Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive claiming to be from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could contain a virus or malware.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
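One concrete way to act on the advice above in a mail gateway or a mail client rule is to screen the From header for senders that claim to be one of the organizations listed. The following is an added example and is not part of this notice; the organization names come from the notice, while the domain list (fdic.gov, ffiec.gov, nacha.org, epcor.org, federalreserve.gov, bbb.org) and the sample messages are assumptions made for illustration.

```python
"""Screen the From header of inbound mail for senders that claim to be one of
the organizations named in the notice above.

Added example; not part of the original notice.  The organization names come
from the notice, the domains are assumed for illustration, and the sample
messages are constructed.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Organization -> domains we ASSUME it legitimately sends from.  Because the
# notice says none of them send unsolicited mail to customers, even a match on
# the real domain is flagged for review rather than passed through.
CLAIMED_ORGS = {
    "fdic": ("fdic.gov",),
    "ffiec": ("ffiec.gov",),
    "nacha": ("nacha.org",),
    "epcor": ("epcor.org",),
    "federal reserve": ("federalreserve.gov",),
    "better business bureau": ("bbb.org",),
    "bbb": ("bbb.org",),
}


def claimed_org(display_name, domain):
    """Return the organization a sender appears to be, or None.

    The display name is matched on whole words ("FDIC Alerts"); the domain is
    matched on the squeezed name so "fdic-secure.example" is caught too.
    """
    name = display_name.lower()
    for org in CLAIMED_ORGS:
        if re.search(r"\b" + re.escape(org) + r"\b", name):
            return org
        if org.replace(" ", "") in domain:
            return org
    return None


def at_domain(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def screen_from_header(raw_headers):
    """Classify one message by its From header.

    "spoofed"     - an org is claimed but the address is not at its domain
    "unsolicited" - the address is at the org's domain; still suspicious here
    "ok"          - no listed organization is claimed
    """
    msg = HeaderParser().parsestr(raw_headers)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    org = claimed_org(display, domain)
    if org is None:
        return "ok"
    if at_domain(domain, CLAIMED_ORGS[org]):
        return "unsolicited"
    return "spoofed"


# Constructed sample headers (domains are reserved documentation names).
SAMPLE_MESSAGES = {
    "display_name_spoof": (
        "From: FDIC Deposit Insurance <alerts@secure-verify.example>\n"
        "Subject: Your account has been suspended\n"
    ),
    "lookalike_domain": (
        "From: Notifications <no-reply@nacha-payments.example>\n"
        "Subject: ACH transfer rejected\n"
    ),
    "real_domain_unsolicited": (
        "From: Federal Reserve <news@federalreserve.gov>\n"
        "Subject: Action required on your account\n"
    ),
    "ordinary": (
        "From: Jane Doe <jane@example.com>\n"
        "Subject: Lunch on Friday?\n"
    ),
}


def screen_samples():
    """Run the screen over the constructed samples; returns {name: verdict}."""
    return {name: screen_from_header(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, verdict in screen_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The rule deliberately flags mail from the organizations' own domains as well: the notice's point is that none of them contact customers this way, so a correctly delivered message still warrants a call to the bank rather than a click.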

Online Shopping Tips for Consumers (linked article).

ATM and gas pump skimming information (linked article).

9/23/16

Card skimmers found at 3 Kenosha ATMs. Wisconsin authorities are searching September 21 for 2 men suspected of installing card skimmers on ATMs at 3 banks in Kenosha, including a North Shore Bank branch and 2 TruStone Financial Federal Credit Union locations. Officials stated the duo also allegedly installed cameras on the ATMs in order to capture bank customers’ PINs.

Connecticut man admits conspiring to conceal income in undeclared Panamanian bank account. A Weston, Connecticut resident pleaded guilty September 21 to concealing over $1.5 million in income from the U.S. Internal Revenue Service after he and co-conspirators allegedly hid profits from duty-free alcohol and tobacco sales in an undeclared bank account in Panama from 2006 – 2012. The charges allege that the defendant used a registered Panamanian corporation, Centennial Group, to purchase and sell the duty-free products, shipped the alcohol via a warehouse in Florida and the tobacco products through a warehouse in New Jersey, and used the illicit proceeds for personal expenses.

Flaws in Cisco Cloud Services Platform allow command execution. Cisco notified its customers that its Cloud Services Platform (CSP) 2100 version 2.0 was plagued with two vulnerabilities, one of which is a critical vulnerability caused by insufficient sanitization of user input that could allow an unauthenticated attacker to remotely execute arbitrary commands on the operating system with root privileges. Cisco reported the second vulnerability could allow an unauthenticated attacker to execute arbitrary code on a targeted system remotely by sending a malicious “dnslookup” request.

Restriction bypass, XSS flaws patched in Drupal 8. The developers of the Drupal content management system (CMS) released versions 8.1.10 and 8.2.0-rc2 patching three serious vulnerabilities: two restriction bypass issues and one cross-site scripting (XSS) flaw. Researchers found that inadequate sanitization in Hypertext Transfer Protocol (HTTP) exception output lets an attacker execute arbitrary script in a victim’s browser when the targeted user opens a maliciously crafted Uniform Resource Locator (URL). Drupal developers also patched a critical vulnerability in the feature that lets users export their site’s configuration to a file, which could allow an attacker to download full configuration exports without administrative privileges.

Firefox 49 patches critical, high severity vulnerabilities. Mozilla released Firefox 49 resolving several critical vulnerabilities, including multiple memory safety bugs that could be exploited to execute arbitrary code. The release also fixes a high-severity certificate pinning flaw, caused by errors in the process Mozilla uses to update its preloaded public key pins, that could allow a man-in-the-middle (MitM) attacker to replace legitimate add-on updates with malicious versions and execute arbitrary code on a targeted system, among other vulnerabilities.

9/22/16

Security bug lets hackers steal Monero, today’s 2nd most popular cryptocurrency. A security researcher at MWR Labs discovered that Monero’s Simplewallet tool was affected by a cross-site request forgery (CSRF) flaw: a Web page containing maliciously crafted JavaScript, opened while the wallet is running, can issue commands to the wallet’s Remote Procedure Call (RPC) service on port 18082 and transfer the user’s funds, potentially emptying the Simplewallet. Monero stated it was working to develop a Simplewallet user interface that does not rely on the vulnerable RPC service.

Federal jury finds a serial bank robber guilty of three counts of bank robbery. The U.S. District Court for the Northern District of Oklahoma convicted an individual September 20 for his role in 3 bank robberies in Tulsa and Fairfax, Oklahoma, in June 2016.

North Texas business owners guilty in money laundering scheme. Four North Texas residents were convicted September 20 for their roles in a more than $16 million money laundering scheme from June 2013 – October 2015 where the group, who owned and operated money services businesses (MSBs), used their authority as authorized agents of over 8 international money transfer companies to wire profits obtained from drug distribution to Michoacan, Mexico. The charges state that the MSBs charged wire transaction fees and structured the wires in amounts under $1,000, in addition to using fabricated sender information, to circumvent financial reporting requirements and hide the ownership and source of the illegal profits.
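The structuring described in the item above (many wires kept under a threshold) is something a transaction-monitoring rule can catch by aggregating transfers per sender or recipient over a time window. The following is an added example, not the page’s own or any vendor’s code; the $1,000 figure is taken from the item, while the one-day window, the minimum count, and the transaction records are assumptions made for illustration.

```python
"""Flag wire transfers that look structured: several sub-threshold transfers
tied to the same party that, together, exceed the threshold inside a short
window.

Added example; not the page's own or any vendor's code.  The $1,000 figure
comes from the item above; the window, minimum count, and records are
assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 1000.00          # per-transfer amount the wires were kept under
WINDOW = timedelta(days=1)   # assumed aggregation window
MIN_COUNT = 3                # assumed minimum number of transfers to alert on

# Constructed records: (ISO timestamp, sending agent, recipient, amount USD)
SAMPLE_WIRES = [
    ("2015-03-02T09:15", "Agent-12", "R. Lopez",  950.00),
    ("2015-03-02T09:40", "Agent-12", "R. Lopez",  980.00),
    ("2015-03-02T10:05", "Agent-12", "M. Garcia", 990.00),
    ("2015-03-02T11:00", "Agent-07", "A. Smith", 1450.00),  # over threshold: reportable on its own
    ("2015-03-02T13:30", "Agent-12", "R. Lopez",  975.00),
    ("2015-03-03T09:00", "Agent-07", "A. Smith",  300.00),
    ("2015-03-05T09:00", "Agent-07", "A. Smith",  300.00),  # two days later: outside window
]


def find_structuring(wires, keyed_on="sender", threshold=THRESHOLD,
                     window=WINDOW, min_count=MIN_COUNT):
    """Sliding-window aggregation of sub-threshold transfers.

    keyed_on is "sender" or "recipient".  Returns a list of alerts
    (key, first_ts, last_ts, count, total); a transfer appears in at most
    one alert.  Transfers at or above the threshold are skipped here because
    they are reportable on their own.
    """
    field = {"sender": 1, "recipient": 2}[keyed_on]
    by_key = defaultdict(list)
    for rec in wires:
        ts, amount = datetime.fromisoformat(rec[0]), rec[3]
        if amount < threshold:
            by_key[rec[field]].append((ts, amount))

    alerts = []
    for key, txns in by_key.items():
        txns.sort()
        start = 0
        while start < len(txns):
            # grow the window from txns[start] as far as `window` allows
            end, total = start, 0.0
            while end < len(txns) and txns[end][0] - txns[start][0] <= window:
                total += txns[end][1]
                end += 1
            if end - start >= min_count and total >= threshold:
                alerts.append((key, txns[start][0].isoformat(),
                               txns[end - 1][0].isoformat(), end - start,
                               round(total, 2)))
                start = end          # consume the transfers in this alert
            else:
                start += 1
    return alerts


if __name__ == "__main__":
    for keyed_on in ("sender", "recipient"):
        for alert in find_structuring(SAMPLE_WIRES, keyed_on):
            print(keyed_on, alert)
```

Keying on the sending agent catches the pattern in the item (one MSB splitting a large sum), while keying on the recipient catches the same money arriving from several agents; both views are worth running, and the fabricated sender names mentioned in the charges are the reason the recipient view matters.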

MacOS 10.12 patches over 60 vulnerabilities. Apple Inc. released the final version of its Mac operating system, macOS Sierra 10.12, resolving at least 65 vulnerabilities, including 16 flaws in the “apache_mod_php” module that could lead to arbitrary code execution or unexpected application termination, as well as denial-of-service issues and arbitrary code execution flaws in the Apache, audio, and Bluetooth components, among others. Apple also released Safari 10, macOS Server 5.2, and iCloud for Windows 6.0, patching a WebKit flaw that could lead to arbitrary code execution when a device processes specially crafted Web content, among other vulnerabilities.

Over 840,000 Cisco devices affected by NSA-linked flaw. The Shadowserver Foundation reported that, as of September 21, more than 840,000 Cisco devices, including 255,000 in the U.S., were found to be affected by the vulnerability in the Internet Key Exchange version 1 (IKEv1) packet processing code of Cisco’s IOS, IOS XE, and IOS XR software. The flaw, identified during Cisco’s investigation of the Shadow Brokers leak, can be exploited by a remote, unauthenticated attacker to read memory contents that may contain sensitive information.

9/21/16

Former United States Immigration and Customs Enforcement deportation officer pled guilty to bulk cash smuggling. A former U.S. Immigration and Customs Enforcement (ICE) deportation officer pleaded guilty September 15 to Federal charges after he allegedly smuggled over $2 million into the U.S. when he and co-conspirators, traveling from the Dominican Republic to the U.S. attempted to conceal the money in at least 7 pieces of luggage in order to avoid a currency reporting requirement on the U.S. Customs and Border Protection declaration form. The charges state authorities discovered the money during a subsequent search of the co-conspirators’ luggage.

“Wicked Wig Bandit” robs 5 Denver metro banks in monthlong spree. The FBI is searching September 20 for a woman dubbed the “Wicked Wig Bandit” who is suspected of robbing 5 banks in the Denver metropolitan area since August, including a Chase Bank branch in Northglenn September 19.

Rockwell patches code execution flaw in RSLogix product. Rockwell Automation released patches for several of its RSLogix products, used in the food and agriculture, critical manufacturing, water, and chemical sectors, to resolve a buffer overflow vulnerability. A researcher found the flaw can be exploited by convincing a local user to open a specially crafted RSLogix project (.RSS) file with a vulnerable version of RSLogix, resulting in arbitrary code execution on the targeted system.

9/20/16

Former Massachusetts man pleads guilty to multi-million Ponzi scheme. A former Massachusetts resident pleaded guilty September 16 to Federal charges in connection with running a $10 million Ponzi scheme after he convinced more than 20 investors their funds would be used to finance Jamaican businesses through bridge loans while using the funds to repay investment principal to previous investors from 2008 – 2015.

Former owner of investment firms pleads guilty to $9 million fraud. A co-founder of Cavalier Union Investments, LLC and Black Bull Wealth Management, LLC, pleaded guilty September 16 to Federal charges after he and a co-conspirator allegedly caused more than 50 investors to lose over $9 million from 2009 – 2016 by soliciting individuals to invest money in private investment funds that the duo controlled, in addition to specific investment opportunities that they proposed. The charges allege that the pair used the money for personal expenses.

Cisco finds new zero-day linked to “Shadow Brokers” exploit. Cisco researchers, following up on the exploits leaked by Shadow Brokers in August, discovered another vulnerability affecting the Internet Key Exchange (IKE) v1 packet processing code in Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x, and 5.2.x. A remote, unauthenticated attacker could retrieve memory contents potentially containing sensitive information by sending a specially crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. Cisco was working to release a patch and stated no workaround is available.

H1N1 malware adds support for infostealing features, UAC bypass. Cisco, Proofpoint, and independent security researchers reported that recent H1N1 malware versions include a User Account Control (UAC) bypass that relies on unusual code obfuscation and a dynamic-link library (DLL) hijacking technique, a self-propagation feature that spreads the malware to other computers on the same network, and the ability to collect information from infected systems and send it to a command and control (C&C) server. This lets an attacker steal information from organizations in the energy, communications, financial, and government sectors, including Microsoft Outlook email login data and Mozilla Firefox profile login data, among other data.

Serious flaws found in Cisco WebEx Meetings Server. Cisco released software updates to resolve vulnerabilities in its WebEx Meetings Server version 2.6 including a critical flaw caused by insufficient sanitization of user-supplied data that can be remotely exploited to execute arbitrary commands with elevated privileges, and a high-severity issue that could allow an unauthenticated attacker to carry out denial-of-service (DoS) attacks by repeatedly attempting to access a specific service.

9/19/16

New York man convicted in federal court for his role in counterfeit gift card shopping spree. A Queens, New York resident was convicted September 14 of Federal charges after authorities discovered over 100 counterfeit Visa gift cards with the account numbers of customers from dozens of banks nationwide in his and co-conspirators’ possession in 2014. Officials stated the group attempted to or made purchases at more than 6 Pennsylvania stores using the fraudulent cards.

SAP patches serious flaws in database management product. SAP released a security update resolving 19 vulnerabilities, including a denial-of-service (DoS) flaw in Business Objects BI Launchpad, information disclosure bugs, cross-site scripting (XSS) issues, and Structured Query Language (SQL) injection issues that could allow an attacker to create and execute a stored procedure with SQL commands, thereby enabling the attacker to elevate their privileges, modify database objects, or execute commands without authorization.

9/16/16

6.6 million users affected by ClixSense breach. ClixSense confirmed that the details of over 6.6 million users were stolen after hackers reached the company’s database server through an old server that was still connected to the database. ClixSense reported that it has shut down the vulnerable server, restored user balances, forum and account names, and reset user passwords, among other measures.

Sixth Linux DDoS trojan discovered in the last 30 days. Dr. Web security researchers discovered a trojan affecting Linux machines via the Shellshock vulnerability that launches 25 child processes that carry out a distributed denial-of-service (DDoS) attack on a targeted device when the attacker in control of the trojan botnet issues an attack command. Researchers stated the trojan can start Transmission Control Protocol (TCP) floods, User Datagram Protocol (UDP) floods, and Hypertext Transfer Protocol (HTTP) floods, as well as update itself, terminate its process, and delete itself, among other capabilities.
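Because the trojan above spreads through Shellshock, Web server access logs are the place to spot the infection attempts: the trigger is a bash function definition (`() {`) placed in a request header or query string that a CGI script passes through to the environment. The following detection logic over Apache combined-format log lines is an added example, not part of the original item; the log lines are constructed and use reserved documentation addresses.

```python
"""Spot Shellshock exploitation attempts in Apache "combined" access logs.

Added example, not part of the original item.  The log lines below are
constructed for illustration and use reserved documentation addresses.
"""
import re
from urllib.parse import unquote

# The trigger is a bash function definition at the start of an environment
# variable value.  CGI exports User-Agent, Referer and the query string to
# scripts as environment variables, so those are the fields to inspect.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
INSPECTED_FIELDS = ("request", "referer", "ua")


def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def shellshock_field(rec):
    """Name of the first inspected field carrying the trigger, else None.

    Fields are percent-decoded first so an encoded payload in the query
    string is caught as well as a literal one in a header.
    """
    for field in INSPECTED_FIELDS:
        if SHELLSHOCK_RE.search(unquote(rec[field])):
            return field
    return None


def scan(lines):
    """Return (source ip, field, timestamp) for each line with the trigger."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        field = shellshock_field(rec)
        if field is not None:
            hits.append((rec["ip"], field, rec["ts"]))
    return hits


# Constructed sample log: two attempts (one literal in User-Agent, one
# percent-encoded in the query string) and two ordinary requests.
SAMPLE_LOG = [
    '203.0.113.9 - - [15/Sep/2016:02:14:51 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 312 "-" "() { :;}; /bin/bash -c \'uname -a\'"',
    '203.0.113.9 - - [15/Sep/2016:02:14:52 +0000] '
    '"GET /cgi-bin/test.cgi?a=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fbash%20-c%20id HTTP/1.1" '
    '404 209 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Sep/2016:02:15:03 +0000] "GET /index.html HTTP/1.1" '
    '200 5123 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"',
    '198.51.100.23 - - [15/Sep/2016:02:15:04 +0000] "GET /docs/bash-functions.html HTTP/1.1" '
    '200 2048 "-" "curl/7.47.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("shellshock attempt from %s in %s at %s" % hit)
```

A 404 on the second sample is still a hit worth recording: attackers probe many CGI paths, and the successful one may be on a different host in the same sweep. Note that only headers the log records are visible; other headers (Cookie, custom headers) reach CGI too, so a Web application firewall or a server-side check on all request headers is the complete control, and patching bash is the fix.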

Apple patches 7 flaws with release of iOS 10. Apple Inc. released iOS 10, Xcode 8, and watchOS 3, patching a total of seven vulnerabilities, including a flaw in iOS that a man-in-the-middle (MitM) attacker can exploit to prevent a device from receiving updates, an information disclosure vulnerability in iOS and watchOS that malicious applications can exploit to access a user’s location data, and a flaw in Xcode that could allow a local attacker to execute arbitrary code or crash an application, among other flaws.

9/15/16

Regions bank agrees to pay $52.4 million to resolve alleged False Claims Act liability arising from FHA-insured mortgage lending. The U.S. Department of Justice announced September 13 that Regions Bank agreed to pay $52.4 million to settle allegations that the bank violated the False Claims Act by originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development’s (HUD) Federal Housing Administration (FHA) that did not meet HUD underwriting requirements regarding borrower creditworthiness from January 2006 – December 2011. The charges also allege that Regions failed to maintain a quality control program in compliance with HUD requirements, failed to consistently review samples of FHA-insured loans, and failed to review Early Payment Default (EPD) loans per HUD guidelines, among other violations.

Adobe patches 29 vulnerabilities in Flash Player. Adobe released updates for Flash Player, Digital Editions, and the Adobe AIR SDK & Compiler resolving a total of 37 vulnerabilities, including integer overflow, use-after-free, and other memory corruption issues in Flash Player that can be exploited for arbitrary code execution, as well as several memory corruption flaws and a use-after-free issue in Digital Editions 4.5.1 and earlier that can be exploited for arbitrary code execution, among other vulnerabilities.

Microsoft patches browser vulnerability exploited in attacks. Microsoft released 13 security bulletins patching nearly 50 vulnerabilities plaguing Windows, Internet Explorer, Edge, Exchange, and Office, including an information disclosure flaw in Internet Explorer and Edge that can be exploited if an attacker convinces a victim to access a compromised Website, as well as a memory corruption issue that can be exploited for remote code execution if the victim accesses a compromised Website, among other vulnerabilities.

9/14/16

Nevada stock promoter admits role in $33 million microcap stock manipulation scheme. A Henderson, Nevada resident pleaded guilty September 12 to his role in a $33 million pump-and-dump stock market manipulation scheme where he and co-conspirators fraudulently inflated the prices of shares of 4 public companies by distributing promotional information about the shares and engaging in manipulative trading in order to sell the stocks at inflated rates before dumping large volumes of the shares, causing investors millions of dollars in losses. Officials also stated the group paid cash kickbacks to a Las Vegas-based investment adviser who purchased the stock of the target companies on behalf of his clients.

Federal grand jury indicts three in $6.5 million diamond investment fraud scheme. The chief compliance officer of Stonebridge Advisers, LLC, the principal partner of Worldwide Diamond Ventures, L.P., and another Dallas, Texas resident were indicted September 9 for their roles in a $6.5 million diamond investment scheme where the group allegedly defrauded 77 Worldwide Diamond Ventures investors by fraudulently concealing material information, including how the group used investor funds from March 2011 – November 2011 and February 2012 – May 2013. The charges also allege that the trio failed to disclose to investors that nearly $2.5 million in investor funds were used to make unauthorized loans to third parties.

Critical MySQL zero-day exposes servers to attacks. An independent security researcher disclosed a critical zero-day vulnerability in the MySQL open-source database software that can be exploited by an attacker who can authenticate to the database, whether through a Web interface or a direct network connection, to execute arbitrary code with root privileges and compromise the server running MySQL. The researcher reported that all MySQL branches are susceptible and that the attack works even on systems with Linux security modules enabled.

9/13/16

Court docs: McDonald’s employee stole about 100 credit card numbers while working drive-thru. A former employee at McDonald’s in West Lafayette, Indiana, was charged in court documents unsealed September 9 after she and co-conspirators allegedly skimmed information from about 100 customer credit cards while working at the restaurant and created fake credit cards to make more than $6,000 worth of fraudulent purchases at area stores. Authorities stated the former employee swiped customers’ cards through a handheld skimming device to steal their account information.

Free decrypter available for Philadelphia ransomware. An Emsisoft security researcher released a decrypter for the Philadelphia ransomware that can unlock a victim’s files for free after the researcher discovered the malware was deleting a predetermined number of files from an infected device if the user did not immediately pay the ransom.

Privilege escalation, DoS vulnerabilities patched in Xen. The Xen Project released patches addressing four vulnerabilities, including a privilege escalation flaw in all versions of Xen that could allow a malicious 32-bit paravirtualization (PV) guest administrator to gain host privileges, an overflow issue affecting all Xen versions that could be leveraged by a hardware virtual machine (HVM) guest admin to cause Xen to fail a bug check and cause a host to enter a denial-of-service (DoS) condition, and a use-after-free vulnerability that can be leveraged by a guest admin to crash the host and for information leaks and arbitrary code execution, among other vulnerabilities.

9/12/16

Wells Fargo fined $185M on phony accounts, fires 5,300 staff. California and Federal regulators fined Wells Fargo & Company a total of $185 million September 8 after the bank’s employees allegedly opened more than 2 million bank and credit card accounts and transferred money into those accounts without the authorization of its customers in order to meet projected sales goals. Officials reported that 5,300 Wells Fargo employees were fired in connection with the fraudulent activities.

Former Bergen man admits role in $65 million identity theft scheme. A former Demarest, New Jersey resident pleaded guilty September 8 to Federal charges for his role in a $65 million identity theft scheme where he and co-conspirators stole the birth dates and Social Security numbers from Puerto Rican citizens in order to file fraudulent tax returns and obtain $4.7 million in tax refund checks, which he deposited into bank accounts controlled by the group. The man also stated he and co-conspirators bribed a mail carrier to intercept the refund checks before they were delivered to the identity theft victims.

New Linux trojan discovered coded in Mozilla’s Rust language. Dr. Web security researchers discovered a new trojan, written in Mozilla’s Rust programming language, that targets Linux-based platforms. An attacker in control of an Internet Relay Chat (IRC) channel can post a message to the channel’s public chat that forces all connected bots to parse the message and execute the embedded command. The researchers believe this is a test version of the malware, as so far the trojan only gathers information about the infected system and sends it to its command and control (C&C) server.

DropboxCache cross-platform backdoor targets OS X. Kaspersky Lab security researchers discovered that the DropboxCache backdoor, also known as Mokes.A or Backdoor.OSX.Mokes, now targets Apple’s OS X and connects to its command and control (C&C) server over Hypertext Transfer Protocol (HTTP) on Transmission Control Protocol (TCP) port 80. Its backdoor features include capturing audio, monitoring removable storage, scanning the file system for Microsoft Office documents, and writing the collected data to a series of temporary files when the C&C server is unavailable, among others. Researchers warned the malware’s operator can execute arbitrary commands on the infected system and define custom file filters to refine its monitoring of the file system.

9/9/16

4 arrested, guns and thousands of blank credit cards seized in Brooklyn: NYPD. Four people were arrested in Bedford-Stuyvesant in Brooklyn, New York, September 7 after authorities discovered 2,433 blank credit cards, 2 credit card embossing machines, and 3 credit card skimmers, among other illicit materials, while executing a search warrant at the group’s apartment.

Gugi banking trojan can bypass Android 6 protection. Kaspersky security researchers discovered that a variant of the Gugi mobile banking trojan can bypass two security features in Google’s Android 6.0, the permission requirement for app overlays and the dynamic permission requests for dangerous in-app activities such as calls or short message service (SMS), in order to overlay applications and steal mobile banking credentials from its victims. The trojan is distributed via SMS spam that tricks victims into visiting phishing Websites, which download the malware onto the device. Researchers advised users to reboot an infected device in safe mode and attempt to uninstall the trojan.

WordPress 4.6.1 security update is out, time to update peeps. WordPress released version 4.6.1 of its content management system (CMS), resolving a path traversal vulnerability and a cross-site scripting (XSS) flaw in the admin panel that can be exploited via image metadata and could allow a malicious actor to take over the affected Website. The update also patches 15 other bugs in the underlying CMS codebase.

Flaws in Network Management Systems open enterprise networks to attacks. Rapid7 researchers and an independent researcher discovered over 12 vulnerabilities in 9 different Network Management System (NMS) products. They fall into three classes: cross-site scripting (XSS) via SNMP agent-provided data, which could allow a local attacker who adds a malicious device to the network to inject script into the management console; XSS via SNMP trap alert messages; and format string processing flaws in the NMS Web management console triggered by specially crafted trap alert messages. Researchers reported that all the flaws have received patches.

Google patches QuadRooter, other critical Android vulnerabilities. Google released its September 2016 Android Security Bulletin resolving 55 vulnerabilities, including 2 critical remote code execution (RCE) flaws in LibUtils and Mediaserver, a high-risk RCE in MediaMuxer, and 2 of the QuadRooter issues, which affected over 900 million Android devices using Qualcomm chipsets, among other vulnerabilities.

Siemens fixes several flaws in SIPROTEC products. Siemens released firmware updates addressing vulnerabilities in its SIPROTEC 4 and SIPROTEC Compact devices after Kaspersky Lab researchers found the devices were plagued with a flaw that an attacker with network access could exploit to bypass authentication mechanisms and carry out administrative operations, and a flaw that could allow an attacker with network access to perform those actions while a legitimate user is logged in to the Web interface. Siemens advised customers to use network segmentation, virtual private networks (VPNs), and firewalls to protect their systems against attacks.

9/8/16

Texas woman pleads guilty to preparing false tax returns. A Greenville, Texas-based tax preparer operating under the names TX ASAP Tax Services and Fiesta Tax Service pleaded guilty September 6 to preparing and filing approximately 1,163 fraudulent income tax returns for clients, including false credits and deductions, as well as fraudulent business income and losses in order to produce inflated returns, thereby causing the U.S. more than $1 million in losses.

Cry ransomware uses Google Maps to find victim locations. BleepingComputer researchers discovered a new piece of ransomware, dubbed Cry or CSTO because it claims to come from a fictitious “Central Security Treatment Organization”, that uses public Websites to host information about victims and can determine a victim’s location by querying the Google Maps application programming interface (API) with the service set identifiers (SSIDs) of nearby wireless networks. Researchers also observed the malware encrypting the victim’s files and deleting Shadow Volume Copies to prevent users from restoring their files.

9/7/16

FBI: Prolific ‘Filter Bandit’ strikes again at Fort Lauderdale bank. The FBI is searching September 2 for a man dubbed the “Filter Bandit” who is suspected of robbing several banks in Broward County, Florida, since August 2014, including an AmTrust Bank branch in Fort Lauderdale September 2.

Cerber 3.0 ransomware variant emerges. TrendMicro researchers reported that a new variant of the Cerber ransomware, dubbed Cerber 3.0, emerged as the payload of a malvertising campaign: when a user clicks to play a video, a malicious ad in a pop-up window redirects the victim to a Magnitude or RIG exploit kit (EK) landing page. Researchers found the malware appends the .cerber3 extension to encrypted files, deletes Shadow Volume Copies to prevent users from restoring their files, and presents victims with a ransom note.

Attackers combine three botnets to launch massive DDoS attack. Sucuri researchers reported attackers combined a home router botnet comprised of 11,767 devices, an internet of things (IoT) closed circuit television (CCTV) botnet comprised of 25,000 cameras, and a botnet made up of compromised Linux servers to carry out a Layer 7 distributed denial-of-service (DDoS) attack involving traffic from over 47,000 Internet Protocol (IP) addresses. Sucuri stated the 3-botnet distribution enabled the attacker to send 120,000 requests per second without disrupting the operation of the infected machines.

9/6/16

Thousands of fraudulent cards, crystal meth found in SW Miami-Dade home. Two southwest Miami-Dade, Florida residents were arrested September 1 after authorities discovered over 2,000 counterfeit gift cards, thousands of fraudulent credit cards, and several laptops in the duo’s home, which were used to steal over $50,000 from victims.

Staten Island man indicted as ‘Mad Hatter’ bank bandit. A man dubbed the “Mad Hatter” was indicted August 30 after he allegedly robbed or attempted to rob 11 banks in Manhattan since March 9, stealing a total of more than $22,000.

Apple patches spyware-related zero-days in OS X, Safari. Apple released patches resolving the three zero-day vulnerabilities dubbed Trident in OS X Yosemite and OS X El Capitan, and in Safari for OS X Mavericks. The same flaws had been exploited by the Pegasus surveillance software to spy on individuals via iOS devices; they could lead to kernel memory disclosure, an application executing arbitrary code with kernel privileges, and arbitrary code execution when a user visits a maliciously crafted Website.

Google fixes Nexus 5X flaw that allowed attackers to dump phone memory via USB. Google patched a vulnerability affecting Android images deployed on LG Nexus 5X devices with the Android Debug Bridge (ADB) feature turned on after researchers from IBM’s X-Force team discovered the flaw could allow an attacker to infect a victim’s device with malware that exploits the vulnerability and dumps the phone’s memory and extracts sensitive information via a universal serial bus (USB) port.

9/2/16

FBI seeks help identifying ‘Helmet Head Bandit’ in connection with 2 recent bank robberies. Authorities are searching August 31 for a man dubbed the “Helmet Head Bandit” who is suspected of robbing 2 banks in La Canada Flintridge and Tujunga, California, and attempting to rob 1 other in Tujunga August 31.

Duo arrested in widespread LA ATM machine skimming scam. Two men were arrested in Torrance, California, August 30 for their roles in an $85,000 ATM skimming scheme where the duo installed skimming devices on ATM machines in Burbank and elsewhere in Los Angeles County and stole the account information from over 50 bank customers to create cloned ATM cards and withdraw cash from other ATMs in the county. Officials discovered an additional $233,000 in declined transactions attempted by the duo.

Betabot starts delivering Cerber ransomware. Security researchers from Invincea discovered that the Betabot malware began delivering the Cerber ransomware as a second-stage payload on compromised endpoints after stealing user passwords in the first stage, allowing the operators to increase their profits. Researchers also found Betabot was being delivered by the Neutrino exploit kit (EK) and stated the malware evades detection and analysis through virtual machine awareness and sandbox checks.

Cisco fixes severe flaw in WebEx, small business products. Cisco released software and firmware updates addressing several vulnerabilities in its WebEx Meetings Player version T29.10 for WebEx Recording Format (WRF) files after a COSIG security researcher discovered a critical flaw that could allow an unauthenticated attacker to execute arbitrary code remotely by tricking a user into opening a specially crafted file, and a medium-severity vulnerability that could allow an unauthenticated attacker to crash the program remotely by convincing the user to open a malicious file. Cisco also released fixes for denial-of-service (DoS), cross-site request forgery (CSRF), and cross-site scripting (XSS) issues in its Small Business 220 Series Smart Plus (Sx220) switches, along with a flaw that could allow a remote, unauthenticated attacker to gain access to Simple Network Management Protocol (SNMP) objects on an affected device.

Vulnerability in Yandex browser allows attackers to steal victims’ browsing data. A security researcher from Netsparker discovered that the data sync login form of the Yandex Browser was affected by a cross-site request forgery (CSRF) vulnerability. An attacker could convince a user to visit a malicious Website containing code that builds a Yandex Browser sync login form and submits it with the attacker’s credentials; the browser then starts an automatic sync that sends a copy of the user’s passwords, bookmarks, autocomplete data, and browsing history, among other data, to the attacker’s account.
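Both the Monero Simplewallet item (9/22/16) and the Yandex Browser item above describe the same class of bug: a service that trusts any HTTP request it receives, so a page the victim merely visits can make the browser submit the request for them. The following added example (not code from Monero, Yandex, or this page) models a local JSON-RPC wallet service with a handler that accepts any POST beside a hardened one that demands a secret header a cross-site page cannot set, an application/json content type, and an acceptable Origin. The port is the one named in the Monero item; the token, wallet state, allowed origin, and request shapes are assumptions for illustration.

```python
"""A local JSON-RPC wallet service, vulnerable and hardened against CSRF.

Added example; not code from Monero, Yandex, or this page.  The token,
wallet state, allowed origin and request shapes are assumptions.
"""
import hmac
import json
from dataclasses import dataclass, field

RPC_PORT = 18082                                        # port named in the Monero item
ALLOWED_ORIGINS = {"http://127.0.0.1:%d" % RPC_PORT}    # hypothetical bundled wallet UI


@dataclass
class Request:
    method: str
    headers: dict
    body: str


@dataclass
class Wallet:
    balance: float = 10.0
    transfers: list = field(default_factory=list)


def execute_rpc(wallet, rpc):
    """Apply one RPC call to the wallet; this part is the same in both handlers."""
    if rpc.get("method") == "getbalance":
        return {"result": {"balance": wallet.balance}}
    if rpc.get("method") == "transfer":
        address, amount = rpc["params"]["address"], float(rpc["params"]["amount"])
        if amount > wallet.balance:
            return {"error": "insufficient funds"}
        wallet.balance -= amount
        wallet.transfers.append((address, amount))
        return {"result": {"balance": wallet.balance}}
    return {"error": "unknown method"}


def vulnerable_dispatch(wallet, req):
    """Accepts any POST whose body parses as JSON.

    A browser sends this request on behalf of whoever is running the wallet
    as soon as a page it loaded asks it to (fetch/XHR or an auto-submitted
    form), and the service has no way to tell that request from the user's.
    """
    if req.method != "POST":
        return {"error": "method not allowed"}
    return execute_rpc(wallet, json.loads(req.body))


def hardened_dispatch(wallet, req, expected_token):
    """Same service, with three checks a cross-site page cannot satisfy."""
    if req.method != "POST":
        return {"error": "method not allowed"}
    h = {k.lower(): v for k, v in req.headers.items()}
    # 1. A secret in a custom header.  Browsers will not add custom headers to
    #    a cross-origin request without a CORS preflight, which this service
    #    never approves, so only the user's own client can supply it.
    if not hmac.compare_digest(h.get("x-rpc-token", ""), expected_token):
        return {"error": "unauthorized"}
    # 2. Real JSON only.  A cross-site POST sent without preflight can carry
    #    only text/plain or form content types, which is how CSRF against
    #    JSON-RPC services is usually delivered.
    if h.get("content-type", "").split(";")[0].strip() != "application/json":
        return {"error": "unsupported media type"}
    # 3. If the browser tagged the request with an Origin, it must be ours.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return {"error": "forbidden origin"}
    return execute_rpc(wallet, json.loads(req.body))


# Constructed requests.  The first is what a malicious page can make the
# victim's browser send to 127.0.0.1:18082; the second is the user's own client.
CSRF_REQUEST = Request(
    "POST",
    {"Host": "127.0.0.1:%d" % RPC_PORT, "Origin": "http://evil.example",
     "Content-Type": "text/plain"},
    json.dumps({"method": "transfer",
                "params": {"address": "ATTACKER_WALLET_ADDRESS", "amount": 10.0}}),
)
LEGIT_REQUEST = Request(
    "POST",
    {"Host": "127.0.0.1:%d" % RPC_PORT, "Content-Type": "application/json",
     "X-RPC-Token": "session-secret"},
    json.dumps({"method": "getbalance"}),
)


def demo(token="session-secret"):
    """Run both handlers; returns the balances and responses for inspection."""
    w_vuln, w_hard, w_legit = Wallet(), Wallet(), Wallet()
    vulnerable_dispatch(w_vuln, CSRF_REQUEST)
    rejected = hardened_dispatch(w_hard, CSRF_REQUEST, token)
    accepted = hardened_dispatch(w_legit, LEGIT_REQUEST, token)
    return {
        "vulnerable_balance": w_vuln.balance,    # drained by the cross-site page
        "hardened_balance": w_hard.balance,      # untouched
        "hardened_error": rejected["error"],
        "legit_response": accepted,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a login form such as the Yandex sync form, the equivalent of check 1 is a per-session token embedded in the form and verified on submit, so a form built on another site cannot be accepted. All three checks rely on the browser enforcing the same-origin policy; they do nothing against an attacker who already runs code on the host, and they are not a substitute for binding the RPC service to localhost and keeping it off the network.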

Adobe patches critical vulnerability in ColdFusion. Adobe released security updates for ColdFusion versions 10 and 11 resolving a critical vulnerability after a researcher from legalhackers.com discovered a flaw related to the parsing of specially crafted XML entities that could lead to information disclosure. Adobe officials advised users to install the patches and apply secure configuration settings to mitigate the security flaw.

9/1/16

‘Baggy Eyes Bandit,’ suspected in Anaheim Hills, Placentia bank robberies, has been arrested. A man dubbed the “Baggy Eyes Bandit” was charged August 30 in connection with 2 bank robberies after he allegedly robbed 6 banks in Los Angeles, Riverside, San Bernardino, and Orange counties and attempted to rob a Citibank branch in Anaheim Hills, California, August 27.

Investment advisor pleads guilty to stealing from clients. A former investment adviser and operator of Gist, Kennedy & Associates pleaded guilty August 30 to defrauding more than 30 clients out of $5 million by falsely informing investors that he would make conservative investments for investors in corporate bonds and other securities, while he used the funds for personal expenses, to fund ENCAP Technologies operations, and to pay other clients proceeds and dividends from the fraudulent investments. Officials stated the adviser also prepared and mailed false account statements to the investors that showed false investment returns in order to continue the fraud scheme.

68 million exposed in old Dropbox hack. Dropbox, Inc. began prompting password resets for more than 68 million users potentially exposed in a July 2012 data breach where user email addresses and hashed and salted passwords for Dropbox accounts may have been improperly accessed after a Dropbox employee’s password was stolen and used to access an employee account that contained a document containing the user information. Dropbox officials do not believe any account was improperly accessed during the breach.

Vulnerabilities found in CryptWare BitLocker enhancement tool. CryptWare released CryptoPro Secure Disk 5.2.1 for BitLocker addressing two serious vulnerabilities. The first can be exploited to access a root shell at boot and execute arbitrary commands, because CryptoPro Secure Disk improperly blocks terminal access. The second, due to inadequate verification mechanisms, can be exploited to modify files on the system and bypass the verification process, which can be leveraged to backdoor the system and steal sensitive information such as domain credentials and BitLocker data, among other information.

Unsophisticated Revenge RAT released online for free. Security researchers discovered that a malware coder named Napoleon released a new remote access trojan/tool (RAT), dubbed Revenge v0.2, online for free via underground hacking forums. Researchers found the RAT is able to access the user’s Webcam, open a remote shell, initiate remote desktop sessions, interact with the victim’s file manager, and manage operating system (OS) services, among other malicious actions.

Site of BitTorrent app “Transmission” again used to deliver OS X malware. Security researchers from ESET reported that the official Website for the BitTorrent client Transmission was being exploited to distribute an Apple Mac operating system (OS) X malware, dubbed OSX/Keydnap, that steals the contents of the OS X keychain and maintains a permanent backdoor on an infected system. Researchers found that cybercriminals compromised the Transmission site and replaced the legitimate app with a malicious version, which was available for download as Transmission v2.92 between August 28 and August 29. Researchers stated users can determine if their systems are infected by checking whether files associated with the malware are present on their system.

8/31/16

New and mysterious FairWare ransomware targets Linux servers. A Bleeping Computer analyst reported that at least 3 Linux server administrators discovered that a ransomware variant, dubbed FairWare, hacked their servers, removed their Website root folders, and left a ransom note in the /root folder demanding a payment of 2 Bitcoin, or roughly $1,150, in order to retrieve the files. The researcher stated there is no evidence that the ransomware encrypts the user’s files and warned FairWare may be deleting the files and scamming victims after the ransom is paid.

Kelihos botnet triples in size overnight. MalwareTech researchers warned that the Kelihos botnet’s activity significantly increased to 34,533 infections in August and discovered that the botnet was spamming other malware after finding that Kelihos was distributing Wildfire ransomware as well as banking trojans based on the Zeus source code. Researchers believe Kelihos started distributing ransomware and banking trojans after the botnet’s operator realized the malware was more profitable than its original pump-and-dump spamming campaigns.

8/30/16

FBI offers $5K reward for ‘Filter Bandit.’ Authorities offered a reward August 26 in exchange for information leading to the arrest and conviction of a man dubbed the “Filter Bandit” who is suspected of robbing 9 Broward County, Florida banks since 2014, including a SunTrust Bank branch in Coral Springs August 26.

Former Greenwich resident pleads guilty to stealing more than $700K in fraud scheme. A former employee at HB Nitkin Group in Greenwich, Connecticut, pleaded guilty August 26 to embezzling more than $700,000 from the company and related companies and individuals after the employee created fraudulent invoices for carpentry, plumbing, and electrical services, and used the company’s checkbook to pay the phony invoices, which she deposited into her personal bank accounts from February 2014 – December 2015. Officials stated the former employee also cashed checks that she stole from other employees of the company, among other fraudulent actions.

XSS flaw in D-Link NAS devices allows attackers to mess with your data. A security researcher discovered, after detecting the flaw in the firmware of the D-Link DNS-320 rev A, that seven D-Link network-attached storage (NAS) devices were affected by a cross-site scripting (XSS) flaw in the device’s administrative Web interface. The flaw can be exploited through an authenticated Server Message Block (SMB) login attempt and could allow attackers to access a targeted device and change the stored contents. The researcher stated this XSS flaw does not require the victim to visit a malicious Website or open an attacker-supplied link, and that the malicious code can be injected without direct or indirect access to the vulnerable application.

Kaspersky patches vulnerabilities in consumer products. Kaspersky Lab released updates for its KLIF, KLDISK, and KL1 Internet security components resolving several denial-of-service (DoS) and memory disclosure vulnerabilities after Cisco researchers discovered a flaw in the KLIF driver that can allow a malicious app to execute an application programming interface (API) call using invalid parameters and crash the system, a flaw related to how the KL1 driver handles input/output control (IOCTL) calls, which could be exploited to cause a memory access violation and crash the system, and a flaw caused by a weak implementation of the KlDiskCtl service in the KLDISK driver that can allow attackers to use specially crafted IOCTL calls to leak kernel memory contents and obtain information.

Tech support scammers find new tricks to hijack Chrome browser. Malwarebytes researchers discovered a new method to hijack Google Chrome Web browsers where hidden JavaScript code puts the user’s browser into full screen mode, hiding the address bar and user interface (UI) toolbar in order to load a JPEG image at the top of the page that is crafted to look like Chrome’s original UI bar. The researchers also discovered a second trick targeting Chrome users where scammers created popups that mimicked original Chrome alerts, and would continue to display more alerts if a user clicked the appropriate checkmark.

User data possibly stolen in Opera Sync breach. Opera notified 1.7 million Sync customers August 26 of a potential data breach discovered the week of August 22 after an attacker hacked the system and potentially accessed user information, including usernames and passwords. Opera officials advised its customers to change their Sync passwords, as well as any passwords to third-party Websites synchronized with the service.

Fantom ransomware mimics Windows update screen. An AVG security researcher discovered a new ransomware variant, dubbed Fantom, was being distributed as a fake Microsoft Windows critical update screen to trick users into running the malicious file, criticalupdate01.exe, which encrypts victims’ files and displays a ransom note in Hypertext Markup Language (HTML) or TXT files after the encryption process ends. Researchers stated that users must contact the malicious actor via email to get the private key and unlock their encrypted files, and that the ransomware then runs two batch scripts to delete its installation files.

8/29/16

New Locky ransomware version delivered as DLL file. Cyren security researchers discovered that a variant of the Locky ransomware, Zepto, received updates and is now installed on infected devices as dynamic-link library (DLL) files instead of executable (EXE) files. Researchers also found that the DLL file uses a custom packer in order to prevent detection by anti-malware scanners.

Apple issues emergency fix for iOS zero-days: What you need to know. Apple released an emergency security update for its iOS devices after discovering that the iPhone 4s and later, iPad 2 and later, and iPod touch fifth generation and later were affected by three zero-day vulnerabilities, dubbed Trident: an information leak in the kernel, a memory corruption bug that could allow an attacker to jailbreak the device and install surveillance software without user knowledge, and a memory corruption bug in Safari WebKit, which could allow an attacker to execute arbitrary code and compromise the device when a user clicks a link on a specially crafted Website. Researchers found the vulnerabilities were exploited by Pegasus, a high-end surveillance software, and were leveraged in attacks against human rights activists and journalists via a text message phishing campaign.

PowerShell script steals credentials from IIS config files. SecureWorks researchers discovered attackers were using already compromised devices to upload and execute a malicious PowerShell script that searches the infected machine for Microsoft Internet Information Server (IIS) configuration files, which store credentials for other connection services as connectionStrings, in order to steal the access credentials and copy the content to the local /TEMP folder.

Security firm releases decrypter for Alma Locker ransomware. PhishLabs malware analysts released a decrypter for the Alma Locker ransomware family that allows victims to recover their files without paying the ransom after finding the malware’s decrypter was susceptible to a Man-in-the-Middle attack, which allowed the researchers to spoof communications from the attackers’ command and control (C&C) server in order to gain insight into how the ransomware’s decrypter operates.

8/26/16

Cisco updates ASA software to address NSA-linked exploit. Cisco began releasing updates for its Adaptive Security Appliance (ASA) software resolving a remote code execution flaw leveraged by a zero-day exploit, dubbed EXTRABACON, which affects the Simple Network Management Protocol (SNMP) code of the ASA software and can be exploited by a remote hacker to cause a system crash or execute arbitrary code. Cisco advised users to update their installations to version 9.1.7(9) or later.

Attackers can target enterprises via GroupWise collaboration tool. Micro Focus released patches resolving critical vulnerabilities in its GroupWise collaboration tool, including two reflected cross-site scripting (XSS) flaws that can be abused to execute arbitrary JavaScript and hijack an admin’s session, a persistent XSS vulnerability affecting the GroupWise WebAccess message viewer that can be exploited by embedding malicious code in an email and getting the victim to interact with the message, and a heap-based buffer overflow flaw affecting the GroupWise Post Office Agent and GroupWise WebAccess that could be used to achieve remote code execution, among other vulnerabilities. Micro Focus advised users to update their installations to GroupWise 2014 R2 SP1 HP1 or later.

Android botnet uses Twitter for receiving commands. Researchers from ESET reported that a new Android backdoor, dubbed Android/Twitoor, impersonates an MMS program or adult content player application and, after being launched, uses a defined Twitter account to receive commands, which either instruct the backdoor to download malicious applications, including mobile banking malware, onto the infected device or to switch to a different command and control (C&C) Twitter account. Researchers also found that the Twitoor botnet’s transmitted messages are encrypted and that it uses new communication channels, such as social networks, in order to remain undetected and more difficult to block.

Flaws allow attackers to hijack VMware vRA appliances. VMware addressed vulnerabilities affecting its vRealize Automation (vRA) appliances, including a flaw in the vRA 7.0.x appliance, reachable via port 40002, that can be abused for remote code execution and allow an attacker to gain access to a low-privileged account on the affected device, and a second flaw in vRA 7.0.x and VMware Identity Manager 2.x that can be exploited by a hacker with access to a low-privileged account to obtain root privileges. VMware reported attackers could combine the vulnerabilities to compromise and take control of a vRA appliance and urged users to update vRA to version 7.1.

8/25/16

Apollo charged with disclosure and supervisory failures. The U.S. Securities and Exchange Commission announced August 23 that 4 private equity fund advisers affiliated with Apollo Global Management, LLC agreed to pay a $52.7 million settlement to resolve claims that the Apollo advisers failed to adequately inform investors about accelerated monitoring fees and benefits the advisers received, failed to disclose information regarding interest payments made on a loan between an adviser’s affiliated general partner and 5 funds, and failed to monitor a senior partner who charged personal expenses to Apollo-advised funds and their portfolio companies.

Four arrested in fraudulent credit card case in Murfreesboro. Four people were arrested in Murfreesboro, Tennessee, August 17 when police discovered 83 magnetic strips in the suspects’ vehicle after the group allegedly used re-encoded credit cards at an area Walmart store to make multiple fraudulent purchases.

Leaked EXTRABACON exploit can work on newer Cisco ASA firewalls. Researchers from SilentSignal discovered that the EXTRABACON exploit leaked by ShadowBrokers, which targets the zero-day buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) code of the Cisco Adaptive Security Appliance (ASA), Private Internet eXchange (PIX), and Firewall Services Module versions 8.4(4) and earlier, can also be modified to compromise ASA version 9.2(4). Cisco researchers are working to develop a definitive fix for the vulnerability.

Two free decrypters available for WildFire ransomware. Kaspersky and Intel McAfee released two decrypters that can unlock files encrypted by WildFire ransomware infections; both are available for download from the NoMoreRansom Website. Researchers stated that since July 23, WildFire infected 5,309 devices and earned 136 Bitcoin, or $79,000, from users paying the ransom.

Face authentication systems can be bypassed using a VR headset & Facebook photos. Researchers from the University of North Carolina at Chapel Hill reported hackers could bypass face authentication systems on the 1U App, BioID, KeyLemon, Mobius, and True Key after finding that if an attacker passes a high-resolution photo through a three-dimensional (3D) modeling software, then transfers the 3D head to a virtual reality (VR) device, a machine running the facial recognition software will authenticate the attacker. Researchers found that in photos where the quality was lower, such as social media photos, the authentication rate was lower.

8/24/16

Intruders use virtual machines on infected PCs to hide their actions. SecureWorks discovered malicious actors were attempting to install and launch a new virtual machine (VM) on an infected host in order to connect to the compromised device through the VM and exfiltrate sensitive data or execute other malicious actions without being detected by security software. Researchers found that the attacker was using the Microsoft Management Console (MMC) to launch the Hyper-V Manager to manage Microsoft’s VM infrastructure.

DetoxCrypto ransomware sends screenshots to operators. Bleeping Computer researchers discovered a new ransomware, dubbed DetoxCrypto, was being distributed in two different variants: one, named Calipso.exe, takes screenshots of a victim’s device and sends them to the malicious actor’s servers, and the other, dubbed Pokemon.exe, poses as a PokemonGo app. Researchers found both variants can stop MySQL and Microsoft structured query language (MSSQL) services on an infected device, and use a single distributed executable to extract a MicrosoftHost.exe file, among other files, which encrypts the user’s files, displays a lock screen, and, in the case of the Calipso variant, instructs the victim to contact the malware operator to receive payment instructions.

WordPress plugin fixes SQL injection flaw that let attackers dump site passwords. Ninja Forms released version 2.9.55.2 after Sucuri researchers discovered a structured query language (SQL) injection vulnerability affecting the Ninja Forms WordPress plugin, installed on over 600,000 sites. An attacker with a registered account on a targeted Website can exploit the flaw by sending a custom Hypertext Transfer Protocol (HTTP) POST request to the site and triggering an SQL injection attack, which could allow the attacker to dump sensitive details including the site’s usernames and hashed passwords, as well as WordPress secret keys.

8/23/16

‘Baggy Eyes Bandit’ sought in 4-county bank robbery spree. The FBI is searching August 20 for a man dubbed the “Baggy Eyes Bandit” who is suspected of committing 5 bank robberies and 1 attempted robbery at Citibank branches in Los Angeles, San Bernardino, Orange, and Riverside counties since February.

GnuPG project fixes “critical security problem” that existed since 1998. The GnuPG project patched a critical security problem affecting the mixing function in the random number generator (RNG) used for Libgcrypt in all GnuPG (Gnu Privacy Guard) versions released since 1998 after researchers from the Karlsruhe Institute of Technology discovered that an attacker who can obtain 4640 bits from the RNG can predict the next 160 bits of output. Researchers advised all users to update their software to the latest version to avoid the problem.

Around four in five DNSSEC servers can be hijacked for DDoS attacks. Security researchers from Neustar reported that 80 percent of Domain Name System Security Extensions (DNSSEC) servers have been improperly configured and contain vulnerabilities that could allow an attacker to reflect and amplify distributed denial-of-service (DDoS) attacks. Researchers found that attackers were sending DNS queries of the ANY type for DNSSEC-signed domains in order to force the server to gather all the Domain Name System (DNS) information about that domain and respond to the query with its digital signatures attached, thereby sending junk traffic to the victim’s Internet Protocol (IP) address.

Rex Linux trojan can launch DDoS attacks, lock websites, mine for cryptocurrency. Stormshield and Dr. Web researchers discovered that a Linux trojan, dubbed Rex, received updates that allow the trojan to infect more content management system (CMS) platforms than before, operate via an advanced peer-to-peer (P2P)-based botnet, launch distributed denial-of-service (DDoS) attacks, mine for cryptocurrency on infected hosts, and self-propagate to other vulnerable devices or servers on the local network. Researchers also found the trojan can affect Drupal, WordPress, and Magento sites, among others, and can be used to threaten other Webmasters with DDoS attacks unless a ransom fee is paid in Bitcoin, as well as to distribute spam messages.

UAC bypass with elevated privileges works on all Windows versions. An enSilo security researcher discovered a method to bypass the Microsoft Windows User Account Control (UAC) mechanism in all supported Windows versions where malicious actors can use modified environment variables, including the user’s current username and the PC’s domain, among other details, to create malicious child processes under a legitimate app and carry out attacks with elevated privileges, as Windows UAC trusts the app’s execution and will not display a warning due to the app’s high privileges. The researcher found the flaw can be exploited to load malicious dynamic link libraries (DLLs) on the system if an attacker creates a copy of the C:\Windows folder and modifies the system-wide environment variable to point to the wrong Windows operating system (OS) folder.

8/22/16

FBI searching for ‘Taxicab Bandit’ wanted in bank robberies. The FBI is searching August 18 for a man dubbed the “Taxicab Bandit” who is suspected of robbing a BestBank branch in Decatur, Georgia, 2 times since the week of August 8 and other DeKalb County banks.

‘Audi Bandit’ sought in string of Bay Area bank robberies. The FBI is searching August 18 for a man dubbed the “Audi Bandit” who is suspected of robbing at least 3 San Francisco Bay Area banks since May, including a Fremont Bank branch in Livermore and a Wells Fargo Bank branch in Pleasanton in June.

Flaws in smart sockets expose networks to remote attacks. Bitdefender researchers reported that a popular brand of smart electrical sockets is affected by serious vulnerabilities that could be exploited by a remote attacker who knows the device’s media access control (MAC) address and default password to take control of the device, make configuration changes, and obtain user information. Researchers found that the socket’s hotspot is protected by default credentials and users are not advised to strengthen them, that the mobile app transfers Wi-Fi credentials in clear text, which could allow an attacker to intercept the information, and that communications between the device and the application go through the manufacturer’s server without being encrypted, among other flaws. Researchers stated a patch for the flaws is expected to be released in the third quarter of 2016.

Global phishing numbers rise as hosting firms fail to respond. Cyren released its Cyberthreat Report that analyzed global phishing operations and found that the total number of malicious phishing Uniform Resource Locators (URLs) spread on the Internet increased by 14 percent in quarter 2 of 2016 to 4.44 million, and revealed that 20 percent of all phishing pages disappear after 3 hours, with only 40 percent of all pages lasting more than 2 days. The report also states that Google Chrome and Mozilla Firefox are the quickest to identify phishing pages and malicious sites, with Chrome detecting 73.9 percent of phishing pages within 48 hours and Firefox marking 52.2 percent of the sites.

Locky ransomware reverts to malicious macros. FireEye researchers discovered that the Locky ransomware reverted to using Microsoft Office documents embedded with malicious macros to distribute the malware to individuals and organizations in the health care, telecommunications, and transportation industries. Researchers reported that the DOCM files install the ransomware onto a victim’s device once the malicious macros are enabled.

8/19/16

Thousands stolen with ATM skimmers in St. Paul. Authorities are searching August 17 for a group suspected of stealing tens of thousands of dollars from more than 100 people in St. Paul, Minnesota, after installing skimming devices on 2 ATMs at a Bremer Bank branch and a Top Line Federal Credit Union branch in St. Paul.

Cisco patches critical flaws in Firepower Management Center. Cisco released patches for its Firepower Management Center to address several flaws in the appliance’s Web-based graphical user interface (GUI), including a medium-severity cross-site scripting (XSS) flaw, a critical vulnerability that could allow an authenticated attacker to remotely execute arbitrary commands on a device with root-level privileges, and a flaw that could allow an authenticated attacker to elevate user account privileges due to insufficient authorization checking in the Firepower Management Center and the Cisco ASA 5500-X series with select versions of FirePOWER Services. Cisco researchers stated there is no evidence the flaws have been exploited in the wild.

Cisco patches zero-day included in Shadow Brokers leak. Cisco released security patches after The Shadow Brokers, a group selling hacking tools stolen from the Equation Group, leaked tools that contain exploits for two vulnerabilities, one of which is a zero-day vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software that can allow an unauthenticated attacker to cause a reboot of affected products and lead to remote code execution (RCE). Cisco researchers found that the exploits also leverage a vulnerability in the command-line interface (CLI) parser of ASA software that could allow an authenticated, local attacker to execute arbitrary code on the device or create a denial-of-service (DoS) condition.

WordPress plugin hijacks websites to show payday loan ads. WordFence researchers discovered that the authors of the 404 to 301 WordPress plugin were hijacking the content of other Web sites by adding code to the original Web site in order to show search engine optimization (SEO) spam on a user’s homepage and to display ads for payday loan services. The plugin authors removed the code responsible for delivering the ads, and researchers stated version 2.3.0 is safe to use.

Adwind RAT rebrands yet again, this time as JBifrost. Fortinet researchers discovered that the criminal group behind the Adwind remote access trojan (RAT) rebranded the malware as JBifrost and updated the malware to include a new column that shows an infected system’s keyboard status, a column that shows the title of the victim’s current window, a new feature that enables attackers to steal data from Web forms displayed in the Google Chrome browser, and a new tab called Misc that enables users to configure additional JBifrost servers. Researchers also found that JBifrost only accepts Bitcoin and that the RAT’s Web site now requires an invitation code to register and purchase the malware.

8/18/16

N.J. woman stole $89K in credit card scheme, cops say. A former accountant at Forever Collectibles in Somerset, New Jersey, was charged August 16 for her role in an $89,000 credit card fraud scheme where she and a co-conspirator allegedly put the refunds from customers’ returned items onto her family and friends’ credit cards instead of the customers’ cards between March and December 2015.

Vawtrak banking trojan uses SSL pinning, DGA. Fidelis security researchers discovered that a new version of the Vawtrak banking trojan includes a domain generation algorithm (DGA) that generates .ru domains using a pseudorandom number generator (PRNG) in the trojan’s loader, uses Hypertext Transfer Protocol Secure (HTTPS) to protect command and control (C&C) communications, and leverages certificate pinning, or secure sockets layer (SSL) pinning, which helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications. Researchers stated the trojan performs checks based on the certificate’s Common Name to identify the domain names associated with the certificate, and uses a public key from the initial inject carried out by the malware loader in order to ensure that no other certificates are accepted.

Backdoor abuses TeamViewer to spy on victims. Dr. Web security researchers discovered that a backdoor trojan, dubbed BackDoor.TeamViewrENT.1 and distributed under the name “Spy-Agent,” was installing legitimate TeamViewer components on a compromised device to spy on victims in the U.S., Europe, and Russia, steal victims’ personal information, and install other malicious programs on the device. Researchers found that the trojan disables error messaging for the TeamViewer process, changes the attributes of its files and the TeamViewer files to “system,” “hidden,” and “read only,” and kills the TeamViewer process if Microsoft Windows Task Manager or Process Explorer is detected, in order to hide its presence on an infected device.

User data leaked from analytics company Social Blade. Social Blade, a data provider for YouTube, Twitch, and Instagram accounts, confirmed that its Website and forum were hacked in August after LeakedSource researchers discovered that the details of 13,009 forum users and 273,806 Website users were leaked, including email addresses, usernames, password hashes, and Internet Protocol (IP) addresses, among other information, after a malicious actor obtained a partial database dump by exploiting a vulnerability in the forum software. Social Blade reset all user passwords and shut down its forum.

Chrome and Firefox attacked by simple URL spoofing bug that facilitates phishing. A security researcher discovered that a flaw affecting security features in Google Chrome and Mozilla Firefox can be exploited to spoof Uniform Resource Locators (URLs) in the browser address bar. The researcher found that the browsers handle URLs written with mixed right-to-left (RTL) (Arabic) and left-to-right (LTR) (Roman) characters incorrectly, which confuses the browsers and forces them to switch parts of the URL, thereby tricking the user into thinking that they are accessing a different Website than the one they are on. The researcher stated a hacker running a phishing site can add a few Arabic characters to a server’s Internet Protocol (IP) address to make it appear as the domain of a legitimate Website and embed this URL in a spam email, short message service (SMS), or instant messaging (IM) message in order to redirect a user to the malicious actor’s server.

8/17/16

‘Bearded Bandit’ bank robbery suspect arrested in San Francisco. FBI officials reported August 15 that a man dubbed the “Dreaded Bandit” was arrested in San Francisco August 12 after he allegedly committed 4 bank robberies in the San Francisco Bay Area since April.

FalseCONNECT vulnerability affects software from Apple, Microsoft, Oracle, more. A security researcher discovered a flaw in how applications from several vendors respond to HTTP/1.0 407 Proxy Authentication Required responses to Hypertext Transfer Protocol (HTTP) CONNECT requests. An attacker with a foothold in a compromised network and the ability to listen to proxy traffic can detect HTTP CONNECT requests sent to the local proxy and issue a 407 Proxy Authentication Required response, prompting the user to input a password for a specific service and authenticate, thereby sending the credentials to the malicious actor. Researchers stated that WebKit-based clients, including Google Chrome, Apple’s iTunes, and Google Drive, among others, are most vulnerable to the attack.

Windows script files used to deliver Locky ransomware. Researchers from Trend Micro warned that a Locky ransomware variant was being delivered to targeted organizations using Microsoft Windows script (WSF) files in order to download the malware payload and make detection more difficult, as WSF files are not engine-specific, can contain more than one scripting language, and are not monitored by typical endpoint security solutions, thereby increasing the chances of bypassing sandboxes and blacklisting technologies. Researchers stated the cybercriminals were targeting companies and that the files delivering Locky were compressed in ZIP archives and attached to emails with business-related subject lines.

8/16/16

RI State police following trail left by ATM skimming crime ring. Rhode Island police are searching August 12 for a group suspected of installing skimming devices on at least 4 ATMs across Rhode Island since June and using the stolen information to make large cash withdrawals from ATMs at other area banks.

Sharp increase in malware utilizing SSL. Blue Coat released a report revealing that the number of malware samples employing secure sockets layer (SSL) increased from 500 samples per month to 29,000 over a 2 month period, and that the number of active command and control (C&C) servers using SSL-protected connections to communicate with their bots increased from 1,000 servers in quarter 1 of 2015 to 200,000 servers in quarter 2. The security firm reached these findings after analyzing the detections and infrastructure of common malware families known to implement SSL for protection, along with cyber-criminal activity from January 2014 – December 2015.

New FFS Rowhammer attack hijacks Linux VMs. Researchers from the Vrije University in the Netherlands discovered a new version of the Rowhammer attack, dubbed Flip Feng Shui (FFS), that works in conjunction with memory deduplication and is capable of compromising the memory of shared Linux-based virtual machines (VMs) used for cloud hosting services. The attack could allow an attacker who buys access to cloud services co-hosted with the victim to gain control of the victim’s accounts despite the absence of software vulnerabilities. Researchers discovered the flaw is in the cryptographic software and stated the attack can be used in multiple other forms and applications in the software stack.

New Windows trojan steals enterprise data and Microsoft Office files. Security researchers from Bleeping Computer discovered malicious actors were distributing a new infostealer trojan as a file, dubbed Aug_1st_java.exe, that disguises itself as a process of the Google Chrome browser and targets 11 file types specific to enterprise environments, including extensions associated with Microsoft Office applications. The trojan gathers information about the computer, including the username, version of Windows, and a list of currently installed applications, among other data, and then uploads the files to its command and control (C&C) server via the Microsoft Message Queuing (MSMQ) protocol. Researchers also found that the infostealer trojan modifies the Windows Registry after installation in order to run automatically when the victim reboots their computer.

8/15/16

Police bust identity theft scheme that netted $650K. Two Houston residents were arrested August 11 for their roles in a more than $650,000 credit card fraud scheme where the duo and another co-conspirator allegedly used 2 southwest Houston businesses, Lagos Island Café and Lace Warehouse and African Fashions, to steal the identities of at least 12 customers in order to apply for and obtain 116 credit cards from 8 different Houston-area financial institutions. The charges allege that one of the co-conspirators ran the credit cards under a fraudulent business name, Sleek Auto Sales, and deposited the funds into a personal bank account.

Locky ransomware uses vulnerable PHP forms for spam distribution. Researchers from Cisco’s OpenDNS team discovered that the group behind the Locky ransomware is leveraging security flaws in a PHP: Hypertext Preprocessor (PHP)-based Web-to-email service. A vulnerability in a PHP contact form script allows the cybercriminals to brute-force the Web form and make it send a message with the Locky payload attached to any email address. Researchers advised users to update their PHP Web-to-email form to the latest version to fix the problem.

Microsoft patches flaw related to “malicious butler” attack. Microsoft released a patch addressing a serious Windows authentication bypass vulnerability, dubbed the “remote malicious butler” attack, after researchers discovered the flaw can be leveraged remotely to bypass authentication on the Windows login screen. The researchers also found that on a patched version of Windows, a device’s password could still be changed if the rogue domain controller was disconnected in the middle of the password reset process. Researchers stated the patch addresses both the local evil maid attack and the remote butler version of the attack.

8/12/16

SEC charges former professional football player with running $10 million fraud. The U.S. Securities and Exchange Commission charged Cavalier Union Investments LLC and its 2 co-owners August 10 for running a $10 million investment fraud scheme where the duo allegedly misled investors about the unregistered debt securities they sold and convinced investors that the company’s investment funds were operated by experienced advisers in order to divert nearly $6 million of the investors’ funds to pay for personal expenses and to repay earlier investors. Officials also announced parallel criminal charges against one of the company’s owners for his role in the scheme.

Linux flaw allows attackers to hijack web connections. Researchers from the University of California at Riverside and the U.S. Army Research Laboratory discovered a vulnerability in the Transmission Control Protocol (TCP) specification as implemented in the Linux kernel that could be leveraged to intercept TCP-based connections between two hosts on the Internet, track users’ activity, terminate connections, and inject arbitrary data into a connection. An off-path attacker who knows only the Internet Protocol (IP) addresses of the two communicating devices can deduce the sequence numbers that identify the TCP packets exchanged between them. Developers of various Linux distributions were working to fix the security hole.

Chrome, Firefox, and IE browser hijacker distributed via legitimate software. Intel McAfee security researchers discovered recent versions of the Bing.vc malware were being delivered to Google Chrome, Mozilla Firefox, and Microsoft’s Internet Explorer via legitimate-looking applications distributed by Lavians Inc. The malware takes over the browser’s homepage, inserts ads into visited sites, and redirects users to Bing.vc in an attempt to sell victims an expensive utility to fix the browser hijacking problem. Researchers stated users must remove the registry keys or use an automated PC clean-up utility, as well as clean the shortcuts for each browser, in order to clear the malware from an infected system.

Secure Boot vulnerability exposes Windows devices to attacks. Two researchers, known as MY123 and Slipstream, discovered that the new type of Secure Boot policy introduced in the Microsoft Windows 10 Anniversary Update, v1607, can be exploited to bypass the security feature and install rootkits and bootkits on Windows devices. They found that the new supplemental policies are loaded by the boot manager without being properly checked and can be used to enable “test-signing,” a feature that, once activated, allows an attacker to bypass Secure Boot and load the malware. Researchers stated the attack can only be carried out by an attacker with admin privileges or physical access to the targeted device, and Microsoft was working to release a patch for the issue.

8/11/16

Brea man pleads guilty in $9 million mortgage modification scheme. The former owner and operator of California-based Rodis Law Group pleaded guilty August 9 for his role in a $9 million fraudulent mortgage modification scheme where he and co-conspirators convinced over 1,500 struggling homeowners to pay for fraudulent services from the Rodis Law Group by falsely claiming the firm consisted of a team of attorneys experienced in negotiating lower principal balances and interest rates on mortgage loans, among other misrepresentations, from October 2008 – June 2009. Two other co-conspirators have pleaded guilty for their roles in the scheme.

Data of nearly 2 million users exposed in Dota2 forum hack. Researchers from LeakedSource reported that the Dota2 official developers forum was breached July 10 after hackers stole the usernames, email addresses, user identifiers, passwords, and IP addresses of nearly 2 million of the forum’s users. The stolen passwords were hashed with the MD5 algorithm and salted. Forum administrators patched the vulnerability and reset all user account passwords.

Microsoft patches flaws in Windows, Office, browsers. Microsoft released 9 security bulletins patching a total of 27 important and critical vulnerabilities, including 9 critical vulnerabilities in Internet Explorer and 8 critical flaws in Edge that can be exploited for remote code execution and information disclosure by tricking a targeted user into visiting a malicious Website, remote code execution issues in Windows, Office, Skype for Business, and Lync caused by the way the Windows font library handles specially crafted embedded fonts, and critical flaws in Office that can be leveraged for remote code execution if a victim opens a malicious file, among other vulnerabilities.

Juniper starts fixing IPv6 processing vulnerability. Juniper Networks released hotfixes for its JUNOSe E3 and E2 products resolving a vulnerability in its JUNOSe and Junos routers after Cisco researchers discovered the flaw can be exploited to cause a denial-of-service (DoS) condition by sending a flood of specially crafted IPv6 Neighbor Discovery (ND) packets from non-link-local sources to affected devices in order to fill up the packet processing queue and cause legitimate IPv6 ND packets to drop. The company was working to release patches for the issue.

Researchers hide malware inside digitally signed files without breaking hashes. Security researchers from Deep Instinct discovered attackers could inject malware inside a digitally signed binary without affecting the overall file hash after finding that Microsoft Windows does not include three fields from a file’s Portable Executable (PE) headers during the file hash validation process and that modifying these fields does not break the certificate’s validity, allowing the malicious files to avoid detection by security and antivirus software. Researchers stated the technique does not require attackers to hide the malicious code via packers and bypasses any secondary checks of security software.

Go-based Linux trojan used for cryptocurrency mining. Doctor Web researchers reported that a new Linux trojan, dubbed Linux.Lady.1, allows hackers to earn a profit by exploiting infected systems for cryptocurrency mining. The trojan collects information on an infected machine, including the operating system, central processing units (CPUs), and running processes, and sends the harvested data back to a command and control (C&C) server, which then provides a configuration file for downloading a cryptocurrency mining application designed for Monero (XMR) mining. Researchers also found the trojan is capable of spreading to other Linux computers on an infected network by connecting to remote hosts over port 6379 without a password and downloading a script from a specified Uniform Resource Locator (URL), which is responsible for downloading and installing a copy of the trojan.

8/10/16

Vulnerabilities found in several Fortinet products. Vulnerability Lab released the details of several flaws affecting the Web interface of the Fortinet FortiManager and FortiAnalyzer security management and reporting appliances, including a vulnerability that can be exploited by a remote attacker with access to a low-privileged user account to inject arbitrary code into the application if a victim clicks on a link or visits a Webpage containing the malicious code, a filter bypass issue, and multiple persistent cross-site scripting (XSS) flaws in the FortiVoice enterprise phone systems that can be exploited by a remote, authenticated attacker, among other security flaws. Fortinet released patches for all of the vulnerabilities and advised users to update their Fortinet product installations.

Serious flaws found in Netgear, NUUO network video recorders. U.S. Computer Emergency Readiness Team (CERT) Coordination Center researchers warned that select network video recorders from NUUO Inc., and Netgear, Inc., were plagued by seven vulnerabilities including two input validation issues that could allow unauthenticated attackers to execute arbitrary code with root or admin privileges, an information disclosure bug that could allow a remote, unauthenticated attacker to view details on system processes, available memory and filesystem status by accessing a hidden page with a hardcoded username and password, and two flaws that can be leveraged to carry out arbitrary operating system (OS) commands and arbitrary code by any remote attacker who obtains admin privileges, among other flaws.

8/9/16

Midwest Bank officials, FDIC in settlement for $26.5 million over loans. The Federal Deposit Insurance Corporation announced August 5 that 18 former Midwest Bank officers and directors agreed to pay a total of $26.5 million to settle charges alleging that the officers’ negligence in lending over $100 million to 6 risky borrowers from 2005 – 2008 without properly analyzing the borrowers’ creditworthiness caused the bank over $128 million in losses.

New ATM hacking method uses stolen EMV card data. Rapid7 researchers discovered that Europay, Mastercard, and Visa (EMV) cards are susceptible to fraudulent transactions after finding that an attacker could insert a shimming device into the card slot of a point-of-sale (PoS) system to intercept and capture card data, which is then remotely sent to another device, dubbed “La-Cara.” La-Cara feeds the stolen transaction data to the targeted ATM, thereby allowing the fraudsters to withdraw up to $50,000 from the victim’s card.

Remote Butler attack: APT groups’ dream come true. Microsoft security researchers developed an extension of the “Evil Maid” attack dubbed “Remote Butler,” which allows attackers to bypass local Windows authentication and defeat full disk encryption without physical access to the targeted device. A patch released by Microsoft for the “Evil Maid” attack also prevents attackers from carrying out a “Remote Butler” attack.

Cerber ransomware v2 spotted online, is now undecryptable. Trend Micro researcher PanicAll discovered that the Cerber ransomware was updated in versions v1.5 and v2 to break a previous decryption tool that allowed users to recover their encrypted files for free. The updates changed the extension added at the end of each encrypted file from “.cerber” to “.cerber2,” and extended the encryption keys generated by Microsoft’s CryptGenRandom application programming interface (API) from 16 bytes to 32 bytes, among other updates.

Linux botnets dominate the DDoS landscape. Kaspersky Lab released its distributed denial-of-service (DDoS) Intelligence Report, which reported that Linux botnets accounted for 70.2 percent of all DDoS attacks initiated during quarter 2 (Q2) of 2016, up from 44.5 percent of DDoS attacks in quarter 1. The report also stated that SYN floods were the most popular DDoS attack method during Q2, followed by transmission control protocol (TCP), Hypertext Transfer Protocol (HTTP), and Internet control message protocol (ICMP) floods.

New Remcos RAT available for purchase on underground hacking forums. Symantec researchers reported that a malware developer dubbed Viotto posted the Remcos Remote Access Trojan (RAT), targeting Microsoft Windows versions XP and higher, for sale on underground hacking forums. The RAT gives hackers the ability to take screenshots of infected computers, log keystrokes offline or in real time, and record content via the infected device’s camera, among other malicious actions, and sends the stolen data encrypted via Hypertext Transfer Protocol Secure (HTTPS) to the command and control (C&C) server. Researchers also discovered the trojan can queue operations to be carried out when the victim goes online and includes a password dumping component that can dump passwords from applications like Microsoft’s Internet Explorer, Mozilla Firefox, and Apple Inc.’s Safari, among others.

VMware Tools flaw allowed code execution via DLL hijacking. VMware published an advisory describing two vulnerabilities in several of its products. The first is a dynamic-link library (DLL) hijacking issue in the Windows version of VMware Tools, related to the VMware Host Guest Client Redirector component, that could be exploited to execute arbitrary code on a targeted system: when a document is opened from a uniform naming convention (UNC) path, the Client Redirector injects a DLL named “vmhgfs.dll” into the application used to open the file, allowing an attacker to load a malicious DLL into the application and compromise the system. The second vulnerability is a Hypertext Transfer Protocol (HTTP) header injection issue in vCenter Server and ESXi caused by a lack of input validation that could allow a hacker to launch cross-site scripting (XSS) or malicious redirect attacks.

8/8/16

Federal court permanently bars Maryland tax preparer from preparing federal tax returns. The U.S. District Court for the District of Maryland announced August 3 that the owner and operator of 6 Liberty Tax franchises in Baltimore has been permanently barred from preparing Federal tax returns after she allegedly filed 1,222 fraudulent tax returns that reported false household help incomes, among other fraudulent claims, and intentionally omitted Social Security Income and Wage and Tax Statement income. The charges also allege that the tax preparer kept each refund as a fee and paid customers a $50 cash payment as part of Liberty Tax’s “Cash-in-a-Flash” promotion.

HEIST attack can steal data from HTTPS-encrypted traffic. Two security researchers discovered hackers could carry out a Web-based attack, dubbed HEIST, to steal encrypted content from Hypertext Transfer Protocol Secure (HTTPS) traffic. The attack embeds special JavaScript code on a Webpage that fetches content via a hidden JavaScript call from a private page containing sensitive information, including credit card numbers and Social Security numbers, then pinpoints the size of the data transferred in small transmission control protocol (TCP) packets using a repeated probing mechanism in order to guess the content exchanged in the HTTPS traffic. Researchers advised users to disable support for third-party cookies or JavaScript execution in their browsers to block HEIST attacks.

58% of orgs have no controls in place to prevent insider threats. Veriato and other firms released the Insider Threat Spotlight Report, which found that nearly half of the 500 cybersecurity professionals surveyed experienced an increase in insider attacks since 2015, 58 percent of organizations lack appropriate controls to prevent insider attacks, and 44 percent of those surveyed were unaware whether their organization had experienced an insider attack. The survey also found that the endpoint is the most common point for a malicious actor to launch an insider attack, followed by mobile devices.

8/5/16

Venmo fixes hole that allowed attackers to steal $2,999.99 per week using Siri. Venmo patched an attack vector in its digital wallet service after a security researcher discovered attackers could exploit design flaws in Venmo and Apple’s iPhone operating system (iOS) to approve roughly $3,000 a week in money requests. A malicious actor with physical access to a victim’s iPhone could instruct Siri to send a message to Venmo’s five-digit phone number, and the iOS device would handle the payment request instead of showing app notifications to the user. Venmo removed the Short Message Service (SMS) “reply-to-pay” functionality and released other smaller fixes for features that made the service vulnerable to similar attacks.

Washington Twp. TD Bank teller admits to $600K scam. A former teller at a TD Bank branch in Washington Township, New Jersey, pleaded guilty to Federal charges August 2 after she embezzled $608,000 from 8 bank customers between 2014 and 2015 by transferring money from dormant checking accounts into personal bank accounts or by obtaining cashier’s checks issued in her name. Officials stated the former teller used the stolen funds for personal use.

Critical flaws found in Cisco small business routers. Cisco released patches for its small business RV series routers after researchers discovered a critical flaw affecting the Web interface that allows remote, unauthenticated attackers to execute arbitrary code with root privileges, a high severity flaw that can be exploited remotely to perform a directory traversal and access arbitrary files on the system, and a medium severity command shell injection flaw that could allow a local attacker to inject arbitrary shell commands that are then executed by the device, among other vulnerabilities.

Google patches 10 vulnerabilities in Chrome 52. Google released an update for Chrome 52 resolving 10 security vulnerabilities after third-party developers discovered 4 high risk flaws affecting the Web browser, including an address bar spoofing flaw, a use-after-free bug in Blink, and heap overflow bugs in pdfium, as well as 3 medium risk bugs, including a same origin bypass for images in Blink and parameter sanitization failure bugs in DevTools.

Four high-profile vulnerabilities in HTTP/2 revealed. Imperva released a report at the Black Hat USA 2016 conference documenting four high-profile vulnerabilities in Hypertext Transfer Protocol (HTTP)/2 after researchers from the Imperva Defense Center found an HPACK Bomb attack resembling a zip bomb, a dependency cycle attack that takes advantage of HTTP/2’s flow control mechanisms for network optimization, stream multiplexing abuse that results in denial-of-service to legitimate users, and Slow Read attacks in server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The affected server vendors released patches for the issues.

8/4/16

Police: ATM skimming device used to steal $110k. Rhode Island police are investigating August 2 after a card-skimming device was found on an ATM at the Navigant Credit Union in Cumberland August 1 and the skimmed payment information was used to steal more than $110,000 from ATMs across the State.

2 Detroit men busted in Alabama with 177 stolen identities. Two Detroit, Michigan residents were arrested in the Birmingham, Alabama, area July 28 after authorities found 177 stolen identities from over 25 banks in the duo’s possession.

36,000 SAP systems exposed online, most open to attacks. ERPScan released a comprehensive SAP Cybersecurity Threat Report which revealed the average number of security patches for SAP products per year has decreased, while the amount of vulnerable platforms has increased and now includes modern cloud and mobile technologies such as HANA. The report also found that SAP’s Customer Relationship Management (CRM), Enterprise Portal (EP), and Supplier Relationship Management (SRM) products are most vulnerable to flaws, and that the U.S. is one of the three countries with the most exposed services, among other findings.

Google SEO trick leads users to online scam, CryptMIC ransomware. Researchers from Malwarebytes discovered an active campaign where malicious actors were abusing Google search featured snippets to show links to compromised Websites and redirect users to online stores selling product keys for Microsoft Office or hosting the Neutrino exploit kits (EK), which would in turn infect the user’s device with the CryptMIC ransomware. Researchers found the attackers could also actively search for third-party Websites listed in featured snippets that run vulnerable content management systems (CMSs), and hack the sites to deliver the ransomware.

Google patches tens of critical vulnerabilities in Android. Google released security patches for the Android operating system (OS) resolving 81 vulnerabilities including 3 remote code execution (RCE) flaws, 4 Elevation of Privilege (EoP) bugs, and 4 denial-of-service (DoS) flaws in Mediaserver, a DoS issue in system clock, and a RCE flaw in libjhead, among other vulnerabilities.

8/3/16

‘Flip-Flop’ bandit wanted in NC bank robberies captured in GA. The FBI announced August 1 that a man dubbed the “Flip-Flop Bandit” was arrested July 29 after robbing a bank in Pooler, Georgia, and multiple others in North Carolina, Tennessee, Oklahoma, and Arkansas.

Feds: Tips led to capture of ‘North Center Bandit.’ A man dubbed the “North Center Bandit” was arrested July 29 after he allegedly robbed a Chase Bank branch in Chicago June 8 and four other North Side banks since October 2015.

Windows flaw reveals Microsoft account passwords, VPN credentials. Researchers discovered a flaw in the way Microsoft Windows handles legacy authentication procedures for shared network resources: an attacker could embed a disguised link to a server message block (SMB) resource inside a Webpage or an email viewed via Outlook, and once the user accesses the link via Internet Explorer, Edge, or Outlook, the victim’s login credentials are sent to authenticate against the malicious actor’s domain. The exploit gives the hacker access to the user’s Microsoft username, virtual private network (VPN) credentials, or password, which is leaked as an NT LAN Manager (NTLM) hash.

Data of 200 million Yahoo users pops up for sale on the Dark Web. Yahoo is investigating a potential data breach after cyber-criminal Peace_of_Mind (Peace) published a listing on TheRealDeal Dark Web marketplace that reportedly offers data on over 200 million Yahoo users for 3 bitcoin, or approximately $1,800, including usernames, MD5-hashed passwords, dates of birth for all users, and in some cases, backup email addresses, country of origin, and ZIP codes for U.S. users.

Trojan in 155 Google Play Android apps affects 2.8 million users. Security researchers from Dr. Web discovered a new variant of the Android.Spy family trojan, dubbed Android.Spy.305, was plaguing 155 Android apps on the official Google Play Store and affecting over 2.8 million users. The trojan collects data about the user’s device, including the email address connected to their Google user account, the name of the app the trojan leverages for distribution, and the developer ID and software development kit (SDK) version, among other details, in order to deliver ads. Google released a list of all the apps potentially impacted by the trojan.

SSL flaw in Intel Crosswalk exposes apps to MitM attacks. Intel released updates for its Crosswalk framework after security researchers from Nightwatch Cybersecurity discovered a serious vulnerability in the Crosswalk Project library that allows malicious actors to launch man-in-the-middle (MitM) attacks and capture sensitive information transmitted by the app. The researchers found that once a user makes a network request and accepts the initial error message displayed by the app when an invalid Secure Sockets Layer (SSL) certificate is encountered, the app accepts all future SSL certificates without validation, even when connections are made via different WiFi hotspots and present different certificates.

8/2/16

Major cyber-crime campaign switches from CryptXXX to Locky ransomware. Researchers from Palo Alto Networks reported that Afraidgate, the largest source of ransomware infections via exploit kits (EK), stopped delivering the CryptXXX ransomware and began distributing the Locky Zepto variant after switching from the Angler to the Neutrino EK. Researchers stated that Afraidgate relies on malicious actors hacking Websites and adding malicious code to the site to redirect users to the Neutrino EK, whose gates are easy to discover due to their “.top” domain extensions.

IP of ancient Conficker C&C domains resurfaces in new website hacking scheme. Sucuri’s forensic team discovered hacked Websites were redirecting their own traffic to one of their subdomains hosted on another server, prompting an investigation into the Websites which revealed the sites had been registered through NameCheap and were abusing the company’s FreeDNS service to hijack legitimate sites by redirecting domain name queries to the server’s IP address, which had been previously used to host command and control (C&C) servers for the Conficker malware.

New “QRLJacking” attack targets QR code logins. An independent researcher discovered that the Quick Response (QR) Login process is susceptible to a QRLJacking attack after finding that a hacker could take the login QR code from the target Website and place it on a phishing page in order to trick the user into visiting the page and scanning the code, thereby sending the secret login token to the hacker instead of the legitimate Website and allowing the hacker to hijack the session. Researchers stated that the attack can be avoided by opting out of the QR Login feature and using a regular password for sites and apps that offer QR logins.

Android trojan SpyNote leaks on underground forums. Researchers from Palo Alto Networks reported a new Android trojan dubbed SpyNote has been leaked on several underground forums and allows hackers to steal users’ messages and contacts, record audio using the device’s built-in microphone, listen in on a user’s calls, and control the device’s camera, among other illicit actions. Researchers stated the trojan, which prompts users for a long list of permissions on installation, is capable of updating itself and installing other rogue applications on the device.

8/1/16

Shelby County woman indicted for bank fraud. A former office manager and bookkeeper for Total Fire Protection in Alabaster, Alabama, was charged July 27 after she allegedly used the personal information of several individuals to embezzle approximately $328,000 from Total Fire Protection and related companies’ bank accounts from 2013 – 2015. The charges also allege the former manager drew unemployment benefits from the State under another person’s Social Security number and underreported her taxable income from 2013 – 2014.

SpyNote Android RAT builder has been leaked. Palo Alto Networks’ researchers warned that a builder for the SpyNote Android remote access trojan (RAT) is being distributed freely on several underground hacker forums. The builder configures the RAT to contact a specific command and control (C&C) server over a specific port and to remove its icon once it is installed. The malware is capable of viewing messages on infected devices, collecting device information, and exfiltrating files, among other tasks.

The AdGholas malvertising campaign infected thousands of computers per day. Proofpoint researchers reported that the group behind the malvertising operation AdGholas managed to distribute malicious advertisements through more than 100 ad exchanges, attracted between 1 million and 5 million page hits a day, and redirected up to 20 percent of computers that loaded the rogue ads to servers hosting exploit kits (EK) through the use of a series of complex checks and the use of steganography. The operation was suspended July 20.