Cisco released patches for several Cisco Wireless Residential Gateway products, closing a vulnerability that could allow attackers to use malicious HTTP requests to crash the Web server and inject commands or execute code with elevated privileges.
SQL injection risk in vBulletin receives prompt patch. vBulletin released a patch for its forum software which closes a SQL injection vulnerability that was identified and disclosed by Romanian Security Team.
Critical vulnerabilities fixed in Drupal 7.29 and 6.32. The Drupal Security Team advised all users to update to version 7.29 or 6.32 in order to close vulnerabilities that could allow attackers to perform denial of service (DoS) attacks and cross-site scripting (XSS) attacks.
Five vulnerabilities fixed in Apache Web Server. The Apache Software Foundation released version 2.4.10-dev of its Apache Web Server, closing five vulnerabilities, including a buffer overflow vulnerability and several denial of service (DoS) vulnerabilities.
Oracle patches 113 vulnerabilities, including 20 in Java. Oracle released its Critical Patch Update for July, which includes patches for 113 security vulnerabilities in various Oracle products, including 20 vulnerabilities in Java SE. The 20 vulnerabilities in Java can all be remotely exploited without authentication, and users were advised to apply the updates as soon as possible.
vBulletin exploitable through SQL injection. Members of the Romanian Security Team group identified and reported an SQL injection vulnerability in vBulletin which could be used by attackers to gain access to a forum's administration panel and databases. The group reported the vulnerability to the developers of vBulletin and stated that they would disclose the full details of the issue once a fix is released.
OpenBSD downplays PRNG vulnerability in LibreSSL. A researcher with Opsmate reported finding a flaw in the pseudorandom number generator (PRNG) in LibreSSL for Linux. Representatives of the OpenBSD Project confirmed that the issue exists but stated that the now-fixed problem was unlikely to be exploitable in real world conditions.
Critical design flaw in Microsoft’s Active Directory could allow password change. Researchers with Aorato identified a flaw within Microsoft’s Active Directory which could allow attackers to change a victim’s password and use the new password to access a company’s network and enterprise functions. The vulnerability relies on the older NTLM authentication protocol to perform a “pass-the-hash” attack to gain access.
Amazon-based malware triples in 6 months. Solutionary released an analysis of Internet service providers (ISPs) and hosting providers hosting malware and found that Amazon was the top malware-hosting ISP, with a 250 percent increase during the second quarter of 2014, among other findings.
Google’s Dropcam monitoring device open for video hijacking. Researchers with Synack found that the Google Dropcam home monitoring cameras contain vulnerabilities which could allow the camera’s video and sound content to be intercepted by attackers. The vulnerabilities stem from an old version of OpenSSL that is vulnerable to the Heartbleed flaw and other issues, and from an old version of BusyBox that contains exploitable flaws.
CNET attacked by Russian hackers, user database stolen. CBS Interactive confirmed that media Web site CNET was compromised after attackers claiming affiliation with the Russian hacker group W0rm stated that they were able to obtain databases containing usernames, emails, and encrypted passwords for over 1 million users. The attackers stated that they used a flaw in the site’s implementation of the Symfony PHP framework and claimed that the attack was performed for security demonstration purposes and the information would not be sold.
Gameover ZeuS botnet pulls dripping stake from heart, staggers back from the UNDEAD. Sophos researchers reported that a new variant of the GameOver Zeus trojan is being used to re-establish a botnet 6 weeks after an international law enforcement effort disrupted the original botnet used for banking credential theft and the distribution of the CryptoLocker ransomware.
Citi to pay $7 billion in Justice settlement. Citigroup announced July 14 that it would pay $7 billion to settle U.S. Department of Justice charges that the financial institution knowingly sold risky mortgage-based securities prior to the 2008 financial crisis.
Kronos: New financial malware sold on Russian underground forum. Researchers with Trusteer reported July 11 that a new piece of banking malware known as Kronos has recently been advertised on a Russian underweb forum in a pre-release sale. The malware contains HTML injection and form-grabbing capabilities, allegedly works with modern and older Web browsers, and is compatible with the Zeus trojan.
International hacker pleads guilty to 2011 global cyberattack. A member of an international cybercrime organization pleaded guilty July 11 for working with co-conspirators to hack into the payment card processor for the American Red Cross in 2011 and stealing payment card data that was then used to make $14 million in fraudulent ATM withdrawals around the world.
Critical vulnerabilities in web-based password managers found. Researchers at the University of California identified and reported various vulnerabilities in five Web-based password managers that could allow attackers to obtain a user’s credentials. LastPass, My1Login, RoboForm, and PasswordBox reported that they closed the vulnerabilities after they were reported, while the researchers did not receive word on the issues from NeedMyPassword.
Cisco patches four-year-old Apache Struts 2 issue. Cisco patched a vulnerability in Apache Struts 2 that was reported in 2010 which could allow an attacker to use a malicious Object-Graph Navigation Language (OGNL) expression to compromise vulnerable systems.
Attackers use keyloggers, email to steal data in “NightHunter” attacks. Cyphort researchers reported identifying a cybercriminal operation known as “NightHunter” that has been active since 2009 and uses various pieces of malware and keyloggers to target organizations in the energy, education, health, insurance, and charity industries. The campaign distributes the malware through phishing emails that are usually sent to finance, human resources, and sales departments.
Source code for tiny ‘Tinba’ banking malware leaked. Researchers with CSIS Security Group reported that the source code for the Tinba, also known as Zusy, banking malware was posted openly on underweb forums, potentially allowing a greater number of attackers to utilize the malware. The malware is capable of interfering in online banking sessions to steal user credentials and has an unusually small code base.
Shylock malware infrastructure targeted by international authorities. Law enforcement agencies in the U.S., E.U. and Turkey along with several security firms conducted a coordinated operation July 8-9 to seize domains and command and control servers used by the Shylock banking malware. The malware, also known as Caphaw, has infected at least 30,000 computers and been in use since 2011.
Kaspersky Lab details 'versatile' DDoS trojan for Linux systems. Researchers with Kaspersky Lab reported identifying a Linux distributed denial of service (DDoS) trojan with several modules that add various capabilities. Components of the trojan were identified as Backdoor.Linux.Ganiw.a and Backdoor.Linux.Mayday.f.
Gmail for iOS poses man-in-the-middle attack risk. Lacoon researchers found the Gmail app for iOS can leave users vulnerable to man-in-the-middle (MitM) attacks due to the app lacking the certificate pinning feature. This could allow attackers to use a rogue certificate to impersonate the Gmail server and route traffic through their systems.
Kaspersky quickly addresses XSS flaw impacting company website. Kaspersky Lab closed a cross-site scripting (XSS) vulnerability on one of its Web sites after being notified of the issue by a security researcher, the company reported July 10. There was no indication that the flaw was exploited by attackers.
CryptoLocker infrastructure used for other threats: Bitdefender. Researchers with Bitdefender found that the infrastructure for the CryptoLocker ransomware remains active even though a takedown operation in June disrupted the ransomware operation. The infrastructure is currently being used for various fraudulent and malicious purposes including fake antivirus scams and the distribution of the Citadel banking trojan.
Exploit kit dropped through Akamai content delivery network. Malwarebytes researchers found and reported that attackers are abusing the Akamai Technologies Akamaihd.net content delivery network (CDN) to trick users with fake software update notifications to bundle pay-per-install programs and use a malicious iframe to redirect users to an exploit kit. The exploit kit used appears to be the Nuclear Pack exploit kit that targets vulnerabilities in Java, Flash, Internet Explorer, and Adobe Reader.
Crusty API opened Facebook accounts to hijacking. A security researcher revealed that a legacy API in Facebook allowed attackers to make REST API calls on behalf of Facebook users if their user ID was known, allowing attackers to update statuses, like content, and upload or delete photos. The flaw was reported to Facebook in April and fixed by Facebook, earning the researcher $20,000 through Facebook’s bug bounty program.
Nearly 70% of critical infrastructure providers suffered a breach. Unisys released the results of a survey of 599 security executives in the manufacturing, utility, and energy sectors and found that almost 70 percent of respondents reported at least one security breach that led to a disruption in operations or disclosure of confidential information within the last 12 months. The report also found that data breaches were most often attributed to negligent insiders, among other findings.
Buffer overflow vulnerabilities in Yokogawa ICS gear patched. Yokogawa Electric Corporation released patches for its CENTUM and Exaopac industrial control system (ICS) software the week of July 7, closing vulnerabilities that could allow an attacker to remotely execute code.
Feds charge carding kingpin in retail hacks. The U.S. Department of Justice announced July 7 that the U.S. Secret Service arrested a Russian national for allegedly working with others to steal and sell payment card details from stores and restaurants throughout the U.S. between 2009 and 2011. The man and his accomplices allegedly planted malware on merchants’ point-of-sale (POS) devices in order to obtain the payment card information and then sold it through underweb forums.
Rosetta Flash attack mitigated by the new Adobe Flash Player 188.8.131.52. Adobe released an update for its Flash Player that closes a vulnerability identified by a Google researcher that could allow an attacker to abuse JSONP endpoints and cause victims to run arbitrary requests and leak sensitive data.
Vulnerability in AVG security toolbar puts IE users at risk. Researchers with the CERT Coordination Center (CERT/CC) found that the AVG Secure Search browser toolbar could allow attackers to execute malicious code due to an ActiveX control that exposes sensitive functionality to Web sites. The vulnerability affects AVG Secure Search versions 18.1.6 and earlier.
NETGEAR switches exposed to attacks from hardcoded credentials. An advisory from the CERT Coordination Center (CERT/CC) warned users of Netgear GS108PE ProSafe Plus Switches that attackers can log into the switches and execute arbitrary code by using a hardcoded login and password.
Massachusetts man charged in Twitter hack. A Massachusetts man was charged July 2 for allegedly hacking into helpdesk services company Zendesk, disabling a security feature that restricted access to customer information, and exporting Twitter support tickets. The information was then allegedly used to compromise and deface Twitter’s and Zendesk’s Twitter feeds.
App permissions? Pah! Rogue Android soft can ‘place phone calls at will’. Researchers with Curesec identified vulnerabilities in the Android mobile operating system that could allow malicious apps to place phone calls and send Unstructured Supplementary Service Data (USSD) codes. One vulnerability affects Android versions 4.1.1 and up, while the second affects older Android 2.3.3 and 2.3.6 versions.
Researchers find vulnerability in internal PayPal portal. Vulnerability Lab researchers disclosed and published a proof-of-concept for a vulnerability in an “Ethernet portal” used by PayPal employees that could have been used by attackers to gain access to personal and financial information of customers or to hijack accounts. The vulnerability was reported in February 2013, fixed around December 2013, and cleared for publication July 4.
Attack on Dailymotion redirected visitors to exploits. Symantec researchers reported that beginning June 28 attackers injected malicious code into video-sharing Web site Dailymotion.com which redirected visitors to a malicious Web site hosting the Sweet Orange Exploit Kit. Computers compromised by the exploit kit were then infected with the Trojan.Adclicker artificial traffic generator malware.
4th of July malware campaign targets travel websites. Researchers with Proofpoint identified several travel Web sites being compromised and altered to serve an unknown exploit kit to visitors. The attacks were timed to take advantage of the 4th of July holiday and feature an exploit kit that was detected by only four antivirus engines on VirusTotal.
Security vulnerabilities fixed with release of Python 2.7.8. The Python Software Foundation released Python 2.7.8 July 1, closing three security vulnerabilities.
‘CosmicDuke’ malware emerges as update to MiniDuke espionage trojan. Researchers with F-Secure and Kaspersky Lab identified a new version of the MiniDuke information-stealing malware dubbed CosmicDuke that shares code with the Cosmu malware. The researchers stated that the group behind the CosmicDuke malware appears to be the same group that used the MiniDuke malware to steal information from European governments in 2013.
Your Android phone is a SNITCH: Wi-Fi bug makes you easy to track. Researchers with the Electronic Frontier Foundation found that Android devices running Android 3.1 and later may disclose the 15 most recent WiFi networks a user connected to, potentially compromising privacy by allowing attackers to discern a user’s movements or identity. The issue is present on some Android devices but not others, and is also present on all OS X laptops and some Windows 7 laptops.
You CAN’T bust into our login app’s password vault, insists Roboform. RoboForm announced that it adjusted security for the mobile version of its password manager after a security researcher reported that the security of the RoboForm mobile app for Android and iOS can be bypassed by deleting a line in the app’s preferences file. The researcher also claimed that the way the private key is shared with parent company Siber System’s servers could also compromise security.
Bitcoin phishing ads present in Bing search engine. Netcraft researchers found two links to phishing sites targeting Bitcoin users in Bing search result ads. One malicious ad linked to a phishing page, while the other was non-functional due to the attackers using an incorrect top-level domain in the address.
New Android malware targets banking apps, phone information: FireEye. FireEye researchers identified a piece of Android malware known as HijackRAT that disguises itself as a ‘Google Service Framework’ and is capable of disabling antivirus applications, stealing banking credentials and personal information, and remotely accessing infected devices. The malware is currently targeting banks in Korea but can be easily modified to target others.
Enhanced KIVARS malware now attacks 64-bit systems. Researchers with Trend Micro analyzed a new version of the KIVARS malware that is capable of targeting systems running 64-bit operating systems. The malware is distributed using the TROJ_FAKEWORD.A dropper and is capable of several data-stealing and remote actions.
Oh SNAP! Old-school ’80s Unix hack to smack OSX, iOS, Red Hat? Researchers with DefenseCode released a white paper outlining how Unix-based systems could be vulnerable to hijacking via a class of vulnerabilities involving ‘wildcard’ characters in filenames. The vulnerability could allow attackers to inject arbitrary arguments to shell commands run by other users.
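The wildcard class of bugs described above comes down to one thing: a filename that begins with "-" is indistinguishable from an option once it lands in a command's argument list. The following added example (not from the DefenseCode paper) reproduces that confusion with a harmless command, `cat`, and shows the two defensive forms that any script building argv from directory listings should use. The directory, the file named "-n", and the helper names are all constructed for this example.

```python
"""Added example: option-shaped filenames and the hardened argv forms.

A temporary directory is built with one ordinary file and one file literally
named "-n" (constructed here).  Passing bare names to cat, as `cat *` would,
lets "-n" act as the line-numbering option; ending options with "--" or
prefixing every name with "./" makes the same name plain data.
"""
import os
import subprocess
import tempfile


def make_fixture() -> str:
    """Create a temp directory containing data.txt and a file named '-n'."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "data.txt"), "w") as f:
        f.write("alpha\n")
    open(os.path.join(d, "-n"), "w").close()   # constructed option-shaped name
    return d


def _run_cat(argv, cwd: str) -> str:
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True).stdout


def naive_cat_all(d: str) -> str:
    """Unsafe: sorted(os.listdir()) mirrors what a shell's `cat *` expands to."""
    return _run_cat(["cat"] + sorted(os.listdir(d)), d)


def hardened_cat_all(d: str) -> str:
    """Safe: '--' ends option parsing, so '-n' is opened as a file."""
    return _run_cat(["cat", "--"] + sorted(os.listdir(d)), d)


def hardened_cat_all_dotslash(d: str) -> str:
    """Safe for tools without '--' support: no argument ever starts with '-'."""
    return _run_cat(["cat"] + ["./" + n for n in sorted(os.listdir(d))], d)


def demo() -> dict:
    """Run all three forms against the same fixture and return their outputs."""
    d = make_fixture()
    return {
        "naive": naive_cat_all(d),
        "hardened": hardened_cat_all(d),
        "dotslash": hardened_cat_all_dotslash(d),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:>9}: {out!r}")
```

With `cat` the worst case is numbered output; the same argv shape handed to a tool whose options perform actions (archivers, sync tools, anything with an "execute" flag) is what the paper is about. In shell scripts the equivalent hardening is `cmd -- *` or `cmd ./*`, and `find ... -exec cmd {} +` already passes paths safely.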
Ruby on Rails receives security fixes. Updates for the Ruby on Rails Web application framework were released that include fixes for two vulnerabilities that affected PostgreSQL.
Running Cisco’s VoIP manager? Four words you don’t want to hear: ‘Backdoor SSH root key’. Cisco warned users of its Unified Communications installations that a vulnerability exists in its Unified Communications Domain Manager (Unified CDM) software that can allow an unauthenticated attacker to gain root access by exploiting a default SSH key designed for use by Cisco support representatives. The vulnerability is present in all versions of Cisco Unified CDM prior to version 4.4.2 and users were advised to update the software, or to filter SSH access as a stopgap measure.
HSBC settles U.S. fraud charges over foreclosure fees. HSBC agreed July 1 to pay $10 million to settle charges that the bank overcharged the Federal Housing Administration and Fannie Mae for foreclosure-related fees on federally-backed home loans between 2009 and 2010.
Critical flaw in WordPress newsletter plug-in endangers many blogs. Researchers with Sucuri identified a vulnerability in the MailPoet (formerly wysija-newsletters) plugin for WordPress that could allow attackers to take control of sites using the plugin. The vulnerability was patched July 1 in an update for MailPoet and all users were advised to upgrade as soon as possible.
MONSTER COOKIES can nom nom nom ALL THE BLOGS. A security researcher identified and reported a method that could be used to prevent users from accessing Web sites by setting cookies with header values so large that they trigger Web server errors. The researcher demonstrated the attack against the Google Blog Spot network and showed that users given the altered cookies were not able to see any blogs on the service.
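The denial of service above works because the server answers an oversized Cookie header with an error and the browser keeps re-sending the same cookies. The following added example (not part of the bulletin or of any Google code) shows a small application-side check that a reverse proxy or front controller can apply: requests under a byte budget pass through, and oversized ones get a 400 whose Set-Cookie headers expire every cookie the client sent, so the client can recover on its next request. The 4096-byte limit and the cookie names in the test are assumptions for this example.

```python
"""Added example: self-healing response to an oversized Cookie header.

MAX_COOKIE_HEADER is an assumed application budget below the typical
web-server header limit, so this code answers before the server itself
rejects the request.
"""

MAX_COOKIE_HEADER = 4096  # assumed budget in bytes


def cookie_names(cookie_header: str) -> list:
    """Return the cookie names present in a Cookie header, in order."""
    names = []
    for part in cookie_header.split(";"):
        name, _, _ = part.strip().partition("=")
        if name and name not in names:
            names.append(name)
    return names


def oversized_cookie_names(cookie_header: str, limit: int = MAX_COOKIE_HEADER) -> list:
    """Names of all cookies if the header exceeds the budget, else an empty list."""
    if len(cookie_header.encode("utf-8")) <= limit:
        return []
    return cookie_names(cookie_header)


def recovery_response(cookie_header: str, limit: int = MAX_COOKIE_HEADER):
    """Return (status, headers, body).

    status is None when the request should be handled normally.  For an
    oversized header it is 400, with one expiring Set-Cookie per cookie name
    so the browser drops the poisoned values instead of resending them."""
    names = oversized_cookie_names(cookie_header, limit)
    if not names:
        return None, [], b""
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    for name in names:
        # Path (and Domain, if the site uses it) must match the original
        # cookie's attributes or the browser will not remove it.
        headers.append(("Set-Cookie", f"{name}=; Max-Age=0; Path=/; HttpOnly"))
    body = b"Request cookies too large; they have been cleared, please retry.\n"
    return 400, headers, body
```

This only clears cookies the server can name and scope correctly; cookies set for a different Path or Domain survive, which is why the same check belongs at the edge that sees every hostname the site serves.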
MS No-IP takedown hits 25% of APT attackers. Kaspersky stated that the takedown by Microsoft of several domains belonging to the No-IP Internet service also disrupted in some form the operations of around 25 percent of the advanced persistent threat (APT) groups the company is tracking. Microsoft also stated that service was restored to legitimate customers July 1; however, No-IP stated that domains were still experiencing outages July 2.
Redmond’s EMET defense tool disabled by exploit torpedo. Researchers with Offensive Security demonstrated how an exploit code can be uploaded which disables and bypasses version 4.1 of Microsoft’s Enhanced Mitigation Toolkit (EMET) security tool.
Number and diversity of phishing targets continues to increase. The Anti-Phishing Working Group (APWG) released a report on phishing during the first quarter of 2014 and found that the number of phishing sites increased by 10.7 percent over the previous quarter, among other findings.
Geodo infostealer gets help from worm. A security researcher identified a new version of the Cridex information-stealing malware known as Geodo that works in conjunction with a worm to spread. The researcher found that the malware is completely new code but uses the same botnet, command and control infrastructure, and distribution mechanisms as the previous Feodo version of Cridex.
Microsoft boosts anti-snooping protection in Outlook.com, OneDrive. Microsoft announced that it added encryption protection to its Outlook.com webmail service and OneDrive cloud storage service in order to better protect users’ privacy.
Facebook SDK flaw allows unauthorized access to Facebook accounts. MetaIntell researchers identified a vulnerability in the Facebook SDK for Android and iOS that could allow an attacker to compromise users’ Facebook accounts due to insecure storage of the Facebook Access Token. The vulnerability is present in 31 of the top 100 Android apps and 71 of the top 100 iOS apps.
Microsoft disrupts malware networks and APT operations. Microsoft’s Digital Crimes Unit seized 22 free domain names operated by No-IP.com due to the domain names allegedly being used by the NJrat and NJw0rm families of malware. No-IP stated that the Microsoft takeover and rerouting of traffic through sinkholes has also disrupted legitimate customers’ service.
Apple patches iOS, OS X and Safari on mega Monday. Apple released updates June 30 for its iOS mobile operating system, OS X operating system, and Safari Web browser, closing 44 vulnerabilities in iOS, 19 in OS X, and 12 in Safari.
A lighter ZeuS is discovered. Researchers with Fortinet identified a new variant of the Zeus trojan named Zeus Lite that has fewer functions than previous versions but contains improved encryption and the ability to control infected systems.
“Emotet” banking malware steals data via network sniffing. Researchers at Trend Micro identified a new piece of banking malware dubbed Emotet that attempts to steal banking credentials by logging outgoing traffic and comparing it against a list of targeted financial institutions. The malware is distributed via spam emails containing a link to a malicious Web site, and currently is primarily targeting financial institutions in Germany.
London teen charged over Spamhaus mega-DDoS attacks. Authorities in the U.K. charged a teenager for his alleged involvement in several major distributed denial of service (DDoS) attacks against anti-spam service Spamhaus during 2013. The attacks also led to worldwide disruptions in Internet exchanges and services.
PHP fixes OpenSSL flaws in new releases. The PHP Group released new versions of PHP, closing two vulnerabilities in its OpenSSL extension that are related to timestamp handling.
Google Drive update fixes data-leaking flaw. Google closed a security issue in its Google Drive service that previously allowed some files shared with a direct link to be accessed by unauthorized third parties. Some files could still be seen by unauthorized parties, and Google advised users with files that met certain criteria to remove them.
Pony Loader 2.0 malware source code for sale. Researchers with Damballa stated that the source code for version 2.0 of the Pony Loader information-stealing trojan has been seen for sale in underweb markets. The trojan was offered for sale starting in May and allows attackers to steal information such as passwords as well as virtual currency such as Bitcoin and others.
Android SMS worm punts dodgy downloads…from your MATES. AdaptiveMobile researchers reported finding a piece of Android malware known as Selfmite that spreads like a worm by sending out SMS messages to infected users’ contacts that contain a link that attempts to get users to install the Mobogenie app in a likely pay-per-install scheme. The malware was first observed on mobile networks in the U.S. and has since spread to several other countries.
RIG Exploit Kit used in Flash-based malvertising campaign. Researchers with Malwarebytes stated June 26 that they have detected a malvertising campaign that attempts to lure users to a malicious Web site containing the RIG Exploit Kit, which then attempts to use Adobe Flash and Microsoft Silverlight vulnerabilities to spread a trojan identified as Trojan.Agent.ED.
LZO algorithm patched after 20 years. The CEO of Lab Mouse Security revealed that an integer overflow bug in the Lempel-Ziv-Oberhumer (LZO) compression and decompression algorithm has been present for as long as 20 years, leaving software using the algorithm vulnerable to remote code execution and denial of service attacks. The algorithm has been integrated into a variety of software, including the Linux kernel, some Android phones, medical equipment, and others, though the variety of applications means that attackers would need to build custom malicious payloads in order to exploit the issue.
Yet another WordPress vuln: Image furtler plugin lets BADNESS in. Security researchers warned users of the TimThumb plugin for WordPress that a vulnerability exists in the plugin that could allow attackers to inject code or create, remove, and modify files. The vulnerability exists in the plugin’s Webshot option, which is turned off by default.
VMware implements Apache Struts security fixes in vCOps. VMware released an update for its vCenter Operations Management Suite (vCOps) that closes several vulnerabilities affecting the Apache Struts Java application framework.
Data breaches in 2013 exposed 14% of all debit cards. PULSE released the results of a study which found that 14 percent of debit cards from institutions in the study were affected by data breaches in 2013, and that consumers are continuing to shift to electronic payments, among other findings.
U.S. brokerage must pay athletes $13.7 mln for Ponzi fraud - FINRA. The Financial Industry Regulatory Authority (FINRA) stated June 25 that it ordered Success Trade Securities and its CEO to be ejected from the securities industry and repay $13.7 million in restitution to investors that were defrauded in an alleged Ponzi scheme. FINRA found that the CEO and company sold investors $19.4 million in promissory notes by misrepresenting or omitting information in order to hide the company’s dire financial condition.
Hackers found controlling malware and botnets from the cloud. Researchers at Trend Micro released a blog post detailing the company’s findings regarding botnets and malware being hosted and controlled through cloud servers. The researchers reported that they observed a malicious command and control server hosted on Dropbox in order to disguise its traffic as legitimate corporate traffic, among other findings.
22 vulnerabilities found in Oracle Database Java VM implementation. Security Explorations researchers reported finding 22 vulnerabilities affecting the Java Virtual Machine implementation used in Oracle Database which can be leveraged by an attacker to escalate privileges and execute arbitrary Java code on vulnerable Oracle Database servers. Six of the vulnerabilities have been fixed in the main codeline and are scheduled for a future Critical Patch Update.
PayPal two-factor authentication broken. PayPal disabled its two-factor authentication option for mobile users after Duo Security researchers confirmed an independent researcher’s findings showing that it was possible to bypass the feature. The vulnerability exists in a PayPal API and affects mobile users but not PayPal’s Web application.
GameOver trojan is still in the game. Researchers with Arbor Networks reported that a Citadel campaign that evaded takedown attempts has been retrofitted with the GameOver trojan in order to continue its bank fraud operations as well as to distribute the CryptoLocker ransomware.
Cybercriminals lift over $680,000/500,000 EUR in one week. Researchers with Kaspersky reported finding a command and control (C&C) server for a man-in-the-browser (MitB) campaign that targeted an undisclosed large European bank and stole around $680,000 within 1 week from customers’ accounts. The C&C server was identified in January but the cybercriminals running it took it offline after 2 days, which prevented further analysis.
Researchers expect large wave of rootkits targeting 64-bit systems. McAfee released a report June 24 that found that the number of new rootkit samples in the first quarter of 2014 increased to the highest levels seen since 2011, with more rootkits designed for 64-bit operating systems expected in the future.
AskMen compromised to distribute financial malware, report says. Researchers at Websense reported June 23 that the AskMen online magazine was compromised and used to redirect visitors to a malicious Web site hosting exploits for Java and Adobe Reader.
Microsoft says it’s resolved Outlook outage for business users across the country. Microsoft reported that it experienced an outage June 24 affecting its Exchange Online service, with users reporting being unable to access the email service for several hours. The issue was resolved later that evening.
New Havex malware variants target industrial control system and SCADA users. Researchers with F-Secure reported June 23 that attackers have been distributing new versions of the Havex remote access trojan (RAT) by compromising industrial control system (ICS) manufacturers’ Web sites and adding the RAT to legitimate software downloads. The researchers did not name the manufacturers but stated that they are based in Belgium, Germany, and Switzerland.
Researchers go inside HackingTeam mobile malware, command infrastructure. Researchers from Kaspersky Lab and the University of Toronto reported findings of research into the Remote Control System (RCS) or Galileo malware created and sold by the HackingTeam company to various governments and law enforcement agencies, including the malware’s command and control (C&C) infrastructure and mobile malware components for Android and iOS devices. The researchers also found that the majority of the C&C servers were hosted in the U.S., U.K., Canada, Ecuador, and Kazakhstan.
Comcast Xfinity evil twin steals subscriptions. A researcher at LogRhythm Labs demonstrated how an attacker could compromise Comcast Xfinity accounts by creating a malicious hotspot that mimics Comcast customer-run hotspots, and that Comcast customer devices would automatically connect to. The malicious hotspot then presents a legitimate-looking login page that collects a customer’s login and password.
188 websites shut down for selling counterfeit products. Law enforcement agencies from the U.S. and Europe shut down a large number of domains created to sell counterfeit merchandise due to the risk they represented to customers’ financial information as well as for engaging in the sale of counterfeit items.
300,000 servers still vulnerable to Heartbleed bug. The CEO of Errata Security reported that a scan of port 443 June 22 showed 309,197 servers that are still vulnerable to the Heartbleed vulnerability in OpenSSL due to not being patched over 2 months after the vulnerability was revealed.
Ad network compromise led to rogue page redirects on Reuters site. Hacktivists associated with the Syrian Electronic Army redirected users who accessed certain stories on the Reuters Web sites to a Web page controlled by the group for about 1 hour June 22 by compromising an ad feed run by Taboola. Taboola stated that the attackers were able to compromise one of its widgets used on the Reuters site.
Online daters targeted by massive phishing campaign. Researchers at Netcraft identified a large phishing campaign targeting users of several online dating Web sites. The campaign is likely intended to take over users’ profiles for use in fraud schemes.
Com Spammers behind Pinterest spam attack. A cybercriminal group known as the Com Spammers was believed to be behind a recent spam attack on Pinterest that attempts to lure users to fake diet pill Web sites. The attacks are similar to recent spam attacks on compromised Tumblr blogs.
2012 RCE bug is still highly exploited in targeted attacks, Trend Micro finds. Trend Micro found that a remote code execution vulnerability disclosed in April 2012 affecting Windows common controls was still the most commonly exploited vulnerability in the second half of 2013. The vulnerability was patched over 2 years ago and affects a variety of products, including Microsoft Office.
OpenSSL vulnerability addressed in Android 4.4.4 updates. Google released an update for Android KitKat, version 4.4.4, which closes the significant OpenSSL ChangeCipherSpec (CCS) injection vulnerability in the crypto library. The update will be deployed to Nexus devices automatically, though factory images were also made available for manual updating.
Critical flaw exposes admin passwords of nearly 32,000 servers. A researcher with CARI.net’s Security Incident Response Team discovered that 31,964 servers with Supermicro baseboard management controllers (BMCs) will disclose their password files in plain text to anyone who connects to port 49152. The issue was fixed in a patch, but the patch requires administrators to reflash their systems with a new IPMI BIOS, which is not always possible.
“Yo” messaging app gets hacked multiple times. A Georgia Tech student reported finding a method to bypass the security functions of the Yo messaging app, allowing access to the phone numbers of Yo users and allowing the student to spam users with messages.
Malicious Google Play clone steals banking credentials. Google and FireEye worked to take down email addresses associated with a piece of banking malware that imitates the Google Play icon on Android devices and steals users’ banking and personal information. The malware was spotted by only 3 of 51 security programs and appears to currently be targeting Korean-speaking users.
Scan of Google Play apps reveals thousands of secret keys. Researchers with Columbia University used an automated tool called PlayDrone to scan, download, and decompile over 880,000 apps from the Google Play app store and found that many app developers leave secret authentication keys embedded in the apps, potentially allowing attackers to steal user data or server resources, among other findings.
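The PlayDrone finding is easy to reproduce at small scale on your own builds: pull the string constants out of a decompiled or unpacked app and scan them for credentials. The following is an added example, not PlayDrone's code or Columbia's. It combines two kinds of rule, a fixed-format match for credentials with a known shape (the AWS access key id prefix) and an entropy check on string literals assigned to credential-looking names. The sample lines are constructed (the access key id is the one AWS uses in its own documentation; the rest is made up), and the 3.5 bits-per-character entropy threshold and the name pattern are assumptions to tune for your code base.

```python
import math
import re

# Constructed sample of string constants as they might appear in decompiled
# source. The access key id is AWS's documentation example; the other values
# are made up. None belongs to a real account.
SAMPLE_STRINGS = [
    'public static final String BASE_URL = "https://api.example.com/v1/";',
    'String awsKey = "AKIAIOSFODNN7EXAMPLE";',
    'String awsSecret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
    'Log.d(TAG, "user tapped share button");',
    'private static final String TWITTER_CONSUMER_SECRET = "abc";',
]

# Rule 1: a credential with a fixed format that can be matched outright.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Rule 2: a string literal of 16+ chars assigned to a credential-looking name.
CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?i)\b\w*(secret|token|key|passw)\w*\s*=\s*"([^"]{16,})"'
)
MIN_ENTROPY_BITS = 3.5  # assumed per-character Shannon entropy threshold


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines):
    """Return [{line, rule, value}] for every suspected embedded secret.
    Values already reported by a fixed-format rule are not reported twice."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            seen.add(m.group(0))
            findings.append({"line": line_no, "rule": "aws_access_key_id",
                             "value": m.group(0)})
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value in seen:
                continue
            # Short or low-entropy values (placeholders, URLs, words) are skipped.
            if shannon_entropy(value) >= MIN_ENTROPY_BITS:
                findings.append({"line": line_no, "rule": "high_entropy_credential",
                                 "value": value})
    return findings


def scan_sample():
    return scan_strings(SAMPLE_STRINGS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f'line {f["line"]}: {f["rule"]}: {f["value"]}')
```

On real output (for example the strings from a decompiled classes.dex or an unpacked IPA) expect false positives from the entropy rule, such as base64-encoded images or hashes in test fixtures; the fixed-format rules are the ones worth failing a build on.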
Code hosting Code Spaces destroyed by extortion hack attack. Cloud code hosting service Code Spaces announced that it was forced to shut down its business after attackers deleted most of its stored code and backups after a ransom that accompanied a distributed denial of service (DDoS) attack was not paid.
Simplocker changes attack vectors. Researchers from ESET and Kaspersky found that several variants of the Simplocker ransomware were developed and that some attackers are using a trojan downloader known as Android/TrojanDownloader.FakeApp to attempt to infect victims. The ransomware is currently most prevalent in Ukraine and Russia and demands ransoms in those countries’ currencies.
Bitcoin miner lurking on Facebook. Bitdefender researchers spotted a new Bitcoin mining malware campaign that utilizes Facebook messages to send users a malicious file that downloads .DLL files which embed a Bitcoin mining program on victims’ systems. The delivered payload can be changed by attackers as well, potentially allowing other forms of malware to be added to infected systems.
Ancestry services crippled by DDoS attack. Servers belonging to Ancestry.com and several of its services were affected by a distributed denial of service (DDoS) attack that began June 16 and continued to cause issues for users June 19. Users reported that the site was only accessible intermittently and the site recommended that users switch to offline mode until the issue is resolved.
Tornadoes flatten tiny rural Nebraska town; 2 dead. Two tornadoes touched down June 16 in Pilger, Nebraska, damaging or destroying between 50 and 75 percent of the town, including grain bins, a co-op, a school, and several buildings and homes, and prompting an evacuation of the town’s 350 residents and closure of all roadways in the area. Two individuals were killed and 19 others were injured by the storm system.
Evernote’s forum server has been hacked. Evernote advised certain users to change their passwords for the company’s forum after attackers were able to access the forum server, potentially exposing hashed passwords as well as email addresses and birthdays if users provided them. Those affected are users with forum accounts created in 2011 or earlier.
Technology sites “riskier” than illegal sites in 2013, according to Symantec data. Symantec researchers released a post based on Norton Web Safe user data that found that technology Web sites were the riskiest category of site to visit in 2013 based on the amount of malware and fake antivirus attempts utilizing that category of sites to attempt to infect users.
Internet Explorer script engine susceptible to attacks. A researcher with Fortinet reported that the script engine in Microsoft Internet Explorer is potentially vulnerable to attacks via changing a security flag in JScript or VBScript. Such attacks would require elevated privileges on the target machine.
Dyreza banker trojan seen bypassing SSL. Researchers identified a new banking trojan known as Dyre or Dyreza that uses browser hooking to intercept traffic moving between victims' systems and their intended Web site, allowing attackers to bypass SSL protections and redirect traffic through the attackers' servers. Researchers at CSIS Group found that the trojan is spread through spam messages and then contacts command and control servers, some of which are located in Latvia.
FINRA fines Merrill Lynch $8 million; over $89 million repaid to retirement accounts and charities overcharged for mutual funds. The Financial Industry Regulatory Authority (FINRA) stated June 16 that it fined Merrill Lynch $8 million for the company's failure to waive mutual fund sales charges for some retirement accounts and charities, and ordered the company to pay $24.4 million in restitution. Merrill Lynch previously repaid another $64.8 million to investors who were overcharged.
P.F. Chang's confirms credit card breach. P.F. Chang's Chinese Bistro stated June 14 that it had confirmed that it was the victim of a customer payment card data breach affecting an unknown number of customers. The company stated that it has temporarily switched to manual payment card imprinting to process transactions while the breach continues to be investigated.
NAS boxes "pwned" by cryptocurrency miner. Researchers with Dell SecureWorks released a report which showed how an attacker was able to utilize vulnerabilities in the DiskStation Manager (DSM) operating system used in Synology network attached storage (NAS) devices to plant the CPUMiner cryptocurrency mining malware. The attacker used the malware to mine over $600,000 in the Dogecoin cryptocurrency, though the vulnerabilities were later patched by Synology.
ISC patches critical DoS vulnerability in BIND. The Internet Systems Consortium (ISC) reported June 11 that a vulnerability exists in some BIND domain name system (DNS) servers that could allow attackers to perform denial of service (DoS) attacks by sending a specially designed query. The ISC advised users to update to the newest version of BIND, which is not vulnerable.
Hacker claims PayPal loophole generates FREE MONEY. A man turned white hat reported a loophole in PayPal’s system that can be exploited to earn free money by funneling cash into a mule account before filing for a transaction refund. The company stated that the vulnerability is an issue with its protection policy and did not give additional information about its ability to prevent one-off instances of the scam.
Entirely new trojan quietly wheeled into black hat forums. A researcher from RSA reportedly discovered a new trojan, Pandemiya, which contains about 25,000 lines of fresh code and has the ability to steal data from forms, take screenshots to send back to the botmasters who deploy it, and create fake web pages. Pandemiya can be removed by editing the registry and running a few command-line actions.
Cisco fixes XSS vulnerability in AsyncOS management interface. Cisco advised customers to update their AsyncOS installations in order to address a cross-site scripting (XSS) vulnerability impacting the Web management interface of the operating system. The flaw affects Cisco Email Security Appliance (ESA) 8.0 and earlier, Cisco Web Security Appliance (WSA) 8.0 and earlier, as well as Content Security Management Appliance (SMA) 8.3 and earlier.
Cybercriminals targeting cloud-based PoS systems via browser attacks. IntelCrawler researchers identified a form of malware, dubbed POSCLOUD, that targets vulnerabilities in major Web browsers to compromise cloud-based PoS software typically used by grocery stores, retailers, and other small businesses. The malware relies on keylogging and screenshots to steal personal information and financial data.
Food chain, PF Chang’s, investigates possible card breach. Restaurant chain P.F. Chang’s reported that it is investigating a potential data breach after a large batch of stolen payment card information data was spotted by Hold Security researchers on the Rescator underweb marketplace and appeared to originate from the chain.
Ex-Rabobank trader pleads guilty to Libor scheme, U.S. says. A former Rabobank Group trader pleaded guilty in U.S. court June 10 to charges of wire fraud and bank fraud for conspiring to manipulate the London interbank offered rate (LIBOR) used to determine benchmark interest rates. Rabobank previously agreed to a $325 million settlement with the U.S. to resolve charges that the bank was involved in LIBOR manipulation.
New Zeus variant targeting online banking users in Canada. Security researchers at Trusteer identified a new variant of the Zeus banking trojan known as Zeus.Maple that has been in use since January 2014 and is primarily targeting major Canadian financial institutions. The variant improves on features from past versions but does not add new functionality.
Feedly DDoSed by ransom-threat crims: ‘We refused to give in.’ News aggregator service Feedly was knocked offline June 11 by a distributed denial of service (DDoS) attack after the company refused to pay attackers a ransom to stop the attack. Other entities were targeted by the same group, with Evernote reporting being knocked offline for a time by another DDoS attack.
Microsoft patches IE8 zero day, critical Word bug. Microsoft released its June round of Patch Tuesday updates, with a total of seven updates. Included was a patch for a zero day vulnerability in Internet Explorer 8, as well as a vulnerability in Word 2007.
Online gambling site hit by five-vector DDoS attack peaking at 100Gbps. Incapsula reported that it responded to a distributed denial of service (DDoS) attack on a customer’s online gambling Web site June 6 that used five different vectors to create a 100 gigabits per second attack.
Zeus being used in DDoS, attacks on cloud providers. Researchers with the Prolexic Security Engineering and Response Team released a threat advisory that describes how the Zeus trojan and toolkit is being equipped with new payloads to perform attacks outside its usual use in banking fraud. Zeus was identified being used in a variety of attacks including distributed denial of service (DDoS), spam, virtual currency mining, and attacks on platform as a service (PaaS) and software as a service (SaaS) infrastructure.
Sealed with an XSS: I gave TweetDeck a heart attack, says teen comp sci boff Firo. A computer science student who identified a basic cross-site scripting (XSS) flaw in Twitter’s TweetDeck client stated that the vulnerability was spotted while experimenting with the HTML heart-symbol character. The vulnerability caused Twitter to shut down the TweetDeck client for some users due to others abusing the XSS vulnerability.
Poison PDF pusher released to public. A security researcher released a tool developed as part of a penetration testing exploit kit which allows users to easily create malicious PDF documents with URL pointers added to them. Only unpatched systems were likely to be affected.
Twitter fixes TweetDeck XSS security vulnerability. Twitter disabled its TweetDeck app for about an hour June 11 after a cross-site scripting (XSS) vulnerability was discovered that could allow XSS to be executed by viewing a specially-crafted tweet. Researchers at Rapid7 reported that the issue primarily affected users of the TweetDeck plugin for Chrome.
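The two TweetDeck items above describe the classic shape of a stored XSS in a client that renders user content: an HTML entity (the heart symbol) in a tweet, and a rendering path that treats tweet text as markup. The page does not describe TweetDeck's exact code, so the following is an added, illustrative example rather than TweetDeck's or Twitter's code. The crafted tweet is constructed, and the three rendering functions are assumptions about how such a client might be written. The point it shows is the order of operations: decoding entities and then splicing the result into HTML executes any tags the text contains, escaping the raw text is safe but displays the literal `&hearts;`, and decoding to plain text first and escaping once at output gives both the heart and safety.

```python
import html
from html.parser import HTMLParser

# Constructed tweet text; this is not the payload from the TweetDeck incident.
CRAFTED_TWEET = '&hearts;<script class="xss">alert("hi")</script>'


def render_unsafe(text):
    """Decode entities so '&hearts;' shows a heart, then splice the result into
    markup. The decoded string is trusted as HTML, so any tag in it is live."""
    return f'<p class="tweet-text">{html.unescape(text)}</p>'


def render_escaped_only(text):
    """Escape the raw text. Safe, but the user sees the literal '&hearts;'."""
    return f'<p class="tweet-text">{html.escape(text, quote=True)}</p>'


def render_safe(text):
    """Decode entities into plain text first, then escape once at output.
    The heart survives as a character; the script tag survives only as text."""
    return f'<p class="tweet-text">{html.escape(html.unescape(text), quote=True)}</p>'


class TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Start tags present in the rendered markup, in document order."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe),
                         ("escaped_only", render_escaped_only),
                         ("safe", render_safe)):
        out = render(CRAFTED_TWEET)
        print(f"{name:13s} tags={tags_in(out)}  html={out}")
```

The parser check is the useful part for a regression test: the only start tag that should ever come out of a tweet-rendering function is the wrapper the function itself emits.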
Chrome, Firefox updates address security vulnerabilities. Google released an update for its Chrome browser, closing four security vulnerabilities. Mozilla also released an update for its Firefox browser, which closed seven vulnerabilities, five of which were rated as critical.
Adobe issues security updates for Flash Player, AIR. Adobe released updates for several versions of its Flash Player and AIR products June 10, including updates for Flash Player for Windows and Mac OS X which were rated as high priority due to current or potential attacks exploiting those vulnerabilities.
Zeus alternative “Pandemiya” emerges in cybercrime underground. Researchers with RSA identified a completely new banking trojan known as Pandemiya that has several typical banking fraud tools as well as a modular design. The trojan does not share any code in common with other banking fraud toolkits and has appeared for sale on underweb marketplaces.
Clandestine Fox hackers spreading malware via Facebook, Twitter and LinkedIn. FireEye researchers detected a new attack campaign by a group known as Clandestine Fox which uses malicious attachments in social media and email messages to spread malware. The attackers behind the campaign previously utilized a vulnerability that affected multiple versions of Internet Explorer before a patch was issued by Microsoft.
‘Red button’ attack could compromise some smart TVs. Researchers with Columbia University’s Network Security Lab reported that a vulnerability in the Hybrid Broadcast Broadband Television (HbbTV) feature in some smart TVs could allow attackers to steal personal information, access home networks, and perform denial of service (DoS) attacks by luring users to a compromised channel.
Zeus malware control panel vulnerable: Websense. Websense researchers published information and a proof-of-concept that illustrate how the control panel for the Zeus banking trojan can be compromised by uploading a customized file to the command and control server.
Majority of comment spam generated by small number of attackers: Imperva. Imperva released their June Hacker Intelligence Initiative report, which found that during the report’s 2-week survey period in September 2013, 28 percent of attack sources generated 80 percent of traffic associated with comment spam, among other findings.
Possibly 350K ransomware infections, $70K earned, in Dropbox phishing scheme. Researchers with PhishMe found that an ongoing phishing campaign utilizing links to Dropbox may have infected almost 350,000 systems with the Cryptowall ransomware, bringing in over $70,000 in Bitcoins of ransom for the attackers.
Cybercrime remains growth industry with $445 billion lost. A McAfee and Center for Strategic and International Studies (CSIS) report estimated that various forms of cybercrime globally caused losses of $445 billion a year to various industries, including financial institutions, energy companies, and retailers. The report pointed to stolen trade secrets and intellectual property as the largest source of losses to legitimate companies, as well as the potential for market manipulation and insider trading, among other findings.
Debian urging users patch Linux kernel flaw. Debian published a security update June 5 that closes several vulnerabilities in the Linux kernel that could allow attackers to perform privilege escalation or denial of service (DoS) attacks. Users were advised to apply the patch as soon as possible.
Redmond is patching Windows 8 but NOT Windows 7, say security bods. Two security researchers created a tool known as DiffRay which scans Windows libraries and found that several security functions were updated by Microsoft in Windows 8 but not in Windows 7. The researchers warned that the differences in patching could lead to the discovery of zero day vulnerabilities.
TweetDeck scammers steal Twitter IDs via OAuth. Researchers at Bitdefender found that scammers are luring users into authorizing TweetDeck as part of a free or paid followers scheme, allowing the scammers to obtain users’ authentication tokens. The scammers can then take actions on behalf of users, such as posting tweets and following other users.
RIG Exploit Kit used to deliver “Cryptowall” ransomware. Researchers with Cisco Systems found the RIG Exploit Kit is being used to manipulate malicious advertisements being shown on popular Web sites in order to lead users to Web sites that attempt to drop the Cryptowall ransomware. Exploits for Java, Silverlight, and Flash have been used on the malicious sites in order to infect users.
OpenSSL releases patches for critical MITM, code execution flaws. The team behind OpenSSL released security updates that close six vulnerabilities, two of which are considered to be critical. Users were advised to apply the patches as soon as possible.
Security bods mop blood, sigh: NEW CryptoLocker zombies? We don’t see their kind. Heimdal Security researchers found that the number of CryptoLocker ransomware infections declined significantly since an international law enforcement takedown operation against the infrastructure powering the Gameover Zeus botnet used to spread the ransomware. The researchers noted that the weekly run rate of the ransomware dropped from tens of thousands to the low hundreds.
New OpenSSL MitM flaw affects all clients, some server versions. A security researcher identified a remotely exploitable vulnerability in all versions of OpenSSL that could be used in a man-in-the-middle (MitM) attack to decrypt traffic between vulnerable clients and servers. The researcher reported that the vulnerability appears to have existed in OpenSSL’s code since 1998.
Skype users face security risk due to unencrypted data. Solutionary researchers reported in the company’s May Threat Report that Skype users’ personal information and chat transcripts could be vulnerable to attackers due to the data being kept in an unencrypted file on the local system in Windows and Linux. The files are hidden by default but could easily be found by an attacker.
Soraya malware mixes capabilities of Zeus and Dexter to target payment card data. Researchers with Arbor Networks identified a new family of point-of-sale (PoS) malware known as Soraya that is capable of performing memory scraping techniques similar to the Dexter PoS malware as well as intercepting Web browser data similar to the Zeus trojan. The researchers found that thousands of payment cards have been compromised by the malware, mostly originating from financial institutions in the U.S. and Puerto Rico.
New software nasty encrypts Android PHONE files and demands a ransom. Researchers at ESET identified a new piece of Android ransomware known as Android/Simplocker that encrypts victims’ data and demands a ransom via the MoneXy service. The malware is controlled by a command and control server hosted within the Tor network.
GnuTLS patches critical remote code execution bug. GnuTLS released a patch for the open source cryptographic library May 28 that closes a critical remote code execution vulnerability which could allow an attacker to trigger a buffer overflow and cause a server to crash or potentially execute arbitrary code.
Report examines how attackers mask threat activity. Palo Alto Networks released their latest Application Usage and Threat Report June 2, which found that attackers continue to use common sharing applications such as email and social media to initiate multi-phased attacks, among other findings.
US disrupts hacking schemes that stole millions. A Russian man was indicted June 2 in federal courts in Pittsburgh and Nebraska for allegedly working with five co-conspirators to run the GameOver Zeus botnet and the Cryptolocker malware, which combined infected millions of computers and were used to steal over $100 million from businesses and individuals.
Global mobile roaming network a HOTBED of vulnerabilities. Researchers from KPN reported in a presentation at the Haxpo convention that 15 of 25 mobile roaming network operators had systems visible to the Internet due to misconfigurations or unnecessary services, potentially exposing users on their networks to security compromises.
FBI, European authorities go after GameOver Zeus botnet. U.S. and European law enforcement authorities and several companies cooperatively seized servers and disrupted the operations of the GameOver Zeus botnet May 30, and are seeking a Russian citizen allegedly connected to the operation of the peer-to-peer (P2P) botnet. The botnet is used to perform wire fraud by stealing financial credentials and then transferring money to accounts controlled by its operators.
Middle East hackers target government departments, U.S. financial institution. FireEye researchers identified an attack campaign targeting an undisclosed U.S. financial institution as well as government agencies in several countries that attempts to drop remote access trojans (RATs) on targets’ systems. The researchers attributed the campaign to a Middle Eastern group known as “Operation Molerats” due to the location of the attack infrastructure and the variants of the Poison Ivy and Xtreme RATs used.
Card Recon tool repurposed by attackers to sniff out payment card data. Researchers at Arbor Networks and Trend Micro reported finding the legitimate Card Recon compliance software being used by attackers to seek out payment card data in point-of-sale (PoS) infrastructure. The legitimate software seen was cracked for use by attackers and included in attack toolkits along with PoS malware.
New Heartbleed attack vectors impact enterprise wireless, Android devices. A security researcher detailed new attack methods for using the Heartbleed vulnerability in OpenSSL which could allow attacks over the Extensible Authentication Protocol (EAP) used in wireless networks and peer-to-peer (P2P) connections. The new vectors can threaten enterprise wireless networks, Android devices, and other connections.
Flaws open gates to WordPress en-masse SEO beat-down. A patch was released June 1 for the popular All in One SEO Pack plugin for WordPress, closing vulnerabilities which could allow attackers to launch privilege escalation and cross-site scripting (XSS) attacks in sites using older versions of the plugin. Users were advised to update their installations.
Apache patches DoS, information disclosure bugs in Tomcat. The Apache Software Foundation released a patch for Tomcat, closing three information disclosure vulnerabilities and one denial of service issue. Users were advised to apply the patches to their installations.
New attack methods can ‘brick’ systems, defeat Secure Boot, researchers say. A security researcher at Mitre demonstrated at the Hack in the Box 2014 conference that the Unified Extensible Firmware Interface (UEFI)’s Secure Boot mechanism can be bypassed on around half of computers in order to install bootkits. The researcher also demonstrated that a specific UEFI variable could be modified directly from the computer’s operating system to make the system unusable.
Malware creation breaks all records! 160,000 new samples every day. Panda Security reported that new malware creation occurred at record rates during the first quarter (Q1) of the year, with more than 15 million new samples observed during Q1. The researchers found that trojans made up 71.85 percent of new samples, and that some of the largest data thefts ever occurred during Q1, among other findings.
SAP NetWeaver flaw spews user tables. Researchers with PT Security reported a vulnerability in SAP NetWeaver versions 7.20 and earlier that could allow an attacker to gain access to Central User Administration tables, which could lead to the disclosure of user data.
Spy platform zero day exposes cops’ wiretapped calls. Researchers at SEC Consult Vulnerability Lab disclosed nine flaws in NICE Recording eXpress voice recording products marketed to law enforcement organizations that include a root backdoor and remote unauthenticated access to intercepted voice recordings. The vulnerabilities were initially reported to NICE 6 months ago, and the company stated that it would have patches released shortly for five issues that remain unpatched.
Siemens fixes DoS flaw in Rugged OS devices. Siemens issued patches to address a denial of service (DoS) vulnerability in some of its devices that run its Rugged Operating System, which could allow an attacker to crash Rugged OS by sending specially-crafted packets to the devices’ Web interface. Affected devices running Rugged OS are used in several industries, including energy, transportation, and healthcare.
Compromised Apple IDs used to hold iPhones for ransom. Users of Apple mobile devices reported attackers using compromised Apple IDs to enable Lost Mode through Apple’s iCloud service, using the service to lock devices and demand a ransom to unlock them. The ransom messages bear the name of an Oracle engineer who was likely chosen at random by the attackers, according to a Symantec researcher.
Hybrid Zberp trojan targets bank users around the world. Researchers with Trusteer identified a new piece of malware targeting financial institutions dubbed Zberp which combines the code and features of the Zeus malware and Carberp trojan. The malware is capable of several different information-stealing attacks and can use various methods to avoid detection.
Researchers find large global botnet of infected PoS systems. IntelCrawler researchers discovered a botnet known as Nemanja that has infected around 1,500 point-of-sale (PoS) terminals, accounting systems, and other retail systems in the U.S. and several other countries. The malware behind the botnet is able to collect payment card information and contains a keylogger to obtain other information entered into infected systems.
Spotify warns Android users to upgrade app following hack. Music streaming service Spotify advised users of its Android app to update the app in the next few days as a precaution after it detected unauthorized access to company systems that affected one user.
AVAST forum hacked, user passwords being reset. AVAST Software reported that the company’s forum was attacked during the weekend of May 24, compromising all user names, email addresses, and passwords. AVAST took the forum offline as a precaution while it resets all user passwords.
Don’t log in to WordPress via open WiFi or your blog could get hijacked. A researcher with the Electronic Frontier Foundation identified and reported an issue with the login process for WordPress sites where a browser cookie is sent in plain text, potentially allowing an attacker to use the cookie to gain access to the corresponding WordPress site. WordPress stated that a fix for the vulnerability would be included in an upcoming update.
In wake of breach, eBay has to deal with multiple Web vulnerabilities. Several security researchers identified and reported two cross-site scripting (XSS) vulnerabilities and a login cookie issue with eBay Web pages that could be used to gain control of servers or steal users’ information.
Apple patches 22 Safari Webkit vulnerabilities. Apple released an update for its Safari browser May 22, patching 22 vulnerabilities in the Webkit browser engine that could be exploited in drive-by download attacks.
Microsoft will patch IE zero day but doesn’t give timeline. Microsoft announced May 22 that it plans to patch a use-after-free vulnerability in Internet Explorer (IE) 8 disclosed by the HP Zero Day Initiative May 21.
Android Outlook app could expose emails, attachments. Researchers at Include Security made public May 21 details of two content encryption issues in Microsoft’s Outlook app for Android after first reporting the issues to Microsoft in December 2013. The issues involve the storage of email attachments on devices’ SD card partitions that could make them accessible to any app or third party with physical access.
Better safe than sorry: SourceForge pushes password reset. SourceForge asked its users to change their passwords as part of an update to the site’s security systems. New passwords will then be stored in a more secure manner in accordance with the updated policies.
Point-of-sale attacks accounted for a third of data breaches in 2013, report says. Trustwave released a report on data breaches that the company investigated in 2013, which found that e-commerce intrusions accounted for 54 percent of investigated data breaches, while point-of-sale (POS) system intrusions constituted 33 percent of data breaches, among other findings.
PayPal Manager bug left web stores wide open to cyber-burglars. PayPal closed a vulnerability in its PayPal Manager that allowed attackers to change merchants’ passwords, hijack accounts, and order merchandise for free. The vulnerability was closed after a researcher at Securatary identified and reported it to PayPal, and the company stated that there was no evidence that customer information had been compromised.
Sophisticated Google Drive phishing campaign persists. Researchers at Symantec reported that a persistent phishing campaign targeting Google users is using a Google Drive phishing page that appears more legitimate than most due to it being served over SSL from the Google Drive service itself. Users who fall victim to the phishing page are also redirected to another malicious page and may be exposed to malware infection.
Hackers bypass iOS 7/iCloud activation lock, free thousands of iPhones (some potentially stolen). Two researchers created a service which can unlock devices locked by Apple’s iCloud Activation Lock system, allowing users to return locked devices to service. However, the same service could be used by criminals to unlock stolen Apple devices, and the researchers contacted Apple to inform them of the flaw that allows the unlocking.
New Internet Explorer zero-day details released after Microsoft fails to patch. Details of an unpatched zero-day vulnerability in Microsoft’s Internet Explorer (IE) 8 browser were released by HP’s Zero Day Initiative after the researcher who discovered the flaw reported it 6 months ago. The vulnerability is classified as a use-after-free flaw and could allow an attacker to gain the same user rights as a user who is brought to a malicious Web site.
A billion shortened URLs go down following DoS attack. Link-shortening service is.gd was disrupted May 18 due to a denial-of-service (DoS) attack that made around a billion links shortened by the service unavailable.
Security breach at eBay – change your passwords now. eBay advised all users to change their passwords after it detected an intrusion that compromised a database containing encrypted passwords and other non-financial data. eBay stated that attackers were able to compromise a small number of employee login credentials between February and March, giving them access to eBay’s corporate network.
Public utility compromised after brute-force attack, DHS says. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stated in a report that an undisclosed public utility was compromised via a brute-force attack on an Internet-facing host that used a simple password system. ICS-CERT determined that the utility’s systems were likely exposed to numerous threats prior to the identified intrusion.
Chrome 35 fixes 23 security flaws. Google released version 35 of its Chrome browser, closing 23 security issues, 3 of which were rated as high-risk.
Infections increasing with ransomware, Kovter. Researchers at Damballa reported that infections of the Kovter ransomware doubled during April. The Kovter ransomware attempts to blackmail users into paying a ransom and can generate false browser history content to support its scam.
Credit Suisse pleads guilty in tax evasion case. Credit Suisse pleaded guilty and agreed to pay a $2.6 billion settlement May 19 in response to U.S. Department of Justice charges that the bank helped U.S. clients to evade taxes through 2009.
Researchers discover critical flaws in the Chip and PIN system. Researchers at Cambridge University identified two vulnerabilities in the Europay, MasterCard, and Visa (EMV) ‘chip and PIN’ payment card system that could allow attackers to carry out “pre-play” attacks in order to commit ATM or point of sale (POS) fraud. One vulnerability involves poor random number generation that could be predicted and used for ATM withdrawal, while the second is a protocol failure that could enable malware or a man-in-the-middle (MitM) attack to replace randomly generated numbers with ones chosen by the attacker.
Fascinating MiniDuke backdoor hits again. ESET researchers identified a new variant of the MiniDuke Assembler-based backdoor. The new variant uses a Word RTF memory corruption vulnerability to deliver the backdoor, and contains new features including a Jscript component that contacts a command and control server via Twitter.
Angler exploit kit starts wielding Silverlight exploits. Researchers at Cisco reported an increase in the number of exploit kits adding Silverlight vulnerabilities to their capabilities, with a large increase in traffic being directed to sites hosting the Angler exploit kit, which then attempts to exploit a Silverlight memory disclosure vulnerability.
‘Infinity’ exploit kit targets IE, Firefox, Opera to deliver malware. Researchers at IntelCrawler identified a new exploit kit known as Infinity being sold on underweb markets which targets vulnerabilities in the Internet Explorer (IE), Firefox, and Opera browsers, as well as plug-ins such as Adobe Flash, in order to upload malware.
LifeLock snaps shut Wallet mobile app over credit card leak fears. LifeLock removed its Wallet app from application markets and deleted user data as a precaution due to undisclosed elements of the app being incompatible with the payment card industry’s Data Security Standard (PCI DSS), according to a company statement.
U.S. charges China with cyber-spying on American firms. The U.S. Department of Justice announced criminal charges May 19 against five members of the Chinese military’s Unit 61398 for allegedly conducting cyberespionage against U.S. solar power, nuclear power, and metals manufacturing companies for the purpose of stealing trade secrets.
81 people arrested in international operation against BlackShades RAT users. Law enforcement agencies in 13 countries arrested 81 people the week of May 12 for allegedly being involved in the creation, sale, or use of the BlackShades remote access trojan (RAT). The BlackShades RAT can be used to hijack webcams, log keystrokes, steal files, and launch denial of service (DoS) attacks and is sold on underweb markets.
Record month for Linux trojans. Researchers at Dr. Web identified a record-high number of trojans for the Linux operating system thus far in the month of May, with variants of three separate trojans appearing to be created by the same author. The majority of the trojans are designed to carry out distributed denial of service (DDoS) attacks and can infect Linux desktop, server, and ARM distributions.
XSS vulnerability affected comments section of hundreds of Yahoo pages. A researcher identified and reported a cross-site scripting (XSS) vulnerability affecting hundreds of Yahoo pages via the pages’ comment sections that could be used to perform a persistent XSS attack that would affect all visitors or a self-XSS attack that would only affect users if the comment with the malicious code was a popular or recent comment. Yahoo closed the vulnerability after being notified.
Yahoo, Microsoft and Orange domains affected by same remote code injection flaw. A researcher identified and reported a remote code injection vulnerability affecting several subdomains belonging to Yahoo, Microsoft, Orange, and others that could allow an attacker to access an administrator panel without login credentials. The vulnerability appears to be connected to an astrology content delivery network, and Yahoo, Orange, and Microsoft closed the vulnerabilities once informed.
Critical info on modems, load balancer, exposed via SNMP community string. Researchers at Rapid7 reported that information disclosure vulnerabilities were identified in Brocade ServerIron ADX 1016-2-PREM TrafficWork application load balancers and Ambit U10C019, Ubee DDW3611, and Netopia 3347 modems. The vulnerability can be exploited through the default “public” Simple Network Management Protocol (SNMP) community string and can disclose Management Information Base (MIB) tables that contain device and configuration information.
‘Elderwood’ hackers continue to set pace for zero-day exploits. Symantec released research into the Elderwood hacking platform showing that the attackers using it may be more numerous and diverse than previously thought, with several groups or subgroups using that platform to attack defense, IT, supply chain, and human rights organizations. The Elderwood platform is linked to several cyberespionage campaigns including the Operation Aurora and Icefog attacks, among others.
Filenames used by VOBFUS malware change depending on victim’s language. Researchers at Trend Micro identified a new variant of the VOBFUS worm that changes the filenames of its malicious files depending on the victim’s operating system language. The new variant is able to choose appropriate filenames for 21 languages.
Adobe restores Creative Cloud login service after day-long outage. Adobe restored service to users of its Creative Cloud service May 15 after a 24-hour outage that left users unable to use some aspects of the service and unable to use the service if not already logged in.
Five year old security vulnerability patched in Linux kernel. A patch was issued for a serious vulnerability in the Linux kernel that could allow attackers to cause denial of service issues or obtain administrator privileges. The vulnerability has reportedly been present for 5 years, and a proof-of-concept exploit was made available.
Three security fixes included in Chrome 34.0.1847.137. Google released the latest stable version of its Chrome browser, including three security fixes.
Fake Kaspersky apps discovered on Windows Phone Store and Google Play. Kaspersky Labs researchers identified fake Kaspersky mobile security apps in the Windows Phone Store and Google Play store. The fake apps appear similar to previous fake antivirus apps that ask users for payment but contain no actual functionality.
Buffer overflows patched in Yokogawa control system products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported May 14 that Yokogawa Electric Corporation made patches available for three vulnerabilities identified in its Yokogawa CENTUM CS 3000 production control system. The CENTUM CS line is used for several industrial uses such as in oil refineries, steel manufacturing, public utilities, and other manufacturing industries.
Dogevault praying backups work after confirming attack. Virtual currency wallet service Dogevault reported that it was compromised by attackers May 11 and had the data on its hosted virtual machines destroyed. The service reported that it was attempting to restore its data from an off-site backup.
Microsoft releases eight security updates. Microsoft released its monthly Patch Tuesday round of updates, containing eight advisories, two of which were rated as critical. The critical updates close a vulnerability in the Internet Explorer browser and one in SharePoint.
Google account passwords stolen in phishing attack. Researchers at Bitdefender identified a new phishing campaign targeting Chrome and Firefox users that attempts to steal users’ Google login credentials. The phishing campaign abuses the way Chrome displays data Uniform Resource Identifiers (URIs) to trick users into logging into a fake Google login page.
Microsoft extends deadline for Windows 8.1 Update requirement. Microsoft announced that Windows 8.1 consumers have until June 10 to upgrade to Windows 8.1 Update before users stop receiving security updates on the former operating system, extending the previous deadline of May 13.
Bitly says hackers breached offsite database backup. Bitly enabled two-factor authentication for all its accounts on its hosted source code repository after learning that hackers, using a compromised employee account, had gained access to customer account data from an offsite database backup that the company had not initiated.
Point DNS blitzed by mystery DDoS assault. Point DNS reported a high intensity distributed denial-of-service (DDoS) attack which knocked out all of its domain name system (DNS) servers for several hours May 9. The company believes the attack originated from China and is investigating the size and techniques used.
Rush to defend against Heartbleed leads to mistakes with certificates, patches. Netcraft released a report May 9 stating that 30,000 sites that revoked their compromised SSL certificates after the Heartbleed vulnerability reissued new ones using the same private keys as the old certificates, and that around 57 percent of vulnerable sites had not revoked or reissued their SSL certificates at all.
Bitly suffers data breach, account credentials compromised. URL-shortening service Bitly disconnected customers’ Twitter and Facebook accounts and advised them to change their passwords after the company stated that they believed that user account credentials had been compromised.
Digi ICS gateways vulnerable to Heartbleed OpenSSL bug. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory May 8 alerting users that five Digi wireless Web mesh gateways used in industrial control systems and home networks are vulnerable to the Heartbleed bug in OpenSSL. The vulnerability could allow attackers to obtain login credentials and private encryption keys.
Customers of WordPress themes developer WooThemes report credit card fraud. WordPress themes developer WooThemes reported that it is aware of around 300 instances of fraudulent payment card activity involving its customers and was investigating a possible breach of its systems. The company does not store payment information in its systems, and the company and outside experts are working to identify how the information was taken.
Cybercriminals use Viknok trojan to make money via click fraud. Symantec researchers noted a significant increase in the number of computers infected with the Viknok trojan during April, with 16,500 unique victims of the click fraud malware identified during May.
Cisco addresses five vulnerabilities in WebEx players. Cisco released updates for several WebEx Player multimedia applications after researchers identified and reported vulnerabilities that could be exploited to crash the applications or to perform remote code execution.
Snapchat settles FTC deception charges, will be monitored for 20 years. Snapchat entered into an agreement with the U.S. Federal Trade Commission (FTC) May 8 to settle charges that the company had misrepresented the privacy of its messaging app by claiming that messages are deleted completely after a set amount of time. The agreement prohibits Snapchat from misrepresenting the extent of users’ data privacy and security, and will require the company to be monitored by a third-party privacy group for 20 years.
Malware peddlers prefer deceptive tactics to exploits. Microsoft released its latest Security Intelligence Report which found that attackers are concentrating on using deceptive downloads and ransomware rather than exploits for most attacks. The report noted that the Sefnit, Brantall, and Rotbrow families of malware were responsible for a large amount of deceptive malware attacks, among other findings.
Koler Android ransomware targets users in 31 countries. Bitdefender researchers identified a new piece of ransomware dubbed Android.Trojan.Koler.A that is served either through a fake Android app or the Angler exploit kit. The ransomware targets users in 31 countries and displays fake law enforcement messages matched to the country when demanding a ransom.
Ground(ctrl) advises customers to change passwords following hack attack. Web site operator Ground(ctrl) notified customers and authorities after attackers breached the company’s systems and were able to obtain email addresses, passwords, and the expiration dates and last four digits of payment cards. The company advised customers to change their passwords.
iOS 7.1 flaw lets hacker access contacts book. A programmer demonstrated that the Siri voice assistant on an iPhone running iOS 7.1 can be used to display a phone’s full list of contacts while locked and password protected.
Syrian Electronic Army hijacks WSJ Twitter accounts. Hacktivists affiliated with the Syrian Electronic Army group gained control over four Twitter accounts belonging to the Wall Street Journal May 6 for a time before the owners of the accounts regained control.
Ruby on Rails updated to prevent hackers from stealing files from application server. Updates for three versions of Ruby on Rails were released, closing a serious vulnerability that could allow an attacker to retrieve arbitrary files from the Rails application server using a specially crafted request. Users were advised to update their installations as soon as possible.
CryptoLocker ransomware moves to Android. A security researcher reported that an Android variant of the CryptoLocker ransomware is being sold by the group responsible for the Reveton ransomware. The ransomware is spread when users visit compromised domains that use social engineering to prompt them to install a malicious APK that contains CryptoLocker.
Dropbox patches shared links privacy vulnerability. Dropbox closed a vulnerability in its shared links feature that could potentially allow third party access to shared documents.
CryptorBit demands $500 Bitcoin ransom. A researcher at KnowBe4, LLC identified a new ransomware known as CryptorBit that encrypts victims’ files and demands a ransom, similar to the CryptoLocker ransomware.
Windows flaw allows access to data after accounts are revoked. Researchers at Aorato found that disabled, deleted, expired, or locked-out accounts in Microsoft Windows networks can remain valid for up to 10 hours after being revoked, potentially allowing attackers to use the accounts to gain access to company data.
DrawQuest shut down after hackers gain access to Amazon servers. DrawQuest shut down its free drawing community service following a compromise of its systems where attackers used the service’s Amazon account to order hundreds of expensive servers. There was no indication that users’ encrypted passwords were stolen, though users were advised to change their passwords as a precaution.
Workers exposed to chemical leak at Intel plant in Arizona. Two workers at an Intel Corp. plant near Phoenix were taken to a hospital for observation after a spill of around 100 gallons of ammonium hydroxide caused by a construction crew that accidentally cut into a pipe.
“Covert redirect” OAuth security flaw not as serious as it sounds, experts say. A researcher reported finding a vulnerability dubbed “covert redirect” in OAuth and OpenID that could allow an attacker to access users’ information. However, security researchers found that the vulnerability is only in certain implementations of OAuth and requires both user interaction and an open redirect to be present in a targeted application to be effective.
Windows XP Users. As of April 8, 2014, Microsoft will no longer offer technical assistance or provide security updates for Windows XP operating systems. PCs running Windows XP after April 8, 2014, should not be considered to be protected. It is important that Windows XP users migrate to a currently supported operating system in order to receive regular security updates to protect against malicious online attacks.
XSS vulnerability found in Google Search Appliance. An update for the Google Search Appliance index and search device was released after a security researcher identified and reported a cross-site scripting (XSS) vulnerability that is present when the dynamic navigation feature is enabled.
Microsoft updates IE against latest 0-day, updates also XP. Microsoft released an out-of-band security update for its Internet Explorer browser to close a zero-day vulnerability that is being actively exploited in the wild. The update also covers the recently-discontinued Windows XP operating system.
Staunch your Heartbleed patching: FreeBSD has a nasty credentials leak. The creators of FreeBSD advised users to apply a patch that was released after a TCP ordering issue was discovered which could allow attackers to perform denial-of-service (DoS) or data leakage attacks.
Possibly the first Android worm, spreading through SMS, found in wild. ESET researchers reported that the Android/Samsapo.A malware may be the first Android worm seen in the wild. The malware spreads via SMS messages, can perform a variety of actions, and is currently seen targeting users in Russia.
4chan hacked, attacker mainly targeted moderator accounts. The founder of 4chan stated April 30 that the popular bulletin board site was breached by attackers who leveraged a software vulnerability to gain administrator functions and steal moderator account names and credentials. The vulnerability used by the attackers was patched once 4chan became aware of it.
14 security issues addressed with the release of Firefox 29. Mozilla released the latest version of its Firefox browser, Firefox 29, which closes 14 vulnerabilities, five of which were rated as critical.
99 percent of Q1 mobile threats targeted Android. F-Secure Labs released its latest Mobile Threat Report, which found that 99 percent of new mobile threats detected in the first quarter of 2014 targeted the Android mobile operating system, and that 277 new threat families were discovered during the time period, among other findings.
AOL breach confirmed, bigger than initially thought. AOL confirmed April 28 that attackers breached the company’s systems and networks, leading to a significant increase in spoofed email spam from AOL Mail accounts. Around 500,000 users had their email addresses, postal addresses, address book contacts, encrypted passwords, and encrypted security questions compromised in the breach.
Siemens patches Heartbleed bug in industrial products. Siemens published an advisory and updates for several of its industrial control systems (ICS) programs that address the Heartbleed vulnerability in OpenSSL. Some Siemens ICS software remains unpatched, and the company advised users to apply workarounds until a full patch is made available.
Apple fixes vulnerability that granted anyone access to personal details of developers. Apple closed a vulnerability in its Developer Center’s Radar application that could have been exploited to obtain the contact information of Apple retail and corporate employees and iOS, Mac, and Safari developers. The researcher who discovered the vulnerability published a proof-of-concept after Apple had closed it.
Phishers abuse Microsoft Azure to target PayPal, Apple, and Visa customers. Researchers at Netcraft reported that cybercriminals are making use of 30-day trials of Microsoft’s Azure cloud service to host phishing Web sites. The researchers identified several Azure-hosted phishing pages targeting Apple, Comcast, PayPal, Visa, American Express, and Cielo customers.
Researchers warn of resurgent Sefnit malware. Researchers at Facebook reported that the Sefnit malware has been seen in use again, but without a Tor client. The malware instead establishes direct connections to one or more command and control servers over an SSH connection made with Plink, PuTTY’s command-line SSH client.
Flash 0-day exploited in watering hole attacks, Adobe provides patch. Adobe released updates for its Flash Player for Windows, Mac, and Linux following the discovery of a new zero-day vulnerability that is being actively exploited in the wild. Users were advised to update immediately.
Stop using Microsoft’s IE browser until bug is fixed, US and UK warn. The U.S. Computer Emergency Readiness Team (US-CERT) advised users to stop using the Internet Explorer browser until Microsoft can develop a patch for a recently-disclosed vulnerability that can allow attackers to run malicious code. The vulnerability is currently being used in attacks against U.S. defense and financial organizations, according to FireEye researchers.
Critical Microsoft Internet Explorer flaw leaves one in four web users vulnerable. Microsoft warned users of its Internet Explorer (IE) browser after FireEye researchers discovered a critical zero day vulnerability that affects IE 6 through IE 11 and could allow an attacker to use a Flash exploitation technique to remotely execute code. FireEye researchers spotted attacks using the vulnerability targeting IE 9 through IE 11, representing about a quarter of total browser users.
4 vulnerabilities and 38 bugs fixed with the release of MyBB 1.6.13. The latest version of MyBB was released for download, closing 4 security vulnerabilities and addressing 38 functionality bugs.
Apache Struts 184.108.40.206 released to properly fix zero-day vulnerability. The Apache Software Foundation released an update for its Apache Struts open-source framework, addressing an issue with a previous update whose fix for a zero-day vulnerability was incomplete.
XSS vulnerability in Sohu.com leveraged for large-scale DDoS attacks. The source of a distributed denial of service (DDoS) attack on a client of Incapsula early in April that involved 20 million GET requests was found to be Sohu.com, a popular Chinese Web portal. Incapsula informed Sohu.com of the issue and the site was able to close a cross-site scripting (XSS) vulnerability that was used to power the attack.
Security patches released for IP.Board 3.3.x and 3.4.x. Invision Power Services released security patches for its IP.Board 3.3.x and 3.4.x products, addressing three file inclusion issues and a cross-site scripting (XSS) vulnerability.
Exploiting Facebook Notes to launch DDoS. A security researcher discovered and reported a method that can be used to launch distributed denial of service (DDoS) attacks through the Facebook Notes feature by using random GET parameters in HTML tags. Facebook acknowledged the issue but stated that it would not change the way the tags are handled because doing so would degrade user functionality.
Heartbleed bug patched on all US government websites. Trend Micro researchers reported that less than 10 percent of Web sites remain vulnerable to the Heartbleed flaw in OpenSSL, with all U.S. government Web sites patched. Distil Networks researchers also reported that 84 percent of the top 10,000 global Web sites have applied patches to close the vulnerability.
Apache warns of faulty zero day patch for Struts. The Apache Software Foundation (ASF) released an advisory April 24 stating that a patch issued in March to close a zero day vulnerability in Apache Struts did not completely close the vulnerability. The advisory stated that a new patch would likely be released within 72 hours, and ASF provided a temporary mitigation for users to apply until then.
No encryption means easy compromise of Viber location data, communications. Researchers with the University of New Haven Cyber Forensics Research & Education Group reported that the Viber text message and voice over IP (VoIP) service manages data in an unencrypted form that could allow attackers and service providers to intercept data being sent and stored.
NetSupport Manager vulnerability could lead to data leakage. A researcher at SpiderLabs reported finding a vulnerability in NetSupport Manager that could allow an attacker to bypass Windows and Domain credentials and remotely connect to and compromise hosts.
Spammers use non-Latin characters to evade spam filters. Kaspersky Lab researchers found that spammers have recently started replacing regular characters in spam emails with similar-looking non-Latin characters in an attempt to evade spam filters.
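The evasion described above works because a Cyrillic or Greek letter that renders like a Latin one is a different code point, so a keyword filter matching "viagra" never sees the word. The following is an added example, not code from Kaspersky Lab or from the original page: it flags words that mix letters from more than one script and folds a small hand-built table of look-alike letters back to Latin before keyword matching. The confusables table and the sample messages are constructed for this example; a production filter would use the full Unicode confusables data.

```python
import re
import unicodedata

# Small hand-built confusables table (an assumption for this example, not a
# complete list): non-Latin letters that render like a Latin letter, mapped
# to the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0410": "A",   # Cyrillic ј ѕ һ А
    "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",   # Cyrillic Е О Р С
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u0391": "A",   # Greek ο α ν Α
}


def script_of(ch):
    """Return the script prefix of a letter's Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else ""


def mixed_script_words(text):
    """Return the words in `text` whose letters come from more than one script.

    A word written entirely in Cyrillic (genuine Russian) is not flagged;
    only words that splice scripts together, which is what homoglyph
    substitution produces, are reported."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def normalize_confusables(text):
    """Replace known look-alike letters with their Latin counterparts so that a
    keyword filter sees the word the reader sees."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


# Constructed sample messages: the first hides Cyrillic а (U+0430), е (U+0435)
# and о (U+043E) inside Latin words; the second is plain Latin; the third is
# genuine Russian, a single script, and must not be flagged.
SAMPLES = [
    "Ch\u0435ap Vi\u0430gr\u0430 and C\u0430sin\u043e bonus t\u043eday",
    "Quarterly report attached, please review",
    "Добрый день, отправляю отчет",
]


def scan(samples=SAMPLES):
    """Return (flagged_words, normalized_text) for each sample message."""
    return [(mixed_script_words(s), normalize_confusables(s)) for s in samples]


if __name__ == "__main__":
    for flagged, normalized in scan():
        print(flagged, "->", normalized)
```

Run the normalization before the keyword stage of a filter, and treat the mixed-script list as a scoring signal rather than a hard block: legitimate text can contain a single foreign name or a product name spelled with another alphabet.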
Prosecutor: ID theft scheme cost US Treasury $10M. A U.S. Attorney announced the indictments April 23 of five men accused of running an identity theft and fake tax return scheme that defrauded the U.S. government of around $10 million. The men are accused of obtaining stolen driver’s licenses and Social Security cards and using the information to open bank accounts in several states and file around 2,400 fraudulent tax returns.
Mobile bad bots running across most top mobile operators. Distil Networks released a report on harmful bot traffic and found that harmful bots increased their share of Web traffic in 2013 from 12.25 percent of traffic to 23.6 percent. The report also found that the financial services industry had more organizations contributing a high percentage of harmful bot traffic than other industries, and that mobile harmful bots are running across nine of the world’s top ten mobile operators, among other findings.
Cisco: Hey, IT depts. You’re all malware hosts. Cisco released its latest security survey and found that 100 percent of companies in the survey sample show malicious traffic calling to malware hosts and that the length of time that the activity persists suggests that network penetrations are ongoing and undetected, among other findings.
Major Twitter spam attack ‘traced’ to fellow social media site. We Heart It disabled its sign-in and sharing via Twitter April 23 after it appeared to be the source of thousands of spam messages being sent out over Twitter. We Heart It stated that they are investigating the cause of the spam.
AOL Mail locks down email servers to deal with spam tsunami. AOL confirmed that its AOL Mail email servers were under an intensive spoofing attack beginning April 20 that sent large volumes of spam to users’ inboxes. AOL stated that it changed its DMARC policy to prevent unauthorized use of its domain, but that the change may affect some email-forwarding services and listservs.
Amazon Cloud IaaS Service servers riddled with vulnerabilities. Researchers at Bkav found, in the course of a customer-prompted investigation, that several servers for Amazon’s Cloud infrastructure as a service (IaaS) offering and HP’s Public Cloud service contain vulnerabilities because their Windows Server installations had not been updated for several months.
SMS trojan FakeInst targets users in 66 countries. Researchers at Kaspersky analyzed the FakeInst trojan for Android and found that attackers have added capabilities since it first appeared in February 2013, allowing it now to target users in 66 countries. The trojan is disguised as an app and can send SMS messages to premium rate numbers as well as intercept text messages.
DDoS attacks increasingly used as a smokescreen for data theft. Neustar released its DDoS Attacks and Impacts Report for 2014 which found that distributed denial of service (DDoS) attacks are increasingly used by attackers as cover for more damaging compromises. Around half of organizations that reported suffering a breach or DDoS attack in 2013 also had malware installed on their systems, with 55 percent of those hit by DDoS attacks losing data or funds, among other findings.
Patch iOS, OS X now: PDFs, JPEGs, URLs, Web pages can pwn your kit. Apple released updates for its OS X and iOS operating systems, closing 19 security issues including a “triple handshake” error in iOS Secure Transport that could allow an attacker to inject data into secure connections.
Supposedly patched router backdoor was simply hidden. A security researcher who discovered a backdoor vulnerability in several popular home routers found that the firmware update issued by manufacturer Sercomm does not close the vulnerability but instead hides the backdoor. The backdoor can then be reopened by sending a specific network packet to the router from the local area network (LAN) or the Internet service provider (ISP) side, allowing attackers to reset the device’s configuration, username, and password to default settings.
Verizon publishes 2014 Data Breach Investigations Report. Verizon published its 2014 Data Breach Investigations Report, focusing on cyber and physical data breaches across several industries. The report found 198 point of sale (POS) intrusions during 2013, with retail, accommodation, and food services industries the most targeted, among other findings.
Django 1.6.3 released to address 3 security issues. The developers of the Django framework for Python released new versions of the framework, closing three security vulnerabilities.
Oracle gives Heartbleed update, patches 14 products. Oracle released updates for five products April 21, closing vulnerabilities related to the Heartbleed vulnerability in OpenSSL.
Heartbleed attack targeted enterprise VPN. Researchers at Mandiant identified a successful attack campaign that utilized the Heartbleed vulnerability in OpenSSL to target an undisclosed organization’s virtual private network (VPN) and obtain VPN session tokens. The attack began April 8, hijacked several active user sessions, and allowed the attackers to attempt to escalate their privileges within the organization.
Sophos names spam-relaying “dirty dozen” countries for Q1 2014. Sophos released its list of top spam-relaying countries for the first quarter of 2014, with the U.S. accounting for the most spam by volume at 16 percent of all spam, followed by Spain and Russia.
ICS-CERT warns of Heartbleed vulnerabilities in Siemens gear. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory warning that the Innominate mGuard firmware and several Siemens industrial control systems are vulnerable to the Heartbleed vulnerability in OpenSSL. Innominate issued a patch for the vulnerable firmware, while Siemens identified affected systems.
Reddit users discover iOS malware threat. Reddit users identified a piece of malware for iOS devices known as Unflod Baby Panda which can target jailbroken iOS devices. Researchers at SektionEins found that the malware listens to SSL traffic and searches for Apple ID information to steal.
Retailer Michaels Stores confirms payment card data breach. Craft retailer Michaels Stores confirmed April 17 that it was the victim of a data breach that may have exposed information on around 2.6 million payment cards used at Michaels and Aaron Brothers stores. The breach was initially reported in January, and after investigation was found to have taken place between May 8, 2013 and January 27, 2014.
SEC’s information technology at risk of hacking: report. A report by the Government Accountability Office found that the U.S. Securities and Exchange Commission failed to take steps to protect its data networks from breaches, including failing to encrypt sensitive information and failing to physically secure some systems.
Cybercriminals can hijack Steam accounts with Steam Guard enabled. Researchers at Malwarebytes found that attackers have been able to compromise Steam accounts with the Steam Guard verification service enabled by using phishing pages that ask users to upload the .ssfn file from their Steam folder, allowing the Steam Guard security feature to be bypassed.
Trojan-SMS.AndroidOS.Stealer.a is one of the most widespread mobile trojans. Kaspersky Labs researchers found that the Trojan-SMS.AndroidOS.Stealer.a trojan accounted for almost a quarter of attempted infections of Android devices running the company’s security software during the first quarter of 2014, with the highest amount of infections found in Russia. The trojan is capable of opening Web pages, sending SMS messages, installing applications, and other functions.
Java RAT UNRECOM mines for Litecoins, infects Android devices. Researchers at Trend Micro analyzed a new version of the UNRECOM remote access trojan (RAT) and found that it is being distributed via spam emails in order to compromise Android and other devices. The RAT contains the ability to take screenshots, mine for the Litecoin virtual currency, and can add additional plugins to itself, among other functions.
Tor relays vulnerable to Heartbleed dropped from anonymity network. The leader of the Tor Project stated that the Tor anonymity network could temporarily lose around 12 percent of exit capacity and guard capacity after the network began rejecting relays and bridges that are still vulnerable to the Heartbleed vulnerability in OpenSSL.
Attackers use reflection techniques for larger DDoS attacks. Akamai released a global distributed denial of service (DDoS) attack report, which found that attackers in the first quarter of 2014 favored reflection and amplification techniques to conduct DDoS attacks rather than relying on traditional botnets. The report found that the most abused protocols were Character Generator (CHARGEN), Network Time Protocol (NTP), and Domain Name System (DNS).
POS malware, RATs and banking trojans used by cybercrime group. FireEye researchers reported on the activities of a cybercrime group that is targeting financial services companies, banks, and businesses with a variety of malware, including the Netwire and DarkComet remote access trojans (RATs), JackPOS point of sale malware, and the Zeus trojan. The researchers found that the group uses spam emails to begin their attacks and that over 9 percent of targets opened the emails’ malicious attachments.
Oracle fixes 104 security holes with April 2014 CPU. Oracle released its April Critical Patch Update (CPU), containing patches for 104 vulnerabilities in various Oracle products, 37 of which affect Java SE.
Samsung Galaxy S5 fingerprint scanner hacked. Researchers at Security Research Labs demonstrated a method to defeat the Samsung Galaxy S5’s fingerprint scanner, which could allow an attacker to unlock the device by using a print of the owner’s fingerprint.
Adobe Reader for Android 11 updated to fix remote code execution vulnerability. Adobe released an update for its Adobe Reader for Android, closing a vulnerability that could be used to remotely execute arbitrary code when a user opens a malicious .PDF document.
RCE, information disclosure and XSS flaws found in PayPal Partner Program. A security researcher identified and reported a cross-site scripting (XSS) issue and an information disclosure issue that could be leveraged for remote code execution in the PayPal Partner Program’s payment processor Web site. The issues were later closed by PayPal.
Expert finds SQL injection, RCE vulnerabilities in Flickr Photo Books. A security researcher identified and reported a SQL injection vulnerability and a remote code execution vulnerability in Flickr’s Photo Books Web site that could allow an attacker to gain access to Flickr’s databases. Yahoo closed the vulnerabilities after a second report by the researcher.
Hardware manufacturer LaCie suffered year-long data breach. Computer storage manufacturer LaCie stated that the FBI informed the company of a data breach where malware was used to gain access to customer transactions carried out on the company’s Web site. LaCie temporarily disabled the e-commerce portion of its Web site and will be resetting users’ passwords in response.
Heartbleed: VMware starts delivering patches. VMware announced that it began issuing patches for its products affected by the Heartbleed OpenSSL vulnerability, with patches for all affected products expected by April 19.
Flash SMS flaw in iOS can be exploited to make the lock screen unresponsive. A security researcher identified a Flash SMS flaw in iOS that can be used to make a device’s lock screen unresponsive, which could be used for ransom attacks. The flaw was fixed with the release of iOS 7.1 but devices running previous versions of the mobile operating system are vulnerable.
Nine people accused of stealing millions of dollars with Zeus malware. The U.S. Department of Justice unsealed an indictment against nine individuals for allegedly being involved in a criminal organization that used the Zeus banking trojan to steal millions of dollars. The alleged scheme used Zeus to steal account information and then transfer stolen money to accounts belonging to ‘mules’ who withdrew and transferred the money.
Akamai admits issuing faulty OpenSSL patch, reissues keys. Akamai Technologies stated April 13 that a patch issued by the company designed to protect its customers from the Heartbleed vulnerability contained a fault, making it ineffective. The company then began reissuing all Secure Sockets Layer (SSL) certificates and security keys for affected sites.
Jetpack pushes update to close critical security hole. The creators of the Jetpack plugin for WordPress published an update for the popular plugin that closes a vulnerability discovered during a security audit that could allow an attacker to bypass a site’s access controls.
Google rewards experts for XXE vulnerability in Toolbar Button Gallery. Google awarded two Detectify researchers $10,000 after they identified and reported an XML External Entity (XXE) vulnerability in the Google Toolbar Button Gallery that could have allowed an attacker to gain access to data on the company’s production servers. The vulnerability was closed soon after being reported.
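An XXE flaw of the kind reported above arises when an XML parser is allowed to resolve external general entities, so a document can declare an entity whose SYSTEM identifier is a file on the server and then reference it in element content. The block below is an added example, not Google's code or the researchers' proof-of-concept: it parses the same constructed document twice with Python's stdlib SAX parser, once with external entity resolution enabled (the vulnerable configuration) and once with it disabled (the hardened configuration and the Python default since 3.7.1). The `<button>` document format and the throwaway secret file are invented for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects the character data of every element."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_description(xml_bytes, resolve_external_entities):
    """Parse an XML document and return its text content.

    resolve_external_entities=True reproduces the vulnerable setup: external
    general entities are fetched and inlined into the document.  False is the
    hardened setup: the entity reference is left unresolved."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def demo_xxe():
    """Return (leaked_text, hardened_text) for a constructed XXE payload.

    A temporary file stands in for a sensitive file on the server; the
    hypothetical <button> format is invented for this example."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=constructed-secret")
        secret_path = f.name
    try:
        # The attacker-supplied document: declares an external entity pointing
        # at a local file and references it where ordinary text is expected.
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE button [\n'
            f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
            ']>\n'
            '<button><description>&xxe;</description></button>'
        ).encode()
        leaked = parse_description(payload, resolve_external_entities=True)
        hardened = parse_description(payload, resolve_external_entities=False)
        return leaked, hardened
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, hardened = demo_xxe()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The same entity mechanism works with an http:// SYSTEM identifier, which is how XXE turns into server-side request forgery against internal hosts; disabling external entities (or rejecting any document that carries a DOCTYPE when the format does not need one) closes both.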
Cyber attacks are targeting Heartbleed flaw, says US CERT. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning April 10 stating that attackers have begun exploiting the Heartbleed vulnerability in OpenSSL and advised affected entities to report any incidents involving the vulnerability.
Expert shows that hackers can abuse Chrome speech recognition API flaw. A security researcher identified a vulnerability in an older version of Chrome’s speech recognition API that could be leveraged to obtain the transcript generated by the browser. The API was introduced in Chrome 11 but may still be used by some Web sites.
BlackBerry, Cisco products vulnerable to OpenSSL bug. BlackBerry reported that several of its software products are vulnerable to the Heartbleed OpenSSL vulnerability, though its phones were unaffected. Cisco also reported that many of its products, including video communications and phone systems, were also vulnerable.
Deltek suffers data breach, hackers gain access to credit card information. Deltek reported that attackers breached the company’s GovWin IQ Web site, exposing personal and financial details of around 80,000 employees of federal contractors and about 25,000 payment card details belonging to customers of the site’s eCommerce platform. The breach was first discovered March 13 but occurred sometime between July 3, 2013 and November 2, 2013.
Not just websites hit by OpenSSL’s Heartbleed – your PC, phone and more may be in peril. A researcher from the SANS Institute reported in a presentation that the Heartbleed vulnerability in OpenSSL could also affect devices and applications on the client side as well as the server side, potentially allowing attackers to obtain passwords and cryptographic keys from PCs, phones, routers, and other devices.
SQL injection vulnerability fixed in Orbit Open Ad Server. High-Tech Bridge researchers identified and reported a SQL injection vulnerability in the popular open-source ads server Orbit Open Ad Server that could have allowed attackers to compromise Web sites running vulnerable installations. OrbitScripts fixed the vulnerability after being notified by the researchers.
BlackBerry patches remote code execution vulnerability. BlackBerry released an update April 9 which closes a remote code execution vulnerability in BlackBerry 10 that could be exploited in a limited number of scenarios.
Uh oh! Here comes the first bug in the Windows 8.1 Update. Microsoft suspended distribution of the Windows 8.1 Update for April after some enterprise customers using Windows Server Update Services (WSUS) 3.0 Service Pack 2 reported that the update prevented machines from receiving future updates.
SEC charges CVS with misleading investors and committing accounting violations. CVS Caremark Corp. agreed to pay $20 million in a settlement with the U.S. Securities and Exchange Commission to resolve charges that the company misled investors and used improper accounting that artificially inflated its financial performance.
Companies advise users to change passwords due to possible Heartbleed attacks. Several private companies and government organizations advised users to change their passwords in the wake of the Heartbleed vulnerability in OpenSSL that could expose usernames, passwords, and other secure communications. Security researchers also began posting analyses of the vulnerability as organizations worked to close the vulnerability on their systems.
Four vulnerabilities fixed with the release of Adobe Flash Player 220.127.116.11. Adobe issued an update for its Flash Player, closing four security issues.
WordPress 3.8.2 addresses 2 vulnerabilities, includes 3 security hardening changes. A new version of WordPress was released for download containing fixes for two security vulnerabilities and three changes that enhance security.
Last call for XP, Office 2003 updates: April Patch Tuesday fixes 11 vulnerabilities. Microsoft released its monthly Patch Tuesday round of updates April 8, including the final updates for Windows XP and Office 2003, with 4 bulletins closing 11 vulnerabilities.
Cybercriminals use sophisticated PowerShell-based malware. Researchers at Symantec identified a new malicious PowerShell script that contains several ways to hide itself and can inject malicious code into rundll32.exe. The finding follows the discovery of another malicious PowerShell script by Trend Micro researchers known as CRIGENT or Power Worm during March.
Google patches 31 flaws in Chrome. Google released a new version of its Chrome browser, closing 31 vulnerabilities, 19 of which were rated as high priority.
2013 threat report: 8 mega data breaches, 552 million identities exposed. Symantec published its Internet Security Threat Report for 2013, showing a 62 percent increase in data breaches from organizations during the year, with 552 million identities exposed, among other findings.
Yahoo email anti-spoofing policy breaks mailing lists. Security researchers reported encountering an issue with mailing lists after Yahoo introduced a new Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to prevent email spoofing.
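Both this item and the AOL Mail item above come down to DMARC identifier alignment: a receiver enforcing the sender domain's policy accepts a message only if SPF or DKIM passes for a domain aligned with the visible From: address. A mailing list keeps the subscriber's From:, sends from its own bounce address (so SPF passes for the list's domain, not the author's) and usually appends a footer that invalidates the author's DKIM signature, leaving nothing aligned, so a p=reject policy rejects the relayed mail. The following is an added example, not Yahoo's or AOL's code or the page's own: a small DMARC record parser and alignment evaluator run over constructed scenarios. Domain names are placeholders, and the organizational-domain rule is approximated as the last two labels (real implementations use the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict.
    Alignment modes default to relaxed ('r'), as RFC 7489 specifies."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption
    for this example; production code consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact domain match, relaxed
    ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the policy's requested disposition, for one message.

    from_domain: domain of the RFC5322.From header (what the recipient sees)
    spf_result, spf_domain: SPF verdict and the MAIL FROM domain it was checked on
    dkim_result, dkim_domain: DKIM verdict and the d= domain of the signature"""
    policy = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    return "pass" if (spf_aligned or dkim_aligned) else policy["p"]


# Constructed scenarios for a provider domain that publishes p=reject.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def direct_mail():
    """Sent from the provider's own servers: SPF and DKIM are both aligned."""
    return dmarc_disposition(RECORD, "example.com", "pass", "example.com", "pass", "example.com")


def via_mailing_list():
    """Relayed by a list host that keeps the author's From:, uses its own bounce
    address, and appends a footer that breaks the author's DKIM signature."""
    return dmarc_disposition(RECORD, "example.com", "pass", "lists.example.org", "fail", "example.com")


def via_mailing_list_rewritten_from():
    """Same relay after the list rewrites From: to its own domain and signs with
    its own key; the receiver now evaluates the list domain's policy instead."""
    return dmarc_disposition("v=DMARC1; p=none", "lists.example.org",
                             "pass", "lists.example.org", "pass", "lists.example.org")


if __name__ == "__main__":
    print("direct:", direct_mail())
    print("via list:", via_mailing_list())
    print("via list with From rewrite:", via_mailing_list_rewritten_from())
```

The From: rewrite in the last scenario is the workaround list operators adopted; the other option, leaving the message untouched so the author's DKIM signature survives, means the list cannot add footers or subject tags.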
Microsoft drops Windows XP support. Microsoft ended support April 8 for its Windows XP operating system, leaving the widely used operating system without fixes for any vulnerabilities identified in the future. The operating system is still used on a significant portion of systems, including personal computers, ATMs, medical systems, industrial control systems, and other critical infrastructure systems.
OpenSSL 1.0.1g released to prevent hackers from eavesdropping on communications. A new version of OpenSSL was released after security researchers from Codenomicon and Google Security identified and reported a vulnerability, known as Heartbleed, in the library’s TLS heartbeat extension: a missing bounds check lets a remote peer read up to 64 KB of process memory per request, which can expose private keys, usernames, passwords, and other content of secure connections. The vulnerability affects a wide variety of applications, and users are advised to update as soon as possible.
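The bug is a length-field trust problem: a heartbeat message carries a 16-bit payload_length, and the unpatched code copied that many bytes back to the peer without checking that the record actually contained them. The block below is an added example, not OpenSSL's code or the researchers' test tool: it applies the check the fix introduced (1 + 2 + payload_length + 16 bytes of minimum padding must fit inside the TLS record) to constructed records, which is the same test a network sensor applies to flag exploitation attempts on the wire. The record builder exists only to construct test input; the heartbeat type values and 16-byte minimum padding come from RFC 6520.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat messages
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520: padding is at least 16 bytes


def classify_tls_record(record):
    """Classify one raw TLS record.

    Returns 'not-heartbeat', 'malformed-record', 'heartbeat-truncated'
    (shorter than the smallest legal heartbeat), 'heartbeat-unknown-type',
    'heartbleed' (declared payload overruns the record: the CVE-2014-0160
    trigger that patched OpenSSL silently discards) or 'heartbeat-ok'."""
    if len(record) < 5:
        return "malformed-record"
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) != length:
        return "malformed-record"
    if length < 1 + 2 + HB_MIN_PADDING:
        return "heartbeat-truncated"
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "heartbeat-unknown-type"
    # The check missing from vulnerable OpenSSL: does the claimed payload fit?
    if 1 + 2 + payload_length + HB_MIN_PADDING > length:
        return "heartbleed"
    return "heartbeat-ok"


def build_heartbeat(payload, declared_length=None, padding=b"\x00" * HB_MIN_PADDING,
                    version=0x0302):
    """Build a heartbeat request record (constructed test input only).

    declared_length lets the caller claim a payload length that differs from
    the bytes actually sent, which is exactly what an exploit does."""
    if declared_length is None:
        declared_length = len(payload)
    body = struct.pack("!BH", HB_REQUEST, declared_length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


# Constructed samples.
BENIGN = build_heartbeat(b"ping")                             # 4-byte payload, 16-byte padding
MALICIOUS = build_heartbeat(b"", declared_length=0x4000)      # claims 16 KiB, sends none
TRUNCATED = build_heartbeat(b"", declared_length=0x4000, padding=b"")  # 3-byte body


def classify_samples():
    """Return the verdict for each constructed sample, in order."""
    return [classify_tls_record(r) for r in (BENIGN, MALICIOUS, TRUNCATED)]


if __name__ == "__main__":
    for name, verdict in zip(("benign", "malicious", "truncated"), classify_samples()):
        print(f"{name}: {verdict}")
```

Note that a record passing this check can still be a probe: scanners commonly send a benign heartbeat first to learn whether the extension is enabled, so an inventory of which listeners answer heartbeats at all is also worth keeping.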
Information disclosure flaw in Flickr fixed after two months. Yahoo fixed an information disclosure vulnerability in its Flickr photo sharing service which could have been exploited to reveal users’ names and email addresses.
Expert finds 8 files vulnerable to SQL injection in Yahoo HK promotions page. Yahoo removed vulnerable files from its Hong Kong promotions subdomain after a security researcher identified and reported several SQL injection vulnerabilities.
Google kills fake anti-virus app that hit No. 1 on Play charts. Google removed the Virus Shield app from its Google Play store after the app, which briefly was a top download, was found to be a fake app with no functionality. Appbrain estimated that the fake app generated around $40,000 from sales for its developer.
Upatre downloader distributed via banking-themed spam campaign. Researchers at Trend Micro detected a spam campaign using banking-themed emails to distribute the Upatre downloader, which in a sample downloaded the Zeus trojan and the Necurs security-disabling malware.
85% of links spotted in cyberattacks in 2013 led to compromised legitimate sites. Websense Security Labs released their 2014 Threat Report, detailing threats and trends during the past year. The report found that 85 percent of malicious links in email and Web attacks were directed at legitimate sites that were compromised by attackers, among other findings.
Millions of consumers at risk from mobile POS flaws. Security researchers from MWR InfoSecurity presenting April 4 at the SyScan security conference demonstrated how mobile point-of-sale (MPOS) systems can be compromised through several attack techniques, allowing criminals to capture payment card data, cause the devices to accept fraudulent cards, and perform other actions. The vulnerabilities were reported to affect popular MPOS devices but the researchers did not disclose which models are affected.
Zeus malware found with valid digital certificate. Comodo researchers April 3 reported finding a variant of the Zeus banking malware that includes a valid digital certificate, making it appear to be a trustworthy Internet Explorer document.
Android trojan Waller sends premium SMSs, steals money from QIWI wallets. Researchers at Kaspersky analyzed a piece of Android malware known as SMS.AndroidOS.Waller.a which can use infected devices to send SMSs to premium-rate numbers to earn criminals money and can also steal funds from Visa QIWI Wallet accounts. The malware can also perform other tasks such as update itself and install other malware.
Yahoo encrypts data center links, boosts other services. Yahoo announced April 2 that it has begun encrypting all traffic moving between its data centers, turned on encryption between its email servers and those of other providers that support TLS for SMTP, and turned on encryption for its home page, searches, and other properties to enhance user privacy and security.
Cybercriminals add new component to Sality to hijack the DNS addresses of routers. Researchers at ESET analyzed a new component of the Sality malware that was recently added and allows the malware to hijack the primary DNS address of routers. The analysis showed that the malware targets specific router models and attempts to use a brute force attack to gain administrator access, and then changes the router’s DNS server address in order to direct users to fake installation sites.
ISPs exposed to DNS DDoS attacks due to millions of vulnerable home routers. Researchers at Nominum reported finding over 5.3 million routers have open DNS proxies, which can put Internet service providers at risk of DNS amplification distributed denial of service (DDoS) attacks.
Passwords, messages of 158k+ Boxee.tv users leaked. Attackers compromised the forum database for Web TV service Boxee.tv and posted the private information for over 158,000 users. The breach and subsequent leak contain email addresses, encrypted passwords, dates of birth, message histories, IP addresses, and other information.
Cybercriminals abuse security camera recorders and routers to mine for Bitcoins. A researcher at the SANS Technology Institute identified malware designed to infect security camera recorders and routers and use the devices to attempt to mine Bitcoin virtual currency. The malware is built for the ARM architecture and was spotted on Hikvision DVRs, which ship with a simple default root password that users often do not change.
Apple releases Safari 7.0.3, fixes security. Apple released version 7.0.3 of its Safari browser, fixing several issues and adding compatibility and stability improvements.
SellHack deactivates plugin after cease and desist letter from LinkedIn. The makers of the SellHack browser plugin, which uses publicly visible data to help users obtain hidden email addresses of LinkedIn users, deactivated the plugin April 1 following a cease-and-desist letter from LinkedIn.
Oculus VR finds SQL injection flaw, asks Developer Center users to change passwords. Oculus VR advised users of its Oculus Developer Center to change their passwords as a precaution after the company identified a SQL injection vulnerability. The company reported that there was no indication that the vulnerability had been exploited.
Password bug lets me see shoppers’ credit cards in eBay ProStores, claims infosec bod. A security researcher from Securatary disclosed March 20 that he identified a vulnerability in eBay’s ProStores shops that could have allowed attackers to credit themselves with gift cards for ProStores and obtain customer payment card information. The vulnerability was reported in February and later fixed by eBay.
Hotmail-gate: Windows 8 code leaker pleads guilty to theft of trade secrets. A former Microsoft employee pleaded guilty March 31 to stealing company trade secrets by sending unreleased updates for the Windows RT operating system and a copy of the Microsoft Activation Server Software Development Kit to a blogger.
Experts unhappy with Oracle’s Java Cloud patching process, vulnerability details published. Researchers at Security Explorations published details of 30 vulnerabilities in Oracle Java Cloud Service, about half of which can be used to break the Java security sandbox. The vulnerabilities were previously reported to Oracle in January.
CryptoDefense ransomware leaves decryption key accessible. Symantec researchers analyzed the CryptoDefense encryption ransomware and found that the decryption key needed to undo the malware’s file encryption is also left on the victim’s computer, potentially allowing victims to decrypt the files held for ransom themselves.
Middle Eastern hackers use remote access trojan to infect 24,000 machines worldwide. Researchers at Symantec reported finding 487 groups actively using the njRAT remote access trojan (RAT) for malicious uses, with around 24,000 machines infected worldwide. Symantec reported that most attacks using njRAT originate in the Middle East and that the majority of the RAT’s command and control servers are located in the Middle East and North Africa.
Email marketing service Mad Mimi hit by DDoS attacks, blackmailed. Email marketing service Mad Mimi reported that it was the target of a distributed denial of service (DDoS) attack March 30, which caused intermittent issues. An attacker claiming to be behind the DDoS attack demanded a ransom to stop it and was refused.
Smartphones at risk of malicious code injection through HTML5-based apps. Researchers at Syracuse University published a paper detailing how HTML5-based smartphone apps could allow for devices to be targeted with a new Cross-Device Scripting (XDS) attack that could inject malicious code via WiFi scanning, SMS messaging, or other means.