Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The internet offers the potential for safe, convenient new ways shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau.  None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts.  If you receive an email purporting to be from any of the above organizations or other emails you are unsure about, do not open it.  The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit:

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.


Woman pleads guilty to defrauding Chevy Chase financial company of more than $1 million. A Germantown, Maryland resident pleaded guilty December 1 to embezzling at least $1.02 million from her employer, a Chevy Chase-based financial institution, between December 2007 and June 2014. The charges allege that the defendant sent banks fictitious invoices where she forged the signature of another employee of her financial firm, and deposited over 60 checks issued by various banks including U.S. Bank, Bank of America, and JPMorgan Chase & Co. into her personal financial accounts.

Couple pleads guilty to stealing 50K identities in tax fraud scam. A Houston couple pleaded guilty December 2 to stealing the identities of 50,000 victims and using the identities to apply for and obtain 230 debit cards from January 2014 – May 2015. The duo used the stolen identities to earn $250,000 in fraudulent Federal tax returns, while attempting to obtain a total of $1.9 million in tax refunds.

Eight vulnerabilities found in Moxa NPort devices. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that Moxa’s NPort serial device servers are plagued by eight vulnerabilities after security researchers discovered three critical flaws that can be exploited to retrieve an administrator password without authentication, update the device’s firmware without authentication, and use brute force to bypass authentication, as well as high security flaws that can be exploited to cause a denial-of-service (DoS) condition and remotely execute arbitrary code, among other flaws. Moxa released firmware updates for most of the affected servers and advised its customers to install the updates.


5 facing federal charge for $33M mortgage fraud. Five co-conspirators were charged December 1 for their roles in a $33 million mortgage fraud conspiracy after their company, Terra Foundation filed nearly 60 fraudulent mortgage discharges in Westchester and Putnam counties in New York and in Connecticut that made it appear as though Terra’s clients’ mortgages were paid off. In order to make a profit, Terra charged monthly fees for services including audits that were never performed, and convinced clients to take out a second or reverse mortgage and retained large portions of the proceeds.

AirDroid app opens millions of Android users to device compromise. Zimperium security researchers reported that tens of millions of users of Android’s remote management tool, AirDroid are vulnerable to man-in-the-middle (MitM) attacks that could compromise their devices through fraudulent updates and result in data theft. If a user is on the same unsecured network as a malicious actor, the attacker could perform a MitM network attack to access the device authentication information, decrypt any Hypertext Transfer Protocol (HTTP) request the application performs, and redirect and modify the HTTP traffic sent and received by the device when it checks for updates, and then plant a malicious update for the app to use.

Bug allows activation lock bypass on iPhone, iPad. Security researchers discovered two variations of a flaw that can be exploited to bypass Apple’s Activation Lock feature and access the homescreen of locked iPhones and iPads running Apple’s mobile operating system (iOS) 10.1 and iOS 10.1.1. Once a locked device is started, users are required to connect to a WiFi network and attackers can enter long strings into the username and password fields to trigger a crash that display’s the device’s homescreen.


PayPal fixes security flaw allowing hackers to steal OAuth tokens. PayPal Holdings, Inc. patched a critical security flaw in its application after an Adobe Systems security researcher found a vulnerability that could allow attackers to steal OAuth tokens due to the way PayPal allows developers to register their apps with PayPal through a dashboard that generates token requests which are submitted to a central authentication server. The researcher found a hacker can trick the authentication server into using a localhost as a redirect_uri parameter to redirect a PayPal validation to a third-party domain where an attacker could access the data.

Kelihos botnet spreading Troldesh ransomware. Security researchers reported the Kelihos botnet was spotted distributing the Troldesh encryption ransomware to targeted devices via spam emails that contain URLs that redirect a victim to a JavaScript file and a Microsoft Word document before encrypting users’ files and adding the .no_more_ransom extension. The Troldesh ransomware displays a spam message impersonating Bank of America that convinces a user to open a malicious attachment claiming to have information on an outstanding debt, but instead downloads the malware and Pony info-stealer onto a victim’s device.

Gooligan Android malware used to breach a million Google accounts. Check Point security researchers discovered a new variant of an Android malware campaign dubbed Gooligan that has breached the security of more than 1 million Google accounts since August 2016 by rooting Android devices and stealing email addresses and authentication tokens stored on them, thereby enabling a malicious actor to access users’ sensitive data from Gmail, Google Docs, Google Photos, and Google Drive, among other programs. The researchers found the Gooligan campaign infects 13,000 devices daily and installs at least 30,000 apps on those infected devices each day, among other findings.

Flaws found in Emerson DeltaV, Liebert products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published three advisories outlining flaws affecting Emerson’s DeltaV and Liebert products after a security researcher from Positive Technologies found that Emerson’s Liebert SiteScan tool versions 6.5 and earlier are plagued with an Extensible Markup Language (XML) external entity (XXE) flaw that can be remotely exploited to execute arbitrary code or access files from a server or connected network. The advisory also describes a vulnerability in the DeltaV Easy Security Management app that could be exploited to elevate privileges on the control system, among other flaws.


Former office worker pleads guilty to stealing nearly $290,000 from three different employers. A Rockville, Maryland resident pleaded guilty November 29 to embezzling nearly $290,000 from 3 of her employers between September 2012 and September 2015 while she worked as an office manager or executive assistant for the companies and had access to the firms’ financial information and accounts. The charges state the woman stole $218,802 from a consulting firm from September 2012 – February 2014, $41,240 from a non-profit organization, and an additional $29,598 from a management consulting company during the course of her employment.

Tor users targeted with Firefox zero-day exploit. Mozilla’s Firefox team and Tor Browser developers are working to release updates after Trail of Bits security researchers spotted a JavaScript exploit leveraging a zero-day use-after-free vulnerability in the Scalable Vector Graphics (SVG) parser in Firefox to target Tor users. The exploit reportedly consists of one Hypertext Markup Language (HTML) file and one Cascading Style Sheet (CSS) file.

158% increase in Android platform vulnerabilities. Quick Heal released a report which revealed a 14 percent increase in the detection count of malware on Microsoft Windows-based computers in the third quarter of 2016, a 33 percent rise in the amount of mobile ransomware in comparison to the second quarter, and a 25 percent increase in the detection of mobile banking trojans in the third quarter, among other findings.


McAfee Labs predicts 14 security developments for 2017. Intel Security released its McAfee Labs 2017 Threats Predictions Report, which identifies 14 security threat trends for 2017 including a predicted increase of undetectable Internet of Things (IoT) attacks on smart homes, an increase in targeted attacks against hardware and firmware, and an increase in the sophisticated and proliferation of social engineering attacks due to machine learning, among other trends.


cURL security audit reveals several vulnerabilities. The developer of cURL released version 7.51.0 to resolve a total of 11 vulnerabilities following a security audit by Cure53, which revealed the open source tool was plagued with 23 issues and 9 security flaws including 4 high severity issues that could lead to remote code execution.

Cerber 5.0 ransomware uses new IP ranges. Check Point security researchers discovered that version 5.0 of the Cerber ransomware was released and now uses new Internet Protocol (IP) ranges for the command and control (C&C) communication, skips 640 bytes when encrypting a file, targets files that feature the secret extension, and no longer encrypts files smaller than 2,560 bytes, among other new features. Check Point also found that the ransomware leverages spam email campaigns and the Rig-V exploit kit for distribution, and as with previous versions, Cerber 5.0 randomly generates encrypted file extensions using four alphabetic numbers

Flaws in Uber’s UberCENTRAL tool exposed user data. A security researcher discovered several issues in Uber Technologies Inc.’s UberCENTRAL service including a flaw that allows attackers to enumerate users’ universally unique identifiers (UUIDs) by sending requests with possible email addresses, and an issue that can be exploited to obtain full names, phone numbers, and email addresses of customers, among other flaws. Uber released patches for the flaws.


‘Soul Patch Bandit’ caught, accused of killing infant son in Newport News. A man dubbed the “Soul Patch Bandit” was arrested in Petersburg, Virginia, November 22 after he allegedly robbed 6 banks in the Richmond area. The suspect was also sought in connection with a murder in Newport News.

ATM skimmers found at Memorial Sloan-Kettering, 3 other hospitals; thousands stolen from victims. Authorities are searching November 23 for 2 suspects who allegedly installed ATM skimming devices at several hospitals in New York City between August 24 and November 1, 2016, stealing around $46,000 from at least 75 victims.

Founder of litigation marketing company guilty of multi-million dollar securities fraud. The co-founder of PLCMGMT LLC, doing business as Prometheus pleaded guilty November 22 after he and a co-conspirator defrauded about 200 investors out of $8.5 million in a securities fraud scheme where the duo falsely claimed investor funds would be allocated for marketing efforts to recruit plaintiffs for lawsuits against prescription drugs and medical device manufacturers. The duo solicited investors by promising investors up to 300 percent returns, falsely claiming the investors could redeem their investments at any time, and that their investments were secured by enforceable liens, among other fraudulent claims.

Hackers can steal Tesla cars using Android app. Security researchers from Promon discovered a flaw in Tesla Motors companion applications for Android and Apple iOS that could enable hackers to locate, unlock, and steal Tesla vehicles by convincing a Tesla owner to download a malicious version of the companion app by offering a free burger upon installation, which allows the hacker to connect to the phone and begin the hijack process. As the flaw is in the mobile apps and not the vehicles, researches advised users to update their systems and apps and to avoid downloading apps from untrusted sources.

