Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive claiming to be from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
ATM and gas pump skimming information: see the linked article.
5/23/2013
New Citadel malware strain targeting Payza service. Researchers at Trusteer discovered a new variant of the Citadel banking malware targeting users of the Payza money transfer service. The malware uses a man-in-the-browser technique to obtain users’ login information and PIN.
Apache Darkleech PDF and JavaScript attacks infect hundreds more websites. Researchers at Zscaler discovered a marked increase in the number of Web sites being infected by Darkleech (a.k.a. Linux Cdorked) JavaScript attacks. The exploit injects malicious redirections that lead to a page hosting the Blackhole exploit kit.
Researchers find critical vulnerabilities in popular game engines. Researchers at ReVuln found memory corruption and buffer-overflow issues in four computer game engines that could allow attackers to launch remote code execution or denial of service attacks against clients and servers.
Google fixes more than a dozen flaws in Chrome 27. Google released the newest version of its Chrome browser, addressing 16 vulnerabilities ranging in severity.
5/21/2013
Cyber espionage campaign uses professionally-made malware. Researchers at Trend Micro identified a large cyberespionage campaign dubbed “Safe” that has targeted computers in several countries and appears to have been created by an individual with formal computer engineering training.
Form-grabbing rootkit sold on underground forums. A Webroot researcher found a rootkit for sale on underground forums known as “Private Grabber” that can capture communication sent over SSL and steal login credentials.
5/20/2013
Ransomware adds password stealing to its arsenal. Microsoft researchers found a new variant of the Reveton malware that downloads a password-stealing component after it infects a victim’s computer.
Mac malware found with valid developer ID at freedom conference. A security researcher participating in the Oslo Freedom Conference discovered a piece of malware for Apple OS X that takes regular screenshots from a victim’s computer and then sends them to two servers.
5/17/2013
Researchers reveal OpUSA attackers’ MO. Trend Micro researchers analyzed attacks in the recent OpUSA campaign and found that attackers compromised some sites ahead of time with compromised URLs.
PushDo malware resurfaces with DGA capabilities. The PushDo Trojan associated with the Cutwail botnet was found to now incorporate a domain generation algorithm (DGA) to avoid detection and increase resiliency.
5/16/2013
Mozilla’s Firefox update fixes three critical holes. Mozilla released an update for its Firefox browser that fixes three vulnerabilities rated “critical” or “high severity.”
Microsoft fixes 33 vulnerabilities. Microsoft’s latest Patch Tuesday release included critical fixes for several programs, including a fix for an Internet Explorer (IE) 8 zero-day flaw recently used in targeted attacks.
Google Android malware levels rocket as spam threat grows. F-Secure released its Q1 2013 Threat Report, which found malware variants targeting mobile devices have risen by 49 per cent since 2012, among other findings.
5/15/2013
New Dorkbot worm spreads via Facebook chat, steals data from infected PCs. A new variant of the information-stealing Dorkbot malware was identified by Bitdefender spreading through Facebook’s chat function and through infected USB drives.
5/14/2013
Privacy breach on Bloomberg’s data terminals. Bloomberg confirmed that reporters at its Bloomberg News division had had access to certain user information from customers using the company’s financial data terminals service before a complaint prompted the access to be disabled.
Malicious browser extensions are hijacking Facebook accounts. Microsoft warned that Facebook accounts are being hijacked via malicious extensions for the Firefox and Chrome Web browsers.
Font apps on Google Play deliver spyware. Webroot identified two malicious Android apps on the Google Play app store that download spyware to users’ devices. Google removed the apps but they remain on their developer’s site.
5/13/2013
Winnti backdoor created with Aheadlib to mimic legitimate system library. Researchers at Trend Micro found a new Winnti malware family backdoor dubbed “Bkdr_Tengo.A” which was built with Aheadlib in an attempt to make the malware appear to be a legitimate system library.
Hijacking Facebook accounts via expired Hotmail accounts. Researchers at Rutgers University found that Facebook accounts can be hijacked by requesting automatically retired Hotmail email accounts to be assigned to a new user, and then using Facebook’s password reset function.
5/10/2013
Adobe warns of critical vulnerability in ColdFusion. Adobe warned users that a critical vulnerability in ColdFusion has been observed in the wild which can allow unauthorized users to remotely retrieve files stored on servers.
Name.com forces customers to reset passwords following security breach. Domain registrar Name.com required its customers to reset their passwords after a security breach that may have exposed usernames, email addresses, encrypted passwords, and credit card information.
5/9/2013
OpUSA: Fake leaks, small website defacements, and “pedestrian” DDOS attacks. The “OpUSA” campaign of attacks against U.S. Web sites organized by various groups claiming the Anonymous label appears to have caused only minor damage or disruption, according to researchers.
Stealthy Web server malware spreads further. The Linux/Cdorked malware found infecting Apache Web servers continues to spread via an unknown means, with new versions found that are engineered for widely-used Lighttpd and NGINX servers.
Old IE attack finds its way into Cool Exploit Kit. Microsoft reported that the Cool Exploit Kit has been updated to include an Internet Explorer (IE) vulnerability that was patched in June 2012, as well as Adobe Reader and Flash vulnerabilities.
Hackers gain access to all .edu domains. The Hack the Planet (HTP) hacker group disclosed vulnerabilities in the MoinMoin wiki system and Adobe Cold Fusion that the group used in past attacks against Linode and the Massachusetts Institute of Technology.
