Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The internet offers the potential for safe, convenient new ways shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations or other emails you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers. Click Here for Information.
ATM and Gas pump skimming information. Click Here for Article.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
PayPal fixes XSS flaw that allowed access to unencrypted credit card details. PayPal addressed a cross-site scripting (XSS) flaw on the Web site’s SecurePayments page in which an attacker could inject customized payment forms into the page HyperText Markup Language (HTML) in order to intercept user financial and PayPal login information in clear text.
BNY Mellon pricing glitch affects billions of dollars of funds. BNY Mellon Corp worked to address an issue August 26 in its InvestOne system that is uses to calculate prices for client mutual funds and exchange traded funds (ETF), after the system broke down over the weekend of August 22 and created a backlog of funds to price. The system, run by SunGard, was operating at limited capacity August 25.
‘Uptown Beach Bandit’ robs 3 North Side banks. The FBI is searching for a suspect dubbed the “Uptown Beach Bandit” who authorities allege has robbed 3 North Side banks in Chicago since August 5, with the latest robbery occurring August 22 at a TCF bank. The suspect is considered armed and dangerous.
FireEye intern VXer pleads guilty for Darkode droid RAT ruse. A former FireEye intern from Pittsburgh pleaded guilty to creating and selling the Dendroid remote access trojan (RAT) for Android phones on the Darkode hacker forums. Denroid was capable of infecting about 1,500 phones for each buyer, while it is unknown how many copies the suspect sold.
Endress+Hauser patches buffer overflow in dozens of ICS products. Endress+Hauser and CodeWrights released updates addressing a remotely exploitable vulnerability found in the Device Type Manager (DTM) library of dozens of Endress+Hauser’s products used for industrial process automation, in which an attacker could use a specially crafted packet to create a buffer overflow in the DTM, causing the affected product to hang indefinitely.
Small percentage of employees responsible for most cloud security risk: Report. Report findings from a CloudLock analysis of 10 million users across 1,800 organizations revealed that the top 1 percent of users in organizations are responsible for 57 percent file ownership, 81 percent of file shares, 73 percent of exposed files, and 62 percent of application industries, suggesting that cyber risks could be mitigated by reaching out to an organization’s top users, among other findings.
Man linked to rejected AmEx accord admits cheating NY law firms. A man whose wife was tied to a recently rejected antitrust settlement between retailers and American Express Co pleaded guilty August 25 to charges that he and his wife defrauded 2 New York law firms out of $7.8 million through the use of bogus limited liability corporations for litigation support services that he never performed.
Zero-day, Angler kit exploits help drive up malvertising by 325%. Security researchers from Cyphort reported study findings revealing that malvertising attacks have increased by 325 percent in 2015, likely due to a combination of frequent zero-day exploits and new technology making the tactic more effective.
New Zeus variant “Sphinx” offered for sales. Malware developers released a new Zeus banking trojan variant called Sphinx that operates fully through The Onion Router (Tor) anonymity network and is designed to work on Microsoft Windows Vista and Windows 7 with User Account Control (UAC) enabled, as well as on low-privilege and “Guest” accounts. The malware has a full feature suite including Backconnect Virtual Network Computing (VNC) capability allowing users to transfer funds directly from the infected system.
CERT warns of hard-coded credentials in DSL SOHO routers. The Computer Emergency Readiness Team (CERT) published an advisory warning that certain Digital Subscriber Line (DSL) routers manufactured by ASUS Tek, DIGICOM, Observa Telecom, Philippine Long Distance Telephone, and ZTE contain hard-coded credentials that could allow a hacker to remotely control or access the devices via telnet services.
Sundown EK first to integrate exploit for recently patched IE flaw. Security researchers from Symantec discovered that the Sundown exploit kit (EK) integrated a recently patched Microsoft Internet Explorer memory corruption vulnerability, and reported observing watering hole attacks leveraging the EK to deliver the Trojan.Nancrat backdoor.
Researchers uncover new Italian RAT uWarrior. Security researchers from Palo Alto Networks discovered a new fully-featured remote access trojan (RAT) called uWarrior embedded in a rigged Rich Text Format (.RTF) file. After the file infects the system, it downloads a payload and is copied to another directory, where it communicates with a command and control server through an encrypted protocol.
Apple iOS Ins0mnia flaw that hides malicious apps revealed by FireEye. Security researchers from FireEye discovered that devices running versions of iOS prior to 8.4.1 are vulnerable to a flaw dubbed Ins0mnia, in which any application could bypass Apple background restrictions, and could allow an attacker to run in the background and steal sensitive user information indefinitely without the user’s consent or knowledge.
Flaw in Android remote-support tool exploited by screen recording app. Security researchers from Check Point discovered that the Recordable Activator Android app on Google Play was utilizing a recently discovered flaw in the TeamViewer remote support tool dubbed Certifi-gate, in which an attacker could use a rogue app to masquerade as an official tool and take control of an affected device. The app was pulled after having over 500,000 installations
AutoIt used in targeted attacks to move RATs. Security researchers at Cisco discovered that hackers are using the AutoIt task automation freeware to stealthily drop remote access trojans (RATs) that install via malicious macros in Microsoft Word documents. AutoIt is considered a legitimate information technology (IT) administration tool, and is often whitelisted in enterprises.
Former president of Bay Area home builder pleads guilty to mortgage fraud conspiracy. The former president of Discovery Sales Inc., pleaded guilty August 24 to his role in a mortgage fraud scheme in which he and conspirators allegedly caused fraudulent loans to be approved for unqualified buyers and inflated home values from 2006 – 2008, amounting to over $200 million in sales and causing banks to lose about $75 million through short sales and foreclosures.
Tor increasingly used by malicious actors: IBM. IBM Security released findings from its third quarter X-Force Threat Intelligence report revealing that The Onion Router (Tor) network has been used increasingly by cybercriminals for malicious purposes, with about 180,000 malicious events originating from Tor U.S. exit nodes since May. Researchers found that most Tor-based attacks have been Structured Query Language (SQL) injections and primarily targeted the information and communications industries, among other findings.
Dyre trojan uses semi- random file names to evade detection. Security researchers at IBM discovered that the developers of the Dyre banking trojan modified the malware’s persistence mechanism by making its execution a Microsoft Windows scheduled task, and assigned semi-random filenames to the trojan’s configuration files to evade detection.
AlienSpy RAT resurfaces as Jsocket. Security researchers discovered that the AlienSpy remote access trojan (RAT) malware was renamed and repackaged as Jsocket, and has been involved in phishing campaigns against targets in utilities, government, telecommunications, and other industries
‘Lucky Bandit’ pleads guilty to bank robbery charges. A man believed to be the suspect dubbed the “Lucky Bandit” pleaded guilty August 21 to attempting to rob a Citibank branch and to robbing a Wells Fargo bank in Pembroke Pines last April.
Zero-day flaws found in Dolphin, Mercury browsers for Android. A security researcher discovered a vulnerability in the Dolphin Web browser for Android in which a man-in-the-middle (MitM) attacker could inject a specially crafted file to arbitrarily write files or execute remotely, as well as unpatched insecure Intent URI scheme implementation and path transversal vulnerabilities in the Mercury Web browser that could allow a remote attacker to read and write arbitrary files within the application’s data directory.
Google patches Android vulnerability that allowed arbitrary code execution. Google issued an update addressing a heap overflow vulnerability in the Android mediserver’s Audio Policy Service that an attacker could trigger to cause a continuous crash loop in the affected device.
Apple patches nine vulnerabilities in QuickTime for Windows. Apple patched nine vulnerabilities in QuickTime 7.7.8 for Microsoft Windows, including denial-of-service (DoS) flaws that can be exploited via specially crafted .MOV files, leading to a memory corruption condition that can cause QuickTime to terminate unexpectedly.
‘Filter Bandit’ robs eighth bank, is considered armed and dangerous, says FBI. The FBI is offering a $5,000 reward leading to the arrest and conviction of a suspect dubbed the “Filter Bandit” who has allegedly stolen over $60,000 from 6 South Florida banks since August 2014, including a SunTrust Bank in Coral Springs August 20. The suspect is considered armed and dangerous.
Alexandria man pleads guilty in tax refund fraud scheme. An Alexandria, Virginia man pleaded guilty August 19 to charges related to a $20 million fraud scheme in which he allegedly submitted false sales claims and tax refunds to Virginia and Texas State tax authorities on behalf of 2 Ryan LLC corporate clients.
Ex-fugitive pleads guilty to $7.4M mortgage fraud. The former operator of Vilchez & Associates, Pino Title, and a branch of Mount Vernon Capital Corp., pleaded guilty August 18 following extradition from Peru to charges connected to a mortgage fraud scheme in which the suspect and co-conspirators allegedly submitted fraudulent loan documents falsifying the income of primarily Hispanic clients in Northern Virginia, resulting in $7.4 million in profits and causing more than $15 million in losses to lenders.
FBI, NYPD see ‘Taxi Cab Bandit’ suspected in 6 bank robberies in New York. Authorities are offering a reward for information leading to the arrest and conviction of a suspect dubbed the “Taxi Cab Bandit” who allegedly robbed 6 New York City banks, including a Santander Bank August 19.
SEC charges Florida man with participating in international boiler room fraud. The U.S. Securities and Exchange Commission charged a West Pam Beach, Florida man August 20 for his role in an international “boiler room”-type offering fraud in which callers from Southeast Asia solicited $1.5 million from 58 investors in 14 countries for supposed U.S. securities purchases via a non-existent broker-dealer, named Gruber and Green, Inc. The funds were distributed between personal accounts of the suspect and bank accounts in Asia.
Thousands of hacked WordPress sites abused in Neutrino EK attacks. Security researchers from Zscaler discovered a malware campaign in which cybercriminals have compromised over 2,600 WordPress 4.2 and prior Web sites in August by planting malicious iframes with redirects to Neutrino exploit kit (EK) landing pages. The Neutrino landing page exploits Adobe Flash Player vulnerabilities to inject CryptoWall 3.0 ransomware on victims’ computers.
New data leaked from ‘cheater’ site Ashley Madison. Vice Media reported that Impact Team hackers released 20 gigabytes (GB) worth of data August 20 related to a July Ashley Madison discrete dating Web site breach. The release, containing internal corporate data and emails, follows an August 18 data dump of 32 million emails and user account information from the Web site.
Citigroup to pay $15 mln to settle U.S. compliance charges. The U.S. Securities and Exchange Commission announced August 19 that a unit of Citigroup Inc., will pay $15 million to resolve civil charges that the company allegedly failed to review thousands of trades its trading desk carried out over a 10-year period, and that Citigroup improperly routed 467,0000 transactions for advisory clients to an affiliated market-making firm.
iOS sandbox flaw exposes companies using MDM solutions. Security experts from Appthority reported that organizations using mobile device management solutions (MDM) and enterprise mobility management (EMM) solutions are vulnerable to third-party app sandbox issue dubbed “Quicksand” in Apple’s iOS, in which an attacker could develop a malicious application that reads the configuration settings of managed applications.
Drupal security updates patch five vulnerabilities. The developers of the Drupal open source content management system (CMS) released security updates addressing five cross-site scripting (XSS), Structured Query Language (SQL) injection, cross-site request forgery (CSRF), and information disclosure vulnerabilities.
Holes found in Pocket Firefox add-on. Mozilla released a fix August 17 for server-side vulnerabilities in the Pocket Firefox Web browser add-on in which an attacker could compromise the Pocket application to gain access to user data, and could use the add-on to populate links to malicious redirects.