Telecrypt Decryptor foils ransomware’s simple encryption method. A malware analyst released Telecrypt Decryptor, a tool that is able to decrypt files encrypted by the Telecrypt ransomware when running on an Administrator account and if an affected user has .NET 4.0 and above or has at least one of the encrypted files in an unencrypted form.

Information disclosure flaws patched in VMware products. VMware released two security advisories, one of which includes patches for three flaws in VMware vCenter Server, vSphere Client, and vRealize Automation after security researchers from Positive Technologies discovered XML External Entity (XXE) flaws that could lead to information disclosure and a denial-of-service (DoS) condition. The second advisory describes a medium-severity information disclosure bug in Identity Manager and vRealize Automation that could allow an attacker to access folders that do not contain sensitive data.


Office 365 flaw made fake Microsoft emails look legitimate. A Turkey-based security researcher discovered a flaw in Microsoft Office 365 that could be exploited by attackers to send malicious emails and make them appear as if they were sent from a legitimate email address after a test of different email services’ spam filters found that some of his phishing emails that were marked as valid came from a spoofed address and were forwarded through Outlook 365 to the Yandex email service. Additional testing found that Gmail also accepted the spoofed emails that were forwarded from Outlook as legitimate.

Code execution flaws patched in HDF5 library. The HDF Group released version 1.8.18 of its HDF5 library after researchers from Cisco’s Talos Vulnerability Development Team discovered the library was plagued with a total of 4 local heap-buffer overflow flaws that could allow an attacker to execute arbitrary code in the context of the application using the library if they trick a victim into opening a maliciously crafted file. The vulnerabilities are the result of a failure to check if the number of dimensions for an array from a file is within bounds, failure to check if certain message types support a specific flag, and insufficient handling of select values in memory when parsing a Hierarchical Date Format (HDF) file, among other failures


FBI on the lookout for ‘Spelling Bee Bandit.’ The FBI is searching November 18 for a man dubbed the “Spelling Bee Bandit” who is suspected of robbing a TD Bank branch in Peabody, Massachusetts, November 13 and 3 other banks in Massachusetts since October 31.

Romanian man admits to role in $5M ATM skimming operation. A Romanian national pleaded guilty November 17 for his participation in a large-scale ATM skimming operation where he and 15 co-conspirators installed card-reading devices on ATMs in New Jersey, New York, Connecticut, and other States, affecting thousands of customers and defrauding multiple financial institutions of at least $5 million. The skimming operation’s leader and co-conspirator were previously convicted for their roles in the scheme.

iOS lockscreen bypass gives access to contacts, photos. Security researchers discovered a vulnerability in Apple’s mobile operating system (iOS) that could allow an attacker with physical access to a device that has Siri enabled on the lockscreen to bypass the phone’s lockscreen and access photos and contact information on a victim’s iPhone or iPad. The researchers reported the flaw affects iOS versions 8.0 – 10.2 and can be avoided by disabling Siri on the lockscreen.


Twelve individuals charged in ATM skimming conspiracy. Twelve individuals were charged November 16 for their alleged involvement in an ATM skimming scheme that defrauded Bank of America and PNC Financial Services Group, Inc. customers in New Jersey out of more than $428,000 between March 2015 and July 2016. The group reportedly installed skimming devices on ATMs at banks across New Jersey to record payment card data encoded on the magnetic stripe of credit and debit cards, and transferred the stolen information onto counterfeit bank cards that they subsequently used to withdraw cash from the affected accounts.

Two Tennessee residents indicted for conspiracy and employment tax fraud. Two Tennessee residents were charged in an indictment unsealed November 15 after the pair allegedly conspiring to defraud the U.S. Internal Revenue Service (IRS) by neglecting to collect and pay roughly $2.8 million in employment tax while running a temporary staffing company serving firms in Tennessee and elsewhere, failing to timely file employment tax returns, and filing false employment tax returns, among other fraudulent actions. The charges also allege that the duo falsely represented to the IRS their management of the company and knowledge of their responsibility to honestly account for and pay out employment taxes, placed the company in the names of nominees with no control over business operations, and established payment arrangements to impede an IRS levy placed on their customer payments.

Several vulnerabilities patched in Drupal 7, 8. Drupal released versions 7.52 and 8.2.3 addressing four vulnerabilities including a flaw in Drupal 8 that can be exploited to cause a denial-of-service (DoS) condition with specially crafted URLs via the transliteration mechanism. The updates also resolved a flaw in Drupal 7 that could allow a malicious actor to build a confirmation form Uniform Resource Locator (URL) that redirects victims to third-party Websites after they interact with the form, among other flaws.

Raspberry Pi-based hacking device can break into any computer in seconds. A security researcher created a hijacking device, dubbed PoisonTap, which is an inexpensive Raspberry Pi Zero device that leverages a backdoor installed on a targeted device via USB and imitates an Internet over USB connection to convince the computer it is connected via the Ethernet, causing the device to be configured to prioritize the USB connection and begin sending unencrypted Internet traffic to PoisonTap. Once the hacking device hijacks all the Web traffic, it collects Hypertext Transfer Protocol (HTTP) authentication cookies and session data, thereby allowing an actor to bypass two-factor authentication (2FA) and access a user’s online accounts.

Firefox 50 patches 27 vulnerabilities. Mozilla released Firefox 50 to address 27 vulnerabilities including a critical heap-buffer-overflow in the Cairo programming library when processing Scalable Vector Graphics (SVG) content that could lead to a crash due to compiler optimization, as well as a series of critical memory safety issues that could potentially be exploited by a malicious actor to run arbitrary code, among other flaws. The new browser also adds Download Protection for many executable file types on Microsoft Windows, Apple Mac, and Linux to improve overall security for users.

Backdoor in some Android phones sends data to server in China. Kryptowire security researchers reported that several Android models sold in the U.S. were found to include a backdoor in their firmware that transmits personal identifiable information (PII) including contact lists, call history, and text messages to third-party servers without the victim’s authorization via a commercial Firmware Over The Air (FOTA) update software system managed by Shanghai ADUPS Technology Co. Ltd. The researchers found the firmware could remotely install applications without user consent, target specific users and text messages by matching remotely defined keywords, and collect data on the use of applications on an affected device.

CryptoLuck ransomware emerges. A Proofpoint security researcher discovered a new ransomware family, dubbed CryptoLuck that leverages the RIG-Empire exploit kit (EK) for distribution, and abuses the legitimate GoogleUpdate.exe executable and dynamic-link library (DLL) hijacking to infect devices. The malware spreads in the form of a RAR self-extracting archive (SFX) file and performs a series of checks to ensure it is not running in a virtual machine before scanning all mounted drives and unmapped network shares for files it can encrypt.

Fourth defendant convicted in scheme that defrauded software company of over $16 million worth of virtual currency. A Whittier, California resident was convicted November 16 for his role in a scheme where he and 3 co-conspirators defrauded software company and FIFA Football video game publisher, Electronic Arts (EA) out of more than $16 million by creating software that fraudulently logged thousands of FIFA Football matches to circumvent security mechanisms created by the firm and illicitly earn FIFA coins, which the trio subsequently exchanged on a secondary market where the coins are exchanged for dollars. The three co-conspirators previously pleaded guilty for their roles in the scheme.


Former Tulsa attorney pleads guilty to embezzling almost $600K. A disbarred Tulsa County, Oklahoma attorney pleaded guilty November 15 after he embezzled $587,000 from probate estate accounts at the Bank of Oklahoma from August 2012 – October 2015 by illegally using checks made out to himself, diverting funds from the probate estates, and depositing the checks into his business and personal accounts to use for personal expenses.

2 Long Island men among trio charged in $5M investment scam: DA. Three men were indicted November 15 for their alleged involvement in a more than $5 million investment scam where the trio persuaded investors to funnel funds into a new social media platform they created that was purportedly sponsored by Staples, Inc. and The charges allege that the trio used the proceeds to cover personal expenses and the supposed business relationship with Staples and Myspace could not be verified.

Symantec patches DLL hijacking flaw in enterprise products. Symantec released updates to resolve a dynamic-link library (DLL) flaw affecting its IT Management Suite (ITMS) 8.0, Ghost Solution Suite (GSS) 3.1, and Endpoint Virtualization (SEV) 7.x products, which could cause a rogue DLL file to be loaded by the software before the legitimate file, leading to arbitrary code execution, potentially with elevated privileges, as the affected products do not use an absolute path when loading DLL files during reboot or boot-up.

Serious flaws found in Lynxspring SCADA product. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory that revealed versions 1.1.8 and earlier of Lynxspring’s JENEsys building operating system, the BAS Bridge, is affected by four remotely-exploitable vulnerabilities after a security researcher discovered a flaw that could allow an attacker with read-only access to send maliciously crafted commands to the application and make changes within the app. The researcher also found a flaw that can be exploited to access a system without authentication by using a hardcoded username with no password, as well as a cross-site request forgery (CSRF) vulnerability that could allow an attacker to carry out various malicious actions if they convince a user into accessing a maliciously crafted link, among other flaws.