5/8/2013
US convenience store chain Mapco Express hacked, payment cards compromised. The Mapco Express convenience store chain experienced a breach of customer credit/debit card information after malware was planted in payment processing systems. Customers who used credit/debit cards at Mapco Express stores during certain periods in March and April may be affected.
Exploit for new IE8 0-day vulnerability in the wild. A Metasploit module that exploits an Internet Explorer (IE) 8 zero-day vulnerability used in recent watering hole attacks is now available, making the exploit generally accessible. Microsoft suggested several security measures to implement until a patch is developed.
Malicious Flash Player updates hosted on Dropbox. Researchers at Zscaler found and analyzed a fake Flash Player update attack that stores the malicious update in a Dropbox account. The files attempt to disable security programs and then drop a Sality variant onto victims’ systems.
Unpatched building management system exposes Google’s Wharf 7 HQ to hackers. Two security researchers found that the Tridium Niagara AX building management system at Google Australia’s Wharf 7 headquarters was vulnerable to attack due to Google not having applied a patch that closed known vulnerabilities.
Google fixes CSRF vulnerability in Translator and clickjacking flaw in Gmail. A security researcher published proof-of-concept videos for a Google Translate cross-site request forgery (CSRF) vulnerability, and for a clickjacking vulnerability in Gmail’s “Tasks” feature, after Google was informed and addressed the vulnerabilities.
5/7/2013
US SEC warns investors of oil and gas scams. The U.S. Securities and Exchange Commission issued a warning to investors over the increasing number of fraud schemes involving oil and gas ventures.
IE8 0-day used in watering hole attacks. An attack on the U.S. Department of Labor’s Web site the week of April 30 utilized a previously unknown exploit for the Internet Explorer (IE) 8 browser, and was found to also have been used in other watering hole attacks on aerospace, defense, and non-profit organization Web sites.
Experts identify 9 full sandbox bypass exploits affecting IBM Java. Researchers at Security Explorations discovered five new and four improperly addressed exploits for IBM’s Java sandbox, allowing a complete bypass of the sandbox.
Critical security updates released for IP.Board 3.2.x, 3.3.x and 3.4.x. Invision Power Services released updates for three IP.Board versions and advised users to apply the patches to close a critical security vulnerability that could allow unauthorized access to administrator accounts.
5/7/2013
g01pack: First exploit kit to deliver payload via multistage attack. Researchers at Trusteer found a variant of the g01pack Java exploit kit that delivers its payload in a multistage attack to help avoid security programs.
OAuth vulnerabilities allowed hackers to access private photo on Instagram. A researcher at Break Security identified two methods to hijack Instagram accounts by exploiting OAuth flaws. The flaws were reported to Instagram’s owner, Facebook, and were addressed.
Certificate bug in open source IPsec VPN. The developers of the strongSwan open source IPsec VPN software found its software may accept invalid digital signatures and certificates if the OpenSSL crypto backend is enabled.
CakePHP 1.2.12, 1.3.16, 2.2.8, and 2.3.4 released to prevent SQL injections. The Cake Software Foundation released updates to several versions of CakePHP to address a vulnerability that could allow SQL injection attacks.
5/3/2013
Java applet runs wild inside Notes. Researchers and IBM found that IBM’s Notes collaboration software can be compromised by sending HTML emails containing a Java applet or JavaScript, giving attackers access to user and company files.
D-Link publishes beta patches for IP camera flaws. D-Link published beta patches to address vulnerabilities in its IP surveillance cameras that could allow attackers to intercept video streams. Final versions of the patches will be available within a month.
Printers, routers used as bots in DDoS attacks. A report from Prolexic warned that various Internet-connected devices such as printers and IP cameras are being used in distributed denial of service (DDoS) attacks.
Bitdefender experts identify new TDL malware variants. Researchers at Bitdefender found new variants of the often-undetected TDL malware designed to infect computers’ master boot records.
5/2/2013
FBI: DDoS botnet has been modified. The FBI warned that the Brobot botnet used in a campaign of hacktivist attacks against U.S. banking institutions has been updated in an attempt to circumvent banks’ countermeasures.
Reputation.com hacked, all users passwords reset. Internet reputation and management company Reputation.com suffered a security breach where attackers obtained personal information and a limited number of encrypted passwords. The company reset all users’ passwords and is investigating.
Not cool: Bitcoin mining malware found in ESEA server client. The popular ESEA server client used for online gaming was found to contain Bitcoin mining malware, with some users reporting overheated or disabled GPUs as a result of the mining.
5/1/2013
Vulnerabilities in D-Link IP cameras can be used to capture video streams. Several vulnerabilities in D-Link IP cameras can be exploited to access video streams, execute arbitrary commands, bypass authentication, and other purposes, according to research from Core Security.
4/30/2013
Hackers access personal data of 50 million LivingSocial users. The operators of LivingSocial contacted about 50 million customers and asked them to change their passwords after attackers may have compromised encrypted passwords and personal information.
Umbraco developers warn users of severe vulnerability in integration Web services. The developers of the Umbraco content management service alerted customers to a vulnerability in the platform’s integration Web services affecting all versions.
McAfee spots Adobe Reader PDF-tracking flaw. McAfee researchers found a security flaw in Adobe Reader that can show when a user opened a document and where the file is located on users’ systems.
Travnet Trojan compresses files to send more info to data thieves. A new trojan dubbed “Travnet” was spotted by researchers being used in a targeted operation. The malware can gather user information and steal files by compressing them and then sending them back to botnet operators.
