Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The internet offers the potential for safe, convenient new ways shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations FDIC, FFIEC, NACHA, EPCOR, Federal Reserve and the Better Business Bureau.  None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts.  If you receive an email purporting to be from any of the above organizations or other emails you are unsure about, do not open it.  The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit:

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.


Data leaked by pagers useful for critical infrastructure attacks. Trend Micro security researchers reported that pagers used in industrial control systems (ICS) were susceptible to targeted attacks, as the messages sent to the devices are unencrypted, thereby allowing hackers to easily intercept the information regarding the operation of a facility and potentially use that information in a targeted social engineering attack against the company. Trend Micro found that messages sent by nuclear plants, chemical facilities, defense contractors, HVAC manufacturers, and power substations via pagers leaked potentially sensitive information.

Major vulnerability found in Schneider Electric Unity Pro. Indegy security researchers discovered that Schneider Electric’s Unity Pro PLC Simulator component of its Unity Pro software was plagued with a critical vulnerability that could allow hackers to remotely execute code on industrial networks if the Internet Protocol (IP) address of the Microsoft Windows PC running the software is accessible to the Internet, as the software allows any user to remotely run code directly on any device with Unity Pro installed. The flaw, which affects all versions prior to and including 11.1, could allow attackers to impact the production process within an industrial control system (ICS) physical environment.

Apple patches multiple flaws in iOS, macOS, Sierra, Safari. Apple released version 10.1 for its mobile operating system (iOS) patching 13 vulnerabilities affecting components such as FaceTime, Kernel, Security, and WebKit, among others, which could allow an attacker to run arbitrary code on the affected devices, leak sensitive user information, and execute arbitrary code with root privileges, among other malicious actions. Apple also released Sierra version 10.12.1 resolving 16 vulnerabilities that could result in privilege escalation, denial-of-service (DoS) conditions, process memory disclosure, and arbitrary code execution, as well as Safari version 10.0.1 resolving 3 vulnerabilities affecting WebKit, among other patches.

Critical vulnerabilities patched in Joomla. Joomla released version 3.6.4 addressing two critical account creation vulnerabilities in its content management system (CMS) versions 3.4.4 through 3.6.3, including a flaw that could allow an attacker to register on a Website even if registration has been disabled due to inadequate checks. The second vulnerability can be exploited by users to register on a Website with elevated privileges due to an incorrect use of unfiltered data.



Embraer paying $205 million to settle FCPA charges. The U.S. Securities and Exchange Commission, in collaboration with the U.S. Department of Justice and Brazilian authorities announced October 24 that Embraer S.A. agreed to pay over $205 million to resolve alleged violations of the Foreign Corrupt Practices Act after the company made more than $83 million in profits as a result of bribe payments its U.S.-based subsidiary paid through third-party agents to foreign government representatives in the Dominican Republic, Saudi Arabia, and Mozambique in order to win contracts in those countries. Officials stated Embraer allegedly created false records and books, and participated in an accounting scheme in India to conceal the illicit payments.

President of Telexfree pleads guilty to billion dollar pyramid scheme. The president of TelexFree, Inc., pleaded guilty October 24 to operating a pyramid scheme that bilked over $3 billion from roughly 965,000 investors in more than 240 countries between February 2012 and April 2014 by recruiting participants to make continuous payments to TelexFree to be promoters for the company and sell Voice-over-Internet Protocol (VoIP) telephone services, and giving participants substantial monetary incentives for recruiting others to join the scheme. The charges state that the participants met their sales requirements by buying the products themselves, thereby creating the illusion that TelexFree had thousands of legitimate VoIP customers, while the company only derived two percent of its total revenue from VoIP service sales.

Android root exploits abuse Dirty COW vulnerability. Security researchers found that the Dirty COW Linux kernel vulnerability disclosed the week of October 17 can be exploited by a local attacker to escalate privileges to root on Android devices running a Linux kernel higher than 2.6.22 and to compromise an entire system by altering the copy-on-write cache provided by the kernel to change what the system and apps see when reading the affected files. NowSecure researchers stated in order to exploit the vulnerability, an attacker must run code on the device via the Android Debug Bridge (ADB) over universal serial bus (USB) or by installing an app that leverages the exploit.

Researchers leverage voicemail flaw to compromise messaging apps. InTheCyber security researchers discovered a voicemail caller-ID spoofing flaw could be leveraged to steal activation codes sent by messaging applications such as Telegram, WhatsApp, and Signal and compromise accounts after finding that an automated call leaves the account activation code in a user’s voicemail if the code sent via text message is not promptly inputted into the app. Once the activation code has reached a victim’s voicemail, the attacker can spoof their caller ID to impersonate the victim in order to access the targeted voicemail and activation code.

Russian man accused of hacking LinkedIn, Dropbox. A Russian national was arrested in the Czech Republic October 5 and indicted on Federal charges in the U.S. October 21 for his alleged role in the 2012 LinkedIn, Formspring, and Dropbox breaches. Officials reported that the Dropbox hack has affected more than 68 million accounts and all 3 hacks were carried out after attackers stole employee credentials.


Alleged architect of $30 million mortgage relief fraud scheme and four others indicted in conspiracy to defraud banks and homeowners. Five people operating a web of sham mortgage relief companies under the names Ownership Management Service LLC and Trust Holding Service LLC were charged October 21 for allegedly defrauding homeowners and banks out of $30 million from 2005 – 2014 by claiming to perform short sales for homeowners, while in reality failing to make mortgage payments and submitting fictitious short sale purchase offers to banks in order to delay foreclosure and maximize the time period during which the defendants could collect rent from the homeowners. The charges allege that the defendants also regularly forged signatures, used fake and stolen identities, and filed fraudulent bankruptcy petitions to maximize their profits.

Chicago woman arrested in $5 million fraud scheme involving bogus business to re-sell tickets to concerts and sporting events. A Chicago resident was arrested October 21 for allegedly orchestrating a more than $5 million fraud scheme where she mislead investors by claiming their funds would be used to purchase tickets for sporting events and concerts at face value and then subsequently re-sold for a profit on the secondary market, while she used the victims’ money for personal expenses and to make Ponzi-type payments to other investors.


Federal jury convicts woman in Stolen Identity Refund scheme - some stolen identities belonged to incarcerated individuals. A Dallas woman was convicted October 20 for her participation in a Stolen Identity Refund Fraud scheme where she and co-conspirators filed fraudulent tax returns using the stolen identities of incarcerated individuals and others, and used shell company bank accounts to transfer the tax refunds from debit and Green Dot cards into cash and cashier’s checks, which the group used to buy nearly $1.2 million worth of used cars that they subsequently shipped to Nigeria from May 2012 – May 2014.

Former director of Ohio County Schools Credit Union charged with embezzlement. The former executive director of the Ohio County Public Schools Federal Credit Union in Wheeling, West Virginia, was charged October 20 for allegedly embezzling over $156,000 from the credit union between June 2013 and March 2016 after an employee detected the scheme in March during a routine credit union account reconciliation. The charges allege that the defendant used the stolen profits to cover personal debts.

Weebly breach affects over 43 million users. Weebly, a San Francisco-based Web hosting service, confirmed that hackers stole the account information of over 43 million users, including usernames, Internet Protocol (IP) addresses, and password hashes after breaching the company’s systems in February 2016. The company advised its user to reset their passwords and the cause of the breach remains under investigation.

Linux kernel zero-day CVE-2016-5195 patched after being deployed in live attacks. The Linux kernel team patched a zero-day security flaw named Dirty COW, as it is caused by a race condition in the way Linux kernel’s memory handles copy-on-write (COW) breakage of read-only memory mappings, which could allow an attacker to escalate their privileges, potentially to root level, on a targeted system. A security researcher notified Red Hat of attackers deploying an exploit that leverages this vulnerability in the wild.

Cisco plugs critical bug in ASA security devices. Cisco patched a critical vulnerability affecting the Identity Firewall feature of its Cisco Adaptive Security Appliance (ASA) Software, which could allow a remote attacker to take control of the system, cause a reload, and execute arbitrary code by sending a specially crafted NetBIOS packet in response to a NetBIOS probe sent by the software. Cisco reported the vulnerability is caused by a buffer overflow in the affected area code.


Rayville PD takes down fake credit card ring. Two Little Rock, Arkansas residents were arrested in Rayville, Louisiana, October 18 after authorities discovered roughly 120 credit and bank cards made out in the suspects’ names, a credit card machine for activating the cards, and blank money orders worth $500, among other illicit items in the suspects’ vehicle. The suspects allegedly made fraudulent credit card transactions in Jackson, Louisiana, and Little Rock, Arkansas.

Lexmark patches critical flaw in printer management tool. Lexmark International, Inc. released an update for its Markvision Enterprise printer management software after security researchers from Digital Defense Inc. (DDI) found the software was plagued with a vulnerability in the Apache Flex BlazeDS that can be exploited to read arbitrary files via specially crafted Action Message Format (AMF) messages and retrieve the file storing the admin credentials, as well as an issue that allows attackers to upload arbitrary files and execute code with elevated privileges, among other vulnerabilities. Users are advised to change the admin password after installation, as the encrypted password stored in the text file is not updated after installation.