SEC charges BNY Mellon with FCPA violations. The U.S. Securities and Exchange Commission announced August 18 that BNY Mellon agreed to pay $14.8 million to resolve allegations that the company violated the Foreign Corrupt Practices Act (FCPA) by providing student internships to family members of government officials affiliated with a Middle Eastern sovereign wealth fund, and that BNY Mellon lacked sufficient internal controls to guard against improper hiring practices.
Promontory Financial settles with New York regulator. Promontory Financial Group agreed August 18 to pay a $15 million penalty and admitted fault to settle New York Department of Financial Services allegations that the firm’s work for British bank Standard Chartered was not truly independent and did not meet agency standards for consultants
Hackers leak Ashley Madison user data.Security experts reported that hackers released a 10 gigabyte (GB) file containing the personal information and payment records of over 30 million Ashley Madison discrete dating Web sites users following a July breach and threats that information would be released if Avid Life Media Inc., continued its practices regarding user profile retention and confidentiality.
Adobe patches vulnerability in LiveCycle data services. Adobe released a security hotfix for its LiveCycle Data Services (DS) framework addressing an XML Eternal Entity (XXE) vulnerability that could result in information disclosure.
Internet company Web.com hit by credit card breach. The Web.com Group reported that a security breach discovered August 13 compromised the name, address, and credit card information of around 93,000 customers. The company reported that no verification codes or other customer information was exposed.
Emergency IE patch fixes vulnerability under attack. Microsoft released an emergency patch August 18 for all supported versions if its Internet Explorer Web browser addressing a zero-day memory corruption vulnerability that an attacker could leverage to remotely execute arbitrary code in the context of the current user.
Romanian National admits to international ATM skimming scheme. A Romanian citizen pleaded guilty in Philadelphia August 17 to his role in an international scheme in which conspirators allegedly placed skimming devices on ATMs in Europe and the U.S., and withdrew funds from compromised accounts. Authorities arrested the man in South Carolina and found a total of 4,583 stolen bank card numbers, ATM skimming devices, and about $15,000 in stolen funds.
FBI intensifies search for serial bank robber dubbed ‘Midday Bandit’. The FBI is offering $10,000 for information leading to the capture and arrest of a suspect dubbed the “Midday Bandit”, who allegedly robbed 8 Chicago-area banks and attempted to rob 2 others since June 2014, with the most recent incident occurring at a U.S. Bank branch in Oak Park August 3.
High severity flaw in Android allows arbitrary code execution. Security researchers from Trend Micro discovered a heap overflow vulnerability in the Android operating system’s (OS) mediaserver Audio Policy Service, AudioEffect component, in which an app requiring no permissions could be used to execute arbitrary code. The vulnerability was patched in August security updates.
Darkode member admits selling access to spam botnet. A New York member of the Darkode hacker forums pleaded guilty August 17 for his involvement in a scheme in which computers of Facebook users were infected with the Slenfbot worm and the “Facebook Spreader” malware, which used victim account information to spread. The suspect and co-conspirators allegedly received $200 - $300 for every 10,000 active infections from 2011 – 2012.
Reflection DDoS attacks abusing RPC Portmapper. Officials from Level 3 Communications observed attackers utilizing Remote Procedure Call (RPC) Portmapper services for reflection distributed denial-of-service (DDoS) attacks between June and August, representing a new and effective method for bandwidth saturation.
Citigroup affiliates to pay $180 million to settle hedge fund fraud charges. The U.S. Securities and Exchange Commission announced August 17 that Citigroup Global Markets Inc., and Citigroup Alternative Investments LLC (CAI) agreed to pay $180 million to settle allegations that the affiliates failed to disclose risks associated with the ASTA/MAT and Falcon hedge funds, which raised almost $3 billion from about 4,000 investors before collapsing, and that CAI accepted up to $110 million in investments after the funds began to collapse.
Alerts issued for zero-day flaws in SCADA systems. The Industrial Control Systems Computer Emergency Response Team (ICS-CERT) published six advisories after security researchers from Elastica discovered several remote and local file inclusion, weak password hashing, insecure authentication, hardcoded credentials, weak cryptography, and cross-site request forgery (CSRF) vulnerabilities, among others, affecting Web-based Supervisory Control and Data Acquisition (SCADA) human machine interfaces (HMI) used by multiple organizations.
BitTorrent flaws can be exploited for DRDoS attacks: researchers. Security researchers reported that malicious actors could exploit vulnerabilities in BitTorrent’s Micro Transport (uTP), Distributed Hash Table (DHT), and Message Stream Encrypton (MSE) protocols as well as its Sync tool to reflect and amplify traffic via distributed reflective denial-of-service (DRDoS).
Exploit for OS X zero-day published by researcher. A security researcher published a proof of concept (PoC) for a local privilege escalation vulnerability in Apple’s OS X Yosetime dubbed “tpwn”, which could be executed by leveraging two security bugs to gain root privileges using a specially crafted file
Administrators continue to fail in securing databases by using proper configs. Security researchers from BinaryEdge released analysis of 4 technologies including Redis, MongoDB, Memcached, and ElasticSearch, revealing that almost 1.2 petabytes (PB), or 1,175 terabytes (TB) of data were vulnerable due to administrators’ use of default configurations that do not block connections from untrusted external actors.
Florida investment adviser pleads guilty to orchestrating $9 million investment fraud scheme. The Tampa-based founder of OM Global Investment Fund LLC pleaded guilty August 13 to charges that he used $9 million in funds investors believed to be designated exclusively for the purchase of Facebook Inc., pre-initial public offering (IPO) shares for other “side pocket” investments, and that he misled them about the nature and value of their investments in his company’s OM Global Fund from 2011 – 2013.
Google has another try at patching Stagefright flaw. Google released a second update for a vulnerability affecting hundreds of millions of Android devices dubbed “Stagefright,” after security researchers from Exodus Intelligence discovered that a maliciously crafted MP4 file could be used to bypass a previous fix for the issue.
Apple releases patch for OS X vulnerability exploited in the wild. Apple released security updates for OS X, iOS, Safari, and OS X Server, patching 135 vulnerabilities including a local privilege escalation zero-day vulnerability related to the DYLD_PRINT_TO_FILE environment variable that attackers were exploiting in the wild to install adware and other questionable software.
Android ransomware locks up devices, has additional features. Security researchers from Fortinet reported that the recently observed Android ransomware “Android/Locker.CB!tr” utilizes an FBI warning containing the user’s picture and Internet Protocol (IP) address, and can send and intercept short message service (SMS) messages as well as access the device’s contact list.
Zero day in Android’s Google Admin app can bypass sandbox. Security researchers from MWR Labs discovered a vulnerability in Android’s Google Admin application on Android devices in which an attacker could use another application on the device to send a specific type of uniform resource locator (URL) to bypass the operating system’s (OS) Same Origin Policy and get data from the Google Admin sandbox.
Edward Jones to pay $20 million for overcharging retail customers in municipal bond underwritings. The U.S. Securities and Exchange Commission announced August 13 that the St. Louis-based brokerage firm Edward Jones and the former leader of its municipal bonds underwriting desk would pay over $20 million to resolve allegations that they overcharged customers in new municipal bonds sales instead of offering them at the typical initial offering price.
U.S. charges data brokers in $7 million payday loan scam. The U.S. Federal Trade Commission announced charges August 12 against Sequioa One LLC, Gen X Marketing Group LLC, and 4 suspects in a data broker operation for allegedly selling the financial information of 500,000 payday loan applicants’ to scammers, who raided bank accounts for at least $7.1 million.
Trio of regulators order big bank to pay $34M for deposit discrepancies. The U.S. Consumer Financial Protection Bureau, U.S. Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency ordered Citizens Bank to pay $20 million in fines and $14 million in restitution for failing to honor full credit for customer deposits until the fourth quarter of 2013.
SAP Security updates patch 22 vulnerabilities. SAP released patches for 22 vulnerabilities and updated four previously release patches, including a remote code execution flaw in SAP ST-P that an attacker could leverage to compromise SAP servers and access information stored on them, and a Reflected File Download (RFD) in SAP’s NetWeaver AFP Servlet that could be exploited to push malware onto victims’ devices using a specially crafted link, among other flaws.
Cisco spots attackers hijacking its networking gear by modifying firmware. Cisco reported that attackers have been conducting attacks in-the-wild in which they gain administrative or physical access to an IOS device before replacing the IOS ROMMON with a malicious ROMMON image in order to manipulate device behavior.
CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS. Security researchers reported that Lenovo bundled laptops with persistent firmware that installs the Lenovo Service Engine (LSE) software, which is vulnerable to a buffer-overflow flaw that could be exploited to gain administrator-level privileges. The LSE software is no longer included in new laptops.
Vulnerabilities identified in several WordPress plugins. Researchers from dxw Security discovered cross-site scripting (XSS) and blind Structured Query Language (SQL) vulnerabilities in WordPress’ iframe version 3.0, Yoast’s Google Analytics, and Symposium plugins for WordPress that could give some users administrative privileges.
SEC charges ITG with operating secret trading desk and misusing dark pool subscriber trading information. The U.S. Securities and Exchange Commission announced August 12 that ITG Inc., and affiliate AlterNet Securities agreed to pay $20.3 million to resolve allegations that they operated “Project Omega” an undisclosed propriety trading desk for over a year, and misused dark pool subscriber trading information.
FTC investigation finds glitch to blame in Morgan Stanley data beach. The U.S. Federal Trade Commission announced that a December 2014 data breach that compromised information of 350,000 Morgan Stanley clients occurred as a result of improperly configured data security controls, and not due to a failure on the company’s part to secure account information.
Firefox 40 patches vulnerabilities, expands malware protection. Mozilla released version 40 of its Firefox Web browser patching about 20 issues and listing four critical advisories including, buffer overflow, integer overflow, use-after-free, and memory safety vulnerabilities which can result in exploitable crashes, among others.
Blacklists miss 90% of malware blogged IP love. RecordedFuture released findings from a report revealing that over 90 percent of 1,521 recorded malicious Internet Protocol (IP) addresses linked to 2 pieces of malware and 67,563 addresses associated with a malicious executable are not identified by current popular Web blacklists, among other findings.
Microsoft, Adobe patch dozens of security vulnerabilities. Microsoft released 14 security bulletins addressing about 60 vulnerabilities affecting Windows, Internet Explorer, .NET, Office, Lync, Silverlight, and its Edge Web browser, including a privilege escalation vulnerability affecting Windows’ Mount Manager that could be leveraged via a Universal Serial Bus (USB) device, and a memory corruption flaw in Office. In a separate release, Adobe addressed 35 use-after free, integer overflow, buffer overflow, and type confusion vulnerabilities for its Flash Player that could be exploited for arbitrary code execution.
OpenSSH 7.0 fixes authentication vulnerability, other security bugs. The OpenBSD Project released version 7.0 of its Secure Shell (SSH) OpenSSH project addressing four vulnerabilities, including a keyboard-interactive authentication mechanism flaw that exposed servers to brute-force attacks, a use-after-free flaw that could allow for arbitrary code execution, and two vulnerabilities in the portable version of OpenSSH.