4/29/2013
Researchers warn over Apple Safari flaw. Researchers at Rapid7 highlighted a flaw in Apple’s Safari browser that could allow attackers to hijack users’ sessions or extract information and files if a victim opens a malicious webarchive file.
Possible Exploit Avenue discovered for DarkLeech web server attacks. A Cisco Systems researcher found that a script targeting Horde/IMP Plesk Webmail vulnerability may be the avenue of attack used by the DarkLeech campaign targeting servers running Apache 2.2.2 and up.
4/26/2013
Number of DDoS attacks increased by 200% in 2012, study shows. Akamai’s fourth quarter 2012 State of the Internet report found that distributed denial of service (DDoS) attacks increased by 200% compared to 2011, and detailed other DDoS findings.
Researcher’s serial port scans find more than 100,000 hackable devices, including traffic lights and fuel pumps. A researcher from Rapid7 presented findings to the Infosec Southwest conference detailing how attackers could compromise various older devices that utilize serial ports connected to networking equipment. He found that devices set up in this manner had poor security and control varied operations including heating and cooling systems, point-of-sale (PoS) devices, and fuel pumps, among others.
4/25/2013
Cyber-attack briefly shutters Charles Schwab website. A distributed denial of service (DDoS) attack against Charles Schwab Corp shut down the company’s Web site and mobile applications for around 2 hours April 23.
Latest Gozi Trojan variant comes packaged with rootkit. The latest version of the Gozi banking malware now includes a difficult-to-extract rootkit that infects the master boot record (MBR) and injects itself into Internet Explorer upon launch to steal banking information.
Microsoft re-releases ‘Blue Screen of Death’ patch. Microsoft reissued a patch that previously crashed some users’ systems and sent the PCs into an endless reboot cycle.
4/24/2013
Wireless hack attacks target critical infrastructure. Network control systems for critical infrastructure are vulnerable to attacks carried out over Software Defined Radio (SDR), according to Digital Assurance. Proprietary wireless technologies in control devices may allow network access and networks will grow more vulnerable as more smart meters are installed.
Cyber-attacks growing more sophisticated, targeting IT firms. A report by FireEye found several trends in cyber-attacks, including the heavy use of command and control hubs, technology organizations being among the most common targets, and that most advanced persistent threat (APT) attacks are in some way associated with Chinese groups.
Viber flaw allows hackers to bypass Android smartphone lock screens. Researchers at Bkav identified a vulnerability in the Viber phone and texting application that could allow attackers to bypass the lock screen on Android smartphones, enabling full access to the device.
Researchers discover more BadNews on Google Play. The BadNews malware for Android was again found in the Google Play store after Google removed other instances of it April 22. The malware steals users’ device information and tricks them into downloading other malicious apps.
Report: DDoS attacks getting bigger, faster than ever. Arbor Networks’ first quarter ATLAS report found that the average speed of distributed denial of service (DDoS) attacks grew to about 1.77 Gbps, and that large attacks exceeding 10 Gbps are increasing.
4/23/2013
World’s largest bitcoin exchange under DDoS attack. Mt. Gox, the largest exchange service for virtual currency Bitcoin, was downed by a distributed denial of service (DDoS) attack April 22, the latest in a series of recent DDoS attacks against the site.
TorRAT malware launches MitB attack to hijack Twitter accounts. A variant of the banking credential malware TorRAT has been found in the wild that steals authentication tokens to hijack users’ Twitter accounts and then send out tweets with malicious links.
108,000+ account details of Sims players leaked. The NewSeaSims resource for players of The Sims suffered a leak of user information affecting around 108,000 users.
World of Tanks security breach exposes email addresses and password hashes, but financial information remains safe. Wargaming.net, the owners of World of Tanks, reported a security breach where users’ information may have been compromised. Financial information was not affected, and Wargaming.net advised users to change their passwords.
4/22/2013
Reddit disrupted by DDoS attack – 4/19/2013. Representatives from Reddit announced the site was the target of a DDoS attack that disrupted service and that they are working to mitigate the incident.
Hackers deface Google Kyrgyzstan and Google Bosnia and Herzegovina. Two hackers have defaced Google Kyrgyzstan and Google Bosnia Herzegovina along with several of their .kg and .ba domains. By breaching the country’s domain registrar, cybercriminals can make it seem as though they have breached a large number of high-profile Web sites.
Websites of 8 US organizations hacked for OpUSA. A hacktivist group is taking credit for defacing 8 U.S. organizations’ Web sites as part of their campaign to go after establishments with ties to the government. Some of the sites have been restored while others were taken offline.
Cybercriminals use fake TPG Telecom notifications to spread ZeuS variant. Kaspersky published a spam report and detailed an email campaign that utilizes the Australian telecom company TPG Telecom to distribute a variant of the ZeuS Trojan through an attachment.
4/19/2013
US Bitcoin exchange BitFloor shuts down again. Due to issues with financials, BitFloor, the largest Bitcoin exchange in the U.S., closed down indefinitely and will return all funds. The exchange is unable to provide the same amount of USD deposits and withdrawals as it has in the past.
Malware alert: Fertilizer plant explosion near Waco, Texas. Hackers are utilizing current U.S. events in order to send bogus emails depicting the incidents in the form of malicious links and videos that push malware onto victims’ computers through a RedKit exploit kit.
Snapchat warns users of spam campaign. The creators of Snapchat are warning users of hoax accounts that are targeting public accounts and sending spam messages inviting users to Skype conversations that could potentially link them to malicious sites or even make automated phone calls to spread bogus antivirus warnings. Snapchat temporarily disabled new account registrations and have prevented users from receiving messages from individuals not included on their friends list to help mitigate the issue.