Windows zero-day exploited by “FruityArmor” APT group. Security researchers from Kaspersky Lab discovered that a zero-day remote code execution vulnerability patched by Microsoft in its October 2016 security bulletin was being leveraged in attacks carried out by an advanced persistent threat (APT) group, dubbed “FruityArmor” for privilege escalation on an affected system. Researchers found that the FruityArmor APT’s attack platform is built around Microsoft PowerShell and abuses Windows Management Instrumentation (WMI) for persistence in order to make it difficult to detect on a system.


Ernst & Young to pay $11.8 million for audit failures. The U.S. Securities and Exchange Commission (SEC) announced October 18 that Ernst & Young LLP agreed to pay over $11.8 million to resolve charges related to the repeated failure of its audit team to uncover fraud by its client, oil services provider Weatherford International, thereby allowing the client to inflate its earnings through deceptive income tax accounting for more than 4 years. As part of the settlement, investors affected by the accounting fraud will be reimbursed a total of over $152 million, and 2 individuals from Ernst & Young’s audit team agreed to a suspension from appearing or practicing before the SEC as accountants.

West Virginia business owners plead guilty to failing to pay employment taxes. Two owners of Bluegrass Aggregates in Wayne, West Virginia, pleaded guilty October 18 to withholding more than $850,000 from their employees’ paychecks from July 2007 – 2010, as well as neglecting to pay over $490,000 in employment taxes for a previous business, causing the U.S. Internal Revenue Service a total of $1.4 million in losses. The charges allege that the duo used the proceeds for personal expenses.

Construction company partner pleads guilty to evading taxes on more than $1 million. A former partner at American Construction Logistics and Services LLC (ACLS) operating in Afghanistan pleaded guilty October 14 after he failed to file tax returns for tax years 2009 – 2011 on income consisting of over $1 million in wages, ACLS funds used for personal expenses, and cash wired from ACLS employees to his wife, and failed to pay the U.S. Internal Revenue Service more than $200,000 in taxes from the unreported income. The charges allege that from 2010 – 2011, the defendant diverted over $350,000 from the ACLS corporate account to his personal bank accounts to cover personal expenses.

Oracle Critical Patch Update for October 2016 fixes 253 vulnerabilities. Oracle Corporation released its Critical Patch Update (CPU) for October 2016 to resolve a total of 253 new security flaws in several of its products, including 36 flaws in its Oracle Communications Applications, 14 flaws in the Oracle E-Business Suite that can be remotely exploited without authentication, 24 flaws in its Financial Services Applications, and issues affecting its Retail Applications, among other vulnerabilities that could allow an attacker to hijack the vulnerable application stack and potentially expose confidential application data.

VeraCrypt security audit concludes despite rocky start. The VeraCrypt project released version 1.19 of its encryption software after a recent security audit performed by QuarksLab revealed 26 security flaws plaguing the open-source software, including the ability to encrypt user data via the insecure GOST 2814-89 algorithm, and a flaw in the boot password mechanism that allowed attackers to determine password length. Version 1.19 also replaced the insecure XZip and XUnzip libraries with the modern libzip library, and updated the VeraCrypt bootloader component in order to secure its code against outside exploitation and data exfiltration.


WordPress sites under attack via security flaw in unmaintained plugin. Security researchers from White Fir Design discovered the WordPress Marketplace plugin was plagued with an arbitrary file upload vulnerability that could allow an attacker to upload arbitrary files on Websites with the plugin installed and potentially take over a site’s underlying server. The researchers discovered the flaw after detecting scans for the plugin’s Cascading Style Sheets (CSS) file on multiple Websites.


Accountant pleads guilty to stealing $3.5 million from employer. A former accountant at an investment advising company in Massachusetts pleaded guilty October 14 to embezzling over $3.5 million from his employer between April 2011 and November 2015 after he made wire transfers in excess of $3 million from his employer’s accounts to his personal accounts and forged signatures on approximately 46 checks payable to himself totaling roughly $456,000. The charges state the accountant concealed his scheme by making fraudulent entries in his employer’s electronic accounting system and modifying online bank statements before forwarding them to his manager.

Siemens patches flaws in SIMATIC, license manager products. Siemens released software updates addressing several vulnerabilities in its SIMATIC and Automation License Manager (ALM) products after Kaspersky Lab researchers discovered ALM was plagued with a critical path traversal issue that could allow a remote attacker to upload files to the disk, create and remove files, or move existing files via specially crafted packets, as well as a denial-of-service (DoS) flaw, and a Structured Query Language (SQL) injection flaw. Siemens also patched two low severity issues in its SIMATIC STEP 7 engineering software after Positive Technologies researchers found the flaws can be exploited by a local attacker to access sensitive information and to brute-force pre-shared keys that protect device-to-device communications.

Locky ransomware accounted for 97 percent of all malicious email attachments. Proofpoint released its Quarterly Threat Summary for quarter 3 (Q3) 2016, which reported that the Locky ransomware was found in 96.8 percent of all malicious spam email attachments and typically manifests itself as a ZIP file with a JavaScript file inside, Microsoft Office documents with malicious macro scripts, Hypertext Markup Language Application (HTA) files, or Microsoft Windows Script Files (WSF). The report also stated that banking trojans continue to be a pervasive threat, while exploit kit (EK) activity has decreased 65 percent since Q2.


Former Cay Clubs chief financial officer charged with bank fraud and tax offenses. The former vice president and chief financial officer of Cay Clubs Resorts and Marinas was charged October 13 for his role in a more than $28 million scheme where he and a co-conspirator allegedly fraudulently sold the company’s units to insiders, using money from the company’s bank accounts to finance the cash to close for purchases while obtaining mortgage funding from lending institutions in order to falsely show demand for and inflate the prices of Cay Clubs units from 2004 – 2008. The charges also allege that in 2010 and 2011, the former vice president filed fake individual tax returns for tax years 2004 – 2006, significantly underreporting his income and hiding his receipt of millions of dollars in company earnings.

Urbana police allege bank employees stole $391,000. Two former employees at Urbana Security National Bank in Urbana, Ohio, were indicted the week of October 10 after the duo allegedly embezzled $391,000 from the bank since 2009.

Critical vulnerability patched in Cisco conferencing product. Cisco reported that its Cisco Meeting Server (CMS) prior to version 2.0.6 and Acano Server prior to versions 1.8.18 and 1.9.6 were plagued with a critical vulnerability affecting the Extensible Messaging and Presence Protocol (XMPP) service that could allow an unauthenticated attacker to access the system as another user if the XMPP is enabled on the affected devices, as the XMPP service incorrectly processes deprecated authentication schemes. The flaw was discovered during a routine security audit of a Cisco customer and there is no evidence the flaw has been exploited in the wild.


4 arrested in Caroline County skimming scam after police chase. Four Brooklyn, New York residents were charged the week of October 10 in Caroline County, Virginia, for their roles in a credit card skimming scam after authorities discovered roughly 75 credit cards, a card skimming device, and a credit card embossing machine, among other illicit materials in the suspects’ vehicle. The individuals are suspected of conducting credit card skimming operations at truck stops in North Carolina and Virginia.

Fraud charges filed against owner of Budget Finance Company. The owner of Budget Finance Company in New Martinsville, West Virginia, was charged October 12 for allegedly running a more than $31 million Ponzi scheme from 2005 – 2015 where she defrauded investors by mailing checks to those who requested periodic payments, and sending them fake quarterly investment statements indicating their account balances and interest paid. The charges allege the owner used funds from new investors to repay previous investors, causing at least 25 investors between $9.5 million and $25 million in losses.

Attackers actively exploit recently patched BIND flaw. The Internet Systems Consortium (ISC) reported that it learned a high severity denial-of-service (DoS) vulnerability patched in the Domain Name Server (DNS) software BIND was exploited in the wild to crash servers after Infobyte security researchers published a proof-of-concept (PoC) code and Metasploit module demonstrating the attack.

Cerber 4.0 fuels new wave of ransomware attacks. Trend Micro security researchers reported that the latest variant of the Cerber ransomware, dubbed Cerber 4.0 was being dropped by the RIG, Neutrino, and Magnitude exploit kits (EK) in malvertising campaigns. Researchers also found Cerber 4.0 uses a randomly generated file extension, and has shifted from a Hypertext Markup Language (HTML) ransom note to an HTML Application (HTA) format.


Member of north Idaho drug trafficking organization pleads guilty to money laundering. A Las Vegas resident and member of a drug trafficking organization operating in 5 States pleaded guilty October 11 after she laundered nearly $500,000 in drug proceeds for the organization since 2010 by depositing the organization’s earnings into her personal bank accounts and business accounts belonging to a Las Vegas-based hair salon that she and her mother owned. The charges state the woman used a portion of the profits to pay expenses related to the organization.

Microsoft patches four zero-days used in live attacks. Microsoft released a security bulletin addressing 4 zero-day vulnerabilities in several of its products, including an information disclosure bug in Internet Explorer, remote code execution (RCE) flaws in Edge’s scripting engine and Windows graphics device interface (GDI), and a memory corruption vulnerability in Office, among other vulnerabilities. Microsoft reported all four zero-days have been exploited in the wild.