Nine charged in U.S. insider trading scheme involving hackers. Authorities announced indictments against 9 Ukrainian hackers and securities traders in the U.S. and Ukraine August 11, alleging that the suspects conspired and made up to $100 million by hacking into companies that publish news releases about publicly traded companies, and made trades using the information starting in February 2010. The U.S. Securities and Exchange Commission filed a related civil lawsuit alleging that the thefts generated over $100 million in illegal profits, and the case is the first example of prosecution alleging the use of hacked inside information for securities fraud.
Citigroup in US$13.5 mln settlement over defunct CSO hedge fund. Citigroup Inc., announced an agreement August 10 to pay $13.5 million to resolve allegations that the bank and its Alternative Investments affiliate deceived investors into staying in its Corporate Special Opportunities hedge fund, reporting that the fund’s portfolio was sound before liquidating it and losing most of the investment funds.
Grand jury indicts retired LAPD cop suspected as ‘Snowbird Bandit.’ A retired Los Angeles Police Department detective believed to be the robbery suspect dubbed the “Snowbird Bandit” was indicted the week of August 4, facing charges that he allegedly held up banks in Dana Point, Rancho Santa Margarita, Mission Viejo, and Ladera Ranch.
Guggenheim settles for $20 mln over not disclosing loan -SEC. The U.S. Securities and Exchange Commissioned (SEC) announced August 10 that Guggenheim Partners Investment Management LLC agreed to pay $20 million to resolve allegations that company senior officials failed to disclose a $50 million loan by a client to a senior executive to finance his personal investment in a corporate acquisition led by Guggenheim Partners LLC. The SEC also alleged that the company failed to enforce its code of ethics and improperly charged a client $6.5 million in asset management fees it did not earn.
Darkhotel APT uses Hacking Team exploit to target specific systems. Security researchers from Kaspersky Lab reported that the Darkhotel advanced persistent threat (APT) group recently started leveraging a Flash zero-day vulnerability revealed in the July Hacking Team Breach to target specific
systems, and that the group has been using a variety of techniques to attack defense industrial bases, energy policy makers, militaries, governments, electronics, pharmaceutical organizations, and medical providers in countries across Europe and Asia.
Angler EK exploits recently patched IE bug to deliver ransomware. Security researchers from FireEye discovered that the Angler exploit kit (EK) is exploiting a Microsoft Internet Explorer vulnerability uncovered in the July Hacking Team breach to deliver Cryptowall ransomware to affected systems.
Asprox botnet, a long-running nuisance, disappears. Officials from Palo Alto networks found that the Asprox botnet was apparently shut down, after observers reported last seeing the botnet distributing the Kuluoz malware in 2014.
Serialization vulnerabilities put many Android devices at risk. Security researchers from IBM discovered an Android operating system (OS) “serialization vulnerability” affecting versions 4.3 Jelly Bean through 5.1 Lollipop, related to Android’s OpenSSLX509Certificate class framework that an attacker could exploit for arbitrary code execution in applications and services, leading to privilege escalation, in which legitimate apps can be replaced with malicious apps that steal data, among other actions.
Tech firm Ubiquiti suffers $46M cyberheist. Ubiquiti Networks Inc., reported in the week of August 3 that cybercriminals stole $46.7 million from the company via a CEO fraud attack involving employee impersonation and fraudulent requests from an outside entity that targeted the company’s finance department. The company discovered the fraud on June 5 and has been working to recover the funds.
St. George businessman, others charged in new Federal fraud indictment. A St. George, Utah businessman and 4 others were charged August 7 in connection to a $300 million scheme in which the suspects allegedly set up a series of straw companies to charge customers’ credit and debit cards after firms started to fine the now-defunct iWorks online marketing enterprise for excessive chargebacks to customers.
Zynga in $23 mln settlement over alleged fraud tied to IPO. Zynga Inc., announced August 7 a settlement of $23 million to resolve allegations that the company defrauded shareholders about business prospects in the time surrounding its 2011 initial public offering by concealing declining user activity, failing to address upcoming changes in demand, and inflating its 2012 revenue forecast.
O.C. real estate executive found guilty on 11 counts in $170 million investor fraud. The owner of Irvine-based Pacific Property Assets was convicted August 7 for his role in a Ponzi scheme in which his company cost investors and banks over $193 million by soliciting investments while misleading investors and lenders as the real estate firm continued to lose up to $2 million a month.
First vulnerability found in Microsoft Edge, affects other software as well. Security researchers discovered a vulnerability in Microsoft’s Server Message Block (SMB) protocol used for local-network file-sharing impacting all versions of Windows, in which a faulty dynamic link library (DLL) could allow an attacker to extract user credentials from a closed Window domain via a man-in-the-middle (MitM) for SMB technique. The vulnerability affects Microsoft’s new Edge Web browser, as well as various software from other developers.
HTC phone stores fingerprints in easily accessible plaintext. Security researchers from FireEye discovered that several Android devices’ fingerprint scanner authorization frameworks are vulnerable to exploitation, while others store fingerprints in plaintext and fail to secure the device’s sensor.
Default WSUS configuration puts organizations at risk: researchers. Security researchers from Context Information Security revealed that configuration issues in Microsoft Windows Update and Windows Server Update Services could be exploited in a situation in which secure sockets layer (SSL) communication is not enabled and a man-in-the-middle (MitM) attacker could modify metadata to create fake updates and execute arbitrary commands.
Internal LTE/3G modems can be hacked to help malware survive OS reinstalls. Security researchers from Intel reported that an unsecure Huawei LTE/3G modem firmware update process could allow an attacker to create a malicious firmware image that could be flashed by a malicious program to re-infect the main operating system (OS) even if it is reinstalled, or could be modified to ignore future firmware updates
SDN switches aren’t hard to compromise, researcher says. Security researchers from Hellfire Security revealed that software-defined network (SDN) switches running on the Open Network Install Environment (Onie) lacked authentication, encryption, access controls and permissions, potentially enabling an attacker to install persistent malware and monitor all network traffic running through a switch.
Rush to put death records online lets anyone be ‘killed’. Security researchers at Def Con 2015 in Las Vegas revealed that flaws in online portals for submitting death and birth records could easily be exploited to create fake death and birth certificates due to a lack of authentication and credential protocols.
Google disables inline installation of Chrome extensions for deceptive developers. Google disabled inline installations for certain Chrome Web browser extension developers that the company has decided abused the feature to distribute the extensions via deceptive Web sites and advertisements, forcing redirects to extension product details on Chrome’s Web store to provide users with information before installing.
Glen Mills man pleads guilty to fraud, tax evasion. The previous owner of the former Arcadia Capital Group, Inc., pleaded guilty August 5 to a scheme in which he and others allegedly solicited almost $10 million in real estate investments, the majority of which were diverted for personal use or payments to prior investors.
Man accused of installing credit-card skimmers in Boca Raton, Delray Beach. Authorities reported August 4 that a Delray Beach man was arrested for allegedly working with a partner to plant ATM skimming devices in at least 6 Publix store locations, stealing a total of $27,774 from over 25 people.
Zero-day disclosure-to-weaponization period cut in half. Security researchers from Malwarebytes reported a trending decrease in time between the disclosure and weaponization of zero-day vulnerabilities, evident in a 50 percent drop in average weaponization times in the last 10 months, citing the fallout from the Hacking Team breach as a contributing factor.
Attackers could use Internet route hijacking to get fraudulent HTTPS certificates. Security researchers at Black Hat 2015 highlighted the threats posed by Border Gateway Protocol (BGP) hijacking attacks, also known as route leaking, in which an attacker could tailor attacks to specific geographic regions by tricking a certificate authority (CA) into issuing a valid certificate for a domain name that they do not own.
80 vulnerabilities found in iOS in 2015, 10 in Android. Secunia released findings from a report on security vulnerability trends for the first 7 months of 2015 revealing an increase of “extremely critical” and “highly critical” threats, a trending increase in zero-day exploits, and a total of 80 reported vulnerabilities in Apple’s iOS operating system (OS) versus 10 in Android devices. Researchers cited Apple’s control of its OS and patch cycle as the cause for higher number if iOS vulnerabilities.
Easily exploitable Certifi-gate bug opens Android devices to hijacking. Security researchers from Check Point’s mobile security research team discovered a set of vulnerabilities in the Android operating system (OS) dubbed “Certifi-gate” in the architecture of mobile Remote Support Tools (mRSTs) used by almost every Android device manufacturer in which an attacker can leverage hash collisions, inter-process communication (IPC) abuse, and certificate forging to gain unrestricted device access and steal personal data, track locations, and turn on microphones, among other actions.
Design flaw in Intel processors opens door to rootkits, researcher says. A security researcher from the Battelle Memorial Institute disclosed a vulnerability in the x86 processor architecture in which an attacker could install a rootkit in the processor’s System Management Mode (SMM), enabling destructive actions such as wiping the Unified Extensible Firmware Interface (UEFI) or re-infecting the operating system (OS) after a fresh install.
Updated DGA Changer malware generates fake domain stream. Researchers from Seculert published findings from a report revealing that the DGA Changer downloader malware now has the capability to generate a stream of fake domains once it determines that it is being run in a virtual environment, the first reported instance of malware generating fake domain generation algorithms (DGA).
DDoS attacks rage on, primarily impacting U.S. and Chinese entities. Kaspersky Lab released findings from its DDoS Intelligence Report Q2 2015, revealing that 77 percent of the distributed denial-of-service (DDoS) attacks from April to June impacted 10 countries, primarily the U.S. and China. The report recorded the longest attack at 205 hours, and the peak number at 1,960 May 7, attributing their popularity to the ease in which the attacks can be arranged.
BLEKey device breaks RFID physical access controls. Researchers at Black Hat 2015 released details from a number of proof of concept attacks highlighting the weaknesses in the Wiegand protocol used in radio-frequency identification (RFID) readers and other proximity card devices, which they were able exploit by using a device dubbed BLEKey to read cleartext data sent from card readers to door controllers to clone cards or send data to a mobile application that can unlock doors remotely at any time.
Family indicted on $18M fraud. A former Tennessee State Representative and his 2 sons were indicted August 5 for using their company, First American Monetary Consultants Inc., to allegedly defraud over 300 people in at least 9 States out of $18 million by encouraging customers to buy gold and silver that they never completely received.
Ex-Wilmington Trust president, 3 others are indicted over loans. The former president and chief financial officer of Wilmington Trust Co., and 2 others were indicted August 5 for allegedly concealing material amounts of past due loans and mortgages exceeding $300 million from 2009 – 2010, misleading regulators about the company’s finances.
Feds: Austin man linked to $23M worth of counterfeit money. An Austin man was indicted August 4 for role in a counterfeiting scheme in which he allegedly forged and distributed U.S. currency worth up to $23 million from March to July. Two other suspects were recently found guilty in connection to counterfeiting U.S. currency in the Austin area.
GameOver Zeus gang leader engaged in espionage: Researchers. Officials from FBI, Fox-IT, and Crowdstrike released analysis revealing that in addition to using the GameOver Zeus malware to steal about $100 million from banks, the cybercriminal ring used botnets to commit cyberespionage against various countries, including members of the Organization of the Petroleum Exporting Countries (OPEC).
Researcher hacks his way into a GlobalStar satellite. A security researcher from Synack disclosed vulnerabilities such as a lack of encryption in satellite communication protocols, and revealed that he was able to break down GlobalStar’s simplex satcom protocol to hack GlobalStar’s SPOT global-positioning system (GPS) devices. The same protocol could reportedly be used to induce panic by simulating a large-scale disaster, and could hamper emergency response.