Popular home routers contain critical security vulnerabilities. Researchers offered consumers options to mitigate potential attacks on their home and small office routers that contain security problems. Thirteen popular routers were discovered to be vulnerable, allowing a hacker to snoop on or modify network traffic as well as access credentials.
Backdoor Trojan uses “magic code” to contact C&C server. Researchers discovered a backdoor-opening malware that uses a “magic code” in order to start communication with the same IP address and port once the C&C server instructs it to do so. The attackers gain permanent access to the machine once the account is created.
Fake SourceForge website serves ZeroAccess malware. Experts from a security firm determined hackers are using a fake SourceForge Web site to drop the ZeroAccess Trojan onto users’ computers and inject malware.
Large-scale Google outage affects customers worldwide. Google is working to identify the cause of a nearly 3-hour outage of their web services April 17 when users noticed service disruptions worldwide.
Malwarebytes cripples thousands of computers with faulty software security update. Malwarebytes released a definitions update April 16 that treated essential Windows .dll and .exe files as malware, thereby stopping them from running and knocking thousands of IT systems and computers offline. The company is reworking the update and posted details for affected firms on its forum page.
Official UGG blog hacked, abused for HSBC phishing scheme. The official UGG blog has been breached by hackers who are using the space to host a phishing scheme designed to look like the HSBC Web site and lure users into providing their personal information. The attack is executed through an email with the malicious HTML file attached.
4/18/2013
DDoS attacks have increased in number and size this year, report says. A report by Prolexic found that the volume, frequency, and duration of distributed denial of service (DDoS) attacks have increased significantly during the first 3 months of this year.
Tactics of WordPress attackers similar to bank assaults. Security researchers found similarities in recent brute-force attacks on WordPress Web sites and the methods used to create the Brobot botnet used in distributed denial of service (DDoS) attacks on financial institutions.
Mobile malware up 163 percent in 2012, study says. A report by NQ Mobile found that malware targeting mobile devices increased 163 percent in 2012, and that the Android operating system was targeted by nearly 95 percent of mobile malware discovered in 2012.
2.4M cards compromised in US supermarket chain breach. The Schnucks supermarket chain announced details of a data breach where attackers gained access to around 2.4 million customers’ credit and debit card information via its systems and networks. Seventy-nine of the chain’s 100 stores may have been compromised over 4 months.
Attackers gain access to Linode customer data. Hosting company Linode provided details of an attack on its servers, stating that attackers gained access to one of its Web servers as well as part of its backend code and customer database.
Symantec report finds small businesses battered by cybercrime. Symantec’s Internet Security Threat Report 2013 found that small businesses are increasingly the targets of cyberattacks due to typically less-secure systems and to serve as a foothold for access to larger companies’ systems.
4/16/2013
Web hosting company Linode hacked, Seclist.org impacted. Linode, the Web hosting provider for Seclist.org, detected suspicious activity on its networks as attackers attempted to access the virtual private server (VPS) systems of Seclist.org.
Online poker rooms fraught with vulnerabilities. Findings published by two researchers found that many online poker Web sites whose clients rely on “skins” to design the gaming environment are vulnerable to attacks due to the Web site’s software updating infrastructure.
Brute force attacks build WordPress botnet. A growing series of brute force attacks against Wordpress blogs appears to be designed to compromise servers and recruit them into a large botnet that is already comprised of over 90,000 servers.
4/15/2013
Microsoft shelves patch, asks customers to uninstall, after error discovered. Microsoft advised users to uninstall a recent patch and ceased distribution of the update after users reported system errors caused by interaction with certain third-party software.
Twitter OAuth feature can be abused to hijack accounts, researcher says. A researcher at Swissquote Bank presented a method where Twitter’s application programming interface (API) could potentially be misused to send Twitter access tokens to attackers for use in social engineering attacks.
Rotten spam causing more infections than ever. A report by AV-Test found that spam emails contain an increasing number and variety of malware attachments or links, among other findings.
Linksys Smart Wi-Fi safe from home routers flaws; Classic configuration vulnerable. Cisco issued a clarification stating that its EA2700 routers are safe from recently discovered vulnerabilities if they are running the Smart Wi-Fi firmware, but that EA2700 running on the classic configuration remain vulnerable.
4/12/2013
ZeroAccess Bitcoin botnet shows no signs of slowing. Research by FortiGuard Labs found that the biggest threat in the past quarter came from the ZeroAccess Bitcoin mining malware, among other findings in their report.
Gaming company certificates stolen and used to attack activists, others. Kaspersky Lab researchers found that at least 35 gaming developers had their systems compromised in the past year and a half, with digital certificates stolen and used in other attacks. Source code was also stolen in an attempt to artificially increase in-game currencies.
4/11/2013
Social Media Widget for WordPress a source of spam. Researchers at Sucuri discovered that WordPress Social Media Widget version 4.0 had malicious code added to it that injects spam advertisements into Web sites, and recommended that over 900,000 users disable or remove the widget.
CAMP for Chrome catches 99% of malware, Google says. Google researchers presented a paper at the Network and Distributed System Security Symposium showing how their content-agnostic malware prediction system (CAMP) uses client- and server-side techniques to block almost all malware.
4/10/2013
Malicious HP scan notifications target employees. Cybercriminals have been spotted using fake Hewlett-Packard (HP) printer notifications with links to malicious sites to infect targets with malware, a variant of past attacks that used attached documents.
