Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers.
ATM and Gas Pump Skimming Information.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
Advisory of “Shellshock” Vulnerability
On September 24, 2014, multiple security experts began reporting on a security vulnerability, Shellshock, which affects an application called Bash. In summary:
1. Bash, which stands for the GNU Bourne-Again Shell, is part of the GNU operating system (free software) and is distributed with most versions of Linux and Unix;
2. The vulnerability could enable attackers, without authentication, to obtain information, modify authentication parameters, and disrupt service; and
3. It is currently given the highest possible ratings (“10”) for Severity, Impact, and Exploitability based on the Common Vulnerability Scoring System (CVSS).
In response, it is recommended that business clients work with their IT professionals to:
1. Identify, filter and block internet protocol (IP) addresses that may be maliciously scanning systems.
2. Review all systems and services to identify any systems that may be vulnerable to this exploit.
3. Actively work to identify effective patching for this vulnerability, and patch any systems and services that are vulnerable.
Shellshock known vulnerabilities and vendor status: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4
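The three recommendations above are things an IT team can script. The following is an added example, not part of the bank's advisory: a POSIX shell script that runs the widely published Shellshock self-test against the local bash (step 2), and scans a constructed web server access log for the "() {" function-definition prefix that Shellshock scanning traffic carries in HTTP headers, listing the source addresses so they can be filtered (step 1). The log lines, IP addresses and paths are constructed for the example.

```shell
#!/bin/sh
# Added example for the Shellshock advisory above; not code from the
# original page. Sample data below is constructed.

# check_local_bash: the published self-test. Vulnerable bash versions
# imported shell functions from environment variables and also executed
# the command that followed the function body, so "vulnerable" is printed.
# A patched bash only prints "test". Prints one of:
#   patched | vulnerable | bash-not-installed
check_local_bash() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash-not-installed"
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# count_shellshock_probes: number of access-log lines carrying the "() {"
# prefix anywhere (User-Agent, Referer or another header echoed into the
# log). grep exits 1 on no match and 2 on a missing file; both become 0.
count_shellshock_probes() {
    logfile="$1"
    n=$(grep -F -c '() {' "$logfile" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# list_probe_sources: unique client addresses (first field of a combined-
# format log line) that sent such requests; input for an IP block list.
list_probe_sources() {
    logfile="$1"
    grep -F '() {' "$logfile" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# make_sample_log: writes a constructed access log to a temp file and
# prints its path. Lines 2 and 4 are probes; the payload is a harmless
# echo, exactly like the self-test string.
make_sample_log() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :; }; echo PROBE"
192.0.2.12 - - [25/Sep/2014:10:03:05 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:04:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() { :; }; echo PROBE" "-"
EOF
    echo "$tmp"
}

# Stand-alone run: report the local bash status and scan the sample log.
log=$(make_sample_log)
echo "local bash: $(check_local_bash)"
echo "probe lines in sample log: $(count_shellshock_probes "$log")"
echo "probe sources:"
list_probe_sources "$log"
rm -f "$log"
```

Point count_shellshock_probes and list_probe_sources at a real Apache or nginx access log to apply the same check to production traffic.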
Vulnerability found in firmware update process of ASUS routers. A researcher identified and reported a vulnerability in ASUS RT-series routers that could have allowed attackers to use a man-in-the-middle (MitM) attack to trick users into downloading older, vulnerable firmware versions or potentially malicious code, because the firmware request was sent over HTTP instead of HTTPS. ASUS closed the vulnerability in its 184.108.40.206.367.1123 update.
‘Replay’ attacks spoof chip card charges. Three undisclosed U.S. banks reported receiving fraudulent payment card charges emanating from Brazil that disguise the fraudulent charges as charges made using the Europay, MasterCard, and Visa (EMV) chip-and-PIN system, even though the banks have not yet issued EMV cards. The attacks disguised the charges as originating from EMV cards because some banks with misconfigured systems may not apply the full range of security checks to EMV card transactions.
Tor exit node found maliciously modifying files. A researcher with Leviathan Security Group identified and reported an exit node on the Tor network that wraps binary files with malware as the files move through the node. The Tor Project stated that it set a “BadExit” flag on the node to protect users after it was reported.
Backoff PoS malware boomed in Q3. Damballa released a report which found that detections of the Backoff point-of-sale (PoS) malware increased by 57 percent between August and September.
iMessage SPAM floods US mobile networks. CloudMark researchers reported that China-based designer goods counterfeiters are using the Apple iMessage platform to spam users with advertisements, the largest mobile spam campaign in the U.S. so far this year and accounting for over 80 percent of all reported mobile messages in the U.S.
Cisco fixes 3-year-old vulnerability affecting security appliances. Cisco released patches to close a vulnerability in its AsyncOS, used in several of the company’s security appliances, that could allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The vulnerability affects all models of Cisco Email Security Appliances (ESA), Cisco Web Security Appliances (WSA) and Cisco Content Security Management Appliances (SMA) running affected versions of AsyncOS.
Adobe Digital Editions now encrypts data collected from users. Adobe stated that its Adobe Digital Editions ebook software would begin using encryption to send data on users to Adobe’s servers starting October 23. Researchers previously discovered the transmission of user data and found that it was not encrypted, posing a security risk.
Akamai sees record-setting spikes in size and volume of DDoS attacks. Akamai released their Q3 2014 State of the Internet report and found that distributed denial of service (DDoS) attacks increased in average bandwidth by 389 percent over the past year, among other findings.
CryptoWall 2.0 delivered through malvertising on Yahoo and other large sites. Proofpoint researchers observed a recent campaign using malicious advertisements on Yahoo, 9gag, and other popular Web sites to deliver the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. The exploit kit exploits vulnerabilities in Adobe Flash Player to deliver the ransomware that encrypts users’ files and demands a ransom to decrypt them.
1.2 million Networking devices vulnerable due to NAT-PMP issues. A security researcher with Rapid7 reported October 21 that the company identified around 1.2 million Internet-connected devices that are vulnerable to various attacks due to poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP). The vulnerabilities could allow attackers to perform denial of service (DoS) attacks, intercept traffic, or perform other malicious actions.
Apple warns users of attack targeting iCloud site. Apple confirmed reports of man-in-the-middle (MitM) attacks against its iCloud service that employed an insecure certificate and advised users not to dismiss browser warnings regarding the security of content. The attacks trigger warnings in the Chrome and Firefox browsers but not in Qihoo, the most popular Web browser in China.
Windows zero-day exploited in targeted attacks through PowerPoint. Microsoft reported that it has observed limited targeted attacks exploiting a zero-day vulnerability in the company’s Object Linking and Embedding (OLE) technology which could allow an attacker to perform remote code execution if a user opens a specially-crafted Microsoft Office file. The vulnerability affects all current Microsoft Windows releases except Windows Server 2003 and Microsoft advised users to apply a series of workarounds until a patch can be released.
Koler worm spreads via SMS, holds phones for ransom. Researchers at AdaptiveMobile identified a new variant of the Koler worm for Android that spreads via a bitly link that directs users to a Dropbox page where the malware is disguised as an app. The malware then blocks infected devices’ screens with a fake law enforcement page and demands a ransom to be paid via Money Pak Voucher.
Attackers change home routers’ DNS settings via malicious code injected in ads. Sucuri Security researchers identified a malvertising campaign that embeds malicious code into an ad hosted on the googlesyndication.com network and attempts to change the DNS settings on users’ home routers in order to lead them to potentially malicious Web sites.
Malware directs stolen documents to Google Drive. Researchers with Trend Micro identified a new piece of information-stealing malware dubbed Drigo that uploads any .PDF, text, and Microsoft Word, Excel, and PowerPoint files to a Google Drive account. The researchers reported that the malware appears to be targeting government agencies and reported the Google Drive account associated with the malware to Google.
Apple fixes security flaws with release of iOS 8.1. Apple released an update to its iOS 8 mobile operating system, closing several vulnerabilities and adding new features.
One week after patch, Flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit sold on underweb forums, known as Fiesta, that is bundled with an exploit for a recently-patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14.
Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products.
Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to obtain user and domain names and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Networks advised users to apply best practice guidelines developed by the company.
Microsoft pulls another dodgy patch. Microsoft stated that it is investigating a patch for Windows 7 and Windows Server 2008 R2 after some users reported experiencing issues with their systems after installation. Microsoft advised users experiencing problems to uninstall the patch.
Dropbox users are served a phishing page delivered over SSL. A researcher with Symantec stated that attackers are using a phishing campaign with a page hosted on Dropbox to attempt to steal users’ Dropbox and email credentials. The phishing page uses the secure sockets layer (SSL) protocol of its host in order to appear legitimate.
Apple releases MEGA security patch round for OS X, Server and iTunes. Apple released a round of patches for several of its products, including OS X, OS X Server, and iTunes, addressing 150 issues including patches to close the POODLE and Shellshock vulnerabilities.
Modular malware for OS X relies on open-source keylogger code. Kaspersky Lab researchers identified a piece of modular malware for Apple OS X known as Ventir that uses the legitimate LogKext keylogging software in order to steal information from infected systems.
Sandworm vulnerability seen targeting SCADA-based systems. An advisory issued by Trend Micro stated that researchers have identified attackers using the Sandworm vulnerability to target systems running the GE Intelligent Platforms CIMPLICITY human-machine interface (HMI) solution used in supervisory control and data acquisition (SCADA) systems. The attackers appear to be using the vulnerability in the first stage of an advanced persistent threat (APT) targeted attack, and use it to install the BlackEnergy malware.
SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition.
New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner.
XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers.
Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information.
All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to infected systems on an air-gapped network by shining infrared or visible light at the scanner lid when open, issuing commands to malware already planted on the system via USB drive or other method. The researchers were able to successfully test the method at a target printer inside a building at 200, 900, and 1,200 meters and stated that a more powerful laser could produce reliable results from up to 5 kilometers.
Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stocks of Canada-based Confederation Minerals Ltd., which has resulted in the transaction volume of the company increasing to 1,620,000 shares from 10,000 shares within 3 days. The spam campaign is the largest recorded in 2014 and the attackers behind it stand to profit by selling stocks after inflating the prices.
Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that attackers have increasingly used the Simple Service Discovery Protocol (SSDP) that comes enabled on Universal Plug and Play (UPnP) devices to launch reflection and amplification distributed denial of service (DDoS) attacks starting in July. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack.
New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers.
FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign targeting policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools including Moudoor, a derivative of the Gh0st RAT remote access Trojan, and the Hikiti malware used to control compromised systems.
Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution and all users were advised to update their installations as soon as possible.
Microsoft patches two more 0-days actively used by attackers. Microsoft released its monthly Patch Tuesday round of patches for October, closing several critical vulnerabilities including the SandWorm vulnerability and others exploited by attackers.
Flash Player 15 update plugs remote code execution bugs. Adobe released patches for three critical vulnerabilities in its Flash Player consisting of two memory corruption issues and one integer overflow vulnerability.
Mozilla fixes critical bugs in Firefox 33. Mozilla released the latest version of its Firefox browser, closing 33 critical vulnerabilities and adding improved functionality.
SSL 3.0 falls in the face of POODLE attack, needs to be disabled. Researchers with Google designed an attack named POODLE that can exploit a flaw in the design of the Secure Sockets Layer 3.0 (SSL 3.0) protocol that can allow the extraction of data from secure connections using the protocol. SSL 3.0 has been superseded by several other protocols but is still used in some clients and servers and as a backup protocol by Web browsers if modern protocols are unavailable.
Malware-like browser pop-ups used by advertisers to push apps on Android. A researcher at Malwarebytes reported that some advertisers are using fake warning or update notifications directed at Android users in an attempt to get them to download legitimate but potentially unwanted programs in an affiliate marketing scheme.
BlackBerry 10 devices open to bug that allows malicious app installation. BlackBerry released a patch for a vulnerability in BlackBerry 10 devices that could allow an attacker with a man-in-the-middle position to replace legitimate apps downloaded through the BlackBerry World app store with malicious apps.
Malicious YouTube ads lead to exploits, ransomware. Trend Micro researchers identified and reported a malvertising campaign where attackers appeared to have bought traffic from legitimate ad providers in order to place malicious ads on popular YouTube videos to redirect users through several sites to a server hosting the Sweet Orange exploit kit. The exploit kit then attempts to infect users with the Kovter ransomware via an Internet Explorer vulnerability.
Massive Oracle security update lands on Microsoft Patch Tuesday. Oracle released over 150 patches for several of its products, closing critical vulnerabilities in several products including Oracle Database and Java SE.
Russian espionage group used Windows 0-day to target NATO, EU. iSIGHT Partners discovered a zero-day vulnerability used in a cyber-espionage campaign dubbed SandWorm targeting the North Atlantic Treaty Organization, the European Union, Ukrainian and Polish government organizations, and several European telecommunications and energy sectors. Microsoft is expected to release a patch for the zero-day which exploits supported versions of Microsoft Windows and Windows Server 2008 and 2012.
Dropbox denies being hacked, points to third-party services. Dropbox announced that its servers were not breached after a list of 420 username and password pairs were publicized on Pastebin with a poster claiming that more would be published with Bitcoin donations. The company reported that the information was stolen from other Web services used by the victims, who had identical usernames and passwords for Dropbox.
The snappening: Snapsaved admits to hack that leaked SnapChat photos. Snapchat’s third-party app Snapsaved was hacked involving the release of 500MB of images containing between 90,000 and 200,000 photos and videos due to a misconfiguration in their Apache server. Snapsaved subsequently deleted the entire Web site and database associated with the breach.
Multiple vulnerabilities found in BMC Track-It! help desk software. Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) and Agile Information Security found that Track-It! version 220.127.116.115, the IT helpdesk solution created by BMC Software, contains three vulnerabilities: improper permissions, privileges, and access control; missing authentication for a critical function; and blind SQL injection. The company is working on addressing the issues.
New mobile Trojan masquerading as Tic-tac-toe game targets Android devices. Kaspersky Lab researchers found that a Tic-tac-toe game available on Android devices houses the Gomal Trojan, which allows hackers to record audio from the microphone, steal incoming SMS messages, steal data from the device log, and obtain root privileges, among other things. Good for Enterprise researchers determined that the app was a proof-of-concept app presented at Black Hat 2013 that exploited only a Samsung Exynos memory access vulnerability, which has since been patched.
HP to remove digital signature that code-signed malware. Symantec discovered that an HP digital certificate was used to cryptographically sign (code-sign) malware shipped through HP products in May 2010. HP will revoke the digital certificate October 21 after researchers found an apparent signature on a four-year-old Trojan that may have been included in the software.
New Rovnix variant targets users in EU countries. Researchers with CSIS Security Group identified a new variant of the Rovnix malware currently targeting users in European Union countries that includes a new domain generation algorithm (DGA), changes to avoid detection, and removes a bootkit component.
Shellshock exploits spreading Mayhem botnet malware. Researchers at Malware Must Die reported detecting a number of Linux and UNIX systems infected from several IP addresses belonging to the Mayhem botnet. The botnet was found to be probing Internet-facing systems for the Shellshock vulnerability in order to drop a new remote installer written in Perl.
Flaw in PayPal authentication process allows access to blocked accounts. A researcher with Vulnerability Laboratory identified and reported a flaw in the mobile authentication process for PayPal that can allow an attacker to attempt to input passwords an unlimited number of times without causing the account to be locked. The issue reported in March 2013 affects the iOS mobile app for PayPal and a fix is not currently available.
ATM programmer's reference manual leaked online. F-Secure researchers found a document online using the Baidu search engine that contains API documentation for ATM cashpoints manufactured by NCR Corporation during an investigation into ATM malware. The programming reference materials could be used by attackers to inform their development of ATM malware.
Aggressive Selfmite SMS worm variant goes global. Researchers with AdaptiveMobile identified a new variant of the Selfmite SMS worm for Android that spreads via malicious links in SMS messages that lead to a trojanized Google Plus app. The worm uses compromised devices to send the malicious SMS messages to every contact on the device several times and redirect users to unsolicited subscription Web sites.
Multiple vulnerabilities found in SAP enterprise software. Researchers at Onapsis published seven advisories for flaws in SAP HANA, SAP BusinessObjects, and SAP NetWeaver Business Warehouse enterprise software, including a remotely exploitable command injection vulnerability in HANA that could allow an unauthenticated attacker to completely compromise the SAP system and the information it handles and stores.
Several Siemens industrial products affected by ShellShock bug. Siemens released an advisory warning that variants of the Shellshock vulnerability can be leveraged by attackers against several of its products including some versions of Rugged Operating System on Linux (ROX) 1 and ROX 2 and APE Linux versions. The company is working on developing patches for the affected products.
There is anti-BadUSB protection, but it's a bit sticky. The researchers who revealed the details for infecting USB devices via the BadUSB vulnerability released a patch and instructions for preventing the reprogramming of USB devices by disabling the "boot mode" state of the device. The researchers stated that a patched device could be tampered with to reset it and remove the patch, and suggested physically securing the device with glue or similar substances to prevent undetected access.
Tyupkin is new ATM malware that allows cash extraction without card. Researchers with Kaspersky Lab identified and analyzed a new piece of ATM malware known as Tyupkin that is installed on ATMs through a bootable CD and can allow attackers to withdraw currency without a card. The malware includes several security features to prevent access and analysis and was mostly found in Eastern Europe as well as some cases in the U.S., Asia, and Western Europe.
Google fixes 159 security bugs with release of Chrome 38. Google released the latest version of its Chrome browser for Windows, Linux, Mac, and iOS, closing 159 security vulnerabilities.
Adobe spies on reading habits over unencrypted web because your ‘privacy is important.’ Adobe confirmed October 8 that its Digital Editions software collects information on users’ ebooks and sends it to Adobe servers as part of digital rights management (DRM) practices after a researcher reported finding the traffic being sent from Digital Editions. The company also confirmed that the information was sent in an unencrypted format and would be corrected, and stated that it was investigating the researcher’s claims that the program collected additional information on ebooks files stored on users’ systems.
SSDP reflection attacks spike in Q3: Arbor Networks. Arbor Networks released its report on distributed denial of service (DDoS) attacks during the third quarter (Q3) of 2014 and found that Simple Service Discovery Protocol (SSDP) reflection attacks grew significantly during Q3, with almost 30,000 such attacks during the quarter, among other findings.
Siemens swats security bugs affecting PCS 7. Siemens released an update for its PCS 7 supervisory control and data acquisition (SCADA) product that addresses five issues with the WinCC product, including a hard coded encryption key and another issue that could lead to privilege escalation.
Belkin says router outages should be resolved. Belkin stated October 7 that it fixed an issue in some older wireless routers that caused the routers to experience problems around midnight October 7 when pinging a Belkin-hosted service in order to check network connectivity. Belkin advised users still experiencing issues to restart their routers.
Monster banking trojan botnet claims 500,000 victims. Researchers with Proofpoint identified a new banking trojan botnet known as Qbot or Qakbot that has infected 500,000 systems and stolen data from users including 800,000 online banking transactions, with 59 percent of the stolen sessions taken from accounts in major U.S. banks. The researchers found that the malware for the botnet was launched from compromised WordPress sites using drive-by download attacks.
Bugzilla vulnerability exposes undisclosed bugs. The developers of the Bugzilla bug-tracking software released an update to address several security issues, including one reported by Check Point Software Technologies researchers that could allow an attacker to bypass the email validation process and potentially receive information on undisclosed security issues.
Yahoo! changes tune after saying servers were hacked by Shellshock. Yahoo reported October 6 that some servers that were recently compromised were not compromised using the Shellshock vulnerability but instead by a bug in a parsing script used on some servers.
Trojans-SMS are top threat on Android, INTERPOL and Kaspersky say. Kaspersky Lab and INTERPOL released the results of a study of mobile security threats over a 1-year period and found that Android users were the most targeted by attackers, with SMS trojans accounting for 57.08 percent of all detections, among other findings.
Bash bug payload downloads KAITEN DDoS malware source code. Trend Micro researchers detected a payload being delivered via attacks exploiting the Shellshock vulnerability that downloads the source code for the KAITEN distributed denial of service (DDoS) malware.
76M households hit by JPMorgan data breach. JPMorgan Chase & Co. stated October 2 that a large cyberattack against the company’s systems compromised the customer information of around 76 million households and 7 million small businesses. The attack was discovered in August and began as early as June and compromised customers’ names, addresses, email addresses, and phone numbers but the bank stated that there was no evidence that the breach included account information.
CryptoWall 2.0 available in the wild, has new obfuscator. A 2.0 version of the CryptoWall ransomware has been spotted in the wild by researchers and includes the use of the Tor network for communicating with command and control servers and a new obfuscator to prevent analysis and debugging.
Destructive Android trojan poses as newest Angry Birds game. Researchers with Doctor Web identified a piece of destructive Android malware detected as Android.Elite.1.origin that poses as an unreleased Angry Birds game app and once installed deletes a device’s data, blocks communications programs, and sends out a high volume of messages to all contacts on the device.
“BadUSB” code published. Two researchers presenting at the Derbycon 4.0 conference reverse-engineered USB firmware to launch various attacks and posted the attack code online. The flaw in USB firmware that enables the attack was first revealed at the Black Hat conference but the attack code was not released at that time.
Second same-origin policy bypass flaw haunts Android browser. A researcher identified and reported a same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that could allow an attacker to steal data from a user’s browser. Google issued a patch for the vulnerability for users of Android 4.1-4.3 in late September.
Major security flaw in Xen hypervisor disclosed. The developers of the Xen hypervisor released a patch after a security vulnerability was disclosed October 1 that could allow an attacker to use a malicious hardware virtual machine to read data from other virtual machines or crash the host machine.
OS X botnet malware uses Reddit to get IPs of control servers. Researchers with Doctor Web found that a piece of botnet malware for OS X known as iWorm uses the search function on Reddit to access a list of command and control (C&C) servers used to receive instructions. Over 17,000 unique IP addresses are associated with systems infected by iWorm and the C&C server addresses are disguised on Reddit by purporting to be addresses for Minecraft servers.
VMware releases software updates to fix ShellShock bug. VMware released patches for several of its products in order to close the Shellshock vulnerability in GNU Bash.
Researchers bypass Redmond’s EMET, again. Researchers with Offensive Security reported that they were able to bypass the fifth version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) security tool on several versions of the Windows operating system.
Bash bug flung against NAS boxes. FireEye researchers warned that attackers are attempting to exploit the Shellshock vulnerability in GNU Bash in order to compromise Network Attached Storage (NAS) systems before the systems can be patched. The researchers reported that NAS systems made by QNAP were especially targeted and that attackers were seeking to install backdoors.
Joomla re-issues security update after patches glitch. The developers of Joomla released a second version of a security update October 1 after an initial update designed to close critical vulnerabilities created some technical issues with users.
Data breach on Flinn Scientific server lasted for four months. Flinn Scientific officials notified customers October 2 that anyone who made at least one purchase through its online store since May 2 may have had their financial information, including payment card number and card verification code, compromised after malware was planted on the company’s Web based payment system. The breach was discovered September 8 and the company removed the malicious software from its network.
Four hackers accused of $100m US military software and gaming IP theft. Four individuals were indicted for allegedly stealing over $100 million worth of intellectual property from game developers and the U.S. Army, including data from yet-to-be-released games and software used to train helicopter pilots. Two of the accused pleaded guilty and reportedly used a SQL injection attack to steal the usernames and passwords of employees and software developers in order to gain access to the data.
Xsser mRAT, advanced spyware for iOS, discovered. Researchers with Lacoon Mobile Security identified a new remote access trojan (RAT) for iOS mobile devices dubbed Xsser that targets jailbroken iOS devices and can exfiltrate personal and device data. The researchers believe that Xsser is linked to the Chinese government and targets protestors in Hong Kong.
High risk vulnerability patched in Joomla. The developers of the Joomla content management system (CMS) released a patch for version 3.x closing two vulnerabilities including a remote file inclusion (RFI) issue that could allow an attacker to run remote files.
OpenVPN open to pre-auth Bash Shellshock bug - researcher. The chief technology officer of Mullvad stated that some configurations of OpenVPN are susceptible to the Shellshock vulnerability if Bash is allowed to run scripts. A proof-of-concept for the issue was identified online.
Asprox botnet malware sent through fake Viber email notification. An analysis from Tech Help List identified a new spam campaign utilizing fake Viber emails to attempt to add new bots to the Asprox botnet. The analysis noted that the attackers were using several techniques to hide their malicious activity and avoid analysis by researchers.
Variant of Upatre malware dropper seen in bank emails. A security researcher reported finding a new variant of the Upatre malware dropper attached to emails purporting to be from financial institutions. The new variant is distributed as a download through a link in the malicious emails and has a low VirusTotal detection rate.
Apple patches Shellshock bug in OS X. Apple released a security update for its OS X operating system that closes two remotely exploitable vulnerabilities in the GNU Bash UNIX shell known as Shellshock.
‘Shellshock’ attacks could already top 1 billion: Report. Incapsula researchers reported that the company’s Web application firewall deflected over 217,000 attempted exploitations of the Shellshock vulnerability in GNU Bash during the 4 days after the vulnerability was disclosed and estimated that the total number of attacks attempting to exploit the flaw could reach 1 billion.
Seller of StealthGenie mobile spyware app indicted and arrested. The CEO of InvoCode was arrested September 27 in Los Angeles for allegedly selling and advertising the StealthGenie mobile spyware. The Pakistani national allegedly worked with others to develop and market the spyware that is compatible with major mobile operating systems such as Android, Blackberry, and iOS.
Signed CryptoWall delivered via malvertising campaign on top-ranked websites. Researchers with Barracuda Labs identified a variant of the CryptoWall ransomware signed with a valid digital certificate from DigiCert and spread through malicious ads on the Zedo ad network to several popular Web sites. As of September 29, the CryptoWall variant was detected by 12 of 55 security solutions on VirusTotal.
RadEditor web editor vulnerable to XSS attacks. A researcher identified and reported a cross-site scripting (XSS) vulnerability in the RadEditor text editor used in several Microsoft products that could allow attackers to inject malicious script and obtain private data. The vulnerability was closed by Telerik September 24.
All CloudFlare customers benefit from Universal SSL. CloudFlare announced September 29 that it was providing all customers with SSL certificates under its Universal SSL service to enhance security.
New data breaches hit Supervalu, Albertson's. Supervalu officials reported a second incident September 29 where hackers installed a different piece of malware on the company’s computer system that potentially captured customers’ payment card information from the payment processing systems of four Cub Foods stores in Minnesota and several Albertson’s grocery stores across the U.S. between August and September.
Dyre banking trojan delivered via voice message email notification. Researchers discovered that the Dyre (Dyreza) banking trojan is being employed via phishing emails claiming to be from financial institutions and bogus emails purporting to inform of a new voicemail message which include a link to a malware dropper that has five Romanian Portable Executable (PE) resources and downloads a variant of the trojan. The malware relies on the man in the middle (MitM) technique to take over the connection between the client and the server.
U.S. Bank refunding $48 million to customers. The Consumer Financial Protection Bureau ordered U.S. Bank September 25 to refund $48 million to consumers and pay $9 million in penalties to resolve allegations that the bank charged about 420,000 customers for fraudulent credit card add-on products and services that were not provided between 2004 and 2012.
New remote code execution flaws found in Shellshock-patched Bash. Researchers found four additional vulnerabilities related to Shellshock in the Bash command interpreter for Linux, two of which were unofficially patched after new changes to the code. The two remaining bugs could be exploited remotely, and more easily than usual, because address space layout randomization (ASLR) is rarely used when compiling Bash.
Ello social network recovers after DDoS attack. Administrators with Ello, a social networking site, announced they blocked a bad IP address that was responsible for sending junk traffic after reporting the site was under an apparent distributed denial of service (DDoS) attack.
Cisco lists 31 products vulnerable to the Shellshock vulnerability. Cisco released a list of 31 products vulnerable to the Shellshock glitch which included connection routing, network management, and media content delivery and encoding, among others. Oracle also released a list of 32 products vulnerable to attack by the Bash bug after the company changed its initial list and appended new products.
iThemes users asked to change passwords following attack. The CEO of iThemes, a WordPress themes, plugins, and training provider, advised 60,000 past and current users to reset their passwords following an attack on its membership database that may have compromised usernames, email addresses, passwords, names, IP addresses, and purchase information.
Dyre malware takes inventory of software on infected systems. Researchers from Proofpoint analyzed a new variant of the Dyre (also known as Dyreza) banking trojan and found that several new features were added to the malware, including the addition of its own SSL certificate and a feature that enables hackers to collect cookies, client-side certificates, and private keys from an infected computer’s Windows Certificate Store. The latest version of the Trojan can also extract a list of installed programs and services from an infected computer, to be used by hackers to determine which vectors can be exploited in the future.
Honeypot catches malware exploiting Shellshock Bash bug. AlienVault researchers captured, through their honeypots, two pieces of malware that exploit the Shellshock Bash vulnerability: an Internet Relay Chat (IRC) bot and an Executable and Linkable Format (ELF) binary that lets malicious actors use the infected machine in distributed denial of service (DDoS) attacks. Patches are available for several software platforms as attackers are rapidly working to exploit the CVE-2014-6271 vulnerability.
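Several items above concern CVE-2014-6271 and whether a given host has been patched. The following is an added example, not code from this page or from any of the vendors named in it: it wraps the widely published self-test for that CVE in a Python function so it can be run across a fleet and its verdict recorded. The environment variable name (SHELLSHOCK_PROBE) and the marker strings are chosen for this example; the trailing command is only an echo, so the probe does nothing beyond revealing whether Bash runs commands that follow a function definition imported from the environment.

```python
import os
import shutil
import subprocess

# CVE-2014-6271 is the Shellshock identifier named in the honeypot item above.
# This is the widely published self-test for it: put a function definition
# followed by a trailing command into an environment variable and check whether
# bash runs the trailing command while importing the function at startup.
PROBE_VAR = "SHELLSHOCK_PROBE"             # variable name chosen for this example
PROBE_VALUE = "() { :;}; echo VULNERABLE"  # benign trailing command: only an echo
MARKER = "VULNERABLE"
CANARY = "probe-ran"                       # printed by every bash, patched or not


def stdout_indicates_vulnerable(stdout):
    """True if the marker appears in bash's output, i.e. the trailing command ran."""
    return MARKER in stdout


def check_bash_shellshock(bash_path=None):
    """Return True if the local bash is vulnerable to CVE-2014-6271,
    False if it is patched, or None if no bash binary could be run."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ)
    env[PROBE_VAR] = PROBE_VALUE
    try:
        result = subprocess.run(
            [bash, "-c", "echo " + CANARY],
            env=env, capture_output=True, text=True, timeout=10, check=False,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    if CANARY not in result.stdout:
        return None  # bash did not run normally, so no verdict either way
    # A patched bash prints only the canary; a vulnerable one prints the marker first.
    return stdout_indicates_vulnerable(result.stdout)


if __name__ == "__main__":
    verdict = check_bash_shellshock()
    print({True: "bash is VULNERABLE to CVE-2014-6271",
           False: "bash is patched against CVE-2014-6271",
           None: "no usable bash found"}[verdict])
```

The three-way result (True, False, None) matters in practice: a host where Bash is missing or fails to start is not the same as a patched host, and an inventory that collapses the two will under-report exposure. Appliances such as the NAS systems mentioned above often cannot run such a script locally, so their vendor advisories remain the source of truth for them.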
Phishers go after unprecedented breadth of targets. The Anti-Phishing Working Group (APWG) released its Global Phishing Survey co-authored with Internet Identity (IID) and found that in the first half of 2014 Apple was the most phished brand in the world, accounting for 17 percent of all reports sampled. PayPal came in second accounting for 14.4 percent or 17,811 targeted attacks the report stated, among other findings.
BlackEnergy malware linked to targeted attacks. ESET and F-Secure researchers found that the BlackEnergy malware has been active in targeted attacks in 2014, modified to be used as a tool for sending spam and for online bank fraud. The alteration was dubbed “BlackEnergyLite” by researchers due to the lack of a kernel-mode driver component and less support for plug-ins and a lighter overall footprint.
New Tinba banking trojan variant is stealthier, uses public key signing. Researchers from Trusteer analyzed an updated variant of the Tiny Banker (also known as Tinba) financial malware and discovered that the authors added a domain generation algorithm (DGA) and fitted it with user-mode rootkit capabilities and a verification process to make sure that messages are sent from an authentic bot master.
Mozilla to part ways with SHA-1. Mozilla asked Certificate Authorities and Web sites to upgrade certificates to SHA-256, SHA-384, or SHA-512 after experts reported that collision attacks against SHA-1 will be practical by 2018. Mozilla will release warnings to update certificates in versions of Firefox in early 2015.
Fiberlink wipes one smartphone or tablet every three minutes. Researchers at Fiberlink examined 130,000 devices managed by MaaS360 and found that one mobile device is wiped every 3 minutes. The study also determined that in 2013 businesses, on average, cleared 10 percent to 20 percent of their entire device populations yearly.
Mitigations for Spike DDoS toolkit-powered attacks. Akamai Technologies released an advisory alerting enterprises to the Spike distributed denial of service (DDoS) toolkit, which runs on a Windows system and can launch infrastructure-based and application-based DDoS payloads including SYN flood, UDP flood, GET flood, and Domain Name System (DNS) query floods. The toolkit can be mitigated by implementing access control lists (ACLs).
Apple’s new iPhone 6 vulnerable to last year’s TouchID fingerprint hack. Lookout researchers found that a vulnerability that could allow access into Apple’s iPhone 6 and 6 Plus models through their TouchID fingerprint sensors remained unpatched. Scammers can unlock the devices by creating a fake fingerprint, the same flaw that was found in the iPhone 5S model in 2013.
DDoS attackers turn fire on ISPs and gaming servers. NSFOCUS researchers determined that gaming hosts and Internet service providers (ISPs) have been the focus of distributed denial of service (DDoS) attacks in 2014, rising in the first half to 10 percent and nearly 15 percent of attacks respectively.
Kyle and Stan malvertising network nine times bigger than first reported. Researchers found nearly 6,500 malicious domains are involved in the Kyle and Stan malvertising network and over 31,000 connections were made to the domains, nine times larger than originally reported by Cisco. The campaign is unique in its ability to infect Windows and Mac OS X software differently and can drop ads on larger Web sites.
Hackers target Destiny and Call of Duty servers with DDoS attack. Several servers for online games Destiny and Call of Duty: Ghost went down during the weekend of September 20 due to a distributed denial of service (DDoS) attack that affected PlayStation and Xbox users. Attackers claiming affiliation with the Lizard Squad group claimed responsibility for the attacks.
Exercise-tracking app not QUITE fit for purpose. A researcher identified and reported a direct object reference vulnerability in the MyFitnessPal app that allowed users’ personal information, including location and dates of birth, to be accessed by any user. The vulnerability was closed 2 days after being reported.
Yahoo fixes RCE flaw leading to root server access. A researcher identified and reported a series of vulnerabilities in a Yahoo domain which led to a remote code execution vulnerability that was leveraged to gain root access to a Yahoo server. The vulnerability was reported September 5 and closed September 7.
Payment card info of 880k Viator customers compromised. Viator representatives confirmed September 19 that the company was made aware September 2 that its network was breached and the encrypted personal and financial information of about 1.4 million customers may have been compromised. Customers were advised to update their Viator online account information, including passwords.
Bank tellers helped steal identities, $850G, A.G. says. Five people, including three bank tellers at branches in New York and Florida, were indicted September 16 in White Plains, New York, for allegedly running an identity theft and bank fraud ring that stole over $850,000 in funds as well as customers’ personal information over at least 4 years. The tellers allegedly supplied information to their co-conspirators that enabled them to create fraudulent checks, driver’s licenses, and other documents used to withdraw the stolen funds from bank branches in Connecticut, Massachusetts, and New York.
Apple fixes “backdoors” with release of iOS 8. Apple released the newest version of its mobile operating system, iOS 8, September 17, which adds improvements and closes over 50 security vulnerabilities.
Series of vulnerabilities found in Schneider Electric SCADA products. An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned users of Schneider Electric StruxureWare SCADA Expert ClearSCADA products after researchers discovered unpatched, remotely-exploitable vulnerabilities. Included in the vulnerabilities is a cross-site scripting (XSS) issue that could allow industrial control systems (ICS) to be shut down, while an authentication bypass issue could give attackers access to sensitive information.
AppBuyer iOS malware targets jailbroken iPhones. Researchers with Palo Alto Networks analyzed a piece of iOS malware discovered by WeiPhone Technical Group in May and found that the malware dubbed AppBuyer is targeting jailbroken iPhones in order to steal Apple ID and password information and make unauthorized purchases from the App Store.
Analysts spot ‘Critolock,’ ransomware claims to be CryptoLocker. Researchers at Trend Micro identified a new piece of ransomware known as Troj_Critolock.A or Critolock that infects devices and encrypts users’ data and demands a ransom. The malware purports to be the CryptoLocker ransomware but contains several differences including its use of the Rijndael symmetric-key algorithm.
Drupal patches XSS vulnerability in spam module. Drupal released a patch September 17 for the Mollom spam and content moderation module that closes a cross-site scripting (XSS) vulnerability that could allow an attacker to gain admin-level access to Web sites and enable them to steal data or hijack sessions.
Breach at Goodwill vendor lasted 18 months. Payment vendor C&K Systems stated that its hosted managed services systems were found by investigators to be compromised between February 10, 2013 and August 14, 2014, allowing the installation of the infostealer.rawpos point of sale (PoS) malware that led to payment card breaches from over 330 Goodwill retail locations. The malware infection was not detected by the company’s systems until September 5 and affected Goodwill and two other customers.
Twitter fixes vulnerability potentially impacting company’s ad revenue. A security researcher identified and reported a vulnerability in a Twitter subdomain that could be used to delete the payment card information used by advertisers to pay for ads on the social media network. Twitter addressed the vulnerability and awarded a $2,800 bounty to the researcher.
Amazon fixes persistent XSS vulnerability affecting Kindle library. Amazon addressed a cross-site scripting (XSS) vulnerability on the Amazon Web page used to manage users’ Kindle libraries that could be used by an attacker to inject malicious code through eBook metadata.
Macro based malware is on the rise. Researchers with Sophos found that macro-based malware created in Visual Basic rose from around 6 percent of document malware to 28 percent in July, among other findings.
Adobe gets delayed Reader update out the door. Adobe released new versions of Adobe Reader and Acrobat September 16 that were delayed during Adobe’s scheduled patch release the week of September 8. The updates close eight vulnerabilities including two memory corruption issues and a cross-site scripting (XSS) vulnerability affecting Macintosh users.
Archie exploit kit targets Adobe, Silverlight vulnerabilities. Researchers at AlienVault Labs analyzed a new exploit kit first identified by EmergingThreats researchers and found that the Archie exploit kit attempts to exploit older versions of Adobe Flash, Reader, and Microsoft Silverlight and Internet Explorer.
Malicious Kindle eBooks can give hackers access to your Amazon account. A security researcher identified a security issue in Amazon’s “Manage your Kindle page” that can be exploited using a malicious eBook file to take over a user’s Amazon account. The same vulnerability was reported and fixed in November 2013 but was reintroduced in a new version of the page.
THREE QUARTERS of Android mobes open to web page spy bug. A Metasploit developer released a Metasploit module for a vulnerability in Android versions 4.2.1 and below that was discovered September 1, which could automate an exploitation of the vulnerability and allow attackers behind a malicious Web page to see users’ other open pages and hijack sessions.
LinkedIn feature exposes email addresses. Researchers with Rhino Security Labs demonstrated how an attacker could use a ‘find connections’ feature in LinkedIn and a large number of email contacts generated with likely email addresses to identify the email address of specific individuals for possible use in spear-phishing or other malicious activities. LinkedIn stated that it was planning at least two changes to the way the professional network handles user email addresses to counteract the issue.
SNMP DDoS scans spoof Google public DNS server. The SANS Internet Storm Center reported September 15 that large-scale scans of Simple Network Management Protocol (SNMP) spoofing Google’s public DNS server traffic were taking place, indicating a scan being used to identify routers and devices using default SNMP passwords. Vulnerable routers and devices could have their configuration variables changed, creating a denial of service (DoS) situation on the affected devices.
Twitch chat malware spreads, wipes dry Steam accounts. Researchers at F-Secure identified a piece of malware known as Eskimo that is being spread through a fake raffle invitation in Twitch.tv’s chat feature. The page used for the fake raffle sign-up drops the Windows binary that can take screenshots as well as take control of the client for gaming service Steam to add friends, trade or sell items, and buy items if funds are available.
Freenode suffers breach, asks users to change their passwords. IRC network Freenode notified users that it experienced a security breach September 13 and advised all users to change their passwords as a precaution.
Vulnerabilities found in website of Google-owned Nest. A security researcher identified and reported several security vulnerabilities in the Web site of home automation company Nest, including a file upload vulnerability that could allow attackers to upload a shell and gain access to personal and financial details of Nest customers. Google stated that the issue was addressed by restricting access to the affected domain and redirecting visitors to a different domain.
Four vulnerabilities patched in IntegraXor SCADA. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory September 11 advising users of Ecava Sdn Bhd’s IntegraXor supervisory control and data acquisition (SCADA) server software to patch their systems after four remotely exploitable vulnerabilities were discovered. The software is primarily used for industrial automation in firms managing railways, sewage systems, telecommunications, and heavy engineering.
Chinese attack groups operate in parallel in cyber espionage campaigns: FireEye. Researchers with FireEye discovered two cyberespionage campaigns originating in two regions of China that appear to share several commonalities including using the same custom backdoors and remote access trojans (RATs). One campaign dubbed Moafee targets various military, government, and defense industry entities while the second known as DragonOK targets high-tech and manufacturing companies in Taiwan and Japan.
Researchers find malicious extension in Chrome Web Store. Trend Micro researchers identified several malicious extensions inside the Chrome Web Store, including one spread via a Facebook scam campaign that allows attackers to post statuses, send messages, and take other actions using a victim’s Facebook account.
Zemot malware dropper strain delivered via Asprox botnet and exploit kits. Microsoft researchers analyzed the Zemot malware dropper, a variant of Upatre, and observed that it has been distributed through the Asprox (also known as Kuluoz) spam botnet and via exploit kits including Magnitude and Nuclear Pack. Once it infects a system the dropper can then deliver click fraud malware and was recently observed to distribute information-stealing malware including Rovnix, Tesch, and Viknok.
TorrentLocker unpicked: Crypto coding shocker defeats extortionists. Researchers with Nixu found that the encryption used by the TorrentLocker ransomware to encrypt victims’ files can be defeated if a user has both the original and the encrypted version of a file over 2MB in size, by XORing the encrypted and unencrypted copies of that file.
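The reason the XOR trick above works is that XORing every file with the same keystream is a known-plaintext weakness: P XOR C gives back the keystream K, which then decrypts every other file. The following is an added example written for this page, not Nixu's tooling or TorrentLocker's code: it models that flaw with a constructed, seeded keystream of 4096 bytes in place of the 2MB prefix reported in the item, recovers the keystream from one plaintext/ciphertext pair, decrypts a second file with it, and shows the edge case where the known pair is shorter than the keystream and only a prefix can be recovered. File contents, sizes and the seed are all constructed for the example.

```python
import random

KEYSTREAM_LEN = 4096  # constructed stand-in for the ~2MB prefix reported above


def xor_bytes(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def make_keystream(length, seed):
    """Constructed, deterministic keystream so the example is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def encrypt_file(data, keystream):
    """Toy model of the flaw: every file is XORed with the same fixed keystream.
    Only the first len(keystream) bytes are touched; the remainder is left as-is,
    mirroring a scheme that encrypts a fixed-size prefix of each file."""
    head = xor_bytes(data[:len(keystream)], keystream)
    return head + data[len(keystream):]


def recover_keystream(plaintext, ciphertext, keystream_len=KEYSTREAM_LEN):
    """Known-plaintext step: P XOR C = K, for as many bytes as the pair covers
    (never beyond the encrypted prefix, where P and C are identical)."""
    n = min(len(plaintext), len(ciphertext), keystream_len)
    return xor_bytes(plaintext[:n], ciphertext[:n])


def decrypt_with_recovered(ciphertext, keystream, keystream_len=KEYSTREAM_LEN):
    """Decrypt another file with a recovered keystream.
    Returns (output_bytes, bytes_still_encrypted). When the recovered keystream is
    shorter than the encrypted prefix, the uncovered region is passed through
    unchanged and its size reported rather than guessed at."""
    covered = min(len(keystream), len(ciphertext), keystream_len)
    recovered = xor_bytes(ciphertext[:covered], keystream[:covered])
    still_encrypted = max(0, min(len(ciphertext), keystream_len) - covered)
    return recovered + ciphertext[covered:], still_encrypted


def demo():
    """Constructed scenario: one file the user also has an original copy of
    (longer than the keystream) and one file they do not."""
    ks = make_keystream(KEYSTREAM_LEN, seed=2014)
    known_plain = bytes(range(256)) * 20                        # 5120 bytes
    target_plain = b"quarterly-report.xlsx contents " * 100     # 3100 bytes
    known_ct = encrypt_file(known_plain, ks)
    target_ct = encrypt_file(target_plain, ks)

    # Full recovery: the known pair spans the whole encrypted prefix.
    recovered_ks = recover_keystream(known_plain, known_ct)
    plain, unknown = decrypt_with_recovered(target_ct, recovered_ks)

    # Edge case: a pair of only 1000 bytes recovers only a 1000-byte prefix.
    short_ks = recover_keystream(known_plain[:1000], known_ct[:1000])
    partial, unknown_partial = decrypt_with_recovered(target_ct, short_ks)

    return {
        "full_recovery": plain == target_plain and unknown == 0,
        "partial_prefix_ok": partial[:1000] == target_plain[:1000],
        "bytes_still_encrypted": unknown_partial,
    }


if __name__ == "__main__":
    print(demo())
```

The design point for defenders is the converse: a stream cipher (or any XOR-based construction) is only safe when the keystream is never reused, which is why the same finding that rescues victims here would be a critical bug in legitimate software. The "over 2MB" condition in the item corresponds to the keystream_len parameter: a shorter known file yields a shorter keystream and leaves the tail of every other file undecryptable.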
Massive Gmail credential leak is not result of a breach. Google investigated a dump of Gmail credentials posted online and found that the credentials were not the result of a breach and that less than 2 percent of the credentials might have worked. Users were advised to change their passwords, use strong passwords, and enable two-factor authentication if possible as a precaution.
Details disclosed for critical vulnerability patched in Webmin. A researcher with the University of Texas published details on a critical vulnerability in Webmin that was patched in May, showing that the vulnerability could have been used by unauthenticated users to delete files stored on the server.
Apache warns of Tomcat remote code execution vulnerability. The Apache Software Foundation warned users of some older versions of Apache Tomcat that they are vulnerable under limited circumstances to a vulnerability that could allow an attacker to upload malicious JavaServer Pages (JSP) to a server, trigger the execution of the JSP, and then execute arbitrary commands on the server. The vulnerability affects versions 7.0.0 to 7.0.39 and users were advised to update their installations.
Vendor fixes vulnerabilities in wireless traffic sensors. Sensys Networks, a company that manufactures sensor devices used in wireless traffic control systems, announced September 5 that it released software updates for its products to address security vulnerabilities and protect systems against attacks caused by lack of encryption or sufficient authentication methods. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory stating that the issues affect Sensys Networks VSN240-F and VSN240-T systems and advised operators to update their software installations.
Adobe fixes critical flaws in Flash Player, delays Reader and Acrobat updates. Adobe Systems released a critical security update for its Flash Player software, closing 12 security issues, 9 of which could lead to remote code execution. The company also delayed planned patches for Reader and Acrobat by 1 week due to issues identified during testing.
September Patch Tuesday: Microsoft closes door on IE zero day attacks. Microsoft released its monthly Patch Tuesday round of updates for September, with 4 bulletins closing 42 vulnerabilities in various Microsoft products. One bulletin for the Internet Explorer browser closes 37 vulnerabilities, 1 of which was a critical Internet Explorer zero-day vulnerability.
Use home networking kit? DDoS bot is BACK…and it has EVOLVED. A researcher identified a new variant of the Lightaidra router-to-router malware that targets consumer-grade cable and DSL modems using default passwords in order to use them in distributed denial of service (DDoS) attacks. The new variant is able to reconfigure victims’ firewalls and requires Linux to be running on targeted devices in order to infect them.
Apple beefs up security, sends iCloud access alert. Apple announced September 5 that within 2 weeks it would implement new security policies for its iCloud service following attacks that leaked personal photos belonging to celebrities. Some features have already been implemented, such as a notification when an iCloud account is accessed via a Web browser.
Phishing miscreants are THWARTING secure-sleuths with AES crypto. Researchers with Symantec identified what they believe was the first use of AES encryption to disguise fraudulent Web sites designed to steal users’ login credentials. The use of AES encryption allows attackers to make the analysis of phishing sites more difficult without affecting how the sites appear and function to users.
Yandy.com hacked, financial information exposed. Yandy.com notified its customers that a Web-based database hosting customers’ information, including payment card data, was accessed by an unknown party at least four times between May 28 and August 18. The online retailer detected the breach August 18 and has implemented additional measures to secure its systems.
Malvertising on YouTube and Amazon delivers sophisticated malware. Researchers with Cisco’s Talos Security Research identified a malvertising campaign dubbed Kyle & Stan that began in May and is currently affecting Windows and Mac users on popular Web sites such as Amazon and YouTube. The campaign inserts malicious ads that serve various forms of spyware, adware, and browser hijacking malware and uses unique configuration files and encryption to attempt to avoid detection.
Dyre banking trojan targets Salesforce customers. Customer relationship management (CRM) provider Salesforce found that the Dyre banking malware (also known as Dyreza) has been used against some of its customers but found no evidence that any were impacted. The malware uses man-in-the-middle (MitM) attacks to steal credentials and Salesforce advised its users to ensure that their systems were protected against the malware.
Hackers going Nuclear following Blackhole takedown. A Zscaler ThreatLabz researcher identified a campaign utilizing the Nuclear Exploit Kit and compromised sites including SocialBlade.com, AskMen.com, and Facebook survey scam pages to attempt to infect users’ systems. The researcher reported that the Nuclear Exploit Kit has become increasingly popular in the last 3 months following the arrest of the alleged creator of the Blackhole Exploit Kit.
New timing attack could de-anonymize Google users. Mavenlink identified and reported an issue in Google accounts that could be used by an attacker in specific circumstances to identify when a particular user visits a site by sharing a Google document with the user’s address. Google acknowledged the issue but stated it would not address the issue because the risk presented was judged to be low and only usable in limited circumstances.
Home Depot confirms months-long hack. Home Depot representatives confirmed September 8 that the company’s payment systems were breached as early as April 2014 and the attack went unnoticed until September 2 when banking institutions reported unusual activity connected to debit and credit card data from the company’s stores in the U.S. and Canada. The company is working with the U.S. Secret Service to determine the scope of the breach and has implemented additional security measures at its stores.
Dodgy Norton update borks UNDEAD XP systems. Symantec issued a fix for a recent update to its Norton security software after some users running Windows XP reported issues after applying the update.
Hackers target Apple Mac OS X with 25 malware variants. F-Secure released its Threat Report H1 2014 which found that 25 new malware variants targeting Apple OS X systems were observed in the first half of the year. Several variants were observed being used in targeted attacks against activists, the energy industry, and other industries.
Social engineering campaign leads to malicious Chrome extension. TrendMicro researchers identified a social engineering campaign that uses malicious shortened Twitter links to lead victims to a malicious Chrome browser extension used in a click fraud campaign. The malicious extension circumvents Google’s security policy against non-Chrome Web Store apps by creating a folder in the browser directory where it then drops its components.
Bitcoin exchange CEO pleads guilty to enabling Silk Road drug deals. The former CEO of Bitcoin exchange BitInstant and a Bitcoin seller pleaded guilty September 4 in New York City to charges of operating an unlicensed money exchange that was used to facilitate illicit transactions for users of the Silk Road underweb marketplace.
Cyberespionage group starts using new Mac OS X backdoor program. FireEye researchers found that a cyberespionage group dubbed GREF has recently begun using a backdoor program known as XSLCmd that targets Mac OS X systems in order to steal files and install additional malware. The GREF group is known for attacks on several sectors including the U.S. defense industry as well as electronics manufacturers, engineering firms, and non-governmental organizations worldwide.
Coursera privacy issues exposed. A researcher identified and reported two issues in the Coursera online educational software that could disclose a list of students’ names, email addresses, information on their courses, and disable a stated protection feature. Coursera partially addressed one of the reported issues while the second remains unaddressed.
Researchers discover two SQL injection flaws in WordPress security plugin. Researchers with High-Tech Bridge identified and reported two SQL injection vulnerabilities in the All in One WordPress Security and Firewall plugin that affects version 3.8.2 and likely all prior versions.
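Both the indictment item above (credentials stolen via SQL injection) and this WordPress plugin item turn on the same defect, so one added example serves both. It is written for this page and is not code from the plugin, from WordPress, or from the case: an in-memory SQLite table stands in for a site's user store (constructed data), a lookup that splices input into the SQL text sits beside the parameterized form, and the comparison shows how the same tautology input returns every row from the first and nothing from the second, and how a stray quote makes the vulnerable query error out, which is the signal error-based scanners and log monitoring key on.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory user table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "constructed-hash-a"), ("bob", "constructed-hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: user input becomes part of the SQL text, so quote characters
    in the input change the query's structure instead of being matched as data."""
    sql = "SELECT username, password_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the input is bound as a value by the driver and never parsed as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Textbook probe that turns the WHERE clause into a tautology in the vulnerable form.
TAUTOLOGY_INPUT = "' OR '1'='1"


def compare(username):
    """Row counts returned by each lookup for the same input."""
    conn = make_demo_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "parameterized_rows": len(lookup_parameterized(conn, username)),
    }


def vulnerable_query_breaks(username):
    """True if the vulnerable lookup raises a SQL error for this input.
    A surge of such errors in application logs is a common first indicator
    that someone is probing a form for injection."""
    conn = make_demo_db()
    try:
        lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("normal input:", compare("alice"))
    print("tautology input:", compare(TAUTOLOGY_INPUT))
    print("stray quote breaks vulnerable query:", vulnerable_query_breaks("o'brien"))
```

Note that the parameterized version treats the tautology string as a literal username and simply finds no match; escaping or filtering quotes in the vulnerable version is not an equivalent fix, because the input is still being parsed as SQL.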
Verizon failed to tell 2 million using their personal info for marketing. Now the FCC is making it pay. The U.S. Federal Communications Commission issued a $7.4 million fine against Verizon after the company failed to tell 2 million customers of their ability to opt out of having their personal information used for marketing purposes for 6 years. Verizon agreed to pay the fine and stated that the technical glitch has since been fixed.
Updated Vawtrak banking malware strain expands target list. Researchers with PhishLabs identified a new variant of the Vawtrak financial malware (also known as Neverquest) that has added features in the last month enabling it to expand its targets to users in the U.S., Canada, and Europe. The malware targets financial institutions as well as social networks, online retailers, gaming portals, and analytics firms and can steal credentials and automate fraudulent transactions.
Old Slider Revolution vulnerability massively exploited. Researchers at Sucuri found that attackers began heavily exploiting an old vulnerability in unpatched versions of the Slider Revolution Premium plugin for WordPress during August, which could allow a Local File Inclusion (LFI) attack. The vulnerability was fixed in February and all users were advised to update to the latest version as soon as possible.
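The Local File Inclusion pattern named above, as an added illustration that is not the Slider Revolution plugin's code and does not describe its specific bug: a page loader that appends a request parameter to a directory path, beside a hardened version. The template directory, file names, and the secret file are constructed in a temporary directory so the example runs offline.

```python
"""Local File Inclusion (LFI): vulnerable loader beside a hardened one.
Added illustration of the vulnerability class; not the plugin's code."""
import os
import tempfile

# Constructed sample site: a templates directory plus a sensitive file outside it.
SITE = tempfile.mkdtemp()
TEMPLATES = os.path.join(SITE, "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "home.html"), "w") as fh:
    fh.write("<h1>Home</h1>")
with open(os.path.join(SITE, "config.php"), "w") as fh:
    fh.write("DB_PASSWORD=hunter2")  # constructed secret, one level above TEMPLATES


def load_template_vulnerable(name: str) -> str:
    """Joins an attacker-controlled name onto the base directory. A value such as
    '../config.php' walks out of TEMPLATES: the classic LFI."""
    with open(os.path.join(TEMPLATES, name)) as fh:
        return fh.read()


ALLOWED_TEMPLATES = {"home"}


def load_template_hardened(name: str) -> str:
    """Allowlist the logical name, add the extension ourselves, then confirm the
    resolved path is still under TEMPLATES once '..' and symlinks are collapsed
    (defence in depth in case the allowlist is later loosened)."""
    if name not in ALLOWED_TEMPLATES:
        raise ValueError("unknown template")
    base = os.path.realpath(TEMPLATES)
    path = os.path.realpath(os.path.join(base, name + ".html"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes template directory")
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    print(load_template_vulnerable("../config.php"))  # leaks the secret
    print(load_template_hardened("home"))
    try:
        load_template_hardened("../config.php")
    except ValueError as err:
        print("blocked:", err)
```

Note that the realpath check alone is not a substitute for the allowlist: it stops traversal outside the directory but still lets a caller read any file inside it.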
CERT warns of Android apps vulnerable to MitM attacks. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) published a list of popular Android apps that expose users to man-in-the-middle (MitM) attacks because the apps do not properly validate SSL certificates. CERT/CC released its findings in a spreadsheet and is attempting to contact the authors of every app that failed the organization’s tests.
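"Not properly validating SSL certificates" usually means one of two omissions: not checking that the certificate chains to a trusted root, or not checking that the certificate's names cover the host being contacted. The added example below (my code, not CERT/CC's test harness) implements the second check in the RFC 6125 style, matching a host name against a certificate's dNSName entries, and shows how a Python `ssl.SSLContext` looks when both checks are on versus switched off. The name lists and hosts in the tests are constructed.

```python
"""Host-name verification for TLS, plus a check of an SSLContext's settings.
Added example; not CERT/CC's code and not a specific app's code."""
import ssl
from typing import Iterable


def _label_matches(pattern: str, label: str) -> bool:
    # Only a lone '*' covering an entire label is honoured. Partial wildcards
    # such as 'api*' are rejected (stricter than some issuers permit).
    if pattern == "*":
        return bool(label)
    return pattern == label


def hostname_matches(cert_dns_names: Iterable[str], hostname: str) -> bool:
    """True iff hostname is covered by one of the certificate's dNSName values.
    A wildcard matches exactly one label, only in the left-most position, and
    never at the '*.com' level. Comparison is case-insensitive; a trailing dot
    on either side is ignored."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue                      # wildcard never spans multiple labels
        if labels[0] == "*" and len(labels) < 3:
            continue                      # '*.com' is not an acceptable pattern
        if "*" in labels[1:]:
            continue                      # wildcard only in the left-most label
        if all(_label_matches(p, h) for p, h in zip(labels, host_labels)):
            return True
    return False


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only when the context both validates the chain and checks the
    host name; an app is MitM-exposed if either is off."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def secure_context() -> ssl.SSLContext:
    """The default: system trust store, CERT_REQUIRED, check_hostname=True."""
    return ssl.create_default_context()


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind the apps on CERT/CC's list, in Python terms:
    accept any certificate from anyone. Shown only to contrast with the above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(hostname_matches(["*.example.com"], "api.example.com"))    # True
    print(hostname_matches(["*.example.com"], "a.b.example.com"))    # False
    print(context_verifies(secure_context()), context_verifies(insecure_context()))
```

In an Android app the equivalent failures are a custom `TrustManager` whose `checkServerTrusted` is empty and a `HostnameVerifier` that always returns true; a code review for either pattern is the quickest way to reproduce the kind of test CERT/CC ran.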
Home router DNS settings changed via Web-based attack. Kaspersky Lab researchers identified a Web-based attack that uses Web pages with malicious scripts to attempt to change users’ home router Domain Name System (DNS) settings in order to redirect users to phishing pages of financial institutions. The attack was mostly observed in Brazil but also targeted some users in the U.S., Canada, Mexico, and other countries.
VirusTotal mess means YOU TOO can track Comment Crew! A researcher released findings on how he was able to use structured data and analysis to identify a subgroup of the Comment Crew group and an unnamed Iranian group using Google’s VirusTotal service to test new versions of malware against security software and check for detection rates.
Semalt botnet hijacked nearly 300k computers. Incapsula researchers reported that the Semalt botnet is spreading quickly and is currently made up of around 290,000 infected machines. The botnet is linked to a Ukrainian search engine optimization (SEO) service and spams millions of Web sites in a referrer spam campaign designed to fraudulently boost a site’s search engine ranking.
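Referrer spam of the kind described above leaves a recognisable trace in a web server's access log: the same referrer host arrives from many different client addresses, yet the requests almost always land on a single page (typically the site root) rather than following links the way a visitor would. The added example below (my detection logic, not Incapsula's) parses combined-format log lines and flags referrer hosts with that profile. The log lines, IP addresses, and the `seo-spam.example` referrer are constructed; a production version would also consult a blocklist of the campaign's actual domains.

```python
"""Referrer-spam triage over combined-format access logs.
Added example with constructed log lines; not Incapsula's code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a spam referrer hitting "/" from several hosts, mixed with
# ordinary visitors arriving from a search engine and navigating the site.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://seo-spam.example/" "Mozilla/5.0"
203.0.113.11 - - [01/Sep/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "http://seo-spam.example/" "Mozilla/5.0"
203.0.113.12 - - [01/Sep/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "http://seo-spam.example/crawler" "Mozilla/5.0"
203.0.113.13 - - [01/Sep/2014:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "http://seo-spam.example/" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2014:10:00:05 +0000] "GET /about HTTP/1.1" 200 900 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2014:10:00:09 +0000] "GET /contact HTTP/1.1" 200 700 "http://www.example.com/about" "Mozilla/5.0"
198.51.100.8 - - [01/Sep/2014:10:00:12 +0000] "GET /pricing HTTP/1.1" 200 800 "https://www.google.com/" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2014:10:00:15 +0000] "GET /favicon.ico HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def parse(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_spam_hosts(log_text: str, min_ips: int = 3, max_paths: int = 1):
    """Group hits by referrer host and flag hosts seen from at least `min_ips`
    distinct client addresses that only ever land on `max_paths` distinct paths.
    Returns the flagged hosts, sorted. Empty or '-' referrers are ignored."""
    ips = defaultdict(set)
    paths = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["referrer"] in ("", "-"):
            continue
        host = urlsplit(rec["referrer"]).hostname
        if not host:
            continue
        ips[host].add(rec["ip"])
        paths[host].add(rec["path"])
    return sorted(
        h for h in ips if len(ips[h]) >= min_ips and len(paths[h]) <= max_paths
    )


if __name__ == "__main__":
    print(referrer_spam_hosts(SAMPLE_LOG))  # ['seo-spam.example']
```

Treat the output as a triage signal rather than an automatic block: a legitimate site that links to one popular page can show the same shape, so review flagged hosts before adding them to a referrer denylist or to the analytics filter that excludes them from ranking and traffic reports.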
Linux systems infiltrated and controlled in a DDoS botnet. Researchers at Akamai Technologies reported that attackers are using malware known as IptabLes and IptabLex to compromise Linux systems and enlist them in distributed denial of service (DDoS) attacks. The researchers reported that the infections appeared to stem from a large number of Linux-based Web servers being compromised via Apache Struts, Tomcat, and Elasticsearch vulnerabilities.
Firefox 32 moves to kill MITM attacks. The Mozilla Foundation released version 32 of its Firefox browser, which adds new features including public key pinning to help protect users against man-in-the-middle (MitM) attacks.
Apple fixes glitch in Find My iPhone app connected to celebrity photo leak. A security issue in Apple’s Find My iPhone app that researchers demonstrated could be exploited in brute force attacks was fixed by the company. Apple stated that a recent breach of celebrities’ personal photos stored in its iCloud service was not the result of the researchers’ findings, but instead involved targeted attacks on the individuals’ accounts.
Cybercriminals love PayPal, financial phishing on the rise. Kaspersky Lab researchers released statistics on spam and phishing emails for the month of July, which found that phishing emails targeting financial services increased 7.9 percent during the month, with PayPal being the most targeted company. The researchers also found that the overall share of spam in all email traffic increased 2.2 percent to a total of 67 percent during July, among other findings.