Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers. Click Here for Information.
ATM and Gas pump skimming information. Click Here for Article.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
Central figure in alleged $3M credit card scam arrested. A New York man was arrested February 10 for his role in a $3 million credit card fraud scheme based in Hudson County, New Jersey, where he allegedly provided stolen Social Security numbers to a group of 12 co-conspirators in order for them to create fake identities as part of a bust-out scheme to open bank accounts and obtain credit cards, deposit bad checks to make payments on the cards and inflate lines of credit, and use shell companies to increase credit limits through fake transactions. The co-conspirators are also facing Federal charges for their roles in the scheme.
Manhattan U.S. Attorney announces charges against owner of, and attorney for, $2 billion unlawful internet payday lending enterprise. Federal and New York State officials announced February 10 that 2 men were arrested in Kansas for violating the Racketeer Influenced and Corrupt Organizations Act (RICO) and the Truth in Lending Act (TILA) after the pair operated a $2 billion nationwide Internet lending enterprise which charged more than 4.5 million people interest rates of between 400 – 700 percent on payday loans from 1997 – 2013. The pair attempted to evade liability and claim sovereign immunity by entering into an agreement with several Native American tribal corporations to fraudulently claim that the tribes owned and operated parts of the payday lending enterprise, while the pair received kickbacks from the scheme.
Dyre Trojan attacks inactive since mid-November, sources say. Security researchers discovered that the Dyre trojan, previously seen targeting international banking companies, has been inactive since November 2015, and researchers reportedly believe the Dridex banking trojan might be using the same key developers or management to replicate attack concepts from the Dyre trojan. Researchers advised users to install an email security solution to protect against malicious emails and to avoid opening emails from unknown sources.
Severe vulnerability affects Cisco ASA VPN server equipment. Cisco released patches for a buffer overflow vulnerability in its firewall equipment, embedded in several versions of its Adaptive Security Appliance (ASA) software for corporate networks and data centers, after a researcher found an issue in the Internet Key Exchange (IKE) protocol implementation that could allow attackers to craft malicious User Datagram Protocol (UDP) packets and send them to an ASA device, exploiting the vulnerability.
Hackers invited to target VMware at Pwn2Own 2016. Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative will be hosting a Pwn2Own 2016 competition that will allow white-hat hackers to hack Google Chrome, Microsoft Edge, Adobe Flash, Apple Safari, and VMware Workstation in exchange for monetary goods and to show potential vulnerabilities within each software.
Rooting malware lurking in third party Android app stores. Security researchers from Trend Micro discovered that over 1,163 malicious trojanized Android application packages (APKs) were found in the Google Play store through third party apps; the packages allowed attackers to root the phone, download and install additional malicious apps, and collect and send user device data to a remote server controlled by hackers. Researchers advised app users to check the reputation of any app before downloading.
SAP patches flaws in xMII, other products. SAP released patches addressing several flaws in its products including a cross-site scripting (XSS) flaw, authentication check flaw, and implementation flaws after security researchers found that the vulnerabilities can be exploited to give malicious actors control over plant devices and manufacturing systems in the Manufacturing sector, Energy sector, Oil and Natural gas sector, and the Communications sector.
Monsanto paying $80 million penalty for accounting violations. The U.S. Securities and Exchange Commission (SEC) announced February 9 that St. Louis-based Monsanto Company agreed to pay an $80 million penalty and retain an independent compliance consultant to settle charges that the company violated accounting rules and misstated company earnings related to a rebate program tied to its flagship product, Roundup, after an SEC investigation found that the company improperly accounted for millions of dollars in rebates to retailers and distributors and misstated its consolidated earnings during a 3-year period. Three accounting and sales executives also agreed to pay penalties for their roles in the scheme.
IRS employee pleads guilty to $1 million ID theft tax fraud scheme. A former U.S. Internal Revenue Service (IRS) employee who worked in the Taxpayer Advocate Services office in Alabama pleaded guilty February 8 in Federal court for her role in a tax-fraud scheme where she used her IRS computer access to steal taxpayers’ identities and file up to $1.5 million in fraudulent tax returns from 2008 – 2011. The former employee worked with three other co-conspirators who were charged for their roles in the scheme.
Linode VPS host accidentally deploys servers with the same SSH key. Linode reported that its virtual private servers (VPS) hosted on Ubuntu machines could have been susceptible to man-in-the-middle (MitM) attacks after the company disseminated Ubuntu 15.0 images to some of its clients’ servers which used the same hard-coded secure shell (SSH) key. The company stated its customers need to reconfigure the SSH daemon and run a specific shell command to fix the vulnerability.
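A fleet that shares one SSH host key is easy to spot from the client side: every affected server presents the same public-key fingerprint. The script below is an added example, not Linode's remediation command and not code from this page; it parses known_hosts-style lines, computes OpenSSH-style SHA256 fingerprints of the key blobs, and reports any fingerprint seen on more than one host. The sample known_hosts entries and the ed25519 key blobs are constructed for the demo (the 32-byte "points" are filler, not real curve points; only the wire encoding matters for fingerprinting).

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(lines):
    """Yield (host, keytype, key_b64) from known_hosts-style lines.

    Handles comments, blank lines, hashed hostnames (opaque "|1|..." tokens)
    and leading @cert-authority / @revoked markers.
    """
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def find_shared_host_keys(lines):
    """Map each fingerprint seen on more than one host to the sorted host list."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, key_b64 in parse_known_hosts(lines):
        hosts_by_fp[ssh_fingerprint(key_b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def _fake_ed25519_key(fill):
    """Constructed ssh-ed25519 wire blob (string keytype + 32-byte point) for the demo."""
    keytype = b"ssh-ed25519"
    point = bytes([fill]) * 32  # filler, not a real curve point; only the encoding matters here
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(point)) + point
    return base64.b64encode(blob).decode()


# Constructed known_hosts content: three hosts were imaged with the same key.
SAMPLE_KNOWN_HOSTS = [
    "# constructed sample, not real keys",
    "vps-a.example.net ssh-ed25519 " + _fake_ed25519_key(0x41),
    "vps-b.example.net ssh-ed25519 " + _fake_ed25519_key(0x41),
    "|1|hashedhost|hashedhash= ssh-ed25519 " + _fake_ed25519_key(0x41),
    "vps-d.example.net ssh-ed25519 " + _fake_ed25519_key(0x42),
    "@cert-authority *.example.net ssh-ed25519 " + _fake_ed25519_key(0x43),
]


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it against a real ~/.ssh/known_hosts (or the output of ssh-keyscan over an inventory) by reading the file into a list of lines; any fingerprint that comes back with more than one host is a set of servers that share a key and need it regenerated.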
Microsoft patches critical flaws in Windows, Browsers. Microsoft released several patches for its products including patches for 22 Flash Player flaws used in Internet Explorer 10, 11, and Edge, and patched a critical memory corruption flaw in Windows Journal, a remote code execution (RCE) flaw, and a denial-of-service (DoS) flaw, among other patched vulnerabilities.
Google will stop accepting new Flash ads on June 30. Google reported that it will stop accepting new Adobe Flash-based display ads for AdWords and DoubleClick Digital Marketing, and will not permit Flash ads on its Display Network or DoubleClick after January 2017 due to the frequent security vulnerabilities within Flash Players.
Tool for hacking facebook accounts contains Remtasu spyware. The Win32/Remtasu.Y malware, also known as Remtasu, was reported infecting computer systems through different variants and through an app named Hack Facebook; it logs keystrokes, steals data from the clipboard, saves the information to local files, and uploads the information to a remote file transfer protocol (FTP) server, duplicating itself to the Windows System32 folder under the name InstallerDir and creating a registry key that executes the malware process each time a user starts their computer. Researchers reported an antivirus program should help detect the malware.
Nuclear EK gate uses decoy CloudFlare DDoS check page. Security researchers from Malwarebytes reported that hackers were using malvertising attacks to deceive users into visiting a rogue domain similar to CloudFlare’s distributed denial of service (DDoS) check page, that contained the Nuclear exploit kit (EK) to compromise a user’s system. CloudFlare reported the fraudulent domain was not associated with its security firm.
Adobe patches flaws in Flash, Photoshop, Connect. Adobe released security updates and patches for its Flash Player, Photoshop, Bridge, Connect, and Experience Manager that addressed several vulnerabilities including 22 memory corruption flaws that can be exploited for arbitrary code execution, a content spoofing flaw, a cross-site request forgery flaw, and an insufficient input validation flaw affecting a Uniform Resource Locator (URL), among other vulnerabilities.
Google adds warning to unencrypted emails. Google released a new security feature in its email services that warned users when a recipient’s email does not support transport layer security (TLS) encryption and reminded users to be mindful of transmitting or revealing sensitive information via email. The new feature will use a small red unlocked padlock icon to warn users of the various security levels.
Sophisticated malware-as-a-racket fraudsters have been scamming businesses for 10 years. Security researchers from Kaspersky Lab reported that the Poseidon Group, a global cyber-espionage group, has been targeting international financial sectors, telecommunications sectors, critical manufacturing sectors, and energy sectors to collect information from company networks via spear-phishing packages that are embedded with executable elements inside Word documents, and using the information to blackmail victim companies into contracting the Poseidon Group as a security firm. Researchers found that several of the infections were found to have a very short life span which contributed to the malware being undetectable.
Chicago FBI: ‘Pinball Bandit’ suspected in 5 bank robberies. The FBI is searching for a man dubbed the “Pinball Bandit” suspected of carrying out 5 robberies at 4 Chicago banks from January 13 – January 25. The suspect is considered armed and dangerous.
Cross-platform backdoor adwind hits 443,000 users: Kaspersky. Security researchers from Kaspersky Lab reported that a remote access trojan (RAT) dubbed Adwind RAT had infected approximately 443,000 victims by 2015 and targets Windows, Linux, Mac OS X, and other platforms that run Java, to log keystrokes and steal virtual private network (VPN) certificates, cryptocurrency wallet keys, passwords and other data from web forms, among other malicious actions via spear-phishing campaigns. The trojan also uses command and control (C&C) servers to execute commands and relies on free Dynamic Domain Name System (DNS) providers.
Download firmware 1.1.00.20 for NETGEAR’s D6200 modem router. NETGEAR released new firmware version 1.100.20 for its D6200 modem router that removes a flaw that disabled wireless connections when the region was assigned as WW in flash, fixes the unit’s currentsetting.htm page to show the correct information in the region field, and removes a debug file (/tmp/yuziven1) and fixes unterminated tries when checkfw fails.
Advantech failed to patch serious flaws in SCADA. The Zero Day Initiative (ZDI) published advisories that stated several unpatched vulnerabilities were affecting Advantech’s WebAccess 8.0 industrial automation SCADA/HMI products after researchers found unrestricted file upload, path traversal, improper access control, cross-site scripting (XSS), and SQL injections, among other vulnerabilities, that were reported to be patched, but were improperly patched. The unpatched flaws can be exploited by a remote, authenticated attacker to execute arbitrary code on a victim’s system.
Loanbase hacked due to WordPress bug, loses customer Bitcoins. Loanbase released an advisory February 7 stating that a security hole in its WordPress blog allowed unknown hackers to breach its Structured Query Language (SQL) database, steal approximately $3,000 worth of Bitcoins from its users, and access sensitive user data like email addresses, phone numbers, and names of user accounts that did not have two-factor authentication (2FA) turned on. Loanbase took its Web site offline to reset passwords for all users, cancel all 2FA tokens, and reject all approved withdrawals to prevent further abuse.
Ex-Viking found guilty in one bank fraud count. The former chairman of First Commercial Bank in Bloomington, Minnesota, and his business partner were found guilty in Federal court February 5 for bilking investors out of millions of dollars after the former chairman’s business partner used money invested in his Hennessey Financial LLC to pay off prior investors and other debts instead of financing real estate projects. The former executive also failed to disclose to the bank that his partner owed $12 million in debts while he applied for a line of credit.
Former York Federal Credit Union manager charged with embezzlement and fraud. The former chief executive officer-manager of the HD York Federal Credit Union in York, Pennsylvania, reached a plea agreement February 5 for allegedly embezzling $252,106 from 2010 – 2013 and failing to report $70,983 in stolen income on her 2011 Federal income tax return.
Twitter suspended 125,000 terrorism-related accounts. Twitter reported that they have suspended over 125,000 accounts since 2015 for threatening or promoting terrorist acts related to the Islamic State and have started using spam-fighting tools to discover potentially offending accounts to counter extremist content online. The company is working with law enforcement agencies around the world to stop terrorist organizations from using Twitter as a platform for communication.
Oracle issues emergency patch for Java on Windows. Oracle released an out-of-cycle emergency patch for its Java products to fix a during-installation flaw on the Microsoft Windows platform that, if exploited, can allow an attacker to trick users into visiting a compromised Web site and compromise a user’s system. Oracle released Java versions 6, 7, and 8 installers to protect users from the vulnerability.
Cisco recalls switches that could short power to the case. And kill you. Cisco recalled two series of its Industrial Ethernet 5000 switches due to electrical and fire safety hazards after a factory test found the power source wiring could potentially cause a short to the metal enclosure/barrier. Users were advised to check their serial numbers as not all devices in the series were affected.
Fake Flash Player update delivers scareware to Mac OS X users. A researcher from SANS Technology Institute discovered a new campaign that tricks users into installing malicious Flash Player update packages that are embedded with valid and authentic Adobe Flash update files, but were also seen containing malicious malware that executes popups with apocalyptic messages to inform users that their computers were infected. Attackers then send victims a phone number to trick users to call the number and have their systems reset by professionals.
Gambrills women indicted for alleged roles in ‘Felony Lane Gang’ bank fraud. The U.S. Attorney’s Office reported that two Gambrills, Florida women and 13 other accomplices were indicted February 4 for stealing more than $1 million after breaking into vehicles parked at Maryland recreation areas, sports fields, gyms, and fitness centers and using the victim’s checks, credit cards, and IDs to make fraudulent financial transactions. The culprits obtained money from more than a dozen financial institutes by using the victims’ identities to withdraw large amounts of funds.
Father and son who ran $11M vending machine scam found guilty of fraud. Two men were found guilty February 3 in Manhattan Federal Court for bilking $11 million from 1,300 investors nationwide between January 2005 and December 2011 by falsely promising investors that they would receive windfalls from vending machine business opportunities, and access to established, high-end profit locations if the investors purchased packages of 5 or 10 vending machines.
Manhattan U.S. attorney announces criminal charges against Bank Julius Baer of Switzerland with deferred prosecution agreement requiring payment of $547 million, as well as guilty pleas of two Julius Baer bankers. Federal and State officials in New York announced February 4 that Switzerland-based Bank Julius Baer & Co., Ltd. will pay $547 million to settle charges that the bank helped U.S. taxpayers and others hide billions in offshore accounts, evade Federal income tax obligations, file false tax returns, and cheat the U.S. Internal Revenue Service (IRS) between 1990 – 2009. Two former client advisers at the bank pleaded guilty to helping several U.S. clients evade U.S. taxes.
Man accused of fake credit card spree charged, real identity revealed. A California man was arrested and charged February 3 after he allegedly bought $300,000 worth of merchandise using a fake credit card in Ala Moana and Waikiki, Hawaii.
Avast patches vulnerability in SafeZone Tool. A researcher from Google discovered a vulnerability in Avast’s SafeZone tool, also known as Avastium, that allowed attackers to gain additional privileges and conduct various actions on the system by convincing a victim to visit a malicious Uniform Resource Locator (URL). The vulnerability existed because Avast’s URL security check was too permissive, allowing any URL to pass through without restriction.
Dell adds BIOS verification technology to business PCs. Dell released a new enterprise endpoint security solution, the post-boot BIOS verification technology integrated with its Data Protection Endpoint Security Suite Enterprise that will help detect against BIOS-specific attacks or compromised systems by using a secure cloud platform to test individual BIOS images against official images held by Dell.
Exploits released for unpatched flaws in Netgear Management System. An information security researcher discovered flaws in Netgear’s ProSAFE NMS300 network management system that can allow a remote, unauthenticated attacker to upload an arbitrary file to the system by sending a specially crafted POST request to one of two Java servlets found in the default NMS300 installations, as well as conduct a directory traversal attack that can allow a hacker to download any file from the system, among other flaws.
2 doctors facing charges in wire fraud case. Two doctors from a family medicine clinic in Mexico were charged February 3 for their roles in a $5 million insurance benefits scheme in which the pair allegedly conspired with American Family Life Insurance Company (AFLAC) policyholders to prepare over 50,000 fraudulent claim forms and accident reports, file the false claims in the McAllen area, and then deliver the claims to the clinic in Mexico to receive benefit checks from the insurance company from September 2001 – August 2010.
Cisco patches high severity flaws in several products. Cisco released software updates for its Application Policy Infrastructure Controller (APIC) and several other products that patched high severity vulnerabilities including a denial-of-service (DoS) flaw in Nexus 900 switches, a remote authentication flaw in ASA-CX and Prime Security Manager (PRSM), and a logic issue in the role-based access control (RBAC) processing code that allowed unauthenticated attackers to make configuration changes. In addition, Cisco released advisories detailing three medium severity issues that have yet to be patched.
Serious Crypto flaw found in Socat tool. A security researcher from Microsoft discovered a backdoor in the Socat networking utility, versions 18.104.22.168 and 2.0.0-b8, that could allow attackers to eavesdrop on communications and recover the shared secret from a key exchange within its encrypted channels, after finding that the “p” parameter of the 1024-bit Diffie-Hellman (DH) group was not prime.
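A DH modulus that is not prime has no business in a key exchange, and the check is cheap to run on any hard-coded group before trusting it. The script below is an added example (not the Socat project's code and not the actual Socat parameter): a Miller-Rabin probable-prime test, a helper that parses the spaced hex dumps DH groups are usually listed in, and a check_dh_params function that reports whether p is prime, whether it is a safe prime, whether g lies in range, and whether p meets a minimum size. The sample moduli in the main block (the textbook safe prime 23 and the composite 15) are constructed for the demo.

```python
import random

# Small primes for quick trial division before the probabilistic test.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test.

    Returns False for a composite with probability >= 1 - 4**-rounds and
    True for every prime, which is enough to catch a DH modulus that is
    not prime at all, the defect the Socat report describes.
    """
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def parse_hex_modulus(text):
    """Turn a spaced or line-wrapped hex dump of a modulus into an int."""
    return int("".join(text.split()), 16)


def check_dh_params(p, g, min_bits=2048):
    """Return a list of findings for a Diffie-Hellman (p, g) pair; empty means OK.

    For a safe prime p = 2q + 1 every g outside {1, p-1} has order q or 2q,
    so the safe-prime check plus the range check on g rules out small
    subgroups without a separate order computation.
    """
    findings = []
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime ((p-1)/2 is composite)")
    if not 1 < g < p - 1:
        findings.append("g is outside the range (1, p-1)")
    if p.bit_length() < min_bits:
        findings.append(f"p is only {p.bit_length()} bits (< {min_bits})")
    return findings


if __name__ == "__main__":
    # Constructed inputs, not the Socat parameter: a textbook safe prime
    # and a modulus that is obviously composite.
    for label, p, g in [("safe prime 23", 23, 5), ("composite 15", 15, 2)]:
        print(label, "->", check_dh_params(p, g, min_bits=0) or "OK")
```

To audit a real hard-coded group, paste its hex dump into parse_hex_modulus and call check_dh_params with the generator the code uses; the default min_bits of 2048 also flags 1024-bit groups like the one in the report, which are considered too short regardless of primality.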
Flaws expose Sauter SCADA systems to takeover. Sauter released firmware updates for its moduWEB Vision SCADA products after a researcher from Outpost24 discovered multiple vulnerabilities could be exploited by a remote attacker to take control of the products via a pass the hash attack. The attack can be administered through the use of default accounts, which have the password hash for the administrative account as a backup feature.
Google expands Chrome’s Safe Browsing defenses to sniff out ad scams. Google reported February 3 that it is expanding its Safe Browsing technology to help protect users from misleading embedded content, such as social engineering ads which deceived users into providing their personal information and convinced users to download malware disguised as updates for name-brand software.
Microsoft EMET adds Windows 10 compatibility. Microsoft released updated version 5.5 of its Enhanced Mitigation Experience Toolkit (EMET) to include Windows 10 compatibility and several other improvements, including improved writing of the mitigations to the registry, easier use of existing tools to manage EMET mitigations via Group Policy (GPO), and support for the untrusted fonts mitigation in Windows 10.
Morgan Stanley to pay $63 million U.S. mortgage bond settlement: FDIC. The U.S. Federal Deposit Insurance Corp. (FDIC) announced February 2 that Morgan Stanley agreed to pay $62.95 million to settle allegations that the bank misrepresented securities in offering documents and sold toxic mortgage-backed securities to 3 banks, the Colonial Bank of Montgomery, Alabama; Security Savings Bank of Henderson, Nevada; and United Western Bank of Denver, which later failed.
Dual-Mode DMA ransomware cracked, users can recover files for free. Security researchers from Malwarebytes discovered a flaw in the DMA ransomware that could allow victims to decrypt their encrypted files without paying the ransom, after discovering that the ransomware’s encryption key was hard-coded in its binary, allowing victims to re-download the malicious file and input the encryption key shown in the ransom note to unlock their files.
WordPress 4.4.2 patches open redirect, SSRF flaws. WordPress released version 4.4.2 for its content management system that patched an open redirection vulnerability, a server-side request forgery (SSRF) which affected certain local Uniform Resource Identifiers (URLs), and 17 flaws affecting WordPress versions 4.4 and 4.4.1.
Comodo browser breaks security: Google researcher. A researcher from Google found that the Chromodo web browser that comes installed with Comodo’s Internet Security product disables the same origin policy (SOP) and effectively turns off all Web security, allowing malicious scripts opened in one browser to interact with other windows and infect several systems. Comodo released a patch to fix the vulnerability, but researchers found the patch was ineffective.
Microsoft recalls 2.3 mln power cords sold with Surface Pro tablets. Microsoft issued a recall February 2 for about 2.25 million of its AC power cords sold with certain models of the Microsoft Surface Pro convertible tablet devices after the company received a total of 61 consumer reports that the power cords overheated, emitted flames, and posed electrical shock hazards.
DEA and European authorities uncover massive Hizballah drug and money laundering scheme. The U.S. Drug Enforcement Administration (DEA) announced February 1 significant enforcement activity, including the arrests of top leaders of the European cell of the Lebanese Hizballah’s External Security Organization Business Affairs Component (BAC), as part of Project Cassandra, an ongoing global investigation that involves law enforcement agencies in seven countries, which found that the network participates in international criminal activities such as trafficking cocaine to European and U.S. drug markets, laundering drug proceeds through the Black Market Peso Exchange, and using the proceeds to provide revenue and a weapons stream for Hizballah’s activities in Syria and worldwide.
Deja-Vu: Google fixes another RCE vulnerability in the Mediaserver component. Google released patches for its Android mobile operating system (OS) fixing 13 flaws including 3 elevation of privilege issues in the Qualcomm Wi-Fi driver, and 2 remote code execution (RCE) vulnerabilities in its Mediaserver component that allowed an attacker to craft a malicious multimedia file and cause a memory corruption in the phone’s OS, among other exploits.
Joomla zero-day accounted for the majority of web attacks in Q4 2015. The Solutionary Security Engineering Research Team (SERT) released a report titled, “Sert Quarterly Threat Report Q4 2015” which stated that malware attacks had increased during the past quarter, with virus and worm numbers increasing by 236 percent compared to Quarter 3 (Q3) and that ransomware attacks were growing within the U.S., accounting for 78 percent of all malware delivered during Quarter 4 (Q4). In addition, the report stated most violations were Web applications that targeted flaws in Web-based software and leveraged the Joomla zero-day vulnerability in Q4, among other information.
WirelessHART industrial control kit is riddled with security holes. Security researchers from Applied Risk discovered several flaws in various WirelessHART products that could enable attackers to manipulate instruments and compromise process data integrity due to its low security protocol within its implementation layer, allowing hackers to extract the encryption key.
60+ trojanized Android games lurking on Google Play. Researchers from Dr. Web found over 60 game apps offered on the Google Play store were embedded with the malicious Xiny trojan that can download additional malicious apps and collect device information such as the device’s International Mobile Station Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI), and send the data to a command and control (C&C) server via 30 different game developer accounts including Billapps, Conexagon Studio, and Fun Color Games, among other accounts. Researchers believe the accounts are operated by the same cybercriminals.
Two-thirds of Android users vulnerable to web history sniff ransomware. Researchers from Symantec reported that two in three devices running Android versions prior to 5.0 (Lollipop) were susceptible to the Lockdroid ransomware, which tricks users into allowing malicious code to gain administrative privileges via overlaid popups that use a fake message purporting to be from the U.S. Department of Justice to trick victims into paying a fee to unlock their devices, after the message tells them that their devices have been locked for visiting inappropriate Web sites. In addition, the malware is capable of changing the device personal identification number (PIN) and deleting user data through a factory reset.
Facebook pays out $7,500 bounty for account hijacking flaw. A researcher discovered a serious cross-site scripting (XSS) vulnerability that could allow attackers to compromise users’ Facebook accounts by using several Facebook plugins designed in an iframe, which bypasses protections and can allow attackers to steal users’ cross-site request forgery (CSRF) token and compromise users’ accounts by convincing a user to click or visit a malicious link the hacker controls. Once the victim opens the malicious link, the hacker can execute any action to the victims’ account.
OpenSSL bug that could allow traffic decryption has been fixed. The OpenSSL Project released updates to protect its products against the Logjam attack, and released new versions of its OpenSSL cryptographic library, OpenSSL 1.0.2f and 1.0.1r, which patch two security flaws that could have been exploited by attackers to obtain keys to decrypt secure communications and obtain sensitive information.
Alleged ISIL hacker faces US terror charges for doxing soldiers. The U.S. Department of Justice and the FBI reported January 28 that a man was extradited from Malaysia to Virginia after being charged with hacking crimes and for providing support to a Middle Eastern terrorist group after he allegedly released the personal information of more than 1,000 U.S. soldiers and government employees to the group who intended to use the information to attack the U.S. military and government personnel.
Samsung patches critical vulnerabilities in Android devices. Samsung released a maintenance update for its major Android flagship Galaxy models that patched 16 vulnerabilities including a flaw in Skia which allowed attackers to conduct denial-of-service attacks via a crafted media file, and a remote code execution (RCE) flaw in Android Mediaserver, which allowed attackers to cause memory corruption, among other vulnerabilities.
WhatsApp will get security indicators to highlight encrypted chats. WhatsApp mobile messaging application will release two new features in its WhatsApp 3.0 interface including the “Show security indicators” feature that will add a lock icon to a user’s WhatsApp encrypted conversations and the “Share my account info” feature that will send a user’s WhatsApp data to Facebook servers in an effort to improve users’ Facebook experience.
Cisco plugs hole in firewall devices that could lead to device hijacking. Cisco released firmware updates for its RV220W Wireless Network Security Firewall devices, specifically versions prior to 22.214.171.124, after an anonymous researcher working with Beyond Security discovered a critical vulnerability that allowed attackers to send crafted Hypertext Transfer Protocol (HTTP) requests embedded with malicious Structured Query Language (SQL) statements to the management interface of a targeted device, which may allow attackers to bypass authentication on the management interface and gain administrative privileges on the affected device.
LG patches severe smartphone hijack vulnerability. LG Electronics released patches fixing a critical vulnerability in the Smart Notice application (SNAP), which comes pre-loaded on all LG smartphones, after researchers from BugSec and Cynet discovered the flaw can allow attackers to extract private user information from the device’s secure digital (SD) card, WhatsApp application data, and private user images, as well as render users vulnerable to phishing attacks, ultimately resulting in the installation of mobile malware on the affected devices. Attackers can exploit the vulnerability through different methods due to functionality issues and validation issues.
Oracle to kill Java browser plugin. Oracle reported January 27 that it plans to discontinue the Java browser plugin in its Java Development Kit (JDK) 9 and remove the plugin completely from JDK and Runtime Environment (JRE) in a future Java release due to the large number of vulnerabilities found in the plugin. Security experts advised users to disable the application unless specifically needed and to ensure users are running the latest Java version.
BlackEnergy APT group spreading malware via tainted Word docs. Researchers from Kaspersky Lab discovered attackers were delivering the BlackEnergy malware via spear-phishing emails with malicious Microsoft Word document attachments, which are embedded with malicious macros, to target Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) companies around the world.
This is what Microsoft’s vulnerability patching efforts looked like in 2015. Researchers from ESET released a report that analyzed the most affected components in Microsoft Windows during 2015 and addressed the importance of patching vulnerabilities, which revealed that more than 570 vulnerabilities were patched in Microsoft products and that many of the patches affected the Internet Explorer (IE) browser.
3 Cubans indicted in Nebraska for credit card scam. Nebraska officials announced January 26 that 3 Cuban-born Texas men were indicted for allegedly participating in a scheme in which they stole credit and debit account numbers and re-encoded the information onto 251 fake credit cards to buy or redeem gift cards across Iowa and Nebraska. The scheme cost cardholders nearly $30,000 in losses.
Hackers can abuse HP enterprise printers for storage. A researcher from MacKeeper reported that misconfigured enterprise devices can be used to host malicious code while evading detection by security products, and that attackers can use free, open-source tools to upload files to HP printers over port 9100 and then retrieve them with a web browser at “http://<Printer_IP_Address>/hp/device/<File_Name>”. HP advised users to protect their printers by implementing logging on each device and turning off unused ports and protocols.
PayPal patches deadly server remote code execution flaw. PayPal patched a critical remote code execution flaw after an independent security researcher discovered the flaw in PayPal’s Manager portal, hosted at manager.paypal.com, which could potentially allow attackers to execute arbitrary shell commands on PayPal’s servers through a Java object deserialization bug and gain access to production databases.
Check Point unveils new threat prevention appliances. Network security firm Check Point released new hardware appliances, including its 15000 and 23000 Series for enterprise networks facing zero-day threats; each appliance is designed to run all security protections simultaneously, including full Secure Sockets Layer (SSL) traffic inspection, advanced monitoring, and threat prevention, without creating a performance bottleneck or compromising security effectiveness.
NanoLocker ransomware can be cracked, but only under certain conditions. A Canadian security researcher discovered a flaw in the NanoLocker ransomware’s operation: restarting a victim’s personal computer (PC) or putting the PC into sleep mode halts the encryption process and leaves the configuration file in an uncompleted encryption stage. For files in this uncompleted encryption state, the researcher created a decrypter that restores the encrypted files, which can be downloaded from GitHub or from Google Drive.
Former CEO of Summit Wealth Management and business partner indicted in a multi-million dollar fraud scheme. The former President and Chief Operating Officer of Summit Wealth Management in Atlanta, Georgia and his business partner were charged January 25 with orchestrating a $35 million investment fraud scheme after they allegedly established fraudulent investment funds and stole money from 300 investors intended for securities trading to pay personal expenses, fund other businesses such as Detroit Memorial Partners LLC, and pay redemptions to earlier investors, among other actions, by selling fraudulent promissory notes throughout the U.S. to acquire and manage Michigan-based cemeteries.
US government agencies asked about Juniper backdoor patching. The U.S. House Oversight and Government Reform Committee sent letters to dozens of government agencies asking that each department provide documents and information on whether it used affected Juniper products, how it discovered the vulnerability, and whether measures were taken before the Juniper patch was released, following a December 2015 incident in which unauthorized code was found in Juniper’s ScreenOS firewall operating system (OS). The Federal agencies contacted included the U.S. Securities and Exchange Commission, the U.S. Department of Health and Human Services, the U.S. Nuclear Regulatory Commission, and the U.S. Department of Transportation, among others.
Lenovo’s file sharing app included some pretty irresponsible security bugs. Lenovo released new versions of its SHAREit file sharing app for Microsoft Windows, Google Android, and Apple iOS devices after researchers from Core Security discovered three security flaws in the app that allowed attackers to access a victim’s files and devices: a hard-coded password embedded in the app’s source code is used when the app creates a WiFi hotspot, allowing attackers to connect to the hotspot and browse files by sending specific Hypertext Transfer Protocol (HTTP) requests to the app’s web server.
Microsoft finally hides IP addresses by default in Skype. Microsoft released updates to its Skype Voice-over-IP (VoIP) application that included a privacy enhancement which makes hiding users’ Internet Protocol (IP) addresses the default setting, after researchers from Inria and the Polytechnic Institute of New York University had shown in November 2010 that they could track thousands of users for several weeks, which could potentially have led to attackers breaching business systems, stealing sensitive information, or compromising an entire corporate network.
It’s official, ransomware has gone corporate. The FBI’s Internet Crime Complaint Center (IC3) released a report stating that recent data shows ransomware such as CryptoWall and its variants has been increasing its attacks against U.S. victims, and identified three ways companies can help mitigate ransomware attacks: start employee training, maintain up-to-date backups, and consider new endpoint protection approaches.
3 arrested in insurance fraud scheme that intentionally damaged cars near Salinas. The owners of San Francisco-based Universal Automotive and West Market Auto Body were arrested January 22 for conspiracy to commit a crime and insurance fraud after the three men and 11 suspected auto shops allegedly participated in a $1 million “scratch out” insurance-fraud scheme in which they convinced car owners to vandalize undamaged cars offsite and file false insurance claims, splitting the money for the repairs with the car owner and keeping the remaining money as profit.
Backdoor found in several Fortinet products. Fortinet released an advisory stating that several of its products, including versions of FortiSwitch switches, FortiAnalyzer centralized log and reporting appliances, and FortiCache web caching appliances, were susceptible to a management authentication flaw, after company researchers discovered the flaw affected these products as well, following earlier reports that the bug only affected its FortiOS system. The flaw can be exploited to log in to vulnerable devices with administrative privileges over Secure Shell (SSH) in keyboard-interactive mode using a password shared among all devices.
Simple yet efficient Linux backdoor Trojan discovered. Security researchers from Dr. Web discovered a trojan with backdoor capabilities named Linux.BackDoor.Xunpes that can copy files, delete files, launch files, run bash commands, and log keystrokes, among other actions. It infects a device via a dropper component that downloads the malware payload, and it enables attackers to send over 40 different types of commands to any infected host through a command and control (C&C) server.
XSS bug in Magento allows attackers to take over online shops. The Magento project released patches fixing a stored cross-site scripting (XSS) vulnerability in its content management system (CMS) that powers online shops, after security researchers from Sucuri discovered that the flaw can be exploited when users register a new account or change their current account’s email address: the CMS has an improper data filtering mechanism that allows attackers to enter malicious code alongside their email address, which is later rendered to site administrators and lets the attackers steal cookies and use them to illegally access the site, among other malicious actions.
CryptoWall 4.0 spreading via Angler Exploit Kit. Bitdefender researchers discovered that CryptoWall 4.0 was added to the Angler Exploit Kit (EK). The ransomware encrypts files on an infected device and allows attackers to demand that users pay a ransom in order to decrypt the files; it disguises itself as an antivirus (AV) solutions tester that protects users’ data while it encrypts the victims’ data, and attempts to convince victims that the “CryptoWall Project” is not malicious.
Hourslong search for 2 bank robbery suspects ends in Culver City; 2 others detained. Two schools were placed on lockdown and a T.J. Maxx store was evacuated January 21 after four armed men reportedly fired shots at a One West Bank in Culver City and robbed the bank of an undisclosed amount of funds. Two of the four suspects were detained outside of the bank and the retail store, and no injuries were reported.
Sacramento woman pleads guilty to role in credit card fraud conspiracy. The U.S. Attorney's Office announced that a Sacramento woman pleaded guilty January 21 to conspiracy to commit access-device fraud and aggravated identity theft charges after she was linked to a credit card scheme involving four others who allegedly committed mail fraud, obtained at least 500 counterfeit credit and debit cards, and made over $186,000 in fraudulent purchases at retail stores in the Sacramento area from July 2014 – April 2015.
TeslaCrypt flaw opens the door to free file decryption. A security researcher discovered that the TeslaCrypt ransomware and variants of TeslaCrypt 2.0 contained a design flaw in how the ransomware’s encryption keys were stored on a victim’s computer. Although a new Advanced Encryption Standard (AES) key is generated for each encryption session, researchers found they could use specialized programs to recover the prime factors of the stored key material and reconstruct a decryption key. Researchers developed software that generates decryption keys for TeslaCrypt files with the extensions .ECC, .EZZ, .EXX, .XYZ, .ZZZ, .AAA, .ABC, .CCC, and .VVV.
Backdoor account found on devices used by White House, US military. AMX released a firmware update for its NX-1200 device, a central controller used by the White House for conference room equipment, after a security researcher from SEC Consult discovered that older versions of the devices’ firmware were embedded with backdoor accounts under the usernames “BlackWidow” and “1MB@tMaN” that could have allowed attackers to spy on users and hack the device. A function in the firmware’s code named “setUpSubtleUserAccount” was found to set up hidden user accounts that do not appear in the devices’ configuration screen.
Cybercriminals target bank accounts of firms in UK, US, India. Researchers from Symantec discovered attackers were targeting the finance departments of small and medium-sized businesses in India, the United Kingdom, and the U.S. to steal files, passwords, and money, using stolen accounts to distribute malicious emails embedded with one of two remote access Trojans (RATs) which, if deployed, give attackers complete control over the infected device and enable them to log keystrokes, among other actions. Researchers believe the attackers are based in Europe or the U.S.
Former Kingman finance director arrested for $1.1M fraud. The former Kingman Budget Analyst and Interim Finance Director was arrested and charged January 20 for 23 felony counts including theft, forgery, and misuse of public monies after she allegedly stole more than $1 million from the city by using a city credit card for personal expenses, falsifying invoices to account for the charges, misappropriating funds from a bank account used to fund the city’s Employees Benefits Trust, and altering account settings that granted her sole authority to initiate and approve transactions.
Threat group uses dating sites to build a botnet of vulnerable home routers. Damballa security researchers reported that a Linux ELF binary, a variant of the TheMoon worm, was targeting the Home Network Administration Protocol (HNAP) by using adult dating Web sites to infect home routers via a malicious iframe embedded on the sites’ pages, and prevents consumers from using their routers’ inbound ports. Researchers reported the worm spreads by opening outbound ports on the router to infect other routers.
Google Chrome 48 patches 37 security flaws. Google released its newest web browser version, Chrome 48 for Microsoft Windows, Apple Mac, and Linux users that patches 37 security vulnerabilities including a bad cast flaw in V8, a use-after-free bug in PDFium, and six other vulnerabilities found by external researchers, among other patched flaws. In addition, company officials reported the updated version included a series of improvements to the browser.
Fake Facebook emails deliver malware masquerading as audio message. Researchers from Comodo reported that malware which previously targeted WhatsApp users has been targeting Facebook users through malicious emails carrying a variant of the Nivdort information-stealing Trojan, which steals information about a victim’s computer and sends it to a command-and-control (C&C) server from which attackers can deliver additional malware. Once the malicious attachment is opened, the malware copies itself into the “C:/” directory and adds a Windows Registry entry that makes it run automatically after each restart or shutdown of the device.
Malvertising returns on Microsoft’s MSN portal. Security researchers from Malwarebytes reported that Microsoft’s MSN portal was used in malvertising campaigns that redirected visitors to the Neutrino and RIG exploit kits (EK); the attackers created new domains a few days prior to each attack or hid behind the CloudFlare service. Researchers advised users to use a security product to block incoming malware.
Lake Twp. man pleads guilty in investment fraud case. The owner of Lake Township-based Keystone Capital Management pleaded guilty January 19 to one count of wire fraud and two counts of money laundering after he reportedly ran a Ponzi scheme which defrauded 19 investors out of nearly $5.5 million between October 2009 and September 2013. The owner also used his clients’ money to pay personal and business expenses and to promote and prolong his investment scheme, among other illegal actions.
SEC: Alternative fund manager overcharged fees, misled investors. The U.S. Securities and Exchange Commission announced January 19 that Equinox Fund Management LLC agreed to pay $400,000 in penalties, $600,000 in prejudgment interest, and $5.4 million in refunds to investors to settle allegations that the company overcharged management fees and misled investors by deviating from the stated valuation methodology for its futures fund, The Frontier Fund (TFF), and its holdings.
US Department of Treasury warns taxpayers about a ‘frightening’ fraud scam. The U.S. Department of the Treasury issued a warning January 19 advising taxpayers to be aware of callers impersonating Internal Revenue Service (IRS) agents and threatening victims to pay back-owed taxes following reports that the Treasury Inspector General for Tax Administration (TIGTA) received 900,000 reports of fraudulent calls, resulting in over $26.5 million in victim losses since October 2013. TIGTA is urging people to hang up on the fraudulent callers.
Apple releases 28 security fixes for iOS, OS X and Safari. Apple released 28 security patches for its iOS and Mac OS X operating systems (OS) and its Safari web browser through updated versions including OS X El Capitan 10.11.13 and Safari 9.0.3. The patches addressed critical vulnerabilities, including flaws in the OS X kernel that could allow attackers to execute arbitrary code with kernel privileges, and Safari flaws that could allow attackers to execute arbitrary code on the underlying operating system by tricking a victim into visiting a malicious Web site.
Intel patches MiTM flaw in its Driver Update Utility. Intel Corporation patched a remotely exploitable vulnerability in its Intel Driver Update Utility program that could have been exploited by attackers to conduct a man-in-the-middle (MiTM) attack to corrupt transferred data, leak information, and conduct arbitrary code execution.
Oracle released 248 security fixes. Oracle released its Critical Patch Update (CPU) that fixed 248 vulnerabilities including authentication flaws and security issues in its Oracle Database, Java SE, and Oracle E-Business Suite, as well as other products. The company advised users to ensure all their products were updated to the newest versions to avoid exploitation.
Cisco patches borked web box proxy hole. Cisco released a patch fixing a vulnerability in its Web Security Appliance versions 8.5.3-055, 9.1.0-000, and 9.5.0-235 that allowed unauthenticated remote attackers to circumvent functionality that prevents proxied network traffic and bypass security restrictions due to improper handling of malformed Hypertext Transfer Protocol (HTTP) methods.
Critical infrastructure incidents increased in 2015: ICS-CERT. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported an increase in incidents involving U.S. critical infrastructure in fiscal year 2015, bringing the total count to 295 incidents. Officials attributed the increase to a spear-phishing campaign launched by an advanced persistent threat (APT) group against organizations in critical manufacturing, energy, transportation systems, government facilities, healthcare, and the communications sector, among other sectors.
2 from Solano County plead guilty in multimillion-dollar mortgage fraud scheme. Prosecutors announced January 16 that two Solano County, California residents pleaded guilty January 15 to conspiracy to make false statements on loan applications after the two reportedly took part in a $10 million loan fraud scheme by convincing homeowners facing foreclosure to sign the titles of their homes over to the pair’s business, Capital Access LLC, which would then sell the titles to straw buyers who obtained loans under the false pretense that they would reside in the houses. The company stripped home equity from at least 69 properties in California to pay the operating expenses of Capital Access LLC.
Yahoo fixes bug that could compromise email accounts when opening an email. Yahoo! patched a cross-site scripting (XSS) vulnerability that affected its Mail Web interface after a Finnish researcher found that the flaw allowed attackers to fully compromise email accounts by crafting an email with malicious code in the message body and sending it to a target. The malicious code executes each time the user opens the email.
Siemens patches flaw in building automation products. Siemens released firmware updates patching a reflected cross-site scripting (XSS) vulnerability in its building automation products that use the OZW Web server, after a researcher found the flaw affected the login pages of the OZW672 and OZW772 embedded Web servers, which enabled attackers to redirect users to phishing Web sites, steal users’ data, or convince users to download malware onto their devices.
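The Magento, Yahoo! Mail and Siemens OZW items above all come down to the same defect: a user-controlled string (an email address, a message body, a login-page parameter) is written into HTML without validation on input or encoding on output. The following Python example is added here to show the defect and the fix side by side; it is not code from any of those products, and the payload string, function names and email grammar are constructed for illustration.

```python
"""Added example: the same user-supplied "email address" rendered unsafely
and safely. Names and the sample payload are constructed for illustration."""
import html
import re

# Constructed sample input: a script tag smuggled into an email field,
# the kind of value an input filter should reject outright.
SAMPLE_PAYLOAD = "victim@example.com<script>alert(1)</script>"

# Deliberately strict address grammar: letters, digits and a few safe symbols only,
# so markup characters such as < > " ' can never be stored in the first place.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    """Input validation at the point the account is created or the address is changed."""
    return bool(EMAIL_RE.fullmatch(value))


def render_profile_unsafe(email: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into HTML, so a
    stored payload executes in the browser of every administrator who views the page."""
    return "<p>Signed in as " + email + "</p>"


def render_profile_escaped(email: str) -> str:
    """Output encoding: escape at render time so the browser treats the value as text."""
    return "<p>Signed in as " + html.escape(email, quote=True) + "</p>"


def handle_email_change(new_email: str):
    """Both layers together: validate on input, escape on output.
    Returns (accepted, rendered_html_or_None)."""
    if not is_valid_email(new_email):
        return False, None
    return True, render_profile_escaped(new_email)


def contains_active_script(rendered: str) -> bool:
    """Crude check for the demonstration: would a browser see a <script> element?"""
    return "<script" in rendered.lower()
```

Output encoding alone (`render_profile_escaped`) already neutralises the payload; input validation is the second layer that keeps junk out of the database so that every other consumer of the field (email sending, CSV exports, admin tools) is protected too.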
Linux zero-day affects most Androids, millions of Linux PCs. A security researcher from Perception Point discovered a new zero-day vulnerability affecting Android phones running the 4.4 KitKat operating system (OS) and Linux machines running kernel 3.8 or higher that can allow attackers to delete files, view private information, and install malicious programs on the affected Android or Linux devices. Researchers reported that no exploits were observed in the wild.
Linux trojan takes screenshots every 30 seconds. Security researchers from Doctor Web detected a new Linux trojan dubbed Linux.Ekoms.1 that can help cybercriminals spy on users by taking screenshots and searching temporary folders on users’ devices for audio recordings and screenshots with the .aat, .sst, .ddt, and .kkt extensions, which are uploaded to a remote server hardcoded within the malware. The stolen data is encrypted before it is sent to the remote server, and attackers can use the command and control (C&C) server to send various commands to the infected machine.
Authentication flaw found in Advantech ICS Gateways. Security researchers from Rapid7 discovered a serious authentication bypass vulnerability and a potential backdoor account in Advantech’s EKI products: the Dropbear SSH daemon on the devices lacked key verification, so attackers could bypass authentication using any public key and password. In addition, researchers discovered an alleged backdoor account in the form of a hardcoded username and password that could be used by an unauthenticated attacker to access a production device.
Kaspersky warns of potential cyberattacks against World Economic Forum participants. Kaspersky security experts reported that they expect advanced persistent threat (APT) groups to increase their efforts to hack the computers and mobile devices of high-ranking officials from various countries and companies at the World Economic Forum (WEF) in Davos, Switzerland. The security firm advised attendees to use Virtual Private Network (VPN) connections to browse the Internet, charge mobile devices from a wall outlet rather than an unknown USB port, and use passwords instead of PINs to protect devices.
Updated Android malware steals voice two factor authentication. A Symantec security researcher reported that the Android.Bankosy trojan malware can open a backdoor to activate unconditional call forwarding and silent mode on Android handsets, collect a list of system-specific information and send it to the command and control (C&C) server to register the infected device, and obtain a unique identifier to further communicate with the C&C server to receive commands.
DDoS attack hits Kickass Torrents, DNS servers crippled. Kickass Torrents, one of the largest torrent portals, reported that its Web site was offline for almost 24 hours after an unknown attacker conducted distributed denial-of-service (DDoS) attacks against the Web site’s domain name system (DNS) servers, and that during the week of January 10 the Web site was hit with smaller DDoS attacks. Officials reported the Web site is running again, but they are anticipating further attacks.
Apple’s Gatekeeper bypassed again. A security researcher from Synack discovered a technique that bypasses the Gatekeeper security feature of Apple’s operating system (OS) X: find a signed application that loads and executes an external binary at runtime, create a .dmg file in which that external binary is replaced with a malicious file, and deliver the .dmg to users by injecting it into insecure download connections or by uploading it to third-party application stores. Apple released a temporary patch addressing the vulnerability.
SEC Charges Goldman Sachs with improper securities lending practices. Goldman, Sachs & Co. agreed to pay the U.S. Securities and Exchange Commission (SEC) $15 million in penalties January 14 to settle charges that the company inaccurately recorded the firm’s locates log and violated Federal regulations in its securities lending practices by improperly providing locates to customers without performing an appropriate review of the securities to be located, leading customers to engage in illegal short sales, among other charges.
SEC charges State Street for pay-to-play scheme. The U.S. Securities and Exchange Commission announced January 14 that State Street Bank and Trust Company agreed to a $12 million settlement over allegations that the company conducted a pay-to-play scheme in which the company’s former senior vice president agreed to make illicit cash payments and political campaign contributions to Ohio’s deputy treasurer in order to win sub-custodian contracts to service Ohio pension funds.
Federal jury convicts ringleader of bank fraud and identity theft scheme. A man from Virginia was convicted January 13 by a Federal jury for 1 count of conspiracy to commit bank fraud, 19 counts of bank fraud, and 4 counts of aggravated identity theft after an investigation revealed he was the organizer of a nationwide bank fraud and identity theft scheme that targeted banks and individuals, and opened numerous checking, credit, and personal line accounts using the stolen identities of his victims.
U.S. jury finds ex-Capital One analyst liable in insider trading case. A Federal jury found a former Capital One Financial Corp analyst liable January 13 on civil charges that he engaged in insider trading by using non-public sales data gathered by the credit card company to buy and sell stocks ahead of public earnings information. The traded information gave the man a significant advantage and earned him $1.5 million in trading profits.
‘Hipster Bandit’ robs fourth bank. Authorities were searching January 13 for a man dubbed the “Hipster Bandit” after he allegedly robbed four banks in San Diego, including his most recent robbery at a Wells Fargo Bank branch January 9, in which the suspect slipped a note to the teller and demanded specific denominations before leaving with the stolen funds.
Flaw allows malicious OpenSSH servers to steal users’ private SSH keys. Researchers from Qualys reported two vulnerabilities, including an information disclosure flaw, in the OpenSSH implementation of the secure shell (SSH) protocol: a malicious server can trick the default client code into leaking client memory to the server, allowing the server’s operator to extract users’ private cryptographic keys and then pose as the owner of those SSH keys.
Alleged author of MegalodonHTTP malware arrested. Norwegian officials arrested an individual suspected of authoring the MegalodonHTTP malware that powers distributed denial-of-service (DDoS) botnets internationally, after police arrested five men on suspicion of possessing, using, and selling malware. Authorities reported that the operation behind the malware is no longer active since the man was arrested.
McAfee Application Control Flaws expose critical infrastructure: Researchers. A researcher from SEC Consult discovered a series of low level vulnerabilities in McAfee’s Application Control product that can be exploited to bypass application whitelisting protection and gain arbitrary code execution through various techniques, which can be leveraged to cause denial-of-service (DoS) conditions to overwrite whitelisted applications once code execution is achieved.
Google’s Go upgrade fixes bug that could leak RSA private key. Google released an update to its programming language, Go 1.5.3, patching a security issue affecting RSA computations in crypto/rsa, which is used by crypto/tls, that could potentially leak the RSA private key of TLS servers on 32-bit systems.
U.S. Treasury Department to track some real estate deals in NY and Miami. The U.S. Department of the Treasury announced January 13 that it will track sales of high-end real estate in Manhattan and Miami in order to discover and prevent money laundering by establishing temporary disclosure requirements beginning March 2016, which will require certain title companies to identify the individuals behind companies that purchase properties exceeding $3 million.
Former Mirae Bank exec charged with bank fraud. A former executive of Mirae Bank was charged January 13 with 6 counts of Federal bank fraud and 2 counts of making false statements to a financial institution after allegedly arranging $150 million in fraudulent loans on behalf of the bank and skimming money from the loans for personal profit, which reportedly led to approximately $33 million in losses and the bank’s failure by 2009.
SEC charges 11 bank officers and directors with fraud. The U.S. Securities and Exchange Commission charged 11 former executives and board members of Birmingham-based Superior Bank and its holding company January 13 for their involvement in various fraud schemes in which they allegedly concealed or understated the bank’s allowances for loan and lease losses (ALLL) and propped up Superior Bank’s financial condition through straw borrowers, fake appraisals, and insider deals.
Cisco patches serious flaw in networking, security products. Cisco released software updates that addressed multiple critical vulnerabilities in several of its networking and security products, including an unauthorized access issue affecting Cisco standalone and modular controllers running Wireless LAN Controller (WLC) software that allowed attackers to modify the device’s configuration and compromise the device.
DHCP gets a fix for denial-of-service bug. The Internet Systems Consortium (ISC) patched a flaw in its Dynamic Host Configuration Protocol (DHCP) software packages after a security researcher from Sophos discovered the vulnerability allowed attackers to crash the server by sending a malicious network packet with an invalid IPv4 UDP length field.
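The ISC DHCP item above is a classic length-field bug: a value the attacker controls is trusted when the datagram is sliced up. The Python example below is added here to show the validation a defensive parser performs; it is not ISC’s code, it does not reproduce the actual crash, and the packet builder, function names and sample DHCP bytes are constructed for the demonstration (checksums are left zero and not verified).

```python
"""Added example: parse IPv4/UDP and refuse any length field the buffer does not support.
Not ISC DHCP code; packet builder and sample bytes are constructed for the demonstration."""
import struct

IPV4_MIN_HEADER_LEN = 20
UDP_HEADER_LEN = 8
PROTO_UDP = 17


class MalformedPacket(ValueError):
    """Raised instead of trusting a length field the bytes on the wire do not support."""


def parse_ipv4_udp(packet: bytes) -> dict:
    """Parse an IPv4+UDP datagram, cross-checking every length field against the
    bytes actually present before it is used to slice the payload."""
    if len(packet) < IPV4_MIN_HEADER_LEN:
        raise MalformedPacket("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HEADER_LEN or ihl > len(packet):
        raise MalformedPacket("bad IPv4 version or header length")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl + UDP_HEADER_LEN or total_len > len(packet):
        raise MalformedPacket("IPv4 total length inconsistent with buffer")
    if packet[9] != PROTO_UDP:
        raise MalformedPacket("not UDP")
    udp = packet[ihl:total_len]
    src_port, dst_port, udp_len, _checksum = struct.unpack("!HHHH", udp[:UDP_HEADER_LEN])
    # The check at the heart of the bulletin item: udp_len is attacker-controlled,
    # so it must cover the 8-byte UDP header and must not exceed the bytes present.
    if udp_len < UDP_HEADER_LEN:
        raise MalformedPacket(f"UDP length {udp_len} is smaller than the UDP header")
    if udp_len > len(udp):
        raise MalformedPacket(f"UDP length {udp_len} exceeds the {len(udp)} bytes available")
    return {"src_port": src_port, "dst_port": dst_port, "payload": udp[UDP_HEADER_LEN:udp_len]}


def build_ipv4_udp(payload: bytes, udp_len_override=None) -> bytes:
    """Build a minimal IPv4/UDP datagram (checksums left zero; not validated here).
    udp_len_override lets the example construct a datagram with a bogus UDP length."""
    udp_len = UDP_HEADER_LEN + len(payload) if udp_len_override is None else udp_len_override
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0) + payload  # DHCP client -> server ports
    total_len = IPV4_MIN_HEADER_LEN + len(udp)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_UDP, 0,
                       bytes(4), b"\xff\xff\xff\xff")
    return ipv4 + udp


def is_malformed(packet: bytes) -> bool:
    """True when the parser rejects the datagram rather than slicing on a bad length."""
    try:
        parse_ipv4_udp(packet)
    except MalformedPacket:
        return True
    return False


# Constructed sample payload: the first bytes of a BOOTP/DHCP request
# (op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0), not a captured packet.
SAMPLE_DHCP_PREFIX = b"\x01\x01\x06\x00" + b"\x00" * 12
```

The order of the checks matters: the IPv4 total length is validated against the buffer before the UDP header is read, and the UDP length is validated against the remaining bytes before the payload slice is taken, so no later step ever indexes past what was received.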
Microsoft fixes critical flaws in Windows, Office, Edge, IE and other products. Microsoft released security updates that patched critical flaws in its Windows, Office, Edge, Internet Explorer, Silverlight, and Visual Basic products, including remote code execution vulnerabilities, elevation of privilege vulnerabilities, and a spoofing flaw.
Shoddy ransomware destroys user’s files. Security researchers from Trend Micro identified a ransomware dubbed RANSOM_CRYPTEAR.B, built on the open-source Hidden Tear ransomware code, that infects users by redirecting them to fake Adobe Flash Web sites that distribute a malicious Flash Player update, which installs the crypto-ransomware and encrypts all of the victim’s data files. The malware’s authors were seen discarding the encryption key, rendering all encrypted files unrecoverable.
Mozilla Persona login system to shut down in November. Mozilla reported that its login system, Persona (persona.org) and related domains will be shut down November 30 due to limited resources and low customer usage within the last two years. The company will continue to maintain the system including providing security fixes and support, but will not introduce new features or produce major enhancements.
Google researcher finds RCE flaws in Trend Micro product. Trend Micro released updates for its Password Manager product addressing a remote code execution (RCE) flaw, security feature flaws, and several application program interface (API) flaws, among others, that exposed nearly 70 APIs to the Internet, which could have enabled an attacker to steal user passwords without the consent or knowledge of the user.
WhatsApp users targeted by sneaky spam campaign. Researchers from Comodo discovered that the Nivdort malware has been targeting WhatsApp users via spam email campaigns containing malicious file attachments disguised as WhatsApp messages, images, audio, or video files. The malware steals information about a victim’s computer and sends it to a command-and-control (C&C) server, from which attackers can deliver additional malware including banking trojans, complex spyware, or point-of-sale (PoS) malware.
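The two Nivdort items (the fake Facebook audio message above and this WhatsApp campaign) describe the same persistence step: the dropped executable copies itself to a non-standard location and adds a Windows Registry Run entry so it survives reboots. The Python example below, added here and not part of the bulletin or any vendor tool, shows the detection logic a defender would run over endpoint telemetry; the event format, the sample events and the "suspicious location" rules are constructed for the demonstration and are modelled loosely on Sysmon registry events.

```python
"""Added example: flag registry autorun entries that point at unusual locations.
Event format and sample events are constructed; not real telemetry."""
import re

# Constructed Sysmon-style events (EventID 13 = registry value set), written as
# key=value fields separated by "|". Two of them describe malware-like persistence.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=13|Image=C:\Users\alice\Downloads\voice_message.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost|Details=C:\svchost.exe",
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|Details=%windir%\system32\SecurityHealthSystray.exe",
    r"EventID=13|Image=C:\Users\bob\AppData\Local\Temp\upd.exe|TargetObject=HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd|Details=C:\Users\bob\AppData\Local\Temp\upd.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
    r"EventID=13|Image=C:\Windows\System32\services.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start|Details=DWORD (0x00000002)",
]

# A value written directly under ...\CurrentVersion\Run or \RunOnce.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)

# Locations legitimate software rarely autoruns from (constructed rule set):
# an executable in the root of a drive (the "C:/" copy described above),
# a user's Temp directory, or the %TEMP% variable.
SUSPICIOUS_LOCATION_RE = re.compile(
    r'^"?(?:[a-z]:\\[^\\]+\.exe|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\|%temp%)',
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_suspicious_autorun(event: dict) -> bool:
    """Registry value set + autorun key + executable in a suspicious location."""
    if event.get("EventID") != "13":
        return False
    if not AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        return False
    return bool(SUSPICIOUS_LOCATION_RE.match(event.get("Details", "")))


def scan_autoruns(lines):
    """Return (registry value, command) pairs worth an analyst's attention."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_autorun(event):
            hits.append((event["TargetObject"], event["Details"]))
    return hits
```

Run against the constructed events, the scan flags the root-of-drive `svchost.exe` copy and the `RunOnce` entry in a Temp folder and ignores the OneDrive and Windows Security entries. In production the location rules need tuning to the environment (some installers do legitimately autorun from AppData), which is why the function returns the raw evidence for triage rather than deciding on its own.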
US DHS just spent $1.7 million to develop better DDoS protection tech. DHS awarded a $1.7 million contract to Galois, a U.S. research and development company, to help develop a new technology dubbed DDoS Defense for Community of Peers (3DCoP) that will mitigate and stop distributed denial-of-service (DDoS) attacks by detecting, tracking, and preventing ongoing attacks via a traffic flow monitoring capability that finds patterns of interest.
Smartwatches can be used to spy on your card’s PIN code. A software engineer released a report titled Deep-Spying: Spying using Smartwatch and Deep Learning that introduces a new theoretical attack allowing attackers to extract sensitive information, including credit card or phone access personal identification number (PIN) codes, by interpreting data from a smartwatch’s motion sensors and mapping the wrist movements to keystrokes on a PIN pad.
Cops: Man admits to stealing $20M from suburban credit union. The chief financial officer at Clarkston Brandon Community Credit Union in Detroit was charged with embezzlement January 8 after confessing January 6 to stealing $20 million from the credit union over the course of 12 years.
CSRF bug in Verizon’s API left My FiOS accounts open to attacks. Verizon released patches for a cross-site request forgery (CSRF) flaw in its My FiOS application programming interface (API), demonstrated with a proof of concept (PoC), after an independent security researcher discovered that attackers could access users’ accounts via malicious Web pages distributed through email campaigns. Once a user opens a malicious page, a password reset command can be triggered.
Drupal starts patching update process flaws. Drupal reported that it was working to patch a cross-site request forgery (CSRF) vulnerability and an update status vulnerability in its content management system (CMS) after an IOActive researcher discovered that the flaws affected Drupal versions 7 and 8.
Juniper to enhance RNG in ScreenOS. Juniper Networks reported January 8 that it will replace the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) technology used in its ScreenOS products with the same random number generation (RNG) technology used in its Junos OS products, after an investigation concluded that the Junos OS RNG subsystem is more robust and would make it more difficult to plant unauthorized code.
US ramps up war on IS propaganda, recruitment. White House officials reported January 8 that the U.S. Department of Justice and DHS formed a new unit, the Countering Violent Extremism Task Force, to coordinate U.S. efforts to fight extremist groups such as the Islamic State (IS) domestically and to support international partners of the U.S. in their programs to neutralize potential extremist activities, by preventing radical groups from using the Internet to recruit supporters and from using encrypted technologies to hide their activities.
Unpatched Drupal flaws expose sites to attacks. A researcher from IOActive reported that there were several vulnerabilities in the update process for the Drupal content management system (CMS) versions 6 and 7 series including a cross-site request forgery (CSRF) vulnerability that can be exploited to force Web site administrators to check for updates, which can enable hackers to deliver server-side request forgery (SSRF) attacks against drupal.org. Additional issues included an authentication vulnerability that allows hackers to launch Man-in-the-Middle (MitM) attacks due to Drupal’s lack of authentication checks, allowing hackers to deliver backdoored versions of Drupal modules to compromise a Web site, among other vulnerabilities.
WordPress 4.4.1 patches XSS vulnerability. WordPress released security and maintenance updates in version 4.4.1 of its content management system (CMS) that resolved one vulnerability, a cross-site scripting (XSS) flaw that could allow attackers to compromise affected Web sites, along with 52 non-security issues.
HTTPS Bicycle attack reveals password length, allows easier brute-forcing. A security researcher released a report detailing how a new attack, named the HTTPS Bicycle attack, can enable hackers to discover the length of a user’s password to a web application, making the account more susceptible to brute-force attacks. The attack works by analyzing a packet capture of the user’s Hypertext Transfer Protocol Secure (HTTPS) traffic together with the plaintext HTTP headers included in every request: because the headers are predictable, the remaining record length reveals the length of the password. The researcher offered preventative measures such as hashing or padding passwords on the client to disguise their length.
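The length leak described above, and the padding countermeasure beside it, as an added example written for this page (not code from the original page or from the researcher’s report). It assumes a simplified wire model, also not from the page: the login request travels in one TLS record under a stream cipher or AEAD mode that adds no padding, so the record length is the plaintext length plus a constant overhead. The request template, the host name bank.example and the overhead value are constructed for the example.

```python
"""Length leak behind the HTTPS Bicycle attack, modelled next to its padding fix.

Added example, not code from the page. Assumptions (not from the page): each
login request fits in one TLS record, and the cipher adds a constant
per-record overhead and no padding, so record length = plaintext + OVERHEAD.
"""
from typing import Callable, List

# Assumed constant: 5-byte record header + 8-byte explicit nonce + 16-byte tag.
OVERHEAD = 29

# Fixed body size for the padded (mitigated) form; constructed for the example.
BODY_LEN = 128

HEADER_TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: {length}\r\n"
    "\r\n"
)


def build_login_request(username: str, password: str) -> bytes:
    """Unpadded login POST: body length moves one-for-one with the password.

    Plain ASCII is assumed; a real client would percent-encode the fields.
    """
    body = f"username={username}&password={password}"
    return (HEADER_TEMPLATE.format(length=len(body)) + body).encode()


def build_padded_login_request(username: str, password: str) -> bytes:
    """Mitigated form: a pad field fills the body to BODY_LEN bytes, so every
    login request has the same size whatever the password length."""
    body = f"username={username}&password={password}&pad="
    if len(body) > BODY_LEN:
        raise ValueError("password too long for the padded form")
    body += "x" * (BODY_LEN - len(body))
    return (HEADER_TEMPLATE.format(length=len(body)) + body).encode()


def observed_record_length(plaintext: bytes) -> int:
    """What a passive observer sees on the wire for one record."""
    return len(plaintext) + OVERHEAD


def candidate_password_lengths(
    record_len: int,
    username: str,
    builder: Callable[[str, str], bytes] = build_login_request,
    max_len: int = 64,
) -> List[int]:
    """Observer side: rebuild the known template for every candidate password
    length and keep the lengths whose record size matches the capture.

    With the unpadded form exactly one candidate survives; with the padded
    form every candidate matches, i.e. the capture reveals nothing.
    """
    matches = []
    for n in range(max_len + 1):
        if observed_record_length(builder(username, "x" * n)) == record_len:
            matches.append(n)
    return matches


if __name__ == "__main__":
    leaky = observed_record_length(build_login_request("alice", "hunter2"))
    print("unpadded candidates:", candidate_password_lengths(leaky, "alice"))
    safe = observed_record_length(build_padded_login_request("alice", "hunter2"))
    print(
        "padded candidates:",
        len(candidate_password_lengths(safe, "alice", build_padded_login_request)),
    )
```

The point for a site operator is the second half: once the body is padded to a fixed size (or the client sends a fixed-length hash), two logins with different password lengths produce identical record sizes, and the observer’s candidate list collapses to every possible length at once.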
Mozilla warns Firefox fans its SHA-1 ban could bork their security. Mozilla advised users to update the Firefox web browser to the latest version, as users of older builds may be unable to access Web sites presenting Secure Hash Algorithm 1 (SHA-1)-signed Secure Sockets Layer (SSL) certificates due to the company’s rejection of SHA-1-signed certificates, whose weakness could allow attackers to spy on users’ activities without their consent. The company reported that Web sites using SHA-1-signed certificates were blocked and could not be accessed.
Backdoors not patched in many Juniper firewalls. A security researcher reported that Juniper Networks NetScreen devices were still vulnerable to firewall backdoors after an Internet-wide scan revealed that a total of 1,595 devices were potentially unpatched. The backdoors can be accessed with any username and the “<<<%s(un='%s') = %u” password.
Facebook disabled page scam wants your credit card data, Facebook and PayPal credentials. Researchers from RNLI and Malwarebytes reported that a new scam has been tricking Facebook Page owners into disclosing their Facebook login credentials, their PayPal credentials, and credit card details. The scam spreads via comments left on Facebook pages demanding that owners open a link or have their pages disabled.
Windows and Linux malware linked to Chinese DDoS tool. Researchers from Malware Must Die! reported that the malware dubbed Linux/DDOSTF primarily targets Linux systems running Elasticsearch servers, with some attacks against Microsoft Windows systems via a PHP-MySQL webshell that exploits the Windows Management Instrumentation (WMI) infrastructure, enabling attackers to infiltrate the system, upload and execute malicious payloads, and gain system privileges over the infected machine. The malware is distributed as a malicious Executable and Linkable Format (ELF) binary and shares similarities with an older malware named JrLinux.
Former McKinsey partner, McLean County Board chair indicted for wire fraud. A former partner at McKinsey & Company’s Chicago office and a former internal consultant for State Farm were charged January 5 for allegedly bilking both companies out of $900,000 in phony consulting fees through two companies, Gabriel Solutions and Andy’s BCB, while using the funds to pay for personal trips that were listed as business expenses.
Linode resets user passwords after breach. Linode reported that it reset customers’ Linode Manager passwords after the company discovered, while responding to a massive distributed denial-of-service (DDoS) attack on its Web site, data centers, and Domain Name System (DNS) infrastructure and multiple volumetric attacks on its authoritative nameservers and public Web sites, that user credentials from the company’s database may have been compromised. The exposed database included usernames, email addresses, password hashes, and encrypted two-factor authentication seeds.
Researchers publish default passwords for ICS products. The SCADA StrangeLove research team released a list of default credentials for industrial control system (ICS) products from various vendors, including industrial routers, programmable logic controllers (PLC), and wireless gateways, among other products, to show that default passwords pose a serious vulnerability for systems that are remotely accessible. The team reported that vendors should implement proper security controls such as establishing password strength policies and forcing users to change passwords on the first login.
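The two controls recommended above, a strength policy that also refuses known defaults and a forced change on first login, as an added example written for this page (not code from the page, from the research team or from any vendor). The device model, the factory account admin/admin, the sample default-credential list and the policy numbers are constructed for the example; a real product would hold the list of its own shipped defaults.

```python
"""Default-credential refusal and first-login password change, modelled for an
ICS device. Added example, not from the page or any vendor; the account list
and policy values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of vendor defaults (placeholders, not real products).
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("operator", "1234"),
}
DEFAULT_PASSWORDS = {pw for _, pw in KNOWN_DEFAULTS}
MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 100_000  # assumed; tune to the device's CPU budget


class PolicyError(ValueError):
    """Raised when a new password violates the strength policy."""


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool  # True until the factory password has been replaced


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; never store the default password in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_policy(username: str, new_password: str) -> None:
    """Reject short passwords, any known vendor default, and the username itself."""
    if len(new_password) < MIN_LENGTH:
        raise PolicyError("password shorter than %d characters" % MIN_LENGTH)
    if new_password in DEFAULT_PASSWORDS or (username, new_password) in KNOWN_DEFAULTS:
        raise PolicyError("password is a known default credential")
    if new_password.lower() == username.lower():
        raise PolicyError("password must not equal the username")
    if not (any(c.isalpha() for c in new_password) and any(c.isdigit() for c in new_password)):
        raise PolicyError("password needs both letters and digits")


def violates_policy(username: str, candidate: str) -> bool:
    """Convenience wrapper so callers can test a candidate without exceptions."""
    try:
        check_policy(username, candidate)
    except PolicyError:
        return True
    return False


class Device:
    """Minimal login state machine: a factory account can authenticate only to
    reach the change-required state; nothing else is allowed until it is cleared."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        for user, factory_pw in [("admin", "admin")]:  # constructed factory account
            salt, digest = hash_password(factory_pw)
            self.accounts[user] = Account(user, salt, digest, must_change=True)

    def authenticate(self, username: str, password: str) -> str:
        """Return 'denied', 'change-required' or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            return "denied"
        return "change-required" if acct.must_change else "ok"

    def set_password(self, username: str, current: str, new: str) -> None:
        """Replace the password; clears the first-login flag on success."""
        if self.authenticate(username, current) == "denied":
            raise PolicyError("current password incorrect")
        check_policy(username, new)
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False
```

The state returned by authenticate is what the rest of the firmware should key on: any session in the change-required state gets access to set_password and nothing else, which is what makes the first-login change forced rather than advisory.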
Vulnerability exposed Blackphone to complete takeover. Silent Circle released updates for its privacy-focused Blackphone 1 mobile device that patched several security flaws, including a modem vulnerability that attackers could exploit to take control of the device’s functions through an open-access socket. The socket interacts with an NVIDIA Icera modem binary named agps_daemon, which runs with elevated privileges, communicates directly with the Blackphone modem, and records anything it receives on the ttySHM3 port. An attacker with shell user privileges could send commands to the modem to exploit the flaw.
Author of Linux.Encoder fails for the third time, ransomware is still decryptable. Researchers from Bitdefender reported that a Linux.Encoder decryption tool was available for free following the discovery of a third version of the Linux.Encoder malware which has infected about 600 servers. The ransomware targets Web servers and looks to encrypt files used in Web hosting and Web development environments.
‘Operation Nip Tuck’ cuts women off in credit card scheme. Authorities in Orlando, Florida, announced January 4 the arrest of 8 women allegedly involved in a scheme that stole personal and credit card information in order to undergo $160,000 worth of plastic surgery and dental work. Three additional warrants were issued and five others could face charges in connection to the scheme.
Google patches Android for yet another RCE flaw in its Mediaserver component. Google released patches for 12 vulnerabilities, five of which were rated critical, in its Android operating system (OS), including a remote code execution (RCE) flaw in the Mediaserver component that allowed attackers to craft malicious media files and deliver them via a multimedia messaging service (MMS) message or stream them through a user’s browser. Other issues included an elevation of privilege vulnerability in the misc-sd driver and elevation of privilege vulnerabilities in TrustZone, among other flaws.
PSN down: PlayStation Network mostly back online following 12-hour outage. Sony Computer Entertainment reported that its PlayStation Network was back online following a 12-hour outage that affected almost all its systems including the PlayStation Store and online play, PlayStation Vita, PS3, and PlayStation 4. Some users continued to have issues following the outage.
Cisco Jabber client flawed, exposes users to MitM attacks. Security researchers from Synacktiv discovered a serious vulnerability affecting Cisco’s Jabber client for Windows versions 10.6.x, 11.0.x, and 11.1.x that allows attackers to expose a user’s private conversations and steal their login credentials via a simple Man-in-the-Middle (MitM) attack that downgrades the STARTTLS negotiation and forces communications to take place in cleartext, tricking the desktop application into exposing sensitive information. Cisco released version 1.1 after discovering that Jabber versions 9.x, 10.6.x, 11.0.x, and 11.1.x for Apple’s iPhone and iPad and Jabber for Android were also affected.
Mozilla adds W^X security feature to Firefox. Mozilla reported that a new security feature, Write XOR Execute (W^X), a policy pioneered by the OpenBSD operating system (OS), was added to its Firefox web browser in an attempt to protect against basic buffer overflow flaws and memory corruption issues. W^X changes how code executed inside the browser interacts with the operating system’s memory and does not allow a region of memory to be writable and executable at the same time.
BlackEnergy malware used in Ukraine power grid attacks. Researchers from ESET reported that the BlackEnergy malware, which previously targeted Ukrainian government entities and U.S. critical infrastructure companies, and a Secure Shell (SSH) backdoor have been targeting news media and electrical power companies in Ukraine. Researchers found the malware planted on the networks of several regional power companies and news companies along with a destructive plugin called KillDisk that attempted to make the operating system (OS) unbootable and to sabotage industrial control system (ICS) software by targeting sec_service.exe.
Mac OS X, iOS registered most disclosed vulnerabilities in 2015. A data report from CVE Details states that Apple’s desktop and mobile operating systems (OS) have the most distinct vulnerabilities publicly disclosed in 2015 including its Mac OS X with 384 security flaws, as well as its iOS with 375 security issues, among others. Apple patched several vulnerabilities in its products and is working to mitigate future flaws.
Details of 34,000 Steam users exposed during DDoS attack. Valve Corporation reported that, while trying to resolve distributed denial-of-service (DDoS) attacks against the Steam Store, its Internet-based platform Steam deployed caching configurations, one of which incorrectly cached traffic for authenticated users, resulting in users’ personal information being displayed to other users. The incident affected 34,000 users, and the company was working to identify those affected.