Android AirDroid flaw can lead to XSS, DoS attacks. The U.S. Computer Emergency Readiness Team (US-CERT) warned that the cloud management application AirDroid contains a vulnerability that could allow cross-site scripting (XSS) and denial of service (DoS) attacks.
4/9/2013
Shylock Trojan going global with new features, resilient infrastructure. Symantec found that the cybercriminals behind the Shylock banking Trojan have added new functions and infrastructure to the malware, expanding the banking institutions that it targets and allowing it to steal other passwords and user information.
Doctor Web hijacks control of BackDoor botnet from criminals. Antivirus provider Doctor Web took control of the BackDoor.Bulknet.739 botnet and posted an analysis of its composition and effectiveness.
Server attack forces Harmonix sites offline. Video game developer Harmonix took their Web sites offline April 7 after they detected a possible intrusion.
Bitcoin wallet service Coinbase faces phishing attacks after data leak. Coinbase, a wallet service for the virtual currency Bitcoin, accidentally exposed user and transaction information on its Web site, leading to phishing attacks against the revealed email addresses.
Android Trojan spreads through Cutwail spam botnet. A large Cutwail botnet has been found spreading an Android Trojan dubbed Stels which is capable of gleaning user information and performing functions on infected devices.
Coca-Cola, Credit Suisse and Mercedes-Benz execs caught up in phishing scam. Webroot researchers found Microsoft Access files from major international companies for sale on underground market Web sites, offering executives’ contact information for use in creating more effective phishing attacks.
4/8/2013
Skype malware stealing victims’ processing power to mine Bitcoins. An ongoing Skype spam campaign that began April 4 infects users’ systems to perform Bitcoin ‘mining’, using large amounts of processing power to create the virtual currency.
In 92% of attacks ZIP files are used to deliver malware, FireEye study finds. FireEye released its Advanced Threat Report covering the latter half of 2012, detailing malware and methods of its distribution.
4/5/2013
Wide variety of malware lurking in Skype messages. A researcher uncovered a new malware campaign targeting Skype users which rotates the type of malware served to victims. It also may be related to past Madi and Flashback malware campaigns.
4/4/2013
Banking Trojan disguised as innocuous Word and WinHelp files. A Panda Security researcher discovered a banking Trojan that uses fake .docx and WinHelp file types to avoid detection. The first piece of malware used in the process currently has a low detection rate by antivirus programs.
Darkleech infects scores of Apache servers. The Darkleech malware was found on 2,000 Apache servers during an investigation by Cisco during February and March. The malware is believed to be responsible for injecting invisible iFrames which link to Web pages where users can be targeted by the Blackhole exploit kit.
Symantec finds plethora of fraud apps on Google Play market. Symantec researchers found that a fraud ring mostly targeting Japanese users placed up to 200 ‘one click’ fraud apps in the Google Play app marketplace.
Stealthy BaneChant Trojan lurks in Word file, relies on multiple mouse clicks. FireEye researchers identified a Trojan named BaneChant which can send system information and create back doors. The Trojan is delivered by spear phishing and uses user clicks to trigger itself.
4/2/2013
Zeus still king of the botnets, say researchers. Researchers at McAfee found that the Zeus malware continues to be the most popular botnet family, with its variants accounting for 57.9 percent of botnet malware infections.
8 in 10 companies suffered web-borne attacks. A survey conducted by Webroot found that 80 percent of companies experienced at least one variety of Web-borne attacks in 2012, and that phishing was the most common attack, among other findings.
Spammers bypass spam filters with Google Translate links. Barracuda Labs researchers found spammers using links to Google Translate that redirect to another site as a method of avoiding spam filters.
Largest-ever DDoS campaign demonstrates danger of new attack method. A massive distributed denial of service (DDoS) campaign targeting anti-spam organization Spamhaus reached 300 GB per second, illustrating how use of open recursive resolvers can amplify the power of DDoS attacks.
3/28/2013
“Dump Memory Grabber” malware steals data from ATMS and POS systems. Researchers from Group-IB identified malware dubbed “Dump Memory Grabber” that can infect point of sale (POS) devices and ATMs, steal customer account information, and send the information to a remote server. The malware has already taken information from some U.S. bank customers.
Attackers shifting to delivering unknown malware via FTP and Web pages. A report by Palo Alto Networks found that malware that goes undetected by antivirus programs has shifted primarily to Web-based exploits rather than email-based exploits, with 94 percent coming from Web browsing or Web proxies.
U.S. and Russia (not China) lead list of malicious hosting providers. According to Host Exploit’s quarterly World Hosts Report, the U.S. and Russia ranked as the countries with the highest number of malicious hosting providers.
Honeypot stings attackers with counterattacks. A researcher outlined in a paper how he set up a “honeypot” to catch attackers and enabled the honeypot to install a backdoor agent on attackers’ computers via a Java applet as a research experiment, revealing information on them.
LinkedIn patches XSS and CSRF vulnerabilities. Professional social network LinkedIn fixed cross-site scripting (XSS) and cross-site request forgery (CSRF) issues on elements of its Web site that were reported in January and March.
3/27/2013
VSkimmer Trojan steals card data on point-of-sale systems. A new Trojan called VSkimmer is capable of infecting Windows systems and stealing financial information from any point of sale (POS) devices attached to infected systems. VSkimmer appears to be similar to the Dexter POS malware and to spread via USB devices.