Corporate networks can be compromised via Windows updates. Researchers from Context Information Security reported that Microsoft Windows Update can be used to attack corporate networks by leveraging improperly configured Windows Server Update Services (WSUS) implementations, allowing for fake automatic updates that can install a trojan or other malware, and could be used to grant administrator privileges with a false login.
Hacking Team brewed potent iOS poison for non-jailbroken iThings. Security researchers from FireEye released analysis of Hacking Team breached data revealing that the company had created an “iOS Remote Control System (RCS) agent” to hack into jailbroken iOS devices, as well as other methods targeting non-jailbroken devices via remotely downloaded Masque Attack apps that can execute commands and extract data from compromised devices.
Android device makers promise monthly security fixes. Google, Samsung, and LG announced plans to begin issuing monthly security patches for Android devices, citing the operating system’s (OS) increased targeting from cybercriminals. The first large update includes a patch for the Stagefright vulnerability, which can compromise a device via a specially crafted multimedia message (MMS).
Nuclear nightmare: Industrial control switches need fixing, now. Security researchers at Dragos Security discovered at least 11 vulnerabilities in control switches being used in industrial control systems (ICS) across multiple sectors that could allow an attacker to execute man-in-the-middle (MitM) attacks to cause control systems to shut down a plant or process or force an ICS into a hazardous state. Researchers believe that the attacks are being exploited in the wild, and that the vulnerabilities are made possible by poor authentication protocols and cryptographic integrity.
APT group gets selective about data it steals. Security researchers from the Dell SecureWorks Counter Threat Unit released findings from a report revealing that the Emissary Panda advanced persistent threat (APT) group has focused its efforts on a number of manufacturing, automotive, aerospace, pharmaceutical, oil and gas, defense industrial base, political, and education organizations in the U.S. and the United Kingdom, utilizing a number of tools to steal and transmit intellectual property via backdoors .
South Florida developers plundered money meant for housing poor, U.S. says. Two officers at the Miami-based Carlisle Development Group and 4 others were charged August 4 for allegedly stealing $36 million in U.S. tax credits from 14 government-subsidized low-income housing projects in Miami-Dade County by inflating construction costs of rental properties to secure higher tax credit amounts while receiving kickbacks from contractors.
Symantec patches critical vulnerabilities in Endpoint Protection. Security researchers from Code White discovered 6 vulnerabilities in Symantec Endpoint Protection (SEP) 12.1, including an authentication bypass, 3 path traversals, a privilege escalation, multiple structured query language (SQL) injections, and a high severity binary planting flaw which could allow an unauthenticated attacker to execute arbitrary commands on the SEP Manager (SEPM) server and on SEP clients running Microsoft Windows. Symantec released a patch addressing the vulnerabilities and users are urged to update their SEP installations
“Man-in-the-Cloud” attacks leverage storage services to steal data. Findings from Imperva’s latest Hacker Intelligence Initiative report revealed that attackers can abuse popular cloud storage services for command and control (C&C) communications, endpoint hacking, remote access, and data exfiltration via Man-in-the-Cloud (MITC) techniques in which they access and decrypt stored user synchronization tokens.
Man convicted in Las Vegas mortgage fraud case. An Arizona man was convicted August 3 for his role in a mortgage fraud scheme in which he and 10 others conspired to cause Federally insured banks about $25 million in losses between 2005 – 2007 by using several investment businesses to recruit straw buyers who obtained mortgage loans for 110 Las Vegas and Henderson homes that they would purchase before going into foreclosure.
SEC charges Houston-area businessman in Ponzi scheme. The U.S. Securities and Exchange Commission charged a co-owner of F.A. Voight & Associates LP and DayStar Funding LP August 3 with allegedly defrauding over 300 investors in a $114 million Ponzi scheme in which he solicited investments towards the development of a “Driver Alertness Detection System” while promising high returns, but instead used funds for Ponzi payments and personal gain funneled to a startup company through 2 other partnership companies.
Former bank trader convicted in Libor scandal. A former Citigroup and UBS trader was convicted August 3 of conspiring with two dozen traders and employees to rig the London Interbank Offered Rate (Libor) to benefit their trading positions and boost profits while working for UBS and Citigroup.
Chinese VPN used by APT actors relies on hacked servers. Security researchers at RSA analyzed a Chinese virtual private network (VPN) service dubbed “Terracotta” and found that the service has at least 31 hacked Windows server nodes worldwide in hospitality, government organizations, universities, technology services providers, and private firms. Researchers have observed compromised servers running the Gh0st Remote Administration Tool (RAT), the Mitozhan trojan, and the Liudoor Backdoor, among others
Macs can be permanently compromised via firmware worm. Security researchers discovered vulnerabilities in the firmware of Apple computers, dubbed “Thunderstrike 2,” in which a worm delivered via a phishing email or malicious Web site could spread across connected devices and systems before rewriting itself in the firmware to ensure persistence. Researchers stated that users need to re-flash the chip that contains the malware in order to get rid of the worm.
RIG Exploit Kit 3.0 succeeded in infecting 1.25 million machines. Trustwave researchers reported that version 3.0 of the RIG Exploit Kit (EK) infected an average of 27,000 machines a day, totaling 1.25 million infections, through various campaigns in which it predominantly leveraged Adobe Flash zero-day exploits exposed by a Hacking Team leak in July.
Malvertising hits Yahoo! ad network. Security researchers at Malwarebytes discovered that the Yahoo! advertising network was hit by a large malvertising attack starting July 28 that leveraged Microsoft Azure Web sites to redirect users to pages hosting the Angler exploit kit (EK) to infect systems with ransomware and possibly banking or ad-fraud malware. The attack was shut down August 3.
Zero-day vulnerability in OS X exploited in the wild. Security researchers from Malwarebytes observed attacks leveraging an unpatched local privilege escalation vulnerability in Apple’s OS X operating system (OS) in which an attacker could modify a hidden UNIX file to execute adware and other suspicious software with root permissions.
79% of companies release apps with known vulnerabilities. Prevoty released findings from a survey and report on security and application development revealing that many enterprises face challenges in releasing secure software on development schedules, and that 43 percent of respondents admitted to releasing applications with vulnerabilities at least 80 percent of the time, due to business pressures and other concerns.
WordPress 4.2.4 fixes three XSS vulnerabilities and one potential SQL injection. WordPress released an update for its content management system (CMS) addressing three cross-site scripting (XSS) vulnerabilities, a structured query language (SQL) injection, an issue that allowed attackers to lock posts indefinitely, and a timing side-channel attack vector point in which an attacker could analyze cryptographic algorithm routine execution times.
SEC charges man with microcap fraud involving shares of Cynk Technology Corp. The U.S. Securities and Exchange Commission charged a Canadian man July 31 with allegedly using straw shareholders, foreign dummy corporations, and fake corporate officers worldwide to conceal his control of shares of Cynk Technology Corp., which he intended to liquidate when the stock’s price increased.
Fake “Windows 10 Free Upgrade” emails deliver ransomware. Security researchers from Cisco’s Talos Group discovered a ransomware campaign in which attackers purporting to be from Microsoft send victims emails with a fake Windows 10 installer attached that is actually a variant of the CTB-Locker crypto-malware.
Chrome extensions can be disabled without user interaction. Security experts from Detectify Labs discovered that an attacker could disable a list of Google Chrome security extensions upon visiting a site using the “ping” attribute inside a regular link, effectively removing safeguards without the user’s knowledge. Google Chrome was notified of the vulnerability and released a patch addressing the issue.
DNS server attacks being using BIND software flaw. Security researchers from Sucuri reported that attackers have begun exploiting a denial-of-service (DoS) flaw in all versions of BIND 9 open-source Domain Name System (DNS) software that was patched the week of July 27. The company confirmed that two clients in different sectors had experienced attacks.
The leading cause of insider threats? Employee negligence. The Ponemon Institute released findings from a survey on insider information technology (IT) threats in U.S. and German firms, revealing that in addition to malicious intent, employee negligence is a significant cause of security incidents that lead to decreases in IT productivity, which can cause a company as much as $1.5 million in losses per year. The report cited long hours and multitasking as common elements leading to negligence, among other findings.
How vulnerable are the U.S. stock markets to hackers? An analysis of information security and cyber risk trends in the financial sector cited findings from a 2015 U.S. Securities and Exchange Commission Risk Alert revealing that about 88 percent of brokerages and 74 percent of financial advisers in the U.S. have suffered cyber-attacks, and that according to Congressional testimony, a major U.S. bank is attacked every 34 seconds, among other disclosures.
Cybercriminals are preying on existing vulnerabilities to plan future attacks. An analysis of cyber threats by Solutionary identified several campaigns consisting of over 600,000 events worldwide that targeted the bash vulnerability in the second quarter of 2015, and found that the U.S. was a leading source of command and control traffic and malware threats, among other findings.
Stack ranking the SSL vulnerabilities for the enterprise. Security researchers discovered an OpenSSL vulnerability dubbed “OprahSSL” in which an attacker with a legitimate end-leaf certificate could circumvent OpenSSL code validating the certificate’s purpose, and sign other certificates in order to perpetrate man-in-the-middle (MitM) attacks on Secure Sockets Layer (SSL) sessions, and ranked the severity of the flaw in relation to other SSL vulnerabilities, including Heatbleed, Early CCS, and LOGJAM.
Google fixes Chrome issue that leaked the user’s real IP from behind a VPN. Google released a Chrome Web browser extension called “WebRTC Network Limiter” to address an issue with the WebRTC protocol in which certain circumstances could reveal the real public and local Internet Protocol (IP) address of a user connected via a virtual private network (VPN).
SEC charges operators of fraud based in Upstate New York. The U.S. Securities and Exchange Commission charged 2 men and 8 companies July 30 with allegedly defrauding over 125 investors out of at least $8 million through misleading statements about company prospects, and through the sale of purported “charitable gift annuities” falsely claimed to have been backed by reputable insurance companies.
AK-47 Bandit strikes again, robs credit union in Iowa. Authorities offered a $100,000 reward for information leading to the arrest and conviction of a suspect dubbed the “AK-47 Bandit”, who allegedly robbed a credit union in Mason City Iowa July 28, shot a police officer in a robbery in California in 2012, and is linked to 4 other bank robberies in multiple States.
Investment adviser pleads guilty in $1.2B Ponzi scheme. A Florida investment adviser pleaded guilty July 29 to charges surrounding his role in a $1.2 billion Ponzi scheme that collapsed in 2009, in which he allegedly lured investors to the scheme’s mastermind through deception and false assurances. Over two dozen other suspects have been convicted in connection to the scam.
“Thin green line” scam allegedly made millions for scam artists. Authorities indicted 8 South Florida individuals who allegedly solicited about $2.4 million from over 200 investors by claiming their company, Thought Development Inc., had invented a device that generated a green laser line on football fields for easier first-down measurement, as well as a scheme in which the suspects fraudulently sold stock in a fee-based gaming serviced called Virgin Gaming.
Cisco IOS-XE update time: squash that DoS bug. Cisco released a patch for a vulnerability In its IOS-XE operating system (OS) in which an attacker could cause a denial-of-service (DoS) condition by sending a series of Internet Protocol version 4 (IPv4) or IPv6 fragments designed to trigger an error message.
More than a third of employees would sell company data. Loudhouse released results from a survey on enterprise security practices polling over 500 Internet technology (IT) decision-makers and 4,000 employees across the U.S., Europe, and Australia, revealing that 25 percent of employees polled would sell company data for less than $8,000, citing the ready access most employees have access to valuable data, among other findings.