Shazam for Mac keeps listening even when disabled. Synack security researchers reported that malware could silently spy on Apple Mac OS X users through the device’s Webcam and microphone by piggybacking on legitimate applications that utilize those components, such as the Shazam music discovery app, FaceTime, and Skype after finding that the Mac version of Shazam does not deactivate the device’s microphone once the user switches off the app. The researcher warned malware could leverage this flaw to capture audio from a device’s microphone without initiating a recording.


‘Faceless Bandit’ faceless no more: Accused armed bank robber faces justice. A man dubbed the “Faceless Bandit” was charged November 14 for allegedly robbing or attempting to rob 4 banks in Los Angeles County and Orange County, California, in October.

Cryptsetup flaw exposes Linux systems to attacks. Security researchers discovered a vulnerability affecting the disk encryption utility Cryptsetup that could allow attackers with physical access to a targeted Linux system to gain root access to the system, and copy, modify, or destroy data on the hard disk by holding down the “Enter” key for approximately 70 seconds during boot. The flaw occurs when the system partition is encrypted using the Linux Unified Key Setup (LUKS) disk encryption standard, and is due to the incorrect handling of password checks.

Kovter trojan fuels spike in new malware variants. Symantec released a report which revealed that the number of new malware variants increased from roughly 50.1 million in September to 96.1 million in October due to the Kovter trojan family. The report also revealed that the RIG exploit kit (EK) accounted for 37.4 percent of the EK activity spotted during October, among other findings.

Hackers find code execution flaw in VMware Workstation. VMware released a patch resolving a critical out-of-bounds memory access vulnerability in its Workstation Player and Pro 12.x, and Fusion Pro 8.x products that can be exploited from the guest to execute arbitrary code on the host operating system (OS) running the products if the drag-and-drop and copy-and-paste functions are enabled.


U.S. authorities reach settlement with Adobe over 2013 breach. Authorities in 15 States reached a $1 million settlement with Adobe Systems November 10 after the company reportedly failed to employ reasonable measures to protect its customers’ personal information and detect malicious activity within its network, causing a massive data breach in 2013 that compromised over 150 million records. As part of the settlement, Adobe agreed to institute new policies and practices to prevent future breaches, including effectively separating payment card data from public-facing servers, performing ongoing risk assessments, and providing security training to employees, among other practices.

Low-bandwidth “BlackNurse” DDoS attack can disrupt firewalls. Researchers from Danish telecom operator TDC warned that certain distributed denial-of-service (DDoS) attacks based on the Internet Control Message Protocol (ICMP) Type 3 Code 3 packets, dubbed “BlackNurse” can be highly effective over low bandwidths and can cause firewalls, including Cisco Adaptive Security Appliance (ASA) and SonicWall, to enter a temporary denial-of-service (DoS) condition. TDC reported that all the firewalls observed recovered once the DDoS attacks stopped.

High severity DoS flaw patched in OpenSSL. The OpenSSL Project released OpenSSL 1.1.0c resolving three vulnerabilities after a Google security researcher discovered a heap-based buffer overflow associated with Transport Layer Security (TLS) connections using ChaCha20-Poly1305 cipher suites that can lead to a denial-of-service (DoS) condition, which could result in a crash of OpenSSL. The update also addresses a moderate severity flaw that can cause applications to crash, and a low severity issue related to the Broadwell-specific Montgomery multiplication procedure.


Darien man convicted of bank fraud. A Darien, Connecticut resident and Minneapolis resident were convicted November 9 for defrauding foreign banks involved in the U.S. Department of Agriculture’s GSM-102 Export Credit Guarantee Program out of more than $25 million from September 2007 – January 2012 in a scheme where the duo and a co-conspirator obtained shipment lists and created fictitious invoices for agricultural products that they did not physically ship, and subsequently used the fake documents to secure capital from banks and collect millions of dollars in fees from the transactions. As part of the scheme, the duo created several companies under different names to acquire a larger share of the allocation of guarantees from the GSM-102 program, and used multiple bank accounts under the various entity names.

Futures trader pleads guilty to illegally manipulating the futures market in connection with 2010 “Flash Crash.” A British futures trader pleaded guilty November 9 for his role in a more than 5-year, $12.8 million market manipulation scheme, which included his role in the May 2010 “Flash Crash,” where he manipulated the market for E-mini Standard & Poor’s Financial Services LLC (S&P)’s 500 futures contracts (E-minis) by using an automated trading program and placing thousands of spoof orders for E-minis that he did not intend to trade, among other methods, in order to create the appearance of a substantial supply and demand, as well as to persuade other market participants to trade E-minis at prices and quantities they typically would not have traded.

Florida registered broker pleads guilty to securities fraud for participating in a $131 million market manipulation scheme. A registered stockbroker and resident of Boca Raton, Florida, pleaded guilty November 8 for his role in a scheme where he and co-conspirators defrauded ForceField Energy Inc. investors out of roughly $131 million from January 2009 – April 2015 by artificially regulating the price and volume of traded ForceField shares through nominees that bought and sold ForceField stock without revealing the information to investors and prospective investors. In order to conceal their involvement in the fraudulent scheme, the group used prepaid cell phones, communicated via encrypted messaging applications, and paid kickbacks in cash, among other methods.

Hackers can abuse iOS WebView to make phone calls. A security researcher reported that Apple mobile operating system (iOS) applications such as LinkedIn, Twitter, and others can be abused by a malicious actor to initiate phone calls to arbitrary phone numbers from a victim’s device by convincing a user to open a specially crafted Webpage via an affected app that redirects the victim to a TEL Uniform Resource Identifier (URI), which triggers the call. The researcher reported that the vulnerability can also prevent a victim from ending the call, and is related to how certain iOS applications handle the WebView component.

Privilege escalation flaw affects several Siemens products. Siemens released updates and temporary fixes addressing a medium-severity privilege escalation vulnerability in many of its industrial products, including several Siemens SCADA systems, SOFTNET, Security Configuration Tool (SCT), and distributed control systems (DCS), among other products. Researchers warned that users with local access to the Microsoft Windows operating system running on the same device as an affected Siemens application can escalate their privileges, and reported that the flaw cannot be exploited if the affected product is installed in the default path.

SAP patches OS command execution vulnerabilities. SAP released its November 2016 security updates resolving a total of 16 security flaws, including 2 critical flaws in the SAP Report for Terminology Exportl component and the SAP Text Conversion component that could be exploited to execute operating system (OS) commands without authorization, thereby allowing an attacker access to arbitrary files and directories located in a SAP server file system. SAP also patched a denial-of-service (DoS) flaw in SAP Message Server and an information disclosure vulnerability in SAP Software Update Manager component, which can be leveraged to reveal information about an impacted system, among other vulnerabilities.


'Harry Potter Bandit' apparently paints self orange, robs banks in Gresham and Aloha. Authorities are searching for a man dubbed the “Harry Potter Bandit” who is suspected of robbing a KeyBank branch in Gresham, Oregon, and a U.S. Bank branch in Aloha, Oregon, November 8. The individual is reportedly connected to a string of at least five previous robberies in the Seattle area.

Oregon woman pleads guilty to a tax fraud conspiracy. A Portland, Oregon resident pleaded guilty November 8 to conspiring with others to prepare and file over 227 fraudulent income tax returns to claim refunds in excess of $1 million in 2010, assisting her daughter and other co-defendants to prepare and file fictitious income tax returns, and sharing refunds and identities listed on tax forms with her associates. As part of the plea, the defendant also agreed to pay $429,269 in restitution to the U.S. Internal Revenue Service.

Microsoft patches 68 vulnerabilities, two actively exploited ones. Microsoft released 14 security bulletins resolving a total of 68 vulnerabilities in Windows, Office, Edge, Internet Explorer, and SQL Server. Two of the vulnerabilities have been exploited in the wild, including a zero-day that is being leveraged by a group of attackers dubbed Fancy Bear, APT28 or Strontium, and a second flaw that could allow for remote code execution and enable an attacker to take full control of affected systems.

Adobe patches 9 Flash Player flaws reported via ZDI. Adobe released patches addressing nine arbitrary code execution flaws in Flash Player and one security flaw in Connect for Microsoft Windows that could be exploited for cross-site scripting (XSS) attacks after researchers from Trend Micro’s Zero Day Initiative (ZDI) reported the flaws to Adobe.


‘Soul Patch Bandit’ wanted for 3 Richmond area bank robberies. Authorities are searching for a man dubbed the “Soul Patch Bandit” who is suspected of committing three bank robberies in the Richmond, Virginia area, including a November 7 robbery at a Union Bank & Trust branch in Colonial Heights.

Google patches 23 critical vulnerabilities in Android. Google released its November 2016 Android security patches addressing a total of 83 vulnerabilities in the mobile operating system (OS), including a critical flaw in Mediaserver that could allow an attacker using a maliciously crafted file to cause memory corruption during media file and data processing, a privilege escalation issue in the libzipfile component that could allow a local malicious application to execute arbitrary code, and a remote code execution (RCE) flaw in Qualcomm crypto driver, among other flaws.