XSS flaw in WordPress plugin allows injection of malicious code. Vulnerability in the WP Banners Lite plugin for WordPress can allow attackers to inject malicious HTML or Javascript on vulnerable Web sites.
Phishers can disguise links with Javascript. A researcher disclosed a Javascript method that can be used to show a different URL when a user hovers over a link in a phishing email, disguising the malicious link's destination to appear legitimate.
Tax scam allegedly run from Minnesota prison. The IRS and other authorities are investigating a tax refund fraud scheme allegedly run by Minnesota prison inmates and their not-incarcerated accomplices. The investigation involves hundreds of falsified tax returns from between 2006 and 2012.
Websense: Over 93% of endpoints vulnerable to latest Java exploit. Research from Websense found that 93 percent of Web browser users are vulnerable to common Java exploits because they are not using a current version of Java, making them easy targets for unsophisticated attackers using Cool or other exploit kits.
Activists now targeted with Trojanized backdoor apps. Researchers from Kaspersky Lab identified a targeted attack on Uyghur and Tibetan activists that sends a malicious backdoor Android app to targets’ mobile devices, the first use the researchers have seen of a targeted attack against mobile devices.
Lime Pop emerges as the latest strain of Android Enesoluty malware. Symantec identified a new variant of the Android.Enesoluty data-stealing malware, spread through an app called Lime Pop. The group behind Enesoluty has been active since summer 2012 and has registered more than 100 domains to host the malicious apps.
Hackers steal photos, turn wi-fi cameras into remote surveillance device. Researchers from ERNW demonstrated various methods to remotely steal photos, turn cameras on, and execute denial of service (DoS) attacks against Wi-Fi-enabled Canon EOS-1D X cameras.
3/25/2013
Yahoo, LinkedIn, Twitter accounts vulnerable to session fixation attacks. A security researcher identified a vulnerability that could allow cybercriminals to launch session fixation attacks and gain access to users’ accounts.
PyCon incident: Two people fired, DDOS attack launched against SendGrid site. SendGrid’s Web site was targeted by a distributed denial of service (DDoS) attack after an incident by a former employee at a conference drew the attention of social media users and a self-professed Anonymous group.
3/22/2013
Experts study malware used in South Korean attacks. Researchers began studying the malware used to attack TV stations and banks in South Korea March 20, and found features including malware designed to disable popular Korean antivirus programs and the ability to target both Windows and Linux systems.
Weakened password hashing found in Cisco devices. Cisco’s new “Type 4” password algorithm was found to be implemented incorrectly, resulting in weaker password hashes than the previous algorithm.
Researcher points out critical Samsung Android phone vulnerabilities. A researcher made public several vulnerabilities that affect Samsung mobile phone software, allowing the installation of unauthorized apps, SMS sending, and other tasks.
New Yantoo Mac Trojan uses browser plugin to inject ads into websites. Malware dubbed Trojan.Yahtoo.1 was found which prompts victims to install a browser plugin which then injects third-party code into Web sites viewed by the victim.
Researchers uncover ‘TeamSpy’ attack campaign against government, research targets. Researchers uncovered a long-running cyberespionage campaign by a group dubbed “TeamSpy” for its use of the legitimate TeamViewer application. The group targeted government, heavy industry, intelligence, and activist organizations around the world.
3/21/2013
What 420,000 insecure devices reveal about Web security. A researcher using simple techniques to take over unsecured devices left exposed to the Internet created a benign botnet to demonstrate how many personal and industrial computer systems are easily exploitable.
Internal-use SSL certificates pose security risk for upcoming domain extensions. An advisory by the Internet Corporation for Assigned Names and Numbers (ICANN) stated that issuing secure socket layer (SSL) certificates for internal domain names could lead to privacy and integrity concerns for HTTPS communications and new generic top-level domains (gTLD).
Microsoft: Hackers obtained high profile Xbox Live accounts. Microsoft reported that several Xbox Live accounts of current and former employees were compromised using social engineering techniques to obtain access.
Uracto malware hidden in at least 10 Android apps, Symantec finds. Researchers at Symantec found that the Uracto malware targeting Japanese users was seen in 10 different apps, has multiple variants, and appears to be created by the same group or developer as two other pieces of malware.
3/18/2013
NIST National Vulnerability Database down, malware identified on two Web servers. The National Institute of Standards and Technology (NIST) took down several of their Web sites, including the National Vulnerability Database (NVD), after malware was found on them.
Android users hit by evolved Not Compatible malware attack. A new version of the Not Compatible malware for Android has been found by researchers, peaking at around 20,000 detections a day.
AVG anti-virus software mistakes Windows system file for a Trojan. AVG anti-virus incorrectly identified a Windows system file as a Trojan for part of the day March 14, causing users to be unable to boot their computers.
3/14/2013
National Journal hacked, used to push malware via Fiesta exploit kit. Atlantic Media confirmed that the Web site of the National Journal was compromised and used to spread malware.
Microsoft has access issues with Hotmail, Outlook, SkyDrive services. Microsoft experienced issues with its Hotmail, Outlook, and SkyDrive services for several hours March 12, leaving users unable to log in.
Issue with SWFUploader could lead to XSS vulnerabilities, content spoofing. Several versions of the popular SWFUploader applet contain vulnerabilities that could allow cross-site scripting (XSS) and content spoofing and let attackers take over accounts.
3/13/2013
Bank DDoS attacks resume. The Web sites of several U.S. banks were hit with distributed denial of service (DDoS) attacks March 6, after a hacktivist group that previously targeted banks announced the start of a new round of attacks.