Most malvertising attacks are hosted on news and entertainment Web sites. Bromium Labs released an analysis of malware evasion technology revealing that over 50 percent of malware is hosted on news and entertainment Web sites, and reported an 80 percent increase in new ransomware families since 2014, among other findings.
Shellshock flaw still actively exploited: Solutionary. Solutionary’s Security Engineering Research Team released findings from a report revealing that the Shellshock bug discovered in 2014 has been actively exploited by threat actors, identifying about 600,000 Shellshock-related events from over 25,000 Internet Protocol (IP) addresses, mostly in the U.S. Researchers noted that education organizations were the most targeted, among other findings.
Maliciously crafted MKV video files can be used to crash Android phones. Security researchers from Trend Micro discovered a vulnerability in the Android operating system’s (OS) mediaserver component in which an attacker could use a malformed Matroska video container (MKV) file to crash and render a device unusable.
Floridian last of 12 convicted in Texas for timeshare fraud. A Florida man was convicted July 28 for leading a $10 million timeshare scam in the U.S. and Canada in which he scammed over 5,000 timeshare owners by hiring telemarketers to solicit fees in false buying promises. Eleven other suspects have pleaded guilty in connection to the scheme.
Two sought for allegedly stealing more than $100K through fraudulent credit card accounts. Authorities reported July 28 that they are seeking the owners of the Fort Washington-based Centra-Spike heating, ventilation, and air conditioning company on charges that the pair allegedly stole $124,981 by using stolen identities of at least 8 victims to obtain fraudulent loans.
Western Union’s Paymap to pay $38.4 mln over mortgage ads. The U.S. Consumer Financial Protection Bureau reported July 28 that Paymap Inc., a unit of Western Union Co., agreed to pay $38.4 to resolve U.S. regulatory allegations that the company deceived consumers into signing up for a LoanCare LLC program that promised false savings. LoanCare LLC will pay a $100,000 civil fine, and both companies agreed not to advertise the mortgage program’s benefits without providing supporting evidence.
Russian hacker tool uses legitimate Web services to hide attacks: FireEye. Security researchers from FireEye discovered that the APT29 threat group is employing a malicious backdoor dubbed “HAMMERTOSS” that utilizes a multi-stage process involving social media, steganography, and PowerShell to hide malicious activity within legitimate network traffic. Researchers believe that the backdoor is only being deployed against critical targets, possibly as a backup in case other tools fail or are disrupted.
BIND update patches critical DoS vulnerability. The Internet Systems Consortium released updates for the popular BIND Domain Name System (DNS) software addressing a critical remotely exploitable vulnerability in the handling of TKEY recorded queries in which an attacker could use a specially crafted DNS packet to trigger a denial-of-service (DoS) condition.
Black Vine espionage group attacked aerospace, energy, healthcare industries. Security researchers from Symantec reported that the Black Vine espionage group responsible for the 2014 Anthem system breach has been active since 2012, used custom-built malware, zero-day exploits, and watering hole attacks to target organizations across the aerospace, healthcare, energy, military, defense, finance, agriculture, and technology industries, primarily in the U.S.
Microsoft admits critical .NET Framework 4.6 bug, issues workaround. Microsoft released a workaround addressing a critical codegen bug for those running 64-bit processes on .NET Framework 4.6, in which incorrect parameters could be passed, leading to unpredictable results.
Cellphones can steal data from isolated “air-gapped” computers. Researchers at the Ben-Gurion University of the Negev Cyber Security Research Center discovered a way to use central processing unit (CPU) firmware-modification software to turn an air-gapped system into a cellular transmitting antenna, making it possible for any mobile phone infected with malicious code to use GSM phone frequencies to steal data from infected air-gapped systems. Researchers recommended mitigation measures including defined “zones” where mobile phones and other devices are not allowed near at-risk air-gapped computers.
China-tied hackers that hit U.S. said to breach United Airlines. Investigators involved in a probe of a previously unreported May or June breach of United Airlines’ computer systems reported links between the hackers and the Chinese threat group that perpetrated the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from Anthem Inc., as well as at least seven other travel and health insurance organizations. Officials believe that the breach may have compromised movement data of millions of Americans and opened the airline’s systems to future disruptions and attacks.
Xen patches new virtual-machine escape vulnerability. The Xen Projected released updates for its virtualization software addressing a vulnerability in the CD-ROM drive emulation feature of the QEMU open-source hardware emulator that could allow an attacker to bypass the security barrier between virtual machines and their host operating systems (OS).
Fraud victims speak out after financial adviser indicted, arrested. Authorities unsealed indictments against the owner of Stanfill Wealth Management July 27 in Knoxville, alleging that she defrauded over 21 investors out of almost $7 million by promising to invest funds in Charles Schawb and Co., and instead diverted the money for her personal use.
One in 600 Web sites lists its .git folder, exposing sensitive data. A Web developer discovered that out of 1.5 million Web sites scanned, 2,402 had an inadvertently exposed .git folder, possibly exposing sensitive information.
Cybercriminals use Angler exploit kit to target PoS systems. Trend Micro researchers reported that cybercriminals have been utilizing the Angler exploit kit (EK) to deliver a reconnaissance trojan that detects mitigation tools before downloading one of three point-of-sale (PoS) malware payloads.
Over 10 million Web surfers possibly exposed to malvertising. Cyphort released tracking data from malicious advertisement campaigns revealing that since July 18, over 10 million people may have visited Web sites containing malicious ads which redirect visitors to directories hosting the Angler exploit kit (EK).
Darkode forum returns with enhanced security measures. MalwareTech researchers reported that the Darkode hacker forum was back online with enhanced security and authentication processes to prevent future infiltrations, after July raids by the FBI and international partners led to the shutdown of the Web site and the detainment of multiple individuals associated with it.
Apple App Store and iTunes buyers hit by zero-day. Security researchers from Vulnerability Lab published a zero-day filter bypass flaw in Apple’s online invoicing system used in its App Store and iTunes that could allow an attacker to hijack a user’s purchasing session to buy and download any app or content they want, before charging it to the original user.
Software vulnerabilities hit a record high in 2014, report says. Secunia released analysis from its Vulnerability Review 2015 revealing that the number of recorded software vulnerabilities hit a record high of 15,435 in 2014, an increase of 18 percent from the previous year, and that many organizations are too slow to release security fixes, among other findings
Phishing attacks drive spike in DNS threat. Infoblox and Internet Identity published data revealing that the Domain Name System (DNS) Threat Index jumped nearly 60 percent in the second quarter of 2015, reportedly due to a corresponding 74 percent increase in phishing and phishing domains over the same period
FBI asks public’s help identifying “Sabbatical Bandit” bank robber. FBI officials are looking for information leading to the capture of a suspect dubbed the “Sabbatical Bandit”, who allegedly robbed a Mesa bank July 18 in addition to at least 4 others since 2010.
Android Stagefright flaws put 950 million devices at risk. Security researchers at Zimperium zLabs reported that about 950 million Android devices are vulnerable to flaws in the operating system’s (OS) Stagefright media engine, in which excessive permissions could allow an attacker to send a Multimedia Messaging Service (MMS) or Google Hangouts message to trigger the vulnerability, granting system access on the affected device.
Many high-profile firms using vulnerable PHP File Manager: researcher. A security researcher identified several vulnerabilities in Revived Wire Media’s PHP File Manager application, including the existence of a default user account with backdoor access to systems running the software, lack of protection for the user database, and arbitrary file upload vulnerabilities, among other flaws. Many firms reportedly still use the application even though it has not been updated since its release in 2010 – 2011.
Over 5,000 mobile apps found performing in-app ad fraud. Security researchers from Forensiq discovered at least 5,000 mobile applications being used for mobile hijacking ad fraud worldwide that were observed affecting 12 million unique devices over a 10-day period.
Pair of bugs open Honeywell home controllers up to easy hacks. Researchers discovered vulnerabilities in Honeywell’s Tuxedo touch devices used for controlling home systems, including an authentication bypass bug that could grant access to restricted systems, and a cross-site request forgery bug that an attacker could use during an active authenticated session to execute the same commands as the user.
Retired LAPD detective arrested in series of ‘Snowbird Bandit’ bank robberies. Orange County authorities arrested a former Los Angeles Police Department detective July 23 on suspicion of being the ‘Snowbird Bandit,” who robbed at least 5 Orange County banks since March.
Four east coast men arrested in San Carlos for credit card fraud. San Mateo County officials arrested 4 suspects July 22 after deputies discovered hundreds of fraudulent gift and credit cards, equipment used to manufacture cards, and various merchandise valued at $125,000 in their vehicle. .
Discover to pay $18.5 mln over student loan allegations. U.S. regulators reported July 22 that Discover Financial Services agreed to
pay $18.5 million in penalties and consumer refunds to resolve allegations that Discover Bank overstated minimum amounts due on billing statements, took unfair actions on debt collection, and failed to provide basic student loan servicing functions.
Red Hat patches “libuser” library vulnerabilities. Red Hat patched two vulnerabilities in its “libuser” library, including a race condition flaw that could lead to a denial-of-service (DoS) condition and a bug in the chfn function of the userhelper utility that an attacker could leverage to create a DoS condition and achieve privilege escalation on the system.
Citi to shut Banamex USA, pay $140 million fine. Citigroup Inc., announced July 22 plans to liquidate subsidiary Banamex USA and pay $140 million in fines to the Federal Deposit Insurance Corporation and California’s Department of Business Oversight to resolve allegations that Banamex USA failed to comply with Federal anti-money laundering requirements and the Bank Secrecy Act.
Springfield restaurant owner and son plead guilty in multi-million dollar fraud scheme. An owner of multiple Springfield area restaurants and commercial properties and his son pleaded guilty July 22 to charges that they submitted false financial documents to Great Southern Bank in order to receive 4 commercial loans worth about $6 million in 2011.
Four zero days disclosed in internet explorer. Hewlett Packard’s Zero Day Initiative released four new remote code execution (RCE)
zero day vulnerabilities in Microsoft’s Internet Explorer, including an issue in how the browser processes arrays representing cells in Hyptertext Markup Language (HTML) tables in which an attacker could execute code under the context of the current process.
Flash zero-day monster Angler dominates exploit kit crime market. Security researchers from SophosLabs reported that the Angler exploit kit’s (EK) prevalence in the underground malware market has ballooned from about 25 – 83 percent between September 2014 and May 2015, likely due to factors including its low cost and high traffic to Angler-infected Web sites. The EK recently incorporated three Adobe Flash zero-day flaws that were exposed in the breach of Hacking Team.
Cyber poltergeist threat discovered in Internet of Stuff hubs. Security researchers from Tripwire’s Vulnerability and Exposure Research Team (VERT) discovered vulnerabilities in Internet of Things-enabled smart home hubs made by Wink, Vera, and SmartThings, that could allow an attacker to obtain root shell access on the device, provide entry points to the home network.
Smartwatches: a new open frontier for attack. Hewlett Packard released findings from an assessment of 10 smart-watches and their Android and iOS cloud and mobile application components revealing that each watch contained significant vulnerabilities, including insufficient authentication, lack of encryption, insecure software, firmware, interfaces, and privacy concerns.
Bartalex variants spotted dropping Pony, Dyre malware. Security researchers at Rackspace reported that strains of the macro-based Bartalex malware has been observed dropping Pony loader malware along with the Dyre banking trojan.
