Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers. Click Here for Information.
ATM and Gas pump skimming information. Click Here for Article.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
SEC charges operators of fraud based in Upstate New York. The U.S. Securities and Exchange Commission charged 2 men and 8 companies July 30 with allegedly defrauding over 125 investors out of at least $8 million through misleading statements about company prospects, and through the sale of purported “charitable gift annuities” falsely claimed to have been backed by reputable insurance companies.
AK-47 Bandit strikes again, robs credit union in Iowa. Authorities offered a $100,000 reward for information leading to the arrest and conviction of a suspect dubbed the “AK-47 Bandit”, who allegedly robbed a credit union in Mason City, Iowa July 28, shot a police officer in a robbery in California in 2012, and is linked to 4 other bank robberies in multiple States.
Investment adviser pleads guilty in $1.2B Ponzi scheme. A Florida investment adviser pleaded guilty July 29 to charges surrounding his role in a $1.2 billion Ponzi scheme that collapsed in 2009, in which he allegedly lured investors to the scheme’s mastermind through deception and false assurances. Over two dozen other suspects have been convicted in connection to the scam.
“Thin green line” scam allegedly made millions for scam artists. Authorities indicted 8 South Florida individuals who allegedly solicited about $2.4 million from over 200 investors by claiming their company, Thought Development Inc., had invented a device that generated a green laser line on football fields for easier first-down measurement, as well as a scheme in which the suspects fraudulently sold stock in a fee-based gaming service called Virgin Gaming.
Cisco IOS-XE update time: squash that DoS bug. Cisco released a patch for a vulnerability in its IOS-XE operating system (OS) in which an attacker could cause a denial-of-service (DoS) condition by sending a series of Internet Protocol version 4 (IPv4) or IPv6 fragments designed to trigger an error message.
More than a third of employees would sell company data. Loudhouse released results from a survey on enterprise security practices polling over 500 information technology (IT) decision-makers and 4,000 employees across the U.S., Europe, and Australia, revealing that 25 percent of employees polled would sell company data for less than $8,000, citing the ready access most employees have to valuable data, among other findings.
Most malvertising attacks are hosted on news and entertainment Web sites. Bromium Labs released an analysis of malware evasion technology revealing that over 50 percent of malware is hosted on news and entertainment Web sites, and reported an 80 percent increase in new ransomware families since 2014, among other findings.
Shellshock flaw still actively exploited: Solutionary. Solutionary’s Security Engineering Research Team released findings from a report revealing that the Shellshock bug discovered in 2014 has been actively exploited by threat actors, identifying about 600,000 Shellshock-related events from over 25,000 Internet Protocol (IP) addresses, mostly in the U.S. Researchers noted that education organizations were the most targeted, among other findings.
Maliciously crafted MKV video files can be used to crash Android phones. Security researchers from Trend Micro discovered a vulnerability in the Android operating system’s (OS) mediaserver component in which an attacker could use a malformed Matroska video container (MKV) file to crash and render a device unusable.
Floridian last of 12 convicted in Texas for timeshare fraud. A Florida man was convicted July 28 for leading a $10 million timeshare scam in the U.S. and Canada in which he scammed over 5,000 timeshare owners by hiring telemarketers to solicit fees in false buying promises. Eleven other suspects have pleaded guilty in connection to the scheme.
Two sought for allegedly stealing more than $100K through fraudulent credit card accounts. Authorities reported July 28 that they are seeking the owners of the Fort Washington-based Centra-Spike heating, ventilation, and air conditioning company on charges that the pair allegedly stole $124,981 by using stolen identities of at least 8 victims to obtain fraudulent loans.
Western Union’s Paymap to pay $38.4 mln over mortgage ads. The U.S. Consumer Financial Protection Bureau reported July 28 that Paymap Inc., a unit of Western Union Co., agreed to pay $38.4 million to resolve U.S. regulatory allegations that the company deceived consumers into signing up for a LoanCare LLC program that promised false savings. LoanCare LLC will pay a $100,000 civil fine, and both companies agreed not to advertise the mortgage program’s benefits without providing supporting evidence.
Russian hacker tool uses legitimate Web services to hide attacks: FireEye. Security researchers from FireEye discovered that the APT29 threat group is employing a malicious backdoor dubbed “HAMMERTOSS” that utilizes a multi-stage process involving social media, steganography, and PowerShell to hide malicious activity within legitimate network traffic. Researchers believe that the backdoor is only being deployed against critical targets, possibly as a backup in case other tools fail or are disrupted.
BIND update patches critical DoS vulnerability. The Internet Systems Consortium released updates for the popular BIND Domain Name System (DNS) software addressing a critical remotely exploitable vulnerability in the handling of TKEY record queries in which an attacker could use a specially crafted DNS packet to trigger a denial-of-service (DoS) condition.
Black Vine espionage group attacked aerospace, energy, healthcare industries. Security researchers from Symantec reported that the Black Vine espionage group responsible for the 2014 Anthem system breach has been active since 2012 and has used custom-built malware, zero-day exploits, and watering hole attacks to target organizations across the aerospace, healthcare, energy, military, defense, finance, agriculture, and technology industries, primarily in the U.S.
Microsoft admits critical .NET Framework 4.6 bug, issues workaround. Microsoft released a workaround addressing a critical codegen bug for those running 64-bit processes on .NET Framework 4.6, in which incorrect parameters could be passed, leading to unpredictable results.
Cellphones can steal data from isolated “air-gapped” computers. Researchers at the Ben-Gurion University of the Negev Cyber Security Research Center discovered a way to use central processing unit (CPU) firmware-modification software to turn an air-gapped system into a cellular transmitting antenna, making it possible for any mobile phone infected with malicious code to use GSM phone frequencies to steal data from infected air-gapped systems. Researchers recommended mitigation measures including defined “zones” where mobile phones and other devices are not allowed near at-risk air-gapped computers.
China-tied hackers that hit U.S. said to breach United Airlines. Investigators involved in a probe of a previously unreported May or June breach of United Airlines’ computer systems reported links between the hackers and the Chinese threat group that perpetrated the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from Anthem Inc., as well as at least seven other travel and health insurance organizations. Officials believe that the breach may have compromised movement data of millions of Americans and opened the airline’s systems to future disruptions and attacks.
Xen patches new virtual-machine escape vulnerability. The Xen Project released updates for its virtualization software addressing a vulnerability in the CD-ROM drive emulation feature of the QEMU open-source hardware emulator that could allow an attacker to bypass the security barrier between virtual machines and their host operating systems (OS).
Fraud victims speak out after financial adviser indicted, arrested. Authorities unsealed indictments against the owner of Stanfill Wealth Management July 27 in Knoxville, alleging that she defrauded over 21 investors out of almost $7 million by promising to invest funds in Charles Schwab and Co., and instead diverted the money for her personal use.
One in 600 Web sites lists its .git folder, exposing sensitive data. A Web developer discovered that out of 1.5 million Web sites scanned, 2,402 had an inadvertently exposed .git folder, possibly exposing sensitive information.
Cybercriminals use Angler exploit kit to target PoS systems. Trend Micro researchers reported that cybercriminals have been utilizing the Angler exploit kit (EK) to deliver a reconnaissance trojan that detects mitigation tools before downloading one of three point-of-sale (PoS) malware payloads.
Over 10 million Web surfers possibly exposed to malvertising. Cyphort released tracking data from malicious advertisement campaigns revealing that since July 18, over 10 million people may have visited Web sites containing malicious ads which redirect visitors to directories hosting the Angler exploit kit (EK).
Darkode forum returns with enhanced security measures. MalwareTech researchers reported that the Darkode hacker forum was back online with enhanced security and authentication processes to prevent future infiltrations, after July raids by the FBI and international partners led to the shutdown of the Web site and the detainment of multiple individuals associated with it.
Apple App Store and iTunes buyers hit by zero-day. Security researchers from Vulnerability Lab published a zero-day filter bypass flaw in Apple’s online invoicing system used in its App Store and iTunes that could allow an attacker to hijack a user’s purchasing session to buy and download any app or content they want, before charging it to the original user.
Software vulnerabilities hit a record high in 2014, report says. Secunia released analysis from its Vulnerability Review 2015 revealing that the number of recorded software vulnerabilities hit a record high of 15,435 in 2014, an increase of 18 percent from the previous year, and that many organizations are too slow to release security fixes, among other findings.
Phishing attacks drive spike in DNS threat. Infoblox and Internet Identity published data revealing that the Domain Name System (DNS) Threat Index jumped nearly 60 percent in the second quarter of 2015, reportedly due to a corresponding 74 percent increase in phishing and phishing domains over the same period.
FBI asks public’s help identifying “Sabbatical Bandit” bank robber. FBI officials are looking for information leading to the capture of a suspect dubbed the “Sabbatical Bandit”, who allegedly robbed a Mesa bank July 18 in addition to at least 4 others since 2010.
Android Stagefright flaws put 950 million devices at risk. Security researchers at Zimperium zLabs reported that about 950 million Android devices are vulnerable to flaws in the operating system’s (OS) Stagefright media engine, in which excessive permissions could allow an attacker to send a Multimedia Messaging Service (MMS) or Google Hangouts message to trigger the vulnerability, granting system access on the affected device.
Many high-profile firms using vulnerable PHP File Manager: researcher. A security researcher identified several vulnerabilities in Revived Wire Media’s PHP File Manager application, including the existence of a default user account with backdoor access to systems running the software, lack of protection for the user database, and arbitrary file upload vulnerabilities, among other flaws. Many firms reportedly still use the application even though it has not been updated since its release in 2010 – 2011.
Over 5,000 mobile apps found performing in-app ad fraud. Security researchers from Forensiq discovered at least 5,000 mobile applications being used for mobile hijacking ad fraud worldwide that were observed affecting 12 million unique devices over a 10-day period.
Pair of bugs open Honeywell home controllers up to easy hacks. Researchers discovered vulnerabilities in Honeywell’s Tuxedo touch devices used for controlling home systems, including an authentication bypass bug that could grant access to restricted systems, and a cross-site request forgery bug that an attacker could use during an active authenticated session to execute the same commands as the user.
Retired LAPD detective arrested in series of ‘Snowbird Bandit’ bank robberies. Orange County authorities arrested a former Los Angeles Police Department detective July 23 on suspicion of being the “Snowbird Bandit,” who robbed at least 5 Orange County banks since March.
Four east coast men arrested in San Carlos for credit card fraud. San Mateo County officials arrested 4 suspects July 22 after deputies discovered hundreds of fraudulent gift and credit cards, equipment used to manufacture cards, and various merchandise valued at $125,000 in their vehicle.
Discover to pay $18.5 mln over student loan allegations. U.S. regulators reported July 22 that Discover Financial Services agreed to pay $18.5 million in penalties and consumer refunds to resolve allegations that Discover Bank overstated minimum amounts due on billing statements, took unfair actions on debt collection, and failed to provide basic student loan servicing functions.
Red Hat patches “libuser” library vulnerabilities. Red Hat patched two vulnerabilities in its “libuser” library, including a race condition flaw that could lead to a denial-of-service (DoS) condition and a bug in the chfn function of the userhelper utility that an attacker could leverage to create a DoS condition and achieve privilege escalation on the system.
Citi to shut Banamex USA, pay $140 million fine. Citigroup Inc. announced July 22 plans to liquidate subsidiary Banamex USA and pay $140 million in fines to the Federal Deposit Insurance Corporation and California’s Department of Business Oversight to resolve allegations that Banamex USA failed to comply with Federal anti-money laundering requirements and the Bank Secrecy Act.
Springfield restaurant owner and son plead guilty in multi-million dollar fraud scheme. An owner of multiple Springfield area restaurants and commercial properties and his son pleaded guilty July 22 to charges that they submitted false financial documents to Great Southern Bank in order to receive 4 commercial loans worth about $6 million in 2011.
Four zero days disclosed in Internet Explorer. Hewlett Packard’s Zero Day Initiative released four new remote code execution (RCE) zero day vulnerabilities in Microsoft’s Internet Explorer, including an issue in how the browser processes arrays representing cells in Hypertext Markup Language (HTML) tables in which an attacker could execute code under the context of the current process.
Flash zero-day monster Angler dominates exploit kit crime market. Security researchers from SophosLabs reported that the Angler exploit kit’s (EK) prevalence in the underground malware market has ballooned from about 25 percent to 83 percent between September 2014 and May 2015, likely due to factors including its low cost and high traffic to Angler-infected Web sites. The EK recently incorporated three Adobe Flash zero-day flaws that were exposed in the breach of Hacking Team.
Cyber poltergeist threat discovered in Internet of Stuff hubs. Security researchers from Tripwire’s Vulnerability and Exposure Research Team (VERT) discovered vulnerabilities in Internet of Things-enabled smart home hubs made by Wink, Vera, and SmartThings that could allow an attacker to obtain root shell access on the device and provide entry points to the home network.
Smartwatches: a new open frontier for attack. Hewlett Packard released findings from an assessment of 10 smart-watches and their Android and iOS cloud and mobile application components revealing that each watch contained significant vulnerabilities, including insufficient authentication, lack of encryption, insecure software, firmware, interfaces, and privacy concerns.
Bartalex variants spotted dropping Pony, Dyre malware. Security researchers at Rackspace reported that strains of the macro-based Bartalex malware have been observed dropping Pony loader malware along with the Dyre banking trojan.
4 arrested in schemes said to be tied to JPMorgan Chase breach. U.S. and Israeli law enforcement officials arrested 4 suspects in Florida and Israel July 21 and are searching for another in connection to an illegal Bitcoin money laundering operation and a separate pump-and-dump securities manipulation scheme that allegedly netted millions of dollars, which the suspects allegedly funneled through international shell companies. Authorities are investigating the suspects’ potential roles in a 2014 cyber-attack on JPMorgan Chase that compromised the contact information of 83 million customers.
‘Snowbird Bandit’ strikes again at Rancho Santa Margarita bank. FBI officials reported that the suspect dubbed the “Snowbird Bandit,” tied to at least 3 other area robberies since June, struck a First Citizens Bank in Santa Margarita July 21.
Siemens patches vulnerabilities in SIPROTEC, SIMATIC, RuggedCom products. Siemens released updates for its SIPROTEC 4 and SIPROTEC Compact devices addressing a vulnerability in which an attacker could cause a denial-of-service (DoS) condition, a locally exploitable flaw in its SIMATIC WinCC Sm@rtClient application for Android in which an attacker could extract credentials for the Sm@rtServer, and a flaw in RuggedCom devices leaving them vulnerable to Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks in which a man-in-the-middle (MitM) attacker could extract sensitive information from encrypted communications.
It’s official: the average DDoS attack size is increasing. Arbor Networks reported analysis from Quarter 2, 2015 global distributed denial-of-service (DDoS) attack data revealing that the average size of attacks increased, and that the majority of large volumetric attacks leveraged Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), and Domain Name System (DNS) servers for reflection amplification, among other findings.
Researcher discloses local privilege escalation vulnerability in OS X. Security researchers from SektionEins released details on a vulnerability in Mac Operating System (OS) X in which an attacker could open or create arbitrary files owned by the root user anywhere in the file system by leveraging an environment variable that enables error logging to arbitrary files.
Google Chrome update includes 43 security fixes. Google released an update for Chrome addressing 43 heap-buffer-overflow, use-after-free, and memory corruption vulnerabilities, among others, that could allow an attacker to take control of an affected system.
Bug exposes OpenSSH servers to brute-force password guessing attacks. Security researchers reported that OpenSSH servers with keyboard-interactive authentication enabled by default are vulnerable to unlimited authentication retries over a single connection, exposing users to brute-force password guessing attacks.
Skimming devices found at 3 ATM machines in Seminole. Seminole County authorities reported that ATM skimming devices were installed at three locations in early July, and an investigation is ongoing to locate suspects.
Configuration issue exposes 30,000 MongoDB instances: researcher. The founder of the Shodan computer search engine reported that a default listening configuration in MongoDB exposed about 30,000 database instances containing 592.2 terabytes (TB) of data.
Microsoft issues critical out-of-band patch for flaw affecting all Windows versions. Microsoft released an update addressing a critical remote code execution (RCE) vulnerability in the OpenType Font Driver in the Windows Adobe Type Manager Library affecting all supported versions of Windows that was being exploited in the wild.
Study: half of critical infrastructure IT professionals believe major attack looming. Findings from a survey of over 600 critical infrastructure information technology (IT) professionals in Intel Security’s “Critical Infrastructure Readiness Report” revealed that about half of all respondents believe an attack on critical infrastructure in the next three years will down systems and lead to loss of life, and that 90 percent of respondents’ organizations faced an average of 20 attacks in the last year, among other statistics.
Canadian pleads guilty in massive U.S. penny stock fraud case. A Canadian man pleaded guilty July 17 to charging U.S. penny stock investors $5 million in fees for nonexistent services, stemming from a related $140 million penny stock fraud operation. Nine defendants in four countries have been charged in connection to both schemes.
Three men arrested for 100+ fraudulent credit cards. Marion County, Missouri authorities charged 3 suspects with trafficking in stolen identities July 16 after discovering over 115 fraudulent credit cards and card-manufacturing equipment in their vehicle in Palmyra.
FBI: Midday Bandit strikes again in Galewood bank robbery. Authorities are searching for a suspect dubbed the “Midday Bandit” who allegedly robbed a Galewood bank in Chicago July 17 and is believed to be connected to 6 other bank robberies and 2 attempted robberies dating back to 2014.
TD Bank to pay $20 million to settle Ponzi scheme lawsuit. TD Bank agreed to pay $20 million July 17 to resolve allegations from a class action lawsuit that the bank aided a $223 million-plus Ponzi scheme run on European investors by failing to properly monitor trust accounts and investigate suspicious activity.
JPMorgan reaches $388 mln settlement in mortgage securities case. JPMorgan Chase & Co agreed to pay $388 million to settle charges brought by the Fort Worth Employees’ Retirement fund and other investors alleging that the bank misled them about the quality and safety of $10 billion worth of residential mortgage-backed securities leading up to the 2008 financial crisis.
Ashley Madison hacked, info of 37 million users stolen. Hackers calling themselves “The Impact Team” reportedly accessed and stole personal information and financial records of 37 million users of Avid Life’s Ashley Madison Web site, as well as user databases for 2 other sites that the company owns. The hack was perpetrated in response to Avid Life’s failure to provide its offered “full delete” feature for user profiles.
Eaton patches TCP/IP stack flaw affecting controls, relays. Eaton released software updates addressing a remotely exploitable Transmission Control Protocol/Internet Protocol (TCP/IP) stack vulnerability in its Cooper Power Series Form 6 recloser control and Idea/IdeaPLUS relay protection platforms that could allow an attacker to launch man-in-the-middle (MitM) attacks and execute arbitrary code or crash systems connected to the Internet.
CVS investigating possible payment card breach, shuts down photo Web site. CVS reported that the company had shut down its CVSPhoto.com Web site while it investigated a possible payment card breach of the independent vendor that manages and hosts the site, PNI Digital Media. Company officials confirmed that purchases made in-store and on other CVS Web pages are not affected.
‘Cal Bear Bandit’ pleads guilty to bank robberies in Westminster. The suspect dubbed the “Cal Bear Bandit” pleaded guilty July 16 to charges surrounding 8 bank robberies across Orange County dating back to August 2014.
Medford police arrest man possibly connected to ATM skimming ring. Police in Medford, Massachusetts arrested a suspect July 15 believed to be connected to a ring of Romanian ATM skimmers that have stolen over $1 million from Bank of America. The suspect allegedly stole over $100,000 from the bank and is linked to 4 other cases in Massachusetts.
BMO Harris settles Ponzi scheme lawsuit for $16 million. BMO Harris Bank agreed to pay $16 million July 16 in a settlement with Palm Beach Finance Partners LP and Palm Beach Finance II LP, resolving allegations that its subsidiary, M&I Bank, was complicit in a Ponzi scheme run by a Minnesota businessman that cost investors billions of dollars.
California payment processing company owner pleads guilty to fraud. The owner of California-based Check Site Inc. pleaded guilty July 16 to charges that he used his company to assist at least two fraudulent payday loan merchants who used consumer information to withdraw millions of dollars from consumer accounts without their knowledge, by knowingly processing the transactions and by providing the merchants access to the banking system via remotely created checks (RCC).
Nearly all Web sites have serious security vulnerabilities. Acunetix released a report on 15,000 Web site and network scans of 5,500 companies revealing that almost half of Web applications scanned contained high-severity security vulnerabilities, and 4 of 5 were affected by medium-severity security vulnerabilities, implying that most organizations fail to comply with the Payment Card Industry Data Security Standard (PCI DSS), among other findings.
New GamaPoS malware targets U.S. companies. Security researchers from Trend Micro reported that operators are using the Andromeda botnet to deliver a new point-of-sale (PoS) malware called GamaPoS, which scrapes data using Microsoft’s .NET platform, to U.S. financial, information technology, supply, hospitality, and retail organizations nationwide, among others.
TotoLink routers plagued by XSS, CSRF, RCE bugs. Security researchers reported that 15 TotoLink routers contain backdoor credentials, multiple remote code execution flaws that could allow an attacker to bypass administrator authentication and execute commands, and cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities that could allow an attacker to change router network configuration settings.
ATM skimmer use discovered at 7th Wichita bank. Home Bank & Trust Co. officials reported that an ATM skimming device was used at a Wichita location, bringing the total number of skimmers found in Wichita in July to seven.
Santa Ana man suspected of being “Big A Bandit” is arrested. FBI officials reported July 15 that authorities had arrested a suspect believed to be the “Big A Bandit” responsible for robbing 3 banks in Anaheim, Fullerton, and La Habra.
Security support ends for remaining Windows XP machines. Microsoft ended security support for Microsoft Security Essentials customers running Windows XP as part of its July Patch Tuesday roll-out, and released security advisories for a patched race condition flaw in the Malicious Software Removal Tool (MSRT) allowing for privilege escalation, as well as an update enhancing use of Data Encryption Standard (DES) encryption keys.
Siemens patches authentication bypass bug in telecontrol product. Siemens released a firmware update for its SICAM MIC modular telecontrol devices addressing an authentication bypass vulnerability in which an attacker with network access to the device’s web interface could bypass authentication and perform administrative operations.
Thunder-faced Mozilla lifts Flash Firefox block after 0-days plugged. Mozilla lifted a block on all versions of Adobe Flash in its Firefox Web browser after Adobe released cross-platform updates addressing two zero-day vulnerabilities that were revealed in a recent breach of the Italian surveillance company, Hacking Team.
Vulnerability exposes Cisco Videoscape devices to DoS attacks. Cisco released an advisory warning of a security bug in its Videoscape Distribution Suite for Internet Streaming (VDS-IS) and VDS Service Broker products in which an unauthenticated remote attacker could cause a denial-of-service (DoS) condition by sending specially crafted Hypertext Transfer Protocol (HTTP) packets to trigger device instability.
New RC4 attack dramatically reduces cookie decryption time. Belgian security researchers discovered biases in the Rivest Cipher 4 (RC4) encryption algorithm that could lead to attacks breaking encryption on websites running transport layer security (TLS) with RC4 and Wi-Fi Protected Access (WPA) Temporal Key Integrity Protocol (TKIP) to perform actions under a victim’s name or gain access to personal information.
Three plead guilty in $64M mortgage fraud scheme. Three suspects pleaded guilty July 14 to their roles in a $64 million mortgage fraud scheme in which Great Country Mortgage Bankers employees targeted first-time, low-income, and poor-credit buyers with U.S. Federal Housing Administration loans which they would obtain with falsified documents, before selling them at a profit. Twenty-five have pleaded guilty in connection with the scheme.
SEC Charges 34 defendants in microcap market manipulation schemes. The U.S. Securities and Exchange Commission charged 15 individuals and 19 entities July 14 for allegedly attempting to manipulate the trading of microcap stocks by acting as unregistered broker-dealers for customers wanting to hide their stock ownership and manipulate the microcap market.
Darkode computer hacking forum shuts after investigation spanning 20 countries. U.S. authorities filed hacking charges against 12 suspects affiliated with the Darkode hacker Web forum after the FBI and law enforcement organizations from 20 countries shut down the site and arrested or searched 70 Darkode members worldwide. The Web site allowed hackers to share technology and tradecraft used to infect computers and wireless devices of victims.
Hacking Team malware hides in UEFI BIOS to survive PC reinstalls. Security researchers from Trend Micro discovered that Hacking Team ensured surveillance malware persistence on systems by using a Unified Extensible Firmware Interface (UEFI) Basic Input/Output System (BIOS) rootkit to re-install the malware every time it was deleted from the system.
Oracle patches Java zero-day, 192 other security bugs. Oracle released updates addressing 193 security issues across multiple product lines, including a Java remote code execution vulnerability that was exploited by the advanced persistent threat (APT) group Pawn Storm, 54 flaws in third-party components in Oracle product distributions, and 23 vulnerabilities in Java SE that can be exploited remotely by an unauthenticated attacker, among other fixes.
TeslaCrypt 2.0 makes it impossible to decrypt affected files. Security researchers at Kaspersky Lab discovered that recent TeslaCrypt version 2.0 ransomware infections display a Cryptowall 3.0 Web page, possibly in an attempt to convince victims that the malware uses more robust encryption than it actually does.
HTML5 can be used to hide malware in drive-by download attacks. Italian security researchers discovered that Hypertext Markup Language 5 (HTML5)-based obfuscation techniques could be used to hide malware in drive-by download exploits using HTML technologies and application program interfaces (APIs).
Microsoft patches Hacking Team zero-days, other vulnerabilities. Microsoft released 14 bulletins addressing vulnerabilities in Windows, Office, SQL Server, and Internet Explorer, including a zero-day Jscript 9 use-after-free memory corruption bug in Internet Explorer 11 and a memory corruption flaw in the Adobe Type Manager Font Driver that could both allow an attacker to take complete control of a vulnerable system, as well as a remote code execution flaw affecting the Remote Desktop Protocol (RDP).
More ATM skimmers found in Wichita, at three Intrust Bank locations. Bank and police officials confirmed July 12 that ATM skimming devices were discovered at six Sunflower, INTRUST, and Fidelity Bank locations in Wichita and two Sunflower Bank locations in Salina in July. Authorities believe the suspects are part of an organized gang.
Naples man pleads guilty to $7M wire fraud scheme. A Naples man pleaded guilty July 13 to an investment fraud scheme in which he allegedly used false assurances and fake documentation to solicit over $7 million from about 96 investors, which he used to pay other investors and diverted for personal expenses.
Ex-NY Assembly speaker’s son-in-law admits to defrauding investors. The co-owner of New York-based Allese Capital LLC pleaded guilty July 13 to operating a Ponzi scheme in which he allegedly defrauded investors out of almost $6 million from 2007 – 2014 by soliciting securities investments, only a portion of which he actually invested, while using the rest to repay other investors and for personal expenses.
Flash Player update patches two Hacking Team zero days. Adobe released patches addressing two critical use-after-free vulnerabilities in ActionScript 3 revealed in data dumped from a recent breach of the Italian surveillance software company Hacking Team. Both flaws allowed an attacker to use a Web site hosting the exploit to completely take over an affected system.
Kaseya patches two bugs in VSA IT management platform. Kaseya patched two flaws in its VSA IT management platform, including an open redirect vulnerability in which an unauthenticated attacker could redirect users to sites with malicious content, and a path traversal bug in which an authenticated attacker could use a specially crafted Hypertext Transfer Protocol (HTTP) request to traverse directories and download arbitrary files.
Police: men use backhoe to steal ATM at Winter Haven bank. Winter Haven, Florida police charged two Clewiston men with grand theft after the pair allegedly used a backhoe to steal an ATM machine from a CenterState Bank July 10.
Grand jury indicts 11 for making credit cards at Las Vegas hotels. Las Vegas prosecutors reported July 10 that 11 suspects were indicted for a year-long credit card scheme operated out of casino hotels in which they allegedly used stolen information to manufacture thousands of credit cards that they would use for thousands of fraudulent transactions.
Ex-Patriot indicted for alleged Ponzi scheme. A former professional football player and a business partner were indicted July 10 for their roles in an alleged Ponzi scheme in which they used their company, Capital Financial Partners LLC, to solicit $32 million from over 40 investors to fund high-interest, short-term loans to athletes, from which they would use new investors’ funds to pay off earlier ones while diverting a portion for their personal use.
APT group uses Seaduke trojan to steal data from high-value targets. Security researchers from Symantec released an analysis of the highly-configurable Seaduke trojan used by an advanced persistent threat (APT) group known for cyber-espionage attacks against high-value targets including government organizations. The report revealed that the trojan is installed onto select systems through the CozyDuke trojan, and that it shares similarities with other “Duke” malware.
Java zero-day used in attacks on NATO member, U.S. defense organization. Security researchers at Trend Micro reported that the cyber-espionage group with monikers including Pawn Storm and APT28 was using an Oracle Java SE zero-day remote code execution vulnerability in attacks directed against the armed forces of a NATO member country as well as a U.S. defense organization by sending out emails containing links to malicious domains hosting the exploit and a trojan dropper.
Two new Flash Player zero-day bugs found in Hacking Team leak. Security researchers discovered exploits for two additional Adobe Flash Player zero-day vulnerabilities in the recent Hacking Team data leak, including a flaw in the DisplayObject class in ActionScript 3, and a use-after-free (UAF) vulnerability in the ActionScript3 BitmapData object. Both vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.
‘Dropout Bandit’ sought in 3 NorCal bank robberies. The FBI is searching for a suspect dubbed the ‘Dropout Bandit’ who allegedly robbed at least 3 Schools Credit Union branches in Sacramento since March.
‘Sock Hat Bandit’ indicted for bank robberies during two month period. A Dayton man dubbed the “Sock Hat Bandit” was indicted July 9 for three robberies at the Hebron U.S. Bank, Bellevue Fifth Third Bank, and Independence Fifth Third Bank in Kentucky between May – June, while authorities continue to investigate his role in at least six more robberies across Ohio and Indiana in the two-month span.
Adviser, racer convicted in fraud case. A former financial adviser and a retired professional race car driver were convicted July 9 of stealing over $30 million from investors over 10 years by falsely promising investments, including land development in Hawaii and a credit card company in Arizona; the men used holding companies to divert funds for personal expenses.
Chinese APT group uses Hacking Team’s Flash Player exploit. Security researchers from Volexity reported that the Wekby advanced persistent threat (APT) group, also known as APT 18, Dynamite Panda, and TG-0416, was leveraging an Adobe Flash Player exploit revealed through the July breach of the software company Hacking Team by sending spear-phishing emails purporting to be from Adobe which directed users to download a compromised Flash Player file containing malware.
VMware fixes host privilege escalation bug in Workstation, Player, Horizon View. VMware issued patches addressing a privilege escalation vulnerability in the company’s Workstation, Player, and Horizon View Client for Microsoft Windows in which an attacker could leverage a lack of a discretionary access control list (DACL) in a process to elevate privileges and execute code.
Estonian man pleads guilty to role in DNSChanger botnet scheme. The alleged mastermind of an Estonia-based international cyber fraud group pleaded guilty to his role in a 2007 – 2011 operation dubbed “Ghost Click” in which he and co-conspirators installed the DNSChanger trojan on 4 million computers in over 100 countries and collected over $14 million through clickjacking and ad fraud via the malware.
Hacking Team claims terrorists can now use its tools. The Italian security company Hacking Team warned July 8 that the release of 400 gigabytes (GB) of internal data in a July 5 breach of its systems represented an “extremely dangerous” situation and that terrorists and other threat actors could potentially leverage available code to deploy software against any target.
NYSE shut down for nearly four hours by technical glitch. The New York Stock Exchange (NYSE) suspended trading for almost four hours July 8 due to an internal technical issue. Other exchanges traded normally, and the trading of NYSE-listed stocks was unaffected.
Las Vegas exec bilked Japanese victims in $1.5 bln Ponzi scheme - Justice Dept. U.S. Department of Justice officials reported that the former owner of Las Vegas-based MRI International Inc., and 2 Japanese associates were indicted July 8 for allegedly running a $1.5 billion Ponzi scheme targeting Japanese citizens between 2009 – 2013 by promising to buy accounts receivable from medical companies at a discount and to recoup the value later, when instead the defendants used investments to repay earlier investors while diverting funds to themselves.
APT-style evasion techniques spotted in “Kofer” ransomware campaign. Security researchers from Cybereason discovered a ransomware campaign primarily targeting European users dubbed “Operation Kofer” that is mimicking advanced persistent threat (APT) operations by continuously generating new variants of the same malware to evade detection, among other anti-detection techniques.
Despite warnings, majority of firms still run some Windows Server 2003. Softchoice released findings from a June report covering 200 enterprise data centers comprised of over 90,000 servers revealing that all but 7 percent of enterprises still used Microsoft Windows Server 2003, exposing companies to security, compliance, and operational risks as support for the platform is set to end July 14.
Bug in Android ADB backup system can allow injection of malicious apps. Security researchers discovered a severe vulnerability in all versions of the Android debug bridge (ADB) in which an attacker could inject a malicious Android application package (APK) file via the BackupAgent, which does not require Android permissions and does not filter the data stream returned by applications.
OpenSSL patches serious certificate forgery vulnerability. OpenSSL developers released patches for a high severity alternative chain certificate forgery flaw, in which an attacker could bypass untrusted certificate checks and issue invalid certificates. The vulnerability affects versions 1.0.1n and 1.0.2b.
FBI hunts suspected serial bank robber dubbed ‘Filter Bandit’. The FBI announced a $5,000 reward for information leading to the arrest of a suspect dubbed the “Filter Bandit,” who allegedly stole over $60,000 from 7 banks in Broward County since August 2014, ending with the robbery of a BB&T Bank June 16 in Davie.
Firms accused of faking loans, draining bank accounts settle with Feds. U.S. Federal Trade Commission officials announced $54 million in settlements July 7 with 14 companies owned by 2 Johnson County, Missouri men to resolve charges that the men allegedly used personal data from short-term payday loan Web sites in conjunction with “lead generators” to take out loans for people without their permission, and that they produced phony loan documentation, misstated loan terms, and misrepresented the transactions to banks.
Bank vice president stole $5.3M in scheme. A former M&T Bank vice president from Williamsville, New York pleaded guilty July 7 to a $5.3 million loan scheme in which he created at least 12 “funding loans” in the name of credit-worthy entities, which he then distributed to customers of his choosing.
Cybercriminal group spying on U.S., European businesses for profit. Symantec reported that a cybercriminal group dubbed Morpho that was known for hacking Apple, Microsoft, Facebook, and Twitter, has extended its cyber-espionage to hit research-and-development related computer systems in 49 different multi-billion dollar pharmaceutical, software, Internet, oil, and metal mining commodities organizations across 20 countries, with the majority being in the U.S. Researchers believe the group has U.S. ties and is run by an organized crime ring.
Hacker search engine becomes the new Internet of Things search engine. The developer of the Shodan Internet device search engine reported that the search engine exposes the systemic vulnerabilities present in consumer-grade Internet of Things hubs due to a poor security posture, where many hubs still use default passwords and have telnet enabled. Once a hub is compromised, attackers could leverage it to monitor sensor data or determine if someone is home.
Adobe patches Hacking Team’s Flash Player zero-day. Adobe released an emergency update for its Flash Player to address a zero-day vulnerability in the ActionScript 3 ByteArray class, which could allow a remote, unauthenticated attacker to execute arbitrary code. The vulnerability was exposed after hackers breached and dumped corporate information of the Hacking Team surveillance software company.
ANTlabs patches vulnerabilities in gateway products. ANTlabs released patches for several of its gateway products addressing a Structured Query Language (SQL) injection flaw in the default login page in which a remote attacker could execute arbitrary queries, and a cross-site scripting (XSS) vulnerability in the admin login page that could allow an attacker to obtain login credentials from the administrator panel.
Zero-day exploits leaked in Hacking Team breach. Security researchers from Trend Micro and Symantec reported that data from a recently confirmed Hacking Team breach contained several zero-day vulnerabilities and exploits, including a use-after-free (UAF) flaw affecting Adobe Flash Player versions 9 and later on Microsoft Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari, and a Microsoft Windows kernel vulnerability.
Microsoft security tool fails malware detection test. AV Test released results from a recent experiment revealing that Microsoft Security Essentials performed the worst out of 11 tested antivirus products, only detecting 87 percent of malware in real-time tests, when the others were all at least 95 percent effective.
Crypto leaders: “exceptional access” will undo security. Cryptography experts released a report warning of the long-term economic and security risks associated with “exceptional access,” a U.S. government initiative to maintain access to cryptographic keys that secure information over the Internet, primarily for law enforcement use.
Hackers targeting users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander. Security researchers from Bitdefender warned of a malicious phishing scheme targeting financial users of banks worldwide, including Bank of America, Citibank, Wells Fargo, JP Morgan Chase, and PayPal in the U.S., in which spam servers are distributing emails directing users to download an archive containing a downloader for the Dyreza banking trojan. The three-day campaign has so far distributed 19,000 emails worldwide.
SEC charges oil company and CEO in scheme targeting Chinese-Americans and EB-5 investors. The U.S. Securities and Exchange Commission charged San Francisco-based Luca International Group July 6 and its chief executive officer with running a $68 million Ponzi-like scheme in which the company allegedly falsely portrayed itself to targeted Chinese-American investors in California as well as Chinese citizens through the EB-5 Immigrant Investor Program, and diverted investor funds to personal uses and profit repayments.
Flaw allows hijacking of professional surveillance AirLive cameras. Engineers from Core Security discovered vulnerabilities in AirLive’s surveillance cameras in which an attacker could invoke Common Gateway Interface (CGI) files without authentication or utilize backdoor accounts to execute arbitrary operating system commands, possibly allowing the attacker to see the camera’s transmission stream and compromise network devices.
Fraudulent BatteryBot Pro app yanked from Google Play. Google pulled a malicious spoof of the Android BatteryBot Pro app from its Play service after Zscaler researchers discovered that the app requested excessive permissions from users in an attempt to gain full control of affected devices, supposedly to download and install other malicious Android packages and profit from click fraud, ad fraud, and SMS fraud. Once the app is granted admin privileges, it is impossible to uninstall.
Old MS Office feature can be exploited to deliver, execute malware. A researcher reported a vulnerability in Microsoft Office in which its Object Linking and Embedding (OLE) Packager could be leveraged to deliver malicious executable files embedded in Office documents without triggering security software.
Fullerton ‘Bandit’ linked to six bank robberies in Orange County. FBI officials are searching for a suspect dubbed the “Big A Bandit” who allegedly robbed a Bank of the West in Fullerton, California July 2 and is believed to be linked to 5 other Orange County bank robberies since 2013.
Developers accused in $16M mortgage fraud. Two Glenview real estate developers and 4 alleged co-conspirators were indicted July 1 on charges alleging that they caused over $16 million in losses to banks, mortgage lenders, Fannie Mae, and Freddie Mac by falsely promoting condominiums at “The Woods at Countryside” in Palatine by promising impossible financial incentives, and that they conspired to conceal and misrepresent facts from banks and mortgage lenders to approve nonconforming loans.
NYPD: 17 charged in counterfeit credit card scheme. New York Police Department officials reported July 2 that 17 suspects were charged in connection with an alleged credit card counterfeiting ring that used stolen debit and credit card information to encode blank cards, which would be used to purchase items in New York City stores.
KINS malware toolkit leaked online. Security researchers from MalwareMustDie reported that version 2.0 of the KINS banking trojan toolkit was leaked and widely distributed on the Internet, and that the malware’s developers have integrated ZeusVM banking trojan technology in the newest release, including the use of steganography to conceal configuration data.
Govt supplier of surveillance software gets hacked, 400GB of data leaked. The Italian surveillance software company Hacking Team reported that its systems were hacked, and 400 gigabytes of corporate data was leaked to the public. The company developed products for government agencies worldwide, including the U.S. Drug Enforcement Agency and the FBI.
Matsnu backdoor uses RSA crypto on exfiltrated data. Security researchers from Check Point discovered malware dubbed Matsnu, also known as Androm backdoor and Boxed.DQH, which acts as a backdoor on compromised machines, and sends Rivest-Shamir-Adleman (RSA)-encrypted user and system information back to a command and control (C&C) server.
TYPO3 Enterprise CMS update adds 7 security fixes. TYPO3 released an update for its Enterprise Content Management System (CMS) addressing 7 security fixes for cross-site scripting (XSS) and authentication vulnerabilities, as well as the addition of login protection against brute-force attacks.
Dungarees Web site hacked, card information exposed. Dungaree reported that the company’s Web site had been hacked, and that customers who placed orders from March 26 – June 5 may have had their card-related data compromised, including card verification values (CVV). Dungaree secured the Web site and is offering identity theft protection services to affected customers.
Mozilla patches critical vulnerabilities with release of Firefox 39. Mozilla released version 39 of Firefox addressing 24 issues, including 3 use-after-free vulnerabilities, 7 critical issues involving uninitialized memory, buffer overflows, unowned memory, and poor validation, 3 critical memory safety bugs in the browser engine, and high-severity privilege escalation and type confusion flaws.
Ad fraud trojan Kovter patches Flash player, IE to keep other malware out. A security researcher from Kafeine reported that the Kovter ad fraud trojan has been updating Adobe Flash Player and Microsoft Internet Explorer on infected systems in an effort to exclude other malware platforms.
SEC charges former stockbroker with conducting Ponzi scheme. The U.S. Securities and Exchange Commission charged a former stockbroker in Pennsylvania July 1 with conducting a Ponzi scheme in which he allegedly raised $15.5 million from over 50 investors by selling fraudulent certificates of deposit (CDs) to customers while promising higher-than-normal interest rates of return, before spending invested funds on himself or to repay earlier investors.
North Miss. bank robbery suspect had gun, pipe bomb. Saltillo, Mississippi Police Department officials reported July 1 that they arrested a man suspected of robbing a First American National Bank with a firearm and a pipe bomb. A local bomb squad responded and closed the area surrounding the bank.
Cisco UCDM platform ships with default, static password. Cisco warned customers that its Unified Communications Domain Manager Platform software versions prior to 4.4.5 have a default, static password for an account with root privileges, possibly allowing an unauthenticated remote attacker to take full control of an affected system with root privileges.
GhostShell hackers reveal 548 targets, links to dumps. Hackers associated with GhostShell released a list of 548 compromised targets including government, educational, and retail sector Web sites along with links to previews of extracted data in an effort to reportedly draw attention to poor cybersecurity practices. The data contained contact information, dates of birth, and hashed and plain text passwords.
PCI Council updates Point-to-Point Encryption Standard. The Payment Card Industry Security Standards Council (PCI SSC) announced the release of Version 2.0 of its PCI Point-to-Point Encryption Solution Requirements and Testing Procedures, updating requirements for encryption products and giving merchants the option to manage their own encryption solutions for point-of-sale (PoS) locations, among other changes intended to enhance security and PCI SSC compliance.
LifeLock patches XSS that could’ve led to phishing. LifeLock patched a cross-site scripting (XSS) vulnerability on its Web site that could have allowed an attacker to inject HyperText Markup Language (HTML) into the site’s uniform resource locator (URL) to create a fake login page to harvest usernames and passwords from customers.
Flaw in 802.11n standard exposes wireless networks to attacks: researchers. Security researchers in Belgium discovered a vulnerability in the frame aggregation mechanism in the 802.11n wireless networking standard in which an attacker could use a Packet-in-Packet (PIP) technique to inject arbitrary frames into wireless networks, allowing access to internal services.
4,900 new Android malware strains discovered every day. Security researchers from G DATA reported that they discovered 440,267 new Android malware strains in the first quarter of 2015, and that at least 50 percent of the malware currently being distributed includes banking trojans and SMS trojans for financial motivations, among other findings.
Schneider Electric’s Wonderware products receive security patch. Schneider Electric released a patch addressing a high-severity security vulnerability in its InTouch, Application Server, Historian, and SuiteLink applications in the Wonderware System Platform in which an attacker could leverage dynamic link library (DLL) hijacking to run code on an affected machine.
Patched Apple QuickTime vulnerability details disclosed. Security researchers from Cisco released details on a recently patched use-after-free vulnerability in Apple’s QuickTime media player in which an attacker could control data inside a QuickTime file’s internal structures to remotely execute code on a targeted system.
Goldman settles SEC charges over 2013 trading incident. Goldman Sachs Group Inc., agreed to pay $7 million June 30 to resolve U.S. Securities and Exchange Commission charges connected to the “market access” rule, and a 2013 programming error which flooded the stock options market with about 16,000 erroneous orders, causing 1.5 million options contracts to be executed and costing the company $38 million.
Attackers abuse RIPv1 Protocol for DDoS reflection: Akamai. Security researchers from Akamai discovered that malicious actors have been leveraging routers running Routing Information Protocol version 1 (RIPv1) to reflect distributed denial-of-service (DDoS) attacks by creating malicious requests for routes and then spoofing the source Internet protocol (IP) address to match that of the targeted system.
iOS 8.4 fixes 33 security vulnerabilities. Apple released iOS version 8.4 addressing 33 security vulnerabilities, including a fix for the Logjam flaw that allows a man-in-the-middle (MitM) attacker to downgrade cryptographic security, and other protection against potential arbitrary code execution.
Researchers expose attack on iOS that can break system apps. Security researchers from FireEye reported two Apple iOS flaws, dubbed Manifest Masque and Extension Masque, in which an attacker could break or replace system apps and extensions on an affected device by taking advantage of apps created in Xcode outside of Apple’s App Store. The vulnerabilities behind Manifest Masque attacks were partially addressed in the release of iOS 8.4.
ESET analyzes complex espionage platform used by “Animal Farm” APT. ESET released research on the Dino cyber-espionage platform used by the “Animal Farm” advanced persistent threat (APT) group revealing that Dino is capable of retrieving information, executing Microsoft Windows batch commands, searching for files, and transferring files back and forth between a command and control (C&C) server. Researchers have not determined the tool’s initial infection vector.
2 downtown Springfield banks robbed, 3 suspicious packages left behind. Springfield officials are investigating two bank robberies at a United Bank and a Bank of America in Springfield, Massachusetts, after a suspect allegedly left three suspicious packages and stole cash June 29.
Dridex is the most prevalent banking malware in the corporate sector. SecurityScorecard released findings from a report revealing that the Dridex banking trojan was the most prevalent malware found in corporate environments from January – May, primarily targeting the manufacturing and retail sectors, followed by the Beloh and Tinba trojans, which targeted telecommunications and technologies companies.
Yahoo patches SSRF vulnerability in image processing system: researcher. A security researcher reported that Yahoo patched a server-side request forgery (SSRF) vulnerability affecting all of its services that required images to be processed in which an attacker could use the vulnerability to bypass controls and access data on the affected system.
Many organizations using Oracle PeopleSoft vulnerable to attacks: report. ERPScan released findings from a report revealing that Oracle’s PeopleSoft contained several vulnerabilities including information disclosure, extensible markup language external entity (XXE), cross-site scripting (XSS), and authentication bypass flaws as well as configuration-related issues that could allow an attacker to breach PeopleSoft systems connected to the Internet.
SEC charges KKR with misallocating broken deal expenses. The U.S. Securities and Exchange Commission charged New York-based Kohlberg Kravis Roberts & Co., June 29 with misallocating over $17 million in “broken deal” expenses to co-investors in the firm’s private equity funds. The company agreed to pay $28.5 million to settle the charges.
Security firm discloses details of Amazon Fire Phone vulnerabilities. MWR InfoSecurity released details on three recently patched Amazon Fire Phone vulnerabilities, including flaws in the CertInstaller package that can allow third party applications to install digital certificates to intercept encrypted traffic via man-in-the-middle attacks, and an issue with the Android Debug Bridge (ADB) in which an attacker could bypass the lock screen, steal information, add and remove applications, and access a high privilege shell on the phone.
Hackers are exploiting Magento flaw to steal payment card info. A security researcher from Sucuri Security discovered that attackers are actively exploiting a flaw in eBay’s Magento platform to steal users’ billing and payment card information by injecting malicious code into Magento’s core file. Researchers are investigating the attack vectors to identify the vulnerability.
LG’s Update Center app fails to check server’s SSL certificate, MitM risk. Security researchers from Search-Lab discovered a vulnerability in LG’s Update Center application on Android phones in which an attacker could exploit the fact that the app does not check the secure sockets layer/transport layer security (SSL/TLS) certificate of the update server to execute a man-in-the-middle (MitM) attack and install arbitrary applications on the device.
Flash Player flaw used by APT3 group added to Magnitude exploit kit. A French security researcher discovered that an exploit for a recently patched Adobe Flash Player heap buffer overflow vulnerability, leveraged by the APT3 threat group, has been added to the Magnitude exploit kit (EK).
Samsung will stop blocking Microsoft software updates ‘within a few days’. Samsung reported that users will be receiving a patch through the Samsung Software Update notification process to restore default Microsoft Windows Update settings, after a security researcher discovered that the company had disabled Windows Update to de-conflict with its SW Update service.
Three accused of Akron-based Ponzi scheme that cost investors $17 million. Three Northeast Ohio men were indicted June 25 on charges alleging that they defrauded 70 investors out of $17 million from 2010 – 2014 by convincing them to give money to KGTA Petroleum Ltd., a company partially owned by one of the suspects, and spent the proceeds on luxury items and mortgage payments.
Md. man charged with stealing from ATMs with skimming device. A Riverdale, Maryland man was arrested June 24 on charges that he allegedly stole $300,000 from ATMs using skimming devices at a Sandy Spring Bank in Maryland.
Hundreds of fraudulent credit cards seized, two suspects behind bars. The Boise Police Department’s Organized Retail Crime Unit arrested 2 suspects June 24 and seized 424 counterfeit credit and gift cards along with merchandise that they had bought with the fraudulent cards.
Click-fraud attack morphs into ransomware risk in a couple of hours. Security researchers at Damballa discovered that a threat actor dubbed RuthlessTreeMafia is distributing exploit kits along with the Rerdom malware in a click-fraud campaign in which they sell other threat actors access to infected users’ systems. Researchers observed an infection result in the delivery of the CryptoWall ransomware.
Default SSH keys expose Cisco’s virtual security appliances. Cisco reported that customers using its Web Security, Email Security, and Security Management Virtual Appliances were vulnerable due to the products’ use of default secure shell (SSH) keys, which could allow an unauthenticated, remote attacker to connect to a system with root user privileges. The company released a patch addressing the issue.
94% of Android devices vulnerable to bug exposing memory content. Security researchers from Trend Micro discovered a security flaw in the Android operating system’s (OS) debugging component in which an attacker could create a special Executable and Linkable Format (ELF) file to crash the debugger and view dumps and log files stored in memory, or to create a denial-of-service (DoS) condition. The issue affects all Android versions after 4.0, Ice Cream Sandwich.
St. Mary’s Bank issues new debit cards following breach. St. Mary’s Bank officials in Manchester, New Hampshire reported June 23 that the bank was reissuing 5,029 debit cards and replacing about $25,000 in funds after about 160 cards were found to have been compromised in a breach.
Samsung disables Windows Update, undermines the security of your devices. A security researcher discovered that the Samsung SW Update software for Microsoft Windows personal computers (PCs) runs an executable file upon start-up that disables Windows Update to prevent driver and update software conflicts, posing a security risk to users. Microsoft has reportedly contacted Samsung to address the issue.
The downfall of a major cybercrime ring exploiting banking trojans. European authorities from six countries along with Europol and Eurojust arrested five suspects in Ukraine believed to be part of a major cybercriminal ring that developed, exploited, and distributed Zeus and SpyEye malware, actively traded stolen credentials, laundered profits, and infected tens of thousands of users’ computers worldwide with banking Trojans.
Why a Dyre infection leads to more than just stolen banking credentials. Symantec reported that in addition to targeting banks, financial institutions, customers of electronic payment services, and users of digital currencies, cybercriminals are employing the Dyre Trojan to collect credentials for career and human resource Web sites, as well as Web hosting companies. The group using Dyre has reportedly targeted customers of over 1,000 organizations worldwide.
Study: 61 percent of critical infrastructure execs confident systems could detect attack in less than a day. Tripwire released survey results from 400 executives in the energy, oil, gas, and utility industries in its “Critical Infrastructure Study” revealing that executives had high levels of confidence regarding their organizations’ ability to quickly detect cyber-attacks on their systems, while noting that attacks could seriously damage their infrastructure, among other findings.
Android malware dominates mobile threat landscape. Pulse Secure released findings from its Mobile Threat Report revealing that 97 percent of mobile malware is targeted at Android devices, and that in 2014 almost 1 million individual malicious apps were released. The report also highlighted the dangers to both jailbroken and non-jailbroken iOS devices, among other findings.
Cyber-crime economy triggers rise in malicious macros. Proofpoint released The Cybercrime Economics of Malicious Macros report, revealing that malicious macro campaigns have grown in size, frequency, sophistication, and effectiveness while increasingly relying on inexpensive vectors and techniques to exploit the human factor, among other findings.
MacKeeper flaw enables attacker to run code with admin rights. Security researchers discovered a serious vulnerability in ZeoBit’s MacKeeper utility program in which an attacker could use a phishing email containing a malicious link that prompts a user for a password, effectively executing the malware with administrator rights. ZeoBit reportedly acknowledged and patched the vulnerability.
COA Network breached, all customer data treated as potentially compromised. New Jersey-based COA Network Inc., reported that it had detected a pattern of irregular activity in its systems June 5, and is considering all customer contact and payment information as possibly having been compromised. The company took actions to increase security and protect customer information, and has notified all customers.
ESET patches scan engine against remote root exploit. ESET pushed an update for its scan engine addressing a vulnerability in the code emulator component of its antivirus products in which an attacker could use a remote root exploit to take complete control of a system. The engine is used by ESET NOD32 Antivirus on Microsoft Windows, Apple OS X, and Linux, as well as by numerous other ESET consumer and business products.
Deadly Windows, Reader font bugs can lead to full system compromise. A security engineer with Google Project Zero shared the discovery of 15 flaws in font engines used by Microsoft Windows, Adobe Reader, and other popular software that could allow an attacker to compromise systems in a variety of ways including creating an exploit chain leading to a full-system compromise. All of the reported vulnerabilities have been patched in recent updates.
Visibility challenges industrial control system security: survey. Findings from a SANS Institute survey of 314 respondents across several industries that interact with industrial control systems (ICS) revealed the perceived threats posed by internal and external attackers and the challenges of ICS protection. Challenges cited include ICS protections poorly adapted to information technology (IT) environments, the difficulty of detecting threats that spread without affecting operations, and the integration of IT into previously isolated ICS platforms, among other findings.
U.S.-Canadian man charged for Cynk trades, $300 mln fraud. A U.S. and Canadian dual-citizen was arrested June 23 on charges surrounding alleged securities fraud and money laundering conspiracies that generated $300 million in illegal profits, including a pump-and-dump scheme that inflated the market value of Cynk Technology Corp to over $6 billion. The U.S. Securities and Exchange Commission filed related civil charges against the suspect.
Suspect dubbed ‘Lucky Bandit’ bank robber arrested. FBI officials reported that the suspect dubbed the “Lucky Bandit” was arrested June 23 in connection with a robbery of a Wells Fargo bank and an attempted robbery of a Citibank branch in Pembroke Pines in April. The suspect is believed to be connected to 8 bank robberies since October 2014.
SEC charges unregistered brokers in EB-5 Immigrant Investor Program. The U.S. Securities and Exchange Commission charged Florida-based Ireeco LLC and its Hong Kong-based successor June 23 with allegedly illegally brokering over $79 million worth of investments by foreigners seeking U.S. residency in the U.S. Citizenship and Immigration Service’s EB-5 Immigrant Investor Program. The firms agreed to be censured and to cease and desist from similar violations in the future.
Banks targeted by hackers three times more than other sectors. Raytheon and Websense released findings from a study on their customers revealing that financial services organizations, many of which are U.S. firms, are targeted three times more by cybercriminals than any other industry, and that these attacks primarily use the Rerdom, Vawtrak, and Geodo malware families, among other findings.
Most-wanted cybercriminal extradited to U.S. from Germany. German authorities extradited a Turkish suspect, who is considered to be one of the world’s most wanted cybercriminals, to the U.S. June 23 on charges that he allegedly organized a complex bank heist of $40 million in cash from ATMs in New York and in 23 other countries in February 2013. The suspect also reportedly stole $19 million through 25,700 ATM transactions in 20 countries from 2011 – 2012.
RICO conspiracy charged in payday lending case. A Jenkintown, Pennsylvania man was charged in an indictment unsealed June 22 with participation in a racketeering conspiracy for allegedly operating a payday lending business that violated numerous State usury laws and reaped millions of dollars from illegal fees, and for allegedly helping his sons in a multi-million-dollar telemarketing scam that victimized over 70,000 people nationwide.
Dyre banking malware uses 285 command and control servers. Security researchers from Symantec released a report revealing that multiple groups are running at least 285 command and control (C&C) servers, as well as 44 machines that deliver payloads and execute man-in-the-browser (MitB) attacks, in support of the Dyre Trojan. The servers are spread worldwide but concentrated in Ukraine and Russia, and primarily target financial organizations in the U.S. and United Kingdom.
Feds count CryptoWall cost: $18 million says FBI. The FBI reported that its Internet Crime Complaint Center (IC3) received 992 complaints associated with the CryptoWall ransomware, with U.S. consumer and business losses of over $18 million from April 2014 – June 2015.
Flash Player zero-day used by Chinese Cyber-Espionage group. Security researchers from FireEye discovered that the APT3 advanced threat group is currently exploiting a zero-day Adobe Flash Player heap buffer overflow vulnerability patched by Adobe June 23. The group’s latest campaign was dubbed Operation Clandestine Wolf, and they generally target organizations from the aerospace and defense, construction and engineering, technology, telecommunications, and transportation industries.
Cheap radio device can steal decryption keys from nearby laptop. Researchers from Israel created a palm-sized radio device that can capture decryption keys from laptops just a few feet away by intercepting bit patterns in electromagnetic emanations from the targeted machine’s central processing unit (CPU). The device can be built for about $300 from readily available components, and was able to extract decryption keys within seconds.
Targeted attacks rise, cyber attackers spreading through networks, report says. Vectra Networks released findings from its Post-Intrusion Report of 40 customer and prospect networks revealing that non-linear growth in lateral movement of attacks increased 580 percent from 2014, that reconnaissance detections were up 270 percent, and that overall detections increased 97 percent. Vectra attributed the large uptick in detections partly to the increased accessibility of hacker tools.
Government, Healthcare particularly lackluster in application security. Veracode released findings from its State of Software Security Report revealing that government agencies and healthcare organizations performed the worst in industry-specific software security metrics due to issues such as slow rates in addressing identified flaws and cryptographic vulnerabilities from weak algorithms, while all industries struggled with software supply chain issues, among other findings.
TCP vulnerability haunts Wind River VxWorks embedded OS. Security researchers at Georgia Tech discovered a transmission control protocol (TCP) sequence prediction vulnerability in Wind River’s VxWorks embedded operating system (OS), which is used in a large number of industrial control system (ICS) products. An attacker who can predict the TCP initial sequence number (ISN) can spoof or disrupt connections to and from target devices without being on the network path.
Adobe fixes Flash Player zero-day exploited in the wild. Adobe released an emergency update for its Flash Player software addressing a heap buffer overflow vulnerability that is being exploited in the wild in which an attacker could execute arbitrary code and take control of an affected system, possibly funneling in malware via drive-by download attacks.
Critical RubyGems vulns can lead to installation of malicious apps: Security researchers at Trustwave discovered a vulnerability in the RubyGems package manager in which an attacker could redirect a RubyGems client using hypertext transfer protocol secure (HTTPS) to an attacker-controlled gem server, bypassing HTTPS verification and allowing the attacker to install malicious or trojaned gems.
Minor Chrome release fixes high severity issues: Google released an update for its Chrome browser addressing issues including a scheme validation error in WebUI, and a cross-origin bypass bug in the browser’s layout engine, among other fixes.
HP releases details, exploit code for unpatched IE flaws: Security researchers at Hewlett-Packard Company’s Zero Day Initiative released details on unpatched Microsoft Internet Explorer vulnerabilities which could allow attackers to fully bypass address space layout randomization (ASLR) mitigation in the browser.
Two more Swiss banks settle with U.S. over tax evasion: The U.S. Department of Justice reported June 19 that Swiss banks Bank Linth LLB AG and Bank Sparhafen Zürich AG will pay a combined $5.96 million in penalties to avoid criminal charges for assisting American citizens in tax evasion. Eleven other Swiss banks have made similar deals with the U.S. government under a voluntary program set up in 2013.
Hackers disrupt Polish airline LOT, ground 10 flights: Officials from LOT Polish Airlines reported that their ground operation systems at Warsaw’s Frederic Chopin Airport suffered a 5-hour cyber-attack that grounded 10 national and international flights and affected about 1,400 passengers June 21. An investigation into the attack is ongoing.
New password recovery scam hitting Gmail, Outlook and Yahoo Mail users: Security researchers from Symantec discovered a new password recovery scam in which attackers are utilizing targets’ email addresses and mobile phone numbers along with Microsoft Outlook, Gmail, and Yahoo Mail’s password recovery feature to trick victims into compromising their accounts, at which point the scammers create alternate email addresses that receive forwarded copies of all messages on affected accounts.
‘Bluto Bandit’ sought for bank robberies in L.A., San Bernardino counties: The FBI is offering a $5,000 reward leading to the arrest and conviction of a suspect dubbed the “Bluto Bandit” who has allegedly robbed 3 banks and cased another 3 in Los Angeles and San Bernardino counties since June 10.
Police: Sock Hat Bandit caught after chase: Authorities reported that they caught the suspect dubbed the “Sock Hat Bandit” after he allegedly robbed a Fifth Third Bank in Independence, Kentucky June 18 and led police on a high-speed chase. The suspect admitted to committing 9 bank robberies throughout Ohio, Kentucky, and Indiana.
SEC charges microcap oil company, CEO, and stock promoter with defrauding investors: The U.S. Securities and Exchange Commission (SEC) charged Texas-based Norstra Energy, Inc., its CEO, and the author of a stock-picking newsletter June 18 with allegedly defrauding investors with misleading information about drilling operations to sell the company’s penny stock shares, leading to stock price increases of up to 600 percent in 3 months. The SEC had suspended trading of the company’s stock in June 2013.
SEC charges 36 firms for fraudulent municipal bond offerings: The U.S. Securities and Exchange Commission announced civil penalties against 36 municipal underwriting firms June 18 for alleged fraudulent municipal bond offerings from 2010 – 2014 as part of the Municipalities Continuing Disclosure Cooperation (MCDC) Initiative.
Static encryption key found in SAP HANA database: Security researchers from ERPScan discovered a vulnerability in SAP’s HANA in-memory relational database management system in which an attacker could use various web-based external attacks to remotely execute code, and then leverage static encryption keys to read encrypted passwords, stored data, and backups.
Samsung to issue fix for SwiftKey keyboard bug affecting Galaxy S6 in ‘coming days’: Samsung officials announced plans June 18 to send out an update addressing a plaintext connection vulnerability in the SwiftKey-developed keyboard technology used in up to 600 million devices, including the Galaxy S6. SwiftKey developers reported that the issue is limited to devices running Samsung software, and that the SwiftKey app is not affected.
Report: average botnet in Q1 2015 made up of 1,700 infected hosts per C&C server: Findings from a recently released Level 3 Botnet Research Report for the first quarter of 2015 revealed that the average botnet was made up of 1,700 hosts per command and control (C&C) server, a server’s average lifespan was 38 days, the U.S. generated the most server traffic and was targeted by 56 percent of distributed denial-of-service (DDoS) attacks, and 600 of the servers analyzed were being used for malicious communications targeting corporate environments, among other findings.
SEC charges investment adviser with fraudulently funneling client assets to companies in owner’s interest: The U.S. Securities and Exchange Commission charged Boston-based Interinvest Corporation and its owner June 17 with allegedly defrauding investors out of up to $12 million after funneling $17 million worth of investments into Canadian penny stock companies in which the owner had undisclosed business interests.
Suspected gas pump identity snatchers arrested for luxe shopping sprees in Santa Clara Co: Santa Clara County authorities reported June 16 that 4 suspects were charged with allegedly using credit card information stolen from gas station pumps to create counterfeit cards, which they used to purchase over $500,000 in luxury items at 31 stores in Santa Clara County and 1 store in Fresno County from August 2014 – February 2015.
Reddit announces switch to HTTPS only: Reddit Web site developers reported that starting June 29, the site will only be accessible over hypertext transfer protocol secure (HTTPS) encrypted connections served via the company’s CloudFlare content delivery network (CDN).
Drupal security updates patch several vulnerabilities: Drupal developers released updates patching open redirect, information disclosure, and access bypass vulnerabilities in versions 6 and 7 of its open source content management software (CMS).
Unpatched OS X, iOS flaws allow password, token theft from keychain, apps: Researchers from three universities identified critical inter-app interaction services and cross-app resource access (XARA) vulnerabilities in Apple’s OS X and iOS platforms in which an attacker could use sandboxed malware to bypass protections and steal confidential information from affected devices.
2 arrested for stealing thousands of credit, ID, Social Security cards in Highland: Highland, California authorities arrested 2 people June 16 after discovering thousands of stolen credit, identification, Social Security cards, income tax documents, and more in their vehicle’s trunk, as well as an embossing machine allegedly used to flatten names on cards for replacement. The investigation is ongoing.
SEC announces charges against retirement plan custodian in connection with Ponzi scheme: The U.S. Securities and Exchange Commission announced charges June 16 against Westlake, Ohio-based Equity Trust Company, alleging that the company failed to protect its customers from a Ponzi retirement fund investment scheme that 2 representatives used to defraud over 100 investors out of more than $5 million. The two representatives were indicted for alleged offering fraud in New Jersey.
Retrospect clients patched to prevent exposure of backup files: Retrospect Inc., released a patch addressing a password hashing vulnerability in its network backup utility for Apple, Linux, and Microsoft Windows operating systems (OS) in which an attacker with access to networked clients could gain access to users’ backup files.
Over 600 million Samsung devices vulnerable to keyboard security risk: Security researchers at NowSecure discovered a remote code execution vulnerability in the SwiftKey Android app in which an attacker could access device sensors, pictures, and text messages, alter or install apps, or listen to voice-calls. The vulnerability was patched in early 2015.
Study: 15-30 percent of eCommerce site visitors infected with CSIM: A report released by Namogoo revealed that 15 – 30 percent of eCommerce site visitors are infected with client-side injected malware (CSIM), and that attacks have increased by 20 percent in the last 6 months, among other findings.
FinCEN penalizes West Virginia bank for serious BSA violations and actions by a branch manager that assisted criminal activity: The Financial Crimes Enforcement Network announced June 15 a $4.5 million civil money penalty against Bank of Mingo in Williamson, West Virginia, following the bank’s willful violation of the Bank Secrecy Act by staff and a former branch manager who failed to implement and maintain an effective anti-money laundering program from 2008 – 2013, specifically regarding a customer that conducted over $9 million of structured transactions.
Former oil exec pleads guilty in Colombian bribery case: A former co-CEO of PetroTiger pleaded guilty June 15 to violating the Foreign Corrupt Practices Act by conspiring with several company officials to bribe an employee of Colombian Ecopetrol with $333,500 in exchange for help in winning a $45 million contract. Two co-conspirators and a general counsel previously pleaded guilty in connection to the scheme.
Stegoloader malware hides in images on legit sites: Security researchers from Dell SecureWorks released findings from a report warning of a potential new trend in which malware uses digital steganography, hiding its components inside image files hosted on legitimate sites, to evade detection and steal information from affected users via various configurable modules.
LastPass has been hacked, change your master password now: Officials from LastPass advised that users change their master passwords after the company discovered that their system was compromised June 12. No user accounts were reported to have been accessed, and encrypted vault data was reportedly not tampered with.
Canonical patches privilege escalation vulnerability in Ubuntu: Canonical released updates for Ubuntu fixing a local root privilege escalation vulnerability related to the OverlayFS Linux file system’s permissions in which an attacker could gain administrative privileges on the affected system.
Duqu 2.0 used stolen digital certificate in attacks: Kaspersky Lab: Security researchers at Kaspersky Lab reported that the attackers behind the Duqu 2.0 malware identified in worldwide attacks in June used a stolen, valid digital certificate belonging to Hon Hai Precision Industry Co., LTD/Foxconn Technology Group to sign a driver that masked command-and-control (C&C) traffic and ensured the persistence of the malware. The attackers reportedly installed the malicious drivers on firewalls, gateways, and servers with direct internet access as well as corporate network access.
Cisco fixes DoS vulnerability affecting carrier routing systems: Cisco released updates for IOS XR Software installed on CRS-3 Carrier Routing Systems addressing a medium severity vulnerability in which an attacker could cause the line card to reload by sending specially crafted packets to the vulnerable device, causing an extended denial-of-service (DoS) condition.
Police seek South County’s ‘Snowbird Bandit’ bank robber: Authorities are searching for information leading to the capture of a suspect dubbed the “Snowbird Bandit” who allegedly robbed a Wells Fargo bank June 11 in Mission Viejo, California and 2 others in Orange County since March.
Ex-Dolphins player faces charges in Ponzi scheme: A former professional football player and a business partner were charged June 12 in connection to a Ponzi scheme in which they allegedly defrauded investors out of $31 million by forging documents and using later investors’ funds to pay for loans offered to professional athletes through their business, Capital Financial Partners.
Popular WordPress SEO plugin fixes XSS bug: Security researchers discovered a cross-site scripting (XSS) vulnerability in the Yoast WordPress SEO plugin in which an attacker could leverage the “snippet preview” functionality to inject arbitrary hypertext markup language (HTML) and script into pages served by a vulnerable site.
Wikimedia rolling out HTTPS to encrypt all Wikipedia traffic: The Wikimedia Foundation announced that all Wikipedia and organization Web site traffic will employ Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS) to protect data security and guard against attempts to strip HTTPS and intercept traffic.
Pop-under malvertising spreads CryptoWall via Magnitude exploit kit: Security researchers at Malwarebytes discovered a new malvertising campaign leveraging pop-under advertisements over the Popcash ad network to distribute the Magnitude exploit kit (EK), which delivers exploits for Microsoft Internet Explorer and Adobe Flash Player vulnerabilities to inject the Necurs dropper and CryptoWall ransomware on affected systems.
44.5 million new malware variants recorded in 1 month: Symantec released findings from a report revealing that new malware variants increased by over 50 percent in May to 44.5 million, that the most commonly seen threat on the Apple OS X operating system (OS) was a trojan virus that changes the domain name system settings of affected computers, and that medium-sized companies were the most frequently targeted by spear-phishing attacks.
Apple fixed a nasty MitM vulnerability in the latest watchOS: Security researchers from Zimperium Mobile Security discovered that Apple Watch users running watchOS 1.0 are vulnerable to man-in-the-middle attacks dubbed “DoubleDirect” in which threat actors can leverage Internet Control Message Protocol (ICMP) redirects from the device and gateway to potentially steal credentials and deliver malicious payloads that could spread to devices on an entire corporate network.
Encryption keys hard-coded in industrial access point: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported an unpatched vulnerability in the firmware of N-Tron 702W industrial wireless access points in which the secure shell (SSH) and encryption keys are hard-coded, allowing an attacker who extracts them from the firmware to remotely intercept or decrypt communication with the device.
Fileless malware makes almost 200,000 victims mostly in the U.S: Security researchers at Symantec discovered that cybercriminals used a Microsoft Windows zero-day vulnerability permitting arbitrary remote file execution to spread Poweliks malware to 198,500 computers, almost all of which were in the U.S. Poweliks resides in system memory and is primarily used for ad-fraud purposes.
CryptoWall 3.0 delivered in campaign started more than a week ago: Security researchers from Cisco’s TALOS discovered an active malicious email campaign purporting to be regarding possible employment including hypertext markup language (HTML) attachments that redirect users to Google Drive accounts hosting the CryptoWall ransomware.
Only a few organizations patched recent Honeywell SCADA flaw: researchers: Security researchers from Outpost24 reported that 90 Honeywell Falcon XLWeb supervisory control and data acquisition (SCADA) control systems, most located in Europe and the Middle East, remain unpatched and are vulnerable to directory traversal flaws in which an attacker could execute operating system (OS) commands. The researchers believe that four of the systems analyzed could already have been exploited.
OpenSSL patches Logjam bug, DoS vulnerabilities: OpenSSL released patches for its open-source toolkit addressing the “Logjam” vulnerability in which an attacker could use a man-in-the-middle (MitM) attack to force transport layer security (TLS) connections to downgrade to weaker cryptography, as well as a denial-of-service (DoS) vulnerability caused by the way ECParameters structures are handled.
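Logjam works by downgrading a TLS handshake to export-grade Diffie-Hellman (512-bit groups), and the defence on the server side is to refuse small DH groups. The following is an added example, not OpenSSL code: it encodes and decodes the DER `DHParameter` structure (`SEQUENCE { INTEGER p, INTEGER g }`) that `openssl dhparam` writes inside its PEM wrapper, and grades the group by the bit length of the prime. The primes used below are constructed integers of the right size, not real safe primes, and the thresholds (512 bits as the Logjam export target, 2048 bits as the minimum to accept) are the example's own policy.

```python
"""Grade Diffie-Hellman group size from DER-encoded DHParameter bytes.

Added example, not OpenSSL code. Reads the structure SEQUENCE { INTEGER p, INTEGER g }
(PKCS #3 DHParameter) and flags groups small enough for a Logjam-style downgrade.
"""
import base64

EXPORT_BITS = 512      # the group size Logjam downgrades to
MINIMUM_BITS = 2048    # policy minimum assumed for this example


def _der_len(n: int) -> bytes:
    """DER length: short form under 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER (tag 0x02); a leading 0x00 keeps the value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> bytes:
    """Encode DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(der: bytes):
    """Return (p, g) from DER DHParameter bytes; raise ValueError on bad structure."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def pem_to_der(pem: str) -> bytes:
    """Strip the '-----BEGIN/END DH PARAMETERS-----' lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def assess_dh_strength(der: bytes, minimum_bits: int = MINIMUM_BITS):
    """Return (prime_bits, verdict): 'export-grade', 'weak' or 'ok'."""
    p, _g = decode_dh_params(der)
    bits = p.bit_length()
    if bits <= EXPORT_BITS:
        return bits, "export-grade"
    if bits < minimum_bits:
        return bits, "weak"
    return bits, "ok"


# Constructed sample groups (correct bit length, NOT real primes): 512, 1024, 2048 bits.
SAMPLE_GROUPS = {bits: encode_dh_params((1 << (bits - 1)) | 1, 2) for bits in (512, 1024, 2048)}

if __name__ == "__main__":
    for bits, der in SAMPLE_GROUPS.items():
        print(bits, assess_dh_strength(der))
```

On a live server the same check is `openssl dhparam -in dhparams.pem -text -noout`; feeding that file's PEM body through `pem_to_der` and `assess_dh_strength` gives the same verdict. Note that a 1024-bit group passes the export check but is graded weak here, which matches the Logjam researchers' concern about precomputation against common 1024-bit groups.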
Sock Hat Bandit: man matching suspect’s description accused of robbing Indiana bank: Anderson, Indiana Police Department officials reported that a man matching the description of the suspect dubbed the “Sock Hat Bandit” struck the town’s PNC Bank June 10, marking his ninth robbery across Ohio, Kentucky, and Indiana. The FBI is offering a $5,000 reward for information leading to his arrest.
Serious flaw in iOS mail app exposes users to phishing attacks: A Czech security researcher discovered a vulnerability in Apple’s iOS mobile operating system (OS) in which an attacker can create emails that load remote Hypertext Markup Language (HTML) content when opened, prompting users to input credentials that are sent back to the attacker.
Malvertising campaign hits Bejeweled Blitz game on Facebook, CNN Indonesia: Security researchers from Websense discovered a malvertising campaign impacting up to 50 million users a month that is distributed through popular online locations including the Bejeweled Blitz game on Facebook via the OpenX advertising platform and an old Adobe Flash Player glitch. The campaign directs users to a site hosting the Angler exploit kit (EK) and delivers payloads including ransomware, ad-fraud, backdoor, and malware downloaders.
New APT Duqu 2.0 hits high-value victims, including Kaspersky Lab: Security researchers from Kaspersky Lab discovered that the Duqu advanced persistent threat (APT) group had used a new platform dubbed Duqu 2.0 to compromise the lab’s systems along with about 100 other victims between 2014 – 2015, many of whom were related to the P5+1 talks over Iran’s nuclear program. The APT group seeks access to intellectual property by attacking systems with modules that reside entirely in memory, using Windows zero-day vulnerabilities to inject a backdoor and a larger espionage platform with extensive capabilities.
Stuxnet still a threat to critical infrastructure: Findings from Kleissner & Associates “Internet Attacks Against Nuclear Power Plants” report revealed that the Stuxnet malware was found on at least 153 devices worldwide in almost 5 years, at least 6 of which were running supervisory control and data acquisition (SCADA) development software. The researchers reiterated the threat posed by malware developed on behalf of foreign nation states.
U.S. National Vulnerability Database vulnerable to XSS attack: A security consultant discovered that the National Institute of Standards and Technology’s National Vulnerability Database (NVD), which catalogs common vulnerabilities and exposures (CVE) entries, is vulnerable to a cross-site scripting (XSS) attack in which the page’s document object model (DOM) can be replaced with a phishing page to collect personally identifiable information (PII) and card information. NVD officials reported that the agency is working to address the issue.
Weak remote access practices contributed to nearly all PoS breaches: Trustwave: Trustwave released a report revealing that 40 percent of the 574 breaches the company investigated from 2014 were in point-of-sale (PoS) systems and that 94 percent of the incidents were a result of weak remote security and passwords. The retail sector comprised 43 percent of the PoS breach investigations, among other findings.
Microsoft brings HSTS to Windows 7 and 8.1: Microsoft released patches introducing Hypertext Transfer Protocol (HTTP) Strict Transport Security (HSTS) to users running Internet Explorer 11 on Windows 7 and 8.1, in an effort to increase security against man-in-the-middle (MitM) Web sessions and attacks using invalid digital certificates. The protocol forces HTTP sessions to be sent over HTTP Secure (HTTPS) connections according to a list of preloaded sites supporting it.
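The Reddit, Wikimedia, and Internet Explorer items above all turn on the same mechanism: a site's `Strict-Transport-Security` response header (RFC 6797) tells the browser to use HTTPS only. The following is an added example, not code from any of those organizations or browsers: it parses the header value, applies the rules a practitioner checks when reviewing a deployment (the header is only honored over HTTPS, `max-age` is required, `max-age=0` clears the policy, and the preload list requires a one-year `max-age` plus `includeSubDomains` and `preload`), and returns a verdict for a response. The sample responses are constructed; the one-year threshold is the preload list's published requirement and is treated here as an assumption of the example.

```python
"""Parse and grade a Strict-Transport-Security (HSTS) header.

Added example, not browser or site code. Rules follow RFC 6797: directive names are
case-insensitive, values may be quoted, unknown directives are ignored, duplicates are
invalid, and a user agent ignores the header on a plain-HTTP response.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # preload-list minimum max-age, assumed here


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the header value into an HstsPolicy, recording RFC 6797 violations."""
    policy = HstsPolicy()
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')          # quoted-string values are allowed
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                policy.errors.append("max-age must be a non-negative integer")
                continue
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as the RFC requires
    if policy.max_age is None:
        policy.errors.append("max-age is required")
    return policy


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_response(scheme: str, headers: Dict[str, str]) -> str:
    """Grade one response: absent | ignored | invalid | cleared | enforced | preload-eligible."""
    value = _get_header(headers, "Strict-Transport-Security")
    if value is None:
        return "absent"
    if scheme.lower() != "https":
        return "ignored"                          # UAs drop HSTS received over plain HTTP
    policy = parse_hsts(value)
    if policy.errors:
        return "invalid"
    if policy.max_age == 0:
        return "cleared"                          # max-age=0 removes a stored policy
    if policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload:
        return "preload-eligible"
    return "enforced"


# Constructed sample responses for the cases a reviewer cares about.
SAMPLE_RESPONSES = {
    "full":        ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short":       ("https", {"strict-transport-security": 'max-age="86400"'}),
    "cleared":     ("https", {"Strict-Transport-Security": "max-age=0"}),
    "no_max_age":  ("https", {"Strict-Transport-Security": "includeSubDomains"}),
    "over_http":   ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "missing":     ("https", {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLE_RESPONSES.items():
        print(f"{label:12s} -> {evaluate_response(scheme, headers)}")
```

The two verdicts that matter most in review are `ignored` and `enforced` without preload: the first means the header is being served on the HTTP redirect instead of the HTTPS response, and the second means a user's very first visit is still an SSL-stripping window until the site is in the browser preload list.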
‘Bandage Bandit’ strikes 8th bank in robbery: The FBI is offering a $10,000 reward for information leading to the capture of the suspect dubbed the “Bandage Bandit,” who allegedly robbed a Fifth Third Bank branch in Chicago June 9 and is tied to 7 other robberies or attempted robberies since March.
Fullerton man among three convicted in loan modification scheme: The co-owner of Rancho Cucamonga, California-based 21st Century Legal Services Inc. and 2 co-defendants were convicted June 9 for their roles in a $7 million loan modification scheme that victimized over 4,000 distressed homeowners who were falsely promised loan modifications and other services. Seven other defendants previously pleaded guilty in connection to the scheme.
Microsoft patches zero-day used in targeted attacks: Microsoft released eight security bulletins, including a fix for a vulnerability in the Windows kernel-mode driver Win32k.sys that was leveraged by threat actors to elevate privileges and execute arbitrary code on affected machines. The bulletins also included two critical patches for Internet Explorer and Windows Media Player addressing flaws that could have allowed remote code execution.
Financial impact of SaaS storage breaches now $13.85 million: Findings from analysis in Elastica’s Shadow Data Report revealed that the direct financial impact of exposed data in software as a service models can be up to $13.85 million, and that 1.34 percent of all accounts had signs of malicious activities. Analysis also indicated that the healthcare industry suffers the highest frequency of policy violations due to leaks of protected health information, among other findings.
VMware fixes critical security issues in Workstation, Fusion, Horizon View: VMware published fixes for several memory manipulation issues and denial-of-service (DoS) vulnerabilities affecting its Workstation, Player, and Horizon View Client for Microsoft Windows.
DDoS attacks increase in Q2 2015, largest one over 253Gbps strong: Incapsula released findings from a report on distributed denial-of-service attacks in the second quarter of 2015 which revealed that powerful user datagram protocol (UDP) and synchronize (SYN) floods were the preferred method of network-layer attacks, while botnet-for-hire services were typically used to probe defenses. Incapsula reported that out of 56 percent of UDP and SYN floods seen, 8 percent were launched from “Internet of Things” (IoT) devices, among other findings.
Flash Player 22.214.171.124 fixes 13 vulnerabilities: Adobe released updates for Flash Player addressing 13 security flaws, including vulnerabilities that could be leveraged for information disclosure, privilege escalation, and remote code execution, among others.
RPM Mortgage fined $20 million over loan scheme: The U.S. Consumer Financial Protection Bureau issued $20 million in fines June 8 to RPM Mortgage and the company’s CEO following allegations that he paid employees bonuses to place clients in loans with higher interest rates from 2011 – 2013. RPM Mortgage agreed to settle the allegations without admitting wrongdoing.
Cyber-thieves cash in from malware: Security researchers at Trustwave reported that cyber-thieves can earn almost 1,500 percent potential profit from ransomware kits by spending approximately $5,900 on kits that could earn about $90,000 a month in an attack campaign via a compromised Web site.
HDD firmware-altering modules from Equation Group may exist for Apple devices: Security researchers from the Intel Corporation’s McAfee Labs analyzed samples of EquationDrug hard-drive reprogramming modules in their May McAfee Labs Threats Report and found indications that versions of the module exist for Apple iOS and OS X systems, as well as Microsoft Windows.
High-tech extortion attacks nearly doubled in first quarter, report says: Findings from the Intel Corporation’s May McAfee Labs Threats Report revealed that high-tech extortion schemes via ransomware surged by 165 percent to 700,000 samples in the first quarter of 2015, and that Adobe Flash malware increased by 317 percent to 200,000 samples.
Vawtrak banking malware found to use Tor2Web: Security researchers from Fortinet reported that the Vawtrak banking malware, also known as Neverquest, is using Tor2Web as a method to steal banking credentials undetected by accessing Tor anonymous network sources without directly connecting to the network or using a Tor client. The malware typically used fixed command-and-control (C&C) servers, which are easier to trace.
HTTPS-everywhere for government: The White House Office of Management and Budget issued the HTTPS-Only Standard directive June 8, requiring that all publicly accessible Federal Web sites and Web services only provide service through Hypertext Transfer Protocol Secure (HTTPS) connections by December 31, 2016. The U.S. Chief Information Officer set up a Web site to provide technical assistance and best practices for migration as well as a public dashboard to monitor progress.
‘Sock hat bandit’ strikes again, allegedly robs bank No. 8: Authorities are searching for a suspect dubbed the “Sock hat bandit” after he allegedly robbed a PNC Bank in Hamilton Township June 6, and has been connected to seven other bank robberies in Bellevue, Queensgate, Columbus, and Green Township.
MalumPOS malware targets Oracle Micros PoS systems: Security researchers at Trend Micro discovered a new point-of-sale (PoS) malware dubbed MalumPOS that is targeting Oracle’s Micros and other PoS platforms via files disguised as display drivers before targeting up to 100 running processes to scrape payment card information.
NIST updates ICS cyber security guide: The National Institute of Standards and Technology (NIST) released the second revision of its “Guide to Industrial Control Systems (ICS) Security,” which includes updated sections on vulnerabilities and other threats, risk management, security architectures, recommended practices, and security capabilities and tools, as well as guidance on how to adapt traditional cybersecurity controls to ICS requirements.
SEC charges CSC and former executives with accounting fraud: The U.S. Securities and Exchange Commission charged the Computer Sciences Corporation (CSC) and eight former executives June 5 with manipulating financial results and concealing problems regarding its multi-billion dollar contract with the United Kingdom’s National Health Service. CSC agreed to pay $190 million to settle the charges, and 5 of 8 executives charged agreed to settlements.
Florida residents arrested in Aurora with over 700 fake credit and gift cards: Kane County authorities arrested 6 Florida residents in Aurora, Illinois June 1 after traffic stops led to the discovery of over 700 fake credit and gift cards in their hotel rooms and vehicles.
Virginia Credit Union finds evidence of skimming at third ATM: Virginia Credit Union officials reported June 4 the discovery of a third debit-card skimming device on an ATM at its Chester, Virginia branch, bringing the total number of replacement cards being issued to 2,800. ATM skimmers were previously discovered at its Southpark and Glenside branches, and the bank said it disrupted another skimming attempt at its Hanover branch.
Zeus banking trojan variant goes completely undetected: A security researcher from PricewaterhouseCoopers discovered that a new variant of the Zeus banking trojan delivered via the Neutrino exploit kit (EK) is completely undetectable by most antivirus products, and that encoded data in the EK indicates that the trojan is part of a new malicious campaign.
Adware-laden Skype botnet disrupted: Security researchers from PhishMe and Amazon Web Services dismantled a Microsoft Skype-driven botnet that circulated adware via calls from attackers that prompted users to install infected executable files.
Police: ATMs stolen from businesses in West Side burglaries: Chicago Police issued an alert and are seeking information after 5 ATMs were stolen from West Side businesses in Chicago between April and June. In two instances, the thieves pulled the electric meter from the back of the ATMs to disable surveillance and alarm systems.
Hoard of vulnerabilities found in SysAid Help Desk: A security researcher discovered 11 vulnerabilities in SysAid Help Desk version 14.4, including a flaw that could allow an attacker to create an administrator account without any authentication, and a flaw in which an attacker could achieve remote code execution by uploading arbitrary files via directory traversal. The software is used by over 10,000 organizations worldwide.
Cloud providers hit hard by DDoS attacks in Q1: VeriSign: VeriSign reported research finding that information technology (IT) services and cloud providers received over one-third of all distributed denial-of-service (DDoS) attacks in the first quarter of 2015, followed by the government and financial services sectors, where the frequency of attacks increased by 3 percent. The total number of attacks increased seven percent since the last quarter of 2014.
Zero-day disclosed in Unity Web Player: Unity Technologies acknowledged bug reports and released details about a zero-day vulnerability in the company’s Unity Web Player browser plugin in which an attacker could load or inject a malicious Unity app in order to use a victim’s credentials to read messages or gain access to online services.
Southern California broker pleads guilty in $6 million fraud: A Carlsbad stockbroker pleaded guilty June 2 to charges that he stole over $6 million from 32 investors from 2007 – 2014 by misappropriating investments into funding his personal lifestyle and for risky day trading, which he concealed using false statements and funds from newer investors.
2,000 Virginia Credit Union debit cards being replaced after skimming scheme: Virginia Credit Union representatives reported that approximately 2,000 bank member debit cards were vulnerable after the bank discovered ATM skimming devices were installed at their Glenside and Southpark branches over the weekend of May 23. The bank promised to restore any losses due to fraud, and the investigation is ongoing.
Weak SSH keys opened many GitHub repositories to compromise: A security researcher discovered that large numbers of GitHub repositories are vulnerable to compromise and the delivery of malicious code due to a flaw that generated weak cryptographic secure shell (SSH) keys until 2008.
IoT devices entering enterprises, opening company networks to attacks: A recently released OpenDNS report on Internet of Things (IoT) devices and infrastructure in business found that IoT devices have become prevalent in highly regulated industries such as healthcare, energy infrastructure, government, financial services, and retail, and that the infrastructure supporting the devices is vulnerable to well-known security flaws as well as other threats inherent to the nature of IoT technology.
Russian crypto-malware encrypts files completely: Security researchers at Check Point discovered that a new piece of ransomware called Troldesh, also known as Encoder.858 and Shade, applies full encryption to files it processes and offers a way to contact the ransomware operators in an effort to maximize profits and guarantee payment.
Southern Oregon developer indicted in alleged Oklahoma bank fraud scheme: The former president of First State Bank of Altus and a business partner were indicted on bank fraud and other charges June 1 for allegedly committing 3 fraud schemes totaling over $22.5 million in loans issued without proper approval and to companies affiliated with the former president.
‘Black Cap Bandit’ suspect arrested, charged: The FBI arrested the suspect known as the “Black Cap Bandit,” who is believed to be responsible for robbing banks in Chicago, Oak Lawn, Burbank, and Calumet City from September – December 2014. The man was arrested by State authorities May 22 on unrelated charges.
Merrill Lynch pays $11 mln to settle short sale violations: U.S. regulators announced June 1 that Bank of America’s Merrill Lynch agreed to pay $11 million and admitted that it had violated “Regulation SHO” Federal short sale rules by using inaccurate data for short sale orders. The company also agreed to retain an independent compliance consultant as part of the settlement.
Tennessee bank to pay $212.5 mln in FHA-insured mortgage lending case: U.S. Department of Justice officials reported June 1 that First Tennessee Bank agreed in April to pay $212.5 million to resolve claims of mortgage lending violations relating to U.S. Federal Housing Administration (FHA)-insured home loans issued from 2006 – 2008, in which the bank allegedly failed to report deficient mortgages to the FHA and caused it to insure hundreds of loans ineligible for insurance, resulting in substantial losses.
Exploit for recently patched Flash flaw added to Magnitude, Neutrino, Nuclear Pack: Security researchers from Kafeine discovered that the Magnitude, Neutrino, and Nuclear Pack exploit kits (EKs) are leveraging a recently published Adobe Flash Player memory corruption vulnerability to deliver variants of the Andromeda malware and CryptoWall ransomware.
Dyre banking trojan aims at Europe and North America, infections double up: Security researchers at Trend Micro reported that the number of infections caused by the Dyre banking trojan increased by 125 percent in the first quarter of 2015, up from a previous increase of 4,000 in the previous quarter, and that cybercriminals increasingly targeted Europe and North America over the last 3 months. Researchers also reported that the Upatre downloader used to inject Dyre had gained capabilities that allow it to bypass detection from firewalls and other network-related products.
Thousands targeted by credit card skimmer in Seatac: Seatac authorities arrested a man during the week of May 18 for allegedly paying employees at Doug Fox Parking and Shuttle Park 2 in Seatac to skim over 17,000 customer card numbers from 2013 – 2014, resulting in over $600,000 in fraudulent charges.
Man indicted for $50M mortgage fraud involving Miami-Dade homes: Authorities indicted a Guyanese national May 28 for his role in a $50 million mortgage fraud scheme in which he and co-conspirators allegedly recruited and paid straw buyers to obtain fraudulent loan applications in order to buy properties from distressed owners and sellers in Florida and other States.
U.S. sports exec pleads not guilty in FIFA case: The U.S. head of the Brazilian sports marketing company Traffic Group pleaded not guilty May 29 to allegations that he secured media and marketing contracts worth over $35 million and arranged bribes for the vice president of the Fédération Internationale de Football Association (FIFA). Thirteen other suspects were indicted for bribery-related charges.
Apple vulnerability could allow firmware modifications, researcher says: A security researcher discovered a vulnerability in the firmware of Apple computers made before mid-2014 in which an attacker could tamper with the system’s unified extensible firmware interface (UEFI) and install a rootkit by exploiting a flaw that unlocks UEFI code when a computer goes to sleep and reawakens.
Blue Coat patches SSL Visibility appliance against 4 security bugs: Carnegie Mellon University’s Computer Emergency Response Team (CERT) released an advisory warning of cross-site request forgery (CSRF), same-origin policy failure, and other flaws in Blue Coat’s Secure Sockets Layer (SSL) Visibility appliance in which a remote attacker could assume legitimate users’ identities and execute actions on their behalf. The company released a patch mitigating the vulnerabilities.
Jackson man admits $6M mortgage scam. A former loan officer in North Jersey pleaded guilty May 28 to his role in a $6 million mortgage fraud scheme in which he allegedly conspired with 9 others to target 15 institutions in Newark and Elizabeth and used information about potential “straw buyers” along with falsified documents to obtain mortgage loans. Authorities believe the scheme caused establishments around $10 million in losses over a 4-year period.
Bicycle Bank Bandit indicted on 16 counts. The suspect dubbed the “Bicycle Bandit” was indicted May 28 on charges that he allegedly robbed 5 Northern Virginia banks and attempted to rob another between 2013 – 2015. The suspect was originally charged in March but escaped from a hospital where he was receiving treatment, triggering a large manhunt.
Non-sophisticated malware steals thousands of credentials from targeted SMBs. Security researchers from Kaspersky discovered a large malware campaign, dubbed Grabit, that has infiltrated small and medium businesses worldwide across a variety of sectors with a commercial keylogger called HawkEye and several remote administration tools (RATs) distributed via emails containing malicious macro-laden Microsoft Word documents. The researchers reported that the campaign has collected about 10,000 files from the U.S., India, and Thailand since February.
Researchers find over 50 security flaws in D-Link NAS, NVR devices. Security researchers at SEARCH-LAB identified over 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link, including information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and Web page issues, some of which attackers could exploit remotely to execute arbitrary code and take over affected devices.
Angler Exploit Kit exploiting new Adobe vulnerability, dropping CryptoWall 3.0. A security researcher at SANS Internet Storm Center discovered variants of the Angler Exploit Kit (EK) dropping CryptoWall ransomware on affected machines for the first time, and security researchers at FireEye observed that the EK added a recent Adobe Flash Player vulnerability in which attackers could exploit a race condition in its shader class to execute arbitrary code.
(Arkansas) LR man reaches a deal in IRS case. The former CEO, president, and manager of Little Rock-based Global Coal LLC pleaded guilty May 27 to charges alleging that he fraudulently sold millions of dollars’ worth of non-existent refined coal tax credits since starting the company in 2010.
(International) World soccer rocked by U.S., Swiss arrests of officials for graft. Seven Fédération Internationale de Football Association (FIFA) officials were arrested in Switzerland May 27 on U.S. corruption charges and face extradition after an investigation revealed FIFA officials were allegedly a part of corruption involving more than $150 million in bribes over a period of 24 years. U.S. officials reportedly plan to make more arrests in connection with the charges and announced a criminal investigation into the awarding of the next two World Cups.
(Oregon) ‘Short Stack Bandit’ pleads guilty to 5 Portland area bank robberies. A bank robbery suspect dubbed the “Short Stack Bandit” pleaded guilty May 26 to allegedly robbing 5 Portland-area banks and attempting to rob another from 2013 – 2014.
(New Jersey) Police seeking suspect in ATM thefts at Kearny Bank in North Arlington. Authorities are searching for a suspect who allegedly used a skimming device to steal over $100,000 from more than 128 customers of Kearny Bank in North Arlington in April. The bank plans to reimburse affected customers.
(Texas) Ponzi man looking at eight years in stir. The former owner of Dallas-based GC Resources LLC pleaded guilty May 28 to charges connected to an alleged Ponzi scheme in which he solicited $11.8 million worth of investments in oil and gas wells that the company neither owned nor controlled and forged contracts to fool victims.
(International) Apache Cordova glitch allows tampering with mobile app behavior. A security researcher at Trend Micro discovered a high-severity security flaw in Android apps built with Apache Cordova which could allow an attacker to use locally compromised apps or remote web servers to inject malicious intent bundles by taking advantage of default behavior preferences in the Cordova framework.
(International) Flash Player vulnerability exploited 2 weeks after Adobe’s patch release. Security researchers at FireEye discovered that cybercriminals are targeting outdated versions of Adobe’s Flash Player with drive-by attacks that leverage a memory corruption vulnerability to deliver the Bedep trojan, which initiates click-fraud activities and an infection cycle that funnels in additional malware through redirects.
(International) Rockwell addresses weak password protections in its HMI software. Rockwell Automation patched a vulnerability in its RSView32 human machine interface (HMI) software in which an attacker with local access could exploit weak, outdated user-defined password encryption algorithms to reveal passwords and gain access to the automation environment.
Orchard Lake attorney charged with conducting mortgage fraud scheme. An Orchard Lake attorney and his company, Home Legal Group PLLC, were charged May 22 for allegedly defrauding over 114 victims by falsely promising mortgage modifications to clients seeking to avoid foreclosure and collecting hundreds of thousands of dollars in fees from the victims.
New Linux-based router worm used in social network scheme. Security researchers at ESET discovered a new piece of malware, known as Moose, that primarily spreads by compromising insecure Linux-based consumer routers and can eavesdrop on communications. Compromised devices steal unencrypted network traffic, mostly from social network sites, and act as a proxy service for botnet operators.
SEC charges Deutsche Bank with misstating financial reports during financial crisis. The U.S. Securities and Exchange Commission (SEC) reported May 26 that Deutsche Bank AG agreed to pay $55 million to settle charges that the bank allegedly filed misstated financial reports during the financial crisis that discounted material gap risks for potential losses estimated to be in the billions of dollars. The SEC also ordered the bank to avoid committing similar violations in the future.
Apache HBase fixes denial-of-service, info disclosure flaw. Apache released a fix for a vulnerability in its HBase software in which a remote attacker with network access could create a denial-of-service (DoS) condition and read sensitive information by exploiting insecure Access Control Lists (ACLs) on the ZooKeeper quorum.
Synology fixes XSS, command injection vulnerabilities in NAS software. Taiwan-based Synology released software updates addressing security vulnerabilities in DiskStation Manager (DSM) network attached storage (NAS) software that runs on the company’s DiskStation and RackStation devices, including a cross-site scripting (XSS) bug that could allow attackers to steal victims’ session tokens and login credentials or perform arbitrary actions, and a command injection flaw that exposes devices to cross-site request forgery (CSRF) attacks.
Massive campaign uses router exploit kit to change routers’ DNS servers. A security researcher discovered an active campaign in which attackers are targeting Google Chrome browser users with cross-site request forgery (CSRF) code attacks via compromised Web sites with the intent of compromising routers and changing their domain name system (DNS) settings to point to a hacker-controlled server. Researchers believe that millions of devices across 55 router models made by several manufacturers have been affected in the campaign.
New PoS malware hits victims via spam campaign: FireEye. Security researchers at FireEye discovered a new type of point-of-sale (PoS) malware dubbed NitlovePoS that can capture and exfiltrate both track one and track two data from payment cards by scanning running processes on compromised machines, and is distributed via emails containing Word documents with embedded malicious macros.
Emerson patches SQL injection vulnerability in ICS product. Emerson’s Process Management group released a software update addressing a structured query language (SQL) injection vulnerability in its AMS Device Manager in which an attacker could escalate privileges and gain access to administrative functions by supplying malformed input to the software. The AMS Device Manager is part of the AMS Suite and is used in many industrial control systems (ICS) worldwide, especially in the oil, gas, and chemical industries.
South Florida men targeted seniors around the world in $28M sweepstakes fraud, feds say. Authorities arrested 4 individuals in connection to a sweepstakes fraud ring that allegedly bilked about $28 million from hundreds of thousands of victims internationally by targeting senior citizens with false notifications of sweepstake winnings that were guaranteed in exchange for small payments from the winners.
Apache Hive infrastructures vulnerable to authentication flaw in HiveServer2. Apache reported a vulnerability in all versions of its HiveServer2 interface for the Apache Hive enterprise data warehouse infrastructure in which users without proper credentials could gain access by exploiting a flaw in the Lightweight Directory Access Protocol (LDAP) authentication mode. Apache recommended that users update to the newest version or disable unauthenticated binds in the LDAP service.
Flawed Android factory reset allows recovery of sensitive data: researchers. Security researchers at the University of Cambridge discovered that up to 500 million Android devices may not properly sanitize data partitions containing credentials and other personal data when users utilize the “factory reset” feature.
mSpy finally admits they’ve been hacked. Officials from mSpy announced that their servers had been breached, and that data from 80,000 customers could have been stolen and leaked on the Dark Web. The software is intended for legal monitoring of individuals’ online and phone activity.
Major banks admit guilt in forex probe, fined $6 billion. Citigroup, JP Morgan, Barclays, the United Bank of Switzerland (UBS), and the Royal Bank of Scotland (RBS) agreed to plead guilty and pay $6 billion in fines May 20 in a settlement with the U.S. Federal Reserve and U.S. Department of Justice (DOJ) to resolve charges of foreign currency exchange manipulation that had occurred until regulators started punishing banks for the misconduct in 2013. The settlement represents the largest antitrust fines issued by the DOJ in agency history.
State finds 103 credit-card skimmers in 3-month inspection of gas pumps. Florida’s Commissioner of Agriculture and Consumer Services announced May 19 that a 3-month inspection of 7,571 gas pumps revealed 103 credit-card skimming devices across the State. The Florida Petroleum Council and the Florida Petroleum Marketers and Convenience Store Association plan to train employees to be vigilant for skimmers.
PayPal to pay $25 mln over credit product problems. The U.S. Consumer Financial Protection Bureau (CFPB) announced allegations May 19 that PayPal illegally signed consumers up for an online credit product without their knowledge or permission, and ordered the company to pay $25 million in fines to the government and consumer refunds. The CFPB also alleged that PayPal Credit failed to honor advertised promotions and charged illegitimate late fees when Web site problems prevented customers from making payments.
TLS protocol flawed, HTTPS connections susceptible to FREAK-like attack. Cryptography and security researchers discovered that approximately 8.4 percent of the top one million domains containing mail and web servers are vulnerable to an attack dubbed Logjam, in which an attacker could compromise a secure communication between a client and server by downgrading the transport layer security (TLS) connection to 512-bit export-grade cryptography, due to leftover variants of the Diffie-Hellman cryptographic key exchange mechanism from the 1990s. The attack method is similar to the one used in the Factoring RSA Export Keys (FREAK) attacks from early 2015.
Millions of routers vulnerable to attacks due to NetUSB bug. Security researchers at SEC Consult discovered a kernel stack buffer overflow vulnerability in NetUSB drivers developed by Taiwan-based KCodes, in which an unauthenticated attacker can execute arbitrary code or cause a denial-of-service (DoS) condition by specifying a computer name longer than 64 characters when the client connects to the server. The driver is found in millions of routers from vendors including Netgear, TP-Link, ZyXEL, and TRENDnet.
Google fixes sandbox escape in Chrome. Google patched 37 bugs in Chrome version 43, including 6 high-risk sandbox-escape, cross-origin bypass, and use-after-free vulnerabilities discovered by various security researchers.
Malvertising leads to Magnitude exploit kit, ransomware infection. Security researchers at Zscaler discovered that attackers are using malicious ads and 302 cushioning attacks to direct users to sites hosting the Magnitude exploit kit (EK), which in turn infects users with CryptoWall ransomware. The researchers reported that most of the threat infrastructure for these attacks is housed in Germany.
Thieves use skimmer to get away with $50,000 from Lincolnwood ATM: Lincolnwood police are searching for 2 suspects who allegedly placed skimming devices on an ATM at a BMO Harris Bank in Chicago and stole at least $50,000 from bank customers since April 26. A similar incident in January cost bank customers $70,000, and bank officials reported that all affected accounts will be fully reimbursed.
Accused ‘ghost employee’ pleads guilty to bank fraud: A man described by authorities as a former “ghost employee” of the Knox County Trustee’s Office pleaded guilty May 18 for allegedly conspiring with 2 others to file false loan applications to defraud Bank of America, SmartBank, and Pinnacle National Bank of over $6.7 million, which they used for personal expenses. The man also faces separate charges for receiving pay for work for a former trustee that he did not do.
St. Louis Federal Reserve suffers DNS breach: The St. Louis Federal Reserve reported that hackers hijacked its domain name system (DNS) servers April 24 and redirected a portion of the bank’s online traffic to rogue sites resembling portions of its research.stlouisfed.org Web site. The bank recommended that potentially affected users change login information that could have been compromised in the attack.
Attackers use trojanized version of PuTTY to steal SSH credentials: Security researchers at Symantec discovered that actors are using a malicious version of the PuTTY open-source secure shell (SSH) software to access systems remotely and steal data by copying secure server connection info and login details and sending them to an attacker-controlled server. The software bypasses common firewalls and security products due to its whitelisted status, and is used by system and database administrators and web developers.
Address bar spoofing bugs found in Safari, Chrome for Android: Security researchers identified address bar vulnerabilities in the Safari and Chrome for Android Web browsers in which attackers could leverage Web page reloads via the setInterval() function in Safari and a problem in how Chrome handles 204 ‘No Content’ responses to render spoofed Web pages.
Finter Bank Zurich to pay $5.4 million in deal with U.S. over tax offenses: Finter Bank Zurich reached a settlement with the U.S. Department of Justice May 15 in which the bank agreed to pay $5.4 million to avoid U.S. prosecution for helping U.S. clients open, conceal, and maintain bank accounts, undeclared assets, and income from U.S. tax authorities from 2008 – 2011. The bank provided detailed information on designated accounts, agreed to close accounts that do not meet U.S. obligations, and agreed to implement new controls to stop future misconduct.
FBI hunts for serial bank robber dubbed ‘Lucky Bandit’: The FBI is offering a $2,500 reward for information leading to the arrest of the suspect dubbed the “Lucky Bandit”, who is wanted in connection to 8 robberies in Pembroke Pines, Cooper City, and Hollywood in a 6 month span.
Theft ring accused of using Oregon data breach to help steal $2 million in tax refunds: Five suspects from Georgia and Maryland were indicted May 7 for their roles in an identity-theft ring in which they allegedly mined the personal information of over 125,000 people to file $6.6 million in false tax returns from 2013 – 2014, $2 million of which they successfully collected. Four of the suspects have been arrested while one remains at large.
Apache fixes vulnerability affecting security manager protections: The security team responsible for Apache Tomcat discovered a vulnerability in multiple versions of the open-source web server and servlet container that could allow an attacker to bypass protections for the Security Manager component and run malicious web applications.
Washington Post mobile site temporarily shut down in apparent hack: The Washington Post confirmed that it was the victim of an apparent hack May 14 after the paper’s mobile Web site was blocked and redirected users to a site claiming to be run by the Syrian Electronic Army. No customer information was impacted.
Connecticut fund executive faces new SEC fraud charges: The U.S. Securities and Exchange Commission charged and froze the assets of a former Oak Investment Partners venture capital executive from Greenwich, May 13, alleging that the suspect transferred $27.5 million worth of investors’ funds to himself, induced his firm to overpay for investments into 2 Asian e-commerce companies for which he pocketed $20 million, and induced the firm to pay I-Cubed Domains LLC $7.5 million for its stake in an e-commerce company without disclosing that he and his wife owned I-Cubed Domains and had purchased the stake for $2 million.
Delco mortgage lender charged with $9.7M fraud scheme: A former co-owner of Folsom-based Capital Financial Mortgage Corporation was charged May 13 for his role in a $9.7 million mortgage fraud scheme in which he allegedly defrauded lenders including Wells Fargo & Co., and Customers Bank into purchasing second mortgages that he represented as first mortgages and defrauded other lenders that loaned money to the company on a warehouse line of credit. Authorities claim he used the fraudulent profits to pay for personal expenses.
FBI increases reward for serial ‘Bandage Bandit’ bank robbery suspect: The FBI increased the reward for information leading to the arrest of the bank robber dubbed the “Bandage Bandit” to $10,000, after a May 9 robbery at a Chase Bank in Chicago was attributed to him, bringing the total to 5 robberies since March.
Cisco TelePresence vulnerable to unauthorized root access, denial of service: Cisco reported two vulnerabilities in versions of its TelePresence TC and TE video conference products in which an attacker could exploit improper authentication protocols for internal services to bypass authentication and obtain root access on the system, and a flaw in the network drivers in which an attacker could use specially crafted internet protocol (IP) packets sent at a high rate to cause a denial-of-service (DoS) condition.
APT17 DeputyDog hackers are pushing Blackcoffee malware using TechNet: Research by FireEye revealed that the APT17 threat group used posts and profiles on the TechNet blog as a way to conceal their use of the Blackcoffee backdoor by embedding strings that the malware would decode to find and communicate with the malware’s true command-and-control (C&C) server. The TechNet blog was not compromised and the operation was shut down, but FireEye warned that other groups may mimic the tactic.
XSS, CSRF vulnerabilities identified in WSO2 Identity Server: Researchers at SEC Consult discovered three vulnerabilities in version 5.0.0 of WSO2 Identity Server: a cross-site scripting (XSS) flaw, a cross-site request forgery (CSRF) flaw, and an extensible markup language (XML) external entity injection flaw, which could allow an attacker to take over a victim’s session, add arbitrary users to the server, or inject arbitrary XML entities.
Flaw found in OSIsoft product deployed in critical infrastructure sectors: OSIsoft advised customers to mitigate an incorrect default permissions vulnerability in its PI Asset Framework (PI AF) in which an unauthorized remote attacker could leverage “Trusted Users” group status in some product installations to execute arbitrary structured query language (SQL) statements on the affected system, potentially leading to information disclosure, data tampering, privilege escalation, and/or denial-of-service (DoS) conditions.
Russian cyber espionage group planning to hit banks, report says: The cybersecurity services and training provider root9B discovered that the cyberespionage group APT28, also known as Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy, has planned attacks on financial institutions worldwide including Bank of America, The United Nations Children’s Fund, and others. The group was previously linked to Russia by cybersecurity experts.
Nomura, RBS face $805 million damages after U.S. ruling, lawyer says: A U.S. District Judge ruled May 11 that Nomura Holdings Inc., and the Royal Bank of Scotland Group Plc., were liable for making false statements in the sale of mortgage-backed securities to Fannie Mae and Freddie Mac. Officials estimated that the damages owed to the Federal Housing Finance Agency could exceed $805 million, while the exact amount is yet to be determined.
Flash Player 126.96.36.199 addresses security holes: Adobe released updates for Flash Player that fixed 18 vulnerabilities, including 10 memory corruption, heap overflow, integer overflow, type confusion, and use-after-free bugs that could allow an attacker to run arbitrary code on an affected system.
Mozilla Firefox 38 fixes 13 vulnerabilities, 5 are critical: Mozilla released fixes for 13 vulnerabilities in Firefox version 38, including 5 critical flaws that could be leveraged to execute arbitrary code or read parts of the memory containing sensitive data. The update also added support for Digital Rights Management (DRM), among other improvements.
Adobe rolls out critical update for Reader and Acrobat: Adobe released new versions for Acrobat and Reader PDF software patching 34 vulnerabilities, 17 of which include use-after-free, heap-based buffer overflow, and buffer overflow to memory corruption bugs that could have allowed an attacker to execute arbitrary code and take control of an affected system.
Microsoft fixes 46 flaws in Windows, IE, Office, other products: Microsoft released patches addressing 46 vulnerabilities across various products, including 3 critical security bulletins that covered remote code execution flaws in Windows, Internet Explorer, Office, Microsoft .NET Framework, Lync, and Silverlight.
“VENOM” flaw in virtualization software could lead to VM escapes, data theft: Security researchers from CrowdStrike discovered a vulnerability in virtualization platforms in which an attacker could exploit a flaw in the virtual floppy disk controller component of the QEMU open-source virtualization package to escape from a guest virtual machine (VM) and gain code execution on the host, and from there on any other VMs running on the affected system. The bug has been dubbed VENOM and affects a variety of virtualization software running on all major operating systems (OS).
SEC charges ITT Educational, CEO, CFO with fraud; shares plunge: The U.S. Securities and Exchange Commission charged ITT Educational Services Inc., its chief executive officer, and chief financial officer May 12 with fraud, alleging that the defendants concealed two poorly performing financially-guaranteed student loan programs by making payments on behalf of struggling borrowers and by hiding the extent of losses due to high default rates.
DDoS botnet relies on thousands of insecure routers in 109 countries: An investigation by the Web site security company Incapsula revealed that cybercriminals are using tens of thousands of Internet service provider (ISP)-distributed home routers left with default security configurations to create large botnets for distributed denial of service (DDoS) attacks. Findings revealed that 60 command and control (C&C) servers were being used for the botnets by a variety of groups employing various forms of malware worldwide.
FBI agent shot at motel; suspect dead: An FBI agent was injured May 8 after being fired upon while trying to serve an arrest warrant at a Littleton motel to the bank robbery suspect dubbed “The Longhorn Bandit,” who had allegedly robbed multiple banks in the area since February. Authorities reported that officers did not fire any shots, and that the suspect was found dead in his room.
MacKeeper patches serious remote code execution flaw: The developers of the MacKeeper utility software suite for Apple OS X patched a critical input validation vulnerability which an attacker could exploit to remotely execute code on affected systems by tricking victims to visit a specially crafted Web site that runs code with root privileges once visited.
Angler EK makes it difficult to track down malvertising sources: A security expert discovered that the Angler Exploit Kit (EK) is leveraging Web browser bugs to break the referrer chain, making it more difficult for security researchers and advertising networks to determine the kit’s source in the campaign.
Apple fixes WebKit vulnerabilities in Safari browser: Apple released an update for its Safari Web browser fixing multiple vulnerabilities in WebKit, including memory corruption and anchor element issues that could be exploited by an attacker to send users to malicious Web sites, leading to arbitrary code execution or unexpected application termination, as well as a state management problem in which unprivileged origins could access filesystem contents via a specially crafted Web page.
Six people convicted in Sacramento-area mortgage fraud scheme: Six Sacramento residents were convicted of wire fraud May 6 in connection to a mortgage fraud scheme in which they served as straw buyers for area homes and obtained over $5 million in loans from 2007 – 2008 by using falsified applications and documentation.
US charges ex-Wilmington Trust officers over troubled loans: Four executives from Wilmington Trust Co., a part of M&T Bank Corp, were indicted May 6 on charges alleging that they concealed the amount of loans that were not being repaid from U.S. regulators following the financial crisis. The U.S. Securities and Exchange Commission previously brought related civil charges against the individuals for their roles.
Ex-MillerCoors executive, 7 others charged for $7 mln fraud: U.S. authorities announced charges May 6 against a former MillerCoors executive and seven others for their roles in an alleged scheme in which they defrauded the brewing company out of at least $7 million by falsely billing for promotional and marketing services. The individuals allegedly used the money for personal expenses, collectible firearms, and investments in a hotel and bar, among other things.
Feds: Republic man gathers $14.5 million for phony video games: Authorities unsealed Federal charging documents revealing that the former owner of multiple video game companies including Interzone Entertainment, LLC, and Spectacle Games, was indicted in June 2014 on charges of wire fraud and money laundering after the suspect allegedly raised over $14.5 million from clients for companies in Missouri, Chicago, Australia, Brazil, and China since 2008, which produced less than $2,300 in revenue in that period. Authorities claimed the suspect solicited funds to create video games, but instead used the money for personal expenses.
Cisco plugs critical vulnerability in UCS Central Software: Cisco reported that it released an update addressing a vulnerability in its Unified Computing System (UCS) Central Software versions 1.2 and older that could have allowed attackers to access information, run arbitrary code, or make affected devices unavailable by leveraging an improper input validation flaw in the software’s Web framework.
WordPress 4.2.2 fixes DOM-based XSS bug affecting millions of websites: WordPress developers released a critical security update for the platform’s content management system (CMS) addressing a critical cross-site scripting (XSS) flaw in all plugins and themes utilizing the Genericons icon font package, in which attackers could take over an affected Web site or execute code remotely via a document object model (DOM)-based XSS attack targeting a file called “example.html.”
Lenovo patches vulnerabilities in system update service: Security researchers from IOActive reported that Lenovo patched three vulnerabilities in April including a serious bug that allows least privileged users to potentially run commands as a system administrator due to the use of a predictable authentication token, another in which an attacker could bypass signature validation by creating a fake certificate authority (CA) to swap out executables being downloaded by System Update, and a third in which local users could run commands as an administrator using a directory writeable by any user.
Tinba banking trojan checks for sandbox before launching: Security researchers from F-Secure discovered a new variant of the Tiny Banker (Tinba) trojan, which checks for mouse movement and the active window a user is working on to ensure that it is executed on a real machine and not a sandbox before running its malicious routines. The trojan also queries the number of cylinders available to the system’s storage device to determine if it is a virtual machine.
Ripple Labs Inc. resolves criminal investigation: The U.S. Treasury Department Financial Crimes Enforcement Network (FinCEN) in conjunction with the U.S. Attorney’s Office of the Northern District of California assessed a $700,000 penalty against San Francisco-based Ripple Labs Inc., and its subsidiary, XRP II, LLC May 5, for willful violations of the Bank Secrecy Act. Violations include selling virtual currency without registering with FinCEN, and failing to implement and maintain an adequate anti-money laundering program.
SEC lawsuit alleges Ponzi scheme over North Dakota ‘man camps.’: The U.S. Securities and Exchange Commission (SEC) sued North Dakota Developments LLC and its three owners May 5, for an alleged fraud and Ponzi scheme in which the suspects illegally raised over $62 million from hundreds of investors in at least 12 States and multiple European countries since 2012 by selling stakes in 4 short-term housing projects for oil workers in the Bakken oil field region in North Dakota and Montana, known as “man camps.” The SEC claimed that the trio paid investors from other invested funds and misappropriated over $25 million for hidden broker commissions, payment to themselves, and investment in other Bakken projects.
Longhorn Bandit strikes again: Suspect robs credit union in Broomfield; 9th target, FBI says: Denver authorities are searching for a suspect dubbed the “Longhorn Bandit” who is allegedly responsible for six bank robberies, one casing, and two attempted robberies in the area since February. The suspect’s most recent robbery included a Public Service Credit Union branch in Broomfield May 4.
New AlphaCrypt ransomware delivered via Angler EK: Security researchers at Webroot and Rackspace determined that a new form of ransomware resembling TeslaCrypt and CryptoWall, dubbed AlphaCrypt, is being delivered via the Angler exploit kit (EK). Researchers stated that it differs from other ransomware variants by deleting volume snapshot service (VSS) copies and executing quietly in background processes to avoid detection.
New infostealer tries to foil analysis attempts by wiping hard drive: Security researchers from Cisco discovered a new information-stealing trojan dubbed Rombertik, which is being delivered via spoofed emails purporting to be from the “Windows Corporation,” and hooks into users’ browsers to read credentials and other sensitive information for exfiltration to an attacker-controlled server. If the trojan detects an analysis attempt, it attempts to destroy the affected computer’s hard disk by overwriting the system’s master boot record (MBR).
Cybercriminals borrow from APT playbook in attack against PoS vendors: Security researchers at RSA and FireEye reported that cybercriminals have begun mimicking cyberespionage advanced persistent threat (APT) groups by deploying spear-phishing campaigns designed to infect point-of-sale (PoS) payment systems. The attacks delivered the Vawtrak banking trojan and a new document-based exploit kit (EK) called Microsoft Word Intruder (MWI).
Crimeware infects one-third of computers worldwide: The Anti-Phishing Working Group (APWG) reported that 23.5 million malware variants were detected in the fourth quarter of 2014, setting a new record that was up 59 percent from the second quarter of 2014. According to researchers, the retail/service industry was the most targeted sector, specifically through payment services.
3 suspects charged with credit, debit card fraud: Salem, Oregon police reported that three suspects from California were arrested April 23 on charges of identity theft related to a regional skimming scheme in which the suspects allegedly planted skimming devices at various locations to steal credit and debit card information that they used to purchase thousands of dollars of merchandise in multiple cities in Oregon. Authorities recovered over 100 fraudulent credit and debit cards, electronics, clothing, gift cards, and $3,500 in currency in searches of the suspects’ vehicle and hotel room.
3 convicted in $9.2-million wire fraud scheme: Three businessmen were convicted of wire fraud May 1 for a scheme in which they used two New Zealand-based companies, Unistate Investments Savings and Loan Limited, as well as Aster Capital, Inc., and Vital Funds, Inc., to offer clients alternative capital financing and collected account arrangement fees on deals that were never closed, costing clients about $9.2 million in losses. One additional suspect remains a fugitive while two others pleaded guilty to their roles in the scheme.
“Cotton Ball Bandit” convicted for 10 bank robberies: A Larkspur, California man dubbed the “Cotton Ball Bandit” was convicted April 29 for robbing 10 banks and attempting to rob another throughout Marin County between December 2012 and December 2013. Police arrested the suspect after he robbed the Novato Bank of the West in 2013 and led officers on a chase before crashing near Northgate Mall on U.S. Highway 101 in San Rafael.
Kearny bank branch in North Arlington says skimmer was hooked up to ATM: Authorities are investigating after reporting May 1 that 128 Kearny Bank customers in North Arlington, New Jersey, may have had their credit or debit card data stolen after a skimmer device was found on an ATM at the bank.
PayPal fixes remote code execution flaw in Partner Program website: PayPal fixed a vulnerability discovered by Vulnerability Lab researchers in its Partner Program Web site which would allow an attacker to leverage a bug in the site’s Java Debug Wire Protocol (JDWP) service to remotely execute server-side commands with root privileges.
Mozilla moving toward full HTTPS enforcement in Firefox: The Mozilla Foundation reported that it will be phasing out unsecured hypertext transfer protocol (HTTP) connections in the Firefox browser in a two-phase plan, in which the company will only offer new browser features to secure, HTTPS (HTTP Secure)-enabled Web sites, before ultimately making existing features incompatible with HTTP sites altogether.
2 men arrested with hundreds of fraudulent credit cards: Two individuals were arrested April 29 in Palm Desert for burglary, fraud, identity theft, and possession of stolen property after authorities discovered hundreds of manufactured credit cards, purchased gift cards, and stolen clothing and electronics from several local businesses in a rental car. Investigators allege the pair racked up tens of thousands of dollars in fraudulent charges in the area with stolen credit card numbers from victims across the U.S.
Security bug in ICANN portals exploited to access user data: The Internet Corporation for Assigned Names and Numbers (ICANN) released April 30 initial findings from an investigation revealing that a vulnerability in two of the organization’s generic top-level domain (gTLD) portals had resulted in the exposure of 330 advanced search result records pertaining to 96 applicants and 21 registry operators since April 2013. The organization plans to contact both the affected users and those who exploited the vulnerability to access the records.
Unnoticed for years, malware turned Linux and BSD servers into spamming machines: Security researchers at ESET discovered that servers running BSD and Linux operating systems (OS) worldwide have been targeted for the past 5 years by a group that compromised systems via a backdoor trojan that would use a commercial automated e-mail distribution system to send out anonymous emails.
Dyre banking trojan jumps out of sandbox: Security researchers at Seculert discovered a new strain of the Dyre banking trojan, called Dyreza, that evades detection by checking the number of processor cores on an infected machine and terminating itself if there is only one. The researchers also noted that the new strain changed to a new user agent and included other minor updates to avoid signature-based detection products.
MySQL bug can strip SSL protection from connections: Researchers at Duo Security identified a serious vulnerability in how versions of Oracle’s MySQL database product handle requests for secure connections, in which an attacker could use a man-in-the-middle (MitM) attack to force an unencrypted connection and intercept unencrypted queries from the client to the database. In this scenario, the attack could occur regardless of whether or not the server is configured to require Secure Sockets Layer (SSL).
FBI offers $5,000 after ‘Bandage Bandit’ hits fourth bank in last month: The FBI offered a $5,000 reward for information leading to a suspect dubbed the “Bandage Bandit” who allegedly robbed 4 Chicago banks since March 31, including a PNC Bank branch on Western Avenue April 28.
Barracuda fixes critical MITM flaws in its Web filter: Barracuda Networks issued a security update patching two critical flaws in the firmware of its Web Filter appliances in which an attacker could perform man-in-the-middle (MitM) attacks due to vulnerabilities in certificate verification when performing Secure Sockets Layer (SSL) inspection and the use of default certificates across multiple machines.
Bartalex malware used to deliver Dyre banking trojan to enterprises: Security researchers at Trend Micro discovered a campaign employing thousands of spam emails purporting to be from the Automated Clearing House (ACH) that point to malicious documents on Dropbox containing the Bartalex malware, which downloads the Dyre banking trojan once macros are enabled. Thirty-five percent of the infections observed in the past 3 months were in the U.S.