Mobile malcoders pay to (Google) Play. Users on underground forums have been observed offering to buy verified Google Play developer accounts to spread malware.
U.S. fighting use of armored cars in money laundering. U.S. authorities believe that Mexican drug cartels are using armored car services to launder money across the border, and regulators are preparing guidance for armored car companies to combat this activity.
Flash, Adobe Reader and Java hacked on the second day of Pwn2Own 2013. Researchers participating in the Pwn2Own 2013 competition discovered vulnerabilities in Flash, Adobe Reader, and Java.
XSS vulnerability identified in Google Fusion Tables. A researcher found a cross-site scripting (XSS) vulnerability in Google Fusion Tables that could allow attackers to trick users into clicking malicious links.
Report: Android is home to 96% of new mobile malware. F-Secure’s latest Mobile Threat Report found that Android accounted for 96% of new mobile threats.
Old and new botnets behind spam resurgence. Several botnets have been identified behind recent spam campaigns, with some being new botnets and others revamped older botnets.
Andromeda botnet resurfaces spreading malware in spam emails. The Andromeda botnet has returned from inactivity to spread spam containing malware and malicious links, researchers reported.
Zoosk asks users to reset passwords following mass leak. The online dating Web site Zoosk asked some users to change their passwords after a large password dump was posted online containing Zoosk passwords, among others.
Pop-up browser flaw allows hackers to bypass lock screen on Samsung phones - video. A researcher uncovered a method to unlock Samsung Note II and Galaxy S III phones, the third similar bypass method revealed in recent weeks.
HP, CERT warn of critical hole in LaserJet printers. HP and DHS’s Computer Emergency Response Team (CERT) warned that some LaserJet printers manufactured by Hewlett-Packard (HP) have a security vulnerability that could allow attackers remote access to data.
3/7/2013
Asprox botnet proves to be a resilient foe. The Asprox botnet has been upgraded and continues to be involved in new spam and fake anti-virus campaigns, according to a paper by Trend Micro.
Raspberry Pi hit by DDoS attack. The Raspberry Pi Foundation was the target of an advanced distributed denial of service (DDoS) attack that may have been powered by a botnet with around 1 million nodes.
Security cameras continue to pose snooping risk. A researcher recently found hundreds of publicly-accessible security cameras with a Google search, allowing the cameras to be viewed and in some cases controlled remotely.
3/6/2013
New class of industrial-scale super-phishing emails threatens biz. Security researchers have identified a new large-scale form of phishing that uses tailored messages and variable links to direct users to drive-by download sites where rootkits are installed.
Evernote forces password reset for 50M users. The Evernote note-syncing service stated that digital intruders gained access to customer information, and forced its 50 million users to reset their passwords.
USA is number one! (…for spam). The U.S. rose from third to first in rankings of countries with the most spam being sent between December 2012 and February 2013.
Blackhole outfitted with exploit for recently patched Java flaw. A recently patched Java vulnerability was added to the Blackhole exploit kit, seen in a PayPal-themed spam email analyzed by researchers.
3/4/2013
New Java 0-day exploited in ongoing attacks. Researchers at FireEye detected and reported a new Java zero-day vulnerability that allows arbitrary read and write, and noted attacks using the vulnerability that drop the McRAT Trojan on targets’ systems.
3/1/2013
BT Yahoo phishing scam: Final warning. A falsified email prompting BT Yahoo! and Yahoo! users to verify their login information on a bogus homepage is being distributed by cybercriminals whose aim is to take the information and resell it for monetary benefit.
Fake Adobe Flash Player Web sites distribute Ransomlock Ransomware. Experts discovered two vulnerabilities in Adobe Flash Player that prompt users to pay a fine in order to have their computer screens unlocked. Users are guided through a malicious domain to download one of two corrupted files that, when installed, infect the computer with malicious elements.
2/28/2013
Emergency Flash update to protect Firefox users. Firefox released an update to Flash which addresses vulnerabilities that target the browser and leave it susceptible to crashes and open to malicious attacks.
2/27/2013
Scam Alert: Ames police warn of a hotel credit card theft. Ames Police have learned of a new scam targeting hotel guests’ credit card information. A call is made to hotel guests as if they were a hotel employee looking to fix a crashed computer system by inputting the guests’ credit card information, at times including a partial refund for inconvenience.
Six-strikes piracy alert system rolling out in the US. After a string of delays, a new anti-piracy system will be implemented in the U.S. that holds Internet service providers accountable for warning and educating users on the dangers of obtaining copyrighted material.
Bit9 says its systems had been compromised since July 2012. Bit9 reported their systems were breached in July 2012, but the company did not discover the SQL injection vulnerability that was exploited on their public Web site until January 2013. The company stated the attackers were able to gain access to 32 files with the goal of installing a malicious Java applet to send additional malicious files.
Cyber fighters to resume attacks against US banks on March 5. A hacktivist group threatened to resume their attacks on a number of U.S. banks unless all remaining digital copies of a Muslim-themed movie are removed from the Internet.
2/26/2013
Microsoft also victim of recent watering hole attack. Microsoft confirmed February 22 that their systems were breached in a watering hole attack that affected a small number of computers by installing exploits for Java vulnerabilities on visitors’ computers. Microsoft is continuing to investigate the attack and assured the public that no customer data was affected.
2/25/2013
Certified online banking Trojan in the wild. An employee with Eset discovered digitally signed Trojans that could give spyware access to online banking sessions by passing superficial signature checks. The flawed certificates and signature validations in question were produced by two companies that no longer exist.