Cisco resets password on careers portal. Cisco Systems, Inc. prompted a password reset for all user accounts on its Cisco Professional Careers mobile Website after a security researcher discovered a breach in the portal that may have exposed user data including names, addresses, email addresses, phone numbers, and answers to security questions, among other application-related information. The vulnerability was reportedly caused by an incorrect security setting following system maintenance on a third party Website.


Credit Suisse said to hold accounts for latest U.S. tax felon. An emeritus professor in Rochester, New York, pleaded guilty November 4 for allegedly concealing $200 million worth of assets from the U.S. Internal Revenue Service through offshore accounts at a Zurich, Switzerland-based bank, and filing false tax returns from 2008 – 2014 that failed to disclose his earnings from his Swiss bank accounts. The professor agreed to pay the U.S. Government a $100 million penalty for neglecting to file Reports of Foreign Bank and Financial Accounts (FBARs) until 2011, including fraudulent ones from 2012 – 2013.

Critical privilege escalation flaws found in MySQL. Oracle Corporation released updates for its MySQL database management systems after a security researcher discovered an arbitrary code execution flaw and race condition issue in MySQL that a malicious actor could chain together to escalate privileges to root and fully compromise a targeted system. Percona released an update for its Percona Server for MySQL and Percona XtraDB cluster to address the same vulnerabilities in its software, and MariaDB released a patch for the race condition flaw in its software.

Android spyware targets executives. Security researchers form Skycure discovered an Android spyware, dubbed Exaspy could be leveraged to access a victim’s chats and messages, record audio during calls or in the background, take screenshots, and collect contact lists and call logs, among other malicious actions. The researchers found that the malware required physical access to a targeted device for installation, and once installed, the app runs under the name Google Services, disguising itself as the legitimate Google Play Services.


FBI: 'Scruffy Faced Bandit' robs sixth area bank, this one in Kennesaw. Authorities are searching November 3 for a man dubbed the “Scruffy Faced Bandit” who is suspected of robbing 6 banks in Cobb and Fulton counties in Georgia since August 2016, including a Chase Bank branch in Kennesaw November 1.

Former chief financial officer pleads guilty to embezzlement. A former chief financial officer (CFO) at Clarkston Brandon Community Credit Union (CBCCU) pleaded guilty November 3 for embezzling over $18 million from his employer from January 2003 – January 2016 by issuing cashier’s checks from different CBCCU accounts without authorization and depositing those funds into accounts that he managed at other financial institutions, as well as using Automated Clearing House withdrawals to illicitly transfer funds from CBCCU’s accounts to his personal accounts at other banks. The charges also state that in order to conceal the fraud, the CFO created fraudulent investments in certificates of deposit and bonds, leading auditors and bank examiners to believe that the money he embezzled was invested in these vehicles.

GitLab plugs critical flaw in its code repository manager software. GitLab released security updates for its Community Edition (CE) and Enterprise Edition (EE) of its code repository manager software resolving a critical flaw in the import/export project feature that did not adequately check for symbolic links in user-provided archives, thereby allowing an authenticated user to access the contents of any file accessible to the GitLab service account.

PLCs vulnerable to stealthy pin control attacks. Security researchers at the Black Hat Europe 2016 security conference discovered two new attack methods involving manipulating programmable logic controllers’ (PLCs) input and output at a low level, thereby allowing attackers to control the physical processes managed by the PLCs without triggering any alarms. The first method involves changing the pin’s configuration and allows malware in the PLC to switch a pin from input to output, or vice-versa, while the second attack method involves multiplexing and changes the functionality of the same pin.


Accountant admits guilt in $40 million central Kentucky bank fraud case. An accountant and co-owner and manager of several Kentucky businesses pleaded guilty October 31 for his role in a more than $40 million bank fraud scheme where he and 3 co-conspirators allegedly submitted information to 5 central Kentucky banks that inflated loan applicants’ income and assets and minimized or omitted their debts in order to improve their chances of being approved for loans from July 2006 – September 2010. The charges allege that the accountant and his co-conspirators caused banks to issue or renew loans to individuals who were not the actual borrowers, and used the money for purposes other than what they told the banks.

North Carolina businessman pleads guilty to misappropriating approximately $2.9 million in funds from NFL players. The operator of North Carolina-based Capital Management Wealth Advisors Inc. and APS Management LLC pleaded guilty October 31 for allegedly converting and misappropriating about $2.9 million from his clients’ bank accounts, including National Football League players and other professional athletes from May 2008 – August 2014, and for neglecting to report over $1.4 million of the embezzled funds on his Federal income tax returns between 2009 and 2013. The charges allege that the defendant instructed his clients to execute an agency agreement that permitted him access to the clients’ bank accounts and misrepresented to clients that he would only make transactions authorized by them and for their benefit.


Police say they've caught 'Buckeye Bandit,' blamed for up to 30 robberies. Authorities in Columbus, Ohio, announced November 1 that a man dubbed the “Buckeye Bandit” was arrested October 21 after he allegedly committed up to 30 robberies at banks and pharmacies across the State since September 2013, including a robbery at a KeyBank branch in Columbus where the suspect allegedly stole over $53,000 in October 2016. Officials reported that while the suspect currently faces one charge of armed robbery, additional charges could be filed at a later date pending further investigation.

Marion overdose cases lead to credit card skimming operation. Authorities in Marion, Ohio, arrested and charged several individuals October 31 after discovering hundreds of fraudulent credit cards and gift cards, a credit card imprinter, and other illicit items in a Marion home while investigating a drug trafficking operation.

Multiple RCE flaws found in Memcached web speed tool. Web performance tool Memcached received security patches after a security researcher from Cisco Systems, Inc., discovered that Memcached version 1.4.31 and earlier were plagued with three integer overflow vulnerabilities that could be exploited to achieve remote code execution (RCE) on a targeted system, and are manifested in Memcached functions used to insert, append, or modify key-value data pairs. The researcher reported that systems with Memcached compiled with support for Simple Authentication and Security Layer (SASL) authentication were also vulnerable to another flaw due to how Memcached handles SASL authentication commands.

Security firm discloses unpatched flaws in Schneider HMI product. CRITIFENCE discovered two unpatched denial-of-service (DoS) flaws, dubbed PanelShock affecting several of Schneider Electric’s Magelis human-machine interface (HMI) panels, which could allow attackers to cause the affected devices to enter into a DoS condition by sending maliciously crafted Hypertext Transfer Protocol (HTTP) requests due to a faulty implementation of HTTP request methods and resource consumption management mechanisms. Schneider Electric was working to release patches for the security holes.

Vulnerability impacts web-exposed SAP systems. A security researcher from Quenta Solutions reported that an information disclosure vulnerability affecting SAP systems that was patched in September affects over 941 SAP systems exposed to the Internet. The flaw could be exploited to remotely access the list of SAP users from the system and obtain information such as usernames, user IDs, and email addresses that can be used to launch phishing campaigns.

Teen behind Titanium DDoS Stresser pleads guilty in London. A British national pleaded guilty to running the Titanium Stresser, a distributed denial-of-service (DDoS) for-hire service that malicious actors used to launch a total of 1.7 million DDoS attacks internationally. Authorities reported that the service operator made over $385,000 in profits from renting his DDoS tools to hackers.


Company co-founder charged in manipulation scheme. The U.S. Securities and Exchange Commission charged October 31 the co-founder of Minnesota-based Dakota Plains Holdings Inc. for orchestrating a scheme where he and co-conspirators allegedly siphoned $32 million from the company by concealing his control of the company, manipulating the company’s stock prices, and issuing millions of shares to himself, family, and friends. Dakota Plains’ co-founder agreed to pay almost $8 million to resolve allegations that he acquired illicit payments and evaded public disclosure requirements by disseminating his company’s stock holdings across 10 accounts in various names to hide his ownership of over 20 percent of the firm’s shares and his accumulation of millions of dollars in bonus payments.

Audit partner charged in failed audits of venture capital fund. The U.S. Securities and Exchange Commission announced October 31 proceedings against a PricewaterhouseCoopers LLP audit partner after the partner allegedly failed to scrutinize millions of dollars taken from Burrill Life Sciences Capital Fund III, LP during independent audits, failed to establish whether the fund’s adviser had appropriate authorization and reasoning for taking the money, and neglected to confirm that the transactions were accurately disclosed in the fund’s financial statements. The money taken from the venture capital fund was allegedly used by the owner and principal of the investment adviser to cover personal and business expenses.

Manhattan U.S. Attorney announces charges against six individuals for their role in international money laundering scheme involving over $100 million. Six individuals were charged October 31 for their roles in a more than $100 million money laundering scheme where the group allegedly caused front companies in Mexico to export outdated cell phones to other shell companies in the U.S., and created export documents that falsely inflated the value of the exported phones in order to deceitfully obtain value added tax (VAT) refunds from the Mexican government from about June 2011 – May 2016. The charges allege that each mobile phone transfer was accompanied by a transfer of funds to and from accounts in the names of the relevant front companies owned and controlled by the group in order to make the cell phone sales appear legitimate.

Google warns of actively exploited Windows zero-day. Google disclosed a Microsoft Windows zero-day local privilege escalation vulnerability in the Windows kernel that could allow attackers to escape the sandbox. Google researchers warned that the flaw is being actively exploited in the wild.

