Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive claiming to come from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations will send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it or its attachments. The email could contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers (linked article).
ATM and gas pump skimming information (linked article).
RBS website disrupted by DDoS attack. The Royal Bank of Scotland (RBS) confirmed that its NatWest Web site was the target of a distributed denial of service (DDoS) attack December 6, causing disruptions for customers. RBS was also recently targeted by a DDoS attack December 2.
PayPal DDoS attackers plead guilty, some may walk free. Fourteen defendants accused of participating in a distributed denial of service (DDoS) attack against PayPal in 2010 pleaded guilty in U.S. District Court in California to related charges December 5.
Citadel malware variant captures screenshots of Bitcoin-related websites. Trusteer researchers identified a variant of the Citadel malware that is capable of capturing screenshots when a user accesses Web sites associated with buying, storing, or trading Bitcoins.
Researchers analyze Dexter and Project Hook PoS malware campaigns. Researchers at the Arbor Security Engineering and Research Team published a paper analyzing point-of-sale (PoS) malware campaigns utilizing the Dexter and Project Hook malware. The paper identified three variants of Dexter, one of which is capable of stealing data via FTP, among other findings.
JPMorgan warns 465,000 card users on data loss after cyberattack. JPMorgan Chase notified around 465,000 holders of prepaid UCard debit cards that their unencrypted personal information may have been obtained by hackers during a July data breach. The cards were issued to corporations to pay employees and to government agencies to pay benefits and tax refunds.
Personal and financial details compromised in Maple Grove Farms of Vermont hack. B&G Foods North America notified customers that a November 16 cyberattack on the Maple Grove Farms of Vermont Web site may have revealed personal information and payment card numbers.
Cybercriminals hijack WordPress sites with backdoored SEO plugin. Researchers at Sucuri identified a campaign that lures owners of WordPress Web sites into installing a malicious copy of a legitimate search engine optimization (SEO) plugin. The trojanized plugin adds a backdoor to the site and can redirect visitors to spam or malicious Web sites.
Passwords reset after ‘Pony’ botnet stole 2 million credentials. Online services affected by the Pony botnet’s disclosure of login credentials, including Twitter, Facebook, ADP, and LinkedIn, reset users’ passwords to prevent unauthorized access.
Logins stolen from Facebook, Google, ADP payroll processor. Researchers at Trustwave gained access to the control panel of a botnet running the Pony controller software and found around 2 million logins and passwords for social media accounts, payment processor ADP, and other services.
Credentials of 38,000 Pixel Federation users leaked by hacker. Game developer Pixel Federation confirmed that a hacker breached its systems and leaked around 38,000 users’ usernames and passwords. The same hacker was also reported to be behind an attack on the U.K. Council for Graduate Education.
Huge quantity of Bitcoins stolen from Sheep Marketplace. The administrators of the Sheep Marketplace underweb market reported to their users that a vendor allegedly broke into the market and stole 5,400 Bitcoins.
Flaw in Android 4.3 can be exploited to remove device locks with rogue apps. Researchers at Curesec identified a vulnerability in Android 4.3 that can be exploited using a rogue app to disable a device’s security features such as PINs and passwords. The researchers produced a proof-of-concept app demonstrating the issue.
Study: 340,000 new malicious websites detected in past 30 days. A study conducted by Commtouch found that the number of malicious Web sites is growing quickly, with an average of 11,500 new threats identified each day. Malware sites made up the majority of malicious sites, followed by phishing and spam sites.
Windows XP zero-day under active attack. Microsoft stated that a recently discovered zero-day vulnerability affecting Windows XP and Windows Server 2003 has been observed being exploited in targeted attacks. The vulnerability can allow privilege escalation, kernel mode code execution, and administrator account creation.
Popular Bitcoin forum targeted in DNS and DDoS attack. The administrators of the BitcoinTalk forum advised their users to avoid logging in for a time December 2 after the site was hit by domain name system (DNS) redirection and distributed denial of service (DDoS) attacks.
D-Link patches security holes in DI-524, DI-524UP, DIR-100 and DIR-120 routers. D-Link released new firmware for several router models, addressing a vulnerability that could be leveraged by attackers to gain control of the device. Details of the vulnerability were presented in October by Tactical Network Solutions.
Hackers target BitcoinTalk via vulnerability in AnonymousSpeech registrar. A BitcoinTalk administrator announced December 1 that the forum was the target of a man-in-the-middle attack that leveraged a vulnerability at the forum’s registrar, AnonymousSpeech, to change the site’s DNS so that traffic was proxied through CloudFlare under the attacker’s control. The attacker may have intercepted encrypted communications, including passwords and private messages.
PayPal “Limited Account Access” emails used for phishing. A phishing campaign sends emails claiming to come from the PayPal online payment service and asks users for their account login details along with other personal information, supposedly to restore access to their accounts. The emails link to a fake PayPal site that is used to steal the information entered.
Virus takes user’s photo via webcam. Researchers from Webroot warned that a malware family, made to look like an anti-virus product, disables users’ computers and claims to have detected viruses and demands money to purchase the full version of the product to remove the threats. If the user does not respond, the program takes a picture via webcam and warns the user of the infection and potential theft of personal information.
Researchers track down members of Nigerian cyber gang. Researchers at TrendMicro released a report on a Nigeria-based cybercrime gang dubbed “Ice 419” that is reportedly using the Ice IX banking Trojan to gather personal and banking information and using phishing to target users of Scottrade, Match.com, and a Korean search engine.
VBScript malware deletes files from infected systems. Researchers at TrendMicro identified a piece of malware dubbed VBS_SOYSOS that creates copies of itself using the names of MP3, JPG, and DWG files, deleting the original files. The malware also disables access to the registry editor and task manager, necessitating the installation of alternatives in order to remove the malware.
Ruby on Rails CookieStore vulnerability plagues prominent websites. A researcher found that around 2,000 Web sites using an older version of Ruby on Rails with the default CookieStore session mechanism were vulnerable to having users’ login sessions stolen. CookieStore keeps the entire session in a signed cookie on the client side and holds no record of it on the server, so a cookie stolen through cross-site scripting (XSS) or session hijacking remains valid even after the user logs out; the server cannot invalidate it until the application’s secret key is changed.
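The following is an added illustration, not code from the original page or from the Rails project. It mimics the Rails 3 CookieStore layout (Base64 payload, two dashes, hex HMAC-SHA1 over the payload) with a hypothetical secret and JSON in place of Marshal, and shows why a stolen cookie keeps verifying after "logout" unless the secret is rotated or the session carries its own expiry.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical application secret (assumption; Rails 3 used config.secret_token).
SECRET = 'change-me-this-is-a-demo-secret-token-only'

# Constant-time comparison so the verifier does not leak digest bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Build a CookieStore-style cookie: "<base64 payload>--<hex HMAC-SHA1>".
def sign_session(data, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(data))
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Verify the signature and return the session hash, or nil if it does not verify.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# The weakness: "logout" only deletes the cookie from the victim's browser.
# The server keeps no session table, so a copy taken earlier still verifies.
def stolen_cookie_still_valid?(cookie, secret = SECRET)
  !verify_session(cookie, secret).nil?
end

# Partial mitigation without a server-side store: put an expiry inside the
# signed payload and reject sessions past it (a stolen cookie then has a bounded life).
def verify_with_expiry(cookie, now, secret = SECRET)
  session = verify_session(cookie, secret)
  return nil if session.nil?
  return nil if session['exp'] && now > session['exp']
  session
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session('user_id' => 42)
  puts "victim cookie: #{cookie}"
  puts "still valid after logout? #{stolen_cookie_still_valid?(cookie)}"
  puts "valid after secret rotation? #{stolen_cookie_still_valid?(cookie, 'rotated')}"
end
```

Rotating the secret invalidates every session at once, which is why the real fix is a server-side store (or at least an expiry and a per-user session version the server can bump on logout or password change).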
Experts warn of new banking trojan Neverquest. Security researchers have observed thousands of attempts to infect computers using the Neverquest banking Trojan, a relatively new Trojan that injects a phishing page into sessions when users attempt to access banking Web sites. The Trojan has integrated self-replication mechanisms and is distributed via Trojan downloaders.
Atrax: Cybercrime kit capable of stealing data, launching DDoS, mining for Bitcoins. Security researchers at CSIS identified a new malware kit called Atrax being sold for $250 on underweb forums. Atrax uses The Onion Router (TOR) protocol to hide its communications and comes with several add-ons that allow it to steal data from forms and browsers, launch distributed denial of service (DDoS) attacks, and mine for Bitcoins and Litecoins.
AutoCAD malware paves the way for future attacks. TrendMicro researchers identified a Trojan called Shez that disguises itself as an AutoCAD component in order to create a user account with administrative rights, allowing attackers to steal files and plant additional malware in the future. The Trojan is either dropped by other malware or can be downloaded unknowingly from malicious sites.
Bitcoin exchange Mt. Gox adds ‘extra security’ with one-time password card. To increase security following a series of problems including multiple DDoS attacks, banking delays and the seizure of some of its funds by the U.S. government, the bitcoin exchange Mt. Gox announced new features and updates to its platform, including a one-time password card as an additional layer of authentication.
Flash SMS flaw in Google Nexus devices can be exploited to reboot them. Researcher Bogdan Alecu found a vulnerability in Google Nexus devices that can be exploited to make them reboot by sending a series of Class 0 (Flash SMS) messages. The flaw remained unpatched after Google’s Android Security Team was notified over a year earlier.
You have a Skype voicemail. PSYCHE! It’s just some fiendish Trojan-flinging spam. A United Kingdom police agency and MXLab researchers warned of a spam run of fake Skype voicemail alert emails carrying zip attachments that contain a variant of the ZeuS banking Trojan.
10 million new malware strains identified so far in 2013, Q3 study shows. Panda Security researchers reported that almost 10 million new malware strains have been identified so far in 2013, with close to 77 percent identified as Trojans, followed by worms, and viruses.
Evernote warns users whose passwords have been exposed in Adobe breach. Evernote analyzed user data from a recent Adobe breach and found that some of its customers were using the same passwords for Adobe and Evernote. Evernote notified affected customers and advised them to change their passwords.
ICANN terminates accreditation of registrar Dynamic Dolphin. The Internet Corporation for Assigned Names and Numbers (ICANN) announced that it will terminate registrar Dynamic Dolphin’s registrar accreditation agreement effective December 20 due to the registrar having a convicted felon as its owner, a violation of ICANN regulations.
Kaspersky publishes spam report for October 2013. Kaspersky published their spam report for October and found that email spam increased by 6.6 percent, among other findings.
‘High impact’ Gmail password security hole blew accounts wide open. A security researcher found and reported a security flaw in Gmail that could allow an attacker to use a spoof email with a password reset link to direct users to a site that launches a cross-site request forgery (CSRF) attack, harvesting the user’s username, new password, and login cookie. Google closed the vulnerability after it was notified by the researcher.
Number of digitally signed malware samples increases by 50%. McAfee released its threat report for the third quarter of 2013 and found that attacks against the Android platform increased by over 30 percent, that digitally signed malware increased by more than 50 percent, and that the use of Bitcoin-mining malware is increasing, among other findings.
i2Ninja financial malware uses I2P to maintain secure communications. Researchers at Trusteer discovered a piece of financial malware dubbed i2Ninja that uses the Invisible Internet Project (I2P) networking layer to hide and secure its communications with its command and control servers. The malware is capable of stealing information from most browsers and FTP clients, injecting HTML code, stealing information from popular poker clients, scheduling tasks, and allowing users to search for specific files on a compromised
Apache Tomcat servers targeted by self-replicating malware. Symantec researchers identified a self-replicating worm that runs as a Java servlet, infects Apache Tomcat servers, and appears to be intended for use in distributed denial of service (DDoS) attacks. Command and control servers were identified in Taiwan and Luxembourg.
Bugs hit global payment company PayPal. Researchers with Vulnerability Lab reported finding several vulnerabilities in PayPal’s software that could be used by cybercriminals to hijack customers’ accounts and perform other actions. The vulnerabilities were submitted to PayPal’s bug bounty program.
Google adds Android and Apache to open source security rewards programme. Google expanded its security rewards program for researchers who reveal security issues to include its Android mobile operating system, Apache httpd, and others. Google plans to further expand the platforms included in the program before the end of the year.
Google Ads point to fake Snapchat downloads. Researchers at ThreatTrack Security found that users searching for “Snapchat download” may encounter sponsored results that lead to potentially unwanted applications when they intend to download Snapchat. Similar campaigns of misleading sponsored search results have appeared on Bing as well.
Phony anti-virus programs evade detection with stolen certificates. Researchers at BitDefender found a fake antivirus program named Antivirus Security Pro signed with stolen digital certificates issued to Ease Entertainment Services in 2012. BitDefender contacted Ease Entertainment so that the certificates could be revoked.
Cybercriminals use automated attacks to hack GitHub accounts. GitHub confirmed that its authentication service was targeted by an automated brute force attack starting November 17 and continuing through November 19. Users have reported failed login attempts coming from several countries within a short span of time.
More than 12k Cryptolocker victims in less than a week. Researchers at BitDefender Labs used sinkholing to count connection attempts to a Cryptolocker command and control server and found more than 12,000 victims were infected in less than a week, among other findings.
Battlefield 4 PC servers experience DDoS attack. The servers of PC game Battlefield 4 experienced a distributed denial of service (DDoS) attack November 16 that left many users unable to play the game.
Web hosting provider Hetzner hit by large DDoS attacks. Germany-based Web hosting provider Hetzner reported coming under distributed denial of service (DDoS) attack November 16-17, with the attack running at around 60 Gbps.
Rise seen in use of Google service for mobile botnets. Kaspersky Lab released its latest IT Threat Evolution report, which found that mobile botnets are growing and recently began using the Google Cloud Messaging service to communicate with mobile malware, among other findings.
Arbor Networks analyzes Athena DDoS malware. Arbor Networks published an analysis of the Athena malware, capable of launching distributed denial of service (DDoS) attacks, stealing information, and downloading other malware.
Sinowal and Zbot Trojan collaborate in new attack. Researchers at Trend Micro observed a variant of the ZeuS/Zbot Trojan working in collaboration with a new Sinowal Trojan to attempt to make ZeuS’s job easier by disabling the Trusteer Rapport security software. The two Trojans are dropped by the Andromeda backdoor attached to malicious emails.
Pwn2Own crackers leave iOS and Samsung mobile security IN RUINS. Two teams competing in the PacSec 2013 Pwn2Own competition demonstrated methods to compromise security and steal personal information from a Samsung Galaxy S4 running Android and from Apple devices running iOS 7.0.3 and iOS 6.1.4.
Cybercriminals use new Linux backdoor to steal information from companies. Symantec researchers identified a cybercriminal operation that attacked a large hosting provider using a new Linux backdoor, dubbed Linux.Fokirtor, that was able to gain access to usernames, passwords, emails, and possibly financial information. The backdoor hides inside legitimate server processes rather than running on its own, avoiding the new processes and connections that could give the attack away and prompt a security review.
Adobe Flash Player 11.9.900.152 addresses critical vulnerabilities. Adobe released a new update for Flash Player, closing two critical memory corruption vulnerabilities. Users were advised to install the updates as soon as possible.
Smartphone PINs skimmed with microphone and camera. Researchers at the University of Cambridge created a program called PIN Skimmer which can utilize a smartphone’s camera and microphone to guess a high proportion of PINs, demonstrating how a malicious program could harvest device PINs and passwords.
Vulnerabilities in RunKeeper allowed cybercriminals to run XSS worm. A security researcher found and reported a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability in the RunKeeper app that could have allowed cybercriminals to build a worm capable of stealing user cookies, collecting private data, or distributing malware. RunKeeper fixed the vulnerabilities after being notified.
Banking malware infections rise to highest level since 2002. Trend Micro released a report for the third quarter of 2013 which found that over 200,000 new banking malware infections were observed between July and September, the highest rate in 11 years. The report stated that ZeuS (also known as Zbot) malware was the most common type of malware, and that the U.S. was the most affected country, among other findings.
Automated hacking tools swarm Web site login pages. Incapsula monitored access attempts at the Web sites of 1,000 of its clients and found that malicious automated tools accounted for 94 percent of access attempts. The tools can be used to find weak passwords and other vulnerabilities.
Bitcoin wallet Inputs.io hacked, 4,100 BTC stolen. Inputs.io notified users that attackers breached the bitcoin wallet service and stole around $1.1 million in bitcoins during two attacks. The attackers were able to compromise email accounts, reset passwords, and bypass two-factor authentication by exploiting a server vulnerability.
Cybercriminals opting for real-time malware campaigns and phishing. Commtouch released a report for the third quarter of 2013 and found that the time between news events and phishing attacks that exploited them averaged only 22 hours and that the number of phishing Web sites increased by almost 35 percent during the quarter, among other findings.
Cybercriminals use Android Trojan Svpeng for mobile phishing. Researchers at Kaspersky found that the Svpeng Android Trojan has been enhanced with the ability to perform mobile phishing attacks targeting online banking and credit card information. The Trojan currently targets Russian users but is already equipped with the ability to check for operating system language versions.
Microsoft warns of zero-day attack on Office. Microsoft warned users of a zero day vulnerability in some versions of Office on systems running older versions of Windows. Microsoft offered a fix-it tool until a comprehensive patch can be issued.
Harbor Freight Tools hacked, payment processing system compromised. Harbor Freight Tools began notifying customers of a payment processing system breach that may have exposed customers’ credit card numbers, expiration dates, and CVV codes. The breach concerned transactions that occurred between May 6 and June 30.
Over 1.9 million Adobe hack victims used “123456” as password. Stricture Consulting Group published a list of the most common passwords used by Adobe customers whose information was part of a major data breach and found lax password practices among many users, with “123456” used by 1.9 million accounts.
Hackers take limo service firm for a ride. CorporateCarOnline, a limousine and town car service, was found to have been the target of cybercriminals after a plain text archive of more than 850,000 customers’ credit card numbers, names, addresses, transaction records, and other private information was discovered on the same servers where stolen information from PR Newswire and Adobe Systems Inc. was found. Customers whose information was exposed included members of Congress, celebrities, and business executives.
Adobe passwords leaked by hackers not properly encrypted. Researchers found that most customer passwords exposed in the recent Adobe breach could be recovered because they had been encrypted with Triple DES in ECB mode under a single key rather than hashed. Identical passwords therefore produced identical ciphertext, and because the unencrypted password hints were stored alongside, an attacker could pool the hints of every account sharing a ciphertext to recover the password without breaking the cipher. Adobe confirmed the encryption scheme but stated that passwords created in the last year were protected with a newer, hashed scheme and are not at risk in the same way.
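As an added example (not code from the page or from Adobe), the block below encrypts a few constructed sample passwords with 3DES in ECB mode under one fixed hypothetical key, then groups records by ciphertext to show how plaintext hints pool together, and contrasts this with a salted PBKDF2 hash. OpenSSL's `des-ede3` cipher name is 3DES in ECB mode.

```ruby
require 'openssl'

# Constructed sample records (user, password, plaintext hint); not real breach data.
SAMPLE_USERS = [
  ['alice', '123456',   'numbers'],
  ['bob',   '123456',   'one to six'],
  ['carol', 'password', 'the usual'],
  ['dave',  '123456',   'nothing'],
  ['erin',  'letmein',  ''],
].freeze

# One fixed 24-byte key shared by every record, as a single-key scheme would do.
# Hypothetical key, chosen for the demo only.
KEY = '0123456789abcdefghijklmn'.freeze

# 3DES, ECB mode, PKCS#7 padding (the OpenSSL default): every 8-byte block of
# plaintext is encrypted independently, with no IV and no per-user salt.
def encrypt_3des_ecb(plaintext, key = KEY)
  cipher = OpenSSL::Cipher.new('des-ede3') # des-ede3 == 3DES-ECB
  cipher.encrypt
  cipher.key = key
  cipher.update(plaintext) + cipher.final
end

# Group records by their ciphertext. Equal passwords yield equal ciphertexts.
def group_by_ciphertext(records, key = KEY)
  groups = Hash.new { |h, k| h[k] = [] }
  records.each do |user, password, hint|
    groups[encrypt_3des_ecb(password, key).unpack1('H*')] << [user, hint]
  end
  groups
end

# What an attacker sees without touching the key: per ciphertext, the pooled hints.
def pooled_hints(records, key = KEY)
  group_by_ciphertext(records, key).transform_values do |members|
    members.map(&:last).reject(&:empty?)
  end
end

# ECB leaks structure even across different passwords: two passwords with the
# same first 8 characters share their first ciphertext block.
def first_block_hex(password, key = KEY)
  encrypt_3des_ecb(password, key)[0, 8].unpack1('H*')
end

# The right design: a random per-user salt and a slow KDF, so equal passwords
# produce unrelated digests and there is nothing to group on.
def hash_password(password, salt = OpenSSL::Random.random_bytes(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                                length: 32, hash: 'sha256')
  [salt.unpack1('H*'), dk.unpack1('H*')]
end

if __FILE__ == $PROGRAM_NAME
  pooled_hints(SAMPLE_USERS).each { |ct, hints| puts "#{ct}  hints=#{hints.inspect}" }
  puts first_block_hex('password1234') == first_block_hex('passwordXYZ')
end
```

Run it and the three "123456" users collapse into one ciphertext whose pooled hints ("numbers", "one to six") give the password away; the hashed variant produces a different digest for each of them.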
Fake LinkedIn profile gathering info for targeted attacks. Websense researchers identified and reported a LinkedIn account likely being used by cybercriminals to collect information for targeted attacks. The account is used to view potential targets’ profiles and to attempt to redirect users to a dating Web site whose IP address and Autonomous System Number are associated with past malicious activity.
Upatre Trojan downloads malware that downloads malware. Researchers at Microsoft’s Malware Protection Center reported a spike in Win32/Upatre infections in recent months, with a spam campaign distributing the Trojan in malicious attachments. Once it infects a system, the Trojan downloads additional malware.
New malware variant suggests cybercriminals targeting SAP users. Researchers at Doctor Web observed a new variant of a banking Trojan that also contains code to search infected systems for SAP client applications, possibly as a first step to targeting SAP users in the future.
Searching for “Google Chrome download” on Yahoo can result in malware infection. ThreatTrack Security researchers discovered that searching for “Google Chrome download” on Yahoo’s search engine can lead users to malicious Web sites via sponsored ads. The malicious sites then attempt to install a variant of the Sirefef/ZeroAccess malware.
Mavericks Mail’s spam-spewing ‘flaw’ was scripted by red-faced user. Cloud messaging service FastMail retracted a report that Apple OS X Mavericks Mail was generating large volumes of spam email after finding that the issue was inadvertently caused by an AppleScript written by one of its own employees.
HTTP 301 redirections lead to trouble for mobile apps. Researchers at Skycure found that thousands of mobile apps developed for Apple iOS can be forced to display fake or malicious content due to a vulnerability dubbed HTTP Request Hijacking, in which an attacker on the same network answers an app’s request with a cached 301 redirect that the app keeps following on later launches.
Researchers hack counterfeit money detector to accept paper as valid currency. A researcher at IOActive discovered a way to modify the firmware of the Secureuro counterfeit money detector, widely used in Spain, so that the device accepts ordinary paper as valid currency. The modifications can be made without hardware hacking and are aided by the lack of encryption in the firmware.
MongoHQ scrambles to address major database hack. Database hosting service MongoHQ reported that it was the victim of a security breach October 28 that compromised users’ email addresses, hashed password data, and other account information.
Adobe breach impacted at least 38 million users. Adobe confirmed that a recent data breach impacted at least 38 million users, with Adobe ID usernames and hashed passwords obtained by attackers. The company also confirmed that the attackers obtained at least some of the source code for Photoshop, as well as previously reported access to the source code of Acrobat, Reader, and ColdFusion.
Hackers can hijack Facebook accounts by exploiting flaw in Android apps. A researcher at Attack Secure found and reported two vulnerabilities in Facebook applications for Android that could allow an attacker to steal access tokens and hijack accounts.
Dun & Bradstreet starts notifying customers of data breach. Dun & Bradstreet began notifying customers that business information was potentially exposed during an attack in March and April 2013 on their commercial information databases.
Syrian Electronic Army claims U.S. President social media hijacking. Members of the Syrian Electronic Army hacktivist group briefly compromised the Twitter and Facebook accounts of the U.S. President October 28 and sent out links to the group’s Web site. The group obtained access by compromising the URL shortening service ShortSwitch and Organizing for Action staff email accounts.
ATM malware may spread from Mexico to English-speaking world. Researchers at Symantec found that the Ploutus banking malware previously used to empty ATMs in Mexico has been translated into English. Two versions made for operating on different ATMs were identified, with the malware spread via manually inserting a CD boot disk into an ATM.
Buffer hacked, attackers send out spam via customer accounts. Hackers were able to compromise systems belonging to social media scheduling service Buffer October 26, sending out spam messages through customers’ Twitter and Facebook accounts. Facebook reported that 30,000 of its customers with connected Buffer accounts were affected.
IBM warns Storwize arrays can DELETE ALL DATA. IBM warned owners of its Storwize arrays, Flex System V7000, and SAN Volume Controllers that administrator access could be obtained without authentication using vulnerabilities in Apache Struts, allowing an unauthorized user to make modifications to the configuration, including deleting all data.
Two PHP.net servers hacked, set up to serve malware. The PHP Group found that two of their servers had been compromised and set up to spread malware. Affected services were migrated to secure servers, and the php.net SSL certificate was revoked since it was possible that the attackers had access to its private key.
Researchers flag security flaws in new LinkedIn offering. Security researchers warned that a new feature in LinkedIn called LinkedIn Intro can pose security and privacy risks since it reroutes emails through LinkedIn servers, making private and company emails visible to the service and removing encryption.
Cisco fixes DoS, remote code execution bugs in six products. Cisco released patches for six products, closing several denial of service (DoS) and remote code execution bugs.
Php.net flagged as suspicious website by Google. Google warned users who tried to visit Php.net that four Trojans were found on the site October 23 and blocked access.
Attackers use smaller botnets to launch high-bandwidth attacks. Prolexic’s third quarter 2013 report on distributed denial of service (DDoS) attacks found that attackers have often shifted to using smaller botnets for distributed reflection denial of service (DrDoS) attacks that allow attackers to obfuscate the source of the attack and to use the bandwidth of intermediary victims, among other findings.
U.S. financial institutions complete Quantum Dawn 2 cybersecurity exercise. The Securities Industry and Financial Markets Association (SIFMA) published the results of its Quantum Dawn 2 cybersecurity exercise. The exercise involved over 50 financial organizations, tested participants against several simulated cyberattacks, and led to a report on the observed strengths and weaknesses of financial services cybersecurity.
Network Solutions apologizes to customers after DNS incident. Network Solutions informed users experiencing DNS and email issues October 21 that the problems were caused by spam abuse that resulted in blacklisting by four organizations.
U.S. enterprises in path of data-hijacking Sazoora campaign, firm finds. A researcher at Seculert reported that more than 1,800 machines in the U.S. were infected by the latest version of the Sazoora data-hijacking Trojan, Sazoora.B. The malware has affected around 23,000 machines globally and the newest variant contains new features to help it avoid detection and botnet hijacking.
Aaron’s computer rental chain settles FTC spying charges. Rent-to-own computer chain Aaron’s agreed to settle Federal Trade Commission charges that the company installed spyware on customers’ computers that took photos and used keyloggers to steal login credentials. Under the agreement, the company is prohibited from using monitoring programs and must obtain customer consent to use location-tracking software on its rental computers.
Simple bug exposed Verizon Wireless users’ SMS history. A researcher found and reported a vulnerability in Verizon Wireless’s customer portal that enabled anyone to use a subscriber’s phone number to download that user’s SMS history by modifying the portal URL.
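The Verizon portal bug above is an insecure direct object reference: the caller is authenticated, but the phone number in the URL is never checked against the logged-in account. As an added example (not the page's or Verizon's code, with constructed sample data and hypothetical session and subscriber tables), the block shows the vulnerable handler beside the corrected one.

```ruby
# Constructed sample data (assumptions for the demo, not real subscribers).
SMS_HISTORY = {
  '5551230001' => ['hi from 0001', 'meeting at 3'],
  '5551230002' => ['pickup code 9137'],
}.freeze

# Which phone numbers each account owns, and which session belongs to which account.
SUBSCRIBER_NUMBERS = { 'user-1' => ['5551230001'], 'user-2' => ['5551230002'] }.freeze
SESSIONS = { 'sess-abc' => 'user-1' }.freeze

# Vulnerable: authentication only. Any logged-in user can pull any number's
# history by editing the number in the URL (e.g. ?mdn=5551230002).
def sms_history_vulnerable(session_id, number)
  return [401, 'not logged in'] unless SESSIONS[session_id]
  return [404, 'not found'] unless SMS_HISTORY.key?(number)
  [200, SMS_HISTORY[number]]
end

# Fixed: authorization is tied to the session's account, not to the request
# parameter. "Not yours" and "does not exist" return the same response so the
# endpoint cannot be used to enumerate which numbers are in service.
def sms_history_fixed(session_id, number)
  account = SESSIONS[session_id]
  return [401, 'not logged in'] unless account
  owned = SUBSCRIBER_NUMBERS.fetch(account, [])
  return [404, 'not found'] unless owned.include?(number) && SMS_HISTORY.key?(number)
  [200, SMS_HISTORY[number]]
end

# Safer still: derive the object from the session and never accept it from the URL.
def my_sms_history(session_id)
  account = SESSIONS[session_id]
  return [401, 'not logged in'] unless account
  [200, SUBSCRIBER_NUMBERS.fetch(account, []).to_h { |n| [n, SMS_HISTORY.fetch(n, [])] }]
end

if __FILE__ == $PROGRAM_NAME
  p sms_history_vulnerable('sess-abc', '5551230002') # leaks another subscriber's messages
  p sms_history_fixed('sess-abc', '5551230002')      # [404, "not found"]
end
```

The last function is the pattern to prefer in a customer portal: when the resource is always "the caller's own", take it from the authenticated session and do not expose an identifier for the client to tamper with.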
Eastern European banking systems targeted by hackers in Apollo campaign. Trend Micro published a white paper on a cybercrime campaign dubbed Apollo that is using a variant of the Zeus Trojan to steal banking credentials and other information from customers of major eastern European banks. The campaign also utilizes tools such as Pony Loader, Ann Loader, and the Bleeding Life exploit pack.
Google pulls all Android apps linked to adware badness THAT MUST NOT BE NAMED. Google removed several Android apps from its Google Play store found to be using an unnamed mobile app library dubbed Vulna after it was reported that the library poses a major security risk. Google also canceled several Developer accounts associated with apps found to be exploiting the app library vulnerability.
Cutwail cybercriminals replace BlackHole with Magnitude exploit kit. Researchers at Dell’s SecureWorks reported that a cybercriminal group that uses the Cutwail spam botnet to distribute malware has switched from using the BlackHole exploit kit to using Magnitude (Popads) following the arrest of BlackHole’s alleged creator. Trend Micro also reported that all major campaigns utilizing BlackHole have ended following the arrest.
Hackers access customer database of hair care company Ouidad. Ouidad notified customers that its user database was compromised by cybercriminals that obtained names, credit card numbers, CVV numbers, card expiration dates, contact and shipping information, and some usernames and passwords.
Dropbox users hit with Zeus phishing Trojan. Researchers at Appriver identified a phishing campaign targeting Dropbox users that claims a password was reset and then directs users to Web pages that offer to install a browser update that is actually a piece of Zeus malware.
Fake Avaya voice message notifications carry malware. A researcher reported that fake Avaya voicemail notifications are being used to distribute a piece of malware that is currently not flagged as a threat by most antivirus services.
Sophos publishes Dirty Dozen spam report for Q3 2013. Sophos released its third quarter 2013 Dirty Dozen spam report showing which countries relay the most spam, with the U.S. continuing to be the largest spam-relaying country with 14.6 percent of spam by volume.
Video game forum NeoGAF hacked, user passwords reset. Video game forum NeoGAF reset its users’ passwords after an administrator account was briefly compromised and could have been used to steal user information.
VMware patches flaws in ESX, vCenter. VMware issued several patches for its products, including vCenter and ESX, closing a number of vulnerabilities that could be used for authentication bypass or denial of service.
Breach at PR Newswire tied to Adobe hack. PR Newswire confirmed that researchers uncovered the theft of usernames and encrypted passwords of some of its customers. The information was found on servers that also held source code and other information stolen from Adobe Systems Inc.
New malware enables attackers to take money directly from ATMs. Researchers at Safensoft and Trustwave identified and analyzed a piece of malware known as Ploutus that has been infecting ATMs in Mexico and allowing criminals to instruct the machines to dispense cash. The ATMs are infected after their CD-ROM drives are forced open, and instructions are given to compromised machines either by keypad sequences or by the interactive interface.
Info stealer Trojan Nemim used against organizations from the U.S. and Japan. Symantec researchers found that the Nemim Trojan is being used in a campaign targeting U.S. and Japanese organizations to collect information from infected computers, and that the campaign and Trojan appear similar to the Egobot Trojan that has been used to target South Korean organizations since 2009.
PureVPN hacked, stolen email addresses used to send fake emails. VPN provider PureVPN experienced a data breach where attackers managed to access some email addresses and customer names, which were then used to send fake emails about the service shutting down. PureVPN confirmed the breach and found that the attackers had exploited a WHMCS vulnerability to gain access to the information.
Cybercriminals use Upatre downloader to distribute Gameover Trojan. Researchers at Dell’s SecureWorks Counter Threat Unit found that the cybercriminal group using the peer-to-peer (P2P) version of Zeus, Gameover, is using the Upatre downloader to distribute their malware, in addition to the Pony Loader downloader.
Android scareware delivered via advertising SDK. Experts from Bitdefender uncovered several legitimate applications that include the Android advertising SDK from InMobi, which is being leveraged by cybercriminals to distribute a piece of scamware that signs users up for a premium-rate mobile service and charges them for receiving wallpapers and ringtones.
Phishing Scam: Urgent Windows error fix alert from Microsoft. Researchers from Sophos discovered fake Microsoft phishing emails that are being used by cybercriminals to leverage problems with recent patches put out by the company in order to gain personal information from users.
Exploit kit uses VBScript to deliver malware. Researchers at Sourcefire identified an exploit kit that uses VBScript to write an executable file to the disk without using a vulnerability or downloading an executable file. A malicious Web site prompts users to run an add-on named “Microsoft Script Runtime” to begin the attack.
LinkedIn patches multiple XSS vulnerabilities. Social network LinkedIn fixed four cross-site scripting (XSS) vulnerabilities in its Web site during July, according to a vulnerability report issued by the researcher who first identified and reported the vulnerabilities.
77% of new malware samples found in Q2 2013 were Trojans. Panda Security’s second quarter 2013 threat report found that 77 percent of malware detected during the period were Trojans, and that the global infection rate increased from 31.13 percent to 32.77 percent, among other findings.
Cybercriminals exploit most news within 22 hours. Commtouch Security Lab found that campaigns designed to spread malware by exploiting news stories had begun exploiting a story on average about 22 hours after an event during the last 3 months.
Over 70% of WordPress installations are vulnerable to hackers. Researchers at WP WhiteSecurity found that over 70 percent of the Alexa top 1 million WordPress Web sites are vulnerable to attacks due to outdated WordPress installations.
Unique Vintage hacked, server infected with malware since January 2012. Unique Vintage notified customers that personal and credit card information was compromised after it identified malware on its systems that had been in place since January 2012. The compromised information comprises names, email addresses, phone numbers, and credit card numbers.
Icefog cybercriminals launch hit and run attacks against high-profile organizations. Kaspersky released a report on an advanced persistent threat (APT) cyberespionage campaign dubbed Icefog that has been targeting a variety of organizations since 2011. The campaign targets military contractors, telecoms, maritime and shipbuilding organizations, satellite operators, media, governments, and high-tech companies mainly in Japan and South Korea but with some targets in the U.S. and several European and Asian countries.
New malware Napolar steals information, launches DDoS attacks. Researchers from Avast and ESET analyzed a new piece of malware dubbed Napolar, whose author is Solarbot, that is capable of stealing information and launching distributed denial of service (DDoS) attacks. The malware is being sold for $200 and is being distributed to targets through Facebook.
Microsoft uncovers Sefnit Trojan return after Groupon click-fraud scam. Researchers at Microsoft discovered a new version of the Sefnit click fraud Trojan being used as a botnet to defraud Groupon and other popular Web sites.
ICG America hacked, credit card details possibly stolen. E-commerce and Internet marketing company ICG America notified customers that attackers compromised its systems and installed malware that was capable of capturing and decrypting payment information from its systems. The attack began in early January and continued until August 2.
Tumblr fixes DOM XSS vulnerability 2 months after being notified. Tumblr fixed a DOM-based cross-site scripting (XSS) vulnerability that could be used for spam, spreading malware, and phishing attacks 2 months after a security researcher informed Tumblr of the issue.
Phone numbers harvested from Craigslist used in SMS scam. Symantec researchers identified a scam campaign targeting individuals who have posted ads on Craigslist that appears to be using automated harvesting tools to collect phone numbers in posts and then send SMS messages to the numbers which attempt to get targets to access a link on their PC. The link then takes the user to a fake version of GIMP that installs several additional pieces of software used by scammers to generate money via affiliate programs.
BLYPT backdoor malware targets U.S. users via Java exploit. Trend Micro researchers identified a new family of backdoor malware dubbed BLYPT targeting regular Internet users in the U.S. via drive-by downloads and hijacked Web sites. The malware utilizes a Java vulnerability that was patched in March.
Gmail hit by message delivery delays, close to 50 percent of users affected. An undisclosed issue caused some users of Google’s Gmail service to experience email delivery delays for up to almost 9 hours September 23. The disruption also affected Google Docs and Presentation applications for a shorter amount of time.
HLTV.org disrupted by DDoS attack. HLTV.org, a major Half Life TV esports provider, experienced a large distributed denial of service (DDoS) attack September 23, bringing down the site for 2-3 hours.
Flaw in iOS 7 lets attackers take control of users' iPhones. Researchers at Cenzic disclosed a security vulnerability in Apple's iOS 7 mobile operating system that can allow attackers to use the Siri voice assistant to send messages and make social media posts while the iPhone is locked.
FBI warning users about Beta Bot malware. The FBI warned users about a campaign using the Beta Bot Trojan to target online payment systems and financial institutions, as well as to block users' access to security Web sites and disable antivirus programs. The malware has been seen propagating via Skype and USB thumb drives.
New file encrypting ransomware CryptoLocker targets organizations. Emsisoft researchers discovered a new family of ransomware dubbed CryptoLocker (or Trojan:Win32/Crilock) which encrypts files important to businesses with AES encryption and demands a ransom to decrypt them. The ransomware appears to be targeting businesses, judging by the types of files it encrypts and the types of emails used to distribute its downloader.
New ransomware strain forces hapless users into becoming Bitcoin miners. A new variant of the Reveton ransomware spotted by researchers at Malwarebytes locks out users from their computers and then uses the infected system to mine Bitcoins.
New wave of Shylock Trojan targets bank customers. Researchers at Zscaler warned of a new campaign using the Shylock (also known as Caphaw) Trojan to target financial institutions. The initial infection vector is currently unknown but thought to be an exploit kit targeting Java vulnerabilities.
Crooks hijack retirement funds via SSA portal. The Social Security Administration (SSA) and financial institutions reported a rise in identity theft cases where criminals register an account on the SSA Web portal in the name of a retiree and then divert the benefits to themselves in the form of prepaid debit cards.
Another flawed Office update tells users to buy the suite. Microsoft confirmed that one of the patches in its September 10 Patch Tuesday update is causing problems for users of Office 2010 Starter Edition, changing file associations of documents and in some cases telling users that they must buy a full capabilities version of Microsoft Office.
Researchers create undetectable layout-level hardware Trojans. A group of researchers published a paper outlining how hardware Trojans could be implemented stealthily below the gate level. The Trojans can weaken protection in random number generators, create a method for leaking secret keys, and when tested were not detected by common Trojan testing methods.
NASDAQ website vulnerable to XSS attacks, expert says. A researcher from High-Tech Bridge identified several cross-site scripting (XSS) vulnerabilities on the Web site of the NASDAQ exchange that could be exploited for phishing attacks. NASDAQ corrected the issues but at least one vulnerability reportedly remains.
Do you trust your waiter? Hacked bank-card reader TEXTS your info to crims. A video advertising a compromised card reader was discovered on underweb forums. The device retains a customer's card information, which can be extracted via a cable or sent by text message if the device is fitted with a SIM card. The sellers of the device also offer buyers a money laundering service that utilizes a network of corrupt merchants.
Android WebView vulnerability allows cybercriminals to install malicious software. Researchers at AVG Technologies identified a vulnerability in the WebView control in Android applications that can be used to install malware on users' devices. The vulnerability affects devices with versions of Android older than 4.2.
CSRF vulnerability in eBay allows hackers to hijack user accounts. An IT consultant found several security issues on eBay, including a cross-site request forgery (CSRF) vulnerability that could be exploited to change user account information and gain access to accounts.
Website on malware analysis infects visitors, leads to Zeus-laden spam. Hackers compromised the Web site PracticalMalwareAnalysis and are using it to spread the Pushdo botnet malware. Infected systems are then used as part of the botnet to send out spam emails containing the Zeus Trojan.
New monitoring, security features for Java 7. Oracle released an update for Java 7 September 10, which includes fixes for several vulnerabilities and issues, as well as adding two new features for monitoring and correcting development and deployment issues.
Researchers find third variant of OS X Tibet malware. Intego researchers identified a third variant of the "Tibet" malware for OS X, dubbed OSX/Tibet.C. The new variant is distributed via a Java applet hosted on Web sites and uses several recently-patched Java vulnerabilities to attempt to install a backdoor on a victim's system.
Shopping cart malware compromises credit card information. Two Web sites belonging to the Outdoor Network had their shopping cart systems infected with malware, possibly compromising customers' names, addresses, credit card numbers, CVV codes, and card expiration dates. The compromise affects transactions made between December 2012 and July 2013.
Multiplayer video game servers abused for DDoS attacks, experts warn. Prolexic warned that cybercriminals are increasingly abusing multiplayer gaming servers to make their distributed denial of service (DDoS) attacks more efficient. Prolexic observed instances of gaming servers being used to launch DDoS attacks against financial services and online gaming targets.
Syrian Electronic Army hacks large number of FOX Twitter accounts via HootSuite. Members of the Syrian Electronic Army hacktivist group compromised dozens of Twitter accounts belonging to FOX after they gained access to a HootSuite account that links the profiles.
Saboteurs target OAuth protocol to compromise HootSuite users. Around 7,000 HootSuite accounts were compromised and used to send spam through Twitter after attackers targeted a third-party application that uses OAuth to gain access.
C&C PHP script for staging DDoS attacks sold on underground forums. A security researcher at Webroot discovered a command and control (C&C) PHP script, designed to coordinate multiple compromised servers for use in distributed denial of service (DDoS) attacks, for sale on an underweb forum. The script appears to be in the early stages of development and is currently listed at $800.
Biz bods STILL don’t patch hacker’s delight Java and Flash. Websense reported that 81 percent of businesses run outdated versions of Java and 40 percent run outdated versions of Flash, leaving many businesses vulnerable to popular exploits that can be used to steal data or disrupt operations.
Android malware uses SMTP to send stolen information. F-Secure researchers identified a piece of Android malware, Trojan:Android/SMSAgent.C, that uses SMTP servers to send back stolen information. The malware collects phone numbers, SMS messages, and recorded audio.
1,000 Japanese one-click fraud apps published on Google Play in August 2013. Symantec reported that during August a total of 2,500 one-click fraud apps were spotted on the Google Play store, with close to 1,000 of the malicious apps being uploaded by a suspected Japanese cybercrime group.
AVG warns of fake AVG antivirus apps hosted on Google Play. AVG Technologies reported finding at least 33 fake versions of the company’s antivirus app on Google Play. The fake apps change devices’ search options and spam victims with advertisements.
Sykipot malware used to gather intel on U.S. civil aviation sector. Trend Micro researchers spotted the Sykipot malware being used in a new campaign targeting the U.S. civil aviation sector.
Fraudsters abuse Google Calendar for Android to send out scam messages. Researchers at Webroot found that scammers are registering thousands of fake Google accounts and using the Google Calendar app for Android to send out spam calendar invites.
Obad Android Trojan distributed via mobile botnets. The operators of the Obad mobile botnet have begun using four distribution methods to spread malware to mobile devices, including a new one: dissemination via a mobile botnet built using another form of malware.
Public exploit available for patched Safari bug. Packet Storm released a proof-of-concept exploit for a patched Safari heap buffer overflow vulnerability. The vulnerability was patched in November 2012 and affects users who have not yet updated to newer versions of OS X and iOS.
FTC: Negligence by security camera vendor harms customers’ privacy. TRENDnet settled U.S. Federal Trade Commission charges that were brought due to lax security practices in software for its security cameras that allowed the cameras’ feeds to be remotely posted and watched by unauthorized users.
Cisco warned users of four vulnerabilities. Cisco published four moderate-severity security notices, warning customers of issues in its IOS XR carrier routing software, unified computing system, Adaptive Security Appliance software, and the Web administrator interface for its wireless LAN controllers.
Osprey Packs hacked, customer credit card information stolen. Colorado-based Osprey Packs notified customers of its Pro Deal Web site that attackers might have used malware to obtain access to customers’ credit card numbers and expiration dates, shipping and email addresses, names, and phone numbers.
Digital Product Delivery hit by DDoS attack. E-commerce service provider Digital Product Delivery was hit by a distributed denial of service (DDoS) attack September 2. The attack disrupted service to customers before normal operations were restored.
Cybercriminals attach disassembled malware to malicious emails. Researchers at Symantec observed a targeted email attack technique in which the malware is split into several components that are reassembled when a shortcut file is launched, helping the malware evade detection.
Fraud and identity theft camouflaged by DDoS attacks. Researchers at Prolexic detailed attack signatures associated with the Drive distributed denial of service (DDoS) toolkit, a tool often used in DDoS attacks that serve as a distraction while attackers attempt to compromise financial and e-commerce services.
Hackers steal credit card information from Midwest Supplies. The Web site of Minneapolis-based Midwest Supplies brewing and winemaking supplies company was breached by hackers who obtained access to customer names, addresses, credit card numbers, expiration dates, CVVs, phone numbers, and email addresses, the company revealed.
Expert shows how hackers can forge application names in Java security dialog. A researcher at Duckware identified three flaws in Java 7 Update 21, including one where the name of an app that appears in Java's security dialog can be easily forged.
Cisco patches remote command execution flaw in Secure Access Control Server. Cisco issued a patch that closes a vulnerability in its Secure Access Control Server (ACS) that could be remotely exploited to execute arbitrary commands and take control of servers.
Remote unauthenticated bug haunts Cisco ACS Server. Cisco warned of a remotely-exploitable vulnerability in several versions of its Secure Access Control Server (ACS) that can allow an attacker to take full control of a server if it is configured as a RADIUS server.
Cybercrime service automates creation of fake scanned IDs, other identity verification documents. Researchers at Group-IB identified a new Web-based cybercrime service that automates the creation of various forms of fake identification including passports, banking statements, and utility bills.
Cloud hosting company DigitalOcean hit by DDoS attack. Cloud hosting service provider DigitalOcean announced that it was the target of a distributed denial of service (DDoS) attack August 28 that disrupted the company’s Web site and control panel.
FBI warns of “search for missing children” spear phishing emails. The FBI warned users of a spearphishing campaign using three malicious files in emails and documents purporting to be from its National Center for Missing and Exploited Children.
Phony Adobe plug-in malware bypasses Craigslist spam controls. Researchers at Solera Networks discovered a spam campaign on Craigslist that uses malware on compromised machines to post spam advertisements.
Pinterest closes hole that allowed anyone to view users’ email addresses. A security researcher found and reported a vulnerability in Pinterest that could allow an attacker to easily discover a user’s email address. Pinterest responded to the researcher and closed the vulnerability.
Linux users warned of privilege escalation vulnerability in VMware Workstation. VMware advised users that VMware Workstation and Player contain a vulnerability that could be exploited on Debian-based Linux machines to escalate privileges to root. A workaround was provided.
Cybercrooks use DDoS attacks to mask theft of banks' millions. A researcher at Gartner reported that three unidentified banks were the victims of fraudulent wire transfers that used low-level distributed denial of service (DDoS) attacks to distract attention from the thefts.
PayPal fixes vulnerability that allowed hackers to delete any account. A researcher with Vulnerability Lab identified a vulnerability in PayPal that could allow a malicious user to delete another user's account by falsely registering and then removing the victim's email address. PayPal has now addressed the issue.
McAfee threat report highlights mobile attacks, ransomware, malicious sites. McAfee's second quarter threat report highlighted the increasing prominence of aggressive attacks on the Android mobile operating system, as well as the growth of ransomware and infected Web sites distributing malware, among other findings.
Amazon outage: US and Canada service fail takes down 82 domains. Amazon experienced an outage August 19 affecting its Web sites in the U.S. and Canada for almost half an hour.
Sirefef malware found using Unicode right-to-left override technique. A variant of the Sirefef malware was found to be using a known Unicode right-to-left technique to disguise entries in infected machines' registries as legitimate ones.
Attackers use Ramnit malware to target Steam users. Trusteer researchers found a new variant of the Ramnit financial malware being used to steal login credentials for the Steam gaming service.
Fake Adobe Flash Player update extension serves salacious spam ads. A fake Adobe Flash Player update extension for Chrome, Firefox, and Safari browsers has been found in a widespread campaign that injects spam ads onto regular Web sites.
LastPass bug leaks plain text passwords. Users of the LastPass password manager were advised to update to the newest version of the software after a bug was discovered that could expose users' passwords if they are using Internet Explorer.
Firm found using browser plugins to inject unauthorized ads on YouTube. Ad firm Sambreel was found to be using two browser plugins to inject unauthorized ads into YouTube. Malware peddlers have previously been found to use such unauthorized ads to direct users to malicious sites.
Thieves use new method in ATM skimming. Police in the Port St. Lucie area reported that two thieves were seen on video attaching skimming devices to ATMs at Publix grocery stores. The thieves target machines with external card slots, drill holes in the bottom of the reader to avoid detection, and then place skimmers into the drilled hole before sealing it.
New ransomware threat "Browlock" freezes computers and demands payment. Researchers at F-Secure identified a new ransomware called Browlock being used against users in the U.S., Canada, and the U.K. and originating on a server in Russia.
Hackers abuse Google Cloud Messaging service in Android malware attacks. Researchers at Kaspersky found that cybercriminals are using a loophole in Google Cloud Messaging to use the service as a command and control server for their Android malware.
Security firm warns of Joomla exploit, users advised to update their installations. Researchers from Verasafe warned users of a zero-day attack in the wild that can control Joomla Web sites and advised them to update their installations. Servers become compromised after users are redirected to a Blackhole landing page and become infected with a Zbot variant.
Facebook scam: Free tickets to Las Vegas from Southwest Airlines. Researchers warned Facebook users about scam posts claiming to give away free Southwest Airlines tickets to Las Vegas that are actually malicious links hidden behind a survey used to extract money from unsuspecting users.
Chinese hacker group behind New York Times attack returns with updated tools. FireEye researchers believe a Chinese hacking group responsible for breaking into the New York Times and other high-profile organizations launched a new attack using variants of the Backdoor.APT.Aumlib and Backdoor.APT.lxeshe malware programs. The researchers recommended that companies ensure their detection tools are updated to identify the new variants.
Spam email contains malware, not Apple gift card. A malicious email, appearing as a $200 Apple Store Gift Card, links victims to instructions on how to download malware that steals data from their computers. The campaign ties the malware to both a link and an attachment, allowing users to become infected through either method.
Sophos experts find more malware leveraging Android “master key” vulnerability. Researchers at Sophos identified three new malware files leveraging the Android “master key” vulnerability. Two malware files are not functional, while the third is able to collect data and send out SMSs.
Citizens Bank hit by DDoS attack, customers warned of intermittent interruption. Citizens Bank warned customers August 8 that the bank's Web site was under distributed denial of service (DDoS) attack, which could cause service interruptions in online and mobile banking services.
'Hand of Thief' banking Trojan reaches for Linux – for only $2K. A banking Trojan called "Hand of Thief" targeting Linux users was found for sale for $2,000 in underweb forums, according to researchers from RSA. The Trojan includes form-grabbers for several browsers, routines to block access to security updates and security measures, and virtual machine detection to avoid analysis.
HP plugs password-leaking printer flaw. HP released patches for several models of LaserJet Pro printers that close a vulnerability caused by hardcoded URLs in the printers’ firmware which could allow an attacker to extract plaintext user passwords.
Chrome not the only browser that stores plain-text passwords. Google responded to a software developer’s post that discussed how the Chrome browser displays saved passwords by stating that if an attacker compromises a user’s operating system account then there would be insufficient means to prevent them from accessing passwords. Several security researchers debated whether the saved passwords systems represent a security threat, while one noted that Firefox also stores passwords in a similar manner.
Remotely exploitable bug affects wide range of Cisco telepresence systems. Cisco issued an advisory about a serious vulnerability in its TelePresence system, caused by default credentials in the system, that could be used by an attacker to gain complete control of the Web server on which the system is running. Workarounds were listed for use until a patch can be issued.
Malware developers migrate ZeuS P2P protocol to new port range. Researchers at Damballa found that the developers of the GameOver peer-to-peer (P2P) version of the ZeuS malware have begun migrating the P2P protocol to a new port range.
Reveton malware uses fake AV to help crooks make a profit. ThreatTrack Security researchers identified a variant of the Reveton ransomware that uses a fake antivirus program called Live Security Professional to lure users into paying the cybercriminals behind it. The ransomware is distributed using the Sweet Orange exploit kit.
Expect more Android security issues in 2013. Trend Micro released their second quarter 2013 Security Roundup Report which found that the number of malicious and high-risk Android apps has grown rapidly from the previous quarter, to 718,000 from 509,000. Malware targeting online banking also grew, increasing 29 percent from the first quarter.
Malware disguised as “F-Secure Security Pack” browser extension. F-Secure warned users that cybercriminals are using the company’s name to distribute a malicious browser extension called “F-Secure Security Pack” that makes social media posts on users’ networks without permission.
Windows Phones BLAB passwords to hackers, thanks to weak crypto. Microsoft warned users to take precautions after it was found that the encryption Windows Phones use to transmit domain credentials is cryptographically weak, allowing rogue hotspots to intercept and decrypt the information. Microsoft advised IT departments to distribute a special root certificate that allows the phones to confirm that they are connecting to a genuine access point before transmission.
Samsung Smart TVs can be hijacked, researchers warn. Researchers from ISEC Partners at the Black Hat 2013 conference demonstrated several vulnerabilities in Samsung Smart TVs that can be exploited to obtain sensitive information or spy via webcam.
IPv6 is latest tool for stealing credit card numbers and passwords. Security firm Neohapsis warned that incomplete deployment of the IPv6 protocol could allow attackers to monitor networks or redirect users to malicious pages by setting up a rogue IPv6 path alongside an existing IPv4 connection. Modern operating systems will then select the IPv6 connection due to their built-in preference for the protocol.
Android one-click Google authentication method puts users, businesses at risk. A Tripwire researcher at the DEF CON 21 conference detailed a way in which the weblogin feature on Google sites can be used to give attackers access to Google accounts. The researcher published a proof-of-concept app that can steal weblogin tokens and send them to the attacker for use.
Smart bot reads your Facebook, mimics you in spear phishing messages. Trustwave researchers presented findings on how social media is used to generate spearphishing attacks and released a tool called Microphisher which automates the monitoring of a target’s social media in order to develop a ‘fingerprint’ of believable language patterns to better impersonate the target.
Phishing attacks show sudden drop as criminals use servers for DDoS. The Anti-Phishing Working Group released their first quarter 2013 report, which found that detected phishing Web sites fell 20 percent in the quarter as cybercriminals switched servers to malware distribution or distributed denial of service (DDoS) attacks.
Comfoo cyberspy campaign still active. Dell SecureWorks found in a report that the Comfoo cyberespionage campaign is still actively targeting corporate and government systems worldwide, and found over 200 variants of the malware.
Opscode wiki and ticketing systems hacked, user data compromised. Opscode, developer of the Chef Software configuration management tool, warned customers that attackers gained access to its wiki and ticketing user database, compromising usernames, emails, names, and hashed passwords.
FBI announces cyberattack-reporting portal for private sector companies. The FBI launched a pilot program, called iGuardian, for private sector companies to report cyber threats. The program is initially open to companies that are part of the InfraGard network and may eventually be opened to others.
Businesses warned to prepare for evolved Andromeda botnet. Researchers at Trend Micro found that the authors of the Andromeda botnet are about to release a major update to the botnet, including bug fixes and new plugins.
Gmail, Outlook.com, and e-voting ‘pwned’ on stage in crypto-dodge attack. Researchers demonstrated a man-in-the-middle attack at the Black Hat 2013 conference which can allow unauthorized access to email by preventing logout requests. The attack could also be used against certain electronic voting systems.
Google Code developer site targeted by hackers. A researcher at Zscaler identified a scheme where hackers targeted the Google Code developer site in order to host malware, part of a reported trend in attacks.
Malware attacks via malicious iPhone chargers. Researchers at the Black Hat 2013 conference built an iPhone charger that can infect devices connected to it and demonstrated how their attack bypassed Apple security features.
Crooks using Android master key to sneak Trojans onto smartphones and tablet devices. Researchers at Dr. Web identified a Trojan exploiting the Android ‘master key’ vulnerability to infect devices. A similar campaign was identified in July.
Vulnerabilities in D-Link network video recorders enable remote spying, researcher says. Researchers at Qualys found remotely exploitable vulnerabilities in two models of D-Link network video recorders that can enable access to surveillance camera feeds and other data. It was unclear whether a firmware update issued in July closed the vulnerabilities.
Bogus Chrome, Firefox extensions pilfer social media accounts. Trend Micro researchers discovered two malicious browser extensions for Chrome and Firefox that can hijack Twitter, Facebook, and Google+ accounts if installed.
Shorter, higher-speed DDoS attacks on the rise, Arbor Networks says. Arbor Networks released statistics on distributed denial of service (DDoS) attacks and found that attack speeds increased over those seen in 2012, but that 86 percent of attacks lasted less than 1 hour, among other findings.
Sharp increase in blended, automated attacks. Quarterly attack statistics from FireHost found that cross-site request forgery (CSRF) and SQL injection attacks increased 16 percent and 28 percent in the second quarter of 2013, and that attacks are becoming more automated, among other findings.
Symantec slams Web Gateway back door on would-be corporate spies. Symantec issued an update for its Web Gateway appliances that closes several critical flaws that could allow remote code execution, cross-site scripting (XSS), and other malicious actions.
Hackers using spoofed headers as malware runners. Researchers at Trend Micro detected several attacks using header spoofing to avoid detection while targeting users for malware infection.
TOR-based botnets on the rise. Researchers at ESET found and analyzed two botnets with their command and control (C&C) servers hidden in the Tor (The Onion Router) network to avoid detection. The researchers noted that Tor-based botnet C&C is becoming more common.
Microsoft: 88 percent of Citadel botnets down. Microsoft reported that 88 percent of botnets created by the Citadel banking Trojan have been taken down following operations to disrupt them in June.
LinkedIn snaps shut OAuth login token snaffling vulnerability. A software developer found and reported a vulnerability in LinkedIn’s customer help Web site that gave out the OAuth token of the logged-in user, which could be used to access that user’s profile information. LinkedIn has since fixed the vulnerability.
First active Google Android Master Key exploit discovered in the wild. Researchers at Symantec found the first attacks leveraging the ‘Master Key’ exploit for Android in the wild. Two legitimate Chinese apps were modified to control devices, disable mobile security apps, send SMS messages, and steal information.
‘Next big’ banking Trojan spotted in cybercrime underground. Researchers at RSA found the first new banking Trojan since Citadel for sale on underweb forums, named KINS. The KINS toolkit is available for sale at $5,000 in standard form, contains several advanced features and add-ons, and shares some similarities with past Trojans.
Simple Machines website hacked, database stolen. Open source community forum platform Simple Machines stated that it was the victim of a hack July 20, with hashed passwords for simplemachines.org stolen. Personal messages may also have been compromised.
Indonesia passes the US when it comes to attack traffic, Akamai says. Akamai’s first quarter 2013 State of the Internet Report found that most attack traffic came from China, with Indonesia supplanting the U.S. for the second highest amount of attack traffic, among other findings.
Pharmacy spammers use Google Translate to evade spam filters. Researchers at Symantec discovered a spam campaign that uses Google Translate links to redirect users to rogue pharmacy Web sites.
U.S. the number one source of web attacks. Imperva published its Web Application Attack Report, which found that retailers suffer twice as many SQL injection attacks as other industries, and that the U.S. was the largest source of Web attacks.
Spam botnet StealRat uses 2 hijacked sites, 1 computer to evade detection. Trend Micro researchers identified a spam botnet dubbed StealRat which uses two compromised Web sites and one computer infected with malware to disguise spam emails and make them appear as if they were sent by the infected computer rather than a spam server.
SIM cards vulnerable to hacking, says researcher. A researcher due to present his findings at the annual Black Hat conference reported that millions of mobile phones may be vulnerable to being tricked into granting access to information due to old encryption methods in SIM cards.
Ubuntu forum defaced, breached by hackers. The Ubuntuforums.org Web site was breached and defaced by hackers July 20, with salted password hashes and email addresses exposed. The CEO of Canonical stated that the site would remain offline until it can be fixed.
Symantec: Google Glass still vulnerable to Wi-Fi attack. Symantec researchers warned that Google Glass was vulnerable to man-in-the-middle (MiTM) attacks when it scans for known WiFi networks.
Attackers embedding backdoors into image files. Researchers at Sucuri found attackers using image files to hide backdoors, allowing them to maintain access to compromised servers.
One critical, four high-risk vulnerabilities fixed in Chrome 28. Google released Chrome 28 for multiple platforms, addressing one critical use-after-free vulnerability and four high-risk vulnerabilities.
POC code for critical Android bug published. Proof-of-concept (PoC) code for a critical vulnerability in the Android mobile operating system was released by a researcher. The vulnerability allows attackers to modify the code of any app without breaking its cryptographic signature, and the PoC demonstrates how it can be exploited.
Experts observe RedKit exploit kit attack on Segway website. Researchers at Symantec published an analysis of a June attack on the Segway Web site that utilized the RedKit exploit kit to drop Waledac, ZeroAccess, and Ponik malware.
Quayside Publishing hacked, customer credit card information possibly stolen. Quayside Publishing notified customers that a breach occurred in their Web sites sometime between April 19 and June 17, possibly exposing customer credit card information and other personal information.
New service allows fraudsters to instantly generate scans of fake documents. A researcher discovered a service on a Russian underweb market that allows cybercriminals to generate fake passports, ID cards, utility bills, and credit cards for use in fraudulent activities.
Mass login attempts compromise 24,000 Nintendo site accounts. On July 2 Nintendo reported that around 24,000 Club Nintendo Web site accounts had been compromised through mass automated login attempts, exposing users’ personal but not financial information.
Crimelords: Stolen credit cards…keep ‘em. It’s all about banking logins now. Research by McAfee revealed details of the stolen financial and user information markets, showing the going rate for bank login details, credit card information, user account information, and other products and services available in underweb communities.
Ubisoft urges password changes following hack. Ubisoft warned users to reset their passwords following an attack on some of their online systems that exposed usernames, email addresses, and encrypted passwords.
Microsoft experts warn of “System Doctor 2014” fake antivirus. Researchers warned that the creators behind the Rogue:Win32/Winwebsec fake antivirus malware are now spreading a new form of malware called System Doctor 2014 that shares some similarities with its predecessor.
Skype vulnerability can lead to Android lockscreen bypass. Vulnerability in the Skype app for Android can allow an attacker to bypass the target device’s lockscreen using a second device.
Litecoin-stealing Trojan found. Researchers at ESET discovered a Trojan that targets the Litecoin virtual currency and attempts to send users’ wallet.dat files to an FTP server under the attacker’s control.
Android hack tools designed to automatically steal information from PCs. F-Secure researchers discovered an Android hack tool identified as Hack-Tool:Android/UsbCleaver.A that, once installed on an Android device, collects information from any Windows computer the device is connected to.
Two malware programs help each other stay on computers. Researchers at Microsoft identified a symbiotic relationship between the Vobfus and Beebone malware where each program downloads variants of the other, making both resilient to antivirus programs.
CNN’s Political Ticker hacked, fake Bitcoin operator story published. CNN’s Political Ticker blog was hacked and used to post a fake story about the shutdown of Bitcoin operator Btc-e.com after a user’s third party publishing platform credentials were compromised.
ICS-CERT warns of brute-force attacks against critical infrastructure control systems. A report by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) detailed attempted cyberattacks on industrial control systems for the first half of 2013, with the energy sector being the most targeted, among other findings.
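Both the Club Nintendo mass-login item above and the ICS-CERT brute-force report describe the same thing seen from the defender’s side: one source cycling through many credentials, with an occasional success. The Python below is an added example, not code from the page, ICS-CERT or Nintendo. It runs a sliding-window failure count over constructed login records in an assumed key=value format (the lines, addresses and usernames are invented for the example) and, the part practitioners most often miss, also reports any login that succeeded while the source was still inside a failure burst, since that is the account most likely to have been guessed or stuffed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not a real log). Assumed format: ISO timestamp, src, user, result.
SAMPLE_AUTH_LOG = """\
2013-07-02T03:14:01Z src=203.0.113.9 user=alice result=FAIL
2013-07-02T03:14:03Z src=203.0.113.9 user=bob result=FAIL
2013-07-02T03:14:05Z src=203.0.113.9 user=carol result=FAIL
2013-07-02T03:14:08Z src=203.0.113.9 user=dave result=FAIL
2013-07-02T03:14:10Z src=203.0.113.9 user=erin result=FAIL
2013-07-02T03:14:12Z src=203.0.113.9 user=frank result=FAIL
2013-07-02T03:14:15Z src=203.0.113.9 user=frank result=OK
2013-07-02T03:20:00Z src=198.51.100.2 user=alice result=FAIL
2013-07-02T03:20:09Z src=198.51.100.2 user=alice result=OK
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_auth_log(text: str):
    """Yield (timestamp, src, user, result) for every well-formed line."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["user"], m["result"])


def analyze_auth_log(text: str, window_s: int = 60, threshold: int = 5) -> dict:
    """Flag sources with >= threshold failures inside a sliding window of window_s
    seconds, and record logins that succeeded while the source was still in a burst."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "successes_after_burst": [], "burst": False})
    for ts, src, user, result in parse_auth_log(text):
        s, q = stats[src], recent[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop failures that aged out of the window
        s["users"].add(user)
        if result == "FAIL":
            q.append(ts)
            s["failures"] += 1
            if len(q) >= threshold:
                s["burst"] = True
        elif len(q) >= threshold:
            # Success while the window is still full of failures: treat the account
            # as likely compromised, not as a user who finally remembered a password.
            s["successes_after_burst"].append(user)
    return {src: {"failures": s["failures"],
                  "distinct_users": len(s["users"]),
                  "successes_after_burst": s["successes_after_burst"]}
            for src, s in stats.items() if s["burst"]}


if __name__ == "__main__":
    for src, info in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

Many distinct usernames from one source distinguishes credential stuffing from a single-account brute force, and the same window logic works per username to catch a slow attack spread over many sources.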
Carberp code leak stokes copycat fears. The botnet creation kit, Carberp, coded by a team of hackers that used it to take an estimated $250 million from banks was posted online on multiple forums for anyone to download. Experts worry that its publication will create new hybrid strains of sophisticated banking malware.
Cisco fixes serious vulnerabilities in email, Web and content security appliances. Cisco Systems released email, Web, and content security appliances patches addressing vulnerabilities in prior releases that could allow attackers to execute commands on the underlying operating system or disrupt critical processes.
Gamarue malware-spreading emails purporting to come from Qantas spotted again. Trustwave SpiderLabs researchers identified bogus emails purporting to come from the Qantas airline that are sent out by the Cutwail botnet. The messages carry an executable Andromeda bot loader designed to steal financial information from the infected computer once the user unknowingly runs the malware.
Citadel Trojan automatically localizes fraud content. Trusteer researchers discovered a Citadel variant that lets cyber criminals deliver fraudulent web pages, automatically customized for the language of each market and brand being targeted, through HTML injection into the pages the victim’s browser loads. The malware can collect login credentials as well as credit card information for social networks, banks, and major ecommerce sites.
92% of mobile malware targets Android devices, Juniper report shows. In their annual Mobile Threats Report, Juniper Networks reported a 614 percent increase of malware threats with 92 percent of the pieces of malware aimed at the Android platform from information collected between March 2012 and March 2013.
Maker of Opera browser said its network was hacked to steal code-signing certificate. Opera Software, maker of the Opera browser, neutralized an infection in which attackers made off with at least one certificate that they used to sign malware. The hackers did not compromise any user data but did manage to use the stolen code-signing certificate to distribute malicious software to Windows users running the Opera browser.
Expert identifies backdoor in HP’s StoreOnce backup system. A researcher identified a backdoor vulnerability in the HP StoreOnce 4210 backup appliance where a hidden administrative account can be easily accessed by an SSH client. The researcher released the SHA1 hash of the administrator account password.
Root exploit on LG Android devices possible due to Sprite backup software flaw. A race condition bug in the Sprite Software backup application on at least 40 types of LG Android devices can allow attackers to write to, change permission, and change ownership of files, according to a researcher.
Blizzard suspends mobile app access following account hijacks. Blizzard confirmed an increase in unauthorized access to World of Warcraft (WoW) accounts and blocked access to the WoW auction house via its mobile app after users reported account compromises.
Mobile malware plays hide and seek. Researchers at McAfee found that the Android/Obad.A malware targeting Android devices has several advanced capabilities, such as hiding itself from the Device Administrator list and the ability to infect devices via Bluetooth.
Source code for Carberp financial malware gets leaked online. At least a significant portion of the source code for the Carberp banking Trojan was leaked online, allowing attackers not part of the original group to create and use variants of it.
Android Fakedefender malware attacks Google smartphone and tablet users. Researchers at Symantec discovered a new piece of ransomware affecting Android phones that poses as a legitimate security app, dubbed Android.Fakedefender.
WordPress hardened with XSS, DoS and SSRF fixes. WordPress released an update to its open source blogging software that closes 12 bugs, 7 of which are security issues. The developers strongly encouraged all users to update to the new version.
DNS provider Zerigo hit by DDOS attack. Cloud-based DNS provider Zerigo was the target of a distributed denial of service (DDoS) attack that took servers offline June 21.
DirtJumper malware version dubbed “Drive” sports powerful DDOS engine. Researchers at Arbor Networks identified a new variant of the DirtJumper malware dubbed “Drive” with much more powerful distributed denial of service (DDoS) capabilities. It has been observed in attacks against commercial and financial targets.
Phishing attacks impacted 37.3 million users last year. Research from Kaspersky Lab found that phishing attacks increased 87 percent in 2012, affecting 37.3 million users.
LinkedIn outage caused by DDOS attack on Network Solutions. Cisco researchers found that cybercriminals indirectly caused a LinkedIn outage June 19 when they launched a distributed denial of service (DDoS) attack against Network Solutions.
iOS device default hotspot passwords easy to crack. Researchers at a German university published a paper that found that the default passwords for mobile hotspots in Apple’s iOS mobile operating system are limited and easy to crack.
LinkedIn outage prompts security concerns. LinkedIn reported that it experienced an outage for several hours June 19 due to an unspecified domain name system (DNS) issue caused by human error.
Domain name registrar Moniker hacked, users forced to change passwords. Domain name registrar Moniker notified customers that it discovered and blocked suspicious activity on its network, but did not find evidence that domains or personal information were affected. Moniker advised users to change their passwords as a precaution.
Best Buy recalls 5,100 MacBook Pro replacement batteries after reports of fire. Best Buy announced a recall of around 5,100 ATG lithium-ion batteries for MacBook Pro laptops after reports of batteries catching fire.
Study: 20% of the 50 most popular WordPress plugins are vulnerable to cyberattacks. A report by Checkmarx found that 20 per cent of the 50 most popular plugins for WordPress are vulnerable to Web attacks such as SQL injections, and that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities, among other findings.
Critical vulnerability in Blackberry 10 OS. BlackBerry advised users of a critical permissions vulnerability in versions of its mobile operating system (OS) prior to version 10.0.10.648.
Spammers use black hat SEO to inject jailbreak scams into Google News. Researchers from F-Secure discovered a spam campaign utilizing search engine optimization (SEO) techniques to inject links to phone jailbreak scams into Google News threads related to iOS.
Trojan uses fake Adobe certificate to evade detection. Symantec researchers found that the Backdoor.Trojan malware uses a fake digital certificate claiming to be from Adobe in an effort to trick users into running it. The Trojan itself can perform various information-stealing tasks.
Bad Pigs removed from Google Play after 10k users download bogus app. Google removed from its Google Play store a malicious app that imitated a legitimate game and was installed more than 10,000 times.
Zeus money mule recruiting scam targets job seekers. Attackers involved in a Zeus Trojan campaign configured their variant of the banking malware to redirect users trying to access CareerBuilder to fake jobs Web site in an attempt to recruit them as money mules for the fraud operation.
RARSTONE RAT used in targeted attacks against Asian organizations. Trend Micro researchers identified a cybercrime campaign dubbed Naikon that uses the RARSTONE remote access Trojan (RAT) to take control of targets’ computers. The campaign has been seen targeting media, energy, and government organizations in Asia and spreads through spear phishing.
Flash Player click jacking flaw allows hackers to hijack your webcam. A researcher discovered a vulnerability in Adobe’s Flash Player that can be exploited to access a user’s webcam and microphone when the user is running Chrome on Mac, Chromium on Linux, and possibly other configurations.
AnonGhost claims to have hacked Mozilla email accounts, company responds. Mozilla reported that 50 email addresses were published by hackers associated with the AnonGhost group, but that the 16-character strings published with them were activation codes for Mozilla blogging software, not passwords as the hackers claimed.
Kilim Trojan hijacks social media accounts with rogue browser extensions. Microsoft researchers found that the Kilim Trojan uses malicious Chrome browser extensions to hijack targets’ social media accounts.
iOS 7 beta bug enables lockscreen bypass. An iPhone user published a demonstration of a method to bypass the lockscreen on phones running the beta version of Apple’s iOS 7 mobile operating system.
Gamarue malware downloads malicious components from SourceForge. Trend Micro researchers identified a variant of the Gamarue malware that downloads additional components from a SourceForge project after it infects a target.
DOS vulnerability affects WordPress 3.5.1. A security researcher identified a denial of service (DOS) vulnerability in WordPress 3.5.1 that may affect other versions as well.
Microsoft patches critical IE vulnerabilities and actively exploited Office flaw. Microsoft’s most recent Patch Tuesday release included updates that close 23 vulnerabilities in Internet Explorer (IE), Windows, and Office, including one rated “critical” in all versions of IE 6-10 and an actively-exploited Office vulnerability.
Mobile version of Cridex banking Trojan spotted in the wild. A mobile version of the Cridex/Bugat banking Trojan targeting Android, Blackberry, and Symbian devices was spotted in the wild by researchers from RSA.
Washington Free Beacon website redirects to malware. Invincea researchers found several pages on the Web site of the Washington Free Beacon were compromised and used to redirect users to a domain hosting the Fiesta exploit kit. The kit attempts to drop the ZeroAccess rootkit and the Internet Security Pro fake antivirus malware.
Researchers find self-propagating Zeus variant. Researchers at Trend Micro discovered a variant of the Zeus/Zbot Trojan that spreads via a malicious .pdf file and then copies itself onto any removable drives detected on an infected computer.
CERT warns of vulnerabilities in HP Insight Diagnostics. The Computer Emergency Readiness Team (CERT) Program issued an alert over multiple vulnerabilities in HP’s Insight Diagnostics server management tool that could be used to run code on and take over affected servers.
Apple Store vulnerable to XSS. A cross-site scripting (XSS) vulnerability was found in the Apple Store Web site, exposing visitors to possible attack. Proof-of-concept exploit code was released.
After CNN patches vulnerability, diet spammers start abusing Ask.com flaw. Spammers abused an open redirect vulnerability in CNN’s Web site until the news organization closed the vulnerability. However, similar vulnerabilities in Ask.com and Yahoo continued to be used in the spam campaign.
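An open redirect is a page that sends the browser to whatever URL arrives in a request parameter, which lets spammers dress a link to their own site in a trusted domain. The Python below is an added example, not code from the page or from any of the sites named; the function and parameter names are hypothetical. It shows the vulnerable pattern next to a hardened target check that only accepts same-site paths or absolute URLs to an allow-listed host, and it covers the bypasses that usually survive a naive fix: scheme-relative `//host`, the triple-slash form, backslashes (which browsers treat like slashes), userinfo tricks such as `trusted@evil`, and non-HTTP schemes.

```python
from urllib.parse import urlsplit


def unsafe_redirect_target(target: str) -> str:
    """The open-redirect pattern: the parameter is used as the Location verbatim."""
    return target


def safe_redirect_target(target: str, allowed_hosts, fallback: str = "/") -> str:
    """Return target only if it is a same-site path or an http(s) URL whose host
    is on the allow list; anything else collapses to fallback."""
    if not target:
        return fallback
    # Browsers treat "\" like "/", and CR/LF/TAB would split or mangle the Location header.
    if any(ch in target for ch in "\\\r\n\t"):
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference. urlsplit puts "//host" in netloc, but "///host" comes back
        # as a plain path and browsers normalize it to a host, so reject any "//" prefix.
        return target if target.startswith("/") and not target.startswith("//") else fallback
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        # parts.hostname is the host part after any userinfo, so "trusted@evil" resolves to evil.
        return target
    return fallback


if __name__ == "__main__":
    # Hypothetical allow list; www.cnn.com is used only because the item above names that site.
    allowed = {"www.cnn.com"}
    for t in ["/account?x=1", "//evil.example/", "///evil.example/",
              "http://www.cnn.com@evil.example/", "https://www.cnn.com/2013/"]:
        print(repr(t), "->", safe_redirect_target(t, allowed))
```

The allow list should hold exact hostnames; suffix matching (`endswith("cnn.com")`) reopens the hole via hosts like `www.cnn.com.evil.example`.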
McAfee says it made a mistake, Koobface worm not on the rise. McAfee acknowledged that it made a mistake in reporting that the Koobface worm has been on the rise, when instances of it have in fact decreased.
New variant of Bicololo malware disguised as legitimate antivirus app. Researchers discovered a new version of the Bicololo malware disguised as VIPRE Antivirus.
New Android Trojan app exploits previously unknown flaws, researchers say. Researchers discovered a sophisticated Android malware dubbed Backdoor.AndroidOS.Obad.a that can be used to execute commands via a remote shell, send SMS messages, steal data, and download additional malicious apps.
Web hosting provider Hetzner hacked, users advised to change passwords. Web hosting provider Hetzner advised its users to change their passwords after an unknown piece of malware was detected in the company’s systems.
Microsoft and FBI storm ramparts of Citadel botnets. Microsoft and the FBI have disabled around 1,000 of the estimated 1,400 botnets created by the Citadel botnet malware that have stolen more than $500 million. Microsoft also filed suit against the alleged controller of the botnet, and the FBI is working with law enforcement in various countries to identify the botmaster and 81 bot herders.
Expert finds XSS flaws on Intel, HP, Sony, Fujifilm and other websites. A researcher identified cross-site scripting (XSS) vulnerabilities on the Web sites of several major companies in the information technology and entertainment industries.
64% of data breaches caused by human and system errors, study finds. Symantec and the Ponemon Institute released their 2013 Cost of Data Breach Study that finds that 64 per cent of data breaches were due to human and system errors, among other findings.
Systems of DNSimple and easyDNS abused for DNS amplification attack. Recent distributed denial of service (DDoS) attacks against DNS providers DNSimple and easyDNS were in fact part of a DNS amplification attack that abused the targets’ systems to power an attack against another target.
Experts identify source code of ransomware, ZeuS and IRC worm on torrent site. Researchers from Malware Must Die discovered the source code from several pieces of older malware on a torrent site and are willing to share the information with trusted researchers.
2011 SCADA flaw finally fixed. Schneider Electric distributed a fix for a vulnerability in its Quantum Ethernet Module, discovered in 2011, that involved hardcoded passwords.
Google researcher discloses zero-day exploit for Windows. A Google researcher discovered a security vulnerability in Windows that can be exploited to obtain administrator privileges, and has now published an exploit for the vulnerability.
Nebraska Dept. of Banking and Finance warns of fraudulent escrow firm. The Nebraska Department of Banking and Finance ordered Lincoln Closing and Escrow Services to cease acting as a money transmitter and warned the public that the company is not licensed to handle money transfers.
NetTraveler espionage campaign makes 350 high-profile victims in 40 countries. Researchers at Kaspersky identified a long-running cyberespionage campaign with victims in 40 countries known as NetTraveler. The campaign may have begun in 2004 and increased recently, with targets including diplomats, governments, energy companies, defense contractors and industries such as medicine, nuclear power, communications, and others.
easyDNS hit by DDOS attack. Managed DNS provider easyDNS was targeted by a distributed denial of service (DDoS) attack June 3. The attack was preceded by a smaller DDoS attack, believed to be a test run.
Expert develops fake Chrome browser for phishing attack POC. A researcher developed a proof of concept (POC) that uses a fake browser to open a window after a victim clicks on a link, allowing information to be taken in a phishing attack.
SEC suspends trading of 61 companies ripe for fraud in over-the-counter market. The U.S. Securities and Exchange Commission suspended trading in the securities of 61 companies seemingly no longer in business to prevent their use by fraudsters in ‘pump and dump’ investment schemes.
DNSimple hit by major DDOS attack. Hosted DNS service DNSimple reported coming under a large distributed denial of service (DDoS) attack May 31, and that it continued to be under attack June 3.
DDoS sends EVE Online offline. Massively multiplayer games EVE Online and DUST 514 were knocked offline due to a massive, sustained distributed denial of service (DDoS) attack beginning June 2.
Financial exchange platform hit by 167 Gbps DNS reflection DDOS attack. Prolexic revealed that a financial exchange platform that is a client of the company experienced the largest distributed denial of service (DDoS) attack in Prolexic’s history that peaked at 167 Gbps May 27.
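The DNSimple/easyDNS item above and this 167 Gbps attack are two halves of one technique: an attacker sends small DNS queries with the victim’s address forged as the source, and open resolvers or authoritative servers answer the victim with much larger responses. The Python below is an added example, not code from the page, Prolexic or either DNS provider. It computes the amplification factor and runs a simple detector over constructed resolver log lines in an assumed key=value format (addresses and sizes are invented); the point to keep in mind is that the “source” it flags is the spoofed victim, not the attacker.

```python
import re
from collections import defaultdict

# Constructed resolver log lines in an assumed format (not real traffic).
# 203.0.113.5 is the forged source, i.e. the reflection victim; 198.51.100.7 is a normal client.
SAMPLE_DNS_LOG = """\
2013-05-27T10:00:01Z src=203.0.113.5 qname=example.net qtype=ANY qlen=64 rlen=3264
2013-05-27T10:00:01Z src=203.0.113.5 qname=example.net qtype=ANY qlen=64 rlen=3264
2013-05-27T10:00:01Z src=203.0.113.5 qname=example.net qtype=ANY qlen=64 rlen=3264
2013-05-27T10:00:02Z src=203.0.113.5 qname=example.net qtype=ANY qlen=64 rlen=3264
2013-05-27T10:00:02Z src=203.0.113.5 qname=example.net qtype=ANY qlen=64 rlen=3264
2013-05-27T10:00:02Z src=203.0.113.5 qname=example.net qtype=ANY qlen=64 rlen=3264
2013-05-27T10:00:02Z src=198.51.100.7 qname=www.example.com qtype=A qlen=58 rlen=74
2013-05-27T10:00:03Z src=198.51.100.7 qname=mail.example.com qtype=MX qlen=61 rlen=120
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)")


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector sends to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def parse_dns_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"src": m["src"], "qname": m["qname"], "qtype": m["qtype"],
                   "qlen": int(m["qlen"]), "rlen": int(m["rlen"])}


def reflection_victims(text: str, min_queries: int = 5, min_factor: float = 10.0) -> dict:
    """Sources receiving a high-volume, high-amplification response stream. In a
    reflection attack these are the spoofed victims, so the right reaction is to
    rate-limit responses toward them, not to block them as attackers."""
    stats = defaultdict(lambda: {"queries": 0, "any_queries": 0, "bytes_in": 0, "bytes_out": 0})
    for rec in parse_dns_log(text):
        s = stats[rec["src"]]
        s["queries"] += 1
        s["any_queries"] += rec["qtype"] == "ANY"   # ANY answers are the classic amplifier
        s["bytes_in"] += rec["qlen"]
        s["bytes_out"] += rec["rlen"]
    flagged = {}
    for src, s in stats.items():
        factor = amplification_factor(s["bytes_in"], s["bytes_out"])
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged[src] = dict(s, factor=round(factor, 1))
    return flagged


if __name__ == "__main__":
    print(reflection_victims(SAMPLE_DNS_LOG))
```

At the sample’s factor of 51, an attacker needs only about 3.3 Gbps of forged queries to land 167 Gbps on the victim, which is why closing open resolvers and rejecting spoofed source addresses at the network edge matter more than any single target’s capacity.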
Hackers’ Citadel and Koobface Trojans pose major threats to business data. McAfee’s Q1 2013 Threat Report listed new versions of the Citadel and Koobface Trojans as two of the biggest threats to businesses, among other findings.
Red Robin customers victims of months-long skimming scheme. A waitress who worked at a Red Robin restaurant in Des Moines, Washington, was arrested for allegedly skimming customers’ credit and debit cards over several months, resulting in thousands of dollars in fraudulent purchases.
Drupal confirms confidential breach following third party application vulnerability. The Drupal Association confirmed that an attack that captured the user information of nearly one million users was caused by a known vulnerability in third-party software installed on company servers.
Apache server bug allows remote code execution. A vulnerability in Apache HTTP Server that can allow attackers to compromise systems and execute arbitrary commands was disclosed by Secunia. A patch is available that closes the vulnerability.
"Beta Bot" marks the latest banking malware to hit the online underground. A researcher at RSA reported the discovery of a new financial and root access malware dubbed Beta Bot. The malware has been seen for sale on underground forums and appears to have been created by a skilled programmer.
Drupal.org compromised. Drupal.org's security team discovered unauthorized access that exposed user names, countries, emails, and hashed passwords. Drupal.org reset all user passwords and was continuing to investigate to find out if other kinds of user information were also exposed.
Kelihos botnet used for "Only 24 hours left to shop" pharma spam campaign. Cisco researchers discovered a pharmaceuticals spam campaign using the Kelihos botnet. The campaign sends out massive amounts of spam instead of trying to bypass spam filters, and the site linked to in the emails uses various means to track users.
Experts find code execution flaw in PS3, password reset bug in Sony Entertainment Network. Researchers at Vulnerability Lab revealed that several vulnerabilities in Sony’s Playstation 3 firmware were disclosed to Sony and recently fixed. They also found that the Sony Entertainment Network Web site’s password recovery function could be exploited to reset users’ passwords.
Microsoft exposes green users’ privates in web quiz snafu. A Web design issue on Microsoft’s Greener IT Challenge Web site left the names and email addresses of users easily accessible after users completed the site’s quiz. Microsoft resolved the issue.
Event ticketing company hacked, at least tens of thousands affected. Online ticketing company Vendini was the victim of a server attack that exposed tens of thousands of users’ credit card information, names, addresses, and email addresses.
Google researcher reveals another Windows 0-day. A researcher at Google found and reported a zero day vulnerability affecting Windows 7 and 8 that can allow privilege escalation and arbitrary code execution, though it is not remotely exploitable.
Another Mac OS X backdoor reported. Another instance of the OS X spyware known as OSX/KitM.A or OSX/Filesteal was reported by German authorities. The spyware is signed with a valid Apple developer certificate that has since been revoked.
New Citadel malware strain targeting Payza service. Researchers at Trusteer discovered a new variant of the Citadel banking malware targeting users of the Payza money transfer service. The malware uses a man-in-the-browser technique to obtain users’ login information and PIN.
Researchers find critical vulnerabilities in popular game engines. Researchers at ReVuln found memory corruption and buffer-overflow issues in four computer game engines that could allow attackers to launch remote code execution or denial of service attacks against clients and servers.
Google fixes more than a dozen flaws in Chrome 27. Google released the newest version of its Chrome browser, addressing 16 vulnerabilities ranging in severity.
Cyber espionage campaign uses professionally-made malware. Researchers at Trend Micro identified a large cyberespionage campaign dubbed “Safe” that has targeted computers in several countries and appears to have been created by an individual with formal computer engineering training.
Form-grabbing rootkit sold on underground forums. A Webroot researcher found a rootkit for sale on underground forums known as “Private Grabber” that can capture communication sent over SSL and steal login credentials.
Ransomware adds password stealing to its arsenal. Microsoft researchers found a new variant of the Reveton malware that downloads a password-stealing component after it infects a victim’s computer.
Mac malware found with valid developer ID at freedom conference. A security researcher participating in the Oslo Freedom Conference discovered a piece of malware for Apple OS X that takes regular screenshots from a victim’s computer and then sends them to two servers.
Researchers reveal OpUSA attackers’ MO. Trend Micro researchers analyzed attacks in the recent OpUSA campaign and found that attackers had compromised some sites ahead of time and used URLs on those sites in the campaign.
PushDo malware resurfaces with DGA capabilities. The PushDo Trojan associated with the Cutwail botnet was found to now incorporate a domain generation algorithm (DGA) to avoid detection and increase resiliency.
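A domain generation algorithm replaces a fixed C&C hostname with a list the bot recomputes from a seed (commonly the date), so that blocking today’s domains does nothing for tomorrow’s and the operator only has to register one of them. The Python below is an added example, not PushDo’s algorithm or any code from the page: `toy_dga` is a hypothetical date-seeded generator written only to show the deterministic-per-day property, and `is_dga_like` is a cheap lexical detector (vowel ratio and consonant runs on the second-level label) of the kind used for first-pass DNS log triage; the sample domains are constructed.

```python
import random
import string
from datetime import date

VOWELS = set("aeiou")


def toy_dga(day: date, count: int = 10, tld: str = ".com") -> list:
    """Hypothetical generator: every bot seeded with the same day computes the
    same list, so the operator can pre-register one entry. Not PushDo's DGA."""
    rng = random.Random(day.toordinal())
    return ["".join(rng.choice(string.ascii_lowercase) for _ in range(12)) + tld
            for _ in range(count)]


def longest_consonant_run(label: str) -> int:
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def vowel_ratio(label: str) -> float:
    return sum(ch in VOWELS for ch in label) / len(label) if label else 0.0


def is_dga_like(domain: str, min_len: int = 8) -> bool:
    """Lexical heuristic on the second-level label: random-letter names have few
    vowels and long consonant runs; pronounceable words rarely do. Expect false
    positives on consonant-heavy real names and misses on wordlist-based DGAs."""
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len or not label.isalpha():
        return False
    return longest_consonant_run(label) >= 4 or vowel_ratio(label) < 0.2


if __name__ == "__main__":
    today = date(2013, 5, 10)           # any fixed day; constructed for the demo
    for d in toy_dga(today, 5) + ["bankofamerica.com", "microsoft.com", "wordpress.com"]:
        print(d, is_dga_like(d))
```

The heuristic is a triage filter, not a verdict: pair it with an allow list of known names and with registration-age or NXDOMAIN-rate signals from the resolver, since a host that resolves dozens of never-seen names per day and gets NXDOMAIN for most of them is the stronger DGA indicator.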
Mozilla’s Firefox update fixes three critical holes. Mozilla released an update for its Firefox browser that fixes three vulnerabilities rated “critical” or “high severity.”
Microsoft fixes 33 vulnerabilities. Microsoft’s latest Patch Tuesday release included critical fixes for several programs, including a fix for an Internet Explorer (IE) 8 zero-day flaw recently used in targeted attacks.
Google Android malware levels rocket as spam threat grows. F-Secure released its Q1 2013 Threat Report, which found malware variants targeting mobile devices have risen by 49 per cent since 2012, among other findings.
New Dorkbot worm spreads via Facebook chat steals data from infected PCs. A new variant of the information-stealing Dorkbot malware was identified by Bitdefender spreading through Facebook’s chat function and through infected USB drives.
Privacy breach on Bloomberg’s data terminals. Bloomberg confirmed that reporters at its Bloomberg News division had had access to certain user information from customers using the company’s financial data terminals service before a complaint prompted the access to be disabled.
Malicious browser extensions are hijacking Facebook accounts. Microsoft warned that Facebook accounts are being hijacked via malicious extensions for the Firefox and Chrome Web browsers.
Font apps on Google Play deliver spyware. Webroot identified two malicious Android apps on the Google Play app store that download spyware to users’ devices. Google removed the apps but they remain on their developer’s site.
Winnti backdoor created with Aheadlib to mimic legitimate system library. Researchers at Trend Micro found a new Winnti malware family backdoor dubbed “Bkdr_Tengo.A” which was built with Aheadlib in an attempt to make the malware appear to be a legitimate system library.
Hijacking Facebook accounts via expired Hotmail accounts. Researchers at Rutgers University found that Facebook accounts can be hijacked by requesting that automatically retired Hotmail email accounts be assigned to a new user, and then using Facebook’s password reset function.
Adobe warns of critical vulnerability in ColdFusion. Adobe warned users that a critical vulnerability in ColdFusion has been observed in the wild which can allow unauthorized users to remotely retrieve files stored on servers.
Name.com forces customers to reset passwords following security breach. Domain registrar Name.com required its customers to reset their passwords after a security breach that may have exposed usernames, email addresses, encrypted passwords, and credit card information.
OpUSA: Fake leaks, small website defacements, and “pedestrian” DDoS attacks. The “OpUSA” campaign of attacks against U.S. Web sites organized by various groups claiming the Anonymous label appears to have caused only minor damage or disruption, according to researchers.
Stealthy Web server malware spreads further. The Linux/Cdorked malware found infecting Apache Web servers continues to spread via an unknown means, with new versions found that are engineered for widely-used Lighttpd and NGINX servers.
Old IE attack finds its way into Cool Exploit Kit. Microsoft reported that the Cool Exploit Kit has been updated to include an Internet Explorer (IE) vulnerability that was patched in June 2012, as well as Adobe Reader and Flash vulnerabilities.
Hackers gain access to all .edu domains. The Hack the Planet (HTP) hacker group disclosed vulnerabilities in the MoinMoin wiki system and Adobe ColdFusion that the group used in past attacks against Linode and the Massachusetts Institute of Technology.
US convenience store chain Mapco Express hacked, payment cards compromised. The Mapco Express convenience store chain experienced a breach of customer credit/debit card information after malware was planted in payment processing systems. Customers who used credit/debit cards at Mapco Express stores during certain periods in March and April may be affected.
Exploit for new IE8 0-day vulnerability in the wild. A Metasploit module that exploits an Internet Explorer (IE) 8 zero-day vulnerability used in recent watering hole attacks is now available, making the exploit generally accessible. Microsoft suggested several security measures to implement until a patch is developed.
Malicious Flash Player updates hosted on Dropbox. Researchers at Zscaler found and analyzed a fake Flash Player update attack that stores the malicious update in a Dropbox account. The files attempt to disable security programs and then drop a Sality variant onto victims’ systems.
Unpatched building management system exposes Google’s Wharf 7 HQ to hackers. Two security researchers found that the Tridium Niagara AX building management system at Google Australia’s Wharf 7 headquarters was vulnerable to attack due to Google not having applied a patch that closed known vulnerabilities.
Google fixes CSRF vulnerability in Translator and clickjacking flaw in Gmail. A security researcher published proof-of-concept videos for a Google Translate cross-site request forgery (CSRF) vulnerability, and for a clickjacking vulnerability in Gmail’s “Tasks” feature, after Google was informed and addressed the vulnerabilities.
US SEC warns investors of oil and gas scams. The U.S. Securities and Exchange Commission issued a warning to investors over the increasing number of fraud schemes involving oil and gas ventures.
IE8 0-day used in watering hole attacks. An attack on the U.S. Department of Labor’s Web site the week of April 30 utilized a previously unknown exploit for the Internet Explorer (IE) 8 browser, and was found to also have been used in other watering hole attacks on aerospace, defense, and non-profit organization Web sites.
Experts identify 9 full sandbox bypass exploits affecting IBM Java. Researchers at Security Explorations discovered five new and four improperly addressed exploits for IBM’s Java sandbox, allowing a complete bypass of the sandbox.
Critical security updates released for IP.Board 3.2.x, 3.3.x and 3.4.x. Invision Power Services released updates for three IP.Board versions and advised users to apply the patches to close a critical security vulnerability that could allow unauthorized access to administrator accounts.
g01pack: First exploit kit to deliver payload via multistage attack. Researchers at Trusteer found a variant of the g01pack Java exploit kit that delivers its payload in a multistage attack to help avoid security programs.
OAuth vulnerabilities allowed hackers to access private photos on Instagram. A researcher at Break Security identified two methods to hijack Instagram accounts by exploiting OAuth flaws. The flaws were reported to Instagram’s owner, Facebook, and were addressed.
Certificate bug in open source IPsec VPN. The developers of the strongSwan open source IPsec VPN software found its software may accept invalid digital signatures and certificates if the OpenSSL crypto backend is enabled.
CakePHP 1.2.12, 1.3.16, 2.2.8, and 2.3.4 released to prevent SQL injections. The Cake Software Foundation released updates to several versions of CakePHP to address a vulnerability that could allow SQL injection attacks.
D-Link publishes beta patches for IP camera flaws. D-Link published beta patches to address vulnerabilities in its IP surveillance cameras that could allow attackers to intercept video streams. Final versions of the patches will be available within a month.
Printers, routers used as bots in DDoS attacks. A report from Prolexic warned that various Internet-connected devices such as printers and IP cameras are being used in distributed denial of service (DDoS) attacks.
Bitdefender experts identify new TDL malware variants. Researchers at Bitdefender found new variants of the often-undetected TDL malware designed to infect computers’ master boot records.
FBI: DDoS botnet has been modified. The FBI warned that the Brobot botnet used in a campaign of hacktivist attacks against U.S. banking institutions has been updated in an attempt to circumvent banks’ countermeasures.
Reputation.com hacked, all users’ passwords reset. Internet reputation and management company Reputation.com suffered a security breach where attackers obtained personal information and a limited number of encrypted passwords. The company reset all users’ passwords and is investigating.
Not cool: Bitcoin mining malware found in ESEA server client. The popular ESEA server client used for online gaming was found to contain Bitcoin mining malware, with some users reporting overheated or disabled GPUs as a result of the mining.
Vulnerabilities in D-Link IP cameras can be used to capture video streams. Several vulnerabilities in D-Link IP cameras can be exploited to access video streams, execute arbitrary commands, bypass authentication, and other purposes, according to research from Core Security.