SAP patches multiple implementation flaws. SAP released security patches resolving 48 vulnerabilities affecting its products, including a denial-of-service (DoS) flaw in SAP ASE that could be exploited to terminate a process in a vulnerable component, a Structured Query Language (SQL) injection issue in SAP ST-PI component that allows an attacker to read and alter sensitive database information, and a cross-site scripting (XSS) flaw in SAP Messaging System Service that enables a malicious actor to inject script into a page to access all session tokens, cookies, and other critical information, among other vulnerabilities.

Adobe patches critical flaws in Flash Player, PDF apps. Adobe released patches resolving 71 critical vulnerabilities affecting its Acrobat, Reader, Flash Player, and Creative Cloud desktop application products , including a security bypass vulnerability, an unquoted search path vulnerability that could lead to local privilege escalation in Creative Cloud for Microsoft Windows, and several memory flaws that could allow arbitrary code execution, among other vulnerabilities.

DXXD ransomware encrypts files on unmapped network shares. Security researchers from BleepingComputer reported a new ransomware family, dubbed DXXD was spotted targeting and encrypting files on both mapped and unmapped network shares, and was abusing Remote Desktop Services and brute-forcing passwords on infected devices for distribution. DXXD changes a Microsoft Windows Registry setting in order to display a notice when a victim logs in to their infected device, ensuring that the user sees the ransom note.


Malware abuses Windows Troubleshooting Platform for distribution. Proofpoint security researchers discovered a malicious backdoor, dubbed “LatentBot” was abusing the Microsoft Windows Troubleshooting Platform (WTP) feature to trick users into executing the malicious payload, which was being distributed via email attachments with a lure document that once opened, launches a digitally signed DIAGCAB file containing PowerShell commands that download and install the backdoor trojan. Proofpoint reported the malware allows an attacker to preform surveillance, steal information, and gain remote access operations.

Alleged Lizard Squad and PoodleCorp members arrested. Authorities in the U.S. and the Netherlands arrested two individuals who allegedly operated the,,, and Websites, which offered distributed denial-of-service (DDoS) services for hire as part of the Lizard Squad and PoodleCorp hacking crews. Officials stated the investigation into the hacking groups began when authorities were investigating the service, a Website with ties to other sites operated by the hacking groups that allowed anyone to purchase on-demand harassment phone calls.

New JavaScript malware shuts down your PC if you terminate its process. Kahu Security researchers discovered a new malware variant was hijacking victims’ browsers’ homepages and shutting down the user’s computer if the user detects the malware and attempts to terminate its process in order to hide a series of operations that alter the underlying operating system (OS) settings on a victim’s device. Researchers found the malware is delivered via spam email as a malicious file attachment coded in JavaScript and is executed via the Microsoft Windows Script Host.

GE machine monitoring system plagued by serious flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned a serious vulnerability plaguing the serial and universal serial bus (USB) versions of General Electric’s Bently Nevada 3500/22M machine monitoring system could be exploited by remote attackers to gain unauthorized access to the system with elevated privileges due to the existence of several open ports on the affected device. The devices are used in the energy and chemical sectors, and the company advised users to segment networks, leverage system hardening techniques, and implement bump-in-the-wire solutions to secure the devices.


Boston man charged with identity theft in scheme to defraud retirement accounts. A Boston resident was charged October 6 for his role in an identity theft scheme where he and a co-conspirator who worked as a customer service employee at Mercer, Inc. allegedly stole the personal information and bank account numbers from roughly 270 retirement accounts managed by Mercer, Inc. in order to withdraw money from the accounts from February 2014 – April 2014. The charges allege that the stolen retirement account information was used to load a prepaid card with almost $20,000 in illicitly obtained funds, which the defendant used for personal expenses.

Federal indictment charges four conspirators in fraudulent credit card scheme. Four individuals were charged October 6 for their roles in a fraudulent credit card scheme where the group allegedly stole the personal information of at least 33 victims in order to apply for and obtain credit cards, which were used to purchase merchandise and gift cards worth more than $135,000 from October 2014 – July 2016.

VMware patches directory traversal flaw in Horizon View. VMware released versions 7.0.1, 6.2.3, and 5.3.7 of its Horizon View products for Microsoft Windows after a security researcher, dubbed “Bruk0ut” discovered the products were plagued with a flaw that could allow a remote attacker to carry out a directory traversal attack on the Horizon View Connection Server to access sensitive information.

X.Org library flaws allow privilege escalation, DoS attacks. The X.Org Foundation released patches addressing more than a dozen vulnerabilities in its client libraries, including an out-of-bounds memory read or write error flaw in libX11 versions 1.6.3 and earlier, an integer overflow issue on 32-bit systems in libXfixes versions 5.0.2 and earlier, and a denial-of-service (DoS) condition via out of boundary memory access or endless loops in XRecord versions 1.2.2 and earlier, among other vulnerabilities. X.Org reported most of the flaws exist because the client libraries trust the server to send correct protocol data and do not consider that the values could cause an overflow or other issues.

Cerber ransomware can now kill database processes. Security researchers from BleepingComputer discovered a new variant of the Cerber ransomware family is able to kill many database processes before the encryption process begins by using a close_process directive in the configuration file in order to encrypt the processes’ data files. The researchers also found Cerber switched to a four-character randomly generated extension and started scrambling the name of the encryption file, making it more difficult for victims to recover their data. 


ATM data-skimmers target the valley. Virginia authorities are searching October 6 for a group of Romanian nationals suspected of installing four skimming devices on ATMs at banks in Virginia’s Shenandoah Valley since March 2016, including the DuPont Community Credit Union in Staunton October 2.

Credit Suisse paying $90 million penalty for misrepresenting performance metric. The U.S. Securities and Exchange Commission announced October 5 that Credit Suisse AG agreed to pay $90 million to resolve charges that it misrepresented how it determined its net new assets (NNA) by applying an undisclosed results-driven approach to determining NNA in order to meet specific targets created by the company’s senior executives. As part of the settlement, a former executive agreed to settle charges that he was a cause of the violations.

Owner of tax preparation franchises in Illinois, Kansas and Missouri convicted of tax evasion. The owner and operator of at least 20 Instant Tax Service (ITS) franchise locations in Illinois, Kansas, and Missouri was convicted October 5 after he filed fraudulent Federal tax returns that underreported over $1.5 million in income and submitted falsified financial summaries to his tax return preparer from 2010 – 2011 that undervalued the gross receipts generated by his franchises, A&S Tax Service LLC and ERI Enterprises LLC, which his tax preparer used to generate his individual Federal income tax returns. The charges also state that the franchise owner and A&S have been permanently enjoined from operating a tax preparation business and preparing Federal tax returns since 2013.

Mac malware can abuse legitimate apps to spy on users. A security researcher from Synack discovered that Apple Mac operating system (OS) X malware can monitor an infected system for legitimate user-initiated video sessions on applications such as FaceTime, Skype, and Google Hangouts, and piggyback on those legitimate sessions to record video and spy on users without their knowledge or authorization.

New backdoor trojan spreads through RDP brute-force attacks. GuardiCore security researchers discovered a new malware family, dubbed Trojan.sysscan was being leveraged as a backdoor trojan to collect data and credentials used for accounts on banking, gambling, and tax Websites from compromised systems and transfer the information to an attacker’s remote server by carrying out brute-force attacks on open Remote Desktop Protocol (RDP) ports. GuardiCore reported the trojan is coded in the Delphi programming language and is equipped with support for dumping passwords from locally installed applications including databases, point of sale (PoS) software, and Web browsers.

iMessage URL preview exposes user data. A security researcher discovered that Apple’s iMessage service could leak user data including the message receivers Internet Protocol (IP) address, device type, and operating system (OS) version when the user receives a Uniform Resource Locator (URL) in a message due to a feature available in MacOS and iOS that enables the service to extract metadata from the URL and display it as an accessible link. The researcher stated the iMessage implementation sends requests from each of the devices the receiver has, which could allow an attacker sending the URL to determine the victim’s physical location based on the IP address.


Man previously arrested for a bank robbery in Milford pleads guilty to 3 others: Feds. A Rhode Island resident, dubbed the “Teardrop Bandit” pleaded guilty October 4 after he robbed two banks in Connecticut and one in Massachusetts between July and September 2015.

Google patches 78 vulnerabilities in Android. Google released patches resolving at least 78 security flaws in its Android operating system, including 11 elevation of privilege vulnerabilities in ServiceManager, Lock Settings Service, and Mediaserver, among other components, 3 denial-of-service (DoS) issues in Wi-Fi, GPS, and Mediaserver, as well as critical remote execution flaws in kernel ASN.1 decoder and kernel networking system, among other vulnerabilities. Google reported that the Qualcomm components were most affected by the security flaws.

Hacked WordPress core file leveraged for hijacking a site’s web traffic. Sucuri security researchers discovered attackers were leveraging a WordPress core file responsible for managing the site’s page templates in order to insert malicious code and alter a compromised Website and redirect users to a malicious Webpage selling product keys for several Microsoft products at reduced prices.