Nymaim starts using PowerShell to download payload. Verint security researchers discovered the Nymaim malware dropper received updates and is now delivered via spear-phishing emails carrying Macro-enabled Microsoft Word documents, uses PowerShell to download a first-stage payload, includes more effective obfuscation methods, and abuses MaxMind to avoid detection by security software. If the MaxMind query response includes a string of interest, such as the names of security vendors, the first stage Nymaim payload is not downloaded.

Joomla websites attacked en masse using recently patched exploits. Sucuri security researchers discovered that malicious actors were exploiting two critical vulnerabilities patched in Joomla 3.6.4 to create accounts with elevated privileges on Websites built with the Joomla content management system, even in cases where registration is disabled. Sucuri researchers reported that nearly every Joomla Website on its network was impacted and between October 26 and October 28, there were roughly 28,000 attacks.


Defendants entered pleas of guilty today. The owner of Munster, Indiana-based Weichman & Associates PC and Medical Management & Data Services and 3 co-conspirators pleaded guilty October 28 for conspiring to conceal a nearly $2 million tax debt to the U.S. Internal Revenue Service (IRS) and neglecting to report to the IRS at least $100,000 in income, hiding hundreds of thousands of dollars from the business owner’s bankruptcy creditors in January 2011, and withdrawing $95,000 from a client’s retirement fund in April 2012. The charges also state that the owner stole $10,000 from one of his physician clients in a bank fraud scheme where at least $660,000 was illegally taken from that client’s account.

Credit card cloning suspects arrested by police. The owners of Caffe Aficionado in Arlington, Virginia, were arrested October 28 for allegedly participating in a money laundering and credit card fraud scheme where the suspects redeemed hundreds of thousands of dollars’ worth of pre-payable gift cards using cloned credit cards since at least November 2015.

Serial spammer pleads guilty, faces up to ten years in jail. A Florida resident pleaded guilty October 27 for orchestrating spam campaigns where he and 2 co-conspirators operated a legitimate business named A Whole Lot of Nothing LLC, which provided on-demand spam campaigns for legitimate business and illegal parties, including groups selling untested pharmaceutical drugs. The charges state the trio built botnets to distribute their spam, constructed proxy networks to avoid detection, and hacked into at least four corporate networks and Websites in order to take control of corporate emails and servers to distribute spam from devices that were not blacklisted, among other malicious activities.

Mirai botnet infects devices in 164 countries. Imperva security researchers discovered that roughly 49,657 unique Internet Protocol (IP) addresses across 164 countries are hosting Internet of Things (IoT) devices infected with the Mirai botnet. The researchers found that 10 percent of the IP addresses hosting Mirai-infected devices are located in the U.S.

LDAP attack vector makes terabit-scale DDoS attacks possible. Corero Network Security researchers reported a newly observed zero-day distributed denial-of-service (DDoS) attack vector that relies on the Lightweight Directory Access Protocol (LDAP) could be used to leverage an amplification factor of 46 times and a peak of 55 times to carry out terabit-scale DDoS events against a target. Corero also reported that an attacker could send a simple query to a compromised reflector supporting the Connectionless LDAP service (CLDAP) to make it appear as though the query originated from the intended victim, causing unwanted network traffic to be immediately sent to the attacker’s target.


Justice Department charges dozens in massive Indian call center scheme. A total of 61 individuals and entities were charged in an indictment unsealed October 27 for their alleged roles in a call center scheme that defrauded at least 15,000 U.S. residents out of more than $250 million after call center operators in India impersonated U.S. Internal Revenue Service or U.S. Citizenship and Immigration Services officials and threatened potential victims with arrest, imprisonment, or deportation if they failed to pay taxes or debts to the government. The charges state that a network of U.S.-based co-conspirators liquidated and laundered the extorted funds through wire transfers or by purchasing prepaid debit cards that were registered with stolen information from the identity theft victims.

Apple patches flaws in Xcode, Windows software. Apple released version 8.1 of its Xcode integrated development environment (IDE) to address 10 vulnerabilities in Node.js and OpenSSL that an attacker could exploit for arbitrary code execution or to cause an application to crash. Apple also released iTunes version 12.5.2 and iCloud version 6.0.1 for Microsoft Windows due to flaws in the WebKit Web browser engine, which can be exploited through processing specially crafted Web content for arbitrary code execution and disclosure of user information.

New code injection attack works on all Windows versions. Security researchers from enSilo discovered a code injection method, dubbed AtomBombing can be leveraged against all Microsoft Windows versions without triggering security solutions. The researchers found attackers can write malicious code into the operating system’s atom table in order to force a legitimate program to retrieve the malicious code and manipulate the program to execute that code, thereby enabling attackers to take screenshots, access encrypted passwords, and perform Man in the Browser (MitB) attacks.


Data leaked by pagers useful for critical infrastructure attacks. Trend Micro security researchers reported that pagers used in industrial control systems (ICS) were susceptible to targeted attacks, as the messages sent to the devices are unencrypted, thereby allowing hackers to easily intercept the information regarding the operation of a facility and potentially use that information in a targeted social engineering attack against the company. Trend Micro found that messages sent by nuclear plants, chemical facilities, defense contractors, HVAC manufacturers, and power substations via pagers leaked potentially sensitive information.

Major vulnerability found in Schneider Electric Unity Pro. Indegy security researchers discovered that Schneider Electric’s Unity Pro PLC Simulator component of its Unity Pro software was plagued with a critical vulnerability that could allow hackers to remotely execute code on industrial networks if the Internet Protocol (IP) address of the Microsoft Windows PC running the software is accessible to the Internet, as the software allows any user to remotely run code directly on any device with Unity Pro installed. The flaw, which affects all versions prior to and including 11.1, could allow attackers to impact the production process within an industrial control system (ICS) physical environment.

Apple patches multiple flaws in iOS, macOS, Sierra, Safari. Apple released version 10.1 for its mobile operating system (iOS) patching 13 vulnerabilities affecting components such as FaceTime, Kernel, Security, and WebKit, among others, which could allow an attacker to run arbitrary code on the affected devices, leak sensitive user information, and execute arbitrary code with root privileges, among other malicious actions. Apple also released Sierra version 10.12.1 resolving 16 vulnerabilities that could result in privilege escalation, denial-of-service (DoS) conditions, process memory disclosure, and arbitrary code execution, as well as Safari version 10.0.1 resolving 3 vulnerabilities affecting WebKit, among other patches.

Critical vulnerabilities patched in Joomla. Joomla released version 3.6.4 addressing two critical account creation vulnerabilities in its content management system (CMS) versions 3.4.4 through 3.6.3, including a flaw that could allow an attacker to register on a Website even if registration has been disabled due to inadequate checks. The second vulnerability can be exploited by users to register on a Website with elevated privileges due to an incorrect use of unfiltered data.


Embraer paying $205 million to settle FCPA charges. The U.S. Securities and Exchange Commission, in collaboration with the U.S. Department of Justice and Brazilian authorities announced October 24 that Embraer S.A. agreed to pay over $205 million to resolve alleged violations of the Foreign Corrupt Practices Act after the company made more than $83 million in profits as a result of bribe payments its U.S.-based subsidiary paid through third-party agents to foreign government representatives in the Dominican Republic, Saudi Arabia, and Mozambique in order to win contracts in those countries. Officials stated Embraer allegedly created false records and books, and participated in an accounting scheme in India to conceal the illicit payments.

President of Telexfree pleads guilty to billion dollar pyramid scheme. The president of TelexFree, Inc., pleaded guilty October 24 to operating a pyramid scheme that bilked over $3 billion from roughly 965,000 investors in more than 240 countries between February 2012 and April 2014 by recruiting participants to make continuous payments to TelexFree to be promoters for the company and sell Voice-over-Internet Protocol (VoIP) telephone services, and giving participants substantial monetary incentives for recruiting others to join the scheme. The charges state that the participants met their sales requirements by buying the products themselves, thereby creating the illusion that TelexFree had thousands of legitimate VoIP customers, while the company only derived two percent of its total revenue from VoIP service sales.

Android root exploits abuse Dirty COW vulnerability. Security researchers found that the Dirty COW Linux kernel vulnerability disclosed the week of October 17 can be exploited by a local attacker to escalate privileges to root on Android devices running a Linux kernel higher than 2.6.22 and to compromise an entire system by altering the copy-on-write cache provided by the kernel to change what the system and apps see when reading the affected files. NowSecure researchers stated in order to exploit the vulnerability, an attacker must run code on the device via the Android Debug Bridge (ADB) over universal serial bus (USB) or by installing an app that leverages the exploit.

Researchers leverage voicemail flaw to compromise messaging apps. InTheCyber security researchers discovered a voicemail caller-ID spoofing flaw could be leveraged to steal activation codes sent by messaging applications such as Telegram, WhatsApp, and Signal and compromise accounts after finding that an automated call leaves the account activation code in a user’s voicemail if the code sent via text message is not promptly inputted into the app. Once the activation code has reached a victim’s voicemail, the attacker can spoof their caller ID to impersonate the victim in order to access the targeted voicemail and activation code.

Russian man accused of hacking LinkedIn, Dropbox. A Russian national was arrested in the Czech Republic October 5 and indicted on Federal charges in the U.S. October 21 for his alleged role in the 2012 LinkedIn, Formspring, and Dropbox breaches. Officials reported that the Dropbox hack has affected more than 68 million accounts and all 3 hacks were carried out after attackers stole employee credentials.