4 arrested in schemes said to be tied to JPMorgan Chase breach. U.S. and Israeli law enforcement officials arrested 4 suspects in Florida and Israel July 21 and are searching for another in connection to an illegal Bitcoin money laundering operation and a separate pump-and-dump securities manipulation scheme that allegedly netted millions of dollars, which the suspects allegedly funneled through international shell companies. Authorities are investigating the suspects’ potential roles in a 2014 cyber-attack on JPMorgan Chase that compromised the contact information of 83 million customers.
‘Snowbird Bandit’ strikes again at Rancho Santa Margarita bank. FBI officials reported that the suspect dubbed the “Snowbird Bandit,” tied to at least 3 other area robberies since June, struck a First Citizens Bank in Santa Margarita July 21.
Siemens patches vulnerabilities in SIPROTEC, SIMATIC, RuggedCom products. Siemens released updates for its SIPROTEC 4 and SIPROTEC Compact devices addressing a vulnerability in which an attacker could cause a denial-of-service (DoS) condition, a locally exploitable flaw in its SIMATIC WinCC Sm@rtClient application for Android in which an attacker could extract credentials for the Sm@rtServer, and a flaw in RuggedCom devices leaving them vulnerable to Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks in which a man-in-the-middle (MitM) attacker could extract sensitive information from encrypted communications.
It’s official: the average DDoS attack size is increasing. Arbor Networks reported analysis from Quarter 2, 2015 global distributed denial-of-service (DDoS) attack data revealing that the average size of attacks increased, and that the majority of large volumetric attacks leveraged Network Time Protocol (NDP), Simple Service Discovery Protocol (SSDP), and Domain Name System (DNS) servers for reflecting amplification, among other findings.
Researcher discloses local privilege escalation vulnerability in OS X. Security researchers from SektionEins released details on a vulnerability in Mac Operating System (OS) X in which an attacker could open or create arbitrary files owned by the root user anywhere in the file system by leveraging an environmental variable that enables error logging to arbitrary files.
Google Chrome update includes 43 security fixes. Google released an update for Chrome addressing 43 heap-buffer-overflow, use-after-free, and memory corruption vulnerabilities, among others, that could allow an attacker to take control of an affected system.
Bug exposes OpenSSH servers to brute-force password guessing attacks. Security researchers reported that OpenSSH servers with keyboard-interactive authentication enabled by default are vulnerable to unlimited authentication retries over a single connection, exposing users to brute-force password guessing attacks.
Skimming devices found at 3 ATM machines in Seminole. Seminole County authorities reported that ATM skimming devices were installed at three locations in early July, and an investigation is ongoing to locate suspects.
Configuration issue exposes 30,000 MongoDB instances: researcher. The founder of the Shodan computer search engine reported that a default listening configuration in MongoDB exposed about 30,000 database instances containing 592.2 terabytes (TB) of data
Microsoft issues critical out-of –band patch for flaw affecting all Windows versions. Microsoft released an update addressing a critical remote code execution vulnerability (RCE) with the OpenType Font Driver in the Windows Adobe Type Manager Library affecting all supported versions of Windows that was being exploited in the wild.
Study: half of critical infrastructure IT professionals believe major attack looming. Findings from a survey of over 600 critical infrastructure information technology (IT) professionals in Intel Security’s “Critical Infrastructure Readiness Report” revealed that about half of all respondents believe an attack on critical infrastructure in the next three years will down systems and lead to loss of life, and that 90 percent of respondents’ organizations faced an average of 20 attacks in the last year, among other statistics.
Canadian pleads guilty in massive U.S. penny stock fraud case. A Canadian man pleaded guilty July 17 to charging U.S. penny stock investors with $5 million in fees for nonexistent services, stemming from a related$140 million penny stock fraud operation. Nine defendants in four countries have been charged in connection to both schemes.
Three men arrested for 100+ fraudulent credit cards. Marion County, Missouri authorities charged 3 suspects with trafficking in stolen identities July 16 after discovering over 115 fraudulent credit cards and card-manufacturing equipment in their vehicle in Palmyra.
FBI: Midday Bandit strikes again in Galewood bank robbery. Authorities are searching for a suspect dubbed the “Midday Bandit” who allegedly robbed a Galewood bank in Chicago July 17 and is believed to be connected to 6 other bank robberies and 2 attempted robberies dating back to 2014.
TD Bank to pay $20 million to settle Ponzi scheme lawsuit. TD Bank agreed to pay $20 million July 17 to resolve allegations from a class action lawsuit that the bank aided a $223 million-plus Ponzi scheme run on European investors by failing to properly monitor trust accounts and investigate suspicious activity.
JPMorgan reaches $388 mln settlement in mortgage securities case. JPMorgan Chase & Co agreed to pay $388 million to settle charges brought by the Fort Worth Employees’ Retirement fund and other investors alleging that the bank misled them about the quality and safety of $10 billion worth of residential mortgage-backed securities leading up to the 2008 financial crisis.
Ashley Madison hacked, info of 37million users stolen. Hackers calling themselves “The Impact Team” reportedly accessed and stole personal information and financial records of 37 million of AvidLife’s Ashley Madison Web site as well as user databases for 2 other sites that the company owns. The hack was perpetrated in response to Avid Life’s failure to provide its offered “full delete” feature for user profiles.
Eaton patches TCP/IP stack flaw affecting controls, relays. Eaton released software updates addressing a remotely executable Transmission Control Protocal/Internet Protocol (TCP/IP) stack vulnerability in its Cooper Power Series Form 6 recloser control and Idea/IdeaPLUS relay protection platforms that could allow an attacker to launch man-in-the-middle (MitM) attacks and execute arbitrary code or crash systems connected to the Internet.
CVS investigating possible payment card breach, shuts down photo Web site. CVS reported that the company had shut down its CVSPhoto.com Web site while it investigated a possible payment card beach of the independent vendor that manages and hosts the site, PNI Digital Media. Company officials confirmed that purchases made in-store and on other CVS Web pages are not affected.
‘Cal Bear Bandit’ pleads guilty to bank robberies in Westminster. The suspect dubbed the “Cal Bear Bandit” pleaded guilty July 16 to charges surrounding 8 bank robberies across Orange County dating back to August 2014.
Medford police arrest man possibly connected to ATM skimming ring. Police in Medford, Massachusetts arrested a suspect July 15 believed to be connected to a ring of Romanian ATM skimmers that have stolen over $1 million from Bank of America. The suspect allegedly stole over $100,000 from the bank and is linked to 4 other cases in Massachusetts.
BMO Harris settles Ponzi scheme lawsuit for $16 million. BMO Harris Bank agreed to pay $16 million July 16 in a settlement with Palm Beach Finance Partners LP and Palm Beach Finance II LP, resolving allegations that its subsidiary, M&I Bank, was complicit in a Ponzi scheme run by a Minnesota businessman that cost investors billions of dollars.
California payment processing company owner pleads guilty to fraud. The owner of California-based Check Site Inc., pleaded guilty July 16 to charges that he used his company to assist at least two fraudulent payday loan merchants who used consumer information to withdraw millions of dollars from consumer accounts without their knowledge by knowingly processing the transactions, and by providing the merchants access to the banking system via remotely created checks (RCC).
Nearly all Web sites have serious security vulnerabilities. Acunetix released a report on 15,000 Web site and network scans of 5,500 companies revealing that almost half of Web applications scanned contained high security vulnerabilities, and 4 of 5 were affected by medium security vulnerabilities, plying that most organizations fail to comply with the Payment Card Industry Data Security Standard (PCI DSS), among other findings.
New GamaPoS malware targets U.S. companies. Security researchers from Trend Micro reported that the operators are using the Andromeda botnet to deliver a new point-of-sale (PoS) malware called GamaPoS that scrapes data via Microsoft’s .NET platform, to U.S. financial, information technology, supply, hospitality, and retail organizations nationally, among others.
TotoLink routers plagued by XSS, CSRF, RCE bugs. Security researchers reported that 15 TotoLink routers contain backdoor credentials, multiple remote code execution flaws that could allow an attacker to bypass administrator authentication and execute commands, and cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities that could allow an attacker to change router network configuration settings.
ATM skimmer use discovered at 7th Wichita bank. Home Bank & Trust Co., officials reported that an ATM skimming device was used at a Wichita location, bringing the total number of skimmers found in Wichita in July to seven.
Santa Ana man suspected of being “Big A Bandit’ is arrested. FBI officials reported July 15 that authorities had arrested a suspect believed to be the “Big A Bandit” responsible for robbing 3 banks in Anaheim, Fullerton, and La Habra.
Security support ends for remaining Windows XP machines. Microsoft ended security support for Microsoft Security Essentials customers running Windows XP as part of its July Patch Tuesday roll-out, and released security advisories for a patched race condition flaw in the Malicious Software Removal Tool (MSRT) allowing for privilege escalation, as well as an update enhancing use of Data Encryption Standard (DES) encryption keys.
Siemens patches authentication bypass bug in telecontrol product. Siemens released a firmware update for its SICAM MIC modular telecontrol devices addressing an authentication bypass vulnerability in which an attacker with network access to the device’s web interface could bypass authentication and perform administrative operations.
Thunder-faced Mozilla lifts Flash Firefox block after 0-days plugged. Mozilla lifted a block on all versions of Adobe Flash in its Firefox Web browser after Adobe released cross-platform updates addressing two zero-day vulnerabilities that were revealed in a recent breach of the Italian surveillance company, Hacking Team.
Vulnerability exposes Cisco Videoscape devices to DoS attacks. Cisco released an advisory warning of a security bug in its Videoscape Distribution Suite for Internet Streaming (VDS-IS) and VDS Service Broker products in which an unauthenticated remote attacker could cause a denial-of-service (DoS) condition by sending specially crafted Hypertext Transfer Protocol (HTTP) packets to trigger device instability.
New RC4 attack dramatically reduces cookie decryption time. Belgian security researchers discovered biases in the Rivest Cipher 4 (RC4) encryption algorithm that could lead to attacks breaking encryption on websites running transport layer security (TLS) with RC4 and Wi-Fi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP) to perform actions under a victim’s name or gain access to personal information.
Three plead guilty in $64M mortgage fraud scheme. Three suspects pleaded guilty July 14 to their roles in a $64 million mortgage fraud scheme in which Great Country Mortgage Bankers employees targeted first-time, low-income, and poor-credit buyers with U.S. Federal Housing Administration loans which they would obtain with falsified documents, before selling them at a profit. Twenty-five have pleaded guilty in connection with the scheme.
SEC Charges 34 defendants in microcap market manipulation schemes. The U.S. Securities and Exchange Commission charged 15 individuals and 19 entities July 14 for allegedly attempting to manipulate the trading of microcap stocks by acting as unregistered broker-dealers for customers wanting to hide their stock ownership and manipulate the microcap market.
Darkode computer hacking forum shuts after investigation spanning 20 countries. U.S. authorities filed hacking charges against 12 suspects affiliated with the Darkode hacker Web forum after the FBI and law enforcement organizations from 20 countries shut down the site and arrested or searched 70 Darkode members worldwide. The Web site allowed hackers to share technology and tradecraft used to infect computers and wireless devices of victims.
Hacking Team malware hides in UEFI BIOS to survive PC reinstalls. Security researchers from Trend Micro discovered that Hacking Team ensured surveillance malware persistence on systems by using Unified Extensible Firmware Interface (UEFI) Basic Input/Output System (BIOS) rootkit to re-install the malware every time it was deleted from the system.