Hacked WordPress core file leveraged for hijacking a site’s web traffic. Sucuri security researchers discovered attackers were leveraging a WordPress core file responsible for managing the site’s page templates in order to insert malicious code and alter a compromised Website and redirect users to a malicious Webpage selling product keys for several Microsoft products at reduced prices.


EMC patches critical flaws in VMAX storage products. Dell EMC released patches resolving six vulnerabilities in versions 8.0.x – 8.2.x of its VMAX Unisphere Web-based management console and vApp Manager configuration and support tool for VMware deployments after researchers from Digital Defense, Inc. (DDI) discovered a critical vulnerability that can be exploited to add new admin users and compromise the virtual appliance, as well as a flaw that can be exploited by an unauthenticated attacker to execute arbitrary commands with root privileges and hijack the targeted appliance via maliciously crafted Action Message Format (AMF) messages, among other vulnerabilities.

Polyglot ransomware decryption tool released. Kaspersky Lab security researchers released a decryption tool for the Polyglot trojan, also known as MarsJoke, which allows victims to restore their files after finding that the trojan mimics the CTB-Locker ransomware, in that it uses a weak encryption key generator that allowed security researchers to develop a tool capable of unlocking a victim’s data.

OpenJPEG flaw allows code execution via malicious image files. OpenJPEG released an update addressing several security flaws after Cisco Talos researchers discovered that the open-source library was plagued with an out-of-bounds heap write issue that could allow an attacker to execute arbitrary code on a targeted system when the victim opens a maliciously crafted JPEG2000 image or PDF document that contains a malicious file, among other vulnerabilities.

DressCode malware infects 400 apps in Google Play. Trend Micro security researchers warned that a mobile malware family, dubbed DressCode has infected over 3,000 apps distributed by several popular Android mobile markets, including the Google Play store. The malware connects with the command and control (C&C) server, which turns the device into a proxy that can relay traffic between the attacker and internal servers that the device is connected to, thereby allowing the attacker to compromise the user’s network environment, download sensitive data, or use the device as a bot that can be leveraged for distributed denial-of-service (DDoS) attacks or spam email campaigns.


Branch Banking & Trust Company agrees to pay $83 million to resolve alleged False Claims Act liability arising from FHA-insured mortgage lending. The U.S. Department of Justice announced September 29 that Branch Banking & Trust Company (BB&T) agreed to pay $83 million to resolve allegations that it violated the False Claims Act by knowingly originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development’s (HUD) Federal Housing Administration (FHA) that did not comply with FHA’s quality control requirements or meet HUD underwriting requirements between January 2006 and September 2014. The charges also allege that BB&T failed to self-report loans containing material underwriting defects from at least 2006 – 2013, among other violations.

Over 400 vulnerabilities reported to ICS-CERT in 2015. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released its vulnerability coordination report for the fiscal year 2015, which revealed ICS-CERT published 197 advisories covering a total of 427 vulnerabilities during 2015, while only 245 issues were covered in 2014. The report also revealed that 43 percent of the vulnerabilities were rated as high severity, and the energy sector was affected by more than 800 vulnerabilities since 2011, followed by the critical manufacturing sector which was plagued with over 700 flaws, and the water and wastewater systems sector which was infected with over 600 issues.


Och-Ziff executives also settle charges. The U.S. Securities and Exchange Commission (SEC) announced September 29 that Och-Ziff Capital Management Group agreed to pay roughly $200 million to settle charges that the firm’s executives disregarded red flags and corruption risks as determined by the Foreign Corrupt Practices Act (FCPA), and used intermediaries, agents, and business partners to pay bribes to high-level government officials in Africa in order to secure mining rights and corruptly influence government officials in 5 African countries. SEC officials stated that Och-Ziff fraudulently documented the bribe payments and neglected to maintain proper internal controls to recognize or prevent the bribes.

Dridex banking trojan adopts improved encryption. MalwareTech security researchers discovered the Dridex banking trojan started using malicious Rich Text Format (RTF) files that are password protected in order to prevent automated systems from scanning the attachment for malicious code and to avoid detection. Researchers also found Dridex employs delayed execution and may be focused on infecting corporate systems.

Dual Jamaican-U.S. citizen pleads guilty in connection with Jamaica-based lottery fraud scheme. A dual Jamaican and U.S. citizen pleaded guilty September 28 for her role in a Jamaica-based fraudulent lottery scheme where she persuaded U.S. citizens to send her hundreds of thousands of dollars to cover fraudulent fees for lottery winnings that victims had not won and never obtained, causing U.S. citizens tens of millions of dollars in losses from 2011 – 2012. The charges state the dual citizen used some of the funds for personal expenses

Tofsee malware distribution switched from exploit kit to spam. Security researchers from Cisco Talos reported that attackers stopped distributing the Tofsee ransomware via the RIG exploit kit (EK), and began leveraging spam email campaigns to deliver the malware downloaders, which instruct victims to download and open the ZIP archive attached to the message that contains an obfuscated JavaScript file with a WScript downloader, which runs an executable from a remote server controlled by the attacker. Researchers stated the malware allows hackers to conduct cryptocurrency mining, carry out distributed denial-of-service (DDoS) attacks, and send spam, among other malicious actions.


Former president and chairman of the board of Gerova Financial Group, found guilty of defrauding shareholders. The former president and chairman of the board at Gerova Financial Group, Ltd. was convicted September 28 for defrauding the firm’s shareholders out of roughly $72 million by secretly diverting corporate stock to himself and 6 co-conspirators without any legitimate business purpose from 2009 – 2011, causing the former executive to personally accumulate over $2.6 million in illicit earnings. The charges state that the former Gerova official intentionally deceived the firm’s chief financial officer and other officers, causing the company to conceal information about the stock scheme in its public filings with the U.S. Securities and Exchange Commission, among other fraudulent activities.

New York City resident pleads guilty to using sham foreign entity and secret foreign accounts in Switzerland and Israel to evade taxes. A New York resident pleaded guilty September 28 to Federal and New York State tax evasion for tax years 2003 – 2005 and 2007 – 2010 by hiding more than $7.3 million in undeclared financial accounts from 1987 – 2011 in Switzerland and Israel, as well as using Contactus Partnership Associated S.A., a fake British Virgin Island entity, to avoid paying over $650,000 in U.S. taxes. The charges allege the man repatriated the funds by having an attorney draft a fraudulent agreement between himself and Contactus, and wiring the funds into his attorney’s escrow account.

Syrian Electronic Army member pleads guilty to hacking, extortion. A member of the Syrian Electronic Army (SEA) hacker group pleaded guilty to Federal charges for his role in an extortion scheme where he and another SEA member breached the systems of various organizations in the U.S. and other countries and threatened to damage their computers and data unless a ransom was paid. The FBI is searching for two other suspects involved in the extortion scheme.

Apple confirms weakened security in local iOS 10 backups. Apple confirmed an issue affecting the encryption strength for local backups of devices running on operating system (iOS) 10 after ElcomSoft security researchers discovered a bug in iOS 10 that makes local backups more susceptible to brute-force attacks than previous operating systems by allowing for 6,000,000 passwords to be attempted per second, while iOS 9 only allowed for 2,400 passwords to be attempted per second. Apple officials stated a patch for the flaw would be released in an upcoming update.


Jury convicts two in $2.6M stolen identity, tax fraud scheme. Two employees of the Dominican Supermarket in Pawtucket, Rhode Island, were convicted September 27 for their roles in a $2.6 million Stolen Identity Refund Fraud (SIRF) scheme where the duo and co-conspirators used more than 400 stolen identities, primarily from residents of Puerto Rico, to file falsified tax returns since January 2010. The charges state that counterfeit treasury checks were mailed to various locations in Rhode Island, Massachusetts, and New York and subsequently deposited into 27 different bank accounts controlled by the co-conspirators or others affiliated with the supermarket, and over $235,000 of the illicit earnings were transferred to a bank in the Dominican Republic.

SEC charges UBS with supervisory failures in sale of complex products to retail investors. The U.S. Securities and Exchange Commission (SEC) announced September 28 that UBS Financial Services agreed to pay more than $15 million to settle charges alleging that the company failed to create and institute policies and procedures intended to properly educate and train sales representatives on the $548 million in reverse convertible notes (RCNs) it sold to over 8,700 inexperienced retail investors, which caused representatives to make unfit recommendations on RCN sales to certain retail clients regarding their investment profiles. As part of the settlement, the company will be censured by the SEC.

High severity DoS flaw patched in BIND. The Internet Systems Consortium released updates for the Domain Name System (DNS) software BIND addressing two vulnerabilities, including a high severity denial-of-service (DoS) flaw affecting all servers that can receive request packets from any source, which can be exploited using maliciously crafted DNS request packets. The updates also resolved a medium severity DoS flaw that can cause a targeted server to terminate due to an error.

Locky ransomware drops offline mode. Security researchers reported that the Locky ransomware adopted new methods after a BleepingComputer researcher spotted the malware appending the .ODIN extension to encrypted files, instead of the .zepto extension, and researchers from Avira found the ransomware switched back to the use of a command and control (C&C) server and dropped the use of an offline mode. The updated Locky version is still distributed via spam email campaigns that contain malicious code in the file attachments, which infects a system in order to deliver a ransom note.

