Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
- Online Shopping Tips for Consumers
- ATM and Gas Pump Skimming Information
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
FBI offering reward for info leading to capture of ‘North Hills Bandits’ bank robbery suspects: The FBI is offering a $10,000 reward for information leading to the arrest of 2 robbery suspects, dubbed the “North Hills Bandits,” who carried out armed robberies at 3 banks in the North Hills area of Pittsburgh since January. FBI agents reported that the suspects appeared to have former firearms training and used different vehicles in each robbery.
HSBC Finance Corporation exposes mortgage account info: HSBC Finance Corporation notified at least 1,000 mortgage account customers in States including New Hampshire, California, Maine, Massachusetts, and Alabama, that the company inadvertently published names, Social Security numbers, account numbers, and other personal data in a breach that was discovered March 27. The data was immediately secured following the discovery, law enforcement was notified, and HSBC offered all impacted customers a free one-year subscription to Identity Guard services.
Current threat prevention systems are not enough protection for enterprises: Findings from a recent study in automated breach detection carried out by security researchers at Seculert revealed that gateway solutions at participating Fortune 2000 enterprises only blocked 87 percent of communications from compromised devices within their networks. The report also found that about 2 percent of devices in organizations were compromised by malware while nearly 400,000 interactions that were generated went undetected, among other findings.
Company employees not sufficiently trained to avoid phishing, study finds: A survey commissioned by Intel Security of 700 respondents in businesses across multiple continents revealed that 38 percent of information technology and security professionals believe vulnerability to social engineering is a significant factor in the success of attacks and that threat actors’ use of multiple attack vectors, exploits, and payloads makes defending against attacks difficult, among other findings.
TeslaCrypt ransomware pushed by several exploit kits: Security researchers discovered that threat actors are distributing a new ransomware called TeslaCrypt via the Angler, Sweet Orange, and Nuclear exploit kits (EKs), which encrypts the typical assortment of file types along with those related to video games and game-related software, and iTunes-related files. Users have been targeted via redirects to compromised WordPress Web sites and hosts running vulnerable out-of-date Adobe Flash plugins.
Users in the U.S. targeted with ransomware via tax return-flavored emails: Security researchers at Kaspersky Lab identified a phishing scheme in which cybercriminals send emails purportedly from the U.S. Internal Revenue Service regarding tax refunds which contain rigged Microsoft Word files that download a trojan once macros are enabled. The trojan blocks access to the Internet and demands payment to a short message service (SMS) number via prepaid cards.
Police link man arrested in D.C. bank robbery to Black Hat Bandits: Court documents unsealed April 14 revealed that a man charged in the March 13 robbery of a Wells Fargo bank branch in Washington, D.C., confessed to 8 other bank robberies perpetrated by the “Black Hat Bandits” gang throughout Virginia and Maryland since January. Authorities are seeking other suspects linked to the nine robberies.
Victim of cyber-attack replies with own backdoor: Security researchers at Kaspersky Lab reported that it observed two cyberespionage advanced persistent threat (APT) groups called Hellsing and Naikon engage in deliberate APT-on-APT attacks through spear-phishing emails containing custom malware, signaling a potential new trend. Hellsing was previously linked to other APT groups and the group has targeted diplomatic organizations in the U.S.
Adobe fixes Flash Player zero-day exploited in the wild: Adobe released a new version of Flash Player for Windows, Macintosh, and Linux that addresses 22 critical vulnerabilities, including one that is exploited in the wild and could lead to code execution and an attacker taking control of the affected system. A security bypass vulnerability that could lead to information disclosure, and memory leak flaws that could be leveraged to bypass address space layout randomization (ASLR), also received fixes.
With latest patches, Oracle signals no more free updates for Java 7: Oracle released patches addressing 14 vulnerabilities in Java as part of a 98 security-issue fix that covered multiple product lines and marked the end of free Java 7 updates. Three of the Java vulnerabilities were high severity and could be exploited over networks without authentication and could lead to a complete compromise of affected systems’ confidentiality and integrity, and 12 others could be exploited from the Web through the Java browser plug-in.
Google fixes 45 security flaws with release of Chrome 42: Google released Chrome 42 for Windows, Mac, and Linux, which included fixes for 45 security issues including a cross-origin bypass flaw in the HTML parser, a type confusion in V8, a use-after-free vulnerability in inter-process communication (IPC), and an out-of-bounds write bug in the Skia graphics engine, among others. The update also removed support for the Netscape Plugin Application Programming Interface (NPAPI).
Microsoft Patch Tuesday April 2015 closes 0-day holes: 4 of 11 patches rated critical: Microsoft released 11 security bulletins that address 26 vulnerabilities, including critical remote code execution (RCE) flaws in Microsoft Office, a critical RCE vulnerability in HTTP.sys that could allow an attacker to use a malicious HTTP request to Windows Server to gain full remote control of a system, and 9 critical security holes in Internet Explorer, among others.
Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches: Findings from Verizon’s recently released annual Data Breach Investigations Report revealed that the top industries affected by data breaches in the last year were public administration, financial services, manufacturing, accommodations, and retail, and that over two-thirds of cyberespionage incidents since 2013 involved phishing attacks. The report also determined that banking information and credentials were the most common records stolen, among other findings.
Ex-Assembly speaker’s son-in-law charged in $7M Ponzi scheme: A New York investment manager and co-owner of Allese Capital was charged April 13 with defrauding investors out of $7 million in a Ponzi scheme in which he allegedly solicited securities trading investments from 2009 – 2014, and only invested portions of the funds, while using the remainder for his own benefit and to repay other investors.
Alleged creator of Svpeng Android malware arrested in Russia: Russia’s Ministry of Internal Affairs reported April 11 that the suspected developer of the Svpeng Android trojan, along with 4 co-conspirators calling themselves “The Fascists” who had allegedly used the trojan to steal money from bank accounts in the U.S. and Europe, were arrested. The malware employs a combination of short message service (SMS) hacking, phishing Web pages, credential logging, and ransomware to access victims’ accounts and steal funds.
Vulnerabilities identified in NY banking vendors: The New York State Department of Financial Services released a report on cyber security in the banking sector April 9 which revealed that one in three New York banks are neglectful of information security relating to third-party vendors and are vulnerable to backdoor access by those looking to steal data as a result. One in three banks interviewed did not require vendors to notify them in the event of a data breach, and only half had strategies prepared for breach scenarios, among other findings.
Misconfigured DNS servers vulnerable to domain info leak: The U.S. Computer Emergency Readiness Team (US-CERT) released a security statement warning that misconfigured, public-facing domain name system (DNS) servers that answer full zone transfer (AXFR) requests from unauthenticated users are vulnerable to system takeovers, redirects to spoofed addresses, and denial-of-service (DoS) attacks. Research based on Alexa data revealed that over 72,000 domains and 48,000 nameservers were affected by the issue.
18-year-old bug can be exploited to steal credentials of Windows users: A Cylance researcher identified a new technique for exploiting an 18-year-old flaw in Windows Server Message Block (SMB) present in all versions of the Windows operating system (OS). The technique allows attackers to intercept user credentials by hijacking communications with legitimate Web servers via man-in-the-middle (MitM) attacks that redirect them to malicious SMB servers, which capture victims’ usernames, domains, and hashed passwords.
Attackers use deceptive tactics to dominate corporate networks: Symantec released research revealing that spear-phishing attacks on corporations increased by 8 percent in 2014, and that email and social media had remained significant attack vectors. Researchers also found that software companies took an average of 59 days to release patches and that 24 zero-day vulnerabilities were discovered in 2014, among other findings.
Attackers can easily crack Belkin routers’ WPS PINs: A security researcher discovered that 80 percent of Belkin routers tested generated Wi-Fi Protected Setup (WPS) PINs based on the device’s own MAC address and serial number, leaving them vulnerable to discovery by attackers using unencrypted request/response packets via Wi-Fi probes.
Attacks against SCADA systems doubled in 2014: Dell: Dell revealed in its annual threat report that attacks against supervisory control and data acquisition systems (SCADA) doubled in 2014, including 51,258 attacks in the U.S., and that the attacks tended to be political in nature and targeted operational capabilities within power plants, factories, and refineries primarily in Finland, the U.K., and the U.S. The report found that 25 percent of the attacks witnessed exploited buffer overflow vulnerabilities followed by improper input validation and information exposure.
Mt. Pleasant woman admits opening fake accounts, stealing cash at Alpena bank: A former branch manager and personal banker at Citizens Bank in Alpena pleaded guilty to embezzlement and filing false tax returns April 9 after a U.S. Internal Revenue Service investigation revealed that she allegedly stole over $300,000 from 2010 – 2011 by opening bank accounts in fictitious names and transferring funds to them from certificates of deposit held by elderly and deceased customers.
Feds bust 40 suspects in ID theft-fraud takedown in South Florida: Miami officials reported April 9 that 42 individuals were charged in connection to various identity-tax refund, credit card, debit card, and Social Security fraud schemes in which the suspects allegedly used thousands of stolen identities to try to collect about $22 million in tax refunds and other government benefits from the U.S. Department of the Treasury, Florida, and other States. The suspects were paid out $3.2 million through the schemes.
Law enforcement, security firms team up to disrupt Simda botnet: U.S. and European agencies along with private security firms collaborated with Interpol to disrupt the Simda botnet by seizing 14 command and control (C&C) servers throughout the Netherlands, U.S., Poland, Luxembourg, and Russia. The malware is usually delivered via exploit kits (EK) and is often used for the distribution of malware and potentially unwanted applications (PUA), and has infected over 770,000 computers worldwide over the past 6 months.
Chinese hacker group among first to target networks isolated from internet: FireEye released findings in a technical report that identify a hacker group called Advanced Persistent Threat (APT) 30 as one of the first to target air-gapped networks with malware that has infected defense-related clients’ systems worldwide, utilizing custom-made malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives.
New Shellshock worm seeks vulnerable systems at tens of thousands of IPs: Security researchers at Volexity observed that cybercriminals had amassed 26,356 internet protocol (IP) addresses belonging to systems vulnerable to the Shellshock bug in the Bash command shell found in many Linux and Unix systems, which allows attackers to execute arbitrary commands by appending them after a function definition stored in an environment variable. Scanning for vulnerable systems has since decreased and the malicious files were removed from the IP address hosting them.
Siemens patches DoS, other vulnerabilities in SIMATIC HMI products: Siemens began releasing security updates addressing several vulnerabilities in its SIMATIC HMI (human-machine interface) devices, including one that allows attackers positioned between the HMI panel and the programmable logic controller (PLC) to cause a denial-of-service (DoS) condition and intercept or modify industrial communication by sending specially crafted packets to transmission control protocol (TCP) port 102. Additional vulnerabilities include the ability to launch a man-in-the-middle (MitM) attack, and a flaw that allows users to authenticate themselves with password hashes instead of full passwords.
SEC announces fraud charges against former accounting executive at Japanese subsidiary: The U.S. Securities and Exchange Commission charged the former controller of Lisle-based Molex Japan Co. Ltd., a Japanese subsidiary of Molex Incorporated, with fraud April 9 after he allegedly caused the company $201.9 million in net losses through unauthorized equity trading in the company’s brokerage accounts, which he tried to conceal by falsifying records and taking out unauthorized loans with Japanese banks and brokerage firms to replenish the funds and engage in further trading.
SEC halts microcap scheme in South Florida: The U.S. Securities and Exchange Commission announced fraud charges and an asset freeze April 9 against the CEO and 3 sales agents of Boca Raton-based eCareer Holdings, Inc., in a microcap scheme in which they allegedly defrauded over 400 investors out of more than $11 million since 2010 by selling unregistered stock shares in the company, falsely advertising the shares as a profitable investment, and concealing the exorbitant fees being paid to the sales agents.
Federal agency sues collectors of “phantom debt”: The Consumer Financial Protection Bureau unsealed a March 26 lawsuit April 9 against two Georgia men, co-conspirators, and 7 debt collection companies following allegations that the firms used cold calls to convince millions of consumers to pay debts they did not owe through tactics that involved purchasing personal information such as bank account numbers from data brokers. A telemarketing company and several payment processing companies were also charged in the scheme.
OS X 10.9.x and older vulnerable to hidden backdoor API: A Swedish security researcher discovered a hidden backdoor application programming interface (API) in the Admin framework of Apple OS X versions prior to 10.10.2 that could let attackers holding either an admin or a regular user account gain root access. Apple patched the issue in its release of OS X 10.10.3.
United States, South Africa most affected by Changeup worm: A task force of European and American law enforcement organizations and private security companies including Intel, Kaspersky, and Shadowserver took action to disrupt the Changeup worm botnet and sinkhole its command-and-control (C&C) servers. The worm morphed every few hours and leveraged a LNK vulnerability in Windows to infect approximately 30,000 systems in early 2015, and downloaded other pieces of malware including banking trojans, click-fraud programs, crypto-malware and other botnet threats.
Cisco threat defense tool vulnerable to DoS attack: Cisco released a security advisory that a flaw in the company’s ASA FirePOWER and Context Aware (CX) Services can be exploited to allow attackers to cause denial-of-service (DoS) conditions by sending a high rate of crafted packets to the services’ management interface. Cisco released updates for the products addressing the issues as well as three additional related glitches.
Group uses over 300,000 unique passwords in SSH log-in brute-force attacks: Security researchers from Cisco Talos Group and Level 3 Communications collaborated to monitor and take down netblocks being used by a group of cybercriminals dubbed SSHPsychos to run large amounts of scanning traffic, utilizing a dictionary to find root user log-in credentials and install distributed denial-of-service (DDoS) rootkits that add compromised systems to a persistent DDoS botnet.
I-78 traffic stop nets wanted man with 75 fake credit cards in pants, police say: A New York man was arrested and charged April 7 after Pennsylvania State Police officers found 75 fake credit cards in his possession during a traffic stop on Interstate 78 in Lehigh County. The man was sent to the county jail and will be extradited to New York due to a separate warrant.
4 Miami residents indicted in international mortgage fraud scheme: The U.S. Attorney’s Office for the Southern District of Florida announced the indictment of 6 individuals and 3 companies April 8 in reference to an international mortgage fraud scheme in which the individuals allegedly used fraudulent loan applications and other documents to apply for over $9 million in mortgage loans from Chevy Chase Bank, JP Morgan Chase Bank, and Washington Mutual Bank for residential properties in Miami-Dade and Palm Beach counties from October 2004-May 2007.
Over 100 forum websites foist poorly detected malware: Security researchers at Cyphort discovered a supposed click-fraud campaign that exploits Web forums running outdated versions of vBulletin or IP Board software to use malicious code to direct visitors to a landing page hosting the Fiesta exploit kit (EK) to deliver Gamarue and FleerCivet malware that steals information and injects backdoor trojans. The malware ensures persistence by avoiding virtual environments and disabling security settings on compromised systems, and exploits vulnerabilities found in Internet Explorer and in Adobe Flash Player version 220.127.116.116 and earlier.
Apple iOS 8.3 includes long list of security fixes: Apple released iOS 8.3 for iPhone and iPad users patching over three dozen vulnerabilities, including flaws in the mobile operating system’s kernel, several bugs in WebKit, and a number of code-execution bugs.
Deadly combination of Upatre and Dyre trojans still actively targeting users: ESET researchers discovered that an email campaign targeting users worldwide utilizes a combination of the Upatre (Waski) downloader and Dyre/Dyreza banking trojans delivered via simple spam emails to gain information about compromised systems and intercept online banking credentials. Researchers believe that the scheme is part of the larger, previously discovered Dyre Wolf campaign that has targeted businesses around the world.
Google Chrome extension criticized for data collection: Security researchers at ScrapeSentry and Heimdal Security reported that the Webpage Screenshot Google Chrome third-party extension contained malicious code that allowed for copies of all browser data to be sent to a server in the U.S. Google removed the extension from the Chrome Web Store, and Webpage Screenshot claimed that the information was only used for marketing and development purposes.
Two NTP key authentication vulnerabilities patched: The Network Time Protocol (NTP) project patched two vulnerabilities involving symmetric key authentication. The first allowed attackers to bypass message authentication code (MAC) checks and send forged packets to clients; the second allowed attackers to create denial-of-service (DoS) conditions when peering hosts receive packets with mismatched timestamps.
Troopers arrest Warwick man for embezzling $142K from manufacturer: Rhode Island State Police charged a Warwick man with embezzling $142,114.31 from United States Associates, LLC April 6 following allegations that the suspect was stealing and selling company inventory and keeping the proceeds for himself. An investigation found that the man was receiving checks from one of the company’s customers who had been ordering directly from him.
SEC charges L.A.-based Pacific West Capital Group with fraud in sale of life settlement investments: The U.S. Securities and Exchange Commission charged Los Angeles-based Pacific West Capital Group Inc., and its owner April 7 with fraud in the sale of life settlement investments for failing to disclose risks associated with the investments and for using the proceeds from the sale of new life settlements to continue funding previously sold investments, raising over $100 million from investors. Ohio-based PWCG Trust and five Pacific West sales agents were also charged in the scheme.
SEC files fraud charges against former Syracuse star, New York Giant player: The U.S. Securities and Exchange Commission filed civil fraud charges April 6 against a former National Football League player, his business partner, and Capital Financial Partners investment firms in connection to an alleged Ponzi scheme in which the pair paid approximately $7 million in investors’ money instead of using profits from the investments after paying out about $20 million to investors but only receiving around $13 million in loan repayments. The pair also misled investors about the terms and existence of loans and used some funds to cover personal expenses.
Stored XSS glitch in WP-Super-Cache may affect over 1 million WordPress sites: Security researchers from Sucuri discovered a cross-site-scripting (XSS) vulnerability in WP-Super-Cache plug-in versions prior to 1.4.4 for WordPress sites that could allow attackers to add new administrator accounts to the Web sites or inject backdoors due to improper sanitization of information originating from users. The plugin currently has over 1 million active installations and developers released a new version repairing the issue.
New evasion techniques help AlienSpy RAT spread Citadel malware: Fidelis researchers reported that hackers have co-opted the AlienSpy remote access tool (RAT) and are spreading it via phishing messages to deliver the Citadel banking trojan and establish backdoors inside a number of critical infrastructure operations, including technology companies, financial institutions, government agencies, and energy companies. The tool has the capability to detect whether it is being executed inside a virtual machine, can disable antivirus and other security tools, and employs transport-layer security (TLS) encryption to protect communication with its command-and-control (C&C) server.
Widespread outages hit Windows 8/8.1 Metro Mail, Windows Live Mail, Windows Phone 8.1 mail: Microsoft reported that its Windows 8 and 8.1 Metro Mail, Windows Live Mail, and Windows Phone 8.1 Mail clients were experiencing widespread outages for at least 6 hours April 8 that prevented the syncing and sending of email, and that the issue is expected to be resolved within 24 hours.
Majority of critical infrastructure firms in Americas have battled hack attempts: Survey: A report released by Trend Micro and the Organization of American States revealed that in the last year 40 percent of 575 security leaders throughout critical infrastructure sectors dealt with network shutdown attempts, while 44 percent faced attempts to delete files, and 60 percent faced hacking attempts aimed at stealing vital information. The survey also found that 54 percent of organizations dealt with attempts at equipment manipulation through control networks or systems.
Fake downloads for Android vulnerability scanner lead to persistent ads: Security researchers at Trend Micro identified three fraudulent Web sites that claim to provide a tool to scan for previously-identified Android Installer hijacking vulnerabilities, which instead redirect users to risky locations that display persistent ads and install Android application package (APK) files on devices automatically.
Lazy remediation leaves most Global 2000 firms vulnerable after Heartbleed Flaw: Report: Venafi released new research revealing that as of April 2015, 74 percent of 1,642 Global 2000 organizations with public-facing systems vulnerable to the Open Secure Socket Layer (OpenSSL) Heartbleed flaw failed to fully remediate the risks around the flaw despite warnings and guidance. The study also found that 85 percent of the organizations’ external servers were still vulnerable and that 580,000 hosts belonging to them were not completely remediated.
Drive-by-login attack identified and used in lieu of spear phishing campaigns: Security researchers at High-Tech Bridge reported that attackers are increasingly utilizing drive-by-login attacks, in which vulnerabilities in infected Web sites are leveraged to install backdoors that deliver malware directly to specific, targeted visitors. Researchers believe that these types of attacks are likely to be used in Advanced Persistent Threat (APT) campaigns and could eventually replace phishing attacks.
Simple FedEx email slips malware on the computer: Researchers discovered a FedEx phishing campaign that relies on the curiosity of victims to open an attachment in an email purportedly from the company which installs a malware dropper that can steal sensitive data from the system or add it to a network of compromised computers.
Word documents with scrambled text deliver banking trojan in the background: Security researchers from Cisco’s Talos research group discovered a new variant of the Dridex banking trojan being delivered via incomprehensible malware-laden Microsoft Word documents that trick users into enabling macros before using PowerShell to download and execute the trojan from a hard-coded IP address. The malware campaign lasted for less than 5 hours before antivirus solutions responded.
Dell System Detect flagged as a risk by antivirus product: Malwarebytes added Dell’s System Detect tool to its list of potentially unwanted applications (PUP) due to a serious remote code execution vulnerability in older versions that attackers could exploit by initiating requests from Web sites containing a “dell” string to download and launch files following an easily bypassed authentication process. Dell mitigated the vulnerability in an update released during the week of March 30.
Angler Exploit Kit now relies on more successful infection tactics: Security researchers from Zscaler’s Threat Lab identified an evolution in the Angler Exploit Kit (EK) in which attackers are utilizing 302 Cushioning and domain shadowing as infection vectors, in addition to typical malvertising that targets users with outdated browser plug-ins. Researchers believe that the malware dropped by Angler EK in recent attacks was a Carberp family banking trojan.
American Express card info exposed to cybercriminals: A law enforcement investigation revealed that financial and personal information, including the Social Security numbers of at least 500 California residents was revealed to unauthorized persons. The company notified affected account holders while authorities investigate the circumstances surrounding the breach.
Va. Beach employee had accidental access to millions: The city of Virginia Beach revealed a potential security breach April 3 in which Bank of America gave a city employee setting up a petty cash and small expenses account access to nine municipal bank accounts containing millions of dollars for 5 – 6 years. Authorities do not suspect that any of the accounts were compromised.
Police: Men stole more than $65,000 from ATM: Warwick police arrested 2 suspects April 4 who allegedly skimmed more than $65,000 from a Greenwood Credit Union ATM in March affecting more than 125 credit union customers. Authorities believe that the pair may have skimmed other East Coast ATMs.
Boise police see flurry of credit card and retail fraud cases: Boise police reported April 3 that 7 suspects from 4 different traveling credit fraud groups were arrested beginning March 27. Investigators recovered over $33,000 in illegally obtained merchandise and approximately 156 fraudulent credit cards after retail employees reported suspicious activity to authorities.
Google certificate expires, email clients return security warnings: An expired intermediate certificate signed by Google Internet Authority G2 for simple mail transport protocol (SMTP) in Google’s Gmail resulted in users receiving error messages on outgoing email activity for over 2 hours April 4. The company renewed the certificate through December 2015.
Flaw in Schneider Electric VAMPSET software allows arbitrary code execution: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an advisory stating that Schneider Electric’s VAMPSET software is vulnerable to stack-based and heap-based buffer overflow attacks that can be exploited to execute arbitrary code via malformed VAMPSET disturbance recording files on the affected systems. The company released an update fixing the issue and advised organizations that use the software to leverage User Account Control (UAC) features and employ best security practices.
WordPress, Joomla sites infected with malicious Flash file: Security researchers at Sucuri discovered that several hundred Web sites running WordPress or Joomla content management systems (CMS) have been attacked since November 2014 with malicious one-pixel-large small web format (SWF) files containing hidden iframe code that directs users to Web sites hosting malware such as exploit kits.
New MS Word exploit kit adds statistics tool to track success of the campaign: Security researchers at FireEye discovered a Web-based tool called MWISTAT released in December 2014 that allows cybercriminals using the Microsoft Word Intruder (MWI) exploit kit to track details about rigged Microsoft Word documents including Internet Protocol (IP) addresses and user-agents of victims, payloads requested and served, and the version of Microsoft Word used to open the file. The malware has reportedly affected over 1400 users worldwide in 2 separate spam campaigns.
Auto loan company founders accused of $11M fraud: The two founders of now-defunct Iofin Inc., in Rockland were charged with mail fraud, wire fraud, and conspiracy April 2 for allegedly defrauding investors out of over $11 million by luring them to roll their retirement plans into investment accounts to fund company operations from 1998 – 2011, despite lacking government approval to oversee retirement funds. Almost all of the investors’ funds were lost when the company went bankrupt.
Four charged in international Uganda-based cyber counterfeiting scheme: Four suspects were indicted April 2 on charges relating to their roles in a Uganda-based international conspiracy in which they allegedly manufactured, advertised, bought, and sold over $1.4 million in counterfeit U.S. Federal Reserve Notes worldwide via “dark Web” criminal online forums that they created from 2013 – 2014.
Mozilla revokes trust for CNNIC certificates: A spokesperson at Mozilla announced that the company will no longer allow its products to recognize digital certificates issued by the China Internet Network Information Center (CNNIC), following an incident during the week of March 23 in which an intermediate certificate authority (CA) operating under CNNIC issued a number of unauthorized digital certificates for Google domains. The company will also ask CNNIC to provide a list of current valid certificates to make public.
DoS vulnerabilities patched in Cisco Unity Connection: Cisco patched several vulnerabilities in its Unity Connection in which attackers could have caused denial-of-service (DoS) conditions on systems configured with Session Initiation Protocol (SIP) trunk integration by exploiting flaws in the Connection Conversation Manager (CuCsMgr), a flaw in the handling of abnormally terminated SIP conversations, and a resource allocation flaw that can allow attackers to block all SIP connection lines.
IBM uncovers new, sophisticated bank transfer cyber scam: Security researchers at IBM discovered a sophisticated fraud scheme dubbed “The Dyre Wolf” in which cybercriminals infect users’ systems with the Dyre malware to trick individuals into initiating large wire transfers with criminals posing as bank employees over the phone, before moving the funds from bank to bank and using denial-of-service (DoS) attacks to avoid detection. The scheme has caused losses of over $1 million from multiple large- and medium-sized companies in the U.S.
Fourth member of international computer hacking ring pleads guilty to hacking and intellectual property theft conspiracy: An Indiana man pleaded guilty to charges surrounding his role in an international hacking ring that gained unauthorized access to computer networks of companies including Microsoft Corp., Epic Games Inc., Valve Corporation and Zombie Studios, and stole unreleased software, source code, trade secrets, copyrighted works and financial and other sensitive information. The hacker admitted to transmitting approximately 11,266 log-in credentials from one company, and total losses from the scheme were estimated to range from $100 – $200 million.
Broward man committed securities fraud linked to Ponzi scheme, jury finds: A Broward man was found guilty of securities fraud April 1 for his role in a scheme in which he raised more than $157 million from at least 150 investors through 2 private investment funds, and purchased non-existent legal settlements from a Fort Lauderdale attorney who was convicted of running a $1.4 billion Ponzi scheme.
‘Black Cap Bandit’ sought in 5 bank robberies, FBI says: The FBI is offering a reward for information leading to the capture of a suspect dubbed the Black Cap Bandit who is believed to be connected to 5 robberies at TCF Bank and Standard Bank branches in the Chicago area from September – December 2014.
N.Y. lawyer charged for alleged role in scheme over Maxim magazine: A former New York lawyer at Bryan Cave LLP was charged April 1 for his alleged role in a conspiracy with a former United Parcel Service Inc. executive’s son that defrauded investors out of more than $8 million and attempted to secure another $20 million to finance the purchase of Maxim magazine by making misrepresentations to various lenders. The former executive’s son pleaded guilty to related charges in November 2014.
Customs: $730K in fake checks, money orders smuggled into JFK: U.S. Customs and Border Protection officers at New York’s John F. Kennedy International Airport seized 516 counterfeit bank and money orders totaling $732,585 in a shipment from the Ivory Coast over the weekend of March 28. The officers deemed the documents fake after noticing that they lacked the necessary security features found in legitimate monetary instruments.
Google decides to stop trusting CNNIC certificates: Google security engineers announced that the company would no longer allow its Chrome Web browser to recognize digital certificates issued by the China Internet Network Information Center (CNNIC), following an incident during the week of March 23 in which an intermediate certificate authority (CA) operating under CNNIC issued a number of unauthorized digital certificates for Google domains.
Researchers spot 64-bit version of NewPosThings Trojan: Security researchers at Trend Micro identified a new 64-bit version of the NewPosThings point-of-sale (PoS) malware that infects systems by collecting passwords for virtual network computing (VNC) software and disabling operating system security warnings for certain file extensions, and collects user inputs and payment card information via memory scraping. Experts discovered command and control (C&C) servers used by the trojan associated with Internet Protocol (IP) addresses at two U.S. airports.
Swiss asset manager pleads guilty in U.S. over tax dodge scheme: A Swiss asset manager from an unidentified firm pleaded guilty March 31 to conspiring to defraud the U.S. and the Internal Revenue Service in a scheme in which he and a Zurich-based lawyer who pleaded guilty in 2013 helped U.S. clients hide millions of dollars in offshore accounts in at least 5 Swiss banks and established accounts under the names of Liechtenstein-based sham foundations that they had created.
WordPress sites compromised to redirect to Pirate Bay clone, exploit kit: Security researchers at Malwarebytes identified a malware campaign that uses an unknown number of compromised WordPress Web sites containing iframes that direct users to a site hosting the Nuclear exploit kit, which leverages an Adobe Flash Player vulnerability in versions before 18.104.22.1687 to download a banking trojan.
Firefox 37 fixes critical flaws, adds OneCRL certificate revocation mechanism: Mozilla released an update for its Firefox browser that addresses several critical vulnerabilities, including two type confusion flaws, two memory corruption crashes, a use-after-free error, and memory safety hazards that could have allowed attackers to run arbitrary code on users’ systems. Firefox version 37 also includes OneCRL, a feature that allows Mozilla to update the list of revoked certificates without pushing a new application update.
Google bans 192 bad extensions affecting 14 million Chrome users: Google removed 192 extensions from its Web store that contained ad injectors that exposed up to 14 million users to risks of man-in-the-middle (MitM) attacks and links to install dangerous software, after researchers at the University of California, Berkeley devised a method to root out potentially malicious extensions. Findings from a recent Google study confirmed that 5 percent of all visitors to Google sites have ad injectors present on their systems, and that 34 percent of Chrome extensions that contained ad injectors were classified as malware.
AmEx Black Card members are more likely targets for fraud: Forter released results of a year-long study of hundreds of thousands of transactions worldwide March 30, in which they found that holders of American Express Co.’s Centurion Card are nearly twice as likely to be targets of credit card fraud as other basic credit card holders, due to their higher perceived market value.
Anonymous proxies used for “Shotgun DDoS” attacks: Security researchers at Incapsula released findings from a one-month study revealing that 20 percent of all Layer 7 application-layer distributed denial-of-service (DDoS) attacks from January – February were “Shotgun DDoS” attacks carried out through anonymous proxies to bypass mitigation systems by spreading across multiple Internet Protocol (IP) addresses and multiple geo-locations. Approximately 45 percent of the incidents originated from addresses in the Tor anonymity network and 60 percent of them employed Tor’s Hammer denial-of-service (DoS) tool, which carries out low-and-slow HTTP POST attacks.
Trojan Laziok used for reconnaissance in the energy sector: Security researchers from Symantec identified new information-stealing malware, dubbed Laziok, that was observed targeting users in the petroleum, gas, and helium industries worldwide. It is delivered via a malicious Microsoft Excel file that exploits a buffer overflow vulnerability allowing remote code execution, and downloads custom variants of Cyberat and Zbot malware from servers in the U.S., United Kingdom, and Bulgaria.
Lebanese cyberespionage campaign hits defense, telecom, media firms worldwide: Security researchers at Check Point Software Technologies discovered that a cyberespionage group has hacked into hundreds of defense contractor, telecommunications operator, media group, and educational organization networks from at least 10 countries in ongoing attacks that began in late 2012. The attackers detect vulnerabilities and use Web shells to compromise affected servers, including a sophisticated custom-made trojan on servers running Microsoft’s IIS software called Explosive that can infect servers and systems on networks and can spread via USB mass storage devices.
eBay fixes file upload and path disclosure bugs: eBay addressed two security vulnerabilities on its Web site that allowed attackers to upload malicious files, including executables, disguised as images that could be used in drive-by download attacks by leveraging poor header checks and eBay server return messages that disclosed exact file paths.
SEC announces fraud charges against investment adviser accused of concealing poor performance of fund assets from investors: The U.S. Securities and Exchange Commission charged an investment adviser and her New York-based Patriarch Partners firms with fraud March 30, for allegedly hiding the poor performance of loan assets in 3 collateralized loan obligation funds and collecting almost $200 million in illegitimate fees from investors.
Massive DDoS against GitHub continues: Systems engineers at GitHub reported that complex, large-scale distributed denial-of-service (DDoS) attacks against the company’s servers that started March 26 are ongoing but that all of the Web site’s services are available to users. Security researchers from Insight Labs traced the start of the attack to advertising and visitor tracking provided by the Chinese search engine Baidu.
U.S. offers $3 million reward for alleged Russian cybercriminals: The U.S. Department of State announced rewards totaling $3 million March 26 for information leading to the arrest or conviction of 2 Russian nationals believed to be key members in the Carder.su operation, in which participants created and trafficked identification documents and payment cards and perpetrated financial fraud and identity theft, causing losses of at least $50 million. Thirty members involved in the operation have been convicted and 25 remaining are fugitives or pending trial.
FINRA fines Oppenheimer $3.75M in employee fraud case: The Financial Industry Regulatory Authority issued a $3.75 million fine to Oppenheimer & Co., for failing to supervise and stop an employee from transferring $2.9 million of client funds to his own accounts or for use in excessive trades while he was under investigation for other fraud accusations, including a 2012 scheme in which he allegedly scammed a New York City Broadway show’s producers out of $20,000 after promising to raise $4.5 million from phony investors.
GitHub has been under a continuous DDoS attack in the last 24 hours: The GitHub Web site suffered a minor service outage March 26 and has been mitigating a sustained distributed denial-of-service (DDoS) attack on its servers that has lasted over 24 hours. Administrators reported that connectivity returned to normal after the attack was amplified March 27, and are continuing to monitor for any abnormalities.
GE fixes buffer overflow bug in DTM library: General Electric released a patch for a vulnerability in device type management (DTM) libraries affecting five Highway Addressable Remote Transducer (HART) digital communication devices deployed in various critical infrastructure areas, including one manufactured by MACTek. The vulnerability allows an attacker to execute arbitrary code by causing a buffer overflow in the product’s DTM and crashing the Field Device Tool (FDT) Frame Application.
DDOS attacks less frequent last year, more dangerous: San Francisco-based Black Lotus Communications released a report which found that the total number of distributed denial-of-service (DDoS) attacks declined steadily in 2014, but increased in packet size by 3.4 times in the third quarter, and average attack size by 12.1 gigabits per second (Gbps) in the fourth quarter. The report also identified an increase in complex, hybrid network and application-layer attacks.
Thousands of hijacked WordPress sites redirect users to exploit kits: Security researchers at Germany’s Computer Emergency Response Team (CERT-Bund) discovered that at least 3,000 Web sites have been compromised by a local file inclusion (LFI) vulnerability in the Slider Revolution WordPress plugin that allows attackers to take control of sites by accessing and downloading files from the affected server. Many victims are directed to exploit kit landing pages including Angler and Fiesta which can inject various ransomware, fraud malware, and trojan malware into affected systems.
PayPal to pay $7.7 million in U.S. Treasury sanctions case: PayPal agreed to pay $7.7 million March 25 to settle U.S. Department of the Treasury charges for failing to adequately screen transactions for several years, resulting in 486 violations of sanctions programs against countries including Iran, Cuba, and Sudan, as well as for a specific Turkish national on the sanctions blacklist who had been tied to proliferators of weapons of mass destruction.
U.S. jury convicts former bank exec of securities fraud: The former chief operating officer of United Commercial Bank in San Francisco was convicted March 25 of several criminal counts, including securities fraud, for allegedly concealing the falling value of collateral used to secure the bank’s loans from auditors during the 2008 financial crisis.
Ohio businessmen convicted in sports drink investment scheme: Two Ohio businessmen were convicted March 25 of charges relating to a fraud scheme in which they used their sport drink company, Imperial Integrated Health Research and Development LLC, to defraud investors out of about $9 million and diverted investors’ funds for their personal use. The wife of one of the businessmen was also convicted on several charges which included filing a false income tax return and structuring financial transactions to evade currency reporting requirements.
Microsoft revokes rogue digital certificate for Google and other web domains: Microsoft updated its Certificate Trust List (CTL) for Windows operating systems and pushed automatic updates to revoke a certificate fraudulently issued by Egypt-based MCS Holdings. The fraudulent certificates affected several Google and other domains, and left Windows users vulnerable to Web content spoofing, phishing, and man-in-the-middle (MitM) attacks.
Apple customers lured to disclose Apple ID and card data: Security analysts at Bitdefender discovered a phishing scheme in which Apple device users are being targeted with emails that link to a hoax site requesting Apple ID credentials, personal information, payment card information, and a 3D Secure password. After users fill out the form, they are notified of a bogus two-factor authentication (2FA) process and are given an option to change their password.
Cisco fixes DoS vulnerabilities in IOS software: Cisco Systems released security updates patching 16 vulnerabilities in IOS and IOS XE software components including Autonomic Network Infrastructure (ANI), Common Industrial Protocol (CIP), multicast Domain Name System (mDNS), Transmission Control Protocol (TCP), Virtual Routing and Forwarding (VRF), and Internet Key Exchange version 2 (IKEv2). The vulnerabilities allowed remote, unauthenticated attackers to trigger denial-of-service (DoS) conditions on targeted systems.
Default setting in Windows 7, 8.1 could allow privilege escalation, sandbox escape: A Google Project Zero researcher identified certain default authentication settings in Microsoft’s Windows versions 7 and 8.1 that could allow attackers to use cross-protocol NT LAN Manager (NTLM) reflection to attack a local Server Message Block (SMB) server and leverage Web Distributed Authoring and Versioning (WebDAV) to elevate privileges or escape application sandboxes. Microsoft urged users to implement Extended Protection for Authentication (EPA) to mitigate the vulnerability.
Alleged hacker brought to N.J. on charges of large-scale identity theft: A Romanian national was extradited to the U.S. March 20 to face charges that he allegedly oversaw a large-scale computer hacking scheme in which he breached computer systems of retailers, medical offices, security companies, and individuals’ online accounts to obtain several thousand user names, passwords, and payment card numbers from 2011 – 2014, including 10,000 credit and debit cards from one victim alone.
Over 15,000 vulnerabilities detected in 2014: Secunia: Secunia released its annual vulnerability review and found that 15,435 vulnerabilities across 3,870 applications from 500 vendors were discovered in 2014, 11 percent of which were considered highly critical while 0.3 percent were rated extremely critical. The report also states that over 60 percent of attacks occurred through remote networks, making it the most common attack vector, among other trends.
Half of all Android devices vulnerable to installer hijacking attacks: Security researchers at Palo Alto Networks discovered that a critical Android vulnerability discovered over a year ago and dubbed “Android Installer Hijacking”, can allow attackers to completely compromise devices by changing or replacing seemingly legitimate applications with malware during installation without users’ knowledge. The flaw affects all devices running Android versions 4.2 and earlier, and some running version 4.3.
Yebot backdoor built for wide range of malicious operations: Security researchers from Dr.Web discovered that a backdoor trojan dubbed Yebot can run File Transfer Protocol (FTP) and Socket Secure (SOCKS) 5 proxy servers, gain remote access to systems through Remote Desktop Protocol (RDP), capture keystrokes and screenshots, intercept system functions, change the code of running processes, search for private keys, and intercept all features associated with Web browsing. The trojan infects computers by injecting code into four Microsoft Windows processes before downloading and decrypting its contents and running in memory.
Leaked full version of NanoCore RAT used to target energy companies: Security researchers at Symantec found that, since January 2014, approximately 40 percent of systems infected by the widely available NanoCore remote access trojan (RAT) were in the U.S. The malware is delivered by a malicious Rich Text Format (RTF) or Microsoft Word file that exploits an old vulnerability in the Windows Common Controls ActiveX component, and cybercriminals have been employing it in targeted attacks on energy companies in Asia and the Middle East since March 6.
Over 22.5 million PUAs detected last month by antivirus vendor: Germany-based Avira reported that the company’s antivirus software detected over 22.5 million potentially unwanted applications (PUAs) and highlighted five as the most prevalent in February that could inject malicious code, request sensitive information from users, or extract information without their consent.
Kreditech investigates insider breach: Germany-based Kreditech is working with authorities to investigate an isolated internal security incident in November 2014 in which an apparent insider breached its systems and took information from credit applicants. The company stated that no customer data was breached in the event, which originated from a form on its official Web site that stored data in a caching system that deleted data every few days.
Phishers leverage .gov domain loophole to bypass email validation: Security researchers at Trend Micro discovered that cybercriminals responsible for a March 4 – 11 phishing attack that sent over 430,000 emails targeting American Express customers maximized the attack’s effectiveness by exploiting a loophole in the way DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) email verification systems handle messages from .gov top-level domains (TLDs).
Jailbroken iPhones unlocked with software brute-force tool in 14 hours, tops: An iOS jailbreaker published a software library under the GNU General Public License called TransLock, that unlocks iOS devices in 14 hours or less via brute-force by injecting itself into the app that manages the device’s home screen and setting return values in the “SBFDeviceLockController” class to “No”, allowing unlimited attempts and the ability to try a new PIN every five seconds. The tool only requires that the device be connected via USB.
Unauthorized certificates issued for several Google domains: Security engineers at Google reported that an intermediate certificate authority operated by Egypt-based MCS Holdings caused certificates for several Google domains, trusted by most operating systems (OS) and Web browsers, to be issued without authorization, leaving users vulnerable to impersonation and decryption of secure communications via man-in-the-middle (MitM) attacks. Users of Google Chrome and Mozilla Firefox versions starting with 33 are unaffected by the issue.
Air-gapped computers can communicate through heat: Researchers at Israel’s Ben Gurion University demonstrated that it was possible to establish a bidirectional communication channel, dubbed BitWhisper, between two unconnected computers using heat and radio signals emitted from components such as the central processing unit (CPU) and graphics processing unit (GPU), allowing an attacker to use malware installed on each system to exfiltrate data from an air-gapped computer.
Flash Player vulnerable to bug patched in 2011: Security researchers from Minded Security and LinkedIn’s security division discovered that the latest versions of Adobe’s Flash Player Web browser plug-in are vulnerable to a same-origin policy (SOP) bypass flaw in the company’s Flex SDK compiler that was patched in 2011, which could allow attackers to steal victims’ data via Same-Origin Request Forgery or perform actions on behalf of victims via Cross-Site Request Forgery (CSRF) by asking them to visit a malicious Web page.
Twitch security breached, mandatory password reset in effect for all: The Twitch streaming service instituted mandatory password resets, disconnected all accounts from Twitter and YouTube, and emailed affected users after the company detected unauthorized access that could have compromised users’ information including dates of birth, time and Internet Protocol (IP) address of last login, and limited information associated with credit cards.
DDoS attackers distracting security teams with shorter attacks: Corero Networks: Corero Network Security reported in its quarterly trends and analysis report that 96 percent of distributed denial-of-service (DDoS) attacks against its customers in the fourth quarter of 2014 were less than 30 minutes in length and 79 percent used less than 5 gigabits per second (Gbps) of peak bandwidth, indicating that attacks were becoming more difficult to detect and were likely intended to partially saturate networks and distract security teams while leaving enough bandwidth for subsequent attacks to infiltrate networks and access sensitive information.
Dridex banking malware dodges detection with run-on-close macros: Security researchers at Proofpoint discovered that the Dridex banking malware is using run-on-close macros in infected Microsoft Office documents to avoid detection by malware sandboxes and antivirus software. The Dridex malware was previously linked to attacks targeting banking customers in the U.S., Canada, and the U.K.
New point-of-sale malware PoSeidon exfiltrates card data to Russian domains: Security researchers from Cisco Systems’ Talos Security Intelligence and Research Group discovered that cybercriminals are using a new point-of-sale (PoS) malware family dubbed PoSeidon that infects systems via a binary file and uses a memory scraping technique to retrieve and clone Discover, American Express, MasterCard, and Visa card information before delivering it to command and control (C&C) servers in Russia. The malware contains routines to ensure persistence regardless of restart or user log-off.
Cisco Small Business IP phones vulnerable to eavesdropping: Cisco Systems confirmed that its Small Business SPA 300 and 500 series IP phones with firmware version 7.5.5 or older contain flaws in authentication settings that could allow attackers to listen in on phone audio streams or make calls remotely by sending crafted Extensible Markup Language (XML) requests to the affected device. The company is reportedly working on a patch to address the vulnerability.
Fake patient data could have been uploaded through SAP medical app: SAP fixed two issues in the Electronic Medical Records (EMR) Unwired app that could have allowed attackers to potentially leverage an SQL injection flaw and configuration file vulnerability to access the embedded database and change medical records stored on the server.
BNY Mellon to pay $714M to settle currency suits: The Bank of New York Mellon (BNY) agreed March 19 to a $714 million settlement with the U.S. Department of Justice, the State of New York, the U.S. Securities and Exchange Commission, the U.S. Department of Labor, and private investors to resolve allegations that the bank had misrepresented pricing to its clients in foreign exchange markets for years by claiming to provide them with the best rates while giving them the worst margin prices instead. The bank’s own rates became more favorable and profitable from the difference between the higher rates assigned to customers and their own foreign exchange trade rates.
Woman charged in string of bank robberies: Authorities arrested a woman in Hartford March 19 after she escaped from prison and allegedly robbed 5 banks in Wallingford, East Hartford, Wethersfield, Vernon, and Cromwell during a 2-week period in February. Authorities were able to link her to the crimes after she left behind a pair of gloves and a bag of stolen cash.
Zero-days for Firefox, IE 11, Adobe’s Flash and Reader exploited at Pwn2Own 2015: Security researchers leveraged multiple zero-day vulnerabilities to exploit 13 undisclosed bugs in Adobe’s Flash and Reader, Mozilla’s Firefox, and Microsoft’s Internet Explorer 11 to take control of compromised systems at Hewlett Packard and Google Project Zero’s Pwn2Own hacking competition, through various methods which included heap overflow remote code execution, a cross-origin vulnerability, and a use-after-free (UAF) remote code execution, among others.
OpenSSL’s undisclosed high-severity issue is far from FREAK, POODLE, or Heartbleed: OpenSSL released an update for its cryptographic library addressing one high severity denial-of-service (DoS) vulnerability affecting version 1.0.2 that could allow a NULL pointer dereference to occur. The update also addressed a number of other moderate vulnerabilities affecting several OpenSSL versions including segmentation faults and an issue with processing Base64 encoded data.
At least 700,000 routers given to customers by ISPs are vulnerable to hacking: A security researcher discovered that over 700,000 ADSL routers, mostly running firmware from the China-based Shenzhen Gongjin Electronics, doing business under the T&W trademark, and distributed to customers by internet service providers (ISPs) worldwide, contain directory traversal flaws in their firmware that could allow attackers to extract sensitive data and change router configuration settings. The researcher notified the firmware developer, affected device vendors, and the U.S. Computer Emergency Readiness Team (US-CERT).
Suspicious package found near Killeen banks: A USAA Financial Center and Broadway Bank in Killeen were closed March 18 while authorities investigated a vehicle in the financial center’s parking lot that contained a suspicious package. Police detained the driver, and the contents of the package were deemed to be “not mechanical” while the incident remains under investigation.
Ransomware uses GnuPG encryption program to lock down files: Researchers from Bleeping Computer and Emsisoft discovered that cybercriminals are using open source GNU Privacy Guard (GnuPG) code and Visual Basic Scripting Edition (VBS) to power VaultCrypt ransomware, which uses a 1024-bit RSA key pair to encrypt information and Microsoft’s SDelete utility to securely remove data used in the process. The ransomware sends user log-in credentials for Web sites to a command and control (C&C) server hidden in the Tor anonymity network.
Repackaged Android apps filling third-party stores: Security researchers at Trend Micro discovered an increase in the number of Android apps that are either localized or repackaged with malware being released for free on unofficial app stores, including spyware that can intercept payment notices or collect the user’s phone model, location, and list of installed apps.
Thief dubbed ‘Longhorn Bandit’ robs Westerra Credit Union in Arvada, police say: Authorities are searching for a suspect dubbed the “Longhorn Bandit”, who allegedly robbed a Westerra Credit Union branch in Arvada March 17 and is believed to be linked to 5 other bank robberies in the area.
Apple fixes WebKit vulnerabilities with release of Safari 8.0.4: Apple released Safari versions 8.0.4, 7.1.4, and 6.2.4, which address a total of 16 memory corruption issues identified in WebKit by Apple’s own security team and the Google Chrome Security Team, and also fix a user interface inconsistency.
Johnson Controls, XZERES, Honeywell patch vulnerable products: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced that Johnson Controls, Honeywell, and XZERES released patches addressing vulnerabilities in their products which can be exploited by an attacker to gain administrative access and compromise affected systems through a cross-site request forgery (CSRF) flaw, an unrestricted file upload vulnerability, or a path traversal vulnerability.
Almost 2,000 popular Android and iOS apps are vulnerable to FREAK attack: FireEye researchers discovered that 1,999 popular Android and Apple iOS apps used for photo and video, financial, lifestyle, social networking, communication, or shopping are susceptible to the Factoring RSA Export Keys (FREAK) attack, which weakens encryption due to a vulnerable build of the OpenSSL cryptographic library. The apps all handle sensitive information including data related to online banking, account log-in credentials, or medical information.
Windows Live SSL certificate issued to unauthorized third party: Microsoft released an advisory warning of a fraudulent certificate for the Finnish Windows Live domain, issued by the Certificate Authority (CA) Comodo following an unauthorized request from a privileged email account, which could be used by hackers to spoof Microsoft Web content and carry out man-in-the-middle (MitM) and phishing attacks. The certificate affects systems running certain Windows and Windows Server versions, as well as Windows Phone 8 and Windows Phone 8.1. A standalone updater is available for the revoked certificate.
Three defendants plead guilty in Bakersfield mortgage fraud scheme: Three Bakersfield residents pleaded guilty March 16 to charges related to a $5.6 million mortgage fraud scheme in which the defendants allegedly conspired with others to use straw buyers and fraudulent loan applications to purchase properties developed by Jara Brother Investments and Pershing Partners LLC from 2007-2010. Four co-conspirators previously pleaded guilty in connection with the scheme, and two others were indicted in the case.
Three individuals charged with defrauding banks and USDA export financing program: The U.S. District Attorney for Connecticut announced March 16 that three suspects were charged for their roles in a multimillion dollar fraud scheme in which they allegedly used altered documents and a U.S. Department of Agriculture export financing program to secure loans from U.S. financial institutions, and then transferred the funds to foreign banks in Russia for a commission. The foreign banks defaulted on over $10 million worth of loans from 2007-2012.
D-Link patches against critical remote command and code execution flaws: D-Link released firmware updates patching two critical vulnerabilities that allowed attackers to intercept network traffic and execute commands on vulnerable devices, and to carry out cross-site request forgery (CSRF) attacks to create, modify, or delete data and execute code.
OpenSSL mystery patches due for release Thursday: The OpenSSL Project Team released an advisory stating that several undisclosed security vulnerabilities in the open-source encryption software, which implements the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols, will be patched March 19 in versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf.
BlackBerry begins slow rollout for FREAK security flaw, most devices still at risk: BlackBerry confirmed that all versions of newer BlackBerry 10 and older 7.1 devices, along with BlackBerry Enterprise Service 12 and earlier, as well as the BlackBerry Messenger app on Android, iPhones, Windows phones, and iPads, are all vulnerable to Factoring RSA-EXPORT Key (FREAK) attacks that intercept encrypted traffic and force weaker encryption. BlackBerry is working to mitigate the vulnerability.
Commerzbank AG admits to sanctions and bank secrecy violations, agrees to forfeit $563 million and pay $79 million fine: Frankfurt, Germany-based Commerzbank AG and its U.S. branch, Commerz New York, entered into a deferred prosecution agreement March 12 with federal authorities and agreed to pay a total of $1.45 billion in penalties and forfeitures related to violations of the International Emergency Economic Powers Act and the Bank Secrecy Act. The bank moved and concealed $263 million on behalf of Iranian and Sudanese entities and allowed Japan-based Olympus to commit a multibillion dollar securities fraud scheme by failing to maintain adequate policies, practices, and procedures to ensure compliance with U.S. law.
Brute force box lets researchers, cops pop iDevice locks: A security researcher from MDSec discovered that the IP-Box tool exploits a vulnerability in iPhones and iPads running iOS versions 8.1 and older that allows unlimited guesses of four-digit personal identification numbers (PINs), letting attackers bypass rate-limiters and the settings that take effect after a set number of failed attempts in order to gain access to personal data.
WPML WordPress plugin vulnerabilities expose 400,000 websites: WPML developers released an update to address security flaws in its WordPress premium multilingual plugin, including a vulnerability that allows an attacker to leverage an SQL injection exploit to read the contents of affected sites’ databases, including password hashes and other user details, and another that allows the removal of content from Web sites due to a lack of access control in the “menu sync” functionality. More than 400,000 commercial Web sites utilize the plugin.
Over 5.3 million Upatre infections detected in the US since January: Security researchers at Microsoft’s Malware Protection Center discovered that the U.S. has recorded the largest number of Upatre malware infections in the world at 5,326,970 since January, 7 times more than the next country. Upatre is usually delivered through malicious emails and via botnets, and is used by cybercriminals as a distribution platform for other malware.
Fake IRS agents target 366,000 in massive tax scam: An official at the U.S. Department of the Treasury announced March 12 that over 3,000 victims have lost $15.5 million in a tax scam targeting over 366,000 people nationwide, in which scammers purporting to be Internal Revenue Service agents call taxpayers claiming that they owe taxes and must pay or risk arrest, deportation, or the loss of a business or driver’s license. Two individuals in Florida have been arrested in connection with the scheme.
Google leaks Whois data for over 282,000 protected domains: Cisco Systems’ Talos researchers reported to Google that private information such as names, physical and email addresses, and phone numbers belonging to the owners of 282,867 domains registered through Google Apps’ registrar, eNom, was leaked for nearly two years due to a software defect that did not extend the company’s unlisted registration service, potentially exposing the owners to spam, spear-phishing attacks, or identity theft.
TeslaCrypt ransomware encrypts files of over 20 games: Security researchers at Bromium discovered that crypto-ransomware dubbed TeslaCrypt targets a total of 185 file extensions, including those used by over 20 popular games, and is delivered through drive-by attacks using Adobe Flash Player and Internet Explorer exploits dropped by the Angler exploit kit. The malware apparently attempts to pass as the more infamous CryptoLocker, but researchers stated that the two variants share only 8 percent similarity.
Adobe fixes critical Flash Player vulnerabilities: Adobe released security updates patching 11 critical flaws, including memory corruption vulnerabilities and type confusions that attackers could leverage for remote code execution to take control of affected systems.
Google fixes privilege escalation vulnerabilities in Android 5.1 Lollipop: Google released fixes in Android 5.1 Lollipop for two serious vulnerabilities in previous versions that could have allowed attackers to use integer overflows leading to heap memory corruptions to gain elevated privileges or cause denial-of-service (DoS) attacks on targeted systems.
Forget viruses: Evil USB drive ‘fries laptops with a power surge’: A Russian security researcher revealed, via a foreign Web site, a modified USB stick that uses an inverted direct current to direct current (DC-DC) converter and some capacitors and could potentially overload and damage a PC’s sensitive inner electronics, causing the computer to malfunction.
RBS trader admits defrauding customers in multimillion dollar securities fraud scheme: A former trader at Royal Bank of Scotland Securities Inc. (RBS) pleaded guilty March 11 to his role in a securities fraud scheme in which he and co-conspirators defrauded at least 20 victim firms out of millions of dollars by misrepresenting collateralized loan obligation bond prices to buyers and sellers to increase RBS’ profits, often creating fictitious third-party sellers that enabled RBS to collect extra commissions on sales. Some of the victimized firms were affiliated with recipients of federal bailout funds through the Troubled Asset Relief Program.
2,400 unsafe mobile apps found in average large enterprise: Veracode researchers analyzed hundreds of thousands of mobile applications installed in corporate environments across multiple industries and found that the average global enterprise has approximately 2,400 unsafe applications in its mobile environment, including apps that expose sensitive data, perform suspicious security actions, or retrieve or share personal information about users.
Cyber crooks take advantage of ad bidding networks to deliver ransomware: Security researchers at FireEye discovered that malware distributors are leveraging Real Time Bidding networks that are either compromised or controlled entirely by attackers to deliver Cryptowall and other ransomware variants and gain information about victims’ geographic locations, operating systems (OS), and browsers. The malvertising campaign has been active since February 4.
Self-deleting malware targets home routers to gather information: Trend Micro researchers identified malware called VICEPASS that infects users’ systems via a fake Adobe Flash update, connects to their home routers using a predefined list of usernames and passwords, and attempts to spread to every device on their networks before sending information to a command-and-control (C&C) server and deleting itself. The researchers believe that the malware could be a reconnaissance tool for larger campaigns.
Apple’s iTunes, App Store reopen after long outage: Apple restored service to its iTunes, App Store, Mac App Store, and iBooks store March 11 after an internal domain name system (DNS) error brought the services down globally for approximately 12 hours.
Dropbox Android SDK flaw exposes mobile users to attack: IBM: Researchers at IBM Security discovered a flaw, dubbed DroppedIn, in the Dropbox Android software development kit (SDK) that could have enabled attackers to connect mobile apps using the kit to a Dropbox account they control, and to transfer sensitive information out of or inject malicious data into those apps. Dropbox released a fix for the vulnerability that was distributed to the other apps that use the same SDK.
Intel Security launches new critical infrastructure security platform: Intel Security announced the Intel Security Critical Infrastructure Protection (CIP) platform, developed in a joint project with Wind River, designed to protect new and legacy infrastructure within electric power grids by separating the platform’s security management functions from operational applications, enhancing device identity, malware protection, data protection, and resiliency. The company stated that CIP can be leveraged across multiple industries and uses.
Key player in $5M ATM bank card scheme found guilty: A Chicago man was convicted March 10 for his role in an ATM bank card skimming scheme in which he and up to 16 other suspects installed card-reading devices and pinhole cameras on ATMs in New Jersey and elsewhere, and created thousands of phony ATM cards that they used to withdraw more than $5 million from customer bank accounts.
Shortcut parsing glitch used by Equation group re-patched by Microsoft: Microsoft fixed a shortcut parsing vulnerability in Windows that Kaspersky Labs researchers discovered had been in use since 2008 in large-scale cyber-espionage activities involving the Equation group and the Fanny worm. Microsoft corrected how Windows handles dynamic link library (DLL) files to patch the vulnerability, which allowed attackers to infect systems by creating malformed shortcut files (LNK) that caused a malicious DLL to load and execute automatically when the shortcut was opened.
Malware uses Windows product IDs to mix mutex: A security researcher at SANS discovered a new trojan dubbed “TreasureHunter” that uses Windows’ unique product identification numbers to create dynamic mutex values to avoid detection by anti-malware software and researchers.
Redmond’s Patch Tuesday to kill off the Windows FREAK show: Microsoft issued 14 security bulletins patching 44 security vulnerabilities, including a critical patch for Windows and Windows Server versions running Secure Channel components vulnerable to the Factoring RSA-Export Keys (FREAK) attack.
Apple fixes FREAK vulnerability in Secure Transport: Apple released a patch for its iOS and OS X devices to address the Factoring RSA-Export Keys (FREAK) attack vulnerability affecting Secure Transport on Safari by removing support for ephemeral RSA keys.
Former Kearny councilman pleads guilty in $13M mortgage fraud scheme: A former Kearny, New Jersey councilman pleaded guilty March 9 to his role in a $13 million mortgage fraud scheme in which he and co-conspirators recruited straw buyers from 2006-2011 to purchase condominiums and created $4.7 million worth of mortgages based on false and fraudulent loan applications and closing documents.
Six charged in loan modification scheme: Six suspects were charged in Salt Lake City March 5 for their supposed roles in a loan modification scheme that defrauded over 10,000 individuals nationwide out of more than $33 million. Authorities allege the suspects created CC Brown Law LLC in 2009 to execute a largely telemarketing-based scheme to sell fake home loan modification services to distressed homeowners, and then kept the customers’ money without performing the services.
Exploit code published for Elasticsearch remote code execution flaw: Security researchers at Xiphos Research created an exploit for a glitch in Elasticsearch versions earlier than 1.3.8 and 1.4.3 that allows server-side code execution by passing Groovy code in a search query and executing it in the sandbox. The glitch was patched in updates released February 11.
Yahoo patches critical eCommerce, small business vulnerabilities: Yahoo recently patched vulnerabilities discovered by security researchers that could have allowed attackers to gain complete access to any user-run eCommerce Web site hosted on Yahoo’s eCommerce platform, Yahoo Small Business, including all site administration privileges, access to personally identifiable information, and control over prices of items in any Yahoo store.
Row Hammer DRAM bug exploited, unlocks access to physical memory: Security researchers from Google’s Project Zero leveraged a known vulnerability, dubbed Row Hammer, in some dynamic random-access memory (DRAM) chips to build two exploits: one that runs as a Native Client program and escalates privilege to call host system SYSCALLs directly, and another that runs as a normal process on Linux and escalates privilege to gain access to data in the entire physical memory.
FBI investigates possible ISIS supporters’ hack of Western sites: The FBI is investigating after hackers claiming to be affiliated with the Islamic State of Iraq and Syria (ISIS) placed black flags attributed to the group, the words “hacked by ISIS, we are everywhere,” an invalid Facebook address, and an Adobe Flash audio plugin that played a song in Arabic on several U.S. Web sites over the weekend of March 7. Some of the businesses targeted during the attack include a speedway in Ohio, a Goodwill store and a digital agency in Missouri, a historic condominium complex in New York, a zoo in California, and restaurants in Minnesota, Massachusetts, and Ohio.
Wig-wearing bandit robbed bank of more than $100G: Authorities arrested and charged a White Plains, New York woman March 5 for allegedly using a paintball gun to rob a Glen Rock Savings Bank branch in Glen Rock, New Jersey, of more than $100,000.
Email spoofing flaw found in Google Admin console: Security researchers identified a security flaw in the Google Apps Admin console that could have been exploited to gain temporary ownership of any previously unclaimed domain and used to send malicious emails that would not be flagged as suspicious because they came from trusted servers. Google has addressed the vulnerability.
Two arrested in the largest data breach in the US: Two men were arrested for their roles in what authorities are calling the largest data breach in U.S. history, in which the suspects allegedly made millions of dollars between 2009 and 2012 by stealing over 1 billion email addresses from 8 U.S. email service providers and using the providers’ distribution platforms to send millions of spam emails containing links to Web sites that promoted products through affiliate marketing. Authorities continue to search for a third suspect connected to the scheme.
Couple who fled to Eastern Europe during bank fraud investigation enter guilty pleas: A King County couple that had fled to Moldova pending a 2009 indictment pleaded guilty March 5 to charges related to a mortgage fraud scheme in which they allegedly submitted 55 fraudulent construction loan packets worth $49 million to Westsound Bank, while diverting some of the funds for personal use and collecting commissions on property sales, costing the bank over $10 million in losses. One of the suspects was extradited back to the U.S. in December 2014, and the other returned in February 2015 to resolve the case.
Fake “Flash Player Pro” update delivers password-stealing Trojan: Security researchers at F-Secure discovered a new malware campaign in which users with previously compromised routers and domain name system (DNS) server settings are being targeted with fake Adobe Flash Player Pro installation notifications that contain the Fareit trojan, allowing attackers to steal passwords and download other malware onto the infected system.
SSL/TLS cipher suite downgrade affects all supported Windows versions: Microsoft released a security advisory that its Secure Channel (Schannel) used in all versions of Windows is vulnerable to Factoring RSA Export Keys (FREAK) attacks that force secure sockets layer (SSL) and transport layer security (TLS) cryptographic protocols to use a weak RSA key through a man-in-the-middle (MitM) attack, allowing hackers to decrypt HTTPS traffic. Microsoft has not yet specified a release date for patching the vulnerability.
Cryptowall makes a comeback via malicious help files: Security researchers at Bitdefender Labs discovered a new spam email campaign targeting users worldwide, in which attackers have sent hundreds of emails with Compiled HTML (.chm) files that install the Cryptowall ransomware when opened. Researchers believe the attack is targeting employees from different organizations to compromise company networks.
Angler exploit kit and domain shadowing: A deadly combination: Security researchers at Cisco Talos Group discovered that hackers have compromised several hundred domain registrant accounts, typically through phishing campaigns, and are using the thousands of unique domains those accounts control to create subdomains that redirect victims to Web pages hosting the Angler Exploit Kit, a technique dubbed Domain Shadowing. The attackers use and quickly abandon the subdomains housing the exploit kit, making detection difficult.
Banking malware targets almost 1,500 financial institutions in 86 countries: Security researchers from Symantec reported an analysis of 999 banking malware configurations that targeted 1,467 financial institutions worldwide in 2014, most of them in the U.S., where consumers were targeted by 95 percent of the trojans analyzed. The analysis also revealed that 4.1 million users’ systems had been compromised in 2014.
New POS malware uses mailslots to avoid detection: Security researchers from Morphick discovered that the new LogPOS point-of-sale (PoS) malware uses Microsoft Windows’ mailslots technology to avoid detection, inject code, and act as a client while it relays stolen payment card numbers to a command and control (C&C) server.
Strong SSL/TLS ciphers downgraded to use weak crypto key in FREAK attack: Security researchers at INRIA and Microsoft Research identified a serious vulnerability in the implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols on Apple and Android devices that can be abused through man-in-the-middle (MitM) attacks that capitalize on abandoned export policies to force the use of weak RSA keys, potentially leaving a wide range of government and other Web sites vulnerable. The researchers have dubbed the attack FREAK (Factoring RSA Export Keys), and Akamai announced that it patched the vulnerability in its cloud platform.
Google fixes 51 vulnerabilities with release of Chrome 41: Google addressed 51 security issues and added new apps, extension application programming interfaces (APIs), and stability and performance improvements in the release of Google Chrome version 41. The addressed vulnerabilities include 13 high-severity and 6 medium-severity issues discovered by external researchers.
Black hat bandits rob Wells Fargo bank in Falls Church: Authorities continue to search for the “Black Hat Bandits” after the 3-man crew allegedly robbed a Wells Fargo bank branch in Falls Church, Virginia, March 2. The suspects are believed to be connected to 7 other bank robberies across northern Virginia and Maryland since January 2, and the FBI reported that the group has become more brazen with each robbery.
SEC suspends trading in 128 dormant shell companies to put them out of reach of microcap fraudsters: The U.S. Securities and Exchange Commission (SEC) announced March 2 that it suspended trading in 128 inactive penny stock companies in 24 states and Canada to prevent fraudsters from manipulating the companies’ stock value through misinformation campaigns and dumping the stocks when investors buy in. The SEC has suspended over 800 microcap stocks since 2012 as part of its Operation Shell-Expel initiative.
Pioneer Bank customer data at risk: Pioneer Bank executives in Troy, New York, confirmed March 2 that an employee’s laptop that was stolen from an unidentified location January 26 contained secured personal and account information of an undisclosed number of customers. The bank notified local police and potentially affected customers following the theft, and continues to investigate the incident to determine if an unauthorized party accessed the information.
Armed men take $4 million in gold from armored truck in North Carolina: police: Authorities are searching for 3 armed men who allegedly stole $4 million worth of gold from a TransValue Inc. semi-truck carrying a silver and gold shipment while it was stopped due to a mechanical issue along Interstate 95 in Wilson County, North Carolina, March 1. The drivers reported that the suspects approached the broken-down semi-truck, bound the 2 armed guards, and ordered them into the woods while the men escaped with several barrels of gold.
Phishers target victims of iOS device theft: Security researchers at Malwarebytes discovered an elaborate phishing campaign that targets victims of iOS device theft by using spoofed messages and a fake iCloud log-in Web page that is available in 10 different languages to steal users’ log-in credentials, enabling the thieves to unlock the stolen devices.
Lossy image compression can hide malicious code in PDF files: Researcher: A security researcher at CSIS discovered that lossy image compressors such as DCTDecode could be used to embed malicious code in high-quality grayscale JPEG images found in PDF files.
Mass infection malware attack targets Android: AdaptiveMobile security researchers uncovered a massive new malware attack directed at Android users that uses victims’ mobile device contacts to send email, Facebook, and SMS messages with links to spoofed Amazon vouchers containing the Gazon malware. The attack has infected thousands of devices worldwide and generated over 16,000 click-throughs since it began in the U.S. February 25.
D-Link fixes router flaws following public disclosure: D-Link released a firmware update for its DIR-820L router that fixed a flaw that allowed attackers to gain root access to routers through cross-site request forgery (CSRF) attacks by tricking victims into visiting malicious Web pages, allowing unauthorized access to domain name system (DNS) configuration. The company will release updates for other vulnerable routers by March 10.
West Michigan developer indicted in $8 million real estate mortgage ‘stacking’ fraud: Authorities arrested a part owner of the GBW Development real estate firm in Michigan during the week of February 23 for allegedly conspiring with the owner of Prime Title Service to defraud banks, private lenders, and real estate title insurance companies out of $8 million by taking multiple mortgages out on a single property without lenders’ knowledge.
SEC halts Ponzi-like scheme by purported venture capital fund manager in Buffalo: The U.S. Securities and Exchange Commission charged a New York-based supposed venture capital fund manager February 27 for allegedly using his firms Archipel Capital LLC and BIM Management LP to solicit money from investors for the purchase of 230,000 pre-IPO Twitter shares, of which he purchased only 80,000, and for using 3 unrelated funds and Ponzi-like payments supported by fake documents to pay investors.
Texas brothers must pay $299 million in SEC fraud case: judge: A Texas man and his late brother’s estate were ordered to pay the U.S. Securities and Exchange Commission $299.4 million February 26 for allegedly engaging in securities fraud and earning $553 million in undisclosed profits by trading in Michaels Stores Inc., Sterling Software Inc., Scottish Annuity & Life Holdings Ltd. now known as Scottish Re Group Ltd., and Sterling Commerce Inc. using trusts in the Isle of Man.
0-day flaw in Seagate NAS devices endangers thousands: A security researcher discovered that certain firmware versions of Seagate Business Storage 2-Bay NAS devices are susceptible to an easily-exploitable zero-day remote code execution vulnerability because their Web-enabled management application runs outdated versions of the Hypertext Preprocessor (PHP), CodeIgniter, and Lighttpd that contain known security issues. The company is reportedly working on the issue.
Privilege escalation glitch found in Toshiba software: SmartNet researchers discovered a path privilege escalation vulnerability in Toshiba’s Bluetooth Stack for Windows and Service Station that could allow attackers to take control of computers by running malicious programs and to alter or delete information stored on hard disks. Toshiba released updates for its vulnerable products.
Two Kent residents indicted as part of large bank fraud ring. A 10-member bank fraud ring in Washington was indicted during the week of February 23 for allegedly using stolen checks from 7 banks to make fraudulent deposits into 219 different bank accounts, inflating the account balances, and withdrawing more than $987,000 in cash from November 2010 to the present.
Draper man indicted for 15 counts of mail fraud after allegedly misappropriating $24 million. A former American Pension Services executive was indicted in a U.S. District Court in Utah February 26 for allegedly running a scheme from 1998-2014 that defrauded over 5,000 customers out of approximately $24 million by using false and fraudulent representations, promises, and omissions of material facts to obtain the funds that were used to make personal, high-risk investments.
Apps bypass Google Play verification and spew tempest of ads. Bitdefender security researchers discovered 10 apps hosted in Google Play that use social engineering to trick users into installing ad-spewing software and relied on deceptive tactics to ensure persistence on users’ devices. None of the apps linked to Web sites hosting malware, allowing the apps to bypass Google Play quality controls.
Critical vulnerability found in Jetty web server. Security researchers from Gotham Digital Science discovered a critical vulnerability dubbed JetLeak in the Eclipse Foundation’s Jetty Web server that allows remote, unauthenticated attackers to read arbitrary data from requests previously submitted by other users to the server, including cookies, authentication tokens, anti-CSRF tokens, usernames, and passwords. The flaw was addressed February 24 with the release of Jetty version 9.2.9, and the Jetty development team reported an anticipated fix for the vulnerability in version 9.3.0, which is in beta.
It’s official – FCC enacts expansive net-neutrality rules. The Federal Communications Commission (FCC) approved sweeping net-neutrality regulations February 26 that give the government expanded power over Internet access and allow the FCC to bar Internet providers from blocking Web sites, selectively slowing down any content, or offering bandwidth increases for specific content in exchange for payment. The rules also classify the Internet as a telecommunications service under Title II of the Communications Act.
Founder accused of defrauding investors in $40M mutual fund. A Massachusetts financier was charged with securities fraud, wire fraud, aggravated identity theft, and obstruction of justice February 25 for allegedly issuing fictitious consumer loans as co-portfolio manager of GL Beyond Income Fund and diverting the fund’s assets for use on business and personal expenses.
MetLife unit to pay $123.5 million for alleged mortgage fraud. The U.S. Department of Justice announced February 25 that Met Life Home Loans LLC will pay $123.5 million to resolve accusations that the company, doing business as MetLife Bank at the time of the alleged infractions, knowingly violated the False Claims Act from September 2008 to March 2012 by originating and underwriting mortgage loans insured by the Federal Housing Administration (FHA) that did not meet underwriting requirements. MetLife was allegedly aware of the violations through its internal quality control measures and reportedly downgraded the severity ratings of its sub-standard FHA loans so they appeared to have fewer issues.
Lizard Squad hijacks Lenovo website, emails. Lizard Squad hackers hijacked the Lenovo Web site and email servers by modifying DNS records in Lenovo’s domain registrar account to point at CloudFlare IP addresses, redirecting users to defacement pages, and changed mail server records to allow the group to intercept emails sent to Lenovo email addresses. The hijacking mirrored a similar attack that targeted Google Vietnam during the week of February 23.
Los Angeles-area executive arrested in $9 million bank fraud scheme. An executive of Ontario, California-based Eastern Tools and Equipment was arrested February 24 following an October 2014 indictment for his role in a scheme to defraud United Commercial Bank and East West Bank of more than $9 million. The executive and his co-conspirators allegedly overstated Eastern Tools’ accounts receivable to increase the company’s line of credit with the banks, and then shifted money from the company’s bank accounts into about 20 shell companies before siphoning the money into their personal accounts.
Mozilla fixes 17 vulnerabilities in Firefox 36. Mozilla released version 36 of its Firefox browser closing 17 vulnerabilities and flaws, including 4 rated as critical.
New DDoS attack and tools use Google Maps plugin as proxy. PLXsert security researchers discovered that attackers are exploiting a known vulnerability in Joomla’s Google Maps plugin by spoofing the source of requests, causing the plugin to act as a proxy that sends its responses to the attackers’ distributed denial of service (DDoS) targets. Researchers identified more than 150,000 potential Joomla reflectors on the Internet, many of which remain vulnerable to being used for this type of attack.
Ramnit botnet shut down. Europol Cybercrime Centre (EC3) investigators, Microsoft, AnubisNetworks, and Symantec carried out an operation to shut down the Ramnit botnet’s 7 command and control (C&C) servers and redirected traffic from 300 domains used by the botnet. EC3 estimated that more than 3.2 million Windows computers have been infected with the botnet via spam campaigns, phishing scams, and drive-by downloads that installed malicious code to grant attackers access to banking credentials and other log-in information.
McAfee: Popular mobile apps remain vulnerable to MitM flaws found last year. Intel Security's McAfee Labs reported that almost 75 percent of the most popular mobile apps found vulnerable to man-in-the-middle (MitM) attacks remain exposed, even though the flaws were first identified in a September 2014 analysis by the Computer Emergency Response Team (CERT) at Carnegie Mellon University.
Connecticut credit union manager found wearing suspected bomb vest. On February 23, police found an Achieve Financial Credit Union executive in a car outside of the New Britain, Connecticut branch with a bomb-like device strapped to his body in an apparent scheme to rob the financial institution that was aborted after the man was allegedly abducted from his home. The suspected explosive device was removed and destroyed without incident, and officials are seeking 3 suspects in connection with the incident while working to determine if the executive was a willing participant in the alleged plot.
Older vulnerabilities a top enabler of breaches, according to report. Hewlett Packard security researchers reported that 44 percent of known breaches happened as a result of server misconfigurations and vulnerabilities discovered years ago. The report cites 33 percent of identified exploit samples from Microsoft Windows, 11 percent from Adobe Reader and Acrobat, 6 bugs in Oracle Java, and 2 flaws in Microsoft Office.
Norton update caused Internet Explorer to crash. Symantec released a new version of the Intrusion Prevention System (IPS) definition package after a corrupt file in the previous release caused the 32-bit version of Microsoft’s Internet Explorer Web browser to crash on computers running Norton Security, Norton Security with Backup, Norton 360, and Norton Internet Security.
Comodo’s PrivDog breaks HTTPS security possibly worse than Superfish. A security researcher discovered that Comodo’s PrivDog browsing privacy protection tool compromised browsing security by acting as a man-in-the-middle (MitM), intercepting and replacing all certificates with its own, causing browsers to accept every HTTPS certificate regardless of authority. The issue could affect nearly 64,000 users worldwide, and PrivDog released an update with a fix for the issue.
CSIS security group warns of fake emails using its name. CSIS security experts discovered an email campaign that spoofed the company's email address and used an employee's name to distribute a malicious attachment and deploy malware on the recipients' machines. The Denmark-based company provides security services for some of the largest global banks and acts as a consultant to governments, media, and businesses.
Ex-Oppenheimer executive pleads guilty in loan fraud scheme: A former Oppenheimer & Co executive pleaded guilty in Manhattan federal court February 20 to his role in a fraud scheme that deceived Oklahoma regulators and the company by collaborating with three individuals to process a $30 million loan through the investment bank for the fraudulent purchase of Providence P&C while illegally using the insurance company's assets as collateral. The case originated with a related investigation into Park Avenue Bank, which went under in March 2010.
Cisco IPv6 processing bug can cause DoS attacks: Cisco announced that its NCS 6000 and Carrier Routing System (CRS-X) contain an IPv6 software bug that attackers could repeatedly exploit by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card to cause an extended denial of service (DoS) condition.
Superfish SSL interception library found in several applications: Researchers. Security researchers discovered that the Komodia Redirector and SSL Digestor, originally used by the Superfish software preinstalled on Lenovo laptops, can be found in several products and at least 12 Facebook applications using the SSL interception library. The researchers stated that Komodia's proxy software does not properly implement SSL or validate certificates, enabling attackers to potentially hijack affected users' connections.
Tax-related spear-phishing aims at CTOs in tech companies. Security researchers at Talos discovered a new phishing campaign targeting chief technology officers (CTOs) with malicious attachments disguised as Microsoft Word documents laced with macros that deliver the Vawtrak banking trojan, which can capture user credentials for more than 100 online services. The emails purport to be related to large-sum payment details and federal taxes, with some appearing to originate from fake government addresses.
Commercial spyware found in enterprise environment. Security researchers at Lacoon Mobile Security and Check Point discovered 18 different commercial mobile remote access trojan (mRAT) spying tools that connect to the company's Wi-Fi and communicate with the command and control (C&C) server on 1,000 of 900,000 corporate mobile devices tested. The spyware, generally marketed for monitoring children, allows employers to track the location of users, log activity on the device, access emails, texts, and contacts, and possibly activate the device's microphone for recording.
Hackers now popping Cisco VPN portals. An Australian hacker reported a flaw that allows attackers to crack customized Cisco virtual private networks (VPNs) to steal credentials, inject malware, modify Clientless Secure Sockets Layer (SSL) and VPN portal content, and launch cross-site scripting (XSS). Cisco stated that the flaw was due to improper implementation of authentication checks in the customization framework of Clientless SSL VPN portal versions earlier than October 8, 2014 and recommended customers follow their incident response process.
Android malware takes over device’s shutdown process. AVG security researchers discovered a new mobile malware strain affecting Android devices that hijacks the shutdown process and obtains root permission to run nefarious activities such as initiating calls or taking pictures while the phone appears to be off.
Over 250,000 home routers found with duplicate SSH keys. A Shodan researcher discovered that misconfiguration of devices likely led over 250,000 home routers from Spain, 200,000 routers from mostly China and Taiwan, and 150,000 routers from the U.S. and Japan to share the same Secure Shell (SSH) keys, which could allow an attacker to gain access to any device with a single key. Researchers recommended disabling SSH connectivity in the router.
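The defensive counterpart to the finding above is to look for host keys that repeat across a fleet. The following is an added example, not code from the original page or from the researcher cited: it computes the OpenSSH-style SHA256 fingerprint of each host key line (the same value `ssh-keygen -lf` prints) and reports fingerprints used by more than one device. The inventory is constructed for the example; the key blobs are made-up bytes, not real device keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample inventory of (device address, host key line) pairs in the
# "<type> <base64 blob>" form a scanner or `ssh-keyscan` reports. The blobs are
# made-up bytes, not real keys; three devices deliberately share one key.
SAMPLE_INVENTORY = [
    ("203.0.113.10", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-A").decode()),
    ("203.0.113.11", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-A").decode()),
    ("198.51.100.7", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-A").decode()),
    ("198.51.100.8", "ssh-rsa " + base64.b64encode(b"constructed-key-blob-B").decode()),
    ("192.0.2.5", "ssh-ed25519 " + base64.b64encode(b"constructed-key-blob-C").decode()),
]


def fingerprint(host_key_line):
    """Return the OpenSSH-style SHA256 fingerprint of one host key line.

    The fingerprint is SHA-256 over the decoded key blob, base64-encoded with
    the trailing '=' padding removed and prefixed with "SHA256:".
    """
    fields = host_key_line.split()
    if len(fields) < 2:
        raise ValueError("not a host key line: %r" % host_key_line)
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory):
    """Group devices by host key fingerprint and return only the fingerprints
    seen on more than one device, each mapped to the sorted device list."""
    by_fingerprint = defaultdict(list)
    for host, key_line in inventory:
        by_fingerprint[fingerprint(key_line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fingerprint.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_INVENTORY).items():
        print("%s is shared by %d devices: %s" % (fp, len(hosts), ", ".join(hosts)))
```

A shared host key means the private key is shared too, so any device that leaks it exposes the rest; in a real audit the inventory would come from `ssh-keyscan` output or a scanner export rather than the constructed list above.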
Lenovo to stop pre-installing controversial software. Errata Security researchers determined that Superfish adware pre-installed on Lenovo computers hijacks and throws open encrypted connections, allowing hackers to seize connections and listen in through man-in-the-middle (MitM) attacks. Lenovo disabled all Superfish software from its consumer computers and stopped pre-installing the software on its devices, but experts warned that systems could still be vulnerable even after uninstalling the software.
DoubleFantasy is Equation group's first attack wave. Kaspersky analysts discovered that hackers from the cyber-espionage group Equation developed the DoubleFantasy trojan, a tool used to verify the infected system as a target and a vehicle for installing more sophisticated attack tools that could steal usernames and passwords for Microsoft's Internet Explorer and Mozilla's Firefox Web browsers, Windows protected storage on versions up to Windows XP, and operating system authentication subsystems on Windows Vista and above. Multiple versions of the tool were discovered, and some were deployed to targets via a post-meeting compact disk from a 2009 scientific conference in Houston.
Accused Russian hacker to face charges in US court. A Russian national was extradited to the U.S. and charged February 17 in New Jersey for his alleged involvement in an international scheme that stole more than 160 million credit card numbers resulting in hundreds of millions of dollars in losses to consumers and financial institutions including Dow Jones, 7-Eleven, Nasdaq, Visa, and JetBlue. The suspect, arrested in the Netherlands in 2012, allegedly hacked victims’ networks to gain access to usernames and passwords, credit card and personal identifiable information, and sold them to resellers around the world.
Fire badly damages Key Bank branch in Phoenicia; vault contents, customer records OK. The Key Bank branch in Phoenicia, New York, issued a statement that all client information and vault contents were secure February 17 after a February 16 fire caused extensive damage to the structure. The cause of the fire remains under investigation, and the bank is closed indefinitely until officials can repair the damage.
Vawtrak trojan downloaded via malicious macro for Microsoft Word. Trend Micro security researchers discovered a new cyber criminal campaign targeting banks including Bank of America, Barclays, Citibank, HSBC, Lloyd's Bank, and J.P. Morgan with emails containing malicious macro-enabled Microsoft Word documents that install the Vawtrak banking trojan by downloading a batch file, a Visual Basic Scripting Edition (VBScript) file, and a PowerShell file. The malware serves clients modified pages to trick them into providing login data for Microsoft Outlook, Google Chrome, Mozilla Firefox, and file transfer protocol (FTP) clients.
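Both Vawtrak items above (the CTO spear-phishing campaign and the bank-themed one) rely on a Word attachment that carries a VBA macro. The following is an added example, not code from the page or from the vendors cited, showing the check a mail gateway or triage script can apply before a user ever opens the file: an Office Open XML document is a zip package, and a macro-bearing one contains a `vbaProject.bin` part and declares the macro-enabled content type. The sample documents are constructed in memory with placeholder bytes; they contain no real VBA.

```python
import io
import zipfile

# Part name and content types used by VBA-bearing Office Open XML packages.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_document(with_macro):
    """Construct a minimal OOXML package in memory (a constructed sample, not a
    real document). With with_macro=True it gets a placeholder vbaProject.bin
    part and the macro-enabled content type; the part bytes are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_type = MACRO_ENABLED_MAIN if with_macro else PLAIN_MAIN
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type,
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                         % MACRO_CONTENT_TYPE)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project; not real VBA.
            zf.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


def inspect_office_document(data):
    """Report macro indicators found in the bytes of an OOXML file.

    Returns a dict: is_ooxml (zip with [Content_Types].xml), has_vba_part
    (a vbaProject.bin part exists), declares_vba_type (the content types
    list the VBA type) and macro_enabled_main (the main part claims to be
    macro-enabled). Non-zip input, such as a legacy binary .doc, is reported
    as not inspectable rather than as clean.
    """
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_vba_type": False, "macro_enabled_main": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["has_vba_part"] = any(n.endswith(VBA_PART_SUFFIX) for n in names)
        if result["is_ooxml"]:
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_type"] = MACRO_CONTENT_TYPE in types
            result["macro_enabled_main"] = MACRO_ENABLED_MAIN in types
    return result


def contains_macros(data):
    """True if any indicator fires. A mismatch (part present but undeclared,
    or declared but absent) still counts, since a renamed .docm or a hand-
    edited package is itself a reason to quarantine."""
    r = inspect_office_document(data)
    return r["has_vba_part"] or r["declares_vba_type"] or r["macro_enabled_main"]
```

This check says only whether a macro project is present, not what it does; legacy binary `.doc` files are not zip packages and need an OLE-aware parser such as oletools' `olevba` instead, which is why the function reports them as uninspected rather than clean.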
Banking trojan Dyreza sends 30,000 malicious emails in one day. Bitdefender security researchers discovered that 30,000 malicious emails containing the banking trojan Dyreza were sent in one day to customers of banks including HSBC, NatWest, Barclays, RBS, Lloyds Bank, and Santander from servers in the U.K., France, Turkey, Russia, and the U.S. The trojan allows hackers to covertly steal credentials and manipulate accounts.
Author of Android Xbot malware includes curse at AV companies. Avast security researchers discovered that the Xbot Android malware infected over 2,570 installations in 350 unique files through third-party marketplaces since the beginning of February. The malware persistently runs on infected devices, has the capability to download content to command and control (C&C) servers, and primarily focuses on capturing, reading, and writing short text messages.
Credit card info stolen in BigFish Games site compromise. BigFish Games reported that the personal and financial information of some of its customers that made purchases between December 24, 2014 and January 8 may have been compromised after the company discovered malware installed on the billing and payment pages of its Web site January 12. Affected customers were notified of the breach February 11, and the company removed the malware and has taken steps to prevent the malware from being reinstalled.
Siemens fixes security flaws in Simatic Step 7 (TIA Portal). Siemens patched two minor and two more severe vulnerabilities due to glitches in Simatic Step 7 that allowed hackers to possibly learn user passwords, escalate privileges, or hijack and intercept industrial communication on TCP port 102.
Flaw in Netgear Wi-Fi routers exposes admin password, WLAN details. A network engineer discovered and notified Netgear support that certain versions of the brand’s WNDR3700v4, WNR2200, and WNR2500 home wireless routers contain a vulnerability in the embedded simple object access protocol (SOAP) service that could allow unauthenticated remote and locally-connected attackers to obtain the administrator password, device serial number, WLAN details, and various information related to clients connected to the device.
Arabic threat group attacking thousands of victims globally. Kaspersky Lab security researchers reported that "Desert Falcons," the first known full-scale Arabic cyber-espionage group, has used spear-phishing and social engineering techniques to deliver two backdoors through 100 malware samples to infect Windows PCs and Android devices of targets based in Egypt, Palestine, Israel, Jordan, the U.S., and other countries for at least 2 years. The malware has full-backdoor capability as well as the capability to steal call and SMS logs in Android versions, and attackers have targeted victims from political, military, and government individuals and organizations, media outlets, energy and utility providers, physical security companies, and others holding geopolitical information.
Ongoing cyber attack on banks worldwide creates billion dollar loss. Kaspersky security researchers discovered that cyber criminals robbed over 100 financial institutions worldwide of up to $1 billion by using spear-phishing attacks exploiting 2 vulnerabilities in Microsoft Office and 1 vulnerability in Microsoft Word to install malware and infiltrate institutions’ networks. The attackers cashed in by instructing ATMs to dispense money at specific times without payment cards, opening accounts with fake balances, and artificially inflating account balances of bank customers and then transferring the surplus to their accounts in China and the U.S.
Feds: Up to 900 potential victims of insurance scam preying on trucking companies. Federal investigators seized approximately $732,000 from Appeal Insurance Agency bank accounts February 12 alleging that the owner scammed up to 900 victims, primarily in commercial trucking, by collecting insurance premiums without securing legitimate policies and using the money to fund his lifestyle and pay off insurance claims filed with his office. Authorities found that $3.7 million was deposited into one of the owner’s accounts between January 2013 and July 2014.
Firmware of over a dozen hard drive brands altered to lodge malware. Kaspersky researchers discovered that a cyber-espionage group calling itself Equation modified hard drive firmware in over 12 brands to potentially infect tens of thousands of computers worldwide, including those in sectors such as government and military institutions, nuclear research, oil and gas, telecommunications, transportation, and the financial sector, among others. Reprogramming the firmware allowed attackers to create persistent hidden storage spaces accessible only through specific methods known to them.
In the wake of TurboTax fraud, email scams emerge. Intuit reported an increase in phishing scam attempts to harvest personal and financial information from TurboTax users using a variety of themes including notifications of bogus security checks, fake tax return status updates, or notices of locked accounts. Users are led to click on a URL that links to a fake log-in page used by hackers to steal names, addresses, and Social Security numbers.
Brinks guard shot at Capital One Bank near Galleria dies. Authorities are searching for three suspects after their getaway vehicle was found near the robbery scene following an attempted robbery of a Brinks truck that left a security guard dead near the Galleria area of Houston February 12. The suspects shot at the vehicle and the security guard during the incident.
16 million mobile devices infected by malware. Alcatel-Lucent's Motive Security Labs released a report finding that approximately 16 million mobile devices worldwide were infected by malware, with a 25 percent increase in mobile device infections in 2014. Researchers also found that command and control (C&C) protocols were more sophisticated and mobile spyware increased, among other findings.
RIG exploit kit source code leaked online. Trustwave researchers analyzed an alleged leak of the source code for the RIG exploit kit and determined that the code is legitimate; the individual published the code after attempting to sell it online. The leaker also purported that the exploit kit included exploits for two Internet Explorer, two Adobe Flash Player, one Microsoft Silverlight, and two Java vulnerabilities.
Several PayPal-mimicking phishing sites taken offline. OpenDNS researchers found a number of phishing Web sites that appear as legitimate PayPal sites being used to steal users' login credentials. PayPal is working to shut down the fraudulent sites.
Ex-GOP candidate for governor facing fraud charges. A former candidate for governor and his girlfriend were arrested and charged during the week of February 2 for allegedly stealing more than $11 million from investors in New York and North Carolina and attempting to defraud banks of $8 million by submitting fake tax returns and inflated pay stubs in 3 schemes between February 2009 and July 2013. The pair allegedly promised investors that their money was being used to buy and consolidate other investment firms while the funds were being used for the pair's personal use and other business ventures.
Google Play, browser flaws expose Android devices to remote code execution. Researchers at Rapid7 reported that vulnerabilities in Google Play due to a lack of appropriate X-Frame-Options (XFO) headers combined with a universal cross-site scripting (UXSS) vulnerability in browsers shipped with Android versions prior to 4.4 (KitKat), or a cross-site scripting (XSS) bug in Google Play, could be leveraged by attackers to remotely install arbitrary Android application packages (APKs) on smartphones. Attacks can be prevented by logging out of the Google account prior to using the affected browsers, or by using Mozilla Firefox or Chrome instead.
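The missing X-Frame-Options header in the item above is the part a site operator controls. The following is an added example, not code from the page or from Rapid7, of the audit a defender can run over the headers an application returns: it accepts a Content-Security-Policy `frame-ancestors` directive or a DENY/SAMEORIGIN X-Frame-Options value as protection, treats the deprecated ALLOW-FROM form and conflicting values as unprotected rather than guessing how a given browser resolves them, and gives CSP precedence because CSP Level 2 specifies that the directive overrides the header when both are present. The header sets used at the bottom are constructed for the example.

```python
def _header(headers, name):
    """Case-insensitive header lookup; a list value (repeated header) is
    joined with commas, which is how browsers see repeated headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return ", ".join(value) if isinstance(value, (list, tuple)) else value
    return None


def csp_frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None
    when the policy has no such directive."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers):
    """Audit anti-framing headers. Returns (protected, reason).

    Order of evaluation: CSP frame-ancestors first (it takes precedence over
    X-Frame-Options when both exist), then X-Frame-Options. Anything the
    check cannot classify as a clear restriction is reported as unprotected.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            if not ancestors:
                return False, "frame-ancestors has an empty source list; state 'none' explicitly"
            if "*" in ancestors:
                return False, "frame-ancestors allows any origin (*)"
            return True, "CSP frame-ancestors " + " ".join(ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) != 1:
        return False, "conflicting X-Frame-Options values: %s" % sorted(values)
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is deprecated and not supported by all browsers"
    return False, "unrecognised X-Frame-Options value %r" % value


# Constructed header sets for the example; not captured from any real site.
SAMPLE_RESPONSES = {
    "none": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-lower": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wins": {"Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "ALLOWALL"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "conflict": {"X-Frame-Options": ["DENY", "SAMEORIGIN"]},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        protected, reason = framing_protection(hdrs)
        print("%-10s %-11s %s" % (label, "protected" if protected else "UNPROTECTED", reason))
```

In practice the header dicts would come from the responses of every page that performs a state-changing action while the user is logged in, since those are the pages whose framing the item above describes.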
Simplocker ransomware for Android returns with new version. Avast researchers reported that over 5,000 unique users were infected by a newly discovered Simplocker ransomware variant for Android that poses as an Adobe Flash Player update, employs unique encryption keys to make unlocking difficult, and displays a fake notification from the FBI about suspicious files and copyright infringement to fool victims into paying the $200 ransom.
Feds seize over $7 million (plus a little Bitcoin) during software piracy investigation. Federal agents seized $25,000 in cryptocurrency from a Seattle resident and more than $7 million and other assets from related suspects in December 2014 as part of an ongoing software piracy case. The January 30 court filing alleges that suspects traded and distributed fraudulent product activation key codes for Microsoft and other software through e-commerce sites to make at least $30 million in profits since 2009.
Cyber Caliphate hackers take over Twitter account of Newsweek. The FBI is investigating a February 10 hijack of Newsweek’s Twitter feed in which attackers claiming to be Islamic State (ISIS)-affiliated hacker group Cyber Caliphate posted threats to the U.S. President’s family before the company regained control of the feed within 14 minutes. Newsweek confirmed that the Twitter accounts of International Business Times and Latin Times were also hijacked by the group.
Researchers bypass all Windows protections by modifying a single bit. Microsoft released a patch for two vulnerabilities, including one that affected all versions of the Windows Operating System via a Windows kernel-mode driver and allowed attackers to install software, view and change data, and create new accounts with full administrative rights. A patch addressing a critical remote code execution flaw was also released.
Microsoft patches critical Windows, Internet Explorer vulnerabilities in Patch Tuesday update. Microsoft issued 9 security bulletins that fixed a total of 41 vulnerabilities as part of its Patch Tuesday updates that address issues for Windows, Office, and Server Software.
Microsoft corporate clients targeted with volume license phishing email. A Cisco Threat Defense researcher reported that cyber-criminals were targeting Microsoft's corporate users with phishing emails purporting to be from Microsoft's Volume Licensing Service Center that contain a link leading to a compromised WordPress server, which downloads the Chanitor malware.
Waldwick police seize 125 credit cards from Walgreens customers. Three individuals were arrested by police at a Waldwick Walgreens February 7 when they were caught with more than 125 stolen credit cards allegedly taken from all over the U.S. The suspects were caught while they were purchasing a gift card, and police found additional gift cards on them when they were arrested.
New York plans cybersecurity reviews of insurers after breach. New York's Financial Services Department announced plans February 9 to increase State insurers' preparedness through regular cyber-security reviews and enhanced regulations in the wake of February's Anthem Inc. breach that affected up to 80 million customers.
About 40,000 MongoDB databases found open online. Three Saarland University cyber-security students reported security vulnerabilities in MongoDB's database configuration, including servers with no access control mechanisms that could potentially allow access from outside the backend and expose the information of millions of customers to unauthorized parties. An initial scan found nearly 40,000 databases that were open, prompting the researchers to submit their findings to MongoDB maintainers for integration into revised security instructions for users.
Researcher publishes 10 million usernames and passwords. A researcher released 10 million username/password combinations that he collected over the years in an attempt to advance research and make authentication more secure. The researcher asserted that most combinations were dated and had been scrubbed of all identifying and compromising information.
Box Sync for Mac exposed sensitive information: Researcher. Box Sync for Mac released version 4.0.6035 to fix a security issue discovered in January that exposed Python files containing sensitive data such as application program interface (API) keys, internal user IDs, passwords, and URLs. Box Sync representatives asserted that customer data was never at risk.
LG fixes authentication bypass vulnerability in on-screen phone app. LG released On-Screen Phone application update 4.3.010 to fix a vulnerability discovered by Search-Lab researchers in September 2014 that allowed attackers to possibly bypass authentication and take control of users’ smartphones without their knowledge through a connection between the mobile device and the computer conducted via USB cable, Wi-Fi, or Bluetooth.
Tax fraud prompts Intuit to temporarily suspend state e-filing. Financial software developer Intuit paused State income tax e-filings made through the company’s TurboTax services February 5 and restored services February 6 after suspected fraudulent filings using stolen identities appeared in returns from 19 States.
Area real estate investor guilty in multimillion dollar wire fraud, monetary transactions case. A real estate investor pleaded guilty February 6 to defrauding investors out of $7 million to $20 million using the Quantico Corporate Center in Stafford, Virginia, as an investment opportunity. Instead of investing the millions into land development deals, the real estate investor spent the money on poor day trading investments and other transactions.
Surfside investment advisor in Ponzi scheme charged with fraud. A Surfside investment advisor was charged with wire-fraud conspiracy February 5 for allegedly receiving commissions in return for advising investors to sink millions into a $1.2 billion Ponzi scheme. The investment advisor collaborated with a Fort Lauderdale lawyer who was convicted and sentenced in 2010 for his role in the investment scam.
DDoS malware for Linux distributed via SSH brute force attacks. FireEye researchers reported February 9 that a campaign utilizing Secure Shell (SSH) brute force attacks to install the XOR.DDoS distributed denial of service (DDoS) malware, first discovered by Malware Must Die in September 2014, has executed nearly 1 million login attempts between November 2014 and the end of January.
Impostors bilk Omaha’s Scoular Co. out of $17.2 million. Officials reported that Scoular Co., of Omaha was defrauded out of $17.2 million in June 2014 when perpetrators impersonated the company’s chief executive and outside auditing firm via email and ordered the Scoular controller to wire 3 separate payments to the Shanghai Pudong Development Bank in China, to be held for Dadi Co. Ltd. The FBI is seeking to recover the lost funds and continues to investigate the incident.
Suspected bank robber shot and killed by police after chase in Chino. A man who robbed the Corona branch of the Pacific Premier Bank February 4 was killed in a shootout with police after allegedly carjacking a vehicle and leading a pursuit that ended in Chino when he crashed the car.
Zero-day flaw in WordPress plugin used to inject malware into sites. WordPress patched a zero-day flaw in its FancyBox plugin after Sucuri researchers noted the vulnerability could allow attackers to inject malware or scripts into Web sites, after numerous users complained of malicious “iframe” injections on their sites.
Adobe Flash Player security update fixes 18 vulnerabilities. Adobe released updates that patch a total of 18 Flash Player vulnerabilities, including fixes for use-after-free flaws and two type confusion vulnerabilities.