Oracle patches Java zero-day, 192 other security bugs. Oracle released updates addressing 193 security issues across multiple product lines, including a Java remote code execution vulnerability that was exploited by the advanced persistent threat (APT) group Pawn Storm, 54 flaws in third-party components in Oracle product distributions, and 23 vulnerabilities in Java SE that can be exploited remotely by an unauthenticated attacker, among other fixes.
TeslaCrypt 2.0 makes it impossible to decrypt affected files. Security researchers at Kaspersky Lab discovered that recent TeslaCrypt version 2.0 ransomware infections display a Cryptowall 3.0 Web page, possibly in an attempt to convince victims that the malware uses more robust encryption than it actually does.
HTML5 can be used to hide malware in drive-by download attacks. Italian security researchers discovered that Hypertext Markup Language 5 (HTML5)-based obfuscation techniques could be used to hide malware in drive-by download exploits using HTML technologies and application program interfaces (API).
Microsoft patches Hacking Team zero-days, other vulnerabilities. Microsoft released 14 bulletins addressing vulnerabilities in Windows, Office, SQL Server, and Internet Explorer, including a zero-day Jscript 9 use-after-free memory corruption bug in Internet Explorer 11 and a memory corruption flaw in the Adobe Type Manager Font Driver that could both allow an attacker to take complete control of a vulnerable system, as well as a remote code execution flaw affecting the Remote Desktop Protocol (RDP).
More ATM skimmers found in Wichita, at three Intrust Bank locations. Bank and police officials confirmed July 12 that ATM skimming devices were discovered at six Sunflower, INTRUST, and Fidelity Bank locations in Wichita and two Sunflower Bank locations in Salina in July. Authorities believe the suspects are part of an organized gang.
Naples man pleads guilty to $7M wire fraud scheme. A Naples man pleaded guilty July 13 to an investment fraud scheme in which he allegedly used false assurances and fake documentation to solicit over $7 million from about 96 investors, which he used to pay other investors and diverted for personal expenses.
Ex-NY Assembly speaker’s son-in-law admits to defrauding investors. The co-owner of New York-based Allese Capital LLC pleaded guilty July 13 to operating a Ponzi scheme in which he allegedly defrauded investors out of almost $6 million from 2007 – 2014 by soliciting securities investments, only a portion of which he actually invested, while using the rest to repay other investors and for personal expenses.
Flash Player update patches two Hacking Team zero days. Adobe released patches addressing two critical use-after-free vulnerabilities in ActionScript 3 revealed in data dumped from a recent breach of the Italian surveillance software company Hacking Team. Both flaws allowed an attacker to use a Web site hosting the exploit to completely take over an affected system.
Kaseya patches two bugs in VSA IT management platform. Kaseya patched two flaws in its VSA IT management platform, including open redirect vulnerability in which an unauthenticated attacker could redirect users to sites with malicious content, and a path traversal bug in which an authenticated attacker could use a specially crafted Hyptertext Transfer Protocol (HTTP) request to traverse directories and download arbitrary files.
Police: men use backhoe to steal ATM at Winter Haven bank. Winter Haven, Florida police charged two Clewiston men with grand theft after the pair allegedly used a backhoe to steal an ATM machine from a CenterState Bank July 10.
Grand jury indicts 11 for making credit cards at Las Vegas hotels. Las Vegas prosecutors reported July 10 that 11 suspects were indicted for a year-long credit card scheme operated out of casino hotels in which they allegedly used stolen information to manufacture thousands of credit cards that they would use for thousands of fraudulent transactions.
Ex-Patriot indicted for alleged Ponzi scheme. A former professional football player and a business partner were indicted July 10 for their roles in an alleged Ponzi scheme in which they used their company, Capital Financial Partners LLC, to solicit $32 million from over 40 investors to fund high-interest, short-term loans to athletes, from which they would use new investors’ funds to pay off earlier ones while diverting a portion for their personal use.
APT group uses Seaduke trojan to steal data from high-value targets. Security researchers from Symantec released an analysis of the highly-configurable Seaduke trojan used by an advanced persistent threat (APT) group known for cyber-espionage attacks against high-value targets including government organizations. The report revealed that the trojan is installed onto select systems through the CozyDuke trojan, and that it shares similarities with other “Duke” malware.
Java zero-day used in attacks on NATO member, U.S. defense organization. Security researchers at Trend Micro reported that the cyber-espionage group with monikers including Pawn Storm and APT28 was using a Java Oracle SE zero-day remote code execution vulnerability in attacks directed against the armed forces of a NATO member country as well as a U.S. defense organization by sending out emails containing links to malicious domains containing the exploit and a trojan dropper.
Two new Flash Player zero-day bugs found in Hacking Team leak. Security researchers discovered exploits for two additional Adobe Flash Player zero-day vulnerabilities in the recent Hacking Team data leak, including a flaw in the DisplayObject class in ActionScript 3, and a use-after-free (UAF) vulnerability in the ActionScript3 BitmapData object. Both vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.
‘Dropout Bandit’ sought in 3 NorCal bank robberies. The FBI is searching for a suspect dubbed the ‘Dropout Bandit’ who allegedly robbed at least 3 Schools Credit Union branches in Sacramento since March.
‘Sock Hat Bandit’ indicted for bank robberies during two month period. A Dayton man dubbed the “Sock Hat Bandit” was indicted July 9 for three robberies at the Hebron U.S. Bank, Bellevue Fifth Third Bank, and Independence Fifth Third Bank in Kentucky between May – June, while authorities continue to investigate his role in at least six more robberies across Ohio and Indiana in the two-month span.
Adviser, racer convicted in fraud case. A former financial adviser and a retired professional race car driver were convicted July 9 of stealing over $30 million from investors over 10 years by falsely promising investments, including land development in Hawaii and a credit card company in Arizona, and that the men used holding companies to divert funds for personal expenses.
Chinese APT group uses Hacking Team’s Flash Player exploit. Security researchers from Volexity reported that the Wekby advanced persistent threat group (APT), also known as APT 18, Dynamite Panda, and TG-0416, was leveraging an Adobe Flash Player exploit revealed through the July breach of the software company Hacking Team by sending spear-phishing emails purporting to be from Adobe which directed users to download a compromised Flash Player file containing malware.
VMware fixes host privilege escalation bug in Workstation, Player, Horizon View. VMware issued patches addressing a privilege escalation vulnerability in the company’s Workstation, Player, and Horizon View Client for Microsoft Windows in which an attacker could leverage a lack of a discretionary access control list (DACL) in a process to elevate privileges and execute code.
Estonian man pleads guilty to role in DNSChanger botnet scheme. The alleged mastermind of an Estonian-based international cyber fraud group pleaded guilty to his role in a 2007 – 2011 operation dubbed “Ghost Click” in which he and co-conspirators installed the DNSChanger trojan on 4 million computers in over 100 countries and collected over $14 million through clickjacking and ad fraud via the malware.
Hacking Team claims terrorists can now use its tools. The Italian security company Hacking Team warned July 8 that the release of 400 gigabytes (GB) of internal data in a July 5 breach of its systems represented an “extremely dangerous” situation and that terrorists and other threat actors could potentially leverage available code to deploy software against any target.
NYSE shut down for nearly four hours by technical glitch. The New York Stock Exchange (NYSE) suspended trading for almost four hours July 8 due to an internal technical issue. Other exchanges traded normally, and the trading of NYSE-listed stocks was unaffected.
Las Vegas exec bilked Japanese victims in $1.5 bln Ponzi scheme- Justice Dept. U.S. Department of Justice officials reported that the former owner of Las Vegas-based MRI International Inc., and 2 Japanese associates were indicted July 8 for allegedly running a $1.5 billion Ponzi scheme targeting Japanese citizens between 2009 – 2013 by promising to buy accounts receivable form medical companies at a discount and to recoup the value later, when instead the defendants used investments to repay earlier investors while diverting funds to themselves.
APT-style evasion techniques spotted in “Kofer” ransomware campaign. Security researchers from Cybereason discovered a ransomware campaign primarily targeting European users dubbed “Operation Kofer” that is mimicking advanced persistent threat (APT) operations by continuously generating new variants of the same malware to evade detection, among other anti-detection techniques.
Despite warnings, majority of firms still run some Windows Server 2003. Softchoice released findings from a June report covering 200 enterprise data centers comprised of over 90,000 servers revealing that all but 7 percent of enterprises still used Microsoft Windows Server 2003, exposing companies to security, compliance, and operational risks as support for the platform is set to end July 14.
Bug in Android ADB backup system can allow injection of malicious apps. Security researchers discovered a severe vulnerability in all versions of the Android debug bridge (ADB) in which an attacker could inject a malicious Android application package (APK) file via the BackupAgent, which does not require Android permissions and does not filter the data stream returned by applications.
OpenSSL patches serious certificate forgery vulnerability. OpenSSL developers released patches for a high severity alternative chain certificate forgery flaw, in which an attacker could bypass untrusted certificate checks and issue invalid certificates. The vulnerability affects versions 1.0.1n and 1.0.2b.
FBI hunts suspected serial bank robber dubbed ‘Filter Bandit’. The FBI announced a $5,000 reward for information leading to the arrest of a suspect dubbed the “Filter Bandit,” who allegedly stole over $60,000 from 7 banks in Broward County since August 2014, ending with the robbery of a BB&T Bank June 16 in Davie
Firms accused of faking loans, draining bank accounts settle with Feds. U.S. Federal Trade Commission officials announced $54 million in settlements July 7 with 14 companies owned by 2 Johnson County, Missouri men to resolve charges that the men allegedly used personal data from short-term payday loan Web sites in conjunction with “lead generators” to take out loans for people without their permission, and that they produced phony loan documentation, misstated loan terms, and misrepresented the transactions to banks.
Bank vice president stole $5.3M in scheme. A former M&T Bank vice president from Williamsville, New York pleaded guilty July 7 to a $5.3 million loan scheme in which he created at least 12 “funding loans” in the name of credit-worthy entities, which he then distributed to customers of his choosing.
Cybercriminal group spying on U.S., European businesses for profit. Symantec reported that a cybercriminal group dubbed Morpho that was known for hacking Apple, Microsoft, Facebook, and Twitter, has extended its cyber-espionage to hit research-and-development related computer systems in 49 different multi-billion dollar pharmaceutical, software, Internet, oil, and metal mining commodities organizations across 20 countries, with the majority being in the U.S. Researchers believe the group has U.S. ties and is run by an organized crime ring.
Hacker search engine becomes the new Internet of Things search engine. The developer of the Shodan Internet device search engine reported that the search engine exposes the systemic vulnerabilities present in consumer-grade Internet of Things hubs due to a poor security posture, where many hubs still use default passwords and have telnet enabled. Once compromised attackers could leverage hubs to monitor sensor data or determine if someone is home
Adobe patches Hacking Team’s Flash Player zero-day. Adobe released an emergency update for its Flash Player to address a zero-day vulnerability in the ActionScript 3 ByteArray class, which could allow a remote, unauthenticated attacker to execute arbitrary code. The vulnerability was exposed after hackers breached and dumped corporate information of the Hacking Team surveillance software company.
ANTlabs patches vulnerabilities in gateway products. ANTlabs released patches for several of its gateway products addressing a Structured Query Language (SQL) injection flaw in the default login page in which a remote attacker could execute arbitrary queries, and a cross-site scripting (XSS) vulnerability in the admin login page that could allow an attacker to obtain login credentials from the administrator panel.