American living in Australia charged in securities fraud case involving scheme to fraudulently inflate by nearly $100 million the cost of Santa Monica software company being purchased by Computer Sciences Corp. A former executive at Commonwealth Bank of Australia (CBA) was charged September 26 after he and several co-conspirators in Australia and the U.S. allegedly defrauded Computer Sciences Corporation (CSC) out of $98 million by inflating revenues for ServiceMesh, Inc., a Santa Monica, Californa-based cloud computer management software company that CSC planned to purchase from 2013 – 2014. The charges also allege that CBA employees received more than $630,000 in undisclosed kickbacks from a senior executive of ServiceMesh, Inc. involved in the scheme.


Bronx tax preparer found guilty of participation in scheme to steal millions using fraudulent tax returns. A former tax preparer at K&S Tax Solution, Inc. (K&S) was convicted September 23 for her role in a more than $19 million fraudulent tax refund scheme where she and 14 co-conspirators filed fraudulent tax returns using identities stolen from Puerto Rico residents, including the identities of patients at a medical clinic in Ponce, Puerto Rico, in order to obtain fraudulent refunds through wire transfers and in check form since 2010. The U.S. Internal Revenue Service identified more than $281 million in attempted fraudulent returns.

Merrill Lynch charged with trading controls failures that led to mini-flash crashes. The U.S. Securities and Exchange Commission (SEC) announced September 26 that Merrill Lynch Wealth Management agreed to pay a $12.5 million penalty after an SEC investigation revealed that the firm caused market disruptions at least 15 times from 2012 – 2014, and violated the Market Access Rule after the firm set its internal controls that prevent incorrect trading orders at high levels, making them ineffective and causing select stock prices to plunge then suddenly recover. As part of the settlement, Merrill Lynch agreed to be censured and is prohibited from further violations of the Securities Exchange Act.

SEC charges CEO and boiler room operator with fraud. The U.S. Securities and Exchange Commission charged September 26 the former chief executive officer (CEO) of Sanomedics Inc. and Fun Cool Free Inc., and a boiler room operator for their roles in a penny stock scheme that defrauded several hundred investors nationwide out of approximately $20 million after boiler-room agents hired by the pair pressured senior citizens and others to invest in the former CEO’s 2 companies by claiming the investors’ funds would be used for research and development, while the money was used for personal expenses and to pay the boiler-room agents. Officials stated the duo agreed to be barred from subsequent penny stock offerings, and the former executive agreed to be barred from operating as an officer or director of a public business.

Russian cyberspies use “Komplex” trojan to target OS X systems. Palo Alto Networks discovered an Apple Mac operating system (OS) X trojan, dubbed Komplex establishes contact with its command and control (C&C) server after infecting a device in order to collect system information, and allows an attacker to execute arbitrary commands and download files to the affected machine. The researchers stated Komplex has reportedly been used by a Russian cyber espionage group known as Sofacy to target the U.S. government, the World Anti-Doping Agency (WADA), and the German parliament.

Microsoft removes Windows Journal due to security flaws. Microsoft removed the Windows Journal application available in Windows versions from XP Tablet PC edition through Windows 10 after researchers discovered about a dozen denial-of-service (DoS) flaws, remote code execution vulnerabilities, and a heap overflow issue discovered by a Fortinet researcher which could cause the application to crash. Microsoft advised customers to switch to OneNote.

OpenSSL patch for low severity issue creates critical flaw. OpenSSL released version 1.1.0b after it was discovered that a low severity denial-of-service (DoS) patched in OpenSSL 1.1.0a created a critical use-after-free vulnerability associated with large message sizes which could lead to arbitrary code execution or cause a system to crash. OpenSSL developers also released version 1.0.2j resolving a missing certificate revocation list (CRL) sanity check flaw in version 1.0.2i.


Utah business owner convicted of dealing in firearms without a license and filing false tax returns. A Salt Lake County, Utah resident and owner of HK Parts was convicted September 23 for defrauding the U.S. Internal Revenue Service out of more than $10 million after he underreported his wages on personal income tax returns, underreported total receipts on corporate tax returns, and bought and sold roughly 2,000 firearms without a Federal license through and from the basement of his home under the auspices of another Utah-based business between 2007 and 2012. The charges state that the man used the illicit earnings for personal expenses.

El Dorado Hills woman pleads guilty in bogus tax refund scheme involving more than $1.8 million in illegitimate refunds. An El Dorado Hills, California resident pleaded guilty September 23 to running a more than $1.8 million tax refund scheme where she and a co-conspirator allegedly prepared and filed hundreds of fraudulent claims with the U.S. Internal Revenue Service from June 2012 – March 2014, including claims that reported false wages and listed unrelated minors as dependents for the clients. Officials stated that the duo attempted to receive over $2.5 million in fraudulent tax refund claims during the scheme.

Manhattan federal court permanently bars tax preparer who orchestrated tax fraud scheme and four of his associates from engaging in tax preparation business. A tax preparer operating in New York and New Jersey and his 4 associates were permanently enjoined from engaging in Federal income tax return preparation or interfering with Federal tax law management and enforcement September 23 after he and the 4 co-conspirators ran a more than $17 million tax fraud scheme where the group prepared thousands of illegal tax returns through a New York and Englewood, New Jersey-based tax preparation company, claimed dependent deductions with the stolen identities of deceased children, and claimed fraudulent company losses for non-existent companies, among other illicit practices, from 2000 – 2008.

Locky ransomware fuels surge in .RAR JavaScript attachments. Trend Micro security researchers reported the Locky ransomware was responsible for an increase in certain methods of malware delivery after finding that during the first half of 2016, 58 percent of ransomware threats were delivered via email attachments including JavaScript, VBScript, and Microsoft Office files with macros. The researchers also reported that the malicious emails used to deliver the ransomware contained similar subject lines involving invoices, banking transactions, and parcel delivery, among other subjects, and stated the emails used social engineering to determine which victims to target.


New Haven man admits committing 6 bank robberies in Connecticut and New York. A New Haven, Connecticut resident pleaded guilty September 22 after he robbed 6 banks in Connecticut and New York from October – November 2015.

Six individuals charged for their roles in international money laundering and drug trafficking conspiracies. Six individuals were charged September 22 for laundering hundreds of millions of dollars in drug profits through the U.S., Italy, Hong Kong, and Mexico, and trafficking hundreds of kilograms of drugs since July 2013, as part of their involvement in the ‘Organization,’ a global drug trafficking and money laundering operation with links to the U.S., Panama, Mexico, and other countries. The charges allege that the defendants created a shadow banking system with stash houses throughout the U.S. where the group received the illicit proceeds, and then laundered the money through several Las Vegas businesses operated by a co-conspirator.

Yahoo confirms massive data breach of 500 million accounts. Yahoo Inc. confirmed September 22 that a hacker, dubbed “Peace” and “peace_of_mind” accessed the data from at least 500 million user accounts, including names, email address, hashed passwords, and birth dates, among other information, during a 2014 cyberattack. Yahoo stated unencrypted security questions and answers were invalidated and advised potentially affected users to change their passwords.

Over a dozen vulnerabilities patched in OpenSSL. The OpenSSL project released OpenSSL versions 1.1.0a, 1.0.2i, and 1.0.1u resolving more than 12 vulnerabilities, including a high severity flaw after a security researcher from Qihoo 360 discovered the issue can be exploited to carry out denial-of-service (DoS) attacks by sending the targeted device a large Online Certificate Status Protocol (OCSP) Status Request extension, among other vulnerabilities


Card skimmers found at 3 Kenosha ATMs. Wisconsin authorities are searching September 21 for 2 men suspected of installing credit card skimmers on ATMS at 3 banks in Kenosha, including a North Shore Bank branch and 2 TruStone Financial Federal Credit Union locations. Officials stated the duo also allegedly installed cameras on the ATMs in order to read bank customers’ PIN numbers.

Connecticut man admits conspiring to conceal income in undeclared Panamanian bank account. A Weston, Connecticut resident pleaded guilty September 21 to concealing over $1.5 million in income from the U.S. Internal Revenue Service after he and co-conspirators allegedly hid profits from duty-free alcohol and tobacco sales in an undeclared bank account in Panama from 2006 – 2012. The charges allege that the defendant used a registered Panamanian corporation, Centennial Group, to purchase and sell the duty-free products, shipped the alcohol via a warehouse in Florida and the tobacco products through a warehouse in New Jersey, and used the illicit proceeds for personal expenses.

Flaws in Cisco Cloud Services Platform allow command execution. Cisco notified its customers that its Cloud Services Platform (CSP) 2100 version 2.0 was plagued with two vulnerabilities, one of which is a critical vulnerability caused by insufficient sanitization of user input that could allow an unauthenticated attacker to remotely execute arbitrary commands on the operating system with root privileges. Cisco reported the second vulnerability could allow an unauthenticated attacker to execute arbitrary code on a targeted system remotely by sending a malicious “dnslookup” request.

