Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/

Online Shopping Tips for Consumers. Click Here for Information.

ATM and Gas pump skimming information. Click Here for Article.

7/26/16

FBI seeks ‘We’re Listening Bandit’ in three-county bank robbery spree. The FBI is searching July 23 for a man dubbed the “We’re Listening Bandit” who is suspected of robbing and attempting to rob six banks in Los Angeles, San Bernardino, and Riverside counties since June.

Critical holes in Micro Focus Filr found, plugged. Micro Focus released patches addressing a cross-site request forgery (CSRF) flaw, an Operating System (OS) Command Injection vulnerability, a persistent cross-site scripting (XSS) flaw, a path traversal, and an authentication bypass vulnerability in its Filr enterprise file management and collaborative file sharing solution after a SEC Consult researcher discovered the flaws during a quick security check.

CTB-Faker ransomware uses WinRAR to lock data in password-protected ZIP files. Bleeping Computer and Check Point researchers found that the CTB-Faker ransomware family is currently being distributed via adult Websites, which encourage users to download a ZIP file containing an executable that launches the ransomware; the ransomware then moves files into a password-protected archive at “C:Users.zip” using the WinRAR application. Researchers determined that the ransomware is decryptable.

Stampado ransomware stomped out before it could do any real damage. A malware analyst at Emsisoft created a free decrypter, unlocking files encrypted by the Stampado ransomware which presents itself as an ad for a Ransomware-as-a-Service (RaaS) offering on Dark Web cyber-crime forums for a low price.

Hacker downloads Vine’s entire source code. Twitter secured an insecure Docker setup used by the company’s staff to manage Vine’s content after security researcher Avicoder discovered the critical security flaw which would have allowed an attacker to download Vine’s entire source code, its application program interface (API) keys, and third party keys, from its servers after determining that the Docker installations were publicly accessible and that Twitter was running Docker API v1 instead of the latest version of Docker (v2).

7/25/16

‘Midday Bandit’ tries to rob West Town bank. The FBI is searching July 21 for a man dubbed the “Midday Bandit” who is suspected of robbing 15 banks in the Chicago area since 2014, including a South Central Bank branch July 21.

Decrypter available for ODCODC ransomware. Security researchers from BloodyDolly released a decrypter for the ODCODC ransomware that circumvents ODCODC’s RSA-2048 encryption to recover the victim’s files without paying the ransom.

Persistent XSS patched in WooCommerce WordPress plugin. WooCommerce released version 2.6.3 of its ecommerce plugin for WordPress addressing a persistent cross-site scripting (XSS) vulnerability after a researcher from Securify discovered an attacker could exploit the flaw to steal session tokens or a victim’s login credentials by creating a special image file containing malicious JavaScript code in the metadata that injects the code into a targeted Website when an administrator uploads the malicious image as a product image or gallery item.

7/22/16

“Dum-Dum Bandit” robs 3 Colorado banks in 30 days. The FBI is searching July 20 for a man dubbed the “Dum-Dum” Bandit who is suspected of robbing three banks in Denver since June, including a U.S. Bank branch July 19.

Police seize 150 credit cards, IDs in counterfeit bust. Two men were arrested in Corona, California, July 16 after authorities found about 150 counterfeit credit cards, numerous counterfeit IDs, and an encoding machine, among other illicit materials in the duo’s apartment after police received information regarding the illegal activities in May. Officials said the duo used the counterfeit cards to make fraudulent purchases in Los Angeles, Orange, and Riverside counties.

Vulnerabilities affecting SAP HANA and SAP Trex put 10,000 customers at risk. Onapsis released security advisories reporting on vulnerabilities in SAP High-Performance Analytic Appliance (HANA) and SAP Trex including a critical risk brute force attack affecting SAP HANA that could allow an attacker to gain unrestricted access to business information, and a critical risk remote command execution flaw affecting SAP Trex that could allow an unauthenticated attacker to modify arbitrary database information, among other vulnerabilities. Researchers from Onapsis reported the flaws pose a risk to over 10,000 SAP customers running different versions of SAP HANA.

Cisco plugs critical flaw in data center operations management solution. Cisco patched a critical vulnerability affecting its Unified Computing System (UCS) Performance Manager software’s Web framework after a researcher from the Adidas Group discovered that an attacker could exploit the vulnerability by sending crafted Hypertext Transfer Protocol (HTTP) GET requests to an affected system, allowing the attacker to execute arbitrary commands with root user privileges.

Chrome 52 patches 48 vulnerabilities. Google released Chrome 52 patching 48 security flaws including 11 high risk flaws and 6 medium severity flaws after external researchers found a high risk sandbox escape flaw in Pepper Plugin application programming interface (PPAPI), a high risk uniform resource locator (URL) spoofing on iOS, a use-after-free in Extensions, and a heap-buffer-overflow issue affecting sfntly, among other vulnerabilities.

Backdoor account found in Dell network security products. Researchers from Digital Defense, Inc., (DDI) released patches addressing six serious security flaws affecting the Dell SonicWALL Global Management System (GMS) after discovering the equipment had a hidden account that could be exploited to add non-administrative users via the command-line interface (CLI) Client, thereby elevating an attacker’s privilege and allowing the malicious actor full control of the GMS interface and all attached SonicWALL appliances. DDI researchers also discovered two unauthenticated root command injections that lead to remote code execution (RCE) with root privileges on Dell equipment, among other vulnerabilities.

CrypMIC ransomware emerges as CryptXXX copycat. Trend Micro security researchers discovered a ransomware dubbed CrypMIC was mimicking the CryptXXX ransomware family, in that it uses the Neutrino exploit kit (EK) to distribute the malware, utilizes the same ransom note and payment site, and employs a custom protocol via transmission control protocol (TCP) Port 443 to communicate with its command and control (C&C) servers, among other similarities. Researchers reported that the source code and capabilities of the two families are different after finding the CrypMIC ransomware cannot harvest credentials and related information from the affected device, as it does not download and execute an information-stealing module in its process memory.

SoakSoak botnet pushing Neutrino exploit kit and CryptXXX ransomware. Invincea researchers reported a surge in CryptXXX ransomware infections targeting popular Web sites running the Revslider slideshow plugin for WordPress after discovering the SoakSoak botnet was delivering the CryptXXX ransomware via business Web sites that were compromised to redirect to the Neutrino exploit kit (EK).

7/21/16

Man dubbed ‘Bandaged Bandit’ sought in area bank robberies. The FBI is searching for a man dubbed the “Bandaged Bandit” who is suspected of committing four bank robberies in El Dorado Hills, California, and in Folsom and Stateline, Nevada, since June, including a U.S. Bank branch in Folsom July 15.

Oracle’s critical patch update for July contains record number of fixes. Oracle released its July Critical Patch Update (CPU) that addressed a total of 276 vulnerabilities in several of its products including 19 critical security flaws affecting the Oracle WebLogic Server component, the Hyperion Financial Reporting component, and the Oracle Health Sciences Clinical Development Center component, among other applications. The update also resolves 36 security flaws in applications specifically designed for the insurance, health, financial, and utility sectors, as well as 159 remote code execution (RCE) flaws that can be exploited without authentication.

Free decrypter available for Bart ransomware. A security researcher for AVG released a free decrypter for the Bart ransomware that recovers files locked by the ransomware after discovering Bart uses one password for all files placed inside a password-protected ZIP archive.

Petya ransomware gets encryption upgrade. A security researcher dubbed Hasherezade discovered the Petya ransomware no longer allows for easy data recovery after finding that the malware operators bundled Petya with Mischa, a failsafe designed to encrypt user files one at a time if Petya was unsuccessful in manipulating the Master Boot Record (MBR) to take over the boot process and encrypt the entire hard disk after a reboot.

Security software that uses ‘code hooking’ opens the door to hackers. Researchers from enSilo discovered 6 security vulnerabilities affecting over 15 different products, including antivirus programs from Kaspersky Lab, Trend Micro, and Symantec, among others, that use hooking to intercept, monitor, or modify potentially malicious behavior in applications and operating systems (OS). The flaws can be exploited by malicious attackers to easily bypass the anti-exploit mitigations provided by Microsoft Windows or third-party applications and inject malicious code into any process running on a victim’s device while remaining undetected.

Gmail security filters can be bypassed just by splitting a word in two. Security researchers from SecureState discovered that an attacker can bypass Gmail’s security features responsible for detecting malicious macros in Microsoft Office document attachments by separating “trigger words” into two words or across a row of text after finding that the security filters failed to detect malicious macros in the script when an attacker split a sensitive term on two different lines of the exploit code.

DoS vulnerability patched in BIND. The Internet Systems Consortium (ISC) released BIND versions 9.9.9-P2 and 9.10.4-P2 addressing a medium severity, remote code execution (RCE) vulnerability that could cause systems using the lightweight resolver protocol (lwresd) to resolve names to enter a denial-of-service (DoS) condition due to an error in the way the protocol was implemented after finding that the server can terminate when the lwresd is asked to resolve a query name that exceeds the maximum allowable length when combined with a search list entry.

7/20/16

$5K reward offered to stop ‘Americas Bandit’ after 6 Manhattan banks struck in almost a year. Authorities offered a reward July 18 in exchange for information on a man dubbed “America’s Bandit” who is suspected of robbing six banks in New York City since September 2015, including a Chase Bank branch July 9. The suspect is considered armed and dangerous.

Apple patches tens of vulnerabilities in iOS, OS X. Apple Inc., released security updates for several of its products including OS X El Capitan version 10.11.6, which patched a total of 60 security bugs affecting components such as audio, FaceTime, and CFNetwork, among others, after a Zscaler researcher discovered the flaws could allow unprivileged applications to access cookies stored in the Safari browser. Apple also released iOS version 9.3.3, resolving 43 vulnerabilities, one of which could allow an attacker with physical access to the device to abuse Siri and view private contact information, among other patches.

HTTPoxy vulnerability affects CGI-based apps in PHP, Python, and Go. A developer from Vend discovered CGI applications written in Hypertext Preprocessor (PHP), Python, and Go were plagued by the HTTPoxy vulnerability after finding that CGI-based environments receiving incoming Hypertext Transfer Protocol (HTTP) requests containing a “Proxy” header were placing the header’s content in the HTTP_PROXY environment variable without sanitization, which could allow an attacker to force a vulnerable CGI-based application to use a malicious proxy for its outgoing HTTP requests, carry out Man-in-the-Middle (MitM) attacks, and poison servers.
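As an added example (not code from the page or from any of the projects it names), the following Python script reproduces the CGI header-to-environment mapping behind HTTPoxy, shows a server-side fix that drops the “Proxy” header before the environment is built, and checks the library-side mitigation in CPython's own urllib; the request headers and the proxy address are constructed, and the urllib check assumes a current, patched CPython.

```python
"""HTTPoxy: how a client-supplied "Proxy" request header becomes the
HTTP_PROXY environment variable of a CGI process, plus two defences."""
import os
import urllib.request

# Constructed sample request headers (not taken from the page): the client
# has sent an attacker-controlled "Proxy" header alongside normal headers.
SAMPLE_HEADERS = {
    "Host": "app.example.invalid",
    "User-Agent": "sample-client/1.0",
    "Proxy": "http://proxy.attacker.invalid:8080",
}


def cgi_meta_variables(headers):
    """The CGI rule (RFC 3875): each request header is exposed to the script
    as HTTP_<NAME>, upper-cased, with '-' replaced by '_'.  A header named
    'Proxy' therefore collides with the HTTP_PROXY variable that many HTTP
    client libraries read to pick an outgoing proxy.  This is the vulnerable
    (unfiltered) mapping."""
    env = {"REQUEST_METHOD": "GET"}  # CGI servers always set this
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_meta_variables_hardened(headers):
    """Defence 1 (server side): discard the 'Proxy' request header before
    building the environment.  Browsers and clients never legitimately send
    it, so nothing functional is lost."""
    clean = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return cgi_meta_variables(clean)


def naive_proxy_choice(env):
    """Models an HTTP client library that blindly honours HTTP_PROXY for its
    outgoing requests.  Under the unfiltered mapping this returns the
    attacker's proxy; under the hardened mapping it returns None."""
    return env.get("HTTP_PROXY")


def stdlib_proxy_choice(env):
    """Defence 2 (library side): current CPython's urllib ignores an
    upper-case HTTP_PROXY whenever REQUEST_METHOD is set, i.e. when the code
    is running as a CGI script.  Evaluates getproxies_environment() with the
    given environment temporarily installed as the process environment."""
    saved = dict(os.environ)
    os.environ.clear()
    os.environ.update(env)
    try:
        return urllib.request.getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


if __name__ == "__main__":
    vuln = cgi_meta_variables(SAMPLE_HEADERS)
    safe = cgi_meta_variables_hardened(SAMPLE_HEADERS)
    print("unfiltered mapping, naive client ->", naive_proxy_choice(vuln))
    print("hardened mapping,   naive client ->", naive_proxy_choice(safe))
    print("unfiltered mapping, patched urllib ->", stdlib_proxy_choice(vuln))
```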

CryptXXX now being distributed via spam emails. Security researchers from Proofpoint warned that the CryptXXX malware was leveraging a spam email campaign after discovering that the emails, using subjects such as “Security Breach – Security Report #123456789,” were tricking users into activating malicious macros embedded in the emails’ document attachments, which were designed to download and install the ransomware when the victim interacted with them.

Steemit social network hacked, user funds stolen, DDoS attack ensued. Steemit, a social networking platform, announced July 14 that an unknown attacker exploited the network’s browser-side vulnerabilities to steal $85,000 worth of Steem Dollars and Steem Power from approximately 260 users’ funds after a user reported mysterious transactions that transferred funds from his account to another Bittrex account, a Bitcoin trading portal. Steemit’s servers also faced a distributed denial-of-service (DDoS) attack, prompting the network to bring down its servers for maintenance and service upgrades.

7/19/16

‘Dreaded bandit’ wanted in series of Bay Area bank robberies. The FBI offered a reward July 15 in exchange for information leading to the arrest or conviction of a man dubbed the “Dreaded Bandit” who is suspected of robbing at least three San Francisco Bay area banks since April, including a Comerica, Inc., bank branch in the Cow Hollow neighborhood July 11. Authorities stated the suspect is armed.

Metairie woman convicted of multi-State bank fraud scheme and aggravated identity theft. A Metairie, Louisiana woman pleaded guilty July 13 to Federal charges for her role in a multi-State bank fraud scheme where she stole individual’s personal information and used the information to create fraudulent credit cards in order to embezzle approximately $102,257 from victims’ accounts at 21 banks in Louisiana, Texas, and Mississippi.

Ubuntu Forums hacked again, 2 million users exposed. Canonical chief executive officer (CEO) reported that an attacker exploited a Structured Query Language (SQL) injection flaw in its Ubuntu Forums to access and download part of the Forums database, containing usernames, email addresses, and internet protocol addresses (IPs) for 2 million users. Canonical shut down the database, reset all users’ passwords, and installed a Web application firewall after being notified that an individual was claiming to have a copy of the Forums database.

Researcher finds way to steal money from Instagram, Google, and Microsoft. An independent Belgian security researcher discovered a flaw in Facebook, Google, and Microsoft’s two-factor authentication (2FA) voice-based token distribution systems that could allow an attacker, who has created premium phone services and linked them together with fake Instagram, Google, and Microsoft Office 365 accounts, to use automated scripts to request 2FA tokens for all accounts, and by doing so, place legitimate phone calls to their premium phone service, thereby earning a substantial profit.

Cisco patches serious flaws in router and conferencing server software. Cisco Systems released patches addressing several vulnerabilities in its Cisco internetwork operating system (IOS), IOS XR, ASR 5000, WebEx Meetings Server, and Cisco Meeting Server including a high severity denial-of-service flaw and an arbitrary code execution issue in its Cisco IOS XR software, two cross-site scripting (XSS) vulnerabilities in the WebEx Meetings Server version 2.6, and an insecure Simple Network Management Protocol (SNMP) implementation flaw in the ASR 5000 Series platform, among other vulnerabilities.

Locky ransomware gets offline encryption capabilities. Security researchers from Avira discovered an update to the Locky ransomware that allows the ransomware to enter an offline encryption mode when it cannot connect to the command and control (C&C) server. The development mimics the Bart ransomware, in that it ensures that the ransomware can carry out malicious actions even when its Internet connectivity is blocked, making detection more difficult.

7/18/16

Investigators: Link between skimmers and 103 credit cards found possible. A New York resident was arrested in Symmes Township, Ohio, July 14 after police found over 103 fraudulent Visa gift cards that had been re-encoded with stolen credit card numbers in the suspect’s vehicle during a routine traffic stop. Authorities are investigating whether the man is linked to a credit card skimming scheme targeting New York, New Jersey, and Connecticut.

‘Hipster Bandit’ bank robbery suspect arrested. A man dubbed the “Hipster Bandit” was arrested in Serra Mesa, California, July 14 after he allegedly robbed eight banks and attempted to rob two others in San Diego, Riverside, and Orange counties since November 2015.

New trojan helps attackers recruit insiders. Researchers at Gartner Research and Diskin Advanced Technologies found a new trojan dubbed “Delilah” that uses social engineering and extortion to recruit insiders by collecting personal information and capturing video from the targeted user’s webcam while instructing users to use virtual private networks (VPNs) and the Tor network in order to manipulate or blackmail the targeted individual.

IE exploit added to Neutrino after experts publish PoC. FireEye and Symantec researchers found that the Neutrino exploit kit (EK) operators use an Adobe Flash file to deliver exploits and to profile a victim’s system to determine which exploit to use, after researchers published a proof-of-concept (PoC) exploit for two remote code execution (RCE) vulnerabilities that were patched by Microsoft in May. Researchers determined that the exploit added to Neutrino is identical to the one published, except for the code that runs after initial control.

CryptXXX devs provide free decryption keys for some ransomware versions. Bleeping Computer researchers identified a category of users who could obtain a free decryption key by visiting the Tor-based payment sites of the CryptXXX ransomware after their files were encrypted by the ransomware using the “.crypz” and “.cryp1” file extensions.

Maxthon browser collects sensitive data even if users opt out. Maxthon is investigating after Exatel and Fidelis Cybersecurity researchers found that the Maxthon Web browser collects sensitive information and sends it to its servers, even if the user opts out of the option due to an issue in the current implementation of User Experience Improvement Program (UEIP) that lets the browser manufacturer collect analytical information about how users utilize their product.

7/15/16

Two arrested for credit card fraud scheme. Two individuals were arrested and charged in Montgomery County, Texas, July 11 after authorities discovered approximately 100 stolen credit cards and a credit card embossing machine, among other illicit material in the duo’s vehicle during a routine traffic stop.

Longtime fugitive pleads guilty to stealing $65 million from hundreds of people. A fugitive, initially indicted in October 2003 pleaded guilty July 13 to defrauding around 800 investors out of an estimated $65 million in a Ponzi scheme where he and co-conspirators operated Doylestown, Ohio-based Cyprus Funds, Inc., to sell certificates of deposit and unregistered mutual funds in Latin America and the U.S. from 1995 – 1999.

Juniper patches high-risk flaws in Junos OS. Juniper Networks fixed several vulnerabilities in the Junos operating system (OS) used on its networking and security appliances, including an information leak in the J-Web interface, vulnerabilities that could lead to denial of service conditions, a potential kernel crash, a potential memory buffer (mbuf) leak, a crypto vulnerability, and an issue with SRX Series devices.

Microsoft discovers new version of Troldesh ransomware. Microsoft Malware Protection Center researchers discovered a new version of the Troldesh ransomware, also known as Encoder.858 and Shade Ransomware, that contains new modifications including a dedicated payment portal where users can get information on how to pay the ransom, utilization of a Tor Web site, and two new extensions, “.da_vinci_code” and “.magic_software_syndicate,” which are added to the end of encrypted files.

Huge spam wave drops Locky variant that can work without an internet connection. F-Secure researchers examined a July 12 campaign utilizing the Locky ransomware where the group sent out 120,000 spam email messages every 2 hours in 2 instances of activity. Avira researchers also found that a new Locky variant works in “offline mode,” making it harder to block.

Three popular Drupal modules patch site-takeover flaws. Drupal, a content management system, worked with the maintainers of three third-party modules, RESTWS, Coder, and Webform Multiple File Upload, to address critical vulnerabilities that could allow attackers to take control of Web sites, including a flaw that allows attackers to execute rogue Hypertext Preprocessor (PHP) code on Web servers that host Drupal Web sites with the modules, as well as flaws that could lead to remote code execution (RCE).

Ransomware permanently deletes your files then has the nerve to ask for money. Cisco Talos researchers discovered a new piece of ransomware dubbed Ranscam that deletes the victim’s files after infecting the computer, and removes core Microsoft Windows executables responsible for the System Restore feature, hard drive shadow copies, and several registry keys associated with booting into Safe Mode, among other modifications. Once the removal is complete, the ransomware shows its ransom note and falsely informs the victim that their files are encrypted and moved into a hidden partition.

7/14/16

SAP patches critical Clickjacking vulnerabilities. SAP released 10 Security Patch Day Notes and 26 Support Package Notes addressing several vulnerabilities, including a critical Clickjacking flaw in multiple SAP frameworks and technologies, denial of service flaws, missing authorization checks, code injection, and a cross-site scripting (XSS) issue, among other vulnerabilities.

New Stampado ransomware advertised on the Dark Web for only $39. Heimdal Security researchers spotted a new version of ransomware on the Dark Web dubbed Stampado, which is offered via a Ransomware-as-a-Service (RaaS) model and locks files with a “.locked” file extension, similar to other ransomware families. Stampado is being offered for $39 for a lifetime license and mimics the Jigsaw ransomware, in that it deletes a random file from the infected computer every 6 hours in order to scare the victim into paying the ransom.

Microsoft patches critical flaws in Internet Explorer, Edge. Microsoft released 11 bulletins addressing 15 bugs in Internet Explorer, 13 bugs in Edge, and several other flaws in Office, Jscript, VBScript, and .NET Framework including a remote code execution (RCE) bug, an elevation of privilege issue in Windows Print Spooler, and a scripting engine memory corruption vulnerability in Jscript and VBScript, among others.

Adobe patches critical vulnerabilities in Flash, Acrobat, Reader. Adobe released security updates for Flash Player, Acrobat, Reader, and XMP Toolkit for Java patching more than 82 bugs affecting Microsoft Windows, Mac OS X, ChromeOS, and Linux users, including an integer overflow issue, a use-after-free vulnerability, a heap buffer overflow bug, and multiple memory corruption vulnerabilities, among others.

7/13/16

Southern California man pleads guilty for his role as sales manager in fraudulent mortgage modification scheme. An Orange County, California resident pleaded guilty July 11 for his role as the sales manager of an estimated $9 million fraudulent mortgage modification scheme where he supervised dozens of telemarketers who made misleading statements and false promises to convince over 1,500 homeowners facing foreclosure to pay up to $5,500 for the services of Rodis Law Group (RLG) and a successor entity, America’s Law Group between October 2008 and June 2009 by falsely claiming RLG consisted of a team of attorneys experienced in negotiating lower interest rates and lowering principal balances, among other misrepresentations. Two co-defendants were also charged for their roles in the scheme.

Code execution flaw plagues Intel Graphics Driver. Security researchers from Cisco Talos discovered a local code execution vulnerability in Intel HD Graphics Windows Kernel Mode Driver version 10.18.14.4264 that could allow an attacker to run arbitrary code on a victim’s system or cause denial-of-service (DoS) by sending a specially crafted D3DKMTEscape request to the Intel HD Graphics drivers. Microsoft removed the NTVDM subsystem from Windows 8 to mitigate the attack, but researchers stated the mitigations were not foolproof.

Website takeover issue fixed in WordPress’ most popular plugin. A security researcher reported that the All in One SEO Pack WordPress plugin was plagued with a vulnerability that could allow attackers to store malicious code in the Web site’s admin panel which could potentially enable attackers to control the Web site.

DoS flaw affects Symantec endpoint products. Symantec released a patch that addressed a denial-of-service (DoS) vulnerability that affected its Norton Security’s Portable Executable file scanning functionality as well as its Endpoint Protection products after a security researcher from Cisco Talos found an attacker could exploit the vulnerability by sending a victim a crafted file with a large SizeOfRawData field in a section header due to a flaw in the Client Intrusion Detection System (CIDS) driver, which can cause a system to crash when interacted with a specially-crafted portable executable (PE) file.

7/12/16

GootKit banking trojan receives massive update. Security researchers from IBM’s X-Force Research reported that the GootKit trojan, which targets banks internationally, has updated its source and mode of operation to avoid antivirus detection by changing its installation method to use scheduled tasks that run every minute, allowing the trojan to run with least-privilege user accounts (LUA) and administrator accounts.

FBI seeks ‘Hipster Bandit,’ offers $20K reward. The FBI offered a reward July 8 in exchange for information leading to the capture of a man dubbed the “Hipster Bandit” who is suspected of robbing eight banks and attempting to rob two others in San Diego County since September 2015, including a Wells Fargo Bank branch July 2.

Norwich resident admits role in insurance fraud scheme. A Norwich, Connecticut resident pleaded guilty July 7 for his role in an insurance fraud scheme where he and co-conspirators staged approximately 50 car crashes in southeastern Connecticut, and filed fraudulent property damage and bodily injury claims with various automobile insurance companies in order to collect up to $30,000 in insurance payouts per fraudulent claim between April 2011 and February 2014.

MIUI vulnerability affects millions of Xiaomi Android devices. Security researchers from IBM’s Security Intelligence team reported that a remote code execution (RCE) vulnerability exists in the MIUI analytics component in versions prior to MIUI Global Stable 7.2 after researchers discovered that the self-update mechanism can be hijacked via a Man-in-the-Middle (MitM) attack and used to deliver malicious update packages. The analytics package uses Hypertext Transfer Protocol (HTTP) to query an update server for upgrades and to download the updates, allowing attackers to watch for requests and use basic spoofing techniques.

7/11/16

Former Regions Bank VPs indicted in bribery, wire fraud scheme. Two former vice presidents at Regions Bank, who also served as officers at Regions Equipment Financing Corp., (REFCO) in Birmingham, Alabama, were indicted July 7 for their roles in a $5 million bribery and wire fraud scheme where the duo and a co-conspirator allegedly established a fraudulent company, Residual Assurance Inc., that would enter an agreement with REFCO to provide residual value insurance, directed REFCO’s residual value insurance business to the company, and split the business’s proceeds between September 2010 and November 2015. The charges allege that the former executives collectively received over $3 million for their roles in the scheme.

New “Patchwork” cyber-espionage group uses copy-pasted malware for its attacks. Security researchers from Cymmetria reported that a new cyber-espionage group dubbed Patchwork Advanced Persistent Threat (APT) was seen infecting at least 2,500 machines since December 2015 and can infect an underlying operating system (OS) with their malware using spear-phishing emails that contain PowerPoint files as attachments, which are embedded with the Sandworm exploit. The cyber criminals use an assortment of copy-pasted code from known malware and tools such as PowerSploit, Meterpreter, AutoIt, and UACME.

7/8/16

Ex-Wall Streeter pleads guilty in fraud case. A former executive at Park Hill Group pleaded guilty July 6 to Federal charges after he bilked approximately $38.5 million from more than 10 individuals and entities in a Ponzi-like scheme where he convinced family and friends to invest in a non-existent private equity firm from July 2015 – March 2016 and used the money for personal option trades, to repay money he had previously diverted from the Park Hill Group, and for personal use, among other illicit purposes. Officials stated the scheme attempted to bilk investors out of nearly $150 million.

Dangerous GNU wget vulnerability still not patched in all Linux distros. Security researchers from Golunski and SecuriTeam discovered a GNU wget vulnerability that could be exploited to allow an attacker to upload arbitrary files and achieve code execution due to wget’s improper handling of file names when redirecting users from an initial Hypertext Transfer Protocol (HTTP) Uniform Resource Locator (URL) to a File Transfer Protocol (FTP) link.

Over 6,000 Redis database servers ready for taking. Security researchers from Risk Based Security released a report detailing that 6,338 Redis servers were compromised after performing a non-intrusive scan using Shodan which revealed that the hacked servers featured the “crackit” Secure Shell (SSH) key and were attached to an email address that was previously seen in other incidents. Researchers recommended that Webmasters update their Redis database to the latest version and activate the “protected mode” feature.

Campaign of infected WordPress and Joomla sites leads to CryptXXX ransomware. Security researchers from Sucuri discovered that a new campaign dubbed Realstatistics was using outdated Content Management Systems (CMSs), primarily WordPress and Joomla Web sites, to hack Web sites using vulnerabilities in plugins rather than using core vulnerabilities after discovering at least 2,000 Web sites were affected by the campaign.

Caja toolkit vulnerability exposed Google Docs domain to XSS attacks. Google released patches for several cross-site scripting (XSS) issues in its Caja toolkit, used inside its Docs and Developers series, after a security researcher found the tool failed to sanitize various types of XSS payloads, potentially allowing attackers to create malicious Google Docs files containing Google Apps Script that, when loaded, could steal cookies and execute malicious actions.

7/7/16

Information-collecting Android keyboard tops 50 million installs. Security researchers from Pentest Limited discovered that a third-party keyboard application for Android dubbed “Flash Keyboard” was allegedly conducting malicious activity by communicating with servers in several countries and sending personal data, including the device manufacturer and model number, International Mobile Station Equipment Identity (IMEI), Android version, user email address, mobile networks, and GPS coordinates, to a remote server. The application engages in deceptive behavior, which Google prohibits.

New malware uses Tor to open backdoor on Mac OS X systems. Security researchers from Bitdefender discovered that a new malware family named Backdoor.MAC.Eleanor on Mac operating system (OS) X can open a backdoor via a Tor hidden service, a Hypertext Preprocessor (PHP) Web service, and a Pastebin client. The backdoor can allow cyber criminals to navigate and interact with the local file system, launch reverse shells to execute root commands, and launch and execute scripts in several languages including PHP, Perl, Python, Ruby, Java, and C.

7/6/16

4 men face credit card fraud-related charges. Four men were arrested in Tolland, Connecticut, July 2 after police were notified that the group allegedly attempted to use several fake or stolen credit cards at a Mobil gas station. A subsequent search of the suspects’ vehicle revealed numerous fraudulent credit cards in various stages of production, a credit card embossing machine, and two electronic credit card writers, among other illicit materials.

‘Straw Hat Bandit’ strikes North Wales bank. Authorities are searching for a man dubbed the “Straw Hat Bandit” who is suspected of robbing 10 banks in the Philadelphia area since 2012, including a PNC Bank branch in North Wales July 2.

Flaws in free SSL tool allowed attackers to get SSL certificates for any domain. StartCom released a new version of its StartEncrypt Linux tool after a security researcher from CompuTest discovered the product had several design and implementation flaws that could allow an attacker to extract signatures from any Web site that enables its users to upload files including GitHub and Dropbox. In addition, an attacker could obtain Secure Sockets Layer (SSL) certificates for other domains.

Free decrypter available for download for MIRCOP ransomware. A security researcher created a decrypter tool that can recover files locked by the MIRCOP ransomware without paying the ransom, after an independent researcher and security researchers from Trend Micro revealed the presence of the new ransomware family at the end of June.

New Adwind RAT campaign with zero AV detection targets businesses in Denmark. Security researchers from Heimdal Security discovered a spam email campaign targeting Danish companies after finding that the spam emails carried malicious file attachments named “Doc-[Number].jar” that were not detected by antivirus engines, even though the attachments carried the Adwind Remote Access Trojan (RAT). Researchers believe the campaign may target other countries as well, since the emails were written in English.

Malware spread via Facebook makes 10,000 victims in 48 hours. Security researchers from Kaspersky Lab reported that from June 24 – June 27, cyber criminals used Facebook spam messages to distribute malware to user accounts and allegedly sold Facebook “likes” and “shares” via a botnet of infected devices. The messages informed users about mentions in comments and convinced them to access a link that secretly downloaded a trojan onto the user’s computer and installed an extension in the user’s Google Chrome Web browser. Facebook blocked the technique and Google removed the extension from its Chrome Web Store.

Critical vulnerability breaks Android full disk encryption. An independent Israeli security researcher discovered that the Qualcomm Secure Execution Environment (QSEE) was plagued with a critical elevation of privilege (EoP) flaw that affects 57 percent of Android devices and could allow an attacker to bypass the Full Disk Encryption (FDE) security feature first implemented in Android 5.0 Lollipop. The flaw could allow a compromised, privileged application with access to QSEECOM to execute arbitrary code in the TrustZone context.

Spam campaign distributing Locky variant Zepto ransomware. Security researchers from Cisco Talos warned customers that the Zepto ransomware, a variant of the Locky ransomware, was being distributed through over 4,000 spam emails June 27, and through as many as 137,731 emails in 4 days, via an attached .zip archive containing malicious JavaScript. Researchers reported that the campaign contained a total of 3,305 unique samples and convinced targets to open the spam emails by using various subject lines and sender profiles, including “CEO” and “VP of Sales.”

HawkEye keylogger users employ hacked email accounts to receive stolen data. Security researchers from Trustwave discovered a spam email campaign using the HawkEye keylogger, which allows attackers to collect email, browser, and File Transfer Protocol (FTP) settings and passwords, by delivering malicious Rich Text Format (RTF) documents disguised as Microsoft Word files to victims; hijacked email accounts were then used to reroute all messages received from a victim’s email address to the attacker’s personal inbox.

Second man pleads guilty to hacking entertainment celebs. The U.S. District Court for the Central District of California reported that an Illinois resident pleaded guilty for his involvement in a phishing scheme in which he gained access to several female celebrities’ and non-celebrities’ usernames, passwords, and personal information, including private photographs and videos, after sending them emails disguised as coming from security accounts of Internet service providers. The culprit accessed at least 300 Apple iCloud and Google Gmail accounts.

Firmware zero-day allows hackers to disable security features. A security researcher discovered a zero-day firmware vulnerability in the Unified Extensible Firmware Interface (UEFI), which is installed on all Lenovo ThinkPad series laptops, after identifying that the flaw exists in the System Management Mode (SMM) code of Lenovo’s UEFI and can be exploited for several malicious actions including disabling the Secure Boot feature, disabling UEFI write protections, and bypassing Windows 10 Enterprise security features. Lenovo is investigating the incident.

Satana ransomware encrypts your boot record and prevents your PC from starting. Security researchers from Malwarebytes reported that the new ransomware dubbed Satana encrypts files using the same method as other ransomware families, but attaches its email address to each file name, encrypts the Master Boot Record (MBR), and replaces the MBR with its own. Once a user restarts the computer, the malicious MBR boot code loads and locks the user out of the computer while Satana’s ransom note displays on the screen.

7/5/16

Man accused of using fraudulent plastic to charge $85,000 in purchases. A Raleigh resident was arrested June 29 for allegedly using a fraudulent credit card to spend approximately $85,000 at businesses in Cary and Garner, North Carolina, and for cashing two checks drawn on a closed Bank of America account.

Google finds 16 bugs, 2 zero-days, in Windows kernel font handling. Microsoft released patches for its Windows kernel that fixed 16 flaws after security researchers from Project Zero discovered that Windows executes all font processing operations in the kernel’s ring-0 with the highest level of permissions, allowing attackers to have direct access to the entire operating system (OS).

Free decrypter available for Unlock92 ransomware. An independent security researcher created a decrypter tool for the Unlock92 ransomware after security researchers from Malwarebytes discovered that the new ransomware encrypts victims’ files with symmetric Advanced Encryption Standard (AES) encryption and generates a 64-character hexadecimal password for each target.

Foxit patches RCE flaws in Reader, PhantomPDF. Foxit Software released updates for versions 7.3.4.311 and earlier of its Reader and PhantomPDF products for Windows that addressed more than a dozen vulnerabilities, including out-of-bounds read, heap buffer overflow, stack buffer overflow, use-after-free, and uninitialized pointer issues that could have been exploited remotely to expose sensitive information, crash the application, and execute arbitrary code.

Hackers can exploit LibreOffice flaw with RTF files. LibreOffice 5.1.4 was released June 30 after security researchers from Cisco Talos discovered that the Rich Text Format (RTF) parser in LibreOffice was susceptible to a flaw that could allow an attacker to execute arbitrary code using specially crafted RTF files by tricking the victim into opening a malicious RTF file sent via email.

7/1/16

6 arrested in fast-food credit card scheme in northern Colorado. Six New York residents were arrested and indicted June 15 for allegedly using fraudulent credit cards to purchase more than $10,000 worth of gift cards at McDonald’s Corp. restaurants and other fast-food chain restaurants in Wyoming and Colorado. Authorities confiscated over 1,000 gift cards, a credit card reader, and a machine used for printing credit cards during the group’s arrest.

Google adds SEO spam notifications to Google analytics dashboard. Google reported that it will be enhancing its security notifications for compromised Web sites by integrating the Safe Browsing application programming interface (API) into the Google Analytics dashboard, which will help detect malware and warn Webmasters of search engine optimization (SEO) spam on their Web sites.

Android ransomware quadrupled in the past year. Kaspersky Lab released a study which revealed that Android ransomware infections quadrupled over the previous year, increasing from 35,413 victims in 2015 to 136,532 victims in 2016. Security researchers attributed the attacks to four Android ransomware strains: Small, Fusob, Pletor, and Svpeng.

6/30/16

Symantec products affected by multiple “as bad as it gets” vulnerabilities. A security researcher from Google’s Project Zero initiative discovered several vulnerabilities in Symantec’s security products, including buffer overflow flaws, memory corruption flaws, and a high-severity flaw that does not require user interaction, affects the default configuration, and, because the vulnerable code in ASPack runs at the highest privilege levels possible, gives attackers that level of access. Attackers could exploit the vulnerabilities by sending an email with a malicious file or embedding a malicious link inside the email, among other methods.

Alpine Linux 3.4.1 released with Linux Kernel 4.4.14 LTS, latest security fixes. The Alpine Linux project released its Alpine Linux 3.4.1 operating system (OS), which included security updates in its kernel packages and core components, as well as improvements to several other applications within the system.

LevelDropper Android app infected with autorooting malware. Lookout researchers identified the LevelDropper app in the Google Play Store which hides malware capable of rooting the user’s device in order to install unwanted applications. Researchers also found two privilege escalation exploits and supporting package files such as busybox and SuperSU, which also have the ability to root the device.

6/29/16

Former attorney pleads guilty to participating in fraudulent mortgage modification scheme. A former Irvine, California-based attorney pleaded guilty June 27 to Federal charges for his role in a multi-million dollar fraudulent mortgage modification scheme where he and co-conspirators allegedly convinced homeowners facing foreclosure to pay up to $5,500 for services from the Rodis Law Group (RLG) by falsely claiming that RLG consisted of a team of attorneys experienced in negotiating loan modifications from the homeowners’ mortgage lenders, and by purporting that RLG was consistently successful in obtaining lower interest rates for homeowners, among other misrepresentations between October 2008 and June 2009.

Michigan men suspected in Canton credit card fraud. Two Michigan men were arrested at a Walmart store in Canton, Ohio, June 24 for allegedly using stolen credit card information to clone a credit card and purchase 501 gift cards and pre-paid debit cards. Authorities stated the cards were worth over $50,000.

Microsoft Office 365 corporate users hit by Cerber ransomware attack. Avanan researchers reported that about 57 percent of all companies using Microsoft Office 365 received at least 1 copy of the Cerber ransomware in their inboxes in a June 22 attack that lasted 5 hours before Microsoft blocked the malicious file attachments.

MIRCOP ransomware claims to be victim, demands payback. Trend Micro researchers reported that the MIRCOP ransomware abuses Microsoft PowerShell to download and execute the malicious payload, and sends the user a ransom note claiming that the victim stole 48.48 Bitcoins, suggesting that the victim knows how to return the money. MIRCOP prepends files with the string “Lock” and can steal credentials from various applications including Mozilla Firefox, Google Chrome, Opera, FileZilla, and Skype.

6/28/16

Uber bugs allowed hackers to gather details on rides, drivers, passengers. Security researchers from Integrity discovered 14 issues in Uber Technologies Inc.’s system that could be exploited to extract user details via the mobile app’s Help Section, obtain a driver’s and user’s universally unique identifier (UUID) and request private information such as names, pictures, location, car types, and status, and use over 1,000 active promo codes that could have added $100 to each driver’s fare earnings, among other flaws.

Bart ransomware locks files as individual password-protected ZIP archives. Security researchers from PhishMe, Proofpoint, and other firms reported that a new ransomware dubbed Bart was similar to the Locky ransomware and believe it was created by the same cyber criminals, because both are distributed through email spam campaigns that deliver a ZIP archive containing a malicious JavaScript (JS) file, which downloads RockLoader and the Bart ransomware. The Bart ransomware uses a different encryption method: it places each file in its own ZIP archive and secures the archive with a password.

Severe vulnerabilities found in Meinberg NTP servers. Meinberg released firmware updates for several of its network time protocol (NTP) time servers after a security researcher found the devices were plagued with two stack-based buffer overflows and a weak access control issue that could allow an attacker to escalate privileges to root.

Flaw allowed hackers to deliver malicious images via PayPal. PayPal fixed a flaw in its Web site after a security researcher discovered the Uniform Resource Locator (URL) of payment pages set by users included a parameter named “image_url” that could be replaced with a URL pointing to an image hosted on a remote server, which could allow an attacker to use a third-party vendor’s PayPal payment page to deliver malicious images.

6/24/16

Hackers breach US company and unwittingly expose 154 million voter records. Security researchers from MacKeeper discovered that a CouchDB database containing details on over 154 million U.S. voters was compromised after a hacker took down the firewall of L2, a company that builds, manages, and sells access to U.S. voter records. The database contained 1-year-old information and was taken down, and authorities were unsure of the identity of the hacker.

Criminals set up fake companies to hijack and sell IPv4 addresses. Security researchers from Check Point reported that cyber criminals were leveraging legacy networks belonging to companies no longer in existence by scanning the IPv4 address pool and searching for networks’ contact information, and if no data is found, attackers impersonate the defunct company by re-registering old business names or expired domain names.

Massive spam flood delivering Cerber ransomware hit users at the end of May. Check Point released a report which detailed that the Cerber ransomware was attacking victims in April and May through two recent incidents involving large volumes of email spam containing Microsoft Office documents loaded with malicious macros that downloaded and installed the ransomware.

6/23/16

SEC halts scheme defrauding pro athletes. The U.S. Securities and Exchange Commission unsealed a complaint June 21 charging and freezing the assets of The Ticket Reserve Inc., its chief executive officer, a chief operating officer, and a managing director from RGT Capital Management after the group allegedly siphoned more than $33 million from professional athletes’ bank accounts without their authorization in order to invest the money into The Ticket Reserve, make Ponzi-like payments to existing investors using money from new investors, and falsify documents, among other illicit actions taken to conceal the scheme. The charges also allege that the managing director received nearly $2 million in hidden compensation from the company, failed to disclose to investors that he was a member of The Ticket Reserve’s board of directors, and falsely claimed to be a certified public accountant (CPA).

Over a dozen flaws patched in Pidgin chat client. The Pidgin project released Pidgin 2.11.0, patching 16 vulnerabilities including information disclosure, denial-of-service (DoS), directory traversal, and buffer overflow flaws, after a security researcher from Cisco Talos discovered the vulnerabilities could allow a man-in-the-middle (MitM) attacker to overwrite arbitrary files on the system, among other actions.

Carbonite online backup service resets all users passwords after cyber-attack. Carbonite, the online backup service for Apple Mac and Microsoft Windows products, reported that it issued a service-wide password reset for all of its users June 21 after the company discovered an ongoing, large-scale account takeover (ATO) or identity testing attack against its systems. The company stated the third-party attack did not compromise any users’ accounts and that it initiated the password reset as a precautionary measure.

WordPress 4.5.3 fixes bug that allowed password change via stolen cookies. WordPress released its newest version WordPress 4.5.3 fixing 8 security bugs and 17 maintenance issues including simple cross-site scripting (XSS) flaws, a denial-of-service (DoS) flaw, and an insecure input filtering flaw after a company security researcher discovered that one of the flaws could allow attackers to change a user’s password by leveraging stolen cookies.

Several vulnerabilities patched in Libarchive library. The Libarchive project released version 3.2.1 of its open-source library after a security researcher from Cisco Talos discovered three severe flaws, including a stack-based buffer overflow flaw and a heap corruption flaw that can lead to arbitrary code execution, as well as an integer overflow flaw that could allow an attacker to execute arbitrary code using specially crafted 7-Zip files.

6/22/16

Stafford police arrest man wanted for $386,000 in bank fraud by opening up phony bank accounts. A New Jersey man was arrested in Atlantic City June 18 after he and co-conspirators allegedly defrauded TD Bank out of $386,000 by opening over 86 fraudulent checking accounts at bank branches in New Jersey, Pennsylvania, New York, Connecticut, and Massachusetts since June 2015. The man was arrested after a bank employee recognized the man from previous fraud attempts and notified authorities.

Springfield woman admits cashing $1.4M worth of fake tax refund checks. A Springfield, Massachusetts woman pleaded guilty June 20 to orchestrating a scheme where she and co-conspirators cashed 236 fraudulent Federal income tax refund checks in order to steal nearly $1.4 million in tax returns from January 2012 – May 2013. Authorities stated that the group filed the fraudulent returns and Social Security numbers under the names of people living in Puerto Rico, while the addresses were falsely listed as Massachusetts and New York.

Cybercriminals use new tricks in phishing attacks. Sucuri researchers reported that phishing attacks were increasing and cyber attackers were using new techniques to avoid detection, after discovering that attackers were leveraging hosting providers’ failure to properly configure temporary Uniform Resource Locators (URLs), which are offered to users to test their Web sites before linking them to separate domains. An attacker can register an account on a shared server, upload phishing pages, and compile a list of other Web sites on that server, which makes the phishing pages reachable under any neighboring domain name.

Acer security breach exposes data of 34,500 online shoppers. Acer Inc. reported that its online store was compromised after a hacker leaked 34,500 customers’ data, including customer names, addresses, and credit card numbers with expiration dates and CVC security codes, from May 2015 – April 2016. The breach was traced to the company inadvertently storing customer data in an unsecured format.

6/21/16

Man arrested in Boca Raton stole more than $89K using ATM skimmers, police say. A Colombian citizen was arrested in Boca Raton, Florida, June 16 after he allegedly installed 10 skimming devices at Chase Bank branch ATMs in Miami-Dade, Broward, and Palm Beach counties in order to steal the credit or debit card information of over 300 ATM customers and skim at least $85,000 from the victims’ accounts. The man was arrested when a Chase Bank investigator witnessed the man installing a skimmer and notified authorities.

Losses from business email scams reach a whopping $3 billion. The FBI’s Internet Crime Complaint Center (IC3) reported that global Business Email Compromise (BEC) scams and campaigns were increasing, with companies losing over $3 billion in global scams and over $960 million in U.S.-targeted scams from October 2013 – May 2016. Many targeted companies stated that the fraudulent actions occurred after hackers gained access to the chief financial officer’s or chief executive officer’s email account.

6/20/16

Time runs out for suspected ‘Countdown Bandit;’ arrest made in North Jersey bank heists. A man dubbed the “Countdown Bandit” was arrested June 16 after he allegedly robbed the Spencer Savings Bank in Wallington, New Jersey, and at least nine other banks in the region since February 2015.

Adobe patches flash zero-day exploited by APT Group. Adobe released Flash Player 22.0.0.192, which addressed 36 flaws that could be exploited for arbitrary code execution and information disclosure, after a new advanced persistent threat (APT) group dubbed “ScarCruft” used the flaws in its “Operation DayBreak” campaign against high-profile targets. In addition, researchers discovered that the attackers were bypassing modern anti-malware products by decrypting and executing shellcode that downloads and runs a Dynamic Link Library (DLL) file.

GitHub resets some user passwords after brute-force attack. GitHub reported that it reset affected users’ passwords and advised users to review their password strength and enable two-factor authentication for their accounts after the company’s security researchers found a hacker had used credentials leaked during a previous breach of another service to access GitHub users’ accounts. The company stated its own systems were not compromised or breached in the attack.

Microsoft open-sources “Checked C,” a safer C version. Microsoft released its open-source Checked C, which will help developers detect common programming errors such as buffer overruns, out-of-bounds memory access, and incorrect type casts, the kinds of errors behind vulnerabilities including Shellshock, Heartbleed, and Sandworm. Checked C modifies how pointers are handled and allows programmers to detect these errors as they write the code.

6/17/16

Former credit union CEO accused of bank fraud. Pennsylvania officials charged the former chief executive officer of Valor Federal Credit Union, formerly known as Tobyhanna Federal Credit Union, June 15 after he allegedly embezzled over $700,000 from the bank and used the money for personal use. Authorities stated that the former executive also attempted to rig the elections for the bank’s board of directors and established a fraudulent severance deal where he would be paid over $1 million if he was terminated.

Man uses fake ID to get debit card, steals $90K. Authorities are searching June 15 for a man who used a fraudulent ID and documents to steal $90,000 from a victim’s bank accounts at 5 Chase Bank branches in San Diego County since March. Authorities stated that the man is suspected of committing similar thefts in Los Angeles and Orange counties.

24 charged in ‘intricate’ international bank fraud ring. Twenty-four people were charged June 14 for their roles in an international bank fraud ring where the group stole $1 million from banks and corporations by creating phony companies to defraud individuals and companies into wiring over $8 million to the group’s fraudulent corporate bank accounts. Authorities stated that the indictments were part of an ongoing investigation that was initiated following a routine traffic stop.

Microsoft OLE abused to embed malicious code in Office docs, similarly to macros. Security researchers discovered a malware infection method that abuses Microsoft’s Object Linking and Embedding (OLE) system by tricking users into running an embedded JavaScript or VBScript file that downloads an encrypted binary, bypassing network-based protections that identify malicious data formats. Once the scripts save the encrypted binary, the Vibrio or Donvibs trojan is installed, and the final payload, Cerber ransomware, can infect the victim’s system.

Flaw allowed hackers to steal emails from Verizon users. A security researcher discovered several vulnerabilities in Verizon’s Webmail portal that could be exploited by hackers, who possess a Verizon email account, to substitute the value of the userID in their own request with the victim’s userID in order to forward all the victim’s emails to an arbitrary email address. Victims would be unaware of the email forwarding as the transactions are not shown in the Verizon inbox.

70,000 hacked servers for sale on xDedic underground market. Security researchers from Kaspersky Lab investigated the xDedic marketplace, a global forum where cybercriminals can buy and sell access to compromised servers, and found that 70,624 hacked remote desktop protocol (RDP) servers used to host or provide access to popular consumer Web sites were for sale. The illegal data can be used to target government entities, corporations, and universities without the institute’s knowledge.

Schneider patches severe flaw in video management system. Schneider Electric released version 7.13.84 for its Pelco Digital Sentry (DS) product after the company found the tool contained hardcoded credentials that could be leveraged by an attacker to elevate their privileges and gain access to sensitive information or execute arbitrary code on the affected system.

6/16/16

Serial bank robber ‘The Forever Loyal Bandit’ arrested in Virginia, police say. The “Forever Loyal Bandit” was arrested June 14 in Fairfax County, Virginia, after he allegedly committed six bank robberies and one attempted robbery in Fairfax and Arlington counties since June 2014.

Hacker steals 45 million records from 1,100 home, sports and tech support forums. VerticalScope.com reported that its system was compromised in February after a hacker stole over 45 million user records from its database which contained details from over 1,100 tech, home, and sport support portals.

APT group uses Flash zero-day to attack high-profile targets. Security researchers from Kaspersky Lab reported that a new advanced persistent threat (APT) group dubbed “ScarCruft” was using a Flash Player zero-day vulnerability and a Microsoft XML Core Services (MSXML) vulnerability to target high-profile people through campaigns dubbed “Operation Daybreak” and “Operation Erebus.” Kaspersky stated it will release more details on the campaigns after Adobe releases a patch.

SAP patch batch includes fix for 3-year-old info disclosure vuln. SAP released patches for its Business Intelligence and Business Warehouse products, which addressed a three-year-old flaw and more than 20 vulnerabilities including a directory traversal vulnerability that can be exploited to access any file on the operating system (OS) and obtain critical data about the company’s finances.

Microsoft patches critical flaws in Windows, Edge, Office. Microsoft released 16 security bulletins which patched about 40 vulnerabilities in its Windows, Edge, Internet Explorer, Office, and Exchange Server products after security researchers found a remote attacker could exploit a use-after-free vulnerability for arbitrary code execution by sending a specially crafted request to the targeted Domain Name System (DNS) server. Other patched vulnerabilities included privilege escalation flaws, remote code execution (RCE) flaws, and a denial-of-service (DoS) flaw, among others.

Flash security patch coming in two days to fix zero-day used in live attacks. Adobe announced that it will release an emergency patch June 16 to fix a zero-day vulnerability affecting all Flash Player installations after security researchers from Kaspersky found the flaw was being exploited in the wild in targeted attacks. An attacker could exploit the flaw to crash a Flash Player installation, enabling the attacker to run malicious code on the user’s system and control the machine.

6/15/16

Former Ithaca accountant admits to $10M investment fraud. The former managing partner, treasurer, and secretary of Global Financial Fund 8 LLP pleaded guilty June 13 to Federal charges after he and 2 co-conspirators allegedly defrauded at least 16 investors out of $10 million by making phony profit payments to the investors between 2004 and 2005, and by claiming investors’ funds were held in an Italian bank where the money was generating significant profits. Officials stated the former accountant used $1.5 million of the investors’ funds for personal use.

RAA ransomware is 100 percent JavaScript. Security researchers from Emsisoft reported that a new ransomware family titled RAA was the first ransomware to solely use obfuscated JavaScript code to infect computers and encrypt victims’ data after finding the ransomware includes the CryptoJS library which allows RAA to encrypt files. The ransomware uses JavaScript to deter security researchers from reverse-engineering its source code.

Samsung patches privilege escalation flaw in update tool. Samsung released SW Update version 2.2.7.24 after a security researcher from Frost Security discovered that Samsung’s SW Update application tool was plagued with a vulnerability that could allow an attacker to gain complete control over a Samsung computer by placing specially crafted Dynamic Link Libraries (DLLs) in the SW Update folder.

Ransomware targets Android smart TVs. Security researchers found that Sharp and Philips brand smart TVs running the Android TV operating system (OS) were susceptible to the FLocker ransomware, which disguises itself as the U.S. Cyber Police, accuses victims of crimes they did not commit, and demands $200 worth of iTunes gift cards; it spreads via spam Short Message Service (SMS) messages or malicious links. Researchers advised affected users to contact the device vendor and enable the Android Debug Bridge (ADB) tool.

6/14/16

‘Bad Eye Bandit:’ guaranteed $1,000 reward to help catch serial bank robber wearing wig, patch over hurt eye for heists. Authorities offered a reward June 10 in exchange for information on a man dubbed the “Bad Eye Bandit” who is suspected of committing six bank robberies in Washington since January.

Email server glitch exposes email addresses for 7,618 Let’s Encrypt users. The Let’s Encrypt project, launched by Mozilla Foundation and the Electronic Frontier Foundation, reported June 11 that a glitch in its email newsletter system inadvertently exposed the email addresses of 7,618 users, which were 1.9 percent of the entire subscriber base. Let’s Encrypt officials stated they will provide an incident report on what transpired.

Hackers find clever way to bypass Google’s two-factor authentication. A security researcher from Clearbit.com reported an active attack on Google’s two-factor authentication (2FA) after discovering that attackers were disguising their messages as Google notifications in order to trick victims into sending the 6-digit verification code associated with each email account.

Facebook activates Safety Check after Orlando massacre, its first use in US. Facebook activated its Safety Check tool which aimed to inform family and friends of the status of people near an affected area following the June 12 shooting at the Pulse nightclub in Orlando. The tool was utilized for the first time in the U.S. after it was activated during the 2015 Paris shooting.

6/10/16

‘North Center Bandit’ hits bank for first time in 6 months. Authorities offered a reward in exchange for information on a man dubbed the “North Center Bandit” who is suspected of robbing a Chase Bank branch in the Jefferson Park area of Illinois June 8. Officials stated the man is suspected of committing four other bank robberies in the Chicago area since August 2015.

Two arrested in southwest VA after traffic stop, search yields 99 fake credit cards. Two New York men were arrested and charged in southwest Virginia June 6 after police discovered around 99 counterfeit or forged credit cards in the duo’s vehicle during a routine traffic stop.

Fourteen defendants charged with drug trafficking and illegal weapons possession in the Cypress Hills Houses in Brooklyn. Indictments unsealed June 7 revealed that authorities arrested and charged 14 members of the Back Side and Team Side gangs in Brooklyn, New York, after FBI agents intercepted a package belonging to the defendants that contained more than 1,300 fraudulent credit cards. Authorities stated that a Federal investigation also revealed the gang members were trafficking weapons and drugs from the New York City Housing Authority’s Cypress Hills Houses.

Bug in Chrome’s PDF reader allows arbitrary code execution. A security researcher discovered that PDFium, the default PDF reader in the Google Chrome Web browser, was susceptible to a heap-based buffer overflow vulnerability in the OpenJPEG parsing library that can be exploited through a PDF file with an embedded JPEG 2000 image whose SIZ marker states 0 components. The vulnerability can be exploited to achieve arbitrary code execution on a victim’s system and cause disruption of service, unauthorized information disclosure, and modification.

uTorrent forums breached via software vendor, consider passwords compromised. The uTorrent team released a security advisory warning users of an intrusion into their IP.Board forum, provided by Invision Power Services, after a client experienced a breach when an attacker downloaded user information from the forum and accessed other Invision users. The attacker’s entry point was unknown, but Invision Power Services released a security update June 1 for its IP.Board forum platform.

RansomWeb attacks on the rise. Security researchers from High-Tech Bridge reported that RansomWeb attacks were increasing and have been targeting large organizations with business-critical Web applications by encrypting data on-the-fly before its insertion into the database, which can allow attackers to remain undetected and ensure that Web site backups are overwritten with encrypted content to prevent victims from decrypting the files.

Mandatory password reset for some Facebook and Netflix users in wake of mega-breaches. Facebook Inc. and Netflix began notifying their customers that, as a precaution, the companies have reset their users’ passwords after an attacker breached the Web sites of VK.com, Tumblr, MySpace, and LinkedIn and released over 750 million user records online.

6/9/16

Kansas tax return preparer pleads guilty to stealing more than $2 million in government funds. A Kansas tax return preparer pleaded guilty June 6 to Federal charges after he obtained over $2 million in fraudulent tax returns from the U.S. Internal Revenue Service (IRS) by filing false tax returns in the names of his clients without their knowledge and directing the refunds into bank accounts he controlled.

Critical vulnerabilities patched with release of Firefox 47. Mozilla released version 47 of its Firefox Web browser which patched more than a dozen flaws including a heap buffer overflow vulnerability that can be exploited when parsing Hypertext Markup Language 5 (HTML5) fragments, several memory safety bugs, a use-after-free flaw, a pointer lock permission bypass issue, and an out-of-bounds write flaw, among other vulnerabilities.

Uber pays researcher $10K for login bypass exploit. Uber Technologies Inc. recently patched a flaw in its Web site after a security researcher found a hacker could bypass the OneLogin system used for employee authentication and potentially compromise its internal network hosted on Atlassian’s Confluence collaboration software. In addition, the security researcher stated that the flaw could be exploited to compromise a server that uses WordPress plugins.

Critical vulnerabilities patched in Android Mediaserver, Qualcomm drivers. Google released security updates for its Android operating system (OS) which patched a total of 40 vulnerabilities in the platform including 15 security vulnerabilities in the Mediaserver component, 16 flaws in the Qualcomm drivers, and 9 bugs in other components and drivers.

6/8/16

Facebook patches vulnerability in Messenger app. Security researchers from Check Point discovered that the Facebook Messenger app was plagued with a vulnerability that could allow attackers to change the content of a conversation or replace legitimate links and files with malicious content. Attackers could exploit the flaw by obtaining the identifier (ID) assigned to each message via a request to “facebook.com/ajax/mercury/thread_info.php” and sending another message with a duplicate ID to the victim.

Massive DDoS attacks reach record levels as botnets make them cheaper to launch. Akamai released a report titled State of the Internet which revealed that during the first quarter of 2016, there were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gigabits per second, making DDoS attacks four times more prevalent than the previous quarter. The report indicated that criminals could now afford to launch crippling attacks towards major companies.

Angler exploit kit finds a method to escape Microsoft’s EMET security toolkit. Security researchers from FireEye reported that Angler exploit kit (EK) installations were capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) on Windows 7 to infect a system by deploying two exploits, one for Flash and one for Silverlight. The two exploits run their code via protected memory slots that allow them to deliver a malicious payload regardless of EMET’s Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF), and EAF+ mitigations.

Black Shades ransomware asks victims only for a measly $30. Several security researchers from various companies discovered a ransomware dubbed Black Shades Crypter was locking user files and demanding ransom money after finding that the ransomware adds an extra extension, “.silent” to encrypted files, informs victims to pay a small ransom to unlock their files, and encodes strings in its source code to make it difficult for malware analysts to decode.

Windows BITS Service used to reinfect computers with malware. Security researchers from SecureWorks stated that attackers were using the Windows Background Intelligent Transfer Service (BITS) to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware, after an investigation revealed that the original malware, called Zlob.Q, added malicious entries to the BITS service, which would download malicious code on the system, run the malware, and erase itself when the infection is completed.

6/7/16

FDIC, banks in $190 million settlement over risky Countrywide debt. The U.S. Federal Deposit Insurance Corporation (FDIC) announced June 2 that 8 financial services firms paid the FDIC $190 million to settle claims that they violated Federal and State securities laws after they misled 5 U.S. banks into buying risky residential mortgage-backed securities (RMBS) from the former Countrywide Financial Corp., by making material misrepresentations in the offering documents for 21 Countrywide RMBS the financial firms underwrote from 2005 – 2007. The settlement funds will be distributed among the five banks, which failed in 2008 and 2009 in part as a result of the risky mortgage securities.

CryptXXX ransomware improves security, GUI slurps Cisco creds. Security researchers from Proofpoint reported that the developers behind the CryptXXX malware released new variations of the malware that can encrypt network shares and steal account logins by using StillerX to steal account credentials from various software programs, including Cisco Virtual Private Networks (VPNs), Microsoft Credential Manager, and online poker platforms, after researchers found the new variant had updates to its encryption, network share scanning, cosmetic updates, and updates to lock screen behavior.

High severity DoS vulnerability patched in NTP. The NTP project released a new version of its Network Time Protocol daemon (ntpd) patching five vulnerabilities, including a high severity denial-of-service (DoS) flaw that an off-path attacker can leverage to cause a preemptable client association to be demobilized. Other patched flaws included one in which bad authentication demobilizes ephemeral associations, the processing of spoofed server packets, an autokey association reset, and a broadcast interleave issue.

New Cerber ransomware variants morph every 15 seconds. Security researchers from Invincea reported that the developers behind the Cerber ransomware were using a technique called “malware factory” to change the ransomware’s mode of operation to bypass basic scanning techniques and infect computers, even those with antivirus products, by sending out different file hashes every 15 seconds from its command and control (C&C) server.

GhostShell leaks around 36 million records from 110 MongoDB servers. The Romanian hacker GhostShell reportedly leaked 36 million user records from 110 MongoDB servers online after the hacker found 5.6 gigabytes of data on the hacked servers’ Internet Protocol (IP) addresses, which contain real names, usernames, email addresses, passwords, general social media data, and details about the user’s smartphone model, among other personal information. The hacker revealed that the hack was part of a campaign to raise awareness on the importance of cyber security practices.

6/6/16

SEC: Adviser steered investor money to his own companies. The U.S. Securities and Exchange Commission announced June 2 charges against a North Carolina-based investment advisor for allegedly defrauding at least 85 investors out of approximately $11.5 million after he sold interests in two unregistered pooled investment vehicles, DCG Commercial Fund I LLC and DCG Real Estate Assets LLC, siphoned the investment funds into deals with companies he owned and operated, and improperly received over $1.5 million from the investor funds’ bank accounts in management fees. Officials stated that the adviser continued the scheme by making false or misleading statements to investors regarding their investments, and failed to inform investors of their losses as his companies failed to pay the loans in full, among other illicit actions.

SEC: forex trader misrepresented track record and hid massive losses. The U.S. Securities and Exchange Commission announced June 2 charges against a New York City-based trader for allegedly defrauding over 30 investors out of $14 million since 2012 by misrepresenting her investment track record, the profitability of her investments, and her use of investor funds after she purported to have profitable foreign currency (forex) trading strategies and sent investors fraudulent account statements showing fictitious profits. New York officials filed parallel criminal charges June 2 against the trader for the scheme which caused over $16 million in losses.

One in ten NFS servers worldwide is misconfigured, exposes sensitive files. Fortinet researchers found that tens of thousands of inattentive system administrators are using older versions of the Network File System (NFS) protocol, such as insecure NFSv3, which can expose private or sensitive files to the Internet, including server logs, server backups, the source code of various Web sites, and server image files. Researchers recommended that companies switch to the NFSv4 protocol, which has been modified to use Kerberos to provide a basic level of authentication.

WordPress sites under attack from new zero-day in WP mobile detector plugin. Security researchers from Plugin Vulnerabilities discovered that hackers were exploiting an arbitrary file upload vulnerability in the WP Mobile Detector plugin, which handles image uploads, to upload Hypertext Preprocessor (PHP)-based backdoors on WordPress Web sites after finding that the plugin lacks basic input filtering, allowing attackers to pass a malicious file that is uploaded to the plugin’s /cache directory.

Researchers find 5,275 login credentials for top 100 companies on the Dark Web. Anomali, a U.K.-based security firm, reported that over 5,000 login credentials including email addresses, cleartext passwords, and usernames were posted online via the Dark Web, potentially allowing hackers to use the stolen information to access various sections of an Information Technology (IT) network owned by the top 100 international companies. The firm stated that the credentials were primarily from the oil and gas industry, pharmaceuticals, consumer goods, banking, telecommunications, and military sectors.

Two men plead guilty in U.S. to hacking, spamming scheme. Officials reported June 2 that two men pleaded guilty in New Jersey for their involvement in a hacking and spamming scheme that generated more than $2 million in illegal profits after the duo and a co-conspirator targeted and stole the personal information of 60 million people, hacked into corporate email accounts, seized control of corporate mail servers, and created their own software to exploit vulnerabilities in numerous corporate Web sites via specially crafted code in computer programs, which hid the origin of the spam and bypassed spam filters.

6/3/16

Couple arrested for allegedly manufacturing 80 fake credit cards. Two Tennessee residents were arrested in Kingston May 27 for allegedly manufacturing about 80 counterfeit credit and gift cards after a routine traffic stop led authorities to the duo’s motel room, prompting a subsequent search of the room which revealed a card reader, a machine used to punch numbers on credit cards, and blank cards, among other illicit materials.

KeePass update check MitM flaw can lead to malicious downloads. A security researcher reported that all versions of KeePass, an open source password manager, were susceptible to a man-in-the-middle (MitM) attack that could allow attackers to trick users into downloading malware disguised as a software update, as the product uses Hypertext Transfer Protocol (HTTP) to request the current version information, allowing an attacker to modify the server response. A KeePass developer stated the vulnerability will not be fixed, as the cost of switching to Hypertext Transfer Protocol Secure (HTTPS) makes it an unviable solution.

Cisco fixes flaws in network analysis modules. Cisco released patches addressing high and medium severity vulnerabilities in its Prime Network Analysis Module products that could allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted Internet Protocol version 6 (IPv6) packets on the network, as well as remotely execute arbitrary commands on the underlying operating system via specially crafted Hypertext Transfer Protocol (HTTP) requests.

Google fixes 15 security bugs in Chrome, awards $26,000 to researchers. Google released version 51.0.2704.79 of its Chrome Web browser, which fixes 15 security flaws including two high-severity vulnerabilities that could allow attackers to bypass the browser’s cross-origin code execution restrictions and run malicious code via the Blink engine and its Extensions component. The new Web browser version also patched some flaws that crashed the browser or scrambled its download file paths.

Microsoft patches Outlook.com to fix recent spam flood. Microsoft released a patch for its Outlook and Hotmail products after the company received reports of a massive spam flood that bypassed the products’ spam filters, allowing hackers to inundate users with Viagra ads and Russian bride ads.

ABB patches password flaws in substation automation tool. ABB released software updates for one of its substation automation products, PCM600, after a security researcher from Positive Technologies found several vulnerabilities in industrial control systems (ICS) and found that the PCM600 product was plagued with four password-related flaws. The flaws can be exploited via the password hash, which can be easily broken to allow an attacker to obtain the password.

User data possibly stolen in Scrum.org hack. Scrum.org released a patch and warned its users that their usernames, email addresses, encrypted passwords, password decryption keys, profile pictures, and certification information may have been compromised after an investigation revealed that an unknown user had created a new admin account on the mail server and modified the settings. In addition, Scrum.org was notified that its software was plagued with a flaw that could be exploited to conduct the same malicious activities.

6/2/16

SEC: Nashville firm schemed to collect extra fees from hedge funds. The U.S. Securities and Exchange Commission announced May 31 charges against Nashville-based Hope Advisers Inc., and its owner for allegedly scheming to collect extra monthly fees from two hedge funds managed by the firm, Hope Investments LLC and HDB Investments LLC, by orchestrating certain trades that enabled the funds to experience large gains at the end of one month, guaranteeing significant losses at the beginning of the next month in order to delay the realization of trading losses and continue earning large incentive fees. Officials stated that the scheme allowed Hope Advisers to avoid the realization of over $50 million in losses in the hedge funds and earn millions of dollars in fraudulent fees.

Update tools preinstalled on PCs expose users to attacks. Security researchers from Duo Security conducted an analysis of software update and support tools shipped by major personal computer (PC) makers including Acer, Asus, HP, Dell, and Lenovo, and discovered that each of the tested updater tools was plagued with at least one flaw that could be easily exploited for remote code execution (RCE) with SYSTEM permissions, which can lead to a complete compromise of the vulnerable device.

ZCryptor ransomware spreads via removable drives. Security researchers from Microsoft and TrendMicro reported that the ransomware dubbed Ransom:Win32/ZCryptor.A was targeting Windows XP 64-bit computers and Windows 7 and Windows 8 versions to encrypt files and demand monetary funds by dropping an autorun.inf file on removable drives, which allows the ransomware to infect a computer once the removable drives are connected. In addition, the ransomware leverages network drives to self-propagate from a compromised system.

Windows zero-day affecting all OS versions on sale for $90,000. A hacker under the name BuggiCorp was discovered selling a zero-day vulnerability affecting over 1.5 billion users and all versions of the Windows operating system (OS) after security firm Trustwave found the attacker could escalate the privileges of an application in Windows 10 with the May 2016 security patch installed, and bypass all security features including Microsoft’s newest version of the Enhanced Mitigation Experience Toolkit (EMET).

DDoS attack via TFTP protocol becomes a reality after research goes public. Security researchers from the Akamai Security Incident Response Team (SIRT) reported that it had detected at least ten distributed denial-of-service (DDoS) attacks since April 20 in which attackers employed Trivial File Transfer Protocol (TFTP) servers as part of a multi-vector DDoS attack, mixing different DDoS-vulnerable protocols together to confuse a victim’s Information Technology (IT) department. In addition, researchers found a weaponized version of the TFTP attack script circulating online following an Edinburgh Napier University study which detailed how to carry out reflection DDoS attacks via TFTP servers.

ICS system with public exploits cannot be patched. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released a security advisory for customers using the Environmental Controls System (ECS) 8832 version 3.02 and earlier versions after a security researcher discovered the product had two vulnerabilities, which cannot be patched, including an authentication bypass flaw and a privilege escalation flaw that could allow an attacker to perform unauthenticated operations over the network. The ECS product is used in the energy industry to provide operators with an interface to control calibration functions.

6/1/16

Bank robber called ‘Ball Cap Bandit’ hunted by FBI. Authorities offered a reward May 31 in exchange for information regarding a man dubbed the “Ball Cap Bandit,” who is suspected of robbing nine Chase Bank branches in Palm Beach County, Broward County, and Martin County, and one PNC Bank branch in Martin County since December 2015. Authorities stated that the suspect should be considered armed and dangerous. 

65 million users affected by Tumblr breach. Tumblr officials reported that, as a precaution, they have reset all their customers’ passwords after an Australian security researcher found that a hacker under the online name “peace_of_mind” posted the information of 50 million Tumblr accounts on a darknet Web site called “The Real Deal” for a small sum of money. The same hacker was also seen selling millions of records of LinkedIn, Fling.com, and Myspace users.

Tor browser 6.0 based on Firefox 45-ESR released with updated security features. The Tor Project released version 6.0 of its Web browser for Linux, Mac, and Windows, which includes Hyper Text Markup Language 5 (HTML5) support, code-signing for Mac operating system (OS) X, and the removal of support for Secure Hash Algorithm 1 (SHA-1) certificates.

Recently patched OpenSSL flaw still plagues top sites. An OpenSSL vulnerability previously patched in early May was discovered unpatched on 19 percent of Alexa Top 10,000 Web sites after a security researcher from High-Tech Bridge conducted an automated, non-intrusive scan by searching for the use of Advanced Encryption Standard (AES) Cipher Block Chaining (CBC) and by using custom OpenSSL code designed to check for the vulnerability. 

WordPress plug-in flaw puts over 1M websites at risk. Security researchers from Sucuri discovered a cross-site scripting (XSS) vulnerability that affects all Jetpack versions starting with 2.0 and released since 2012 after finding that the flaw was located in the Shortcode Embeds Jetpack module and could allow an attacker to inject malicious JavaScript code into the comments of external videos, images, documents, tweets, and other resources. The flaw can be exploited to steal users’ authentication cookies, redirect victims to exploits, and inject search engine optimization (SEO) spam. 

Ancient Bayrob backdoor trojan resurfaces after nine years with updated versions. Security researchers discovered that the Bayrob trojan, which was dormant for nine years, started reappearing with new features, including cloning techniques that allow the trojan to launch multiple processes, each tasked with its own malicious routine; encryption of exfiltrated information; and a custom protocol over Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate with its server.

Reddit resets passwords for 100,000 users after recent surge in hacked accounts. A Reddit spokesperson reported May 26 that, as a precaution, the company advised 100,000 of its users to reset their passwords after a security researcher detected an increase in account hijackings.