Alleged architect of $30 million mortgage relief fraud scheme and four others indicted in conspiracy to defraud banks and homeowners. Five people operating a web of sham mortgage relief companies under the names Ownership Management Service LLC and Trust Holding Service LLC were charged October 21 for allegedly defrauding homeowners and banks out of $30 million from 2005 – 2014 by claiming to perform short sales for homeowners, while in reality failing to make mortgage payments and submitting fictitious short sale purchase offers to banks in order to delay foreclosure and maximize the time period during which the defendants could collect rent from the homeowners. The charges allege that the defendants also regularly forged signatures, used fake and stolen identities, and filed fraudulent bankruptcy petitions to maximize their profits.

Chicago woman arrested in $5 million fraud scheme involving bogus business to re-sell tickets to concerts and sporting events. A Chicago resident was arrested October 21 for allegedly orchestrating a more than $5 million fraud scheme where she mislead investors by claiming their funds would be used to purchase tickets for sporting events and concerts at face value and then subsequently re-sold for a profit on the secondary market, while she used the victims’ money for personal expenses and to make Ponzi-type payments to other investors.


Federal jury convicts woman in Stolen Identity Refund scheme - some stolen identities belonged to incarcerated individuals. A Dallas woman was convicted October 20 for her participation in a Stolen Identity Refund Fraud scheme where she and co-conspirators filed fraudulent tax returns using the stolen identities of incarcerated individuals and others, and used shell company bank accounts to transfer the tax refunds from debit and Green Dot cards into cash and cashier’s checks, which the group used to buy nearly $1.2 million worth of used cars that they subsequently shipped to Nigeria from May 2012 – May 2014.

Former director of Ohio County Schools Credit Union charged with embezzlement. The former executive director of the Ohio County Public Schools Federal Credit Union in Wheeling, West Virginia, was charged October 20 for allegedly embezzling over $156,000 from the credit union between June 2013 and March 2016 after an employee detected the scheme in March during a routine credit union account reconciliation. The charges allege that the defendant used the stolen profits to cover personal debts.

Weebly breach affects over 43 million users. Weebly, a San Francisco-based Web hosting service, confirmed that hackers stole the account information of over 43 million users, including usernames, Internet Protocol (IP) addresses, and password hashes after breaching the company’s systems in February 2016. The company advised its user to reset their passwords and the cause of the breach remains under investigation.

Linux kernel zero-day CVE-2016-5195 patched after being deployed in live attacks. The Linux kernel team patched a zero-day security flaw named Dirty COW, as it is caused by a race condition in the way Linux kernel’s memory handles copy-on-write (COW) breakage of read-only memory mappings, which could allow an attacker to escalate their privileges, potentially to root level, on a targeted system. A security researcher notified Red Hat of attackers deploying an exploit that leverages this vulnerability in the wild.

Cisco plugs critical bug in ASA security devices. Cisco patched a critical vulnerability affecting the Identity Firewall feature of its Cisco Adaptive Security Appliance (ASA) Software, which could allow a remote attacker to take control of the system, cause a reload, and execute arbitrary code by sending a specially crafted NetBIOS packet in response to a NetBIOS probe sent by the software. Cisco reported the vulnerability is caused by a buffer overflow in the affected area code.


Rayville PD takes down fake credit card ring. Two Little Rock, Arkansas residents were arrested in Rayville, Louisiana, October 18 after authorities discovered roughly 120 credit and bank cards made out in the suspects’ names, a credit card machine for activating the cards, and blank money orders worth $500, among other illicit items in the suspects’ vehicle. The suspects allegedly made fraudulent credit card transactions in Jackson, Louisiana, and Little Rock, Arkansas.

Lexmark patches critical flaw in printer management tool. Lexmark International, Inc. released an update for its Markvision Enterprise printer management software after security researchers from Digital Defense Inc. (DDI) found the software was plagued with a vulnerability in the Apache Flex BlazeDS that can be exploited to read arbitrary files via specially crafted Action Message Format (AMF) messages and retrieve the file storing the admin credentials, as well as an issue that allows attackers to upload arbitrary files and execute code with elevated privileges, among other vulnerabilities. Users are advised to change the admin password after installation, as the encrypted password stored in the text file is not updated after installation.

Windows zero-day exploited by “FruityArmor” APT group. Security researchers from Kaspersky Lab discovered that a zero-day remote code execution vulnerability patched by Microsoft in its October 2016 security bulletin was being leveraged in attacks carried out by an advanced persistent threat (APT) group, dubbed “FruityArmor” for privilege escalation on an affected system. Researchers found that the FruityArmor APT’s attack platform is built around Microsoft PowerShell and abuses Windows Management Instrumentation (WMI) for persistence in order to make it difficult to detect on a system.


Ernst & Young to pay $11.8 million for audit failures. The U.S. Securities and Exchange Commission (SEC) announced October 18 that Ernst & Young LLP agreed to pay over $11.8 million to resolve charges related to the repeated failure of its audit team to uncover fraud by its client, oil services provider Weatherford International, thereby allowing the client to inflate its earnings through deceptive income tax accounting for more than 4 years. As part of the settlement, investors affected by the accounting fraud will be reimbursed a total of over $152 million, and 2 individuals from Ernst & Young’s audit team agreed to a suspension from appearing or practicing before the SEC as accountants.

West Virginia business owners plead guilty to failing to pay employment taxes. Two owners of Bluegrass Aggregates in Wayne, West Virginia, pleaded guilty October 18 to withholding more than $850,000 from their employees’ paychecks from July 2007 – 2010, as well as neglecting to pay over $490,000 in employment taxes for a previous business, causing the U.S. Internal Revenue Service a total of $1.4 million in losses. The charges allege that the duo used the proceeds for personal expenses.

Construction company partner pleads guilty to evading taxes on more than $1 million. A former partner at American Construction Logistics and Services LLC (ACLS) operating in Afghanistan pleaded guilty October 14 after he failed to file tax returns for tax years 2009 – 2011 on income consisting of over $1 million in wages, ACLS funds used for personal expenses, and cash wired from ACLS employees to his wife, and failed to pay the U.S. Internal Revenue Service more than $200,000 in taxes from the unreported income. The charges allege that from 2010 – 2011, the defendant diverted over $350,000 from the ACLS corporate account to his personal bank accounts to cover personal expenses.

Oracle Critical Patch Update for October 2016 fixes 253 vulnerabilities. Oracle Corporation released its Critical Patch Update (CPU) for October 2016 to resolve a total of 253 new security flaws in several of its products, including 36 flaws in its Oracle Communications Applications, 14 flaws in the Oracle E-Business Suite that can be remotely exploited without authentication, 24 flaws in its Financial Services Applications, and issues affecting its Retail Applications, among other vulnerabilities that could allow an attacker to hijack the vulnerable application stack and potentially expose confidential application data.

VeraCrypt security audit concludes despite rocky start. The VeraCrypt project released version 1.19 of its encryption software after a recent security audit performed by QuarksLab revealed 26 security flaws plaguing the open-source software, including the ability to encrypt user data via the insecure GOST 2814-89 algorithm, and a flaw in the boot password mechanism that allowed attackers to determine password length. Version 1.19 also replaced the insecure XZip and XUnzip libraries with the modern libzip library, and updated the VeraCrypt bootloader component in order to secure its code against outside exploitation and data exfiltration.


WordPress sites under attack via security flaw in unmaintained plugin. Security researchers from White Fir Design discovered the WordPress Marketplace plugin was plagued with an arbitrary file upload vulnerability that could allow an attacker to upload arbitrary files on Websites with the plugin installed and potentially take over a site’s underlying server. The researchers discovered the flaw after detecting scans for the plugin’s Cascading Style Sheets (CSS) file on multiple Websites.


Accountant pleads guilty to stealing $3.5 million from employer. A former accountant at an investment advising company in Massachusetts pleaded guilty October 14 to embezzling over $3.5 million from his employer between April 2011 and November 2015 after he made wire transfers in excess of $3 million from his employer’s accounts to his personal accounts and forged signatures on approximately 46 checks payable to himself totaling roughly $456,000. The charges state the accountant concealed his scheme by making fraudulent entries in his employer’s electronic accounting system and modifying online bank statements before forwarding them to his manager.

Siemens patches flaws in SIMATIC, license manager products. Siemens released software updates addressing several vulnerabilities in its SIMATIC and Automation License Manager (ALM) products after Kaspersky Lab researchers discovered ALM was plagued with a critical path traversal issue that could allow a remote attacker to upload files to the disk, create and remove files, or move existing files via specially crafted packets, as well as a denial-of-service (DoS) flaw, and a Structured Query Language (SQL) injection flaw. Siemens also patched two low severity issues in its SIMATIC STEP 7 engineering software after Positive Technologies researchers found the flaws can be exploited by a local attacker to access sensitive information and to brute-force pre-shared keys that protect device-to-device communications.