Restriction bypass, XSS flaws patched in Drupal 8. The developers of the Drupal content management system (CMS) released versions 8.1.10 and 8.2.0-rc2 patching three serious vulnerabilities, including two restriction bypass issues and one cross-site scripting (XSS) flaw after reserachers discovered an attacker could exploit the flaws to execute arbitrary code in the victim’s browser if a targeted user accesses a maliciously crafted Universal Resource Locator (URL) due to inadequate sanitization in Hypertext Transfer Protocol (HTTP) exceptions. Drupal developers also patched a critical vulnerability in the feature that allows Drupal users to export their site’s configuration to a file, which could allow an attacker to download full configuration exports without administrative privileges, among other vulnerabilities.

Firefox 49 patches critical, high severity vulnerabilities. Mozilla released Firefox 49 resolving several critical vulnerabilities, including multiple memory safety bugs that could be exploited to execute arbitrary code, as well as a high severity certificate pinning flaw caused by flaws in the process Mozilla uses to update Preloaded Public Key Pinning, which could allow a Man in the Middle (MitM) attacker to replace legitimate add-on updates with malicious versions and execute arbitrary code on a targeted system, among other vulnerabilities.


Security bug lets hackers steal Monero, today’s 2nd most popular cryptocurrency. A security researcher at MWR Labs discovered that Monero’s Simplewallet tool was plagued with a cross-site request forgery (CSRF) flaw that can be exploited to empty a user's Simplewallet and potentially initiate the command and transfer of the user’s funds after an attacker issued malicious commands to a Remote Procedure Call (RPC) service on port 18082 using maliciously crafted JavaScript code. Monero stated it was working to develop a Simplewallet user interface without the vulnerable RPC service.

Federal jury finds a serial bank robber guilty of three counts of bank robbery. The U.S. District Court for the Northern District of Oklahoma convicted an individual September 20 for his role in 3 bank robberies in Tulsa and Fairfax, Oklahoma, in June 2016.

North Texas business owners guilty in money laundering scheme. Four North Texas residents were convicted September 20 for their roles in a more than $16 million money laundering scheme from June 2013 – October 2015 where the group, who owned and operated money services business (MSBs), used their authority as authorized agents of over 8 international money transfer companies to facilitate the transmission of profits obtained from the distribution of drugs through wire transfers to Michoacan, Mexico. The charges state that the MSBs charged wire transaction fees and structured the wires in amounts under $1,000, in addition to using fabricated sender information to circumvent financial reporting requirements and hide the ownership and source of the illegal profits.

MacOS 10.12 patches over 60 vulnerabilities. Apple Inc., released the final version of its Mac operating system (OS) Sierra 10.12 resolving at least 65 vulnerabilities, including 16 flaws in the “apache_mod_php” module that could lead to arbitrary code execution or unexpected application termination, as well as denial-of-service issues and arbitrary code execution flaws in Apple’s implementation of Apache, Audio, and Bluetooth, among other components. Apple also released Safari 10, macOS Server 5.2, and iCloud for Windows 6.0 patching a flaw in WebKit that could lead to arbitrary code execution when a device is processing specially crafted Web content, among other vulnerabilities.

Over 840,000 Cisco devices affected by NSA-linked flaw. The Shadowserver Foundation reported that as of September 21, more than 840,000 Cisco devices, including 255,000 in the U.S. were found to be affected by the vulnerability in Cisco’s IOS, IOS XE, IOS XR software Internet Key Exchange version 1 (IKEv1) packet processing code that can be exploited by a remote, unauthenticated attacker to access memory content potentially containing sensitive information, which was originally discovered following the Shadow Brokers leak.


Former United States Immigration and Customs Enforcement deportation officer pled guilty to bulk cash smuggling. A former U.S. Immigration and Customs Enforcement (ICE) deportation officer pleaded guilty September 15 to Federal charges after he allegedly smuggled over $2 million into the U.S. when he and co-conspirators, traveling from the Dominican Republic to the U.S. attempted to conceal the money in at least 7 pieces of luggage in order to avoid a currency reporting requirement on the U.S. Customs and Border Protection declaration form. The charges state authorities discovered the money during a subsequent search of the co-conspirators’ luggage.

“Wicked Wig Bandit” robs 5 Denver metro banks in monthlong spree. The FBI is searching September 20 for a woman dubbed the “Wicked Wig Bandit” who is suspected of robbing 5 banks in the Denver metropolitan area since August, including a Chase Bank branch in Northglenn September 19.

Rockwell patches code execution flaw in RSLogix product. Rockwell Automation released patches for several of its RSLogix products used in the food and agriculture, critical manufacturing, water, and chemical sectors to resolve a buffer overflow vulnerability after a researcher discovered the flaw can be exploited by convincing a local user to open a specially crafted rich site summary (RSS) file with a malicious version of RSLogix in order to execute arbitrary code on a targeted system.


Former Massachusetts man pleads guilty to multi-million ponzi scheme. A former Massachusetts resident pleaded guilty September 16 to Federal charges in connection with running a $10 million Ponzi scheme after he convinced more than 20 investors their funds would be used to finance Jamaican businesses through bridge loans while using the funds to repay investment principal to previous investors from 2008 – 2015.

Former owner of investment firms pleads guilty to $9 million fraud. A co-founder of Cavalier Union Investments, LLC and Black Bull Wealth Management, LLC, pleaded guilty September 16 to Federal charges after he and a co-conspirator allegedly caused more than 50 investors to lose over $9 million from 2009 – 2016 by soliciting individuals to invest money in private investment funds that the duo controlled, in addition to specific investment opportunities that they proposed. The charges allege that the pair used the money for personal expenses.

Cisco finds new zero-day linked to “Shadow Brokers” exploit. Cisco researchers discovered another zero-day vulnerability leaked by Shadow Brokers in August, which affects the Internet Key Exchange (IKE) v1 packet processing code in Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x, and 5.2.x and could allow a remote, unauthenticated attacker to retrieve memory contents potentially containing sensitive information by sending a specially crafted IKEv1 packet to an affected device that is configured to accept IKEv1 security negotiation requests. Cisco was working to release a patch for the vulnerability and stated no workaround is available.

H1N1 malware adds support for infostealing features, UAC bypass. Cisco, Proofpoint, and independent security researchers reported recent H1N1 malware versions include a User Access Control (UAC) bypass that can be exploited via unique code obfuscation and a dynamic-link library (DLL) hijacking technique, a self-propagation feature that enables the malware to spread itself to other computers on the same network, and the ability to collect information from infected systems and send it to a central command and control (C&C) server, thereby allowing an attacker to collect and steal information from organizations in the energy, communications, financial, and government sectors, including email login data from Microsoft Outlook and Mozilla Firefox profile login data, among other data.

Serious flaws found in Cisco WebEx Meetings Server. Cisco released software updates to resolve vulnerabilities in its WebEx Meetings Server version 2.6 including a critical flaw caused by insufficient sanitization of user-supplied data that can be remotely exploited to execute arbitrary commands with elevated privileges, and a high-severity issue that could allow an unauthenticated attacker to carry out denial-of-service (DoS) attacks by repeatedly attempting to access a specific service.


New York man convicted in federal court for his role in counterfeit gift card shopping spree. A Queens, New York resident was convicted September 14 of Federal charges after authorities discovered over 100 counterfeit Visa gift cards with the account numbers of customers from dozens of banks nationwide in his and co-conspirators’ possession in 2014. Officials stated the group attempted to or made purchases at more than 6 Pennsylvania stores using the fraudulent cards.

SAP patches serious flaws in database management product. SAP released a security update resolving 19 vulnerabilities, including a denial-of-service (DoS) flaw in Business Objects BI Launchpad, information disclosure bugs, cross-site scripting (XSS) issues, and Structured Query Language (SQL) injection issues that could allow an attacker to create and execute a stored procedure with SQL commands, thereby enabling the attacker to elevate their privileges, modify database objects, or execute commands without authorization.


6.6 million users affected by ClixSense breach. ClixSense confirmed that the details of over 6.6 million users were stolen after hackers gained access to the company’s database server after accessing an old server still connected to the database. ClixSense reported the vulnerable server has been shut down and restored user balances, forum, and account names, and reset user passwords, among other measures.

Sixth Linux DDoS trojan discovered in the last 30 days. Dr. Web security researchers discovered a trojan affecting Linux machines via the Shellshock vulnerability that launches 25 child processes that carry out a distributed denial-of-service (DDoS) attack on a targeted device when the attacker in control of the trojan botnet issues an attack command. Researchers stated the trojan can start Transmission Control Protocol (TCP) floods, User Datagram Protocol (UDP) floods, and Hypertext Transfer Protocol (HTTP) floods, as well as update itself, terminate its process, and delete itself, among other capabilities.

Apple patches 7 flaws with release of iOS 10. Apple Inc., released version 10 of its operating system (iOS), Xcode version 8, and watchOS version 3 patching a total of seven vulnerabilities, including a flaw in iOS that can be exploited by a man-in-the-middle (MitM) attacker to prevent a device from receiving updates, an information disclosure vulnerability in iOS and watchOS that can be exploited by malicious applications to access an user’s location data, and a flaw in Xcode that could allow a local attacker to execute arbitrary code or crash an application, among other flaws.


