Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices: decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers.
ATM and gas pump skimming information.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
ModPOS is a sophisticated criminal malware framework targeting POS devices. On November 24, security specialists from iSIGHT Partners disclosed a new, complex form of malware called ModPOS that targets U.S. retailers’ point-of-sale (PoS) systems through three modules: an Uploader/Downloader, a Keylogger, and a POS Scraper. The modules use obfuscation and encryption to evade security software, and the framework’s command and control (C&C) server instructs the infected device to fetch additional modules once the stolen information is deemed valuable.
Lenovo patches privilege escalation flaws in System Update. Lenovo released a new version of its System Update software addressing security flaws, including a local privilege escalation vulnerability in which an attacker can gain administrative privileges on a victim’s system by predicting the temporary administrative account generated by SUService.exe, and another that allows a local unprivileged attacker to execute commands on users’ Windows systems.
Dell security error widens as researchers dig deeper. Researchers from Duo Security discovered that new Dell laptops were found with a self-signed root digital certificate, eDellRoot, which can allow attackers to conduct a man-in-the-middle attack, spy on incoming data, and use private keys to create their own digital certificates to produce fake Web sites that appear legitimate. Dell Inc. reported they plan to release instructions on how to remove the certificates.
ISIS retaliates against Anonymous, leaks data of “To-be-killed” US officials. Hackers from the Islamic State Hacking Division leaked a list containing data about employees who served on bases located in the Middle East, including personnel from the U.S. Defense Intelligence Agency, the FBI, the CIA, and the National Counterterrorism Center, the U.S. National Guard, and other Federal government agencies, via a Twitter account. The leak was contained.
Researchers find multiple Chrome extensions secretly tracking users. Researchers from Detectify Labs discovered that Google Chrome extensions including HooverZoom, SpeakIt, ProxFlow, Instant Translate, and other extensions were embedded with an analytics code to track users’ browsing history, collect data from cookies, and view secret access tokens from Facebook Connect without users’ consent while surfing across Web sites in different browser tabs.
Data breach at biz that manages Cisco, F5, Microsoft certifications. The certification management provider, Pearson VUE reported that its Credential Manager (PCM) system was breached, allowing attackers to access Cisco certification users’ information including their names, mailing address, email address, and phone numbers. Pearson reportedly believes Social Security numbers were not disclosed and other PCM systems were not compromised.
Nmap 7 brings faster scans, other improvements. The Network Mapper (Nmap) project released Nmap Security Scanner 7.0.0 with significant improvements, including the Nmap Scripting Engine (NSE), which allows users to write scripts that automate networking tasks, improved Internet Protocol version 6 (IPv6) support, faster and improved Secure Sockets Layer (SSL) and Transport Layer Security (TLS)-related scans, and an updated version of its Ncat utility.
Connecticut man faces federal charges for alleged housing scams. An Easton man was charged November 19 in Federal court for a $5 million fraud scheme, in which he targeted foreclosure victims by promising homeowners debt relief, but used their homes for profit and pocketed the money for personal expenses instead of applying the funds to homeowners’ mortgages, taxes, and other property-related expenses.
New Dyre variant can target Windows 10 and Microsoft Edge users. Security researchers from Heimdal discovered a new version of Dyre/Dyreza banking malware that can compromise a variety of Windows systems, connect into various browsers including Google Chrome and Internet Explorer, and terminate security software processes via a disguised Upatre trojan sent through spam emails that allows attackers to inject additional malware once the computer system has been compromised.
Assets frozen in alleged immigration scam. The U.S. Securities and Exchange Commission reported November 19 that the assets of a South Florida woman and her company would be frozen following allegations that the woman diverted $1 million to her personal expenses after collecting funds from investors seeking to invest $8.5 million in the EB-5 Immigrant Visa Program.
Scott Credit Union employee from Columbia charged with nine counts of fraud. A former manager at Scott Credit Union in Columbia was charged with 9 counts of fraud November 19 for conspiring to steal over $12 million from 2005 – 2014 by making up false loans, paying loans with misappropriated funds, and issuing loans and credit without authorization or required documentation.
Backdoor within backdoor puts over 600,000 Arris cable modems in danger. A Brazilian security researcher discovered that over 600,000 older Arris cable modems (models TG862A, TG862G and DG860A) were manufactured with two backdoor codes installed in their hardware that can be activated via the libarris_password.so library. If exploited, the backdoors enable attackers to access the modem, enable the Secure Shell (SSH) or Telnet ports, and reach a BusyBox shell.
LinkedIn patches persistent XSS flaw in help center. LinkedIn patched a cross-site scripting (XSS) vulnerability, discovered by an independent security researcher, in its official Help Center Web site that allowed attackers to inject malicious code and enable the XSS vulnerability to perform actions on the victims’ behalf and inject an XSS worm designed to spread on LinkedIn’s forums.
VMware updates products due to flaw in Apache Flex BlazeDS. VMware released updates for several of its products, including Flex BlazeDS 4.7.1, which addresses an Extensible Markup Language (XML) External Entity (XXE) vulnerability in Apache Flex BlazeDS that can be exploited by a remote attacker to make a server disclose information via specially crafted XML.
9 arrested, 11 at large in North Jersey crackdown on fraud, ID theft. New Jersey officials reported that 9 suspects were arrested November 16 and 11 others were identified and remain at large in connection to an alleged identity theft and fraud ring that a Liberian national and business owner reportedly orchestrated in order to steal over $100,000 from victims’ bank accounts by changing the victims’ mailing addresses, opening bank accounts, and using counterfeit checks to make illegal withdrawals from their accounts, in addition to applying for fraudulent loans in the victims’ names.
Microsoft blocks unauthorized code injection in Edge. Microsoft released several improvements to its Edge Software with the introduction of EdgeHTML 13 that adds a security feature to block dynamic-link library (DLL) injections into the browser process and only allow components signed by Microsoft and Windows Hardware Quality Labs (WHQL) signed-device drivers to load.
15-year-old Brit charged with DDoS attacks, bomb threats. British police arrested and charged a 15-year-old teenager November 16 for violating the Computer Misuse Act and Criminal Law Act after he launched a series of Distributed Denial of Service (DDoS) attacks from his home targeting companies and servers in Africa, Asia, Europe, and North America, as well as delivering several bomb threats against North American airlines via social media platforms.
Fort Myers man faces 120 years in prison for bank fraud. A Fort Myers man pleaded guilty November 17 to four counts of bank fraud after orchestrating a nearly $1.6 million check-kiting scheme in 2011 by profiting from fraudulent checks and auto loans procured through Coral Auto Sales, his used car business. An FBI investigation also revealed that the suspect tried to destroy 20 banker’s boxes of incriminating evidence from his home.
Woman admits to role in nationwide credit card theft scheme. A California woman pleaded guilty in Federal court November 17 for her role in a nationwide credit card fraud scheme to steal 94,000 credit and debit cards by replacing point-of-sale systems with counterfeit devices equipped with wireless technology at 80 Michaels stores in 19 states with the intention to steal bank accounts and collect consumers’ personal identification number (PIN).
Minnesota couple plead guilty to huge tax scam. A Minnesota couple pleaded guilty November 16 to a $1.8 million tax fraud scheme in which the pair used their tax filing and immigration service, American Group, to file fraudulent tax returns on behalf of 1,000 people in Minnesota and Florida.
Blackhole’s back: Hated exploit kit returns from the dead. Researchers from Malwarebytes discovered that the previously extinct Blackhole Exploit Kit has resurfaced after finding an active drive-by download campaign via compromised Web sites with the same Adobe Java platform and PDF exploits as the Blackhole Exploit Kit, which can still compromise vulnerable computers despite its old exploits.
Adobe issues security fixes for ColdFusion, LiveCycleDS, Premiere Clip. Adobe released a series of updates addressing security vulnerabilities in several of its products including ColdFusion, which resolved two input validation issues that may be used in reflected cross-site scripting (XSS) attacks; LiveCycleDS, which resolved a server-side request forgery vulnerability; and Premiere Clip products, which patched an input validation issue in a mobile application that allows Apple iOS users to create or edit videos on mobile devices.
Fund manager Virtus to pay $16.5 million to settle false-advertising charges. Connecticut-based Virtus Investment Advisers agreed to pay the U.S. Securities and Exchange Commission $16.5 million to settle charges for falsifying performance claims through exchange-traded funds (ETFs) and using hypothetical data to inflate the fund’s track record to boost their investment strategy November 16. The U.S. Securities and Exchange Commission is investigating whether advisors may have potentially misled investors with false performance data.
Poor backend security practices expose sensitive data. Researchers at the Technical University of Darmstadt in Germany discovered more than 18.6 million records exposed by security risks associated with the use of Backend-as-a-Service (BaaS) offerings, including the extraction of an application ID and an undisclosed authentication key from a victim’s mobile application, which allows attackers to access the backend with the same privileges as the application.
Flaw in D-Link switches exposes corporate networks: Researchers. Security researchers from Elastica’s Cloud Threat Labs discovered a flaw in DGS-1210 Series Gigabit Smart Switches from D-Link that can be exploited by remote attackers to access backup files found on the flash memory and the web server, where log and configuration files are stored, with any authentication credentials if the attackers identify the targeted device’s Internet Protocol (IP) address.
Cyber crooks actively hijacking servers with unpatched vBulletin installations. Symantec researchers discovered that attackers are using a patched zero-day flaw that affects vBulletin Connect versions 5.1.4 through 5.1.9, to remotely execute code on a vulnerable server by first downloading and executing a multipurpose malicious shell script, filesender1.sh onto a vulnerable server via a single Hypertext Transfer Protocol (HTTP) request.
Automation fuels onslaught of web app attacks: Report. Imperva released its Web Application Attack Report (WAAR), revealing that more than 75 percent of analyzed applications were targeted by automated attacks using SQL injection (SQLi), remote file inclusion (RFI), remote code execution (RCE), directory traversal (DT), cross-site scripting (XSS), spam, file upload (FU), and Hypertext Transfer Protocol (HTTP) reconnaissance to compromise users and steal sensitive information. As cybercriminals leverage automated tools, SQL injection attacks were 3 times higher this year than in previous years.
Wheaton financial firm owner charged with wire fraud. The owner of Illinois Stock Transfer Company in Wheaton was charged November 12 for 10 counts of wire fraud after stealing more than $1.2 million from a client’s fund account and using the funds for his company’s corporate taxes, payroll, and business expenses from 2012 to 2014.
PoS malware spread via weaponized Microsoft Word documents. Researchers from Proofpoint discovered the point-of-sale (PoS) malware dubbed AbaddonPOS was a part of a malware-delivery campaign allowing attackers to download other malware from Command and Control servers (C&C) using its own custom protocol via Microsoft Word documents and malicious Web sites, in an attempt to steal credit and debit card transaction data.
Thousands of sites infected with Linux encryption ransomware. Researchers from Dr. Web reported that approximately 2,000 Web sites were compromised by the Linux file-encrypting ransomware dubbed Linux.Encoder1, which targets root and home directories, web servers, backups, and source code. It is delivered as a downloaded file containing the RSA public key used to encrypt the per-file AES keys, and it appends an .encrypt extension to each file, making files nearly impossible to recover without paying a ransom to the attackers. A patch was released, but experts warned that attackers may update the malware to make file decryption more difficult.
State-sponsored cyberspies inject victim profiling and tracking scripts in strategic websites. Security researchers from FireEye discovered an attack campaign dubbed WITCHCOVEN, which injected computer profiling and tracking scripts into over 100 Web sites involved in international business travel, diplomacy, energy production and policy, international economics, and official government work. The scripts were designed to identify users of interest so that they could be targeted with exploits tailored to their specific computer and software configurations.
Microsoft fixes Hyper-V bug in Windows. Microsoft released patches for vulnerabilities in its Hyper-V hypervisor software affecting several Windows Server versions, including a flaw in which the central processing unit (CPU) chipset issues instructions that put the host system into a nonresponsive state, resulting in a denial-of-service condition for users’ operating systems. No attacks in the wild have been reported.
A quarter of web-accessible devices have vulnerable firmware. Researchers from EURECOM and Ruhr University Bochum in Germany released a study confirming the weak state of security for Internet of Things (IoT) devices, including cross-site scripting (XSS) vulnerabilities, cross-site request forgery (CSRF) vulnerabilities, SQL injection (SQLi) vulnerabilities, and remote code/command execution (RCE) vulnerabilities that can grant attackers access to devices, spy on users, steal data, and rewrite the firmware to perform other malicious activities.
Libpng Library updated to patch vulnerabilities. The official Portable Network Graphics (PNG) reference library, Libpng released an update addressing several memory corruption vulnerabilities in all its versions from 1.6.18 – 1.0.63, affected by a potential out-of-bounds read in the png_set_tIME() and png_convert_to_rfc1123() functions, and an out-of-bounds write issue in the png_get_PLTE() and png_set_PLTE() functions that failed to check for an out-of-range palette when reading or writing PNG files. The flaws were patched with the release of updated versions.
Compromised Web site fools security vendor, continues to infect users. Researchers from Palo Alto Networks reported that the CryptoWall 3.0 ransomware, which previously infected users via the Angler Exploit Kit when they visited the Web site cxda.[.]gov[.]cn, was still active and had compromised 4,000 additional Web sites despite initial reports that the malicious campaign had stopped. Researchers revealed that “dormant” and “filtering” functionality embedded in the campaign’s malicious code allowed attackers to go unnoticed depending on the visitor’s source Internet Protocol (IP) address and user agent.
Oil and gas companies indirectly put at risk by vulnerabilities in ERP systems. Researchers from ERPScan presenting at Black Hat Europe 2015 showed how a vulnerability in an enterprise resource planning (ERP) suite from SAP and Oracle used inside oil and gas companies, could allow an attacker to gain access into operation technology (OT) infrastructure through connected applications that are insecure. The researchers also determined that misconfigurations, the presence of unnecessary privileges, and custom code provided entry or access escalation points for attacks.
New PoS malware delivered via malicious docs, exploit kit. Researchers from Proofpoint observed the “AbaddonPOS” point-of-sale (PoS) malware and determined that it was being widely distributed with the aid of compromised Microsoft Word documents designed to download information-stealing threats. Once the malware infects the system, it scans the memory of all processes for track 1 and track 2 data associated with payment cards.
Newport lawyer accused of $8 million investment scam pleads guilty to 3 felonies. A former attorney from Orange County pleaded guilty to 2 felony counts of wire fraud and 1 felony count of tax evasion November 12 for misleading investors by collecting their investment money and spending it on personal expenses, netting at least $8 million.
Secretary of State alleges corporate-voting fraud at Realty Capital Securities. Boston-based Realty Capital Securities LLC was charged by Massachusetts financial regulators November 12 for allegedly impersonating shareholders to use their stocks to vote on corporate governance, which included a proxy vote that was used for a proposed $378 million deal and another that would have given New York investors who controlled the company more control over Business Development Corp. of America.
Treasury sanctions the Khanani Money Laundering Organization. The U.S. Department of the Treasury’s Office of Foreign Assets Control announced November 12 that the Altaf Khanani Money Laundering Organization (Khanani MLO) and Dubai-based money services company Al Zarooni Exchange were sanctioned as transnational criminal organizations after investigators determined that the organizations were knowingly laundering billions of dollars to organized crime groups, drug trafficking organizations, and designated global terrorist groups.
36 people charged in fraud scheme involving staged car wrecks in the Tri-State. Thirty of the 36 people allegedly involved in a scheme to defraud insurance companies out of more than $600,000 in false insurance claims over a 4-year period were served warrants November 10 in Indiana. The suspects recruited people to participate in staged crashes and trained them how to act in order to file false insurance claims and run up medical bills through hospital stays.
Flaw in “Spring Social” puts user accounts at risk. Researchers at SourceClear (SRC:CLR) discovered that a vulnerability in Pivotal Software’s Spring Social authentication feature can be exploited via a specially crafted Uniform Resource Locator (URL) that bypasses the cross-site request forgery (CSRF) protection to link an attacker’s account, on a similar service to GitHub or Facebook, with a victim’s account on a compromised Web site. Pivotal Software patched the vulnerability with the release of Spring Social Core update.
Jenkins plugs 11 security holes with two updates. Jenkins released versions 1.638 and 1.625.2 of its open source integration tool, patching 11 critical security vulnerabilities including a zero-day vulnerability in the Jenkins CLI subsystem; a secret key flaw that allowed attackers to connect as slaves, take over Jenkins systems, and access private data; and a critical unsafe deserialization flaw allowing remote attackers to run arbitrary code on the Jenkins master, among other vulnerabilities.
“Cherry Picker” PoS malware cleans up after itself. Researchers from Trustwave discovered that a point-of-sale (PoS) malware dubbed “Cherry Picker” relies on a new memory scraping algorithm and uses a file infector for persistence; a cleaner component removes all traces of the infection from the system. Updated versions of sr.exe and srf.exe have been used to install the malware and inject a dynamic-link library (DLL) into processes. The latest version of the malware relies on an application programming interface (API) called “QueryWorkingSet” to scrape memory and harvest the data.
Microsoft reissues security update due to Outlook crash. Microsoft reissued a security patch updating its KB3097877 software on Windows 7 and some versions of its KB3105213 update on Windows 10 after customer complaints revealed that the software update had an issue with its Outlook 2010 and 2013 versions which caused crashes for consumers viewing HyperText Markup Language (HTML) emails.
Attackers abuse security products to install “Bookworm” trojan. Researchers from Palo Alto Networks discovered a new trojan dubbed “Bookworm” which captures keystrokes and steals the contents of the clipboard, and loads additional modules from its command and control (C&C) server to expand its abilities. It uses the Smart Installer Maker tool to disguise the malware as a self-extracting RAR archive or a Flash slideshow/installer, which writes an executable dynamic-link library (DLL) file named “Loader.dll” and a file named “readme.txt” to the victim’s system.
Here’s the list of all security bugs that Adobe fixed in Flash 184.108.40.206. Adobe released patches for 17 critical bugs in its Flash Player 220.127.116.11 for Windows and Apple Mac, Flash Player 18.104.22.1688 for Linux systems, as well as Adobe AIR that patched vulnerabilities including a type confusion flaw, and a security bypass vulnerability that allows attackers to write data to the target’s file system with the user’s permission.
Charges announced in J.P. Morgan hacking case. A Federal indictment was unsealed November 10 against three men in connection to an alleged massive cyber-attack against J.P. Morgan Chase & Co., and several other U.S. financial institutions that allowed the suspects to steal the personal information of more than 100 million customers by hacking into the financial institutions’ systems and stealing customer information to carry out a stock-manipulation scheme. The defendants would artificially inflate stock prices and send spam emails to customers to trick them into buying stocks.
Flaw in Linux encryption ransomware exposes decryption key. Researchers at Bitdefender discovered a flaw in the advanced encryption standard (AES) key generation process of the Linux.Encoder1 ransomware: the keys are derived from the libc rand() function seeded with the current system timestamp at encryption time, which allows the AES key to be recovered without paying the attackers for the RSA key. The security firm released a decryption tool that automatically restores files encrypted by Linux.Encoder1.
Remote code execution flaw found in Java app servers. Researchers from FoxGlove Security released a report on deserialization vulnerabilities in Java applications including Oracle WebLogic, IBM WebSphere, and Jenkins, among other products, that can be remotely exploited for arbitrary code execution due to poor coding around the Apache Commons Collections Java library, which is used by more than 1,300 projects. A hardened Java deserialization library and the report were released to secure applications from malicious actors and educate developers on how to avoid such flaws.
FBI seeks a bandit ‘loyal’ to his trade. Agents from the FBI are looking for a suspect known as the “Forever Loyal Bandit” tied to a string of five bank robberies in the northern Virginia area beginning in June 2014. The suspect’s most recent robbery took place at a Capital One bank branch in Arlington November 6.
Ex-CEO of failed Nebraska bank found guilty of fraud. The U.S. Department of Justice reported November 6 that the former CEO of the failed Lincoln, Nebraska-based TierOne Bank was found guilty of concealing more than $100 million in loan and real estate losses from shareholders and the Federal government during and after the financial crisis, in addition to falsely reporting the bank’s revenues.
Six charged in $2.7 million tax refund fraud scheme. Federal authorities charged six people November 6 for their roles in a $2.7 million Internal Revenue Service tax refund scheme where suspects would acquire the personal information of deceased persons from genealogical databases and use it to create fraudulent W-2 forms, driver’s licenses, and Social Security cards to file for tax refunds.
Broward man admits $10 million in investment fraud. A Broward County man pleaded guilty November 6 for his role in a three person scheme where the suspects lied to investors for more than a decade about the status of their investments to defraud them out of $10 million that was subsequently spent or deposited in offshore accounts. Officials believe that the third suspect is living overseas and has not yet been arrested.
‘Beardo’ bandit wanted for 6 bank robberies. Police are searching for a suspect involved in six armed bank robberies in the Everett, Washington area beginning June 1 with the most recent robbery occurring at a Bank of Washington branch October 30.
U.S. charges Scottish man over fake tweets that hurt stocks. The U.S. Department of Justice reported November 5 that a Scottish national was charged after he set up Twitter accounts as market research firms Muddy Waters Research and Citron Research and falsely reported that Audience Inc., and Sarepta Therapeutics Inc., were under Federal investigation, sending their stock prices plunging and costing investors $1.6 million in losses in an effort to profit from illegal trading.
User data compromised in Touchnote breach. UK-based postcard-sending service, Touchnote revealed that its systems were compromised in an attack that stole customers’ personal information including names, email addresses, postal addresses, and other histories that may be used to trick victims into supplying attackers with more sensitive information. The company has notified impacted customers and an investigation is ongoing to find the attackers.
No surprise here: Adobe’s Flash is a hacker’s favorite target. Researchers from Recorded Future released a new study November 9 revealing that Adobe Systems’ Flash plugin was the software most targeted by cybercriminals to install malware onto computers: 8 of the top 10 vulnerabilities observed targeted Adobe’s Flash plugin.
Security flaws found in Google Chromecast, Home Security Systems, Smart Coffee Makers. Security researchers from Kaspersky discovered several vulnerabilities in Internet of Things (IoT) devices, including a “rickrolling” vulnerability in Google Chromecast devices that enables attackers to hijack smart TV content; a vulnerability in a smart coffee maker that exposes the user’s Wi-Fi password, allowing attackers to spy on homeowners by connecting to Internet Protocol (IP) cameras used as webcams and baby monitors; and a home security system whose sensors can be defeated with powerful magnets, allowing attackers to enter homes without triggering the alarm.
Ransomware found targeting Linux servers and coding repositories. Researchers from Russia-based antivirus maker Dr. Web discovered a new ransomware that targets Linux Web servers and the Web development environments used to host Web sites or code. It arrives as a downloaded file containing the RSA public key used to encrypt the per-file AES keys, appends an .encrypt extension to each file it encrypts, and drops a ransom text message. The ransomware was detected as Linux.Encoder.1 and uses the PolarSSL library.
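As an added example (not code from this bulletin or from the researchers it cites), the C program below contrasts the timestamp-seeded rand() key derivation described in the Linux.Encoder1 items above with a kernel-CSPRNG version, and shows the seed-window check a responder can use to confirm that a key is recoverable. The 16-byte key length, the sample timestamp and the one-hour search window are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16  /* AES-128 key size, an assumption for this example */

/* Weak derivation mirroring the reported flaw: the key is drawn from libc
 * rand() after seeding with a timestamp. Anyone who knows, or can bound,
 * that timestamp can regenerate exactly the same key. */
void weak_key(uint8_t key[KEY_LEN], time_t seed)
{
    srand((unsigned int)seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened form: take the key from the kernel CSPRNG instead of a seeded
 * PRNG. Returns 0 on success, -1 if /dev/urandom cannot be read. */
int strong_key(uint8_t key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Responder-side check: walk every seed in [from, to] (for example, a window
 * around the encrypted file's modification time) and re-derive the key the
 * weak generator would have produced. Here the candidate is compared against
 * a known key; in practice it would be verified by trial-decrypting a file
 * header. Returns 1 and sets *found when a seed reproduces the key, else 0. */
int recover_weak_key(const uint8_t target[KEY_LEN], time_t from, time_t to,
                     time_t *found)
{
    uint8_t cand[KEY_LEN];
    for (time_t s = from; s <= to; s++) {
        weak_key(cand, s);
        if (memcmp(cand, target, KEY_LEN) == 0) {
            *found = s;
            return 1;
        }
    }
    return 0;
}

static void print_key(const char *label, const uint8_t key[KEY_LEN])
{
    printf("%s: ", label);
    for (int i = 0; i < KEY_LEN; i++)
        printf("%02x", key[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed timestamp standing in for the moment of encryption. */
    time_t encrypted_at = (time_t)1447000000;
    uint8_t weak[KEY_LEN], strong[KEY_LEN];
    time_t found = 0;

    weak_key(weak, encrypted_at);
    print_key("timestamp-seeded key", weak);

    /* A one-hour window either side of the file's mtime is 7,201 seeds. */
    if (recover_weak_key(weak, encrypted_at - 3600, encrypted_at + 3600, &found))
        printf("key reproduced from seed %ld (timestamp-seeded rand())\n",
               (long)found);

    if (strong_key(strong) == 0)
        print_key("CSPRNG key (no seed to search)", strong);
    return 0;
}
```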
‘Hipster Bandit’ hits 3rd bank. Authorities are searching for a suspect known as the ‘Hipster Bandit’ who reportedly robbed three bank branches in San Diego, with the most recent heist taking place at a Wells Fargo banking desk inside a Vons store November 2. The suspect allegedly robbed U.S. Bank branches in Albertsons supermarkets July 2 and September 25, and usually hands the teller a demand note.
JPMorgan broker faces up to 50 years for $20 million scam. A former JPMorgan Chase & Co. broker pleaded guilty to securities fraud and embezzlement November 5 for defrauding 10 of his clients out of more than $20 million by withdrawing hundreds of thousands or millions of dollars from their accounts with the promise of investment into low-risk municipal bonds. The suspect never invested the money and used it for personal expenses.
New York attorney and two registered brokers arrested for engaging in a $300 million market manipulation scheme. Federal and State authorities reported November 4 that the founder of Ofsink LLC, the managing director of Halcyon Cabot Partners, Ltd., and a registered broker were arrested for their roles in a $300 million market manipulation scheme in which the trio, along with 7 other co-conspirators, misled securities markets and the public through false and misleading press releases and manipulated trading activity.
Firefox 42 is out, with many privacy and security improvements. Mozilla released Firefox 42 addressing several security patches including a new feature named Tracking Protection that actively blocks contents like ads, analytics trackers, requests from active trackers, and social share buttons that may record users’ activity and send personal information without their knowledge across multiple Web sites.
Ex-N.Y. Fed employee pleads guilty over Goldman leaks. A former Federal Reserve of New York employee pleaded guilty November 4 to stealing confidential information and providing it to a colleague at Goldman Sachs Group Inc., who allegedly shared it with other Goldman employees.
Deutsche Bank hit with $258M penalty for sanctions violations. U.S. Federal and State officials imposed penalties against Deutsche Bank AG, including a $258 million fine and the termination of 6 employees, for their roles in knowingly conducting more than $10.86 billion in transactions between 1999 and 2006 with nations blacklisted by the U.S. government, including Iran, Libya, Burma, and Syria, after investigators uncovered email evidence of improper conduct.
Fenway Partners, four executives, to pay $10.2 million for disclosure lapses: SEC. U.S. securities regulators announced November 3 that New York-based Fenway Partners LLC and 4 of its executives will pay $10.2 million to settle allegations that the firm failed to notify clients and investors that a subsidiary private equity fund paid more than $20 million to its employees. The company did not admit any wrongdoing in the settlement.
Cisco patches serious flaws in security, wireless appliances. Cisco released software updates patching several critical and high severity vulnerabilities, including a command injection vulnerability (CVE-2015-6298) that affects the certificate generation process in the interface of the Cisco Web Security Appliance (WSA), denial-of-service (DoS) vulnerabilities that cause affected devices to run out of system memory, and vulnerabilities in the Mobility Services Engine that allow unauthenticated attackers to remotely log in to the platform via a user account protected by a default, static password, among other updates.
Multi-platform RAT OmniRAT used to hijack devices. Researchers from Avast reported that OmniRAT, a multi-platform remote administration tool (RAT), was being distributed and used by cybercriminals as a remote access trojan through social engineering: victims received a malicious short message service (SMS) message containing a shortened link that, if clicked, loaded an icon labeled “MMS Retrieve,” allowing attackers to install the malware.
Hackers cleverly hide backdoor inside the EXIF data of a Joomla CMS logo. Security researchers from Sucuri, a company specializing in security solutions for Web site owners, discovered a base64-encoded backdoor hidden in the copyright field of the Joomla CMS logo image, inside its exchangeable image file format (EXIF) metadata header. Because the image was already loaded via the application.php file, the attackers only had to modify one line of that file’s code to execute the backdoor on infected sites, without distorting the displayed image.
Backdoored ad library found in thousands of iOS apps. Researchers at FireEye discovered 17 different versions of backdoor malware, dubbed iBackDoor, related to the mobiSage software development kit (SDK), embedded via popular ad libraries in 2,846 applications for Apple’s mobile operating system (iOS). The backdoor allows attackers to potentially carry out a range of tasks, including manipulating files in the app’s data container, uploading encrypted data to a remote server, and monitoring device location, among others.
Spam botnet leverages vulnerable WordPress sites. Researchers from Akamai Security Intelligence Research Team (SIRT) discovered a new spam botnet in the wild dubbed Torte that infects machines via Executable and Linkable Format (ELF) Linux binaries and Hypertext Preprocessor (PHP) scripts placed on the targeted server’s filesystem after the SIRT team received a suspicious PHP script for analysis. The botnet is one of the largest in recent years and accounts for 83,000 infections across 2 of 4 infection layers.
XcodeGhost malware updated to target iOS 9. FireEye researchers discovered that the XcodeGhost malware, designed to target Apple’s mobile operating system (iOS) and desktop operating system (OS X), is still active and has evolved to support Xcode 7 and iOS 9, allowing attackers to perform various actions including collecting information from infected devices and opening arbitrary Web sites. The malware has primarily targeted China, Germany, and the U.S.
Malware served via anti-adblocking service PageFair. The anti-adblocking solutions provider PageFair reported that hackers breached its systems after gaining access to a key email account via a spear phishing attack, which allowed the attackers to hijack the company’s MaxCDN content delivery network account and change its settings to replace the legitimate analytics JavaScript tag with malware disguised as an Adobe Flash Player update. PageFair reported that just 2.3 percent of the affected Web sites’ visitors were at risk of infection before the attack was neutralized.
Password reset invoked after vBulletin.com forum software site defaced. The official vBulletin.com Web site was compromised October 30 by a hacker using the handle “Coldzer0,” who exploited a zero-day vulnerability to break into the company’s Web site and other Web sites powered by its software. User data including user names, email addresses, security questions and answers, and password salts were exposed, and as a precaution, vBulletin reset all account passwords.
JPMorgan settles California debt collection charges. JPMorgan Chase & Co. agreed November 2 to pay $50 million in a settlement with the State of California to resolve allegations that the company tried to collect incorrect sums, sold bad credit card debt, engaged in “robosigning” of thousands of court documents that were never reviewed, and improperly obtained default judgments against military personnel. The settlement came after California held out of a July $216 million settlement JPMorgan reached with the Federal government on related charges.
100 million Android users may have a backdoor on their devices thanks to the Baidu SDK. Researchers from Trend Micro reported that the Moplus software development kit (SDK) offered by the Chinese search engine Baidu includes functionality that can be abused to install backdoors on users’ devices: the SDK runs a Hypertext Transfer Protocol (HTTP) server on the smartphone, allowing attackers to send HTTP requests to port 6259 or 40310 and execute malicious commands. The vulnerable SDK is included in an estimated 14,112 Android applications, potentially impacting over 100 million Android users.
Windows legacy layer used to bypass EMET security measures. Security researchers from Duo Labs discovered that the Windows WoW64 subsystem, which runs 32-bit applications on 64-bit Windows, can be leveraged to bypass the mitigations added by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which was designed to inspect both 32- and 64-bit processes, allowing for more targeted attacks.
Google researchers find 11 zero-day bugs in Samsung Galaxy S6 Edge. Google’s Project Zero security team identified 11 zero-day vulnerabilities in Samsung’s Galaxy S6 Edge phone while investigating new flaws introduced when Samsung adapted the Android operating system (OS) to its custom hardware. Samsung fixed 8 of the vulnerabilities in its October Maintenance Release, and the other 3 are scheduled to be resolved by November.
Flaw in SAP firm’s XSS filter exposed many sites to attacks. A security researcher identified a reflected cross-site scripting (XSS) flaw at SuccessFactors, a SAP-owned company, and discovered that about 100 Web sites relying on the company’s XSS filter were exposed, potentially allowing attackers to easily bypass the filter because the developers failed to escape certain strings when sanitizing user input.
Google patches critical media processing flaws in Android. Google released security patches for Nexus devices running Android 5.1 (Lollipop) and 6.0 (Marshmallow) addressing seven vulnerabilities, two of which are critical and can be exploited remotely via specially crafted media files, for example by sending multimedia messaging service (MMS) messages or tricking users into playing media in a browser. The flaws are located in the mediaserver, libstagefright, Bluetooth, Telephony, and libutils components of Android.
BofA reaches $335 mln settlement over mortgages, MERS. Charlotte, North Carolina-based Bank of America Corp reached a $335 million settlement with the U.S. Securities and Exchange Commission October 30 to resolve accusations that the bank misled shareholders about its exposure to risky mortgage securities and its dependence on an electronic mortgage registry known as MERS.
South Texan faces $5M securities fraud, theft charges. A South Texas man was indicted October 26 for securities fraud, theft, and money laundering due to his alleged involvement in a $5 million investment scam in the Alice area since 2013.
Latest Flash zero-day bug already part of the Angler and Nuclear exploit kits. Researchers from Malwarebytes detected that recent versions of the Angler and Nuclear exploit kits (EK) were actively integrating and using a recently patched Adobe zero-day flaw affecting several Flash versions on Windows and Linux systems, successful exploitation of which could cause a crash and allow the attacker to take control of the affected system. Experts recommended that users disable Flash in their browsers while it is not in use.
Hillsborough resident admits to $400,000 bank fraud. Officials reported that a man who owned Kelmar Construction Co. pleaded guilty to 2 counts of bank fraud before a Federal court in Newark, New Jersey, October 29 for using his construction company to sell properties to straw buyers and create phony loan documents, which he used to fraudulently obtain a $400,500 loan on a property in Irvington in 2007.
New types of reflection DDoS attacks spotted. Akamai’s Security Intelligence Response Team released a new threat advisory detailing 3 new types of reflection distributed denial-of-service (DDoS) attacks abusing the remote procedure call (RPC) portmap service with attacks exceeding 100 Gbps; Network Basic Input/Output System (NetBIOS) name servers with the largest attack peaking at 15.7 Gbps; and Sentinel license servers with peak bandwidth attacks of 11.7 Gbps.
Falls businessman who shot brother-in-law pleads guilty to bank fraud. A suspect serving a prior prison sentence for attempted murder pleaded guilty October 28 in a Buffalo district court to defrauding M&T Bank of $177,500 by cashing 42 checks from an overdrawn company account belonging to the now-defunct Electro-Dyne Choke Corp. between November 2012 and March 2013. The suspect had the company’s payroll firm issue payroll checks to himself and another individual from bank accounts that did not contain enough money.
Goldman agrees to pay $50 million to settle N.Y. Fed leak case. Goldman Sachs Group Inc., reached a $50 million settlement and accepted a 3-year suspension on some advisory capacities within New York October 28 following allegations of unauthorized access to classified documents from the Federal Reserve Bank of New York. The case involves a Federal Reserve employee who provided a client’s confidential information to a Goldman Sachs employee, who then circulated the information to senior personnel.
Politician goes from speaker to felon, but his dark past still a mystery. A U.S. politician pleaded guilty October 28 in a Federal courtroom in Chicago to charges related to allegations of illegally structuring more than $3.5 million in bank account withdrawals to avoid financial reporting requirements, as part of a payout to cover up alleged wrongdoing.
13 million passwords leaked from free hosting service. A security expert reported October 28 that 13 million personal user records including names, emails, and plaintext passwords from the free web hosting service, 000webhost.com were compromised after its main server was exploited via a flaw in its old version of PHP. To mitigate future breaches, 000webhost updated its systems, increased its encryption, and changed all passwords.
Several flaws patched in Xen Hypervisor. The Xen Project released a total of nine advisories addressing recently patched Xen hypervisor vulnerabilities, including hypercall issues that could be leveraged to cause a denial-of-service (DoS) condition via repeated logging to the hypervisor console, a privilege escalation vulnerability, and a multicall issue that a malicious guest could exploit to crash a host, among other security holes; the vulnerabilities were discovered by experts from Citrix, Alibaba, and SUSE.
“Chikdos” malware abuses MySQL servers for DDoS attacks. Researchers from Symantec reported that the Chikdos trojan, designed to hijack both Linux and Windows systems, recently targeted MySQL servers via a malicious user-defined function (UDF) acting as a downloader trojan (Downloader.Chikdos), which was delivered through SQL injection attacks and allows actors to conduct distributed denial-of-service (DDoS) attacks. Symantec data confirms the most infected MySQL servers were located in India, China, Brazil, Holland, and the U.S.
Infinite Automation patches flaws in SCADA/HMI product. Infinite Automation Systems released an updated version of its Mango Automation product patching a series of vulnerabilities after researchers working with ICS-CERT discovered unrestricted file upload, information exposure, SQL injection, and cross-site scripting vulnerabilities. The new version fixes all the flaws except an OS command injection and a cross-site request forgery (CSRF) flaw.
Johnson County man sentenced in credit card ID fraud case. A suspect in Johnson County was convicted by the Kansas Department of Corrections October 27 in connection to stealing over 500 credit card account numbers from Canadian citizens through skimming devices. The suspect re-coded the numbers on bank cards in the U.S.
Guilty pleas by 4, charges against 11 announced in federal fraud prosecution of Buffalo debt collectors. The U.S. attorney’s office in Manhattan reported October 27 that 4 suspects pleaded guilty and 11 others were charged for participating in a $31 million fraudulent debt collection scheme in which victims were misled and served threats including felony charges and driver’s license suspensions unless they paid debts in amounts greater than they owed.
Adobe patches critical vulnerability in Shockwave Player. Adobe released a patch resolving a memory corruption vulnerability in its Shockwave Player for Windows and Mac users after researchers from Fortinet’s FortiGuard Labs discovered that the vulnerability allowed attackers to compromise remote computers and execute arbitrary code, gaining full control of the operating system without the victim being aware.
Oracle EBS fixed against XSS, XXE, and SQL injection vulnerabilities. Oracle released 154 fixes addressing vulnerabilities in several of its products, including six found by ERPScan researchers in the Oracle E-Business Suite (Oracle EBS): 3 XML External Entity (XXE) injection vulnerabilities, a user enumeration flaw, a cross-site scripting (XSS) problem, and a Structured Query Language (SQL) injection flaw that could give attackers administrative rights over Oracle EBS and its associated applications, exposing sensitive company data from the financial, human resources, supply chain, and customer support departments.
Joomla flaw exploited in the wild within hours of disclosure. Security researchers from Sucuri reported that malicious actors started exploiting critical vulnerabilities, including a Structured Query Language (SQL) injection issue in Joomla, within 4 hours of patches released by developers addressing the issue and subsequent flaw disclosures by researchers at Trustwave. The SQL injection vulnerability could allow a remote attacker to hijack administrator sessions and gain access to affected Joomla Web sites.
Man accused of ‘skimming’ ATMs. Authorities arrested a suspect in New Lebanon October 24 who was allegedly part of a widespread ATM skimming operation that stole hundreds of thousands from banks in New York, New Jersey, Massachusetts, and potentially elsewhere. Police arrested the man after he reportedly used a skimming device at Berkshire Bank and First Niagara Bank ATMs in Chatham.
Appalachian Trail hiker pleads guilty to wire fraud in embezzling case. A Kentucky accountant pleaded guilty October 23 to charges that he embezzled $8.7 million from G&J Pepsi-Cola Bottlers Inc., by creating a sham account where he deposited checks before moving them to personal accounts. The man was found in Damascus, Virginia, after hiking along the Appalachian Trail as a fugitive for about six years.
12 new malware strains are discovered every minute. Security researchers at G DATA released report findings revealing that the company discovered 3,045,722 new types of malware in the first half of 2015, a 26.6 percent increase over the second half of 2014, and that most attacks involved either adware or potentially unwanted programs (PUPs) hosted on U.S. Web sites in the healthcare, technology, and telecommunications sectors, among others. G DATA also observed an increase in banking trojan usage for the first time since 2012.
Malware spread via black hat SEO campaign. Security researchers from Heimdal Security discovered a malware campaign in which criminals use black hat search engine optimization (SEO) to distribute malicious software to technical users: searching Google for terms such as “Java JRE,” “MSN 7,” or “Windows 8” returned top search results pointing to infected sites.
Federal grand jury in Denver indicts pair in investment fraud. Two suspects from Colorado Springs and Nevada were indicted in the week of October 19 on charges alleging that they bilked over $17 million from investors from 2010 – 2011 through a fraudulent collateralized mortgage obligation (CMO) loan scheme and diverted substantial funds for personal use. One of the suspects reportedly misrepresented his experience and contacts to investors in order to secure their funds.
CCTV cameras hijacked to form worldwide DDoS botnet. Security researchers from Incapsula discovered that hackers had used brute-force attacks to compromise over 900 closed circuit television (CCTV) cameras running the BusyBox operating system (OS) and install malware derived from ELF_BASHLITE to launch distributed denial-of-service (DDoS) attacks using Hypertext Transfer Protocol (HTTP) GET request floods. One device was recorded sending over 20,000 HTTP requests per second.
Joomla update patches critical SQL injection vulnerability. Joomla developers released an update to its content management system (CMS) addressing a Structured Query Language (SQL) injection vulnerability which could allow an attacker to gain access to data in a Web site’s backend, due to code in a Hypertext Preprocessor (PHP) file in Joomla’s Administrator folder. The update also addressed two sets of inadequate access control list (ACL) checks that could have allowed potential read access to restricted data.
‘North Center Bandit’ strikes bank again, FBI says. FBI officials are searching for a suspect dubbed the “North Center Bandit,” believed to be responsible for 4 robberies at Chase and PNC Bank branches in the Chicago area beginning August 21. The suspect’s most recent alleged robbery occurred at a Chase Bank branch in North Ashland October 20.
New NTP vulnerabilities put networks at risk. The Network Time Foundation’s NTP Project released an update addressing 13 denial-of-service (DoS), directory traversal, memory corruption, authentication bypass, and file overwrite vulnerabilities in the Network Time Protocol (NTP), as well as a “crypto-NAK” issue that could allow an unauthenticated off-path attacker to force Network Time Protocol daemon (ntpd) processes to peer with malicious time sources, eventually gaining the ability to bypass security mechanisms and change system time, among other activities.
Drupal releases version 7.41 to fix open redirect vulnerability. Drupal’s developers released update 7.41 addressing an open redirect vulnerability in the system’s Overlay module in which an attacker could redirect Drupal admins, logged into their admin panel, to a fake login page in order to harvest credentials. The vulnerability was previously addressed, but incompletely patched in version 7.38.
New ransomware infects computers via Windows Remote Desktop Services. Researchers discovered a new strain of ransomware that hackers are manually installing on Windows computers that have Remote Desktop or Terminal Services connections open, after brute-forcing user account passwords. Once installed, the ransomware encrypts files with a 2048-bit RSA key and drops a file with information on how to pay the ransom.
Apple patches flaws in OS X, iOS, other products. Apple released OS X El Capitan v10.11.1 addressing 60 vulnerabilities that could be exploited for arbitrary code execution, denial-of-service (DoS), information disclosure, privilege elevation, overwriting arbitrary files, and bypassing restrictions, as well as a flaw that allowed malicious actors to exercise unused Extensible Firmware Interface (EFI) functions. The update also addresses two vulnerabilities used for jailbreaks and a lock screen issue.
Flaws in Apple productivity apps expose users to attacks. Apple recently released updates addressing input validation vulnerabilities related to how malicious documents are parsed in Keynote, Pages, Numbers, and iWork for iOS 2.6 which could have allowed an Extensible Markup Language (XML) External Entity (XXE) attack potentially leading to disclosure of data, denial-of-service (DoS), or other impacts, as well as memory corruption issues that could lead to unexpected termination of applications or arbitrary code execution.
Oracle quarterly security update patches 154 vulnerabilities. Oracle released a quarterly patch addressing 154 security issues in 54 products, including 24 vulnerabilities in Java SE, 16 remotely exploitable bugs in Fusion Middleware, and 7 in Oracle Database, among others. Eighty-four of the patches address vulnerabilities that may be remotely exploitable without authentication.
‘10-second’ hack jogs Fitbits into malware-spreading mode. Security researchers from Fortinet discovered a vulnerability in Fitbit devices in which attackers in close proximity could use Bluetooth to deliver fully persistent malware within 10 seconds, which could then infect a computer once the device is synchronized.
Western Digital My Passport hard drives come with a slew of security holes. Security researchers published findings on the International Association for Cryptologic Research Web site revealing that attackers could use brute force attacks to bypass built-in encryption and password-based authentication in Western Digital My Passport hard drives, and that attackers could use all Western Digital devices’ firmware update mechanisms to install malicious code via “evil maid” and “badUSB” attacks.
Firefox FindMyDevice service lets hackers wipe or lock phones, change PINs. Researchers discovered a flaw in Mozilla’s “Find My Device” service for devices running the Firefox operating system (OS) in which a hacker could remotely lock device screens, make devices ring, and wipe all device data via clickjacking-enabled cross-site request forgery (CSRF) attacks. The attack requires the user to be logged in to the service with their Firefox account.
“Ponytail Bandit” pleads guilty to bank robbery spree. The suspect believed to be the “Ponytail Bandit” pleaded guilty October 16 to charges connected to 4 Providence and Cranston Citizen’s and Sovereign bank branch robberies in February 2013.
UBS to pay $17.5 mln in SEC settlement over fund’s strategy change. U.S. Securities and Exchange Commission officials announced October 19 that UBS AG agreed to pay $17.5 million to settle allegations that UBS Willow Management, a joint venture between UBS Fund Advisor and Bond Street Capital, failed to notify investors of a shift to investing in credit default swaps in 2008 – 2009, leading to significant losses that eventually led to the UBS Willow Fund LLC’s liquidation in 2012.
Vulnerabilities found in HP ArcSight products. HP began releasing security updates addressing vulnerabilities in HP’s ArcSight products, including an authentication bypass flaw in the ArcSight Logger interface in which a remote authenticated user without permissions could conduct searches through the Simple Object Access Protocol (SOAP) interface, improper restriction of excessive authentication attempts which could allow brute force attacks on the SOAP interface, and an insufficient compartmentalization vulnerability which could allow a user to escalate privileges to root.
Malware disguises as Google Chrome browser clone. Security researchers from PCRisk and Malwarebytes discovered a new Web browser designed to mimic Google Chrome called eFast, which delivers adware and malware and hijacks file and Uniform Resource Locator (URL) associations on infected systems. The application is based on the Chromium open source browser.
250+ iOS apps offered on Apple’s App Store found slurping user data. Security researchers from SourceDNA and Purdue University discovered that over 250 Apple App Store applications are built on a software development kit (SDK) that uses private application programming interfaces (APIs) to gather user and device information, despite Apple disallowing the practice. Apple has removed an unspecified number of apps, and Youmi, the China-based mobile advertising company that created the SDK, is working with Apple to resolve the issue.
A slew of LTE 4G vulnerabilities endanger Android users and mobile carriers. Researchers from Carnegie Mellon University’s Computer Emergency Response Team Coordination Center reported that carriers and users of Long-Term Evolution (LTE 4G) devices are vulnerable to issues that may result in loss of privacy, data spoofing, incorrect billing, and denial-of-service (DoS) attacks due to LTE networks’ reliance on packet switching and the Internet Protocol (IP) schema versus circuit switching used in previous generations.
1 in 4 organizations have experienced an APT. ISACA released findings from a study surveying over 660 cybersecurity professionals revealing that about 28 percent of those surveyed have experienced an attack from an advanced persistent threat (APT), that mobile device security continues to be an issue, and that most organizations tend to focus on technical controls instead of education and training when most APT attacks tend to employ social engineering, among other findings.
Sites cling to a million flawed, fading SHA-1 certificates: Netcraft. Security researchers from Netcraft reported that over a million organizations are still using Secure Hash Algorithm 1 (SHA-1) certificates, that 120,000 were issued this year, and that another 250,000 surveyed are scheduled to live past 2017, despite documented weaknesses in the algorithm’s security.
Flaws in LibreSSL could open Web servers to attack. Security researchers from Qualys discovered memory leak and buffer overflow vulnerabilities in all versions of LibreSSL which could allow attackers to create a denial-of-service (DoS) condition or execute arbitrary code. LibreSSL is a fork of the OpenSSL library intended as a replacement after the Heartbleed vulnerability was discovered in OpenSSL’s code, and the vulnerabilities were reportedly addressed in subsequent updates.
Woman pleads guilty to $435K counterfeit credit card scheme. A Guyana citizen pleaded guilty October 16 to charges alleging that she and co-conspirators used hundreds of counterfeit credit cards to purchase $435,000 worth of gift cards from 47 Price Chopper supermarkets in New York, Massachusetts, Vermont, New Hampshire, and Connecticut from February 2012 – January 2013.
JPMorgan, Morgan Stanley pay most in $1.9 bln swaps price-fixing settlement. Twelve banks, including JPMorgan Chase & Co, Morgan Stanley, and Barclays Plc, agreed to pay over $1.86 billion October 16 to settle allegations that the banks forced investors to pay unfair prices on credit default swap contracts from 2008 – 2013.
‘Windy City Bandit’ caught in bank heists? Teller gets bomb threat. Authorities arrested a suspect believed to be the “Windy City Bandit” October 17 after he allegedly robbed a Chase bank in Santa Fe Springs October 15 via a bomb threat. FBI officials linked the suspect to October robberies at two other Chase banks in Orange and Anaheim.
Adobe patches Flash zero-day exploited by Pawn Storm. Adobe released Flash Player updates addressing a zero-day type confusion vulnerability discovered by security researchers from Trend Micro, which the Pawn Storm threat group was exploiting in attacks targeting Foreign Affairs Ministries worldwide via spear-phishing emails leading to a variant of the Sednit malware.
Feds pursue Greenwood Credit Union ATM skimmer in Ecuador. U.S. officials indicted 2 New York men October 14 on charges that they skimmed $709,597.50 from 1,329 ATM accounts at Greenwood Credit Union, Bank Newport, First Niagara Bank, and Fairfield City Bank locations in Rhode Island and Connecticut. Authorities are seeking to extradite one of the men from Ecuador.
Critical flaw patched in Akismet plugin for WordPress. Automattic released an update for the Akismet WordPress plugin versions 3.1.4 and earlier after security researchers from Sucuri discovered a cross-site scripting (XSS) vulnerability in the plugin that could allow an unauthenticated attacker to insert malicious code into the WordPress administration panel’s comments area by using emoticons.
Nuclear EK generates Flash exploits on-the-fly to evade detection. Security researchers from Morphisec discovered that the Nuclear exploit kit (EK) is generating different variations of an Adobe Flash exploit on-the-fly throughout the day and changing host Web sites that victims are being directed to hourly in an effort to bypass detection. The EK also tracks victims’ Internet protocol (IP) addresses to prevent the same exploit combination being served to the same victim twice.
Attackers can use Siri, Google Now to secretly take over smartphones. Security researchers from the French Network and Information Security Agency discovered that attackers could use a laptop running GNU Radio, an amplifier, a universal software radio peripheral (USRP) software-defined radio, and an antenna to take over smartphones with headphones plugged in via the Google Now and Siri personal assistants. The attack uses the device’s headphone cord as an antenna and can enable hackers to force phones to send emails and messages, visit malicious sites, or act as an eavesdropping device.
Serious vulnerabilities patched in SAP products. SAP released 29 patches and support packages addressing 1 critical and 15 high priority issues, including missing authorization checks, information disclosure vulnerabilities, cross-site scripting (XSS) flaws, buffer overflows, and a structured query language (SQL) injection vulnerability, as well as a severe remote command execution vulnerability affecting the SAP HANA database management system.
Zero-day flaw in Magento tool exploited in the wild. Security researchers from Trustwave discovered a vulnerability in a version of the Magmi mass importer tool for eBay’s Magento platform in which the tool’s “download_file.php” opens a specified file without conducting checks to guard against directory traversal attacks, potentially allowing access to sensitive files. Magento identified and contacted the owners of 1,700 potentially vulnerable Web sites.
ATM ‘skimmer’ admits ripping off $121,000 from TD Bank customers in 5 Western Massachusetts communities. A Washington resident pleaded guilty October 9 to charges that he and a co-conspirator used ATM skimming devices to steal over $121,000 from dozens of TD Bank customers in Chicopee, Ludlow, Springfield, Agawam, and East Longmeadow, Massachusetts, in August and September 2014.
UBS settles U.S. SEC case over structured notes for $19.5 mln. A U.S. Securities and Exchange Commission official announced October 13 that UBS AG will pay $19.5 million to resolve civil allegations that the bank misled U.S. retail investors in offering documents for structured notes tied to a proprietary foreign currency index by not revealing index reductions of about 5 percent through bank hedging trades. The bank neither admitted nor denied the charges.
Authorities seize servers to disrupt Dridex botnet. U.S. and European authorities worked with private cybersecurity organizations to disrupt the activities of the Dridex information-stealing botnet by poisoning the peer-to-peer (P2P) network of each sub-botnet, redirecting infected systems’ communications from the botnet to a sinkhole. The botnet resulted in estimated losses of $10 million in the U.S., and authorities are seeking to extradite one of its administrators who was arrested in Cyprus in August.
Chrome 46 patches vulnerabilities, simplifies page security icon. Google announced the release of version 46 of its Chrome Web browser, which addresses 24 security vulnerabilities including a cross-origin bypass in the Blink rendering engine, a use-after-free in PDFium and ServiceWorker, and a bad cast issue in PDFium, among others. The update also changed the icon used for Hypertext Transfer Protocol Secure (HTTPS) connections.
Adobe Flash Player zero-days used by hackers linked to Russian government. Security researchers from Trend Micro warned that attackers in the Operation Pawn Storm cyber-espionage campaign are exploiting unpatched zero-day vulnerabilities in Adobe Flash Player in an effort to trick members of overseas government departments and ministries into accessing Web sites hosting malicious code. The group previously targeted high-profile government targets worldwide, as well as the North Atlantic Treaty Organization (NATO) and the U.S. White House.
Netgear publishes patched firmware for routers under attack. Netgear published firmware updates addressing a remotely exploitable authentication bypass vulnerability that hackers had exploited to take over up to 10,000 routers, most of which were in the U.S. The flaw allowed an attacker to access the device’s administration interface without knowing the router password.
Dow Jones suffers data breach. Dow Jones & Company alerted customers October 9 after discovering that hackers targeted contact details of current and former subscribers between August 2012 and July 2015, and may have accessed financial information belonging to 3,500 individuals. There is reportedly no direct evidence that any information was stolen or misused, and law enforcement officials believe that the attack was linked to a broader hacking campaign.
E-Trade notifies 31,000 customers that their contact info may have been breached in 2013 hack. E-Trade notified about 31,000 customers in the week of October 5 that their personal information including email account names and physical names and addresses may have been compromised in a 2013 cyberattack. The company reportedly warned customers out of an abundance of caution and found no fraud or losses resulting from the incident.
Cisco IOS rootkits can be created with limited resources: Researchers. Security researchers from Grid32 released research revealing that cybercriminals could easily create a basic Cisco IOS rootkit within a month or less that could rival the effectiveness of the SYNful Knock malware designed to replace router firmware. Cisco has implemented several new security technologies in current devices to help mitigate such threats.
Command injection flaw found in HP SiteScope. Security researchers from Rapid7 and Knowledge Consulting Group discovered a vulnerability in HP SiteScope in which an attacker with local system access could execute arbitrary operating system (OS) commands by accessing a default deployment of the product’s administration panel.
Thousands of Zhone SOHO routers can easily be hijacked. A security researcher from Vantage Point Security revealed a number of recently patched vulnerabilities, including a remote code execution (RCE) flaw in Zhone Technologies Small Office/Home Office (SOHO) routers, and reported that some users could not access the products’ administration panels to apply the corresponding firmware update.
Kaspersky Antivirus fixes bug that allowed attackers to block Windows Update and other services. Kaspersky Antivirus fixed a flaw in its Internet Security package’s Network Attack Blocker component that could have allowed an attacker to spoof traffic and to use the product to block services such as Microsoft Windows Update, Kaspersky’s update servers, or other services that would enable a system to be compromised further. The company reported that the flaw had never been exploited in the wild.
Android adware hits Google Play Store once again. Google removed applications from the Google Play Store after security researchers from ESET discovered new Android adware in which the “Cheats for Pou,” “Cheats for Subway,” and “Guide for SubWay” applications were compromised with malware that intermittently showed fullscreen ads.
DDoS attacks can bypass mitigation services by taking aim at a website’s origin IP. Security researchers from the U.S. and Belgium released research revealing that most Cloud-Based Security Providers’ (CBSP) distributed denial-of-service (DDoS) mitigation can be bypassed by attackers who discover a targeted Web site’s origin Internet Protocol (IP) address, whether by analyzing outbound connections or Secure Sockets Layer (SSL) certificates, through sensitive files hosted on the server, or during migration or maintenance operations that expose the site. Researchers found that 71.5 percent of 17,877 scanned Web sites revealed their origin IP addresses.
Ex-TD Bank executive pleads guilty to role in Ponzi scheme. A former Toronto-Dominion Bank executive pleaded guilty October 8 to wire fraud conspiracy for his role in a $1.2 billion Ponzi scheme that defrauded investors by promising profits from confidential legal settlements that did not exist. The suspect signed “lock letters” assuring investors that their funds were secure in bank accounts, while the money was instead spent for personal purposes.
WordPress XML-RPC service used to amplify brute-force attacks. Security researchers from Sucuri discovered a variation of brute-force attacks that utilizes WordPress’ built-in extensible markup language remote procedure call (XML-RPC) feature to amplify attacks by bundling hundreds or thousands of administrative username and password combinations into a single request. Researchers recommend deleting the plugin if it is not being used.
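The amplification works because one XML-RPC request can carry many method calls, each with its own username and password, so a single HTTP request tests many credentials. The block below is an added example of request-side detection logic, not Sucuri’s tooling or anything from the original item. It assumes the bundling is done through the standard XML-RPC `system.multicall` method wrapping `wp.getUsersBlogs` calls (both are real WordPress XML-RPC methods, but the item does not name them), and the threshold of five credential-bearing calls per request is an arbitrary choice for the example. The sample request bodies are constructed inline with fake credentials.

```python
"""XML-RPC brute-force amplification detector: constructed example, not Sucuri's code."""
import xmlrpc.client

# Methods whose first two parameters are (username, password). wp.getUsersBlogs
# is the natural choice for credential testing because it needs no blog id.
# Assumption for this example: only this method is considered.
CREDENTIAL_METHODS = {"wp.getUsersBlogs"}


def analyse_request(body: str) -> dict:
    """Summarise the method calls carried by one XML-RPC POST body."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        # A multicall carries one array of {methodName, params} structs.
        calls = list(params[0])
    else:
        calls = [{"methodName": method, "params": list(params)}]

    cred_calls = [c for c in calls if c.get("methodName") in CREDENTIAL_METHODS]
    usernames = {c["params"][0] for c in cred_calls if len(c["params"]) >= 2}
    return {
        "method": method,
        "total_calls": len(calls),
        "credential_calls": len(cred_calls),
        "distinct_users": len(usernames),
    }


def is_amplified_bruteforce(body: str, threshold: int = 5) -> bool:
    """Flag a request that bundles more than `threshold` credential checks."""
    summary = analyse_request(body)
    return summary["method"] == "system.multicall" and summary["credential_calls"] > threshold


def constructed_samples() -> tuple:
    """Constructed request bodies: one ordinary login, one bundled guess list."""
    benign = xmlrpc.client.dumps(("editor", "example-password"), methodname="wp.getUsersBlogs")
    bundled_calls = [
        {"methodName": "wp.getUsersBlogs", "params": ["admin", f"wrong-pw-{i:02d}"]}
        for i in range(40)
    ]
    bundled = xmlrpc.client.dumps((bundled_calls,), methodname="system.multicall")
    return benign, bundled


if __name__ == "__main__":
    for name, body in zip(("benign", "bundled"), constructed_samples()):
        print(name, analyse_request(body), "flagged" if is_amplified_bruteforce(body) else "ok")
```

Counting calls per request rather than requests per source address is what makes this check useful against the technique described: a conventional login-rate limit on `xmlrpc.php` sees only one request and would not fire.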
Samsung says customer payment data not affected by hack attack. Samsung released a statement October 8 reassuring customers that no payment data was at risk following a March hacking incident involving LoopPay, a company that Samsung acquired to set up Samsung Pay. The attack reportedly only targeted LoopPay’s office network handling email, file sharing, and printing, and was possibly intended to steal the magnetic strip technology that the company developed.
Blackstone charged with disclosure failures. The U.S. Securities and Exchange Commission announced October 7 that 3 Blackstone Group private equity fund advisers agreed to pay $38.8 million to resolve allegations that the advisers failed to disclose the benefits they obtained via accelerated monitoring fees and legal fee discounts. The company will distribute $28.8 million to affected fund investors.
US Capital partner barred from securities work, ordered to repay $10M. Colorado State securities regulators announced October 7 that a former US Capital partner was permanently banned from the securities industry and will pay $10.3 million after an investigation found that the company allegedly offered real-estate purchase loans to typically ineligible commercial borrowers by obtaining investments from individuals who were promised interest, when in reality the company used the funds as loans for at least 10 other companies that they owned.
Illegal credit card manufacturing operation uncovered in North Miami. Miami-Dade police recovered at least 200 credit cards as well as card encoding equipment in a raid on a North Miami home while serving an arrest warrant October 7. A resident of the home was identified as a convicted felon and taken into custody.
New collision attack lowers cost of breaking SHA1. A team of experts from Centrum Wiskunde & Informatica in Europe, Inria in France, and Singapore’s Nanyang Technological University discovered that hackers could execute a “freestart collision” attack to break the full secure hash algorithm 1 (SHA1) cryptographic hash function within 10 days for a cost of $75,000 - $120,000 using graphics cards and computing power from Amazon’s EC2 cloud. Previous research estimated that the cost to break the algorithm would be approximately $700,000 in 2015 and $173,000 in 2018.
Operation Cleaver hackers return, now use LinkedIn to target victims. Security researchers from Dell’s SecureWorks Counter Threat Unit Threat Intelligence team discovered that a group they observed building a network of fake LinkedIn user profiles to target aerospace, defense, military, chemical, energy, government, education, and telecommunications organizations worldwide appears to be the same as, or affiliated with, the group that carried out Operation Cleaver in 2014, which targeted critical infrastructure worldwide.
Journalist convicted of helping Anonymous hack the LA Times. A California journalist who previously worked for Reuters was convicted October 7 for his role in a conspiracy to make unauthorized changes to a computer and the transmission of malicious code on the Los Angeles Times’ Web site by passing login credentials enabling access to a content management system to an Anonymous hacking group member in December 2010.
Developers of mysterious Wifatch malware come forward. The group behind the “benevolent” Linux.Wifatch malware that was observed infecting tens of thousands of routers, Internet Protocol (IP) cameras, and other devices with the apparent purpose of protecting them, published the Wifatch source code and revealed themselves as “The White Team,” claiming it was an altruistic project.
Sheriff: Three men arrested in cigarette, illegal credit card bust in Caroline County. Caroline County authorities arrested a New Yorker and two Jamaican citizens October 6 after finding over 100 fraudulent credit cards, electronics, and skimming devices in their vehicle in Carmel Church, Virginia.
Fifth Third pays $85M to settle mortgage fraud. Federal officials announced October 6 that Cincinnati-based Fifth Third Bank will pay $85 million to settle civil fraud allegations that the company knowingly and improperly certified 1,439 defective Federal Housing Administration mortgage loans, resulting in millions of dollars of losses to the agency from 2003 to 2013.
Third arrest made in BR-based national financial fraud scheme. Louisiana officials announced October 6 the arrest of the third suspect in a national financial fraud scheme in which conspirators allegedly stole over 300 identities and committed over $5 million in fraud. The suspect reportedly provided bogus credit repair services for free and helped issue stolen Social Security numbers and used the numbers for fraudulent loan applications.
Malicious Android adware infects devices in 20 countries. Security researchers from FireEye were monitoring a new malicious adware campaign dubbed Kemoge that has affected Android devices in 20 countries, in which the malware serves ads to an infected device, extracts exploits to root phones, and employs multiple persistence mechanisms. The malware is packaged with popular Android apps uploaded to third-party stores.
Zero-day exploit found in Avast antivirus. Security researchers from Google’s Project Zero discovered a zero-day exploit in Avast antivirus software in which an attacker could leverage a faulty method used for parsing X.509 certificates in secure connections to execute code on an affected system. Avast has since patched the vulnerability.
Major ransomware campaign disrupted, attackers lose potential revenues of $34M. Researchers from Cisco shut down a massive ransomware campaign accounting for 50 percent of all ransomware deployments via the Angler exploit kit (EK) that would have allowed the campaign’s operators to collect over $34 million. The cyber-criminals used a network of 147 proxy servers bought from Limestone Networks via stolen credit cards to deliver the largest ransomware delivery platform ever observed in the wild.
Previously unknown Moker RAT is the latest APT threat. Security researchers from enSilo discovered a new Remote Access Trojan (RAT) dubbed Moker that takes over targeted systems by creating a new user account before opening an RDP channel to gain remote control, and tampers with sensitive system and security files and settings. The malware comes with a complete feature set, achieves system privileges, and may also be controlled locally.
Remote code exec hijack hole found in Huawei 4G USB modems. Security researchers from Positive Technologies discovered cross-site scripting (XSS) and stack overflow vulnerabilities in the Huawei E3272 4G USB modem that could allow attackers to conduct remote code execution and denial-of-service (DoS) attacks and hijack connected computers. Huawei released patches addressing the vulnerabilities.
Winnti spies use bootkit for persistence, distributing backdoors. Security researchers from Kaspersky Lab discovered that the advanced persistent threat (APT) group Winnti has been using an attack platform dubbed “HDRoot” as a bootkit disguised to look like Microsoft’s Net.exe utility while protected by VMProtect software, delivering two backdoors. The group previously targeted gaming companies in the U.S. and worldwide.
Google patches Stagefright 2.0 flaws on Nexus devices. Google released a security update for Nexus devices resolving 20 recently discovered critical security vulnerabilities in the libstagefright and libutils Android media playback engine, dubbed Stagefright 2.0, in which an attacker could push a specially crafted file to cause memory corruption and remote code execution.
Hackers breach Microsoft OWA server, steal 11,000 user passwords. Security researchers from Cybereason discovered that hackers placed a malicious dynamic link library (DLL) file on an unnamed company’s Microsoft Outlook Web Application (OWA) server, allowing them to steal the usernames and passwords of 11,000 employees. The hackers replaced OWAAUTH.dll with one containing a backdoor and collected user login and password information in clear text as it was checked against the Active Directory server.
Scottrade breach hits 4.6 million customers. Scottrade officials reported October 2 that contact information and possibly Social Security numbers of 4.6 million customers were compromised after internal and Federal investigations reportedly revealed unauthorized access to systems housing the information between late 2013 and early 2014. The company does not believe any Social Security numbers were accessed and believes that the breach focused solely on contact information.
Zero day vulnerability found in VMware product. Researchers from 7 Elements discovered a VMware vCenter zero day vulnerability involving the deployment of the JMX/RMI service used in the management interface, in which an attacker could gain unauthorized remote system access to the hosting server, leading to full enterprise environment compromise. VMware reported that it is working on releasing a patch to address the vulnerability.
Fareit malware uses different file hash for each attack to avoid AV detection. Security researchers from Cisco’s Talos team discovered a new version of the Fareit trojan specializing in information stealing that changes its file hash with each infection. Researchers found only 23 shared common hashes out of 2,455 recorded samples, and determined that the samples communicated with only 2 command and control (C&C) servers.
South Florida ATM skimmer pleads guilty, apologizes. A Romanian citizen living in south Florida who was arrested June 1 in North Carolina pleaded guilty October 1 in connection to an ATM-skimming scheme in which criminals installed skimming devices and made multiple illegal withdrawals at SunTrust bank branches in Broward, Palm Beach, and Miami-Dade counties as well as banks in Tennessee, Georgia, North and South Carolina, Virginia, and Maryland from 2013 to 2015.
SEC halts $32 million scheme that promised riches from amber mining. The U.S. Securities and Exchange Commission announced October 1 charges and asset freezes against a California resident accused of operating a worldwide pyramid scheme via 13 California-based entities which raised over $32 million by misleading investors about a non-existent initial public offering for USFIA Inc., and claims that the company owned several large, valuable amber mines in Argentina and the Dominican Republic.
Unexpectedly benevolent malware improves security of routers, IoT devices. Security researchers from Symantec discovered an apparently benevolent botnet scheme targeting Internet of things (IoT)-connected devices utilizing code dubbed Wifatch that aims to protect devices from attacks via threat updates and removal of known malware families, among other features.
Latest Upatre trojan version targets Windows XP users. Researchers from AppRiver reported a new spam-scareware campaign targeting Microsoft Windows XP users with ZIP archives containing the Upatre trojan, which primarily acts as an entry point for other infections including Dyreza, Rovnix, Crilock, and Zeus, and shuts down when executed on a non-Windows XP platform.
Stored XSS in Jetpack plugin allows attackers to run code in the WordPress backend. Security researchers from Sucuri discovered a persistent cross-site scripting (XSS) vulnerability in Automattic’s Jetpack WordPress plugin versions 3.7 and lower in which an attacker could craft a malicious email string that would end up in the WordPress database and execute whenever a WordPress administrator accesses the Feedback section of the admin panel. The development team released version 3.7.1 patching the XSS bug.
HTTP denial of service vulnerability found in Node.js 4.x and io.js 3.x. Node reported the existence of a hypertext transfer protocol (HTTP) denial-of-service (DoS) vulnerability affecting recent Node.js and io.js platforms, and urged users to migrate back to a previous version until a fix is released.
Feds seize assets, cash from woman accused in $15M embezzlement scheme. Federal authorities were investigating a former Matthews International Corporation treasurer specialist in Pittsburgh and seized millions of dollars in cash and assets September 30 in connection to an alleged fraud scheme in which the suspect allegedly took $15 million from the company since 2003.
Apple patches 100+ vulnerabilities in OS X, Safari, iOS. Apple released OS X version 10.11 El Capitan addressing over 100 security vulnerabilities, including 20 hypertext preprocessor (PHP) flaws, XARA password stealing vulnerabilities which could allow an attacker to use a malicious application to access a user’s keychain, and 45 issues in the Safari 9 Web browser, among others.
New Android vulnerabilities put over a billion devices at risk of remote hacking. Security researchers from Zimperium discovered a series of Android media processing vulnerabilities, dubbed Stagefright 2.0, affecting over 1 billion devices which could allow an attacker to trick users into visiting maliciously crafted Web sites that would exploit the flaws and lead to remote code execution on almost all devices starting with version 1.0 of the operating system (OS).
Critical flaw puts 500 million WinRAR users at risk of being pwned by unzipping a file. Security researchers disclosed a critical zero day WinRAR remote code execution vulnerability affecting up to 500 million users, in which an attacker could inject malicious code into an archive that would automatically execute upon unzipping. The vulnerability can be exploited without system user privileges or user interaction.
SEC sanctions 22 underwriting firms for fraudulent municipal bond offerings. The U.S. Securities and Exchange Commission announced enforcement actions September 30 against 22 municipal underwriting firms under the Municipalities Continuing Disclosure Cooperation (MCDC) Initiative, reportedly finding that the firms violated Federal securities laws by selling municipal bonds using offering documents containing materially false statements or omissions regarding the bond issuers’ compliance with disclosure obligations. The underwriting firms agreed to cease and desist from such violations and to pay civil penalties.
FBI searching for ‘North Center Bandit.’ The FBI is searching for information leading to the arrest of a suspect dubbed the “North Center Bandit,” who allegedly robbed 3 bank branches in North Center from August 21 – September 25.
Scammers use Google AdWords, fake Windows BSOD to steal money from users. Security researchers from Malwarebytes discovered that cybercriminals are using Google’s AdWords to place malicious links at the top of Google’s search page for common searches, which would lead to a fake “Blue Screen of Death” (BSOD) page prompting users to call a toll-free “helpline” with scammers that would solicit payments for support services and personal and bank account information.
Microsoft Exchange Server fixed against information disclosure bug. Microsoft released an update for Exchange Server 2013 addressing a vulnerability in Outlook Web Access (OWA) that could allow an attacker to gain access to an active Webmail session by forcing Exchange Server to dump debug data via a maliciously crafted Uniform Resource Locator (URL), granting access to previously inaccessible cookie session information.
Apple Gatekeeper bypass opens door for malicious code. Security researchers from Synack discovered that Apple’s Gatekeeper security platform could be bypassed by tricking a user into downloading a signed and infected application from a third-party source, or by loading a malicious library over an insecure HyperText Transfer Protocol (HTTP) download via a man-in-the-middle (MitM) position to gain access to the system.
Dyreza trojan targeting IT supply chain credentials. Security researchers from Proofpoint published research revealing that the Dyreza trojan has been used to phish information technology (IT) supply chain credentials for up to 20 organizations, including software companies supporting fulfillment and warehousing, and computer distributors. Researchers believe that hackers intend to infect all points of the supply chain to possibly divert physical shipments, issue payments and invoices to artificial companies, or enact large-scale gift-card issuances.
SAP patches 12 SQL injection, XSS vulnerabilities in HANA. SAP released updates addressing 12 structured query language (SQL) injection, cross-site scripting (XSS), and memory corruption vulnerabilities in its HANA in-memory database management system that could allow an attacker to abuse management interfaces and compromise stored information, or lock users out of the platform, among other attacks.
Linux XOR DDoS botnet flexes muscles with 150+ Gbps attacks. Security researchers from Akamai Technologies released details of a botnet targeting primarily corporations in Asia that is capable of launching 150+ gigabit-per-second (Gbps) distributed denial-of-service (DDoS) attacks from Linux systems compromised by the XOR DDoS trojan, as well as being able to download and execute arbitrary code and self-update.