Zero-day exploits leaked in Hacking Team breach. Security researchers from Trend Micro and Symantec reported that data from a recently confirmed Hacking Team breach contained several zero-day vulnerabilities and exploits, including a use-after-free (UAF) flaw affecting Adobe Flash Player versions 9 and later on Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari, and a Microsoft Windows kernel vulnerability.
Microsoft security tool fails malware detection test. AV Test released results from a recent experiment revealing that Microsoft Security Essentials performed the worst out of 11 tested antivirus products, only detecting 87 percent of malware in real-time tests, when the others were all at least 95 percent effective.
Crypto leaders: “exceptional access” will undo security. Cryptography experts released a report warning of the long term economic and security risks associated with “exceptional access,” a U.S. government initiative to maintain access to cryptographic keys to secure information over the Internet primarily for law enforcement use.
Hackers targeting users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander. Security researchers from Bitdefender warned of a malicious phishing scheme targeting financial users of banks worldwide, including Bank of America, Citibank, Wells Fargo, JP Morgan Chase, and PayPal in the U.S., in which spam servers are distributing emails directing users to download an archive containing a downloader for the Dyreza banking trojan. The three-day campaign has so far distributed 19,000 emails worldwide.
SEC charges oil company and CEO in scheme targeting Chinese-Americans and EB-5 investors. The U.S. Securities and Exchange Commission charged San Francisco-based Luca International Group July 6 and its chief executive officer with running a $68 million Ponzi-like scheme in which the company allegedly falsely portrayed itself to targeted Chinese-American investors in California as well as Chinese citizens through the EB-5 Immigrant Investor Program, and diverted investor funds to personal uses and profit repayments.
Flaw allows hijacking of professional surveillance AirLive cameras. Engineers from Core Security discovered vulnerabilities in AirLive’s surveillance cameras in which an attacker could invoke computer-generated imagery (CGI) files without authentication or utilize backdoor accounts to execute arbitrary operating system commands, possibly allowing the attacker to see camera’s transmission stream and compromise network devices.
Fraudulent BatteryBot Pro app yanked from Google Play. Google pulled a malicious spoof of the Android BatteryBot Pro app from its Play service after Zscaler researchers discovered that the app requested excessive permissions from users in an attempt to gain full control of affected devices, supposedly to download and install other malicious Android packages and profit from click fraud, ad fraud, and SMS fraud. Once the app is granted admin privileges, it is impossible to uninstall.
Old MS Office feature can be exploited to deliver, execute malware. A researcher reported a vulnerability in Microsoft Office in which its Object Linking and Embedding (OLE) Packager could be leveraged to deliver malicious executable files embedded in Office documents without triggering security software.
Fullerton ‘Bandit’ linked to six bank robberies in Orange County. FBI officials are searching for a suspect dubbed the “Big A Bandit” who allegedly robbed a Bank of the West in Fullerton, California July 2 and is believed to be linked to 5 other Orange County bank robberies since 2013.
Developers accused in $16M mortgage fraud. Two Glenview real estate developers and 4 alleged co-conspirators were indicted July 1 on charges alleging that they caused over $16 million in losses to banks, mortgage lenders, Fannie Mae, and Freddie Mac by falsely promoting condominiums at “The Woods at Countryside” in Palatine by promising impossible financial incentives, and that they conspired to conceal and misrepresent facts from banks and mortgage lenders to approve nonconforming loans.
NYPD: 17 charged in counterfeit credit card scheme. New York Police Department officials reported July 2 that 17 suspects were charged in connection with an alleged credit card counterfeiting ring that used stolen debit and credit card information to encode blank cards, which would be used to purchase items in New York City stores.
KINS malware toolkit leaked online. Security researchers from MalwareMustDie reported that version 2.0 of the KINS banking trojan toolkit was leaked and widely distributed on the Internet, and that the malware’s developers have integrated ZeusVM banking trojan technology in the newest release, including the use of stenography to conceal configuration data.
Govt supplier of surveillance software gets hacked, 400GB of data leaked. The Italian surveillance software company, Hacking Team reported that its systems were hacked, and 400 gigabytes of corporate data was leaked to the public. The company developed products for government agencies worldwide, including the U.S. Drug Enforcement Agency and the FBI.
Matsnu backdoor uses RSA crypto on exfiltrated data. Security researchers from Check Point discovered malware dubbed Matsnu, also known as Androm backdoor and Boxed.DQH, which acts as a backdoor on compromised machines, and sends Rivest-Shamir-Andleman (RSA)-encrypted user and system information back to a command and control (C&C) server.
TYPO3 Enterprise CMS update adds 7 security fixes. TYPO3 released an update for its Enterprise Content Management System (CMS) addressing 7 security fixes for cross-site scripting (XSS) and authentication vulnerabilities, as well as the addition of login protection against brute-force attacks.
Dungarees Web site hacked, card information exposed. Dungaree reported that the company’s Web site had been hacked, and that customers who placed orders from March 26 – June 5 may have had their card-related data compromised, including card verification values (CVV). Dungaree secured the Web site and is offering identity theft protection services to affected customers.
Mozilla patches critical vulnerabilities with release of Firefox 39. Mozilla released version 39 of Firefox addressing 24 issues, including 3 use-after-free vulnerabilities, 7 critical uninitialized memory, buffer overflow, unowned memory, poor validation issues, 3 critical memory safety browser engine bugs, and high-severity privilege escalation, and type confusion flaws.
Ad fraud trojan Kovter patches Flash player, IE to keep other malware out. A security researcher from Kafeine reported that the Kovter ad fraud trojan has been updating Adobe Flash Player and Microsoft Internet Explorer on infected systems in an effort to exclude other malware platforms.
SEC charges former stockbroker with conducting Ponzi scheme. The U.S. Securities and Exchange Commission charged a former stockbroker in Pennsylvania July 1 with conducting a Ponzi scheme in which he allegedly raised $15.5 million from over 50 investors by selling fraudulent certificates of deposit (CDs) to customers while promising higher-than-normal interest rates of return, before spending invested funds on himself or to repay earlier investors.
North Miss. bank robbery suspect had gun, pipe bomb. Saltillo, Mississippi Police Department officials reported July 1 that they arrested a man suspected of robbing a First American National Bank with a firearm and a pipe bomb. A local bomb squad responded and closed the area surrounding the bank.
Cisco UCDM platform ships with default, static password. Cisco warned customers that its Unified Communications Domain Manager Platform software versions prior to 4.4.5 have a default, static password for an account with root privileges, possibly allowing an unauthenticated remote attacker to take full control of an affected system with root privileges.
GhostShell hackers reveal 548 targets, links to dumps. Hackers associated with GhostShell released a list of 548 compromised targets including government, educational, and retail sector Web sites along with links to previews of extracted data in an effort to reportedly draw attention to poor cybersecurity practices. The data contained contact information, dates of birth, and hashed and plain text passwords.
PCI Council updates Point-to-Point Encryption Standard. The Payment Card Industry Security Standards Council (PCI SSC) announced the release of Version 2.0 of its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures, updating requirements for encryption products and giving merchants the option to manage their own encryption solutions for point-of-sale (PoS) locations, among other changes intended to enhance security and PCI SSC compliance.
LifeLock patches XSS that could’ve led to phishing. LifeLock patched a cross-site scripting (XSS) vulnerability on its Web site that could have allowed an attacker to inject HyperText Markup Language (HTML) into the site’s uniform resource locator (URL) to create a fake login page to harvest usernames and passwords from customers.
Flaw in 802.11n standard exposes wireless networks to attacks: researchers. Security researchers in Belgium discovered a vulnerability in the frame aggregation mechanism in the 802.11n wireless networking standard in which an attacker could use a Packet-in-Packet (PIP) technique to inject arbitrary frames into wireless networks, allowing access to internal services.
4,900 new Android malware strains discovered every day. Security researchers from G DATA reported that they discovered 440,267 new Android malware strains in the first quarter of 2015, and that at least 50 percent of the malware currently being distributed includes banking trojans and SMS trojans for financial motivations, among other findings.
Schneider Electric’s Wonderware products receive security patch. Schneider Electric released a patch addressing a high-severity security vulnerability in its InTouch, Application Server, Historian, and SuiteLink applications in the Wonderware System Platform in which an attacker could leverage dynamic link library (DLL) hijacking to run code on an affected machine.
Patched Apple Quicktime vulnerability details disclosed. Security researchers from Cisco released details on a recently patched use-after-free vulnerability in Apple’s QuickTime media player in which an attacker could access and control data inside the internal data in a QuickTime file to remotely execute code on a targeted system.
Goldman settles SEC charges over 2013 trading incident. Goldman Sachs Group Inc., agreed to pay $7 million June 30 to resolve U.S. Securities and Exchange Commission charges connected to the “market access” rule, and a 2013 programming error which flooded the stock options market with about 16,000 erroneous orders, causing 1.5 million options contracts to be executed and costing the company $38 million.
Attackers abuse RIPv1 Protocol for DDoS reflection: Akami. Security researchers from Akami discovered that malicious actors have been leveraging routers running Routing Information Protocol version 1 (RIPv1) to reflect distributed denial-of-service (DDoS) attacks by creating malicious requests for routes and then spoofing the source Internet protocol (IP) address to match the one of the targeted system.
iOS 8.4 fixes 33 security vulnerabilities. Apple released iOS version 8.4 addressing 33 security vulnerabilities, including a fix for the Logjam flaw that allows a man-in-the-middle (MitM) attacker to downgrade cryptographic security, and other protection against potential arbitrary code execution.
Researchers expose attack on iOS that can break system apps. Security researchers from FireEye reported two Apple iOS flaws, dubbed Manifest Masque and Extension Masque, in which an attacker could break or replace system apps and extensions on an affected device by taking advantage of apps created in Xcode outside of Apple’s App Store. The vulnerabilities behind Manifest Masque attacks were partially addressed in the release of iOS 8.4.
ESET analyzes complex espionage platform used by “Animal Farm” APT. ESET released research on the Dino cyber-espionage platform used by the “Animal Farm” advanced persistent threat (APT) group revealing that Dino is capable of retrieving information, executing Microsoft Windows batch commands, searching for files, and transferring files back and forth between a command and control (C&C) server. Researchers have not determined the tool’s initial infection vector.
2 downtown Springfield banks robbed, 3 suspicious packages left behind: Springfield officials are investigating two bank robberies at a United Bank and a Bank of America in Springfield, Massachusetts, after a suspect allegedly left three suspicious packages and stole cash June 29.
Dridex is the most prevalent banking malware in the corporate sector: SecurityScorecard released findings from a report revealing that the Dridex banking trojan was the most prevalent malware found in corporate environments from January – May, primarily targeting the manufacturing and retail sectors, followed by the Beloh and Tinba trojans, which targeted telecommunications and technologies companies.
Yahoo patches SSRF vulnerability in image processing system: researcher: A security researcher reported that Yahoo patched a server-side request forgery (SSRF) vulnerability affecting all of its services that required images to be processed in which an attacker could use the vulnerability to bypass controls and access data on the affected system.
Many organizations using Oracle PeopleSoft vulnerable to attacks: report: ERPScan released findings from a report revealing that Oracle’s PeopleSoft contained several vulnerabilities including information disclosure, extensible markup language external entity (XXE), cross-site scripting (XSS), and authentication bypass flaws as well as configuration-related issues that could allow an attacker to breach PeopleSoft systems connected to the Internet.