Regions bank agrees to pay $52.4 million to resolve alleged False Claims Act liability arising from FHA-insured mortgage lending. The U.S. Department of Justice announced September 13 that Regions Bank agreed to pay $52.4 million to settle allegations that the bank violated the False Claims Act by originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development’s (HUD) Federal Housing Administration (FHA) that did not meet HUD underwriting requirements regarding borrower creditworthiness from January 2006 – December 2011. The charges also allege that Regions failed to maintain a quality control program in compliance with HUD requirements, failed to consistently review samples of FHA-insured loans, and failed to review Early Payment Default (EPD) loans per HUD guidelines, among other violations.

Adobe patches 29 vulnerabilities in Flash Player. Adobe released updates for Flash Player, Digital Editions, and Adobe Air SDK & Compiler resolving a total of 37 vulnerabilities, including integer overflow, use-after-free, among other memory corruption issues in Flash Player that can be exploited to leverage arbitrary code execution, as well as several memory corruption flaws and a use-after-free issue in Digital Editions 4.5.1 and earlier that can be exploited for arbitrary code execution, among other vulnerabilities.

Microsoft patches browser vulnerability exploited in attacks. Microsoft released 13 security bulletins patching nearly 50 vulnerabilities plaguing Windows, Internet Explorer, Edge, Exchange, and Office, including an information disclosure flaw in Internet Explorer and Edge that can be exploited if an attacker convinces a victim to access a compromised Website, as well as a memory corruption issue that can be exploited for remote code execution if the victim accesses a compromised Website, among other vulnerabilities.


Nevada stock promoter admits role in $33 million microcap stock manipulation scheme. A Henderson, Nevada resident pleaded guilty September 12 to his role in a $33 million pump-and-dump stock market manipulation scheme where he and co-conspirators fraudulently inflated the prices of shares of 4 public companies by distributing promotional information about the shares and engaging in manipulative trading in order to sell the stocks at inflated rates before dumping large volumes of the shares, causing investors millions of dollars in losses. Officials also stated the group paid cash kickbacks to a Las Vegas-based investment adviser who purchased the stock of the target companies on behalf of his clients.

Federal grand jury indicts three in $6.5 million diamond investment fraud scheme. The chief compliance officer of Stonebridge Advisers, LLC, the principal partner of Worldwide Diamond Ventures, L.P., and another Dallas, Texas resident were indicted September 9 for their roles in a $6.5 million diamond investment scheme where the group allegedly defrauded 77 Worldwide Diamond Ventures investors by fraudulently concealing material information, including how the group used investor funds from March 2011 – November 2011 and February 2012 – May 2013. The charges also allege that the trio failed to disclose to investors that nearly $2.5 million in investor funds were used to make unauthorized loans to third parties.

Critical MySQL zero-day exposes servers to attacks. An independent security researcher discovered a critical zero-day vulnerability affecting the MySQL open-source database software that can be exploited by an attacker who can authenticate to the MySQL database via a Web interface or network connection to leverage arbitrary code execution with root privileges, which can compromise the server running MySQL. The researcher reported that all MySQL branches are susceptible to the attack, and that the attack can be leveraged on a device with Linux security modules installed.


Court docs: McDonald’s employee stole about 100 credit card numbers while working drive-thru. A former employee at McDonald’s in West Lafayette, Indiana, was charged in court documents unsealed September 9 after she and co-conspirators allegedly skimmed information from about 100 customer credit cards while working at the restaurant and created fake credit cards to make more than $6,000 worth of fraudulent purchases at area stores. Authorities stated the former employee swiped customers’ cards through a handheld skimming device to steal their account information.

Free decrypter available for Philadelphia ransomware. An Emsisoft security researcher released a decrypter for the Philadelphia ransomware that can unlock a victim’s files for free after the researcher discovered the malware was deleting a predetermined number of files from an infected device if the user did not immediately pay the ransom.

Privilege escalation, DoS vulnerabilities patched in Xen. The Xen Project released patches addressing four vulnerabilities, including a privilege escalation flaw in all versions of Xen that could allow a malicious 32-bit paravirtualization (PV) guest administrator to gain host privileges, an overflow issue affecting all Xen versions that could be leveraged by a hardware virtual machine (HVM) guest admin to cause Xen to fail a bug check and cause a host to enter a denial-of-service (DoS) condition, and a use-after-free vulnerability that can be leveraged by a guest admin to crash the host and for information leaks and arbitrary code execution, among other vulnerabilities.


Wells Fargo fined $185M on phony accounts, fires 5,300 staff. California and Federal regulators fined Wells Fargo & Company a total of $185 million September 8 after the bank’s employees allegedly opened more than 2 million bank and credit card accounts and transferred money into those accounts without the authorization of its customers in order to meet projected sales goals. Officials reported that 5,300 Wells Fargo employees were fired in connection with the fraudulent activities.

Former Bergen man admits role in $65 million identity theft scheme. A former Demarest, New Jersey resident pleaded guilty September 8 to Federal charges for his role in a $65 million identity theft scheme where he and co-conspirators stole the birth dates and Social Security numbers from Puerto Rican citizens in order to file fraudulent tax returns and obtain $4.7 million in tax refund checks, which he deposited into bank accounts controlled by the group. The man also stated he and co-conspirators bribed a mail carrier to intercept the refund checks before they were delivered to the identity theft victims.

New Linux trojan discovered coded in Mozilla’s Rust language. Dr. Web security researchers discovered a new trojan coded in Mozilla’s Rust programming language was targeting Linux-based platforms and found that an attacker in control of an Internet Relay Chat (IRC) channel can send a message to the channel’s public chat that forces all connected bots to parse the message and execute the malicious action. The researchers believe this is a testing version of the malware as the trojan infects victims and gathers information about the device’s local system and sends it to its command and control (C&C) center.

DropboxCache cross-platform backdoor targets OS X. Kaspersky Lab security researchers discovered that the DropboxCache, known as Mokes.A or Backdoor.OSX.Mokes now targets Apple Mac operating system (OS) X devices and establishes a connection to the command and control (C&C) server using Hypertext Transfer Protocol (HTTP) on Transmission Control Protocol (TCP) port 80 in order to set up its backdoor features on an infected device, which include capturing audio, monitoring removable storage, scanning the file system for Microsoft Office documents, as well as creating a series of temp files with the collected data when the C&C server is not available, among other features. Researchers warned the malware’s operator can execute arbitrary commands on the infected system and define own file filters to improve its monitoring of the file system.


4 arrested, guns and thousands of blank credit cards seized in Brooklyn: NYPD. Four people were arrested in Bedford-Stuyvesant in Brooklyn, New York, September 7 after authorities discovered 2,433 blank credit cards, 2 credit card embossing machines, and 3 credit card skimmers, among other illicit materials, while executing a search warrant at the group’s apartment.

Gugi banking trojan can bypass Android 6 protection. Kaspersky security researchers discovered a variant of the Gugi mobile banking trojan can bypass two security features in Google’s Android 6.0, including the permission-based app overlays and the dynamic permission requirement for dangerous in-app activities like calls or short message service (SMS) in order to overlay applications and steal mobile banking credentials from its victims, and found the trojan is being distributed via SMS spam that tricks victims into accessing phishing Websites, which downloads the malware onto the device. Researchers advised users to reboot the infected device in safe mood and attempt to uninstall the trojan.

WordPress 4.6.1 security update is out, time to update peeps. WordPress released version 4.6.1 of its WordPress Content Management System (CMS) resolving a path traversal vulnerability and a cross-site scripting (XSS) flaw affecting the admin panel that can be exploited via image metadata and allow a malicious actor to take over the affected Website. The update also patches 15 other bugs related to the underlying CMS codebase.

Flaws in Network Management Systems open enterprise networks to attacks. Rapid7 researchers and an independent researcher discovered over 12 vulnerabilities plaguing 9 different Network Management Systems (NMSs) products that could be exploited via cross-site scripting (XSS) attacks over Simple Network Management Protocol (SNMP) agent-provided data, which could allow a local attacker to add a malicious device to the network, XSS attacks over SNMP trap alert messages, and format string processing on the NMS Web management console that can be carried out via specially crafted trap alert messages. Researchers reported that all the flaws have received patches.

Google patches QuadRooter, other critical Android vulnerabilities. Google released its September 2016 Android Security Bulletin resolving 55 vulnerabilities, including 2 critical remote code execution (RCE) flaws in LibUtils and Mediaserver, a high risk RCE in MediaMuxer, and 2 issues in QuadRooter that impacted over 900 million Android devices using Qualcomm chipsets, among other vulnerabilities.

Siemens fixes several flaws in SIPROTEC products. Siemens released firmware updates addressing vulnerabilities in its SIPROTEC 4 and SIPROTEC Compact devices after Kaspersky Lab researchers found the devices were plagued with a flaw that an attacker with network access could exploit to bypass authentication mechanisms and carry out administrative operations, and a flaw that could allow an attacker with network access to perform those actions while a legitimate user is logged in to the Web interface. Siemens advised customers to use network segmentation, virtual private networks (VPNs), and firewalls to protect their systems against attacks.