Locky ransomware accounted for 97 percent of all malicious email attachments. Proofpoint released its Quarterly Threat Summary for quarter 3 (Q3) 2016, which reported that the Locky ransomware was found in 96.8 percent of all malicious spam email attachments and typically manifests itself as a ZIP file with a JavaScript file inside, Microsoft Office documents with malicious macro scripts, Hypertext Markup Language Application (HTA) files, or Microsoft Windows Script Files (WSF). The report also stated that banking trojans continue to be a pervasive threat, while exploit kit (EK) activity has decreased 65 percent since Q2.


Former Cay Clubs chief financial officer charged with bank fraud and tax offenses. The former vice president and chief financial officer of Cay Clubs Resorts and Marinas was charged October 13 for his role in a more than $28 million scheme where he and a co-conspirator allegedly fraudulently sold the company’s units to insiders, using money from the company’s bank accounts to finance the cash to close for purchases while obtaining mortgage funding from lending institutions in order to falsely show demand for and inflate the prices of Cay Clubs units from 2004 – 2008. The charges also allege that in 2010 and 2011, the former vice president filed fake individual tax returns for tax years 2004 – 2006, significantly underreporting his income and hiding his receipt of millions of dollars in company earnings.

Urbana police allege bank employees stole $391,000. Two former employees at Urbana Security National Bank in Urbana, Ohio, were indicted the week of October 10 after the duo allegedly embezzled $391,000 from the bank since 2009.

Critical vulnerability patched in Cisco conferencing product. Cisco reported that its Cisco Meeting Server (CMS) prior to version 2.0.6 and Acano Server prior to versions 1.8.18 and 1.9.6 were plagued with a critical vulnerability affecting the Extensible Messaging and Presence Protocol (XMPP) service that could allow an unauthenticated attacker to access the system as another user if the XMPP is enabled on the affected devices, as the XMPP service incorrectly processes deprecated authentication schemes. The flaw was discovered during a routine security audit of a Cisco customer and there is no evidence the flaw has been exploited in the wild.


4 arrested in Caroline County skimming scam after police chase. Four Brooklyn, New York residents were charged the week of October 10 in Caroline County, Virginia, for their roles in a credit card skimming scam after authorities discovered roughly 75 credit cards, a card skimming device, and a credit card embossing machine, among other illicit materials in the suspects’ vehicle. The individuals are suspected of conducting credit card skimming operations at truck stops in North Carolina and Virginia.

Fraud charges filed against owner of Budget Finance Company. The owner of Budget Finance Company in New Martinsville, West Virginia, was charged October 12 for allegedly running a more than $31 million Ponzi scheme from 2005 – 2015 where she defrauded investors by mailing checks to those who requested periodic payments, and sending them fake quarterly investment statements indicating their account balances and interest paid. The charges allege the owner used funds from new investors to repay previous investors, causing at least 25 investors between $9.5 million and $25 million in losses.

Attackers actively exploit recently patched BIND flaw. The Internet Systems Consortium (ISC) reported that it learned a high severity denial-of-service (DoS) vulnerability patched in the Domain Name Server (DNS) software BIND was exploited in the wild to crash servers after Infobyte security researchers published a proof-of-concept (PoC) code and Metasploit module demonstrating the attack.

Cerber 4.0 fuels new wave of ransomware attacks. Trend Micro security researchers reported that the latest variant of the Cerber ransomware, dubbed Cerber 4.0 was being dropped by the RIG, Neutrino, and Magnitude exploit kits (EK) in malvertising campaigns. Researchers also found Cerber 4.0 uses a randomly generated file extension, and has shifted from a Hypertext Markup Language (HTML) ransom note to an HTML Application (HTA) format.


Member of north Idaho drug trafficking organization pleads guilty to money laundering. A Las Vegas resident and member of a drug trafficking organization operating in 5 States pleaded guilty October 11 after she laundered nearly $500,000 in drug proceeds for the organization since 2010 by depositing the organization’s earnings into her personal bank accounts and business accounts belonging to a Las Vegas-based hair salon that she and her mother owned. The charges state the woman used a portion of the profits to pay expenses related to the organization.

Microsoft patches four zero-days used in live attacks. Microsoft released a security bulletin addressing 4 zero-day vulnerabilities in several of its products, including an information disclosure bug in Internet Explorer, remote code execution (RCE) flaws in Edge’s scripting engine and Windows graphics device interface (GDI), and a memory corruption vulnerability in Office, among other vulnerabilities. Microsoft reported all four zero-days have been exploited in the wild.

SAP patches multiple implementation flaws. SAP released security patches resolving 48 vulnerabilities affecting its products, including a denial-of-service (DoS) flaw in SAP ASE that could be exploited to terminate a process in a vulnerable component, a Structured Query Language (SQL) injection issue in SAP ST-PI component that allows an attacker to read and alter sensitive database information, and a cross-site scripting (XSS) flaw in SAP Messaging System Service that enables a malicious actor to inject script into a page to access all session tokens, cookies, and other critical information, among other vulnerabilities.

Adobe patches critical flaws in Flash Player, PDF apps. Adobe released patches resolving 71 critical vulnerabilities affecting its Acrobat, Reader, Flash Player, and Creative Cloud desktop application products , including a security bypass vulnerability, an unquoted search path vulnerability that could lead to local privilege escalation in Creative Cloud for Microsoft Windows, and several memory flaws that could allow arbitrary code execution, among other vulnerabilities.

DXXD ransomware encrypts files on unmapped network shares. Security researchers from BleepingComputer reported a new ransomware family, dubbed DXXD was spotted targeting and encrypting files on both mapped and unmapped network shares, and was abusing Remote Desktop Services and brute-forcing passwords on infected devices for distribution. DXXD changes a Microsoft Windows Registry setting in order to display a notice when a victim logs in to their infected device, ensuring that the user sees the ransom note.


Malware abuses Windows Troubleshooting Platform for distribution. Proofpoint security researchers discovered a malicious backdoor, dubbed “LatentBot” was abusing the Microsoft Windows Troubleshooting Platform (WTP) feature to trick users into executing the malicious payload, which was being distributed via email attachments with a lure document that once opened, launches a digitally signed DIAGCAB file containing PowerShell commands that download and install the backdoor trojan. Proofpoint reported the malware allows an attacker to preform surveillance, steal information, and gain remote access operations.

Alleged Lizard Squad and PoodleCorp members arrested. Authorities in the U.S. and the Netherlands arrested two individuals who allegedly operated the,,, and Websites, which offered distributed denial-of-service (DDoS) services for hire as part of the Lizard Squad and PoodleCorp hacking crews. Officials stated the investigation into the hacking groups began when authorities were investigating the service, a Website with ties to other sites operated by the hacking groups that allowed anyone to purchase on-demand harassment phone calls.

New JavaScript malware shuts down your PC if you terminate its process. Kahu Security researchers discovered a new malware variant was hijacking victims’ browsers’ homepages and shutting down the user’s computer if the user detects the malware and attempts to terminate its process in order to hide a series of operations that alter the underlying operating system (OS) settings on a victim’s device. Researchers found the malware is delivered via spam email as a malicious file attachment coded in JavaScript and is executed via the Microsoft Windows Script Host.

GE machine monitoring system plagued by serious flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned a serious vulnerability plaguing the serial and universal serial bus (USB) versions of General Electric’s Bently Nevada 3500/22M machine monitoring system could be exploited by remote attackers to gain unauthorized access to the system with elevated privileges due to the existence of several open ports on the affected device. The devices are used in the energy and chemical sectors, and the company advised users to segment networks, leverage system hardening techniques, and implement bump-in-the-wire solutions to secure the devices.


Boston man charged with identity theft in scheme to defraud retirement accounts. A Boston resident was charged October 6 for his role in an identity theft scheme where he and a co-conspirator who worked as a customer service employee at Mercer, Inc. allegedly stole the personal information and bank account numbers from roughly 270 retirement accounts managed by Mercer, Inc. in order to withdraw money from the accounts from February 2014 – April 2014. The charges allege that the stolen retirement account information was used to load a prepaid card with almost $20,000 in illicitly obtained funds, which the defendant used for personal expenses.

Federal indictment charges four conspirators in fraudulent credit card scheme. Four individuals were charged October 6 for their roles in a fraudulent credit card scheme where the group allegedly stole the personal information of at least 33 victims in order to apply for and obtain credit cards, which were used to purchase merchandise and gift cards worth more than $135,000 from October 2014 – July 2016.

VMware patches directory traversal flaw in Horizon View. VMware released versions 7.0.1, 6.2.3, and 5.3.7 of its Horizon View products for Microsoft Windows after a security researcher, dubbed “Bruk0ut” discovered the products were plagued with a flaw that could allow a remote attacker to carry out a directory traversal attack on the Horizon View Connection Server to access sensitive information.

X.Org library flaws allow privilege escalation, DoS attacks. The X.Org Foundation released patches addressing more than a dozen vulnerabilities in its client libraries, including an out-of-bounds memory read or write error flaw in libX11 versions 1.6.3 and earlier, an integer overflow issue on 32-bit systems in libXfixes versions 5.0.2 and earlier, and a denial-of-service (DoS) condition via out of boundary memory access or endless loops in XRecord versions 1.2.2 and earlier, among other vulnerabilities. X.Org reported most of the flaws exist because the client libraries trust the server to send correct protocol data and do not consider that the values could cause an overflow or other issues.