NBC.com hacked and served up malware. NBC.com was the target of the malware scheme, where the hacker embedded iFrames into the pages and infected the site as well as computers of those visiting the site. NBC has since cleaned up the malware although reports show affiliated sites were also affected.
2/22/2013
Trustwave TrustKeeper PCI Scan Notification - Phishing ALERT
Posted By Cas Purdy on Feb 21, 2013 01:33 PM
Over the last few hours, Trustwave has received multiple reports of individuals receiving fake emails purporting to be from Trustwave.
These emails did not originate from Trustwave. Recipients should immediately delete the emails and not follow any links presented in them.
These emails indicate they are being sent as part of a “TrustKeeper PCI Scan Notification” and are alerting the recipient to login to a portal to respond to an issue related to a vulnerability scan of their network.
Early analysis has shown these emails are being sent from many variations of fake Trustwave email addresses and redirecting users to multiple non-Trustwave URLs. Visiting these URLs might introduce malware onto your systems.
2/21/2013
Fake Delta Airlines emails: Your credit card has been successfully processed. Hoax emails are being distributed claiming Delta Airlines has processed ticket purchases in an attempt to pull in users to install malicious software on their systems. Targets include several financial institutions.
Apple confirms being hit in recent watering hole attack. Officials with Apple confirmed a recent watering hole attack that left their Mac systems open to infection through a Java plug-in for browsers. They assured that the attack affected only a small number of systems and that there was no evidence that data was taken; Apple has since patched several vulnerabilities and issued a Java update.
2/20/2013
Adobe to release emergency patches for Reader, Acrobat. Adobe Systems announced they will release patches the week of February 18 for two key vulnerabilities that are triggered when users open a malicious PDF, which is typically sent via email.
2/19/2013
Spammers unleash DIY phone number slurping web tool. A new phone number harvesting tool was seen being offered for sale openly online, which allows the harvesting of users’ phone numbers to be used in SMS spam campaigns or other fraud.
2/18/2013
Hackers offer phone flooding services that “take care” of competitors’ phone lines. Cybercriminals have been seen advertising automated phone flooding services that could be used to disrupt businesses or prevent financial institutions from receiving reports of fraud.
LA Times cleans up website, but over 320,000 have been exposed to malware attack. The LA Times stated February 14 that the newspaper’s ‘Offers and Deals’ Web site had been used to serve malware since December 2012 and has now been secured.
2/15/2013
Cybercriminals hide their malicious code by injecting it into JavaScript. Sophos researchers found a technique being used by cybercriminals to inject malware into JavaScript code hosted on legitimate Web sites.
Global malicious websites increase by 600%. A Websense Security Labs report detailed several findings regarding Web-based cyberattacks, including that legitimate hosting services hosted 85 percent of malicious sites.
Cryptome email, website and Twitter account hacked. Two hackers took credit for breaching the email, Web site, and Twitter account of Cryptome. The site and email were restored but the Twitter account remained under unauthorized control as of February 13.
Four types of URLs used in 2013 BlackHole spam campaigns. Trend Micro researchers outline four kinds of URLs used in spam campaigns using the new version of the BlackHole exploit kit.
2/13/2013
Hackers: Attacks on US banks will be resumed if all copies of film are not removed. A hacktivist group that previously attacked U.S. banking Web sites threatened to resume attacks in a statement.
Business Wire possibly hacked, company resets users’ passwords. All customers of Business Wire received a notice from the company requiring them to reset their passwords as part of what the company said were ongoing security measures.
Dorkbot worm lurks on Skype and MSN Messenger again. Fortinet researchers found the Dorkbot/Rodpicom worm spreading malware linked to a botnet via the Skype and MSN Messenger services.
Google warns Myanmar reporters of ‘state-sponsored’ attack of Gmail accounts. Google warned journalists covering Myanmar (Burma) that Gmail accounts are being targeted by state-sponsored attacks.
Yahoo! pushing Java version released in 2008. Yahoo!’s Site Builder tool comes bundled with Java 6 Update 7, a version of Java dating from 2008 that contains a large amount of currently-patched vulnerabilities.
Bit9 says attack likely targeted a narrow set of companies. Security company Bit9 had its network compromised, allowing attackers to issue fraudulent code-signing certificates. The company stated it believes the compromise was used to target a small group of organizations.
Banking malware returns to basics to evade detection, Trusteer says. Creators of financial malware are increasingly using traditional phishing methods to steal credentials now that banks have deployed more systems to monitor more advanced banking session tampering.
2/08/2013
Researchers demo building control system hack. Researchers have demonstrated a way for attackers to control building systems that use the Tridium Niagara Framework used by manufacturers, hospitals, and other industries. Attackers could also potentially use the vulnerability to gain access to corporate networks.
Microsoft, Symantec take down Bamital click-fraud botnet. Symantec and Microsoft cooperated to take down the Bamital botnet that has been used for click fraud and identity theft.
2/04/2013
Turkish hackers upload malicious browser extension to official Chrome web store. Kaspersky discovered that hackers are attempting to distribute malicious browser extensions through the official Google Chrome store. Google is attempting to remove the malware; similar fake extensions have been found for Mozilla’s Firefox browser.
Email attack exploits vulnerability in Yahoo site to hijack accounts. Bitdefender researchers found that a recent email attack campaign is utilizing vulnerability in the Yahoo Web site to take over email accounts and use them to send spam emails.