Texas woman pleads guilty to preparing false tax returns. A Greenville, Texas-based tax preparer operating under the names TX ASAP Tax Services and Fiesta Tax Service pleaded guilty September 6 to preparing and filing approximately 1,163 fraudulent income tax returns for clients, including false credits and deductions, as well as fraudulent business income and losses in order to produce inflated returns, thereby causing the U.S. more than $1 million in losses.

Cry ransomware uses Google Maps to find victim locations. BleepingComputer researchers discovered a new piece of ransomware, dubbed Cry or CSTO, as it pretends to come from a fake group called the Central Security Treatment Organization, was using public Websites to host information about victims, and could determine a victim’s location by using a nearby wireless service set identifier (SSID) to query the Google Maps application programming interface (API). Researchers also spotted the malware encrypting the victim’s files and deleting Shadow Volume Copies to prevent users from restoring their files.


FBI: Prolific ‘Filter Bandit’ strikes again at Fort Lauderdale bank. The FBI is searching September 2 for a man dubbed the “Filter Bandit” who is suspected of robbing several banks in Broward County, Florida, since August 2014, including an AmTrust Bank branch in Fort Lauderdale September 2.

Cerber 3.0 ransomware variant emerges. TrendMicro researchers reported a new variant of the Cerber ransomware, dubbed Cerber 3.0 emerged as a payload in a malvertising campaign and serves users with a malicious ad in a pop-up window after clicking a video to play, which then redirects the victims to the Magnitude and RIG exploit kits (EKs) landing page. Researchers found the malware appends the .cerber3 extension to the encrypted files, then deletes all copies of the files to prevent users from restoring their files, and prompts victims with a ransom note.

Attackers combine three botnets to launch massive DDoS attack. Sucuri researchers reported attackers combined a home router botnet comprised of 11,767 devices, an internet of things (IoT) closed circuit television (CCTV) botnet comprised of 25,000 cameras, and a botnet made up of compromised Linux servers to carry out a Layer 7 distributed denial-of-service (DDoS) attack involving traffic from over 47,000 Internet Protocol (IP) addresses. Sucuri stated the 3-botnet distribution enabled the attacker to send 120,000 requests per second without disrupting the operation of the infected machines.


Thousands of fraudulent cards, crystal meth found in SW Miami-Dade home. Two southwest Miami-Dade, Florida residents were arrested September 1 after authorities discovered over 2,000 counterfeit gift cards, thousands of fraudulent credit cards, and several laptops in the duo’s home, which were used to steal over $50,000 from victims.

Staten Island man indicted as ‘Mad Hatter’ bank bandit. A man dubbed the “Mad Hatter” was indicted August 30 after he allegedly robbed or attempted to rob 11 banks in Manhattan since March 9, stealing a total of more than $22,000.

Apple patches spyware-related zero-days in OS X, Safari. Apple released patches resolving three zero-day vulnerabilities, dubbed Trident affecting its Mac operating system (OS) X including OS X Yosemite, OS X El Capitan, and in Safari for OS X Mavericks that were exploited by Pegasus surveillance software to spy on individuals via iOS devices and could lead to kernel memory disclosure, applications executing arbitrary code with kernel privileges, and arbitrary code execution when a user visits a maliciously crafted Website.

Google fixes Nexus 5X flaw that allowed attackers to dump phone memory via USB. Google patched a vulnerability affecting Android images deployed on LG Nexus 5X devices with the Android Debug Bridge (ADB) feature turned on after researchers from IBM’s X-Force team discovered the flaw could allow an attacker to infect a victim’s device with malware that exploits the vulnerability and dumps the phone’s memory and extracts sensitive information via a universal serial bus (USB) port.


FBI seeks help identifying ‘Helmet Head Bandit’ in connection with 2 recent bank robberies. Authorities are searching August 31 for a man dubbed the “Helmet Head Bandit” who is suspected of robbing 2 banks in La Canada Flintridge and Tujunga, California, and attempting to rob 1 other in Tujunga August 31.

Duo arrested in widespread LA ATM machine skimming scam. Two men were arrested in Torrance, California, August 30 for their roles in an $85,000 ATM skimming scheme where the duo installed skimming devices on ATM machines in Burbank and elsewhere in Los Angeles County and stole the account information from over 50 bank customers to create cloned ATM cards and withdraw cash from other ATMs in the county. Officials discovered an additional $233,000 in declined transactions attempted by the duo.

Betabot starts delivering Cerber ransomware. Security researchers from Invincea discovered the Betabot ransomware began carrying out a second-stage payload where the malware delivers the Cerber ransomware on the endpoint of a compromised machine after stealing user passwords in the first-stage, in order for the malware operators to increase their profits. Researchers also found the ransomware was being delivered by the Neutrino exploit kit (EK) and stated the malware avoids detection and analysis through virtual machine awareness and by checking for sandboxes.

Cisco fixes severe flaw in WebEx, small business products. Cisco released software and firmware updates addressing several vulnerabilities in its WebEx Meetings Player version T29.10 for WebEx Recording Format (WRF) files after a COSIG security researcher discovered a critical flaw that could allow an unauthenticated attacker to execute arbitrary code remotely by tricking a user to open a specially crafted file, and a medium severity vulnerability that could allow an unauthenticated attacker to remotely crash the program by convincing the user to access a malicious file. Cisco also released fixes for three denial-of-service (DoS), cross-site request forgery (CSRF), and cross-site scripting (XSS) issues plaguing its Small Business 220 Series Smart Plus (Sx220) switches that could allow a remote, unauthenticated attacker to gain access to Simple Network Management Protocol (SNMP) objects on a compromised device.

Vulnerability in Yandex browser allows attackers to steal victims’ browsing data. A security researcher from Netsparker discovered the login form of the Yandex Browser was plagued with a cross-site forgery request (CSRF) vulnerability that could allow an attacker to steal a victim’s passwords, bookmarks, autocomplete info, and browser history, among other data, by convincing a user to visit a malicious Website that includes code to create a Yandex Browser data sync login form and submits the information with the attacker’s credentials, thereby starting an automatic syncing process that sends a copy of the user’s data to the attacker.

Adobe patches critical vulnerability in ColdFusion. Adobe released security updates for ColdFusion versions 10 and 11 resolving a critical vulnerability after a researcher from discovered the flaw is related to parsing specially crafted XML entities and could lead to information disclosure. Adobe officials advised users to install the patches and apply secure configuration settings to avoid the security flaw.


‘Baggy Eyes Bandit,’ suspected in Anaheim Hills, Placentia bank robberies, has been arrested. A man dubbed the “Baggy Eyes Bandit” was charged August 30 in connection with 2 bank robberies after he allegedly robbed 6 banks in Los Angeles, Riverside, San Bernardino, and Orange counties and attempted to rob a Citibank branch in Anaheim Hills, California, August 27.

Investment advisor pleads guilty to stealing from clients. A former investment adviser and operator of Gist, Kennedy & Associates pleaded guilty August 30 to defrauding more than 30 clients out of $5 million by falsely informing investors that he would make conservative investments for investors in corporate bonds and other securities, while he used the funds for personal expenses, to fund ENCAP Technologies operations, and to pay other clients proceeds and dividends from the fraudulent investments. Officials stated the adviser also prepared and mailed false account statements to the investors that showed false investment returns in order to continue the fraud scheme.

68 million exposed in old Dropbox hack. Dropbox, Inc. began prompting password resets for more than 68 million users potentially exposed in a July 2012 data breach where user email addresses and hashed and salted passwords for Dropbox accounts may have been improperly accessed after a Dropbox employee’s password was stolen and used to access an employee account that contained a document containing the user information. Dropbox officials do not believe any account was improperly accessed during the breach.

Vulnerabilities found in CryptWare BitLocker enhancement tool. CryptWare released CryptoPro Secure Disk 5.2.1 for BitLocker addressing two serious vulnerabilities, one of which can be exploited to access a root shell at boot and execute arbitrary commands, as CryptoPro Secure Disk improperly blocks terminal access, and a second serious flaw that can be exploited to modify files on the system and bypass the verification process, which can be leveraged to backdoor the system and steal sensitive information such as domain credentials and BitLocker, among other information, due to inadequate verification mechanisms.

Unsophisticated Revenge RAT released online for free. Security researchers discovered a malware coder named Napoleon released a new remote access trojan/tool (RAT), dubbed Revenge v0.2 online for free via underground hacking forums. Researchers found the RAT is able to access the user’s Webcam, open a remote shell, initiate remote desktop sessions, interact with the victim’s file manager, and manage operating system (OS) services, among other malicious actions.

Site of BitTorrent app “Transmission” again used to deliver OS X malware. Security researchers from ESET reported that the official Website for the BitTorrent client, Transmission was being exploited to distribute an Apple Mac operating system (OS) X malware, dubbed OSX/Keydnap that steals the content of the OS X keychain and maintains a permanent backdoor on an infected system after finding that cybercriminals compromised the Transmission site and replaced the legitimate app with a malicious version, which was available for download as Transmission v2.92 between August 28 and August 29. Researchers stated users can determine if their systems are infected by checking if files associated with the malware are present on their system.