Cerber ransomware can now kill database processes. Security researchers from BleepingComputer discovered a new variant of the Cerber ransomware family is able to kill many database processes before the encryption process begins by using a close_process directive in the configuration file in order to encrypt the processes’ data files. The researchers also found Cerber switched to a four-character randomly generated extension and started scrambling the name of the encryption file, making it more difficult for victims to recover their data. 


ATM data-skimmers target the valley. Virginia authorities are searching October 6 for a group of Romanian nationals suspected of installing four skimming devices on ATMs at banks in Virginia’s Shenandoah Valley since March 2016, including the DuPont Community Credit Union in Staunton October 2.

Credit Suisse paying $90 million penalty for misrepresenting performance metric. The U.S. Securities and Exchange Commission announced October 5 that Credit Suisse AG agreed to pay $90 million to resolve charges that it misrepresented how it determined its net new assets (NNA) by applying an undisclosed results-driven approach to determining NNA in order to meet specific targets created by the company’s senior executives. As part of the settlement, a former executive agreed to settle charges that he was a cause of the violations.

Owner of tax preparation franchises in Illinois, Kansas and Missouri convicted of tax evasion. The owner and operator of at least 20 Instant Tax Service (ITS) franchise locations in Illinois, Kansas, and Missouri was convicted October 5 after he filed fraudulent Federal tax returns that underreported over $1.5 million in income and submitted falsified financial summaries to his tax return preparer from 2010 – 2011 that undervalued the gross receipts generated by his franchises, A&S Tax Service LLC and ERI Enterprises LLC, which his tax preparer used to generate his individual Federal income tax returns. The charges also state that the franchise owner and A&S have been permanently enjoined from operating a tax preparation business and preparing Federal tax returns since 2013.

Mac malware can abuse legitimate apps to spy on users. A security researcher from Synack discovered that Apple Mac operating system (OS) X malware can monitor an infected system for legitimate user-initiated video sessions on applications such as FaceTime, Skype, and Google Hangouts, and piggyback on those legitimate sessions to record video and spy on users without their knowledge or authorization.

New backdoor trojan spreads through RDP brute-force attacks. GuardiCore security researchers discovered a new malware family, dubbed Trojan.sysscan was being leveraged as a backdoor trojan to collect data and credentials used for accounts on banking, gambling, and tax Websites from compromised systems and transfer the information to an attacker’s remote server by carrying out brute-force attacks on open Remote Desktop Protocol (RDP) ports. GuardiCore reported the trojan is coded in the Delphi programming language and is equipped with support for dumping passwords from locally installed applications including databases, point of sale (PoS) software, and Web browsers.

iMessage URL preview exposes user data. A security researcher discovered that Apple’s iMessage service could leak user data including the message receivers Internet Protocol (IP) address, device type, and operating system (OS) version when the user receives a Uniform Resource Locator (URL) in a message due to a feature available in MacOS and iOS that enables the service to extract metadata from the URL and display it as an accessible link. The researcher stated the iMessage implementation sends requests from each of the devices the receiver has, which could allow an attacker sending the URL to determine the victim’s physical location based on the IP address.


Man previously arrested for a bank robbery in Milford pleads guilty to 3 others: Feds. A Rhode Island resident, dubbed the “Teardrop Bandit” pleaded guilty October 4 after he robbed two banks in Connecticut and one in Massachusetts between July and September 2015.

Google patches 78 vulnerabilities in Android. Google released patches resolving at least 78 security flaws in its Android operating system, including 11 elevation of privilege vulnerabilities in ServiceManager, Lock Settings Service, and Mediaserver, among other components, 3 denial-of-service (DoS) issues in Wi-Fi, GPS, and Mediaserver, as well as critical remote execution flaws in kernel ASN.1 decoder and kernel networking system, among other vulnerabilities. Google reported that the Qualcomm components were most affected by the security flaws.

Hacked WordPress core file leveraged for hijacking a site’s web traffic. Sucuri security researchers discovered attackers were leveraging a WordPress core file responsible for managing the site’s page templates in order to insert malicious code and alter a compromised Website and redirect users to a malicious Webpage selling product keys for several Microsoft products at reduced prices.

Hacked WordPress core file leveraged for hijacking a site’s web traffic. Sucuri security researchers discovered attackers were leveraging a WordPress core file responsible for managing the site’s page templates in order to insert malicious code and alter a compromised Website and redirect users to a malicious Webpage selling product keys for several Microsoft products at reduced prices.


EMC patches critical flaws in VMAX storage products. Dell EMC released patches resolving six vulnerabilities in versions 8.0.x – 8.2.x of its VMAX Unisphere Web-based management console and vApp Manager configuration and support tool for VMware deployments after researchers from Digital Defense, Inc. (DDI) discovered a critical vulnerability that can be exploited to add new admin users and compromise the virtual appliance, as well as a flaw that can be exploited by an unauthenticated attacker to execute arbitrary commands with root privileges and hijack the targeted appliance via maliciously crafted Action Message Format (AMF) messages, among other vulnerabilities.

Polyglot ransomware decryption tool released. Kaspersky Lab security researchers released a decryption tool for the Polyglot trojan, also known as MarsJoke, which allows victims to restore their files after finding that the trojan mimics the CTB-Locker ransomware, in that it uses a weak encryption key generator that allowed security researchers to develop a tool capable of unlocking a victim’s data.

OpenJPEG flaw allows code execution via malicious image files. OpenJPEG released an update addressing several security flaws after Cisco Talos researchers discovered that the open-source library was plagued with an out-of-bounds heap write issue that could allow an attacker to execute arbitrary code on a targeted system when the victim opens a maliciously crafted JPEG2000 image or PDF document that contains a malicious file, among other vulnerabilities.

DressCode malware infects 400 apps in Google Play. Trend Micro security researchers warned that a mobile malware family, dubbed DressCode has infected over 3,000 apps distributed by several popular Android mobile markets, including the Google Play store. The malware connects with the command and control (C&C) server, which turns the device into a proxy that can relay traffic between the attacker and internal servers that the device is connected to, thereby allowing the attacker to compromise the user’s network environment, download sensitive data, or use the device as a bot that can be leveraged for distributed denial-of-service (DDoS) attacks or spam email campaigns.


Branch Banking & Trust Company agrees to pay $83 million to resolve alleged False Claims Act liability arising from FHA-insured mortgage lending. The U.S. Department of Justice announced September 29 that Branch Banking & Trust Company (BB&T) agreed to pay $83 million to resolve allegations that it violated the False Claims Act by knowingly originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development’s (HUD) Federal Housing Administration (FHA) that did not comply with FHA’s quality control requirements or meet HUD underwriting requirements between January 2006 and September 2014. The charges also allege that BB&T failed to self-report loans containing material underwriting defects from at least 2006 – 2013, among other violations.

Over 400 vulnerabilities reported to ICS-CERT in 2015. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released its vulnerability coordination report for the fiscal year 2015, which revealed ICS-CERT published 197 advisories covering a total of 427 vulnerabilities during 2015, while only 245 issues were covered in 2014. The report also revealed that 43 percent of the vulnerabilities were rated as high severity, and the energy sector was affected by more than 800 vulnerabilities since 2011, followed by the critical manufacturing sector which was plagued with over 700 flaws, and the water and wastewater systems sector which was infected with over 600 issues.


Och-Ziff executives also settle charges. The U.S. Securities and Exchange Commission (SEC) announced September 29 that Och-Ziff Capital Management Group agreed to pay roughly $200 million to settle charges that the firm’s executives disregarded red flags and corruption risks as determined by the Foreign Corrupt Practices Act (FCPA), and used intermediaries, agents, and business partners to pay bribes to high-level government officials in Africa in order to secure mining rights and corruptly influence government officials in 5 African countries. SEC officials stated that Och-Ziff fraudulently documented the bribe payments and neglected to maintain proper internal controls to recognize or prevent the bribes.

Dridex banking trojan adopts improved encryption. MalwareTech security researchers discovered the Dridex banking trojan started using malicious Rich Text Format (RTF) files that are password protected in order to prevent automated systems from scanning the attachment for malicious code and to avoid detection. Researchers also found Dridex employs delayed execution and may be focused on infecting corporate systems.

Dual Jamaican-U.S. citizen pleads guilty in connection with Jamaica-based lottery fraud scheme. A dual Jamaican and U.S. citizen pleaded guilty September 28 for her role in a Jamaica-based fraudulent lottery scheme where she persuaded U.S. citizens to send her hundreds of thousands of dollars to cover fraudulent fees for lottery winnings that victims had not won and never obtained, causing U.S. citizens tens of millions of dollars in losses from 2011 – 2012. The charges state the dual citizen used some of the funds for personal expenses

Tofsee malware distribution switched from exploit kit to spam. Security researchers from Cisco Talos reported that attackers stopped distributing the Tofsee ransomware via the RIG exploit kit (EK), and began leveraging spam email campaigns to deliver the malware downloaders, which instruct victims to download and open the ZIP archive attached to the message that contains an obfuscated JavaScript file with a WScript downloader, which runs an executable from a remote server controlled by the attacker. Researchers stated the malware allows hackers to conduct cryptocurrency mining, carry out distributed denial-of-service (DDoS) attacks, and send spam, among other malicious actions.