Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices: decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers.
ATM and Gas Pump Skimming Information.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
(Arkansas) LR man reaches a deal in IRS case. The former CEO, president, and manager of Little Rock-based Global Coal LLC pleaded guilty May 27 to charges alleging that he fraudulently sold millions of dollars’ worth of non-existent refined coal tax credits since starting the company in 2010.
(International) World soccer rocked by U.S., Swiss arrests of officials for graft. Seven Fédération Internationale de Football Association (FIFA) officials were arrested on U.S. corruption charges and face extradition from Switzerland May 27 after an investigation revealed FIFA officials were allegedly part of corruption involving more than $150 million in bribes over a period of 24 years. U.S. officials reportedly plan to make more arrests in connection with the charges and announced a criminal investigation into the awarding of the next two World Cups.
(Oregon) ‘Short Stack Bandit’ pleads guilty to 5 Portland area bank robberies. A bank robbery suspect dubbed the “Short Stack Bandit” pleaded guilty May 26 to allegedly robbing 5 Portland-area banks and attempting to rob another from 2013 – 2014.
(New Jersey) Police seeking suspect in ATM thefts at Kearny Bank in North Arlington. Authorities are searching for a suspect who allegedly used a skimming device to steal over $100,000 from more than 128 customers of Kearny Bank in North Arlington in April. The bank plans to reimburse affected customers.
(Texas) Ponzi man looking at eight years in stir. The former owner of Dallas-based GC Resources LLC pleaded guilty May 28 to charges connected to an alleged Ponzi scheme in which he solicited $11.8 million worth of investments in oil and gas wells that the company neither owned nor controlled and forged contracts to fool victims.
(International) Apache Cordova glitch allows tampering with mobile app behavior. A security researcher at Trend Micro discovered a high-severity security flaw in Android apps built with Apache Cordova which could allow an attacker to use locally compromised apps or remote web servers to inject malicious intent bundles by taking advantage of default behavior preferences in the Cordova framework.
(International) Flash Player vulnerability exploited 2 weeks after Adobe’s patch release. Security researchers at FireEye discovered that cybercriminals are targeting outdated versions of Adobe’s Flash player with drive-by attacks that leverage a memory corruption vulnerability to deliver the Bedep trojan, which initiates click-fraud activities and an infection cycle that funnels in additional malware through redirects.
(International) Rockwell addresses weak password protections in its HMI software. Rockwell Automation patched a vulnerability in its RSView32 human machine interface (HMI) software in which an attacker with local access could exploit weak, outdated user-defined password encryption algorithms to reveal passwords and gain access to the automation environment.
Orchard Lake attorney charged with conducting mortgage fraud scheme. An Orchard Lake attorney and his company, Home Legal Group PLLC, were charged May 22 for allegedly defrauding over 114 victims by falsely promising mortgage modifications to clients seeking to avoid foreclosure and collecting hundreds of thousands of dollars in fees from the victims.
New Linux-based router worm used in social network scheme. Security researchers at ESET discovered a new piece of malware, known as Moose, that primarily spreads by compromising unsecure Linux-based consumer routers and can eavesdrop on communications. Compromised devices steal unencrypted network traffic, mostly from social network sites, and act as a proxy service for botnet operators.
SEC charges Deutsche Bank with misstating financial reports during financial crisis. The U.S. Securities and Exchange Commission (SEC) reported May 26 that Deutsche Bank AG agreed to pay $55 million to settle charges that the bank allegedly filed misstated financial reports during the financial crisis that discounted material gap risks for potential losses estimated to be in the billions of dollars. The SEC also ordered the bank to avoid committing similar violations in the future. Source: http://
Apache HBase fixes denial-of-service, info disclosure flaw. Apache released a fix for a vulnerability in its HBase software in which a remote attacker with network access could create a denial-of-service (DoS) condition and read sensitive information by exploiting insecure Access Control Lists (ACLs) on the ZooKeeper quorum.
Synology fixes XSS, command injection vulnerabilities in NAS software. Taiwan-based Synology released software updates addressing security vulnerabilities in DiskStation Manager (DSM) network attached storage (NAS) software that runs on the company’s DiskStation and RackStation devices, including a cross-site scripting (XSS) bug that could allow attackers to steal victims’ session tokens and login credentials or perform arbitrary actions, and a command injection flaw that exposes devices to cross-site request forgery (CSRF) attacks.
Massive campaign uses router exploit kit to change routers’ DNS servers. A security researcher discovered an active campaign in which attackers are targeting Google Chrome browser users with cross-site request forgery (CSRF) code attacks via compromised Web sites with the intent of compromising routers and changing their domain name system (DNS) settings to point to a hacker-controlled server. Researchers believe that millions of devices across 55 router models made by several manufacturers have been affected in the campaign.
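A defender-side check the item above suggests, added here as an example and not part of the original alert: it parses the resolver entries from resolv.conf-style text and flags any resolver that falls outside the networks the network owner expects its clients to use. The allow-list networks and the sample resolv.conf text are constructed for illustration (documentation address ranges stand in for real ISP resolvers).

```python
"""Flag DNS resolvers that are not in an expected allow-list.

Added example; the allow-list and sample text below are constructed,
not taken from any real router or network.
"""
import ipaddress

# Constructed allow-list: the resolver networks an operator expects.
# 192.0.2.0/24 is a documentation range standing in for an ISP's resolvers;
# 10.0.0.0/8 stands in for internal resolvers.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments and blank lines are skipped; malformed addresses are ignored
    rather than aborting the whole check.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; skip it
    return servers


def unexpected_resolvers(servers, expected_nets=EXPECTED_RESOLVER_NETS):
    """Return the resolvers that are outside every expected network."""
    return [s for s in servers if not any(s in net for net in expected_nets)]


# Constructed sample: one expected resolver, one rogue resolver, one bad line.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 203.0.113.7
nameserver not-an-address
search example.test
"""


def check(resolv_conf_text=SAMPLE_RESOLV_CONF):
    """Return the rogue resolvers (as strings) found in the given text."""
    rogue = unexpected_resolvers(parse_nameservers(resolv_conf_text))
    return [str(r) for r in rogue]


if __name__ == "__main__":
    rogue = check()
    if rogue:
        print("ALERT: unexpected DNS resolver(s):", ", ".join(rogue))
    else:
        print("OK: all resolvers are in the expected ranges")
```

On a real host the text would come from the router's admin page or the client's resolver configuration; the point is that a silently changed resolver is the observable symptom of the campaign described above, and it can be caught by comparing against a known-good list rather than by inspecting the browser.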
New PoS malware hits victims via spam campaign: FireEye. Security researchers at FireEye discovered a new type of point-of-sale (PoS) malware dubbed NitlovePoS that can capture and exfiltrate both track one and track two data from payment cards by scanning running processes on compromised machines, and is distributed via emails containing Word documents with embedded malicious macros.
Emerson patches SQL injection vulnerability in ICS product. Emerson’s Process Management group released a software update addressing a structured query language (SQL) injection vulnerability in its AMS Device Manager in which an attacker could escalate privileges and gain access to administrative functions by supplying malformed input to the software. The AMS Device Manager is part of the AMS Suite and is used in many industrial control systems (ICS) worldwide, especially in the oil, gas, and chemical industries.
South Florida men targeted seniors around the world in $28M sweepstakes fraud, feds say. Authorities arrested 4 individuals in connection to a sweepstakes fraud ring that allegedly bilked about $28 million from hundreds of thousands of victims internationally by targeting senior citizens with false notifications of sweepstake winnings that were guaranteed in exchange for small payments from the winners.
Apache Hive infrastructures vulnerable to authentication flaw in HiveServer2. Apache reported a vulnerability in all versions of its HiveServer2 interface for Apache Hive enterprise data warehouse infrastructure in which users without proper credentials could gain access by exploiting a flaw in the Lightweight Directory Access Protocol (LDAP) authentication mode. Apache recommended that users update to the newest version or disable unauthenticated binds in the LDAP service.
Flawed Android factory reset allows recovery of sensitive data: researchers. Security researchers at the University of Cambridge discovered that up to 500 million Android devices may not properly sanitize data partitions containing credentials and other personal data when users utilize the “factory reset” feature.
mSpy finally admits they’ve been hacked. Officials from mSpy announced that their servers had been breached, and that data from 80,000 customers could have been stolen and leaked on the Dark Web. The software is intended for legal monitoring of individuals’ online and phone activity.
Major banks admit guilt in forex probe, fined $6 billion. Citigroup, JP Morgan, Barclays, the United Bank of Switzerland (UBS), and the Royal Bank of Scotland (RBS) agreed to plead guilty and pay $6 billion in fines May 20 in a settlement with the U.S. Federal Reserve and U.S. Department of Justice (DOJ) to resolve charges of foreign currency exchange manipulation that had occurred until regulators started punishing banks for the misconduct in 2013. The settlement represents the largest antitrust fines issued by the DOJ in agency history.
State finds 103 credit-card skimmers in 3-month inspection of gas pumps. Florida’s Commissioner of Agriculture and Consumer Services announced May 19 that a 3-month inspection of 7,571 gas pumps revealed 103 credit-card skimming devices across the State. The Florida Petroleum Council and the Florida Petroleum Marketers and Convenience Store Association plan to train employees to be vigilant for skimmers.
PayPal to pay $25 mln over credit product problems. The U.S. Consumer Financial Protection Bureau (CFPB) announced allegations May 19 that PayPal illegally signed consumers up for an online credit product without their knowledge or permission, and has ordered the company to pay $25 million in fines to the government and consumer refunds. The CFPB also alleged that PayPal Credit failed to honor advertised promotions and charged illegitimate late fees when Web site problems prevented customers from making payments.
TLS protocol flawed, HTTPS connections susceptible to FREAK-like attack. Cryptography and security researchers discovered that approximately 8.4 percent of the top one million domains containing mail and web servers are vulnerable to an attack dubbed Logjam, in which an attacker could compromise a secure communication between a client and server by downgrading the transport layer security (TLS) connection to 512-bit export-grade cryptography, due to leftover variants of the Diffie-Hellman cryptographic key exchange mechanism from the 1990s. The attack method is similar to the one used in the Factoring RSA Export Keys (FREAK) attacks from early 2015.
Millions of routers vulnerable to attacks due to NetUSB bug. Security researchers at SEC Consult discovered a kernel stack buffer overflow vulnerability in NetUSB drivers developed by Taiwan-based KCodes, in which an unauthenticated attacker can execute arbitrary code or cause a denial-of-service (DoS) condition by specifying a computer name longer than 64 characters when the client connects to the server. The driver is found in millions of routers from vendors including Netgear, TP-Link, ZyXEL, and TRENDnet.
Google fixes sandbox escape in Chrome. Google patched 37 bugs in Chrome version 43, including 6 high-risk sandbox-escape, cross-origin bypass, and use-after-free vulnerabilities discovered by various security researchers.
Malvertising leads to Magnitude exploit kit, ransomware infection. Security researchers at Zscaler discovered that attackers are using malicious ads and 302 cushioning attacks to direct users to sites hosting the Magnitude exploit kit (EK), which in turn infects users with CryptoWall ransomware. The researchers reported that most of the threat infrastructure for these attacks is housed in Germany.
Thieves use skimmer to get away with $50,000 from Lincolnwood ATM: Lincolnwood police are searching for 2 suspects who allegedly placed skimming devices on an ATM at a BMO Harris Bank in Chicago and stole at least $50,000 from bank customers since April 26. A similar incident in January cost bank customers $70,000, and bank officials reported that all affected accounts will be fully reimbursed.
Accused ‘ghost employee’ pleads guilty to bank fraud: A man described by authorities as a former “ghost employee” of the Knox County Trustee’s Office pleaded guilty May 18 for allegedly conspiring with 2 others to file false loan applications to defraud Bank of America, SmartBank, and Pinnacle National Bank of over $6.7 million, which they used for personal expenses. The man also faces separate charges for receiving pay for work for a former trustee that he did not do.
St. Louis Federal Reserve suffers DNS breach: The St. Louis Federal Reserve reported that hackers hijacked its domain name servers (DNS) April 24 and redirected a portion of the bank’s online traffic to rogue sites resembling portions of its research.stlouisfed.org Web site. The bank recommended that potentially affected users change login information that could have been compromised in the attack.
Attackers use trojanized version of PuTTY to steal SSH credentials: Security researchers at Symantec discovered that actors are using a malicious version of the PuTTY open-source secure shell (SSH) software to access systems remotely and steal data by copying secure server connection info and login details to be sent to an attacker-controlled server. The software bypasses common firewalls and security products due to its whitelisted status, and is used by system and database administrators and web developers.
Address bar spoofing bugs found in Safari, Chrome for Android: Security researchers identified address bar vulnerabilities in the Safari and Chrome for Android Web browsers in which attackers could leverage Web page reloads via the setInterval() function in Safari and a problem in how Chrome handles 204 ‘No Content’ responses to render spoofed Web pages.
Finter Bank Zurich to pay $5.4 million in deal with U.S. over tax offenses: Finter Bank Zurich reached a settlement with the U.S. Department of Justice May 15 in which the bank agreed to pay $5.4 million to avoid U.S. prosecution for helping U.S. clients open, conceal, and maintain bank accounts, undeclared assets, and income from U.S. tax authorities from 2008 – 2011. The bank provided detailed information on designated accounts, agreed to close accounts that do not meet U.S. obligations, and agreed to implement new controls to stop future misconduct.
FBI hunts for serial bank robber dubbed ‘Lucky Bandit’: The FBI is offering a $2,500 reward for information leading to the arrest of the suspect dubbed the “Lucky Bandit”, who is wanted in connection to 8 robberies in Pembroke Pines, Cooper City, and Hollywood in a 6 month span.
Theft ring accused of using Oregon data breach to help steal $2 million in tax refunds: Five suspects from Georgia and Maryland were indicted May 7 for their roles in an identity-theft ring which they allegedly mined the personal information of over 125,000 people to file $6.6 million in false tax returns from 2013 – 2014, $2 million of which they successfully collected. Four of the suspects have been arrested while one remains at large.
Apache fixes vulnerability affecting security manager protections: The security team responsible for Apache Tomcat discovered a vulnerability in multiple versions of the software’s open-source web server and servlet container that could allow an attacker to bypass protections for the Security Manager component and run malicious web applications.
Washington Post mobile site temporarily shut down in apparent hack: The Washington Post confirmed that it was the victim of an apparent hack May 14 after the paper’s mobile Web site was blocked and redirected users to a site claiming to be run by the Syrian Electronic Army. No customer information was impacted.
Connecticut fund executive faces new SEC fraud charges: The U.S. Securities and Exchange Commission charged and froze the assets of a former Oak Investment Partners venture capital executive from Greenwich, May 13, alleging that the suspect transferred $27.5 million worth of investors’ funds to himself, induced his firm to overpay for investments into 2 Asian e-commerce companies for which he pocketed $20 million, and induced the firm to pay I-Cubed Domains LLC $7.5 million for its stake in an e-commerce company without disclosing that he and his wife owned I-Cubed Domains and had purchased the stake for $2 million.
Delco mortgage lender charged with $9.7M fraud scheme: A former co-owner of Folsom-based Capital Financial Mortgage Corporation was charged May 13 for his role in a $9.7 million mortgage fraud scheme in which he allegedly defrauded lenders including Wells Fargo & Co., and Customers Bank into purchasing second mortgages that he represented as first mortgages and defrauded other lenders that loaned money to the company on a warehouse line of credit. Authorities claim he used the fraudulent profits to pay for personal expenses.
FBI increases reward for serial ‘Bandage Bandit’ bank robbery suspect: The FBI increased the reward for information leading to the arrest of the bank robber dubbed the “Bandage Bandit” to $10,000, after a May 9 robbery at a Chase Bank in Chicago was attributed to him, bringing the total to 5 robberies since March.
Cisco TelePresence vulnerable to unauthorized root access, denial of service: Cisco reported two vulnerabilities in versions of its TelePresence TC and TE video conference products in which an attacker could exploit improper authentication protocols for internal services to bypass authentication and obtain root access on the system, and a flaw in the network drivers in which an attacker could use specially crafted internet protocol (IP) packets sent at a high rate to cause a denial-of-service (DoS) condition.
APT17 DeputyDog hackers are pushing Blackcoffee malware using TechNet: Research by FireEye revealed that the APT17 threat group used posts and profiles on the TechNet blog as a way to conceal their use of the Blackcoffee backdoor by embedding strings that the malware would decode to find and communicate with the malware’s true command-and-control (C&C) server. The TechNet blog was not compromised and the operation was shut down, but FireEye warned that other groups may mimic the tactic.
XSS, CSRF vulnerabilities identified in WSO2 Identity Server: Researchers at SEC Consult discovered three cross-site scripting (XSS), cross-site request forgery (CSRF), and extensible markup language (XML) external injection vulnerabilities in version 5.0.0 of WSO2 Identity Server that could allow an attacker to take over a victim’s session, add arbitrary users to the server, or inject arbitrary XML entities.
Flaw found in OSIsoft product deployed in critical infrastructure sectors: OSIsoft advised customers to mitigate an incorrect default permissions vulnerability in its PI Asset Framework (PI AF) in which an unauthorized remote attacker could leverage “Trusted Users” group status in some product installations to execute arbitrary structured query language (SQL) statements on the affected system, potentially leading to information disclosure, data tampering, privilege escalation, and/or denial-of-service (DoS) conditions.
Russian cyber espionage group planning to hit banks: Report: The cybersecurity services and training provider root9B discovered that the cyberespionage group APT28, also known as Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy, has planned attacks on financial institutions worldwide including Bank of America, The United Nations Children’s Fund, and others. The group was previously linked to Russia by cybersecurity experts.
Nomura, RBS face $805 million damages after U.S. ruling –lawyer: A U.S. District Judge ruled May 11 that Nomura Holdings Inc., and the Royal Bank of Scotland Group Plc., were liable for making false statements in the sale of mortgage-backed securities to Fannie Mae and Freddie Mac. Officials estimated that the damages owed to the Federal Housing Finance Agency could exceed $805 million, while the exact amount is yet to be determined.
Flash Player 220.127.116.11 addresses security holes: Adobe released updates for Flash Player that fixed 18 vulnerabilities, including 10 memory corruption, heap overflow, integer overflow, type confusion, and use-after-free bugs that could allow an attacker to run arbitrary code on an affected system.
Mozilla Firefox 38 fixes 13 vulnerabilities, 5 are critical: Mozilla released fixes for 13 vulnerabilities in Firefox version 38, including 5 critical flaws that could be leveraged to execute arbitrary code or read parts of the memory containing sensitive data. The update also added support for Digital Rights Management (DRM), among other improvements.
Adobe rolls out critical update for Reader and Acrobat: Adobe released new versions for Acrobat and Reader PDF software patching 34 vulnerabilities, 17 of which include use-after-free, heap-based buffer overflow, and buffer overflow to memory corruption bugs that could have allowed an attacker to execute arbitrary code and take control of an affected system.
Microsoft fixes 46 flaws in Windows, IE, Office, other products: Microsoft released patches addressing 46 vulnerabilities across various products, including 3 critical security bulletins that covered remote code execution flaws in Windows, Internet Explorer, Office, Microsoft .NET Framework, Lync, and Silverlight.
“VENOM” flaw in virtualization software could lead to VM escapes, data theft: Security researchers from CrowdStrike discovered a vulnerability in virtualization platforms in which an attacker could exploit a flaw in the virtual floppy disk controller component of the QEMU open-source virtualization package to escape from a guest virtual machine (VM) and gain code execution on the host, in addition to any other VMs running on the affected system. The bug has been dubbed VENOM and affects a variety of virtualization software running on all major operating systems (OS).
SEC charges ITT Educational, CEO, CFO with fraud; shares plunge. The U.S. Securities and Exchange Commission charged ITT Educational Services Inc., its chief executive officer, and chief financial officer May 12 with fraud, alleging that the defendants concealed two poorly performing financially-guaranteed student loan programs by making payments on behalf of struggling borrowers and by hiding the extent of losses due to high default rates.
DDoS botnet relies on thousands of insecure routers in 109 countries. An investigation by the Web site security company Incapsula revealed that cybercriminals are using tens of thousands of Internet service provider (ISP)-distributed home routers with default security configurations to create large botnets for distributed denial of service (DDoS) attacks. Findings revealed that 60 command and control (C&C) servers were being used for the botnets by a variety of groups employing various forms of malware worldwide.
FBI agent shot at motel; suspect dead: An FBI agent was injured May 8 after being fired upon while trying to serve an arrest warrant at a Littleton motel on the bank robbery suspect dubbed “The Longhorn Bandit,” who had allegedly robbed multiple banks in the area since February. Authorities reported that officers did not fire any shots, and that the suspect was found dead in his room.
MacKeeper patches serious remote code execution flaw: The developers of the MacKeeper utility software suite for Apple OS X patched a critical input validation vulnerability which an attacker could exploit to remotely execute code on affected systems by tricking victims to visit a specially crafted Web site that runs code with root privileges once visited.
Angler EK makes it difficult to track down malvertising sources: A security expert discovered that the Angler Exploit Kit (EK) is leveraging Web browser bugs to break the referrer chain, making it more difficult for security researchers and advertising networks to determine the kit’s source in the campaign.
Apple fixes WebKit vulnerabilities in Safari browser. Apple released an update for its Safari Web browser fixing multiple vulnerabilities in WebKit, including memory corruption and anchor element issues that could be exploited by an attacker to send users to malicious Web sites, leading to arbitrary code execution or unexpected application termination, as well as a state management problem in which unprivileged origins could access filesystem contents via a specially crafted Web page.
Six people convicted in Sacramento-area mortgage fraud scheme: Six Sacramento residents were convicted of wire fraud May 6 in connection to a mortgage fraud scheme in which they served as straw buyers for area homes and obtained over $5 million in loans from 2007 – 2008 by using falsified applications and documentation.
US charges ex-Wilmington Trust officers over troubled loans: Four executives from Wilmington Trust Co., a part of M&T Bank Corp, were indicted May 6 on charges alleging that they concealed the amount of loans that were not being repaid from U.S. regulators following the financial crisis. The U.S. Securities and Exchange Commission previously brought related civil charges against the individuals for their roles.
Ex-MillerCoors executive, 7 others charged for $7 mln fraud: U.S. authorities announced charges May 6 against a former MillerCoors executive and seven others for their roles in an alleged scheme in which they defrauded the brewing company out of at least $7 million by falsely billing for promotional and marketing services. The individuals allegedly used the money for personal expenses, collectible firearms, and investments in a hotel and bar, among other things.
Feds: Republic man gathers $14.5 million for phony video games: Authorities unsealed Federal charging documents revealing that the former owner of multiple video game companies including Interzone Entertainment, LLC, and Spectacle Games, was indicted in June 2014 on charges of wire fraud and money laundering after the suspect allegedly raised over $14.5 million from clients for companies in Missouri, Chicago, Australia, Brazil, and China since 2008, which produced less than $2,300 in revenue in that period. Authorities claimed the suspect solicited funds to create video games, but instead used the money for personal expenses.
Cisco plugs critical vulnerability in UCS Central Software: Cisco reported that it released an update addressing a vulnerability in its Unified Computing System (UCS) Central Software versions 1.2 and older that could have allowed attackers to access information, run arbitrary code, or make affected devices unavailable by leveraging an improper input validation flaw in the software’s Web framework.
WordPress 4.2.2 fixes DOM-based XSS bug affecting millions of websites: WordPress developers released a critical security update for the platform’s content management system (CMS) addressing a critical cross-site scripting (XSS) flaw in all plugins and themes utilizing the Genericons icon font package, in which attackers could take over an affected Web site or execute code remotely via a document object model (DOM)-based XSS attack targeting a file called “example.html.”
Lenovo patches vulnerabilities in system update service: Security researchers from IOActive reported that Lenovo patched three vulnerabilities in April including a serious bug that allows least privileged users to potentially run commands as a system administrator due to the use of a predictable authentication token, another in which an attacker could bypass signature validation by creating a fake certificate authority (CA) to swap out executables being downloaded by System Update, and a third in which local users could run commands as an administrator using a directory writeable by any user.
Tinba banking trojan checks for sandbox before launching: Security researchers from F-Secure discovered a new variant of the Tiny Banker (Tinba) trojan, which checks for mouse movement and the active window a user is working on to ensure that it is executed on a real machine and not a sandbox before running its malicious routines. The trojan also queries the number of cylinders available to the system’s storage device to determine if it is a virtual machine.
Ripple Labs Inc. resolves criminal investigation: The U.S. Treasury Department Financial Crimes Enforcement Network (FinCEN) in conjunction with the U.S. Attorney’s Office of the Northern District of California assessed a $700,000 penalty against San Francisco-based Ripple Labs Inc., and its subsidiary, XRP II, LLC May 5, for willful violations of the Bank Secrecy Act. Violations include selling virtual currency without registering with FinCEN, and failing to implement and maintain an adequate anti-money laundering program.
SEC lawsuit alleges Ponzi scheme over North Dakota ‘man camps’: The U.S. Securities and Exchange Commission (SEC) sued North Dakota Developments LLC and its three owners May 5 for an alleged fraud and Ponzi scheme in which the suspects illegally raised over $62 million from hundreds of investors in at least 12 States and several European countries since 2012 by selling stakes in 4 short-term housing projects for oil workers in the Bakken oil field region of North Dakota and Montana, known as “man camps.” The SEC claimed that the trio paid existing investors with funds from new investors and misappropriated over $25 million for undisclosed broker commissions, payments to themselves, and investment in other Bakken projects.
Longhorn Bandit strikes again: Suspect robs credit union in Broomfield; 9th target, FBI says: Denver authorities are searching for a suspect dubbed the “Longhorn Bandit” who is allegedly responsible for six bank robberies, one casing, and two attempted robberies in the area since February. The suspect’s most recent robbery targeted a Public Service Credit Union branch in Broomfield May 4.
New AlphaCrypt ransomware delivered via Angler EK: Security researchers at Webroot and Rackspace determined that a new form of ransomware resembling TeslaCrypt and CryptoWall, dubbed AlphaCrypt, is being delivered via the Angler exploit kit (EK). Researchers stated that it differs from other ransomware variants by deleting Volume Shadow Copy Service (VSS) snapshots, so that encrypted files cannot be restored from shadow copies, and by running quietly as a background process to avoid detection.
New infostealer tries to foil analysis attempts by wiping hard drive: Security researchers from Cisco discovered a new information-stealing trojan dubbed Rombertik, which is delivered via spoofed emails purporting to be from the “Windows Corporation” and hooks into users’ browsers to read credentials and other sensitive information for exfiltration to an attacker-controlled server. If the trojan detects that it is being analyzed, it attempts to render the affected computer unbootable by overwriting the system’s master boot record (MBR).
Cybercriminals borrow from APT playbook in attack against PoS vendors: Security researchers at RSA and FireEye reported that cybercriminals have begun mimicking cyberespionage advanced persistent threat (APT) groups by deploying spear-phishing campaigns designed to infect point-of-sale (PoS) payment systems. The attacks delivered the Vawtrak banking trojan using a new document-based exploit kit (EK) called Microsoft Word Intruder (MWI).
Crimeware infects one-third of computers worldwide: The Anti-Phishing Working Group (APWG) reported that 23.5 million malware variants were detected in the fourth quarter of 2014, setting a new record that was up 59 percent from the second quarter of 2014. According to researchers, the retail/service industry was the most targeted sector, specifically through payment services.
3 suspects charged with credit, debit card fraud: Salem, Oregon police reported that three suspects from California were arrested April 23 on charges of identity theft related to a regional skimming scheme in which the suspects allegedly planted skimming devices at various locations to steal credit and debit card information that they used to purchase thousands of dollars of merchandise in multiple cities in Oregon. Authorities recovered over 100 fraudulent credit and debit cards, electronics, clothing, gift cards, and $3,500 in currency in searches of the suspects’ vehicle and hotel room.
3 convicted in $9.2-million wire fraud scheme: Three businessmen were convicted of wire fraud May 1 for a scheme in which they used two New Zealand-based companies, Unistate Investments Savings and Loan Limited, as well as Aster Capital, Inc., and Vital Funds, Inc., to offer clients alternative capital financing and collected account arrangement fees on deals that were never closed, costing clients about $9.2 million in losses. One additional suspect remains a fugitive while two others pleaded guilty to their roles in the scheme.
“Cotton Ball Bandit” convicted for 10 bank robberies: A Larkspur, California man dubbed the “Cotton Ball Bandit” was convicted April 29 of robbing 10 banks and attempting to rob another throughout Marin County between December 2012 and December 2013. Police arrested the suspect after he robbed the Novato Bank of the West in 2013 and led officers on a chase before crashing near Northgate Mall on U.S. Highway 101 in San Rafael.
Kearny bank branch in North Arlington says skimmer was hooked up to ATM: Authorities are investigating after Kearny Bank reported May 1 that 128 customers in North Arlington, New Jersey, may have had their credit or debit card data stolen after a skimming device was found on an ATM at the bank.
PayPal fixes remote code execution flaw in Partner Program website: PayPal fixed a vulnerability, discovered by Vulnerability Lab researchers, in its Partner Program Web site that would have allowed an attacker to connect to an exposed Java Debug Wire Protocol (JDWP) service and remotely execute server-side commands with root privileges. JDWP is a debugging interface with no authentication of its own, so any network-reachable JDWP listener should be treated as an open remote shell.
Mozilla moving toward full HTTPS enforcement in Firefox: The Mozilla Foundation reported that it will be phasing out unsecured hypertext transfer protocol (HTTP) connections in the Firefox browser in a two-phase plan, in which the company will only offer new browser features to secure, HTTPS (HTTP Secure)-enabled Web sites, before ultimately making existing features incompatible with HTTP sites altogether.
2 men arrested with hundreds of fraudulent credit cards: Two individuals were arrested April 29 in Palm Desert for burglary, fraud, identity theft, and possession of stolen property after authorities discovered hundreds of manufactured credit cards, purchased gift cards, and stolen clothing and electronics from several local businesses in a rental car. Investigators allege the pair racked up tens of thousands of dollars in fraudulent charges in the area with stolen credit card numbers from victims across the U.S.
Security bug in ICANN portals exploited to access user data: The Internet Corporation for Assigned Names and Numbers (ICANN) released April 30 initial findings from an investigation revealing that a vulnerability in two of the organization’s generic top-level domain (gTLD) portals had resulted in the exposure of 330 advanced search result records pertaining to 96 applicants and 21 registry operators since April 2013. The organization plans to contact both the affected users and those who exploited the vulnerability to access the records.
Unnoticed for years, malware turned Linux and BSD servers into spamming machines: Security researchers at ESET discovered that servers running Linux and BSD operating systems (OS) worldwide have been targeted for the past 5 years by a group that compromised them with a backdoor trojan and then used a commercial automated e-mail distribution system on the compromised hosts to send out anonymous spam.
Dyre banking trojan jumps out of sandbox: Security researchers at Seculert discovered a new strain of the Dyre banking trojan (also known as Dyreza) that evades automated analysis by checking the number of processor cores on the infected machine and terminating itself if it finds only one, since single-core configurations are typical of sandboxes. The researchers also noted that the new strain switched to a new user agent string and included other minor updates to avoid signature-based detection products.
MySQL bug can strip SSL protection from connections: Researchers at Duo Security identified a serious vulnerability in how versions of Oracle’s MySQL database product handle requests for secure connections: the client treats its SSL setting as optional, so a man-in-the-middle (MitM) attacker who clears the SSL capability flag in the server greeting forces the client to fall back to an unencrypted connection and can then intercept unencrypted queries from the client to the database. Because the attacker can relay the downgraded session to the real server over SSL, the attack works regardless of whether the server itself is configured to require secure socket layer (SSL).
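The downgrade above comes down to one bit in the server's greeting. The following is an added example, written for this page and not code from Duo Security or Oracle: it constructs a MySQL HandshakeV10 greeting by hand following the public protocol layout, shows the MitM clearing the CLIENT_SSL capability, and contrasts a client that treats SSL as a preference with one that refuses to continue when SSL was required but not offered. The version string, connection id and capability values are constructed samples; no server is contacted.

```python
"""Added example (not Duo Security's or Oracle's code): how clearing one flag in the
MySQL server greeting downgrades a connection, and the client check that refuses it.
The handshake bytes are constructed here following the public Protocol::HandshakeV10
layout; no server is contacted."""
import struct

CLIENT_SSL = 0x0800  # capability bit a server sets to advertise SSL/TLS support


def build_handshake_v10(server_version: bytes, capabilities: int) -> bytes:
    """Construct a minimal HandshakeV10 greeting (sample built here, not captured)."""
    body = (
        b"\x0a"                                     # protocol version 10
        + server_version + b"\x00"                  # NUL-terminated server version
        + struct.pack("<I", 42)                     # connection id (constructed)
        + b"A" * 8 + b"\x00"                        # auth-plugin-data-part-1 + filler
        + struct.pack("<H", capabilities & 0xFFFF)  # capability flags, lower 2 bytes
    )
    return struct.pack("<I", len(body))[:3] + b"\x00" + body  # 3-byte length + seq 0


def _capability_offset(body: bytes) -> int:
    """Offset of the lower capability flags inside the packet body."""
    version_end = body.index(b"\x00", 1)            # terminator of the version string
    return version_end + 1 + 4 + 8 + 1              # skip conn id, auth data, filler


def parse_capabilities(packet: bytes) -> int:
    """Return the lower 16 capability bits advertised in a greeting."""
    body = packet[4:]                               # strip 3-byte length + sequence id
    if body[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    return struct.unpack_from("<H", body, _capability_offset(body))[0]


def mitm_strip_ssl(packet: bytes) -> bytes:
    """What the attacker does to the greeting relayed toward the client: clear CLIENT_SSL.
    The attacker keeps its own SSL session to the real server, so a server-side
    'require SSL' setting never sees the plaintext leg."""
    body = bytearray(packet[4:])
    off = _capability_offset(body)
    caps = struct.unpack_from("<H", body, off)[0] & ~CLIENT_SSL
    struct.pack_into("<H", body, off, caps)
    return packet[:4] + bytes(body)


def vulnerable_client_decides(packet: bytes) -> str:
    """Behaviour the report describes: SSL is used only if the server offers it."""
    return "tls" if parse_capabilities(packet) & CLIENT_SSL else "plaintext"


def hardened_client_decides(packet: bytes, require_tls: bool) -> str:
    """Fixed behaviour: when the operator demanded SSL, a greeting without it is fatal."""
    if parse_capabilities(packet) & CLIENT_SSL:
        return "tls"
    return "abort" if require_tls else "plaintext"


if __name__ == "__main__":
    greeting = build_handshake_v10(b"5.6.24", 0xFFFF)
    downgraded = mitm_strip_ssl(greeting)
    print("vulnerable client on downgraded greeting:", vulnerable_client_decides(downgraded))
    print("hardened client on downgraded greeting:  ", hardened_client_decides(downgraded, True))
```

The practical check is the last function: a client that was told to use SSL must treat a greeting without CLIENT_SSL as an attack, not as a reason to fall back. Verifying the server's certificate on top of that is what stops the attacker from simply offering SSL with its own key.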
FBI offers $5,000 after ‘Bandage Bandit’ hits fourth bank in last month: The FBI offered a $5,000 reward for information leading to a suspect dubbed the “Bandage Bandit” who allegedly robbed 4 Chicago banks since March 31, including a PNC Bank branch on Western Avenue April 28.
Barracuda fixes critical MITM flaws in its Web filter: Barracuda Networks issued a security update patching two critical flaws in the firmware of its Web Filter appliances that could allow an attacker to perform man-in-the-middle (MitM) attacks: improper certificate verification when performing secure socket layer (SSL) inspection, and the use of the same default certificate across multiple appliances.
Bartalex malware used to deliver Dyre banking trojan to enterprises: Security researchers at Trend Micro discovered a campaign employing thousands of spam emails purporting to be from the Automated Clearing House (ACH) that point to malicious documents on Dropbox containing the Bartalex malware, which downloads the Dyre banking trojan once macros are enabled. Thirty-five percent of the infections observed in the past 3 months were in the U.S.
Reward increased for ‘Buckeye Bandit.’: The FBI and Central Ohio Crime Stoppers offered an increased reward of up to $10,000 for information leading to the arrest of the bank robbery suspect dubbed the ‘Buckeye Bandit’ after he allegedly robbed the Cooper State Bank branch in Columbus April 26. The suspect is believed to have committed 24 bank and store robberies dating back to 2013.
Malware delivered via malicious macro in Word document embedded in PDF: Security researchers at Avast discovered that cybercriminals are employing a new malware delivery technique in which they embed Microsoft Word documents containing malicious macros into seemingly legitimate Portable Document Format (PDF) files. Once the embedded document is opened and macros are enabled, a script downloads a variant of the Dridex banking trojan that steals banking credentials and Google and Microsoft login information.
InFocus projectors plagued by authentication flaws: Core Security: Security researchers at Core Security identified an authentication bypass vulnerability in InFocus network-connected projectors in which an unauthenticated user could bypass the login page and access the projector’s Web interface as an administrator by navigating to the “main.html” page. Once logged in, the unauthenticated user would have the ability to access and modify private network and WiFi configuration information.
Routers built with Realtek SDK affected by remote command-injection bug: A security researcher working with HP’s Zero Day Initiative discovered a vulnerability in version 1.3 of the Realtek Software Development Kit (SDK) used in D-Link and Trendnet broadband routers in which attackers can exploit a command-injection flaw in the devices’ simple object access protocol (SOAP) service to execute arbitrary code on the devices.
Threats on government networks remain undetected for 16 days: Findings from a report by MeriTalk and Splunk on the state of cyber security in Federal, State, and local government agencies revealed that cyber threats exist on government networks for an average of 16 days without detection, and that 68 percent of respondents reported that their organizations are overwhelmed by the volume of security data they must analyze. Respondents also reported the benefits of big data in analytics and the challenges they face due to lack of skill or time, among other findings.
Hacker exploits Android devices with self-implanted NFC chip: A security researcher at APA Wireless demonstrated that he could implant himself with a near field communication (NFC) chip that is undetectable by body scanners and could be used to infiltrate and compromise devices in high-security locations. The chip would ping nearby Android devices with links to malicious files that, once run and installed, would allow for further exploits from a remote computer.
West Hollywood ‘Purse Packing Bandit’ pleads to series of bank robberies: An individual pleaded no contest April 27 to charges alleging that she robbed 9 banks and attempted to rob 2 others in Beverly Hills, Los Angeles, and West Hollywood as the “Purse Packing Bandit.” Authorities arrested the woman in August 2014 as she fled a bank robbery in Beverly Hills.
Cyber gang stealing $15 million from banks dismantled by Romanian authorities: Romanian authorities raided 42 locations in 6 countries and detained 25 individuals April 26 in connection with their roles in a group of over 52 suspects who allegedly cloned cards using information stolen from banks’ computer systems to take over $15 million from financial institutions in the U.S. and worldwide. The thieves allegedly made 34,000 cash withdrawals from ATMs in 24 countries from February – December 2013.
US plays host to largest number of phishing sites: Findings from Webroot’s 2015 Threat Brief revealed that the U.S. hosts over 75 percent of phishing sites and 31 percent of malicious internet protocol (IP) addresses, and that technology companies and financial institutions were the brands most frequently impersonated.
Email delivery service SendGrid confirms data breach: SendGrid officials reported April 27 that a hacker had accessed internal systems containing account login information, email lists, and contact details of company employees and customers in three separate attacks in February and March. In one of the attacks the hacker compromised a Bitcoin-related customer’s account and used it to send phishing emails. SendGrid announced new security features and forced password resets for all customers.
SEC sues Indy securities firm for alleged Ponzi scheme: The U.S. Securities and Exchange Commission (SEC) sued Indianapolis-based Veros Partners April 22 for an alleged Ponzi-like scheme in which the company’s president, 2 associates, and 3 associated companies raised at least $15 million from investors to make short-term operating loans to farmers and used a portion of the funds to cover unpaid debt from prior loans. The SEC claimed that the company owes millions of dollars in past due payments to over 80 investors.
Wordpress 4.2 affected by zero-day stored XSS, PoC available: A security researcher from Klikki Oy discovered a stored cross-site scripting (XSS) vulnerability in WordPress 4.2 and earlier versions in which an unauthenticated visitor can post a comment so long that it is truncated when stored, leaving malformed HTML that runs attacker-controlled script in the browser of any administrator who views the comment. The researcher demonstrated that the script could then use the administrator’s session to run arbitrary code on the affected server.
Over 25,000 iOS apps affected by bug breaking HTTPS: Security researchers at SourceDNA discovered a vulnerability in version 2.5.3 of the AFNetworking library for Apple iOS and OS X in which attackers could carry out man-in-the-middle (MitM) attacks and read traffic that should have been encrypted, because the library failed to check that the domain name in the server’s secure sockets layer (SSL) certificate matched the host being contacted. Any certificate issued by a trusted authority for any domain would be accepted. More than 25,000 apps are affected by the flaw.
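The WordPress comment bug is an instance of a general failure: sanitising input and then letting a later transformation (here, a fixed-width database column) change it. The following is an added example, written for this page and not WordPress code or the Klikki Oy proof of concept. It is a simplified model: a whitelist sanitiser that accepts a well-formed anchor tag, a store that silently truncates to a hypothetical column limit of 48 characters (the real WordPress comment column holds 64 KiB; the limit is shrunk so the effect is visible), and a hardened store that rejects what the column cannot hold and re-checks the exact bytes that will be written. The comment text is constructed.

```python
"""Added example (not WordPress code or Klikki Oy's PoC): sanitise-then-truncate turns a
well-formed tag into an unterminated one. The column limit and comment are constructed."""
import html
import re
from typing import Optional

COLUMN_LIMIT = 48  # hypothetical; stands in for the 64 KiB TEXT column in the report

# Whitelist: only an <a> with quoted href and title attributes, or </a>, survives.
ANCHOR = re.compile(r'<a href="[^"<>]*" title="[^"<>]*">|</a>')


def sanitize(comment: str) -> str:
    """Escape everything except whitelisted, well-formed anchor tags."""
    out, pos = [], 0
    for m in ANCHOR.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)


def is_well_formed(fragment: str) -> bool:
    """True if every '<' has a closing '>' and quotes inside each tag are balanced."""
    i = 0
    while (i := fragment.find("<", i)) != -1:
        close = fragment.find(">", i)
        if close == -1 or fragment[i:close].count('"') % 2:
            return False
        i = close + 1
    return True


def store_vulnerable(comment: str) -> str:
    """The failing order: sanitise, then let the column silently truncate."""
    return sanitize(comment)[:COLUMN_LIMIT]


def store_hardened(comment: str) -> Optional[str]:
    """Reject input the column cannot hold, and validate the exact value to be stored."""
    clean = sanitize(comment)
    if len(clean) > COLUMN_LIMIT or not is_well_formed(clean):
        return None
    return clean


if __name__ == "__main__":
    # Constructed attacker comment: a valid tag whose title pads past the column limit.
    attack = '<a href="https://example.com/" title="' + "A" * 40 + '">x</a>'
    print("sanitiser accepted:", is_well_formed(sanitize(attack)))
    print("stored (vulnerable):", store_vulnerable(attack))
    print("stored (hardened):", store_hardened(attack))
```

The sanitiser's verdict was correct for the string it saw; the string that reached the browser was a different one. The defence that survives this class of bug is to validate, or better to output-encode, the value actually being rendered, and to refuse input that any downstream step will alter.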
Former fast-food magnate now facing federal charges in fraud scheme: The former owner of dozens of Jack In The Box, TGI Fridays, Sonic Burger, and Qdoba Mexican Grill restaurants in California was indicted April 23 on charges that he allegedly defrauded banks out of about $20 million by forging documents to increase loan amounts and prevent his businesses from closing.
Arrest made in bank fraud ring: Connecticut State Police arrested a Bridgeport woman in connection with a bank fraud ring that has allegedly defrauded People’s United Bank of more than $150,000 since 2006 by depositing fraudulent checks into legitimate bank accounts.
Asset manager pleads guilty to $5 million fraud scheme: A former asset manager at a Bethesda, Maryland company pleaded guilty April 22 in connection with a $5 million fraud scheme in which he redirected funds that were supposed to be applied to commercial mortgage loans into three bank accounts that he controlled from 2012 – 2013.
UK watchdog fines BoA’s Merrill Lynch $20 million for reporting failures: The United Kingdom’s Financial Conduct Authority (FCA) reported April 22 that it had fined Bank of America Merrill Lynch $20 million for incorrectly reporting 35 million transactions and failing to report 121,387 others from 2007 – 2014.
Login vulnerability exposes SAP ASE databases: The German business software company SAP patched a login vulnerability in its SAP Adaptive Server Enterprise (ASE) in which attackers could use a flawed “probe” two-phase commit login to gain unauthorized access and potentially exploit a privilege escalation flaw to take complete control of the affected server.
Deutsche Bank to pay $2.5 billion fine to settle rate-rigging case: U.S. and United Kingdom officials reported April 23 that Deutsche Bank will pay $2.5 billion to authorities to settle allegations that bank employees in London, New York City, Frankfurt, and Tokyo had knowingly manipulated benchmarks used to set interest rates on trillions of dollars in mortgages, student loans, credit cards, and other debt from 2005 – 2009. Other terms included the guilty plea by a British subsidiary, the firing of 7 managers suspected of involvement, and the installation of an independent monitor to confirm that the bank complies with New York laws.
Improper parsing of SSID info exposes Wi-Fi client’s memory contents: Security researchers at Alibaba and Google discovered a vulnerability in the cross-platform “wpa_supplicant” Wi-Fi software that affects versions 1.0 – 2.4 built with the CONFIG_P2P option enabled. A crafted service set identifier (SSID) can trigger a buffer overflow, potentially exposing sensitive information from the device’s memory and allowing arbitrary code execution.
Net Nanny parental control software vulnerable to HTTPS spoofing: Researchers from Carnegie Mellon University’s CERT Coordination Center (CERT/CC) discovered security vulnerabilities in ContentWatch’s Net Nanny software resulting from its use of a man-in-the-middle (MitM) proxy with the same root certificate and private key for every installation, with the private key included in plain text in the application. The researchers believe that an attacker could use the key to generate certificates that spoof legitimate Web sites and avoid user alerts for malicious domains.
Banking botnets persist despite takedowns: Dell SecureWorks released analysis from its annual Top Banking Botnets report revealing that in 2014 attackers targeted an array of Web sites in addition to traditional banking portals, including those related to corporate finance and payroll services, stock trading, employment portals, and email services. The report also found that over 90 percent of the 1,400 financial institutions targeted worldwide were in the U.S., and that attackers began avoiding countries where international transactions are more difficult, among other findings.
Malware uses invisible command line argument in shortcut file: Security researchers at F-Secure discovered that a variant of the Janicab trojan for Microsoft Windows is delivered as a shortcut (LNK) file whose shell commands are hidden from the shortcut’s properties dialog and whose file name uses the right-to-left override (RLO) character to disguise the real file extension. The malware has existed for two years and uses Python and VBScript to infect machines.
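The RLO trick works because the file name a user reads is not the file name the operating system resolves. The following is an added example, written for this page and not F-Secure's code: it flags file names carrying Unicode bidirectional control characters, reconstructs (approximately) the name a file manager would display after a U+202E, and reports when the displayed extension differs from the real one. The sample file names are constructed; real renderers also mirror some punctuation, which this model ignores.

```python
"""Added example (not F-Secure's code): flag filenames that carry Unicode bidirectional
override characters and show the name a user would actually see. Sample names are
constructed; the rendering is an approximation for a single U+202E."""

BIDI_CONTROLS = {
    "\u202e": "RLO",  # right-to-left override, the character used in the report
    "\u202d": "LRO",
    "\u202b": "RLE",
    "\u202a": "LRE",
    "\u2067": "RLI",
    "\u2066": "LRI",
    "\u2068": "FSI",
}


def bidi_controls(name: str):
    """Positions and names of bidi control characters present in a filename."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def displayed_name(name: str) -> str:
    """Approximate rendering: text after the first U+202E is drawn right-to-left,
    i.e. reversed, and the control character itself takes no space."""
    i = name.find("\u202e")
    if i == -1:
        return name
    return name[:i] + name[i + 1:][::-1]


def extension(name: str) -> str:
    """Extension as the OS resolves it: everything after the last dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def assess(name: str) -> dict:
    """Detection logic: a bidi control whose presence changes the visible extension."""
    shown = displayed_name(name)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "shown_extension": shown_ext,
        "suspicious": bool(bidi_controls(name)) and real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed samples: a disguised shortcut and an ordinary document.
    for sample in ("invoice_2015\u202efdp.lnk", "report.pdf"):
        print(assess(sample))
```

A mail gateway or endpoint agent can apply `assess` to attachment and download names; the safest policy is to block or quarantine any name containing a bidi control, since legitimate file names almost never need one.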
Two ex-New York investment firm employees convicted in Ponzi fraud: Two former employees of Long Island-based Agape World Inc., were convicted of charges including securities fraud, conspiracy, and mail fraud April 21 for their roles in a Ponzi scheme that bilked around 3,800 investors out of about $147 million from 2005 – 2009. The pair pocketed about $12.4 million by promising unrealistic returns on investments while paying returns from other investors’ deposits.
Romanian charged in ATM scheme extradited to NJ from Spain: A Romanian citizen was arrested and extradited from Spain during the week of April 13 and faced charges April 20 for his alleged role in an ATM-skimming scheme that used card-reading devices and pinhole cameras to steal over $5 million from thousands of customers of Citibank, TD Bank, Wells Fargo, and other financial institutions on the east coast from 2012 – 2013. Thirteen suspects have been convicted in connection with the scheme.
UK speed trader arrested over role in 2010 ‘flash crash’: Authorities in London arrested a high-frequency trader who operated through Nav Sarao Milking Markets Ltd. after the U.S. Department of Justice (DOJ) announced criminal charges April 21 in connection with his role in the 2010 “flash crash” that wiped out almost $1 trillion in market value. He allegedly used an automated program to place large sell orders that pushed down prices, canceled the orders before they could be filled, and then bought the contracts at the lower prices. The DOJ plans to request that the suspect be extradited to the U.S.
WordPress 4.1.2 fixes critical XSS flaw: WordPress developers announced that the newest release of the blogging platform, 4.1.2, addresses critical security vulnerabilities, including a cross-site scripting (XSS) vulnerability affecting the content management system (CMS) that could allow an attacker to compromise a vulnerable Web site, as well as three other flaws. The release also included increased protection for files that could present a security risk.
White House, US State Department hit with Advanced CozyDuke threat: Security researchers from Kaspersky Lab reported that 2014 cyber-attacks against the White House and the U.S. Department of State were part of an advanced persistent threat (APT) campaign dubbed CozyDuke, also known as CozyBear and CozyCar, and could be connected with the MiniDuke campaign that used spear-phishing emails and malicious attachments and Web sites to target the North Atlantic Treaty Organization (NATO) and European government agencies.
‘No iOS Zone’ Wi-Fi zero-day bug forces iPhones, iPads to crash and burn: Security researchers from Skycure discovered a zero-day denial-of-service (DoS) vulnerability in Apple’s iOS 8, dubbed “No iOS Zone,” in the way the operating system (OS) handles specially crafted secure sockets layer (SSL) certificates. An attacker can set up a malicious Wi-Fi hotspot that devices are induced to join and manipulate traffic so that apps, and the OS itself, crash on connected iOS devices, even in offline mode.
Zero-day malvertising attack went undetected for two months: Security researchers at Malwarebytes reported that cybercriminals had managed to exploit a zero-day Adobe Flash Player vulnerability patched in February to target U.S. users with the HanJuan exploit kit (EK) containing ransomware embedded in online ads for nearly two months without detection. The attacks infected Web sites belonging to Dailymotion, Huffington Post, and answers.com, among others, and reached over 1 billion users in February alone.
Malicious hackers can exploit a vulnerability in Magento to access credit card data: Security researchers at Check Point Software identified a security hole in unpatched versions of eBay’s Magento e-commerce platform that contain remote code execution (RCE) vulnerabilities that could allow attackers to execute hypertext preprocessor (PHP) code on Web servers containing online stores in order to gain access to databases containing customers’ credit card, financial, and personal information.
Highly popular WordPress plugins vulnerable to XSS attacks: A security researcher from Scrutinizer discovered an issue with two WordPress core functions, add_query_arg() and remove_query_arg(), used by many plugins for the content management system (CMS), that could allow attackers to run cross-site scripting (XSS) attacks and access sensitive areas of affected Web sites. The vulnerability stemmed from documentation that implied the functions escaped their output, which they do not, so plugin authors echoed their return values without escaping.
iOS apps from developers vulnerable to HTTPS data decryption: Research from SourceDNA revealed that almost 1,000 iOS apps are vulnerable to a security flaw in build 2.5.1 of the open source AFNetworking library that disables secure sockets layer (SSL) certificate validation, which could allow attackers to carry out man-in-the-middle (MitM) attacks and read traffic that should have been encrypted. The flaw was patched in late March, but many developers had not yet integrated the updated code.
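The two AFNetworking items on this page (the 2.5.1 build that disabled certificate validation and the 2.5.3 build that validated the chain but never checked the domain name) fail at the same point: deciding whether a certificate is for the host the app dialed. The following is an added example, written for this page and not SourceDNA's or AFNetworking's code. It implements the name-matching rule a TLS client must apply (exact match, or a wildcard standing for exactly one leftmost label) and contrasts a validator that trusts the chain alone with one that also requires a name match. The certificate records are constructed dictionaries standing in for parsed certificates; no network or real certificate is involved.

```python
"""Added example (not SourceDNA's or AFNetworking's code): "chains to a trusted CA" is
not "issued for the host I dialed". Certificate records below are constructed dicts."""


def hostname_matches(hostname: str, cert_names) -> bool:
    """Match the requested host against the certificate's subject alternative names.
    A wildcard is honoured only as the entire leftmost label (RFC 6125 section 6.4.3),
    so *.bank.example covers www.bank.example but not bank.example or a.b.bank.example."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            head, dot, rest = host.partition(".")
            if head and dot and "." + rest == name[1:]:
                return True
    return False


def vulnerable_validate(cert: dict, expected_host: str) -> bool:
    """The flaw described above: accept any certificate with a trusted chain,
    whatever name it was issued for. expected_host is never consulted."""
    return cert["chain_trusted"]


def hardened_validate(cert: dict, expected_host: str) -> bool:
    """Chain trust AND a name match for the host actually being contacted."""
    return cert["chain_trusted"] and hostname_matches(expected_host, cert["san"])


# Constructed sample certificates (the fields a TLS library exposes after parsing).
BANK_CERT = {"san": ["api.bank.example", "*.bank.example"], "chain_trusted": True}
# Legitimately issued to the attacker's own domain by a CA the device trusts.
ATTACKER_CERT = {"san": ["attacker.example"], "chain_trusted": True}

if __name__ == "__main__":
    for label, cert in (("bank", BANK_CERT), ("attacker", ATTACKER_CERT)):
        print(label,
              "vulnerable:", vulnerable_validate(cert, "api.bank.example"),
              "hardened:", hardened_validate(cert, "api.bank.example"))
```

The attacker's certificate is not forged; it is a perfectly valid certificate for a domain the attacker owns, which is all a MitM needs when the client skips the name check. Pinning the expected certificate or public key, which AFNetworking also supports, is the usual extra layer for banking apps, but it is no substitute for getting the basic check right.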
Fake antivirus delivered to users in the US via Fiesta exploit kit: Security researchers at Trend Micro discovered that cybercriminals have switched the payload delivered via the Fiesta exploit kit (EK) from crypto-malware such as TeslaCrypt to a fake antivirus program called “Antivirus Pro 2015” that disables Windows tools and software that could deactivate it, before requiring users to pay to remove the infection. Researchers reported that Fiesta EK distributors targeted the U.S. more than any other country in March.
New fileless malware found in the wild: Security researchers at Trend Micro discovered that a new fileless malware, dubbed Phasebot, uses Microsoft Windows PowerShell to evade detection and run components hidden in the Windows registry, contains an external module loader to add and remove functionalities on infected systems, and can execute numerous routines per the instruction of the bot administrator.
New ransomware “Threat Finder” delivered by Angler exploit kit: Security researchers at Rackspace discovered that a new piece of crypto-malware called Threat Finder has been distributed in drive-by attacks via Bedep malware downloaded by the Angler exploit kit (EK). The crypto-malware encrypts important file types including documents, media files, and database formats before asking affected users for bitcoin in exchange for the decryption key.
Pushdo spamming botnet gains strength again: Security researchers at Fidelis Cybersecurity reported that an updated version of the Pushdo botnet has infected systems in over 50 countries with the Fareit and Cutwail malware as well as the Dyre and Zeus banking trojans. The spamming botnet has been in operation since 2007 due to its frequently changing command and control (C&C) system that generates 30 domain names a day that infected computers can contact.
Data at risk for 9,000 individuals following unauthorized access to SRI Inc. website: Indiana-based SRI Incorporated notified approximately 9,000 individuals that their personal information, including tax identification numbers, bank account and routing numbers, and Social Security numbers, may have been exposed after new files were added to the software behind the company’s auction Web site, allowing unauthorized users to post and delete files. The company is investigating the incident and has removed all personal information from its system.
True Religion subcontractors charged with insurance fraud: The California Department of Insurance charged three subcontractors of True Religion Brand Jeans, who headed the garment factories Meriko Inc. and SF Apparel Inc., along with their accountant, with alleged workers’ compensation insurance fraud totaling over $11 million in losses. The group reportedly conspired to avoid paying workers’ compensation insurance premiums and underreported $78.5 million in payroll to several insurers, including the State Compensation Insurance Fund.
Russian hackers exploit Windows, Flash Player zero-day flaws in targeted attack: FireEye researchers reported a targeted attack, attributed to a Russian group dubbed APT28, that exploited a zero-day vulnerability in Adobe Flash Player to gain code execution on the victim’s system and then chained it with a zero-day privilege escalation flaw affecting Windows 7 and earlier versions of Microsoft’s operating system (OS) to gain higher privileges. Adobe released a patch addressing the Flash flaw in its current version of Flash Player, while Microsoft is working on a patch for the Windows flaw.
New variant of Upatre malware downloader integrates full SSL encryption: Cisco Talos researchers discovered new versions of the Upatre downloader that encrypt communication with command and control (C&C) servers, including a version that uses the secure sockets layer (SSL) cryptographic protocol to hide the type of data flowing between the infected client and the C&C server. The new version downloads its payload in the background over the encrypted channel.
Ex-JPMorgan adviser charged in $20M fraud: A former JPMorgan Chase investment adviser was arrested and charged April 16 for allegedly stealing $20 million from at least 7 customers between 2011-2015 by withdrawing funds from client accounts and convincing others to invest large sums in supposed low-risk municipal bonds in a JPMorgan account, which he instead used to obtain cashier’s checks that he deposited in brokerage accounts that he and his wife held and used for personal expenses. The adviser allegedly gave clients fraudulent account statements and shifted funds between accounts to avoid discovery.
SEC charges 10 individuals in scheme to sell stock in blank check companies secretly bound for reverse mergers: The U.S. Securities and Exchange Commission charged 10 individuals April 16 for their roles in a scheme in which they allegedly collected about $6 million through penny stocks offered via undisclosed “blank” check companies bound for reverse mergers which they misrepresented to the public as startups with false business plans.
Pawn Storm cyberspies still at work, target NATO and the White House: Security researchers at Trend Micro reported that the threat actors behind the Pawn Storm cyber-espionage operation are concentrating attacks on the North Atlantic Treaty Organization (NATO) and White House personnel in the U.S., in addition to government and military officials and media companies. The attacks seek to compromise targets’ computers and Microsoft Outlook accounts via spear-phishing emails and compromised Web sites that deliver the SEDNIT/Sofacy trojan.
Flash Player bug allows video, audio recording without user consent: A security researcher from Klikki Oy discovered a vulnerability in versions of Adobe Flash Player prior to the April 2015 security update in which an information disclosure flaw could be leveraged to send audio and/or video streams captured from victims’ devices to remote locations controlled by attackers. The flaw is related to a separate double-free vulnerability that could allow an attacker to execute arbitrary code on the affected system.
1 in 4 employees enable cloud attacks: CloudLock released research from a study of over 750 million files, 77,500 apps, and 6 million users in the cloud that concludes nearly 1 in 4 employees violate corporate data security policy in public cloud applications, culminating in an average of 4,000 instances of exposed credentials in each organization, among other findings.
Users warned of serious flaw in deprecated Cisco Secure Desktop feature: Cisco released a security advisory warning of a high severity command execution vulnerability affecting Cisco-signed Java Archive (JAR) executables in Cache Cleaner for Cisco Secure Desktop that could allow an unauthenticated attacker to run arbitrary commands on affected systems. The company deprecated the Cache Cleaner product over 2 years ago and advised users to transition to the Cisco Host Scan standalone package.
D-Link failed to patch HNAP flaws in routers: Researcher: D-Link published security advisories for multiple router models that identify vulnerabilities related to the Home Network Administration Protocol (HNAP) that could allow unauthenticated attackers to inject commands through HNAP requests, leverage flaws to gain access to information on hosts connected to the network, change system settings, and reset the devices to factory settings. D-Link is working on fixing the flaws through additional firmware updates.
PCI SSC releases version 3.1, eschews SSL, early TLS: The Payment Card Industry Security Standards Council (PCI SSC) announced with the release of PCI Data Security Standard (PCI DSS) Version 3.1 that secure sockets layer (SSL) and early versions of transport layer security (TLS), in particular TLS 1.0, are no longer considered strong cryptography and must be replaced by current TLS versions, citing weaknesses identified in SSL by the National Institute of Standards and Technology that could put payment data at risk. The change also followed browser-facing attacks that exploited SSL/TLS vulnerabilities, such as POODLE and BEAST.
POS threat ‘Punkey’ allows additional malware download for greater access: An investigation by the U.S. Secret Service and Trustwave researchers discovered a new point-of-sale (POS) malware threat resembling NewPosThings that utilizes advanced encryption standard (AES) encryption with an embedded key, and has the capability to download additional malware on affected systems. Authorities revealed that up to 75 unique POS terminals may be infected with the malware.
IBM’s X-Force Exchange to make decades worth of cyber-threat data public: IBM announced that it will release a raw cyber-threat database of over 700 terabytes to cyber-threat data and intelligence companies, including malware threat data from 270 million computers and devices, 25 billion Web pages and images, and spam and phishing emails, in an initiative called X-Force Exchange, which seeks to help companies mobilize against ongoing threats.
FBI offering reward for info leading to capture of ‘North Hills Bandits’ bank robbery suspects: The FBI is offering a $10,000 reward for information leading to the arrest of 2 robbery suspects, dubbed the “North Hills Bandits,” who have carried out armed robberies at 3 banks in the North Hills area of Pittsburgh since January. FBI agents reported that the suspects appeared to have prior firearms training and used a different vehicle in each robbery.
HSBC Finance Corporation exposes mortgage account info: HSBC Finance Corporation notified at least 1,000 mortgage account customers in States including New Hampshire, California, Maine, Massachusetts, and Alabama, that the company inadvertently published names, Social Security numbers, account numbers, and other personal data in a breach that was discovered March 27. The data was immediately secured following the discovery, law enforcement was notified, and HSBC offered all impacted customers a free one-year subscription to Identity Guard services.
Current threat prevention systems are not enough protection for enterprises: Findings from a recent study in automated breach detection carried out by security researchers at Seculert revealed that gateway solutions at participating Fortune 2000 enterprises only blocked 87 percent of communications from compromised devices within their networks. The report also found that about 2 percent of devices in organizations were compromised by malware while nearly 400,000 interactions that were generated went undetected, among other findings.
Company employees not sufficiently trained to avoid phishing, study finds: A survey commissioned by Intel Security of 700 respondents in businesses across multiple continents revealed that 38 percent of information technology and security professionals believe vulnerability to social engineering is a significant factor in the success of attacks and that threat actors’ use of multiple attack vectors, exploits, and payloads makes defending against attacks difficult, among other findings.
TeslaCrypt ransomware pushed by several exploit kits: Security researchers discovered that threat actors are distributing a new ransomware called TeslaCrypt via the Angler, Sweet Orange, and Nuclear exploit kits (EKs), which encrypts the typical assortment of file types along with those related to video games and game-related software, and iTunes-related files. Users have been targeted via redirects to compromised WordPress Web sites and hosts running vulnerable out-of-date Adobe Flash plugins.
Users in the U.S. targeted with ransomware via tax return-flavored emails: Security researchers at Kaspersky Lab identified a phishing scheme in which cybercriminals send emails purportedly from the U.S. Internal Revenue Service regarding tax refunds which contain rigged Microsoft Word files that download a trojan once macros are enabled. The trojan blocks access to the Internet and demands payment to a short message service (SMS) number via prepaid cards.
Police link man arrested in D.C. bank robbery to Black Hat Bandits: Court documents unsealed April 14 revealed that a man charged in the March 13 robbery of a Wells Fargo bank branch in Washington, D.C., confessed to 8 other bank robberies perpetrated by the “Black Hat Bandits” gang throughout Virginia and Maryland since January. Authorities are seeking other suspects linked to the nine robberies.
Victim of cyber-attack replies with own backdoor: Security researchers at Kaspersky Lab reported that they observed two cyberespionage advanced persistent threat (APT) groups called Hellsing and Naikon engage in deliberate APT-on-APT attacks through spear-phishing emails containing custom malware, signaling a potential new trend. Hellsing was previously linked to other APT groups and the group has targeted diplomatic organizations in the U.S.
Adobe fixes Flash Player zero-day exploited in the wild: Adobe released a new version of Flash Player for Windows, Macintosh, and Linux that addresses 22 critical vulnerabilities, including one that is exploited in the wild and could lead to code execution and an attacker taking control of the affected system. A security bypass vulnerability that could lead to information disclosure and memory leak flaws that could be leveraged to bypass address space layout randomization (ASLR) also received fixes.
With latest patches, Oracle signals no more free updates for Java 7: Oracle released patches addressing 14 vulnerabilities in Java as part of a 98 security-issue fix that covered multiple product lines and marked the end of free Java 7 updates. Three of the Java vulnerabilities were high severity and could be exploited over networks without authentication and could lead to a complete compromise of affected systems’ confidentiality and integrity, and 12 others could be exploited from the Web through the Java browser plug-in.
Google fixes 45 security flaws with release of Chrome 42: Google released Chrome 42 for Windows, Mac, and Linux, which included fixes for 45 security issues including a cross-origin bypass flaw in the HTML parser, a type confusion in V8, a use-after-free vulnerability in inter-process communication (IPC), and an out-of-bounds write bug in the Skia graphics engine, among others. The update also removed support for the Netscape Plugin Application Programming Interface (NPAPI).
Microsoft Patch Tuesday April 2015 closes 0-day holes: 4 of 11 patches rated critical: Microsoft released 11 security bulletins that address 26 vulnerabilities, including critical remote code execution (RCE) flaws in Microsoft Office, a critical RCE vulnerability in HTTP.sys that could allow an attacker to use a malicious HTTP request to Windows Server to gain full remote control of a system, and 9 critical security holes in Internet Explorer, among others.
Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches: Findings from Verizon’s recently released annual Data Breach Investigations Report revealed that the top industries affected by data breaches in the last year were public administration, financial services, manufacturing, accommodations, and retail, and that over two-thirds of cyberespionage incidents since 2013 involved phishing attacks. The report also determined that banking information and credentials were the most common records stolen, among other findings.
Ex-Assembly speaker’s son-in-law charged in $7M Ponzi scheme: A New York investment manager and co-owner of Allese Capital was charged April 13 with defrauding investors out of $7 million in a Ponzi scheme in which he allegedly solicited securities trading investments from 2009 – 2014, and only invested portions of the funds, while using the remainder for his own benefit and to repay other investors.
Alleged creator of Svpeng Android malware arrested in Russia: Russia’s Ministry of Internal Affairs reported April 11 that the suspected developer of the Svpeng Android trojan along with 4 co-conspirators calling themselves “The Fascists” who had allegedly used the trojan to steal money from bank accounts in the U.S. and Europe were arrested. The malware employs a combination of short message service (SMS) hacking, phishing Web pages, credential logging, and ransomware to access victims’ accounts and funds.
Vulnerabilities identified in NY banking vendors: The New York State Department of Financial Services released a report on cyber security in the banking sector April 9 which revealed that one in three New York banks are neglectful of information security relating to third-party vendors and are vulnerable to backdoor access by those looking to steal data as a result. One in three banks interviewed did not require vendors to notify them in the event of a data breach, and only half had strategies prepared for breach scenarios, among other findings.
Misconfigured DNS servers vulnerable to domain info leak: The U.S. Computer Emergency Readiness Team (US-CERT) released a security statement warning that misconfigured, public-facing domain name system (DNS) servers that answer full zone transfer (AXFR) requests from anyone are vulnerable to system takeovers, redirects to spoofed addresses, and denial-of-service (DoS) attacks from unauthenticated users via DNS zone transfer requests. Research from Alexa revealed that over 72,000 domains and 48,000 nameservers were affected by the issue.
18-year-old bug can be exploited to steal credentials of Windows users: A Cylance researcher identified a new technique for exploiting an 18-year-old flaw in Windows Server Message Block (SMB) in all versions of Windows operating systems (OS) which allows attackers to intercept user credentials by hijacking communications with legitimate Web servers via man-in-the-middle (MitM) attacks that redirect them to malicious SMB servers, revealing victims’ usernames, domains, and hashed passwords.
Attackers use deceptive tactics to dominate corporate networks: Symantec released research revealing that spear-phishing attacks on corporations increased by 8 percent in 2014, and that email and social media had remained significant attack vectors. Researchers also found that software companies took an average of 59 days to release patches and that 24 zero-day vulnerabilities were discovered in 2014, among other findings.
Attackers can easily crack Belkin routers’ WPS PINs: A security researcher discovered that 80 percent of Belkin routers tested generated Wi-Fi Protected Setup (WPS) PINs based on the device’s own MAC addresses and serial numbers, leaving them vulnerable to discovery by attackers using unencrypted request/response packets via Wi-Fi probes.
Attacks against SCADA systems doubled in 2014: Dell: Dell revealed in its annual threat report that attacks against supervisory control and data acquisition systems (SCADA) doubled in 2014, including 51,258 attacks in the U.S., and that the attacks tended to be political in nature and targeted operational capabilities within power plants, factories, and refineries primarily in Finland, the U.K., and the U.S. The report found that 25 percent of the attacks witnessed exploited buffer overflow vulnerabilities followed by improper input validation and information exposure.
Mt. Pleasant woman admits opening fake accounts, stealing cash at Alpena bank: A former branch manager and personal banker at Citizens Bank in Alpena pleaded guilty to embezzlement and filing false tax returns April 9 after a U.S. Internal Revenue Service investigation revealed that she allegedly stole over $300,000 from 2010 – 2011 by opening bank accounts in fictitious names and transferring funds to them from certificates of deposit held by elderly and deceased customers.
Feds bust 40 suspects in ID theft-fraud takedown in South Florida: Miami officials reported April 9 that 42 individuals were charged in connection to various identity-tax refund, credit card, debit card, and Social Security fraud schemes in which the suspects allegedly used thousands of stolen identities to try to collect about $22 million in tax refunds and other government benefits from the U.S. Department of the Treasury, Florida, and other States. The suspects were paid out $3.2 million through the schemes.
Law enforcement, security firms team up to disrupt Simda botnet: U.S. and European agencies along with private security firms collaborated with Interpol to disrupt the Simda botnet by seizing 14 command and control (C&C) servers throughout the Netherlands, U.S., Poland, Luxembourg, and Russia. The malware is usually delivered via exploit kits (EK) and is often used for the distribution of malware and potentially unwanted applications (PUA), and has infected over 770,000 computers worldwide over the past 6 months.
Chinese hacker group among first to target networks isolated from internet: FireEye released findings in a technical report that identify a hacker group called Advanced Persistent Threat (APT) 30 as one of the first to target air-gapped networks with malware that has infected defense-related clients’ systems worldwide, utilizing custom-made malware components with worm-like capabilities that can infect removable drives such as USB sticks and hard drives.
New Shellshock worm seeks vulnerable systems at tens of thousands of IPs: Security researchers at Volexity observed that cybercriminals had amassed 26,356 internet protocol (IP) addresses belonging to systems vulnerable to the Shellshock bug in the Bash command shell found in many Linux and Unix systems, which allows attackers to execute arbitrary commands by appending them after a function definition inside an environment variable. Scanning for vulnerable systems has since decreased and the malicious files were removed from the IP address hosting them.
Siemens patches DoS, other vulnerabilities in SIMATIC HMI products: Siemens began releasing security updates addressing several vulnerabilities in its SIMATIC HMI (human-machine interface) devices which include allowing attackers positioned between the HMI panel and programmable logic controller (PLC) to cause a denial-of-service (DoS) condition and intercept or modify industrial communication by sending specially crafted packets on transmission control protocol (TCP) port 102. Additional vulnerabilities include the ability to launch a man-in-the-middle (MitM) attack, and a flaw that allows users to authenticate themselves with password hashes instead of full passwords.
SEC announces fraud charges against former accounting executive at Japanese subsidiary: The U.S. Securities and Exchange Commission charged the former controller of Lisle-based Molex Japan Co. Ltd., a Japanese subsidiary of Molex Incorporated, with fraud April 9 after he allegedly caused the company $201.9 million in net losses through unauthorized equity trading in the company’s brokerage accounts, which he tried to conceal by falsifying records and taking out unauthorized loans with Japanese banks and brokerage firms to replenish the funds and engage in further trading.
SEC halts microcap scheme in South Florida: The U.S. Securities and Exchange Commission announced fraud charges and an asset freeze April 9 against the CEO and 3 sales agents of Boca Raton-based eCareer Holdings, Inc., in a microcap scheme in which they allegedly defrauded over 400 investors out of more than $11 million since 2010 by selling unregistered stock shares in the company, falsely advertising the shares as a profitable investment, and concealing the exorbitant fees being paid to the sales agents.
Federal agency sues collectors of “phantom debt”: The Consumer Financial Protection Bureau unsealed a March 26 lawsuit April 9 against two Georgia men, co-conspirators, and 7 debt collection companies following allegations that the firms used cold calls to convince millions of consumers to pay debts they did not owe through tactics that involved purchasing personal information such as bank account numbers from data brokers. A telemarketing company and several payment processing companies were also charged in the scheme.
OS X 10.9.x and older vulnerable to hidden backdoor API: A Swedish security researcher discovered a hidden backdoor application programming interface (API) present in the Admin framework of Apple OS X versions prior to 10.10.2 that could allow attackers holding either an admin or a regular user account to gain root access. Apple patched the issue in its release of OS X 10.10.3.
United States, South Africa most affected by Changeup worm: A task force of European and American law enforcement organizations and private security companies including Intel, Kaspersky, and Shadowserver took action to disrupt the Changeup worm botnet and sinkhole its command-and-control (C&C) servers. The worm morphed every few hours and leveraged a LNK vulnerability in Windows to infect approximately 30,000 systems in early 2015, and downloaded other pieces of malware including banking trojans, click-fraud programs, crypto-malware and other botnet threats.
Cisco threat defense tool vulnerable to DoS attack: Cisco released a security advisory that a flaw in the company’s ASA FirePOWER and Context Aware (CX) Services can be exploited to allow attackers to cause denial-of-service (DoS) conditions by sending a high rate of crafted packets to the services’ management interface. Cisco released updates for the products addressing the issues as well as three additional related glitches.
Group uses over 300,000 unique passwords in SSH log-in brute-force attacks: Security researchers from Cisco Talos Group and Level 3 Communications collaborated to monitor and take down netblocks being used by a group of cybercriminals dubbed SSHPsychos to run large amounts of scanning traffic, utilizing a dictionary to find root user log-in credentials and install distributed denial-of-service (DDoS) rootkits that add compromised systems to a persistent DDoS botnet.
I-78 traffic stop nets wanted man with 75 fake credit cards in pants, police say: A New York man was arrested and charged April 7 after Pennsylvania State Police officers found 75 fake credit cards in his possession during a traffic stop on Interstate 78 in Lehigh County. The man was sent to the county jail and will be extradited to New York due to a separate warrant.
4 Miami residents indicted in international mortgage fraud scheme: The U.S. Attorney’s Office for the Southern District of Florida announced the indictment of 6 individuals and 3 companies April 8 in reference to an international mortgage fraud scheme in which the individuals allegedly used fraudulent loan applications and other documents to apply for over $9 million in mortgage loans from Chevy Chase Bank, JP Morgan Chase Bank, and Washington Mutual Bank for residential properties in Miami-Dade and Palm Beach counties from October 2004-May 2007.
Over 100 forum websites foist poorly detected malware: Security researchers at Cyphort discovered a supposed click-fraud campaign that exploits Web forums running outdated versions of vBulletin or IP Board software to use malicious code to direct visitors to a landing page hosting the Fiesta exploit kit (EK) to deliver Gamarue and FleerCivet malware that steals information and injects backdoor trojans. The malware ensures persistence by avoiding virtual environments and disabling security settings on compromised systems, and exploits vulnerabilities found in Internet Explorer and in Adobe Flash Player version 22.214.171.1246 and earlier.
Apple iOS 8.3 includes long list of security fixes: Apple released iOS 8.3 for iPhone and iPad users patching over three dozen vulnerabilities, including flaws in the mobile operating system’s kernel, several bugs in WebKit, and a number of code-execution bugs.
Deadly combination of Upatre and Dyre trojans still actively targeting users: ESET researchers discovered that an email campaign targeting users worldwide utilizes a combination of the Upatre (Waski) downloader and Dyre/Dyreza banking trojans delivered via simple spam emails to gain information about compromised systems and intercept online banking credentials. Researchers believe that the scheme is part of the larger, previously discovered Dyre Wolf campaign that has targeted businesses around the world.
Google Chrome extension criticized for data collection: Security researchers at ScrapeSentry and Heimdal Security reported that the Webpage Screenshot Google Chrome third-party extension contained malicious code that allowed for copies of all browser data to be sent to a server in the U.S. Google removed the extension from the Chrome Web Store, and Webpage Screenshot claimed that the information was only used for marketing and development purposes.
Two NTP key authentication vulnerabilities patched: The Network Time Protocol (NTP) project patched two vulnerabilities that allowed attackers to leverage symmetric key authentication flaws to bypass message authentication code (MAC) checks and send forged packets to clients. The second vulnerability utilized symmetric key authentication to create denial-of-service (DoS) conditions when peering hosts receive packets with mismatched timestamps.
Troopers arrest Warwick man for embezzling $142K from manufacturer: Rhode Island State Police charged a Warwick man with embezzling $142,114.31 from United States Associates, LLC April 6 following allegations that the suspect was stealing and selling company inventory and keeping the proceeds for himself. An investigation found that the man was receiving checks from one of the company’s customers who had been ordering directly from him.
SEC charges L.A.-based Pacific West Capital Group with fraud in sale of life settlement investments: The U.S. Securities and Exchange Commission charged Los Angeles-based Pacific West Capital Group Inc., and its owner April 7 with fraud in the sale of life settlement investments for failing to disclose risks associated with the investments and for using the proceeds from the sale of new life settlements to continue funding previously sold investments, raising over $100 million from investors. Ohio-based PWCG Trust and five Pacific West sales agents were also charged in the scheme.
SEC files fraud charges against former Syracuse star, New York Giant player: The U.S. Securities and Exchange Commission filed civil fraud charges April 6 against a former National Football League player, his business partner, and Capital Financial Partners investment firms in connection to an alleged Ponzi scheme in which the pair paid out about $20 million to investors while receiving only around $13 million in loan repayments, covering the approximately $7 million shortfall with other investors’ money instead of profits from the investments. The pair also misled investors about the terms and existence of loans and used some funds to cover personal expenses.
Stored XSS glitch in WP-Super-Cache may affect over 1 million WordPress sites: Security researchers from Sucuri discovered a cross-site scripting (XSS) vulnerability in WP-Super-Cache plug-in versions prior to 1.4.4 for WordPress sites that could allow attackers to add new administrator accounts to the Web sites or inject backdoors due to improper sanitization of information originating from users. The plugin currently has over 1 million active installations and developers released a new version repairing the issue.
New evasion techniques help AlienSpy RAT spread Citadel malware: Fidelis researchers reported that hackers have co-opted the AlienSpy remote access tool (RAT) and are spreading it via phishing messages to deliver the Citadel banking trojan and establish backdoors inside a number of critical infrastructure operations, including technology companies, financial institutions, government agencies, and energy companies. The tool has the capability to detect whether it is being executed inside a virtual machine, can disable antivirus and other security tools, and employs transport-layer security (TLS) encryption to protect communication with its command-and-control (C&C) server.
Widespread outages hit Windows 8/8.1 Metro Mail, Windows Live Mail, Windows Phone 8.1 mail: Microsoft reported that its Windows 8 and 8.1 Metro Mail, Windows Live Mail, and Windows Phone 8.1 Mail clients were experiencing widespread outages for at least 6 hours April 8 that prevented the syncing and sending of email, and that the issue is expected to be resolved within 24 hours.
Majority of critical infrastructure firms in Americas have battled hack attempts: Survey: A report released by Trend Micro and the Organization of American States revealed that in the last year 40 percent of 575 security leaders throughout critical infrastructure sectors dealt with attempts to shut down their networks, while 44 percent faced attempts to delete files, and 60 percent faced hacking attempts aimed at stealing vital information. The survey also found that 54 percent of organizations dealt with attempts of equipment manipulation through control networks or systems.
Fake downloads for Android vulnerability scanner lead to persistent ads: Security researchers at Trend Micro identified three fraudulent Web sites that claim to provide a tool to scan for previously-identified Android Installer hijacking vulnerabilities, which instead redirect users to risky locations that display persistent ads and install Android application package (APK) files on devices automatically.
Lazy remediation leaves most Global 2000 firms vulnerable after Heartbleed Flaw: Report: Venafi released new research revealing that as of April 2015, 74 percent of 1,642 Global 2000 organizations with public-facing systems vulnerable to the Open Secure Socket Layer (OpenSSL) Heartbleed flaw failed to fully remediate the risks around the flaw despite warnings and guidance. The study also found that 85 percent of the organizations’ external servers were still vulnerable and that 580,000 hosts belonging to them were not completely remediated.
Drive-by-login attack identified and used in lieu of spear phishing campaigns: Security researchers at High-Tech Bridge reported that attackers are increasingly utilizing drive-by-login attacks that target specific visitors to infected Web sites with vulnerabilities that they can leverage to install backdoors that deliver malware directly to users. Researchers believe that these types of attacks are likely to be used in Advanced Persistent Threat (APT) campaigns and could eventually replace phishing attacks.
Simple FedEx email slips malware on the computer: Researchers discovered a FedEx phishing campaign that relies on the curiosity of victims to open an attachment in an email purportedly from the company which installs a malware dropper that can steal sensitive data from the system or add it to a network of compromised computers.
Word documents with scrambled text deliver banking trojan in the background: Security researchers from Cisco’s Talos research group discovered a new variant of the Dridex banking trojan being delivered via incomprehensible malware-laden Microsoft Word documents that trick users into enabling macros before using PowerShell to download and execute the trojan from a hard-coded IP address. The malware campaign lasted for less than 5 hours before antivirus solutions responded.
Dell System Detect flagged as a risk by antivirus product: Malwarebytes added Dell’s System Detect tool to its list of potentially unwanted programs (PUPs) due to a serious remote code execution vulnerability in older versions that attackers could exploit by initiating requests from Web sites containing a “dell” string to download and launch files following an easily bypassed authentication process. Dell mitigated the vulnerability in an update released during the week of March 30.
Angler Exploit Kit now relies on more successful infection tactics: Security researchers from Zscaler’s Threat Lab identified an evolution in the Angler Exploit Kit (EK) in which attackers are utilizing 302 Cushioning and domain shadowing as infection vectors, in addition to typical malvertising that targets users with outdated browser plug-ins. Researchers believe that the malware dropped by Angler EK in recent attacks was a Carberp family banking trojan.
American Express card info exposed to cybercriminals: A law enforcement investigation revealed that financial and personal information, including the Social Security numbers of at least 500 California residents was revealed to unauthorized persons. The company notified affected account holders while authorities investigate the circumstances surrounding the breach.
Va. Beach employee had accidental access to millions: The city of Virginia Beach revealed a potential security breach April 3 in which Bank of America gave a city employee setting up a petty cash and small expenses account access to nine municipal bank accounts containing millions of dollars for 5 – 6 years. Authorities do not suspect that any of the accounts were compromised.
Police: Men stole more than $65,000 from ATM: Warwick police arrested 2 suspects April 4 who allegedly skimmed more than $65,000 from a Greenwood Credit Union ATM in March affecting more than 125 credit union customers. Authorities believe that the pair may have skimmed other East Coast ATMs.
Boise police see flurry of credit card and retail fraud cases: Boise police reported April 3 that 7 suspects from 4 different traveling credit fraud groups were arrested beginning March 27. Investigators recovered over $33,000 in illegally obtained merchandise and approximately 156 fraudulent credit cards after retail employees reported suspicious activity to authorities.
Google certificate expires, email clients return security warnings: An expired intermediate certificate signed by Google Internet Authority G2 for Simple Mail Transfer Protocol (SMTP) in Google’s Gmail resulted in users receiving error messages on outgoing email activity for over 2 hours April 4. The company renewed the certificate through December 2015.
Flaw in Schneider Electric VAMPSET software allows arbitrary code execution: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an advisory stating that Schneider Electric’s VAMPSET software is vulnerable to stack-based and heap-based buffer overflow attacks that can be exploited to execute arbitrary code via malformed VAMPSET disturbance recording files on the affected systems. The company released an update fixing the issue and advised organizations that use the software to leverage User Account Control (UAC) features and employ best security practices.
WordPress, Joomla sites infected with malicious Flash file: Security researchers at Sucuri discovered that several hundred Web sites running WordPress or Joomla content management systems (CMS) have been attacked since November 2014 with malicious one-pixel-large small web format (SWF) files containing hidden iframe code that directs users to Web sites hosting malware such as exploit kits.
New MS Word exploit kit adds statistics tool to track success of the campaign: Security researchers at FireEye discovered a Web-based tool called MWISTAT released in December 2014 that allows cybercriminals using the Microsoft Word Intruder (MWI) exploit kit to track details about rigged Microsoft Word documents including Internet Protocol (IP) addresses and user-agents of victims, payloads requested and served, and the version of Microsoft Word used to open the file. The malware has reportedly affected over 1,400 users worldwide in 2 separate spam campaigns.
Auto loan company founders accused of $11M fraud: The two founders of now-defunct Iofin Inc., in Rockland were charged with mail fraud, wire fraud, and conspiracy April 2 for allegedly defrauding investors out of over $11 million by luring them to roll their retirement plans into investment accounts to fund company operations from 1998 – 2011, despite lacking government approval to oversee retirement funds. Almost all of the investors’ funds were lost when the company went bankrupt.
Four charged in international Uganda-based cyber counterfeiting scheme: Four suspects were indicted April 2 on charges relating to their roles in a Uganda-based international conspiracy in which they allegedly manufactured, advertised, bought, and sold over $1.4 million in counterfeit U.S. Federal Reserve Notes worldwide via “dark Web” criminal online forums that they created from 2013 – 2014.
Mozilla revokes trust for CNNIC certificates: A spokesperson at Mozilla announced that the company will no longer allow its products to recognize digital certificates issued by the China Internet Network Information Center (CNNIC), following an incident during the week of March 23 in which an intermediate certificate authority (CA) operating under CNNIC issued a number of unauthorized digital certificates for Google domains. The company will also ask CNNIC to provide a list of current valid certificates to make public.
DoS vulnerabilities patched in Cisco Unity Connection: Cisco patched several vulnerabilities in its Unity Connection in which attackers could have caused denial-of-service (DoS) conditions on systems configured with Session Initiation Protocol (SIP) trunk integration by exploiting flaws in the Connection Conversation Manager (CuCsMgr), a flaw in the handling of abnormally terminated SIP conversations, and a resource allocation flaw that can allow attackers to block all SIP connection lines.
IBM uncovers new, sophisticated bank transfer cyber scam: Security researchers at IBM discovered a sophisticated fraud scheme dubbed “The Dyre Wolf” in which cybercriminals infect users’ systems with the Dyre malware to trick individuals into initiating large wire transfers with criminals posing as bank employees over the phone, before moving the funds from bank to bank and using denial-of-service (DoS) attacks to avoid detection. The scheme has caused losses of over $1 million from multiple large- and medium-sized companies in the U.S.
Fourth member of international computer hacking ring pleads guilty to hacking and intellectual property theft conspiracy: An Indiana man pleaded guilty to charges surrounding his role in an international hacking ring that gained unauthorized access to computer networks of companies including Microsoft Corp., Epic Games Inc., Valve Corporation and Zombie Studios, and stole unreleased software, source code, trade secrets, copyrighted works and financial and other sensitive information. The hacker admitted to transmitting approximately 11,266 log-in credentials from one company, and total losses from the scheme were estimated to range from $100 – $200 million.
Broward man committed securities fraud linked to Ponzi scheme, jury finds: A Broward man was found guilty of securities fraud April 1 for his role in a scheme in which he raised more than $157 million from at least 150 investors through 2 private investment funds, and purchased non-existent, legal settlements from a Fort Lauderdale attorney that was convicted of running a $1.4 billion Ponzi scheme.
‘Black Cap Bandit’ sought in 5 bank robberies, FBI says: The FBI is offering a reward for information leading to the capture of a suspect dubbed the Black Cap Bandit who is believed to be connected to 5 robberies at TCF Bank and Standard Bank branches in the Chicago area from September – December 2014.
N.Y. lawyer charged for alleged role in scheme over Maxim magazine: A former New York lawyer at Bryan Cave LLP was charged April 1 for his alleged role in a conspiracy with a former United Parcel Service Inc. executive’s son that defrauded investors out of more than $8 million and attempted to secure another $20 million to finance the purchase of Maxim magazine by making misrepresentations to various lenders. The former executive’s son pleaded guilty to related charges in November 2014.
Customs: $730K in fake checks, money orders smuggled into JFK: U.S. Customs and Border Protection officers at New York’s John F. Kennedy International Airport seized 516 counterfeit bank and money orders totaling $732,585 in a shipment from the Ivory Coast over the weekend of March 28. The officers deemed the documents fake after noticing that they lacked the necessary security features found in legitimate monetary instruments.
Google decides to stop trusting CNNIC certificates: Google security engineers announced that the company would no longer allow its Chrome Web browser to recognize digital certificates issued by the China Internet Network Information Center (CNNIC), following an incident during the week of March 23 in which an intermediate certificate authority (CA) operating under CNNIC issued a number of unauthorized digital certificates for Google domains.
Researchers spot 64-bit version of NewPosThings Trojan: Security researchers at Trend Micro identified a new 64-bit version of the NewPosThings point-of-sale (PoS) malware that infects systems by collecting passwords for virtual network computing (VNC) software and disabling operating system security warnings for certain file extensions, and collects user inputs and payment card information via memory scraping. Experts discovered command and control (C&C) servers used by the trojan associated with internet protocol (IP) addresses at two U.S. airports.
Swiss asset manager pleads guilty in U.S. over tax dodge scheme: A Swiss asset manager from an unidentified firm pleaded guilty March 31 to conspiring to defraud the U.S. and the Internal Revenue Service in a scheme in which he and a Zurich-based lawyer who pleaded guilty in 2013 helped U.S. clients hide millions of dollars in offshore accounts in at least 5 Swiss banks and established accounts under the names of Liechtenstein-based sham foundations that they had created.
WordPress sites compromised to redirect to Pirate Bay clone, exploit kit: Security researchers at Malwarebytes identified a malware campaign that uses an unknown number of compromised WordPress Web sites containing iframes that direct users to a site hosting the Nuclear exploit kit, which leverages an Adobe Flash Player vulnerability in versions before 126.96.36.1997 to download a banking trojan.
Firefox 37 fixes critical flaws, adds OneCRL certificate revocation mechanism: Mozilla released an update for its Firefox browser that addresses several critical vulnerabilities, including two type confusion flaws, two memory corruption crashes, a use-after-free error, and memory safety hazards that could have allowed attackers to run arbitrary code on users’ systems. Firefox version 37 also includes OneCRL, a feature that allows developers to update the list of revoked certificates without pushing a new application update.
Google bans 192 bad extensions affecting 14 million Chrome users: Google removed 192 extensions from its Web store that contained ad injectors that exposed up to 14 million users to risks of man-in-the-middle (MitM) attacks and links to install dangerous software, after researchers at the University of California, Berkeley devised a method to root out potentially malicious extensions. Findings from a recent Google study confirmed that 5 percent of all visitors to Google sites have ad injectors present on their systems, and that 34 percent of Chrome extensions that contained ad injectors were classified as malware.
AmEx Black Card members are more likely targets for fraud: Forter released results of a year-long study of hundreds of thousands of transactions worldwide March 30, in which they found that holders of American Express Co.’s Centurion Card are nearly twice as likely to be targets of credit card fraud as other basic credit card holders, due to their higher perceived market value.
Anonymous proxies used for “Shotgun DDoS” attacks: Security researchers at Incapsula released findings from a one-month study revealing that 20 percent of all Layer 7 application layer distributed denial-of-service (DDoS) attacks from January – February were “Shotgun DDoS” attacks carried out through anonymous proxies to bypass mitigation systems by spreading the attack across multiple IP addresses and multiple geo-locations. Approximately 45 percent of the incidents originated from addresses in the Tor anonymity network and 60 percent of them employed the Tor’s Hammer denial-of-service (DoS) tool, which carries out low-and-slow HTTP POST attacks.
Trojan Laziok used for reconnaissance in the energy sector: Security researchers from Symantec identified new information-stealing malware, dubbed Laziok, that was observed targeting users in the petroleum, gas, and helium industries worldwide. It is delivered via a malicious Microsoft Excel file that exploits a buffer overflow vulnerability allowing remote code execution, and downloads custom variants of the Cyberat and Zbot malware from servers in the U.S., United Kingdom, and Bulgaria.
Lebanese cyberespionage campaign hits defense, telecom, media firms worldwide: Security researchers at Check Point Software Technologies discovered that a cyberespionage group has hacked into hundreds of defense contractor, telecommunications operator, media group, and educational organization networks in at least 10 countries in ongoing attacks that began in late 2012. The attackers detect vulnerabilities and use Web shells to compromise affected servers, deploying on servers running Microsoft’s IIS software a sophisticated custom-made trojan called Explosive that can infect servers and systems on networks and can spread via USB mass storage devices.
eBay fixes file upload and path disclosure bugs: eBay addressed two security vulnerabilities on its Web site that allowed attackers to upload malicious files, including executables, disguised as images that could be used in drive-by download attacks, by leveraging poor header checks and eBay server return messages that disclosed exact file paths.
SEC announces fraud charges against investment adviser accused of concealing poor performance of fund assets from investors: The U.S. Securities and Exchange Commission charged an investment adviser and her New York-based Patriarch Partners firms with fraud March 30, for allegedly hiding the poor performance of loan assets in 3 collateralized loan obligation funds and collecting almost $200 million in illegitimate fees from investors.
Massive DDoS against GitHub continues: Systems engineers at GitHub reported that complex, large-scale distributed denial-of-service (DDoS) attacks against the company’s servers that started March 26 are ongoing but that all of the Web site’s services are available to users. Security researchers from Insight Labs traced the start of the attack to advertising and visitor tracking provided by the Chinese search engine Baidu.
U.S. offers $3 million reward for alleged Russian cybercriminals: The U.S. Department of State announced rewards totaling $3 million March 26 for information leading to the arrest or conviction of 2 Russian nationals believed to be key members in the Carder.su operation, in which participants created and trafficked identification documents and payment cards and perpetrated financial fraud and identity theft, causing losses of at least $50 million. Thirty members involved in the operation have been convicted and 25 remaining are fugitives or pending trial.
FINRA fines Oppenheimer $3.75M in employee fraud case: The Financial Industry Regulatory Authority issued a $3.75 million fine to Oppenheimer & Co., for failing to supervise and stop an employee from transferring $2.9 million of client funds to his own accounts or for use in excessive trades while he was under investigation for other fraud accusations, including a 2012 scheme in which he allegedly scammed a New York City Broadway show’s producers out of $20,000 after promising to raise $4.5 million from phony investors.
GitHub has been under a continuous DDoS attack in the last 24 hours: The GitHub Web site suffered a minor service outage March 26 and has been mitigating a sustained distributed denial-of-service (DDoS) attack on its servers that has lasted over 24 hours. Administrators reported that connectivity returned to normal after the attack was amplified March 27, and are continuing to monitor for any abnormalities.
GE fixes buffer overflow bug in DTM library: General Electric released a patch for a vulnerability in device type management (DTM) libraries affecting five Highway Addressable Remote Transducer (HART) digital communication devices deployed in various critical infrastructure areas, including one manufactured by MACTek. The vulnerability allows an attacker to execute arbitrary code by causing a buffer overflow in the product’s DTM and crashing the Field Device Tool (FDT) Frame Application.
DDoS attacks less frequent last year, more dangerous: San Francisco-based Black Lotus Communications released a report which found that the total number of distributed denial-of-service (DDoS) attacks declined steadily in 2014, but increased in packet size by 3.4 times in the third quarter, and in average attack size by 12.1 gigabits per second (Gbps) in the fourth quarter. The report also identified an increase in complex, hybrid network and application-layer attacks.
Thousands of hijacked WordPress sites redirect users to exploit kits: Security researchers at Germany’s Computer Emergency Response Team (CERT-Bund) discovered that at least 3,000 Web sites have been compromised by a local file inclusion (LFI) vulnerability in the Slider Revolution WordPress plugin that allows attackers to take control of sites by accessing and downloading files from the affected server. Many victims are directed to exploit kit landing pages including Angler and Fiesta which can inject various ransomware, fraud malware, and trojan malware into affected systems.
PayPal to pay $7.7 million in U.S. Treasury sanctions case: PayPal agreed to pay $7.7 million March 25 to settle U.S. Department of the Treasury charges for failing to adequately screen transactions for several years, resulting in 486 violations of sanctions programs against countries including Iran, Cuba, and Sudan, as well as for a specific Turkish national on the sanctions blacklist that had been tied to proliferators of weapons of mass destruction.
U.S. jury convicts former bank exec of securities fraud: The former chief operating officer of United Commercial Bank in San Francisco was convicted March 25 of several criminal counts, including securities fraud, for allegedly concealing the falling value of collateral used to secure the bank’s loans from auditors during the 2008 financial crisis.
Ohio businessmen convicted in sports drink investment scheme: Two Ohio businessmen were convicted March 25 of charges relating to a fraud scheme in which they used their sport drink company, Imperial Integrated Health Research and Development LLC, to defraud investors out of about $9 million and diverted investors’ funds for their personal use. The wife of one of the businessmen was also convicted on several charges which included filing a false income tax return and structuring financial transactions to evade currency reporting requirements.
Microsoft revokes rogue digital certificate for Google and other web domains: Microsoft updated its Certificate Trust List (CTL) for Windows operating systems and pushed automatic updates to revoke a certificate fraudulently issued by Egypt-based MCS Holdings. The fraudulent certificates affected several Google and other domains, and left Windows users vulnerable to Web content spoofing, phishing, and man-in-the-middle (MitM) attacks.
Apple customers lured to disclose Apple ID and card data: Security analysts at Bitdefender discovered a phishing scheme in which Apple device users are being targeted with emails that link to a hoax site requesting Apple ID credentials, personal information, payment card information, and a 3D Secure password. After users fill out the form, they are notified of a bogus two-factor authentication (2FA) process and are given an option to change their password.
Cisco fixes DoS vulnerabilities in IOS software: Cisco Systems released security updates patching 16 vulnerabilities in IOS and IOS XE software components including Autonomic Network Infrastructure (ANI), Common Industrial Protocol (CIP), multicast Domain Name System (mDNS), transmission control protocol (TCP), Virtual Routing and Forwarding (VRF), and Internet Key Exchange version 2 (IKEv2). The vulnerabilities allowed remote, unauthenticated attackers to trigger denial-of-service (DoS) conditions on targeted systems.
Default setting in Windows 7, 8.1 could allow privilege escalation, sandbox escape: A Google Security Project Zero researcher identified certain default authentication settings in Microsoft’s Windows versions 7 and 8.1 that could allow attackers to use cross-protocol NT LAN Manager (NTLM) reflection to attack a local Server Message Block (SMB) server and leverage Web Distributed Authoring and Versioning (WebDAV) to elevate privileges or escape application sandboxes. Microsoft urged users to implement Extended Protection for Authentication (EPA) to mitigate the vulnerability.
Alleged hacker brought to N.J. on charges of large-scale identity theft: A Romanian national was extradited to the U.S. March 20 to face charges that he allegedly oversaw a large-scale computer hacking scheme in which he breached computer systems of retailers, medical offices, security companies, and individuals’ online accounts to obtain several thousand user names, passwords, and payment card numbers from 2011 – 2014, including 10,000 credit and debit cards from one victim alone.
Over 15,000 vulnerabilities detected in 2014: Secunia: Secunia released its annual vulnerability review and found that 15,435 vulnerabilities across 3,870 applications from 500 vendors were discovered in 2014, 11 percent of which were considered highly critical while 0.3 percent were rated extremely critical. The report also states that over 60 percent of attacks occurred through remote networks, making it the most common attack vector, among other trends.
Half of all Android devices vulnerable to installer hijacking attacks: Security researchers at Palo Alto Networks discovered that a critical Android vulnerability discovered over a year ago and dubbed “Android Installer Hijacking” can allow attackers to completely compromise devices by changing or replacing seemingly legitimate applications with malware during installation without users’ knowledge. The flaw affects all devices running Android versions 4.2 and earlier, and some running version 4.3.
Yebot backdoor built for wide range of malicious operations: Security researchers from Dr.Web discovered that a backdoor trojan dubbed Yebot can run file transfer protocol (FTP) and socket secure (SOCKS) 5 proxy servers, gain remote access to systems through a remote desktop protocol (RDP), capture keystrokes and screenshots, intercept system functions, change code of running processes, search for private keys, and intercept all features associated with Web browsing. The trojan infects computers by injecting code into four Microsoft Windows processes before downloading and decrypting its contents and running in memory.
Leaked full version of NanoCore RAT used to target energy companies: Security researchers at Symantec found that approximately 40 percent of systems infected since January 2014 by the widely available NanoCore remote access trojan (RAT), which is delivered by a malicious rich text format (RTF) or Microsoft Word file that exploits an old vulnerability in the Windows Common Controls ActiveX component, were in the U.S., while cybercriminals have been employing the malware in targeted attacks on energy companies in Asia and the Middle East since March 6.
Over 22.5 million PUAs detected last month by antivirus vendor: Germany-based Avira reported that the company’s antivirus software detected over 22.5 million potentially unwanted applications (PUAs) and highlighted five as the most prevalent in February that could inject malicious code, request sensitive information from users, or extract information without their consent.
Kreditech investigates insider breach: Germany-based Kreditech is working with authorities to investigate an isolated internal security incident in November 2014 in which an apparent insider breached its systems and information from credit applicants was taken. The company stated that no customer data was breached in the event, which originated from a form on its official Web site that stored data in a caching system that deleted data every few days.
Phishers leverage .gov domain loophole to bypass email validation: Security researchers at Trend Micro discovered that cybercriminals responsible for a March 4 – 11 phishing attack that sent over 430,000 emails targeting American Express customers maximized the attack’s effectiveness by exploiting a loophole in the way DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) email verification systems handle messages from .gov top-level domains (TLDs).
Jailbroken iPhones unlocked with software brute-force tool in 14 hours, tops: An iOS jailbreaker published a software library under the GNU General Public License called TransLock that unlocks iOS devices in 14 hours or less via brute force by injecting itself into the app that manages the device’s home screen and setting return values in the “SBFDeviceLockController” class to “No”, allowing unlimited attempts and the ability to try a new PIN every five seconds. The tool only requires that the device be connected via USB.
Unauthorized certificates issued for several Google domains: Security engineers at Google reported that an intermediate certificate authority at Egypt-based MCS Holdings caused certificates for several Google domains, trusted by most operating systems (OS) and Web browsers, to be issued without authorization, leaving users vulnerable to impersonation and decryption of secure communications via man-in-the-middle (MitM) attacks. Users of Google Chrome and of Mozilla Firefox version 33 and later are unaffected by the issue.
Air-gapped computers can communicate through heat, researchers say: Researchers at Israel’s Ben Gurion University demonstrated that it was possible to establish a bidirectional communication channel, dubbed BitWhisper, between two unconnected computers using heat and radio signals emitted from components such as the central processing unit (CPU) and graphics processing unit (GPU), allowing an attacker to use malware installed on each system to exfiltrate data from an air-gapped computer.
Flash Player vulnerable to bug patched in 2011: Security researchers from Minded Security and LinkedIn’s security division discovered that the latest versions of Adobe’s Flash Player Web browser plug-in are vulnerable to a same-origin policy (SOP) bypass flaw in the company’s Flex SDK compiler that was patched in 2011, which could allow attackers to steal victims’ data via Same-Origin Request Forgery or perform actions on behalf of victims via Cross-Site Request Forgery (CSRF) by asking them to visit a malicious Web page.
Twitch security breached, mandatory password reset in effect for all: The Twitch streaming service instituted mandatory password resets, disconnected all accounts from Twitter and YouTube, and emailed affected users after the company detected an unauthorized access attempt that could have compromised users’ information including dates of birth, time and Internet protocol (IP) address of last login, and limited information associated with credit cards.
DDoS attackers distracting security teams with shorter attacks: Corero Networks: Corero Network Security reported in its quarterly trends and analysis report that 96 percent of distributed denial-of-service (DDoS) attacks against its customers in the fourth quarter of 2014 were less than 30 minutes in length and 79 percent used less than 5 gigabits per second (Gbps) of peak bandwidth, indicating that attacks were becoming more difficult to detect and were likely intended to partially saturate networks and distract security teams while leaving enough bandwidth for subsequent attacks to infiltrate networks and access sensitive information.
Dridex banking malware dodges detection with run-on-close macros: Security researchers at Proofpoint discovered that the Dridex banking malware is using run-on-close macros in infected Microsoft Office documents to avoid detection by malware sandboxes and antivirus software. The Dridex malware was previously linked to attacks targeting banking customers in the U.S., Canada, and the U.K.
New point-of-sale malware PoSeidon exfiltrates card data to Russian domains: Security researchers from Cisco Systems’ Talos Security Intelligence and Research Group discovered that cybercriminals are using a new point-of-sale (PoS) malware family dubbed PoSeidon that infects systems via a binary file and uses a memory scraping technique to retrieve and clone Discover, American Express, MasterCard, and Visa card information before delivering it to command and control (C&C) servers in Russia. The malware contains routines to ensure persistence regardless of restart or user log-off.
Cisco Small Business IP phones vulnerable to eavesdropping: Cisco Systems confirmed that its Small Business SPA 300 and 500 series IP phones with firmware version 7.5.5 or older contain flaws in authentication settings that could allow attackers to listen in on phone audio streams or make calls remotely by sending crafted extensible markup language (XML) requests to the affected device. The company is reportedly working on a patch to address the vulnerability.
Fake patient data could have been uploaded through SAP medical app: SAP fixed two issues in the Electronic Medical Records (EMR) Unwired app that could have allowed attackers to potentially leverage an SQL injection flaw and configuration file vulnerability to access the embedded database and change medical records stored on the server.
BNY Mellon to pay $714M to settle currency suits: The Bank of New York Mellon (BNY) agreed March 19 to a $714 million settlement with the U.S. Department of Justice, the State of New York, the U.S. Securities and Exchange Commission, the U.S. Department of Labor, and private investors to resolve allegations that the bank had misrepresented pricing to its clients in foreign exchange markets for years by claiming to provide them with the best rates while giving them the worst margin prices instead. The bank’s own rates became more favorable and profitable from the difference between the higher rates assigned to customers and their own foreign exchange trade rates.
Woman charged in string of bank robberies: Authorities arrested a woman in Hartford March 19 after she escaped from prison and allegedly robbed 5 banks in Wallingford, East Hartford, Wethersfield, Vernon, and Cromwell during a 2-week period in February. Authorities were able to link her to the crimes after she left behind a pair of gloves and a bag of stolen cash.
Zero-days for Firefox, IE 11, Adobe’s Flash and Reader exploited at Pwn2Own 2015: Security researchers leveraged multiple zero-day vulnerabilities to exploit 13 undisclosed bugs in Adobe’s Flash and Reader, Mozilla’s Firefox, and Microsoft’s Internet Explorer 11 at Hewlett Packard and Google Project Zero’s Pwn2Own hacking competition, taking control of compromised systems through various methods which included heap overflow remote code execution, a cross-origin vulnerability, and use-after-free (UAF) remote code execution, among others.
OpenSSL’s undisclosed high-severity issue is far from FREAK, POODLE, or Heartbleed: OpenSSL released an update for its cryptographic library addressing one high severity denial-of-service (DoS) vulnerability affecting version 1.0.2 that could allow a NULL pointer dereference to occur. The update also addressed a number of other moderate vulnerabilities affecting several OpenSSL versions including segmentation faults and an issue with processing Base64 encoded data.
At least 700,000 routers given to customers by ISPs are vulnerable to hacking: A security researcher discovered that over 700,000 ADSL routers, mostly running firmware from the China-based Shenzhen Gongjin Electronics, doing business under the T&W trademark, and distributed to customers by internet service providers (ISPs) worldwide, contain directory traversal flaws in their firmware that could allow attackers to extract sensitive data and change router configuration settings. The researcher notified the firmware developer, affected device vendors, and the U.S. Computer Emergency Readiness Team (US-CERT).
Suspicious package found near Killeen banks: A USAA Financial Center and Broadway Bank in Killeen were closed March 18 while authorities investigated a vehicle in the financial center’s parking lot that contained a suspicious package. Police detained the driver, and the contents of the package were deemed to be “not mechanical” while the incident remains under investigation.
Ransomware uses GnuPG encryption program to lock down files: Researchers from Bleeping Computer and Emsisoft discovered that cybercriminals are using open source GNU Privacy Guard (GnuPG) code and Visual Basic Scripting Edition (VBS) to power VaultCrypt ransomware that uses a 1024-bit RSA key pair to encrypt information and Microsoft’s sDelete application to remove data used in the process. The ransomware sends user log-in credentials for Web sites to a command and control (C&C) server hidden in the Tor anonymous network.
Repackaged Android apps filling third-party stores: Security researchers at Trend Micro discovered an increase of the number of Android apps that are either localized or repackaged containing malware being released for free on unofficial app stores, including spyware that can intercept payment notices or collect the user’s phone model and location, and list of installed apps.
Thief dubbed ‘Longhorn Bandit’ robs Westerra Credit Union in Arvada, police say: Authorities are searching for a suspect dubbed the “Longhorn Bandit”, who allegedly robbed a Westerra Credit Union branch in Arvada March 17 and is believed to be linked to 5 other bank robberies in the area.
Apple fixes WebKit vulnerabilities with release of Safari 8.0.4: Apple released Safari versions 8.0.4, 7.1.4, and 6.2.4, which address a total of 16 memory corruption issues in WebKit identified by Apple’s own security team and the Google Chrome Security Team, as well as a user interface inconsistency.
Johnson Controls, XZERES, Honeywell patch vulnerable products: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced that Johnson Controls, Honeywell, and XZERES released patches addressing vulnerabilities in their products which can be exploited by an attacker to gain administrative access and compromise affected systems through a cross-site request forgery (CSRF) flaw, an unrestricted file upload vulnerability, or a path traversal vulnerability.
Almost 2,000 popular Android and iOS apps are vulnerable to FREAK attack: FireEye researchers discovered that 1,999 popular Android and Apple iOS apps used for photo and video, financial, lifestyle, social networking, communication, or shopping are susceptible to the Factoring RSA-Export Key (FREAK) attack which weakens encryption due to a vulnerable build of OpenSSL cryptographic library. The apps all contain sensitive information including data related to online banking, account log-in credentials, or medical information.
Windows Live SSL certificate issued to unauthorized third party: Microsoft released an advisory warning of a fraudulent certificate for the Finnish Windows Live domain that was generated by the Certificate Authority (CA) Comodo following an unauthorized request from a privileged email account, and that could be used by hackers to spoof Microsoft Web content and carry out man-in-the-middle (MitM) and phishing attacks. The certificate affects systems running certain Windows and Windows Server versions, as well as Windows Phone 8 and Windows Phone 8.1. A standalone updater is available for the revoked certificate.
Three defendants plead guilty in Bakersfield mortgage fraud scheme: Three Bakersfield residents pleaded guilty March 16 to charges related to a $5.6 million mortgage fraud scheme in which the defendants allegedly conspired with others to use straw buyers and fraudulent loan applications to purchase properties developed by Jara Brother Investments and Pershing Partners LLC from 2007-2010. Four co-conspirators previously pleaded guilty in connection to the scheme and two others were indicted in the case.
Three individuals charged with defrauding banks and USDA export financing program: The U.S. District Attorney for Connecticut announced March 16 that three suspects were charged for their roles in a multimillion dollar fraud scheme in which they allegedly used altered documents and a U.S. Department of Agriculture export financing program to secure loans from U.S. financial institutions, and then transferred the funds to foreign banks in Russia for a commission. The foreign banks defaulted on over $10 million worth of loans from 2007-2012.
D-Link patches against critical remote command and code execution flaws: D-Link released firmware updates patching two critical vulnerabilities that allowed attackers to intercept network traffic and execute commands on vulnerable devices and exploit cross-site request forgery (CSRF) attacks to create, modify, or delete data and execute code.
OpenSSL mystery patches due for release Thursday: The OpenSSL Project Team released an advisory stating that several undisclosed security vulnerabilities in the open-source encryption software, which implements the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol, will be patched March 19 in versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf.
BlackBerry begins slow rollout for FREAK security flaw, most devices still at risk: BlackBerry confirmed that all versions of newer BlackBerry 10 and older 7.1 devices along with BlackBerry Enterprise Service 12 and earlier, as well as the BlackBerry Messenger app on Android, iPhones, Windows phones, and iPads, are all vulnerable to Factoring RSA-EXPORT Key (FREAK) attacks that intercept encrypted traffic and force weaker encryption. BlackBerry is working to mitigate the vulnerability.
Commerzbank AG admits to sanctions and bank secrecy violations, agrees to forfeit $563 million and pay $79 million fine: Frankfurt, Germany-based Commerzbank AG and its U.S. branch, Commerz New York, entered into a deferred prosecution agreement March 12 with federal authorities and agreed to pay a total of $1.45 billion in penalties and forfeitures related to violations of the International Emergency Economic Powers Act and the Bank Secrecy Act after the bank moved and concealed $263 million on behalf of Iranian and Sudanese entities and allowed Japanese-based Olympus to commit a multibillion dollar securities fraud scheme by failing to maintain adequate policies, practices, and procedures to ensure compliance with U.S. law.
Brute force box lets researchers, cops, pop iDevice locks: A security researcher from MDSec demonstrated that the IP-Box tool exploits a vulnerability in iPhones and iPads running iOS 8.1 and older that allows unlimited guesses of the four-digit personal identification number (PIN). By cutting power to the device before a failed attempt is recorded, the tool bypasses both the rate limiting and the setting that erases data after a set number of failed attempts, exposing the owner's personal data.
WPML WordPress plugin vulnerabilities expose 400,000 websites: WPML developers released an update to address security flaws in the premium multilingual plugin for WordPress, including an SQL injection vulnerability that allows an attacker to read the contents of affected sites' databases, including password hashes and other user details, and a missing access control check in the "menu sync" functionality that allows removal of content from Web sites. More than 400,000 commercial Web sites use the plugin.
Over 5.3 million Upatre infections detected in the US since January: Security researchers at Microsoft’s Malware Protection Center discovered that the U.S. has recorded the largest number of Upatre malware infections in the world at 5,326,970 since January, 7 times more than the next country. Upatre is usually delivered through malicious emails and via botnets, and is used by cybercriminals as a distribution platform for other malware.
Fake IRS agents target 366,000 in massive tax scam: An official at the U.S. Department of the Treasury announced March 12 that over 3,000 victims have lost $15.5 million in a tax scam targeting over 366,000 people nationwide, in which scammers purporting to be Internal Revenue Service agents call taxpayers claiming that they owe taxes and must pay or risk arrest, deportation, or the loss of a business or driver's license. Two individuals in Florida have been arrested in connection with the scheme.
Google leaks Whois data for over 282,000 protected domains: Cisco Systems' Talos researchers reported to Google that private information such as names, physical and email addresses, and phone numbers belonging to the registrants of 282,867 domains registered through Google Apps' registrar, eNom, were leaked for nearly two years due to a software defect that did not carry the unlisted (private) registration service forward when domains were renewed, potentially exposing the registrants to spam, spear-phishing attacks, or identity theft.
TeslaCrypt ransomware encrypts files of over 20 games: Security researchers at Bromium found that crypto-ransomware dubbed TeslaCrypt targets 185 file extensions, including save files and other data for over 20 popular games, and is delivered by the Angler exploit kit in drive-by attacks that exploit Adobe Flash Player and Internet Explorer. The malware poses as the better-known CryptoLocker, but researchers stated that the two are only about 8 percent similar.
Adobe fixes critical Flash Player vulnerabilities: Adobe released security updates patching 11 critical flaws, including memory corruption and type confusion vulnerabilities that attackers could leverage for remote code execution to take control of affected systems.
Google fixes privilege escalation vulnerabilities in Android 5.1 Lollipop: Google released fixes in Android 5.1 Lollipop for two serious vulnerabilities in earlier versions that could have allowed attackers to trigger integer overflows leading to heap memory corruption, gaining elevated privileges or causing denial-of-service (DoS) conditions on targeted devices.
Forget viruses: Evil USB drive 'fries laptops with a power surge': A Russian security researcher described, on a Russian-language Web site, a modified USB stick that can overload and damage a PC's sensitive internal electronics: an inverting direct current to direct current (DC-DC) converter and a bank of capacitors inside the stick charge to a high voltage from the port's own power and then discharge it back into the port, destroying the circuitry behind it.
RBS trader admits defrauding customers in multimillion dollar securities fraud scheme: A former trader at Royal Bank of Scotland Securities Inc. (RBS) pleaded guilty March 11 to his role in a securities fraud scheme in which he and co-conspirators defrauded at least 20 victim firms out of millions of dollars by misrepresenting collateralized loan obligation bond prices to buyers and sellers to increase RBS' profits, often creating fictitious third party sellers that enabled RBS to collect extra commissions on sales. Some of the victimized firms were affiliated with recipients of federal bailout funds through the Troubled Asset Relief Program.
2,400 unsafe mobile apps found in average large enterprise: Veracode researchers analyzed hundreds of thousands of mobile applications installed in corporate environments across multiple industries and found that the average global enterprise has approximately 2,400 unsafe applications in its mobile environment, including apps that expose sensitive data, perform suspicious security actions, or retrieve or share personal information about users.
Cyber crooks take advantage of ad bidding networks to deliver ransomware: Security researchers at FireEye discovered that malware distributors are leveraging real-time bidding (RTB) ad networks that are either compromised or controlled entirely by attackers to deliver Cryptowall and other ransomware variants and to gather information about victims' geographic locations, operating systems (OS), and browsers. The malvertising campaign has been active since February 4.
Self-deleting malware targets home routers to gather information: Trend Micro researchers identified malware called VICEPASS that infects users’ systems via a fake Adobe Flash update, connects to their home routers using a predefined list of usernames and passwords, and attempts to spread to every device on their networks before sending information to a command-and-control (C&C) server and deleting itself. The researchers believe that the malware could be a reconnaissance tool for larger campaigns.
Apple’s iTunes, App Store reopen after long outage: Apple restored service to its iTunes, App Store, Mac App Store, and iBooks store March 11 after an internal domain name system (DNS) error brought the services down globally for approximately 12 hours.
Dropbox Android SDK flaw exposes mobile users to attack: IBM: Researchers at IBM Security discovered a flaw, dubbed DroppedIn, in the Dropbox software development kit (SDK) for Android that could have enabled attackers to link mobile apps that use the kit to a Dropbox account the attacker controls, and then exfiltrate sensitive information from those apps or inject malicious data into them. Dropbox released a fixed version of the SDK for developers of the apps that use it.
Intel Security launches new critical infrastructure security platform: Intel Security announced the Intel Security Critical Infrastructure Protection (CIP) platform, developed in a joint project with Wind River, designed to protect new and legacy infrastructure within electric power grids by separating the platform's security management functions from operational applications and adding device identity, malware protection, data protection, and resiliency. The company stated that CIP can be leveraged across multiple industries and uses.
Key player in $5M ATM bank card scheme found guilty: A Chicago man was convicted March 10 for his role in an ATM bank card skimming scheme in which he and up to 16 other suspects installed card-reading devices and pinhole cameras on ATMs in New Jersey and elsewhere, and created thousands of phony ATM cards that they used to withdraw more than $5 million from customer bank accounts.
Shortcut parsing glitch used by Equation group re-patched by Microsoft: Microsoft fixed a shortcut parsing vulnerability in Windows that Kaspersky Lab researchers found had been in use since 2008 in large-scale cyber-espionage activities involving the Equation group and the Fanny worm. Microsoft corrected how Windows loads dynamic link library (DLL) files when it processes shortcut (LNK) files, closing a hole that allowed attackers to infect systems with a malformed LNK file that loaded a malicious DLL automatically when the shortcut was opened.
Malware uses Windows product IDs to mix mutex: A security researcher at SANS discovered a new trojan dubbed "TreasureHunter" that derives its mutex name from the infected machine's unique Windows product ID, so the mutex differs on every host and cannot be used as a static indicator by anti-malware software or researchers.
Redmond’s Patch Tuesday to kill off the Windows FREAK show: Microsoft issued 14 security bulletins patching 44 security vulnerabilities, including a critical patch for Windows and Windows Server versions running Secure Channel components vulnerable to the Factoring RSA-Export Keys (FREAK) attack.
Apple fixes FREAK vulnerability in Secure Transport: Apple released a patch for its iOS and OS X devices to address the Factoring RSA-Export Keys (FREAK) attack vulnerability affecting Secure Transport on Safari by removing support for ephemeral RSA keys.
Former Kearny councilman pleads guilty in $13M mortgage fraud scheme: A former Kearny, New Jersey councilman pleaded guilty March 9 to his role in a $13 million mortgage fraud scheme in which he and co-conspirators recruited straw buyers from 2006-2011 to purchase condominiums and obtained $4.7 million worth of mortgages based on false and fraudulent loan applications and closing documents.
Six charged in loan modification scheme: Six suspects were charged in Salt Lake City March 5 for their alleged roles in a loan modification scheme that defrauded over 10,000 individuals nationwide out of more than $33 million. Authorities allege the suspects created CC Brown Law LLC in 2009 to execute a largely telemarketing-based scheme to sell fake home loan modification services to distressed homeowners, then kept the customers' money without performing the services.
Exploit code published for Elasticsearch remote code execution flaw: Security researchers at Xiphos Research published an exploit for a flaw in Elasticsearch versions earlier than 1.3.8 and 1.4.3 that allows remote code execution on the server by passing Groovy code in a search query that escapes the scripting sandbox. The flaw was patched in updates released February 11.
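For administrators who cannot upgrade a cluster at once, the vendor's advisory for this issue gave a configuration mitigation. The fragment below is an added illustration, not text from the page or from Elastic; the setting name and affected version ranges are taken from the Elasticsearch 1.x documentation and advisory, and the exposed default is shown commented out beside the corrected value:

```yaml
# elasticsearch.yml (added example, not the project's own file)

# Exposed: Elasticsearch 1.3.0-1.3.7 and 1.4.0-1.4.2 ship with sandboxed Groovy
# scripting enabled, and the sandbox could be escaped from a search request:
# script.groovy.sandbox.enabled: true

# Mitigation for nodes that cannot be upgraded to 1.3.8 / 1.4.3 immediately:
# disabling the sandbox turns off dynamic Groovy scripting entirely.
# Restart each node after changing it.
script.groovy.sandbox.enabled: false
```

Treat this as a stop-gap: it breaks any application that relies on inline Groovy scripts, and the upgrade is still required.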
Yahoo patches critical eCommerce, small business vulnerabilities: Yahoo recently patched vulnerabilities discovered by security researchers that could have allowed attackers to gain complete access to any user-run eCommerce Web site hosted on Yahoo’s eCommerce platform, Yahoo Small Business, including all site administration privileges, access to personally identifiable information, and control over prices of items in any Yahoo store.
Row Hammer DRAM bug exploited, unlocks access to physical memory: Security researchers from Google's Project Zero leveraged a known weakness in some dynamic random-access memory (DRAM) chips, dubbed Row Hammer, in which repeated access to one row of memory flips bits in adjacent rows, to build two exploits: one runs as a Native Client (NaCl) program and escapes the sandbox to call host system calls directly, and the other runs as a normal Linux user process, escalates to kernel privileges, and gains read and write access to the entire physical memory.
FBI investigates possible ISIS supporters' hack of Western sites: The FBI is investigating after hackers claiming to be affiliated with the Islamic State of Iraq and Syria (ISIS) placed black flags attributed to the group, the words "hacked by ISIS, we are everywhere," an invalid Facebook address, and an Adobe Flash audio plugin that played a song in Arabic on several U.S. Web sites over the weekend of March 7. Some of the businesses targeted during the attack include a speedway in Ohio, a Goodwill store and digital agency in Missouri, a historic condominium complex in New York, a zoo in California, and restaurants in Minnesota, Massachusetts, and Ohio.
Wig-wearing bandit robbed bank of more than $100G: Authorities arrested and charged a White Plains, New York woman March 5, for allegedly using a paintball gun to rob a Glen Rock Savings Bank branch in Glen Rock, New Jersey, of more than $100,000.
Email spoofing flaw found in Google Admin console: Security researchers identified a security flaw in the Google Apps Admin console that could have been exploited to gain temporary ownership of any previously unclaimed domain and used to send malicious emails that would not be flagged as suspicious because they came from trusted servers. Google has addressed the vulnerability.
Two arrested in the largest data breach in the US: Two men were arrested for their roles in what authorities are calling the largest data breach in U.S. history, in which the suspects allegedly made millions of dollars between 2009-2012 by stealing over 1 billion email addresses from 8 U.S. email service providers and then using the providers' own distribution platforms to send millions of spam emails containing links to Web sites that promoted products through affiliate marketing. Authorities continue to search for a third suspect connected to the scheme.
Couple who fled to Eastern Europe during bank fraud investigation enter guilty pleas: A King County couple that had fled to Moldova pending a 2009 indictment, pleaded guilty March 5 to charges related to a mortgage fraud scheme in which they allegedly submitted 55 fraudulent construction loan packets worth $49 million to Westsound Bank, while diverting some of the funds for personal use, collecting commissions on property sales, and costing the bank over $10 million in losses. One of the suspects was extradited back to the U.S. in December 2014, and the other returned in February 2015 to resolve the case.
Fake “Flash Player Pro” update delivers password-stealing Trojan: Security researchers at F-Secure discovered a new malware campaign in which users with previously compromised routers and domain name system (DNS) server settings are being targeted with fake Adobe Flash Player Pro installation notifications that contain the Fareit trojan, allowing attackers to steal passwords and download other malware onto the infected system.
SSL/TLS cipher suite downgrade affects all supported Windows versions: Microsoft released a security advisory stating that Secure Channel (Schannel), used in all supported versions of Windows, is vulnerable to Factoring RSA Export Keys (FREAK) attacks, in which a man-in-the-middle (MitM) forces a secure sockets layer (SSL) or transport layer security (TLS) connection down to a weak export-grade RSA key, allowing the attacker to factor the key and decrypt HTTPS traffic. Microsoft has not yet specified a release date for patching the vulnerability.
Cryptowall makes a comeback via malicious help files: Security researchers at Bitdefender Labs discovered a new spam email campaign targeting users worldwide, in which attackers have sent hundreds of emails with Compiled HTML (.chm) files that install the Cryptowall ransomware when opened. Researchers believe the attack is targeting employees from different organizations to compromise company networks.
Angler exploit kit and domain shadowing: A deadly combination: Security researchers at Cisco Talos Group discovered that attackers have compromised several hundred domain registrant accounts, typically through phishing, and used them to create thousands of subdomains under the accounts' legitimate domains that redirect victims to Web pages hosting the Angler Exploit Kit, a technique dubbed domain shadowing. The attackers rotate through the subdomains quickly and abandon them, making detection difficult.
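The DNS footprint of domain shadowing can be searched for in passive DNS data. The heuristic below is an added example, not Talos code: a legitimately registered domain that suddenly grows many throwaway subdomains, each living for hours and pointing at addresses unrelated to the apex, is flagged. The records are constructed (there is no real passive DNS feed here), the "same /24 as the apex" test is a simplification of "related address space", and the registered-domain split ignores the public suffix list.

```python
"""Heuristic domain-shadowing detector over passive DNS records (added example)."""
from collections import defaultdict
from datetime import datetime


def registered_domain(name):
    """Simplified: last two labels. Real code should consult the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def _slash24(ip):
    return ".".join(ip.split(".")[:3])


def _lifetime_hours(first_seen, last_seen):
    delta = datetime.fromisoformat(last_seen) - datetime.fromisoformat(first_seen)
    return delta.total_seconds() / 3600


def shadowed_domains(records, min_subdomains=5, max_lifetime_hours=48):
    """records: (name, ip, first_seen, last_seen) with ISO 8601 timestamps.
    Returns {registered_domain: [suspicious subdomains]} for domains that have at
    least min_subdomains short-lived subdomains resolving outside the apex's /24."""
    apex_ip = {}
    subdomains = defaultdict(list)
    for name, ip, first, last in records:
        parent = registered_domain(name)
        if name.lower() == parent:
            apex_ip[parent] = ip
        else:
            subdomains[parent].append((name, ip, first, last))

    flagged = {}
    for parent, entries in subdomains.items():
        if parent not in apex_ip:          # no apex record: nothing to compare against
            continue
        apex_net = _slash24(apex_ip[parent])
        suspicious = sorted(
            name for name, ip, first, last in entries
            if _lifetime_hours(first, last) <= max_lifetime_hours
            and _slash24(ip) != apex_net)
        if len(suspicious) >= min_subdomains:
            flagged[parent] = suspicious
    return flagged


# Constructed sample: example.com sprouts six short-lived subdomains on unrelated
# hosting; example.net has one legitimate short-lived subdomain on its own range.
SAMPLE_RECORDS = [
    ("example.com", "203.0.113.10", "2015-01-05T00:00:00", "2015-03-01T00:00:00"),
    ("www.example.com", "203.0.113.10", "2015-01-05T00:00:00", "2015-03-01T00:00:00"),
    ("mail.example.com", "203.0.113.25", "2015-01-05T00:00:00", "2015-03-01T00:00:00"),
    ("ab3k9x.example.com", "198.51.100.14", "2015-02-27T03:10:00", "2015-02-27T05:40:00"),
    ("q7zpd1.example.com", "198.51.100.14", "2015-02-27T05:45:00", "2015-02-27T09:05:00"),
    ("m2vh8c.example.com", "198.51.100.22", "2015-02-27T09:10:00", "2015-02-27T13:30:00"),
    ("zz41pk.example.com", "198.51.100.22", "2015-02-27T13:35:00", "2015-02-27T16:00:00"),
    ("e9rt0n.example.com", "198.51.100.31", "2015-02-27T16:05:00", "2015-02-27T20:20:00"),
    ("k0p3wa.example.com", "198.51.100.31", "2015-02-27T20:25:00", "2015-02-28T01:00:00"),
    ("example.net", "192.0.2.40", "2014-11-01T00:00:00", "2015-03-01T00:00:00"),
    ("shop.example.net", "192.0.2.40", "2014-11-01T00:00:00", "2015-03-01T00:00:00"),
    ("promo.example.net", "192.0.2.41", "2015-02-26T00:00:00", "2015-02-27T00:00:00"),
]

if __name__ == "__main__":
    for parent, names in shadowed_domains(SAMPLE_RECORDS).items():
        print(parent, "->", ", ".join(names))
```

The thresholds are starting points: in practice they should be tuned against the registrar's normal subdomain churn, and a hit should be confirmed by checking whether the subdomain's content or redirect chain leads to an exploit kit landing page.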
Banking malware targets almost 1,500 financial institutions in 86 countries: Security researchers from Symantec reported an analysis of 999 banking malware configurations that targeted 1,467 financial institutions worldwide in 2014, most of them in the U.S., where institutions were targeted by 95 percent of the trojans analyzed. The analysis also revealed that 4.1 million users' systems had been compromised in 2014.
New POS malware uses mailslots to avoid detection: Security researchers from Morphick discovered that the new LogPOS point-of-sale (PoS) malware uses Microsoft Windows' mailslots inter-process communication mechanism to avoid detection: it injects code into other processes, which act as mailslot clients and pass scraped payment card numbers to the main component, which relays them to a command and control (C&C) server.
Strong SSL/TLS ciphers downgraded to use weak crypto key in FREAK attack: Security researchers at INRIA and Microsoft Research identified a serious vulnerability in the implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols on Apple and Android devices that can be abused through man-in-the-middle (MitM) attacks. The attack exploits support for export-grade RSA keys left over from 1990s U.S. export restrictions: the attacker rewrites the handshake so that the server supplies a weak 512-bit RSA key, which a vulnerable client accepts even though it never asked for export-grade encryption, potentially leaving a wide range of government and other Web sites open to decryption. The researchers have dubbed the attack FREAK (Factoring RSA Export Keys), and Akamai announced that its cloud platform has been patched.
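The downgrade described here and in the Schannel advisory above can be recognized from the handshake messages alone. The script below is an added example, not code from the page, the researchers, or any vendor: it parses a ClientHello and a ServerHello, flags export-grade suites, and applies the check a correct client has to make, namely that a ServerKeyExchange message is only legitimate for suites that actually use ephemeral or export key exchange. The cipher suite identifiers are the IANA/RFC values; the record builders, the zeroed random fields, and the scenarios are constructed for the example.

```python
"""Audit a TLS handshake for the FREAK export-RSA downgrade (added example).

Parses a ClientHello and ServerHello, flags export-grade cipher suites, and
applies the check a correct client makes: a ServerKeyExchange is only legal
for suites that use ephemeral or export key exchange. Records are built below
with zeroed random fields; nothing here is captured traffic.
"""
import struct

# Export-grade suites (RFC 2246 appendix A.5): 40-bit ciphers, 512-bit RSA/DH.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# Non-export suites used by the sample scenarios, with their key exchange method.
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
}

def key_exchange(suite):
    """'EXPORT', 'RSA', 'DHE', 'ECDHE' or 'unknown' for a suite id."""
    if suite in EXPORT_SUITES:
        return "EXPORT"
    return SUITES.get(suite, ("?", "unknown"))[1]

def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and the 4-byte handshake header."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rlen != len(record) - 5:
        raise ValueError("not a single well-formed handshake record")
    htype, hlen = record[5], int.from_bytes(record[6:9], "big")
    if htype != expected_type or hlen != rlen - 4:
        raise ValueError("unexpected handshake message type or length")
    return record[9:]

def client_hello_suites(record):
    """Cipher suites offered, in the client's preference order."""
    body = _handshake_body(record, 0x01)
    pos = 2 + 32                       # client_version + random
    pos += 1 + body[pos]               # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def server_hello_suite(record):
    """Cipher suite the server selected."""
    body = _handshake_body(record, 0x02)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]

def build_client_hello(suites):
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, zeroed random, no session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def audit(client_hello, server_hello, server_key_exchange_seen):
    """Return a list of findings for one handshake; an empty list means clean."""
    findings = []
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    for s in offered:
        if s in EXPORT_SUITES:
            findings.append(f"client offered export suite {EXPORT_SUITES[s]}")
    if chosen not in offered:
        findings.append(f"server selected 0x{chosen:04X}, which the client never offered")
    if chosen in EXPORT_SUITES:
        findings.append(f"export suite negotiated: {EXPORT_SUITES[chosen]}")
    kx = key_exchange(chosen)
    if server_key_exchange_seen and kx == "RSA":
        # The FREAK client bug: accepting a 512-bit export key for a plain RSA suite.
        findings.append("ServerKeyExchange received for a non-export RSA suite; "
                        "a correct client rejects this (FREAK)")
    if not server_key_exchange_seen and kx in ("DHE", "ECDHE", "EXPORT"):
        findings.append("ServerKeyExchange missing for a suite that requires it")
    return findings

if __name__ == "__main__":
    # What a vulnerable client saw: the MITM rewrote the ServerHello back to the RSA
    # suite the client offered, then relayed the server's export-key message.
    print(audit(build_client_hello([0xC013, 0x002F]), build_server_hello(0x002F), True))
    # The MITM-to-server leg: the rewritten ClientHello offers only export suites.
    print(audit(build_client_hello([0x0003, 0x0008]), build_server_hello(0x0008), True))
```

On the server side the practical check is simpler: no export suite should be enabled at all, and the 512-bit export key must not be reused across connections, since reuse is what made factoring it worthwhile.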
Google fixes 51 vulnerabilities with release of Chrome 41: Google addressed 51 security issues and added new app and extension application programming interfaces (APIs) and stability and performance improvements in the release of Google Chrome version 41. The addressed vulnerabilities include 13 high-severity and 6 medium-severity issues discovered by external researchers.
Black hat bandits rob Wells Fargo bank in Falls Church: Authorities continue to search for the “Black Hat Bandits” after the 3-man crew allegedly robbed a Wells Fargo bank branch in Falls Church, Virginia, March 2. The suspects are believed to be connected to 7 other bank robberies across northern Virginia and Maryland since January 2, and the FBI reported that the group has become more brazen with each robbery.
SEC suspends trading in 128 dormant shell companies to put them out of reach of microcap fraudsters: The U.S. Securities and Exchange Commission (SEC) announced March 2 that it suspended trading in 128 inactive penny stock companies in 24 States and Canada to prevent fraudsters from pumping up the companies' stock value through misinformation campaigns and dumping the stock once investors buy in. The SEC has suspended over 800 microcap stocks since 2012 as part of its Operation Shell-Expel initiative.
Pioneer Bank customer data at risk: Pioneer Bank executives in Troy, New York, confirmed March 2 that an employee’s laptop that was stolen from an unidentified location January 26 contained secured personal and account information of an undisclosed number of customers. The bank notified local police and potentially affected customers following the theft, and continues to investigate the incident to determine if an unauthorized party accessed the information.
Armed men take $4 million in gold from armored truck in North Carolina: police: Authorities are searching for 3 armed men that allegedly stole $4 million worth of gold from a TransValue Inc. semi-truck carrying a silver and gold shipment while it was stopped due to a mechanical issue along Interstate 95 in Wilson County, North Carolina, March 1. The drivers reported that the suspects approached the broken down semi-truck, bound the 2 armed guards, and ordered them into the woods while the men escaped with several barrels of gold.
Phishers target victims of iOS device theft: Security researchers at Malwarebytes discovered an elaborate phishing campaign that targets victims of iOS device theft by using spoofed messages and a fake iCloud log-in Web page that is available in 10 different languages to steal users’ log-in credentials, enabling the thieves to unlock the stolen devices.
Lossy image compression can hide malicious code in PDF files: Researcher: A security researcher at CSIS showed that the lossy JPEG encoding used by the PDF DCTDecode filter can be abused to embed malicious code in high-quality grayscale JPEG images inside PDF files, so that the payload survives the compression and is carried by the image data rather than by a visibly suspicious PDF object.
Mass infection malware attack targets Android: AdaptiveMobile security researchers uncovered a massive new malware attack directed at Android users that uses victims’ mobile device contacts to send email, Facebook, and SMS messages with links to spoofed Amazon vouchers containing the Gazon malware. The attack has infected thousands of devices worldwide and generated over 16,000 click-throughs since it began in the U.S. February 25.
D-Link fixes router flaws following public disclosure: D-Link released a firmware update for its DIR-820L router that fixed a flaw allowing attackers to gain root access to the router through cross-site request forgery (CSRF) attacks, by tricking a logged-in user into visiting a malicious Web page that silently submits requests to the router, including changes to its domain name system (DNS) configuration. The company will release updates for other vulnerable routers by March 10.
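Both D-Link items in this digest come down to the same weakness: the browser attaches the router's session cookie to any request, including one that an attacker's page submits, so a settings handler that trusts the cookie alone can be driven from any Web site. The code below is an added example, not D-Link firmware code, showing the CSRF-prone handler beside a hardened one that additionally requires a same-origin Origin/Referer header and a per-session anti-CSRF token. The hostnames, the request dictionaries, and the session model are constructed for the example.

```python
"""CSRF defense for an embedded admin UI, e.g. a router's DNS settings form
(added example, not vendor code)."""
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_HOSTS = {"192.168.0.1", "router.local"}   # the UI's own hostnames (assumed)


class Session:
    """Server-side state for one logged-in administrator."""
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.csrf_token = secrets.token_hex(16)   # embedded in every settings form
        self.dns_servers = ["192.168.0.1"]


def _authenticated(session, request):
    return request["cookies"].get("SESSION") == session.id


def vulnerable_set_dns(session, request):
    """The original pattern: the session cookie is the only check. CSRF-prone."""
    if not _authenticated(session, request):
        return False
    session.dns_servers = request["form"]["dns"].split(",")
    return True


def _same_origin(request):
    """Browsers send Origin on cross-site POSTs; fall back to Referer for older
    ones. A request with neither header fails closed."""
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname in ROUTER_HOSTS


def hardened_set_dns(session, request):
    """Same change, gated on method, origin and a per-session token."""
    if request["method"] != "POST" or not _authenticated(session, request):
        return False
    if not _same_origin(request):
        return False
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):   # constant-time compare
        return False
    session.dns_servers = request["form"]["dns"].split(",")
    return True


def legitimate_request(session, dns="8.8.8.8,8.8.4.4"):
    """What the router's own settings page submits (constructed)."""
    return {"method": "POST", "cookies": {"SESSION": session.id},
            "headers": {"Origin": "http://192.168.0.1"},
            "form": {"dns": dns, "csrf_token": session.csrf_token}}


def forged_request(session, dns="198.51.100.53"):
    """What an attacker's page submits through an auto-submitting form: the browser
    adds the cookie, but the page can neither read the token nor fake the Origin."""
    return {"method": "POST", "cookies": {"SESSION": session.id},
            "headers": {"Origin": "http://attacker.example"},
            "form": {"dns": dns}}


if __name__ == "__main__":
    s = Session()
    print("vulnerable accepts forged request:", vulnerable_set_dns(s, forged_request(s)))
    s = Session()
    print("hardened accepts forged request:", hardened_set_dns(s, forged_request(s)))
    print("hardened accepts legitimate request:", hardened_set_dns(s, legitimate_request(s)))
```

The token check alone would be enough against a classic cross-site form post; the origin check is kept as defense in depth because embedded UIs often leak tokens through other bugs (such as the XSS and information disclosures reported against routers in the same period).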
West Michigan developer indicted in $8 million real estate mortgage ‘stacking’ fraud: Authorities arrested a part owner of the GBW Development real estate firm in Michigan during the week of February 23 for allegedly conspiring with the owner of Prime Title Service to defraud banks, private lenders, and real estate title insurance companies out of $8 million by taking multiple mortgages out on a single property without lenders’ knowledge.
SEC halts Ponzi-like scheme by purported venture capital fund manager in Buffalo: The U.S. Securities and Exchange Commission charged a New York-based supposed venture capital fund manager February 27 for allegedly using his firms Archipel Capital LLC and BIM Management LP to solicit money from investors for the purchase of 230,000 pre-IPO Twitter shares, of which he only purchased 80,000 shares, and using 3 unrelated funds and Ponzi-like payments with fake documents to pay investors.
Texas brothers must pay $299 million in SEC fraud case: judge: A Texas man and his late brother’s estate were ordered to pay the U.S. Securities and Exchange Commission $299.4 million February 26 for allegedly engaging in securities fraud and earning $553 million in undisclosed profits by trading in Michaels Stores Inc., Sterling Software Inc., Scottish Annuity & Life Holdings Ltd. now known as Scottish Re Group Ltd., and Sterling Commerce Inc. using trusts in the Isle of Man.
0-day flaw in Seagate NAS devices endangers thousands: A security researcher discovered that certain firmware versions of Seagate Business Storage 2-Bay NAS devices are susceptible to an easily exploitable zero-day remote code execution vulnerability because the devices' Web-based management application runs outdated versions of PHP, the CodeIgniter framework, and the Lighttpd Web server that contain known security issues. The company is reportedly working on the issue.
Privilege escalation glitch found in Toshiba software: SmartNet researchers discovered a path-related privilege escalation vulnerability in Toshiba's Bluetooth Stack for Windows and Service Station that could allow attackers to take control of computers by running malicious programs with elevated privileges, and to alter or delete information stored on hard disks. Toshiba released updates for its vulnerable products.
Two Kent residents indicted as part of large bank fraud ring. A 10-member bank fraud ring in Washington was indicted during the week of February 23 for allegedly using stolen checks from 7 banks to make fraudulent deposits into 219 different bank accounts, inflating the balances and then withdrawing more than $987,000 in cash from November 2010 to the present.
Draper man indicted for 15 counts of mail fraud after allegedly misappropriating $24 million. A former American Pension Services executive was indicted in a U.S. District Court in Utah February 26 for allegedly running a scheme from 1998-2014 that defrauded over 5,000 customers out of approximately $24 million by using false and fraudulent representations, promises, and omissions of material facts to obtain the funds that were used to make personal, high-risk investments.
Apps bypass Google Play verification and spew tempest of ads. Bitdefender security researchers discovered 10 apps hosted in Google Play that use social engineering to trick users into installing ad-spewing software and relied on deceptive tactics to ensure persistence on users’ devices. None of the apps linked to Web sites hosting malware, allowing the apps to bypass Google Play quality controls.
Critical vulnerability found in Jetty web server. Security researchers from Gotham Digital Science discovered a critical vulnerability dubbed JetLeak in the Eclipse Foundation's Jetty Web server that allows remote, unauthenticated attackers to read arbitrary data from requests previously submitted by other users to the server, including cookies, authentication tokens, anti-CSRF tokens, usernames, and passwords. The flaw was addressed February 24 with the release of Jetty version 9.2.9; the Jetty development team also plans to fix it in version 9.3.0, which is in beta.
It's official – FCC enacts expansive net-neutrality rules. The Federal Communications Commission (FCC) approved sweeping net-neutrality regulations February 26 that give the government expanded power over Internet access and allow the FCC to bar Internet providers from blocking Web sites, selectively slowing down any content, or offering bandwidth increases for specific content in exchange for payment. The rules also classify the Internet as a telecommunications service under Title II of the Communications Act.
Founder accused of defrauding investors in $40M mutual fund. A Massachusetts financier was charged with securities fraud, wire fraud, aggravated identity theft, and obstruction of justice February 25 for allegedly issuing fictitious consumer loans as co-portfolio manager of GL Beyond Income Fund, and diverting the fund's assets for use on business and personal expenses.
MetLife unit to pay $123.5 million for alleged mortgage fraud. The U.S. Department of Justice announced February 25 that MetLife Home Loans LLC will pay $123.5 million to resolve accusations that the company, doing business as MetLife Bank at the time of the alleged infractions, knowingly violated the False Claims Act from September 2008 to March 2012 by originating and underwriting mortgage loans insured by the Federal Housing Administration (FHA) that did not meet underwriting requirements. MetLife was allegedly aware of the violations through its internal quality control reviews and reportedly downgraded the severity of findings on its sub-standard FHA loans so that they appeared to have fewer issues.
Lizard Squad hijacks Lenovo website, emails. Lizard Squad hackers hijacked the Lenovo Web site and email by modifying the DNS records in Lenovo's domain registrar account: the group pointed the site at CloudFlare IP addresses serving defacement pages, and changed the mail server (MX) records so that emails sent to Lenovo addresses could be intercepted. The hijacking mirrored a similar attack that targeted Google Vietnam during the week of February 23.
Los Angeles-area executive arrested in $9 million bank fraud scheme. An executive of Ontario, California-based Eastern Tools and Equipment was arrested February 24 following an October 2014 indictment for his role in a scheme to defraud United Commercial Bank and East West Bank of more than $9 million. The executive and his co-conspirators allegedly overstated Eastern Tools' accounts receivable to increase the company's line of credit with the banks, then shifted money from the company's bank accounts into about 20 shell companies before siphoning it into their personal accounts.
Mozilla fixes 17 vulnerabilities in Firefox 36. Mozilla released version 36 of its Firefox browser closing 17 vulnerabilities and flaws, including 4 rated as critical.
New DDoS attack and tools use Google Maps plugin as proxy. PLXsert security researchers discovered that attackers are exploiting a known vulnerability in the Google Maps plugin for Joomla, whose proxy script fetches whatever URL it is handed: by passing the victim's address as that URL, attackers make the Joomla server send requests to the distributed denial of service (DDoS) target on their behalf, hiding the attack's true source. Researchers identified more than 150,000 potential Joomla reflectors on the Internet, many of which remain vulnerable to this kind of abuse.
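A site owner can tell whether their Joomla install is being used as one of these reflectors from the Web server's access log. The script below is an added example, not PLXsert or Akamai code: it scans combined-format log lines for calls to the plugin's proxy script whose url= parameter points anywhere other than Google's map services and counts hits and distinct sources per target. The proxy script name is an assumption from public reporting at the time (adjust PROXY_SCRIPT to the installed plugin), and the log lines are constructed.

```python
"""Find Joomla Google Maps plugin proxy abuse in access logs (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

PROXY_SCRIPT = "plugin_googlemap2_proxy.php"   # assumed name of the plugin's proxy endpoint
ALLOWED_TARGETS = {"maps.google.com", "maps.googleapis.com", "maps.gstatic.com"}

# Apache/nginx "combined" format: src ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def proxied_target(path):
    """Host the proxy was asked to fetch, or None if this is not a proxy call."""
    parts = urlsplit(path)
    if not parts.path.endswith("/" + PROXY_SCRIPT):
        return None
    url = parse_qs(parts.query).get("url", [None])[0]   # parse_qs percent-decodes
    if not url:
        return None
    return urlsplit(url).hostname


def reflection_targets(lines, min_hits=3):
    """Count proxied fetches per off-site target and the distinct client addresses
    driving them; return only targets with at least min_hits."""
    hits = Counter()
    sources = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = proxied_target(m["path"])
        if host is None or host in ALLOWED_TARGETS:
            continue
        hits[host] += 1
        sources.setdefault(host, set()).add(m["src"])
    return {h: {"hits": n, "sources": len(sources[h])}
            for h, n in hits.items() if n >= min_hits}


# Constructed sample: five proxy requests aimed at one target from three clients,
# one legitimate map fetch, one malformed proxy call, and ordinary site traffic.
_P = "/plugins/content/plugin_googlemap2/plugin_googlemap2_proxy.php"
SAMPLE_LOG = [
    f'203.0.113.5 - - [28/Feb/2015:10:00:01 +0000] "GET {_P}?url=http%3A%2F%2Fvictim.example%2Fdownload%2Fbig.iso HTTP/1.1" 200 5242880',
    f'203.0.113.5 - - [28/Feb/2015:10:00:02 +0000] "GET {_P}?url=http%3A%2F%2Fvictim.example%2Fdownload%2Fbig.iso HTTP/1.1" 200 5242880',
    f'203.0.113.6 - - [28/Feb/2015:10:00:02 +0000] "GET {_P}?url=http%3A%2F%2Fvictim.example%2F HTTP/1.1" 200 48211',
    f'198.51.100.7 - - [28/Feb/2015:10:00:03 +0000] "GET {_P}?url=http%3A%2F%2Fvictim.example%3A80%2Fsearch%3Fq%3Dx HTTP/1.1" 200 91002',
    f'198.51.100.7 - - [28/Feb/2015:10:00:04 +0000] "GET {_P}?url=http%3A%2F%2Fvictim.example%2F HTTP/1.1" 200 48211',
    f'192.0.2.9 - - [28/Feb/2015:10:00:05 +0000] "GET {_P}?url=http%3A%2F%2Fmaps.google.com%2Fmaps%2Fapi%2Fgeocode%2Fjson%3Faddress%3DMain HTTP/1.1" 200 1342',
    f'192.0.2.10 - - [28/Feb/2015:10:00:06 +0000] "GET {_P} HTTP/1.1" 400 221',
    '192.0.2.11 - - [28/Feb/2015:10:00:07 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for host, info in reflection_targets(SAMPLE_LOG).items():
        print(f"{host}: {info['hits']} proxied requests from {info['sources']} clients")
```

Because the reflector completes a TCP handshake with the attacking client, the source addresses in the log are real and can be blocked; the more durable fix is to remove or patch the plugin so the proxy only fetches from an allow-list of map hosts.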
Ramnit botnet shut down. Europol's European Cybercrime Centre (EC3), Microsoft, AnubisNetworks, and Symantec carried out an operation to shut down the Ramnit botnet's 7 command and control (C&C) servers and redirected traffic from 300 domains used by the botnet. EC3 estimated that more than 3.2 million Windows computers had been infected by the botnet's malware via spam campaigns, phishing scams, and drive-by downloads that installed code granting attackers access to banking credentials and other log-in information.
McAfee: Popular mobile apps remain vulnerable to MitM flaws found last year. Intel Security's McAfee Labs reported that almost 75 percent of the most popular mobile apps found vulnerable to man-in-the-middle (MitM) attacks in a September 2014 analysis by the CERT Coordination Center at Carnegie Mellon University remain exposed months after the flaws were first identified.
Connecticut credit union manager found wearing suspected bomb vest. On February 23 police found an Achieve Financial Credit Union executive in a car outside the New Britain, Connecticut branch with a bomb-like device strapped to his body in an apparent scheme to rob the financial institution, which was aborted after the man was allegedly abducted from his home. The suspected explosive device was removed and destroyed without incident, and officials are seeking 3 suspects in connection with the incident while working to determine whether the executive was a willing participant in the alleged plot.
Older vulnerabilities a top enabler of breaches, according to report. Hewlett Packard security researchers reported that 44 percent of known breaches happened as a result of server misconfigurations and vulnerabilities discovered years ago. The report attributes 33 percent of identified exploit samples to Microsoft Windows and 11 percent to Adobe Reader and Acrobat, with 6 bugs in Oracle Java and 2 in Microsoft Office among the most exploited.
Norton update caused Internet Explorer to crash. Symantec released a new version of the Intrusion Prevention System (IPS) definition package after a corrupt file in the previous release caused the 32-bit version of Microsoft’s Internet Explorer Web browser to crash on computers running Norton Security, Norton Security with Backup, Norton 360, and Norton Internet Security.
Comodo's PrivDog breaks HTTPS security possibly worse than Superfish. A security researcher discovered that Comodo's PrivDog browsing privacy protection tool compromised browsing security by acting as a man-in-the-middle (MitM), intercepting every HTTPS connection and replacing the site's certificate with one of its own without validating the original, so that browsers accepted every HTTPS certificate, including invalid and self-signed ones, regardless of which authority issued it. The issue could affect nearly 64,000 users worldwide, and PrivDog released an update with a fix for the issue.
CSIS security group warns of fake emails using its name. CSIS security experts discovered an email campaign that spoofed the company's email address and used an employee's name to distribute a malicious attachment and deploy malware on the recipients' machines. The Denmark-based company provides security services for some of the largest global banks and acts as a consultant to governments, media, and businesses.
Ex-Oppenheimer executive pleads guilty in loan fraud scheme: A former Oppenheimer & Co executive pleaded guilty in Manhattan federal court February 20 for his role in a fraud scheme that deceived Oklahoma regulators and the company by collaborating with three individuals to process a $30 million loan through the investment bank for the fraudulent purchase of Providence P&C while illegally using the insurance company’s assets as collateral. The case originated with a related investigation into Park Avenue Bank, which went under in March 2010.
Cisco IPv6 processing bug can cause DoS attacks: Cisco announced that its NCS 6000 and Carrier Routing System (CRS-X) contain an IPv6 software bug that attackers could repeatedly exploit by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card to cause an extended denial of service (DoS) condition.
Superfish SSL interception library found in several applications: Researchers. Security researchers discovered that the Komodia Redirector and SSL Digestor, originally used by the Superfish software preinstalled on Lenovo laptops, can be found in several products and in at least 12 Facebook applications that use the SSL interception library. The researchers stated that Komodia’s proxy software does not properly implement SSL or validate certificates, enabling attackers to potentially hijack affected users’ connections.
Tax-related spear-phishing aims at CTOs in tech companies. Security researchers at Talos discovered a new phishing campaign targeting chief technology officers (CTOs) with malicious attachments disguised as Microsoft Word documents laced with macros that download the Vawtrak banking trojan, which can capture user credentials for more than 100 online services. The emails purport to be related to large-sum payment details and federal taxes, with some appearing to originate from fake government addresses.
Commercial spyware found in enterprise environment. Security researchers at Lacoon Mobile Security and Check Point discovered 18 different commercial remote access trojan (mRAT) spying tools on 1,000 of 900,000 corporate mobile devices tested; the tools connect to the company’s Wi-Fi and communicate with a command and control (C&C) server. The spyware, generally marketed for monitoring children, allows employers to track the location of users, log activity on the device, access emails, texts, and contacts, and possibly activate the device’s microphone for recording.
Hackers now popping Cisco VPN portals. An Australian hacker reported a flaw that allows attackers to crack customized Cisco virtual private networks (VPNs) to steal credentials, inject malware, modify Clientless Secure Sockets Layer (SSL) and VPN portal content, and launch cross-site scripting (XSS). Cisco stated that the flaw was due to improper implementation of authentication checks in the customization framework of Clientless SSL VPN portal versions earlier than October 8, 2014 and recommended customers follow their incident response process.
Android malware takes over device’s shutdown process. AVG security researchers discovered a new mobile malware strain affecting Android devices that hijacks the shutdown process and obtains root permission to run nefarious activities such as initiating calls or taking pictures while the phone appears to be off.
Over 250,000 home routers found with duplicate SSH keys. A Shodan researcher discovered that misconfiguration of devices likely led over 250,000 home routers from Spain, 200,000 routers mostly from China and Taiwan, and 150,000 routers from the U.S. and Japan to share the same Secure Shell (SSH) keys, which could allow an attacker to gain access to any of the devices with a single key. Researchers recommended disabling SSH connectivity in the router.
Lenovo to stop pre-installing controversial software. Errata Security researchers determined that Superfish adware pre-installed on Lenovo computers hijacks and throws open encrypted connections, allowing hackers to seize connections and listen in through man-in-the-middle (MitM) attacks. Lenovo disabled all Superfish software from its consumer computers and stopped pre-installing the software on its devices, but experts warned that systems could still be vulnerable even after uninstalling the software.
DoubleFantasy is Equation group’s first attack wave. Kaspersky analysts discovered that hackers from the cyber-espionage group Equation developed the DoubleFantasy trojan, a tool used to verify the infected system as a target and a vehicle for installing more sophisticated attack tools that could steal usernames and passwords for Microsoft’s Internet Explorer and Mozilla’s Firefox Web browsers, Windows protected storage on versions up to Windows XP, and operating system authentication subsystems on Windows Vista and above. Multiple versions of the tool were discovered, and some were deployed to targets via a post-meeting compact disk from a 2009 scientific conference in Houston.
Accused Russian hacker to face charges in US court. A Russian national was extradited to the U.S. and charged February 17 in New Jersey for his alleged involvement in an international scheme that stole more than 160 million credit card numbers, resulting in hundreds of millions of dollars in losses to consumers and financial institutions including Dow Jones, 7-Eleven, Nasdaq, Visa, and JetBlue. The suspect, arrested in the Netherlands in 2012, allegedly hacked victims’ networks to gain access to usernames and passwords, credit card data, and personally identifiable information, and sold them to resellers around the world.
Fire badly damages Key Bank branch in Phoenicia; vault contents, customer records OK. The Key Bank branch in Phoenicia, New York, issued a statement that all client information and vault contents were secure February 17 after a February 16 fire caused extensive damage to the structure. The cause of the fire remains under investigation, and the bank is closed indefinitely until officials can repair the damage.
Vawtrak trojan downloaded via malicious macro for Microsoft Word. Trend Micro security researchers discovered a new cyber criminal campaign targeting banks including Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan with emails containing malicious macro-enabled Microsoft Word documents that install the Vawtrak banking trojan by downloading a batch file, a Visual Basic Scripting Edition (VBScript) file, and a PowerShell file. The malware serves clients modified pages to trick them into providing login data for Microsoft Outlook, Google Chrome, Mozilla Firefox, and file transfer protocol (FTP) clients.
Banking trojan Dyreza sends 30,000 malicious emails in one day. Bitdefender security researchers discovered that 30,000 malicious emails containing the banking trojan Dyreza were sent in one day to customers of banks including HSBC, NatWest, Barclays, RBS, Lloyds Bank, and Santander from servers in the U.K., France, Turkey, Russia, and the U.S. The trojan allows hackers to covertly steal credentials and manipulate accounts.
Author of Android Xbot malware includes curse at AV companies. Avast security researchers discovered that the Xbot Android malware infected over 2,570 installations in 350 unique files through third-party marketplaces since the beginning of February. The malware persistently runs on infected devices, has the capability to download content to command and control (C&C) servers, and primarily focuses on capturing, reading, and writing short text messages.
Credit card info stolen in BigFish Games site compromise. BigFish Games reported that the personal and financial information of some of its customers who made purchases between December 24, 2014 and January 8 may have been compromised after the company discovered malware installed on the billing and payment pages of its Web site January 12. Affected customers were notified of the breach February 11, and the company removed the malware and has taken steps to prevent it from being reinstalled.
Siemens fixes security flaws in Simatic Step 7 (TIA Portal). Siemens patched two minor and two more severe vulnerabilities due to glitches in Simatic Step 7 that allowed hackers to possibly learn user passwords, escalate privileges, or hijack and intercept industrial communication on TCP port 102.
Flaw in Netgear Wi-Fi routers exposes admin password, WLAN details. A network engineer discovered and notified Netgear support that certain versions of the brand’s WNDR3700v4, WNR2200, and WNR2500 home wireless routers contain a vulnerability in the embedded simple object access protocol (SOAP) service that could allow unauthenticated remote and locally connected attackers to obtain the administrator password, device serial number, WLAN details, and various information related to clients connected to the device.
Arabic threat group attacking thousands of victims globally. Kaspersky Lab security researchers reported that “Desert Falcons,” the first known full-scale Arabic cyber-espionage group, has used spear-phishing and social engineering techniques to deliver two backdoors through 100 malware samples to infect Windows PCs and Android devices of targets based in Egypt, Palestine, Israel, Jordan, the U.S., and other countries for at least 2 years. The malware has full backdoor capability as well as the capability to steal call and SMS logs in its Android versions, and the attackers have targeted political, military, and government individuals and organizations, media outlets, energy and utility providers, physical security companies, and others holding geopolitical information.
Ongoing cyber attack on banks worldwide creates billion dollar loss. Kaspersky security researchers discovered that cyber criminals robbed over 100 financial institutions worldwide of up to $1 billion by using spear-phishing attacks exploiting 2 vulnerabilities in Microsoft Office and 1 vulnerability in Microsoft Word to install malware and infiltrate institutions’ networks. The attackers cashed in by instructing ATMs to dispense money at specific times without payment cards, opening accounts with fake balances, and artificially inflating account balances of bank customers and then transferring the surplus to their accounts in China and the U.S.
Feds: Up to 900 potential victims of insurance scam preying on trucking companies. Federal investigators seized approximately $732,000 from Appeal Insurance Agency bank accounts February 12 alleging that the owner scammed up to 900 victims, primarily in commercial trucking, by collecting insurance premiums without securing legitimate policies and using the money to fund his lifestyle and pay off insurance claims filed with his office. Authorities found that $3.7 million was deposited into one of the owner’s accounts between January 2013 and July 2014.
Firmware of over a dozen hard drive brands altered to lodge malware. Kaspersky researchers discovered that a cyber-espionage group calling itself Equation modified hard drive firmware in over 12 brands to potentially infect tens of thousands of computers worldwide, including those in sectors such as government and military institutions, nuclear research, oil and gas, telecommunications, transportation, and the financial sector, among others. Reprogramming the firmware allowed attackers to create persistent hidden storage spaces accessible only through specific methods known to them.
In the wake of TurboTax fraud, email scams emerge. Intuit reported an increase in phishing scam attempts to harvest personal and financial information from TurboTax users using a variety of themes, including notifications of bogus security checks, fake tax return status updates, or notices of locked accounts. Users are led to click on a URL that links to a fake log-in page used by hackers to steal names, addresses, and Social Security numbers.
Brinks guard shot at Capital One Bank near Galleria dies. Authorities are searching for three suspects after their getaway vehicle was found near the robbery scene following an attempted robbery of a Brinks truck that left a security guard dead near the Galleria area of Houston February 12. The suspects shot at the vehicle and the security guard during the incident.
16 million mobile devices infected by malware. Alcatel-Lucent’s Motive Security Labs released a report finding that approximately 16 million mobile devices worldwide were infected by malware, with a 25 percent increase in mobile device infections in 2014. Researchers also found that command and control (C&C) protocols were more sophisticated and that mobile spyware increased, among other findings.
RIG exploit kit source code leaked online. Trustwave researchers analyzed an alleged leak of source code for the RIG exploit kit and determined that the code is legitimate; the individual published the code after attempting to sell it online. The leaker also claimed that the exploit kit included exploits for two Internet Explorer, two Adobe Flash Player, one Microsoft Silverlight, and two Java vulnerabilities.
Several PayPal-mimicking phishing sites taken offline. OpenDNS researchers found a number of phishing Web sites that appear as legitimate PayPal sites being used to steal users’ login credentials. PayPal is working to shut down the fraudulent sites.
Ex-GOP candidate for governor facing fraud charges. A former candidate for governor and his girlfriend were arrested and charged during the week of February 2 for allegedly stealing more than $11 million from investors in New York and North Carolina and attempting to defraud banks of $8 million by submitting fake tax returns and inflated pay stubs in 3 schemes between February 2009 and July 2013. The pair allegedly promised investors that their money was being used to buy and consolidate other investment firms while the funds were actually being used for the pair’s personal use and other business ventures.
Google Play, browser flaws expose Android devices to remote code execution. Researchers at Rapid7 reported that vulnerabilities in Google Play due to a lack of appropriate X-Frame-Options (XFO) headers, combined with a universal cross-site scripting (UXSS) vulnerability in browsers shipped with Android versions prior to 4.4 (KitKat) or a cross-site scripting (XSS) bug in Google Play, could be leveraged by attackers to remotely install arbitrary Android application packages (APKs) on smartphones. Attacks can be prevented by logging out of the Google account prior to using the affected browsers, or by using Mozilla Firefox or Chrome instead.
Simplocker ransomware for Android returns with new version. Avast researchers reported that over 5,000 unique users were infected by a newly discovered Simplocker ransomware variant for Android that poses as an Adobe Flash Player update, employs unique encryption keys to make unlocking difficult, and displays a fake notification from the FBI about suspicious files and copyright infringement to fool victims into paying the $200 ransom.
Feds seize over $7 million (plus a little Bitcoin) during software piracy investigation. Federal agents seized $25,000 in cryptocurrency from a Seattle resident and more than $7 million and other assets from related suspects in December 2014 as part of an ongoing software piracy case. The January 30 court filing alleges that suspects traded and distributed fraudulent product activation key codes for Microsoft and other software through e-commerce sites to make at least $30 million in profits since 2009.
Cyber Caliphate hackers take over Twitter account of Newsweek. The FBI is investigating a February 10 hijack of Newsweek’s Twitter feed in which attackers claiming to be Islamic State (ISIS)-affiliated hacker group Cyber Caliphate posted threats to the U.S. President’s family before the company regained control of the feed within 14 minutes. Newsweek confirmed that the Twitter accounts of International Business Times and Latin Times were also hijacked by the group.
Researchers bypass all Windows protections by modifying a single bit. Microsoft released a patch for two vulnerabilities, including one that affected all versions of the Windows operating system via the Windows kernel-mode driver and allowed attackers to install software, view and change data, and create new accounts with full administrative rights. A patch addressing a critical remote code execution flaw was also released.
Microsoft patches critical Windows, Internet Explorer vulnerabilities in Patch Tuesday update. Microsoft issued 9 security bulletins that fixed a total of 41 vulnerabilities as part of its Patch Tuesday updates, which address issues in Windows, Office, and server software.
Microsoft corporate clients targeted with volume license phishing email. A Cisco Threat Defense researcher reported that cyber criminals were targeting Microsoft’s corporate users with phishing emails purporting to be from Microsoft’s Volume Licensing Service Center; the emails contain a link that leads to a compromised WordPress server and downloads the Chanitor malware.
Waldwick police seize 125 credit cards from Walgreens customers. Three individuals were arrested by police at a Waldwick Walgreens February 7 when they were caught with more than 125 stolen credit cards allegedly taken from all over the U.S. The suspects were caught while purchasing a gift card, and police found additional gift cards on them when they were arrested.
New York plans cybersecurity reviews of insurers after breach. New York’s Financial Services Department announced plans February 9 to increase State insurers’ preparedness through regular cyber-security reviews and enhanced regulations in the wake of February’s Anthem Inc. breach that affected up to 80 million customers.
About 40,000 MongoDB databases found open online. Three Saarland University cyber-security students reported security vulnerabilities in MongoDB’s database configuration, including servers with no access control mechanisms that could potentially allow access outside the backend and expose the information of millions of customers to unauthorized parties. An initial scan found nearly 40,000 databases that were open, prompting the researchers to submit their findings to MongoDB maintainers for integration into revised security instructions for users.
Researcher publishes 10 million usernames and passwords. A researcher released 10 million username/password combinations that he collected over the years in an attempt to advance research and make authentication more secure. The researcher asserted that most combinations were dated and had been scrubbed of all identifying and compromising information.
Box Sync for Mac exposed sensitive information: Researcher. Box Sync for Mac released version 4.0.6035 to fix a security issue discovered in January that exposed Python files containing sensitive data such as application programming interface (API) keys, internal user IDs, passwords, and URLs. Box Sync representatives asserted that customer data was never at risk.
LG fixes authentication bypass vulnerability in on-screen phone app. LG released On-Screen Phone application update 4.3.010 to fix a vulnerability discovered by Search-Lab researchers in September 2014 that allowed attackers to possibly bypass authentication and take control of users’ smartphones without their knowledge through a connection between the mobile device and the computer conducted via USB cable, Wi-Fi, or Bluetooth.
Tax fraud prompts Intuit to temporarily suspend state e-filing. Financial software developer Intuit paused State income tax e-filings made through the company’s TurboTax services February 5 and restored services February 6 after suspected fraudulent filings using stolen identities appeared in returns from 19 States.
Area real estate investor guilty in multimillion dollar wire fraud, monetary transactions case. A real estate investor pleaded guilty February 6 to defrauding investors out of $7 million to $20 million using the Quantico Corporate Center in Stafford, Virginia, as an investment opportunity. Instead of investing the millions into land development deals, the real estate investor spent the money on poor day trading investments and other transactions.
Surfside investment advisor in Ponzi scheme charged with fraud. A Surfside investment advisor was charged with wire-fraud conspiracy February 5 for allegedly receiving commissions in return for advising investors to sink millions into a $1.2 billion Ponzi scheme. The investment advisor collaborated with a Fort Lauderdale lawyer who was convicted and sentenced in 2010 for his role in the investment scam.
DDoS malware for Linux distributed via SSH brute force attacks. FireEye researchers reported February 9 that a campaign utilizing Secure Shell (SSH) brute force attacks to install the XOR.DDoS distributed denial of service (DDoS) malware, first discovered by Malware Must Die in September 2014, has executed nearly 1 million login attempts between November 2014 and the end of January.
Impostors bilk Omaha’s Scoular Co. out of $17.2 million. Officials reported that Scoular Co. of Omaha was defrauded out of $17.2 million in June 2014 when perpetrators impersonated the company’s chief executive and outside auditing firm via email and ordered the Scoular controller to wire 3 separate payments to the Shanghai Pudong Development Bank in China, to be held for Dadi Co. Ltd. The FBI is seeking to recover the lost funds and continues to investigate the incident.
Suspected bank robber shot and killed by police after chase in Chino. A man who robbed the Corona branch of the Pacific Premier Bank February 4 was killed in a shootout with police after allegedly carjacking a vehicle and leading a pursuit that ended in Chino when he crashed the car.
Zero-day flaw in WordPress plugin used to inject malware into sites. WordPress patched a zero-day flaw in its FancyBox plugin after Sucuri researchers, responding to numerous user complaints of malicious “iframe” injections on their sites, determined that the vulnerability could allow attackers to inject malware or scripts into Web sites.
Adobe Flash Player security update fixes 18 vulnerabilities. Adobe released updates that patch a total of 18 Flash Player vulnerabilities, including fixes for use-after-free flaws and two type confusion vulnerabilities.